Which of the following is a major activity for the revenue cycle?
Receive items
Forecast production
Record time spent on specific jobs
Deliver or ship order
Which of the following would be an activity associated with the human resources/payroll cycle?
Deposit cash receipts
Adjust customer account
Pay for items
Record time worked by employees
Which of the following is considered a disadvantage of an Enterprise Resource Planning (ERP) system?
Data input is captured once
Time required for implementation
Customer relationship management
Increased productivity
Which of the following is NOT an element of data processing?
Create
Update
Reconcile
Delete
Which of the following is NOT a major business cycle?
The production cycle
The revenue cycle
The financing cycle
The cash receipts cycle
The payroll cycle
A chart of accounts:
is a list of all accounts in the organization with each account identified by a three- or four-digit code.
is used to summarize each customer's current balance.
provides an audit trail.
is a list of all permanent accounts in the organization. Temporary accounts, such as revenue and expense accounts, are not included in the chart of accounts.
None of the above.
Which of the following is a source document associated with the revenue cycle?
Sales order
Deposit slip
Credit memo
Bill of lading
All of the above
An entity is something about which information is stored. What is the term for the characteristics of interest that are stored about an entity such as a pay rate or an address?
Field
File
Record
Attribute
Which of the following is NOT a typical Enterprise Resource Planning system module?
Financial
Strategic Planning
Manufacturing
Project Management
An audit trail consists of which of the following items?
Sales invoice
Sales Journal
Accounts Receivable Ledger
All of the above
What are the characteristics of a master file?
Is conceptually similar to a ledger in a manual AIS
Are permanent
Contain individual records which are frequently changed
May have records which are added to it
All of the above
Which of the following is NOT a common data coding technique discussed in the chapter?
Mnemonic
Group
Sequence
Block
Sorted
A chart of accounts provides the user with a list of general ledger accounts.
True / False
An audit trail can only assist external auditors.
True / False
A master file is analogous to a journal in a manual system.
True / False
Accounts receivable generally has a sub-ledger for many companies.
True / False
Data processing is comprised of four elements and can be represented by the acronym CRUD. The R in CRUD stands for Revise.
True / False
A foreign key imposes a specific kind of integrity to related tables. What is the name of this integrity?
Schema
Referential
Independence
Data
None of the above
What are the benefits associated with database technology?
Data sharing
Data integration
Data independence
Answers #1 and #2 only
Answers #1, #2, and #3
Which of the following provides the low-level view of the database?
Conceptual-level schema
External-level schema
The internal-level schema
None of the above
This type of key is used to link rows from one table to the rows in another table.
Primary key
Foreign key
Encryption key
Public key
Which method of gathering business intelligence uses sophisticated statistical analysis and neural networks to aid in decision making?
Data Warehousing
Semantic data modeling
Data mining
None of the above.
Which of the following cannot be blank (null)?
Foreign key
Secondary key
Connecting key
Primary key
None of the above can be null.
Two of the above cannot be null.
When the same non-key data element is stored multiple times in a table, it creates an anomaly known as the:
Delete Anomaly.
Update Anomaly.
Insert Anomaly.
None of the above.
Which of the following are requirements of a relational database?
All nonkey (primary and foreign) attributes must describe a quality of the item identified by the primary key.
Primary keys cannot be null or empty.
Foreign keys (if not empty) must be a primary key in another table.
All of the above.
None of the above.
When a non-null value for the primary key indicates that a specific object exists and can be identified by reference to its primary key value, it is referred to as
the referential integrity rule.
the relational database rule.
the entity integrity rule.
None of the above.
What is (are) the component(s) of a data dictionary?
Field length
Field type
Authorized users
Data location
Answers #1, #2, and #3 are correct.
"Get me the date attribute of the third tuple in the sales order relation." What is being requested?
The person wants the value in the date field of the third table that is related to sales order.
The person wants the value in the date field in the third row of the sales order item table.
The person wants the value in the date field of the third sales order that is related to the sales order item table.
The person wants the value in the date field of the third record in the sales order table.
None of the above.
Data manipulation language is used to do which of the following?
Updating the database
Creating the database
Querying the database
All of the above
A data manipulation language (DML) is used to query a database.
True / False
A data dictionary contains information about the structure of the database.
True / False
The primary difference between the conceptual and external schema is that the external schema is an organization-wide view of the entire database.
True / False
It is possible that two or more attributes can form a single key.
True / False
A foreign key is an attribute in a table that is a primary key in another table.
True / False
A scheme in which the perpetrator steals the cash or check that customer A mails in to pay its accounts receivable, then later takes the funds from customer B to cover customer A's account, and so on with customer C.
Computer fraud
Employee fraud
Kiting
Lapping (correct)
Which of the following creates an environment where computer fraud is less likely to occur?
Hire employees without adequate security and criminal checks.
Assume that corporate security policies are understood by all employees.
Increase the penalties for committing fraud.
None of the above.
Kiting is a scheme in which:
insufficient funds are covered up by deposits made at one bank by checks drawn at another bank.
a computer system is infiltrated under false pretenses.
an external user impersonates an internal user.
None of the above.
Which of the following is not part of the fraud triangle?
Pressure
Opportunity
Rationalization
All are part of the fraud triangle.
In order for an act to be legally considered fraud it must be all of the following except:
A material fact.
Justifiable reliance.
A false statement.
No intent to deceive.
An injury or loss suffered by the victim.
Statement on Auditing Standards No. 99 (SAS 99) requires an auditor to do all of the following during an audit except:
Incorporate a technology focus.
Identify, assess, and respond to risks.
Acquire malpractice insurance in case the auditor does not detect an actual fraud during the audit.
Document and communicate findings.
According to the opportunity part of the fraud triangle, a person may do all of the following acts except:
Convert the theft or misrepresentation for personal gain.
Control the fraud.
Commit the fraud.
Conceal the fraud.
Which of the following pressures are classified as Management Characteristics that can lead to financial statement fraud?
High management and/or employee turnover
Declining industry
New regulatory requirements that impair financial stability or profitability
Intense pressure to meet or exceed earnings expectations
All of the following are classifications of computer fraud except:
Input fraud.
Reconciliation fraud.
Computer instructions fraud.
Processor fraud.
Output fraud.
Which of the following actions are used to reduce fraud losses?
Implement a fraud hotline.
Conduct periodic external and internal audits.
Maintain adequate insurance.
Develop a strong system of internal controls.
Which of the following is considered a financial pressure that can lead to employee fraud?
Gambling habit.
Greed.
Poor credit ratings.
Job dissatisfaction.
There are many threats to accounting information systems. Which of the following is an example of an intentional act?
War and attack by terrorists
Hardware or software failure
Computer fraud
Logic errors
Unintentional acts pose greater risk of loss to information systems than do intentional acts.
True / False
Research indicates that there are very few significant differences between violent and white-collar criminals.
True / False
Lapping involves a manipulation of accounts payable.
True / False
Inadequate supervision provides an "opportunity" for fraud.
True / False
Processor fraud includes the theft of computer time and services.
True / False
A computer crime that involves attacking phone lines is:
data diddling.
phreaking.
phishing.
pharming.
Hackers use all of the techniques except:
war dialing.
war driving.
war chalking.
war walking.
Social engineering facilitates what type of computer fraud?
Click fraud
Identity theft
Spoofing
Dictionary attacks
The computer crime of piggybacking
involves the clandestine use of another user's Wi-Fi.
usually results from spamming.
requires the permission of another user to gain access.
None of the above.
A network of computers used in a denial-of-service (DoS) attack is called a (an):
Worm.
Botnet.
Rootkit.
Splog.
Time bombs are most likely planted in an information system by:
advertisers.
spammers.
disgruntled computer programmers.
customers who have read-only access.
Spyware infections can come from:
worms/viruses.
drive-by downloads.
file-sharing programs.
All of the above.
Which of the following is not a characteristic of computer viruses?
They can lie dormant for a time without doing damage.
They can mutate which increases their ability to do damage.
They can hinder system performance.
They are easy to detect and destroy.
Which of the following is known as a zero-day attack?
An attack between the time a new software vulnerability is discovered and the time a patch for fixing the problem is released.
An attack on the first day a software program is released.
An attack on New Year's Day since it is a holiday and most people are not at work.
None of the above.
Which of the following is a method used to embezzle money a small amount at a time from many different accounts?
Data diddling.
Pretexting.
Spoofing.
Salami technique.
Which of the following is NOT a method that is used for identity theft?
Dumpster diving
Phishing
Shoulder surfing
Spamming
A computer fraud and abuse technique that steals information, trade secrets, and intellectual property.
Cyber-extortion.
Data diddling.
Economic espionage.
Skimming.
Internet pump-and-dump inflates advertising bills by manipulating click numbers on websites.
True / False
Pretexting is a technique employed in Social Engineering schemes.
True / False
A rootkit captures data from packets that travel across networks.
True / False
Bluesnarfing is the act of stealing contact lists, images, and other data using Bluetooth.
True / False
"Hacking" is an external attack on an accounting information system.
True / False
The Sarbanes-Oxley Act is the most important business-oriented legislation in the past 75 years. Which of the following are elements of the Sarbanes-Oxley Act?
the establishment of the Public Company Accounting Oversight Board.
the prohibition against auditors performing certain services for their audit clients such as bookkeeping and human resource functions.
audit committee members must be independent of the audited company.
All of the above.
None of the above.
After the Sarbanes-Oxley Act (SOX) was passed, the Securities and Exchange Commission (SEC) required management to do which of the following:
use the same audit firm for at least two consecutive audit years.
conclude that internal controls are not effective if there are material weaknesses.
disclose all weaknesses regardless of materiality.
conduct 100% substantive testing of all internal controls.
Which of the following system(s) compares actual performance with planned performance?
Boundary system
Belief system
Diagnostic control system
Interactive control system
None of the above.
Which of the following is (are) a component(s) of COSO's internal control model?
Control activities
Risk assessment
Monitoring
All of the above.
What is (are) a principle(s) behind enterprise risk management (ERM)?
Uncertainty can result in opportunity.
The ERM framework can help management manage uncertainty.
Uncertainty results in risk.
All of the above.
None of the above.
General authorization is different from specific authorization. With general authorization an employee in the proper functional area can:
authorize typical purchases of inventory items.
approve purchases within normal customer credit limits.
endorse checks for deposit.
approve sales returns and allowances.
approve vendor invoices for payment.
All of the above.
The ERM model includes an element called Risk Response. According to that element, which of the following is an appropriate way to respond to risk?
Implement a system to effectively monitor risk.
Estimate material risk assessments.
Share the risk with another.
All of the above.
What is an assumption underlying the valuation of internal controls?
Costs are more difficult to quantify than revenues.
The primary cost analyzed is overhead.
The internal control should at least provide reasonable assurance that control problems do not develop.
None of the above.
Which functions should be segregated?
Authorization and recording
Authorization and custody
Recording and custody
All of the above.
None of the above.
Which of the following is not a principle applicable to project development and acquisition controls?
Strategic master plan
Project controls
Steering committee
Network management
According to sound internal control concepts, which of the following systems duties should be segregated?
Programming and Systems Administration
Computer operations and programming
Custody and record keeping.
Answers 1 and 2 are correct.
Which of the following are internal control functions?
Preventive controls
Detective controls.
Corrective controls.
All of the above are internal control functions.
Distributed computer networks are harder to control than centralized mainframe systems.
True / False
Cost considerations have generally not factored into how well companies protect data.
True / False
The exposure of a threat is defined as the probability that a threat will occur.
True / False
A primary objective of internal controls is to safeguard assets.
True / False
Segregation of functions is a detective control.
True / False
What criteria contribute to systems reliability?
Developing and documenting policies
Effectively communicating policies to all authorized users
Designing appropriate control procedures
Monitoring the system and taking corrective action
All of the above
None of the above.
Compliance with the Sarbanes-Oxley Act of 2002 requires:
The CEO to certify that he/she evaluates the effectiveness of internal controls.
The CFO to certify that he/she evaluates the effectiveness of internal controls.
The CEO and CFO must certify that they have evaluated the effectiveness of internal controls.
Neither the CEO nor CFO are required to certify internal control effectiveness.
What type of security controls are authorization controls?
Corrective controls
Detective controls
Internal controls
Preventive controls
Which of the following devices should NOT be placed in the demilitarized zone (DMZ)?
Web server
Sales department server
Mail server
Remote access server
The time-based model of security does not include which factor to evaluate the effectiveness of an entity's security controls?
The time it takes an attacker to break through the entity's preventative controls.
The time it takes to determine that an attack is in progress.
The time it takes to respond to an attack.
The time it takes to evaluate the financial consequences from an attack.
Defense in depth utilizes what techniques to assure security?
Employs multiple layers of controls
Provides redundancy of controls
Utilizes overlapping and complementary controls
All of the above
None of the above
Which of the following statements is true regarding authorization controls?
Permits access to all aspects of an entity's operating system
Permits the user to engage in all operating actions
Permits the user unlimited ability to change information
All of the above.
None of the above.
Which of the following items are considered detective controls?
Log analysis
Intrusion detection systems
Authentication controls
Both 1 and 2
None of the above
Which of the following is an example of a corrective control?
Authentication controls
Encryption
Log analysis
Patch management
Which type of network filtering screens individual IP packets based solely on their contents?
Static packet filtering
Stateful packet filtering
Deep packet filtering
None of the above
Which step would a computer incident response team (CIRT) take first in the incident response process?
Containment of the problem
Recovery
Follow up
Recognition that the problem exists
Which of the following is a method of controlling remote access?
Border Routers
Firewalls
Intrusion Prevention Systems
All of the above
None of the above
Security is considered to be more the responsibility of the Information Technology department than that of Management.
True / False
The time-based model of security, while theoretically valid, is difficult to apply.
True / False
Authentication is a type of access control.
True / False
Cloud computing takes advantage of the power and speed of modern computers to run multiple systems simultaneously on one computer.
True / False
Detective controls actually monitor preventive controls.
True / False
Access controls include the following:
require employee logouts when the workstations are left unattended.
prohibitions against visitors roaming the building in which computers are stored.
form design.
Answers 1 and 2 only.
All of the above.
Identity theft can be prevented by:
monitoring credit reports regularly.
sending personal information in encrypted form.
immediately canceling missing credit cards.
shredding all personal documents after they are used.
All of the above.
Which of the following can be used to detect whether confidential information has been disclosed?
A digital watermark
Information rights management (IRM) software
Data loss prevention (DLP) software
None of the above
Which of the following is a fundamental control for protecting privacy?
Information rights management (IRM) software
Training
Encryption
None of the above
Which of the following are internationally recognized best practices for protecting the privacy of customers' personal information?
Organizations should explain the choices available and obtain their consent to the collection of customer data prior to its collection.
Use and retention of customer information as described by their privacy policy.
Disclosure to third parties only according to their privacy policy.
All of the above.
The same key is used to encrypt and decrypt in which type of encryption systems?
Symmetric encryption systems
Asymmetric encryption systems
A public key system
A private key system
None of the above
Which of the following represents a process that takes plaintext and transforms it into a short code?
Public Key Infrastructure
Symmetric key Infrastructure
Hashing
All of the above.
Which of the following uses encryption to create a secure pathway to transmit data?
Encryption tunnel
Virtual Private Network (VPN)
Demilitarized Zone
None of the above.
Which of the following represents an organization that issues documentation as to the validity and authenticity of digital identification such as digital certificates?
Symmetric Key Infrastructure
Digital Clearing House
Certificate Authority
Digital Signature Repository
Which of the following is NOT a factor that can influence encryption strength?
Encryption algorithm
Key length
Policies for managing cryptographic keys
Digital Certificate Length
What is the first step in protecting the confidentiality of intellectual property and other sensitive business information?
Encrypt the data.
Install information rights management software.
Employ deep packet inspection techniques on all incoming packets.
Identify where confidential data resides and who has access to it.
Which of the following is a major privacy-related concern?
Spam
Identity theft
Public Key Infrastructure
Answers 1 and 2
Encryption is generally sufficient to ensure data confidentiality.
True / False
CAN-SPAM provides only civil sanctions for SPAM violations.
True / False
A digital signature is an electronic document that contains an entity's public key.
True / False
Training is arguably the most important control for protecting confidentiality.
True / False
One significant advantage of firewalls is that they can inspect encrypted packets.
True / False
Which of the following controls checks the accuracy of input data by using it to retrieve and display other related information?
Prompting
Validity check
Closed-loop verification
All of the above.
Which of the following backup procedures copies all changes made since the last full backup?
Incremental backup
Differential backup
Archive backup
None of the above.
Data entry controls do NOT include
field checks.
sign checks.
parity check.
range check.
Online processing data entry controls include:
prompting.
closed loop verification.
trailer record.
echo check.
Answers 1 and 2 only.
Online processing controls include
validity checks on the customer item numbers.
sign checks on inventory-on-hand balances.
limit checks.
All of the above.
A facility that is not only pre-wired for telephone and Internet access but also contains all the computing and office equipment the organization needs to perform its essential business activities.
Archive
Checkpoint
Cold site
Hot site
Which of the following maintains two copies of a database in two separate data centers at all times and updates both copies in real time as each transaction occurs?
Real-time mirroring
Full backups
Incremental backups
Archiving
The least expensive and effective option for replacing computer equipment lost in a disaster is:
leasing a cold site.
reciprocal agreements with another organization that has similar equipment.
creating a hot site.
All of the above are ineffective options in disaster recovery.
Disaster recovery and testing plans should be done:
only when a disaster seems imminent.
only immediately after disaster recovery is designed.
at least annually.
only if determined to be necessary.
Important change management controls would not include
Change requests have to be documented.
All changes have to be approved by management.
All changes must be tested prior to implementation.
User rights and privileges should be reviewed after the change process is completed.
Threats to system availability include:
hardware and software failures.
natural disasters.
human error.
All of the above.
Preparing batch totals is the ___ step in processing credit sales transactions.
last
first
second
third
Data transmission controls are considered to be processing controls.
True / False
The recovery point objective (RPO) represents the length of time that an organization is willing to attempt to function without its information system.
True / False
A limit check has an upper and lower limit.
True / False
Validity checks are a type of online processing control.
True / False
An incremental backup copies all changes since the last full backup.
True / False