1. Data warehouses work together with operational systems to provide necessary insight, particularly in the
case of customer relationship management (CRM) and supply chain management (SCM) systems.
True False
2. Data warehouses are often designed to facilitate decision making such as that used in managerial
accounting and to facilitate management by exception, such as variance reports, trend reports, variance
analysis reports, and reports that compare actual performance to budgeted information.
True False
3. If data mining finds a statistical correlation or relationship between two data items, then there exists a
plausible relationship between those two data items in the real world.
True False
4. XBRL is based on the XML language.
True False
5. XBRL produces standardized reports and is not customizable.
True False
6. XBRL GL (also known as XBRL Global Ledger Taxonomy) serves as a means to facilitate efficient
communication within a firm.
True False
7. XBRL serves as a means to electronically communicate business information to facilitate business
reporting of financial and nonfinancial data to users. XBRL greatly enhances the speed and accuracy of
business reporting.
True False
8. XBRL instance documents describe each key data element (e.g., total assets, accounts payable, net income,
etc.).
True False
9-1
Copyright © 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of
McGraw-Hill Education.
9. XBRL allows highly disaggregated data so not only is it possible to know the level of sales, but it is
possible to know sales revenue in much more detail.
True False
10. Data warehouses gather information from external databases, but not from internal databases.
True False
11. XBRL style sheets take the instance documents and add presentation elements to make XBRL filings
readable by humans.
True False
12. Bank loan officers and the IRS will likely have different XBRL style sheets for the various XBRL filings.
True False
13. Since both are regulators, the SEC and the IRS will likely have similar XBRL style sheets for the various
XBRL filings.
True False
14. XBRL (eXtensible Business Reporting Language) is an open, global standard for exchanging financial
reporting information.
True False
15. Data Mining is a process of using sophisticated statistical techniques to extract and analyze data from large
databases to discern patterns and trends that were not previously known.
True False
16. XBRL Instance Documents define and describe each key data element (e.g., total assets, accounts payable,
net income, etc.).
True False
A. Data Warehousing
B. Project Management
C. Data Martian
D. Business Intelligence
18. A data warehouse may include a:
A. Business intelligence
B. Data Warehouse
C. Digital Dashboard
D. XBRL
21. The steps in business intelligence include:
A. Airplane speed
B. Critical business failures
C. Critical business processes
D. Critical business projects
23. The first person to propose that XML be used as a means to electronically deliver financial information
was:
A. Albert Gore
B. Charles Hoffman
C. Manuel Sanchez
D. Kevin Kobelsky
24. XBRL GL, or XBRL Global Ledger Taxonomy, is different from XBRL US GAAP because it facilitates:
A. Flexibility
B. Wide acceptance by the market
C. Scalability
D. Network Effects
26. XBRL assurance is generally expected to include:
30. A document containing XBRL elements is called a:
A. Data Mart
B. Data Mining
C. Data Warehouse
D. Business Intelligence
32. The tool that defines and describes each key data element (e.g., total assets, accounts payable, net income,
etc.) in XBRL is called _________
A. XBRL specification.
B. XBRL taxonomy.
C. XBRL style sheet.
D. XBRL instance document.
33. A computer-based information system that facilitates business decision-making activities is called a:
A. Data Warehouse
B. Digital Dashboard
C. Decision Support System
D. Data Mart
Essay Questions
34. Name three internal and three external databases that you think should be included in a data warehouse for
Ford, Chrysler or General Motors. Support your answer.
35. Name three internal and three external databases that you think should be included in a data warehouse for
Apple or Google. Support your answer.
36. Name five items that you think would be included in a digital dashboard for your university. Why are these
critical business processes for them?
37. Name five items that you think would be included in a digital dashboard for an organization that you are
familiar with (church, sorority, local not-for-profit, etc.) Why are these critical business processes for
them?
38. Why would general economic information (GDP, interest rates, etc.) be included in a data warehouse?
Would they be more helpful for some companies than for others?
39. How would Apple Computer use a data mart in its marketing area? How does that help designers of the
data warehouse know what to include?
40. Why would competitor information be included in a data warehouse? How would it be used?
41. Name five items that you think would be included in a digital dashboard for EBay. Why are these critical
business processes for them?
42. Why is assurance needed on XBRL data? Why will financial analysts need assurance that the XBRL data is
correct? Support your answer.
43. Why would the company want XBRL assurance if the IRS or SEC were going to be using its data?
44. There is a different XBRL taxonomy for each country, including XBRL Australia, XBRL Canada, XBRL
Germany, XBRL Japan, XBRL-Netherlands, XBRL-US, and XBRL-UK. What would happen if there were
only one XBRL taxonomy for all countries?
45. How would the XBRL style sheets be different for financial analysts as compared to the Internal Revenue
Service?
46. Why is XBRL needed in the financial community? In your opinion, why did the Securities and Exchange
Commission mandate its usage? What does it provide that was not available before XBRL?
47. How would XBRL GL be used for internal uses such as management accounting?
48. How would XBRL GL facilitate the SEC-required XBRL submission of a company's regulatory filings?
49. Data mining is often used to find patterns in stock prices to assist technical financial stock market analysts,
or in commodities or currency trading. What are the benefits and concerns with using data mining to find
patterns in stock prices? What would you need to feel comfortable enough to trade on these patterns?
50. Data warehouses often serve as the main repository of the firm's historical data, or in other words, its
corporate memory, and will often serve as an archive of past firm performance. Besides past financial
performance, what historical data would a firm like McDonald's be interested in archiving in its data
warehouse?
Chapter 09 Reporting Processes and eXtensible Business Reporting Language
(XBRL) Answer Key
1. Data warehouses work together with operational systems to provide necessary insight, particularly in
the case of customer relationship management (CRM) and supply chain management (SCM) systems.
TRUE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 09-01 Explain how data warehouses are created and used.
Source: Original
Topic: Data Warehouse
2. Data warehouses are often designed to facilitate decision making such as that used in managerial
accounting and to facilitate management by exception, such as variance reports, trend reports, variance
analysis reports, and reports that compare actual performance to budgeted information.
TRUE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 09-01 Explain how data warehouses are created and used.
Source: Original
Topic: Data Warehouse
3. If data mining finds a statistical correlation or relationship between two data items, then there
exists a plausible relationship between those two data items in the real world.
FALSE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 09-02 Describe the basic components of business intelligence and how they are utilized in a firm.
Source: Original
Topic: Business Intelligence
4. XBRL is based on the XML language.
TRUE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 09-04 Explain how XBRL works and how it makes business reporting more efficient.
Source: Original
Topic: XBRL
5. XBRL produces standardized reports and is not customizable.
FALSE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 09-04 Explain how XBRL works and how it makes business reporting more efficient.
Source: Original
Topic: XBRL
6. XBRL GL (also known as XBRL Global Ledger Taxonomy) serves as a means to facilitate efficient
communication within a firm.
TRUE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 09-04 Explain how XBRL works and how it makes business reporting more efficient.
Source: Original
Topic: XBRL
7. XBRL serves as a means to electronically communicate business information to facilitate business
reporting of financial and nonfinancial data to users. XBRL greatly enhances the speed and accuracy of
business reporting.
TRUE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 09-04 Explain how XBRL works and how it makes business reporting more efficient.
Source: Original
Topic: XBRL
8. XBRL instance documents describe each key data element (e.g., total assets, accounts payable, net
income, etc.).
FALSE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 09-04 Explain how XBRL works and how it makes business reporting more efficient.
Source: Original
Topic: XBRL
9. XBRL allows highly disaggregated data so not only is it possible to know the level of sales, but it is
possible to know sales revenue in much more detail.
TRUE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 09-04 Explain how XBRL works and how it makes business reporting more efficient.
Source: Original
Topic: XBRL
10. Data warehouses gather information from external databases, but not from internal databases.
FALSE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 09-01 Explain how data warehouses are created and used.
Source: Original
Topic: Data Warehouse
11. XBRL style sheets take the instance documents and add presentation elements to make XBRL filings
readable by humans.
TRUE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 09-04 Explain how XBRL works and how it makes business reporting more efficient.
Source: Original
Topic: XBRL
12. Bank loan officers and the IRS will likely have different XBRL style sheets for the various XBRL
filings.
TRUE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 09-04 Explain how XBRL works and how it makes business reporting more efficient.
Source: Original
Topic: XBRL
13. Since both are regulators, the SEC and the IRS will likely have similar XBRL style sheets for the
various XBRL filings.
FALSE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 09-04 Explain how XBRL works and how it makes business reporting more efficient.
Source: Original
Topic: XBRL
14. XBRL (eXtensible Business Reporting Language) is an open, global standard for exchanging financial
reporting information.
TRUE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 09-04 Explain how XBRL works and how it makes business reporting more efficient.
Source: Original
Topic: XBRL
15. Data Mining is a process of using sophisticated statistical techniques to extract and analyze data from
large databases to discern patterns and trends that were not previously known.
TRUE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 09-02 Describe the basic components of business intelligence and how they are utilized in a firm.
Source: Original
Topic: Business Intelligence
16. XBRL Instance Documents define and describe each key data element (e.g., total assets, accounts
payable, net income, etc.).
FALSE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 09-04 Explain how XBRL works and how it makes business reporting more efficient.
Source: Original
Topic: XBRL
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 09-02 Describe the basic components of business intelligence and how they are utilized in a firm.
Source: Original
Topic: Data Mining
18. A data warehouse may include a:
21. The steps in business intelligence include:
24. XBRL GL, or XBRL Global Ledger Taxonomy, is different from XBRL US GAAP because it
facilitates:
A. Flexibility
B. Wide acceptance by the market
C. Scalability
D. Network Effects
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 09-04 Explain how XBRL works and how it makes business reporting more efficient.
Source: Original
Topic: XBRL
26. XBRL assurance is generally expected to include:
27. XBRL stands for
30. A document containing XBRL elements is called a:
33. A computer-based information system that facilitates business decision-making activities is called a:
Essay Questions
34. Name three internal and three external databases that you think should be included in a data warehouse
for Ford, Chrysler or General Motors. Support your answer.
Answers will vary depending on the student's knowledge of a car company, but could include supplier
info, financial statements and other financial reporting, general economic info, past car-buying
behavior, buyer demographics, etc.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Analyze
Difficulty: 3 Hard
Learning Objective: 09-01 Explain how data warehouses are created and used.
Source: Original
Topic: Data Warehouse
35. Name three internal and three external databases that you think should be included in a data warehouse
for Apple or Google. Support your answer.
Answers will vary depending on the student's knowledge of Apple and Google, but could include supplier
info, financial statements and other financial reporting, general economic info, past smartphone-buying
behavior, buyer demographics, advertising models, etc.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Analyze
Difficulty: 3 Hard
Learning Objective: 09-01 Explain how data warehouses are created and used.
Source: Original
Topic: Data Warehouse
36. Name five items that you think would be included in a digital dashboard for your university. Why are
these critical business processes for them?
Answers will vary depending on the student's knowledge of the university. Universities always seem
interested in total student credit hours, retention rate, recruiting information, high school GPA of incoming
students, etc.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Analyze
Difficulty: 3 Hard
Learning Objective: 09-03 Describe how digital dashboards allow for continuous tracking of key metrics.
Source: Original
Topic: Digital Dashboards
37. Name five items that you think would be included in a digital dashboard for an organization that you are
familiar with (church, sorority, local not-for-profit, etc.) Why are these critical business processes for
them?
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Analyze
Difficulty: 3 Hard
Learning Objective: 09-03 Describe how digital dashboards allow for continuous tracking of key metrics.
Source: Original
Topic: Digital Dashboards
38. Why would general economic information (GDP, interest rates, etc.) be included in a data warehouse?
Would they be more helpful for some companies than for others?
Answers will vary! All companies and their business models are affected by general economic
performance. Some businesses do better in a poor economy, but the majority perform worse.
Some are tightly correlated with the economy and others are not; therefore, some companies will have
more interest in general economic information in their data warehouse than others.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Analyze
Learning Objective: 09-03 Describe how digital dashboards allow for continuous tracking of key metrics.
Source: Original
Topic: Digital Dashboards
39. How would Apple Computer use a data mart in its marketing area? How does that help designers of the
data warehouse know what to include?
Answers will vary! Designers of the data warehouse need to carefully query users of Apple's data mart
to see what information is needed and what information might potentially be useful to know what to
include.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Analyze
Difficulty: 3 Hard
Learning Objective: 09-01 Explain how data warehouses are created and used.
Source: Original
Topic: Data Warehouse
40. Why would competitor information be included in a data warehouse? How would it be used?
Answers will vary! Generally, companies cannot get too much information about their
competitors. Any prior trends or information that might help predict competitor (and/or industry)
performance might be useful.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Analyze
Difficulty: 3 Hard
Learning Objective: 09-01 Explain how data warehouses are created and used.
Source: Original
Topic: Data Warehouse
41. Name five items that you think would be included in a digital dashboard for EBay. Why are these
critical business processes for them?
Answers will vary! EBay might want to know information such as its daily sales, the daily average
dollar amount of each sale, some measure of its product mix, the number of new listings, referrals from
its web site to other websites, etc. These all seem like critical data for its objective of selling products and
earning margins.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Analyze
Difficulty: 3 Hard
Learning Objective: 09-03 Describe how digital dashboards allow for continuous tracking of key metrics.
Source: Original
Topic: Digital Dashboards
42. Why is assurance needed on XBRL data? Why will financial analysts need assurance that the XBRL
data is correct? Support your answer.
Answers will vary! A potential solution might note that, since XBRL can be quickly edited, changed
and manipulated, it would be valuable to have some assurance as to what standards were followed and that
the numbers that come out of the XBRL have assurance associated with them.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Analyze
Difficulty: 3 Hard
Learning Objective: 09-03 Describe how digital dashboards allow for continuous tracking of key metrics.
Source: Original
Topic: Digital Dashboards
43. Why would the company want XBRL assurance if the IRS or SEC were going to be using its data?
Answers will vary! A potential solution might explain that ensuring its information reaches banks,
shareholders, potential investors and financial analysts in a way that provides assurance would be very
useful to the company even if the IRS and SEC are also using that data.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Analyze
Difficulty: 3 Hard
Learning Objective: 09-03 Describe how digital dashboards allow for continuous tracking of key metrics.
Source: Original
Topic: Digital Dashboards
44. There is a different XBRL taxonomy for each country, including XBRL Australia, XBRL Canada,
XBRL Germany, XBRL Japan, XBRL-Netherlands, XBRL-US, and XBRL-UK. What would happen if
there were only one XBRL taxonomy for all countries?
Answers will vary! A potential solution might include a discussion of the differences in accounting
standards between countries and even that tagging/wording for a very similar account might be quite
different due to culture and language.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Analyze
Difficulty: 3 Hard
Learning Objective: 09-04 Explain how XBRL works and how it makes business reporting more efficient.
Source: Original
Topic: XBRL
45. How would the XBRL style sheets be different for financial analysts as compared to the Internal
Revenue Service?
Answers will vary! A potential solution might include a discussion of the different roles of the IRS and financial
analysts. The IRS is primarily interested in whether firms are paying sufficient taxes. Financial analysts
are interested in earnings prediction and stock market valuation, which often requires very different
information; hence, a very different style sheet.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Analyze
Difficulty: 3 Hard
Learning Objective: 09-04 Explain how XBRL works and how it makes business reporting more efficient.
Source: Original
Topic: XBRL
46. Why is XBRL needed in the financial community? In your opinion, why did the Securities and
Exchange Commission mandate its usage? What does it provide that was not available before XBRL?
Answers will vary! A potential solution might include a discussion of the SEC and its role in
establishing a level playing field for all investors. It might also include a discussion of the efficiencies
gained by the SEC.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Analyze
Difficulty: 3 Hard
Learning Objective: 09-04 Explain how XBRL works and how it makes business reporting more efficient.
Source: Original
Topic: XBRL
47. How would XBRL GL be used for internal uses such as management accounting?
Answers will vary! A potential answer might include a discussion of how XBRL GL might be used to
quickly and efficiently share financial and managerial information throughout the organization.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Analyze
Difficulty: 3 Hard
Learning Objective: 09-03 Describe how digital dashboards allow for continuous tracking of key metrics.
Source: Original
Topic: Digital Dashboards
48. How would XBRL GL facilitate the SEC-required XBRL submission of a company's regulatory
filings?
Answers will vary! A potential answer might include a discussion of how XBRL GL might be used to
quickly and efficiently transmit information required by the SEC.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Analyze
Difficulty: 3 Hard
Learning Objective: 09-03 Describe how digital dashboards allow for continuous tracking of key metrics.
Source: Original
Topic: Digital Dashboards
49. Data mining is often used to find patterns in stock prices to assist technical financial stock market
analysts, or in commodities or currency trading. What are the benefits and concerns with using data
mining to find patterns in stock prices? What would you need to feel comfortable enough to trade on
these patterns?
Answers will vary! A potential answer might include a discussion of the power of data mining in
finding patterns. However, to the extent that these patterns of past performance do not correlate with
future performance, an investor may not feel comfortable trading based on those patterns.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Analyze
Difficulty: 3 Hard
Learning Objective: 09-03 Describe how digital dashboards allow for continuous tracking of key metrics.
Source: Original
Topic: Digital Dashboards
50. Data warehouses often serve as the main repository of the firm's historical data, or in other words, its
corporate memory, and will often serve as an archive of past firm performance. Besides past financial
performance, what historical data would a firm like McDonald's be interested in archiving in its data
warehouse?
Answers will vary! A potential answer might include a discussion of how data warehouses might detail
past special promotions, special products, details on store locations that worked well, customer
demographics, customer taste information, employee incentive programs, customer
satisfaction, etc.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Analyze
Difficulty: 3 Hard
Learning Objective: 09-03 Describe how digital dashboards allow for continuous tracking of key metrics.
Source: Original
Topic: Digital Dashboards
Chapter 10
1. The Sarbanes-Oxley Act of 2002 (SOX) requires the management of all companies and their auditors
to assess and report on the design and effectiveness of internal control over financial reporting annually.
True False
2. According to the Sarbanes-Oxley Act of 2002, it is the responsibility of the Board of Directors to establish
and maintain the effectiveness of internal control.
True False
3. In a computerized environment, internal controls can be categorized as general controls and application
controls.
True False
4. Internal controls guarantee the accuracy and reliability of accounting records.
True False
5. Segregation of duties reduces the risk of errors and irregularities in accounting records.
True False
6. The chief executive officer is ultimately responsible for enterprise risk management.
True False
7. The risk of a company's internal auditing processes failing to catch the misstated dollar amount of revenue
on the company's income statement is classified as inherent risk.
True False
8. Processing controls are IT general controls.
True False
9. COBIT (Control Objectives for Information and related Technology) is a generally accepted framework for
IT governance in the U.S.
True False
10. The main objective of the ISO 27000 series is to provide a model for establishing, implementing, operating,
monitoring, maintaining, and improving information security.
True False
11. Given the requirement of the Sarbanes-Oxley Act of 2002 (SOX), the Public Company Accounting
Oversight Board (PCAOB) established the Securities and Exchange Commission (SEC) to provide
independent oversight of public accounting firms.
True False
12. Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 5 (AS 5) encourages
auditors to start from the basic/bottom of financial records to identify the key controls.
True False
13. Corporate governance is a set of processes and policies in managing an organization with sound ethics to
safeguard the interests of its stakeholders.
True False
14. Internal control is a process consisting of ongoing tasks and activities. It is a means to an end, not an end in
itself.
True False
15. A firm must establish control policies, procedures, and practices that ensure the firm's business objectives
are achieved and its risk mitigation strategies are carried out.
True False
16. According to COSO, which of the following components of the enterprise risk management addresses an
entity's integrity and ethical values?
A. Operations.
B. Reporting.
C. Monitoring.
D. Compliance.
18. In a large public corporation, evaluating internal control procedures should be the responsibility of:
A. Disclosing lack of segregation of duties to external auditors during the annual review.
B. Replacing personnel every three or four years.
C. Requiring accountants to pass a yearly background check.
D. Allowing for greater management oversight of incompatible activities.
21. Review of the audit log is an example of which of the following types of security control?
A. Governance.
B. Detective.
C. Preventive.
D. Corrective.
22. Which of the following is not a component of internal control as defined by COSO?
A. Control environment.
B. Control activities.
C. Inherent risk
D. Monitoring.
23. Which of the following is considered an application input control?
24. Which of the following control activities should be taken to reduce the risk of incorrect processing in a
newly installed computerized accounting system?
A. Segregation of duties.
B. Ensure proper authorization of transactions.
C. Adequately safeguard assets.
D. Independently verify the transactions.
25. Which of the following statements is correct regarding internal control?
A. A well-designed internal control environment ensures the achievement of an entity's control objectives.
B. An inherent limitation to internal control is the fact that controls can be circumvented by management
override.
C. A well-designed and operated internal control environment should detect collusion perpetrated by two
people.
D. Internal control is a necessary business function and should be designed and operated to detect errors
and fraud.
26. Obtaining an understanding of an internal control involves evaluating the design of the control and
determining whether the control has been:
A. Authorized.
B. Implemented.
C. Tested.
D. Monitored.
27. A manufacturing firm identified that it would have difficulty sourcing raw materials locally, so it decided to
relocate its production facilities. According to COSO, this decision represents which of the following
responses to the risk?
A. Risk reduction.
B. Prospect theory.
C. Risk sharing.
D. Risk acceptance.
28. Each of the following types of controls is considered to be an entity-level control, except those:
29. Controls in the information technology area are classified into preventive, detective, and corrective
categories. Which of the following is a preventive control?
A. Contingency planning.
B. Hash total.
C. Echo check.
D. Access control software.
30. All of the following are examples of internal control procedures except
A. Accounting practice.
B. Attestation.
C. Auditing.
D. Quality control over attestation and/or assurance.
32. Which of the following most likely would not be considered as an inherent limitation of the effectiveness of
a firm's internal control?
A. Incompatible duties.
B. Management override.
C. Mistakes in judgment.
D. Collusion among employees.
33. According to COSO, which of the following is not a component of internal control?
A. Control risk.
B. Control activities.
C. Monitoring.
D. Control environment.
34. When considering internal control, an auditor should be aware of reasonable assurance, which recognizes
that
A. Internal control may be ineffective due to mistakes in judgment and personal carelessness.
B. Adequate safeguards over access to assets and records should permit an entity to maintain proper
accountability.
C. Establishing and maintaining internal control is an important responsibility of management.
D. The cost of an entity's internal control should not exceed the benefits expected to be derived.
35. Proper segregation of duties calls for separation of the following functions:
A. Computer-based controls.
B. System of segregation of duties.
C. Control environment.
D. Safeguards over access to assets.
38. Management philosophy and operating style would have a relatively less significant influence on a firm's
control environment when
A. Specific controls.
B. Types of potential fraud.
C. Financial statement assertions.
D. Control environment factors.
40. An auditor assesses control risk because it
41. The framework that could be used by management in its internal control assessment under the requirements
of SOX is the:
A. All companies.
B. SEC registrants.
C. All issuer (public) companies and nonissuer (nonpublic) companies with more than $100,000,000 of net
worth.
D. All nonissuer companies.
43. Reconciliation of cash accounts may be referred to as what type of control?
A. Detective.
B. Preventive.
C. Adjustive.
D. Non-routine.
44. Sound internal control dictates that immediately upon receiving checks from customers by mail, a
responsible employee should
A. Hash total.
B. Parity check.
C. Encryption.
D. Check digit.
47. A customer intended to order 100 units of product A, but incorrectly ordered nonexistent product B.
Which of the following controls most likely would detect this error?
A. Validity check
B. Record count
C. Hash total
D. Parity check
48. Which of the following is an example of a validity check?
A. The computer ensures that a numerical amount in a record does not exceed some predetermined amount.
B. As the computer corrects errors and data are successfully resubmitted to the system, the causes of the
errors are printed out.
C. The computer flags any transmission for which the control field value did not match that of an existing
file record.
D. After data for a transaction are entered, the computer sends certain data back to the terminal for
comparison with data originally sent.
49. Which of the following is a computer test made to ascertain whether a given characteristic belongs to the
group?
A. Check digit.
B. Validity check.
C. Echo check.
D. Limit check.
Essay Questions
50. Put the listed steps in the corresponding parentheses in the risk assessment and response approach diagram
below.
51. What is the impact of the Sarbanes-Oxley Act of 2002 (SOX) on public companies and public accounting
firms?
52. Describe the three categories of objectives and five essential components of the COSO 2.0 framework.
53. What are the three main functions of COSO ERM?
54. What are the definitions of "governance" and "management" in the COBIT 5.0 framework?
55. Discuss the ethical values created in Starbucks. How do they help to form the firm's control environment?
56. The information system of Company ABC is deemed to be 90% reliable. A major threat has been identified
with an exposure of $5,000,000. Two control procedures exist to deal with the threat. Implementation of
control A would cost $140,000 and reduce the risk to 4%. Implementation of control B would cost
$100,000 and reduce the risk to 6%. Implementation of both controls would cost $220,000 and reduce the
risk to 2%. Given the data and based solely on an economic analysis of costs and benefits, which control
procedure should you choose?
57. Which internal control(s) would you recommend to prevent the following situations from occurring?
a. While entering the details about a large credit sale, a clerk mistakenly typed in a nonexistent account
number. Consequently, the company never received the payment from this customer.
b. A customer filled in a wrong account number on the remittance advice. Consequently, a clerk entered the
same number into the system, and the payment was credited to another customer's account.
c. After processing a large sales transaction, the inventory records showed negative quantities on hand for
several items.
Chapter 10 Accounting Information Systems and Internal Controls Answer Key
1. The Sarbanes-Oxley Act of 2002 (SOX) requires the management of all companies and their
auditors to assess and report on the design and effectiveness of internal control over financial reporting
annually.
FALSE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Reporting
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-01 Explain essential control concepts and why a code of ethics and internal controls are important.
Source: Original
Topic: Ethics, Sarbanes-Oxley Act 2002 and Corporate Governance
2. According to the Sarbanes-Oxley Act of 2002, it is the responsibility of the Board of Directors to
establish and maintain the effectiveness of internal control.
FALSE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-01 Explain essential control concepts and why a code of ethics and internal controls are important.
Source: Original
Topic: Ethics, Sarbanes-Oxley Act 2002 and Corporate Governance
3. In a computerized environment, internal controls can be categorized as general controls and application
controls.
TRUE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-01 Explain essential control concepts and why a code of ethics and internal controls are important.
Source: Original
Topic: Control and Governance Frameworks
4. Internal controls guarantee the accuracy and reliability of accounting records.
FALSE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-01 Explain essential control concepts and why a code of ethics and internal controls are important.
Source: Original
Topic: Ethics, Sarbanes-Oxley Act 2002 and Corporate Governance
5. Segregation of duties reduces the risk of errors and irregularities in accounting records.
TRUE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
6. The chief executive officer is ultimately responsible for enterprise risk management.
TRUE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
7. The risk of a company's internal auditing processes failing to catch the misstated dollar amount of
revenue on the company's income statement is classified as inherent risk.
FALSE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Risk Analysis
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
8. Processing controls are IT general controls.
FALSE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
9. COBIT (Control Objectives for Information and related Technology) is a generally accepted framework
for IT governance in the U.S.
TRUE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Risk Analysis
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-03 Describe the overall COBIT framework and its implications for IT governance.
Source: Original
Topic: Control and Governance Frameworks
10. The main objective of the ISO 27000 series is to provide a model for establishing, implementing,
operating, monitoring, maintaining, and improving information security.
TRUE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Risk Analysis
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-04 Describe other governance frameworks related to information systems management and security.
Source: Original
Topic: Control and Governance Frameworks
11. Given the requirement of the Sarbanes-Oxley Act of 2002 (SOX), the Public Company Accounting
Oversight Board (PCAOB) established the Securities and Exchange Commission (SEC) to provide
independent oversight of public accounting firms.
FALSE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-01 Explain essential control concepts and why a code of ethics and internal controls are important.
Source: Original
Topic: Ethics, Sarbanes-Oxley Act 2002 and Corporate Governance
12. Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 5 (AS 5) encourages
auditors to start from the basic/bottom of financial records to identify the key controls.
FALSE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-01 Explain essential control concepts and why a code of ethics and internal controls are important.
Source: Original
Topic: Ethics, Sarbanes-Oxley Act 2002 and Corporate Governance
13. Corporate governance is a set of processes and policies in managing an organization with sound ethics
to safeguard the interests of its stakeholders.
TRUE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-01 Explain essential control concepts and why a code of ethics and internal controls are important.
Source: Original
Topic: Ethics, Sarbanes-Oxley Act 2002 and Corporate Governance
14. Internal control is a process consisting of ongoing tasks and activities. It is a means to an end, not an
end in itself.
TRUE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-01 Explain essential control concepts and why a code of ethics and internal controls are important.
Source: Original
Topic: Ethics, Sarbanes-Oxley Act 2002 and Corporate Governance
15. A firm must establish control policies, procedures, and practices that ensure the firm's business
objectives are achieved and its risk mitigation strategies are carried out.
TRUE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Leveraging Technology
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
16. According to COSO, which of the following components of enterprise risk management addresses
an entity's integrity and ethical values?
17. Which of the following items is one of the eight components of COSO's enterprise risk management
framework?
A. Operations.
B. Reporting.
C. Monitoring.
D. Compliance.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: CPA 2012 examination, adapted
Topic: Control and Governance Frameworks
18. In a large public corporation, evaluating internal control procedures should be the responsibility of:
20. Which of the following is the best way to compensate for the lack of adequate segregation of duties in a
small organization?
A. Disclosing lack of segregation of duties to external auditors during the annual review.
B. Replacing personnel every three or four years.
C. Requiring accountants to pass a yearly background check.
D. Allowing for greater management oversight of incompatible activities.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: CPA 2012 examination, adapted
Topic: Control and Governance Frameworks
21. Review of the audit log is an example of which of the following types of security control?
A. Governance.
B. Detective.
C. Preventive.
D. Corrective.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: CPA 2012 examination, adapted
Topic: Control and Governance Frameworks
22. Which of the following is not a component of internal control as defined by COSO?
23. Which of the following is considered an application input control?
A. A well-designed internal control environment ensures the achievement of an entity's control
objectives.
B. An inherent limitation to internal control is the fact that controls can be circumvented by
management override.
C. A well-designed and operated internal control environment should detect collusion perpetrated by
two people.
D. Internal control is a necessary business function and should be designed and operated to detect
errors and fraud.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: CPA 2011 examination, adapted
Topic: Control and Governance Frameworks
26. Obtaining an understanding of an internal control involves evaluating the design of the control and
determining whether the control has been:
A. Authorized.
B. Implemented.
C. Tested.
D. Monitored.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: CPA 2012 examination, adapted
Topic: Control and Governance Frameworks
27. A manufacturing firm identified that it would have difficulty sourcing raw materials locally, so it
decided to relocate its production facilities. According to COSO, this decision represents which of the
following responses to the risk?
29. Controls in the information technology area are classified into preventive, detective, and corrective
categories. Which of the following is a preventive control?
32. Which of the following most likely would not be considered as an inherent limitation of the
effectiveness of a firm's internal control?
A. Internal control may be ineffective due to mistakes in judgment and personal carelessness.
B. Adequate safeguards over access to assets and records should permit an entity to maintain proper
accountability.
C. Establishing and maintaining internal control is an important responsibility of management.
D. The cost of an entity's internal control should not exceed the benefits expected to be derived.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Risk Analysis
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
35. Proper segregation of duties calls for separation of the following functions:
38. Management philosophy and operating style would have a relatively less significant influence on a
firm's control environment when
41. The framework that could be used by management in its internal control assessment under the
requirements of SOX is the:
A. Detective.
B. Preventive.
C. Adjustive.
D. Non-routine.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
44. Sound internal control dictates that immediately upon receiving checks from customers by mail, a
responsible employee should
47. A customer intended to order 100 units of product A, but incorrectly ordered nonexistent product B.
Which of the following controls most likely would detect this error?
A. The computer ensures that a numerical amount in a record does not exceed some predetermined
amount.
B. As the computer corrects errors and data are successfully resubmitted to the system, the causes of
the errors are printed out.
C. The computer flags any transmission for which the control field value did not match that of an
existing file record.
D. After data for a transaction are entered, the computer sends certain data back to the terminal for
comparison with data originally sent.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
49. Which of the following is a computer test made to ascertain whether a given characteristic belongs to
the group?
Essay Questions
50. Put the listed steps in the corresponding parentheses in the risk assessment and response approach
diagram below.
G D H E F C A (No) B (yes)
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
51. What is the impact of the Sarbanes-Oxley Act of 2002 (SOX) on public companies and public
accounting firms?
SOX requires public companies registered with the SEC and their auditors to annually assess and report
on the design and effectiveness of internal control over financial reporting.
SOX also established the Public Company Accounting Oversight Board (PCAOB) to provide
independent oversight of public accounting firms. The PCAOB issues auditing standards and oversees
quality controls of public accounting firms.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Apply
Difficulty: 3 Hard
Learning Objective: 10-01 Explain essential control concepts and why a code of ethics and internal controls are important.
Source: Original
Topic: Ethics, Sarbanes-Oxley Act 2002 and Corporate Governance
52. Describe the three categories of objectives and five essential components of the COSO 2.0 framework.
Objectives:
1) Control Environment — includes the management's philosophy and operating style, integrity and
ethical values of employees, organizational structure, the role of the audit committee, proper board
oversight for the development and performance of internal control, and personnel policies and practices.
2) Risk Assessment — Risk assessment involves a dynamic process for identifying and analyzing a
firm's risks from external and internal environments.
3) Control Activities — A firm must establish control policies, procedures, and practices that ensure the
firm's objectives are achieved and risk mitigation strategies are carried out.
4) Information and Communication — Relevant information should be identified, captured, and
communicated in a form and timeframe that enables employees to carry out their duties.
5) Monitoring Activities — The design and effectiveness of internal controls should be monitored by
management and other parties outside the process on an ongoing basis.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
53. What are the three main functions of COSO ERM?
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
54. What are the definitions of "governance" and "management" in the COBIT 5.0 framework?
COBIT 5.0 defines "governance" as ensuring that firm objectives are achieved by evaluating
stakeholder needs; setting direction through decision making; and monitoring performance, compliance
and progress. In most firms, the board of directors is responsible for governance. Per COBIT 5,
"management" includes planning, building, running and monitoring activities in alignment with the
direction in achieving the firm objectives.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Reporting
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 10-03 Describe the overall COBIT framework and its implications for IT governance.
Source: Original
Topic: Control and Governance Frameworks
55. Discuss the ethical values created in Starbucks. How do they help to form the firm's control
environment?
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
56. The information system of Company ABC is deemed to be 90% reliable. A major threat has been
identified with an exposure of $5,000,000. Two control procedures exist to deal with the threat.
Implementation of control A would cost $140,000 and reduce the risk to 4%. Implementation of
control B would cost $100,000 and reduce the risk to 6%. Implementation of both controls would cost
$220,000 and reduce the risk to 2%. Given the data and based solely on an economic analysis of costs
and benefits, which control procedure should you choose?
Estimate value of control A: 5,000,000*(10% - 4%) = $300,000 (problem states that Control A reduces
the risk TO 4%)
Estimate value of control B: 5,000,000*(10% - 6%) = $200,000 (problem states that Control B reduces
the risk TO 6%)
Estimate value of control A&B: 5,000,000*(10% - 2%) = $400,000
Benefits exceed cost of A: 300,000 - 140,000 = 160,000
Benefits exceed cost of B: 200,000 - 100,000 = 100,000
Benefits exceed cost of A&B: 400,000 - 220,000 = 180,000
Choose Control C.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Apply
Difficulty: 3 Hard
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
57. Which internal control(s) would you recommend to prevent the following situations from occurring?
a. While entering the details about a large credit sale, a clerk mistakenly typed in a nonexistent account
number. Consequently, the company never received the payment from this customer.
b. A customer filled in a wrong account number on the remittance advice. Consequently, a clerk entered
the same number into the system, and the payment was credited to another customer's account.
c. After processing a large sales transaction, the inventory records showed negative quantities on hand
for several items.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Apply
Difficulty: 3 Hard
Learning Objective: 10-02 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk
management framework.
Source: Original
Topic: Control and Governance Frameworks
Chapter 11
1. The fraud triangle includes incentive, opportunity, and an attitude to rationalize the fraud.
True False
2. The goal of information security management is to maintain confidentiality, integrity and availability of a
firm's information.
True False
3. Encryption is a preventive control ensuring data confidentiality and privacy during transmission and for
storage.
True False
4. Asymmetric-key encryption is suitable for encrypting large data sets or messages.
True False
5. Key distribution and key management are problematic under the symmetric-key encryption.
True False
6. Symmetric-key encryption method is used to authenticate users.
True False
7. Certificate Authority (CA) issues digital certificates to bond the subscriber with a public key and a private
key.
True False
8. A company's audit committee is responsible for fraud risk assessments.
True False
9. One type of fault tolerance is using redundant units to provide a system the ability to continue functioning
when part of the system fails.
True False
10. Disaster recovery planning and business continuity management are preventive controls.
True False
11. Information security is a critical factor in maintaining systems integrity.
True False
12. The goal of information security management is to enhance the confidence, integrity and authority (CIA) of
a firm's management.
True False
13. A virus is a self-replicating, self-propagating, self-contained program that uses networking mechanisms to
spread itself.
True False
14. Spam is a self-replicating program that runs and spreads by modifying other programs or files.
True False
15. Encryption and hashing are similar processes to maintain data confidentiality.
True False
A. Accurate
B. Complete
C. Accessible
D. A and B are correct.
17. Which of the following statements is incorrect about digital signature?
18. What is the primary objective of data security controls?
A. To establish a framework for controlling the design, security, and use of computer programs throughout
an organization.
B. To ensure that data storage media are subject to authorization prior to access, change, or destruction.
C. To formalize standards, rules, and procedures to ensure the organization's controls are properly executed.
D. To monitor the use of system software to prevent unauthorized access to system software and computer
programs.
19. An entity doing business on the internet most likely could use any of the following methods to prevent
unauthorized intruders from accessing proprietary information except:
A. Password management.
B. Data encryption.
C. Digital certificates.
D. Batch processing.
20. When a client's accounts payable computer system was relocated, the administrator provided support through
a dial-up connection to the server. Subsequently, the administrator left the company. No changes were made to
the accounts payable system at that time. Which of the following situations represents the greatest security
risk?
23. In a large multinational organization, which of the following job responsibilities should be assigned to the
network administrator?
A. Daily backup.
B. Network security.
C. Business continuity.
D. Backup power.
26. Which of the following statements regarding authentication in conducting e-business is incorrect?
A. It is a process that establishes the origin of information or determines the identity of a user, process, or
device.
B. One key is used for encryption and decryption purposes in the authentication process.
C. Successful authentication can prevent repudiation in electronic transactions.
D. We need to use asymmetric-key encryption to authenticate the sender of a document or data set.
27. Which of the following is not included in the remediation phase for vulnerability management?
28. Which of the following does not represent a viable data backup method?
A. When using asymmetric-key encryption method, a total of two keys are necessary in electronic
communication between two parties.
B. Employees in the same company share the same public key.
C. Most companies would like to manage the private keys for their employees.
D. Most companies would like to use a Certificate Authority to manage the public keys of their employees.
E. Two of the above are correct.
30. Which of the following statements is incorrect?
A. A fraud prevention program starts with a fraud risk assessment across the entire firm.
B. The audit committee typically has an oversight role in risk assessment process.
C. Communicating a firm's policy file to employees is one of the most important responsibilities of
management.
D. A fraud prevention program should include an evaluation on the efficiency of business processes.
31. A disaster recovery approach should include which of the following elements:
A. Encryption.
B. Firewalls.
C. Regular backups.
D. Surge protectors.
32. Which of the following passwords would be most difficult to crack?
A. Go2Ca!ifornia4fun
B. language
C. jennyjenny
D. pass56word
33. Which of the following is a password security weakness?
A. Users are assigned passwords when accounts are created, but do not change them.
B. Users have accounts on several systems with different passwords.
C. Users write down their passwords on a note paper, and carry it with them.
D. Users select passwords that are not part of online password dictionary.
34. To prevent invalid data input, a bank added an extra number at the end of each account number and
subjected the new number to an algorithm. This technique is known as:
A. Parity check.
B. Password as a personal identification code.
C. Check digit.
D. Echo check.
38. Which of the following controls would most likely assure that a company can reconstruct its financial
records?
A. It is cheap.
B. It is always the same so it can be verified easily.
C. It is more convenient than requiring a real signature.
D. It can authenticate the document sender and maintain data integrity.
40. Select the correct statement regarding encryption methods.
A. To use symmetric-key encryption, each user needs two different keys.
B. Most companies prefer using symmetric-key encryption over the asymmetric-key encryption method.
C. Both symmetric-key and asymmetric-key encryption methods require the involvement of a certificate
authority.
D. When conducting e-business, most companies use both symmetric-key and asymmetric-key encryption
methods.
Essay Questions
41. A magnetic tape used to store data backups was lost while it was being transported to an offsite storage
location. The data on the tape includes customers' credit card and personal information. Which preventive
control(s) should have been used to minimize the potential loss?
42. List the following steps regarding computer fraud risk assessments in sequence.
(a) Assessing the likelihood and business impact of a control failure and/or a fraud incident.
(b) Mapping existing controls to potential fraud schemes and identifying gaps.
(c) Identifying potential IT fraud schemes and prioritizing them based on likelihood and impact.
(d) Identifying relevant IT fraud risk factors.
(e) Testing operating effectiveness of fraud prevention and detection controls.
43. Describe the process of using asymmetric-key encryption to authenticate the trading partner involved in e-business.
44. What are the two prerequisites for vulnerability management?
45. Describe the framework for vulnerability assessment and vulnerability management.
46. What are included in disaster recovery planning and business continuity management? Are these concepts
related?
47. What is a digital signature? How could a digital signature ensure data integrity when conducting e-business?
Chapter 11 Information Security and Computer Fraud Answer Key
1. The fraud triangle includes incentive, opportunity, and an attitude to rationalize the fraud.
TRUE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
Source: Original
Topic: Computer fraud and abuse
2. The goal of information security management is to maintain confidentiality, integrity and availability of
a firm's information.
TRUE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-01 Describe the risks related to information security and systems integrity.
Source: Original
Topic: Information security and systems integrity
3. Encryption is a preventive control ensuring data confidentiality and privacy during transmission and for
storage.
TRUE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: Original
Topic: Information security and systems integrity
4. Asymmetric-key encryption is suitable for encrypting large data sets or messages.
FALSE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: Original
Topic: Information security and systems integrity
5. Key distribution and key management are problematic under the symmetric-key encryption.
TRUE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: Original
Topic: Information security and systems integrity
6. Symmetric-key encryption method is used to authenticate users.
FALSE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: Original
Topic: Information security and systems integrity
7. Certificate Authority (CA) issues digital certificates to bond the subscriber with a public key and a
private key.
TRUE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: Original
Topic: Information security and systems integrity
8. A company's audit committee is responsible for fraud risk assessments.
FALSE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
Source: Original
Topic: Computer fraud and abuse
9. One type of fault tolerance is using redundant units to provide a system the ability to continue
functioning when part of the system fails.
TRUE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-05 Explain issues in system availability; disaster recovery; and business continuity.
Source: Original
Topic: System availability, disaster recovery and business continuity
10. Disaster recovery planning and business continuity management are preventive controls.
FALSE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-05 Explain issues in system availability; disaster recovery; and business continuity.
Source: Original
Topic: System availability, disaster recovery and business continuity
11. Information security is a critical factor in maintaining systems integrity.
TRUE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-01 Describe the risks related to information security and systems integrity.
Source: Original
Topic: Information security and systems integrity
12. The goal of information security management is to enhance the confidence, integrity and authority
(CIA) of a firm's management.
TRUE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-01 Describe the risks related to information security and systems integrity.
Source: Original
Topic: Information security and systems integrity
13. A virus is a self-replicating, self-propagating, self-contained program that uses networking mechanisms to
spread itself.
FALSE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-01 Describe the risks related to information security and systems integrity.
Source: Original
Topic: Information security and systems integrity
14. Spam is a self-replicating program that runs and spreads by modifying other programs or files.
FALSE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-01 Describe the risks related to information security and systems integrity.
Source: Original
Topic: Information security and systems integrity
15. Encryption and hashing are similar processes to maintain data confidentiality.
FALSE
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: Original
Topic: Information security and systems integrity
A. Accurate
B. Complete
C. Accessible
D. A and B are correct.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: Original
Topic: Information security and systems integrity
17. Which of the following statements is incorrect about digital signature?
18. What is the primary objective of data security controls?
A. To establish a framework for controlling the design, security, and use of computer programs
throughout an organization.
B. To ensure that data storage media are subject to authorization prior to access, change, or destruction.
C. To formalize standards, rules, and procedures to ensure the organization's controls are properly
executed.
D. To monitor the use of system software to prevent unauthorized access to system software and
computer programs.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-04 Define vulnerabilities; and explain how to manage and assess vulnerabilities.
Source: CPA 2011 Examination, adapted
Topic: Vulnerability management and assessments
19. An entity doing business on the internet most likely could use any of the following methods to prevent
unauthorized intruders from accessing proprietary information except:
21. Which of the following statements presents an example of a general control for a computerized system?
24. An information technology director collected the names and locations of key vendors, current hardware
configuration, names of team members, and an alternative processing location. What is the director most
likely preparing?
A. It is a process that establishes the origin of information or determines the identity of a user, process,
or device.
B. One key is used for encryption and decryption purposes in the authentication process.
C. Successful authentication can prevent repudiation in electronic transactions.
D. We need to use asymmetric-key encryption to authenticate the sender of a document or data set.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-01 Describe the risks related to information security and systems integrity.
Source: Original
Topic: Information security and systems integrity
27. Which of the following is not included in the remediation phase for vulnerability management?
A. When using asymmetric-key encryption method, a total of two keys are necessary in electronic
communication between two parties.
B. Employees in the same company share the same public key.
C. Most companies would like to manage the private keys for their employees.
D. Most companies would like to use a Certificate Authority to manage the public keys of their
employees.
E. Two of the above are correct.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Apply
Difficulty: 3 Hard
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: Original
Topic: Information security and systems integrity
30. Which of the following statements is incorrect?
A. A fraud prevention program starts with a fraud risk assessment across the entire firm.
B. The audit committee typically has an oversight role in risk assessment process.
C. Communicating a firm's policy file to employees is one of the most important responsibilities of
management.
D. A fraud prevention program should include an evaluation on the efficiency of business processes.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
Source: Original
Topic: Computer fraud and abuse
31. A disaster recovery approach should include which of the following elements:
A. Encryption.
B. Firewalls.
C. Regular backups.
D. Surge protectors.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-05 Explain issues in system availability; disaster recovery; and business continuity.
Source: Original
Topic: System availability, disaster recovery and business continuity
32. Which of the following passwords would be most difficult to crack?
A. Go2Ca!ifornia4fun
B. language
C. jennyjenny
D. pass56word
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Apply
Difficulty: 3 Hard
Learning Objective: 11-01 Describe the risks related to information security and systems integrity.
Source: Original
Topic: Information security and systems integrity
33. Which of the following is a password security weakness?
A. Users are assigned passwords when accounts are created, but do not change them.
B. Users have accounts on several systems with different passwords.
C. Users write down their passwords on a note paper, and carry it with them.
D. Users select passwords that are not part of online password dictionary.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
Source: Original
Topic: Computer fraud and abuse
34. To prevent invalid data input, a bank added an extra number at the end of each account number and
subjected the new number to an algorithm. This technique is known as:
36. Why does a Certificate Authority (CA) play an important role in a company's information security
management?
39. Why would companies want to use digital signatures when conducting e-business?
A. It is cheap.
B. It is always the same so it can be verified easily.
C. It is more convenient than requiring a real signature.
D. It can authenticate the document sender and maintain data integrity.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
Source: Original
Topic: Computer fraud and abuse
40. Select the correct statement regarding encryption methods.
A. To use symmetric-key encryption, each user needs two different keys.
B. Most companies prefer using symmetric-key encryption over the asymmetric-key encryption method.
C. Both symmetric-key and asymmetric-key encryption methods require the involvement of a
certificate authority.
D. When conducting e-business, most companies use both symmetric-key and asymmetric-key
encryption methods.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: Original
Topic: Information security and systems integrity
Essay Questions
41. A magnetic tape used to store data backups was lost while it was being transported to an offsite storage
location. The data on the tape includes customers' credit card and personal information. Which
preventive control(s) should have been used to minimize the potential loss?
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Apply
Difficulty: 3 Hard
Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
Source: Original
Topic: Computer fraud and abuse
42. List the following steps regarding computer fraud risk assessments in sequence.
(a) Assessing the likelihood and business impact of a control failure and/or a fraud incident.
(b) Mapping existing controls to potential fraud schemes and identifying gaps.
(c) Identifying potential IT fraud schemes and prioritizing them based on likelihood and impact.
(d) Identifying relevant IT fraud risk factors.
(e) Testing operating effectiveness of fraud prevention and detection controls.
d, c, b, e, a
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Apply
Difficulty: 3 Hard
Learning Objective: 11-03 Describe computer fraud and misuse of AIS and corresponding risk-mitigation techniques.
Source: Original
Topic: Computer fraud and abuse
43. Describe the process of using asymmetric-key encryption to authenticate the trading partner involved in e-business.
To authenticate a trading partner (TP), the contact person (CP) of a company sends a challenge message
to TP. TP uses her private key to encrypt the challenge message and sends it to CP. If CP is able to use
TP's public key to decrypt and get the plaintext of the challenge message, CP has authenticated TP
successfully.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Apply
Difficulty: 3 Hard
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: Original
Topic: Information security and systems integrity
44. What are the two prerequisites for vulnerability management?
First, a firm should determine the main objectives of its vulnerability management. In some cases, the firm should
determine which laws, regulations, and standards it must comply with. Second, a firm should assign
roles and responsibilities for vulnerability management. Management may designate a team to be
responsible for developing and implementing the vulnerability management program.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 11-04 Define vulnerabilities; and explain how to manage and assess vulnerabilities.
Source: Original
Topic: Vulnerability management and assessments
45. Describe the framework for vulnerability assessment and vulnerability management.
Remediation process: making a risk response plan, preparing the policy and requirements for
remediation, as well as control implementation.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-04 Define vulnerabilities; and explain how to manage and assess vulnerabilities.
Source: Original
Topic: Vulnerability management and assessments
46. What are included in disaster recovery planning and business continuity management? Are these
concepts related?
Disaster recovery planning (DRP) must include a clearly defined and documented plan that covers key
personnel, resources including IT infrastructure and applications, and the actions required to continue
or resume the systems for critical business functions within planned levels of disruption. Business
continuity management (BCM) includes the activities required to keep a firm running during a period of
displacement or interruption of normal operations. DRP is a key component of BCM. BCM is broader
than DRP and is concerned with the entire set of business processes rather than particular assets, such
as IT infrastructure and applications.
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-05 Explain issues in system availability; disaster recovery; and business continuity.
Source: Original
Topic: System availability, disaster recovery and business continuity
47. What is a digital signature? How could a digital signature ensure data integrity when conducting e-business?
A digital signature is a message digest (MD) of a document (or data file) that is encrypted using the
document creator's private key.
1) Both the sender (A) and receiver (B) use an asymmetric-key encryption method to authenticate each
other.
2) Sender A makes a copy of the document and uses SHA-256 to hash the copy and get an MD.
3) Sender A encrypts the MD using Sender A's private key to get Sender A's digital signature.
4) Sender A uses Receiver B's public key to encrypt the original document and Sender A's digital
signature (for confidentiality).
5) Sender A sends the encrypted package to Receiver B.
6) Receiver B receives the package and decrypts it using Receiver B's private key. Receiver B now has
the document and Sender A's digital signature.
7) Receiver B decrypts Sender A's digital signature using Sender A's public key to get the sent-over
MD. Receiver B also authenticates that Sender A is the document creator.
8) Receiver B makes a copy of the received document and uses SHA-256 to hash the copy and get a
calculated MD.
9) If the sent-over MD is the same as the calculated MD, Receiver B ensures data integrity.
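The challenge-response authentication in answer 43 and the nine signing steps in answer 47, carried out end to end as an added Python example that is not part of the test bank. It assumes a textbook (unpadded) RSA built from the standard library on a 512-bit modulus, SHA-256 as the message-digest function, and a document short enough to fit in one RSA block; production systems use a vetted library with PSS/OAEP padding and hybrid (symmetric) document encryption instead.

```python
# Added example, not part of the test bank: the challenge-response
# authentication of answer 43 and the nine signing steps of answer 47 with
# a textbook RSA built from the Python standard library. Assumptions (mine,
# not the textbook's): unpadded RSA on a 512-bit modulus, SHA-256 as the
# message-digest function, and a document shorter than the modulus so it
# fits in one RSA block. Real systems use padding and hybrid encryption.
import hashlib
import secrets

E = 65537  # public exponent used by every key pair generated below

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    """Random prime with its top bit set, so the modulus has a known size."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def generate_keypair(bits=512):
    """Return (public, private) as ((n, e), (n, d)); n must exceed a 256-bit digest."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % E != 0:
            return (n, E), (n, pow(E, -1, phi))  # d = e^-1 mod phi (Python 3.8+)

def message_digest(data):
    """Steps 2 and 8: the SHA-256 digest of the document as an integer (the MD)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def rsa_apply(value, key):
    """One modular exponentiation; which key half is used decides encrypt/decrypt/sign."""
    n, exp = key
    if not 0 <= value < n:
        raise ValueError("value does not fit in one RSA block")
    return pow(value, exp, n)

def sign(document, private_key):
    """Step 3: the digital signature is the MD 'encrypted' with the sender's private key."""
    return rsa_apply(message_digest(document), private_key)

def verify(document, signature, sender_public_key):
    """Steps 7-9: recover the sent-over MD and compare it with a freshly computed MD."""
    if not 0 <= signature < sender_public_key[0]:
        return False  # an out-of-range signature can never be valid
    return rsa_apply(signature, sender_public_key) == message_digest(document)

def send_package(document, sender_private, receiver_public):
    """Steps 2-5 (Sender A): sign, then encrypt document and signature under B's public key."""
    signature = sign(document, sender_private)
    doc_int = int.from_bytes(document, "big")  # leading zero bytes would be lost here
    return rsa_apply(doc_int, receiver_public), rsa_apply(signature, receiver_public)

def receive_package(package, receiver_private, sender_public):
    """Steps 6-9 (Receiver B): decrypt with B's private key, then check A's signature."""
    doc_int = rsa_apply(package[0], receiver_private)
    signature = rsa_apply(package[1], receiver_private)
    document = doc_int.to_bytes((doc_int.bit_length() + 7) // 8, "big")
    return document, verify(document, signature, sender_public)

def challenge_response(tp_private, tp_public):
    """Answer 43: CP sends a fresh challenge, TP 'encrypts' it with her private key,
    and CP recovers the plaintext with TP's public key; True means TP is authenticated."""
    challenge = secrets.randbits(128)            # CP's random nonce
    response = rsa_apply(challenge, tp_private)  # TP's reply
    return response < tp_public[0] and rsa_apply(response, tp_public) == challenge

if __name__ == "__main__":
    a_pub, a_priv = generate_keypair()  # Sender A
    b_pub, b_priv = generate_keypair()  # Receiver B
    doc = b"PO-1001: 40 units at 312.50 USD"  # constructed sample document
    got, ok = receive_package(send_package(doc, a_priv, b_pub), b_priv, a_pub)
    print(got == doc, ok, challenge_response(a_priv, a_pub))  # True True True
```

Changing one byte of the document, or verifying with the wrong public key, makes `verify` return False, which is exactly the integrity and authentication checks of steps 7 and 9.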
AACSB: Reflective Thinking
AICPA BB: Industry
AICPA FN: Decision Making
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 11-02 Understand the concepts of encryption and authentication.
Source: Original
Topic: Information security and systems integrity
Chapter 13
3. In the business process perspective, the firm describes its objectives for improvements in tangible and
intangible infrastructure.
True False
4. A strategy map depicts the cause and effect relationship between objectives across the balanced scorecard
perspectives.
True False
5. When the firm's value proposition meets or exceeds customers' requirements, customer satisfaction results
in customer retention and new customer acquisition, which drives sales growth.
True False
6. Besides presenting financial performance information to shareholders, the financial perspective provides
information that can confirm the success of investments in learning and growth.
True False
7. Network IT changes the way that work is performed and decisions are made.
True False
8. Function IT can be used without affecting more than one skilled worker.
True False
9. Supply chain management systems are an example of Network IT.
True False
10. The success of Enterprise IT investments often depends on whether the company makes complementary
changes in business processes.
True False
11. The balanced scorecard management process starts with the Formulate step.
True False
12. Investments in business analytics systems support the balanced scorecard management process during the
Link to Operations step.
True False
13. Research shows that standardized, integrated, and networked technology enhances decision making and
performance management.
True False
14. The value of IT investments often depends on the level of complementary resources, which can change over
time.
True False
15. The impact of an IT investment can depend on managers' decision-making abilities.
True False
16. Which of the following is the best description of the balanced scorecard?
A. Stakeholder
B. Financial
C. Business process
D. Customer
18. Which of the following is not a general type of business process found on generic strategy maps?
A. Innovation processes
B. Administrative processes
C. Operations management processes
D. Customer management processes
19. Which of the following is not a value proposition characteristic expected to influence customer value?
A. Product attributes
B. Image
C. Innovation
D. Relationship
20. Which of the following is not included in Information Capital as described in the balanced scorecard
learning and growth perspective?
A. IT Infrastructure
B. Employees' abilities to use technology
C. Intangible assets
D. Applications
21. Which of the following is not an example of Enterprise IT?
A. Process definition
B. Process integration
C. Customer service
D. Transaction automation
23. Which of the following is the best reason that companies find it hard to assess the benefit of IT
investments?
A. Invest
B. Translate
C. Monitor
D. Adapt
25. Which of the following is the best description of the Link to Operations step in the balanced scorecard
management process?
Essay Questions
26. Review the following list of company objectives. Prepare a strategy map that places each objective in the
correct balanced scorecard perspective.
27. Your company has elected to implement a balanced scorecard management process following the steps
outlined by Kaplan and Norton. After examining the process closely, your company's senior management
team (CEO, CFO, CIO, etc.) decides to modify the process to make the steps more specific. First of all,
they identified three different organizational levels involved in the process: senior management, middle
management, and the rest of the workforce.
After a brainstorming session, they decide to break the five steps into pieces as follows: the formulate step
would include a) assessing the company's value proposition relative to the competition, and b) determining
the appropriate elements of the value proposition to emphasize in order to achieve competitive advantage.
The translate step would include a) setting long-term strategic objectives for customer and shareholder
value, and b) setting priorities for long-term capital improvements necessary to achieve the long-term strategic
objectives. The Link step would then include a) establishing necessary IT initiatives, b) setting
departmental budgets, c) implementing new IT systems, and d) operating business processes. The monitor
step would include a) producing reports to track performance, and b) reviewing reports to evaluate performance.
Then, they decided to insert a new step, titled Adjust. This step would include making adjustments
necessary to improve business processes, basically revisiting the Link to Operations step but making minor
changes. If the adjustments failed to achieve objectives, then they would continue to the Adapt step to a)
reconsider their assumptions about the competitive environment, and b) reconsider alternatives for those
parts of the value proposition to emphasize to achieve competitive success.
Required: Draw a BPMN activity diagram that outlines your company's approach to the balanced
scorecard management process. Then, describe in writing whether you agree with your senior management
team's breakdown of the steps and the approach they propose. What would you do differently? Why?
Chapter 13 The Balanced Scorecard and Business Value of Information Technology Answer Key
Topic: Business Value
5. When the firm's value proposition meets or exceeds customers' requirements, customer satisfaction
results in customer retention and new customer acquisition, which drives sales growth.
TRUE
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 13-02 Explain the purpose of strategy maps.
Source: Original
Topic: Business Value
6. Besides presenting financial performance information to shareholders, the financial perspective provides
information that can confirm the success of investments in learning and growth.
TRUE
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 13-02 Explain the purpose of strategy maps.
Source: Original
Topic: Business Value
7. Network IT changes the way that work is performed and decisions are made.
FALSE
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 13-03 Describe different types of IT and why IT initiatives can be difficult to evaluate.
Source: Original
Topic: Business Value
8. Function IT can be used without affecting more than one skilled worker.
TRUE
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 13-03 Describe different types of IT and why IT initiatives can be difficult to evaluate.
Source: Original
Topic: Business Value
9. Supply chain management systems are an example of Network IT.
FALSE
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 13-03 Describe different types of IT and why IT initiatives can be difficult to evaluate.
Source: Original
Topic: Business Value
10. The success of Enterprise IT investments often depends on whether the company makes complementary
changes in business processes.
TRUE
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 13-03 Describe different types of IT and why IT initiatives can be difficult to evaluate.
Source: Original
Topic: Business Value
11. The balanced scorecard management process starts with the Formulate step.
TRUE
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 13-04 Define the balanced scorecard management process.
Source: Original
Topic: Business Value
12. Investments in business analytics systems support the balanced scorecard management process during
the Link to Operations step.
FALSE
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 13-04 Define the balanced scorecard management process.
Source: Original
Topic: Business Value
13. Research shows that standardized, integrated, and networked technology enhances decision making and
performance management.
TRUE
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 13-05 Describe how an AIS system contributes to a balanced scorecard management process.
Source: Original
Topic: Business Value
14. The value of IT investments often depends on the level of complementary resources, which can change
over time.
TRUE
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 13-05 Describe how an AIS system contributes to a balanced scorecard management process.
Source: Original
Topic: Business Value
15. The impact of an IT investment can depend on managers' decision-making abilities.
TRUE
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 13-05 Describe how an AIS system contributes to a balanced scorecard management process.
Source: Original
Topic: Business Value
16. Which of the following is the best description of the balanced scorecard?
A. Stakeholder
B. Financial
C. Business process
D. Customer
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Remember
Difficulty: 1 Easy
Learning Objective: 13-01 Describe the balanced scorecard framework.
Source: Original
Topic: Business Value
18. Which of the following is not a general type of business process found on generic strategy maps?
A. IT Infrastructure
B. Employees' abilities to use technology
C. Intangible assets
D. Applications
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 13-02 Explain the purpose of strategy maps.
Source: Original
Topic: Business Value
21. Which of the following is not an example of Enterprise IT?
24. Which of the following is not a step in the balanced scorecard management process?
A. Invest
B. Translate
C. Monitor
D. Adapt
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Understand
Difficulty: 2 Medium
Learning Objective: 13-04 Define the balanced scorecard management process.
Source: Original
Topic: Business Value
25. Which of the following is the best description of the Link to Operations step in the balanced scorecard
management process?
Essay Questions
26. Review the following list of company objectives. Prepare a strategy map that places each objective in
the correct balanced scorecard perspective.
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Apply
Difficulty: 3 Hard
Learning Objective: 13-02 Explain the purpose of strategy maps.
Source: Original
Topic: Business Value
27. Your company has elected to implement a balanced scorecard management process following the steps
outlined by Kaplan and Norton. After examining the process closely, your company's senior
management team (CEO, CFO, CIO, etc.) decides to modify the process to make the steps more
specific. First of all, they identified three different organizational levels involved in the process: senior
management, middle management, and the rest of the workforce.
After a brainstorming session, they decide to break the five steps into pieces as follows: the formulate
step would include a) assessing the company's value proposition relative to the competition, and b)
determining the appropriate elements of the value proposition to emphasize in order to achieve
competitive advantage. The translate step would include a) setting long-term strategic objectives for
customer and shareholder value, and b) setting priorities for long-term capital improvements necessary to
achieve the long-term strategic objectives. The Link step would then include a) establishing necessary
IT initiatives, b) setting departmental budgets, c) implementing new IT systems, and d) operating
business processes. The monitor step would include a) producing reports to track performance, and b)
reviewing reports to evaluate performance.
Then, they decided to insert a new step, titled Adjust. This step would include making adjustments
necessary to improve business processes, basically revisiting the Link to Operations step but making
minor changes. If the adjustments failed to achieve objectives, then they would continue to the Adapt
step to a) reconsider their assumptions about the competitive environment, and b) reconsider
alternatives for those parts of the value proposition to emphasize to achieve competitive success.
Required: Draw a BPMN activity diagram that outlines your company's approach to the balanced
scorecard management process. Then, describe in writing whether you agree with your senior
management team's breakdown of the steps and the approach they propose. What would you do
differently? Why?
AACSB: Analytic
AICPA BB: Leveraging Technology
AICPA FN: Leveraging Technology
Blooms: Evaluate
Difficulty: 3 Hard
Learning Objective: 13-04 Define the balanced scorecard management process.
Source: Original
Topic: Business Value