Domain 3: IS Acquisition, Development & Implementation

An IT system that now allows the corporate office to view data from their individual sales offices introduces the most change to:

Company politics. This change would affect the dynamics of the organization giving more authority to individual sales units leading inevitably to company politics.

Why is the Function Point Analysis (FPA) methodology used?

Forecast of resources, and the complexity of requirements. Function Point Analysis technique uses parameters such as the inputs' number or the total count of outputs, and the intricacy to estimate all requirements in terms of size and schedule.

During an application audit, an IS auditor is asked to provide assurance of the database referential integrity. Which of the following should be reviewed?

Foreign key structure. Referential integrity in a relational database refers to consistency between coupled tables. Referential integrity is usually enforced by the combination of a primary key or candidate key (alternate key) and a foreign key.

Which of these keys best ensures referential integrity between the data elements in different database tables?

Foreign. A foreign key ensures linking of common data between different database tables, and is used with tables to decompose information in the database.

Which of these reflects the need for a system accreditation?

Management becomes accountable. Management is responsible for the system to befit for use, and becomes accountable for the success or liable for a failure.

Which technique should the IS auditor use as a testing process to identify specific program logic that has not been tested?

Mapping. Mapping identifies specific program logic that has not been tested and analyzes programs to signify whether program statements have been implemented during the execution or not.

In the SDLC model, the software certification testing actually occurs in:

Phase 4 (Development) and phase 5 (Implementation). Software certification testing starts during phase 4 that is the development phase and continues into phase 5 which is implementation testing.

It is imperative to follow stringent change control processes, which are most complex in _________?

Prototyping. Change control is most complex during prototyping, because rapid changes are often not documented, and do not go through formal approvals.

Name the terminology that defines a program's coding by using a template within an integrated software development environment?

Pseudocoding. Software developers make use of pseudocoding for writing programs into a project template. This template lies within the integrated development environment (IDE).

An IS auditor noted that there was a system crash incident on the first day of fieldwork after a security patch was installed. To provide reasonable assurance that this event would not recur, an IS auditor should ensure that:

the client's change management process is adequate. The change management process, which would include procedures regarding implementing changes during production hours, helps to ensure this type of event does not recur. An IS auditor should review the change management process, including patch management procedures, to verify that the process has adequate controls and to make suggestions accordingly.

An enterprise is developing a new procurement system, and things are behind schedule. As a result, it is proposed that the time originally planned for the testing phase be shortened. The project manager asks the IS auditor for recommendations to mitigate the risks associated with reduced testing. Which of the following is a suitable risk mitigation strategy?

Test and release a pilot with reduced functionality. Option A reduces risks in a number of ways. Reduced functionality should result in fewer overall test cases to run and defects to fix and retest, and in less regression testing. A pilot release made available to a select group of users will reduce the risks associated with a full implementation.

An IS auditor is evaluating the effectiveness of the organization's change management process. What is the MOST important control that the IS auditor should look for to ensure system availability?

That test plans and procedures exist and are closely followed. The most important control for ensuring system availability is to implement a sound testing plan and procedures which are consistently followed.

Define atomicity.

Transactions completed in entirety, or backed out of the database. Database integrity is assured by completely backing out transactions that could not be completed in their entirety.

The GREATEST advantage of rapid application development (RAD) over the traditional system development life cycle (SDLC) is that it:

shortens the development time frame. The greatest advantage of RAD is the shorter time frame for the development of a system. Choices A and B are true, but they are also true for the traditional systems development life cycle. Choice C is not necessarily always true.

What kind of software application testing is considered the final stage of testing and typically includes users outside the development team?

Beta. Beta testing is the final stage of testing and typically includes users outside the development area. Beta testing is a form of user acceptance testing (UAT), and generally involves a limited number of users who are external to the development effort.

Various types of testing is used in software development for ensuring proper functionality. Name the type of testing for assessing the functionality on a commercially compiled software.

Black-box. We humans can't read complied software. Black-box testing helps in running a sample transaction all through the system. In order to verify if the output is correct or not; the original input is compared then. This shows what the customer needed from the system.

When selecting a supplier package, organizations should consider all of the following except:

A. Stability of the supplier company B. Supplier' s ability to provide support C. Required modifications to the base software D. Sales and marketing literature Answer: D. The Sales and marketing literature would provide all the facts required to make a judgment decision for selecting a package. All other choices are pertinent

At what phase of testing does user acceptance appear for a new app software?

Acceptance. The last stage before installing the software which is available for use is the stage of acceptance testing.

Differentiate between accreditation and certification.

Accreditation describes if a view of the management is fit or not and certification is a test that is technical. Certification is a technical process of testing. Accreditation is a management process that gives out any approval that is based on its aptness of usage.

Development projects can be complex, and plan their outputs and deliverables as a result of work breakdown over several phases. What does a work breakdown structure imply?

Activity decomposition into tasks for delivering an output. A work breakdown structure decomposes the activities into tasks that are required to run the project and produce deliverables.

Software development projects with dynamic requirements, short schedules, quick wins, and limited resources would use which of the given options?

Agile Software Development. Agile Software Development uses time-boxes management with fixed scope and identified deliverables that trades-off between software quality and project schedule. Every additional iterations provide additional software modules.

Which of the following methods are referred by the programming software modules that use a time-box style of management?

Agile. Agile uses time-box management for quick iterations of software prototypes. This is made possible by small associations of talented programmers.

In a small organization, emergency changes may be suggested by the developers for release to production directly. How will the risk in this scenario be BEST controlled?

Approving the change and documenting it on the next day. It may be apt to let programmers make emergency changes, provided they are approved and documented in the first place.

Name the principle that comprises the concept of all or nothing.

Atomicity, consistency, isolation, and durability. The ACID principle of database transaction talks about consistency, atomicity (all or nothing), isolation (independent transactions that operate on their own), and durability (where data is properly maintained).

In order to maintain data integrity in an online transaction processing system, it is important to make sure that a transaction is either completed fully or not. This principle of data integrity refers to:

Atomicity. The principle of atomicity needs a transaction that is either fully completed or not. This is required because in case an error or interruption takes place, all the changes that were undertaken to that point would be backed out. Consistency surely maintains each integrity condition in the database with each transaction. Isolation is done so that each transaction isolates from other transactions. Therefore, a transaction will only able to access data that is within a steady database state. Durability makes it a point that when a transaction is sent to a user in the complete status, the final changes to the database are not impacted by the subsequent software or hardware failures.

An IS auditor has undertaken a review of the configuration parameters in a software development project. Why is this review done?

Change settings must set the minimum requirements for adequate and essential security. Change security settings define the accountability and integrity of data. Beyond this, changes should be studied for impact analysis, and properly approved by the Change Control Board. Evidence of inadequate security is revealed through the study of folders under configuration management.

A laptop computer belonging to a company database administrator (DBA) and containing a file of production database passwords has been stolen. What should the organization do FIRST?

Change the database password. The password should be changed immediately since there is no way to know whether it has been compromised. While the IS audit department should be notified, this should not be the first action. Changing the DBA account name could impact production database servers and thus would not be a good idea. Similarly, suspending the DBA account could impact the production database servers.

While assessing an organization's data file control procedures, an IS auditor realizes that transactions are run for the most current files, while the restart procedures used previous versions. What should the IS auditor recommend to imply?

Controlling version usage. For correct processing, it is important that the file is used in its proper version. Transactions should be run for the latest database and restart procedures should use previous versions.

Which of the following is the best method of assessing the logic used in software of a programming script?

Crystal box. Crystal-box testing which is also called white-box testing helps in reviewing the logic in the software that is formulated using a programming script. The script is readable till the time it is not compiled. Compiled programs can be tested using a black-box method.

An IS team has decided to code a new application in a 4GL software. What is the advantage of this technology?

Cuts developmental time and effort for functions, but has no business logic rules built-in. GL's built-in script authoring and report writing utilities automates access to the database.

Which of the given tests checks the authorization and completeness of information contained in a record?

Data integrity. A data integrity test checks the correctness of data traced through the processing cycle, and reviews the input authorization and extensiveness of data processing. It also verifies if the results are correct.

Which of the following represents a search for correlations in the data?

Data mining. The process of data mining is to search the available data in the data warehouse for correlations. Data is collected from various databases with a snapshot utility, and copied to the data warehouse. The data is searched for correlations that may provide useful information. These correlations are then stored in the data mart for the user to review.

Online banking transactions are added to the database when the processing suddenly stops. By what means can one ensure the integrity of the transaction processing?

Database commits and rollbacks. When the transaction is under process, the database commits ensure the data are getting saved to the disk. Rollback makes sure that the already completed processing is reversed, and the data that was already processed are not saved to the disk all over again when the transaction processing has completed or failed.

One of the primary responsibilities of a database team is to normalize the database. What does this imply?

Decrease data duplication by sizing smaller data tables. Database normalization minimizes data duplication by standardizing the database table layout, and minimizing individual table sizes for quicker search.

Systems and Data modeling have various diagramming methods of representation. A popular method is the Entity-relationship diagrams (ERD). In which of the following options are these methods used?

Defining database design schema for requirements. ERD diagrams are used to define the database structure. An entity-relationship diagram (ERD) details how to structure the data, and the interrelationships with other data. Data flow diagrams are then used to show the business logic and data-transformation procedures.

The main objective of a post-implementation review is:

Determining if its organizational objectives are fulfilled. Post-implementation review can manage to estimate if the organizational objectives are fulfilled or not. The review will verify if the internal controls are existing and in use or not.

'Segregation of duties' is a cardinal security principle. Which category of employees under this principle cannot move software system changes from the system development environment to the production environment?

Developers. Under the "segregation of duties" principle, developers do not have the write access into the production system, as older versions or incorrectly compiled mode might be put to live use by error. The configuration administrator is responsible for checking the latest and correct system software into the production environment.

A project of software development has to be audited in its post-implementation phase by an IS auditor development project. During which of the following stages should the actual software certification testing be carried out?

Development, Implementation, and Post-implementation. Software certification testing is run during development, implementation, and post-implementation. First, certification tests are run during the development and repeated several times during implementation before it goes live in production. The performance or requirements are rechecked during post-implementation. After the documented improvements are implemented, the system is recertified and must undergo at least one check annually.

Which of the following would BEST prevent power outages?

Dual power leads. The best way to prevent power outages is to install power leads from two different power substations. It is not uncommon for a power transfer switch to fail during a power outage; it would not prevent a power outage, but is used to handle the impact of such outages.

Which of the given entities can initiate a change request in a process?

End users, Testing team, Development team. Any of the given entities can request changes to a development system. But change control must be monitored and approved, and a risk assessment should be made before the change is implemented.

An IS auditor is not competent to review a technology product, and has requested expert help. What should the auditor keep in mind?

Ensure an expert's competence and independence. If the auditor is not an expert, other subject matter experts are used to audit after reviewing their competence, experience, and independence. However, oversight is required and risk assessment run on this service.

An enterprise uses privileged accounts to process configuration changes for mission-critical applications. Which of the following would be the BEST and appropriate control to limit the risk in such a situation?

Ensure that supervisory approval and review are performed for critical changes. Supervisory approval and review of critical changes by accountable managers in the enterprise are required to avoid any unauthorized change.

Which of the following is the use of regression testing?

Ensures that changes do not have undesirable effect on other components. Regression testing checks the software for problems that would have a negative effect on other components.

An IS auditor needs to review the procedures used to restore a software application to its state prior to an upgrade. Therefore, the auditor needs to assess:

Fallback procedures. Fallback procedures are used to restore a system to a previous state and are an important element of the change control process. The other choices are not related to the change control process—a process which specifies what procedures should be followed when software is being upgraded.

During software development projects, estimation of size and scope are very significant factors. Several methodologies are available to estimate the work during the initial phase. Which of these methods use parameters such as user inputs, user outputs, reports, screens, and interfaces to generate an estimate?

Function Point Analysis methodology. Function Point Analysis methodology is used by several software organizations. It is computed by taking various pertinent parameters such as the number of inputs, outputs, reports, screens, and interfaces and their degree of complexity to arrive at a size estimate. This is further translated into timelines based on the number of developers available and cost. The other methodologies, Lines of Cod

Describe the benefits of the integrated development environment (IDE).

Generating and debugging the program code. The integrated development environment runs a program code generation automatically and ensures online debugging for certain types of errors. It does not substitute the traditional planning process. IDE does not amend the testing requirements in SDLC phase 4. Full testing needs to take place.

In expert systems, which of the following reflect an inference engine?

Heuristics are used for decision making. The inference engine uses heuristic programming, which is self-learning by sorting through several knowledge bases for possible answers. It's recorded in objects or semantic networks, and gets better with experience.

Interfaces are another form of:

Input. Interfaces transmit data from one system to another and are therefore inputs.

When is user acceptance testing carried out in the Waterfall software development cycle?

Implementation. User acceptance tests are run during the Implementation phase of the Waterfall cycle. The user determines whether the requirements are met and the end product is acceptable.

User acceptance testing should occur in which of the following environments?

In the configuration controlled testing or staging library. One can perform acceptance testing in an ideal configuration controlled environment with versioned software modules.

Which of the following business process re-engineering strategies requires large amounts of time for reviewing the current process?

Incremental. An incremental process requires longer time to review the current process, and therefore has little or no impact.

Why is reverse engineering considered unsafe for an organization?

Is often in violation of the user license agreement. A user's license agreements are directly violated by reverse engineering and this leads to stringent legal actions.

Choose among the following to explain a program object in the best way when it is a part of an object-oriented programming?

It comprises methods as well as data. Program objects comprise methods as well as data so a desired task can be easily performed. The object can be delegated to another object in OOP.

To simplify complex development systems, a variety of techniques are used. A popular technique is the Unified Modeling Language (UML). What is it used for?

It is a notational language used for specifying and visualizing object-oriented software. Unified Modeling Language (UML) is a complex development tool for object-oriented software development. It normally needs good domain understanding in addition to the development techniques.

During a software development project audit, the CISA finds the requirements fuzzy. What potential impact could this primarily have on the project quality?

Lack of adherence to specifications. Quality is primarily the result of conformance to specifications. Requirements must reflect the specifications intended for use. The lack of requirement controls significantly impact the quality, and lead to customer dissatisfaction.

Software Reverse Engineering occurs when a source code is taken apart to see how it operates to replicate or improve. Which of the given risks are incurred when Reverse Engineering is undertaken?

License agreement violation. Reverse Engineering of the source or a compiled code is legally not permissible, and would imply a legal violation of end-user licensing agreements. Legal issues also arise due to copyright violation, and calls for legal action pertaining to theft of copyright.

In auditing an automated change control system, an auditor reviews all of the following except:

License agreements. The license agreement is not required to be reviewed by the auditor when reviewing the change controls. All others are pertinent.

What could be solved through denormalization?

Loss of data integrity. Normalization means getting rid of redundant data elements from the database structure. Deactivating normalization in relational databases will result in redundanc

Viruses pose all of the following risks except:

Loss of paper documents. Virus affects only electronic forms and systems so paper documents would not be impacted.

What should be the log in procedure for a database administrator (DBA) who wants to make emergency changes to a database after normal working hours?

Make the changes with their named account. Before making use of the DBA account, the named user account must be used for logging in. This will provide accountability of the one who is incorporating the changes.

An IS auditor is reviewing an IS operation that is substantially outsourced. Which of these is an incorrect fact about outsourcing?

Minimizes key personnel loss. Highly skilled and experienced employees are down-scaled or made redundant, hence would be difficult to replace. However, outsourcing also provides efficiencies through economies of scale, but are difficult or expensive to bring back.

A project development team is considering using production data for their test deck. The team scrubbed sensitive data elements from the bed before loading it into the test environment. Which of the following additional concerns should an IS auditor have with this practice?

Not all functionality will be tested. A primary risk of using production data in a test deck is that not all transactions or functionality may be tested if there are no data that meet the requirement.

For how long a full system accreditation normally last?

One year. Full accreditation runs for one year. Annual renewal is needed. Management must reaccredit systems on a yearly basis. Temporary or restricted accreditation lasts only for 90 or 180 days

Which of these entities contains methods and programming that can be modified by the user or operator?

Open systems. An open system includes the source code that can be read as well as utilized to design documents for the user or operator to make the required changes.

How can one justify the price of designing with the management of a quality program?

Price of failure. Quality conforms to specifications and is measured in the same way. Price of nonconformance or cost of failure means when added costs for failing to meet the specification are known. Costs of failure facilitate an excellent tool for justifying the funding of preventative controls.

Which type of audit would the auditor use to check the characteristics against design conditions?

Product. Product audits compare design specifications against the attributes of a finished product. Auditors' use this audit during certification of a customized software or before a software product releases.

In software development, which of these is popularly used for showing a project's critical route?

Program Evaluation Review Technique. Program Evaluation Review Technique networks show the critical path of a project.

Software projects can use either Gantt Charts or Program Evaluation Review Techniques. What is the difference between using either of these techniques in a developmental project?

Program Evaluation Review Techniques create work packages sequentially derived from the work breakdown structure to show different paths. Gantt Charts are bar charts showing sequence of activities on a calendar using Work Breakdown structures. A Program Evaluation Review Technique diagram represents various paths a project can take to complete its activities including the critical route. It is the shortest way possible to accomplish the project. Project Managers use data from the Gantt chart, which has sequenced and scheduled activities on a calendar to build a PERT diagram.

In a software development project, which entity is accountable and responsible for the entire project including it's schedule, quality and budget?

Project Governance Committee. While all the project team members are responsible for project success, and the Project Manager for operational project management, it is the Project Governance committee that controls the requirements and overall scope and needs to bear accountability and responsibility for the project schedule, scope, and budget.

Which of these organizational structures gives the greatest power to a Project Manager?

Projectized. It is in a projectized organization that the highest power can be enjoyed by a Project manager. Then, comes the matrix. The functional structure has no involvement or power.

Which of these development methodologies do not require extensive planning and requirement analysis for a major system?

Rapid Application Development. Rapid Application Development enables building systems rapidly at low cost using time boxed schedules. 42. In software analysis

Which of these processes is not required by the configuration management?

Release schedule. Configuration management requires three essential components: Configuration of each item, version control of every change, and reporting of the current configuration as it is built and has been facilitated to the customer. Release schedule is not required

In software systems, relational databases are frequently used. What is the output of normalizing the database?

Removing redundant and duplicate data. In order to perform a meaningful search, database tables need to be optimized. Normalization implies removing redundant or excessive data from the database tables. The requirement here is to improve speed and efficiency during a database search. Each additional data is positioned in other database tables, while referring links that allow retrieval when required.

What are the primary risks in a system development project?

Risk of indisciplined development and poor project management practices. Indiscipline in system development and poor project management practices are the primary risks in a project.

The IS auditor has reviewed application security and found several inadequacies. Which of these can the IS team use to fix the inadequacies without recurring issues?

Run a regression test before putting the final version into production. To ensure the bugs are not introduced before a system goes into production, the IS team must run a regression test to ensure the controls are not mitigated in a development environment prior to implementation in production.

Which SDLC phase makes use of Function Point Analysis (FPA)?

SDLC phase 1: Feasibility Study. Function Point Analysis (FPA) helps in estimating the effort needed to develop the software. FPA is used during SDLC phase 1 which is the Feasibility Study phase, to formulate estimates by calculating the multiplication of the number of inputs and outputs against a mathematical factor.

An IS auditor is reviewing an enterprise's system development testing policy. Which of the following statements concerning use of production data for testing would the IS auditor consider to be MOST appropriate?

Senior IS and business management must approve use before production data can be utilized for testing. There are risks associated with the use of production data for testing. These include compromising customer or employee confidentiality (which may also involve breaching legislation) and corrupting production of the data. Additionally, there are certain cases in which effective testing requires specifically designed data.

How many phases are there in a Software Development Life Cycle?

Seven. The Software Development Life Cycle contains seven phases: Feasibility, Requirements, Design, Development, Implementation, Post-implementation, and Disposal.

Software systems need to be tested at various stages to ensure they are fit for use. In a target environment, what type of testing is undertaken to ensure the system is not in conflict with other systems?

Sociability. Sociability testing tests a software system in a target environment. All other tests are run to ensure the software systems and it's functions are fit for use.

Data warehousing is increasingly used for churning large amounts of data. Which of the following best defines a data mart?

Stores data mining results. Data mart stores the results of data mining, which drills down the data available in data warehouses checking for associations.

What is the meaning of critical path in project scheduling?

Successive activities with the longest total time. A critical path is a series of successive project activities necessary to fulfill the minimum requirement, and is represented by the longest total time and the shortest route to completion.

In regard with the software escrow, which of the following is the most significant issue.

The client can only use the software and not own it, unless more amount is paid. The client can only use the software and does not have the right of ownership. The client may request for software escrow to gain full rights over the software if the vendor runs out of business.

An enterprise is evaluating the adoption of cloud computing and web virtualization instead of acquiring new IT infrastructure for a development environment. What is the IS auditor's GREATEST concern?

The project's business case has not been established. As with any IT investment, it is always recommended that the benefits and return on investment (ROI) be documented with a clear business case that can be shared and approved by management. All IT investments must support the business. Benchmarks are good indicators, but not sufficient to demonstrate the optimal aspect of this IT investment.

Which of the following does the RFP process considers as a major concern?

The proposals of the vendor go through an objective review to ensure their alignment with the objectives of the organization. Each proposal has to go through an objective review to figure out whether the offer is is in proper alignment with the organizational objectives. RFP review is the formal process that is supposed to be handled as a project.

An IS auditor is reviewing system development for a healthcare organization with two application environments- production and test. During an interview, the auditor notes that production data are used in the test environment to test program changes. What is the MOST significant potential risk from this situation?

The test environment may not have adequate access controls implemented to ensure data on confidentiality. In many cases the test environment is not configured with the same access controls that are enabled in the production environment.

Which of the following should be an IS auditor's PRIMARY concern after discovering that the scope of an IS project has changed and an impact study has not been performed?

The time and cost implications caused by the change. Any scope change might have an impact on duration and cost of the project; that is the reason why an impact study is conducted and the client is informed of the potential impact on the schedule and cost. A change in scope does not necessarily impact the risk that regression tests will fail, that users will reject the change or that the project team will lack the skills to make the change.

Which of the following situations is addressed by a software escrow agreement?

The vendor of custom-written software goes out of business. A software escrow is a legal agreement between a software vendor and a customer, to guarantee access to source code. The application source code is held by a trusted third party, according to the contract.

How is the completed software development rendered for the end-users?

Through release management. Software development is compiled and released to the end-users through a formal release procedure that reviews all changes and incorporates them into a final release. This is moved out of the development environment to production, and made available to the end users.

What are the three parameters that projects need to balance to derive a successful outcome?

Time, cost, and scope. Scope, cost, and time are the three parameters known as the Iron Triangle in all projects. The cost comprises personnel and resources whereas the scope encompasses the authority. The project's scope and cost is impacted by time, wherein the scope needs to be achieved as per the decided plan. 24.

In software analysis, why are the entity-relationship diagrams used?

To detail data relationships. The ERD are used to detail the relationships of data records and data attributes.

Why should one use the international standards such as ISO 15489 and ISO 9126:2003 with SDLC?

To use them as inputs for starting specifications for the requirements in phase 2. These standards help to plan the secondary software specifications. International standards such as ISO 15489 (record management), ISO 15504 (CMM/SPICE), and ISO 9126:2003 (quality management) are best used as inputs for starting specifications in phase 2 requirements. Primary specifications are achieved by gathering information from the user for defining their main objectives for the software, specifying the steps in its intended mission

Which among these has the project ownership, and takes part in acceptance testing and user training?

User organization. User organizations review software functions, and declares them fit for use at the end of development phase.

Several risks can become serious issues during the SDLC. The biggest problem for the auditor will be:

User requirements and objectives were not fulfilled. The biggest concern would be failure to meet the user requirements or user objectives. Cost overruns can take place. Comparatively, the auditor's interest would be to know why the overrun that took place would be less important.

The IS auditor is in the phase of a change control audit of a production system and realizes that the change management process is not having a formal documentation and some of the migration procedures have failed. What should be the next action that the IS auditor take?

Using root cause analysis and gaining more security on the process. A change management process is important for IT production systems. IS auditor should gain confidence before suggesting that the organization can take any other action (e.g., ceasing migrations, designing the change management process again), that the incidents taken in notice are related to gaps in the change management process and because of any other process other than change management.

An IS auditor evaluating some database controls finds out that the revisions made to the database during regular working hours were managed with the help of standard procedures. Eventually, it was discovered that the changes undertaken after the regular hours just needed an abbreviated sequence of steps. In such a situation, which of the following would prove to be a suitable set of compensating controls?

Using the DBA user account to execute changes, log them, and review them in the log on the next day. Using a DBA user account is usually meant for logging all the changes that have been made. This is the most appropriate way of monitoring the changes made outside the regular hours. Therefore, logging along with reviewing prove to be an applicable set of compensating controls.

Object-oriented database management systems normally indicate database capabilities with object-oriented programming capabilities. For which of the following data types are they designed?

Variable. Object-oriented database management systems can manipulate data with variable data formats, unlike relational databases that are tabular in implementation.

In regard to life cycle management, which of the following make for the IS auditor's primary purpose.

Verifying if the evidence favors the organizational objective and that the management has authorized all decisions. Evidence must favor the decided organizational objectives. Software that has been newly created or bought needs to be properly researched. This is needed to ensure it meets the organization's objectives. The management has to review and approve each phase of the life cycle before moving on to the next phase.

When is a project's management oversight needed?

When major changes show up in assumptions, methodology, or requirements. Management oversight review is important for the cases where there is an anticipation that the estimates are not right by more than 10 percent. It is also needed if major changes appear in the used assumptions, methodology, or requirements.

When is the waterfall life cycle model most appropriately used? This cycle belongs to the software development.

When requirements are well known and expect to stay stable, just like the business environment wherein the system will operate. Historically, the waterfall model is most suitable to the stable conditions. When the degree of system's uncertainty that is to be delivered and the conditions where it will be used rise, it means that the waterfall model was unsuccessful. In these scenarios, the various forms of iterative development life cycle yearns the advantage of segregating the scope of the overall system that is to be delivered. This makes the gathering of the requirements and design activities more manageable.

An IS auditor is to assess the suitability of a service level agreement (SLA) between the organization and the supplier of outsourced services. To which of the following observations should the IS auditor pay the MOST attention? The SLA does not contain a:

transition clause from the old supplier to a new supplier in the case of expiration or termination. The delivery of IT services for a specific customer always implies a close linkage between the client and the supplier of the service. If there are no contract terms to specify how the transition to a new supplier may be performed, there is the risk that the old supplier may simply "pull the plug" if the contract expires or is terminated.