
Exercise 4

1. This document contains 30 multiple choice questions about controlling accounting information systems and preventing fraud. Topics include types of computer fraud, conditions necessary for fraud to occur, responsibilities of auditors, and control procedures. 2. Common computer fraud techniques assessed include viruses, Trojan horses, phishing, and cyber extortion. Controls discussed involve segregation of duties, background checks, encryption, and contingency planning. 3. Risk assessment steps covered are identifying threats, controls, costs and benefits to determine the most cost-effective fraud prevention strategies. The questions evaluate understanding of fraud risks and internal controls.

Uploaded by

Earth Pirapat
Copyright
© All Rights Reserved


EXERCISES

Exercise 4- Control of Accounting Information Systems


Part I-Multiple Choice. Read each question and answer choice carefully and choose the ONE
best answer.
1. Which of the following is a fraud in which employees use the company’s computer time
to run their own data processing business?
a. Input fraud
b. Processor fraud
c. Computer instructions fraud
d. Output fraud

2. Which type of fraud is associated with 50% of all auditor lawsuits?


a. Kiting
b. Fraudulent financial reporting
c. Ponzi schemes
d. Lapping

3. Which of the following statements is false?


a. The psychological profiles of white collar criminals differ from those of violent
criminals.
b. The psychological profiles of white collar criminals are significantly different from
those of the general public.
c. There is little difference between computer fraud perpetrators and other types of
white collar criminals.
d. Some computer fraud perpetrators do not view themselves as criminals.

4. Which of the following conditions is/are usually necessary for a fraud to occur?
a. Pressure
b. Opportunity
c. Explanation
d. Rationalization

5. Which of the following is not an example of computer fraud?


a. Theft of money by altering computer records
b. Obtaining information illegally using a computer
c. Failure to perform preventive maintenance on a computer
d. Unauthorized modification of a software program

6. Which of the following causes the majority of computer security problems?


a. Human errors
b. Software errors
c. Natural disasters
d. Power outages

7. Which of the following is not one of the responsibilities of auditors in detecting fraud?
a. Evaluating the results of their audit tests
b. Incorporating a technology focus
c. Discussing the risks of material fraudulent misstatements
d. Catching the perpetrators in the act of committing the fraud

8. Which of the following control procedures is most likely to deter lapping?


a. Encryption
b. Continual update of the access control matrix
c. Background check on employees
d. Periodic rotation of duties

9. Which of the following is the most important, basic, and effective control to deter fraud?
a. Enforced vacations
b. Logical access control
c. Segregation of duties
d. Virus protection controls

10. Once fraud has occurred, which of the following will reduce fraud losses?
a. Insurance
b. Regular back up of data and programs
c. Contingency plan
d. Segregation of duties

11. A set of instructions to increase a programmer's pay rate by 10% is hidden inside an
authorized program. It changes and updates the payroll file. What is this computer fraud
technique called?
a. Virus
b. Worm
c. Trap door
d. Trojan horse

12. Which computer fraud technique involves a set of instructions hidden inside a calendar
utility that copies itself each time the utility is enabled until memory is filled and the
system crashes?
a. Logic bomb
b. Trap door
c. Virus
d. Trojan horse

13. Interest calculations are truncated at two decimal places, and the excess decimals are
put into an account the perpetrator controls. What is this fraud called?
a. Typosquatting
b. URL hijacking
c. Chipping
d. Round down fraud

14. A perpetrator attacks a phone system to obtain free phone line access or uses telephone
lines to transmit viruses and to access, steal and destroy data. What is this computer
fraud technique called?
a. Phishing
b. Phreaking
c. Pharming
d. Vishing

15. Fraud perpetrators threaten to harm a company if it does not pay a specified amount of
money. What is this computer fraud technique called?
a. Cyber terrorism
b. Blackmailing
c. Cyber extortion
d. Scareware

16. Techniques used to obtain confidential information, often by tricking people, are referred
to as what?
a. Pretexting
b. Posing
c. Social engineering
d. Identity theft

17. What type of software secretly collects personal information about users and sends it to
someone else without the user’s permission?
a. Rootkit
b. Torpedo software
c. Spyware
d. Malware

18. What is the name of the computer attack which captures data from information items as
it travels over networks?
a. Packet sniffers
b. Item sniffers
c. Malware
d. Adware

19. Which type of computer attack steals contact lists, images and other data using
Bluetooth?
a. Bluebugging
b. Bluesnarfing
c. Buffer overflow
d. Carding

20. Someone redirects a website’s traffic to a bogus website, usually to gain access to
personal and confidential information. What is this computer fraud technique called?
a. Vishing
b. Phishing
c. Pharming
d. Phreaking

21. Verifying the validity of credit or debit card numbers during an online transaction is an
example of
a. Physical controls
b. Logical access controls
c. Application controls
d. General controls

22. In the ERM model, COSO specified four types of objectives that management must meet
to achieve company goals. Which of the following is not one of those types?
a. Responsibility objectives
b. Strategic objectives
c. Compliance objectives
d. Reporting objectives
e. Operations objectives

23. Which of the following statements is true?


a. COSO’s enterprise risk management framework is narrow in scope and is limited
to financial controls
b. COSO’s internal control integrated framework has been widely accepted as the
authority on internal controls
c. The Foreign Corrupt Practices Act had no impact on internal accounting control
systems.
d. It is easier to add controls to an already designed system than to include them
during the initial design stage.

24. All other things being equal, which of the following is true?
a. Detective controls are superior to preventive controls.
b. Corrective controls are superior to preventive controls.


c. Preventive controls are equivalent to detective controls.
d. Preventive controls are superior to detective controls.

25. Which of the following statements about the control environment is false?
a. Management’s attitudes toward internal control and ethical behaviour have little
impact on employee beliefs or actions.
b. An overly complex or unclear organizational structure may be indicative of
problems that are more serious.
c. A written policy and procedures manual is an important tool for assigning
authority and responsibility.
d. Supervision is especially important in organizations that cannot afford elaborate
responsibility reporting or are too small to have an adequate separation of duties.

26. To achieve effective segregation of duties, certain functions must be separated. Which
of the following is the correct listing of the accounting-related functions that must be
segregated?
a. Control, recording and monitoring
b. Authorization, recording and custody
c. Control, custody and authorization
d. Monitoring, recording and planning

27. Which of the following is not an independent check?


a. Bank reconciliation
b. Periodic comparison of subsidiary ledger totals to control accounts
c. Trial balance
d. Re-adding the total of a batch of invoices and comparing it with your first total

28. Which of the following is a control procedure relating to both the design and the use of
documents and records?
a. Locking blank checks in a drawer
b. Reconciling the bank account
c. Sequentially prenumbering sales invoices
d. Comparing actual physical quantities with recorded amounts

29. Which of the following is the correct order of the risk assessment steps discussed in
this?
a. Identify threats, estimate risk and exposure, identify controls, and estimate costs
and benefits
b. Identify controls, estimate risk and exposure, identify threats, and estimate costs
and benefits
c. Estimate risk and exposure, identify controls, identify threats, and estimate costs
and benefits
d. Estimate costs and benefits, identify threats, identify controls, and estimate risk
and exposure

30. Your current system is deemed to be 90% reliable. A major threat has been identified
with an impact of Php 3,000,000. Two control procedures exist to deal with the threat.
Implementation of control A would cost Php100,000 and reduce the likelihood to 6%.
Implementation of control B would cost Php140,000 and reduce the likelihood to 4%.
Implementation of both controls would cost Php 220,000 and reduce the likelihood to
2%. Given the data, and based solely on an economic analysis of costs and benefits,
what should you do?
a. Implement control A only
b. Implement control B only
c. Implement both controls A and B
d. Implement neither control

Part II- Short Answer Questions. Make your answer simple and clear.
1. What motives do people have for hacking? Why has hacking become so popular in recent
years? Do you regard it as a crime? Explain your position.
 The unauthorized access, modification, or use of an electronic device or a component of a
computer system is referred to as hacking. Hacking is considered illegal trespass and is
punishable as a federal crime under the Computer Fraud and Abuse Act of 1986. For a
variety of reasons, hacking has grown in popularity. Perhaps the most significant is the
growing use of personal computers and the Internet, as well as the corresponding increase
in the number and skill level of users. In other words, there are more systems to break into
and more people capable of breaking into them. The majority of hackers are motivated by
monetary rewards. Hackers have discovered numerous methods to profit handsomely from
their hacking activities. Others seek to destroy data, make unauthorized copies of data, or
otherwise disrupt the system. Some hackers are motivated by the challenge of breaking into
a system, and many do so with no malicious intent. They may believe that hacking is a
"right" that computer users have in a society of "free information." Many of these good
hackers also argue that hacking rarely causes harm to a computer system and is therefore
acceptable behavior.

2. Bank cards are commonly used for payment in electronic commerce and in physical
transactions. Customers are normally required to key in the card number as well as the
expiry date and/or security code before processing is performed on the Internet. In physical
transactions, a signature is required for processing. In mainland China, people often use
Union Pay. It is an association for China’s banking card industry.
On the Internet, when customers use their credit card for payment, they may use a
mechanism called “Verified by Visa”. They need to register this function with Visa. They are given
a password for their transaction with the merchant. Users are asked to present their
password before the transaction is completed.
Questions:
a. What is the purpose of asking additional information like expiry date and/or security code
when customers use bank cards for payment?
When customers use bank cards for payment, additional information such as expiry date
and/or security code is requested to protect cardholders from fraud, particularly in card-
not-present transactions. It is required to demonstrate that you have your card with you
and to grant the person paying with your credit card access to your funds. It is employed
in the prevention of online payment scams and frauds.

b. Do you think it is safe to reveal such information on the Internet?


I believe it is risky to reveal such information on the internet. Sharing personal information
with people you don't know is one of the most dangerous things you can do online.
Sharing sensitive information is dangerous and should be avoided at all costs.
