ACCT 351 EXAM 5 CHAP 14-18 STUDY
QUESTIONS AND ANSWERS 2025-2026
What is the most widely used international standard for IT governance?
a. ISACA
b. COSO ERM
c. COBIT
d. COSO Internal Control—Integrated Framework
c. COBIT
Select the statement that is not true about COBIT 2019.
a. Its organizational focus is IT governance.
b. It focuses on all controls for assessing risk and providing assurance throughout
an organization.
c. It is a living document that welcomes feedback.
d. It has five domains and 40 control objectives.
b. It focuses on all controls for assessing risk and providing assurance throughout
an organization.
Which item is not an objective of the IT Evaluate, Direct, and Monitor domain?
a. Ensure IT governance framework setting and maintenance.
b. Ensure IT risk realization.
c. Ensure stakeholder transparency.
d. Manage an IT system of internal control.
d. Manage an IT system of internal control.
One important purpose of COBIT is to
a. guide managers, users, and auditors in adopting best practices related to the
management of information technology.
b. identify specific control plans that could be implemented to reduce the
occurrence of fraud.
c. specify the components of an information system that should be installed in an
e-commerce environment.
d. suggest the type of information that should be made available for management
decision making.
a. guide managers, users, and auditors in adopting best practices related to the
management of information technology.
Which of these logical access controls relates to authorization rather than
authentication?
a. Role-based access
b. Username and password
c. Fingerprint scan
d. Smart card
a. Role-based access
Which of these access roles would you assign to the internal audit manager of a
public company?
a. Administration
b. Creator
c. Read-only
d. Manager
c. Read-only
Eleanor Rigby's Crematorium and Pet Custodian Services wants to choose the
strongest control method for accessing its systems. Eleanor should choose
a. a sign-in log.
b. biometrics.
c. passwords.
d. a two-way mirror.
b. biometrics.
When a client's accounts payable computer system was relocated, the administrator
provided support through a dial-up connection to a server. Subsequently, the
administrator left the company. No changes were made to the accounts payable
system at that time. Which of the following situations represents the greatest
security risk?
a. User passwords are not required to be in alphanumeric format.
b. Management procedures for user accounts are not documented.
c. User accounts are not removed upon termination of employees.
d. Security logs are not periodically reviewed for violations.
c. User accounts are not removed upon termination of employees.
Why did Amazon and Google choose to not build their new data centers near their
headquarters?
a. It wasn't financially feasible.
b. They already owned land elsewhere.
c. It was against regulations.
d. They plan to leave those areas and relocate their headquarters.
a. It wasn't financially feasible.
A security guard opens the door to allow an authenticated person into the data
center. A second person enters behind the first person without properly scanning
through security. This method of circumventing physical access controls is called
a. piggybacking, or tailgating.
b. the access control vestibule.
c. a backup plan.
d. unlawful access.
a. piggybacking, or tailgating.
Which of the following best characterizes the function of a physical access
control?
a. Protects systems from Trojan horses
b. Provides authentication of users attempting to log into the system
c. Separates unauthorized individuals from computer resources
d. Minimizes the risk of a power or hardware failure
c. Separates unauthorized individuals from computer resources
The inside environment of a data center should include all the following except
a. cable management system.
b. backup power supply.
c. fire response systems.
d. heated floors.