Practice Examination in AUD6

Title: Practice Examination in AUD6
Author: Berry Concepcion
Course: Accountancy
Institution: University of the East (Philippines)
Pages: 25
File type: PDF (393.8 KB)

Description

Taking into consideration the password format, which of the following is the most likely secured password for employee Maria Mercedes? MmErcedes123!

When auditing information systems controls, the auditor should consider I, II, and III.
I. Input controls
II. Processing controls
III. Output controls

Which of the following logical security controls is recommended to prevent an unauthorized user from attempting to log in to a system multiple times using a stolen user ID while guessing its password? Automatically disabling user IDs after three consecutive unsuccessful login attempts.

In business operations, segregation of duties can exist in I, II, and III.
I. Data entry area
II. Data processing area
III. Business operating areas in which processing output is utilized.

Granularity of system access controls refers to the degree of specificity with which system access parameters can be controlled. The granularity of system access controls should be determined in the Design stage of a system.

Setting the time of day and days of the week is a good control against unauthorized attempts during nonbusiness hours and days by persons who have physical access to the facility. This control is applicable to individual or regular user IDs and the backup system security administrator in the system.

Select all controls that can be used for output media. I and II only.
I. There should be an output distribution area whose staff alone have access to the SPOOL and perform these activities.
II. Purging of output files from the spool is done on a regular basis.
III. Testing the backup by restoring it.

Physical security controls can be a preventive, detective, or corrective type of control.

In a business resumption program, this is an information processing facility that is fully equipped and configured with lights, electricity, air-conditioning equipment, computer equipment, and supplies such that it can be fully operational in less than 24 hours. Hot site

Select the statements that is/are true regarding edit and reasonableness checks. Statement 1: It can prevent letters from being entered into a field in the application screen that should only have numbers, or vice versa. Statement 2: It can prevent invalid codes from being entered into a particular field and can prevent dates or amounts outside of predetermined ranges from being entered. Both statements 1 and 2.

Which of the following is not a physical security control? Login credentials

For commercial business systems, a password normally expires after 60 days

Problem management procedures of computer operations include documentation of I, II, and III.
I. Details of the system problems encountered by users.
II. The resolution and the date and time it was implemented.
III. Name of the user who reported the issue.

All of the following are system security administration activities except Documenting the logic of user IDs and passwords

Which backup procedure is the best for critical systems such as servers with voluminous data? Hourly backup

Periodic backups can be performed for System software, application programs, and data.

It is a control that helps prevent invalid data from being entered into a system. Edit and reasonableness check

All of the following statements about biometric locks are correct except Biometric locks are the most secured type of physical lock and not susceptible to any risks.

It is an automated control providing assurance that the data are intact, without any alterations or missing information. Integrity/completeness check

It refers to the actual use and management of information systems including internal controls at data processing facilities as well as those in place in end-user environments, which are designed to help an organization’s operational processes function as efficiently and effectively as possible within the constraints imposed by the economic, financial, political, legal, and regulatory environments. Information systems operations

It is a person who will be responsible for system security administration in the absence of the primary system security administrator. Backup system security administrator

Which of the following general and emergency detection controls is/are by nature detective type of controls? Controls 1 and 2 only.
Control 1: Heat-activated overhead sprinkler systems
Control 2: Fire alarms
Control 3: Fire extinguishers

Insurance should be maintained to cover computer hardware and software at replacement cost and the costs to re-create lost data. Which of the following statements is true about insurance? Insurance is a corrective type of control.

Which of the following statements is least likely true regarding remote access? Remote computer is used to connect to a network and access a local computer.

The initial key to protecting an information system from unauthorized access lies in Both the design and programming of logical security controls in the system.

Use of login credentials is the most common and critical type of logical security control. Login credentials should be implemented for I, II, and III.
I. Operating system
II. DBMS
III. Critical and non-critical application programs

Emergency power systems such as UPS and power generators are best examples of Corrective controls

Which of the following is/are example(s) of control totals? Both I and II.
I. Total number of records in a data file.
II. Total monetary amount of all the records in the data file.

To make it more difficult for third parties to track a user’s activities online and steal data, a virtual private network (choose the correct statements) Both I and II.
I. Encrypts the user’s internet traffic.
II. Disguises the user’s online identity.

Which of the following can be insured by a company? I, II, and III.
I. Computer hardware
II. Software
III. Data

TRUE

To monitor the effectiveness of the automated job-scheduling software, management of the computer operations area should receive a system-generated daily production report indicating the start and end times of each job, preferably with a comparison to the planned production schedule, and any job that abnormally terminated.

An example of a business resumption program is that a company has prepared an available site, which is usually situated in a different place and readily available for relocating employees and business operations when a fortuitous event such as an earthquake or fire occurs at the current or existing site of the business.

For high-risk systems, a longer minimum password length is a must.

Two-factor authentication is typically applied to remote users.

Recorded videos of the surveillance cameras are a detective type of control.

FALSE

Emergency power and UPS systems are a preventive type of control. – These are a corrective type of control. The risk of losing power is unavoidable.

Security guards are a combination of preventive and corrective controls. The presence of a security guard is a preventive control, and the inspection and record keeping done by them is the corrective control. – Security guards are a combination of preventive and detective types of control.

There is no risk in having a system security administrator. However, the absence of a system security administrator exposes an entity to potential risks of loss and unauthorized access to data. – There is also a risk in having a system security administrator who has full access to the system. It is vital to implement certain measures to control the activities of the system security administrator.

Management may maintain accurate records of all maintenance of computer hardware performed for future reference and audit trail purposes. – Maintaining accurate records of all maintenance is not optional. It is a must.

A concurrent sign-on session happens when two different user IDs are allowed to be signed on from two or more workstations simultaneously. – A concurrent sign-on session happens when the same user ID is allowed to be signed on from two or more workstations simultaneously.

Which of the following digital security methods ensures integrity of data being transmitted electronically? Hashing

Based on the internal control framework called CoCo, internal control is defined as Those elements of an organization, including its resources, systems, processes, culture, structure and tasks, that, taken together, support people in the achievement of the organization’s objectives.

What characteristic of information being transmitted electronically is ensured by hashing? Integrity

This internal control framework was published by the Information Systems Audit and Control Foundation in 1996 and updated in 1998 and 2000. It is a comprehensive internal control framework specifically pertaining to internal control issues associated with information technology. COBIT

Which of the following is/are certificate authorities? I, II, and III.
I. GoDaddy
II. Symantec
III. DigiCert

It is the process by which the quality of internal control design and operation can be assessed. This may be accomplished by separate procedures or by ongoing activities. Monitoring

What can information systems auditors do to help secure evidence for potential use in criminal investigations? Ensure that there is an action plan that adequately addresses the proper handling of computer evidence so that it does not become tainted and that includes specific procedures on how to create a complete and accurate chain of evidence.

In which of the following situations does encryption take place? When a user sends the message via his e-mail.

Before engaging a computer forensic expert, the company must ensure that the former proves his or her expertise in Both technical computer forensic analysis and courtroom testimony.

These are a person or group of persons who are able to obtain and access computer information and explain it in court using legally accepted methodologies and procedures. Computer forensics experts

Tainted evidence (choose all correct statements)
Statement 1: Information which has been obtained by illegal means.
Statement 2: Evidence acquired by legal search or seizure.
Statement 3: Admissible to the court.
Statement 1 only.

One of the widely known internal control frameworks is COSO. Who is responsible for an entity’s control system based on this internal control framework? Management

Which of the following situation(s) can be considered a cybercrime? Situations 1 and 2 only.

Situation 1: Natsu found someone else’s credit card in the mall. He used the credit card information to purchase food via a food delivery application.

Situation 2: Lucy created a Facebook account using the name of one of her friends, who was aware of it. Lucy used this social media account to chat with her classmates who have a crush on her friend.

Situation 3: Gray visits an apparel website to browse for items that he had been wanting to purchase for so long. He used the chat option on the website to make an inquiry with the apparel company’s marketing agent.

Control environment sets the tone for the organization and influences the control awareness of its management and employees. Which of the following is not an element of control environment? Information and communication of accounting information

In asymmetric encryption (choose the incorrect statement) The same key is used for encrypting and decrypting messages.

Risk assessment is a component of internal control under COSO. The risk assessment process includes I, II, and III.
I. Identification of risks.
II. Evaluation of risks.
III. Determination of the acceptable level of risk.

A certificate authority is A trusted third-party entity that issues digital certificates and manages the public keys and credentials for data encryption for the end user.

Chain of evidence is vital in computer forensics. Which of the following is/are documented to ensure proper chain of custody? I, II, and III.
I. Date and time individual items of physical or electronic evidence are collected.
II. Methods used to collect physical or electronic evidence.
III. Name of the person or persons who collected the physical or electronic evidence.

It is the science pertaining to the relationship of computer facts and evidence to legal issues. Computer forensics

In an e-crime, the computer Both I and II.
I. May have been used in the commission of a crime.
II. May be the target of the crime.

A digital certificate
Statement 1: Identifies the sender and contains the sender’s public key as well as the digital signature of the trusted certificate authority.
Statement 2: A process that guarantees that the contents of a message have not been altered in transit.
Statement 1: True; Statement 2: False.

Cryptographic controls aim to ensure all of the following characteristics of electronic information being transmitted, while providing nonrepudiation by the sender, except Reliability

The Control Self-Assessment (CSA) Sentinel was originally launched by the Institute of Internal Auditors (IIA)

Why should sound computer forensics be considered by a company in its computer incident response program? Both I and II.
I. It will help an organization ensure the overall integrity and survivability of its computer network infrastructure.
II. Its defensive mechanisms are layered in order to protect valuable data and information.

Which internal control framework provides sound guidance on control and audit of information systems and technology? SAC and eSAC

Cybercrime occurs when An individual or group of individuals with a criminal motive intentionally harms the reputation of the victim or causes physical or mental harm, or loss, to the victim directly or indirectly, using modern telecommunication networks and mobile phones.

Decryption is The act or process of translating a hidden message into its original, readable form.

Which of the following is/are the functions of internal auditors? I, II, and III.
I. Communicate control strengths and weaknesses to management.
II. Gather evidence of control adequacy by testing controls.
III. Express an opinion about the effectiveness and efficiency of operations.

Control self-assessment (CSA) is a leading-edge process in which auditors facilitate a group of staff members who have expertise in a specific process, with the objective of identifying opportunities for internal control enhancement pertaining to critical operating areas designated by management. In a CSA workshop, who is responsible for identifying and assessing the effectiveness of internal controls? Staff

Hashing Generates a value or values from a string of text using a mathematical function.

TRUE

Computer forensics is a branch of digital forensic science pertaining to evidence found in computers and digital storage media.

COBIT is an internationally developed, comprehensive IT evaluation tool that envelops virtually every major generally accepted standard in the world pertaining to controls and IT.

CoCo guidance builds on the understanding of control set out in COSO.

Encryption is embedded in almost every digital product you use, purchase, download and install on your devices.

In the event of an e-crime, computer evidence must always be in the physical custody of an identifiable, legally authorized person from the time it is collected until it appears in court.

FALSE

Cadbury, an internal control framework, requires directors to state their opinion on the effectiveness of the system of internal financial control. – Cadbury encourages, but does not require, directors to state their opinion on the effectiveness of the system of internal financial control.

The goals of the computer security incident response plan are to detect and react to computer security incidents, determine their scope and risk, respond appropriately to the incident, communicate the results and risk to all stakeholders, and eliminate the likelihood of the incident recurring. – All are goals of the computer security incident response plan except the elimination of the likelihood of the incident recurring. Computer security incidents are unavoidable, and there are no perfect internal controls that completely eliminate computer risks. The goal should be to reduce the likelihood of the incident happening, not to eliminate it.

The digital signature, digital certificates, and hashing ensure the authenticity of data in its electronic transmission. – Digital signatures and digital certificates ensure authenticity of data. Hashing ensures integrity of data.

The integrity of information that is transmitted electronically is achieved when only the intended recipients of the transmitted information can read it. – The integrity of information is achieved when the transmitted information has not been altered, no other information has been added to the transmission, and no information has been deleted from the transmission.

Decryption converts a readable message into ciphertext. – Decryption transforms ciphertext into its original readable message.

Which of the following is/are tests of information systems operating controls? I and II only.
I. Verifying whether duties are adequately segregated in the operating areas supporting the information system, such as, but not limited to, programmers not having the capability to execute production programs and transactions being authorized only by the originating department.
II. Assessment of the adequacy, timeliness, and documentation of resolution efforts for significant software problems with the system.
III. Assessment of the adequacy of procedures to review the log of system security-related events.

Indicate whether the statements regarding a computing system are true or false.
Statement 1: A computing system is a basic, complete and functional computer, including all the hardware and software required to make it functional for a user.
Statement 2: The computing system should have the ability to accept input, process data, and create information for storage and/or output.
Statement 1: True; Statement 2: True.

Which of the following is/are examples of logical security controls?
I. Password masking
II. Password policy
III. File encryption

These are high-level overall statements describing the general goals of an organization with regard to the control and security over its information system. Information system security policies

Which of the following is/are not considered operating systems of a computer? II only
I. MS-DOS
II. Safari
III. Windows
IV. Android

It is a category of IT audit that involves verification about correct, accurate, and timely working of information processing, in normal as well as disruptive conditions.

A service auditor report

Instead of a service auditor report, a client organization can send its internal auditors to the service organization’s processing facilities to perform an audit of applicable general controls. What level of assurance will be provided by this audit option? Limited assurance

Which of the following audit procedure(s) can be used by an auditor to obtain an understanding of the information system structure of an organization? Audit procedures 1, 2, and 3.

Audit Procedure 1: Requesting a complete inventory of computing systems. Audit Procedur...
