1.

The ethical principle of justice asserts that the benefits of the decision should be distributed fairly to
those who share the risks.
2.The ethical principle of informed consent suggests that the decision should be implemented so as to
minimize all of the risks and to avoid any unnecessary risks.
3.Employees should be made aware of the firms commitment to ethics.
4.Business ethics is the analysis of the nature and social impact of computer technology, and the
corresponding formulation and justification of policies for the ethical use of such technology.
5.Para computer ethics is the exposure to stories and reports found in the popular media regarding the
good or bad ramifications of computer technology.
***
1. A factor that contributes to computer crime is the reluctance of many organizations to prosecute
criminals for fear of negative publicity.
2. Cookies are files created by user computers and stored on Web servers.
3. Because of network protocols, users of networks built by different manufacturers are able to
communicate and share data.
4. The client-server model can only be applied to ring and star topologies.
5. Only two types of motivation drive DoS attacks: 1) to punish an organization with which the
perpetrator had a grievance; and 2) to gain bragging rights for being able to do it.
***
1. In a computerized environment, the audit trail log must be printed onto paper documents.
2. Disguising message packets to look as if they came from another user and to gain access to the hosts
network is called spooling.
3. A formal log-on procedure is the operating systems last line of defense against unauthorized access.
4. Computer viruses usually spread throughout the system before being detected.
5. A worm is software program that replicates itself in areas of idle memory until the system fails.
***
11. While the Sarbanes-Oxley Act prohibits auditors from providing non-accounting services to their
audit clients, they are not prohibited from performing such services for non-audit clients or privately
held companies.
12. The Sarbanes-Oxley Act requires the audit committee to hire and oversee the external auditors.
13. Section 404 requires that corporate management (including the CEO) certify their organizations
internal controls on a quarterly and annual basis.
14. Section 302 requires the management of public companies to assess and formally report on the
effectiveness of their organizations internal controls.
15. Application controls apply to a wide range of exposures that threaten the integrity of all programs
processed within the computer environment.
16. IT auditing is a small part of most external and internal audits.
17. Advisory services is an emerging field that goes beyond the auditors traditional attestation
function.
18. An IT auditor expresses an opinion on the fairness of the financial statements.
19. External auditing is an independent appraisal function established within an organization to examine
and evaluate its activities as a service to the organization.
20. External auditors can cooperate with and use evidence gathered by internal audit departments
that are organizationally independent and that report to the Audit Committee of the Board of
Directors.

***
1. Corporate management (including the CEO) must certify monthly and annually their organizations
internal controls over financial reporting.
2. Both the SEC and the PCAOB require management to use the COBIT framework for assessing internal
control adequacy.
3. Both the SEC and the PCAOB require management to use the COSO framework for assessing internal
control adequacy.
4. A qualified opinion on managements assessment of internal controls over the financial reporting
system necessitates a qualified opinion on the financial statements?
5. The same internal control objectives apply to manual and computer-based information systems.
6. The external auditor is responsible for establishing and maintaining the internal control system.
7. Segregation of duties is an example of an internal control procedure.
8. Preventive controls are passive techniques designed to reduce fraud.
9. The Sarbanes-Oxley Act requires only that a firm keep good records.
10. A key modifying assumption in internal control is that the internal control system is the
responsibility of management.
***
31. When planning the audit, information is gathered by all of the following methods except
a. completing questionnaires
b. interviewing management
c. observing activities
d. confirming accounts receivable
32. Substantive tests include
a. examining the safety deposit box for stock certificates
b. reviewing systems documentation
c. completing questionnaires
d. observation
33. Tests of controls include
a. confirming accounts receivable
b. counting inventory
c. completing questionnaires
d. counting cash
34. All of the following are components of audit risk except
a. control risk
b. legal risk
c. detection risk
d. inherent risk

35. Control risk is

a. the probability that the auditor will render an unqualified opinion on financial statements that are
materially misstated
b. associated with the unique characteristics of the business or industry of the client
c. the likelihood that the control structure is flawed because controls are either absent or inadequate
to prevent or detect errors in the accounts
d. the risk that auditors are willing to take that errors not detected or prevented by the control structure
will also not be detected by the auditor
36. Which of the following is true?
a. In the CBIS environment, auditors gather evidence relating only to the contents of databases, not the
reliability of the computer system.
b. Conducting an audit is a systematic and logical process that applies to all forms of information
systems.
c. Substantive tests establish whether internal controls are functioning properly.
d. IT auditors prepare the audit report if the system is computerized.
37. Inherent risk
a. exists because all control structures are flawed in some ways.
b. is the likelihood that material misstatements exist in the financial statements of the firm.
c. is associated with the unique characteristics of the business or industry of the client.
d. is the likelihood that the auditor will not find material misstatements.
38. Attestation services require all of the following except
a. written assertions and a practitioners written report
b. the engagement is designed to conduct risk assessment of the clients systems to verify their degree
of SOX compliance
c. the formal establishment of measurements criteria
d. the engagement is limited to examination, review, and application of agreed-upon procedures
39. The financial statements of an organization reflect a set of management assertions about the
financial health of the business. All of the following describe types of assertions except
a. that all of the assets and equities on the balance sheet exist
b. that all employees are properly trained to carry out their assigned duties
c. that all transactions on the income statement actually occurred
d. that all allocated amounts such as depreciation are calculated on a systematic and rational basis
40. Which of the following is NOT an implication of section 302 of the Sarbanes-Oxley Act?
a. Auditors must determine, whether changes in internal control has, or is likely to, materially affect
internal control over financial reporting.
b. Auditors must interview management regarding significant changes in the design or operation of
internal control that occurred since the last audit.
c. Corporate management (including the CEO) must certify monthly and annually their organizations
internal controls over financial reporting.
d. Management must disclose any material changes in the companys internal controls that have
occurred during the most recent fiscal quarter.
***

21. Tests of controls determine whether the database contents fairly reflect the organization's
transactions.
22. Audit risk is the probability that the auditor will render an unqualified opinion on financial
statements that are materially misstated.
23. A strong internal control system will reduce the amount of substantive testing that must be
performed.
24. Substantive testing techniques provide information about the accuracy and completeness of an
application's processes.
***
1. The concept of reasonable assurance suggests that
a. the cost of an internal control should be less than the benefit it provides
b. a well-designed system of internal controls will detect all fraudulent activity
c. the objectives achieved by an internal control system vary depending on the data processing method
d. the effectiveness of internal controls is a function of the industry environment
2. Which of the following is not a limitation of the internal control system?
a. errors are made due to employee fatigue
b. fraud occurs because of collusion between two employees
c. the industry is inherently risky
d. management instructs the bookkeeper to make fraudulent journal entries
3. The most cost-effective type of internal control is
a. preventive control
b. accounting control
c. detective control
d. corrective control
4. Which of the following is a preventive control?
a. credit check before approving a sale on account
b. bank reconciliation
c. physical inventory count
d. comparing the accounts receivable subsidiary ledger to the control account
5. A well-designed purchase order is an example of a
a. preventive control
b. detective control
c. corrective control
d. none of the above
6. A physical inventory count is an example of a
a. preventive control
b. detective control
c. corrective control
d. Feed-forward control

7. The bank reconciliation uncovered a transposition error in the books. This is an example of a
a. preventive control
b. detective control
c. corrective control
d. none of the above
8. Which of the following is not an element of the internal control environment?
a. management philosophy and operating style
b. organizational structure of the firm
c. well-designed documents and records
d. the functioning of the board of directors and the audit committee
9. Which of the following suggests a weakness in the internal control environment?
a. the firm has an up-to-date organizational chart
b. monthly reports comparing actual performance to budget are distributed to managers
c. performance evaluations are prepared every three years
d. the audit committee meets quarterly with the external auditors
10. Which of the following indicates a strong internal control environment?
a. the internal audit group reports to the audit committee of the board of directors
b. there is no segregation of duties between organization functions
c. there are questions about the integrity of management
d. adverse business conditions exist in the industry
***
21. Internal control system have limitations. These include all of the following except
a. possibility of honest error
b. circumvention
c. management override
d. stability of systems
22. Management can expect various benefits to follow from implementing a system of strong internal
control. Which of the following benefits is least likely to occur?
a. reduced cost of an external audit.
b. prevents employee collusion to commit fraud.
c. availability of reliable data for decision-making purposes.
d. some assurance of compliance with the Foreign Corrupt Practices Act of 1977.
e. some assurance that important documents and records are protected.
23. Which of the following situations is not a segregation of duties violation?
a. The treasurer has the authority to sign checks but gives the signature block to the assistant treasurer
to run the check-signing machine.
b. The warehouse clerk, who has the custodial responsibility over inventory in the warehouse, selects
the vendor and authorizes purchases when inventories are low.
c. The sales manager has the responsibility to approve credit and the authority to write off accounts.
d. The department time clerk is given the undistributed payroll checks to mail to absent employees.
e. The accounting clerk who shares the record keeping responsibility for the accounts receivable
subsidiary ledger performs the monthly reconciliation of the subsidiary ledger and the control account.

24. Which concept is not an integral part of an audit?

a. evaluating internal controls
b. preparing financial statements
c. expressing an opinion
d. analyzing financial data
25. Which statement is not true?
a. Auditors must maintain independence.
b. IT auditors attest to the integrity of the computer system.
c. IT auditing is independent of the general financial audit.
d. IT auditing can be performed by both external and internal auditors.
26. Typically, internal auditors perform all of the following tasks except
a. IT audits
b. evaluation of operational efficiency
c. review of compliance with legal obligations
d. internal auditors perform all of the above tasks
27. The fundamental difference between internal and external auditing is that
a. internal auditors represent the interests of the organization and external auditors represent
outsiders
b. internal auditors perform IT audits and external auditors perform financial statement audits
c. internal auditors focus on financial statement audits and external auditors focus on operational audits
and financial statement audits
d. external auditors assist internal auditors but internal auditors cannot assist external auditors
28. Internal auditors assist external auditors with financial audits to
a. reduce audit fees
b. ensure independence
c. represent the interests of management
d. the statement is not true; internal auditors are not permitted to assist external auditors with financial
audits
29. Which statement is not correct?
a. Auditors gather evidence using tests of controls and substantive tests.
b. The most important element in determining the level of materiality is the mathematical formula.
c. Auditors express an opinion in their audit report.
d. Auditors compare evidence to established criteria.
30. All of the following are steps in an IT audit except
a. substantive testing
b. tests of controls
c. post-audit testing
d. audit planning
***

11. According to COSO, an effective accounting system performs all of the following except
a. identifies and records all valid financial transactions
b. records financial transactions in the appropriate accounting period
c. separates the duties of data entry and report generation
d. records all financial transactions promptly
12. Which of the following is the best reason to separate duties in a manual system?
a. to avoid collusion between the programmer and the computer operator
b. to ensure that supervision is not required
c. to prevent the record keeper from authorizing transactions
d. to enable the firm to function more efficiently
13. Which of the following is not an internal control procedure?
a. authorization
b. managements operating style
c. independent verification
d. accounting records
14. The decision to extend credit beyond the normal credit limit is an example of
a. independent verification
b. authorization
c. segregation of functions
d. supervision
15. When duties cannot be segregated, the most important internal control procedure is
a. supervision
b. independent verification
c. access controls
d. accounting records
16. An accounting system that maintains an adequate audit trail is implementing which internal control
procedure?
a. access controls
b. segregation of functions
c. independent verification
d. accounting records
17. The importance to the accounting profession of the Sarbanes-Oxely Act is that
a. bribery will be eliminated
b. management will not override the companys internal controls
c. management are required to certify their internal control system
d. firms will not be exposed to lawsuits
18. The board of directors consists entirely of personal friends of the chief executive officer. This
indicates a weakness in
a. the accounting system
b. the control environment
c. control procedures
d. this is not a weakness

19. The office manager forgot to record in the accounting records the daily bank deposit. Which control
procedure would most likely prevent or detect this error?
a. segregation of duties
b. independent verification
c. accounting records
d. supervision
20. Control activities under SAS 109/COSO include
a. IT Controls, preventative controls, and Corrective controls
b. physical controls, preventative controls, and corrective controls.
c. general controls, application controls, and physical controls.
d. transaction authorizations, segregation of duties, and risk assessment
***
21. A generally accepted advantage of IT outsourcing is improved security.
22. An advantage of distributed data processing is that individual end user groups set specific IT
standards without concern for the broader corporate needs.
23. A mutual aid is the lowest cost disaster recovery option, but has shown to be effective and low
risk.
24. Critical applications should be identified and prioritized by the user departments, accountants,
and auditors.
25. A widespread natural disaster is a risk associated with a ROC.
***
1. All of the following are issues of computer security except
a. releasing incorrect data to authorized individuals
b. permitting computer operators unlimited access to the computer room
c. permitting access to data by unauthorized individuals
d. providing correct data to unauthorized individuals
2. Segregation of duties in the computer-based information system includes
a. separating the programmer from the computer operator
b. preventing management override
c. separating the inventory process from the billing process
d. performing independent verifications by the computer operator
3. In a computer-based information system, which of the following duties needs to be separated?
a. program coding from program operations
b. program operations from program maintenance
c. program maintenance from program coding
d. all of the above duties should be separated

4. Supervision in a computerized environment is more complex than in a manual environment for all of
the following reasons except
a. rapid turnover of systems professionals complicates management's task of assessing the competence
and honesty of prospective employees
b. many systems professionals have direct and unrestricted access to the organization's programs and
data
c. rapid changes in technology make staffing the systems environment challenging
d. systems professionals and their supervisors work at the same physical location
5. Adequate backups will protect against all of the following except
a. natural disasters such as fires
b. unauthorized access
c. data corruption caused by program errors
d. system crashes
6. Which is the most critical segregation of duties in the centralized computer services function?
a. systems development from data processing
b. data operations from data librarian
c. data preparation from data control
d. data control from data librarian
7. Systems development is separated from data processing activities because failure to do so
a. weakens database access security
b. allows programmers access to make unauthorized changes to applications during execution
c. results in inadequate documentation
d. results in master files being inadvertently erased
8. Which organizational structure is most likely to result in good documentation procedures?
a. separate systems development from systems maintenance
b. separate systems analysis from application programming
c. separate systems development from data processing
d. separate database administrator from data processing
9. All of the following are control risks associated with the distributed data processing structure except
a. lack of separation of duties
b. system incompatibilities
c. system interdependency
d. lack of documentation standards
10. Which of the following is not an essential feature of a disaster recovery plan?
a. off-site storage of backups
b. computer services function
c. second site backup
d. critical applications identified
***

11. A cold site backup approach is also known as

a. internally provided backup
b. recovery operations center
c. empty shell
d. mutual aid pact
12. The major disadvantage of an empty shell solution as a second site backup is
a. the host site may be unwilling to disrupt its processing needs to process the critical applications of the
disaster stricken company
b. intense competition for shell resources during a widespread disaster
c. maintenance of excess hardware capacity
d. the control of the shell site is an administrative drain on the company
13. An advantage of a recovery operations center is that
a. this is an inexpensive solution
b. the initial recovery period is very quick
c. the company has sole control over the administration of the center
d. none of the above are advantages of the recovery operations center
14. For most companies, which of the following is the least critical application for disaster recovery
purposes?
a. month-end adjustments
b. accounts receivable
c. accounts payable
d. order entry/billing
15. The least important item to store off-site in case of an emergency is
a. backups of systems software
b. backups of application software
c. documentation and blank forms
d. results of the latest test of the disaster recovery program
16. Some companies separate systems analysis from programming/program maintenance. All of the
following are control weaknesses that may occur with this organizational structure except
a. systems documentation is inadequate because of pressures to begin coding a new program before
documenting the current program
b. illegal lines of code are hidden among legitimate code and a fraud is covered up for a long period of
time
c. a new systems analyst has difficulty in understanding the logic of the program
d. inadequate systems documentation is prepared because this provides a sense of job security to the
programmer
17. All of the following are recommended features of a fire protection system for a computer center
except
a. clearly marked exits
b. an elaborate water sprinkler system
c. manual fire extinguishers in strategic locations
d. automatic and manual alarms in strategic locations

18. All of the following tests of controls will provide evidence about the physical security of the
computer center except
a. review of fire marshal records
b. review of the test of the backup power supply
c. verification of the second site backup location
d. observation of procedures surrounding visitor access to the computer center
19. All of the following tests of controls will provide evidence about the adequacy of the disaster
recovery plan except
a. inspection of the second site backup
b. analysis of the fire detection system at the primary site
c. review of the critical applications list
d. composition of the disaster recovery team
20. The following are examples of commodity assets except
a. network management
b. systems operations
c. systems development
d. server maintenance
***
1. To fulfill the segregation of duties control objective, computer processing functions (like authorization
of credit and billing) are separated.
2. To ensure sound internal control, program coding and program processing should be separated.
3. Some systems professionals have unrestricted access to the organization's programs and data.
4. 44IT governance focuses on the management and assessment of strategic IT resources
5. Distributed data processing places the control IT recourses under end users.
6. An advantage of distributed data processing is that redundant tasks are greatly eliminated
7. Certain duties that are deemed incompatible in a manual system may be combined in a computerbased information system environment.
8. To improve control and efficiency, the CBIS tasks of new systems development and program
maintenance should be performed by the same individual or group.
9. In a CBIS environment, data consolidation protects corporate data from computer fraud and losses
from disaster.
10. The database administrator should be separated from systems development.
***
11. A disaster recovery plan is a comprehensive statement of all actions to be taken after a disaster.
12. RAID is the use of parallel disks that contain redundant elements of data and applications.
13. Transaction cost economics (TCE) theory suggests that firms should outsource specific noncore IT
assets
14. Commodity IT assets easily acquired in the marketplace and should be outsourced under the core
competency theory.
15. A database administrator is responsible for the receipt, storage, retrieval, and custody of data
files.
16. A ROC usually involves two or more user organizations that buy or lease a building and remodel it
into a computer site, but without the computer and peripheral equipment.

17. Fault tolerance is the ability of the system to continue operation when part of the system fails due
to hardware failure, application program error, or operator error.
18. An often-cited benefit of IT outsourcing is improved core business performance.
19. Commodity IT assets include such things are network management.
20. Specific IT assets support an organizations strategic objectives.
***
21. The following are examples of specific assets except
a. application maintenance
b. data warehousing
c. highly skilled employees
d. server maintenance
22. Which of the following is true?
a. Core competency theory argues that an organization should outsource specific core assets.
b. Core competency theory argues that an organization should focus exclusively on its core business
competencies
c. Core competency theory argues that an organization should not outsource specific commodity assets.
d. Core competency theory argues that an organization should retain certain specific noncore assets inhouse.
23. Which of the following is not true?
a. Large-scale IT outsourcing involves transferring specific assets to a vendor
b. Specific assets, while valuable to the client, are of little value to the vendor
c. Once an organization outsources its specific assets, it may not be able to return to its pre-outsource
state.
d. Specific assets are of value to vendors because, once acquired, vendors can achieve economies of
scale by employing them with other clients
24. Which of the following is not true?
a. When management outsources their organizations IT functions, they also outsource responsibility
for internal control.
b. Once a client firm has outsourced specific IT assets, its performance becomes linked to the vendors
performance.
c. IT outsourcing may affect incongruence between a firms IT strategic planning and its business
planning functions.
d. The financial justification for IT outsourcing depends upon the vendor achieving economies of scale.
25. Which of the following is not true?
a. Management may outsource their organizations IT functions, but they cannot outsource their
management responsibilities for internal control.
b. section 404 requires the explicit testing of outsourced controls.
c. The SAS 70 report, which is prepared by the outsourcers auditor, attests to the adequacy of the
vendors internal controls.
d. Auditors issue two types of SAS 70 reports: SAS 70 Type I report and SAS 70 Type II report.

26. Segregation of duties in the computer-based information system includes

a. separating the programmer from the computer operator
b. preventing management override
c. separating the inventory process from the billing process
d. performing independent verifications by the computer operator
27. A disadvantage of distributed data processing is
a. the increased time between job request and job completion.
b. the potential for hardware and software incompatibility among users.
c. the disruption caused when the mainframe goes down.
d. that users are not likely to be involved.
28. Which of the following is NOT a control implication of distributed data processing?
a. redundancy
b. user satisfaction
c. incompatibility
d. lack of standards
29. Which of the following disaster recovery techniques may be least optimal in the case of a disaster?
a. empty shell
b. mutual aid pact
c. internally provided backup
d. they are all equally beneficial
30. Which of the following is a feature of fault tolerance control?
a. interruptible power supplies
b. RAID
c. DDP
d. MDP
31. Which of the following disaster recovery techniques is has the least risk associated with it?
a. empty shell
b. ROC
c. internally provided backup
d. they are all equally risky
32. Which of the following is NOT a potential threat to computer hardware and peripherals?
a. low humidity
b. high humidity
c. carbon dioxide fire extinguishers
d. water sprinkler fire extinguishers
33. Which of the following would strengthen organizational control over a large-scale data processing
center?
a. Requiring the user departments to specify the general control standards necessary for processing
transactions.
b. Requiring that requests and instructions for data processing services be submitted directly to the
computer operator in the data center.

c. Having the database administrator report to the manager of computer operations.

d. Assigning maintenance responsibility to the original system designer who best knows its logic.
34. Which of the following is true?
a. Core competency theory argues that an organization should outsource specific core assets.
b. Core competency theory argues that an organization should focus exclusively on its core business
competencies
c. Core competency theory argues that an organization should not outsource specific commodity assets.
d. Core competency theory argues that an organization should retain certain specific non-core assets inhouse.
***
11. In a telecommunications environment, line errors can be detected by using an echo check.
12. Firewalls are special materials used to insulate computer facilities
13. The message authentication code is calculated by the sender and the receiver of a data
transmission.
14. The request-response technique should detect if a data communication transmission has been
diverted.
15. Electronic data interchange translation software interfaces with the sending firm and the value
added network.
16. A value added network can detect and reject transactions by unauthorized trading partners.
17. Electronic data interchange customers may be given access to the vendor's data files.
18. The audit trail for electronic data interchange transactions is stored on magnetic media.
19. A firewall is a hardware partition designed to protect networks from power surges.
20. To preserve audit trails in a computerized environment, transaction logs are permanent records of
transactions.
***
1. In a computerized environment, the audit trail log must be printed onto paper documents.
2. Disguising message packets to look as if they came from another user and to gain access to the hosts
network is called spooling.
3. A formal log-on procedure is the operating systems last line of defense against unauthorized access.
4. Computer viruses usually spread throughout the system before being detected.
5. A worm is software program that replicates itself in areas of idle memory until the system fails.
6. Viruses rarely attach themselves to executable files.
7. Operating system controls are of interest to system professionals but should not concern accountants
and auditors.
8. The most frequent victims of program viruses are microcomputers.
9. Operating system integrity is not of concern to accountants because only hardware risks are involved.
10. Audit trails in computerized systems are comprised of two types of audit logs: detailed logs of
individual keystrokes and event-oriented logs.
***
1. The operating system performs all of the following tasks except
a. translates third-generation languages into machine language
b. assigns memory to applications
c. authorizes user access
d. schedules job processing

2. Which of the following is considered an unintentional threat to the integrity of the operating system?
a. a hacker gaining access to the system because of a security flaw
b. a hardware flaw that causes the system to crash
c. a virus that formats the hard drive
d. the systems programmer accessing individual user files
3. A software program that replicates itself in areas of idle memory until the system fails is called a
a. Trojan horse
b. worm
c. logic bomb
d. none of the above
4. A software program that allows access to a system without going through the normal logon
procedures is called a
a. logic bomb
b. Trojan horse
c. worm
d. back door
5. All of the following will reduce the exposure to computer viruses except
a. install antivirus software
b. install factory-sealed application software
c. assign and control user passwords
d. install public-domain software from reputable bulletin boards
6. Hackers can disguise their message packets to look as if they came from an authorized user and gain
access to the hosts network using a technique called
a. spoofing.
b. spooling.
c. dual-homed.
d. screening.
7. Which is not a biometric device?
a. password
b. retina prints
c. voice prints
d. signature characteristics
8. All of the following are objectives of operating system control except
a. protecting the OS from users
b. protesting users from each other
c. protecting users from themselves
d. protecting the environment from users
9. Passwords are secret codes that users enter to gain access to systems. Security can be compromised
by all of the following except
a. failure to change passwords on a regular basis
b. using obscure passwords unknown to others

c. recording passwords in obvious places

d. selecting passwords that can be easily detected by computer criminals
10. Audit trails cannot be used to
a. detect unauthorized access to systems
b. facilitate reconstruction of events
c. reduce the need for other forms of security
d. promote personal accountability
***
11. Which control will not reduce the likelihood of data loss due to a line error?
a. echo check
b. encryption
c. vertical parity bit
d. horizontal parity bit
12. Which method will render useless data captured by unauthorized receivers?
a. echo check
b. parity bit
c. public key encryption
d. message sequencing
13. Which method is most likely to detect unauthorized access to the system?
a. message transaction log
b. data encryption standard
c. vertical parity check
d. request-response technique
14. All of the following techniques are used to validate electronic data interchange transactions except
a. value added networks can compare passwords to a valid customer file before message transmission
b. prior to converting the message, the translation software of the receiving company can compare the
password against a validation file in the firm's database
c. the recipient's application software can validate the password prior to processing
d. the recipient's application software can validate the password after the transaction has been
processed
15. In an electronic data interchange environment, customers routinely access
a. the vendor's price list file
b. the vendor's accounts payable file
c. the vendor's open purchase order file
d. none of the above
16. All of the following tests of controls will provide evidence that adequate computer virus control
techniques are in place and functioning except
a. verifying that only authorized software is used on company computers
b. reviewing system maintenance records
c. confirming that antivirus software is in use
d. examining the password policy including a review of the authority table

17. Audit objectives for communications controls include all of the following except
a. detection and correction of message loss due to equipment failure
b. prevention and detection of illegal access to communication channels
c. procedures that render intercepted messages useless
d. all of the above
18. When auditors examine and test the call-back feature, they are testing which audit objective?
a. incompatible functions have been segregated
b. application programs are protected from unauthorized access
c. physical security measures are adequate to protect the organization from natural disaster
d. illegal access to the system is prevented and detected
19. In an electronic data interchange (EDI) environment, when the auditor compares the terms of the
trading partner agreement against the access privileges stated in the database authority table, the
auditor is testing which audit objective?
a. all EDI transactions are authorized
b. unauthorized trading partners cannot gain access to database records
c. authorized trading partners have access only to approved data
d. a complete audit trail is maintained
20. Audit objectives in the electronic data interchange (EDI) environment include all of the following
except
a. all EDI transactions are authorized
b. unauthorized trading partners cannot gain access to database records
c. a complete audit trail of EDI transactions is maintained
d. backup procedures are in place and functioning properly
***
21. Examining programmer authority tables for information about who has access to Data Definition
Language commands will provide evidence about who is responsible for creating subschemas.
22. The standard format for an e-mail address is DOMAIN NAME@USER NAME.
23. The network paradox is that networks exist to provide user access to shared resources while one
of its most important objectives is to control access.
24. IP spoofing is a form of masquerading to gain unauthorized access to a Web server.
25. The rules that make it possible for users of networks to communicate are called protocols.
26. A factor that contributes to computer crime is the reluctance of many organizations to prosecute
criminals for fear of negative publicity.
27. Cookies are files created by user computers and stored on Web servers.
28. Because of network protocols, users of networks built by different manufacturers are able to
communicate and share data.
29. The client-server model can only be applied to ring and star topologies.
30. Only two types of motivation drive DoS attacks: 1) to punish an organization with which the
perpetrator had a grievance; and 2) to gain bragging rights for being able to do it.
***

21. In determining whether a system is adequately protected from attacks by computer viruses, all of
the following policies are relevant except
a. the policy on the purchase of software only from reputable vendors
b. the policy that all software upgrades are checked for viruses before they are implemented
c. the policy that current versions of antivirus software should be available to all users
d. the policy that permits users to take files home to work on them
22. Which of the following is not a test of access controls?
a. biometric controls
b. encryption controls
c. backup controls
d. inference controls
23. In an electronic data interchange environment, customers routinely
a. access the vendor's accounts receivable file with read/write authority
b. access the vendor's price list file with read/write authority
c. access the vendor's inventory file with read-only authority
d. access the vendor's open purchase order file with read-only authority
24. In an electronic data interchange environment, the audit trail
a. is a printout of all incoming and outgoing transactions
b. is an electronic log of all transactions received, translated, and processed by the system
c. is a computer resource authority table
d. consists of pointers and indexes within the database
25. All of the following are designed to control exposures from subversive threats except
a. firewalls
b. one-time passwords
c. field interrogation
d. data encryption
26. Many techniques exist to reduce the likelihood and effects of data communication hardware failure.
One of these is
a. hardware access procedures
b. antivirus software
c. parity checks
d. data encryption
27. Which of the following deal with transaction legitimacy?
a. transaction authorization and validation
b. access controls
c. EDI audit trail
d. all of the above
28. Firewalls are
a. special materials used to insulate computer facilities
b. a system that enforces access control between two networks
c. special software used to screen Internet access
d. none of the above

29. An integrated group of programs that supports the applications and facilitates their access to
specified resources is called a (an)
a. operating system.
b. database management system.
c. utility system
d. facility system.
e. object system.
30. Transmitting numerous SYN packets to a targeted receiver, but NOT responding to an ACK, is
a. a smurf attack.
b. IP Spoofing.
c. an ACK echo attack
d. a ping attack.
e. none of the above
***
31. Which of the following is true?
a. Deep Packet Inspection uses a variety of analytical and statistical techniques to evaluate the
contents of message packets.
b. An Intrusion prevention system works in parallel with a firewall at the perimeter of the network to act
as a filer that removes malicious packets from the flow before they can affect servers and networks.
c. A distributed denial of service attack is so named because it is capable of attacking many victims
simultaneously who are distributed across the internet.
d. None of the above are true statements.
32. Advance encryption standard (AES) is
a. a 64 -bit private key encryption technique
b. a 128-bit private key encryption technique
c. a 128-bit public key encryption technique
d. a 256-bit public encryption technique that has become a U.S. government standard
33. What do you call a system of computers that connects the internal users of an organization that is
distributed over a wide geographic area?
a. LAN
b. decentralized network
c. multidrop network
d. Intranet