You are on page 1of 38

Chapter 12

Monitoring and Auditing AIS

True / False Questions

1. Data mining is the process of searching for patterns in the data in a data warehouse and to
analyze the patterns for decision making.

True False

2. The data in a data warehouse are updated when transactions are processed.

True False

3. Parallel simulation uses an independent program to simulate a part of an existing application


program, and is designed to test the validity and to verify the accuracy of an existing application
program.

True False

4. Data governance is the convergence of data quality, data management, data policies, business
process management, and risk management surrounding the handling of data in a company.

True False

5. Computer-assisted audit techniques (CAAT) are often used when auditing a company's IT
infrastructure.

True False

12-1
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
6. Firewalls are security systems comprised of hardware and software that is built using routers,
servers, and a variety of software.

True False

7. The Generally Accepted Auditing Standards (GAAS) issued by PCAOB provide guidelines for
conducting an IS/IT audit.

True False

8. Virtual private network (VPN) is a private network, provided by a third party, for exchanging
information through a high capacity connection.

True False

9. A wireless network is comprised access points and stations. Access points logically connect stations
to a firm's network.

True False

10. Integrated test facility (ITF) is an automated technique that enables test data to be continually
evaluated during the normal operation of a system.

True False

11. Accountants increasingly participate in designing internal controls and improving business and IT
processes in a database environment.

True False

12. A data warehouse is for daily operations and often includes data for the current fiscal year only.

True False

13. Parallel simulation attempts to simulate the firm's key features or processes.

True False

12-2
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
14. Embedded audit module is a programmed audit module that is added to the system under
review.

True False

15. A continuous audit is to perform audit-related activities on a continuous basis.

True False

Multiple Choice Questions

16. Which of the following is not an approach used for the online analytical processing (OLAP).

A. Exception reports
B. What-if simulations
C. Consolidation
D. Data mining

17. The purpose of a company's firewall is to:

A. Guard against spoofing


B. Filtering packets
C. Deny computer hackers access to sensitive data
D. All of the above

12-3
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
18. Which of the statements regarding the data warehouse is incorrect?

A. It is a centralized collection of firm-wide data


B. The purpose of a data warehouse is to provide a rich data set for management to identify
patterns and to examine trends of business events
C. Includes data for the current fiscal year only
D. The data in a data warehouse is pulled from each of the operational databases periodically

19. Which of the following statements about switches is correct?

A. Hub is smarter than Switch.


B. Switches provide more security protections than hubs do for a company's internal network.
C. Switch is widely used in WANs.
D. A Switch contains multiple ports.

20. Which of the following describes a group of computers that connects the internal users of a
company distributed over an office building?

A. Internet
B. LAN
C. Virtual private network (VPN)
D. Decentralized network

21. Which of the following is not a management control for wireless networks?

A. Assigning roles and responsibilities of employees for access control


B. Conducting risk assessment on a regular basis
C. Conducting appropriate awareness training on wireless networks
D. Creating policies and procedures

12-4
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
22. What is the man-in-the-middle threat for wireless LANs?

A. The attacker impersonates an authorized user and gains certain unauthorized privileges to the
wireless network
B. The attacker passively monitors wireless networks for data, including authentication credentials
C. The attacker steals or makes unauthorized use of a service
D. The attacker actively intercepts communications between wireless clients and access points to
obtain authentication credentials and data.

23. Which of the following statements regarding the black-box approach for systems auditing is
correct?

A. The auditors need to gain detailed knowledge of the systems' internal logic
B. The black-box approach could be adequate when automated systems applications are
complicated
C. The auditors first calculating expected results from the transactions entered into the system.
Then, the auditors compare these calculations to the processing or output results.
D. All of the above are correct

24. What is data mining?

A. A particular attribute of information.


B. A common term for the representation of multidimensional data.
C. The process of analyzing data to extract of information that is not affected by the raw data
alone.
D. None of the above is correct.

12-5
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
25. What is the test data technique?

A. It uses a set of input data to validate system integrity.


B. It requires auditors to prepare both valid and invalid data to examine critical logics and controls
of the system
C. It is an automated technique that enables test data to be continually evaluated during the
normal operation of a system
D. A and B are correct
E. None of the above is correct

26. Within a WAN, a router would perform which of the following functions?

A. Provide the communication within the network


B. Select network pathways within a network for the flow of data packets.
C. Amplify and rebroadcast signals in a network
D. Forward data packets to their internal network destination

27. Which of the following strategies will a CPA most likely consider in auditing an entity that
processes most of its financial data only in electronic form, such as a paperless system?

A. Continuous monitoring and analysis of transaction processing with an embedded audit module.
B. Increased reliance on internal control activities that emphasize the segregation of duties.
C. Verification of encrypted digital certificates used to monitor the authorization of transactions.
D. Extensive testing of firewall boundaries that restrict the recording of outside network traffic.

28. Which of the following is the primary reason that many auditors hesitate to use embedded audit
modules?

A. Embedded audit modules cannot be protected from computer viruses.


B. Auditors are required to monitor embedded audit modules continuously to obtain valid results.
C. Embedded audit modules can easily be modified through management tampering.
D. Auditors are required to be involved in the system design of the application to be monitored.

12-6
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
29. The results of a generalized audit software simulation of the aging of accounts receivable revealed
substantial differences in the aging contribution, even though grand totals reconciled. Which of
the following should the IS auditor do first to resolve the discrepancy?

A. Recreate the test, using different software.


B. List a sample of actual data to verify the accuracy of the test program.
C. Ignore the discrepancy because the grand totals reconcile and instruct the controller to correct
program.
D. Create test transactions and run test data on both the production and simulation program.

30. Common IT techniques that are needed to implement continuous auditing include

A. Data warehouse and data mining


B. Transaction logging and query tools
C. Computer-assisted audit techniques.
D. All of the above.

31. Which statements are incorrect about virtual private network (VPN)?

A. It is a way to use the public telecommunication infrastructure in providing secures access to an


organization's network.
B. It enables the employees to work remotely by accessing their firm's network securely using the
Internet
C. The packets sent through VPN are encrypted and with authentication technology.
D. The expensive cost is one major disadvantage of VPN.

32. LAN is the abbreviation for

A. Large Area Network.


B. Local Area Network.
C. Longitudinal Analogue Network.
D. Low Analytical Nets.

12-7
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
33. Which of the following is least likely to be considered a component of a computer network?

A. Application programs.
B. Computers.
C. Servers.
D. Routers.

34. Which of the following statements regarding the purposes of an operating system is correct?

A. To ensure the integrity of a system


B. To control the flow of multiprogramming and tasks of scheduling in the computer
C. To allocate computer resources to users and applications
D. All of the above are correct

35. Which of the following is not a benefit of using wireless technology?

A. Mobility
B. Rapid deployment
C. Flexibility and Scalability
D. Security

36. Masquerading threat for wireless LANs is:

A. The attacker actively intercepts communications between wireless clients and access points to
obtain authentication credentials and data
B. The attacker alters a legitimate message sent via wireless networks by deleting, adding to,
changing, or reordering it
C. The attacker passively monitors wireless networks for data, including authentication credentials
D. The attacker impersonates an authorized user and gains certain unauthorized privileges to the
wireless network

12-8
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
37. Which of the following statements is not correct?

A. The IP address of a desktop computer often changes


B. The MAC address of a desktop computer often changes
C. The IP address of a Web server does not change
D. Each hardware device must have a MAC address

38. Which of the following is not a use of CAATs in auditing?

A. Test of details of transactions and balances


B. Analytical review procedures
C. Fraud examination
D. Produce terms and conditions of employment

39. Which of the following statements is wrong regarding continuous audit?

A. Continuous audit is to perform audit-related activities on a continuous basis


B. Testing in continuous audits often consists of continuous controls monitoring and continuous
data assurance
C. Technology plays a key role in continuous audit in analyzing trends and patterns of transactions,
identifying exceptions and anomalies, and testing controls
D. Continuous audit is frequently used to perform substantive tests and is used for testing of
controls through transactional-data analysis

12-9
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
40. Which of the following statements about firewalls is wrong?

A. A firewall is a security system comprised of hardware and software that is built using routers,
servers, and a variety of software
B. A firewall allows individuals on the corporate network to send and receive data packets from the
Internet
C. A firewall can filter through packets coming from outside networks to prevent unauthorized
access
D. A firewall connects different LANs, software-based intelligent devices, examines IP addresses

Essay Questions

12-10
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
41. Identify each of the following statements with one of the five fundamental control objectives of
operating systems.

Control objectives:

(a) Protect operations systems from users.


(b) The operating system must protect users from each other.
(c) The operating system must be protected from itself.
(d) The operating system must be protected from its environment.
(e) The operating system must protect users from themselves.

12-11
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
42. Categorize the following scenarios as management, operational, or technical controls for wireless
networks' security controls.

43. What are the two approaches of CAATs in auditing systems? What are the differences between
them?

12-12
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
44. What are the differences between LANs and WANs? Have you ever used any LANs and WANS?

45. What are the general security objectives for both wired LANs and wireless LANs?

46. What are the benefits of conducting continuous audits (or monitoring)?

12-13
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
47. Discuss five significant barriers that are often encountered in implementing continuous auditing?

48. List common security threats for wireless LANs. Find a specific case in which the security of wireless
LANs was threatened. Given the case you find, comment on how to prevent or mitigate the
threats?

12-14
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
Chapter 12 Monitoring and Auditing AIS Answer Key

True / False Questions

1. Data mining is the process of searching for patterns in the data in a data warehouse and to
analyze the patterns for decision making.

TRUE

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 12-01 Understand the risks involved with computer hardware and software.
Source: Original
Topic: Hardware and software risks in AIS

2. The data in a data warehouse are updated when transactions are processed.

FALSE

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 12-01 Understand the risks involved with computer hardware and software.
Source: Original
Topic: Hardware and software risks in AIS

3. Parallel simulation uses an independent program to simulate a part of an existing application


program, and is designed to test the validity and to verify the accuracy of an existing
application program.

TRUE

AACSB: Reflective Thinking


AICPA BB: Industry

12-15
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 12-03 Explain continuous auditing in AIS.
Source: Original
Topic: Monitoring and auditing an AIS

4. Data governance is the convergence of data quality, data management, data policies, business
process management, and risk management surrounding the handling of data in a company.

TRUE

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 12-01 Understand the risks involved with computer hardware and software.
Source: Original
Topic: Hardware and software risks in AIS

5. Computer-assisted audit techniques (CAAT) are often used when auditing a company's IT
infrastructure.

FALSE

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 12-02 Understand and apply computer-assisted audit techniques.
Source: Original
Topic: Monitoring and auditing an AIS

6. Firewalls are security systems comprised of hardware and software that is built using routers,
servers, and a variety of software.

TRUE

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology

12-16
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 12-01 Understand the risks involved with computer hardware and software.
Source: Original
Topic: Hardware and software risks in AIS

7. The Generally Accepted Auditing Standards (GAAS) issued by PCAOB provide guidelines for
conducting an IS/IT audit.

FALSE

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 12-03 Explain continuous auditing in AIS.
Source: Original
Topic: Monitoring and auditing an AIS

8. Virtual private network (VPN) is a private network, provided by a third party, for exchanging
information through a high capacity connection.

FALSE

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 12-01 Understand the risks involved with computer hardware and software.
Source: Original
Topic: Hardware and software risks in AIS

9. A wireless network is comprised access points and stations. Access points logically connect
stations to a firm's network.

TRUE

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Remember

12-17
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
Difficulty: 1 Easy
Learning Objective: 12-01 Understand the risks involved with computer hardware and software.
Source: Original
Topic: Hardware and software risks in AIS

10. Integrated test facility (ITF) is an automated technique that enables test data to be continually
evaluated during the normal operation of a system.

TRUE

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 12-03 Explain continuous auditing in AIS.
Source: Original
Topic: Monitoring and auditing an AIS

11. Accountants increasingly participate in designing internal controls and improving business and
IT processes in a database environment.

TRUE

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 12-01 Understand the risks involved with computer hardware and software.
Source: Original
Topic: Hardware and software risks in AIS

12. A data warehouse is for daily operations and often includes data for the current fiscal year
only.

FALSE

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Remember
Difficulty: 1 Easy

12-18
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
Learning Objective: 12-01 Understand the risks involved with computer hardware and software.
Source: Original
Topic: Hardware and software risks in AIS

13. Parallel simulation attempts to simulate the firm's key features or processes.

TRUE

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 12-03 Explain continuous auditing in AIS.
Source: Original
Topic: Monitoring and auditing an AIS

14. Embedded audit module is a programmed audit module that is added to the system under
review.

TRUE

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 12-03 Explain continuous auditing in AIS.
Source: Original
Topic: Monitoring and auditing an AIS

15. A continuous audit is to perform audit-related activities on a continuous basis.

TRUE

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 12-03 Explain continuous auditing in AIS.
Source: Original
Topic: Monitoring and auditing an AIS

12-19
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
Multiple Choice Questions

16. Which of the following is not an approach used for the online analytical processing (OLAP).

A. Exception reports
B. What-if simulations
C. Consolidation
D. Data mining

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 12-01 Understand the risks involved with computer hardware and software.
Source: Original
Topic: Hardware and software risks in AIS

17. The purpose of a company's firewall is to:

A. Guard against spoofing


B. Filtering packets
C. Deny computer hackers access to sensitive data
D. All of the above

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 12-01 Understand the risks involved with computer hardware and software.
Source: Original
Topic: Hardware and software risks in AIS

12-20
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
18. Which of the statements regarding the data warehouse is incorrect?

A. It is a centralized collection of firm-wide data


B. The purpose of a data warehouse is to provide a rich data set for management to identify
patterns and to examine trends of business events
C. Includes data for the current fiscal year only
D. The data in a data warehouse is pulled from each of the operational databases periodically

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 12-01 Understand the risks involved with computer hardware and software.
Source: Original
Topic: Hardware and software risks in AIS

19. Which of the following statements about switches is correct?

A. Hub is smarter than Switch.


B. Switches provide more security protections than hubs do for a company's internal network.
C. Switch is widely used in WANs.
D. A Switch contains multiple ports.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 12-01 Understand the risks involved with computer hardware and software.
Source: Original
Topic: Hardware and software risks in AIS

12-21
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
20. Which of the following describes a group of computers that connects the internal users of a
company distributed over an office building?

A. Internet
B. LAN
C. Virtual private network (VPN)
D. Decentralized network

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 12-01 Understand the risks involved with computer hardware and software.
Source: Original
Topic: Hardware and software risks in AIS

21. Which of the following is not a management control for wireless networks?

A. Assigning roles and responsibilities of employees for access control


B. Conducting risk assessment on a regular basis
C. Conducting appropriate awareness training on wireless networks
D. Creating policies and procedures

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 12-01 Understand the risks involved with computer hardware and software.
Source: Original
Topic: Hardware and software risks in AIS

12-22
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
22. What is the man-in-the-middle threat for wireless LANs?

A. The attacker impersonates an authorized user and gains certain unauthorized privileges to
the wireless network
B. The attacker passively monitors wireless networks for data, including authentication
credentials
C. The attacker steals or makes unauthorized use of a service
D. The attacker actively intercepts communications between wireless clients and access points
to obtain authentication credentials and data.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 12-01 Understand the risks involved with computer hardware and software.
Source: Original
Topic: Hardware and software risks in AIS

23. Which of the following statements regarding the black-box approach for systems auditing is
correct?

A. The auditors need to gain detailed knowledge of the systems' internal logic
B. The black-box approach could be adequate when automated systems applications are
complicated
C. The auditors first calculating expected results from the transactions entered into the system.
Then, the auditors compare these calculations to the processing or output results.
D. All of the above are correct

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 12-03 Explain continuous auditing in AIS.
Source: Original
Topic: Monitoring and auditing an AIS

12-23
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
24. What is data mining?

A. A particular attribute of information.


B. A common term for the representation of multidimensional data.
C. The process of analyzing data to extract of information that is not affected by the raw data
alone.
D. None of the above is correct.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 12-01 Understand the risks involved with computer hardware and software.
Source: Original
Topic: Hardware and software risks in AIS

25. What is the test data technique?

A. It uses a set of input data to validate system integrity.


B. It requires auditors to prepare both valid and invalid data to examine critical logics and
controls of the system
C. It is an automated technique that enables test data to be continually evaluated during the
normal operation of a system
D. A and B are correct
E. None of the above is correct

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 12-03 Explain continuous auditing in AIS.
Source: Original
Topic: Monitoring and auditing an AIS

12-24
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
26. Within a WAN, a router would perform which of the following functions?

A. Provide the communication within the network


B. Select network pathways within a network for the flow of data packets.
C. Amplify and rebroadcast signals in a network
D. Forward data packets to their internal network destination

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 12-01 Understand the risks involved with computer hardware and software.
Source: Original
Topic: Hardware and software risks in AIS

27. Which of the following strategies will a CPA most likely consider in auditing an entity that
processes most of its financial data only in electronic form, such as a paperless system?

A. Continuous monitoring and analysis of transaction processing with an embedded audit


module.
B. Increased reliance on internal control activities that emphasize the segregation of duties.
C. Verification of encrypted digital certificates used to monitor the authorization of
transactions.
D. Extensive testing of firewall boundaries that restrict the recording of outside network traffic.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 12-03 Explain continuous auditing in AIS.
Source: CPA examination, adapted
Topic: Monitoring and auditing an AIS

12-25
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
28. Which of the following is the primary reason that many auditors hesitate to use embedded
audit modules?

A. Embedded audit modules cannot be protected from computer viruses.


B. Auditors are required to monitor embedded audit modules continuously to obtain valid
results.
C. Embedded audit modules can easily be modified through management tampering.
D. Auditors are required to be involved in the system design of the application to be
monitored.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 12-03 Explain continuous auditing in AIS.
Source: CPA examination, adapted
Topic: Monitoring and auditing an AIS

29. The results of a generalized audit software simulation of the aging of accounts receivable
revealed substantial differences in the aging contribution, even though grand totals reconciled.
Which of the following should the IS auditor do first to resolve the discrepancy?

A. Recreate the test, using different software.


B. List a sample of actual data to verify the accuracy of the test program.
C. Ignore the discrepancy because the grand totals reconcile and instruct the controller to
correct program.
D. Create test transactions and run test data on both the production and simulation program.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 12-03 Explain continuous auditing in AIS.
Source: CISA examination, adapted
Topic: Monitoring and auditing an AIS

12-26
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
30. Common IT techniques that are needed to implement continuous auditing include

A. Data warehouse and data mining


B. Transaction logging and query tools
C. Computer-assisted audit techniques.
D. All of the above.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 12-03 Explain continuous auditing in AIS.
Source: Original
Topic: Monitoring and auditing an AIS

31. Which statements are incorrect about virtual private network (VPN)?

A. It is a way to use the public telecommunication infrastructure in providing secures access to


an organization's network.
B. It enables the employees to work remotely by accessing their firm's network securely using
the Internet
C. The packets sent through VPN are encrypted and with authentication technology.
D. The expensive cost is one major disadvantage of VPN.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 12-01 Understand the risks involved with computer hardware and software.
Source: Original
Topic: Hardware and software risks in AIS

12-27
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
32. LAN is the abbreviation for

A. Large Area Network.


B. Local Area Network.
C. Longitudinal Analogue Network.
D. Low Analytical Nets.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 12-01 Understand the risks involved with computer hardware and software.
Source: Original
Topic: Hardware and software risks in AIS

33. Which of the following is least likely to be considered a component of a computer network?

A. Application programs.
B. Computers.
C. Servers.
D. Routers.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 12-01 Understand the risks involved with computer hardware and software.
Source: Original
Topic: Hardware and software risks in AIS

12-28
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
34. Which of the following statements regarding the purposes of an operating system is correct?

A. To ensure the integrity of a system


B. To control the flow of multiprogramming and tasks of scheduling in the computer
C. To allocate computer resources to users and applications
D. All of the above are correct

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 12-01 Understand the risks involved with computer hardware and software.
Source: Original
Topic: Hardware and software risks in AIS

35. Which of the following is not a benefit of using wireless technology?

A. Mobility
B. Rapid deployment
C. Flexibility and Scalability
D. Security

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 12-01 Understand the risks involved with computer hardware and software.
Source: Original
Topic: Hardware and software risks in AIS

12-29
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
36. Masquerading threat for wireless LANs is:

A. The attacker actively intercepts communications between wireless clients and access points
to obtain authentication credentials and data
B. The attacker alters a legitimate message sent via wireless networks by deleting, adding to,
changing, or reordering it
C. The attacker passively monitors wireless networks for data, including authentication
credentials
D. The attacker impersonates an authorized user and gains certain unauthorized privileges to
the wireless network

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 12-01 Understand the risks involved with computer hardware and software.
Source: Original
Topic: Hardware and software risks in AIS

37. Which of the following statements is not correct?

A. The IP address of a desktop computer often changes


B. The MAC address of a desktop computer often changes
C. The IP address of a Web server does not change
D. Each hardware device must have a MAC address

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 12-01 Understand the risks involved with computer hardware and software.
Source: Original
Topic: Hardware and software risks in AIS

12-30
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
38. Which of the following is not a use of CAATs in auditing?

A. Test of details of transactions and balances


B. Analytical review procedures
C. Fraud examination
D. Produce terms and conditions of employment

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 12-02 Understand and apply computer-assisted audit techniques.
Source: Original
Topic: Monitoring and auditing an AIS

39. Which of the following statements is wrong regarding continuous audit?

A. Continuous audit is to perform audit-related activities on a continuous basis


B. Testing in continuous audits often consists of continuous controls monitoring and
continuous data assurance
C. Technology plays a key role in continuous audit in analyzing trends and patterns of
transactions, identifying exceptions and anomalies, and testing controls
D. Continuous audit is frequently used to perform substantive tests and is used for testing of
controls through transactional-data analysis

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 12-02 Understand and apply computer-assisted audit techniques.
Source: Original
Topic: Monitoring and auditing an AIS

12-31
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
40. Which of the following statements about firewalls is wrong?

A. A firewall is a security system comprised of hardware and software that is built using routers,
servers, and a variety of software
B. A firewall allows individuals on the corporate network to send and receive data packets from
the Internet
C. A firewall can filter through packets coming from outside networks to prevent unauthorized
access
D. A firewall connects different LANs, software-based intelligent devices, examines IP addresses

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 12-01 Understand the risks involved with computer hardware and software.
Source: Original
Topic: Hardware and software risks in AIS

Essay Questions

12-32
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
41. Identify each of the following statements with one of the five fundamental control objectives of
operating systems.

Control objectives:

(a) Protect operations systems from users.


(b) The operating system must protect users from each other.
(c) The operating system must be protected from itself.
(d) The operating system must be protected from its environment.
(e) The operating system must protect users from themselves.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Apply

12-33
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
Difficulty: 3 Hard
Learning Objective: 12-01 Understand the risks involved with computer hardware and software.
Source: Original
Topic: Hardware and software risks in AIS

42. Categorize the following scenarios as management, operational, or technical controls for
wireless networks' security controls.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Apply
Difficulty: 3 Hard
Learning Objective: 12-01 Understand the risks involved with computer hardware and software.
Source: Original
Topic: Hardware and software risks in AIS

12-34
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
43. What are the two approaches of CAATs in auditing systems? What are the differences between
them?

The two approaches are auditing around the computer (the black-box approach) auditing
through the computer (the white-box approach).
Using the black-box approach, auditors do not need to gain detailed knowledge of the systems'
internal logic. The system will not be interrupted for auditing purposes. The approach applies
when the automated systems applications are relatively simple. Using the white-box approach
requires auditors to understand the internal logic of the system/application being tested.
Auditors need to create test cases to verify specific logic and controls in a system. Auditing
through the computer approach embraces a variety of techniques such as test data technique,
parallel simulation. The white-box approach is used when the automated systems applications
are complicated.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 12-02 Understand and apply computer-assisted audit techniques.
Source: Original
Topic: Monitoring and auditing an AIS

44. What are the differences between LANs and WANs? Have you ever used any LANs and WANS?

1) LANs covers a small area while WANs covers a significantly larger area.
2) LANs speeds are also significantly faster than WANs.
3) LANs is more secure than WANs.
4) WANs are much more expensive to implement than LANs.

The Internet is the most popular WAN. A local area network is often used in a computer lab on
campus. (Students' answers may vary.)

AACSB: Reflective Thinking


AICPA BB: Industry

12-35
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 12-01 Understand the risks involved with computer hardware and software.
Source: Original
Topic: Hardware and software risks in AIS

45. What are the general security objectives for both wired LANs and wireless LANs?

1) Confidentiality: Ensure that communication cannot be read by unauthorized parties.


2) Integrity: Detect any intentional or unintentional changes to the data during transmission.
3) Availability: Ensure that devices and individuals can access a network and its resources
whenever needed.
4) Access Control: Restrict the rights of devices or individuals to access a network or resources
within a network.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 12-01 Understand the risks involved with computer hardware and software.
Source: Original
Topic: Hardware and software risks in AIS

12-36
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
46. What are the benefits of conducting continuous audits (or monitoring)?

Using continuous audit/monitoring, most firms can reduce errors and frauds; increase
operational effectiveness; better comply with laws and regulations; and increase management
confidence in control effectiveness and financial information.
In addition, continuous auditing allows internal and external auditors to monitor transaction
data in a timely manner; better understand critical control points, rules, and exceptions; perform
control and risk assessments in real time or near real time; notify management of control
deficiencies in a timely manner; and reduce efforts on routine testing while focus on more
valuable investigation activities.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 12-03 Explain continuous auditing in AIS.
Source: Original
Topic: Monitoring and auditing an AIS

47. Discuss five significant barriers that are often encountered in implementing continuous
auditing?

1) Access to all relevant data in a timely manner


2) Readiness of the internal audit group to develop and adopt continuous auditing
3) Accumulating and quantifying the risks and the exposures that have been identified
4) Defining the appropriate analytic that will effectively identify exceptions to controls
5) Developing a suitable scoring/weighting mechanism to prioritize exceptions

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 12-03 Explain continuous auditing in AIS.
Source: Original

12-37
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
Topic: Monitoring and auditing an AIS

48. List common security threats for wireless LANs. Find a specific case in which the security of
wireless LANs was threatened. Given the case you find, comment on how to prevent or mitigate
the threats?

1) Eavesdropping: The attacker passively monitors wireless networks for data, including
authentication credentials.
2) Man-in-the-Middle: The attacker actively intercepts communications between wireless clients
and access points to obtain authentication credentials and data.
3) Masquerading: The attacker impersonates an authorized user and gains certain unauthorized
privileges to the wireless network.
4) Message Modification: The attacker alters a legitimate message sent via wireless networks by
deleting, adding to, changing, or reordering it.
5) Message Replay: The attacker passively monitors transmissions via wireless networks and
retransmits messages, acting as if the attacker was a legitimate user.
6) Misappropriation: The attacker steals or makes unauthorized use of a service.
7) Traffic Analysis: The attacker passively monitors transmissions via wireless networks to
identify communication patterns and participants.
8) Rogue Access Points: The attacker sets up an unsecured wireless network near the enterprise
with an identical name and intercepts any messages sent by unsuspecting users that log onto it.

Students' answers vary on the specific case and the approaches to mitigate the threats.

AACSB: Reflective Thinking


AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Apply
Difficulty: 3 Hard
Learning Objective: 12-01 Understand the risks involved with computer hardware and software.
Source: Original
Topic: Hardware and software risks in AIS

12-38
Copyright 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.