Audcis Prelims

Uploaded by

Elle Mallari
CHAPTER 1: AUDITING, ASSURANCE & INTERNAL CONTROL

1. Which of the following is NOT a task performed in the audit planning stage?
a. reviewing an organization's policies and practices
b. planning substantive testing procedures
c. reviewing general controls
d. determining the degree of reliance on controls

2. Which of the following statements is true?
a. Both the SEC and the PCAOB require the use of the COSO framework
b. Any framework can be used that encompasses all of COSO's general themes
c. The SEC recommends COBIT, and the PCAOB recommends COSO
d. Both the SEC and the PCAOB require the COBIT framework
e. None of the above are true

3. Which of the following is NOT a requirement of Section 302 of SOX?
a. Corporate management (including the CEO) must certify monthly and annually their organization's internal controls over financial reporting
b. Auditors must interview management regarding significant changes in the design or operation of internal control that occurred since the last audit
c. Auditors must determine whether changes in internal control have materially affected, or are likely to materially affect, internal control over financial reporting
d. Management must disclose any material changes in the company's internal controls that have occurred during the most recent fiscal quarter
e. All of the above are requirements

4. Which of the following is NOT an example of preventive control?
a. Separation of responsibilities for the recording, custodial, and authorization functions
b. Sound personnel practices
c. Documentation of policies and procedures
d. Password authentication software and hardware
e. Source documents for capturing sales data

5. The underlying assumption of reasonable assurance regarding the implementation of internal control means that
a. Auditors are reasonably assured that fraud has not occurred in the period
b. Auditors are reasonably assured that employee carelessness can weaken an internal control structure
c. Implementation of the control procedure should not have a significant adverse effect on efficiency or profitability
d. Management assertions about control effectiveness should provide auditors with reasonable assurance
e. A control applies reasonably well to all forms of computer technology

6. Ensuring that all material transactions processed by the information system are valid and in accordance with management's objectives is an example of
a. Transaction authorization
b. Supervision
c. Accounting records
d. Independent verification

7. Which of the following situations is NOT a segregation of duties violation?
a. The treasurer has the authority to sign checks but gives the signature block to the assistant treasurer to run the check-signing machine
b. The warehouse clerk, who has custodial responsibility over inventory in the warehouse, selects the vendor and authorizes purchases when inventories are low
c. The sales manager has the responsibility to approve credit and the authority to write off accounts
d. The department time clerk is given the undistributed payroll checks to mail to absent employees
e. The accounting clerk who shares the record-keeping responsibility for the accounts receivable subsidiary ledger performs the monthly reconciliation of the subsidiary ledger and the control account

8. Which of the following is often called a compensating control?
a. Transaction authorization
b. Supervision
c. Accounting records
d. Segregation of duties

9. Which of the following benefits is least likely to result from a system of internal controls?
a. Reduction of cost of an external audit
b. Prevention of employee collusion to commit fraud
c. Availability of reliable data for decision-making purposes
d. Some assurance of compliance with the Foreign Corrupt Practices Act of 1977
e. Some assurance that important documents and records are protected

10. Which is NOT a source of evidence for an external auditor?
a. Work performed by internal auditors who organizationally report to the controller
b. Tests of controls
c. Substantive tests
d. Work performed by internal auditors who report to the audit committee of the BOD

11. Which of the following is a preventive control?
a. Credit check before approving a sale on account
b. Bank reconciliation
c. Physical inventory count
d. Comparing the accounts receivable subsidiary ledger to the control account

12. A physical inventory count is an example of a
a. Preventive control
b. Detective control
c. Corrective control
d. Feed-forward control

13. Which of the following is the best reason to separate duties in a manual system?
a. To avoid collusion between the programmer and the computer operator
b. To ensure that supervision is not required
c. To prevent the record keeper from authorizing transactions
d. To enable the firm to function more efficiently

14. The importance to the accounting profession of the Sarbanes-Oxley Act is that
a. Bribery will be eliminated
b. Management will not override the company's internal controls
c. Management is required to certify their internal control system
d. Firms will not be exposed to lawsuits

15. The office management forgot to record in the accounting records the daily bank deposit. Which control procedure would most likely prevent or detect this error?
a. Segregation of duties
b. Independent verification
c. Accounting records
d. Supervision

16. Control activities under SAS 109/COSO include
a. IT controls, preventive controls, and corrective controls
b. Physical controls, preventive controls, and corrective controls
c. General controls, application controls, physical controls
d. Transaction authorizations, segregation of duties, risk assessment

17. Management can expect various benefits to follow from implementing a system of strong internal control. Which of the following benefits is least likely to occur?
a. Reduced cost of an external audit
b. Prevents employee collusion to commit fraud
c. Availability of reliable data for decision-making purposes
d. Some assurance of compliance with the Foreign Corrupt Practices Act of 1977

18. Which statement is not true?
a. Auditors must maintain independence
b. IT auditors attest to the integrity of the computer system
c. IT auditing is independent of the general financial audit
d. IT auditing can be performed by both internal and external auditors

19. When planning the audit, information is gathered by all of the following methods except
a. Completing questionnaires
b. Interviewing management
c. Observing activities
d. Confirming accounts receivable

20. All of the following are components of audit risk except
a. Control risk
b. Legal risk
c. Detection risk
d. Inherent risk

CHAPTER 2: AUDITING IT GOVERNANCE CONTROLS

1. Which of the following is true?
a. Core competency theory argues that an organization should outsource core assets.
b. Core competency theory argues that an organization should focus exclusively on its core business competencies.
c. Core competency theory argues that an organization should not outsource commodity assets.
d. Core competency theory argues that an organization should retain certain specific (non-core) assets in-house.
e. None of the above statements are true.

2. The following are examples of commodity assets except
a. network management.
b. data center operations.
c. systems development.
d. server maintenance.
e. all are commodity assets.

3. Which of the following is NOT a control concern in a distributed data processing environment?
a. redundancy
b. hiring qualified professionals
c. incompatibility
d. lack of standards
e. all of the above are control concerns

4. Which of the following disaster recovery techniques may be least effective in the case of a disaster?
a. empty shell
b. mutual aid pact
c. internally provided backup
d. they are all equally beneficial

5. Which of the following would strengthen organizational control in a centralized data processing environment?
a. requiring the user departments to specify the general control standards necessary for processing transactions
b. requiring that requests and instructions for data processing services be submitted directly to the computer operator in the data center
c. having the database administrator report to the systems development manager
d. assigning maintenance responsibility to the original system designer who best knows its logic
e. none of the above

6. In general, which of the following disaster recovery techniques has the least risk associated with it?
a. empty shell
b. ROC
c. internally provided backup
d. they are all equally risky

7. Which of the following disaster recovery techniques may be least effective in the case of a widespread natural disaster?
a. empty shell
b. internally provided backup
c. ROC
d. they are all equally beneficial

8. Which of the following is NOT true about the SSAE 16 report?
a. It is a third-party attestation report.
b. It replaced Statement on Auditing Standards No. 70 (SAS 70).
c. The service provider prepares a separate SSAE 16 report tailored to the needs of each of its client firms, upon which the client auditors rely.
d. When using the carve-out method, service provider management would exclude the subservice organization's relevant controls.
e. All of the above are true.

9. A disadvantage of distributed data processing is
a. the increased time between job request and job completion.
b. the potential for hardware and software incompatibility among users.
c. the disruption caused when the mainframe goes down.
d. that users are not likely to be involved.
e. none of the above are disadvantages.

10. Segregation of duties in the IT environment include
a. separating the programmer from the computer operator.
b. separating new systems development from program maintenance.
c. separating the DBA from systems development.
d. all of the above.

11. Adequate backups will protect against all of the following except
a. natural disasters such as fires
b. unauthorized access
c. data corruption caused by program errors
d. system crashes

12. Systems development is separated from data processing activities because failure to do so
a. weakens database access security
b. allows programmers access to make unauthorized changes to applications during execution
c. results in inadequate documentation
d. results in master files being inadvertently erased

13. All of the following are control risks associated with the distributed data processing structure except
a. lack of separation of duties
b. system incompatibilities
c. system interdependency
d. lack of documentation standards

14. Which of the following is not an essential feature of a disaster recovery plan?
a. off-site storage of backups
b. computer services function
c. second site backup
d. critical applications identified

15. An advantage of a recovery operations center is that
a. this is an inexpensive solution
b. the initial recovery period is very quick
c. the company has sole control over the administration of the center
d. none of the above are advantages of the recovery operations center

16. All of the following are recommended features of a fire protection system for a computer center except
a. clearly marked exits
b. an elaborate water sprinkler system
c. manual fire extinguishers in strategic locations
d. automatic and manual alarms in strategic locations

17. All of the following tests of controls will provide evidence about the physical security of the computer center except
a. review of fire marshal records
b. review of the test of the backup power supply
c. verification of the second site backup location
d. observation of procedures surrounding visitor access to the computer center

18. Which of the following is not true?
a. Large-scale IT outsourcing involves transferring specific assets to a vendor.
b. Specific assets, while valuable to the client, are of little value to the vendor.
c. Once an organization outsources its specific assets, it may not be able to return to its pre-outsource state.
d. Specific assets are of value to vendors because, once acquired, vendors can achieve economies of scale by employing them with other clients.

19. Which of the following is not true?
a. Management may outsource their organizations' IT functions, but they cannot outsource their management responsibilities for internal control.
b. Section 404 requires the explicit testing of outsourced controls.
c. The SSAE 16 report, which is prepared by the outsourcer's auditor, attests to the adequacy of the vendor's internal controls.
d. Auditors issue two types of SSAE 16 reports: Type I report and Type II report.

20. Which of the following is a feature of fault tolerance control?
a. Interruptible power supplies
b. RAID
c. DDP
d. MDP

21. What problems may occur as a result of combining applications programming and maintenance tasks into one position?
One problem that may occur is inadequate documentation. Documenting is not considered as interesting a task as designing, testing, and implementing a new system; thus a system professional may move on to a new project rather than spend time documenting an almost complete project. Job security may be another reason a programmer may not fully document his or her work. Another problem that may occur is the increased potential for fraud. If the original programmer generates fraudulent code during development, then this programmer, through maintenance procedures, may disable the code prior to audits. Thus, the programmer can continue to cover his or her tracks.

22. What are some risks associated with DDP?
Inefficient use of resources, destruction of audit trails, inadequate segregation of duties, hiring qualified professionals, lack of standards

23. What is a mirrored data center?
A mirrored data center duplicates programs and data onto a computer at a separate location. Mirroring is performed for backup purposes.

24. What are the often-cited benefits of IT outsourcing?
Oft-cited benefits of IT outsourcing include improved core business performance, improved IT performance (due to the vendor's expertise), and reduced IT costs.

CHAPTER 3: AUDITING OPERATING SYSTEMS AND NETWORK

1. A DDoS attack
a. is more intensive than a DoS attack because it emanates from a single source.
b. may take the form of either a SYN flood or smurf attack.
c. is so named because it affects many victims simultaneously, which are distributed across the Internet.
d. turns the target victim's computers into zombies that are unable to access the Internet.
e. none of the above is correct.

2. A digital signature
a. is the encrypted mathematical value of the message sender's name.
b. is derived from the digest of a document that has been encrypted with the sender's private key.
c. is derived from the digest of a document that has been encrypted with the sender's public key.
d. is the computed digest of the sender's digital certificate.
e. allows digital messages to be sent over analog telephone lines.

3. Which of the following statements is correct?
a. Cloud computing allows client firms to acquire IT resources from vendors in strict accordance with long-term contracts that stipulate services.
b. A packet combines the messages of multiple users into a unit for transmission. At the receiving end, the packet is disassembled into individual messages and distributed to the user.
c. A virtual private network (VPN) is a private network within a public network.
d. Infrastructure-as-a-Service (IaaS) is a software distribution model in which service providers host applications for client organizations over a private network or the Internet.
e. An advantage of cloud computing over traditional outsourcing is that internal control and security issues are not concerns for the client firm, but are the responsibility of the cloud service provider.

4. Which of the following statements about cookies is true?
a. Cookies were originally intended to facilitate advertising on the web.
b. Cookies always contain encrypted data.
c. Cookies are text files and never contain encrypted data.
d. Cookies allow websites to offload the storage of information about visitors.
e. Web browsers cannot function without cookies.

5. A message that is contrived to appear to be coming from a trusted or authorized source is called
a. a DDoS attack.
b. digital signature forging.
c. a SYN-ACK packet.
d. URL masquerading.
e. Internet protocol spoofing.

6. Which of the following statements is correct?
a. TCP/IP is the basic protocol that permits communication between Internet sites.
b. TCP/IP controls web browsers that access the web.
c. TCP/IP is the document format used to produce web pages.
d. TCP/IP is used to transfer text files, programs, spreadsheets, and databases across the Internet.
e. TCP/IP is a low-level encryption scheme used to secure transmissions in higher-level (HTTP) format.

7. A ping signal is
a. used to perpetrate URL masquerading.
b. an Internet maintenance tool.
c. used for Internet protocol spoofing.
d. an Internet protocol.
e. a SYN-ACK packet.

8. A system of computers that connects the internal users of an organization distributed over a wide geographic area is a(n)
a. LAN
b. Internet
c. decentralized network
d. intranet
e. multidrop network

9. The client-server model
a. is best suited to the token ring topology because the random-access method this topology uses detects data collisions.
b. is most effective when used as a bus topology because its deterministic access method avoids collisions and prevents data loss during transmissions.
c. distributes both data and processing tasks to the server node. The client-server model can use the bus or ring topology.
d. is more efficient than the bus or ring topologies because it transmits an entire file of records to the requesting node rather than only a single record.
e. is not used in conjunction with either the bus or ring topology.

10. Which statement about Sniffer software is true?
a. It is used by malicious websites to sniff data from cookies stored on the user's hard drive.
b. It is illegal software for decoding encrypted messages transmitted over a shared intranet channel.
c. It is used by bus topology intranets to sniff for carriers before transmitting a message to avoid data collisions.
d. It is an illegal program downloaded from the web to decode encrypted data of Internet customers and sniff their passwords.
e. It is used by network administrators to analyze network traffic.

11. What is a cookie?
Cookies are files that contain information about a visitor to a company's Web site. The cookie is stored on the visitor's computer. When a visitor returns to the company's Web site, the information stored in the cookie is made available to the Web site.

12. What is a seal of assurance?
A seal of assurance is a certificate stating the legitimacy of Web sites. It is offered by third-party organizations that are charged with determining whether the company receiving the seal of assurance complies with certain business practices, capabilities, and controls.

13. How does IP spoofing support Internet crime?
A criminal may use IP spoofing to make a message appear to be coming from a trusted or authorized source and thus slip through control systems designed to accept transmissions from certain (trusted) host computers and block out others. This technique could be used to crack into corporate networks to perpetrate fraud, conduct acts of espionage, or destroy data.

CHAPTER 4: AUDITING DATABASE SYSTEM

1. Which of the following statements does not apply to the database approach?
a. Database systems have data independence; that is, the data and the programs are maintained separately, except during processing.
b. Database management systems employ a data definition language that helps describe each schema and subschema.
c. The database administrator is part of the software package that instructs the operating aspects of the program when data are retrieved.
d. A primary goal of database systems is to minimize data redundancy.
e. Database systems are based on the philosophy of data ownership.

2. Database tables should be normalized. This means
a. each attribute in a row should be dependent on the primary key and independent of other attributes in the table.
b. each attribute in a row should be independent of the primary key and dependent on other attributes in the table.
c. each attribute in a row should contain a unique value.
d. the value of each attribute should fall within a normal range of values predetermined for that attribute.
e. both a and d are correct.

3. Which of the following is a characteristic of a relational database system?
a. User views limit access to the database.
b. Database navigation follows explicit links that are contained within the records.
c. All users share all the data to achieve integration of functions.
d. No two users share the same user view.

4. Replicated databases are most effective when
a. users in the system do not need to share common data.
b. primary users of the data are clearly identifiable.
c. read-only access is needed at each site.
d. all of the above.

5. The functions of a database administrator are
a. database planning, data input preparation, and database design.
b. data input preparation, database design, and database operation.
c. database design, database operation, and equipment operations.
d. database design, database implementation, and database planning.
e. database operations, database maintenance, and data input preparation.

6. The data attributes that a particular user has permission to access are defined by the
a. operating system view.
b. systems design view.
c. database schema.
d. user view.
e. application program.

7. An inventory table in a relational database system contains values for items such as part number, part name, description, color, and quantity. These individual items are called
a. entities.
b. record types.
c. attributes.
d. occurrences.

8. Which of the following is a characteristic of a relational database system?
a. Tables are linked to other related tables through explicit pointers.
b. A parent table may be related to many child tables, but a child table may have only one parent.
c. Each table must contain an attribute whose value is unique.
d. Tables in 1:M associations are linked by embedding the primary key of the M side tables into the 1 side table as a foreign key.

9. A database system that has several remote users networked together, but each user site stores a unique portion of the database is called a
a. replicated data processing network.
b. partitioned database.
c. recentralized network.
d. multi-drop data network.
e. hybrid system.

10. For those instances where individual users may be granted summary and statistical query access to confidential data to which they normally are denied access, which type of control is most suitable?
a. User-defined procedures
b. Data encryption
c. Inference controls
d. Biometric devices

11. Where are database access permission defined?
a. Operating system
b. Database authority table
c. Database schema
d. Systems manual
e. Application programs

12. Database currency is achieved by
a. implementing partitioned databases at remote sites.
b. employing data-cleansing techniques.
c. ensuring that the database is secure from accidental entry.
d. an external auditor's reconciliation of reports from multiple sites.
e. a database lockout that prevents multiple simultaneous access.

13. Which of the following is not a problem usually associated with the flat-file approach to data management?
a. data redundancy
b. restricting access to data to the primary user
c. data storage
d. currency of information

14. A description of the physical arrangement of records in the database is
a. the internal view
b. the conceptual view
c. the subschema
d. the external view

15. The data definition language
a. identifies, for the database management system, the names and relationships of all data elements, records, and files that comprise the database
b. inserts database commands into application programs to enable standard programs to interact with and manipulate the database
c. permits users to process data in the database without the need for conventional programs
d. describes every data element in the database

16. Which duty is not the responsibility of the database administrator?
a. to develop and maintain the data dictionary
b. to implement security controls
c. to design application programs
d. to design the subschema

17. Which term is not associated with the relational database model?
a. tuple
b. attribute
c. collision
d. relation

18. In the relational database model all of the following are true except
a. data is presented to users as tables
b. data can be extracted from specified rows from specified tables
c. a new table can be built by joining two tables
d. only one-to-many relationships can be supported

19. Which procedure will prevent two end users from accessing the same data element at the same time?
a. data redundancy
b. data replication
c. data lockout
d. none of the above

20. The advantages of a partitioned database include all of the following except
a. user control is enhanced
b. data transmission volume is increased
c. response time is improved
d. risk of destruction of the entire database is reduced

21. Which of the following is not an access control in a database system?
a. antivirus software
b. database authorization table
c. passwords
d. voice prints

22. Which of the following is not a basic database backup and recovery feature?
a. checkpoint
b. backup database
c. transaction log
d. database authority table

23. What is a database authorization table?
The database authorization table contains rules that limit the actions a user can take. Each user is granted certain privileges that are coded in the authority table, which is used to verify the user's action requests.

24. What types of problems do data redundancy cause?
a. increased data storage because the same data is stored in multiple files
b. increased data updating because changes must be made to multiple files
c. problem of current data in some files, but not all files

25. What allows users to retrieve and modify data easily?
Query language

26. How does the database approach solve the problem of data redundancy?
Data redundancy is not a problem with the database approach because individual data elements need to be stored only once yet be available to multiple users.

27. Why are the hierarchical and network models called navigational databases?
These are called navigational models because traversing or searching them requires following a predefined path which is established through explicit linkages between related records.
