ACC 564 Quiz 2 – New

ACC 564 Quiz 2 – Strayer New

ACC 564 Week 5 Quiz 2 Chapter 6 Through 9

Click On The Link Below To Purchase
Instant Download

http://www.budapp.net/ACC-564-Quiz-2-Strayer-New-ACC564Q2.htm

 

Chapter 6 Computer Fraud and Abuse Techniques

1) Wally Hewitt maintains an online brokerage account. In early March, Wally received an email from the firm that explained that there had been a computer error and that provided a phone number so that Wally could verify his customer information. When he called, a recording asked that he enter the code from the email, his account number, and his social security number. After he did so, he was told that he would be connected with a customer service representative, but the connection was terminated. He contacted the brokerage company and was informed that they had not sent the email. Wally was a victim of
A) Bluesnarfing.
B) splogging.
C) vishing.
D) typosquatting.
Answer:
Page Ref: 157
Objective: Learning Objective 2
Difficulty : Easy
AACSB: Analytic

2) When a computer criminal gains access to a system by searching records or the trash of the target company, this is referred to as
A) data diddling.
B) dumpster diving.
C) eavesdropping.
D) piggybacking.
Answer:
Page Ref: 159
Objective: Learning Objective 2
Difficulty : Easy
AACSB: Analytic

3) Jerry Schneider was able to amass operating manuals and enough technical data to steal $1 million of electronic equipment by
A) scavenging.
B) skimming.
C) Internet auction fraud.
D) cyber extortion.
Answer:
Page Ref: 159
Objective: Learning Objective 2
Difficulty : Easy
AACSB: Analytic

4) A part of a program that remains idle until some date or event occurs and then is activated to cause havoc in the system is a
A) trap door.
B) data diddle.
C) logic bomb.
D) virus.
Answer:
Page Ref: 161
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic

5) The unauthorized copying of company data is known as
A) data leakage.
B) eavesdropping.
C) masquerading.
D) phishing.
Answer:
Page Ref: 154
Objective: Learning Objective 1
Difficulty : Easy
AACSB: Analytic

6) Computer fraud perpetrators who use telephone lines to commit fraud and other illegal acts are typically called
A) hackers.
B) crackers.
C) phreakers.
D) jerks.
Answer:
Page Ref: 154
Objective: Learning Objective 1
Difficulty : Easy
AACSB: Analytic
7) What is a denial of service attack?
A) A denial of service attack occurs when the perpetrator sends hundreds of messages from randomly generated false addresses, overloading an Internet service provider’s e-mail server.
B) A denial of service attack occurs when an e-mail message is sent through a re-mailer, who removes the message headers making the message anonymous, then resends the message to selected addresses.
C) A denial of service attack occurs when a cracker enters a system through an idle modem, captures the PC attached to the modem, and then gains access to the network to which it is connected.
D) A denial of service attack occurs when the perpetrator e-mails the same message to everyone on one or more Usenet newsgroups LISTSERV lists.
Answer:
Page Ref: 150
Objective: Learning Objective 1
Difficulty : Moderate
AACSB: Analytic

8) Gaining control of someone else’s computer to carry out illicit activities without the owner’s knowledge is known as
A) hacking.
B) hijacking.
C) phreaking.
D) sniffings.
Answer:
Page Ref: 150
Objective: Learning Objective 1
Difficulty : Easy
AACSB: Analytic

9) Illegally obtaining and using confidential information about a person for economic gain is known as
A) eavesdropping.
B) identity theft.
C) packet sniffing.
D) piggybacking.
Answer:
Page Ref: 156
Objective: Learning Objective 2
Difficulty : Easy
AACSB: Analytic
10) Tapping into a communications line and then entering the system by accompanying a legitimate user without their knowledge is called
A) superzapping.
B) data leakage.
C) hacking.
D) piggybacking.
Answer:
Page Ref: 153
Objective: Learning Objective 1
Difficulty : Easy
AACSB: Analytic

11) Which of the following is not a method of identify theft?
A) Scavenging
B) Phishing
C) Shoulder surfing
D) Phreaking
Answer:
Page Ref: 154
Objective: Learning Objective 1
Difficulty : Easy
AACSB: Analytic

12) Which method of fraud is physical in its nature rather than electronic?
A) cracking
B) hacking
C) eavesdropping
D) scavenging
Answer:
Page Ref: 159
Objective: Learning Objective 2
Difficulty : Easy
AACSB: Analytic

13) Which of the following is the easiest method for a computer criminal to steal output without ever being on the premises?
A) dumpster diving
B) by use of a Trojan horse
C) using a telescope to peer at paper reports
D) electronic eavesdropping on computer monitors
Answer:
Page Ref: 159
Objective: Learning Objective 2
Difficulty : Easy
AACSB: Analytic
14) The deceptive method by which a perpetrator gains access to the system by pretending to be an authorized user is called
A) cracking.
B) masquerading.
C) hacking.
D) superzapping.
Answer:
Page Ref: 153
Objective: Learning Objective 1
Difficulty : Easy
AACSB: Analytic

15) The unauthorized access to, and use of, computer systems is known as
A) hacking.
B) hijacking.
C) phreaking.
D) sniffing.
Answer:
Page Ref: 149
Objective: Learning Objective 1
Difficulty : Easy
AACSB: Analytic

16) A fraud technique that slices off tiny amounts from many projects is called the ________ technique.
A) Trojan horse
B) round down
C) salami
D) trap door
Answer:
Page Ref: 154
Objective: Learning Objective 1
Difficulty : Easy
AACSB: Analytic
17) Data diddling is
A) gaining unauthorized access to and use of computer systems, usually by means of a personal computer and a telecommunications network.
B) unauthorized copying of company data such as computer files.
C) unauthorized access to a system by the perpetrator pretending to be an authorized user.
D) changing data before, during, or after it is entered into the system in order to delete, alter, or add key system data.
Answer:
Page Ref: 154
Objective: Learning Objective 1
Difficulty : Easy
AACSB: Analytic

18) Spyware is
A) software that tells the user if anyone is spying on his computer.
B) software that monitors whether spies are looking at the computer.
C) software that monitors computing habits and sends the data it gathers to someone else.
D) none of the above
Answer:
Page Ref: 159
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic

19) The unauthorized use of special system programs to bypass regular system controls and perform illegal act is called
A) a Trojan horse.
B) a trap door.
C) the salami technique.
D) superzapping.
Answer:
Page Ref: 162
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic

20) Computer fraud perpetrators that modify programs during systems development, allowing access into the system that bypasses normal system controls are using
A) a Trojan horse.
B) a trap door.
C) the salami technique.
D) superzapping.
Answer:
Page Ref: 162
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic

21) A fraud technique that allows a perpetrator to bypass normal system controls and enter a secured system is called
A) superzapping.
B) data diddling.
C) using a trap door.
D) piggybacking.
Answer:
Page Ref: 162
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic

22) A set of unauthorized computer instructions in an otherwise properly functioning program is known as a
A) logic bomb.
B) spyware.
C) trap door.
D) Trojan horse.
Answer:
Page Ref: 161
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic
23) A ________ is similar to a ________, except that it is a program rather than a code segment hidden in a host program.
A) worm; virus
B) Trojan horse; worm
C) worm; Trojan horse
D) virus; worm
Answer:
Page Ref: 163
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic

24) Wally Hewitt is an accountant with a large accounting firm. The firm has a very strict policy of requiring all users to change their passwords every sixty days. In early March, Wally received an email from the firm that explained that there had been an error updating his password and that provided a link to a Web site with instructions for re-entering his password. Something about the email made Wally suspicious, so he called the firm’s information technology department and found that the email was fictitious. The email was an example of
A) social engineering.
B) phishing.
C) piggybacking.
D) spamming.
Answer:
Page Ref: 157
Objective: Learning Objective 2
Difficulty : Easy
AACSB: Analytic

25) Developers of computer systems often include a user name and password that is hidden in the system, just in case they need to get into the system and correct problems in the future. This is referred to as a
A) Trojan horse.
B) key logger.
C) spoof.
D) back door.
Answer:
Page Ref: 162
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic
26) In the 1960s, techniques were developed that allowed individuals to fool the phone system into providing free access to long distance phone calls. The people who use these methods are referred to as
A) phreakers.
B) hackers.
C) hijackers.
D) superzappers.
Answer:
Page Ref: 154
Objective: Learning Objective 1
Difficulty : Easy
AACSB: Analytic

27) During a routine audit, a review of cash receipts and related accounting entries revealed discrepancies. Upon further analysis, it was found that figures had been entered correctly and then subsequently changed, with the difference diverted to a fictitious customer account. This is an example of
A) kiting.
B) data diddling.
C) data leakage.
D) phreaking.
Answer:
Page Ref: 154
Objective: Learning Objective 1
Difficulty : Easy
AACSB: Analytic

28) It was late on a Friday afternoon when Troy Willicott got a call at the help desk for Taggitt Finances. A man with an edge of panic clearly discernible in his voice was on the phone. “I’m really in a bind and I sure hope that you can help me.” He identified himself as Chet Frazier from the Accounting Department. He told Troy that he had to work on a report that was due on Monday morning and that he had forgotten to bring a written copy of his new password home with him. Troy knew that Taggitt’s new password policy, that required that passwords must be at least fifteen characters long, must contain letters and numbers, and must be changed every sixty days, had created problems. Consequently, Troy provided the password, listened as it was read back to him, and was profusely thanked before ending the call. The caller was not Chet Frazier, and Troy Willicott was a victim of
A) phreaking.
B) war dialing.
C) identity theft.
D) social engineering.
Answer:
Page Ref: 156
Objective: Learning Objective 2
Difficulty : Easy
AACSB: Analytic
29) Chiller451 was chatting online with 3L3tCowboy. “I can’t believe how lame some people are! 🙂 I can get into any system by checking out the company web site to see how user names are defined and who is on the employee directory. Then, all it takes is brute force to find the password.” Chiller451 is a ________ and the fraud he is describing is ________.
A) phreaker; dumpster diving
B) hacker; social engineering
C) phreaker; the salami technique
D) hacker; password cracking
Answer:
Page Ref: 153
Objective: Learning Objective 1
Difficulty : Moderate
AACSB: Analytic

30) After graduating from college with a communications degree, Sylvia Placer experienced some difficulty in finding full-time employment. She free-lanced during the summer as a writer and then started a blog in the fall. Shortly thereafter she was contacted by Clickadoo Online Services, who offered to pay her to promote their clients by mentioning them in her blog and linking to their Web sites. She set up several more blogs for this purpose and is now generating a reasonable level of income. She is engaged in
A) Bluesnarfing.
B) splogging.
C) vishing.
D) typosquatting.
Answer:
Page Ref: 150
Objective: Learning Objective 1
Difficulty : Easy
AACSB: Analytic

31) Telefarm Industries is a telemarketing firm that operates in the Midwest. The turnover rate among employees is quite high. Recently, the information technology manager discovered that an unknown employee had used a Bluetooth-enabled mobile phone to access the firm’s database and copy a list of customers from the past three years that included credit card information. Telefarm was a victim of
A) Bluesnarfing.
B) splogging.
C) vishing.
D) typosquatting.
Answer:
Page Ref: 165
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic
32) Jim Chan decided to Christmas shop online. He linked to Amazon.com, found a perfect gift for his daughter, registered, and placed his order. It was only later that he noticed that the Web site’s URL was actually Amazom.com. Jim was a victim of
A) Bluesnarfing.
B) splogging.
C) vishing.
D) typosquatting.
Answer:
Page Ref: 158
Objective: Learning Objective 2
Difficulty : Easy
AACSB: Analytic

33) Computers that are part of a botnet and are controlled by a bot herder are referred to as
A) posers.
B) zombies.
C) botsquats.
D) evil twins.
Answer:
Page Ref: 150
Objective: Learning Objective 1
Difficulty : Easy
AACSB: Analytic

34) Jiao Jan had been the Web master for Folding Squid Technologies for only three months when the Web site was inundated with access attempts. The only solution was to shut down the site and then selectively open it to access from certain Web addresses. FST suffered significant losses during the period. The company had been the victim of a(an)
A) denial-of-service attack.
B) zero-day attack.
C) malware attack.
D) cyber-extortion attack.
Answer:
Page Ref: 150
Objective: Learning Objective 1
Difficulty : Easy
AACSB: Analytic
35) Jiao Jan had been the Web master for Folding Squid Technologies for only three months when he received an anonymous email that threatened to inundate the company Web site with access attempts unless a payment was wired to an account in Eastern Europe. Jiao was concerned that FST would suffer significant losses if the threat was genuine. The author of the email was engaged in
A) a denial-of-service attack.
B) Internet terrorism.
C) hacking.
D) cyber-extortion.
Answer:
Page Ref: 154
Objective: Learning Objective 1
Difficulty : Easy
AACSB: Analytic

36) Mo Chauncey was arrested in Emporia, Kansas, on February 29, 2008, for running an online business that specialized in buying and reselling stolen credit card information. Mo was charged with
A) typosquatting.
B) carding.
C) pharming.
D) phishing.
Answer:
Page Ref: 158
Objective: Learning Objective 2
Difficulty : Easy
AACSB: Analytic

37) I work in the information technology department of a company I’ll call CMV. On Wednesday morning, I arrived at work, scanned in my identity card and punched in my code. This guy in a delivery uniform came up behind me carrying a bunch of boxes. I opened the door for him, he nodded and went on in. I didn’t think anything of it until later. Then I wondered if he might have been
A) pretexting.
B) piggybacking.
C) posing.
D) spoofing.
Answer:
Page Ref: 153
Objective: Learning Objective 1
Difficulty : Easy
AACSB: Analytic
38) The call to tech support was fairly routine. A first-time computer user had purchased a brand new PC two months ago and it was now operating much more slowly and sluggishly than it had at first. Had he been accessing the Internet? Yes. Had he installed any “free” software? Yes. The problem is likely to be a(an)
A) virus.
B) zero-day attack.
C) denial of service attack.
D) dictionary attack.
Answer:
Page Ref: 163
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic

39) In November of 2005 it was discovered that many of the new CDs distributed by Sony BMG installed software when they were played on a computer. The software was intended to protect the CDs from copying. Unfortunately, it also made the computer vulnerable to attack by malware run over the Internet. The scandal and resulting backlash was very costly. The software installed by the CDs is a
A) virus.
B) worm.
C) rootkit.
D) squirrel.
Answer:
Page Ref: 162
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic

40) Which of the following would be least effective to reduce exposure to a computer virus?
A) Only transfer files between employees with USB flash drives.
B) Install and frequently update antivirus software.
C) Install all new software on a stand-alone computer for until it is tested.
D) Do not open email attachments from unknown senders.
Answer:
Page Ref: 164
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
41) Which of the following is not an example of social engineering?
A) Obtaining and using another person’s Social Security Number, credit card, or other confidential information
B) Creating phony Web sites with names and URL addresses very similar to legitimate Web sites in order to obtain confidential information or to distribute malware or viruses
C) Using email to lure victims into revealing passwords or user IDs
D) Setting up a computer in a way that allows the user to use a neighbors unsecured wireless network
Answer:
Page Ref: 156-159
Objective: Learning Objective 2
Difficulty : Moderate
AACSB: Analytic

42) How can a system be protected from viruses?

43) Describe at least six computer attacks and abuse techniques.

44) Describe at least four social engineering techniques.

45) Describe the differences between a worm and a virus?

Accounting Information Systems, 12e (Romney/Steinbart)
Chapter 7 Control and Accounting Information Systems

1) What is one reason why AIS threats are increasing?
A) LANs and client/server systems are easier to control than centralized, mainframe systems.
B) Many companies do not realize that data security is crucial to their survival.
C) Computer control problems are often overestimated and overly emphasized by management.
D) Many companies believe that protecting information is a strategic requirement.
Answer:
Page Ref: 184
Objective: Learning Objective 1
Difficulty : Easy
AACSB: Analytic

2) Which of the following is not one of the risk responses identified in the COSO Enterprise Risk Management Framework?
A) Monitoring
B) Avoidance
C) Acceptance
D) Sharing
Answer:
Page Ref: 193
Objective: Learning Objective 6
Difficulty : Easy
AACSB: Analytic

3) A control procedure designed so that the employee that records cash received from customers does not also have access to the cash itself is an example of a(n)
A) preventive control.
B) detective control.
C) corrective control.
D) authorization control.
Answer:
Page Ref: 185
Objective: Learning Objective 1
Difficulty : Moderate
AACSB: Reflective Thinking

4) At a movie theater box office, all tickets are sequentially prenumbered. At the end of each day, the beginning ticket number is subtracted from the ending number to calculate the number of tickets sold. Then, ticket stubs collected at the theater entrance are counted and compared with the number of tickets sold. Which of the following situations does this control detect?
A) Some customers presented tickets purchased on a previous day when there wasn’t a ticket taker at the theater entrance (so the tickets didn’t get torn.)
B) A group of kids snuck into the theater through a back door when customers left after a show.
C) The box office cashier accidentally gives too much change to a customer.
D) The ticket taker admits his friends without tickets.
Answer:
Page Ref: 199-200
Objective: Learning Objective 7
Difficulty : Moderate
AACSB: Reflective Thinking

5) At a movie theater box office, all tickets are sequentially prenumbered. At the end of each day, the beginning ticket number is subtracted from the ending number to calculate the number of tickets sold. Cash is counted and compared with the number of tickets sold. Which of the following situations does this control detect?
A) Some customers presented tickets purchased on a previous day when there wasn’t a ticket taker at the theater entrance (so the tickets didn’t get torn.)
B) A group of kids snuck into the theater through a back door when customers left after a show.
C) The box office cashier accidentally gives too much change to a customer.
D) The ticket taker admits his friends without tickets.
Answer:
Page Ref: 199-200
Objective: Learning Objective 7
Difficulty : Moderate
AACSB: Reflective Thinking

6) Which of the following is an example of a preventive control?
A) approving customer credit prior to approving a sales order
B) reconciling the bank statement to the cash control account
C) counting inventory on hand and comparing counts to the perpetual inventory records
D) maintaining frequent backup records to prevent loss of data
Answer:
Page Ref: 185
Objective: Learning Objective 1
Difficulty : Moderate
AACSB: Analytic

7) Independent checks on performance include all the following except
A) data input validation checks.
B) reconciling hash totals.
C) preparing a trial balance report.
D) supervisor review of journal entries and supporting documentation.
Answer:
Page Ref: 200
Objective: Learning Objective 7
Difficulty : Easy
AACSB: Analytic

8) A computer operator is allowed to work as a programmer on a new payroll software project. Does this create a potential internal control problem?
A) Yes, the computer operator could alter the payroll program to increase her salary.
B) Yes, this is a potential problem unless the computer operator is supervised by the payroll manager.
C) No, ideal segregation of duties is not usually possible, and operators are often the best at programming changes and updates.
D) No, as long as the computer operator separately accounts for hours worked in programming and in operations.
Answer:
Page Ref: 198
Objective: Learning Objective 7
Difficulty : Moderate
AACSB: Analytic

9) One of the objectives of the segregation of duties is to
A) make sure that different people handle different parts of the same transaction.
B) ensure that no collusion will occur.
C) make sure that different people handle different transactions.
D) achieve an optimal division of labor for efficient operations.
Answer:
Page Ref: 196
Objective: Learning Objective 7
Difficulty : Moderate
AACSB: Analytic
10) Pam is a receptionist for Dunderhead Paper Co., which has strict corporate policies on appropriate use of corporate resources. The first week of August, Pam saw Michael, the branch manager, putting pencils, pens, erasers, paper and other supplies into his briefcase on his way out the door. This situation best reflects a weakness in which aspect of internal environment, as discussed in the COSO Enterprise Risk Management Framework?
A) Integrity and ethical values
B) Risk management philosophy
C) Restrict access to assets
D) Methods of assigning authority and responsibility
Answer:
Page Ref: 189
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic

11) Which of the following statements is true?
A) Internal auditors, rather than external auditors, can conduct evaluations of effectiveness of Enterprise Risk Management processes.
B) Re-adding the total of a batch of invoices and comparing the total with the first total you calculated is an example of an independent check.
C) Requiring two signatures on checks over $20,000 is an example of segregation of duties.
D) Although forensic specialists utilize computers, only people can accurately identify fraud.
Answer:
Page Ref: 201
Objective: Learning Objective 7
Difficulty : Difficult
AACSB: Reflective Thinking

12) Of the following examples of fraud, which will be the most difficult to prevent and detect? Assume the company enforces adequate segregation of duties.
A) Jim issues credit cards to him and Marie, and when the credit card balances are just under $1,000, Marie writes off the accounts as bad debt. Jim then issues new cards.
B) An employee puts inventory behind the dumpster while unloading a vendor’s delivery truck, then picks up the inventory later in the day and puts it in her car.
C) A mail room employee steals a check received from a customer and destroys the documentation.
D) The accounts receivable clerk does not record sales invoices for friends or family, so they can receive free goods.
Answer:
Page Ref: 197
Objective: Learning Objective 7
Difficulty : Difficult
AACSB: Reflective Thinking
13) According to The Sarbanes-Oxley Act of 2002, the audit committee of the board of directors is directly responsible for
A) hiring and firing the external auditors.
B) performing tests of the company’s internal control structure.
C) certifying the accuracy of the company’s financial reporting process.
D) overseeing day-to-day operations of the internal audit department.
Answer:
Page Ref: 186
Objective: Learning Objective 1
Difficulty : Moderate
AACSB: Analytic

14) Go-Go Corporation, a publicly traded company, has three brothers who serve as President, Vice President of Finance and CEO. This situation
A) increases the risk associated with an audit.
B) must be changed before your audit firm could accept the audit engagement.
C) is a violation of the Sarbanes-Oxley Act.
D) violates the Securities and Exchange Act.
Answer:
Page Ref: 193
Objective: Learning Objective 6
Difficulty : Easy
AACSB: Analytic

15) Which of the following is a control related to design and use of documents and records?
A) Sequentially prenumbering sales invoices
B) Comparing physical inventory counts with perpetual inventory records
C) Reconciling the bank statement to the general ledger
D) Locking blank checks in a drawer or safe
Answer:
Page Ref: 199
Objective: Learning Objective 7
Difficulty : Easy
AACSB: Analytic
16) Which of the following duties could be performed by the same individual without violating segregation of duties controls?
A) Approving accounting software change requests and testing production scheduling software changes
B) Programming new code for accounting software and testing accounting software upgrades
C) Approving software changes and implementing the upgraded software
D) Managing accounts payable function and revising code for accounting software to more efficiently process discount due dates on vendor invoices
Answer:
Page Ref: 198
Objective: Learning Objective 7
Difficulty : Moderate
AACSB: Reflective Thinking

17) With a limited work force and a desire to maintain strong internal control, which combination of duties would result in the lowest risk exposure?
A) Updating the inventory subsidiary ledgers and recording purchases in the purchases journal
B) Approving a sales return on a customer’s account and depositing customers’ checks in the bank
C) Updating the general ledger and working in the inventory warehouse
D) Entering payments to vendors in the cash disbursements journal and entering cash received from customers in the cash receipts journal
Answer:
Page Ref: 196-197
Objective: Learning Objective 7
Difficulty : Moderate
AACSB: Reflective Thinking

18) Which of the following is not a factor of internal environment according to the COSO Enterprise Risk Management Framework?
A) Analyzing past financial performance and reporting
B) Providing sufficient resources to knowledgeable employees to carry out duties
C) Disciplining employees for violations of expected behavior
D) Setting realistic targets for long-term performance
Answer:
Page Ref: 188
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
19) Which of the following suggests a weakness in a company’s internal environment?
A) The audit committee regularly meets with the external auditors.
B) The Board of Directors is primarily independent directors.
C) The company has an up-to-date organizational chart.
D) Formal employee performance evaluations are prepared every three years.
Answer:
Page Ref: 191
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic

20) Which of the following statements about internal environment is false?
A) Management’s attitudes toward internal control and ethical behavior have only minimal impact on employee beliefs or actions.
B) Supervision is especially important in organizations that cannot afford elaborate responsibility reporting or are too small to have adequate segregation of duties.
C) An overly complex or unclear organizational structure may be indicative of more serious problems.
D) A written policy and procedures manual is an important tool for assigning authority and responsibility.
Answer:
Page Ref: 189
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Reflective Thinking

21) Which of the following is not a reason for the increase in security problems for AIS?
A) Confidentiality issues caused by interlinked inter-company networks
B) Difficult to control distributed computing networks
C) Increasing efficiency resulting from more automation
D) Increasing numbers of information systems and users
Answer:
Page Ref: 184
Objective: Learning Objective 1
Difficulty : Easy
AACSB: Analytic

22) One reason why many organizations do not adequately protect their systems is because
A) control problems may be overestimated by many companies.
B) productivity and cost cutting cause management to forgo implementing and maintaining internal controls.
C) control technology has not yet been developed.
D) all of the above
Answer:
Page Ref: 184
Objective: Learning Objective 1
Difficulty : Easy
AACSB: Analytic

23) Accountants must try to protect the AIS from threats. Which of the following would be a measure that should be taken?
A) Take a proactive approach to eliminate threats.
B) Detect threats that do occur.
C) Correct and recover from threats that do occur.
D) All of the above are proper measures for the accountant to take.
Answer:
Page Ref: 185
Objective: Learning Objective 1
Difficulty : Easy
AACSB: Analytic

24) The process that a business uses to safeguard assets, provide accurate and reliable information, and promote and improve operational efficiency is known as
A) a phenomenon.
B) internal control.
C) an AIS threat.
D) a preventive control.
Answer:
Page Ref: 184
Objective: Learning Objective 1
Difficulty : Easy
AACSB: Analytic
25) Safeguarding assets is one of the control objectives of internal control. Which of the following is not one of the other control objectives?
A) providing accurate and reliable information
B) promoting operational efficiency
C) ensuring that no fraud has occurred
D) encouraging adherence to management policies
Answer:
Page Ref: 184
Objective: Learning Objective 1
Difficulty : Easy
AACSB: Analytic

26) Internal control is often referred to as a(n) ________, because it permeates an organization’s operating activities and is an integral part of management activities.
A) event
B) activity
C) process
D) system
Answer:
Page Ref: 184
Objective: Learning Objective 1
Difficulty : Easy
AACSB: Analytic

27) Which of the following is accomplished by corrective controls?
A) Identify the cause of the problem.
B) Correct the resulting errors.
C) Modify the system to prevent future occurrences of the problem.
D) All of the above are accomplished by corrective controls.
Answer:
Page Ref: 185
Objective: Learning Objective 1
Difficulty : Easy
AACSB: Analytic

28) Duplicate checking of calculations is an example of a ________ control, and procedures to resubmit rejected transactions is an example of a ________ control.
A) corrective; detective
B) detective; corrective
C) preventive; corrective
D) detective; preventive
Answer:
Page Ref: 185
Objective: Learning Objective 1
Difficulty : Easy
AACSB: Analytic
29) What is not a corrective control procedure?
A) Identify the cause of a problem.
B) Deter problems before they arise.
C) Correct resulting errors or difficulties.
D) Modify the system so that future problems are minimized or eliminated.
Answer:
Page Ref: 185
Objective: Learning Objective 1
Difficulty : Easy
AACSB: Analytic

30) ________ controls are designed to make sure an organization’s control environment is stable and well managed.
A) Application
B) Detective
C) General
D) Preventive
Answer:
Page Ref: 185
Objective: Learning Objective 1
Difficulty : Easy
AACSB: Analytic

31) ________ controls prevent, detect and correct transaction errors and fraud.
A) Application
B) Detective
C) General
D) Preventive
Answer:
Page Ref: 185
Objective: Learning Objective 1
Difficulty : Easy
AACSB: Analytic

32) The primary purpose of the Foreign Corrupt Practices Act of 1977 was
A) to require corporations to maintain a good system of internal control.
B) to prevent the bribery of foreign officials by American companies.
C) to require the reporting of any material fraud by a business.
D) All of the above are required by the act.
Answer:
Page Ref: 185
Objective: Learning Objective 1
Difficulty : Easy
AACSB: Analytic
33) Congress passed this federal law for the purpose of preventing financial statement fraud, to make financial reports more transparent and to strengthen the internal control of public companies.
A) Foreign Corrupt Practices Act of 1977
B) The Securities Exchange Act of 1934
C) The Sarbanes-Oxley Act of 2002
D) The Control Provision of 1998
Answer:
Page Ref: 185
Objective: Learning Objective 1
Difficulty : Easy
AACSB: Analytic

34) Which of the following is not one of the important aspects of the Sarbanes-Oxley Act?
A) The creation of the Public Company Accounting Oversight Board
B) New rules for auditors and management
C) New roles for audit committees
D) New rules for information systems development
Answer:
Page Ref: 186
Objective: Learning Objective 1
Difficulty : Easy
AACSB: Analytic

35) A(n) ________ helps employees act ethically by setting limits beyond which an employee must not pass.
A) boundary system
B) diagnostic control system
C) interactive control system
D) internal control system
Answer:
Page Ref: 185
Objective: Learning Objective 1
Difficulty : Easy
AACSB: Analytic
36) A(n) ________ measures company progress by comparing actual performance to planned performance.
A) boundary system
B) diagnostic control system
C) interactive control system
D) internal control system
Answer:
Page Ref: 185
Objective: Learning Objective 1
Difficulty : Easy
AACSB: Analytic

37) A(n) ________ helps top-level managers with high-level activities that demand frequent and regular attention.
A) boundary system
B) diagnostic control system
C) interactive control system
D) internal control system
Answer:
Page Ref: 185
Objective: Learning Objective 1
Difficulty : Easy
AACSB: Analytic

38) This control framework addresses the issue of control from three vantage points: business objectives, information technology resources, and information technology processes.
A) ISACA’s control objectives for information and related technology
B) COSO’s internal control framework
C) COSO’s enterprise risk management framework
D) none of the above
Answer:
Page Ref: 186
Objective: Learning Objective 2
Difficulty : Easy
AACSB: Analytic
39) This control framework’s intent includes helping the organization to provide reasonable assurance that objectives are achieved and problems are minimized, and to avoid adverse publicity and damage to the organization’s reputation.
A) ISACA’s control objectives for information and related technology
B) COSO’s internal control framework
C) COSO’s enterprise risk management framework
D) none of the above
Answer:
Page Ref: 187
Objective: Learning Objective 2
Difficulty : Easy
AACSB: Analytic

40) The COSO Enterprise Risk Management Framework includes eight components. Which of the following is not one of them?
A) control environment
B) risk assessment
C) compliance with federal, state, or local laws
D) monitoring
Answer:
Page Ref: 188
Objective: Learning Objective 2
Difficulty : Easy
AACSB: Analytic

41) Which of the following is not one of the eight interrelated risk and control components of COSO Enterprise Risk Management Framework?
A) Internal environment
B) Monitoring
C) Risk response
D) Event assessment
Answer:
Page Ref: 188
Objective: Learning Objective 2
Difficulty : Moderate
AACSB: Analytic

42) The COSO Enterprise Risk Management Integrated Framework stresses that
A) risk management activities are an inherent part of all business operations and should be considered during strategy setting.
B) effective risk management is comprised of just three interrelated components; internal environment, risk assessment, and control activities.
C) risk management is the sole responsibility of top management.
D) risk management policies, if enforced, guarantee achievement of corporate objectives.
Answer:
Page Ref: 187
Objective: Learning Objective 2
Difficulty : Moderate
AACSB: Analytic

43) Which of the following would be considered a “red flag” for problems with management operating style if the question were answered “yes”?
A) Does management take undue business risks to achieve its objectives?
B) Does management attempt to manipulate performance measures such as net income?
C) Does management pressure employees to achieve results regardless of the methods?
D) All of the above statements would raise “red flags” if answered “yes.”
Answer:
Page Ref: 189
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic

44) Which component of the COSO Enterprise Risk Management Integrated Framework is concerned with understanding how transactions are initiated, data are captured and processed, and information is reported?
A) Information and communication
B) Internal environment
C) Event identification
D) Objective setting
Answer:
Page Ref: 201
Objective: Learning Objective 8
Difficulty : Easy
AACSB: Analytic
45) The COSO Enterprise Risk Management Integrated Framework identifies four objectives necessary to achieve corporate goals. Objectives specifically identified include all of the following except
A) implementation of newest technologies.
B) compliance with laws and regulations.
C) effective and efficient operations.
D) reliable reporting.
Answer:
Page Ref: 192
Objective: Learning Objective 4
Difficulty : Easy
AACSB: Analytic

46) The audit committee of the board of directors
A) is usually chaired by the CFO.
B) conducts testing of controls on behalf of the external auditors.
C) provides a check and balance on management.
D) does all of the above.
Answer:
Page Ref: 189
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic

47) The audit committee is responsible for
A) overseeing the internal control structure.
B) overseeing the financial reporting process.
C) working with the internal and external auditors.
D) All of the above are responsibilities.
Answer:
Page Ref: 189
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic

48) The definition of the lines of authority and responsibility and the overall framework for planning, directing, and controlling is laid out by the
A) control activities
B) organizational structure
C) budget framework
D) internal environment
Answer:
Page Ref: 190
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic
49) Reducing management layers, creating self-directed work teams, and emphasizing continuous improvement are all related to which aspect of internal environment?
A) Organizational structure
B) Methods of assigning authority and responsibility
C) Management philosophy and operating style
D) Commitment to competence
Answer:
Page Ref: 190
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic

50) Personnel policies such as background checks, mandatory vacations, and rotation of duties tend to deter
A) unintentional errors.
B) employee fraud or embezzlement.
C) fraud by outsiders.
D) disgruntled employees.
Answer:
Page Ref: 190-191
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic

51) The SEC and FASB are best described as external influences that directly affect an organization’s
A) hiring practices.
B) philosophy and operating style.
C) internal environment.
D) methods of assigning authority.
Answer:
Page Ref: 192
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic
52) Which attribute below is not an aspect of the COSO ERM Framework internal environment?
A) Enforcing a written code of conduct
B) Holding employees accountable for achieving objectives
C) Restricting access to assets
D) Avoiding unrealistic expectations
Answer:
Page Ref: 188
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic

53) The amount of risk a company is willing to accept in order to achieve its goals and objectives is
A) Inherent risk
B) Residual risk
C) Risk appetite
D) Risk assessment
Answer:
Page Ref: 189
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic

54) The risk that remains after management implements internal controls is
A) Inherent risk
B) Residual risk
C) Risk appetite
D) Risk assessment
Answer:
Page Ref: 193
Objective: Learning Objective 6
Difficulty : Easy
AACSB: Analytic

55) The risk that exists before management takes any steps to control the likelihood or impact of a risk is
A) Inherent risk
B) Residual risk
C) Risk appetite
D) Risk assessment
Answer:
Page Ref: 193
Objective: Learning Objective 6
Difficulty : Easy
AACSB: Analytic
56) When undertaking risk assessment, the expected loss is calculated like this.
A) Impact times expected loss
B) Impact times likelihood
C) Inherent risk times likelihood
D) Residual risk times likelihood
Answer:
Page Ref: 194
Objective: Learning Objective 6
Difficulty : Easy
AACSB: Analytic

57) Generally in a risk assessment process, the first step is to
A) identify the threats that the company currently faces.
B) estimate the risk probability of negative events occurring.
C) estimate the exposure from negative events.
D) identify controls to reduce all risk to zero.
Answer:
Page Ref: 194
Objective: Learning Objective 6
Difficulty : Easy
AACSB: Analytic

58) Store policy that allows retail clerks to process sales returns for $300 or less, with a receipt dated within the past 60 days, is an example of
A) general authorization.
B) specific authorization.
C) special authorization.
D) generic authorization.
Answer:
Page Ref: 196
Objective: Learning Objective 7
Difficulty : Easy
AACSB: Reflective Thinking

59) Corporate policy that requires a purchasing agent and purchasing department manager to sign off on asset purchases over $1,500 is an example of
A) general authorization.
B) specific authorization.
C) special authorization.
D) generic authorization.
Answer:
Page Ref: 196
Objective: Learning Objective 7
Difficulty : Easy
AACSB: Reflective Thinking
60) A document that shows all projects that must be completed and the related IT needs in order to achieve long-range company goals is known as a
A) performance evaluation.
B) project development plan.
C) data processing schedule.
D) strategic master plan.
Answer:
Page Ref: 198
Objective: Learning Objective 7
Difficulty : Moderate
AACSB: Analytic

61) A ________ is created to guide and oversee systems development and acquisition.
A) performance evaluation
B) project development plan
C) steering committee
D) strategic master plan
Answer:
Page Ref: 198
Objective: Learning Objective 7
Difficulty : Easy
AACSB: Analytic

62) A ________ shows how a project will be completed, including tasks and who will perform them as well as a timeline and cost estimates.
A) performance evaluation
B) project development plan
C) steering committee
D) strategic master plan
Answer:
Page Ref: 198
Objective: Learning Objective 7
Difficulty : Easy
AACSB: Analytic
63) Which of the following is not a violation of the Sarbanes-Oxley Act (SOX)? The management at Folding Squid Technologies
A) asked their auditors to make recommendations for the redesign of their information technology system and to aid in the implementation process.
B) hired the manager from the external audit team as company CFO twelve months after the manager had worked on the audit.
C) selected the company’s Chief Financial Officer to chair the audit committee.
D) did not mention to auditors that the company had experienced significant losses due to fraud during the past year.
Answer:
Page Ref: 186
Objective: Learning Objective 1
Difficulty : Moderate
AACSB: Analytic

64) The Sarbanes-Oxley Act (SOX) applies to
A) all companies with gross annual revenues exceeding $500 million.
B) publicly held companies with gross annual revenues exceeding $500 million.
C) all private and publicly held companies incorporated in the United States.
D) all publicly held companies.
Answer:
Page Ref: 185
Objective: Learning Objective 1
Difficulty : Moderate
AACSB: Analytic

65) Chuck Hewitt was relaxing after work with a colleague at a local watering hole. Well into his second martini, he began expressing his opinions about his company’s budgeting practices. It seems that, as a result of “budget handcuffs” that require managers to explain material deviations from budgeted expenditures, his ability to creatively manage his department’s activities have been curtailed. The level of control that the company is using in this case is a
A) boundary system.
B) belief system.
C) interactive control system.
D) diagnostic control system.
Answer:
Page Ref: 185
Objective: Learning Objective 1
Difficulty : Easy
AACSB: Analytic
66) Chuck Hewitt was relaxing after work with a colleague at a local watering hole. Well into his second martini, he began expressing his opinions about his work environment. It seems that, as a result of “feminazi” interference, the suggestive banter that had been prevalent in the workplace during his youth was no longer acceptable. He even had to sit through a sexual harassment workshop! The level of control that the company is using in this case is a
A) boundary system.
B) belief system.
C) interactive control system.
D) diagnostic control system.
Answer:
Page Ref: 185
Objective: Learning Objective 1
Difficulty : Moderate
AACSB: Analytic

67) River Rafting Adventures of Iowa provides rafts and tour guides to tourists eager to ride the wild rivers of Iowa. Management has determined that there is one chance in a thousand of a client being injured or killed. Settlement of resulting lawsuits has an average cost of $650,000. Insurance with a $50,000 deductible is available. It covers the costs of lawsuits, unless there is evidence of criminal negligence. What is the impact of this risk without insurance?
A) $50,000
B) $650,000
C) $650
D) $50
Answer:
Page Ref: 194
Objective: Learning Objective 6
Difficulty : Easy
AACSB: Analytic

68) River Rafting Adventures of Iowa provides rafts and tour guides to tourists eager to ride the wild rivers of Iowa. Management has determined that there is one chance in a thousand of a client being injured or killed. Settlement of resulting lawsuits has an average cost of $650,000. Insurance with a $50,000 deductible is available. It covers the costs of lawsuits, unless there is evidence of criminal negligence. What is the expected loss without insurance?
A) $50,000
B) $650,000
C) $650
D) $50
Answer:
Page Ref: 194
Objective: Learning Objective 6
Difficulty : Easy
AACSB: Analytic
69) River Rafting Adventures of Iowa provides rafts and tour guides to tourists eager to ride the wild rivers of Iowa. Management has determined that there is one chance in a thousand of a client being injured or killed. Settlement of resulting lawsuits has an average cost of $650,000. Insurance with a $50,000 deductible is available. It covers the costs of lawsuits, unless there is evidence of criminal negligence. What is the expected loss with insurance?
A) $50,000
B) $650,000
C) $650
D) $50
Answer:
Page Ref: 194
Objective: Learning Objective 6
Difficulty : Easy
AACSB: Analytic

70) River Rafting Adventures of Iowa provides rafts and tour guides to tourists eager to ride the wild rivers of Iowa. Management has determined that there is one chance in a thousand of a client being injured or killed. Settlement of resulting lawsuits have an average cost of $650,000. Insurance with a $50,000 deductible is available. It covers the costs of lawsuits, unless there is evidence of criminal negligence. Based on cost-benefit analysis, what is the most that the business should pay for the insurance?
A) $500
B) $650
C) $600
D) $50
Answer:
Page Ref: 194
Objective: Learning Objective 6
Difficulty : Easy
AACSB: Analytic

71) Due to data errors occurring from time to time in processing the Albert Company’s payroll, the company’s management is considering the addition of a data validation control procedure that is projected to reduce the risk of these data errors from 13% to 2%. The cost of the payroll reprocessing is estimated to be $11,000. The cost of implementing the data validation control procedure is expected to be $700. Which of the following statements is true?
A) The data validation control procedure should be implemented because its net estimated benefit is $510.
B) The data validation control procedure should be implemented because its cost of $700 is less than the payroll reprocessing cost of $1,430.
C) The data validation control procedure should not be implemented because its cost of $700 exceeds the expected benefit by $480.
D) The data validation control procedure should not be implemented because its net estimated benefit is a negative $1,210.
Answer:
Page Ref: 194
Objective: Learning Objective 6
Difficulty : Moderate
AACSB: Analytic

72) The organization chart for Geerts Corporation includes a controller and an information processing manager, both of whom report to the vice president of finance. Which of the following would be a control weakness?
A) Assigning the programming and operating of the computer system to an independent control group which reports to the controller
B) Providing for maintenance of input data controls by an independent control group which reports to the controller
C) Periodically rotating assignment of application processing among machine operators, who all report to the information processing manager
D) Providing for review and distribution of system-generated reports by an independent control group which reports to the controller
Answer:
Page Ref: 198
Objective: Learning Objective 7
Difficulty : Moderate
AACSB: Reflective Thinking

73) Global Economic Strategies, L.L.D., has been diligent in ensuring that their operations meet modern control standards. Recently, they have extended their control compliance system by incorporating policies and procedures that require the specification of company objectives, uncertainties associated with objectives, and contingency plans. They are transitioning from a ________ to a ________ control framework.
A) COSO-Integrated Framework; COBIT
B) COBIT; COSO-Integrated Framework
C) COBIT; COSO-ERM
D) COSO-Integrated Framework; COSO-ERM
E) COSO-ERM; COBIT
Answer:
Page Ref: 187-188
Objective: Learning Objective 2
Difficulty : Moderate
AACSB: Reflective Thinking

74) FranticHouse Partners, L.L.C., does home remodeling and repair. All employees are bonded, so the firm’s risk exposure to employee fraud is
A) reduced.
B) shared.
C) avoided.
D) accepted.
Answer:
Page Ref: 193
Objective: Learning Objective 6
Difficulty : Easy
AACSB: Analytic

75) FranticHouse Partners, L.L.C., does home remodeling and repair. The firm does not accept jobs that require the installation of slate or copper roofing because these materials often require costly post-installation services. The firm’s risk exposure to costly post-installation services is
A) reduced.
B) shared.
C) avoided.
D) accepted.
Answer:
Page Ref: 193
Objective: Learning Objective 6
Difficulty : Easy
AACSB: Analytic

76) According to the COSO Enterprise Risk Management Framework, the risk assessment process incorporates all of the following components except
A) reporting potential risks to auditors.
B) identifying events that could impact the enterprise.
C) evaluating the impact of potential events on achievement of objectives.
D) establishing objectives for the enterprise.
Answer:
Page Ref: 193
Objective: Learning Objective 6
Difficulty : Moderate
AACSB: Analytic

77) Ferdinand Waldo Demara was known as the great imposter. He had an astounding ability to convince people that he was who he truly was not. He worked as a naval officer, physician, college teacher, prison warden, and other jobs without any of the prerequisite qualifications. By not diligently checking references, the organizations fooled by Demara (including the Canadian Navy) apparently chose to ________ the risk of fraud.
A) reduce
B) share
C) avoid
D) accept
Answer:
Page Ref: 193
Objective: Learning Objective 6
Difficulty : Easy
AACSB: Analytic

78) Which of the following is an independent check on performance?
A) The Purchasing Agent physically reviews the contents of shipments and compares them with the purchase orders he has placed.
B) Production teams perform quality evaluations of the products that they produce.
C) The General Manager compares budgeted amounts with expenditure records from all departments.
D) Petty cash is disbursed by Fred Haynes. He also maintains records of disbursements, places requests to finance to replace expended funds, and periodically reconciles the petty cash balance.
Answer:
Page Ref: 200
Objective: Learning Objective 7
Difficulty : Easy
AACSB: Analytic

79) Petty cash is disbursed by the Fred Haynes in the Cashier’s Office. He also maintains records of disbursements, places requests to the Finance Department to replace expended funds, and periodically reconciles the petty cash balance. This represents a(an) ________ segregation of duties.
A) effective
B) ideal
C) ineffective
D) limited
Answer:
Page Ref: 196
Objective: Learning Objective 7
Difficulty : Easy
AACSB: Analytic

80) Hiring decisions at Frazier’s Razors are made by Sheila Frazier, the Director of Human Resources. Pay rates are approved by the Vice President for Operations. At the end of each pay period, supervisors submit time cards to Sheila, who prepares paycheck requisitions. Paychecks are then distributed through the company’s mail room. This represents a(an) ________ segregation of duties.
A) effective
B) partial
C) ineffective
D) limited
Answer:
Page Ref: 196
Objective: Learning Objective 7
Difficulty : Moderate
AACSB: Reflective Thinking

81) Change management refers to
A) disbursement controls on petty cash.
B) operational controls applied to companies after mergers or acquisitions.
C) replacement of upper management and their introduction to the organization.
D) controls designed to ensure that updates in information technology do not have negative consequences.
Answer:
Page Ref: 199
Objective: Learning Objective 7
Difficulty : Easy
AACSB: Analytic

82) The Director of Information Technology for the city of Bumpkiss, Minnesota, formed a company to sell computer supplies and software. All purchases made on behalf of the City were made from his company. He was later charged with fraud for overcharging the City, but was not convicted. The control issue in this case arose because the Director had both ________ and ________ duties.
A) custody; authorization
B) custody; recording
C) recording; authorization
D) management; custody
Answer:
Page Ref: 196
Objective: Learning Objective 7
Difficulty : Moderate
AACSB: Reflective Thinking

83) According to the ERM, these help the company address all applicable laws and regulations.
A) Compliance objectives
B) Operations objectives
C) Reporting objectives
D) Strategic objectives
Answer:
Page Ref: 192
Objective: Learning Objective 4
Difficulty : Easy
AACSB: Analytic

84) According to the ERM, high level goals that are aligned with and support the company’s mission are
A) compliance objectives.
B) operations objectives.
C) reporting objectives.
D) strategic objectives.
Answer:
Page Ref: 192
Objective: Learning Objective 4
Difficulty : Easy
AACSB: Analytic
85) According to the ERM, these deal with the effectiveness and efficiency of company operations, such as performance and profitability goals.
A) Compliance objectives
B) Operations objectives
C) Reporting objectives
D) Strategic objectives
Answer:
Page Ref: 192
Objective: Learning Objective 4
Difficulty : Easy
AACSB: Analytic

86) According to the ERM, these objectives help ensure the accuracy, completeness and reliability of internal and external company reports.
A) Compliance objectives
B) Operations objectives
C) Reporting objectives
D) Strategic objectives
Answer:
Page Ref: 192
Objective: Learning Objective 4
Difficulty : Easy
AACSB: Analytic

87) Which of the following is not a risk reduction element of a disaster recovery plan?
A) Identification of alternate work site
B) Off-site storage of backup files and programs
C) Documentation of procedures and responsibilitie
D) Adequate casualty insurance
Answer:
Page Ref: 193
Objective: Learning Objective 6
Difficulty : Difficult
AACSB: Reflective Thinking
88) Describe the differences between general and specific authorization.

89) Explain how a company could be the victim of fraud, even if ideal segregation of duties is enforced.

90) Classify each of the following controls as preventive, detective, or corrective.
Periodic bank reconciliation
Separation of cash and accounting records
Maintaining backup copies of master and transaction files
Pre-numbering of sales invoices
Chart of accounts
Retina scan before entering a sensitive R & D facility
Resubmission of error transactions for subsequent processing
Internal auditor rechecking the debits and credits on the payment voucher
Depositing all cash receipts intact
Hiring qualified accounting personnel

91) Discuss four reasons why AIS threats are increasing.

92) Explain why the Foreign Corrupt Practices Act was important to accountants.

93) Discuss the internal environment and identify the elements that comprise the internal environment.

94) Explain why management’s philosophy and operating style are considered to be the most important element of the internal environment.

95) What are some of the ways to assign authority and responsibility within an organization?

96) Discuss the weaknesses in COSO’s internal control framework that led to the development of the COSO Enterprise Risk Management framework.

Accounting Information Systems, 12e (Romney/Steinbart)
Chapter 8 Information Systems Controls for System ReliabilityPart 1: Information Security

1) The Trust Services Framework reliability principle that states that users must be able to enter, update, and retrieve data during agreed-upon times is known as
A) availability.
B) security.
C) maintainability.
D) integrity.
Answer:
Page Ref: 221
Objective: Learning Objective 1
Difficulty : Easy
AACSB: Analytic

2) Which of the following is not a useful control procedure to control access to system outputs?
A) Allowing visitors to move through the building without supervision
B) Coding reports to reflect their importance
C) Requiring employees to log out of applications when leaving their desk
D) Restricting access to rooms with printers
Answer:
Page Ref: 229
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic

3) According to the Trust Services Framework, the reliability principle of integrity is achieved when the system produces data that
A) is available for operation and use at times set forth by agreement.
B) is protected against unauthorized physical and logical access.
C) can be maintained as required without affecting system availability, security, and integrity.
D) is complete, accurate, and valid.
Answer:
Page Ref: 221
Objective: Learning Objective 1
Difficulty : Easy
AACSB: Analytic
4) Which of the following is not one of the three fundamental information security concepts?
A) Information security is a technology issue based on prevention.
B) Security is a management issue, not a technology issue.
C) The idea of defense-in-depth employs multiple layers of controls.
D) The time-based model of security focuses on the relationship between preventive, detective and corrective controls.
Answer:
Page Ref: 222-224
Objective: Learning Objective 2
Difficulty : Easy
AACSB: Analytic

5) Which of the following is not one of the essential criteria for successfully implementing each of the principles that contribute to systems reliability, as discussed in the Trust Services Framework?
A) Developing and documenting policies
B) Effectively communicating policies to all outsiders
C) Designing and employing appropriate control procedures to implement policies
D) Monitoring the system and taking corrective action to maintain compliance with policies
Answer:
Page Ref: 223
Objective: Learning Objective 2
Difficulty : Easy
AACSB: Analytic

6) If the time an attacker takes to break through the organization’s preventive controls is greater than the sum of the time required to detect the attack and the time required to respond to the attack, then security is
A) effective.
B) ineffective.
C) overdone.
D) undermanaged.
Answer:
Page Ref: 224
Objective: Learning Objective 2
Difficulty : Moderate
AACSB: Analytic
7) Verifying the identity of the person or device attempting to access the system is
A) authentication.
B) authorization.
C) identification.
D) threat monitoring.
Answer:
Page Ref: 226
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic

8) Restricting access of users to specific portions of the system as well as specific tasks, is
A) authentication.
B) authorization.
C) identification.
D) threat monitoring.
Answer:
Page Ref: 228
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic

9) Which of the following is an example of a preventive control?
A) Encryption
B) Log analysis
C) Intrusion detection
D) Emergency response teams
Answer:
Page Ref: 228
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic

10) Which of the following is an example of a detective control?
A) Physical access controls
B) Encryption
C) Log analysis
D) Emergency response teams
Answer:
Page Ref: 237
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic
11) Which of the following is an example of a corrective control?
A) Physical access controls
B) Encryption
C) Intrusion detection
D) Incident response teams
Answer:
Page Ref: 239
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic

12) Which of the following is not a requirement of effective passwords?
A) Passwords should be changed at regular intervals.
B) Passwords should be no more than 8 characters in length.
C) Passwords should contain a mixture of upper and lowercase letters, numbers and characters.
D) Passwords should not be words found in dictionaries.
Answer:
Page Ref: 227
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic

13) Multi-factor authentication
A) involves the use of two or more basic authentication methods.
B) is a table specifying which portions of the systems users are permitted to access.
C) provides weaker authentication than the use of effective passwords.
D) requires the use of more than one effective password.
Answer:
Page Ref: 228
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic

14) An access control matrix
A) does not have to be updated.
B) is a table specifying which portions of the system users are permitted to access.
C) is used to implement authentication controls.
D) matches the user’s authentication credentials to his authorization.
Answer:
Page Ref: 228
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic
15) Perimeter defense is an example of which of the following preventive controls that are necessary to provide adequate security?
A) Training
B) Controlling physical access
C) Controlling remote access
D) Host and application hardening
Answer:
Page Ref: 230
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic

16) Which of the following preventive controls are necessary to provide adequate security for social engineering threats?
A) Controlling remote access
B) Encryption
C) Host and application hardening
D) Awareness training
Answer:
Page Ref: 226
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic

17) A special purpose hardware device or software running on a general purpose computer, which filters information that is allowed to enter and leave the organization’s information system, is known as a(n)
A) demilitarized zone.
B) intrusion detection system.
C) intrusion prevention system.
D) firewall.
Answer:
Page Ref: 230
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic
18) This protocol specifies the procedures for dividing files and documents into packets to be sent over the Internet.
A) Access control list
B) Internet protocol
C) Packet switching protocol
D) Transmission control protocol
Answer:
Page Ref: 231
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic

19) This protocol specifies the structure of packets sent over the internet and the route to get them to the proper destination.
A) Access control list
B) Internet protocol
C) Packet switching protocol
D) Transmission control protocol
Answer:
Page Ref: 231
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic

20) This network access control determines which IP packets are allowed entry to a network and which are dropped.
A) Access control list
B) Deep packet inspection
C) Stateful packet filtering
D) Static packet filtering
Answer:
Page Ref: 233
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic

21) Compatibility tests utilize a(n) ________, which is a list of authorized users, programs, and data files the users are authorized to access or manipulate.
A) validity test
B) biometric matrix
C) logical control matrix
D) access control matrix
Answer:
Page Ref: 228
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic

22) The process that screens individual IP packets based solely on the contents of the source and/or destination fields in the packet header is known as
A) access control list.
B) deep packet inspection.
C) stateful packet filtering.
D) static packet filtering.
Answer:
Page Ref: 233
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic

23) The process that maintains a table that lists all established connections between the organization’s computers and the Internet, to determine whether an incoming packet is part of an ongoing communication initiated by an internal computer is known as
A) access control list.
B) deep packet inspection.
C) stateful packet filtering.
D) static packet filtering.
Answer:
Page Ref: 233
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
24) The process that allows a firewall to be more effective by examining the data in the body of an IP packet, instead of just the header, is known as
A) deep packet inspection.
B) stateful packet filtering.
C) static packet filtering.
D) an intrusion prevention system.
Answer:
Page Ref: 233
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic

25) The security technology that evaluates IP packet traffic patterns in order to identify attacks against a system is known as
A) an intrusion prevention system.
B) stateful packet filtering.
C) static packet filtering.
D) deep packet inspection.
Answer:
Page Ref: 234
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic

26) This is used to identify rogue modems (or by hackers to identify targets).
A) War chalking
B) War dialing
C) War driving
D) none of the above
Answer:
Page Ref: 235
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic

27) The process of turning off unnecessary features in the system is known as
A) deep packet inspection.
B) hardening.
C) intrusion detection.
D) war dialing.
Answer:
Page Ref: 236
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic
28) The most common input-related vulnerability is
A) buffer overflow attack.
B) hardening.
C) war dialing.
D) encryption.
Answer:
Page Ref: 237
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic

29) This creates logs of network traffic that was permitted to pass the firewall.
A) Intrusion detection system
B) Log analysis
C) Penetration test
D) Vulnerability scan
Answer:
Page Ref: 238
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic

30) The process that uses automated tools to identify whether a system possesses any well-known security problems is known as a(n)
A) intrusion detection system.
B) log analysis.
C) penetration test.
D) vulnerability scan.
Answer:
Page Ref: 236
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic

31) This is an authorized attempt by an internal audit team or an external security consultant to attempt to break into the organization’s information system.
A) Intrusion detection system
B) Log analysis
C) Penetration test
D) Vulnerability scan
Answer:
Page Ref: 238
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
32) A well-known hacker started his own computer security consulting business shortly after being released from prison. Many companies pay him to attempt to gain unauthorized access to their network. If he is successful, he offers advice as to how to design and implement better controls. What is the name of the testing for which the hacker is being paid?
A) Penetration test
B) Vulnerability scan
C) Deep packet inspection
D) Buffer overflow test
Answer:
Page Ref: 238
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic

33) The ________ disseminates information about fraud, errors, breaches and other improper system uses and their consequences.
A) chief information officer
B) chief operations officer
C) chief security officer
D) computer emergency response team
Answer:
Page Ref: 240
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic

34) In 2007, a major U.S. financial institution hired a security firm to attempt to compromise its computer network. A week later, the firm reported that it had successfully entered the system without apparent detection and presented an analysis of the vulnerabilities that had been found. This is an example of a
A) preventive control.
B) detective control.
C) corrective control.
D) standard control.
Answer:
Page Ref: 238
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic
35) It was 9:08 A.M. when Jiao Jan, the Network Administrator for Folding Squid Technologies, was informed that the intrusion detection system had identified an ongoing attempt to breach network security. By the time that Jiao had identified and blocked the attack, the hacker had accessed and downloaded several files from the company’s server. Using the notation for the time-based model of security, in this case
A) P > D
B) D > P
C) C > P
D) P > C
Answer:
Page Ref: 224
Objective: Learning Objective 2
Difficulty : Difficult
AACSB: Analytic

36) Which of the following is commonly true of the default settings for most commercially available wireless access points?
A) The security level is set at the factory and cannot be changed.
B) Wireless access points present little danger of vulnerability so security is not a concern.
C) Security is set to the lowest level that the device is capable of.
D) Security is set to the highest level that the device is capable of.
Answer:
Page Ref: 235
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic

37) In recent years, many of the attacks carried out by hackers have relied on this type of vulnerability in computer software.
A) Code mastication
B) Boot sector corruption
C) Weak authentication
D) Buffer overflow
Answer:
Page Ref: 236
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic
38) Meaningful Discussions is a social networking site that boasts over a million registered users and a quarterly membership growth rate in the double digits. As a consequence, the size of the information technology department has been growing very rapidly, with many new hires. Each employee is provided with a name badge with a photo and embedded computer chip that is used to gain entry to the facility. This is an example of a(an)
A) authentication control.
B) biometric device.
C) remote access control.
D) authorization control.
Answer:
Page Ref: 226
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic

39) When new employees are hired by Folding Squid Technologies, they are assigned user names and appropriate permissions are entered into the information system’s access control matrix. This is an example of a(an)
A) authentication control.
B) biometric device.
C) remote access control.
D) authorization control.
Answer:
Page Ref: 228
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic

40) When new employees are hired by Folding Squid Technologies, they are assigned user names and passwords and provided with laptop computers that have an integrated fingerprint reader. In order to log in, the user’s fingerprint must be recognized by the reader. This is an example of a(an)
A) authorization control.
B) biometric device.
C) remote access control.
D) defense in depth.
Answer:
Page Ref: 227
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic
41) Information technology managers are often in a bind when a new exploit is discovered in the wild. They can respond by updating the affected software or hardware with new code provided by the manufacturer, which runs the risk that a flaw in the update will break the system. Or they can wait until the new code has been extensively tested, but that runs the risk that they will be compromised by the exploit during the testing period. Dealing with these issues is referred to as
A) change management.
B) hardening.
C) patch management.
D) defense in depth.
Answer:
Page Ref: 240
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic

42) Murray Snitzel called a meeting of the top management at Snitzel Capital Management. Number one on the agenda was computer system security. “The risk of security breach incidents has become unacceptable,” he said, and turned to the Chief Information Officer. “This is your responsibility! What do you intend to do?” Which of the following is the best answer?
A) Evaluate and modify the system using the Trust Services framework
B) Evaluate and modify the system using the COSO Internal Control Framework.
C) Evaluate and modify the system using the CTC checklist.
D) Evaluate and modify the system using COBOL.
Answer:
Page Ref: 221
Objective: Learning Objective 1
Difficulty : Moderate
AACSB: Analytic

43) Which of the following is the most effective method of protecting against social engineering attacks on a computer system?
A) stateful packet filtering
B) employee awareness training
C) a firewall
D) a demilitarized zone
Answer:
Page Ref: 226
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
44) The most effective way to protect network resources, like email servers, that are outside of the network and are exposed to the Internet is
A) stateful packet filtering.
B) employee training.
C) a firewall.
D) a demilitarized zone.
Answer:
Page Ref: 230
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic

45) All employees of E.C. Hoxy are required to pass through a gate and present their photo identification cards to the guard before they are admitted. Entry to secure areas, such as the Information Technology Department offices, requires further procedures. This is an example of a(an)
A) authentication control.
B) authorization control.
C) physical access control.
D) hardening procedure.
Answer:
Page Ref: 229
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic

46) On February 14, 2008, students enrolled in an economics course at Swingline College received an email stating that class would be cancelled. The email claimed to be from the professor, but it wasn’t. Computer forensic experts determined that the email was sent from a computer in one of the campus labs at 9:14 A.M. They were then able to uniquely identify the computer that was used by means of its network interface card’s ________ address. Security cameras revealed the identity of the student responsible for spoofing the class.
A) TCP/IP
B) MAC
C) DMZ
D) IDS
Answer:
Page Ref: 228
Objective: Learning Objective 3
Difficulty : Difficult
AACSB: Analytic
47) There are “white hat” hackers and “black hat” hackers. Cowboy451 was one of the “black hat” hackers. He had researched an exploit and determined that he could penetrate the target system, download a file containing valuable data, and cover his tracks in eight minutes. Six minutes into the attack he was locked out of the system. Using the notation of the time-based model of security, which of the following must be true?
A) P < 6 B) D = 6 C) P = 6 D) P > 6
Answer:
Page Ref: 224
Objective: Learning Objective 2
Difficulty : Difficult
AACSB: Analytic

48) Identify three ways users can be authenticated and give an example of each.
Answer: Users can be authenticated by verifying: 1. something they know (password). 2. something they have (smart card or ID badge). 3. Something they are (biometric identification of fingerprint).
Page Ref: 226
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic

49) Describe four requirements of effective passwords .
Answer: 1. Strong passwords should be at least 8 characters. 2. Passwords should use a mixture of upper and lowercase letters, numbers and characters. 3. Passwords should be random and not words found in dictionaries. 4. Passwords should be changes frequently.
Page Ref: 227
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic

50) Explain social engineering.
Answer: Social engineering attacks use deception to obtain unauthorized access to information resources, such as attackers who post as a janitor or as a legitimate system user. Employees must be trained not to divulge passwords or other information about their accounts to anyone who contacts them and claims to be part of the organization’s security team.
Page Ref: 226
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
51) Explain the value of penetration testing.
Answer: Penetration testing involves an authorized attempt by an internal audit team or an external security consultant to break into the organization’s information system. This type of service is provided by risk management specialists in all the Big Four accounting firms. These specialists spend more than half of their time on security matters. The team attempts to compromise the system using every means possible. With a combination of systems technology skills and social engineering, these teams often find weaknesses in systems that were believed to be secure.
Page Ref: 238
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Reflective Thinking

52) Describe the function of a computer incident response team (CIRT) and the steps that a CIRT should perform following a security incident.
Answer: CIRT is responsible for dealing with major security incidents and breaches. The team should include technical specialists and senior operations management. In response to a security incident, first the CIRT must recognize that a problem exists. Log analysis, intrusion detection systems can be used to detect problems and alert the CIRT. Second, the problem must be contained, perhaps by shutting down a server or curtailing traffic on the network. Third, the CIRT must focus on recovery. Corrupt programs may need to be reinstalled and data restored from backups. Finally, the CIRT must follow-up to discover how the incident occurred and to design corrective controls to prevent similar incidents in the future.
Page Ref: 239
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic

53) Identify six physical access controls.
Answer: Require visitors to sign in and receive a visitor badge before being escorted by an employee; require employees to wear photo ID badges that are checked by security guards; physical locks and keys; storing documents and electronic media in a fire-proof safe or cabinet; restrict or prohibit cell phones, iPods and other portable devices; set screen savers to start after a few minutes of inactivity; set computers to lock keyboards after a few minutes of inactivity; utilize screen protection devices; use biometric devices to authorize access to spaces and equipment; attach and lock laptops to immobile objects; utilize magnetic or chip cards to authorize access to spaces and equipment; limit or prohibit windows and glass walls in sensitive areas.
Page Ref: 229-230
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic

Accounting Information Systems, 12e (Romney/Steinbart)
Chapter 9 Information Systems Controls for Systems ReliabilityPart 2: Confidentiality and Privacy

1) Concerning virtual private networks (VPN), which of the following is not true?
A) VPNs provide the functionality of a privately owned network using the Internet.
B) Using VPN software to encrypt information while it is in transit over the Internet in effect creates private communication channels, often referred to as tunnels, which are accessible only to those parties possessing the appropriate encryption and decryption keys.
C) The cost of the VPN software is much less than the cost of leasing or buying the infrastructure (telephone lines, satellite links, communications equipment, etc.) needed to create a privately owned secure communications network.
D) It is more expensive to reconfigure VPNs to include new sites than it is to add or remove the corresponding physical connections in a privately owned network.
Answer:
Page Ref: 264
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic

2) Which of the following is not associated with asymmetric encryption?
A) No need for key exchange
B) Public keys
C) Private keys
D) Speed
Answer:
Page Ref: 260
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic

3) The system and processes used to issue and manage asymmetric keys and digital certificates are known as
A) asymmetric encryption.
B) certificate authority.
C) digital signature.
D) public key infrastructure.
Answer:
Page Ref: 262
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic

4) Which of the following describes one weakness of encryption?
A) Encrypted packets cannot be examined by a firewall.
B) Encryption protects the confidentiality of information while in storage.
C) Encryption protects the privacy of information during transmission.
D) Encryption provides for both authentication and non-repudiation.
Answer:
Page Ref: 264
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic

5) Using a combination of symmetric and asymmetric key encryption, Chris Kai sent a report to her home office in Syracuse, New York. She received an email acknowledgement that the document had been received and then, a few minutes later, she received a second email that indicated that the hash calculated from the report differed from that sent with the report. This most likely explanation for this result is that
A) the public key had been compromised.
B) the private key had been compromised.
C) the symmetric encryption key had been compromised.
D) the asymmetric encryption key had been compromised.
Answer:
Page Ref: 261
Objective: Learning Objective 3
Difficulty : Difficult
AACSB: Analytic

6) Encryption has a remarkably long and varied history. The invention of writing was apparently soon followed by a desire to conceal messages. One of the earliest methods, attributed to an ancient Roman emperor, was the simple substitution of numbers for letters, for example A = 1, B = 2, etc. This is an example of
A) a hashing algorithm.
B) symmetric key encryption.
C) asymmetric key encryption.
D) a public key.
Answer:
Page Ref: 260
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
7) An electronic document that certifies the identity of the owner of a particular public key.
A) Asymmetric encryption
B) Digital certificate
C) Digital signature
D) Public key
Answer:
Page Ref: 262
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic

8) These systems use the same key to encrypt and to decrypt.
A) Asymmetric encryption
B) Hashing encryption
C) Public key encryption
D) Symmetric encryption
Answer:
Page Ref: 260
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic

9) These are used to create digital signatures.
A) Asymmetric encryption and hashing
B) Hashing and packet filtering
C) Packet filtering and encryption
D) Symmetric encryption and hashing
Answer:
Page Ref: 261
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic

10) Information encrypted with the creator’s private key that is used to authenticate the sender is
A) asymmetric encryption.
B) digital certificate.
C) digital signature.
D) public key.
Answer:
Page Ref: 261
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
11) Which of the following is not one of the three important factors determining the strength of any encryption system?
A) Key length
B) Key management policies
C) Encryption algorithm
D) Privacy
Answer:
Page Ref: 259
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic

12) A process that takes plaintext of any length and transforms it into a short code.
A) Asymmetric encryption
B) Encryption
C) Hashing
D) Symmetric encryption
Answer:
Page Ref: 260
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic

13) Which of the following descriptions is not associated with symmetric encryption?
A) A shared secret key
B) Faster encryption
C) Lack of authentication
D) Separate keys for each communication party
Answer:
Page Ref: 260
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic
14) Encryption has a remarkably long and varied history. Spies have been using it to convey secret messages ever since there were secret messages to convey. One powerful method of encryption uses random digits. Two documents are prepared with the same random sequence of numbers. The spy is sent out with one and the spy master retains the other. The digits are used as follows. Suppose that the word to be encrypted is SPY and the random digits are 352. Then S becomes V (three letters after S), P becomes U (five letters after P), and Y becomes A (two letters after Y, restarting at A after Z). The spy would encrypt a message and then destroy the document used to encrypt it. This is an early example of
A) a hashing algorithm.
B) asymmetric key encryption.
C) symmetric key encryption.
D) public key encryption.
Answer:
Page Ref: 260
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic

15) One way to circumvent the counterfeiting of public keys is by using
A) a digital certificate.
B) digital authority.
C) encryption.
D) cryptography.
Answer:
Page Ref: 262
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic

16) In a private key system the sender and the receiver have ________, and in the public key system they have ________.
A) different keys; the same key
B) a decrypting algorithm; an encrypting algorithm
C) the same key; two separate keys
D) an encrypting algorithm; a decrypting algorithm
Answer:
Page Ref: 260
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic
17) Asymmetric key encryption combined with the information provided by a certificate authority allows unique identification of
A) the user of encrypted data.
B) the provider of encrypted data.
C) both the user and the provider of encrypted data.
D) either the user or the provider of encrypted data.
Answer:
Page Ref: 262
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic

18) Which of the following is not one of the 10 internationally recognized best practices for protecting the privacy of customers’ personal information?
A) Providing free credit report monitoring for customers
B) Inform customers of the option to opt-out of data collection and use of their personal information
C) Allow customers’ browsers to decline to accept cookies
D) Utilize controls to prevent unauthorized access to, and disclosure of, customers’ information
Answer:
Page Ref: 256-257
Objective: Learning Objective 2
Difficulty : Moderate
AACSB: Analytic

19) On March 3, 2008, a laptop computer belonging to Folding Squid Technology was stolen from the trunk of Jiao Jan’s car while he was attending a conference in Cleveland, Ohio. After reporting the theft, Jiao considered the implications of the theft for the company’s network security and concluded there was nothing to worry about because
A) the computer was protected by a password.
B) the computer was insured against theft.
C) it was unlikely that the thief would know how to access the company data stored on the computer.
D) the data stored on the computer was encrypted.
Answer:
Page Ref: 258
Objective: Learning Objective 3
Difficulty : Easy
AACSB: Analytic
20) Jeff Davis took a call from a client. “Jeff, I need to interact online and real time with our affiliate in India, and I want to make sure that our communications aren’t intercepted. What do you suggest?” Jeff responded “The best solution will be to implement
A) a virtual private network.”
B) a private cloud environment.”
C) an asymmetric encryption system with digital signatures.”
D) multifactor authentication.”
Answer:
Page Ref: 264
Objective: Learning Objective 3
Difficulty : Moderate
AACSB: Analytic

21) In developing policies related to personal information about customers, Folding Squid Technologies adhered to the Trust Services framework. The standard applicable to these policies is
A) security.
B) confidentiality.
C) privacy.
D) availability.
Answer:
Page Ref: 254
Objective: Learning Objective 2
Difficulty : Easy
AACSB: Analytic

22) Jeff Davis took a call from a client. “Jeff, I need for my customers to make payments online using credit cards, but I want to make sure that the credit card data isn’t intercepted. What do you suggest?” Jeff responded “The best solution will be to implement
A) a virtual private network.”
B) a private cloud environment.”
C) an encryption system with digital signatures.”
D) a data masking program.”
Answer:
Page Ref: 261
Objective: Learning Objective 2
Difficulty : Moderate
AACSB: Analytic

23) Describe some steps you can take to minimize your risk of identify theft.

24) Describe symmetric encryption and identify three limitations.