
Which of the following is a major activity for the revenue cycle?

Receive items Forecast production Record time spent on specific jobs Deliver or ship order

Which of the following would be an activity associated with the human resources/payroll cycle? Deposit cash receipts Adjust customer account Pay for items Record time worked by employees

Which of the following is considered a disadvantage of an Enterprise Resource Planning (ERP) system? Data input is captured once Time required for implementation Customer relationship management Increased productivity

Which of the following is NOT an element of data processing? Create Update Reconcile Delete Update

Which of the following is NOT a major business cycle? The production cycle The revenue cycle The financing cycle The cash receipts cycle The payroll cycle

A chart of accounts:

is a list of all accounts in the organization with each account identified by a three- or four-digit code. is used to summarize each customer's current balance. provides an audit trail. is a list of all permanent accounts in the organization. Temporary accounts, such as revenue and expense accounts, are not included in the chart of accounts. None of the above.

Which of the following is a source document associated with the revenue cycle?

Sales order Deposit slip Credit memo Bill of lading All of the above

An entity is something about which information is stored. What is the term for the characteristics of interest that are stored about an entity such as a pay rate or an address?

Field File Record Attribute

Which of the following is NOT a typical Enterprise Resource Planning system module? Financial Strategic Planning Manufacturing Project Management

An audit trail consists of which of the following items? Sales invoice Sales Journal Accounts Receivable Ledger All of the above

What are the characteristics of a master file? Is conceptually similar to a ledger in a manual AIS Are permanent Contain individual records which are frequently changed May have records which are added to it All of the above

Which of the following is NOT a common data coding technique discussed in the chapter?

Mnemonic Group Sequence Block Sorted

A chart of accounts provides the user with a list of general ledger accounts. True False

An audit trail can only assist external auditors.

True False

A master file is analogous to a journal in a manual system. True False

Accounts receivable generally has a sub-ledger for many companies. True False

Data processing is comprised of four elements and can be represented by the acronym CRUD. The R in CRUD stands for Revise. True False

A foreign key imposes a specific kind of integrity on related tables. What is the name of this integrity?

Schema Referential Independence Data None of the above

What are the benefits associated with database technology? Data sharing Data integration Data independence Answers #1 and #2 only Answers #1, #2, and #3

Which of the following provides the low-level view of the database?

Conceptual-level schema External-level schema The internal-level schema None of the above

This type of key is used to link rows from one table to the rows in another table. Primary key Foreign key Encryption key Public key

Which method of gathering business intelligence uses sophisticated statistical analysis and neural networks to aid in decision making? Data Warehousing Semantic data modeling Data mining None of the above.

Which of the following cannot be blank (null)?

Foreign key Secondary key Connecting key Primary key None of the above can be null. Two of the above cannot be null.

When the same non-key data element is stored multiple times in a table, it creates an anomaly known as the: Delete Anomaly. Update Anomaly. Insert Anomaly. None of the above.

Which of the following are requirements of a relational database?

All nonkey (primary and foreign) attributes must describe a quality of the item identified by the primary key. Primary keys cannot be null or empty. Foreign keys (if not empty) must be a primary key in another table. All of the above. None of the above.

When a non-null value for the primary key indicates that a specific object exists and can be identified by reference to its primary key value, it is referred to as the referential integrity rule. the relational database rule. the entity integrity rule. None of the above.

What is (are) the component(s) of a data dictionary? Field length Field type Authorized users Data location Answers #1, #2, and #3 are correct.

"Get me the date attribute of the third tuple in the sales order relation." What is being requested?

The person wants the value in the date field of the third table that is related to sales order. The person wants the value in the date field in the third row of the sales order item table. The person wants the value in the date field of the third sales order that is related to the sales order item table. The person wants the value in the date field of the third record in the sales order table.

None of the above.

Data manipulation language is used to do which of the following? Updating the database Creating the database Querying the database All of the above

A data manipulation language (DML) is used to query a database.

True False

A data dictionary contains information about the structure of the database. True False

The primary difference between the conceptual and external schema is that the external schema is an organization-wide view of the entire database. True False

It is possible that two or more attributes can form a single key. True False

A foreign key is an attribute in a table that is a primary key in another table.

True False

A scheme where the perpetrator steals the cash or check that customer A mails in to pay its accounts receivable, then the perpetrator takes the funds from customer B to later cover that account. And so on with Customer C.

Computer fraud Employee fraud Kiting Correct. Lapping

Which of the following creates an environment where computer fraud is less likely to occur?

Hire employees without adequate security and criminal checks. Assume that corporate security policies are understood by all employees. Increase the penalties for committing fraud. None of the above.

Kiting is a scheme in which: insufficient funds are covered up by deposits made at one bank by checks drawn at another bank. a computer system is infiltrated under false pretenses. an external user impersonates an internal user. None of the above.

Which of the following is not part of the fraud triangle? Pressure Opportunity Rationalization All are part of the fraud triangle.

In order for an act to be legally considered fraud it must be all of the following except: A material fact. Justifiable reliance. A false statement. No intent to deceive. An injury or loss suffered by the victim.

Statement on Auditing Standards No. 99 (SAS 99) requires an auditor to do all of the following during an audit except: Incorporate a technology focus. Identify, assess, and respond to risks. Acquire malpractice insurance in case the auditor does not detect an actual fraud during the audit. Document and communicate findings.

According to the opportunity part of the fraud triangle, a person may do all of the following acts except: Convert the theft or misrepresentation for personal gain. Control the fraud. Commit the fraud. Conceal the fraud.

Which of the following pressures are classified as Management Characteristics that can lead to financial statement fraud?

High management and/or employee turnover Declining industry New regulatory requirements that impair financial stability or profitability Intense pressure to meet or exceed earnings expectations

All of the following are classification of computer fraud except: Input fraud. Reconciliation fraud. Computer instructions fraud. Processor fraud. Output fraud.

Which of the following actions are used to reduce fraud losses?

Implement a fraud hotline. Conduct periodic external and internal audits. Maintain adequate insurance. Develop a strong system of internal controls.

Which of the following is considered a financial pressure that can lead to employee fraud?

Gambling habit. Greed. Poor credit ratings. Job dissatisfaction.

There are many threats to accounting information systems. Which of the following is an example of an intentional act? War and attack by terrorists Hardware or software failure Computer fraud Logic errors

Unintentional acts pose greater risk of loss to information systems than do intentional acts.

True False

Research indicates that there are very few significant differences between violent and white-collar criminals. True False

Lapping involves a manipulation of accounts payable.

True False

Inadequate supervision provides an "opportunity" for fraud.

True False

Processor fraud includes the theft of computer time and services.

True False

A computer crime that involves attacking phone lines is: data diddling. phreaking. phishing. pharming.

Hackers use all of the techniques except:

war dialing. war driving. war chalking. war walking.

Social engineering facilitates what type of computer fraud? Click fraud Identity theft Spoofing Dictionary attacks

The computer crime of piggybacking

involves the clandestine use of another user's WIFI. usually results from spamming. requires the permission of another user to gain access. None of the above.

A network of computers used in a denial-of-service (DoS) attack is called a (an): Worm. Botnet. Rootkit. Splog.

Time bombs are most likely planted in an information system by:

advertisers. spammers. disgruntled computer programmers. customers who have read-only access.

Spyware infections came from: worms/viruses. drive-by downloads. file-sharing programs. All of the above.

Which of the following is not a characteristic of computer viruses? They can lie dormant for a time without doing damage. They can mutate which increases their ability to do damage. They can hinder system performance. They are easy to detect and destroy.

Which of the following is known as a zero-day attack? An attack between the time a new software vulnerability is discovered and the time a patch for fixing the problem is released. An attack on the first day a software program is released. An attack on New Year's Day since it is a holiday and most people are not at work. None of the above.

Which of the following is a method used to embezzle money a small amount at a time from many different accounts? Data diddling. Pretexting. Spoofing. Salami technique.

Which of the following is NOT a method that is used for identity theft?

Dumpster diving Phishing Shoulder surfing Spamming

A computer fraud and abuse technique that steals information, trade secrets, and intellectual property. Cyber-extortion. Data diddling. Economic espionage. Skimming.

Internet pump-and-dump inflates advertising bills by manipulating click numbers on websites. True False

Pretexting is a technique employed in Social Engineering schemes. True False

A rootkit captures data from packets that travel across networks. True False

Bluesnarfing is the act of stealing contact lists, images, and other data using Bluetooth. True False

"Hacking" is an external attack on an accounting information system.

True False

The Sarbanes Oxley Act is the most important business-oriented legislation in the past 75 years. Which of the following are elements of the Sarbanes Oxley Act? the establishment of the Public Company Accounting Oversight Board. the prohibition against auditors performing certain services for their audit clients such as bookkeeping and human resource functions. audit committee members must be independent of the audited company. All of the above. None of the above.

After the Sarbanes-Oxley Act (SOX) was passed, the Securities and Exchange Commission (SEC) required management to do which of the following: use the same audit firm for at least two consecutive audit years. conclude that internal controls are not effective if there are material weaknesses. disclose all weaknesses regardless of materiality. Conduct 100% substantive testing of all internal controls.

Which of the following system(s) compares actual performance with planned performance?

Boundary system Belief system Diagnostic control system Interactive control system None of the above.

Which of the following is (are) a component(s) of COSO's internal control model?

Control activities Risk assessment Monitoring All of the above.

What is (are) a principle(s) behind enterprise risk management (ERM)?

Uncertainty can result in opportunity. The ERM framework can help management manage uncertainty. Uncertainty results in risk. All of the above. None of the above.

General authorization is different from specific authorization. With general authorization an employee in the proper functional area can: authorize typical purchases of inventory items. approve purchases within normal customer credit limits. endorse checks for deposit. approve sales returns and allowances. approve vendor invoices for payment. All of the above.

The ERM model includes an element called Risk Response. According to that element, which of the following is an appropriate way to respond to risk? Implement a system to effectively monitor risk. Estimate material risk assessments. Share the risk with another. All of the above.

What is an assumption underlying the valuation of internal controls?

Costs are more difficult to quantify than revenues. The primary cost analyzed is overhead. The internal control should at least provide reasonable assurance that control problems do not develop. None of the above.

Which functions should be segregated? Authorization and recording Authorization and custody Recording and custody All of the above. None of the above.

Which of the following is not a principle applicable to project development and acquisition controls? Strategic master plan Project controls Steering committee Network management

According to sound internal control concepts, which of the following systems duties should be segregated? Programming and Systems Administration Computer operations and programming Custody and record keeping. Answers 1 and 2 are correct.

Which of the following are internal control functions? Preventive controls Detective controls. Corrective controls. All of the above are internal control functions.

Distributed computer networks are harder to control than centralized mainframe systems.

True False

Cost considerations have generally not factored into how well companies protect data.

True False

The exposure of a threat is defined as the probability that a threat will occur.

True False

A primary objective of internal controls is to safeguard assets.

True False

Segregation of functions is a detective control.

True False

What criteria contribute to systems reliability? Developing and documenting policies Effectively communicating policies to all authorized users Designing appropriate control procedures Monitoring the system and taking corrective action All of the above None of the above.

Compliance with the Sarbanes Oxley Act of 2002 requires

The CEO to certify that he/she evaluates the effectiveness of internal controls. The CFO to certify that he/she evaluates the effectiveness of internal controls. The CEO and CFO must certify that they have evaluated the effectiveness of internal controls. Neither the CEO nor CFO are required to certify internal control effectiveness.

What type of security controls are authorization controls?

Corrective controls Detective controls Internal controls Preventive controls

Which of the following devices should NOT be placed in the demilitarized zone (DMZ)?

Web server Sales department server Mail server Remote access server

The time-based model of security does not include which factor to evaluate the effectiveness of an entity's security controls? The time it takes an attacker to break through the entity's preventative controls. The time it takes to determine that an attack is in progress. The time it takes to respond to an attack. The time it takes to evaluate the financial consequences from an attack.

Defense in depth utilizes what techniques to assure security? Employs multiple layers of controls Provides redundancy of controls Utilizes overlapping and complementary controls All of the above None of the above

Which of the following statements is true regarding authorization controls?

Permits access to all aspects of an entity's operating system Permits the user to engage in all operating actions Permits the user unlimited ability to change information All of the above. None of the above.

Which of the following items are considered detective controls?

Log analysis Intrusion detection systems Authentication controls Both 1 and 2 None of the above

Which of the following is an example of a corrective control?

Authentication controls Encryption Log analysis Patch management

Which type of network filtering screens individual IP packets based solely on its contents? Static packet filtering Stateful packet filtering Deep packet filtering None of the above

Which step would a computer incident response team (CIRT) take first in the incident response process? Containment of the problem Recovery Follow up Recognition that the problem exists

Which of the following is a method of controlling remote access? Border Routers Firewalls Intrusion Prevention Systems All of the above None of the above

Security is considered to be more the responsibility of the Information Technology department than that of Management. True False

The time-based model of security, while theoretically valid, is difficult to apply.

True False

Authentication is a type of access control.

True False

Cloud computing takes advantage of the power and speed of modern computers to run multiple systems simultaneously on one computer. True False

Detective controls actually monitor preventive controls.

True False

Access controls include the following:

require employee logouts when the workstations are left unattended. prohibitions against visitors roaming the building in which computers are stored. form design. Answers 1 and 2 only. All of the above.

Identity theft can be prevented by:

monitor credit reports regularly. sending personal information in encrypted form. immediately cancel missing credit cards. shred all personal documents after they are used. All of the above.

Which of the following can be used to detect whether confidential information has been disclosed? A digital watermark Information rights management (IRM) software Data loss prevention (DLP) software None of the above

Which of the following is a fundamental control for protecting privacy? Information rights management (IRM) software Training Encryption None of the above

Which of the following are internationally recognized best practices for protecting the privacy of customers' personal information? Organizations should explain the choices available and obtain their consent to the collection of customer data prior to its collection. Use and retention of customer information as described by their privacy policy. Disclosure to third parties only according to their privacy policy. All of the above.

The same key is used to encrypt and decrypt in which type of encryption systems?

Symmetric encryption systems Asymmetric encryption systems A public key system A private key system None of the above

Which of the following represents a process that takes plaintext and transforms into a short code?

Public Key Infrastructure Symmetric key Infrastructure Hashing All of the above.

Which of the following uses encryption to create a secure pathway to transmit data? Encryption tunnel Virtual Private Network (VPN) Demilitarized Zone None of the above.

Which of the following represents an organization that issues documentation as to the validity and authenticity of digital identification such as digital certificates? Symmetric Key Infrastructure Digital Clearing House Certificate Authority Digital Signature Repository

Which of the following is NOT a factor that can influence encryption strength? Encryption algorithm Key length Policies for managing cryptographic keys Digital Certificate Length

What is the first step in protecting the confidentiality of intellectual property and other sensitive business information?

Encrypt the data. Install information rights management software. Employ deep packet inspection techniques on all incoming packets. Identify where confidential data resides and who has access to it.

Which of the following is a major privacy-related concern? Spam Identity theft Public Key Infrastructure Answers 1 and 2

Encryption is generally sufficient to ensure data confidentiality.

True False

CAN-SPAM provides only civil sanctions for SPAM violations.

True False

A digital signature is an electronic document that contains an entity's public key.

True False

Training is arguably the most important control for protecting confidentiality.

True False

One significant advantage of firewalls is that they can inspect encrypted packets.

True False

Which of the following controls checks the accuracy of input data by using it to retrieve and display other related information? Prompting Validity check Closed-loop verification All of the above.

Which of the following backup procedures copies all changes made since the last full backup? Incremental backup Differential backup Archive backup None of the above.

Data entry controls do NOT include

field checks. sign checks. parity check. range check.

Online processing data entry controls include:

prompting. closed loop verification. trailer Record. echo check. Answers 1 and 2 only.

Online processing controls include

validity checks on the customer item numbers. sign checks on inventory-on-hand balances. limit checks. All of the above.

A facility that is not only pre-wired for telephone and Internet access but also contains all the computing and office equipment the organization needs to perform its essential business activities. Archive Checkpoint Cold site Hot site

Which of the following maintains two copies of a database in two separate data centers at all times, updating both copies in real time as each transaction occurs?

Real-time mirroring Full backups Incremental backups Archiving

The least expensive and effective option for replacing and computer equipment lost in a disaster is: leasing a cold site. reciprocal agreements with another organization that has similar equipment. creating a hot site. All of the above are ineffective options in disaster recovery.

Disaster recovery and testing plans should be done:

only when a disaster seems imminent. only immediately after disaster recovery is designed. at least annually. only if determined to be necessary.

Important change management controls would not include Change requests have to be documented. All changes have to be approved by management. All changes must be tested prior to implementation. User rights and privileges should be reviewed after the change process is completed.

Threats to system availability include: hardware and software failures. natural disasters. human error. All of the above.

Preparing batch totals is the ___ step in processing credit sales transactions. last first second third

Data transmission controls are considered to be processing controls. True False

The recovery point objective (RPO) represents the length of time that an organization is willing to attempt to function without its information system. True False

A limit check has an upper and lower limit.

True False

Validity checks are a type of online processing control.

True False

An incremental backup copies all changes since the last full backup.

True False
