Test 2 Flashcards

1
Q

The text mentions four different AIS threats. Which type of threat is sabotage?
A. Intentional acts
B. Software errors and equipment failures
C. Unintentional acts
D. Natural and political disasters

A

Intentional acts

2
Q

Terrorist attacks are considered which type of threat?
A. Intentional acts
B. Natural and political disasters
C. Unintentional acts
D. Software errors and equipment failures

A

Natural and political disasters

3
Q

Threats that arise from human carelessness, failure to follow established procedures, and poorly supervised personnel are which type of threat?
A. Unintentional acts
B. Software errors and equipment failures
C. Natural and political disasters
D. Intentional acts

A

Unintentional acts

4
Q

Power outages and fluctuations can result in which type of threat?
A. Unintentional acts
B. Intentional acts
C. Natural and political disasters
D. Software errors and equipment failures

A

Software errors and equipment failures

5
Q

According to the text, which type of threat represents the greatest risk to information systems and causes the greatest dollar losses?
A. Natural and political disasters
B. Unintentional acts
C. Intentional acts
D. Software errors and equipment failures

A

Unintentional acts

6
Q

Legally, for an act to be fraudulent there must be:
A. An intent to do bodily harm
B. A material fact that induces a person to act
C. An injury or loss suffered by the perpetrator
D. A false statement, representation, or disclosure
E. A justifiable reliance, where a person relies on a misrepresentation to take an action

A

B. A material fact that induces a person to act

D. A false statement, representation, or disclosure

E. A justifiable reliance, where a person relies on a misrepresentation to take an action

7
Q

Which of the following statements are true?
A. Small businesses are less vulnerable to fraud than large companies because small companies typically have more effective internal controls than larger companies
B. Fraud perpetrators are often referred to as blue-collar criminals
C. A typical organization loses 5% of its annual revenue to fraud, indicating yearly global losses of over $3.7 trillion
D. Most fraud perpetrators are knowledgeable insiders with the requisite access, skills, and resources
E. The controls used to protect corporate assets make it more difficult for an outsider to steal from a company

A

C. A typical organization loses 5% of its annual revenue to fraud, indicating yearly global losses of over $3.7 trillion

D. Most fraud perpetrators are knowledgeable insiders with the requisite access, skills, and resources

E. The controls used to protect corporate assets make it more difficult for an outsider to steal from a company

8
Q

Which of the following processing controls can be used to achieve the objective of processing integrity? (Check all that apply.)

a) File labels
b) Reconciliation procedures
c) Validity check
d) Write-protection mechanisms
e) Parity bits
f) Recalculation of batch totals
g) Check digit verification

A

a) File labels
d) Write-protection mechanisms
f) Recalculation of batch totals

9
Q

Which of the following input controls can be used to ensure the objective of processing integrity? (Check all that apply.)

a) Limit check
b) Completeness check
c) Forms design
d) Cross-footing and zero-balance tests
e) File labels
f) Turnaround documents
g) Field check

A

a) Limit check
b) Completeness check
c) Forms design
f) Turnaround documents
g) Field check

10
Q

Assume that the XYZ Company wants to create batch totals for a transaction file that contains payments to suppliers. Which of the following fields could be used to create a financial total? (Check all that apply.)

a) Purchase order number
b) Discount for prompt payment
c) Quantity purchased
d) Check amount
e) Vendor number
f) Gross amount due

A

b) Discount for prompt payment
d) Check amount
f) Gross amount due

11
Q

Assume that the XYZ Company wants to create batch totals for a transaction file that contains all sales invoices. Which of the following fields could be used to create a hash total? (Check all that apply.)

a) Total amount of sale
b) Customer name
c) Quantity sold
d) Part number
e) Customer number

A

c) Quantity sold
d) Part number
e) Customer number

12
Q

Which control ensures that the master inventory file actually contains an inventory item identified by the number 251184?

a) Field check
b) Check digit verification
c) Validity check
d) Limit check

A

c) Validity check

13
Q

Which type of file is retained indefinitely?
A. UPS
B. RAID
C. Archive
D. Backup

A

C. Archive

14
Q

The \_\_\_\_ represents the amount of data that an organization is willing to lose, or reenter, in the event of a disaster; the \_\_\_\_ represents the number of hours or days that the organization is willing to operate without its data center.
A. RTO, RPO
B. RPO, RTO
C. DRP, BCP
D. BCP, DRP

A

B. RPO, RTO

15
Q

Which option is appropriate for an organization, like an airline, that cannot tolerate any downtime or any loss of data?
A. Any of the three choices is appropriate.
B. Hot site
C. Cold site
D. Real-time mirroring

A

D. Real-time mirroring

16
Q

Which of the following statements are true? (Check all that apply.)
A. Virtualization significantly reduces RTO.
B. All of the other three answers are true.
C. Virtualization does not eliminate the need for backups.
D. Virtualization cannot be used to support real-time mirroring.

A

A. Virtualization significantly reduces RTO.

C. Virtualization does not eliminate the need for backups.

17
Q

Incremental daily backups take \_\_\_\_ time to make than differential daily backups, but the restoration process is \_\_\_\_\_.
A. more, shorter
B. less, shorter
C. more, longer
D. less, longer

A

D. less, longer

18
Q

A turnaround document is an example of a(n)

a) output control
b) input control
c) processing control
d) none of these are correct

A

b) input control

19
Q

Which of the following is an effective data entry control to ensure that overtime hours should be zero for someone who has not worked the maximum number of regular hours in a pay period?

a) A limit check.
b) A range check.
c) A reasonableness check.
d) A validity check

A

c) A reasonableness check.

20
Q

When Jo, a sales associate, enters an account number, which of the following controls would allow the system to retrieve and display the account name so that Jo could verify that the correct account number had been entered?

a) Prompting.
b) Sequence check.
c) Data matching.
d) Closed-loop verification.

A

d) Closed-loop verification.

21
Q

Which of the following is designed to prevent an attacker from executing a buffer overflow attack by submitting lengthy attack code into the address field on a website form?

a) limit check
b) reasonableness test
c) field check
d) size check

A

d) size check

22
Q

A batch total that is computed by adding up the invoice numbers in a set of sales invoices is called a

a) record count
b) checksum
c) hash total
d) financial total

A

c) hash total

23
Q

A facility that is not only prewired for telephone and Internet access but also contains all the computing and office equipment the organization needs to perform its essential business activities is called

a) virtualization
b) a real-time mirroring site.
c) a cold site.
d) a hot site.

A

d) a hot site.

24
Q

A cold site is an appropriate strategy for disaster recovery for organizations that are willing to tolerate operating for several ________ without their ERP system and who are also willing to reenter or even lose several __________ worth of transactions.

a) hours; hours
b) days; days
c) minutes; minutes
d) minutes; hours
e) minutes; days
f) hours; days

A

b) days; days

25
Q

Each night during the week an organization backs up just that day’s transactions. This is referred to as making what kind of backup?

a) archival
b) incremental
c) differential
d) full

A

b) incremental

26
Q

Which of the following techniques can be used to minimize system downtime?

a) all of the actions minimize system downtime
b) UPS
c) preventive maintenance
d) RAID

A

a) all of the actions minimize system downtime

27
Q

After a tornado destroys an organization’s data center, the CIO turns to the __________ for instructions on how to recover.

a) Backup Plan (BP)
b) Business Continuity Plan (BCP)
c) Incident Response Plan (IRP)
d) Disaster Recovery Plan (DRP)

A

d) Disaster Recovery Plan (DRP)

28
Q

After the Sarbanes-Oxley Act (SOX) was passed, the Securities and Exchange Commission (SEC) required management to do which of the following:

a. use the same audit firm for at least two consecutive audit years.
b. report material internal control weaknesses.
c. disclose all weaknesses regardless of materiality.
d. conduct 100% substantive testing of all internal controls.

A

b. report material internal control weaknesses.

29
Q

Identify the corrective control below

a. Reconciling the bank statement to the cash control account
b. Approving customer credit prior to approving a sales order.
c. Maintaining frequent backup records.
d. Counting inventory on hand and comparing counts to the perpetual inventory records.

A

c. Maintaining frequent backup records.

30
Q

Hiring decisions at a company are made by the Director of Human Resources. Pay rates are approved by the Vice President for Operations. At the end of each pay period, supervisors submit time cards to the payroll clerk, who prepares paycheck requisitions. Paychecks are then distributed through the company’s mail room. This represents a(n) \_\_\_\_ segregation of duties.

a. partial
b. effective
c. ineffective
d. limited

A

b. effective

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
31
Q

Which of the following is (are) a component(s) of COSO’s internal control model?

a. Control activities
b. Risk assessment
c. Monitoring
d. All of the above.

A

d. All of the above.

32
Q

What is (are) a principle(s) behind enterprise risk management (ERM)?

a. Uncertainty can result in opportunity.
b. The ERM framework can help management manage uncertainty.
c. Uncertainty results in risk.
d. All of the above.
e. None of the above.

A

d. All of the above.
e. None of the above.

33
Q

General authorization is different from specific authorization. With general authorization an employee in the proper functional area can:

a. authorize typical purchases of inventory items.
b. approve purchases within normal customer credit limits.
c. endorse checks for deposit.
d. approve sales returns and allowances.
e. approve vendor invoices for payment.
f. All of the above.

A

f. All of the above.

34
Q

The organization chart for a corporation includes a controller and an information processing manager, both of whom report to the vice president of finance. Which of the following would be a control weakness?

a. Assigning the programming and operating of the computer system to an independent control group which reports to the controller
b. Providing for maintenance of input data controls by an independent control group which reports to the controller
c. Periodically rotating assignment of application processing among machine operators, who all report to the information processing manager
d. Providing for review and distribution of system-generated reports by an independent control group which reports to the controller

A

a. Assigning the programming and operating of the computer system to an independent control group which reports to the controller

35
Q

As a result of an internal risk assessment, an insurance company decided it was no longer profitable to provide fire insurance in the western states without a general rate increase. The insurance company apparently chose to \_\_\_\_ the risk of paying fire claims in the western states by raising its insurance rate.

a. reduce
b. share
c. avoid
d. accept

A

b. share

36
Q

Which functions should be segregated?

a. Authorization and recording
b. Authorization and custody
c. Recording and custody
d. All of the above.
e. None of the above.

A

d. All of the above.

37
Q

Which of the following is not a principle applicable to project development and acquisition controls?

a. Strategic master plan
b. Project controls
c. Steering committee
d. Network management

A

d. Network management

38
Q

According to sound internal control concepts, which of the following systems duties should be segregated?

a. Programming and Systems Administration
b. Computer operations and programming
c. Custody and record keeping.
d. Answers 1 and 2 are correct.

A

a. Programming and Systems Administration

b. Computer operations and programming

39
Q

Which of the following is not related to information and communication in the updated COSO Integrated Control framework?

a. Communicate relevant internal control matters to external parties.
b. Obtain or generate relevant, high-quality information to support internal control.
c. Surround internal control processes with information technology that enables discrepancies to be identified.
d. Internally communicate the information necessary to support the other components of internal control

A

c. Surround internal control processes with information technology that enables discrepancies to be identified.

40
Q

Helping employees understand entity goals and objectives and then holding them accountable for achieving them are all related to which aspect of the control environment?

a. Organizational structure.
b. Methods of assigning authority and responsibility.
c. Management philosophy and operating style.
d. Commitment to competence.

A

b. Methods of assigning authority and responsibility.

41
Q

What criteria contribute to system reliability?

a. Developing and documenting policies
b. Effectively communicating policies to all authorized users
c. Monitoring the system and taking corrective action
e. All of the above
f. None of the above

A

e. All of the above

42
Q

What type of security controls are authorization controls?

a. Corrective controls
b. Detective controls
c. Preventive controls

A

c. Preventive controls

43
Q

Which of the following devices should NOT be placed in the demilitarized zone (DMZ)?

a. Web server
b. Sales department server
c. Mail server
d. Remote access server

A

b. Sales department server

44
Q

The time-based model of security does not include which factor to evaluate the effectiveness of an entity’s security controls:

a. The time it takes an attacker to break through the entity’s preventative controls
b. The time it takes to determine that an attack is in progress
c. The time it takes to respond to an attack
d. The time it takes to evaluate the financial consequences from an attack

A

d. The time it takes to evaluate the financial consequences from an attack

45
Q

Which of the following is an example of a preventive control?
a. The creation of a “security-aware” culture
b. The creation of a “Log user friendly” culture
c. The creation of a “continuous monitoring” culture
d. The creation of a chief information security officer position

A

a. The creation of a “security-aware” culture

46
Q

Which of the following statements is true regarding authorization controls?

a. Permits access to all aspects of an entity’s operating system
b. Permits the user to engage in all operating actions
c. Permits the user unlimited ability to change information
d. All of the above
e. None of the above

A

e. None of the above

47
Q

Which of the following items are considered detective controls?

a. Log analysis
b. Intrusion detection system
c. Antimalware controls
d. Both log analysis and intrusion detection systems
e. None of the above

A

d. Both log analysis and intrusion detection systems

48
Q

Which of the following is an example of a corrective control?

a. Authentication controls
b. Encryption
c. Log analysis
d. Patch management

A

d. Patch management

49
Q

Company XYZ hired a renowned security firm to attempt to compromise its computer network. A few days later, the security firm reported that it had successfully entered XYZ’s computer system without being detected. The security firm presented an analysis of the vulnerabilities that had been found to the financial institution. This is an example of a:

a. Preventive control
b. Detective controls
c. Corrective control
d. Security control

A

b. Detective controls

50
Q

Which step would a computer incident response team (CIRT) team take first in the incident response process?

a. Containment of the problem
b. Recovery
c. Follow up
d. Recognition that the problem exists

A

d. Recognition that the problem exists

51
Q

According to the Trust Services Framework, the reliability principle of security is achieved when the system produces data that:

a. Is available for operation and use at times set forth by agreement
b. Is protected against unauthorized physical and logical access
c. Can be maintained as required without affecting system availability, security, and integrity
d. Is complete, accurate, and valid.

A

b. Is protected against unauthorized physical and logical access

52
Q

If the time an attacker takes to break through the organization’s preventive controls is 25 minutes, time required to detect the attack is 5 minutes, and the time required to correct/respond to the attack is 12 minutes, then security is:

a. effective
b. ineffective
c. overdone
d. undermanaged

A

a. effective

53
Q

Access controls include the following:
a. require employee logouts when the workstations are left unattended
b. prohibitions against visitors roaming the building in which computers are stored
c. Both a and b
d. Neither a nor b

A

c. Both a and b

54
Q

Which of the following can be used to detect whether confidential information has been disclosed?
a. A digital watermark
b. Information rights management (IRM) software
c. Data loss prevention (DLP) software
d. None of the above

A

a. A digital watermark

55
Q

Identify the type of information below that is least likely to be considered confidential by an organization.

a. Audited financial statements
b. Legal documents
c. Top executive salaries
d. New product development plans

A

a. Audited financial statements

56
Q

If an organization asks you to disclose your social security number, yet fails to permit you to opt out before you provide the information, the organization has likely violated which of the Generally Accepted Privacy Principles?

a. Management
b. Notice
c. Choice and consent
d. Use and retention

A

c. Choice and consent

57
Q

Which of the following are internationally recognized best practices for protecting the privacy of customers’ personal information?

a. Organizations should explain the choices available and obtain their consent to the collection of customer data prior to its collection
b. Use and retention of customer information as described by their privacy policy
c. Disclosure to third parties only according to their privacy policy
d. All of the above

A

d. All of the above

58
Q

The same key is used to encrypt and decrypt in which type of encryption systems?

a. Symmetric encryption systems
b. Asymmetric encryption systems
c. Neither of the above

A

a. Symmetric encryption systems

59
Q

Which of the following statements is true?

a. Hashing is reversible, but encryption is not
b. Encryption is reversible, but hashing is not
c. Both encryption and hashing are reversible
d. Neither hashing nor encryption are reversible

A

b. Encryption is reversible, but hashing is not

60
Q

Which of the following uses encryption to create a secure pathway to transmit data?

a. Encryption tunnel
b. Virtual Private Network (VPN)
c. Demilitarized Zone
d. None of the above

A

b. Virtual Private Network (VPN)

61
Q

Which of the following is NOT a factor that can influence encryption strength?

a. Encryption algorithm
b. Key length
c. Policies for managing cryptographic keys
d. All of the above affect encryption strength

A

d. All of the above affect encryption strength

62
Q

A client would like a way for their customers to take payments online using credit cards, but would like to make sure the credit card data isn’t intercepted. What should you suggest?

a. a data masking program
b. a virtual private network
c. a private cloud environment
d. an encryption system with digital signatures

A

d. an encryption system with digital signatures

63
Q

What is the first step in protecting the confidentiality of intellectual property and other sensitive business information?

a. Encrypt the data
b. Install information rights management software
c. Employ deep packet inspection techniques on all incoming packets
d. Identify where confidential data resides and who has access to it

A

d. Identify where confidential data resides and who has access to it

64
Q

A programmer for a hospital system has recently developed a new computer program. As part of the testing process, he needs to use realistic patients’ data to ensure that the system is working properly. To protect privacy, management uses a program that replaces private information with fake values before sending the data to the programmer for testing. The program that replaces patient information with fake values is called:

a. data encryption
b. data masking
c. data wiping
d. data redacting

A

b. data masking

65
Q

Blockchains typically have copies of all blocks distributed on multiple machines. The distribution of the ledger helps ensure which of the following?

a. Distribution provides a means to identify any attempts to unilaterally alter the original documents.
b. Distribution ensures that data entered into a blockchain is correct
c. Distribution speeds up the process of adding blocks to a blockchain
d. All of the above are benefits of distribution.

A

a. Distribution provides a means to identify any attempts to unilaterally alter the original documents.

66
Q

Which of the following controls checks the accuracy of input data by using it to retrieve and display other related information?

a. Prompting
b. Validity check
c. Closed-loop verification
d. All of the above

A

c. Closed-loop verification

67
Q

Which of the following backup procedures copies all changes made since the last full backup?

a. Incremental backup
b. Differential backup
c. Archive backup
d. None of the above

A

b. Differential backup

68
Q

Data entry controls do NOT include

a. field checks
b. sign checks
c. parity checks
d. range checks

A

c. parity checks

69
Q

Online processing data entry controls include:

a. Prompting
b. Closed loop verification
c. trailer records
d. echo check
e. Answers 1 and 2 only

A

e. Answers 1 and 2 only

70
Q

A customer forgets to include her account number on her check, and the accounts receivable clerk credited her payment to a different customer with the same last name. Which control could have been used to most effectively prevent this error?

a. closed-loop verification
b. duplicate values check
c. reasonableness test
d. reconciliation of a batch control total

A

a. closed-loop verification

71
Q

Which of the following maintains two copies of a database in two separate data centers at all times and updates both copies in real time as each transaction occurs?

a. real-time mirroring
b. full backups
c. incremental backups
d. archives

A

a. real-time mirroring

72
Q

The least expensive and least effective option for replacing computer equipment lost in a disaster is:

a. leasing a cold site
b. real-time mirroring
c. creating a hot site
d. All of the above are ineffective options in disaster recovery

A

a. leasing a cold site

73
Q

Disaster recovery and testing plans should be done:

a. only when a disaster seems imminent
b. only immediately after disaster recovery is designated
c. at least annually
d. only if determined to be necessary

A

c. at least annually

74
Q

Threats to system availability include:

a. hardware and software failures
b. natural disasters
c. human error
d. all of the above

A

d. all of the above

75
Q

A shop generates three quarters of its revenue from orders taken over the internet. The revenue clearing account is debited by the total cash and credit receipts and credited by the total of storefront and internet sales. This is an example of a:

a. data integrity test
b. zero-balance test
c. trial balance audit
d. cross-footing balance test

A

b. zero-balance test

76
Q

Which of the following is not an objective of a disaster recovery plan?

a. minimize the extent of the disruption, damage or loss
b. establish a permanent alternative means of processing information
c. resume normal operations as soon as possible
d. train employees for emergency operations

A

b. establish a permanent alternative means of processing information

77
Q

A university course enrollment system allows students to manage their classes online. If students attempt to add more than 21 hours per semester an error message is displayed. This is an example of a

a. reasonableness test
b. field check
c. validity checks
d. limit check

A

a. reasonableness test