COMMITTEE ON INFORMATION TECHNOLOGY

INSTITUTE OF CHARTERED ACCOUNTANTS OF INDIA

Certificate Course on Forensic Accounting & Fraud Detection

MODEL TEST PAPER -4

Total No. of Questions: 100

Total Marks: 100 Time Allowed: 1 Hour 40 Mins (i.e. 100 mins)

GENERAL INSTRUCTIONS

There is no negative marking

Answer all the 100 questions. All Questions carry equal marks and are compulsory.
Each question has four multiple choices for the answer. You are required to choose
only one Answer which according to you is most appropriate and/or correct.
Please do not write or mark on this question booklet.
The candidate should not turn or look at any other page, except this instruction page,
till the chief superintendent / invigilator announces to start.

OBJECTIVE TYPE QUESTIONS

(1×100)

1. Who are the primary victims of financial statement fraud?

A. Middle management
B. Organizations that buy goods or services
C. Analysts
 D. Stockholders
2. The type of forensics that involves examining malicious software
A. Software forensics
B. Hardware forensics
C. Network forensics
D. Digital forensics

3. A forensics certification provides _________.

A. a reason for continuing education
B. external validation of one's forensics skills
C. breadth in the computer industry
D. depth in a particular subject

4. Which of the following describes a firewall?

A. A copy of data
B. Data that cannot be lost
C. Digital forensic analysis
D. Device or software that acts as a checkpoint between a network or
stand-alone computer and the Internet

5. General financial statement fraud can be detected through

A. Internal audit
B. Surprise audits /cash counts.
C. Data mining
D. All of the above

6. Which is not a red flag among following:

A. Negative Cash flows
B. Significant sales to related parties
C. Sudden above-average profits for specific quarters
D. Paid dividend according to dividend payout ratio
7. Payment to vendors who aren’t on an approved vendor list, a -
A. Management Red flag
B. Red flag in purchasing
C. Red flag in payroll
D. Red flag in account receivable

8. Sudden activity in a dormant banking account, a-

A. Management Red flag
B. Red flag in purchasing
C. Red flag in payroll
Red flag in cash/ account receivable

9. What is the most cost-effective way to minimize the cost of fraud?

A. Prevention
B. Detection
C. Investigation
D. Prosecution

10. If pressures and opportunities are high and personal integrity is low, the chance of
fraud is:
A. High
B. Medium
C. Very Low
D. Low

11. How frequently do most people rationalize?

A. Sometimes
B. Often
C. Never
D. Rarely
12. Which of the following statements is most correct regarding errors and fraud?
A. An error is unintentional, whereas fraud is intentional.
B. Frauds occur more often than errors in financial statements.
C. Errors are always fraud and frauds are always errors.
D. Auditors have more responsibility for finding fraud than errors.

13. Fraudulent financial reporting is most likely to be committed by whom?

A. Line employees of the company
B. Outside members of the company’s board of directors
C. Company management
D. The company’s auditors

14. Who Commits Financial Statement Fraud:

A. Senior Management
B. Middle and lower level employees
C. Organized Criminals
D. All the above

15. The Auditor’s Responsibilities Relating to fraud in an audit of Financial Statements

are specified in :

A. SA 240
B. SA 250
C. SA 300
D. SA 450

16. SA 250 related to:

A. Auditor’s Responsibilities Relating to fraud in an audit of Financial Statements

B. Consideration of Laws and Regulations in an Audit of Financial Statements
 C. Both A and B
D. None of the above

17. Maximum Imprisonment Punishment for fraud for criminal liability as per Section 447
of Companies Act, 2013.
A. 3 Years
B. 5 Year
C. 7 Year
D. 10 Year

18. Why Do People Commit Financial Statement Fraud

A. To conceal true business performance
B. To preserve personal status/control
C. To maintain personal income/wealth
D. All the above

19. The use of _____________________ may be particularly valuable in cases of white- collar
crime.
A. Fingerprint examiners
B. Forensic photography
C. Forensic accountants
D. None of the above

20. Hashing, filtering and file header analysis make up which function of digital forensics
tools?
A. Validation and Verification
B. Acquisition
C. Extraction
D. Reconstruction

21. The reconstruction function is needed for which of the following purposes?
 A. Re create a suspect drive to show what happened
B. Create a copy of a drive for other investigators
C. Recover file headers
D. Re create a drive compromised by malware

22. ___ is the set of instructions compiled into a program that performs a particular
task.
A. Software
B. Hardware
C. OS
D. None of these

23. While interviewing/interrogating an investigator should look for following outer

personality/attributes in a person to conclude him as a suspect or a non-suspect

I. Person’s dressing sense: the chances of the one being a suspect is more who
dresses shabbily than the one who dresses immaculately
II. Person’s Gender : the chances of the one being a suspect is more if he is a Male
than the one who is a Female
III. Other Characteristics like Race, Religion, Community, Color, Hierarchy, Age,
Height Weight, no of years of service etc

A. All (I), (II) and (III) above

B. Only (III) above
C. Both (I) and (II) above
D. None

24. The following is used as forensic software except ____.

A. The Coroner’s Toolkit
B. Outlook
 C. ILook
D. Forensic Toolkit

25. When conducting _________ analysis, the first step is to recover undeleted files.
A. Research
B. Forensic
C. Process
D. Security

26. The purpose of the Red Flags Rule is:

A. To detect the warning signs – or “red flags” – of identity theft in day-to-day
operations
B. take steps to prevent the crime
C. Mitigate the damage it inflicts.
D. All of the above

27. Because the federal Red Flag Rules are so comprehensive, Minnesota’s state laws
concerning identity theft prevention no longer apply.
A. True
B. False
C. Depends on situation of identity theft
D. Can’t say

28. Among the following which would be the red flags for payroll –
A. Overtime time charged during a slack period
B. Excessive or unjustified transactions
C. Large no. of Write- off of accounts
D. All of the above
29. Theft of an employer’s property which was not entrusted to employee will be defined
as-
A. Lapping
B. Larceny
C. Check kitting
D. None of the above

30. A “habitual criminal” who steals for the sake of stealing is known as-
A. Psychotic
B. Egocentric
C. Ideological
D. Economic

31. A Personal prestige, goal achievement is termed as

A. Psychotic
B. Egocentric
C. Ideological
D. Economic

32. Which of the following statements is CORRECT: As per Beneish Model:

A. A score less than -2.22 indicates a strong likelihood of a firm being a
manipulator.
B. A score greater than -2.22 indicates a strong likelihood of a firm being a
manipulator.
C. A score between -2.22 and +2.22 indicates a strong likelihood of a firm being
a manipulator.
D. A score between -2.22 and +7.88 indicates a strong likelihood of a firm being
a manipulator.

33. Ideological means-

A. Personal prestige, goal achievement.
 B. Cause is morally superior, justified in making other victims
C. Desperate need for money, greed, economic achievement
D. None of the above

34. What is a telephone “phreaker”?

A. People who obtain free cellular phone service through theft or forgery of
subscriber information or through employee collusion.
B. People who exploit weaknesses in the cellular network’s technology to
defraud the cellular service provider.
C. People who stalk others on the Internet.
D. People who trick telephone systems into believing that long-distance and
airtime are being legitimately purchased.

35. Which of the following is not a tool utilized by computer criminals?

A. NMAP
B. ToneLoc
C. Cyber-stalker
D. Cryptanalysis

36. What is the purpose of cryptanalysis software?

A. Breaking encryption
B. Taking advantage of a security hole
C. Impairing or destroying function in a computer
D. Delivering attack software

37. What is the delivery vehicle of choice for exploit software?

A. NMAP
B. Cryptanalysis
C. Tone Loc
D. Trojan Horse Programs
38. What is the primary distinction between viruses and worms?
A. Worms do not rely on a host program to infect.
B. Worms masquerade as legitimate while causing damage.
C. Viruses do not rely on a host program to infect.
D. A computer virus is active without a host.

39. Which of the following is not a feature of a “cookie”?

A. It is saved on the user’s hard drive.
B. It tracks which sites a computer has visited.
C. It may assist in an investigation.
D. They are evil programs that scan the hard drive of a computer.

40. Which of the following describes the demographic profile of a hacker?

A. White male
B. 14 to 25 years of age
C. Highly intelligent, yet an underachiever in school
D. All of the above

41. ________________ is the science of acquiring, preserving, retrieving, and presenting data
that has been processed electronically and stored on computer media.
A. Anonymous remailing
B. Digital forensic analysis
C. Using a firewall
D. None of the above

42. Which of the following techniques is most effective in preventing computer crime?
A. Backups
B. Digital forensic analysis
C. Using a firewall
D. None of the above
43. The term disk geometry refers to ________.
A. the physical dimensions of the storage media
B. the number of blocks on the disk
C. the total size and number of cylinders, heads, and sectors
D. the number of bits that can be stored on the disk

44. The stored bits of flash media are located in ________.

A. rooms
B. cells
C. sectors
D. blocks

45. Which of the following are challenges to data recovery for "highly available" memory?
A. The data is distributed across several physical disks.
B. The data is encrypted.
C. The "highly available" solution contains unusually large and un-wieldy
capacity.
D. The data cannot be made unavailable for any length of time and therefore
proper.

46. Which of the following statements is true about a computer's boot process?
A. The boot process begins when the Central Processing Unit is initialized.
B. The user can accelerate the boot process by pressing "Windows" key (also
known as the turbo button).
C. The first process in Linux is called 'kernel'.
D. A Power-On Self-Test is performed once firmware is loaded

47. Which one of the following questions is NOT one to be answered by the investigation
plan?
A. Where is the evidence likely to be located?
B. What age is the suspect?
 C. What local laws and court processes will affect this investigation?
D. What skills are needed to extract the evidence?

48. Vulnerability assessment experts will perform the task of ________. (Select the three that
apply)
A. assessing the prevalence of a known weakness by scanning entire networks
B. assessing the damage and impact of an exploited vulnerability
C. scanning hosts for known weaknesses and vulnerabilities
D. validating the integrity of the host or network equipment

49. Which three of the following would help investigators set the scope for strategies to
extract evidence from acquired images?
A. The password of the suspect
B. The type of files that are not sought by a warrant
C. The question or questions to be answered by the evidence
D. Items found in pockets of clothing owned by the suspect

50. A process is best described as a _______.

A. list of steps to complete a procedure
B. list of steps which together complete a single task or part of a task for a
forensics investigation
C. list of tasks which together complete a forensics investigation
D. list of tasks that together complete one step in a procedure

51. Separation of duties within an investigation describes how _______ and _______ should be
accomplished by different staff.
A. collection of physical evidence / collection of digital evidence
B. extraction / acquisition
C. acquisition / validation
D. All of the above
52. In order to maintain the _________, both a single-evidence form and a multi-evidence
form are used to document and catalog evidence.
A. proper signatures
B. evidence validation
C. image reconstruction
D. chain of custody

53. According to the Federal Rules for Evidence (FRE) section 702, the opinion of an expert
witness can be based on all of the following EXCEPT ________.
A. the product of consultations from peers with other expertise
B. sufficient facts or data
C. the product of accepted and reliable principles or methods
D. application of accepted and reliable principles or methods

54. Which one of the following factors can sabotage the quality of digital evidence reports
between the investigation and the presentation of the evidence to a court?
A. A forensic professional reporting the work of a retired forensic investigator.
B. The promotion of the detective who had been leading a criminal investigation.
C. The procedures used to analyze the data may have been invalidated by court.
D. All of the above

55. The best evidence rule of a case is the expectation that the evidence of a case ________.
A. is the prime evidence that prove the theory of an attorney
B. has been collected with the best and most current software tools available
C. is the best and most scientific evidence collection procedures for that case
D. is the best available evidence given the nature of the case

56. Which three "off-the-job" characteristics below are used to determine the "quality" of
an expert witness?
A. Income level of the expert
 B. The nature of the expert's morals
C. Compliance with laws expected of average citizens
D. Compliance with ethic standards for average citizens

57. Examination can be described as telling a story that ________.

A. uses digital forensic investigators to support facts of the story with evidence
B. disproves alternative theories when necessary
C. presents evidence by asking digital forensic investigators to provide "question
answers"
D. All of the above

58. Employee embezzlement can be direct or indirect. Indirect fraud occurs when:
A. an employee uses company assets to run his/her private business
B. employees establish dummy companies and have their employers pay for
goods that are not actually delivered
C. an employee receives a kickback from a vendor
D. an employee steals company cash, inventory, tools, or other assets

59. Which of the following is NOT one of the major types of fraud classification schemes?
A. Employee embezzlement
B. Government fraud
C. Investment scams
D. Customer fraud

60. Which of the following is not a common type of fraud pressure?

A. Pressure to outsmart peers
B. Financial pressures
C. Work-related pressures
D. Vices

61. Which of the following is NOT a way in which fraud can be committed?
 A. By false representation
B. By failing to disclose information
C. By abuse of position
D. By obtaining property by deception

62. All of the following are methods that organization can adopt to proactively
eliminate fraud opportunities EXCEPT:
A. Accurately identifying sources and measuring risks
B. Implementing appropriate preventative and detective controls
C. Creating widespread monitoring by employees
D. Eliminating protections for whistle blowers

63. Audits, public record searches, and net worth calculations are used to gather what type
of evidence in fraud investigation?
A. Testimonial
B. Forensic
C. Documentary
D. Observation

64. Which of the following is NOT a part of the evidence square?

A. Management evidence
B. Documentary evidence
C. Testimonial evidence
D. Physical evidence

65. Which financial ratio is not useful in detecting revenue-related fraud?

A. Gross profit margin ratio
B. Account receivable ratio
C. Asset turnover ratio
D. All of the above
66. Section 447 of the Companies Act, 2013 defines fraud - Any act/ omission/
concealment of any fact committed by any person or other person (third party) with
connivance in any manner with intent to deceive/ gain undue advantage or to injure
interest of:
A. Company
B. Shareholders
C. Creditors
D. All the Above.

67. Fine/Penalty Punishment for fraud for civil liability as per Section 447 of Companies
Act, 2013
A. Equal to the amount of fraud
B. 2 times of amount of fraud
C. 3 times of amount of fraud
D. 4 times of amount of fraud

68. Which of the following is an example of the crime of counterfeit credit card fraud?
A. An illegally obtained credit card is used to pay for a purchase
B. An illegally created credit card is used to pay for a purchase
C. An illegally altered credit card is used to pay for a purchase
D. A credit card is obtained and used based on false application information

69. Which of the following is not an example of an antishoplifting technique?

A. “Scarecrooks”
B. “Anne Droid”
C. Trojan Horse
D. Ponzi scheme
70. Which of the following recommendations may prevent identity fraud?
A. Patrol residential areas on trash collection days
B. Enforce trespass laws at dump sites
C. Advise citizens to shred documents
D. All of the above

71. A computer crime that involves attacking phone lines is:

A. data diddling
B. phreaking
C. phishing
D. pharming

72. Hackers use all of the techniques except:

A. war dialing
B. war driving
C. war chalking
D. war walking

73. Social engineering facilitates what type of computer fraud?

A. Click fraud
B. Identity theft
C. Spoofing
D. Dictionary attacks

74. The computer crime of piggybacking

A. involves the clandestine use of another user's WIFI
B. usually results from spamming
C. requires the permission of another user to gain access
D. None of the above

75. A network of computers used in a denial-of-service (DoS) attack is called a (an):

 A. Worm
B. Botnet
C. Rootkit
D. Splog

76. Spyware infections came from:

A. worms/viruses
B. drive-by downloads
C. file-sharing programs
D. All of the above

77. Which of the following is not a characteristic of computer viruses?

A. They can lie dormant for a time without doing damage
B. They can mutate which increases their ability to do damage
C. They can hinder system performance
D. They are easy to detect and destroy

78. Which of the following is a method used to embezzle money a small amount at a
time from many different accounts?
A. Data diddling
B. Pretexting
C. Spoofing
D. Salami technique

79. Which of the following is NOT a method that is used for identity theft?
A. Dumpster diving
B. Phishing
C. Shoulder surfing
D. Spamming
80. A computer fraud and abuse technique that steals information, trade secrets, and
intellectual property.
A. Cyber-extortion
B. Data diddling
C. Economic espionage
D. Skimming

81. Which of the following is a threat that organizations need to take account of in
cyberspace?
A. Password
B. Objectionable content filter
C. Denial of service attack
D. Firewall

82. Desperate need for money, greed, economic achievement termed as-
A. Psychotic
B. Egocentric
C. Ideological
D. Economic

83. Stealing money from one customer account & crediting into another customer account
is known as-
A. Lapping
B. Larceny
C. Check kitting
D. None of the above

84. Which among the following will not be an example of Green flag-
A. Auditee nice behavior with auditor during audit (eg. Offering drinks during
lunch)
B. Auditee is too much friendly with staff and vendors
 C. Regular receipt of material of same qty
D. Employee with few or no payroll deductions

85. Factors contributing to red flag includes-

A. Poor Internal Controls
B. Management overrides Internal Control
C. Collusion between employees & third party
D. All of the above

86. Management Red Flags is/are-

A. Management decisions are dominated by an individual or small group
B. Managers engage in frequent disputes with auditors
C. Reluctance to provide information to auditors
D. All of the above

87. Common Types of Fraud in School Districts would be-

A. Unreimbursed personal calls
B. Theft of inventory items.
C. Inappropriate charges to a travel or account payable voucher
D. All of the above

88. Employees with duplicate social security numbers, names and addresses, a-
A. Management Red flag
B. Red flag in purchasing
C. Red flag in payroll
D. Red flag in cash/ account receivable

89. Excessive number of year end transaction, a

A. Management Red flag
B. Red flag in purchasing
C. Red flag in payroll
 D. Red flag in cash/ account receivable

90. The most popular software forensic tools include all of the following except:
A. Forensics Autopsy
B. QUICKEN
C. Forensics Toolkit
D. SMART

91. Hash values are used for which of the following purposes?
A. Determining file sizes
B. Filtering known good files from potentially suspicious data
C. Reconstruction file fragments
D. Validating that the original data hasn’t changed.

92. The verification function does the following?

A. Proves that a tool performs as intended
B. Creates segmented files.
C. Proves that two sets of data are identical via hash values
D. Verifies hex editors.

93. What are the function of Extraction:

A. GUI Acquisition
B. Command line acquisition
C. Carving
D. Hashing

94. Disc imaging

A. bit stream duplicate
B. no alterations to original media
 C. verify integrity
D. All of above

95. Acquisition to ISO standard 27037, which of the following is an important factor in
data acquisition?
A. The DEFR’s Competency
B. The DEFR’s skills in using the command lines
C. Use of validated tools
D. Condition at the acquisition setting
96. The physical Cheque tempering prevention method in which extremely small printing,
too small to be read with naked eye becomes distorted when photocopied is called
_______.
A. High resolution microprinting
B. Microline printing
C. Watermark backers
D. None of above

97. Which among the following are the three payroll fraud schemes
I. Ghost employees
II. Temporary employees
III. Falsified overtime
IV. Commission
Option:

A. I , II & III
B. I , III & IV
C. II , III & IV
D. I , II & IV
98. Which of the following is the Security feature provided by bank to its accountholders so
that only authorized electronic transaction are allowed.
A. ACH
B. AHC
C. CAH
D. CHA

99. The style of interviewer while handling fraud cases should be

I. He should be friendly and easy-going like cracking jokes and asking about
hobbies and favorite things because the information is easily extracted from
the anyone whom he gets friendly to
II. He should be strict, authoritative and accusatory because otherwise the
suspect can take the investigator for granted and tell lies or not answer to
what is being asked
III. He should be the one who does most of the talking and asking questions to
which the suspect answers in Yes or No
IV. He should maintain a non-accusatory tone and firm demeanor during an
interview. he should keep his questions brief and, whenever possible, elicit a
narrative response from the subject

A. Both (I) and (III) above

B. Only (IV) above
C. Only (II) above
D. None

100. While interviewing/interrogating a suspect, an investigator should do the following:

I. Listen only to what the suspect says and ignoring his behavioral attributes
II. Don’t believe at all to what he says and concentrate only to his behavioral
attributes
 III. Rely on the opinion of what others are talking about him (his supervisor, his
colleagues and his juniors) and on his past history of manipulation.
IV. Collect Documentary Evidence and corroborate it with explanation obtained
while interviewing/interrogating considering their behavior attributes on
non-judgmental basis

A. Both (I) and (III) above

B. Only (I) above
C. Both (II) and (III) above
D. Only (IV) above