Final Exam 2

In addition to focusing on controls, COBIT 5 expands its scope by incorporating which of the following broad perspectives?

How IT brings value to the firm.

How IT can automate specific business processes.

IT networking requirements.

IT cost reductions.

The Sarbanes-Oxley Act (SOX) was passed as a response to which of the following events?

The savings & loan scandals of the 1980s.

The bust of dot-com bubble companies such as pets.com and Webvan.

Corporate reporting scandals by companies such as WorldCom, Enron, and Tyco.

Securities manipulation and insider trading in the 1930s.

Which of the following best describes why firms choose to create codes of ethics?

Because most people will not behave ethically without a written set of guidelines.

Codes of ethics protect firms against lawsuits that may be filed due to corporate fraud.

They allow firms to create a formal set of expectations for employees who may have different sets of personal values.

Companies must have a written code of ethics in order to conduct interstate commerce in the U.S.

Internal controls guarantee the accuracy and reliability of accounting records.

true

false

According to COSO 2013, which of the following components of the enterprise risk management addresses an entity’s integrity and ethical values?

Information and communication.

Internal environment.

Risk assessment.

Control activities.

Which of the following represents an inherent risk for a financial institution?

Bank reconciliations are not performed on a timely basis.

The economy goes into a recession.

Customer credit check not performed.

An error occurs in a loan loss calculation.

Which of the following is the best way to compensate for the lack of adequate segregation of duties in a small organization?

Disclosing lack of segregation of duties to external auditors during the annual review.

Replacing personnel every three or four years.

Requiring accountants to pass a yearly background check.

Providing greater management oversight of incompatible activities.

Which of the following is not a component of internal control as defined by COSO?

Control environment.

Control activities.

Inherent risk.

Monitoring.

All of the following are the primary functions of internal controls except:

Prevention.

Reflection.

Detection.

Correction.

The framework to be used by management in its internal control assessment under requirements of SOX is the:

COSO internal control framework.

COSO enterprise risk management framework.

COBIT framework.

All of the choices are correct.

The internal control provisions of SOX apply to which companies in the United States?

All companies.

SEC registrants.

All issuer (public) companies and nonissuer (nonpublic) companies with more than $100,000,000 of net worth.

All nonissuer companies.

The ISO 27000 Series of standards are designed to address which of the following?

Corporate governance.

Internal controls.

Information security issues.

IT value.

Blockchain was built to minimize the use of:

US Dollars.

Regulators.

Intermediaries.

Accountants.

What is not a general function of blockchain technology?

Transfer digital assets.

Authenticate identities.

Generation of bitcoin.

Ability to create value.

Which of the following is not benefit of blockchain?

Past information is easily edited.

New transactions are propagated to all participants.

Consensus must be reached to propagate transactions.

Participating parties do not need to trust each other.

In which of the following situations would blockchain add value?

Multiple parties that do not trust each other want to collaborate.

Management would like to automate routine tasks.

A prediction on weather related losses is needed.

Contracts need to be reviewed for revenue recognition.

To be considered blockchain a technology must have all of the following except:

Rewardability.

Consensus.

Immutability.

Decentralization.

When an accounting team automates account reconciliations this is an example of:

Robotic process automation.

Spreadsheet automation.

Natural language automation.

Internet automation.

When a bank has an input file of FICO scores and uses machine learning to help predict credit losses for each customer, they are likely using which type of learning?

Reinforcement Learning.

Unsupervised Learning.

Supervised Learning.

Matrix Learning.

Which of the following is the best description of neural networks?

Mathematical models that convert inputs to outputs/predictions.

Intelligence exhibited by machines rather than humans.

A blockchain network where participants need permission to join the network.

A ledger where individual entries are separate in time and location.

Artificial Intelligence can include all of the following except:

Database programming.

Visual perception.

Logical thinking.

Language translation.

One of the largest challenges across the accounting industry for auditing firms which use blockchain is:

Understanding business activities.

Continuous monitoring.

Deciphering cryptocurrency.

A gap in skillset.

When using an analytical mindset which of the following is the first task?

Master the data.

Share the story.

Ask the right question.

Request data.

Which type of analysis assists with understanding why something happened during the third step of the AMPS model, performing the analysis?

Descriptive.

Diagnostic.

Predictive.

Prescriptive.

Which type of analysis assists with defining how to optimize performance based on a potential constraint?

Descriptive.

Diagnostic.

Predictive.

Prescriptive.

Which type of analysis assists with understanding what is happening right now?

Descriptive.

Diagnostic.

Predictive.

Prescriptive.

Which of the following best summarizes the two key limiting factors for business systems when dealing with Big Data?

Data storage capacity and processing power.

Data availability and software tools.

Database organization and transaction volume.

Analytic skills and software tools.

As described in the text, which of the following best defines the term data analytics?

The ability extra and load large datasets.

The science of moving data from Access to Enterprise Reporting Tools to draw conclusions for decision making.

The process of organizing extremely large datasets to create more manageability.

The science of examining raw data, removing excess noise, and organizing it in order to draw conclusions for decision making.

The four Vs are considered a defining feature of big data. Which of the following is the best definition of the term big data?

Volition, veracity, velocity & variety.

Variety, visibility, velocity & valuation.

Volume, veracity, velocity, & variety.

Volume, variability, variety & veracity.

How does data analytics play a vital role in today’s business world?

By allowing data to be organized into predefined tables and fields.

By defining three main categories of classes that help organize a company’s data structure models.

By examining data to generate models for predictions of patterns and trends.

By capturing the ever-increasing transaction activity of large companies.

Which of the following is not a part of the AMPS model?

Ask the right questions.

Share the story.

Master the data.

Parse the data.

Which of the following is the best definition of the term big data?

Databases measured in terms of zettabytes.

Datasets that are too large and complex for businesses’ existing systems utilizing traditional capabilities.

Databases for businesses that generate more than one million electronic transactions per month.

Datasets generated by social media applications such as Facebook, Twitter, Tencent QQ, and Instagram.

Select a correct statement regarding encryption methods?

To use symmetric-key encryption, each user needs two different keys

Most companies prefer using symmetric-key encryption than asymmetric-key encryption method

Both symmetric-key and asymmetric-key encryption methods require the involvement of a certificate authority

When conducting e-business, most companies use both symmetric-key and asymmetric-key encryption methods

Which of the following describes the primary goals of the CIA approach to information security management

Controls, Innovation, Analysis

Confidentiality, Integrity, Availability

Convenience, Integrity, Awareness

Confidentiality, Innovation, Availability

Which of the following best illustrates the use of multifactor authentication?

Requiring password changes every 30, 60, 90 days

Requiring the use of a smart card and a password

Requiring the use of upper case, lower case, numeric, and special characters for a password

The use of fingerprint scanner for access to a device

For businesses considering a cloud computing solution, which of the following should they ask the cloud vendor to provide before entering into a contract for critical business operations?

FASB 51

Report Audit Report

SAS 3 Report

SOC 2 Report

In general, the goal of information security management is to protect all of the following except:

Confidentiality

Integrity

Availability

Redundancy

What is the primary objective of data security controls?

To establish a framework for controlling the design, security, and use of computer programs throughout the organization

To ensure that the data storage media are subject to authorization prior to access, change, or destruction

To formalize standard rules and procedures to ensure the organization’s control are properly executed

To monitor the use of system software to prevent unauthorized access to system software and computer programs

An entity doing business on the internet most likely could use any of the following methods to prevent unauthorized intruders from accessing proprietary information except:

Password management

Data encryption

Digital certificates

Batch processing

An information technology director collecting the names and locations of key vendors, current hardware configuration, names of team members, and an alternative processing location. What is the director most likely preparing?

Data restoration plan

Disaster recovery plan

System security policy

System hardware policy

Which of the following is a password security weakness?

Users are assigned passwords when accounts are created, but do not change them

Users have accounts on several systems with different passwords

Users write down their passwords on a note paper and carry it with them

Users select passwords that are not part of an online password directory

To prevent invalid data input, a bank added an extra number at the end of each account number and subjected the new number to an algorithm. This technique is known as:

A validation check

Check digit verification

A dependency check

A format check

Why would companies want to use digital signatures when conducting e-business?

They are cheap

They are always the same so it can be verified easily

They are more convenient that requiring a real signature

They can authenticate the document sender and maintain data integrity

Ben goes to his bank to wire transfer $1,000 to his sister Jennifer. The role of the bank in this transaction is best described as:

miner.

blockchain.

middleman.

consensus.

Which of the following statements is true?

Because blockchain transactions are stored in chronological order, you may trace a block from an earlier transaction block to the most recent block in the blockchain.

Both permissioned and public blockchains need miners to determine which transaction block should be added next.

Ethereum is a private blockchain.

Smart contract was introduced in Ethereum.

Which feature cannot be found in bitcoin?

Double spend

Anyone can join and leave the bitcoin network at any time

Immutable history of transactions

A new block is added every 10 minutes

In the Ethereum network:

mining of Ether occurs at a constant rate.

transaction fees are higher than Bitcoin.

miner uses SHA256 to determine if a block is a valid block.

because a smart contract describes business rules and is also flexible for different industries, it can be modified to fit the business after a block is inserted to the Ethereum network.

A selected set of organizations may run a blockchain node separately for keeping the transaction records. Administrators from the organizations establish the access rights and permissions for each participant. This type of blockchain is often called:

public blockchain.

permissionless blockchain.

private blockchain.

consortium blockchain.

Which of the following statement is false?

A distributed ledger contains many copies of the same ledger.

A distributed ledger stores the same set of transaction records.

Because a distributed ledger exists in a blockchain network, a computer consisting of all transaction records may crash and cause the syncing issue in the blockchain network.

A transaction record cannot be added to the blockchain unless there is network consensus.

Which of the following statement is false?

Hyperledger is an open source blockchain platform created by the Linux foundation.

Hyperledger is a permissioned blockchain with capabilities of handling smart contracts.

The main objective of Hyperledger is to achieve cross-industry collaboration with blockchain technology.

Hyperledger is a public blockchain.

When we refer to smart contract in blockchain, we mean:

a contract that can be edited at any time for business rules.

a digital copy of paper contract such as a Word file.

a piece of software code that can be executed or triggered by business activities.

a digital contract that can be distributed all to the participants with all terms defined.

What information does a block in the Bitcoin network not contain?

The sender

The receiver

The quantity of bitcoins to transfer

The sender and the receiver

None, a block contains all of this information.

Which of the following is not true with respect to artificial intelligence?

AI is a broad field in computer science.

AI is intelligence exhibited by machines rather than humans.

AI began in the 1990s.

AI is also called cognitive technologies.

None of these is true.

Which of the following best describes the difference between artificial intelligence and machine learning?

Machine learning is a subset of AI.

Machine learning only applies to deep learning algorithms.

AI and machine learning are the same thing.

Machine learning requires less data than AI.

None of these choices are correct.

Which of the following best describes artificial neural networks?

Training a neural network involves the use of real-world data.

Deep learning is required for a neural network.

Neural networks consist of inputs, neurons or nodes, and outputs.

Neural networks only have two layers.

None of these choices are correct.

Which of the following best describes supervised learning?

The training data contain missing labels or incomplete data.

The training data match inputs to nodes in the network.

The training data contain input—output pairs.

The training data only include input values.

None of these choices are correct.

Which of the following best describes a confusion matrix?

It is a table summarizing the prediction results.

It has as many rows and columns as classifications to predict.

It can be used to calculate other performance metrics.

All of these choices are correct.

If a confusion matrix shows 46 TP, 6 FN, 500 TN, and 4 FP, what is the precision ratio? (Round your answer to 2 decimal places.)

0.90

0.92

0.98

0.88

None of these choices are correct.

If a confusion matrix shows 46 TP, 6 FN, 500 TN, and 4 FP, what is the recall ratio? (Round your answer to 2 decimal places.)

0.90

0.92

0.98

0.88

None of these choices are correct.

If a confusion matrix shows 46 TP, 6 FN, 500 TN, and 4 FP, what is the accuracy ratio? (Round your answer to 2 decimal places.)

0.90

0.92

0.98

0.88

None of these choices are correct.

If a confusion matrix shows 25 TP, 5 FN, 1000 TN, and 5 FP, what is the precision ratio? (Round your answer to 2 decimal places.)

0.90

0.92

0.99

0.83

None of these choices are correct.

If a confusion matrix shows 25 TP, 5 FN, 1000 TN, and 5 FP, what is the recall ratio? (Round your answer to 2 decimal places.)

0.90

0.92

0.99

0.83

None of these choices are correct.

If a confusion matrix shows 25 TP, 5 FN, 1000 TN, and 5 FP, what is the accuracy ratio? (Round your answer to 2 decimal places.)

0.90

0.92

0.99

0.83

None of these choices are correct.

Which of the following statements is false?

private blockchain requires permission to join the network

bitcoin uses smart contract to specify the business rules

in Ethereum, a new block is added evert 12 to 15 seconds

blockchain transactions are immutable

Which of the following is created mainly for cryptocurrency application?

ethereum

hyperledger

corda

bitcoin

What is a requirement of the proof of authority algorithm?

a few members have known identities

a portion of the miner's blocks will be locked until it is validated

large quantities of computer power are requires to solve a complex mathematical problem

none of these are a requirement of the proof of authority algorithm

Which of the following best describes the difference between AI and machine learning?

machine learning is a subset of AI

machine learning only applies to deep learning algorithm

AI and machine learning are the same thing d. machine learning requires less data than AI

Which of the following best describes machine learning?

machine learning is driven by programming instructions.

machine learning is a different branch of computer science from AI

machine learning is a technique where a software model is trained using data

machine learning is the ability of a machine to think on its own.

e. none of these

which of the following is not part of the virtuous cycle of machine learning?

model

learn.

predict

data

none of these

which of the following best describes artificial neural networks?

training a neural network involves the use of real-world data

deep learning is required for a neural network

neural networks consist of inputs, neurons or nodes, and output

neural networks only have two layers e. none of these

Which of the following best describes deep learning?

deep learning is used to solve philosophical problems.

deep learning involves complex, multilayer neural networks

deep learning is different from machine learning in fundamental ways

deep learning provides more output values than machine learning

none of these

Which of the following is not directly related to one of the five questions that machine learning/AI is best suited to answer?

which business strategy will be most successful?

is the firm a good merger candidate?

what type of customer will like this new product

how much can we sell this product for?

none of these

Which of the following best describes unsupervised learning?

the training data contain missing labels or incomplete data

the training data match inputs to nodes in the network

the training data contain d. the training data only include values

none of these

Which of the following best describes semi-supervised learning?

the training data contain missing labels or incomplete data

the training data match inputs to nodes in the network

the training data contain input-output pairs

the training data only include values

none of these

Which of the following best describes reinforcement learning?

the model determines how elements of the dataset are alike

the training data match inputs to nodes in the network

the training data contain input-output pairs

the model learns by trial and error

none of these

(CISA exam, adapted) Authentication is the process by which the:

system verifies that the user is entitled to enter the transaction requested. user identifies him- or herself to the system. system verifies the identity of the user. user indicates to the system that the transaction was processed correctly.

(CMA exam, adapted) Data processing activities may be classified in terms of three stages or processes: input, processing, and output. An activity that is not normally associated with the input stage is:

batching. verifying. recording. reporting.

(CISA exam, adapted) To ensure confidentiality in an asymmetric-key encryption system, knowledge of which of the following keys is required to decrypt the receive message?

Private Public I II Both I and II Neither I nor II

To authenticate the message sender in an asymmetric-key encryption system, which of the following keys is required to decrypt the received message?

Sender's private key Receiver's private key Sender's public key Receiver's public key

To ensure the data sent over the Internet are protected, which of the following keys is required to encrypt the data (before transmission) using an asymmetric-key encryption method?

Sender's public key Sender's private key Receiver's public key Receiver's private key

Which of the following groups/laws was the earliest to encourage auditors to

PCAOB COBIT SAS No. 99 COSO Sarbanes-Oxley Act

Incentive to commit fraud usually will include all of the following, except:

inadequate segregation of duties. alcohol, drug, or gambling addiction. feelings of resentment. personal habits and lifestyle. financial pressure.

(CPA exam, adapted) An information technology director collected the names and locations of key vendors, current hardware configuration, names of team members, and an alternative processing location. What is the director most likely preparing?

System hardware policy Internal control policy Disaster recovery plan Supply chain management policy System security policy

A message digest is the result of hashing. Which of the following statements about the hashing process is true?

It is reversible. Comparing the hashing results can ensure confidentiality. Hashing is the best approach to make sure that two files are identical. None of the choices are true.

Which one of the following vulnerabilities would create the most serious risk to a firm?

Employees writing instant messages with friends during office hours Unauthorized access to the firm's network Employees recording passwords in Excel files Using open source software (downloaded for free) on the firm's network

Which of the following statements is correct?

SOC 1 reports provide the evaluations on a broader set of controls implemented by the service provider. A spam will send a network packet that appears to come from a source other than its actual source. Multifactor authentication is less secure than requiring a user always entering a password to access a network. Fault tolerance uses redundant units to provide a system with the ability to continue functioning when part of the system fails.

Which of the following can be considered as a good alternative to back up data and applications?

Continuous monitoring Business continuity management Cloud computing Disaster recover planning

A digital certificate:

indicates that the subscriber identified has sole control and access to the private key. is used to certify public-key and private-key pairs. ensures that the symmetric-key encryption method functions well. is a trusted entity to certify and revoke Certificate Authorities (CA).

The symmetric-key encryption method:

is slow. solves problems in key distribution and key management. uses the same key for both senders and receivers for encryption and decryption. is not appropriate for encrypting large data sets.

The fraud triangle indicates which of the following condition(s) exist for a fraud to be perpetrated?

rationalization. pressure. legal environment. a and b are correct a, b, and c are correct

To prevent repudiation in conducting e-business, companies must be able to authenticate their trading partners. Which of the following encryption methods can be used for authentication purpose?

Symmetric-key encryption method Asymmetric-key encryption method Both symmetric-key and asymmetric-key encryption methods are good for authentication.

Regarding GDPR, which of the following statements is/are correct?

It is a regulation enforced by EU. It is to protect EU citizens' personal data. It is not relevant to the companies in the U.S. a and b are correct a, b, and c are correct

Which organization created the Reporting on an Entity's Cybersecurity Risk Management Program and Controls: Attestation Guide in 2017?

SEC AICPA US Congress Department of Homeland Security

Business continuity management is a

preventive control. detective control. corrective control. Two of the choices are correct.

Encryption is a

preventive control. detective control. corrective control. Two of the choices are correct.

What is fault tolerance?

A policy allowing employees to make mistakes Using redundant units to continue functioning when a system is failing An application that can detect mistakes and correct mistakes automatically Two of the choices are correct.

Comparing encryption with hashing, which one of the following is correct?

Hashing process is reversible. Encryption is used to ensure data integrity. Hashing results are large data. Encryption results are called cypher text.

Disaster recovery plan is a

preventive control. detective control. corrective control. Two of the choices are correct.

Select a correct statement describing encryption or hashing process.

Encryption process is reversible. Hashing results are called message digests. Hashing process is used to obtain a digital signature. Encryption process is to maintain confidentiality. All of the choices are correct.

Select a correct statement regarding encryption methods.

Most companies prefer using asymmetric-key encryption method for data transmission. Symmetric-key encryption method is used to authenticate trading partners. Only asymmetric-key encryption method can ensure confidentiality. Asymmetric-key encryption method is used to create digital signatures.