
1. Which of the following is NOT a requirement in management’s report on the effectiveness of internal controls over financial reporting?
a. A statement of management’s responsibility for establishing and maintaining adequate internal control user satisfaction.
b. A statement that the organization’s internal auditors have issued an attestation report on management’s assessment of the company’s internal controls.
c. A statement identifying the framework management uses to conduct its assessment of internal controls.
d. An explicit written conclusion as to the effectiveness of internal control over financial reporting.

2. Which of the following is NOT an implication of Section 302 of SOX?
a. Auditors must determine whether changes in internal control have materially affected, or are likely to materially affect, internal control over financial reporting.
b. Auditors must interview management regarding significant changes in the design or operation of internal control that occurred since the last audit.
c. Corporate management (including the CEO) must certify monthly and annually their organization’s internal controls over financial reporting.
d. Management must disclose any material changes in the company’s internal controls that have occurred during the most recent fiscal quarter.

3. Which of the following statements is true?
a. Both the SEC and the PCAOB require the use of the COSO framework.
b. Both the SEC and the PCAOB require the COBIT framework.
c. The SEC recommends COBIT, and the PCAOB recommends COSO.
d. Any framework can be used that encompasses all of COSO’s general themes.
e. Both c and d are true.

4. Which of the following is NOT a control implication of distributed data processing?
a. redundancy
b. user satisfaction
c. incompatibility
d. lack of standards

5. Which of the following disaster recovery techniques may be least optimal in the case of a widespread natural disaster?
a. empty shell
b. ROC
c. internally provided backup
d. they are all equally beneficial

6. Which of the following is NOT a potential threat to computer hardware and peripherals?
a. low humidity
b. high humidity
c. carbon dioxide fire extinguishers
d. water sprinkler fire extinguishers

7. Computer accounting control procedures are referred to as general or application controls. The primary objective of application controls in a computer environment is to
a. ensure that the computer system operates efficiently.
b. ensure the validity, completeness, and accuracy of financial transactions.
c. provide controls over the electronic functioning of the hardware.
d. plan for the protection of the facilities and backup for the systems.

8. Which of the following is NOT a task performed in the audit planning phase?
a. reviewing an organization’s policies and practices
b. determining the degree of reliance on controls
c. reviewing general controls
d. planning substantive testing procedures

9. Which of the following risks does the auditor least control?
a. inherent risk
b. control risk
c. detection risk
d. all are equally controllable

10. Which of the following would strengthen organizational control over a large-scale data processing center?
a. Requiring the user departments to specify the general control standards necessary for processing transactions.
b. Requiring that requests and instructions for data processing services be submitted directly to the computer operator in the data center.
c. Having the database administrator report to the manager of computer operations.
d. Assigning maintenance responsibility to the original system designer who best knows its logic.
e. None of the above

1. The database attributes that individual users have permission to access are defined in the
a. operating system.
b. user manual.
c. database schema.
d. user view.
e. application listing.

2. An integrated group of programs that supports the applications and facilitates their access to specified resources is called a(n)
a. operating system.
b. database management system.
c. utility system.
d. facility system.
e. object system.

3. The purpose of a checkpoint procedure is to facilitate restarting after
a. data processing errors.
b. data input errors.
c. the failure to have all input data ready on time.
d. computer operator intervention.
e. echo check failures.

4. A user’s application may consist of several modules stored in separate memory locations, each with its own data. One module must not be allowed to destroy or corrupt another module. This is an objective of
a. operating system controls.
b. data resource controls.
c. computer center and security controls.
d. application controls.

5. A program that attaches to another legitimate program but does NOT replicate itself is called a
a. virus.
b. worm.
c. Trojan horse.
d. logic bomb.

6. Which of the following is NOT a data communications control objective?
a. maintaining the critical application list
b. correcting message loss due to equipment failure
c. preventing illegal access
d. rendering useless any data that a perpetrator successfully captures

7. Reviewing database authority tables is a(n)
a. access control.
b. organizational structure control.
c. data resource control.
d. operating resource control.

8. Hackers can disguise their message packets to look as if they came from an authorized user and gain access to the host’s network using a technique called
a. spoofing.
b. spooling.
c. dual-homed.
d. screening.

9. Transmitting numerous SYN packets to a targeted receiver, but NOT responding to an ACK, is
a. a DES message.
b. the request-response technique.
c. a denial of service attack.
d. a call-back device.
