
SECOND ASSIGNMENT DURING THE QUARANTINE

MULTIPLE CHOICE QUESTIONS. Identify the letter of the choice that best completes the statement or answers the
question.

1. All of the following are objectives of operating system control except


A. Protecting the OS from users.
B. Protecting users from each other.
C. Protecting users from themselves.
D. Protecting the environment from users.
2. Passwords are secret codes that users enter to gain access to systems. Security can be compromised by all of the
following except
A. Failure to change passwords on a regular basis.
B. Using obscure passwords unknown to others.
C. Recording passwords in obvious places.
D. Selecting passwords that can be easily detected by computer criminals.
3. Audit trails cannot be used to
A. Detect unauthorized access to systems.
B. Facilitate reconstruction of events.
C. Reduce the need for other forms of security.
D. Promote personal accountability.
4. Which control will not reduce the likelihood of data loss due to a line error?
A. Echo check.
B. Encryption.
C. Vertical parity bit.
D. Horizontal parity bit.
5. Which method will render useless data captured by unauthorized receivers?
A. Echo check.
B. Parity bit.
C. Public key encryption.
D. Message sequencing.
6. Which method is most likely to detect unauthorized access to the system?
A. Message transaction log.
B. Data encryption standard.
C. Vertical parity check.
D. Request-response technique.
7. All of the following techniques are used to validate electronic data interchange transactions except
A. Value added networks can compare passwords to a valid customer file before message transmission.
B. Prior to converting the message, the translation software of the receiving company can compare the
password against a validation file in the firm's database.
C. The recipient's application software can validate the password prior to processing.
D. The recipient's application software can validate the password after the transaction has been processed.
8. In an electronic data interchange environment, customers routinely access
A. The vendor's price list file.
B. The vendor's accounts payable file.
C. The vendor's open purchase order file.
D. None of the above.
9. All of the following tests of controls will provide evidence that adequate computer virus control techniques are in
place and functioning except
A. Verifying that only authorized software is used on company computers.
B. Reviewing system maintenance records.
C. Confirming that antivirus software is in use.
D. Examining the password policy including a review of the authority table.
10. Audit objectives for the database management include all of the following except
A. Verifying that the security group monitors and reports on fault tolerance violations.
B. Confirming that backup procedures are adequate.
C. Ensuring that authorized users access only those files they need to perform their duties.
D. Verifying that unauthorized users cannot access data files.
11. All of the following tests of controls will provide evidence that access to the data files is limited except
A. Inspecting biometric controls.
B. Reconciling program version numbers.
C. Comparing job descriptions with access privileges stored in the authority table.
D. Attempting to retrieve unauthorized data via inference queries.
12. Audit objectives for communications controls include all of the following except
A. Detection and correction of message loss due to equipment failure.
B. Prevention and detection of illegal access to communication channels.
C. Procedures that render intercepted messages useless.
D. All of the above.
13. When auditors examine and test the call-back feature, they are testing which audit objective?
A. Incompatible functions have been segregated.
B. Application programs are protected from unauthorized access.
C. Physical security measures are adequate to protect the organization from natural disaster.
D. Illegal access to the system is prevented and detected.
14. In an Electronic Data Interchange (EDI) environment, when the auditor compares the terms of the trading partner
agreement against the access privileges stated in the database authority table, the auditor is testing which audit
objective?
A. All EDI transactions are authorized.
B. Unauthorized trading partners cannot gain access to database records.
C. Authorized trading partners have access only to approved data.
D. A complete audit trail is maintained.
15. Audit objectives in the Electronic Data Interchange (EDI) environment include all of the following except
A. All EDI transactions are authorized.
B. Unauthorized trading partners cannot gain access to database records.
C. A complete audit trail of EDI transactions is maintained.
D. Backup procedures are in place and functioning properly.
16. In determining whether a system is adequately protected from attacks by computer viruses, all of the following
policies are relevant except
A. The policy on the purchase of software only from reputable vendors.
B. The policy that all software upgrades are checked for viruses before they are implemented.
C. The policy that current versions of antivirus software should be available to all users.
D. The policy that permits users to take files home to work on them.
17. Which of the following is not a test of access controls?
A. Biometric controls.
B. Encryption controls.
C. Backup controls.
D. Inference controls.
18. In an electronic data interchange environment, customers routinely
A. Access the vendor's accounts receivable file with read/write authority.
B. Access the vendor's price list file with read/write authority.
C. Access the vendor's inventory file with read-only authority.
D. Access the vendor's open purchase order file with read-only authority.
19. In an electronic data interchange environment, the audit trail
A. Is a printout of all incoming and outgoing transactions.
B. Is an electronic log of all transactions received, translated, and processed by the system.
C. Is a computer resource authority table.
D. Consists of pointers and indexes within the database.
20. All of the following are designed to control exposures from subversive threats except
A. Firewalls.
B. One-time passwords.
C. Field interrogation.
D. Data encryption.
21. Many techniques exist to reduce the likelihood and effects of data communication hardware failure. One of these is
A. Hardware access procedures.
B. Antivirus software.
C. Parity checks.
D. Data encryption.
22. Which of the following deal with transaction legitimacy?
A. Transaction authorization and validation.
B. Access controls.
C. EDI audit trail.
D. All of the above.
23. Firewalls are
A. Special materials used to insulate computer facilities.
B. A system that enforces access control between two networks.
C. Special software used to screen Internet access.
D. None of the above.
24. The database attributes that individual users have permission to access are defined in
A. Operating system.
B. User manual.
C. Database schema.
D. User view.
E. Application listing.
25. An integrated group of programs that supports the applications and facilitates their access to specified resources is
called a (an)
A. Operating system.
B. Database management system.
C. Utility system.
D. Facility system.
E. Object system.
26. Transmitting numerous SYN packets to a targeted receiver, but NOT responding to an ACK, is
A. A smurf attack.
B. IP Spoofing.
C. An ACK echo attack.
D. A ping attack.
E. None of the above.
27. Which of the following is true?
A. Deep Packet Inspection uses a variety of analytical and statistical techniques to evaluate the contents of
message packets.
B. An Intrusion prevention system works in parallel with a firewall at the perimeter of the network to act as a
filter that removes malicious packets from the flow before they can affect servers and networks.
C. A distributed denial of service attack is so named because it is capable of attacking many victims
simultaneously who are distributed across the internet.
D. None of the above are true statements.
28. Advanced Encryption Standard (AES) is
A. A 64-bit private key encryption technique.
B. A 128-bit private key encryption technique.
C. A 128-bit public key encryption technique.
D. A 256-bit public encryption technique that has become a U.S. government standard.
29. Which statement is not correct? The audit trail in a computerized environment
A. Consists of records that are stored sequentially in an audit file.
B. Traces transactions from their source to their final disposition.
C. Is a function of the quality and integrity of the application programs.
D. May take the form of pointers, indexes, and embedded keys.
30. Which control is not associated with new systems development activities?
A. Reconciling program version numbers.
B. Program testing.
C. User involvement.
D. Internal audit participation.
31. Routine maintenance activities require all of the following controls except
A. Documentation updates.
B. Testing.
C. Formal authorization.
D. Internal audit approval.
32. Which statement is correct?
A. Compiled programs are very susceptible to unauthorized modification.
B. The source program library stores application programs in source code form.
C. Modifications are made to programs in machine code language.
D. The source program library management system increases operating efficiency.
33. Which control is not a part of the source program library management system?
A. Using passwords to limit access to application programs.
B. Assigning a test name to all programs undergoing maintenance.
C. Combining access to the development and maintenance test libraries.
D. Assigning version numbers to programs to record program modifications.
34. Which control ensures that production files cannot be accessed without specific permission?
A. Database Management System.
B. Recovery Operations Function.
C. Source Program Library Management System.
D. Computer Services Function.
35. Program testing
A. Involves individual modules only, not the full system.
B. Requires creation of meaningful test data.
C. Need not be repeated once the system is implemented.
D. Is primarily concerned with usability.
36. The correct purchase order number, 123456, was incorrectly recorded as shown in the solutions. All of the following
are transcription errors except
A. 1234567.
B. 12345.
C. 124356.
D. 123454.
37. Which of the following is correct?
A. Check digits should be used for all data codes.
B. Check digits are always placed at the end of a data code.
C. Check digits do not affect processing efficiency.
D. Check digits are designed to detect transcription and transposition errors.
38. Which statement is not correct? The goal of batch controls is to ensure that during processing
A. Transactions are not omitted.
B. Transactions are not added.
C. Transactions are free from clerical errors.
D. An audit trail is created.
39. An example of a hash total is
A. Total payroll checks–P12,315.
B. Total number of employees–10.
C. Sum of the social security numbers–12,555,437,251.
D. None of the above.
40. Which statement is not true? A batch control record
A. Contains a transaction code.
B. Records the record count.
C. Contains a hash total.
D. Control figures in the record may be adjusted during processing.
E. All the above are true.
41. Which of the following is not an example of a processing control?
A. Hash total.
B. Record count.
C. Batch total.
D. Check digit.
42. Which of the following is an example of input control test?
A. Sequence check.
B. Zero value check.
C. Spooling check.
D. Range check.
43. Which input control check would detect a payment made to a nonexistent vendor?
A. Missing data check.
B. Numeric/alphabetic check.
C. Range check.
D. Validity check.
44. Which input control check would detect a posting to the wrong customer account?
A. Missing data check.
B. Check digit.
C. Reasonableness check.
D. Validity check.
45. The employee entered "40" in the "hours worked per day" field. Which check would detect this unintentional error?
A. Numeric/alphabetic data check.
B. Sign check.
C. Limit check.
D. Missing data check.

46. An inventory record indicates that 12 items of a specific product are on hand. A customer purchased two of the
items, but when recording the order, the data entry clerk mistakenly entered 20 items sold. Which check could
detect this error?
A. Numeric/alphabetic data checks.
B. Limit check.
C. Range check.
D. Reasonableness check.
47. Which check is not an input control?
A. Reasonableness check.
B. Validity check.
C. Spooling check.
D. Missing data check.
48. A computer operator was in a hurry and accidentally used the wrong master file to process a transaction file. As a
result, the accounts receivable master file was erased. Which control would prevent this from happening?
A. Header label check.
B. Expiration date check.
C. Version check.
D. Validity check.
49. Run-to-run control totals can be used for all of the following except
A. To ensure that all data input is validated.
B. To ensure that only transactions of a similar type are being processed.
C. To ensure the records are in sequence and are not missing.
D. To ensure that no transaction is omitted.
50. Methods used to maintain an audit trail in a computerized environment include all of the following except
A. Transaction logs.
B. Transaction Listings.
C. Data encryption.
D. Log of automatic transactions.
51. Risk exposures associated with creating an output file as an intermediate step in the printing process (spooling)
include all of the following actions by a computer criminal except
A. Gaining access to the output file and changing critical data values.
B. Using a remote printer and incurring operating inefficiencies.
C. Making a copy of the output file and using the copy to produce illegal output reports.
D. Printing an extra hardcopy of the output file.
52. Which statement is not correct?
A. Only successful transactions are recorded on a transaction log.
B. Unsuccessful transactions are recorded in an error file.
C. A transaction log is a temporary file.
D. A hardcopy transaction listing is provided to users.
53. Input controls include all of the following except
A. Check digits.
B. Limit check.
C. Spooling check.
D. Missing data check.
54. Which of the following is an example of an input error correction technique?
A. Immediate correction.
B. Rejection of batch.
C. Creation of error file.
D. All are examples of input error correction techniques.
55. Which test of controls will provide evidence that the system as originally implemented was free from material errors
and free from fraud? Review of the documentation indicates that
A. A cost-benefit analysis was conducted.
B. The detailed design was an appropriate solution to the user's problem.
C. Tests were conducted at the individual module and total system levels prior to implementation.
D. Problems detected during the conversion period were corrected in the maintenance phase.
56. Which statement is not true?
A. An audit objective for systems maintenance is to detect unauthorized access to application databases.
B. An audit objective for systems maintenance is to ensure that applications are free from errors.
C. An audit objective for systems maintenance is to verify that user requests for maintenance reconcile to
program version numbers.

D. An audit objective for systems maintenance is to ensure that the production libraries are protected from
unauthorized access.
57. When the auditor reconciles the program version numbers, which audit objective is being tested?
A. Protect applications from unauthorized changes.
B. Ensure applications are free from error.
C. Protect production libraries from unauthorized access.
D. Ensure incompatible functions have been identified and segregated.
58. When auditors do not rely on a detailed knowledge of the application's internal logic, they are performing
A. Black box tests of program controls.
B. White box tests of program controls.
C. Substantive testing.
D. Intuitive testing.
59. All of the following concepts are associated with the black box approach to auditing computer applications except
A. The application need not be removed from service and tested directly.
B. Auditors do not rely on a detailed knowledge of the application's internal logic.
C. The auditor reconciles previously produced output results with production input transactions.
D. This approach is used for complex transactions that receive input from many sources.
60. Which test is not an example of a white box test?
A. Determining the fair value of inventory.
B. Ensuring that passwords are valid.
C. Verifying that all pay rates are within a specified range.
D. Reconciling control totals.
61. When analyzing the results of the test data method, the auditor would spend the least amount of time reviewing
A. The test transactions.
B. Error reports.
C. Updated master files.
D. Output reports.
62. All of the following are advantages of the test data technique except
A. Auditors need minimal computer expertise to use this method.
B. This method causes minimal disruption to the firm's operations.
C. The test data is easily compiled.
D. The auditor obtains explicit evidence concerning application functions.
63. All of the following are disadvantages of the test data technique except
A. The test data technique requires extensive computer expertise on the part of the auditor.
B. The auditor cannot be sure that the application being tested is a copy of the current application used by
computer services personnel.
C. The auditor cannot be sure that the application being tested is the same application used throughout the
entire year.
D. Preparation of the test data is time-consuming.
64. All of the following statements are true about the integrated test facility (ITF) except
A. Production reports are affected by ITF transactions.
B. ITF databases contain "dummy" records integrated with legitimate records.
C. ITF permits ongoing application auditing.
D. ITF does not disrupt operations or require the intervention of computer services personnel.
65. Which statement is not true? Embedded audit modules
A. Can be turned on and off by the auditor.
B. Reduce operating efficiency.
C. May lose their viability in an environment where programs are modified frequently.
D. Identify transactions to be analyzed using white box tests.
66. Generalized audit software packages perform all of the following tasks except
A. Recalculate data fields.
B. Compare files and identify differences.
C. Stratify statistical samples.
D. Analyze results and form opinions.
67. Which of the following is not an input control?
A. Range check.
B. Limit check.
C. Spooling check.
D. Validity check.
E. They are all input controls.
68. Which of the following is an input control?
A. Reasonableness check.
B. Run-to-run check.
C. Spooling check.
D. Batch check.
E. None are input controls.
