What controls are concerned with the accuracy, completeness, validity, and authorization of data captured, processed, and stored?
application controls
What controls identify and correct problems and recover from the resulting errors; for example, having backup copies of files
corrective controls
What controls are used to discover problems that were not prevented; for example, preparing monthly trial balances
detective controls
What controls are used to make sure the control environment is stable and well managed; for example, security controls
general controls
What controls deter problems before they arise; for example, segregating employee duties
Preventative controls
What is the name of the law that congress passed to prevent financial statement fraud, make financial reports more transparent, protect investors, strengthen internal controls, and punish executives who perpetrate fraud?
Sarbanes Oxley Act (SOX)
What is the name of the law congress passed to prevent companies from bribing foreign officials?
Foreign Corrupt Practices Act (FCPA)
Internal controls are the processes implemented to provide reasonable assurance that the following control objectives are achieved: (3)
Safeguard assets
Comply with applicable laws and regulations
Provide accurate and reliable info
Controls that prevent, detect, and correct transaction errors and fraud in application programs are called:
application controls
The level of control that describes how a company creates value and helps employees understand management’s vision is called a:
belief system
The COBIT framework describes best practices for the effective governance and management of IT. It is based on five key principles of IT governance and management. What are the 5 key principles?
Meeting stakeholder needs
Covering the enterprise end to end
Applying a single, integrated framework
Enabling a holistic approach
Separating governance from management
Based on the basic principles that ERM is built on, uncertainty results in ___, which is the possibility that something positively affects the company’s ability to create value. But uncertainty also results in ___, which is the possibility that something negatively affects the company’s ability to create value.
opportunity, risk
What are the five components of COSO Internal Controls?
Control environment
Risk assessment
Control activities
Information and communication
Monitoring
COBIT consolidates control standards from many sources into a single framework that allows:
Users to be assured that adequate IT security and controls exist
Management to benchmark security and control practices of IT environments
Auditors to substantiate their internal control opinions and to advise on IT security and control measures
COSO’s Internal Control Model has five components and 17 principles. Which of the following is(are) principle(s) of the control environment component? (Check all that apply.)
A. A commitment to attract, develop, and retain competent individuals in alignment with objectives
B. Selecting, developing, and performing ongoing or separate evaluations of the components of internal control
C. Commitment to integrity and ethics
D. Considering the potential of fraud
E. Holding individuals accountable for their internal control responsibilities in pursuit of objectives
A, C, E
Which of the following are part of an internal environment? (Check all that apply.)
A. Principles of value creation
B. Internal control oversight by the board of directors
C. Effective management to auditor communication
D. Commitment to integrity, ethical values, and competence
E. Management’s philosophy, operating style, and risk appetite
B, D, E
Which of the following is part of an internal environment? (Check all that apply.)
A. Human resource standards that attract, develop, and retain competent individuals
B. Organizational structure
C. Monitoring the achievement of management objectives
D. Commitment to risk assessment and response
E. Methods of assigning authority and responsibility
A, B, E
Which of the following are ways that companies endorse integrity? (Check all that apply.)
A. Consistently rewarding achievements and giving verbal labels to both high and low producers
B. Making a commitment to competence, and hiring employees with the necessary knowledge, experience, training, and skills
C. Developing a written code of conduct that explicitly describes honest and dishonest behaviors
D. Implementing aggressive sales practices and handsomely rewarding those who achieve them and not giving bonuses to those who underachieve
E. Actively making employees aware that favorable outcomes and reports are more important than almost anything else
B, C
Which of the following are Human Resources standards that attract, develop, and retain competent employees? (Check all that apply.)
A. Give dismissed employees weeks to find a new job before they have to leave
B. Evaluate, compensate, and promote employees based more on subjective criteria than performance
C. Train new employees on their responsibilities, expected levels of performance and behavior, and the company’s policies and procedures
D. Hire employees based on educational background, experience, achievements, integrity, and meeting written job requirements
E. Rotate employee duties periodically, and require all employees to take an annual vacation
C, D, E
Which of the following statements is true with respect to a company’s control environment? (Check all that apply.)
A. Management should assign authority and responsibility for goals and objectives to departments and individuals and hold them accountable for achieving them.
B. An involved board of directors represents shareholders and provides an independent review of management that acts as a check and balance on their actions.
C. One of the greatest control strengths is the dishonesty of employees; one of the greatest control weaknesses is the honesty of employees.
D. An overly complex or unclear organizational structure is not an indication of possible serious problems in an organization.
A, B
Which of the following statements are true? (Check all that apply.)
A. Management must take an entity-wide view of risk.
B. Inherent risk is the risk that remains after management implements internal controls, or some other response, to risk.
C. Management must identify and analyze risks to determine how they should be managed.
D. Management must specify objectives clearly enough for risks to be identified and assessed.
E. Residual risk is the susceptibility of a set of accounts or transactions to significant control problems in the absence of internal control.
A, C, D
What are the four ways that management can respond to risk?
Share it or transfer it to someone else
Accept its likelihood and impact
Avoid it by not engaging in the activity that produces the risk
Reduce its likelihood and impact
Which of the following statements are true? (Check all that apply.)
A. Detective controls are superior to preventive controls; neither is as good as a corrective control.
B. Some events pose a greater risk because they are more likely to occur.
C. The benefits of an internal control procedure are usually easier to measure than the costs.
D. The objective of an internal control system is to provide reasonable assurance that events do not take place.
E. The likelihood and impact of a risk must be considered separately.
B, D
What is the correct sequence for assessing and responding to risk?
Identify threats
Estimate likelihood of risk
Identify controls
Estimate cost and benefits of controls
Which of the following statements is true? (Check all that apply.)
A. Cost-effective controls should be implemented to reduce risk.
B. The benefits of implementing controls are generally easier to quantify accurately than are the costs of implementing controls.
C. Risk should never be accepted, even if it is within the company’s risk tolerance range.
D. In evaluating internal controls, management must consider factors other than those in the expected cost/benefit calculation.
A, D
Effective segregation of accounting duties is achieved when which of the following functions are separated? (Check all that apply.)
A. Recording transactions and preparing documents and reports
B. Managing information systems
C. Supervision of accounting duties and processes
D. Custody of cash and other assets
E. Authorization of transactions and decisions
A, D, E
To achieve proper segregation of systems duties, which of the following system functions should be separated from the other system functions? (Check all that apply.)
A. Data entry
B. Internal auditing
C. Users
D. Authorization
E. Management
A, C, D, E
Which of the following are important systems development controls? (Check all that apply.)
A. A project development plan that shows the prioritization of all projects that must be completed
B. A data processing schedule that shows when each task should be performed
C. A steering committee that oversees systems development
D. Performance measurements used to evaluate all company employees
E. A post-implementation review to determine whether anticipated benefits were achieved
B, C, E
Which of the following are important independent checks on performance? (Check all that apply.)
A. Single-entry accounting
B. Reconciliation of independently maintained records.
C. An independent review where a person double checks the work she performed
D. Analytical reviews that examine relationships between different sets of data
B, D
Which of the following statements are true? (Check all that apply.)
A. Systems analysts have the ultimate responsibility for selecting and implementing appropriate controls over technology.
B. Control activities are policies and procedures that provide reasonable assurance that risk responses are carried out.
C. Controls are more effective when placed in a system after it is up and running.
D. Throughput and response time are useful system performance measurements.
E. Employees who process transactions should verify the presence of appropriate authorizations.
B, D, E
A way to trace data from the point of origin to the output, or vice versa:
audit trail
An employee who monitors the system and provides info about the improper system uses and their consequences
Computer Security Officer (CSO)
An employee responsible for complying with all laws and regulatory rulings
Chief Compliance Officer (CCO)
Specialist in fraud prevention/detection/auditing
forensic investigators
specialists who discover, extract, safeguard, and document computer evidence
Computer forensics specialist
According to internal control frameworks, which of the following principles apply to the information and communication process? (Check all that apply.)
A. Obtain or generate relevant, high-quality information to support internal control
B. Make sure to compare actual inventory quantities with recorded amounts before transmitting them to external parties
C. Communicate relevant internal control matters to external parties
D. Internally communicate the information necessary to support the other components of internal control
A, C, D
According to the text, which of the following are key methods of monitoring internal control system performance? (Check all that apply.)
A. Use responsibility accounting systems
B. Schedule periodic government inspections
C. Track purchased software and mobile devices
D. Implement effective supervision
E. Observe employees implementing the controls
A, C, D
Which of the following are true statements? (Check all that apply.)
A. People witnessing fraudulent behavior are eager and willing to report fraud perpetrators.
B. Neural networks and other programs with learning capabilities are still not able to accurately identify fraud.
C. Some whistle-blowers have been ostracized, persecuted, or suffered damage to their careers.
D. Virtually all calls to fraud hotlines are worthy of investigation.
E. Fraudsters follow distinct patterns and leave clues behind that can be discovered by fraud detection software.
C, E
Which of the following statements are true? (Check all that apply.)
A. Supervision is especially important in organizations without responsibility reporting or an adequate segregation of duties.
B. Customer relationship management (CRM) software includes budgets, schedules, and standard costs; reports comparing actual and planned performance; and procedures for investigating and correcting significant variances.
C. Accounting systems generally consist of several subsystems, each designed to process a particular type of transaction.
D. All system transactions and activities should be recorded in a log that indicates who accessed what data and when.
E. Most mobile devices do not need to be tracked and monitored as their loss represents minimal exposure.
A, C, D
People who discover, extract, safeguard, and document computer evidence such that its authenticity, accuracy, and integrity will not succumb to legal challenges are called:
Computer forensics specialist
True or False: all other things equal, preventative controls are superior to detective controls?
True
To achieve segregation of duties, certain functions must be separated. What is the correct listing of the accounting-related functions that must be separated?
Authorization
Recording
Custody
Which of the following is not an independent check?
A. Periodic comparison of subsidiary ledger totals to control accounts
B. Trial balance
C. Bank reconciliation
D. Re-adding the total of a batch of invoices and comparing it with your first total
D
What is a control that relates to both the design and the use of documents and records?
Sequentially prenumbering sales invoices
What is the correct order of the risk assessment steps?
Identify threats
estimate risk and exposure
identify controls
estimate costs and benefits
Hiring qualified personnel, segregating employee duties, and controlling physical access to assets and information are examples of what kind of internal controls?
preventative
A potential adverse occurrence is called a threat. With respect to threats, which of these statements is false?
A. The potential dollar loss from a threat is called the exposure or impact.
B. The timing of when a threat will occur is called the timeframe or timeline.
C. The probability a threat will occur is called the likelihood or risk.
D. None of these statements about threats are false.
B
A(n) ___ helps managers focus subordinates' attention on key strategic issues and to be more involved in their decisions
interactive control system
Considering the potential of fraud belongs to which component of COSO's IC model?
Risk Assessment
Which of the following is not a SOX requirement?
A. Auditors must report specific information to the company’s audit committee.
B. Auditors must maintain an audit trail that documents all client-auditor communications.
C. The CEO must certify that financial statements were reviewed by management and are not misleading.
D. Audit committee members must be on the company's board of directors and be independent of the company.
B
The amount of risk a company is willing to accept in order to achieve its goals and objectives is called
risk appetite
A company’s organizational structure provides a framework for planning, executing, controlling, and monitoring operations. Which of the following are important aspects of the organizational structure? (Check all that apply.)
A. Centralization or decentralization of authority.
B. Size and nature of company activities.
C. The technology needed to meet information requirements
D. Organization by industry, product line, location, or marketing network.
A, B, D
Which of the following is not a key method of monitoring internal control system performance?
A. Hire private investigators to investigate employee behavior.
B. Employ a computer security officer.
C. Implement a fraud hotline.
D. Perform internal control evaluations.
A
The examination of the relationship between different sets of data is called
analytical reviews
Which of the following does not help safeguard assets, documents, and data?
A. Measure the throughput and utilization of data and physical assets.
B. Periodically reconcile recorded asset quantities with a count of those assets.
C. Create and enforce appropriate policies and procedures.
D. Store data and documents in fireproof storage areas or secure offsite locations.
E. Restrict access to data and documents.
A
The Trust Services Principle ___ focuses on: ensuring the accuracy of data
Processing Integrity
The Trust Services Principle ___ focuses on: ensuring that personal information from customers, suppliers, and employees is collected, used, disclosed, and maintained in a manner that is consistent with organization policies
Privacy
The Trust Services Principle ___ focuses on: protection of sensitive corporate data from unauthorized disclosure.
Confidentiality
Management seeks assurance that __________. (Check all that apply.)
A. the Cloud service providers the company uses are reliable
B. the information produced by the organization’s own accounting system is reliable
C. the company is complying with regulatory requirements
D. there is no security risk
A, B, C
Which of the following was developed jointly by the AICPA and the CICA?
A. Trust Services
B. GDPR
C. SOX
D. COBIT 2019
A
The time-based model of security posits that security is effective when which equation is satisfied:
P>D+R
What is one way to increase the effectiveness of the time based model?
increase P
Which of the following statements are true? (Check all that apply.)
A. Employees should be taught how to follow security policies and why those policies exist.
B. Employees can be an organization’s weakest link in terms of security.
C. Targeted e-mails are an example of a social engineering tactic that is called piggybacking.
D. Senior management does not need security awareness training.
A, B
A good relationship between the information security and internal audit functions is important because it:
A. increases security-related material internal control weaknesses.
B. increases top management support for information security.
C. improves the ability to detect serious issues involving employee noncompliance with security policies.
D. eliminates security incidents.
C
What is the proper sequence of steps in the security life cycle?
Assess threats and select risk response, develop and communicate policy, acquire and implement solutions, monitor performance
Which of the following statements is true? (Check all that apply.)
A. Complexity (number of different types of characters) is more important than length (number of characters) in determining the strength of a password or passphrase.
B. Length (number of characters) is more important than complexity (number of different types of characters) in determining the strength of a password or passphrase.
C. The authorization process controls what actions (e.g., print, create, delete, etc.) an employee can perform, whereas the authentication process determines whether to grant an employee access to the system.
D. The authentication process controls what actions (e.g., print, create, delete, etc.) an employee can perform, whereas the authorization process determines whether to grant an employee access to the system.
B, C
Which of the following statements about improving the security of wireless is true? (Check all that apply.)
A. Wireless SSIDs should use meaningful names such as “finance department” or “payroll” rather than names like “XYZ345”.
B. Wireless devices should be configured to operate only in infrastructure mode, not ad hoc mode.
C. Wireless access points should be placed in the DMZ.
D. All wireless traffic should be encrypted.
B, C, D
Which of the following statements is true?
A. Routers should be configured to perform deep packet inspection.
B. Firewalls protect a network by looking for patterns in incoming traffic to identify and automatically block attacks.
C. A firewall that inspects the data portion of a TCP packet is performing a process referred to as packet-filtering.
D. A DMZ is a separate network located outside the organization’s internal information system.
D
Which of the following is an example of multi-modal authentication?
A. PIN plus ATM card
B. Smart card plus fingerprint scan
C. Passphrase plus answer to a security question
D. All of these are examples of multi-modal authentication
C
Which of the following is an example of multi-factor authentication?
A. USB device plus retina scan
B. Voice recognition plus answer to security question
C. Password plus smart card
D. All of these are examples of multi-factor authentication
D
A “fake” or “decoy” system used to provide early warning that attackers are targeting an organization’s systems is called a(n):
honeypot
Which component of the time-based model of security does log analysis affect?
Detection
One way to improve the efficiency and effectiveness of log analysis is to use a(n):
SIEM
Which of the following statements are true? (Check all that apply.)
A. The goal of log analysis is to determine the reasons for events such as a failed login attempt.
B. Log analysis should be done once a year.
C. Finding changes in log records is an indication that a system has been compromised.
D. Log analysis can be automated by installing a SIEM.
A, C
Which activity are accountants most likely to participate in?
A. Continuous monitoring
B. Log analysis
C. Running an IDS
D. Installing and monitoring a honeypot
A
Which step should happen first as part of the incident response process?
Recognition of an attack
Which of the following is the final phase of the incident response process?
analysis of the root cause of the incident
Which of the following statements are true? (Check all that apply.)
A. The CIRT should include members of senior management.
B. Members of the CIRT must have multiple methods of communicating with one another (e.g., e-mail, landlines, cellphones, etc.).
C. None of these are correct
D. The CIRT should include technical specialists.
A, B, D
Which of the following statements are true? (Check all that apply.)
A. The CIO has responsibility that vulnerability risk assessments and security audits are periodically conducted.
B. The CIO needs to work closely with the person in charge of physical security because unauthorized physical access enables an attacker to bypass logical access controls.
C. Organizations that have a CISO are more likely to have a well-trained CIRT.
D. Ideally, the CISO should report to a member of senior management, such as the COO or CEO, rather than to the CIO.
C, D
Which of the following statements is(are) true? (Check all that apply.)
A. A CIRT can improve the time-based model of security by increasing the value of R.
B. Creating the position of CISO is one way to satisfy the time-based model of security by reducing the value of R.
C. A CIRT can improve the time-based model of security by reducing the value of R.
D. Creating the position of CISO is one way to satisfy the time-based model of security by increasing the value of R.
B, C
Which of the following statements is(are) true?
A. Penetration tests show whether it is possible to break into a system.
B. Penetration tests seldom succeed.
C. Vulnerability scanning is an alternative to penetration testing.
D. Penetration tests are authorized attacks.
D
Which of the following statements is(are) true? (Check all that apply.)
A. Good change management and change control eliminates the need for penetration tests.
B. Good change management and change control results in better operating performance by reducing the number of problems that need to be fixed.
C. Good change management and change control reduces the costs incurred when a security incident happens.
D. Good change management and change control increases the number of “emergency” changes needed.
B, C
Which of the following statements is(are) true? (Check all that apply.)
A. It is important to update system documentation after a change has been approved.
B. An increase in the number of emergency changes is an indicator that the change management and change control process is functioning well.
C. Changes should be tested in a system separate from the one used for daily business processes.
D. Emergency changes do not need to be documented.
A, C
Change management and change control processes need to be applied to any modifications to: (Check all that apply.)
A. None of these statements are true.
B. operating procedures.
C. hardware.
D. software.
B, C, D
Which of the following are characteristics of a well-designed and effectively functioning change management and change control process? (Check all that apply.)
A. Development of “backout” plans in the event a change creates unexpected problems.
B. Conversion controls to ensure that data is completely and accurately transferred to the new system.
C. Senior management review and approval of major changes.
D. Monitoring of how changes affect segregation of duties.
A, B, C, D
___ is necessary for protecting confidentiality, privacy, integrity of processing, and availability of info resources.
Information security
Which of the following is a preventative control?
A. training
B. log analysis
C. virtualization
D. CIRT
A
The control procedure designed to restrict what portions of an info system an employee can access and what actions they can perform is called ___.
authorization
A weakness an attacker can take advantage of to either disable or take control of a system is called a(n) ___.
vulnerability
Which of the following is a detective control?
A. physical access controls
B. penetration testing
C. patch management
D. endpoint hardening
B
Which of the following is true?
A. Emergency changes need to be documented once the problem is resolved.
B. Change controls are necessary to maintain adequate segregation of duties.
C. Changes should be tested in a system separate from the one used to process transactions
A, B, C
What technique is the most effective way for a firewall to protect the perimeter?
Deep packet inspection
The Trust Services Framework identifies five principles for systems reliability. Which one of those five principles is a necessary prerequisite to the other four?
A. Availability
B. Security
C. Confidentiality
D. Processing integrity
E. Privacy
B
The Trust Services Reliability Principle that states, "access to the system and its data is controlled and restricted to legitimate users," is known as
Security
If the time an attacker takes to break through the organization’s preventive controls is shorter than the sum of the time required for the organization to detect the attack and the time required to respond to the attack, then the organization’s security is considered
ineffective
Combining a password with which of the following is an example of multi-modal authentication?
A. Your e-mail address
B. All of these are examples of multi-modal authentication
C. Correctly identifying a picture you had selected when you set up the account
D. Name of your first-grade teacher
B
Which device blocks or admits individual packets by examining information in the TCP and IP headers?
Firewalls
What is the objective of a penetration test?
To identify where additional protections are most needed to increase the time and effort required to compromise the system
Which of the following are indicators that an organization’s change management and change control process is effective?
A. A low number of emergency changes
B. A reduction in the number of problems that need to be fixed
C. Testing of all changes takes place in a system separate from the one used for regular business operations
D. All of these are correct
D
What is the correct sequence of steps in the incident response process?
Recognize that a problem exists, stop the attack, repair the damage, learn from the attack