In addition to focusing on controls, COBIT 5 expands its scope by incorporating which of the following broad perspectives?
How IT brings value to the firm.
How IT can automate specific business processes.
IT networking requirements.
IT cost reductions.
How IT brings value to the firm.
The Sarbanes-Oxley Act (SOX) was passed as a response to which of the following events?
The savings & loan scandals of the 1980s.
The bust of dot-com bubble companies such as pets.com and Webvan.
Corporate reporting scandals by companies such as WorldCom, Enron, and Tyco.
Securities manipulation and insider trading in the 1930s.
Corporate reporting scandals by companies such as WorldCom, Enron, and Tyco.
Which of the following best describes why firms choose to create codes of ethics?
Because most people will not behave ethically without a written set of guidelines.
Codes of ethics protect firms against lawsuits that may be filed due to corporate fraud.
They allow firms to create a formal set of expectations for employees who may have different sets of personal values.
Companies must have a written code of ethics in order to conduct interstate commerce in the U.S.
They allow firms to create a formal set of expectations for employees who may have different sets of personal values.
Internal controls guarantee the accuracy and reliability of accounting records.
true
false
false
According to COSO 2013, which of the following components of the enterprise risk management addresses an entity’s integrity and ethical values?
Information and communication.
Internal environment.
Risk assessment.
Control activities.
Internal environment.
Which of the following represents an inherent risk for a financial institution?
Bank reconciliations are not performed on a timely basis.
The economy goes into a recession.
Customer credit check not performed.
An error occurs in a loan loss calculation.
The economy goes into a recession.
Which of the following is the best way to compensate for the lack of adequate segregation of duties in a small organization?
Disclosing lack of segregation of duties to external auditors during the annual review.
Replacing personnel every three or four years.
Requiring accountants to pass a yearly background check.
Providing greater management oversight of incompatible activities.
Providing greater management oversight of incompatible activities.
Which of the following is not a component of internal control as defined by COSO?
Control environment.
Control activities.
Inherent risk.
Monitoring.
Inherent risk.
All of the following are the primary functions of internal controls except:
Prevention.
Reflection.
Detection.
Correction.
Reflection.
The framework to be used by management in its internal control assessment under requirements of SOX is the:
COSO internal control framework.
COSO enterprise risk management framework.
COBIT framework.
All of the choices are correct.
All of the choices are correct.
The internal control provisions of SOX apply to which companies in the United States?
All companies.
SEC registrants.
All issuer (public) companies and nonissuer (nonpublic) companies with more than $100,000,000 of net worth.
All nonissuer companies.
SEC registrants.
The ISO 27000 Series of standards are designed to address which of the following?
Corporate governance.
Internal controls.
Information security issues.
IT value.
Information security issues.
Blockchain was built to minimize the use of:
US Dollars.
Regulators.
Intermediaries.
Accountants.
Intermediaries.
What is not a general function of blockchain technology?
Transfer digital assets.
Authenticate identities.
Generation of bitcoin.
Ability to create value.
Generation of bitcoin.
Which of the following is not a benefit of blockchain?
Past information is easily edited.
New transactions are propagated to all participants.
Consensus must be reached to propagate transactions.
Participating parties do not need to trust each other.
Past information is easily edited.
In which of the following situations would blockchain add value?
Multiple parties that do not trust each other want to collaborate.
Management would like to automate routine tasks.
A prediction on weather related losses is needed.
Contracts need to be reviewed for revenue recognition.
Multiple parties that do not trust each other want to collaborate.
To be considered blockchain a technology must have all of the following except:
Rewardability.
Consensus.
Immutability.
Decentralization.
Rewardability.
When an accounting team automates account reconciliations this is an example of:
Robotic process automation.
Spreadsheet automation.
Natural language automation.
Internet automation.
Robotic process automation.
When a bank has an input file of FICO scores and uses machine learning to help predict credit losses for each customer, they are likely using which type of learning?
Reinforcement Learning.
Unsupervised Learning.
Supervised Learning.
Matrix Learning.
Supervised Learning.
Which of the following is the best description of neural networks?
Mathematical models that convert inputs to outputs/predictions.
Intelligence exhibited by machines rather than humans.
A blockchain network where participants need permission to join the network.
A ledger where individual entries are separate in time and location.
Mathematical models that convert inputs to outputs/predictions.
Artificial Intelligence can include all of the following except:
Database programming.
Visual perception.
Logical thinking.
Language translation.
Database programming.
One of the largest challenges across the accounting industry for auditing firms which use blockchain is:
Understanding business activities.
Continuous monitoring.
Deciphering cryptocurrency.
A gap in skillset.
A gap in skillset.
When using an analytical mindset which of the following is the first task?
Master the data.
Share the story.
Ask the right question.
Request data.
Ask the right question.
Which type of analysis assists with understanding why something happened during the third step of the AMPS model, performing the analysis?
Descriptive.
Diagnostic.
Predictive.
Prescriptive.
Diagnostic.
Which type of analysis assists with defining how to optimize performance based on a potential constraint?
Descriptive.
Diagnostic.
Predictive.
Prescriptive.
Prescriptive.
Which type of analysis assists with understanding what is happening right now?
Descriptive.
Diagnostic.
Predictive.
Prescriptive.
Descriptive.
Which of the following best summarizes the two key limiting factors for business systems when dealing with Big Data?
Data storage capacity and processing power.
Data availability and software tools.
Database organization and transaction volume.
Analytic skills and software tools.
Data storage capacity and processing power.
As described in the text, which of the following best defines the term data analytics?
The ability to extract and load large datasets.
The science of moving data from Access to Enterprise Reporting Tools to draw conclusions for decision making.
The process of organizing extremely large datasets to create more manageability.
The science of examining raw data, removing excess noise, and organizing it in order to draw conclusions for decision making.
The science of examining raw data, removing excess noise, and organizing it in order to draw conclusions for decision making.
The four Vs are considered a defining feature of big data. Which of the following is the best definition of the term big data?
Volition, veracity, velocity & variety.
Variety, visibility, velocity & valuation.
Volume, veracity, velocity, & variety.
Volume, variability, variety & veracity.
Volume, veracity, velocity, & variety.
How does data analytics play a vital role in today’s business world?
By allowing data to be organized into predefined tables and fields.
By defining three main categories of classes that help organize a company’s data structure models.
By examining data to generate models for predictions of patterns and trends.
By capturing the ever-increasing transaction activity of large companies.
By examining data to generate models for predictions of patterns and trends.
Which of the following is not a part of the AMPS model?
Ask the right questions.
Share the story.
Master the data.
Parse the data.
Parse the data.
Which of the following is the best definition of the term big data?
Databases measured in terms of zettabytes.
Datasets that are too large and complex for businesses’ existing systems utilizing traditional capabilities.
Databases for businesses that generate more than one million electronic transactions per month.
Datasets generated by social media applications such as Facebook, Twitter, Tencent QQ, and Instagram.
Datasets that are too large and complex for businesses’ existing systems utilizing traditional capabilities.
Select a correct statement regarding encryption methods.
To use symmetric-key encryption, each user needs two different keys
Most companies prefer the symmetric-key encryption method to the asymmetric-key encryption method
Both symmetric-key and asymmetric-key encryption methods require the involvement of a certificate authority
When conducting e-business, most companies use both symmetric-key and asymmetric-key encryption methods
When conducting e-business, most companies use both symmetric-key and asymmetric-key encryption methods
Which of the following describes the primary goals of the CIA approach to information security management?
Controls, Innovation, Analysis
Confidentiality, Integrity, Availability
Convenience, Integrity, Awareness
Confidentiality, Innovation, Availability
Confidentiality, Integrity, Availability
Which of the following best illustrates the use of multifactor authentication?
Requiring password changes every 30, 60, 90 days
Requiring the use of a smart card and a password
Requiring the use of upper case, lower case, numeric, and special characters for a password
The use of fingerprint scanner for access to a device
Requiring the use of a smart card and a password
For businesses considering a cloud computing solution, which of the following should they ask the cloud vendor to provide before entering into a contract for critical business operations?
FASB 51
Report Audit Report
SAS 3 Report
SOC 2 Report
SOC 2 Report
In general, the goal of information security management is to protect all of the following except:
Confidentiality
Integrity
Availability
Redundancy
Redundancy
What is the primary objective of data security controls?
To establish a framework for controlling the design, security, and use of computer programs throughout the organization
To ensure that the data storage media are subject to authorization prior to access, change, or destruction
To formalize standard rules and procedures to ensure the organization’s controls are properly executed
To monitor the use of system software to prevent unauthorized access to system software and computer programs
To ensure that the data storage media are subject to authorization prior to access, change, or destruction
An entity doing business on the internet most likely could use any of the following methods to prevent unauthorized intruders from accessing proprietary information except:
Password management
Data encryption
Digital certificates
Batch processing
Batch processing
An information technology director collected the names and locations of key vendors, current hardware configuration, names of team members, and an alternative processing location. What is the director most likely preparing?
Data restoration plan
Disaster recovery plan
System security policy
System hardware policy
Disaster recovery plan
Which of the following is a password security weakness?
Users are assigned passwords when accounts are created, but do not change them
Users have accounts on several systems with different passwords
Users write down their passwords on a note paper and carry it with them
Users select passwords that are not part of an online password directory
Users are assigned passwords when accounts are created, but do not change them
To prevent invalid data input, a bank added an extra number at the end of each account number and subjected the new number to an algorithm. This technique is known as:
A validation check
Check digit verification
A dependency check
A format check
Check digit verification
Why would companies want to use digital signatures when conducting e-business?
They are cheap
They are always the same so it can be verified easily
They are more convenient than requiring a real signature
They can authenticate the document sender and maintain data integrity
They can authenticate the document sender and maintain data integrity
Ben goes to his bank to wire transfer $1,000 to his sister Jennifer. The role of the bank in this transaction is best described as:
miner.
blockchain.
middleman.
consensus.
middleman.
Which of the following statements is true?
Because blockchain transactions are stored in chronological order, you may trace a block from an earlier transaction block to the most recent block in the blockchain.
Both permissioned and public blockchains need miners to determine which transaction block should be added next.
Ethereum is a private blockchain.
Smart contract was introduced in Ethereum.
Smart contract was introduced in Ethereum.
Which feature cannot be found in bitcoin?
Double spend
Anyone can join and leave the bitcoin network at any time
Immutable history of transactions
A new block is added every 10 minutes
Double spend
In the Ethereum network:
mining of Ether occurs at a constant rate.
transaction fees are higher than Bitcoin.
miner uses SHA256 to determine if a block is a valid block.
because a smart contract describes business rules and is also flexible for different industries, it can be modified to fit the business after a block is inserted to the Ethereum network.
mining of Ether occurs at a constant rate.
A selected set of organizations may run a blockchain node separately for keeping the transaction records. Administrators from the organizations establish the access rights and permissions for each participant. This type of blockchain is often called:
public blockchain.
permissionless blockchain.
private blockchain.
consortium blockchain.
consortium blockchain.
Which of the following statements is false?
A distributed ledger contains many copies of the same ledger.
A distributed ledger stores the same set of transaction records.
Because a distributed ledger exists in a blockchain network, a computer consisting of all transaction records may crash and cause the syncing issue in the blockchain network.
A transaction record cannot be added to the blockchain unless there is network consensus.
Because a distributed ledger exists in a blockchain network, a computer consisting of all transaction records may crash and cause the syncing issue in the blockchain network.
Which of the following statements is false?
Hyperledger is an open source blockchain platform created by the Linux foundation.
Hyperledger is a permissioned blockchain with capabilities of handling smart contracts.
The main objective of Hyperledger is to achieve cross-industry collaboration with blockchain technology.
Hyperledger is a public blockchain.
Hyperledger is a public blockchain.
When we refer to smart contract in blockchain, we mean:
a contract that can be edited at any time for business rules.
a digital copy of paper contract such as a Word file.
a piece of software code that can be executed or triggered by business activities.
a digital contract that can be distributed all to the participants with all terms defined.
a piece of software code that can be executed or triggered by business activities.
What information does a block in the Bitcoin network not contain?
The sender
The receiver
The quantity of bitcoins to transfer
The sender and the receiver
None, a block contains all of this information.
None, a block contains all of this information.
Which of the following is not true with respect to artificial intelligence?
AI is a broad field in computer science.
AI is intelligence exhibited by machines rather than humans.
AI began in the 1990s.
AI is also called cognitive technologies.
None of these is true.
AI began in the 1990s.
Which of the following best describes the difference between artificial intelligence and machine learning?
Machine learning is a subset of AI.
Machine learning only applies to deep learning algorithms.
AI and machine learning are the same thing.
Machine learning requires less data than AI.
None of these choices are correct.
Machine learning is a subset of AI.
Which of the following best describes artificial neural networks?
Training a neural network involves the use of real-world data.
Deep learning is required for a neural network.
Neural networks consist of inputs, neurons or nodes, and outputs.
Neural networks only have two layers.
None of these choices are correct.
Neural networks consist of inputs, neurons or nodes, and outputs.
Which of the following best describes supervised learning?
The training data contain missing labels or incomplete data.
The training data match inputs to nodes in the network.
The training data contain input—output pairs.
The training data only include input values.
None of these choices are correct.
The training data contain input—output pairs.
Which of the following best describes a confusion matrix?
It is a table summarizing the prediction results.
It has as many rows and columns as classifications to predict.
It can be used to calculate other performance metrics.
All of these choices are correct.
All of these choices are correct.
If a confusion matrix shows 46 TP, 6 FN, 500 TN, and 4 FP, what is the precision ratio? (Round your answer to 2 decimal places.)
0.90
0.92
0.98
0.88
None of these choices are correct.
0.92 Precision: TP/(TP+FP)
If a confusion matrix shows 46 TP, 6 FN, 500 TN, and 4 FP, what is the recall ratio? (Round your answer to 2 decimal places.)
0.90
0.92
0.98
0.88
None of these choices are correct.
0.88 Recall: TP/(TP+FN)
If a confusion matrix shows 46 TP, 6 FN, 500 TN, and 4 FP, what is the accuracy ratio? (Round your answer to 2 decimal places.)
0.90
0.92
0.98
0.88
None of these choices are correct.
0.98 Accuracy: (TP+TN) / (all sum)
If a confusion matrix shows 25 TP, 5 FN, 1000 TN, and 5 FP, what is the precision ratio? (Round your answer to 2 decimal places.)
0.90
0.92
0.99
0.83
None of these choices are correct.
0.83 Precision: TP/(TP+FP)
If a confusion matrix shows 25 TP, 5 FN, 1000 TN, and 5 FP, what is the recall ratio? (Round your answer to 2 decimal places.)
0.90
0.92
0.99
0.83
None of these choices are correct.
0.83 Recall: TP/(TP+FN)
If a confusion matrix shows 25 TP, 5 FN, 1000 TN, and 5 FP, what is the accuracy ratio? (Round your answer to 2 decimal places.)
0.90
0.92
0.99
0.83
None of these choices are correct.
0.99 Accuracy: (TP+TN) / (all sum)
Which of the following statements is false?
private blockchain requires permission to join the network
bitcoin uses smart contract to specify the business rules
in Ethereum, a new block is added every 12 to 15 seconds
blockchain transactions are immutable
bitcoin uses smart contract to specify the business rules
Which of the following is created mainly for cryptocurrency application?
ethereum
hyperledger
corda
bitcoin
bitcoin
What is a requirement of the proof of authority algorithm?
a few members have known identities
a portion of the miner's blocks will be locked until it is validated
large quantities of computer power are required to solve a complex mathematical problem
none of these are a requirement of the proof of authority algorithm
a few members have known identities
Which of the following best describes the difference between AI and machine learning?
machine learning is a subset of AI
machine learning only applies to deep learning algorithm
AI and machine learning are the same thing
machine learning requires less data than AI
machine learning is a subset of AI
Which of the following best describes machine learning?
machine learning is driven by programming instructions.
machine learning is a different branch of computer science from AI
machine learning is a technique where a software model is trained using data
machine learning is the ability of a machine to think on its own.
none of these
machine learning is a technique where a software model is trained using data
Which of the following is not part of the virtuous cycle of machine learning?
model
learn.
predict
data
none of these
model
Which of the following best describes artificial neural networks?
training a neural network involves the use of real-world data
deep learning is required for a neural network
neural networks consist of inputs, neurons or nodes, and output
neural networks only have two layers
none of these
neural networks consist of inputs, neurons or nodes, and outputs
Which of the following best describes deep learning?
deep learning is used to solve philosophical problems.
deep learning involves complex, multilayer neural networks
deep learning is different from machine learning in fundamental ways
deep learning provides more output values than machine learning
none of these
deep learning involves complex, multilayer neural networks
Which of the following is not directly related to one of the five questions that machine learning/AI is best suited to answer?
which business strategy will be most successful?
is the firm a good merger candidate?
what type of customer will like this new product
how much can we sell this product for?
none of these
which business strategy will be most successful?
Which of the following best describes unsupervised learning?
the training data contain missing labels or incomplete data
the training data match inputs to nodes in the network
the training data contain
the training data only include values
none of these
the training data only include values
Which of the following best describes semi-supervised learning?
the training data contain missing labels or incomplete data
the training data match inputs to nodes in the network
the training data contain input-output pairs
the training data only include values
none of these
the training data contain missing labels or incomplete data
Which of the following best describes reinforcement learning?
the model determines how elements of the dataset are alike
the training data match inputs to nodes in the network
the training data contain input-output pairs
the model learns by trial and error
none of these
the model learns by trial and error
(CISA exam, adapted) Authentication is the process by which the:
system verifies that the user is entitled to enter the transaction requested.
user identifies him- or herself to the system.
system verifies the identity of the user.
user indicates to the system that the transaction was processed correctly.
system verifies the identity of the user.
(CMA exam, adapted) Data processing activities may be classified in terms of three stages or processes: input, processing, and output. An activity that is not normally associated with the input stage is:
batching.
verifying.
recording.
reporting.
reporting.
(CISA exam, adapted) To ensure confidentiality in an asymmetric-key encryption system, knowledge of which of the following keys is required to decrypt the received message?
I. Private
II. Public
I
II
Both I and II
Neither I nor II
Private
To authenticate the message sender in an asymmetric-key encryption system, which of the following keys is required to decrypt the received message?
Sender's private key
Receiver's private key
Sender's public key
Receiver's public key
Sender's public key
To ensure the data sent over the Internet are protected, which of the following keys is required to encrypt the data (before transmission) using an asymmetric-key encryption method?
Sender's public key
Sender's private key
Receiver's public key
Receiver's private key
Receiver's public key
Which of the following groups/laws was the earliest to encourage auditors to
PCAOB
COBIT
SAS No. 99
COSO
Sarbanes-Oxley Act
SAS No. 99
Incentive to commit fraud usually will include all of the following, except:
inadequate segregation of duties.
alcohol, drug, or gambling addiction.
feelings of resentment.
personal habits and lifestyle.
financial pressure.
inadequate segregation of duties.
(CPA exam, adapted) An information technology director collected the names and locations of key vendors, current hardware configuration, names of team members, and an alternative processing location. What is the director most likely preparing?
System hardware policy
Internal control policy
Disaster recovery plan
Supply chain management policy
System security policy
Disaster recovery plan
A message digest is the result of hashing. Which of the following statements about the hashing process is true?
It is reversible.
Comparing the hashing results can ensure confidentiality.
Hashing is the best approach to make sure that two files are identical.
None of the choices are true.
Hashing is the best approach to make sure that two files are identical.
Which one of the following vulnerabilities would create the most serious risk to a firm?
Employees writing instant messages with friends during office hours
Unauthorized access to the firm's network
Employees recording passwords in Excel files
Using open source software (downloaded for free) on the firm's network
Unauthorized access to the firm's network
Which of the following statements is correct?
SOC 1 reports provide the evaluations on a broader set of controls implemented by the service provider.
A spam will send a network packet that appears to come from a source other than its actual source.
Multifactor authentication is less secure than requiring a user always entering a password to access a network.
Fault tolerance uses redundant units to provide a system with the ability to continue functioning when part of the system fails.
Fault tolerance uses redundant units to provide a system with the ability to continue functioning when part of the system fails.
Which of the following can be considered as a good alternative to back up data and applications?
Continuous monitoring
Business continuity management
Cloud computing
Disaster recovery planning
Cloud computing
A digital certificate:
indicates that the subscriber identified has sole control and access to the private key.
is used to certify public-key and private-key pairs.
ensures that the symmetric-key encryption method functions well.
is a trusted entity to certify and revoke Certificate Authorities (CA).
indicates that the subscriber identified has sole control and access to the private key.
The symmetric-key encryption method:
is slow.
solves problems in key distribution and key management.
uses the same key for both senders and receivers for encryption and decryption.
is not appropriate for encrypting large data sets.
uses the same key for both senders and receivers for encryption and decryption.
The fraud triangle indicates which of the following condition(s) exist for a fraud to be perpetrated?
rationalization.
pressure.
legal environment.
a and b are correct
a, b, and c are correct
a, b, and c are correct
To prevent repudiation in conducting e-business, companies must be able to authenticate their trading partners. Which of the following encryption methods can be used for authentication purpose?
Symmetric-key encryption method
Asymmetric-key encryption method
Both symmetric-key and asymmetric-key encryption methods are good for authentication.
Asymmetric-key encryption method
Regarding GDPR, which of the following statements is/are correct?
It is a regulation enforced by EU.
It is to protect EU citizens' personal data.
It is not relevant to the companies in the U.S.
a and b are correct
a, b, and c are correct
a and b are correct
Which organization created the Reporting on an Entity's Cybersecurity Risk Management Program and Controls: Attestation Guide in 2017?
SEC
AICPA
US Congress
Department of Homeland Security
AICPA
Business continuity management is a
preventive control.
detective control.
corrective control.
Two of the choices are correct.
corrective control.
Encryption is a
preventive control.
detective control.
corrective control.
Two of the choices are correct.
preventive control.
What is fault tolerance?
A policy allowing employees to make mistakes
Using redundant units to continue functioning when a system is failing
An application that can detect mistakes and correct mistakes automatically
Two of the choices are correct.
Using redundant units to continue functioning when a system is failing
Comparing encryption with hashing, which one of the following is correct?
Hashing process is reversible.
Encryption is used to ensure data integrity.
Hashing results are large data.
Encryption results are called cypher text.
Encryption results are called cypher text.
Disaster recovery plan is a
preventive control.
detective control.
corrective control.
Two of the choices are correct.
corrective control.
Select a correct statement describing encryption or hashing process.
Encryption process is reversible.
Hashing results are called message digests.
Hashing process is used to obtain a digital signature.
Encryption process is to maintain confidentiality.
All of the choices are correct.
Encryption process is reversible.
Select a correct statement regarding encryption methods.
Most companies prefer using asymmetric-key encryption method for data transmission.
Symmetric-key encryption method is used to authenticate trading partners.
Only asymmetric-key encryption method can ensure confidentiality.
Asymmetric-key encryption method is used to create digital signatures.
Asymmetric-key encryption method is used to create digital signatures.