Accounting Information Systems Basic Concepts and Current Issues 3rd Edition Hurt Test Bank 1
11
Student:
1. According to Carter’s taxonomy, use of a computer to further a criminal end refers to which of the
following categories?
A. Target
B. Instrumentality
C. Incidental
D. Associated
2. Which category of computer crime in Carter’s taxonomy recognizes that the presence of computers has
generated new versions of traditional crimes?
A. Target
B. Instrumentality
C. Incidental
D. Associated
3. George received an e-mail that threatened to release his personal financial data unless he paid a
fee. Which category of computer crime best describes that situation?
A. Target
B. Instrumentality
C. Incidental
D. Associated
4. A bank’s information system was hacked in an effort to obtain clients’ personal financial
information. Which category of computer crime best describes that situation?
A. Target
B. Instrumentality
C. Incidental
D. Associated
5. The terms target, instrumentality, incidental and associated from Carter’s taxonomy are most closely
associated with which form of risk from Brown’s taxonomy?
A. Human error
B. Liquidity
C. Systems
D. Market
6. Computer crimes that fall under Carter’s “target” category are most closely associated with which generic
element of an accounting information system?
A. Processing
B. Storage
C. Both A and B
D. Neither A nor B
10. Business risks and threats to information systems include all of the following except:
A. Error
B. Intrusions
C. Malicious software
D. Instrumentality
11. George received an e-mail that threatened to release his personal financial data unless he paid a fee. That
situation is an example of:
A. Extortion
B. Intrusion
C. Information manipulation
D. Error
12. An information systems development company routinely creates a password that they do not disclose to
their clients. In that way, the development company can bypass any security the client adds on later if the
system needs maintenance. The client’s information system is therefore at greatest risk for:
A. Error
B. Intrusion
C. Web site defacement
D. Extortion
13. The risk of disclosure of confidential information is most closely related to which category in Carter’s
taxonomy?
A. Target
B. Instrumentality
C. Both A and B
D. Neither A nor B
14. Malicious software, such as a logic bomb, is most closely related to which generic element of the
accounting information system?
A. Inputs
B. Processing
C. Outputs
D. Storage
15. Disclosure of confidential information is one risk associated with information technology. Which of the
following would be considered confidential information?
A. Hackers, cyber-criminals
B. Cyber-criminals, hackers
C. Corporate spies, terrorists
D. Terrorists, corporate spies
20. Which of the following types of computer criminal is least likely to be motivated by financial gain?
A. Script kiddie
B. Cyber-criminal
C. Corporate spies
D. Organized crime
21. Which type of computer criminal is likely to launch a denial-of-service attack?
A. Terrorist
B. Hacker
C. Both A and B
D. Neither A nor B
22. Organized crime and hackers are most likely to be included in which element of an enterprise risk
management plan based on the COSO framework?
A. Internal environment
B. Event identification
C. Objective setting
D. Control activities
27. All of the following are elements of the CIA triad except:
A. Clarity
B. Confidentiality
C. Availability
D. Data integrity
28. A firewall is an example of which type of control?
A. Physical security
B. Technical security
C. Administrative security
D. Enterprise security
29. WER Corporation forces its employees to change their system password every six months. Which type of
security control best describes the company’s policy?
A. Physical
B. Technical
C. Administrative
D. Hacking
30. At HCK Corporation, only employees in the information systems department can install new software on
a computer. Which type of security control best describes that practice?
A. Physical
B. Technical
C. Administrative
D. Practice
31. Consider the following short case as you respond to the next question:
Melissa is an internal auditor for the County of Bufflufia. Her job responsibilities include providing
training on information systems security and checking the work of data entry clerks. Melissa is also part
of a team that responds to denial-of-service attacks on the county’s information system. Her co-worker,
Eugene, ensures that all the county’s computers have the most up-to-date antivirus software; he also
enforces the county’s policy of backing up sensitive data, such as employee social security numbers
and other payroll information, at least once a day. The back-ups are dated and stored in a locked filing
cabinet.
Which employee has responsibilities related to technical security controls?
A. Melissa only
B. Eugene only
C. Both Melissa and Eugene
D. Neither Melissa nor Eugene
32. Consider the following short case as you respond to the next question:
Melissa is an internal auditor for the County of Bufflufia. Her job responsibilities include providing
training on information systems security and checking the work of data entry clerks. Melissa is also part
of a team that responds to denial-of-service attacks on the county’s information system. Her co-worker,
Eugene, ensures that all the county’s computers have the most up-to-date antivirus software; he also
enforces the county’s policy of backing up sensitive data, such as employee social security numbers
and other payroll information, at least once a day. The back-ups are dated and stored in a locked filing
cabinet.
Which employee has responsibilities related to all three elements of the CIA triad?
A. Melissa only
B. Eugene only
C. Both Melissa and Eugene
D. Neither Melissa nor Eugene
33. Consider the following short case as you respond to the next question:
Melissa is an internal auditor for the County of Bufflufia. Her job responsibilities include providing
training on information systems security and checking the work of data entry clerks. Melissa is also part
of a team that responds to denial-of-service attacks on the county’s information system. Her co-worker,
Eugene, ensures that all the county’s computers have the most up-to-date antivirus software; he also
enforces the county’s policy of backing up sensitive data, such as employee social security numbers
and other payroll information, at least once a day. The back-ups are dated and stored in a locked filing
cabinet.
Which of the following statements is most true?
A. Maria, a member of the Board of Directors, should give information on information governance control
to any corporate stakeholder who asks for it.
B. Erin, the lead partner on a corporation’s external audit team, should share information only with the
board of directors.
C. Both A and B are true.
D. Neither A nor B is true.
38. Based on the CoBIT accountability framework, which of the following statements is most true?
A. External auditors are responsible to all organizational stakeholders for communicating information
from the plan.
B. The board of directors is responsible to all organizational stakeholders for communicating information
from the plan.
C. Both A and B are true.
D. Neither A nor B is true.
41. The CoBIT framework identifies seven information criteria; the FASB conceptual framework includes
four qualitative characteristics of accounting information, as well as several assumptions, principles and
constraints. Which of the following statements about them is most true?
A. The “effectiveness” criterion in CoBIT is related to the primary qualitative characteristic of “relevance”
in the FASB conceptual framework.
B. The “cost effectiveness” constraint in the FASB conceptual framework and the “effectiveness” criterion
in CoBIT express the same idea in different ways.
C. Both A and B are true.
D. Neither A nor B is true.
42. The CoBIT framework identifies seven information criteria; the FASB conceptual framework includes
four qualitative characteristics of accounting information, as well as several assumptions, principles and
constraints. Which of the following statements about them is most true?
A. The “confidentiality” criterion in CoBIT contradicts the “full disclosure” principle in the FASB
conceptual framework.
B. The “reliability of information” criterion in CoBIT is most closely related to one of the secondary
qualitative characteristics in the FASB conceptual framework.
C. Both A and B are true.
D. Neither A nor B is true.
43. CoBIT can be used to strengthen internal controls against computer crime by:
A. Ensuring that information produced by the AIS conforms to the framework’s seven information
criteria.
B. Clarifying reporting relationships and responsibilities via the accountability framework.
C. Both A and B are true.
D. Neither A nor B is true.
44. A denial-of-service attack prevents computer systems from functioning in accordance with their intended
purpose. Thus, a denial-of-service attack is most closely related to which information criterion from the
CoBIT framework?
A. Availability
B. Confidentiality
C. Compliance
D. Information governance
45. The CoBIT framework looks at the issue of internal control from three points of view. An organization’s
hardware and software configuration is most closely related to:
A. Business objectives.
B. Information technology resources.
C. Information technology processes.
D. Information criteria.
46. The CoBIT framework looks at the issue of internal control from three points of view. If NTS
Corporation’s strategic plan includes a statement about planned increases in sales, which of the following
statements is most true?
A. The systems development life cycle cannot be used as a form of internal control; it is therefore
unrelated to the CoBIT framework.
B. The seven steps in the systems development life cycle span all four domains of knowledge from the
CoBIT framework.
C. The CoBIT framework requires the use of the systems development life cycle as a form of internal
control.
D. Using the systems development life cycle prohibits TPC from using CoBIT.
48. The CoBIT framework is divided into four domains of knowledge; the text discussed three types of
controls related to information security. Which of the following statements is most true?
A. In the “plan and organize” domain, systems designers should think about all three types of controls.
B. Only technical security controls are relevant in the “deliver and support” domain.
C. Administrative security controls are relevant only in the “plan and organize” domain.
D. No controls are necessary in the “monitor and evaluate” domain.
49. An organization that uses the CoBIT framework to strengthen internal controls wants to improve the
confidentiality of its information. Which of the following internal controls will best help achieve that
goal?
A. Encryption
B. Security guards
C. Use of the COSO internal control framework
D. Adherence to the steps in the systems development life cycle
50. PCA Corporation maintains its fixed asset records in an Excel spreadsheet, as well as in its general ledger
software. An internal auditor for PCA downloaded the Excel spreadsheet, then verified the information
in it against both the general ledger software and the actual fixed assets in use. Which of the following
statements is most true?
b. DOS attacks or extortion: Prevent computer systems from functioning in accordance with their
intended purpose.
d. Fraud or error: Losses can vary widely depending on where the problem originated.
e. Information theft or information manipulation: An employee creates fake refunds to benefit a family
member.
h. Malicious software or information theft: Logic bombs, replicating worm, Trojan horse.
i. Service interruption or disclosure of confidential information: Can lead to missed deadlines for
receivables or payables.
j. Web site defacement or extortion: Criminal contacts an organization after successfully stealing
information.
54. For each IT control listed below, indicate the group which most clearly applies: (a) physical security
control, (b) technical security control or (c) administrative security control.
1. Audible alarm when a computer detects a virus-infected e-mail attachment
2. Conflict of interest policy
3. Different passwords for each ERP module
4. Filing cabinets requiring keys
5. Fire suppression systems
6. Keystroke monitoring software
7. Locking compartments in desks
8. Log-ins requiring fingerprint identification
9. Mandatory password rotation
10. Periodic internal audits
55. Information technology controls can be classified as physical, technical or administrative. Consider each
independent situation below; suggest one control from the indicated classification that would address
(prevent / detect / correct) the risk.
b. A production manager records complete information about inventory counts before taking a two-
week vacation.
c. Sales staff can always tell customers how much inventory was on hand at the end of the previous
month.
e. A secretary generates required Sarbanes-Oxley reports from memory, then shares them with
management.
60.
The chapter discussed the four elements of Carter’s taxonomy of computer crime, eleven business risks /
threats to information systems and seven common types of computer criminals. Classify each item below
using each of them.
b. A CEO uses a program found online to report false rumors about a competitor’s stock price.
65. Ethan is an information technology security consultant. He has been asked to speak to a local professional
organization about ways to strengthen internal controls against computer crime, and wants to relate his
comments to the CoBIT framework. Prepare a short summary of the key points Ethan should make in his
presentation; ensure that each one has a clear relationship to the CoBIT framework.
11 Key
1. According to Carter’s taxonomy, use of a computer to further a criminal end refers to which of the
following categories?
A. Target
B. Instrumentality
C. Incidental
D. Associated
BLOOM: Knowledge
Difficulty: Easy
Hurt - Chapter 11 #1
LO 1
2. Which category of computer crime in Carter’s taxonomy recognizes that the presence of computers
has generated new versions of traditional crimes?
A. Target
B. Instrumentality
C. Incidental
D. Associated
BLOOM: Knowledge
Difficulty: Easy
Hurt - Chapter 11 #2
LO 1
3. George received an e-mail that threatened to release his personal financial data unless he paid a
fee. Which category of computer crime best describes that situation?
A. Target
B. Instrumentality
C. Incidental
D. Associated
BLOOM: Comprehension
Difficulty: Medium
Hurt - Chapter 11 #3
LO 1
4. A bank’s information system was hacked in an effort to obtain clients’ personal financial
information. Which category of computer crime best describes that situation?
A. Target
B. Instrumentality
C. Incidental
D. Associated
BLOOM: Comprehension
Difficulty: Medium
Hurt - Chapter 11 #4
LO 1
5. The terms target, instrumentality, incidental and associated from Carter’s taxonomy are most closely
associated with which form of risk from Brown’s taxonomy?
A. Human error
B. Liquidity
C. Systems
D. Market
BLOOM: Application
Difficulty: Medium
Hurt - Chapter 11 #5
LO 1
6. Computer crimes that fall under Carter’s “target” category are most closely associated with which
generic element of an accounting information system?
A. Processing
B. Storage
C. Both A and B
D. Neither A nor B
BLOOM: Application
Difficulty: Medium
Hurt - Chapter 11 #6
LO 1
10. Business risks and threats to information systems include all of the following except:
A. Error
B. Intrusions
C. Malicious software
D. Instrumentality
BLOOM: Knowledge
Difficulty: Easy
Hurt - Chapter 11 #10
LO 2
11. George received an e-mail that threatened to release his personal financial data unless he paid a
fee. That situation is an example of:
A. Extortion
B. Intrusion
C. Information manipulation
D. Error
BLOOM: Comprehension
Difficulty: Medium
Hurt - Chapter 11 #11
LO 2
12. An information systems development company routinely creates a password that they do not disclose
to their clients. In that way, the development company can bypass any security the client adds on later
if the system needs maintenance. The client’s information system is therefore at greatest risk for:
A. Error
B. Intrusion
C. Web site defacement
D. Extortion
BLOOM: Comprehension
Difficulty: Medium
Hurt - Chapter 11 #12
LO 2
13. The risk of disclosure of confidential information is most closely related to which category in Carter’s
taxonomy?
A. Target
B. Instrumentality
C. Both A and B
D. Neither A nor B
BLOOM: Application
Difficulty: Medium
Hurt - Chapter 11 #13
LO 2
14. Malicious software, such as a logic bomb, is most closely related to which generic element of the
accounting information system?
A. Inputs
B. Processing
C. Outputs
D. Storage
BLOOM: Application
Difficulty: Medium
Hurt - Chapter 11 #14
LO 2
15. Disclosure of confidential information is one risk associated with information technology. Which of
the following would be considered confidential information?
A. Hackers, cyber-criminals
B. Cyber-criminals, hackers
C. Corporate spies, terrorists
D. Terrorists, corporate spies
BLOOM: Knowledge
Difficulty: Easy
Hurt - Chapter 11 #19
LO 3
20. Which of the following types of computer criminal is least likely to be motivated by financial gain?
A. Script kiddie
B. Cyber-criminal
C. Corporate spies
D. Organized crime
BLOOM: Comprehension
Difficulty: Medium
Hurt - Chapter 11 #20
LO 3
21. Which type of computer criminal is likely to launch a denial-of-service attack?
A. Terrorist
B. Hacker
C. Both A and B
D. Neither A nor B
BLOOM: Application
Difficulty: Medium
Hurt - Chapter 11 #21
LO 3
22. Organized crime and hackers are most likely to be included in which element of an enterprise risk
management plan based on the COSO framework?
A. Internal environment
B. Event identification
C. Objective setting
D. Control activities
BLOOM: Application
Difficulty: Medium
Hurt - Chapter 11 #22
LO 3
27. All of the following are elements of the CIA triad except:
A. Clarity
B. Confidentiality
C. Availability
D. Data integrity
BLOOM: Knowledge
Difficulty: Easy
Hurt - Chapter 11 #27
LO 4
28. A firewall is an example of which type of control?
A. Physical security
B. Technical security
C. Administrative security
D. Enterprise security
BLOOM: Comprehension
Difficulty: Medium
Hurt - Chapter 11 #28
LO 4
29. WER Corporation forces its employees to change their system password every six months. Which
type of security control best describes the company’s policy?
A. Physical
B. Technical
C. Administrative
D. Hacking
BLOOM: Application
Difficulty: Medium
Hurt - Chapter 11 #29
LO 4
30. At HCK Corporation, only employees in the information systems department can install new software
on a computer. Which type of security control best describes that practice?
A. Physical
B. Technical
C. Administrative
D. Practice
BLOOM: Application
Difficulty: Medium
Hurt - Chapter 11 #30
LO 4
31. Consider the following short case as you respond to the next question:
Melissa is an internal auditor for the County of Bufflufia. Her job responsibilities include providing
training on information systems security and checking the work of data entry clerks. Melissa is also
part of a team that responds to denial-of-service attacks on the county’s information system. Her co-
worker, Eugene, ensures that all the county’s computers have the most up-to-date antivirus software;
he also enforces the county’s policy of backing up sensitive data, such as employee social security
numbers and other payroll information, at least once a day. The back-ups are dated and stored in a
locked filing cabinet.
Which employee has responsibilities related to technical security controls?
A. Melissa only
B. Eugene only
C. Both Melissa and Eugene
D. Neither Melissa nor Eugene
BLOOM: Analysis
Difficulty: Hard
Hurt - Chapter 11 #31
LO 4
32. Consider the following short case as you respond to the next question:
Melissa is an internal auditor for the County of Bufflufia. Her job responsibilities include providing
training on information systems security and checking the work of data entry clerks. Melissa is also
part of a team that responds to denial-of-service attacks on the county’s information system. Her co-
worker, Eugene, ensures that all the county’s computers have the most up-to-date antivirus software;
he also enforces the county’s policy of backing up sensitive data, such as employee social security
numbers and other payroll information, at least once a day. The back-ups are dated and stored in a
locked filing cabinet.
Which employee has responsibilities related to all three elements of the CIA triad?
A. Melissa only
B. Eugene only
C. Both Melissa and Eugene
D. Neither Melissa nor Eugene
BLOOM: Analysis
Difficulty: Hard
Hurt - Chapter 11 #32
LO 4
33. Consider the following short case as you respond to the next question:
Melissa is an internal auditor for the County of Bufflufia. Her job responsibilities include providing
training on information systems security and checking the work of data entry clerks. Melissa is also
part of a team that responds to denial-of-service attacks on the county’s information system. Her co-
worker, Eugene, ensures that all the county’s computers have the most up-to-date antivirus software;
he also enforces the county’s policy of backing up sensitive data, such as employee social security
numbers and other payroll information, at least once a day. The back-ups are dated and stored in a
locked filing cabinet.
Which of the following statements is most true?
BLOOM: Knowledge
Difficulty: Easy
Hurt - Chapter 11 #35
LO 5
36. Randall works in the information security department of RDN Corporation; Felix is on the board of
directors of RDN. Which of the following statements is most true?
A. Maria, a member of the Board of Directors, should give information on information governance
control to any corporate stakeholder who asks for it.
B. Erin, the lead partner on a corporation’s external audit team, should share information only with the
board of directors.
C. Both A and B are true.
D. Neither A nor B is true.
BLOOM: Application
Difficulty: Medium
Hurt - Chapter 11 #37
LO 5
38. Based on the CoBIT accountability framework, which of the following statements is most true?
A. External auditors are responsible to all organizational stakeholders for communicating information
from the plan.
B. The board of directors is responsible to all organizational stakeholders for communicating
information from the plan.
C. Both A and B are true.
D. Neither A nor B is true.
BLOOM: Analysis
Difficulty: Hard
Hurt - Chapter 11 #40
LO 5
41. The CoBIT framework identifies seven information criteria; the FASB conceptual framework includes
four qualitative characteristics of accounting information, as well as several assumptions, principles
and constraints. Which of the following statements about them is most true?
A. The “confidentiality” criterion in CoBIT contradicts the “full disclosure” principle in the FASB
conceptual framework.
B. The “reliability of information” criterion in CoBIT is most closely related to one of the secondary
qualitative characteristics in the FASB conceptual framework.
C. Both A and B are true.
D. Neither A nor B is true.
BLOOM: Synthesis
Difficulty: Hard
Hurt - Chapter 11 #42
LO 5
43. CoBIT can be used to strengthen internal controls against computer crime by:
A. Ensuring that information produced by the AIS conforms to the framework’s seven information
criteria.
B. Clarifying reporting relationships and responsibilities via the accountability framework.
C. Both A and B are true.
D. Neither A nor B is true.
BLOOM: Knowledge
Difficulty: Easy
Hurt - Chapter 11 #43
LO 6
44. A denial-of-service attack prevents computer systems from functioning in accordance with their
intended purpose. Thus, a denial-of-service attack is most closely related to which information
criterion from the CoBIT framework?
A. Availability
B. Confidentiality
C. Compliance
D. Information governance
BLOOM: Comprehension
Difficulty: Medium
Hurt - Chapter 11 #44
LO 6
45. The CoBIT framework looks at the issue of internal control from three points of view. An
organization’s hardware and software configuration is most closely related to:
A. Business objectives.
B. Information technology resources.
C. Information technology processes.
D. Information criteria.
BLOOM: Application
Difficulty: Medium
Hurt - Chapter 11 #45
LO 6
46. The CoBIT framework looks at the issue of internal control from three points of view. If NTS
Corporation’s strategic plan includes a statement about planned increases in sales, which of the
following statements is most true?
A. The systems development life cycle cannot be used as a form of internal control; it is therefore
unrelated to the CoBIT framework.
B. The seven steps in the systems development life cycle span all four domains of knowledge from the
CoBIT framework.
C. The CoBIT framework requires the use of the systems development life cycle as a form of internal
control.
D. Using the systems development life cycle prohibits TPC from using CoBIT.
BLOOM: Analysis
Difficulty: Hard
Hurt - Chapter 11 #47
LO 6
48. The CoBIT framework is divided into four domains of knowledge; the text discussed three types of
controls related to information security. Which of the following statements is most true?
A. In the “plan and organize” domain, systems designers should think about all three types of controls.
B. Only technical security controls are relevant in the “deliver and support” domain.
C. Administrative security controls are relevant only in the “plan and organize” domain.
D. No controls are necessary in the “monitor and evaluate” domain.
BLOOM: Analysis
Difficulty: Hard
Hurt - Chapter 11 #48
LO 6
49. An organization that uses the CoBIT framework to strengthen internal controls wants to improve the
confidentiality of its information. Which of the following internal controls will best help achieve that
goal?
A. Encryption
B. Security guards
C. Use of the COSO internal control framework
D. Adherence to the steps in the systems development life cycle
BLOOM: Synthesis
Difficulty: Hard
Hurt - Chapter 11 #49
LO 6
50. PCA Corporation maintains its fixed asset records in an Excel spreadsheet, as well as in its general
ledger software. An internal auditor for PCA downloaded the Excel spreadsheet, then verified the
information in it against both the general ledger software and the actual fixed assets in use. Which of
the following statements is most true?
BLOOM: Knowledge
Difficulty: Easy
Hurt - Chapter 11 #51
LO 3
52. Which element of Carter’s taxonomy of computer crime is associated with each item below?
a. Computer is not required for the crime but is related to the criminal act
b. Computer is used to commit the crime
c. Computer use may make a crime more difficult to trace
d. Growth of the Internet creates new ways of reaching victims
e. Objective is to impact the confidentiality, availability and / or integrity of data
f. Presence of computers has generated new versions of fairly traditional crimes
g. Targets the system or its data
h. Technological growth creates new crime targets
i. Use of the computer simplifies criminal actions
j. Uses the computer to further a criminal end
BLOOM: Knowledge
Difficulty: Easy
Hurt - Chapter 11 #52
LO 1
53. In each statement that follows, circle the business risk or threat that most clearly applies based on the
list provided in the text.
a. Disclosure of confidential information or intrusion: Employee data are made available on the
Internet.
b. DOS attacks or extortion: Prevent computer systems from functioning in accordance with their
intended purpose.
d. Fraud or error: Losses can vary widely depending on where the problem originated.
h. Malicious software or information theft: Logic bombs, replicating worm, Trojan horse.
i. Service interruption or disclosure of confidential information: Can lead to missed deadlines for
receivables or payables.
j. Web site defacement or extortion: Criminal contacts an organization after successfully stealing
information.
BLOOM: Comprehension
Difficulty: Medium
Hurt - Chapter 11 #53
LO 2
54. For each IT control listed below, indicate the group which most clearly applies: (a) physical security
control, (b) technical security control or (c) administrative security control.
1. Audible alarm when a computer detects a virus-infected e-mail attachment
2. Conflict of interest policy
3. Different passwords for each ERP module
4. Filing cabinets requiring keys
5. Fire suppression systems
6. Keystroke monitoring software
7. Locking compartments in desks
8. Log-ins requiring fingerprint identification
9. Mandatory password rotation
10. Periodic internal audits
BLOOM: Comprehension
Difficulty: Medium
Hurt - Chapter 11 #54
LO 4
55. Information technology controls can be classified as physical, technical or administrative. Consider
each independent situation below; suggest one control from the indicated classification that would
address (prevent / detect / correct) the risk.
a. regular security audits
b. encase the server in a cabinet
c. system access log
d. policy to remove employees from the system when they leave the company
e. password rotation
f. security training
g. customers pay at the register
h. appropriate use policy
i. encryption
j. firewall
BLOOM: Application
Difficulty: Medium
Hurt - Chapter 11 #55
LO 4
58.
The CoBIT framework identifies seven information criteria. In each example below, indicate one
criterion that is met AND one that is not met in the space provided.
b. A production manager records complete information about inventory counts before taking a
two-week vacation.
c. Sales staff can always tell customers how much inventory was on hand at the end of the
previous month.
e. A secretary generates required Sarbanes-Oxley reports from memory, then shares them with
management.
BLOOM: Analysis
Difficulty: Hard
Hurt - Chapter 11 #58
LO 5
60.
The chapter discussed the four elements of Carter’s taxonomy of computer crime, eleven business
risks / threats to information systems and seven common types of computer criminals. Classify each
item below using each of them.
b. A CEO uses a program found online to report false rumors about a competitor’s stock
price.
BLOOM: Synthesis
Difficulty: Hard
Hurt - Chapter 11 #60
LO 1
61. List the elements of Carter’s taxonomy of computer crime.
BLOOM: Knowledge
Difficulty: Easy
Hurt - Chapter 11 #61
LO 1
63. A private university maintains sensitive information about its donors in both a paper file and an
electronic database. Using the three-part control taxonomy discussed in the chapter, identify and
describe two controls in each category that should be implemented to prevent / detect / correct the risk
that such information might be compromised.
BLOOM: Application
Difficulty: Medium
Hurt - Chapter 11 #63
LO 4
65. Ethan is an information technology security consultant. He has been asked to speak to a local
professional organization about ways to strengthen internal controls against computer crime, and
wants to relate his comments to the CoBIT framework. Prepare a short summary of the key points
Ethan should make in his presentation; ensure that each one has a clear relationship to the CoBIT
framework.
BLOOM: Synthesis
Difficulty: Hard
Hurt - Chapter 11 #65
LO 6
11 Summary
Category # of Questions
BLOOM: Analysis 15
BLOOM: Application 15
BLOOM: Comprehension 11
BLOOM: Knowledge 10
BLOOM: Synthesis 14
Difficulty: Easy 10
Difficulty: Hard 29
Difficulty: Medium 26
Hurt - Chapter 11 65
LO 1 12
LO 2 11
LO 3 11
LO 4 11
LO 5 11
LO 6 10