Controls Practice AIS – Flashcards
question
Modest Expectations Investment Services (MEIS) allows customers to manage their investments over the internet. If customers attempt to sell more shares of a stock than they have in their account, an error message is displayed. This is an example of a
answer
Reasonableness test
question
________ enables a system to continue functioning in the event that a particular component fails
answer
Fault Tolerance
question
All of the following controls for online entry of a sales order would be used except
answer
check digit verification on the dollar amount of the order
question
Information technology managers are often in a bind when a new exploit is discovered in the wild. They can respond by updating the affected software or hardware with new code provided by the manufacturer, which runs the risk that a flaw in the update will break the system. Or they can wait until the new code has been extensively tested, but that runs the risk that they will be compromised by the exploit during the testing period. Dealing with these issues is referred to as
answer
Patch Management
question
The organization chart for Geerts Corporation includes a controller and an information processing manager, both of whom report to the vice president of finance. Which of the following would be a control weakness?
answer
Assigning the programming and operating of the computer system to an independent control group which reports to the controller.
question
A specific inventory record indicates that there were 12 items on hand before a customer brings two of the items to the check stand to be purchased. The cashier accidentally entered quantity 20 instead of 2. Which data entry control would best have prevented this error?
answer
Sign check
question
Probably the most important change management control is
answer
Management's careful monitoring and review
question
According to the Sarbanes-Oxley Act of 2002, the audit committee of the board of directors is directly responsible for
answer
hiring and firing external auditors
question
In recent years, many of the attacks carried out by hackers have relied on this type of vulnerability in computer software
answer
Buffer overflow
question
Which of the following is the most effective method of protecting against social engineering attacks on a computer system?
answer
employee awareness training
question
Forms design is an example of this type of control
answer
Input control
question
One of the objectives of the segregation of duties is to
answer
Make sure that different people handle different parts of the same transaction
question
The most common input-related vulnerability is
answer
Buffer overflow attack
question
File labels are an example of
answer
processing controls
question
Encryption has a remarkably long and varied history. The invention of writing was apparently soon followed by a desire to conceal messages. One of the earliest methods, attributed to an ancient Roman emperor, was the simple substitution of numbers for letters, for example A=1, B=2, etc. This is an example of
answer
Symmetric key encryption
question
Which of the following is not an objective of a disaster recovery plan?
answer
Permanently establish an alternative means of processing information.
question
Which of the following is a control related to design and use of documents and records?
answer
sequentially renumbering sales invoices
question
This data entry control compares the ID number in the transaction data to a master file to verify that the ID number exists.
answer
Validity Check
question
Which item below would not typically be part of an adequate disaster recovery plan?
answer
A system upgrade due to operating system software changes.
question
The COSO enterprise risk management integrated framework stresses that
answer
risk management activities are an inherent part of all business operations and should be considered during strategy setting.
question
One way to circumvent the counterfeit of public keys is by using
answer
A digital certificate
question
Reducing management layers, creating self-directed work teams, and emphasizing continuous improvement are all related to which aspect of internal environment?
answer
Organizational Structure
question
According to the Trust Services Framework, the reliability principle of integrity is achieved when the system produces data that
answer
Is complete, accurate, and valid
question
A customer failed to include her account number on her check, and the accounts receivable clerk credited her payment to a different customer with the same last name. Which control could have been used to most effectively prevent this error?
answer
Closed-loop verification
question
Restricting users' access to specific portions of the system, as well as to specific tasks, is
answer
Authorization
question
Which component of the COSO enterprise Risk Management Integrated Framework is concerned with understanding how transactions are initiated, data are captured and processed, and information is reported?
answer
Information and communication
question
An Access control matrix
answer
is a table specifying which portions of the system users are permitted to access
question
Turnaround documents are an example of a(n)
answer
Input Control
question
The Trust Services Framework reliability principle that states that users must be able to enter, update, and retrieve data during agreed-upon times is known as
answer
Availability
question
On March 3, 2008, a laptop computer belonging to Folding Squid Technology was stolen from the trunk of Jiao Jan's car while he was attending a conference in Cleveland, Ohio. After reporting the theft, Jiao considered the implications of the theft for the company's network security and concluded there was nothing to worry about because
answer
The data stored on the computer was encrypted
question
A computer operator accidentally used the wrong master file when updating a transaction file. As a result, the master file data is now unreadable. Which control could best have prevented this from happening?
answer
Internal Header Label
question
Which of the following descriptions is not associated with symmetric encryption?
answer
Lack of Authentication
question
It was 9:08 A.M. when Jiao Jan, the Network Administrator for Folding Squid Technologies, was informed that the intrusion detection system had identified an ongoing attempt to breach network security. By the time that Jiao had identified and blocked the attack, the hacker had accessed and downloaded several files from the company's server. Using the notation of the time-based model of security, in this case
answer
D > P
question
Chuck Hewitt was relaxing after work with a colleague at a local watering hole. Well into his second martini, he began expressing his opinions about his work environment. It seems that, as a result of "feminazi" interference, the suggestive banter that had been prevalent in the workplace during his youth was no longer acceptable. He even had to sit through a sexual harassment workshop! The level of control that the company is using in this case is a
answer
Boundary System
question
The data entry control that would best prevent entering an invoice received from a vendor who is not on an authorized supplier list is
answer
A validity check
question
A process that takes plaintext of any length and transforms it into a short code
answer
Hashing
question
This batch processing data entry control sums a field that contains dollar values.
answer
Financial Total
question
Which of the following is not a requirement of effective passwords?
answer
Passwords should be no more than 8 characters in length.
question
There are "white hat" hackers and "black hat" hackers. Cowboy451 was one of the "black hat" hackers. He had researched an exploit and determined that he could penetrate the target system, download a file containing valuable data, and cover his tracks in eight minutes. Six minutes into the attack he was locked out of the system. Using the notation of the time-based model of security, which of the following must be true?
answer
P > 6
question
The accounting department at Synergy Hydroelectric records an average of 12,500 transactions per hour. By cost-benefit analysis, managers have concluded that the maximum acceptable loss of data in the event of a system failure is 25,000 transactions. If the firm's recovery time objective is 120 minutes, then the worst case recovery time objective is
answer
4 hours
question
Multi-factor authentication methods
answer
involve the use of two or more basic authentication methods
question
This determines if characters are of the proper type
answer
Field Check
question
This control entails verifying that the proper number of bits are set to the value 1 in each character received.
answer
Parity Check
question
Go-Go Corporation, a publicly traded company, has three brothers who serve as President, Vice President of Finance and CEO. This situation
answer
increases the risk associated with an audit
question
________ controls are designed to make sure an organization's control environment is stable and well managed.
answer
General
question
Which of the following is an independent check on performance?
answer
The General Manager compares budgeted amounts with expenditure records from all departments.
question
This determines if all required data items have been entered.
answer
Completeness Check
question
This protocol specifies the procedures for dividing files and documents into packets to be sent over the Internet.
answer
Transmission control protocol
question
Generally in a risk assessment process, the first step is to
answer
Identify the threats the company currently faces
question
Change management refers to
answer
controls designed to ensure that updates in information technology do not have negative consequences.
question
Parity checks are an example of a(n)
answer
data transmission control.
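The parity check on the two cards above (the control that counts the bits set to 1 in each character received, classified as a data transmission control), worked through as an added Python example that is not part of the flashcard set. It uses even parity over 7-bit ASCII with the parity bit in bit 7; the sample text and the simulated line-noise errors are constructed. It also shows the limit a practitioner should know: a single flipped bit is caught, two flipped bits in the same character cancel out and pass.

```python
"""Added example (not from the flashcard set): even parity as a data
transmission control. Each 7-bit ASCII character gets a parity bit in bit 7
chosen so the count of 1-bits is even; the receiver simply recounts."""


def parity_bit(char7: int) -> int:
    """1 if the seven data bits hold an odd number of 1s, else 0, so that
    data bits plus parity bit always contain an even number of 1s."""
    return bin(char7 & 0x7F).count("1") % 2


def encode(data: bytes) -> list:
    """Attach the even-parity bit above the seven data bits of each character."""
    return [(parity_bit(b) << 7) | (b & 0x7F) for b in data]


def check(received: list) -> list:
    """Positions whose 8-bit character no longer has an even number of 1s."""
    return [i for i, c in enumerate(received) if bin(c).count("1") % 2]


def decode(received: list) -> bytes:
    """Strip the parity bit to recover the 7-bit characters."""
    return bytes(c & 0x7F for c in received)


def flip_bits(char: int, *positions: int) -> int:
    """Simulate line noise by inverting the given bit positions (0 = LSB)."""
    for p in positions:
        char ^= 1 << p
    return char


def transmit(data: bytes, errors: dict) -> tuple:
    """errors maps character index -> bit positions corrupted in transit.
    Returns (positions flagged by the parity check, decoded payload)."""
    frame = encode(data)
    for idx, bits in errors.items():
        frame[idx] = flip_bits(frame[idx], *bits)
    return check(frame), decode(frame)


if __name__ == "__main__":
    print(transmit(b"PAYEE", {}))            # clean line: ([], b'PAYEE')
    print(transmit(b"PAYEE", {1: (0,)}))     # one bit flipped: detected at index 1
    print(transmit(b"PAYEE", {1: (0, 1)}))   # two bits flipped: NOT detected
    print(transmit(b"PAYEE", {2: (7,)}))     # parity bit itself flipped: detected
```

Parity detects any odd number of bit errors in a character and misses any even number; that is why it is a transmission control for noisy lines rather than an integrity control against a deliberate change, which a hash or signature addresses.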
question
The Director of Information Technology for the city of Bumpkiss, Minnesota, formed a company to sell computer supplies and software. All purchases made on behalf of the City were made from his company. He was later charged with fraud for overcharging the City, but was not convicted. The control issue in this case arose because the Director had both ________ and ________ duties.
answer
recording; authorization
question
On February 14, 2008, students enrolled in an economics course at Swingline College received an email stating that class would be cancelled. The email claimed to be from the professor, but it wasn't. Computer forensic experts determined that the email was sent from a computer in one of the campus labs at 9:14 A.M. They were then able to uniquely identify the computer that was used by means of its network interface card's ________ address. Security cameras revealed the identity of the student responsible for spoofing the class.
answer
MAC
question
A special purpose hardware device or software running on a general purpose computer, which filters information that is allowed to enter and leave the organization's information system, is known as a(n)
answer
firewall
question
Safeguarding assets is one of the control objectives of internal control. Which of the following is not one of the other control objectives?
answer
ensuring that no fraud has occurred
question
The system and processes used to issue and manage asymmetric keys and digital certificates are known as
answer
public key infrastructure.
question
According to the ERM, these help the company address all applicable laws and regulations.
answer
Compliance Objectives
question
This batch processing data entry control sums a non-financial numeric field.
answer
Hash total
question
Information encrypted with the creator's private key that is used to authenticate the sender is
answer
digital signature.
question
The maximum amount of time between backups is determined by a company's
answer
recovery point objective.
question
Which attribute below is not an aspect of the COSO ERM Framework internal environment?
answer
Restricting access to assets
question
The security technology that evaluates IP packet traffic patterns in order to identify attacks against a system is known as
answer
an intrusion prevention system.
question
A facility that contains all the computing equipment the organization needs to perform its essential business activities is known as a
answer
hot site
question
This batch processing data entry control sums the number of items in a batch.
answer
record count
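The three batch totals from the cards (financial total, hash total, record count), run over a constructed batch of cash receipts as an added Python example that is not part of the flashcard set. The totals are taken when the batch is prepared and again after processing; which totals disagree tells you what kind of error crept in. The batch contents and the error scenarios are constructed, and the example also shows an error that none of the three totals catches.

```python
"""Added example (not from the flashcard set): the three batch totals from
the cards, computed before and after processing a constructed batch of
cash receipts, and used to flag what changed in between."""

from copy import deepcopy

# Constructed batch: each record carries an account number (a non-financial
# numeric field) and a dollar amount.
BATCH = [
    {"account": 10234, "amount": 150.00},
    {"account": 20567, "amount": 75.50},
    {"account": 30891, "amount": 320.25},
]


def batch_totals(records: list) -> dict:
    return {
        # Record count: how many records are in the batch.
        "record_count": len(records),
        # Financial total: sum of a field that holds dollar values.
        "financial_total": round(sum(r["amount"] for r in records), 2),
        # Hash total: sum of a non-financial numeric field. The sum means
        # nothing in itself; it only has to match after processing.
        "hash_total": sum(r["account"] for r in records),
    }


def reconcile(prepared: dict, processed: dict) -> list:
    """Names of the totals that disagree; empty means the batch is intact."""
    return [name for name in prepared if prepared[name] != processed[name]]


def simulate(prepared_records: list, processed_records: list) -> list:
    return reconcile(batch_totals(prepared_records), batch_totals(processed_records))


def miskeyed_account(records: list) -> list:
    """20567 keyed as 25067: count and dollars unchanged, only the hash total differs."""
    out = deepcopy(records)
    out[1]["account"] = 25067
    return out


def dropped_record(records: list) -> list:
    """Last record lost in processing: all three totals disagree."""
    return records[:-1]


def swapped_amounts(records: list) -> list:
    """Two amounts posted to each other's accounts: every total still agrees,
    so batch totals alone do not catch this; it takes a per-record control
    such as closed-loop verification."""
    out = deepcopy(records)
    out[0]["amount"], out[1]["amount"] = out[1]["amount"], out[0]["amount"]
    return out


if __name__ == "__main__":
    print(simulate(BATCH, miskeyed_account(BATCH)))   # ['hash_total']
    print(simulate(BATCH, dropped_record(BATCH)))     # all three
    print(simulate(BATCH, swapped_amounts(BATCH)))    # [] : undetected
```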
question
When new employees are hired by Folding Squid Technologies, they are assigned user names and passwords and provided with laptop computers that have an integrated fingerprint reader. In order to log in, the user's fingerprint must be recognized by the reader. This is an example of a(an)
answer
biometric device.
question
Which of the following is not a reason for the increase in security problems for AIS?
answer
Increasing efficiency resulting from more automation
question
Sequentially prenumbered forms is an example of a(n)
answer
input control
question
The process of turning off unnecessary features in the system is known as
answer
hardening
question
The Spontaneous Combustion Rocket Shoppe in downtown Fargo, North Dakota, generates three quarters of its revenue from orders taken over the Internet. The revenue clearing account is debited by the total of cash and credit receipts and credited by the total of storefront and Internet sales. This is an example of a
answer
Zero-balance test
question
Which of the following suggests a weakness in a company's internal environment?
answer
Formal employee performance evaluations are prepared every three years.
question
Which of the following is not a violation of the Sarbanes-Oxley Act (SOX)? The management at Folding Squid Technologies
answer
hired the manager from the external audit team as company CFO twelve months after the manager had worked on the audit.
question
The process that a business uses to safeguard assets, provide accurate and reliable information, and promote and improve operational efficiency is known as
answer
internal control
question
Which of the following describes one weakness of encryption?
answer
Encrypted packets cannot be examined by a firewall.
question
An electronic document that certifies the identity of the owner of a particular public key.
answer
Digital Certificate
question
Which of the following is not one of the three important factors determining the strength of any encryption system?
answer
Privacy
question
Internal control is often referred to as a(n) ________, because it permeates an organization's operating activities and is an integral part of management activities.
answer
process
question
This creates logs of network traffic that was permitted to pass the firewall.
answer
Intrusion detection system
question
Which of the following preventive controls are necessary to provide adequate security for social engineering threats?
answer
Awareness Training
question
A facility that is pre-wired for necessary telecommunications and computer equipment, but doesn't have equipment installed, is known as a
answer
cold site
question
All employees of E.C. Hoxy are required to pass through a gate and present their photo identification cards to the guard before they are admitted. Entry to secure areas, such as the Information Technology Department offices, requires further procedures. This is an example of a(an)
answer
physical access control.
question
Which of the following is not one of the three fundamental information security concepts?
answer
Information security is a technology issue based on prevention.
question
The SEC and FASB are best described as external influences that directly affect an organization's
answer
internal environment.
question
This control framework's intent includes helping the organization to provide reasonable assurance that objectives are achieved and problems are minimized, and to avoid adverse publicity and damage to the organization's reputation.
answer
COSO's enterprise risk management framework
question
Perimeter defense is an example of which of the following preventive controls that are necessary to provide adequate security?
answer
Controlling remote access
question
A validity check is an example of a(n)
answer
data entry control.
question
Encryption has a remarkably long and varied history. Spies have been using it to convey secret messages ever since there were secret messages to convey. One powerful method of encryption uses random digits. Two documents are prepared with the same random sequence of numbers. The spy is sent out with one and the spy master retains the other. The digits are used as follows. Suppose that the word to be encrypted is SPY and the random digits are 352. Then S becomes V (three letters after S), P becomes U (five letters after P), and Y becomes A (two letters after Y, restarting at A after Z). The spy would encrypt a message and then destroy the document used to encrypt it. This is an early example of
answer
symmetric key encryption.
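The shift scheme on this card (S plus 3 is V, P plus 5 is U, Y plus 2 wraps to A), worked through as an added Python example that is not part of the flashcard set. The same pad decrypts, which is what makes it symmetric key encryption, and the example also demonstrates why the spy destroys the pad after one use, which the card states but does not show: with a reused pad, the difference between two ciphertexts equals the difference between the two plaintexts, so the key cancels out. Function names and the second message are my own.

```python
"""Added example (not from the flashcard set): the digit-shift one-time pad
described on the card, plus the key-reuse leak that the single-use rule
prevents."""

import string

ALPHABET = string.ascii_uppercase   # A..Z, indexes 0..25


def shift_encrypt(plaintext: str, pad: str) -> str:
    """Shift each letter forward by the matching pad digit, wrapping after Z.

    This is the card's scheme: S+3 -> V, P+5 -> U, Y+2 -> A. The pad must
    be at least as long as the message, as a one-time pad requires.
    """
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the message")
    out = []
    for letter, digit in zip(plaintext.upper(), pad):
        out.append(ALPHABET[(ALPHABET.index(letter) + int(digit)) % 26])
    return "".join(out)


def shift_decrypt(ciphertext: str, pad: str) -> str:
    """Decrypt with the SAME pad by shifting backwards: symmetric key encryption."""
    out = []
    for letter, digit in zip(ciphertext.upper(), pad):
        out.append(ALPHABET[(ALPHABET.index(letter) - int(digit)) % 26])
    return "".join(out)


def letter_differences(a: str, b: str) -> list:
    """Per-position difference (mod 26) between two equal-length strings."""
    return [
        (ALPHABET.index(x) - ALPHABET.index(y)) % 26
        for x, y in zip(a.upper(), b.upper())
    ]


def pad_reuse_leaks(plain_a: str, plain_b: str, pad: str) -> bool:
    """True if an eavesdropper holding two ciphertexts made with one pad can
    recover the relationship between the plaintexts without the pad.
    Because both were shifted by the same digits, the pad cancels out."""
    ct_a, ct_b = shift_encrypt(plain_a, pad), shift_encrypt(plain_b, pad)
    return letter_differences(ct_a, ct_b) == letter_differences(plain_a, plain_b)


if __name__ == "__main__":
    pad = "352"                                   # the card's random digits
    ct = shift_encrypt("SPY", pad)
    print(ct, shift_decrypt(ct, pad))             # VUA SPY
    print(pad_reuse_leaks("SPY", "TOP", pad))     # True: never reuse the pad
```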
question
In a private key system the sender and the receiver have ________, and in the public key system they have ________.
answer
the same key; two separate keys
question
Which of the following would be considered a "red flag" for problems with management operating style if the question were answered "yes"?
answer
All of these statements would raise "red flags" if answered "yes."
question
A well-known hacker started his own computer security consulting business shortly after being released from prison. Many companies pay him to attempt to gain unauthorized access to their network. If he is successful, he offers advice as to how to design and implement better controls. What is the name of the testing for which the hacker is being paid?
answer
Penetration test
question
A data entry input control in which the application software sums the first four digits of a customer number to calculate the value of the fifth digit and then compares the calculated number to the number typed in during data entry is an example of a
answer
check digit verification.
question
This ensures that the input data will fit into the assigned field.
answer
Size check
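The data entry controls scattered across these cards (reasonableness test, sign check, validity check, field check, completeness check, check digit verification and size check), applied together to one constructed sales transaction as an added Python example that is not part of the flashcard set. The card on check digit verification says the fifth digit is calculated from the first four but not how; the example assumes sum of the first four digits mod 10. The customer master file, the 5-character customer number, the 10,000 order limit and the 1..500 unit-price window used by the reasonableness test are all assumptions.

```python
"""Added example (not from the flashcard set): the data entry controls named
on the cards, applied to a constructed sales transaction.
Assumptions: check digit = (sum of first four digits) mod 10, a 5-character
customer number, an order ceiling of 10,000 and a 1..500 unit-price window
for the reasonableness test."""

# Constructed customer master file; the fifth digit of each number is the
# check digit under the assumed scheme.
CUSTOMER_MASTER = {"12340", "45672", "98760"}

ORDER_LIMIT = 10_000.0
MIN_UNIT_PRICE, MAX_UNIT_PRICE = 1.0, 500.0


def check_digit(first_four: str) -> str:
    """Assumed scheme: sum of the first four digits, mod 10."""
    return str(sum(int(c) for c in first_four) % 10)


def validate(tx: dict, on_hand: int) -> list:
    """Run the controls over one transaction. Returns the list of failures;
    an empty list means the entry is accepted."""
    errors = []

    # Completeness check: every required item must be present.
    for field in ("customer", "quantity", "amount"):
        if tx.get(field) in ("", None):
            errors.append(f"completeness: {field} missing")
    if errors:
        return errors   # nothing further can be checked on missing data

    cust = str(tx["customer"])
    if len(cust) != 5:
        # Size check: input must fit the assigned field.
        errors.append("size: customer number must be 5 characters")
    elif not cust.isdigit():
        # Field check: characters must be of the proper type.
        errors.append("field: customer number must be numeric")
    elif check_digit(cust[:4]) != cust[4]:
        # Check digit verification: recompute digit 5 from digits 1-4.
        errors.append("check digit: customer number mistyped")
    elif cust not in CUSTOMER_MASTER:
        # Validity check: the ID must exist on the master file.
        errors.append("validity: customer not on master file")

    qty = tx["quantity"]
    if not isinstance(qty, int):
        errors.append("field: quantity must be an integer")
    elif qty <= 0:
        # Sign check on the entered quantity.
        errors.append("sign: quantity must be positive")
    elif on_hand - qty < 0:
        # Sign check on the resulting balance: 12 on hand minus 20 keyed
        # instead of 2 would leave a negative on-hand figure.
        errors.append("sign: resulting on-hand balance would be negative")

    amount = float(tx["amount"])
    if amount > ORDER_LIMIT:
        # Limit check: compared against a fixed ceiling.
        errors.append(f"limit: order amount exceeds {ORDER_LIMIT:,.0f}")
    if isinstance(qty, int) and qty > 0 and not (
        MIN_UNIT_PRICE * qty <= amount <= MAX_UNIT_PRICE * qty
    ):
        # Reasonableness test: logical relationship between two fields.
        errors.append("reasonableness: amount inconsistent with quantity")

    return errors


if __name__ == "__main__":
    print(validate({"customer": "12340", "quantity": 2, "amount": 40.0}, 12))    # []
    print(validate({"customer": "12340", "quantity": 20, "amount": 40.0}, 12))   # sign check fires
    print(validate({"customer": "12341", "quantity": 2, "amount": 40.0}, 12))    # check digit fires
    print(validate({"customer": "12430", "quantity": 2, "amount": 40.0}, 12))    # validity fires
```

Note what the transposition "12430" shows: a plain sum-of-digits check digit cannot tell 12340 from 12430, because the sum is the same; weighted schemes such as Luhn exist for that, and the validity check against the master file is the backstop that catches it here.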
question
The process that screens individual IP packets based solely on the contents of the source and/or destination fields in the packet header is known as
answer
static packet filtering.
question
These are used to create digital signatures.
answer
Asymmetric encryption and hashing
question
At a movie theater box office, all tickets are sequentially prenumbered. At the end of each day, the beginning ticket number is subtracted from the ending number to calculate the number of tickets sold. Cash is counted and compared with the number of tickets sold. Which of the following situations does this control detect?
answer
The box office cashier accidentally gives too much change to a customer.
question
Jeff Davis took a call from a client. "Jeff, I need for my customers to make payments online using credit cards, but I want to make sure that the credit card data isn't intercepted. What do you suggest?" Jeff responded "The best solution will be to implement
answer
an encryption system with digital signatures."
question
Duplicate checking of calculations is an example of a ________ control, and procedures to resubmit rejected transactions is an example of a ________ control.
answer
detective; corrective
question
Which of the following is not a useful control procedure to control access to system outputs?
answer
Allowing visitors to move through the building without supervision
question
Cancellation and storage of documents means that
answer
documents are defaced and stored.
question
Using a combination of symmetric and asymmetric key encryption, Chris Kai sent a report to her home office in Syracuse, New York. She received an email acknowledgement that the document had been received and then, a few minutes later, she received a second email that indicated that the hash calculated from the report differed from that sent with the report. The most likely explanation for this result is that
answer
the symmetric encryption key had been compromised.
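The hashing card, the digital signature card ("information encrypted with the creator's private key"), the card stating that digital signatures are created with asymmetric encryption and hashing, and the hash-mismatch scenario above, carried through as one added Python example that is not part of the flashcard set. It is textbook RSA with two small, well-known primes so the arithmetic is visible; the primes, the exponent, the sample report and the truncation of the hash to 32 bits (so it fits under the toy modulus) are all assumptions, and real deployments use 2048-bit or larger keys with a padding scheme such as PSS, which this omits.

```python
"""Added example (not from the flashcard set): hash the message, sign the
hash with the sender's private key, verify with the public key.
Textbook RSA with two small, well-known primes (the 10,000th and 100,000th
primes) so the numbers are visible. Illustration only: real keys are 2048+
bits and signatures use a padding scheme (PSS), both omitted here."""

import hashlib

P, Q = 104729, 1299709          # assumed toy primes
N = P * Q                       # public modulus (about 1.36e11, > 2**32)
PHI = (P - 1) * (Q - 1)
PUBLIC_EXPONENT = 65537


def mod_inverse(a: int, m: int) -> int:
    """Extended Euclid: the x with a*x == 1 (mod m)."""
    old_r, r = a, m
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("no inverse")
    return old_s % m


PRIVATE_EXPONENT = mod_inverse(PUBLIC_EXPONENT, PHI)   # kept secret by the signer


def digest(message: bytes) -> int:
    """Hashing: input of any length to a fixed-size code. Truncated to the
    first 32 bits of SHA-256 only so it is smaller than the toy modulus N."""
    return int.from_bytes(hashlib.sha256(message).digest()[:4], "big")


def sign(message: bytes, private_exponent: int = PRIVATE_EXPONENT) -> int:
    """Digital signature: the hash encrypted with the creator's private key."""
    return pow(digest(message), private_exponent, N)


def verify(message: bytes, signature: int, public_exponent: int = PUBLIC_EXPONENT) -> bool:
    """The receiver decrypts the signature with the sender's public key and
    compares it with a hash freshly computed from the message as received.
    A mismatch means the message was altered or the signer lacked the key."""
    return pow(signature, public_exponent, N) == digest(message)


def hash_only_check(original: bytes, received: bytes) -> bool:
    """A bare hash sent with the message detects accidental change but not
    forgery: whoever alters the message can recompute the hash as well.
    That is what the private-key step adds."""
    return digest(original) == digest(received)


if __name__ == "__main__":
    report = b"Q3 report: revenue 1,204,000"
    sig = sign(report)
    print(verify(report, sig))                               # True
    print(verify(b"Q3 report: revenue 1,204,001", sig))      # False: hash mismatch
    # Someone without the private key cannot produce a signature that the
    # public key accepts (12345 is an arbitrary, wrong exponent).
    print(verify(report, sign(report, private_exponent=12345)))
```

The hash-mismatch email in the scenario is exactly the `verify` branch returning False: the receiver recomputed the hash of what arrived and it did not equal the value recovered from the signature, so either the ciphertext was tampered with in transit or the symmetric session key it was protected with was no longer secret.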
question
Which of the following is not one of the 10 internationally recognized best practices for protecting the privacy of customers' personal information?
answer
Providing free credit report monitoring for customers
question
Meaningful Discussions is a social networking site that boasts over a million registered users and a quarterly membership growth rate in the double digits. As a consequence, the size of the information technology department has been growing very rapidly, with many new hires. Each employee is provided with a name badge with a photo and embedded computer chip that is used to gain entry to the facility. This is an example of a(an)
answer
authentication control.
question
A(n) ________ measures company progress by comparing actual performance to planned performance.
answer
diagnostic control system
question
Asymmetric key encryption combined with the information provided by a certificate authority allows unique identification of
answer
either the user or the provider of encrypted data.
question
According to the ERM, high level goals that are aligned with and support the company's mission are
answer
strategic objectives.
question
Concerning system availability, which of the following statements is true?
answer
Threats to system availability include hardware and software failures as well as natural and man-made disasters.
question
Error logs and review are an example of
answer
data entry controls.
question
The Sarbanes-Oxley Act (SOX) applies to
answer
all publicly held companies.
question
Which of the following statements about internal environment is false?
answer
Management's attitudes toward internal control and ethical behavior have only minimal impact on employee beliefs or actions.
question
According to the ERM, these objectives help ensure the accuracy, completeness and reliability of internal and external company reports.
answer
Reporting objectives
question
Concerning virtual private networks (VPN), which of the following is not true?
answer
It is more expensive to reconfigure VPNs to include new sites than it is to add or remove the corresponding physical connections in a privately owned network.
question
________ involves copying only the data items that have changed since the last partial backup.
answer
Incremental backup
question
Batch totals are an example of a(n)
answer
data entry control.
question
The most effective way to protect network resources, like email servers, that are outside of the network and are exposed to the Internet is
answer
a demilitarized zone.
question
The COSO Enterprise Risk Management Integrated Framework identifies four objectives necessary to achieve corporate goals. Objectives specifically identified include all of the following except
answer
implementation of newest technologies.
question
Check digit verification is an example of a(n)
answer
input control.
question
The risk that remains after management implements internal controls is
answer
Residual risk
question
What is not a corrective control procedure?
answer
Deter problems before they arise.
question
Murray Snitzel called a meeting of the top management at Snitzel Capital Management. Number one on the agenda was computer system security. "The risk of security breach incidents has become unacceptable," he said, and turned to the Chief Information Officer. "This is your responsibility! What do you intend to do?" Which of the following is the best answer?
answer
Evaluate and modify the system using the Trust Services framework
question
In developing policies related to personal information about customers, Folding Squid Technologies adhered to the Trust Services framework. The standard applicable to these policies is
answer
privacy
question
The COSO Enterprise Risk Management Framework includes eight components. Which of the following is not one of them?
answer
compliance with federal, state, or local laws
question
Which of the following is an example of a preventive control?
answer
Encryption
question
Compatibility tests utilize a(n) ________, which is a list of authorized users, programs, and data files the users are authorized to access or manipulate.
answer
access control matrix
question
This is used to identify rogue modems (or by hackers to identify targets).
answer
War dialing
question
If the time an attacker takes to break through the organization's preventive controls is greater than the sum of the time required to detect the attack and the time required to respond to the attack, then security is
answer
effective.
question
What is the most effective way to ensure information system availability?
answer
Maintain a hot site
question
The ________ disseminates information about fraud, errors, breaches and other improper system uses and their consequences.
answer
chief security officer
question
When a computer system's files are automatically duplicated on a second data storage system as they are changed, the process is referred to as
answer
real-time mirroring.
question
Which of the following is an example of a corrective control?
answer
Incident response teams
question
When new employees are hired by Folding Squid Technologies, they are assigned user names and appropriate permissions are entered into the information system's access control matrix. This is an example of a(an)
answer
authorization control.
question
This is an authorized attempt by an internal audit team or an external security consultant to attempt to break into the organization's information system.
answer
Penetration test
question
These systems use the same key to encrypt and to decrypt.
answer
Symmetric encryption
question
Which of the following is not one of the important aspects of the Sarbanes-Oxley Act?
answer
New rules for information systems development
question
According to the COSO Enterprise Risk Management Framework, the risk assessment process incorporates all of the following components except
answer
reporting potential risks to auditors.
question
River Rafting Adventures of Iowa provides rafts and tour guides to tourists eager to ride the wild rivers of Iowa. Management has determined that there is one chance in a thousand of a client being injured or killed. Settlement of resulting lawsuits has an average cost of $650,000. Insurance with a $50,000 deductible is available. It covers the costs of lawsuits, unless there is evidence of criminal negligence. What is the impact of this risk without insurance?
answer
$650,000
question
Verifying the identity of the person or device attempting to access the system is
answer
authentication.
question
While this type of backup process takes longer than the alternative, restoration is easier and faster.
answer
Differential backup
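The incremental backup card ("copies only the data items that have changed since the last partial backup") and the differential backup card above ("takes longer but restoration is easier and faster"), simulated together as an added Python example that is not part of the flashcard set. It runs both strategies over a constructed four-day change history, shows what each backup set contains and which sets a restore must apply, and shows the practical reason differential restores are easier: losing one set out of an incremental chain breaks the restore, while a differential restore only ever needs the full backup and the latest set. Files are modelled as name to version number and deletions are ignored.

```python
"""Added example (not from the flashcard set): full, incremental and
differential backups over a constructed four-day change history, showing
what each backup set contains and which sets a restore has to apply.
Files are modelled as name -> version number; deletions are ignored."""

# Constructed history. DAYS[0] is the state captured by the full backup.
DAYS = [
    {"ledger": 1, "payroll": 1, "invoices": 1},   # day 0: full backup
    {"ledger": 2, "payroll": 1, "invoices": 1},   # day 1: ledger changed
    {"ledger": 2, "payroll": 2, "invoices": 1},   # day 2: payroll changed
    {"ledger": 3, "payroll": 2, "invoices": 1},   # day 3: ledger changed again
]


def take_backups(history: list, strategy: str) -> list:
    """Return the backup sets: index 0 is the full backup, each later entry
    holds only the files copied on that day."""
    if strategy not in ("incremental", "differential"):
        raise ValueError(strategy)
    full = dict(history[0])
    backups = [full]
    reference = dict(full)   # what "changed since" is measured against
    for state in history[1:]:
        changed = {f: v for f, v in state.items() if reference.get(f) != v}
        backups.append(changed)
        if strategy == "incremental":
            # Incremental: the next run copies only what changed since THIS
            # partial backup, so each set stays small.
            reference.update(changed)
        # Differential: the reference stays at the last full backup, so each
        # set accumulates every change since then and grows day by day.
    return backups


def restore_chain(backups: list, strategy: str) -> list:
    """Indexes of the sets a restore must apply, in order."""
    if strategy == "incremental":
        return list(range(len(backups)))          # full plus EVERY incremental
    if len(backups) == 1:
        return [0]
    return [0, len(backups) - 1]                  # full plus the LAST differential


def restore(backups: list, strategy: str, missing: int = None) -> dict:
    """Rebuild the latest state; `missing` simulates one unreadable set."""
    state = {}
    for i in restore_chain(backups, strategy):
        if i == missing:
            continue
        state.update(backups[i])
    return state


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        sets = take_backups(DAYS, strategy)
        print(strategy, [len(s) for s in sets], restore_chain(sets, strategy))
        print("  restore ok:", restore(sets, strategy) == DAYS[-1])
        print("  restore ok with set 2 unreadable:",
              restore(sets, strategy, missing=2) == DAYS[-1])
```

The sizes printed ([3, 1, 1, 1] against [3, 1, 2, 2]) are the "takes longer" half of the card; the restore chains ([0, 1, 2, 3] against [0, 3]) are the "restoration is easier and faster" half. The recovery point objective card fixes how far apart these runs may be; it does not by itself decide which strategy to use.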
question
Which of the following is not associated with asymmetric encryption?
answer
Speed
question
The process that maintains a table that lists all established connections between the organization's computers and the Internet, to determine whether an incoming packet is part of an ongoing communication initiated by an internal computer is known as
answer
stateful packet filtering.
question
A copy of a database, master file, or software that will be retained indefinitely as a historical record is known as a(n)
answer
archive.
question
The process that allows a firewall to be more effective by examining the data in the body of an IP packet, instead of just the header, is known as
answer
deep packet inspection.
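The static packet filtering, stateful packet filtering and deep packet inspection cards, run side by side over constructed traffic as an added Python example that is not part of the flashcard set. The internal address range, the published web server, the client and attacker addresses and the payload signatures are all assumptions. The example shows the specific gap each stage closes: a static filter that must admit inbound high-port traffic so replies can reach clients also admits an unsolicited packet to a high port; the stateful filter's connection table tells the two apart; and only deep inspection sees the hostile content in a packet whose header is entirely legitimate.

```python
"""Added example (not from the flashcard set): the three firewall decision
rules from the cards, run over constructed packets. Addresses, ports, the
published web server and the payload signatures are all assumed."""

from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


INTERNAL_PREFIX = "10.0.0."          # assumed internal network
WEB_SERVER = ("10.0.0.5", 443)       # assumed published service


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def static_filter(pkt: Packet) -> bool:
    """Static packet filtering: decides from header fields alone.
    Allows everything outbound, inbound to the published web server, and
    inbound to high ports so that replies to clients' outbound connections
    can get back. That last rule is the weakness: the header alone cannot
    tell a reply from an unsolicited packet aimed at a high port."""
    if is_internal(pkt.src):
        return True
    if (pkt.dst, pkt.dport) == WEB_SERVER:
        return True
    return pkt.dport >= 1024


class StatefulFilter:
    """Stateful packet filtering: keeps a table of connections that internal
    hosts opened and admits inbound packets only if they belong to one."""

    def __init__(self):
        self.connections = set()   # (internal ip, port, remote ip, port)

    def decide(self, pkt: Packet) -> bool:
        if is_internal(pkt.src):
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
            return True                           # reply to an outbound connection
        return (pkt.dst, pkt.dport) == WEB_SERVER   # no high-port hole needed


# Constructed, illustrative signatures for the deep-inspection step.
SIGNATURES = (b"../", b"' OR 1=1")


def deep_packet_inspection(pkt: Packet) -> bool:
    """Deep packet inspection: examines the body, not just the header."""
    return not any(sig in pkt.payload for sig in SIGNATURES)


# Constructed traffic.
OUTBOUND = Packet("10.0.0.20", 51000, "203.0.113.9", 443)
REPLY = Packet("203.0.113.9", 443, "10.0.0.20", 51000)
UNSOLICITED = Packet("198.51.100.7", 6667, "10.0.0.20", 4444)
WEB_ATTACK = Packet("198.51.100.7", 40000, "10.0.0.5", 443,
                    b"GET /../../etc/passwd HTTP/1.1")


def run_scenarios() -> dict:
    """Name -> (static verdict, stateful verdict, deep inspection verdict)."""
    fw = StatefulFilter()
    results = {}
    for name, pkt in [("outbound", OUTBOUND), ("reply", REPLY),
                      ("unsolicited", UNSOLICITED), ("web_attack", WEB_ATTACK)]:
        stateful = fw.decide(pkt)            # called first so the table fills
        results[name] = (static_filter(pkt), stateful, deep_packet_inspection(pkt))
    return results


if __name__ == "__main__":
    for name, verdicts in run_scenarios().items():
        print(f"{name:12s} static={verdicts[0]} stateful={verdicts[1]} dpi={verdicts[2]}")
```

Order matters in practice as it does here: the reply is admitted by the stateful filter only because the outbound packet was seen first and recorded, which is also why a stateful firewall that loses its table (failover, restart) drops established sessions.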
question
According to the ERM, these deal with the effectiveness and efficiency of company operations, such as performance and profitability goals.
answer
Operations objectives
question
Jeff Davis took a call from a client. "Jeff, I need to interact online and real time with our affiliate in India, and I want to make sure that our communications aren't intercepted. What do you suggest?" Jeff responded "The best solution will be to implement
answer
a virtual private network."