For those instances where individual users may
be granted summary and statistical query access
to confidential data to which they normally are
denied access, which type of control is most
suitable? INFERENCE CONTROLS (MC)
Flat-file model eliminates data redundancy and
reduces data collection and storage costs. TRUE
Provides an audit trail of all processed
transactions. TRANSACTION LOG
Used to prevent users from inferring, through
query features, specific data values that they
have no authority to access. INFERENCE
CONTROLS
Audit procedures for testing database access
controls: ONLY 2 ARE CORRECT
User’s ability to obtain another information as
his needs change. TASK-DATA DEPENDENCY
Replication of the same data in multiple files.
DATA REDUNDANCY
Used to restrict employees who are sharing the
same computers to specific directories,
programs, and data files. MULTILEVEL
PASSOWRD
Access privileges to the database should be
commensurate with the user’s legitimate need.
TRUE
As an audit procedure to test the database
backup controls, the auditor may verify that
backup is performed routinely and frequently to
facilitate the recovery of lost data without
excessive reprocessing. TRUE
Audit Objectives: Verify that backup procedures
are in place to prevent data and program loss
due to system failures and errors. Which of the
ff is the most appropriate audit procedure? THE
AUDITOR COMPARES… OF BACKUP
PROCEDURES
Possible audit procedures to test backup
transaction file: THE AUDITOR SHOULD…
MASTER FILE
Used in database systems to protect highly
sensitive stored data making it difficult for the
intruder to read the stored data. ENCRYPTION
PROCEDURE
Users the logs and backup files to restart the
system after a failure. RECOVERY MODULE
Database model centralized the organization’s
data into a common database that is shared by
other users. TRUE
Backup controls are designed to prevent
unauthorized individuals from viewing,
retrieving, corrupting, or destroying the entity’s
data. FALSE
It promotes a single-user view approach to data
management whereby end users own their data
files rather than share them with other users.
FLAT-FILE ENVIRONMENT
Subset of total database that defines the user’s
data domain and provides access to the
database. USER VIEW OR SUBSCHEMA
User-defined procedures contain rules that limit
the actions a user can take. FALSE
ECHO CHECK- The receiver of the message returns
the message to the sender and the sender compares
it with the original message.
OPERATING SYSTEM SECURITY- Policies, procedures,
and controls that determine who can access the
operating system, which resources they can use, and
what actions they can take.
No single user should obtain control of the operating
system. True
In a pure electronic data interchange, authorizations,
mutual obligations, and business practices that apply
to transactions are all specified under the trading
partner agreement. True
Audit procedures relating to access privileges,
except. Verify…
IP spoofing – form of masquerading to gain
unauthorized access to a web server and/ perpetrate
unlawful act
Audit in passwords- its audit objectives is to verify
that effective management policies and procedures
are in place to prevent the introduction and spread
of destructive programs
Digital signatures prove that the message received
was not tampered during transmission and was
being sent by the legitimate sender. True
Firewall – system of software & hardware that
prevents unauthorized access to or from private
network
If the user cannot provide the correct password, the
operating system should deny access. True
Failure to change passwords regularly, post-it
syndrome, possibility of forgetting the passwords are
among the problems that may be encountered in
using passwords. True
Request-response technique – control message from
sender and response from receiver are sent at
periodic, synchronized intervals
Distributed denial of service (DDoS)- Zombie –
called bot(robot) computers, virtual army that
perpetrator launch to attack.
If the company is using EDI, there is no need for the
system to provide an audit trail. False
Password – secret code the user enters to gain
access to systems, applications, data files, or a
network server.
Access token – created if log-on attempt is
successful, it contains key info about the user (user
ID, password, user group, & privileges granted)
- It contains key information about the user
and privileges granted.
Encryption – conversion of data into secret code for
storage in databases & transmission over networks
– sender uses an encryption algorithm to
convert original message (called cleartext) into coded
equivalent (called ciphertext)
System audit trails – logs that record activity at the
system, application & user level
Audit procedures relating to subversive threats. 1,3,4
Benefits of electric data interchange: All
To test authorization and validation controls of EDI,
the auditor should determine that only authorized
employees an obtain access to the valid vendor file
or customer file. True
Control log – one technique for restoring audit trail –
records the transaction’s flow thru each phase of EDI
system
Keystroke Monitoring- Used to reconstruct the
details of an event or as a real-time control to
prevent unauthorized intrusion
Deep packet inspection (DPI)- Searches the
individual packets for protocol noncompliance and
employs predefined criteria to decide if a packet can
proceed to its destination.
Flat files are data files that contains record with
no structured relationship to other files.
Data storage efficient data management
captures and stores data only once and makes
this single source available to all users who need
it.
Data updating requires periodic updating to
reflect changes. Users keep separate and
exclusive files.
Currency of information performing multiple
updates is the problem of failing to update all
users. If update is not properly disseminated
DATA MANAGEMENT SYSTEM is a special
software system that programmed to know
which data element each user is authorized to
access.

Access controls are designed to prevent

unauthorized individuals from viewing,
retrieving, corrupting, or destroying the entity’s
data.

Backup controls ensure that in the event of data

loss due to unauthorized access, equipment
failure, or physical disaster the org can recover
its database.

Database authorization table contains rules

that limit the actions a user can take.

User-defined procedures allows user to create a

personal security or routine to provide more
positive user ID than a single password.

Biometric devices which measure various

personal characteristics such as fingerprints

Positive compromise determines the specific

values of a data item

Negative compromise does not have a specific

value

Approximate compromise the user is unable to

determine the exact value of an item but is able
to estimate it with sufficient accuracy

Encryption controls verify sensitive data such as

passwords, are properly encrypted

Grandfather-father-son backup technique that

is used in sequential file batch system

Father or master file processed against the

transaction file to produce a new master file

Destructive replacement data values in direct

access are changed in place