
ACCOUNTING INFORMATION SYSTEMS: BASIC CONCEPTS AND CURRENT ISSUES, 3RD EDITION (HURT)

11
Student:

1. According to Carter’s taxonomy, use of a computer to further a criminal end refers to which of the
following categories?

A. Target
B. Instrumentality
C. Incidental
D. Associated
2. Which category of computer crime in Carter’s taxonomy recognizes that the presence of computers has
generated new versions of traditional crimes?

A. Target
B. Instrumentality
C. Incidental
D. Associated
3. George received an e-mail that threatened to release his personal financial data unless he paid a
fee. Which category of computer crime best describes that situation?

A. Target
B. Instrumentality
C. Incidental
D. Associated
4. A bank’s information system was hacked in an effort to obtain clients’ personal financial
information. Which category of computer crime best describes that situation?

A. Target
B. Instrumentality
C. Incidental
D. Associated
5. The terms target, instrumentality, incidental and associated from Carter’s taxonomy are most closely
associated with which form of risk from Brown’s taxonomy?

A. Human error
B. Liquidity
C. Systems
D. Market
6. Computer crimes that fall under Carter’s “target” category are most closely associated with which generic
element of an accounting information system?
A. Processing
B. Storage
C. Both A and B
D. Neither A nor B
10. Business risks and threats to information systems include all of the following except:

A. Error
B. Intrusions
C. Malicious software
D. Instrumentality
11. George received an e-mail that threatened to release his personal financial data unless he paid a fee. That
situation is an example of:

A. Extortion
B. Intrusion
C. Information manipulation
D. Error
12. An information systems development company routinely creates a password that they do not disclose to
their clients. In that way, the development company can bypass any security the client adds on later if the
system needs maintenance. The client’s information system is therefore at greatest risk for:

A. Error
B. Intrusion
C. Web site defacement
D. Extortion
13. The risk of disclosure of confidential information is most closely related to which category in Carter’s
taxonomy?

A. Target
B. Instrumentality
C. Both A and B
D. Neither A nor B
14. Malicious software, such as a logic bomb, is most closely related to which generic element of the
accounting information system?
A. Inputs
B. Processing
C. Outputs
D. Storage
15. Disclosure of confidential information is one risk associated with information technology. Which of the
following would be considered confidential information?

A. The stock price of Microsoft
B. The book value of Disney Corporation’s fixed assets
C. The social security numbers of GE’s board of directors
D. All of the above are examples of confidential information.
16. The difference between “error” and “information manipulation” as business risks associated with
information technology is:

A. The person’s intent
B. The kind of information involved
C. The potential dollar amount of the loss
D. The classification on Carter’s taxonomy
19. are driven by financial gain.

A. Hackers, cyber-criminals
B. Cyber-criminals, hackers
C. Corporate spies, terrorists
D. Terrorists, corporate spies
20. Which of the following types of computer criminal is least likely to be motivated by financial gain?

A. Script kiddie
B. Cyber-criminal
C. Corporate spies
D. Organized crime
21. Which type of computer criminal is likely to launch a denial-of-service attack?

A. Terrorist
B. Hacker
C. Both A and B
D. Neither A nor B
22. Organized crime and hackers are most likely to be included in which element of an enterprise risk
management plan based on the COSO framework?

A. Internal environment
B. Event identification
C. Objective setting
D. Control activities
27. All of the following are elements of the CIA triad except:

A. Clarity
B. Confidentiality
C. Availability
D. Data integrity
28. A firewall is an example of which type of control?

A. Physical security
B. Technical security
C. Administrative security
D. Enterprise security
29. WER Corporation forces its employees to change their system password every six months. Which type of
security control best describes the company’s policy?

A. Physical
B. Technical
C. Administrative
D. Hacking
30. At HCK Corporation, only employees in the information systems department can install new software on
a computer. Which type of security control best describes that practice?

A. Physical
B. Technical
C. Administrative
D. Practice
31. Consider the following short case as you respond to the next question:
Melissa is an internal auditor for the County of Bufflufia. Her job responsibilities include providing
training on information systems security and checking the work of data entry clerks. Melissa is also part
of a team that responds to denial-of-service attacks on the county’s information system. Her co-worker,
Eugene, ensures that all the county’s computers have the most up-to-date antivirus software; he also
enforces the county’s policy of backing up sensitive data, such as employee social security numbers
and other payroll information, at least once a day. The back-ups are dated and stored in a locked filing
cabinet.
Which employee has responsibilities related to technical security controls?

A. Melissa only
B. Eugene only
C. Both Melissa and Eugene
D. Neither Melissa nor Eugene
32. Consider the following short case as you respond to the next question:
Melissa is an internal auditor for the County of Bufflufia. Her job responsibilities include providing
training on information systems security and checking the work of data entry clerks. Melissa is also part
of a team that responds to denial-of-service attacks on the county’s information system. Her co-worker,
Eugene, ensures that all the county’s computers have the most up-to-date antivirus software; he also
enforces the county’s policy of backing up sensitive data, such as employee social security numbers
and other payroll information, at least once a day. The back-ups are dated and stored in a locked filing
cabinet.
Which employee has responsibilities related to all three elements of the CIA triad?

A. Melissa only
B. Eugene only
C. Both Melissa and Eugene
D. Neither Melissa nor Eugene
33. Consider the following short case as you respond to the next question:
Melissa is an internal auditor for the County of Bufflufia. Her job responsibilities include providing
training on information systems security and checking the work of data entry clerks. Melissa is also part
of a team that responds to denial-of-service attacks on the county’s information system. Her co-worker,
Eugene, ensures that all the county’s computers have the most up-to-date antivirus software; he also
enforces the county’s policy of backing up sensitive data, such as employee social security numbers
and other payroll information, at least once a day. The back-ups are dated and stored in a locked filing
cabinet.
Which of the following statements is most true?

A. Eugene’s responsibilities span both physical and technical controls.
B. Melissa’s responsibilities are related to at least one element of the CIA triad.
C. Both A and B are true.
D. Neither A nor B is true.
34. Consider the following short case as you respond to the next question:
Melissa is an internal auditor for the County of Bufflufia. Her job responsibilities include providing
training on information systems security and checking the work of data entry clerks. Melissa is also part
of a team that responds to denial-of-service attacks on the county’s information system. Her co-worker,
Eugene, ensures that all the county’s computers have the most up-to-date antivirus software; he also
enforces the county’s policy of backing up sensitive data, such as employee social security numbers
and other payroll information, at least once a day. The back-ups are dated and stored in a locked filing
cabinet.
Melissa’s responsibilities relate to which elements of the CIA triad?

A. Confidentiality and availability
B. Confidentiality and data integrity
C. Availability and data integrity
D. None of the above
35. CoBIT’s information criteria include all of the following except:

A. The elements of the CIA triad.
B. Effectiveness and efficiency.
C. Truthfulness.
D. Compliance and reliability.
36. Randall works in the information security department of RDN Corporation; Felix is on the board of
directors of RDN. Which of the following statements is most true?

A. Randall should inform Felix about information governance control.
B. Felix should inform Randall about information governance control.
C. Only Felix is accountable to RDN’s shareholders.
D. Felix can never interact with RDN’s external auditors.
37. Based on the CoBIT accountability framework, which of the following statements is most true?

A. Maria, a member of the Board of Directors, should give information on information governance control
to any corporate stakeholder who asks for it.
B. Erin, the lead partner on a corporation’s external audit team, should share information only with the
board of directors.
C. Both A and B are true.
D. Neither A nor B is true.
38. Based on the CoBIT accountability framework, which of the following statements is most true?

A. Julie, an employee of SNB Corporation, is accountable to SNB’s board of directors.
B. Mark, a member of SNB Corporation’s board of directors, is accountable to SNB’s information
security management employees.
C. Both A and B are true.
D. Neither A nor B is true.
39. The CoBIT framework discusses seven information criteria. Consider the pairs of items below; which one
violates the criterion indicated?
A. Effectiveness: market value of short-term investments
B. Confidentiality: employee payroll data are kept in a locked filing cabinet
C. Integrity: variances between expected sales and actual sales
D. Compliance: general-purpose financial statements included in a 10-K filing
40. BSD Corporation developed an internal control plan using the COSO framework. Based on the CoBIT
accountability framework, which of the following statements is most true?

A. External auditors are responsible to all organizational stakeholders for communicating information
from the plan.
B. The board of directors is responsible to all organizational stakeholders for communicating information
from the plan.
C. Both A and B are true.
D. Neither A nor B is true.
41. The CoBIT framework identifies seven information criteria; the FASB conceptual framework includes
four qualitative characteristics of accounting information, as well as several assumptions, principles and
constraints. Which of the following statements about them is most true?

A. The “effectiveness” criterion in CoBIT is related to the primary qualitative characteristic of “relevance”
in the FASB conceptual framework.
B. The “cost effectiveness” constraint in the FASB conceptual framework and the “effectiveness” criterion
in CoBIT express the same idea in different ways.
C. Both A and B are true.
D. Neither A nor B is true.
42. The CoBIT framework identifies seven information criteria; the FASB conceptual framework includes
four qualitative characteristics of accounting information, as well as several assumptions, principles and
constraints. Which of the following statements about them is most true?

A. The “confidentiality” criterion in CoBIT contradicts the “full disclosure” principle in the FASB
conceptual framework.
B. The “reliability of information” criterion in CoBIT is most closely related to one of the secondary
qualitative characteristics in the FASB conceptual framework.
C. Both A and B are true.
D. Neither A nor B is true.
43. CoBIT can be used to strengthen internal controls against computer crime by:

A. Ensuring that information produced by the AIS conforms to the framework’s seven information
criteria.
B. Clarifying reporting relationships and responsibilities via the accountability framework.
C. Both A and B are true.
D. Neither A nor B is true.
44. A denial-of-service attack prevents computer systems from functioning in accordance with their intended
purpose. Thus, a denial-of-service attack is most closely related to which information criterion from the
CoBIT framework?

A. Availability
B. Confidentiality
C. Compliance
D. Information governance
45. The CoBIT framework looks at the issue of internal control from three points of view. An organization’s
hardware and software configuration is most closely related to:

A. Business objectives.
B. Information technology resources.
C. Information technology processes.
D. Information criteria.
46. The CoBIT framework looks at the issue of internal control from three points of view. If NTS
Corporation’s strategic plan includes a statement about planned increases in sales, which of the following
statements is most true?

A. The statement is unrelated to any of the three points of view.
B. The statement is related to the “business objective” point of view.
C. The statement is meaningful only if the planned increases were predicted with a computer model.
D. The statement ensures that sales figures conform to all seven information criteria in the CoBIT
framework.
47. The CoBIT framework is divided into four domains of knowledge. Suppose TPC Corporation uses the
systems development life cycle for new IT projects. Which of the following statements is most true?

A. The systems development life cycle cannot be used as a form of internal control; it is therefore
unrelated to the CoBIT framework.
B. The seven steps in the systems development life cycle span all four domains of knowledge from the
CoBIT framework.
C. The CoBIT framework requires the use of the systems development life cycle as a form of internal
control.
D. Using the systems development life cycle prohibits TPC from using CoBIT.
48. The CoBIT framework is divided into four domains of knowledge; the text discussed three types of
controls related to information security. Which of the following statements is most true?

A. In the “plan and organize” domain, systems designers should think about all three types of controls.
B. Only technical security controls are relevant in the “deliver and support” domain.
C. Administrative security controls are relevant only in the “plan and organize” domain.
D. No controls are necessary in the “monitor and evaluate” domain.
49. An organization that uses the CoBIT framework to strengthen internal controls wants to improve the
confidentiality of its information. Which of the following internal controls will best help achieve that
goal?

A. Encryption
B. Security guards
C. Use of the COSO internal control framework
D. Adherence to the steps in the systems development life cycle
50. PCA Corporation maintains its fixed asset records in an Excel spreadsheet, as well as in its general ledger
software. An internal auditor for PCA downloaded the Excel spreadsheet, then verified the information
in it against both the general ledger software and the actual fixed assets in use. Which of the following
statements is most true?

A. Internal auditors should not be viewed as a form of internal control.
B. PCA is legally required to follow the CoBIT accountability framework, which includes internal
auditors, to meet the information criterion of compliance.
C. The internal auditor’s actions help PCA achieve integrity in its information.
D. Information about fixed assets is confidential; the internal auditor’s actions conflict with the
information criterion of confidentiality.
51. Based on the list provided in the text, indicate the type of computer criminal described in each of the
following.
a. A young, inexperienced hacker who uses tools written by others for the purpose of attacking systems
b. Could seriously disrupt power grids, telecommunications and transportation
c. Hackers driven by financial gain
d. Recruit talented hackers to handle the technical aspects of crime
e. Someone who invades an information system for malicious purposes
f. Take advantage of networked systems by turning to computer intrusion techniques to gather the
information they desire
g. The largest threat to a company’s information systems
52. Which element of Carter’s taxonomy of computer crime is associated with each item below?
a. Computer is not required for the crime but is related to the criminal act
b. Computer is used to commit the crime
c. Computer use may make a crime more difficult to trace
d. Growth of the Internet creates new ways of reaching victims
e. Objective is to impact the confidentiality, availability and / or integrity of data
f. Presence of computers has generated new versions of fairly traditional crimes
g. Targets the system or its data
h. Technological growth creates new crime targets
i. Use of the computer simplifies criminal actions
j. Uses the computer to further a criminal end
53. In each statement that follows, circle the business risk or threat that most clearly applies based on the list
provided in the text.
a. Disclosure of confidential information or intrusion: Employee data are made available on the Internet.

b. DOS attacks or extortion: Prevent computer systems from functioning in accordance with their
intended purpose.

c. Error or web site defacement: Digital graffiti

d. Fraud or error: Losses can vary widely depending on where the problem originated.

e. Information theft or information manipulation: An employee creates fake refunds to benefit a family
member.

f. Intrusion or extortion: Main objective is to gain access to a network.

g. Intrusion or service interruption: Classified as accidental, willful neglect or malicious behavior.

h. Malicious software or information theft: Logic bombs, replicating worm, Trojan horse.

i. Service interruption or disclosure of confidential information: Can lead to missed deadlines for
receivables or payables.

j. Web site defacement or extortion: Criminal contacts an organization after successfully stealing
information.
54. For each IT control listed below, indicate the group which most clearly applies: (a) physical security
control, (b) technical security control or (c) administrative security control.
1. Audible alarm when a computer detects a virus-infected e-mail attachment
2. Conflict of interest policy
3. Different passwords for each ERP module
4. Filing cabinets requiring keys
5. Fire suppression systems
6. Keystroke monitoring software
7. Locking compartments in desks
8. Log-ins requiring fingerprint identification
9. Mandatory password rotation
10. Periodic internal audits

55. Information technology controls can be classified as physical, technical or administrative. Consider each
independent situation below; suggest one control from the indicated classification that would address
(prevent / detect / correct) the risk.

a) A bank’s customer database is hacked.
Administrative:
b) A careless employee spills coffee on a network server.
Physical:
c) A corporation’s sales data are manipulated by a member of the sales staff.
Technical:
d) A former employee introduces a logic bomb to a company’s payroll system.
Administrative:
e) A political candidate’s web site is defaced.
Technical:
f) A senior citizen sends money to a fake religious organization based on a fraudulent e-mail.
Administrative:
g) A waitress steals a customer’s credit card number.
Physical:
h) An employee uses work time to shop online using the company’s computer.
Administrative:
i) Corporate spies steal research and development information.
Technical:
j) Fake compromising photos of a corporate CEO are posted to a social networking site.
Technical:
58. The CoBIT framework identifies seven information criteria. In each example below, indicate one
criterion that is met AND one that is not met in the space provided.

Criterion met / Criterion not met

a. Employees’ social security numbers are stored in a locked filing cabinet.

b. A production manager records complete information about inventory counts before taking a two-
week vacation.

c. Sales staff can always tell customers how much inventory was on hand at the end of the previous
month.

d. Information technology is used to count 25% of a corporation’s inventory every week.

e. A secretary generates required Sarbanes-Oxley reports from memory, then shares them with
management.
60. The chapter discussed the four elements of Carter’s taxonomy of computer crime, eleven business risks /
threats to information systems and seven common types of computer criminals. Classify each item below
using each of them.

Carter’s taxonomy / Business risk or threat / Type of computer criminal

a. A payroll clerk sells employees’ Social Security numbers.

b. A CEO uses a program found online to report false rumors about a competitor’s stock price.

c. A gang member plants an explosive device in a government computer, then threatens to
detonate it if his demands are not met.

d. A consultant creates a computer program that sends letters to customers erroneously
informing them they have an extra 30 days to pay their bill, then sells the program to the highest
bidder.

61. List the elements of Carter’s taxonomy of computer crime.

63. A private university maintains sensitive information about its donors in both a paper file and an electronic
database. Using the three-part control taxonomy discussed in the chapter, identify and describe two
controls in each category that should be implemented to prevent / detect / correct the risk that such
information might be compromised.

65. Ethan is an information technology security consultant. He has been asked to speak to a local professional
organization about ways to strengthen internal controls against computer crime, and wants to relate his
comments to the CoBIT framework. Prepare a short summary of the key points Ethan should make in his
presentation; ensure that each one has a clear relationship to the CoBIT framework.
11 Key
1. According to Carter’s taxonomy, use of a computer to further a criminal end refers to which of the
following categories?

A. Target
B. Instrumentality
C. Incidental
D. Associated
BLOOM: Knowledge
Difficulty: Easy
Hurt - Chapter 11 #1
LO 1
2. Which category of computer crime in Carter’s taxonomy recognizes that the presence of computers
has generated new versions of traditional crimes?

A. Target
B. Instrumentality
C. Incidental
D. Associated
BLOOM: Knowledge
Difficulty: Easy
Hurt - Chapter 11 #2
LO 1
3. George received an e-mail that threatened to release his personal financial data unless he paid a
fee. Which category of computer crime best describes that situation?

A. Target
B. Instrumentality
C. Incidental
D. Associated
BLOOM: Comprehension
Difficulty: Medium
Hurt - Chapter 11 #3
LO 1
4. A bank’s information system was hacked in an effort to obtain clients’ personal financial
information. Which category of computer crime best describes that situation?

A. Target
B. Instrumentality
C. Incidental
D. Associated
BLOOM: Comprehension
Difficulty: Medium
Hurt - Chapter 11 #4
LO 1
5. The terms target, instrumentality, incidental and associated from Carter’s taxonomy are most closely
associated with which form of risk from Brown’s taxonomy?

A. Human error
B. Liquidity
C. Systems
D. Market
BLOOM: Application
Difficulty: Medium
Hurt - Chapter 11 #5
LO 1
6. Computer crimes that fall under Carter’s “target” category are most closely associated with which
generic element of an accounting information system?
A. Processing
B. Storage
C. Both A and B
D. Neither A nor B
BLOOM: Application
Difficulty: Medium
Hurt - Chapter 11 #6
LO 1
10. Business risks and threats to information systems include all of the following except:

A. Error
B. Intrusions
C. Malicious software
D. Instrumentality
BLOOM: Knowledge
Difficulty: Easy
Hurt - Chapter 11 #10
LO 2
11. George received an e-mail that threatened to release his personal financial data unless he paid a
fee. That situation is an example of:

A. Extortion
B. Intrusion
C. Information manipulation
D. Error
BLOOM: Comprehension
Difficulty: Medium
Hurt - Chapter 11 #11
LO 2
12. An information systems development company routinely creates a password that they do not disclose
to their clients. In that way, the development company can bypass any security the client adds on later
if the system needs maintenance. The client’s information system is therefore at greatest risk for:

A. Error
B. Intrusion
C. Web site defacement
D. Extortion
BLOOM: Comprehension
Difficulty: Medium
Hurt - Chapter 11 #12
LO 2
13. The risk of disclosure of confidential information is most closely related to which category in Carter’s
taxonomy?

A. Target
B. Instrumentality
C. Both A and B
D. Neither A nor B
BLOOM: Application
Difficulty: Medium
Hurt - Chapter 11 #13
LO 2
14. Malicious software, such as a logic bomb, is most closely related to which generic element of the
accounting information system?
A. Inputs
B. Processing
C. Outputs
D. Storage
BLOOM: Application
Difficulty: Medium
Hurt - Chapter 11 #14
LO 2
15. Disclosure of confidential information is one risk associated with information technology. Which of
the following would be considered confidential information?

A. The stock price of Microsoft
B. The book value of Disney Corporation’s fixed assets
C. The social security numbers of GE’s board of directors
D. All of the above are examples of confidential information.
BLOOM: Analysis
Difficulty: Hard
Hurt - Chapter 11 #15
LO 2
16. The difference between “error” and “information manipulation” as business risks associated with
information technology is:

A. The person’s intent
B. The kind of information involved
C. The potential dollar amount of the loss
D. The classification on Carter’s taxonomy
BLOOM: Analysis
Difficulty: Hard
Hurt - Chapter 11 #16
LO 2
19. are driven by financial gain.

A. Hackers, cyber-criminals
B. Cyber-criminals, hackers
C. Corporate spies, terrorists
D. Terrorists, corporate spies
BLOOM: Knowledge
Difficulty: Easy
Hurt - Chapter 11 #19
LO 3
20. Which of the following types of computer criminal is least likely to be motivated by financial gain?

A. Script kiddie
B. Cyber-criminal
C. Corporate spies
D. Organized crime
BLOOM: Comprehension
Difficulty: Medium
Hurt - Chapter 11 #20
LO 3
21. Which type of computer criminal is likely to launch a denial-of-service attack?

A. Terrorist
B. Hacker
C. Both A and B
D. Neither A nor B
BLOOM: Application
Difficulty: Medium
Hurt - Chapter 11 #21
LO 3
22. Organized crime and hackers are most likely to be included in which element of an enterprise risk
management plan based on the COSO framework?

A. Internal environment
B. Event identification
C. Objective setting
D. Control activities
BLOOM: Application
Difficulty: Medium
Hurt - Chapter 11 #22
LO 3
27. All of the following are elements of the CIA triad except:

A. Clarity
B. Confidentiality
C. Availability
D. Data integrity
BLOOM: Knowledge
Difficulty: Easy
Hurt - Chapter 11 #27
LO 4
28. A firewall is an example of which type of control?

A. Physical security
B. Technical security
C. Administrative security
D. Enterprise security
BLOOM: Comprehension
Difficulty: Medium
Hurt - Chapter 11 #28
LO 4
29. WER Corporation forces its employees to change their system password every six months. Which
type of security control best describes the company’s policy?

A. Physical
B. Technical
C. Administrative
D. Hacking
BLOOM: Application
Difficulty: Medium
Hurt - Chapter 11 #29
LO 4
30. At HCK Corporation, only employees in the information systems department can install new software
on a computer. Which type of security control best describes that practice?

A. Physical
B. Technical
C. Administrative
D. Practice
BLOOM: Application
Difficulty: Medium
Hurt - Chapter 11 #30
LO 4
31. Consider the following short case as you respond to the next question:

Melissa is an internal auditor for the County of Bufflufia. Her job responsibilities include providing
training on information systems security and checking the work of data entry clerks. Melissa is also
part of a team that responds to denial-of-service attacks on the county’s information system. Her co-
worker, Eugene, ensures that all the county’s computers have the most up-to-date antivirus software;
he also enforces the county’s policy of backing up sensitive data, such as employee social security
numbers and other payroll information, at least once a day. The back-ups are dated and stored in a
locked filing cabinet.
Which employee has responsibilities related to technical security controls?

A. Melissa only
B. Eugene only
C. Both Melissa and Eugene
D. Neither Melissa nor Eugene
BLOOM: Analysis
Difficulty: Hard
Hurt - Chapter 11 #31
LO 4
32. Consider the following short case as you respond to the next question:
Melissa is an internal auditor for the County of Bufflufia. Her job responsibilities include providing
training on information systems security and checking the work of data entry clerks. Melissa is also
part of a team that responds to denial-of-service attacks on the county’s information system. Her co-
worker, Eugene, ensures that all the county’s computers have the most up-to-date antivirus software;
he also enforces the county’s policy of backing up sensitive data, such as employee social security
numbers and other payroll information, at least once a day. The back-ups are dated and stored in a
locked filing cabinet.
Which employee has responsibilities related to all three elements of the CIA triad?

A. Melissa only
B. Eugene only
C. Both Melissa and Eugene
D. Neither Melissa nor Eugene
BLOOM: Analysis
Difficulty: Hard
Hurt - Chapter 11 #32
LO 4
33. Consider the following short case as you respond to the next question:

Melissa is an internal auditor for the County of Bufflufia. Her job responsibilities include providing
training on information systems security and checking the work of data entry clerks. Melissa is also
part of a team that responds to denial-of-service attacks on the county’s information system. Her co-
worker, Eugene, ensures that all the county’s computers have the most up-to-date antivirus software;
he also enforces the county’s policy of backing up sensitive data, such as employee social security
numbers and other payroll information, at least once a day. The back-ups are dated and stored in a
locked filing cabinet.
Which of the following statements is most true?

A. Eugene’s responsibilities span both physical and technical controls.
B. Melissa’s responsibilities are related to at least one element of the CIA triad.
C. Both A and B are true.
D. Neither A nor B is true.
BLOOM: Synthesis
Difficulty: Hard
Hurt - Chapter 11 #33
LO 4
34. Consider the following short case as you respond to the next question:
Melissa is an internal auditor for the County of Bufflufia. Her job responsibilities include providing
training on information systems security and checking the work of data entry clerks. Melissa is also
part of a team that responds to denial-of-service attacks on the county’s information system. Her co-
worker, Eugene, ensures that all the county’s computers have the most up-to-date antivirus software;
he also enforces the county’s policy of backing up sensitive data, such as employee social security
numbers and other payroll information, at least once a day. The back-ups are dated and stored in a
locked filing cabinet.
Melissa’s responsibilities relate to which elements of the CIA triad?

A. Confidentiality and availability
B. Confidentiality and data integrity
C. Availability and data integrity
D. None of the above
BLOOM: Synthesis
Difficulty: Hard
Hurt - Chapter 11 #34
LO 4
35. CoBIT’s information criteria include all of the following except:

A. The elements of the CIA triad.
B. Effectiveness and efficiency.
C. Truthfulness.
D. Compliance and reliability.
BLOOM: Knowledge
Difficulty: Easy
Hurt - Chapter 11 #35
LO 5
36. Randall works in the information security department of RDN Corporation; Felix is on the board of
directors of RDN. Which of the following statements is most true?

A. Randall should inform Felix about information governance control.
B. Felix should inform Randall about information governance control.
C. Only Felix is accountable to RDN’s shareholders.
D. Felix can never interact with RDN’s external auditors.
BLOOM: Comprehension
Difficulty: Medium
Hurt - Chapter 11 #36
LO 5
37. Based on the CoBIT accountability framework, which of the following statements is most true?

A. Maria, a member of the Board of Directors, should give information on information governance
control to any corporate stakeholder who asks for it.
B. Erin, the lead partner on a corporation’s external audit team, should share information only with the
board of directors.
C. Both A and B are true.
D. Neither A nor B is true.
BLOOM: Application
Difficulty: Medium
Hurt - Chapter 11 #37
LO 5
38. Based on the CoBIT accountability framework, which of the following statements is most true?

A. Julie, an employee of SNB Corporation, is accountable to SNB’s board of directors.
B. Mark, a member of SNB Corporation’s board of directors, is accountable to SNB’s information
security management employees.
C. Both A and B are true.
D. Neither A nor B is true.
BLOOM: Application
Difficulty: Medium
Hurt - Chapter 11 #38
LO 5
39. The CoBIT framework discusses seven information criteria. Consider the pairs of items below; which
one violates the criterion indicated?
A. Effectiveness: market value of short-term investments
B. Confidentiality: employee payroll data are kept in a locked filing cabinet
C. Integrity: variances between expected sales and actual sales
D. Compliance: general-purpose financial statements included in a 10-K filing
BLOOM: Analysis
Difficulty: Hard
Hurt - Chapter 11 #39
LO 5
40. BSD Corporation developed an internal control plan using the COSO framework. Based on the CoBIT
accountability framework, which of the following statements is most true?

A. External auditors are responsible to all organizational stakeholders for communicating information
from the plan.
B. The board of directors is responsible to all organizational stakeholders for communicating
information from the plan.
C. Both A and B are true.
D. Neither A nor B is true.
BLOOM: Analysis
Difficulty: Hard
Hurt - Chapter 11 #40
LO 5
41. The CoBIT framework identifies seven information criteria; the FASB conceptual framework includes
four qualitative characteristics of accounting information, as well as several assumptions, principles
and constraints. Which of the following statements about them is most true?

A. The “effectiveness” criterion in CoBIT is related to the primary qualitative characteristic
of “relevance” in the FASB conceptual framework.
B. The “cost effectiveness” constraint in the FASB conceptual framework and the “effectiveness”
criterion in CoBIT express the same idea in different ways.
C. Both A and B are true.
D. Neither A nor B is true.
BLOOM: Synthesis
Difficulty: Hard
Hurt - Chapter 11 #41
LO 5
42. The CoBIT framework identifies seven information criteria; the FASB conceptual framework includes
four qualitative characteristics of accounting information, as well as several assumptions, principles
and constraints. Which of the following statements about them is most true?

A. The “confidentiality” criterion in CoBIT contradicts the “full disclosure” principle in the FASB
conceptual framework.
B. The “reliability of information” criterion in CoBIT is most closely related to one of the secondary
qualitative characteristics in the FASB conceptual framework.
C. Both A and B are true.
D. Neither A nor B is true.
BLOOM: Synthesis
Difficulty: Hard
Hurt - Chapter 11 #42
LO 5
43. CoBIT can be used to strengthen internal controls against computer crime by:

A. Ensuring that information produced by the AIS conforms to the framework’s seven information
criteria.
B. Clarifying reporting relationships and responsibilities via the accountability framework.
C. Both A and B are true.
D. Neither A nor B is true.
BLOOM: Knowledge
Difficulty: Easy
Hurt - Chapter 11 #43
LO 6
44. A denial-of-service attack prevents computer systems from functioning in accordance with their
intended purpose. Thus, a denial-of-service attack is most closely related to which information
criterion from the CoBIT framework?

A. Availability
B. Confidentiality
C. Compliance
D. Information governance
BLOOM: Comprehension
Difficulty: Medium
Hurt - Chapter 11 #44
LO 6
45. The CoBIT framework looks at the issue of internal control from three points of view. An
organization’s hardware and software configuration is most closely related to:

A. Business objectives.
B. Information technology resources.
C. Information technology processes.
D. Information criteria.
BLOOM: Application
Difficulty: Medium
Hurt - Chapter 11 #45
LO 6
46. The CoBIT framework looks at the issue of internal control from three points of view. If NTS
Corporation’s strategic plan includes a statement about planned increases in sales, which of the
following statements is most true?

A. The statement is unrelated to any of the three points of view.
B. The statement is related to the “business objective” point of view.
C. The statement is meaningful only if the planned increases were predicted with a computer model.
D. The statement ensures that sales figures conform to all seven information criteria in the CoBIT
framework.
BLOOM: Application
Difficulty: Medium
Hurt - Chapter 11 #46
LO 6
47. The CoBIT framework is divided into four domains of knowledge. Suppose TPC Corporation uses the
systems development life cycle for new IT projects. Which of the following statements is most true?

A. The systems development life cycle cannot be used as a form of internal control; it is therefore
unrelated to the CoBIT framework.
B. The seven steps in the systems development life cycle span all four domains of knowledge from the
CoBIT framework.
C. The CoBIT framework requires the use of the systems development life cycle as a form of internal
control.
D. Using the systems development life cycle prohibits TPC from using CoBIT.
BLOOM: Analysis
Difficulty: Hard
Hurt - Chapter 11 #47
LO 6
48. The CoBIT framework is divided into four domains of knowledge; the text discussed three types of
controls related to information security. Which of the following statements is most true?

A. In the “plan and organize” domain, systems designers should think about all three types of controls.
B. Only technical security controls are relevant in the “deliver and support” domain.
C. Administrative security controls are relevant only in the “plan and organize” domain.
D. No controls are necessary in the “monitor and evaluate” domain.
BLOOM: Analysis
Difficulty: Hard
Hurt - Chapter 11 #48
LO 6
49. An organization that uses the CoBIT framework to strengthen internal controls wants to improve the
confidentiality of its information. Which of the following internal controls will best help achieve that
goal?

A. Encryption
B. Security guards
C. Use of the COSO internal control framework
D. Adherence to the steps in the systems development life cycle
BLOOM: Synthesis
Difficulty: Hard
Hurt - Chapter 11 #49
LO 6
50. PCA Corporation maintains its fixed asset records in an Excel spreadsheet, as well as in its general
ledger software. An internal auditor for PCA downloaded the Excel spreadsheet, then verified the
information in it against both the general ledger software and the actual fixed assets in use. Which of
the following statements is most true?

A. Internal auditors should not be viewed as a form of internal control.
B. PCA is legally required to follow the CoBIT accountability framework, which includes internal
auditors, to meet the information criterion of compliance.
C. The internal auditor’s actions help PCA achieve integrity in its information.
D. Information about fixed assets is confidential; the internal auditor’s actions conflict with the
information criterion of confidentiality.
BLOOM: Synthesis
Difficulty: Hard
Hurt - Chapter 11 #50
LO 6
51. Based on the list provided in the text, indicate the type of computer criminal described in each of the
following.
a. A young, inexperienced hacker who uses tools written by others for the purpose of attacking
systems
b. Could seriously disrupt power grids, telecommunications and transportation
c. Hackers driven by financial gain
d. Recruit talented hackers to handle the technical aspects of crime
e. Someone who invades an information system for malicious purposes
f. Take advantage of networked systems by turning to computer intrusion techniques to gather the
information they desire
g. The largest threat to a company’s information systems

BLOOM: Knowledge
Difficulty: Easy
Hurt - Chapter 11 #51
LO 3
52. Which element of Carter’s taxonomy of computer crime is associated with each item below?
a. Computer is not required for the crime but is related to the criminal act
b. Computer is used to commit the crime
c. Computer use may make a crime more difficult to trace
d. Growth of the Internet creates new ways of reaching victims
e. Objective is to impact the confidentiality, availability and / or integrity of data
f. Presence of computers has generated new versions of fairly traditional crimes
g. Targets the system or its data
h. Technological growth creates new crime targets
i. Use of the computer simplifies criminal actions
j. Uses the computer to further a criminal end

BLOOM: Knowledge
Difficulty: Easy
Hurt - Chapter 11 #52
LO 1
53. In each statement that follows, circle the business risk or threat that most clearly applies based on the
list provided in the text.
a. Disclosure of confidential information or intrusion: Employee data are made available on the
Internet.
b. DOS attacks or extortion: Prevent computer systems from functioning in accordance with their
intended purpose.
c. Error or web site defacement: Digital graffiti
d. Fraud or error: Losses can vary widely depending on where the problem originated.
e. Information theft or information manipulation: An employee creates fake refunds to benefit a
family member.
f. Intrusion or extortion: Main objective is to gain access to a network.
g. Intrusion or service interruption: Classified as accidental, willful neglect or malicious behavior.
h. Malicious software or information theft: Logic bombs, replicating worm, Trojan horse.
i. Service interruption or disclosure of confidential information: Can lead to missed deadlines for
receivables or payables.
j. Web site defacement or extortion: Criminal contacts an organization after successfully stealing
information.

BLOOM: Comprehension
Difficulty: Medium
Hurt - Chapter 11 #53
LO 2
54. For each IT control listed below, indicate the group which most clearly applies: (a) physical security
control, (b) technical security control or (c) administrative security control.
1. Audible alarm when a computer detects a virus-infected e-mail attachment
2. Conflict of interest policy
3. Different passwords for each ERP module
4. Filing cabinets requiring keys
5. Fire suppression systems
6. Keystroke monitoring software
7. Locking compartments in desks
8. Log-ins requiring fingerprint identification
9. Mandatory password rotation
10. Periodic internal audits
BLOOM: Comprehension
Difficulty: Medium
Hurt - Chapter 11 #54
LO 4
55. Information technology controls can be classified as physical, technical or administrative. Consider
each independent situation below; suggest one control from the indicated classification that would
address (prevent / detect / correct) the risk.

a) A bank’s customer database is hacked.
Administrative:
b) A careless employee spills coffee on a network server.
Physical:
c) A corporation’s sales data are manipulated by a member of the sales staff.
Technical:
d) A former employee introduces a logic bomb to a company’s payroll system.
Administrative:
e) A political candidate’s web site is defaced.
Technical:
f) A senior citizen sends money to a fake religious organization based on a fraudulent e-mail.
Administrative:
g) A waitress steals a customer’s credit card number.
Physical:
h) An employee uses work time to shop online using the company’s computer.
Administrative:
i) Corporate spies steal research and development information.
Technical:
j) Fake compromising photos of a corporate CEO are posted to a social networking site.
Technical:

a. regular security audits
b. encase the server in a cabinet
c. system access log
d. policy to remove employees from the system when they leave the company
e. password rotation
f. security training
g. customers pay at the register
h. appropriate use policy
i. encryption
j. firewall
BLOOM: Application
Difficulty: Medium
Hurt - Chapter 11 #55
LO 4
58. The CoBIT framework identifies seven information criteria. In each example below, indicate one
criterion that is met AND one that is not met in the space provided.

Criterion met / Criterion not met

a. Employees’ social security numbers are stored in a locked filing cabinet.
b. A production manager records complete information about inventory counts before taking a
two-week vacation.
c. Sales staff can always tell customers how much inventory was on hand at the end of the
previous month.
d. Information technology is used to count 25% of a corporation’s inventory every week.
e. A secretary generates required Sarbanes-Oxley reports from memory, then shares them with
management.

BLOOM: Analysis
Difficulty: Hard
Hurt - Chapter 11 #58
LO 5
60. The chapter discussed the four elements of Carter’s taxonomy of computer crime, eleven business
risks / threats to information systems and seven common types of computer criminals. Classify each
item below using each of them.

Carter’s taxonomy / Business risk or threat / Type of computer criminal

a. A payroll clerk sells employees’ Social Security numbers.
b. A CEO uses a program found online to report false rumors about a competitor’s stock
price.
c. A gang member plants an explosive device in a government computer, then threatens to
detonate it if his demands are not met.
d. A consultant creates a computer program that sends letters to customers erroneously
informing them they have an extra 30 days to pay their bill, then sells the program to the
highest bidder.

BLOOM: Synthesis
Difficulty: Hard
Hurt - Chapter 11 #60
LO 1
61. List the elements of Carter’s taxonomy of computer crime.

BLOOM: Knowledge
Difficulty: Easy
Hurt - Chapter 11 #61
LO 1
63. A private university maintains sensitive information about its donors in both a paper file and an
electronic database. Using the three-part control taxonomy discussed in the chapter, identify and
describe two controls in each category that should be implemented to prevent / detect / correct the risk
that such information might be compromised.

BLOOM: Application
Difficulty: Medium
Hurt - Chapter 11 #63
LO 4
65. Ethan is an information technology security consultant. He has been asked to speak to a local
professional organization about ways to strengthen internal controls against computer crime, and
wants to relate his comments to the CoBIT framework. Prepare a short summary of the key points
Ethan should make in his presentation; ensure that each one has a clear relationship to the CoBIT
framework.

BLOOM: Synthesis
Difficulty: Hard
Hurt - Chapter 11 #65
LO 6
11 Summary
Category # of Questions
BLOOM: Analysis 15
BLOOM: Application 15
BLOOM: Comprehension 11
BLOOM: Knowledge 10
BLOOM: Synthesis 14
Difficulty: Easy 10
Difficulty: Hard 29
Difficulty: Medium 26
Hurt - Chapter 11 65
LO 1 12
LO 2 11
LO 3 11
LO 4 11
LO 5 11
LO 6 10