ACC 321 Exam 2 Flashcards
(160 cards)
1
Q
Creating cash using the lag between the time a check is deposited and the time it clears the bank.
A
Check kiting
2
Q
Concealing the theft of cash by means of a series of delays in posting collections to accounts receivable.
A
Lapping
3
Q
A text file created by a website and stored on a visitor’s hard drive.
- store information about who the user is and what the user has done on the site.
A
Cookie
4
Q
Dishonest conduct by those in power which often involves actions that are illegitimate, immoral, or incompatible with ethical standards. Examples include bribery and bid rigging.
A
Corruption
5
Q
Misrepresenting or leaving out facts in order to promote an investment that promises fantastic profits with little or no risk. Examples include Ponzi schemes and securities fraud.
A
Investment fraud
6
Q
Any type of fraud that requires computer technology to perpetrate.
A
Computer fraud or cybercrime
7
Q
Any and all means a person uses to gain an unfair advantage over another person.
A
Fraud
8
Q
Intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements
A
Fraudulent financial reporting
9
Q
Theft of company assets by employees.
A
Misappropriation of assets
10
Q
The condition or situation that allows a person or organization to commit and conceal a dishonest act and convert it to personal gain.
A
Opportunity
11
Q
A person’s incentive or motivation for committing fraud.
A
Pressure
12
Q
The excuse that fraud perpetrators use to justify their illegal behavior.
A
Rationalization
13
Q
An intentional act where the intent is to destroy a system or some of its components.
A
Sabotage
14
Q
Typically, businesspeople who commit fraud.
- usually resort to trickery or cunning, and their crimes usually involve a violation of trust or confidence.
A
White-collar criminals
15
Q
Spyware that causes banner ads to pop up on a monitor, collects information about the user’s web-surfing and spending habits, and forwards it to the adware creator, often an advertising or media organization.
- usually comes bundled with freeware and shareware downloaded from the Internet.
A
Adware
16
Q
Gaining control of someone else’s computer to carry out illicit activities, such as sending spam without the computer user’s knowledge.
A
Hijacking
17
Q
A network of powerful and dangerous hijacked computers that are used to attack systems or spread malware.
A
Botnet
18
Q
Hijacked computers, typically part of a botnet, that are used to launch a variety of Internet attacks.
A
Zombies
19
Q
The person who creates a botnet by installing software on PCs that responds to the bot herder’s electronic instructions. This control over the PCs allows the ______ to mount a variety of Internet attacks.
A
bot herder
20
Q
Trial-and-error method that uses software to guess information, such as the user ID and the password, needed to gain access to a system.
A
Brute force attack
21
Q
Recovering passwords by trying every possible combination of upperand lower-case letters, numbers, and special characters and comparing them to a cryptographic hash of the password.
A
Password cracking
22
Q
When the amount of data entered into a program is greater than the amount of the input buffer. The input overflow overwrites the next computer instruction, causing the system to crash. Hackers exploit this by crafting the input so that the overflow contains code that tells the computer what to do next. This code could open a back door into the system.
A
Buffer overflow attack
23
Q
(insertion) Inserting a malicious SQL query in input such that it is passed to and executed by an application program. This allows a hacker to convince the application to run SQL code that it was not intended to execute.
A
SQL injection attack
24
Q
Taking control of someone else’s phone to make or listen to calls, send or read text messages, connect to the Internet, forward the victim’s calls, and call numbers that charge fees.
A
Bluebugging
25
Making a sender address and other parts of an e-mail header appear as though the e-mail originated from a different source.
E-mail spoofing
26
Displaying an incorrect number on the recipient’s caller ID display to hide the caller’s identity.
Caller ID spoofing
27
Activities performed on stolen credit cards, including making a small online purchase to determine whether the card is still valid and buying and selling stolen credit card numbers.
Carding
28
Planting a small chip that records transaction data in a legitimate credit card reader. The chip is later removed or electronically accessed to retrieve the data recorded on it.
Chipping
29
A fake EMV chip is inserted in a stolen card. When a purchase is declined, the perpetrator persuades the clerk to let the card be swiped, thereby bypassing the EMV verification.
EMV chip bypass
30
(XSS) A vulnerability in dynamic web pages that allows an attacker to bypass a browser’s security mechanisms and instruct the victim’s browser to execute code, thinking it came from the desired website.
Cross-site scripting
31
Hacking into and hijacking computing resources to mine cryptocurrency, thereby avoiding costs that can outweighs the value of the crypto mined.
Crypto jacking
32
Hacking into a wallet or using social engineering tactics to trick a person into revealing the digital keys needed to access their blockchain account.
Crypto wallet attacks
33
Manipulating the number of times an ad is clicked on to inflate advertising bills. Companies advertising online pay from a few cents to over $10 for each click on their ads.
Click fraud
34
The unauthorized copying or distribution of copyrighted software.
Software piracy
35
Threatening to harm a company or a person if a specified amount of money is not paid.
Cyberextortion
36
Software that encrypts programs and data until a ransom is paid to remove it.
Ransomware
37
Using computer technology to support deliberate, repeated, and hostile behavior that torments, threatens, harasses, humiliates, embarrasses, or otherwise harms another person.
Cyberbullying
38
A computer attack in which the attacker sends so many e-mail bombs or web page requests, often from randomly generated false addresses, that the Internet service provider’s e-mail server or the web server is overloaded and shuts down.
Denial-of-service attack (DoS)
39
Software that generates user ID and password guesses using information about the targeted company and a dictionary of possible user IDs and passwords to reduce the number of guesses required.
Dictionary attack
40
Listening to private communications or tapping into data transmissions intended for someone else. One way to intercept signals is by setting up a wiretap.
Eavesdropping
41
Double-swiping a credit card in a legitimate terminal or covertly swiping a credit card in a small, hidden, handheld card reader that records credit card data for later use.
Skimming
42
Theft of information, trade secrets, and intellectual property.
Economic espionage
43
Threats sent to victims by e-mail. The threats usually require some follow-up action, often at great expense to the victim.
E-mail threats
44
Using an Internet auction site to defraud another person.
Internet auction fraud
45
Techniques which use malware to infect online checkout pages and steal a customer’s personal and payment information.
E-skimming
46
A wireless network with the same name (Service Set Identifier) as a legitimate wireless access point.
Evil twin
47
Setting up similarly named websites so that users making typographical errors when entering a website name are sent to an invalid site.
Typosquatting/URL hijacking
48
Unauthorized access, modification, or use of an electronic device or some element of a computer system.
Hacking
49
Making a sender address and other parts of an e-mail header appear as though the e-mail originated from a different source.
E-mail spoofing
50
Assuming someone’s identity, usually for economic gain, by illegally obtaining confidential information such as a Social Security number or a bank account or credit card number.
Identity Theft
51
Using the Internet to spread false or misleading information.
Internet misinformation
52
Using the Internet to pump up the price of a stock and then sell it.
Internet pump-and-dump fraud
53
Software that records computer activity, such as a user’s keystrokes, e-mails sent and received, websites visited, and chat session participation.
Keylogger
54
Inserting a sleeve into an ATM that prevents it from ejecting the card. The perpetrator pretends to help the victim, tricking the person into entering the PIN again. Once the victim gives up, the thief removes the card and uses it and the PIN to withdraw money.
Lebanese looping
55
Any software that is used to do harm.
Malware
56
A hacker placing himself between a client and a host to intercept communications between them; also called session hijacking.
Man-in-the-middle attack (MITM)
57
Gaining access to a system by pretending to be an authorized user. This requires that the perpetrator know the legitimate user’s ID and passwords.
Masquerading/impersonation
58
(1) Tapping into a communications line and electronically latching onto a legitimate user who unknowingly carries the perpetrator into the system.
(2) The clandestine use of a neighbor’s Wi-Fi network.
(3) An unauthorized person following an authorized person through a secure door, bypassing physical security controls.
Piggybacking
59
Programs that capture data from information packets as they travel over the Internet or company networks. Captured data is sifted to find confidential or proprietary information.
Packet sniffers
60
A program that can merge confidential information with a seemingly harmless file, password protect the file, and send it anywhere in the world, where the file is unlocked and the confidential information is reassembled.
The host file can still be heard or viewed because humans are not sensitive enough to pick up the slight decrease in image or sound quality.
Steganography program
61
Software program flaws that a hacker can exploit to either crash a system or take control of it.
Vulnerabilities
62
An attack between the time a new software vulnerability is discovered and “released into the wild” and the time a software developer releases a patch to fix the problem.
Zero-day attack
63
Code released by software developers that fixes a particular vulnerability.
Patch
64
Attacking phone systems to obtain free phone line access; use phone lines to transmit malware; and to access, steal, and destroy data.
Phreaking
65
Sending an electronic message pretending to be a legitimate company, usually a financial institution, and requesting information or verification of information and often warning of a consequence if it is not provided. The request is bogus, and the information gathered is used to commit identity theft or to steal funds from the victim’s account.
Phishing
66
Redirecting website traffic to a spoofed website.
Pharming
67
Using an invented scenario (the pretext) that creates legitimacy in the target’s mind in order to increase the likelihood that a victim will divulge information or do something.
Pretexting
68
Creating a seemingly legitimate business, collecting personal information while making a sale, and never delivering the product.
Posing
69
Using a small device with storage capacity (iPod, flash drive) to download unauthorized data from a computer.
Podslurping
70
Stealing tiny slices of money from many different accounts.
Salami technique
71
Instructing the computer to round down all interest calculations to two decimal places. The fraction of a cent rounded down on each calculation is put into the programmer’s account. Most frequently found in financial institutions that pay interest.
Round-down fraud
72
Exchanging sexually explicit text messages and revealing pictures with other people, usually by means of a phone.
Sexting
73
A means of concealing system components and malware from the operating system and other programs; can also modify the operating system.
Rootkit
74
A segment of executable code that attaches itself to a file, program, or some other executable system component. When the hidden program is triggered, it makes unauthorized alterations to the way a system operates.
Virus
75
Malicious software of no benefit that is sold using scare tactics.
Scareware
76
Searching documents and records to gain access to confidential information.
- methods include searching garbage cans, communal trash bins, and city dumps.
Scavenging/dumpster diving
77
When perpetrators look over a person’s shoulders in a public place to get information such as ATM PIN numbers or user IDs and passwords.
Shoulder surfing
78
The unauthorized copying or distribution of copyrighted software.
Software piracy
79
The techniques or psychological tricks used to get people to comply with the perpetrator’s wishes in order to gain physical or logical access to a building, computer, server, or network. It is usually to get the information needed to obtain confidential data.
Social engineering
80
Phishing except that texts are used to induce unsuspecting recipients to disclose personal information.
Smishing
81
Software that secretly monitors computer usage, collects personal information about users, and sends it to someone else, often without the computer user’s permission.
Spyware
82
Altering some part of an electronic communication to make it look as if someone else sent the communication in order to gain the trust of the recipient.
Spoofing
83
Using short message service (SMS) to change the name or number a text message appears to come from.
SMS spoofing
84
Sending an electronic message pretending to be a legitimate company, usually a financial institution, and requesting information or verification of information and often warning of a consequence if it is not provided. The request is bogus, and the information gathered is used to commit identity theft or to steal funds from the victim’s account.
Web-page spoofing
85
Simultaneously sending the same unsolicited message to many people, often in an attempt to sell them something.
Spamming
86
A program that lies idle until some specified circumstance or a particular time triggers it. Once triggered, the program sabotages the system by destroying programs or data.
Time bomb/logic bomb
87
A set of computer instructions that allows a user to bypass the system’s normal controls.
Trap door/back door
88
A set of unauthorized computer instructions in an authorized and otherwise properly functioning program.
Trojan horse
89
Software that destroys competing malware. This sometimes results in “malware warfare” between competing malware developers.
Torpedo software
90
Voice phishing; it is like phishing except the victim enters confidential data by phone.
Vishing
91
Programming a computer to dial thousands of phone lines searching for dialup modem lines. Hackers hack into the PC attached to the modem and access the network to which it is connected.
War dialing
92
Driving around looking for unprotected home or corporate wireless networks.
War driving
93
Similar to a virus, except that it is a program rather than a code segment hidden in a host program.
- also copies itself automatically and actively transmits itself directly to other systems.
Worm
94
The examination of the relationships between different sets of data; abnormal or unusual relationships and trends should be further investigated.
Analytical review
95
- Controls that prevent, detect, and correct transaction errors and fraud in application programs.
- They are concerned with the accuracy, completeness, validity, and authorization of the data captured, entered into the system, processed, stored, transmitted to other systems, and reported.
Application controls
96
The outside, independent board of director members responsible for financial reporting, regulatory compliance, internal control, and hiring and overseeing internal and external auditors.
Audit committee
97
- A path that allows a transaction to be traced through a data processing system from point of origin to output or backwards from output to point of origin.
- It is used to check the accuracy and validity of ledger postings and to trace changes in general ledger accounts from their beginning balance to their ending balance.
Audit trail
98
The process of restricting access of authenticated users to specific portions of the system and limiting what actions they are permitted to perform.
Authorization
99
An investigation of a prospective or current employee that involves verifying their educational and work experience, talking to references, checking for a criminal record or credit problems, and examining other publicly available information.
Background checks
100
System that describes how a company creates value, helps employees understand management’s vision, communicates company core values, and inspires employees to live by those values.
Belief system
101
System that helps employees act ethically by setting boundaries on employee behavior. Instead of telling employees exactly what to do, they are encouraged to creatively solve problems and meet customer needs while meeting minimum performance standards, shunning off-limit activities, and avoiding actions that might damage their reputation.
Boundary system
102
Process of making sure changes are made smoothly and efficiently and do not negatively affect the system.
Change management
103
(CCO) An employee responsible for all the compliance tasks associated with SOX and other laws and regulatory rulings.
Chief compliance officer
104
Cooperation between two or more people in an effort to thwart internal controls.
Collusion
105
(COSO) A privatesector group consisting of the American Accounting Association, the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute.
Committee of Sponsoring Organizations
106
Computer experts who discover, extract, safeguard, and document computer evidence such that its authenticity, accuracy, and integrity will not succumb to legal challenges.
Computer forensics specialists
107
People who operate the company’s computers. They ensure that data are input properly, processed correctly, and that needed output is produced
Computer operators
108
(CSO) An employee independent of the information system function who monitors the system, disseminates information about improper system uses and their consequences, and reports to top management.
Computer security officer
109
Policies, procedures, and rules that provide reasonable assurance that control objectives are met and risk responses are carried out.
Control activities
110
The company culture that is the foundation for all other internal control components, as it influences how organizations establish strategies and objectives; structure business activities; and identify, assess, and respond to risk.
Control environment
111
(COBIT) A security and control framework that allows
(1) management to benchmark the security and control practices of IT environments,
(2) users of IT services to be assured that adequate security and control exist, and
(3) auditors to substantiate their internal control opinions and advise on IT security and control matters.
Control Objectives for Information and Related Technology
112
Controls that identify and correct problems as well as correct and recover from the resulting errors, such as maintaining backup copies of files, correcting data entry errors, and resubmitting transactions for subsequent processing.
Corrective controls
113
Controls designed to discover control problems that were not prevented, such as duplicate checking of calculations and preparing bank reconciliations and monthly trial balances.
Detective controls
114
Controls that deter problems before they arise, such as hiring qualified accounting personnel; appropriately segregating employee duties; and effectively controlling physical access to assets, facilities, and information.
Preventive controls
115
People who ensure that source data is approved, monitor the flow of work, reconcile input and output, handle input errors, and distribute systems output.
Data control
116
People responsible for making sure a system operates smoothly and efficiently.
Systems administrators
117
People who ensure that the organization’s networks operate properly.
Network Managers
118
People who make sure systems are secure and protected from internal and external threats.
Security Management
119
Process of making sure changes are made smoothly and efficiently and do not negatively affect the system.
Change management
120
An executive-level committee to plan and oversee the information systems function; it typically consists of management from systems and other areas affected by the information systems function
Steering committee
121
A multiple-year plan of the projects the company must complete to achieve its long-range goals.
Strategic master plan
122
Document showing project requirements (people, hardware, software, and financial), a cost–benefit analysis, and how a project will be completed (modules or tasks to be performed, who will perform them, and completion dates).
Project development plan
123
Points where progress is reviewed and actual and estimated completion times are compared.
Project milestones
124
A schedule that shows when each data processing task should be performed.
Data processing schedule
125
Ways to evaluate and assess a system. Common measurements include throughput (output per unit of time), utilization (percentage of time the system is being productively used), and response time (how long it takes the system to respond).
System performance measurements
126
(1) The total amount of useful work performed by a computer system during a given period of time.
(2) The number of “good” units produced in a given period of time.
Throughput
127
The percentage of time a system is used.
Utilization
128
How long it takes for a system to respond, such as the amount of time that elapses between making a query and receiving a response.
Response time
129
An outside party hired to manage a company’s systems development effort.
Systems integrator
130
System that measures, monitors, and compares actual company progress to budgets and performance goals; feedback helps management adjust and fine-tune inputs and processes so future outputs more closely match goals.
Diagnostic control system
131
A hash encrypted with the hash creator’s private key.
Digital signature
132
The mathematical product of the potential dollar loss that would occur should a threat become a reality (called impact or exposure) and the risk or probability that the threat will occur (called likelihood).
Expected loss
133
Any potential adverse occurrence or unwanted event that could injure the AIS or the organization. Also referred to as an event.
Threat
134
The potential dollar loss if a particular threat becomes a reality.
Exposure/impact
135
The probability that a threat will come to pass.
Likelihood/risk
136
(FCPA) Legislation passed to prevent companies from bribing foreign officials to obtain business; also requires all publicly owned corporations maintain a system of internal accounting controls.
Foreign Corrupt Practices Act
137
Individuals who specialize in fraud, most of whom have specialized training with law enforcement agencies such as the FBI or IRS or have professional certifications such as Certified Fraud Examiner (CFE).
Forensic investigators
138
A phone number employees can call to anonymously report fraud and abuse.
Fraud hotline
139
The authorization given employees to handle routine transactions without special approval.
General authorization
140
Controls designed to make sure an organization’s information system and control environment is stable and well managed, such as security; IT infrastructure; and software acquisition, development, and maintenance controls.
General controls
141
The susceptibility of a set of accounts or transactions to significant control problems in the absence of internal control.
Inherent risk
142
The risk that remains after management implements internal controls or some other response to risk.
Residual risk
143
System that helps managers to focus subordinates’ attention on key strategic issues and to be more involved in their decisions; system data are interpreted and discussed in face-to-face meetings of superiors, subordinates, and peers.
Interactive control system
144
The processes and procedures implemented to provide reasonable assurance that control objectives are met.
Internal controls
145
(IC) A COSO framework that defines internal controls and provides guidance for evaluating and enhancing internal control systems; widely accepted authority on internal controls incorporated into policies, rules, and regulations used to control business activities.
Internal Control—Integrated Framework
146
People who ensure that the organization’s networks operate properly.
Network managers
147
Computing systems that imitate the brain’s learning process by using a network of interconnected processors that perform multiple operations simultaneously and interact dynamically.
Neural networks
148
A document that explains proper business practices, describes needed knowledge and experience, explains document procedures, explains how to handle transactions, and lists the resources provided to carry out specific duties; it includes the chart of accounts, copies of forms and documents, and is a helpful on-the-job reference and training tool.
Policy and procedures manual
149
Review made after a new system has been operating for a brief period to ensure that the new system is meeting its planned objectives, identify the adequacy of system standards, and review system controls.
Postimplementation review
150
People who use the analysts’ design to create and test computer programs.
Programmers
151
(PCAOB) A board created by SOX that regulates the auditing profession; created as part of SOX.
Public Company Accounting Oversight Board
152
The amount of risk a company is willing to accept to achieve its goals and objectives. To avoid must be in alignment with company strategy.
Risk appetite
153
(SOX) Legislation intended to prevent financial statement fraud, make financial reports more transparent, provide protection to investors, strengthen internal controls at public companies, and punish executives who perpetrate fraud.
Sarbanes–Oxley Act
154
Separating the accounting functions of authorization, custody, and recording to minimize an employee’s ability to commit fraud.
Segregation of accounting duties
155
Implementing control procedures to clearly divide authority and responsibility within the information system function.
Segregation of systems duties
156
Special approval an employee needs in order to be allowed to handle a transaction.
Specific authorization
157
An executive-level committee to plan and oversee the information systems function; it typically consists of management from systems and other areas affected by the information systems function.
Steering committee
158
People who help users determine their information needs, study existing systems and design new ones, and prepare specifications used by computer programmers
Systems analysts
159
An outside party hired to manage a company’s systems development effort.
Systems integrator
160
People who record transactions, authorize data processing, and use system output.
Users
