Domain 3: 5
An IS auditor finds that user acceptance testing of a new system is being repeatedly interrupted by defect fixes from the developers. Which of the following would be the BEST recommendation for an IS auditor to make? A.Consider the feasibility of a separate user acceptance environment. B.Schedule user testing to occur at a given time each day. C.Implement a source code version control tool. D.Only retest high-priority defects.
A
An IS auditor is reviewing an enterprise's system development testing policy. Which of the following statements concerning use of production data for testing would the IS auditor consider to be MOST appropriate? A.Senior IS and business management must approve use before production data can be used for testing. B.Production data can be used if they are copied to a secure test environment. C.Production data can never be used. All test data must be developed and based on documented test cases. D.Production data can be used provided that confidentiality agreements are in place.
A
An IS auditor is reviewing the software development process for an organization. Which of the following functions are appropriate for the end users to perform? A.Program output testing B.System configuration C.Program logic specification D.Performance tuning
A
An enterprise is developing a new procurement system, and things are behind schedule. As a result, it is proposed that the time originally planned for the test phase be shortened. The project manager asks the IS auditor for recommendations to mitigate the risk associated with reduced testing. Which of the following is a suitable risk mitigation strategy? A.Test and release a pilot with reduced functionality. B.Fix and retest the highest-severity functional defects. C.Eliminate planned testing by the development team, and proceed straight to acceptance testing. D.Implement a test tool to automate defect tracking.
A
An organization is migrating from a legacy system to an enterprise resource planning system. While reviewing the data migration activity, the MOST important concern for the IS auditor is to determine that there is a: A.correlation of semantic characteristics of the data migrated between the two systems. B.correlation of arithmetic characteristics of the data migrated between the two systems. C.correlation of functional characteristics of the processes between the two systems. D.relative efficiency of the processes between the two systems.
A
The PRIMARY objective of performing a postincident review is that it presents an opportunity to: A.improve internal control procedures. B.harden the network to industry good practices. C.highlight the importance of incident response management to management. D.improve employee awareness of the incident response process.
A
Which of the following is an advantage of the top-down approach to software testing? A.Interface errors are identified early. B.Testing can be started before all programs are complete. C.It is more effective than other testing approaches. D.Errors in critical modules are detected sooner.
A
An organization is replacing a payroll program that it developed in-house, with the relevant subsystem of a commercial enterprise resource planning (ERP) system. Which of the following would represent the HIGHEST potential risk? A.Undocumented approval of some project changes B.Faulty migration of historical data from the old system to the new system C.Incomplete testing of the standard functionality of the ERP subsystem D.Duplication of existing payroll permissions on the new ERP subsystem
B
At the completion of a system development project, a post-project review should include which of the following? A.Assessing risk that may lead to downtime after the production release B.Identifying lessons learned that may be applicable to future projects C.Verifying that the controls in the delivered system are working D.Ensuring that test data are deleted
B
During a postimplementation review, which of the following activities should be performed? A.User acceptance testing B.Return on investment analysis C.Activation of audit trails D.Updates of the state of enterprise architecture diagrams
B
When reviewing input controls, an IS auditor observes that, in accordance with corporate policy, procedures allow supervisory override of data validation edits. The IS auditor should: A.not be concerned because there may be other compensating controls to mitigate the risk. B.ensure that overrides are automatically logged and subject to review. C.verify whether all such overrides are referred to senior management for approval. D.recommend that overrides not be permitted.
B
Which of the following is MOST critical when creating data for testing the logic in a new or modified application system? A.A sufficient quantity of data for each test case B.Data representing conditions that are expected in actual processing C.Completing the test on schedule D.A random sample of actual data
B
During the system testing phase of an application development project the IS auditor should review the: A.conceptual design specifications. B.vendor contract. C.error reports. D.program change requests.
C
During which phase of software application testing should an organization perform the testing of architectural design? A.Acceptance testing B.System testing C.Integration testing D.Unit testing
C
From a risk management point of view, the BEST approach when implementing a large and complex IT infrastructure is: A.a major deployment after proof of concept. B.prototyping and a one-phase deployment. C.a deployment plan based on sequenced phases. D.to simulate the new infrastructure before deployment.
C
The IS auditor is reviewing a recently completed conversion to a new enterprise resource planning system. In the final stage of the conversion process, the organization ran the old and new systems in parallel for 30 days before allowing the new system to run on its own. What is the MOST significant advantage to the organization by using this strategy? A.Significant cost savings over other testing approaches B.Assurance that new, faster hardware is compatible with the new system C.Assurance that the new system meets functional requirements D.Increased resiliency during the parallel processing time
C
The specific advantage of white box testing is that it: A.verifies a program can operate successfully with other parts of the system. B.ensures a program's functional operating effectiveness without regard to the internal program structure. C.determines procedural accuracy or conditions of a program's specific logic paths. D.examines a program's functionality by executing it in a tightly controlled or virtual environment with restricted access to the host system.
C
Which of the following is of GREATEST concern to an IS auditor when performing an audit of a client relationship management (CRM) system migration project? A.The technical migration is planned for a Friday preceding a long weekend, and the time window is too short for completing all tasks. B.Employees pilot-testing the system are concerned that the data representation in the new system is completely different from the old system. C.A single implementation is planned, immediately decommissioning the legacy system. D.Five weeks prior to the target date, there are still numerous defects in the printing functionality of the new system's software.
C
Which testing approach is MOST appropriate to ensure that internal application interface errors are identified as soon as possible? A.Bottom-up testing B.Sociability testing C.Top-down testing D.System testing
C
A legacy payroll application is migrated to a new application. Which of the following stakeholders should be PRIMARILY responsible for reviewing and signing-off on the accuracy and completeness of the data before going live? A.IS auditor B.Database administrator C.Project manager D.Data owner
D
An IS auditor is reviewing a project that is using an agile software development approach. Which of the following should the IS auditor expect to find? A.Use of a capability maturity model B.Regular monitoring of task-level progress against schedule C.Extensive use of software development tools to maximize team productivity D.Post iteration reviews that identify lessons learned for future use in the project
D
An IS auditor is reviewing system development for a health care organization with two application environments—production and test. During an interview, the auditor notes that production data are used in the test environment to test program changes. What is the MOST significant potential risk from this situation? A.The test environment may not have adequate controls to ensure data accuracy. B.The test environment may produce inaccurate results due to use of production data. C.Hardware in the test environment may not be identical to the production environment. D.The test environment may not have adequate access controls implemented to ensure data confidentiality.
D
By evaluating application development projects against the capability maturity model (CMM), an IS auditor should be able to verify that: A.reliable products are guaranteed. B.programmers' efficiency is improved. C.security requirements are designed. D.predictable software processes are followed.
D
What kind of software application testing is considered the final stage of testing and typically includes users outside of the development team? A.Alpha testing B.White box testing C.Regression testing D.Beta testing
D
Which of the following system and data conversion strategies provides the GREATEST redundancy? A.Direct cutover B.Pilot study C.Phased approach D.Parallel run
D
