SET 1.

ACCOUNTING 503-Auditing in CIS Environment

ASSIGNMENT

1. Goals of Enterprise Resource Planning (ERP) system include all of the following except a. improved customer service b. improvements of legacy systems c. reduced production time d. increased production 2. Core applications are a. sales and distribution b. business planning c. shop floor control and logistics d. all of the above 3. Data warehousing processes does not include a. modeling data b. condensing data c. extracting data d. transforming data 4. Which of the following is usually not part of an ERPs core applications? a. On-line Transaction Processing (OLTP) applications b. sales and distribution applications c. business planning applications d. On-line Analytical Processing (OLAP) applications 5. Which of the following is usually not part of an ERPs OLAP applications? a. logistics b. decision support systems c. ad hoc analysis d. what-if analysis 6. Which of the following statements is least likely to be true about a data warehouse? a. It is constructed for quick searching and ad hoc queries. b. It was an original part of all ERP systems. c. It contains data that are normally extracted periodically from the operating databases. d. It may be deployed by organizations that have not implemented an ERP. 7. Which of the following statements is not true? a. In a typical two-tier client server system, the server handles both application and database duties. b. Client computers are responsible for presenting data to the user and passing user input back to the server. c. In three-tier client server architecture, one tier is for user presentations, one is for database and applications, and the third is for Internet access. d. The database and application functions are separate in the three-tier model. 8. Which statements about data warehousing is not correct? a. The data warehouse should be separate from the operational system. b. Data cleansing is a process of transforming data into standard form. c. Drill-down is a data-mining tool available to users of OLAP. d. Normalization is an requirement of databases included in a data warehouse. 9. Which statement about ERP installation is least accurate? a. For the ERP to be successful, process reengineering must occur.

b. ERP fails because some important business process is not supported. c. When a business is diversified, little is gained from ERP installation. d. The phased-in approach is more suited to diversified businesses. 10. Which statement is true? a. ERPs are infinitely scalable. b. Performance problems usually stem from technical problems, not business process reengineering. c. The better ERP can handle any problems an organization can have. d. ERP systems can be modified using bolt-on software. 11. Auditors of ERP systems a. need not worry about segregation of duties. b. may feel that the data warehouse is too clean and free from errors. c. find independent verification easy. d. need not worry about system access since the ERP determines it. 12. Legacy systems are a. old manual systems that are still in place. b. flat file mainframe systems developed before client-server computing became standard. c. stable database systems after debugging. d. advanced systems without a data warehouse. 13. A data mart is a. another name for a data warehouse. b. a database that provides data to an organizations customers. c. an enterprise resource planning system. d. a data warehouse created for a single function or department. 14. Most ERPs are based on which network model? a. peer to peer b. client-server c. ring topology d. bus topology 15. On-line transaction processing programs a. are bolt-on programs used with commercially available ERSs. b. are available in two modelstwo-tier and three-tier. c. handle large numbers of relatively simple transactions. d. allow users to analyze complex data relationships. 16. Supply chain management software a. is typically under the control of external partners in the chain. b. links all of the partners in the chain, including vendors, carriers, third-party firms, and information systems providers. c. cannot be integrated into an overall ERP. d. none of the above 17. The setup of a data warehouse includes a. modeling the data b. extracting data from operational databases c. cleansing the data d. all of the above 18. Extracting data for a data warehouse a. cannot be done from flat files.

b. should only involve active files. c. requires that the files be out of service. d. follows the cleansing of data. 19. Data cleansing involves all of the following except a. filtering out or repairing invalid data b. summarizing data for ease of extraction c. transforming data into standard business terms d. formatting data from legacy systems 20. Separating the data warehouse from the operations databases occurs for all of the following reasons except a. to make the management of the databases more economical b. to increase the efficiency of data mining processes c. to integrate legacy system data into a form that permits entity-wide analysis d. to permit the integration of data from diverse sources 21. Closed database architecture is a. a control technique intended to prevent unauthorized access from trading partners. b. a limitation inherent in traditional information systems that prevents data sharing. c. a data warehouse control that prevents unclean data from entering the warehouse. d. a technique used to restrict access to data marts. e. a database structure that many of the leading ERPs use to support OLTP applications. 22. Which of the following is NOT as a risk associated with ERP implementation.? a. A drop in firm performance after implementation because the firm looks and works differently than it did while using a legacy system. b. Implementing companies have found that staff members, employed by ERP consulting firms, do not have sufficient experience in implementing new systems. c. Implementing firms fail to select systems that properly support their business activities. d. The selected system does not adequately meet the adopting firms economic growth. e. ERPs are too large, complex, and generic for them to be well integrated into most company cultures.

23. Which statement is LEAST accurate? a. Implementing an ERP system has as much to do with changing the way an organization does business than it does with technology. b. The big-bang approach to ERP implementation is generally riskier than the phased in approach. c. To take full advantage of the ERP process, reengineering will need to occur. d. A common reason for ERP failure is that the ERP does not support one or more important business processes of the organization 24. Auditors of ERP systems a. are concerned about segregation of duties just as they would be in traditional systems. b. focus on output controls such as independent verification because internal processing controls are known to be correct since best practices are used.. c. routinely audit data in the data warehouse because it is know to be clean and free from errors. d. need not review access levels granted to users since these are determined when the system is configured and never change.

25. Which statement is most correct? a. SAP is more suited to service industries than manufacturing clients. b. J.D. Edwardss ERP is designed to accept the best practices modules of other vendors. c. Oracle evolved from a human resources system. d. PeopleSoft is the worlds leading supplier of software for information management. e. SoftBrands provides enterprise software for the hospitality and manufacturing sectors. 26. Auditors of ERP systems a. need not be concerned about segregation of duties because these systems possess strong computer controls. b. focus on output controls such as independent verification to reconcile batch totals. c. are concerned that managers fail to exercise adequate care in assigning permissions. d. do not view the data warehouse as an audit or control issue at all because financial records are not stored there. e. need not review access levels granted to users because these are determined when the system is configured and never change. 27. All of the following are issues of computer security except a. releasing incorrect data to authorized individuals b. permitting computer operators unlimited access to the computer room c. permitting access to data by unauthorized individuals d. providing correct data to unauthorized individuals 28. Segregation of duties in the computer-based information system includes a. separating the programmer from the computer operator b. preventing management override c. separating the inventory process from the billing process d. performing independent verifications by the computer operator 29. In a computer-based information system, which of the following duties needs to be separated? a. program coding from program operations b. program operations from program maintenance c. program maintenance from program coding d. all of the above duties should be separated 30. Supervision in a computerized environment is more complex than in a manual environment for all of the following reasons except a. rapid turnover of systems professionals complicates management's task of assessing the competence and honesty of prospective employees b. many systems professionals have direct and unrestricted access to the organization's programs and data c. rapid changes in technology make staffing the systems environment challenging d. systems professionals and their supervisors work at the same physical location 31. Adequate backups will protect against all of the following except a. natural disasters such as fires b. unauthorized access c. data corruption caused by program errors d. system crashes 32. Which is the most critical segregation of duties in the centralized computer services function? a. systems development from data processing b. data operations from data librarian c. data preparation from data control d. data control from data librarian

33. Systems development is separated from data processing activities because failure to do so a. weakens database access security b. allows programmers access to make unauthorized changes to applications during execution c. results in inadequate documentation d. results in master files being inadvertently erased 34. Which organizational structure is most likely to result in good documentation procedures? a. separate systems development from systems maintenance b. separate systems analysis from application programming c. separate systems development from data processing d. separate database administrator from data processing 35. All of the following are control risks associated with the distributed data processing structure except a. lack of separation of duties b. system incompatibilities c. system interdependency d. lack of documentation standards 36. Which of the following is not an essential feature of a disaster recovery plan? a. off-site storage of backups b. computer services function c. second site backup d. critical applications identified 37. A cold site backup approach is also known as a. internally provided backup b. recovery operations center c. empty shell d. mutual aid pact 38. The major disadvantage of an empty shell solution as a second site backup is a. the host site may be unwilling to disrupt its processing needs to process the critical applications of the disaster stricken company b. intense competition for shell resources during a widespread disaster c. maintenance of excess hardware capacity d. the control of the shell site is an administrative drain on the company 39. An advantage of a recovery operations center is that a. this is an inexpensive solution b. the initial recovery period is very quick c. the company has sole control over the administration of the center d. none of the above are advantages of the recovery operations center 40. For most companies, which of the following is the least critical application for disaster recovery purposes? a. month-end adjustments b. accounts receivable c. accounts payable d. order entry/billing 41. The least important item to store off-site in case of an emergency is a. backups of systems software b. backups of application software c. documentation and blank forms

d. results of the latest test of the disaster recovery program 42. Some companies separate systems analysis from programming/program maintenance. All of the following are control weaknesses that may occur with this organizational structure except a. systems documentation is inadequate because of pressures to begin coding a new program before documenting the current program b. illegal lines of code are hidden among legitimate code and a fraud is covered up for a long period of time c. a new systems analyst has difficulty in understanding the logic of the program d. inadequate systems documentation is prepared because this provides a sense of job security to the programmer 43.All of the following are recommended features of a fire protection system for a computer center except a. clearly marked exits b. an elaborate water sprinkler system c. manual fire extinguishers in strategic locations d. automatic and manual alarms in strategic locations 44. All of the following tests of controls will provide evidence about the physical security of the computer center except a. review of fire marshal records b. review of the test of the backup power supply c. verification of the second site backup location d. observation of procedures surrounding visitor access to the computer center 45. All of the following tests of controls will provide evidence about the adequacy of the disaster recovery plan except a. inspection of the second site backup b. analysis of the fire detection system at the primary site c. review of the critical applications list d. composition of the disaster recovery team 46. The following are examples of commodity assets except a. network management b. systems operations c. systems development d. server maintenance 47. The following are examples of specific assets except a. application maintenance b. data warehousing c. highly skilled employees d. server maintenance 48. Which of the following is true? a. Core competency theory argues that an organization should outsource specific core assets. b. Core competency theory argues that an organization should focus exclusively on its core business competencies c. Core competency theory argues that an organization should not outsource specific commodity assets. d. Core competency theory argues that an organization should retain certain specific non core assets in-house. 49. Which of the following is not true?

a. Large-scale IT outsourcing involves transferring specific assets to a vendor b. Specific assets, while valuable to the client, are of little value to the vendor c. Once an organization outsources its specific assets, it may not be able to return to its pre-outsource state. d. Specific assets are of value to vendors because, once acquired, vendors can achieve economies of scale by employing them with other clients 50. Which of the following is not true? a. When management outsources their organizations IT functions, they also outsource responsibility for internal control. b. Once a client firm has outsourced specific IT assets, its performance becomes linked to the vendors performance. c. IT outsourcing may affect incongruence between a firms IT strategic planning and its business planning functions. d. The financial justification for IT outsourcing depends upon the vendor achieving economies of scale. 51. Which of the following is not true? a. Management may outsource their organizations IT functions, but they cannot outsource their management responsibilities for internal control. b. section 404 requires the explicit testing of outsourced controls. c. The SAS 70 report, which is prepared by the outsourcers auditor, attests to the adequacy of the vendors internal controls. d. Auditors issue two types of SAS 70 reports: SAS 70 Type I report and SAS 70 Type II report. 52. Segregation of duties in the computer-based information system includes separating the programmer from the computer operator preventing management override separating the inventory process from the billing process performing independent verifications by the computer operator

53. A disadvantage of distributed data processing is a. the increased time between job request and job completion. b. the potential for hardware and software incompatibility among users. c. the disruption caused when the mainframe goes down. d. that users are not likely to be involved. 54. Which of the following is NOT a control implication of distributed data processing? a. redundancy b. user satisfaction c. incompatibility d. lack of standards 55. Which of the following disaster recovery techniques may be least optimal in the case of a disaster? a. empty shell b. mutual aid pact c. internally provided backup d. they are all equally beneficial 56. Which of the following is a feature of fault tolerance control? a. interruptible power supplies b. RAID

c. d.

DDP MDP

57. Which of the following disaster recovery techniques is has the least risk associated with it? a. empty shell b. ROC c. internally provided backup d. they are all equally risky 58. Which of the following is NOT a potential threat to computer hardware and peripherals? a. low humidity b. high humidity c. carbon dioxide fire extinguishers d. water sprinkler fire extinguishers 59. Which of the following would strengthen organizational control over a large-scale data processing center? a. Requiring the user departments to specify the general control standards necessary for processing transactions. b. Requiring that requests and instructions for data processing services be submitted directly to the computer operator in the data center. c. Having the database administrator report to the manager of computer operations. d. Assigning maintenance responsibility to the original system designer who best knows its logic. 60. Which of the following is true? a. Core competency theory argues that an organization should outsource specific core assets. b. Core competency theory argues that an organization should focus exclusively on its core business competencies c. Core competency theory argues that an organization should not outsource specific commodity assets. d. Core competency theory argues that an organization should retain certain specific non-core assets in-house. 61. The operating system performs all of the following tasks except a. translates third-generation languages into machine language b. assigns memory to applications c. authorizes user access d. schedules job processing 62. Which of the following is considered an unintentional threat to the integrity of the operating system? a. a hacker gaining access to the system because of a security flaw b. a hardware flaw that causes the system to crash c. a virus that formats the hard drive d. the systems programmer accessing individual user files 63. A software program that replicates itself in areas of idle memory until the system fails is called a a. Trojan horse b. worm c. logic bomb d. none of the above 64. A software program that allows access to a system without going through the normal logon procedures is called a a. logic bomb

b. Trojan horse c. worm d. back door 65. All of the following will reduce the exposure to computer viruses except a. install antivirus software b. install factory-sealed application software c. assign and control user passwords d. install public-domain software from reputable bulletin boards 66. Hackers can disguise their message packets to look as if they came from an authorized user and gain access to the hosts network using a technique called a. spoofing. b. spooling. c. dual-homed. d. screening. 67. Which is not a biometric device? a. password b. retina prints c. voice prints d. signature characteristics 68. All of the following are objectives of operating system control except a. protecting the OS from users b. protesting users from each other c. protecting users from themselves d. protecting the environment from users 69. Passwords are secret codes that users enter to gain access to systems. Security can be compromised by all of the following except a. failure to change passwords on a regular basis b. using obscure passwords unknown to others c. recording passwords in obvious places d. selecting passwords that can be easily detected by computer criminals 70. Audit trails cannot be used to a. detect unauthorized access to systems b. facilitate reconstruction of events c. reduce the need for other forms of security d. promote personal accountability 71. Which control will not reduce the likelihood of data loss due to a line error? a. echo check b. encryption c. vertical parity bit d. horizontal parity bit 72. Which method will render useless data captured by unauthorized receivers? a. echo check b. parity bit c. public key encryption d. message sequencing 73. Which method is most likely to detect unauthorized access to the system? a. message transaction log

b. data encryption standard c. vertical parity check d. request-response technique 74. All of the following techniques are used to validate electronic data interchange transactions except a. value added networks can compare passwords to a valid customer file before message transmission b. prior to converting the message, the translation software of the receiving company can compare the password against a validation file in the firm's database c. the recipient's application software can validate the password prior to processing d. the recipient's application software can validate the password after the transaction has been processed 75. In an electronic data interchange environment, customers routinely access a. the vendor's price list file b. the vendor's accounts payable file c. the vendor's open purchase order file d. none of the above 76. All of the following tests of controls will provide evidence that adequate computer virus control techniques are in place and functioning except a. verifying that only authorized software is used on company computers b. reviewing system maintenance records c. confirming that antivirus software is in use d. examining the password policy including a review of the authority table 77. Audit objectives for communications controls include all of the following except a. detection and correction of message loss due to equipment failure b. prevention and detection of illegal access to communication channels c. procedures that render intercepted messages useless d. all of the above 78. When auditors examine and test the call-back feature, they are testing which audit objective? a. incompatible functions have been segregated b. application programs are protected from unauthorized access c. physical security measures are adequate to protect the organization from natural disaster d. illegal access to the system is prevented and detected 79. In an electronic data interchange (EDI) environment, when the auditor compares the terms of the trading partner agreement against the access privileges stated in the database authority table, the auditor is testing which audit objective? a. all EDI transactions are authorized b. unauthorized trading partners cannot gain access to database records c. authorized trading partners have access only to approved data d. a complete audit trail is maintained 80. Audit objectives in the electronic data interchange (EDI) environment include all of the following except a. all EDI transactions are authorized b. unauthorized trading partners cannot gain access to database records c. a complete audit trail of EDI transactions is maintained d. backup procedures are in place and functioning properly 81. In determining whether a system is adequately protected from attacks by computer viruses, all of the following policies are relevant except

a. b. c. d.

the policy on the purchase of software only from reputable vendors the policy that all software upgrades are checked for viruses before they are implemented the policy that current versions of antivirus software should be available to all users the policy that permits users to take files home to work on them

82. Which of the following is not a test of access controls? a. biometric controls b. encryption controls c. backup controls d. inference controls 83. In an electronic data interchange environment, customers routinely a. access the vendor's accounts receivable file with read/write authority b. access the vendor's price list file with read/write authority c. access the vendor's inventory file with read-only authority d. access the vendor's open purchase order file with read-only authority 84. In an electronic data interchange environment, the audit trail a. is a printout of all incoming and outgoing transactions b. is an electronic log of all transactions received, translated, and processed by the system c. is a computer resource authority table d. consists of pointers and indexes within the database 85. All of the following are designed to control exposures from subversive threats except a. firewalls b. one-time passwords c. field interrogation d. data encryption 86. Many techniques exist to reduce the likelihood and effects of data communication hardware failure. One of these is a. hardware access procedures b. antivirus software c. parity checks d. data encryption 87. Which of the following deal with transaction legitimacy? a. transaction authorization and validation b. access controls c. EDI audit trail d. all of the above 88. Firewalls are a. special materials used to insulate computer facilities b. a system that enforces access control between two networks c. special software used to screen Internet access d. none of the above 89. An integrated group of programs that supports the applications and facilitates their access to specified resources is called a (an) a. operating system. b. database management system. c. utility system d. facility system. e. object system.

90. Transmitting numerous SYN packets to a targeted receiver, but NOT responding to an ACK, is a. a smurf attack. b. IP Spoofing. c. an ACK echo attack d. a ping attack. e. none of the above 91. Which of the following is true? a. Deep Packet Inspection uses a variety of analytical and statistical techniques to evaluate the contents of message packets. b. An Intrusion prevention system works in parallel with a firewall at the perimeter of the network to act as a filer that removes malicious packets from the flow before they can affect servers and networks. c. A distributed denial of service attack is so named because it is capable of attacking many victims simultaneously who are distributed across the internet. d. None of the above are true statements. 92. Advance encryption standard (AES) is a. a 64 -bit private key encryption technique b. a 128-bit private key encryption technique c. a 128-bit public key encryption technique d. a 256-bit public encryption technique that has become a U.S. government standard 93. What do you call a system of computers that connects the internal users of an organization that is distributed over a wide geographic area? a. LAN b. decentralized network c. multidrop network d. Intranet 94. Network protocols fulfill all of the following objectives except a. facilitate physical connection between network devices b. provide a basis for error checking and measuring network performance c. promote compatibility among network devices d. result in inflexible standards 95. To physically connect a workstation to a LAN requires a a. file server b. network interface card c. multiplexer d. bridge 96. Packet switching a. combines the messages of multiple users into one packet for transmission. At the receiving end, the packet is disassembled into the individual messages and distributed to the intended users. b. is a method for partitioning a database into packets for easy access where no identifiable primary user exists in the organization. c. is used to establish temporary connections between network devices for the duration of a communication session. d. is a denial of service technique that disassembles various incoming messages to targeted users into small packages and then reassembles them in random order to create a useless

garbled message. 97. One advantage of network technology is a. bridges and gateways connect one workstation with another workstation b. the network interface card permits different networks to share data c. file servers permit software and data to be shared with other network users d. a universal topology facilitates the transfer of data among networks 98. A virtual private network: a. is a password-controlled network for private users rather than the general public. b. is a private network within a public network. c. is an Internet facility that links user sites locally and around the world. d. defines the path to a facility or file on the web. e. none of the above is true.

99. Which topology has a large central computer with direct connections to a periphery of smaller computers? Also in this topology, the central computer manages and controls data communications among the network nodes. a. star topology b. bus topology c. ring topology d. client/server topology 100. A ping signal is used to initiate a. URL masquerading b. digital signature forging c. Internet protocol spoofing d. a smurf attack e. none of the above is true SET 2. ACCOUNTING 503-Auditing in CIS Environment ASSIGNMENT

1. In a star topology, when the central site fails a. individual workstations can communicate with each other b. individual workstations can function locally but cannot communicate with other workstations c. individual workstations cannot function locally and cannot communicate with other workstations d. the functions of the central site are taken over by a designated workstation 2. Which of the following statements is correct? The client-server model a. is best suited to the token-ring topology because the random-access method used by this model detects data collisions. b. distributes both data and processing tasks to the servers node. c. is most effective used with a bus topology. d. is more efficient than the bus or ring topologies. 3. A star topology is appropriate a. for a wide area network with a mainframe for a central computer b. for centralized databases only c. for environments where network nodes routinely communicate with each other

d. when the central database does not have to be concurrent with the nodes 4. In a ring topology a. the network consists of a central computer which manages all communications between nodes b. has a host computer connected to several levels of subordinate computers c. all nodes are of equal status; responsibility for managing communications is distributed among the nodes d. information processing units rarely communicate with each other 5. A distributed denial of service (DDoS) attack a. is more intensive that a Dos attack because it emanates from single source b. may take the form of either a SYN flood or smurf attack c. is so named because it effects many victims simultaneously, which are distributed across the internet d. turns the target victim's computers into zombies that are unable to access the Internet e. none of the above is correct 6. Which of the following statements is correct? TCP/IP a. is the basic protocol that permits communication between Internet sites. b. controls Web browsers that access the WWW. c. is the file format used to produce Web pages. d. is a low-level encryption scheme used to secure transmissions in HTTP format. 7. FTP a. b. c. d. e. is the document format used to produce Web pages. controls Web browsers that access the Web. is used to connect to Usenet groups on the Internet is used to transfer text files, programs, spreadsheets, and databases across the Internet. is a low-level encryption scheme used to secure transmissions in higher-level () format.

8. IP spoofing a. combines the messages of multiple users into a spoofing packet where the IP addresses are interchanged and the messages are then distributes randomly among the targeted users. b. is a form of masquerading to gain unauthorized access to a web server. c. is used to establish temporary connections between network devices with different IP addresses for the duration of a communication session. d. is a temporary phenomenon that disrupts transaction processing. It will resolve itself when the primary computer completes processing its transaction and releases the IP address needed by other users. 9. HTML a. is the document format used to produce Web pages. b. controls Web browsers that access the Web. c. is used to connect to Usenet groups on the Internet. d. is used to transfer text files, programs, spreadsheets, and databases across the Internet. e. is a low-level encryption scheme used to secure transmissions in higher-level () format. 10. Which one of the following statements is correct? a. Cookies always contain encrypted data. b. Cookies are text files and never contain encrypted data. c. Cookies contain the URLs of sites visited by the user.

d. Web browsers cannot function without cookies. 11. A message that is made to look as though it is coming from a trusted source but is not is called a. a denial of service attack b. digital signature forging c. Internet protocol spoofing d. URL masquerading 12. An IP Address: a. defines the path to a facility or file on the web. b. is the unique address that every computer node and host attached to the Internet must have. c. is represented by a 64-bit data packet. d. is the address of the protocol rules and standards that governing the design of internet hardware and software. e. none of the above is true. 13. A digital signature is a. the encrypted mathematical value of the message senders name b. derived from the digest of a document that has been encrypted with the senders private key c. the computed digest of the senders digital certificate d. allows digital messages to be sent over analog telephone lines 14. HTTP a. is the document format used to produce Web pages. b. controls Web browsers that access the Web. c. is used to connect to Usenet groups on the Internet d. is used to transfer text files, programs, spreadsheets, and databases across the Internet. e. is a low-level encryption scheme used to secure transmissions in higher-level () format. 15. Which of the following statements is correct? a. Packet switching combines the messages of multiple users into a packet for transmission. At the receiving end, the packet is disassembled into the individual messages and distributed to the intended users. b. The decision to partition a database assumes that no identifiable primary user exists in the organization. c. Packet switching is used to establish temporary connections between network devices for the duration of a communication session. d. A deadlock is a temporary phenomenon that disrupts transaction processing. It will resolve itself when the primary computer completes processing its transaction and releases the data needed by other users.

16. All of the following are basic data management tasks except a. data deletion b. data storage c. data attribution d. data retrieval 17. The task of searching the database to locate a stored record for processing is called

a. b. c. d.

data deletion data storage data attribution data retrieval

18. Which of the following is not a problem usually associated with the flat-file approach to data management? a. data redundancy b. restricting access to data to the primary user c. data storage d. currency of information 19. Which characteristic is associated with the database approach to data management? a. data sharing b. multiple storage procedures c. data redundancy d. excessive storage costs 20. Which characteristic is not associated with the database approach to data management? a. the ability to process data without the help of a programmer b. the ability to control access to the data c. constant production of backups d. the inability to determine what data is available 21. The textbook refers to four interrelated components of the database concept. Which of the following is not one of the components? a. the database management system b. the database sdministrator c. the physical database d. the conceptual database 22. Which of the following is not a responsibility of the database management system? a. provide an interface between the users and the physical database b. provide security against a natural disaster c. ensure that the internal schema and external schema are consistent d. authorize access to portions of the database 23. A description of the physical arrangement of records in the database is a. the internal view b. the conceptual view c. the subschema d. the external view 24. Which of the following may provide many distinct views of the database? a. the schema b. the internal view c. the user view d. the conceptual view 25. Users access the database a. by direct query b. by developing operating software c. by constantly interacting with systems programmers d. all of the above 26. The data definition language

a. identifies, for the database management system, the names and relationships of all data elements, records, and files that comprise the database b. inserts database commands into application programs to enable standard programs to interact with and manipulate the database c. permits users to process data in the database without the need for conventional programs d. describes every data element in the database 27. The data manipulation language a. defines the database to the database management system b. transfers data to the buffer area for manipulation c. enables application programs to interact with and manipulate the database d. describes every data element in the database 28. Which statement is not correct? A query language like SQL a. is written in a fourth-generation language b. requires user familiarity with COBOL c. allows users to retrieve and modify data d. reduces reliance on programmers 29. Which duty is not the responsibility of the database administrator? a. to develop and maintain the data dictionary b. to implement security controls c. to design application programs d. to design the subschema 30. In a hierarchical model a. links between related records are implicit b. the way to access data is by following a predefined data path c. an owner (parent) record may own just one member (child) record d. a member (child) record may have more than one owner (parent) 31. Which term is not associated with the relational database model? a. tuple b. attribute c. collision d. relation 32. In the relational database model a. relationships are explicit b. the user perceives that files are linked using pointers c. data is represented on two-dimensional tables d. data is represented as a tree structure 33. In the relational database model all of the following are true except a. data is presented to users as tables b. data can be extracted from specified rows from specified tables c. a new table can be built by joining two tables d. only one-to-many relationships can be supported 34. In a relational database a. the users view of the physical database is the same as the physical database b. users perceive that they are manipulating a single table c. a virtual table exists in the form of rows and columns of a table stored on the disk d. a programming language (COBOL) is used to create a users view of the database 35. Which of the following is not a common form of conceptual database model?

a. b. c. d.

hierarchical network sequential relational

36. Which statement is false? a. The DBMS is special software that is programmed to know which data elements each user is authorized to access. b. User programs send requests for data to the DBMS. c. During processing, the DBMS periodically makes backup copies of the physical database. d. The DBMS does not control access to the database. 37. All of the following are elements of the DBMS which facilitate user access to the database except a. query language b. data access language c. data manipulation language d. data definition language 38. Which of the following is a level of the database that is defined by the data definition language? a. user view b. schema c. internal view d. all are levels or views of the database 39. An example of a distributed database is a. partitioned database b. centralized database c. networked database d. all are examples of distributed databases 40. Data currency is preserved in a centralized database by a. partitioning the database b. using a lockout procedure c. replicating the database d. implementing concurrency controls 41. Which procedure will prevent two end users from accessing the same data element at the same time? a. data redundancy b. data replication c. data lockout d. none of the above 42. The advantages of a partitioned database include all of the following except a. user control is enhanced b. data transmission volume is increased c. response time is improved d. risk of destruction of entire database is reduced 43. A replicated database is appropriate when a. there is minimal data sharing among information processing units b. there exists a high degree of data sharing and no primary user c. there is no risk of the deadlock phenomenon d. most data sharing consists of read-write transactions 44. What control maintains complete, current, and consistent data at all information processing units? a. deadlock control

b. replication control c. concurrency control d. gateway control 45. Data concurrency a. is a security issue in partitioned databases b. is implemented using time stamping c. may result in data lockout d. occurs when a deadlock is triggered 46. All of the following are advantages of a partitioned database except a. increased user control by having the data stored locally b. deadlocks are eliminated c. transaction processing response time is improved d. partitioning can reduce losses in case of disaster 47. Which backup technique is most appropriate for sequential batch systems? a. grandparent-parent-child approach b. staggered backup approach c. direct backup d. remote site, intermittent backup 48. When creating and controlling backups for a sequential batch system, a. the number of backup versions retained depends on the amount of data in the file b. off-site backups are not required c. backup files can never be used for scratch files d. the more significant the data, the greater the number of backup versions 49. In a direct access file system a. backups are created using the grandfather-father-son approach b. processing a transaction file against a maser file creates a backup file c. files are backed up immediately before an update run d. if the master file is destroyed, it cannot be reconstructed 50. Which of the following is not an access control in a database system? a. antivirus software b. database authorization table c. passwords d. voice prints 51. Which of the following is not a basic database backup and recovery feature? a. checkpoint b. backup database c. transaction log d. database authority table 52. Audit objectives for the database management system include all of the following except a. verifying that the security group monitors and reports on fault tolerance violations b. confirming that backup procedures are adequate c. ensuring that authorized users access only those files they need to perform their duties d. verifying that unauthorized users cannot access data files 53. All of the following tests of controls will provide evidence that access to the data files is limited except a. inspecting biometric controls b. reconciling program version numbers

c. comparing job descriptions with access privileges stored in the authority table d. attempting to retrieve unauthorized data via inference queries 54. Which of the following is not a test of access controls? a. biometric controls b. encryption controls c. backup controls d. inference controls 55. The database attributes that individual users have permission to access are defined in a. operating system. b. user manual. c. database schema. d. user view. e. application listing. 56. Which control is not associated with new systems development activities? a. reconciling program version numbers b. program testing c. user involvement d. internal audit participation 57. Which test of controls will provide evidence that the system as originally implemented was free from material errors and free from fraud? Review of the documentation indicates that a. a cost-benefit analysis was conducted b. the detailed design was an appropriate solution to the user's problem c. tests were conducted at the individual module and total system levels prior to implementation d. problems detected during the conversion period were corrected in the maintenance phase 58. Routine maintenance activities require all of the following controls except a. documentation updates b. testing c. formal authorization d. internal audit approval 59. Which statement is correct? a. compiled programs are very susceptible to unauthorized modification b. the source program library stores application programs in source code form c. modifications are made to programs in machine code language d. the source program library management system increases operating efficiency 60. Which control is not a part of the source program library management system? a. using passwords to limit access to application programs b. assigning a test name to all programs undergoing maintenance c. combining access to the development and maintenance test libraries d. assigning version numbers to programs to record program modifications 61. Which control ensures that production files cannot be accessed without specific permission? a. Database Management System b. Recovery Operations Function c. Source Program Library Management System d. Computer Services Function 62. Program testing a. involves individual modules only, not the full system

b. requires creation of meaningful test data c. need not be repeated once the system is implemented d. is primarily concerned with usability 63. Which statement is not true? a. An audit objective for systems maintenance is to detect unauthorized access to application databases. b. An audit objective for systems maintenance is to ensure that applications are free from errors. c. An audit objective for systems maintenance is to verify that user requests for maintenance reconcile to program version numbers. d. An audit objective for systems maintenance is to ensure that the production libraries are protected from unauthorized access. 64. When the auditor reconciles the program version numbers, which audit objective is being tested? a. protect applications from unauthorized changes b. ensure applications are free from error c. protect production libraries from unauthorized access d. ensure incompatible functions have been identified and segregated 65. Which is not a level of a data flow diagram? a. conceptual level b. context level c. intermediate level d. elementary level 66. Which statement is not correct? The structured design approach a. is a top-down approach b. is documented by data flow diagrams and structure diagrams c. assembles reusable modules rather than creating systems from scratch d. starts with an abstract description of the system and redefines it to produce a more detailed description of the system 67. The benefits of the object-oriented approach to systems design include all of the following except a. this approach does not require input from accountants and auditors b. development time is reduced c. a standard module once tested does not have to be retested until changes are made d. system maintenance activities are simplified 68.Which level of a data flow diagram is used to produce program code and database tables? a. context level b. elementary level c. intermediate level d. prototype level 69. Evaluators of the detailed feasibility study should not include a. the internal auditor b. the project manager c. a user representative d. the system designer 70. A cost-benefit analysis is a part of the detailed a. operational feasibility study b. schedule feasibility study

c. legal feasibility study d. economic feasibility study 71. Examples of one-time costs include all of the following except a. hardware acquisition b. insurance c. site preparation d. programming 72. Examples of recurring costs include a. software acquisition b. data conversion c. personnel costs d. systems design 73. A commercial software system that is completely finished, tested, and ready for implementation is called a a. backbone system b. vendor-supported system c. benchmark system d. turnkey system 74. Which of the following is not an advantage of commercial software? Commercial software a. can be installed faster than a custom system b. can be easily modified to the users exact specifications c. is significantly less expensive than a system developed in-house d. is less likely to have errors than an equivalent system developed in-house 75. Which step is least likely to occur when choosing a commercial software package? a. a detailed review of the source code b. contact with user groups c. preparation of a request for proposal d. comparison of the results of a benchmark problem 76. The output of the detailed design phase of the Systems Development Life Cycle (SDLC) is a a. fully documented system report b. systems selection report c. detailed system design report d. systems analysis report 77. The detailed design report contains all of the following except a. input screen formats b. alternative conceptual designs c. report layouts d. process logic 78. System documentation is designed for all of the following groups except a. systems designers and programmers b. end users c. accountants d. all of the above require systems documentation 79. Which type of documentation shows the detailed relationship of input files, programs, and output files? a. structure diagrams b. overview diagram

c. system flowchart d. program flowchart 80. Typical contents of a run manual include all of the following except a. run schedule b. logic flowchart c. file requirements d. explanation of error messages 81. Computer operators should have access to all of the following types of documentation except a. a list of users who receive output b. a program code listing c. a list of all master files used in the system d. a list of required hardware devices 82. Which task is not essential during a data conversion procedure? a. decomposing the system b. validating the database c. reconciliation of new and old databases d. backing up the original files 83. When converting to a new system, which cutover method is the most conservative? a. cold turkey cutover b. phased cutover c. parallel operation cutover d. data coupling cutover 84. Site preparation costs include all of the following except a. crane used to install equipment b. freight charges c. supplies d. reinforcement of the building floor 85. The testing of individual program modules is a part of a. software acquisition costs b. systems design costs c. data conversion costs d. programming costs 86. When implementing a new system, the costs associated with transferring data from one storage medium to another is an example of a. a recurring cost b. a data conversion cost c. a systems design cost d. a programming cost 87. An example of a tangible benefit is a. increased customer satisfaction b. more current information c. reduced inventories d. faster response to competitor actions 88. An example of an intangible benefit is a. expansion into other markets b. reduction in supplies and overhead c. more efficient operations

d. reduced equipment maintenance 89. A tangible benefit a. can be measured and expressed in financial terms b. might increase revenues c. might decrease costs d. all of the above 90. Intangible benefits a. are easily measured b. are of relatively little importance in making information system decisions c. are sometimes estimated using customer satisfaction surveys d. when measured, do not lend themselves to manipulation 91. Which technique is least likely to be used to quantify intangible benefits? a. opinion surveys b. simulation models c. professional judgment d. review of accounting transaction data 92. The formal product of the systems evaluation and selection phase of the Systems Development Life Cycle is a. the report of systems analysis b. the systems selection report c. the detailed system design d. the systems plan 93. One time costs include all of the following except a. site preparation b. insurance c. programming and testing d. data conversion 94. Typically a systems analysis a. results in a formal project schedule b. does not include a review of the current system c. identifies user needs and specifies system requirements d. is performed by the internal auditor 95. A disadvantage of surveying the current system is a. it constrains the generation of ideas about the new system b. it highlights elements of the current system that are worth preserving c. it pinpoints the causes of the current problems d. all of the above are advantages of surveying the current system 96. Systems analysis involves all of the following except a. gathering facts b. surveying the current system c. redesigning bottleneck activities d. reviewing key documents 97. The systems analysis report does not a. identify user needs b. specify requirements for the new system c. formally state the goals and objectives of the system

d. specify the system processing methods 98. After the systems analysis phase of the System Development Life Cycle (SDLC) is complete, the company will have a formal systems analysis report on a. the conceptual design of the new system b. an evaluation of the new system c. users needs and requirements for the new system d. a comparison of alternative implementation procedures for the new system 99. The accountants role in systems analysis includes all of the following except a. specify audit trail requirements b. prepare data gathering questionnaires c. suggest inclusion of advanced audit features d. ensure mandated procedures are part of the design 100. The role of the steering committee includes a. designing the system outputs b. resolving conflicts that arise from a new system c. selecting the programming techniques to be used d. approving the accounting procedures to be implemented