1. Data mining is the process of searching for patterns in the data in a data warehouse and to
analyze the patterns for decision making.
True False
2. The data in a data warehouse are updated when transactions are processed.
True False
True False
4. Data governance is the convergence of data quality, data management, data policies, business
process management, and risk management surrounding the handling of data in a company.
True False
5. Computer-assisted audit techniques (CAAT) are often used when auditing a company's IT
infrastructure.
True False
12-1
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
6. Firewalls are security systems comprised of hardware and software that is built using routers,
servers, and a variety of software.
True False
7. The Generally Accepted Auditing Standards (GAAS) issued by PCAOB provide guidelines for
conducting an IS/IT audit.
True False
8. Virtual private network (VPN) is a private network, provided by a third party, for exchanging
information through a high capacity connection.
True False
9. A wireless network is comprised of access points and stations. Access points logically connect stations
to a firm's network.
True False
10. Integrated test facility (ITF) is an automated technique that enables test data to be continually
evaluated during the normal operation of a system.
True False
11. Accountants increasingly participate in designing internal controls and improving business and IT
processes in a database environment.
True False
12. A data warehouse is for daily operations and often includes data for the current fiscal year only.
True False
13. Parallel simulation attempts to simulate the firm's key features or processes.
True False
14. Embedded audit module is a programmed audit module that is added to the system under
review.
True False
True False
16. Which of the following is not an approach used for online analytical processing (OLAP)?
A. Exception reports
B. What-if simulations
C. Consolidation
D. Data mining
18. Which of the statements regarding the data warehouse is incorrect?
20. Which of the following describes a group of computers that connects the internal users of a
company distributed over an office building?
A. Internet
B. LAN
C. Virtual private network (VPN)
D. Decentralized network
21. Which of the following is not a management control for wireless networks?
22. What is the man-in-the-middle threat for wireless LANs?
A. The attacker impersonates an authorized user and gains certain unauthorized privileges to the
wireless network
B. The attacker passively monitors wireless networks for data, including authentication credentials
C. The attacker steals or makes unauthorized use of a service
D. The attacker actively intercepts communications between wireless clients and access points to
obtain authentication credentials and data.
23. Which of the following statements regarding the black-box approach for systems auditing is
correct?
A. The auditors need to gain detailed knowledge of the systems' internal logic
B. The black-box approach could be adequate when automated systems applications are
complicated
C. The auditors first calculate expected results from the transactions entered into the system.
Then, the auditors compare these calculations to the processing or output results.
D. All of the above are correct
25. What is the test data technique?
26. Within a WAN, a router would perform which of the following functions?
27. Which of the following strategies will a CPA most likely consider in auditing an entity that
processes most of its financial data only in electronic form, such as a paperless system?
A. Continuous monitoring and analysis of transaction processing with an embedded audit module.
B. Increased reliance on internal control activities that emphasize the segregation of duties.
C. Verification of encrypted digital certificates used to monitor the authorization of transactions.
D. Extensive testing of firewall boundaries that restrict the recording of outside network traffic.
28. Which of the following is the primary reason that many auditors hesitate to use embedded audit
modules?
29. The results of a generalized audit software simulation of the aging of accounts receivable revealed
substantial differences in the aging contribution, even though grand totals reconciled. Which of
the following should the IS auditor do first to resolve the discrepancy?
30. Common IT techniques that are needed to implement continuous auditing include
31. Which statements are incorrect about virtual private network (VPN)?
33. Which of the following is least likely to be considered a component of a computer network?
A. Application programs.
B. Computers.
C. Servers.
D. Routers.
34. Which of the following statements regarding the purposes of an operating system is correct?
A. Mobility
B. Rapid deployment
C. Flexibility and Scalability
D. Security
A. The attacker actively intercepts communications between wireless clients and access points to
obtain authentication credentials and data
B. The attacker alters a legitimate message sent via wireless networks by deleting, adding to,
changing, or reordering it
C. The attacker passively monitors wireless networks for data, including authentication credentials
D. The attacker impersonates an authorized user and gains certain unauthorized privileges to the
wireless network
37. Which of the following statements is not correct?
40. Which of the following statements about firewalls is wrong?
A. A firewall is a security system comprised of hardware and software that is built using routers,
servers, and a variety of software
B. A firewall allows individuals on the corporate network to send and receive data packets from the
Internet
C. A firewall can filter through packets coming from outside networks to prevent unauthorized
access
D. A firewall connects different LANs, software-based intelligent devices, examines IP addresses
Essay Questions
41. Identify each of the following statements with one of the five fundamental control objectives of
operating systems.
Control objectives:
42. Categorize the following scenarios as management, operational, or technical controls for wireless
networks' security controls.
43. What are the two approaches of CAATs in auditing systems? What are the differences between
them?
44. What are the differences between LANs and WANs? Have you ever used any LANs and WANs?
45. What are the general security objectives for both wired LANs and wireless LANs?
46. What are the benefits of conducting continuous audits (or monitoring)?
47. Discuss five significant barriers that are often encountered in implementing continuous auditing.
48. List common security threats for wireless LANs. Find a specific case in which the security of wireless
LANs was threatened. Given the case you find, comment on how to prevent or mitigate the
threats.
Chapter 12 Monitoring and Auditing AIS Answer Key
1. Data mining is the process of searching for patterns in the data in a data warehouse and to
analyze the patterns for decision making.
TRUE
2. The data in a data warehouse are updated when transactions are processed.
FALSE
TRUE
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 12-03 Explain continuous auditing in AIS.
Source: Original
Topic: Monitoring and auditing an AIS
4. Data governance is the convergence of data quality, data management, data policies, business
process management, and risk management surrounding the handling of data in a company.
TRUE
5. Computer-assisted audit techniques (CAAT) are often used when auditing a company's IT
infrastructure.
FALSE
6. Firewalls are security systems comprised of hardware and software that is built using routers,
servers, and a variety of software.
TRUE
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 12-01 Understand the risks involved with computer hardware and software.
Source: Original
Topic: Hardware and software risks in AIS
7. The Generally Accepted Auditing Standards (GAAS) issued by PCAOB provide guidelines for
conducting an IS/IT audit.
FALSE
8. Virtual private network (VPN) is a private network, provided by a third party, for exchanging
information through a high capacity connection.
FALSE
9. A wireless network is comprised of access points and stations. Access points logically connect
stations to a firm's network.
TRUE
Difficulty: 1 Easy
Learning Objective: 12-01 Understand the risks involved with computer hardware and software.
Source: Original
Topic: Hardware and software risks in AIS
10. Integrated test facility (ITF) is an automated technique that enables test data to be continually
evaluated during the normal operation of a system.
TRUE
11. Accountants increasingly participate in designing internal controls and improving business and
IT processes in a database environment.
TRUE
12. A data warehouse is for daily operations and often includes data for the current fiscal year
only.
FALSE
Learning Objective: 12-01 Understand the risks involved with computer hardware and software.
Source: Original
Topic: Hardware and software risks in AIS
13. Parallel simulation attempts to simulate the firm's key features or processes.
TRUE
14. Embedded audit module is a programmed audit module that is added to the system under
review.
TRUE
TRUE
Multiple Choice Questions
16. Which of the following is not an approach used for online analytical processing (OLAP)?
A. Exception reports
B. What-if simulations
C. Consolidation
D. Data mining
18. Which of the statements regarding the data warehouse is incorrect?
20. Which of the following describes a group of computers that connects the internal users of a
company distributed over an office building?
A. Internet
B. LAN
C. Virtual private network (VPN)
D. Decentralized network
21. Which of the following is not a management control for wireless networks?
22. What is the man-in-the-middle threat for wireless LANs?
A. The attacker impersonates an authorized user and gains certain unauthorized privileges to
the wireless network
B. The attacker passively monitors wireless networks for data, including authentication
credentials
C. The attacker steals or makes unauthorized use of a service
D. The attacker actively intercepts communications between wireless clients and access points
to obtain authentication credentials and data.
23. Which of the following statements regarding the black-box approach for systems auditing is
correct?
A. The auditors need to gain detailed knowledge of the systems' internal logic
B. The black-box approach could be adequate when automated systems applications are
complicated
C. The auditors first calculate expected results from the transactions entered into the system.
Then, the auditors compare these calculations to the processing or output results.
D. All of the above are correct
24. What is data mining?
26. Within a WAN, a router would perform which of the following functions?
27. Which of the following strategies will a CPA most likely consider in auditing an entity that
processes most of its financial data only in electronic form, such as a paperless system?
28. Which of the following is the primary reason that many auditors hesitate to use embedded
audit modules?
29. The results of a generalized audit software simulation of the aging of accounts receivable
revealed substantial differences in the aging contribution, even though grand totals reconciled.
Which of the following should the IS auditor do first to resolve the discrepancy?
30. Common IT techniques that are needed to implement continuous auditing include
31. Which statements are incorrect about virtual private network (VPN)?
32. LAN is the abbreviation for
33. Which of the following is least likely to be considered a component of a computer network?
A. Application programs.
B. Computers.
C. Servers.
D. Routers.
34. Which of the following statements regarding the purposes of an operating system is correct?
A. Mobility
B. Rapid deployment
C. Flexibility and Scalability
D. Security
36. Masquerading threat for wireless LANs is:
A. The attacker actively intercepts communications between wireless clients and access points
to obtain authentication credentials and data
B. The attacker alters a legitimate message sent via wireless networks by deleting, adding to,
changing, or reordering it
C. The attacker passively monitors wireless networks for data, including authentication
credentials
D. The attacker impersonates an authorized user and gains certain unauthorized privileges to
the wireless network
38. Which of the following is not a use of CAATs in auditing?
40. Which of the following statements about firewalls is wrong?
A. A firewall is a security system comprised of hardware and software that is built using routers,
servers, and a variety of software
B. A firewall allows individuals on the corporate network to send and receive data packets from
the Internet
C. A firewall can filter through packets coming from outside networks to prevent unauthorized
access
D. A firewall connects different LANs, software-based intelligent devices, examines IP addresses
Essay Questions
41. Identify each of the following statements with one of the five fundamental control objectives of
operating systems.
Control objectives:
Difficulty: 3 Hard
Learning Objective: 12-01 Understand the risks involved with computer hardware and software.
Source: Original
Topic: Hardware and software risks in AIS
42. Categorize the following scenarios as management, operational, or technical controls for
wireless networks' security controls.
43. What are the two approaches of CAATs in auditing systems? What are the differences between
them?
The two approaches are auditing around the computer (the black-box approach) and auditing
through the computer (the white-box approach).
Using the black-box approach, auditors do not need to gain detailed knowledge of the systems'
internal logic. The system will not be interrupted for auditing purposes. The approach applies
when the automated systems applications are relatively simple. Using the white-box approach
requires auditors to understand the internal logic of the system/application being tested.
Auditors need to create test cases to verify specific logic and controls in a system. Auditing
through the computer approach embraces a variety of techniques such as test data technique,
parallel simulation. The white-box approach is used when the automated systems applications
are complicated.
44. What are the differences between LANs and WANs? Have you ever used any LANs and WANs?
1) LANs cover a small area while WANs cover a significantly larger area.
2) LAN speeds are also significantly faster than WAN speeds.
3) LANs are more secure than WANs.
4) WANs are much more expensive to implement than LANs.
The Internet is the most popular WAN. A local area network is often used in a computer lab on
campus. (Students' answers may vary.)
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 12-01 Understand the risks involved with computer hardware and software.
Source: Original
Topic: Hardware and software risks in AIS
45. What are the general security objectives for both wired LANs and wireless LANs?
46. What are the benefits of conducting continuous audits (or monitoring)?
Using continuous audit/monitoring, most firms can reduce errors and fraud; increase
operational effectiveness; better comply with laws and regulations; and increase management
confidence in control effectiveness and financial information.
In addition, continuous auditing allows internal and external auditors to monitor transaction
data in a timely manner; better understand critical control points, rules, and exceptions; perform
control and risk assessments in real time or near real time; notify management of control
deficiencies in a timely manner; and reduce effort on routine testing while focusing on more
valuable investigation activities.
47. Discuss five significant barriers that are often encountered in implementing continuous
auditing.
Topic: Monitoring and auditing an AIS
48. List common security threats for wireless LANs. Find a specific case in which the security of
wireless LANs was threatened. Given the case you find, comment on how to prevent or mitigate
the threats.
1) Eavesdropping: The attacker passively monitors wireless networks for data, including
authentication credentials.
2) Man-in-the-Middle: The attacker actively intercepts communications between wireless clients
and access points to obtain authentication credentials and data.
3) Masquerading: The attacker impersonates an authorized user and gains certain unauthorized
privileges to the wireless network.
4) Message Modification: The attacker alters a legitimate message sent via wireless networks by
deleting, adding to, changing, or reordering it.
5) Message Replay: The attacker passively monitors transmissions via wireless networks and
retransmits messages, acting as if the attacker was a legitimate user.
6) Misappropriation: The attacker steals or makes unauthorized use of a service.
7) Traffic Analysis: The attacker passively monitors transmissions via wireless networks to
identify communication patterns and participants.
8) Rogue Access Points: The attacker sets up an unsecured wireless network near the enterprise
with an identical name and intercepts any messages sent by unsuspecting users that log onto it.
Students' answers vary on the specific case and the approaches to mitigate the threats.