November 12 Domain 3 200 Questions 50%

Change control for business application systems being developed using prototyping could be complicated by the: A. iterative nature of prototyping. B. rapid pace of modifications in requirements and design. C. emphasis on reports and screens. D. lack of integrated tools.

You answered A. The correct answer is B. A. A characteristic of prototyping is its iterative nature, but it does not have an adverse effect on change control. B. Changes in requirements and design happen so quickly that they are seldom documented or approved. C. A characteristic of prototyping is its emphasis on reports and screens, but it does not have an adverse effect on change control. D. Lack of integrated tools is a characteristic of prototyping, but it does not have an adverse effect on change control.

Which of the following systems or tools can recognize that a credit card transaction is more likely to have resulted from a stolen credit card than from the holder of the credit card? A. Intrusion detection systems (IDSs) B. Data mining techniques C. Firewalls D. Packet filtering routers

You answered A. The correct answer is B. A. An intrusion detection system (IDS) is effective in detecting network or host-based errors, but not effective in measuring fraudulent transactions. B. Data mining is a technique used to detect trends or patterns of transactions or data. If the historical pattern of charges against a credit card account is changed, then it is a flag that the transaction may have resulted from a fraudulent use of the card. C. A firewall is an excellent tool for protecting networks and systems, but not effective in detecting fraudulent transactions. D. A packet filtering router operates at a network level and cannot see a transaction.

A new database is being set up in an overseas location to provide information to the general public and to increase the speed at which the information is made available. The overseas database is to be housed at a data center and will be updated in real time to mirror the information stored locally. Which of the following areas of operations should be considered as having the HIGHEST risk? A. Confidentiality of the information stored in the database B. The hardware being used to run the database application C. Backups of the information in the overseas database D. Remote access to the backup database

You answered A. The correct answer is B. A. Confidentiality of the information stored in the database is not a major concern, because the information is intended for public use. B. The business objective is to make the information available to the public in a timely manner. Because the database is physically located overseas, hardware failures that are left unfixed can reduce the availability of the system to users. C. Backups of the information in the overseas database are not a major concern, because the overseas database is a mirror of the local database; thus, a backup copy exists locally. D. Remote access to the backup database does not impact availability.

Many IT projects experience problems because the development time and/or resource requirements are underestimated. Which of the following techniques would provide the GREATEST assistance in developing an estimate of project duration? A. Function point analysis (FPA) B. Program evaluation review technique (PERT) chart C. Rapid application development D. Object-oriented system development

You answered A. The correct answer is B. A. Function point analysis (FPA) is a technique for determining the size of a development task based on the number of function points. Function points are factors such as inputs, outputs, inquiries and logical internal files. While this will help determine the size of individual activities, it will not assist in determining project duration because there are many overlapping tasks. B. A program evaluation review technique (PERT) chart will help determine project duration once all the activities and the work involved with those activities are known. C. Rapid application development is a methodology that enables organizations to develop strategically important systems faster while reducing development costs and maintaining quality. D. Object-oriented system development is the process of solution specification and modeling but will not assist in calculating project duration.

When planning to add personnel to tasks imposing time constraints on the duration of a project, which of the following should be revalidated FIRST? A. The project budget B. The critical path for the project C. The length of the remaining tasks D. The personnel assigned to other tasks

You answered A. The correct answer is B. A. Given that there may be slack time available on some of the other tasks not on the critical path, the resource allocation should be based on the project segments that affect delivery dates. B. Because adding resources may change the route of the critical path, the critical path must be reevaluated to ensure that additional resources will, in fact, shorten the project duration. C. Given that there may be slack time available on some of the other tasks not on the critical path, a factor such as the length of other tasks may or may not be affected. D. Depending on the skill level of the resources required or available, the addition of resources may not, in fact, shorten the time line. Therefore, the first step is to examine what resources are required to address the times on the critical path.

While evaluating the "out of scope" section specified in a project plan, an IS auditor should ascertain whether the section: A. effectively describes unofficial project objectives. B. enhances project boundaries. C. clearly states the project's "nice to have" objectives. D. provides the necessary flexibility to the project team.

You answered A. The correct answer is B. A. Out of scope items are not part of the project. There should be no unofficial project objectives. Reasonable objectives should be considered by the project leadership and either accepted (in scope) or rejected (out of scope). B. The purpose of the out of scope section is to make clear to readers what items are not considered project objectives so that all project stakeholders understand the project boundaries and what is in scope vs. out of scope. This applies to all types of projects, including individual audits. C. Out of scope items are not part of the project, while nice to have items may be included in the project objectives. However, they may be the last priority on the list of all project objectives. D. Out of scope items are not part of the project; the project team's flexibility regarding project objectives should be managed through a robust change request process. This is particularly important to avoid scope creep.

Which of the following is an advantage of prototyping? A. The finished system normally has strong internal controls. B. Prototype systems can provide significant time and cost savings. C. Change control is often less complicated with prototype systems. D. It ensures that functions or extras are not added to the intended system.

You answered A. The correct answer is B. A. Prototyping often has poor internal controls because the focus is primarily on functionality, not on security. B. Prototype systems can provide significant time and cost savings through better user interaction and the ability to rapidly adapt to changing requirements; however, they also have several disadvantages, including loss of overall security focus, project oversight and implementation of a prototype that is not yet ready for production. C. Change control becomes much more complicated with prototyping. D. Prototyping often leads to functions or extras being added to the system that were not originally intended.

Which of the following types of risk is MOST likely encountered in a Software as a Service (SaaS) environment? A. Noncompliance with software license agreements B. Performance issues due to Internet delivery method C. Higher cost due to software licensing requirements D. Higher cost due to the need to update to compatible hardware

You answered A. The correct answer is B. A. Software as a Service (SaaS) is provisioned on a usage basis and the number of users is monitored by the SaaS provider; therefore, there should be no risk of noncompliance with software license agreements. B. The risk that could be most likely encountered in a SaaS environment is speed and availability issues, due to the fact that SaaS relies on the Internet for connectivity. C. The costs for a SaaS solution should be fixed as a part of the services contract and considered in the business case presented to management for approval of the solution. D. The open design and Internet connectivity allow most SaaS to run on virtually any type of hardware.

Which testing approach is MOST appropriate to ensure that internal application interface errors are identified as soon as possible? A. Bottom-up testing B. Sociability testing C. Top-down testing D. System testing

You answered A. The correct answer is C. A. A bottom-up approach to testing begins with atomic units, such as programs and modules, and works upward until a complete system test has taken place. B. Sociability testing takes place at a later stage in the development process. C. The top-down approach to testing ensures that interface errors are detected early and that testing of major functions is conducted early. D. System tests take place at a later stage in the development process.

An organization is implementing an enterprise resource planning (ERP) application. Of the following, who is PRIMARILY responsible for overseeing the project to ensure that it is progressing in accordance with the project plan and that it will deliver the expected results? A. Project sponsor B. System development project team (SDPT) C. Project steering committee D. User project team (UPT)

You answered A. The correct answer is C. A. A project sponsor is typically the senior manager in charge of the primary business unit that the application will support. The sponsor provides funding for the project and works closely with the project manager to define the critical success factors or metrics for the project. The project sponsor is not responsible for reviewing the progress of the project. B. A system development project team (SDPT) completes the assigned tasks, works according to the instructions of the project manager and communicates with the user project team. The SDPT is not responsible for overseeing the progress of the project. C. A project steering committee that provides an overall direction for the enterprise resource planning (ERP) implementation project is responsible for reviewing the project's progress to ensure that it will deliver the expected results. D. A user project team (UPT) completes the assigned tasks, communicates effectively with the system development team and works according to the advice of the project manager. A UPT is not responsible for reviewing the progress of the project.

An appropriate control for ensuring the authenticity of orders received in an electronic data interchange (EDI) system application is to: A. acknowledge receipt of electronic orders with a confirmation message. B. perform reasonableness checks on quantities ordered before filling orders. C. verify the identity of senders and determine if orders correspond to contract terms. D. encrypt electronic orders.

You answered A. The correct answer is C. A. Acknowledging the receipt of electronic orders with a confirming message is good practice, but will not authenticate orders from customers. B. Performing reasonableness checks on quantities ordered before placing orders is a control for ensuring the correctness of the company's orders, not the authenticity of its customers' orders. C. An electronic data interchange (EDI) system is subject not only to the usual risk exposures of computer systems but also to those arising from the potential ineffectiveness of controls on the part of the trading partner and the third-party service provider, making authentication of users and messages a major security concern. D. Encrypting sensitive messages is an appropriate step but does not prove authenticity of messages received.

Which of the following types of risk could result from inadequate software baselining? A. Sign-off delays B. Software integrity violations C. Scope creep D. Inadequate controls

You answered A. The correct answer is C. A. Sign-off delays may occur due to inadequate software baselining; however, these are most likely caused by scope creep. B. Software integrity violations can be caused by hardware or software failures, malicious intrusions or user errors. Software baselining does not help prevent software integrity violations. C. A software baseline is the cutoff point in the design and development of a system. Beyond this point, additional requirements or modifications to the scope must go through formal, strict procedures for approval based on a business cost-benefit analysis. Failure to adequately manage a system through baselining can result in uncontrolled changes in a project's scope and may incur time and budget overruns. D. Inadequate controls are most likely present in situations in which information security is not duly considered from the beginning of system development; they are not a risk that can be adequately addressed by software baselining.

Which of the following techniques would BEST help an IS auditor gain reasonable assurance that a project can meet its target date? A. Estimation of the actual end date based on the completion percentages and estimated time to complete, taken from status reports B. Confirmation of the target date based on interviews with experienced managers and staff involved in the completion of the project deliverables C. Extrapolation of the overall end date based on completed work packages and current resources D. Calculation of the expected end date based on current resources and remaining available project budget

You answered A. The correct answer is C. A. The IS auditor cannot count on the accuracy of data in status reports for reasonable assurance. B. Interviews are a valuable source of information, but will not necessarily identify any project challenges because the people being interviewed are involved in project. C. Direct observation of results is better than estimations and qualitative information gained from interviews or status reports. Project managers and involved staff tend to underestimate the time needed for completion and the necessary time buffers for dependencies between tasks, while overestimating the completion percentage for tasks underway (80:20 rule). D. The calculation based on remaining budget does not take into account the speed at which the project has been progressing.

Which of the following helps an IS auditor evaluate the quality of new software that is developed and implemented? A. The reporting of the mean time between failures over time B. The overall mean time to repair failures C. The first report of the mean time between failures D. The overall response time to correct failures

You answered A. The correct answer is C. A. The mean time between failures that are repetitive includes the inefficiency in fixing the first reported failures and is a reflection on the response team or help desk team in fixing the reported issues. B. The mean time to repair is a reflection on the response team or help desk team in addressing reported issues. C. The mean time between failures that are first reported represents flaws in the software that are reported by users in the production environment. This information helps the IS auditor in evaluating the quality of the software that is developed and implemented. D. The response time is a reflection of the agility of the response team or the help desk team in addressing reported issues.

An organization recently deployed a customer relationship management (CRM) application that was developed in-house. Which of the following is the BEST option to ensure that the application operates as designed? A. User acceptance testing (UAT) B. Project risk assessment C. Postimplementation review D. Management approval of the system

You answered A. The correct answer is C. A. User acceptance testing (UAT) verifies that the system functionality has been deemed acceptable by the end users of the system; however, a review of UAT will not validate whether the system is performing as designed because UAT could be performed on a subset of system functionality. The UAT review is a part of the postimplementation review. B. While a risk assessment would highlight the risk of the system, it would not include an analysis to verify that the system is operating as designed. C. The purpose of a postimplementation review is to evaluate how successfully the project results match original goals, objectives and deliverables. The postimplementation review also evaluates how effective the project management practices were in keeping the project on track. D. Management approval of the system could be based on reduced functionality and does not verify that the system is operating as designed. Review of management approval is a part of postimplementation review.

Management observed that the initial phase of a multiphase implementation was behind schedule and over budget. Prior to commencing with the next phase, an IS auditor's PRIMARY suggestion for a postimplementation focus should be to: A. assess whether the planned cost benefits are being measured, analyzed and reported. B. review control balances and verify that the system is processing data accurately. C. review the impact of program changes made during the first phase on the remainder of the project. D. determine whether the system's objectives were achieved.

You answered A. The correct answer is C. A. While all choices are valid, the postimplementation focus and primary objective should be understanding the impact of the problems in the first phase on the remainder of the project. B. The review should assess whether the control is working correctly, but should focus on the problems that led to project overruns in budget and time. C. Because management is aware that the project had problems, reviewing the subsequent impact will provide insight into the types and potential causes of the project issues. This will help to identify whether IT has adequately planned for those issues in subsequent projects. D. Ensuring that the system works is a primary objective for the IS auditor, but in this case because the project planning was a failure, the IS auditor should focus on the reasons for, and impact of, the failure.

The most common reason for the failure of information systems to meet the needs of users is that: A. user needs are constantly changing. B. the growth of user requirements was forecast inaccurately. C. the hardware system limits the number of concurrent users. D. user participation in defining the system's requirements was inadequate.

You answered A. The correct answer is D. A. Although changing user needs has an effect on the success or failure of many projects, the core problem is usually a lack of getting the initial requirements correct at the beginning of the project. B. Projects may fail as the needs of the users increase; however, this can be mitigated through better change control procedures. C. Rarely do hardware limitations affect the usability of the project as long as the requirements were correctly documented at the beginning of the project. D. Lack of adequate user involvement, especially in the system's requirements phase, will usually result in a system that does not fully or adequately address the needs of the user. Only users can define what their needs are and, therefore, what the system should accomplish.

Which of the following BEST helps ensure that deviations from the project plan are identified? A. A project management framework B. A project management approach C. A project resource plan D. Project performance criteria

You answered A. The correct answer is D. A. Establishment of a project management framework identifies the scope and boundaries of managing projects and the consistent method to be applied when initiating a project, but does not define the criteria used to measure project success. B. A project management approach defines guidelines for project management processes and deliverables, but does not define the criteria used to measure project success. C. A project resource plan defines the responsibilities, relationships, authorities and performance criteria of project team members, but does not wholly define the criteria used to measure project success. D. To identify deviations from the project plan, project performance criteria must be established as a baseline. Successful completion of the project plan is indicative of project success.

A proposed transaction processing application will have many data capture sources and outputs in paper and electronic form. To ensure that transactions are not lost during processing, an IS auditor should recommend the inclusion of: A. validation controls. B. internal credibility checks. C. clerical control procedures. D. automated systems balancing.

You answered A. The correct answer is D. A. Input and output validation controls are certainly valid controls, but will not detect and report lost transactions. B. Internal credibility checks are valid controls to detect errors in processing, but will not detect and report lost transactions. C. A clerical procedure could be used to summarize and compare inputs and outputs; however, an automated process is less susceptible to error. D. Automated systems balancing would be the best way to ensure that no transactions are lost as any imbalance between total inputs and total outputs would be reported for investigation and correction.

Assignment of process ownership is essential in system development projects because it: A. enables the tracking of the development completion percentage. B. optimizes the design cost of user acceptance test (UAT) cases. C. minimizes the gaps between requirements and functionalities. D. ensures that system design is based on business needs.

You answered A. The correct answer is D. A. Process ownership assignment does not have a feature to track the completion percentage of deliverables. B. Whether the design cost of test cases will be optimized is not determined from the assignment of process ownership. It may help to some extent; however, there are many other factors involved in the design of test cases. C. For gap minimization, a specific requirements analysis framework should be in place and then applied; however, a gap may be found between the design and the as-built system that could lead to system functionality not meeting requirements. This will be identified during user acceptance testing (UAT). Process ownership alone does not have the capability to minimize requirement gaps. D. The involvement of process owners will ensure that the system will be designed according to the needs of the business processes that depend on system functionality. A sign-off on the design by the process owners is crucial before development begins.

An IS auditor is reviewing a project that is using an agile software development approach. Which of the following should the IS auditor expect to find? A. Use of a capability maturity model (CMM) B. Regular monitoring of task-level progress against schedule C. Extensive use of software development tools to maximize team productivity D. Postiteration reviews that identify lessons learned for future use in the project

You answered A. The correct answer is D. A. The capability maturity model (CMM) places heavy emphasis on predefined formal processes and formal project management and software development deliverables, while agile software development projects, by contrast, rely on refinement of process as dictated by the particular needs of the project and team dynamics. B. Task-level tracking is not used because daily meetings identify challenges and impediments to the project. C. Agile projects make use of suitable development tools; however, tools are not seen as the primary means of achieving productivity. Team harmony, effective communications and collective ability to solve challenges are of greater importance. D. A key tenet of the agile approach to software project management is ongoing team learning to refine project management and software development processes as the project progresses. One of the best ways to achieve this is that the team considers and documents what worked well and what could have worked better at the end of each iteration and identifies improvements to be implemented in subsequent iterations. Additionally, less importance is placed on formal paper-based deliverables, with the preference being effective informal communication within the team and with key outside contributors. Agile projects produce releasable software in short iterations, typically ranging from 4 to 8 weeks. This, in itself, instills considerable performance discipline within the team. This, combined with short daily meetings to agree on what the team is doing and the identification of any impediments, renders task-level tracking against a schedule redundant.

During an implementation review of a recent application deployment, it was determined that several incidents were assigned incorrect priorities and, because of this, failed to meet the business service level agreement (SLA). What is the GREATEST concern? A. The support model was not approved by senior management. B. The incident resolution time specified in the SLA is not realistic. C. There are inadequate resources to support the applications. D. The support model was not properly developed and implemented.

You answered A. The correct answer is D. A. While senior management involvement is important, the more critical issue is whether the support model was not properly developed and implemented. B. While the incident resolution time specified in the service level agreement (SLA) may not always be attainable, the more critical issue is whether the support model was not properly developed and implemented. C. While adequate support resources are important, the more critical issue is whether the support model was not properly developed and implemented. D. The greatest concern for the IS auditor is that the support model was not developed and implemented correctly to prevent or react to potential outages. Incidents could cost the business a significant amount of money and a support model should be implemented with the project. This should be a step within the system development life cycle (SDLC) and procedures and, if it is missed on one project, it may be a symptom of an overall breakdown in process.

The GREATEST benefit of implementing an expert system is the: A. capturing of the knowledge and experience of individuals in an organization. B. protection of proprietary knowledge in a secure central repository. C. enhancement of personnel productivity and performance. D. reduction of employee turnover in key departments.

You answered B. The correct answer is A. A. The basis for an expert system is the capture and recording of the knowledge and experience of individuals in an organization. This will allow other users to access information formerly held only by experts. B. The purpose of an expert system is facilitating access to expert knowledge, not the protection of it. C. Enhancing personnel productivity and performance is a benefit; however, it is not as important as capturing the knowledge and experience. D. Employee turnover is not necessarily affected by an expert system.

A project development team is considering using production data for its test deck. The team scrubbed sensitive data elements from the bed before loading it into the test environment. Which of the following additional concerns should an IS auditor have with this practice? A. Not all functionality will be tested. B. Production data are introduced into the test environment. C. Specialized training is required. D. The project may run over budget.

You answered B. The correct answer is A. A. A primary risk of using production data in a test deck is that not all transactions or functionality may be tested if there are no data that meet the requirement. B. The presence of production data in a test environment is not a concern if the sensitive elements have been scrubbed. C. Creation of a test deck from production data does not require specialized knowledge so this is not a concern. D. The risk of a project running over budget is always a concern, but it is not related to the practice of using production data in a test environment.

An IS auditor is told by IS management that the organization has recently reached the highest level of the software capability maturity model (CMM). The software quality process MOST recently added by the organization is: A. continuous improvement. B. quantitative quality goals. C. a documented process. D. a process tailored to specific projects.

You answered B. The correct answer is A. A. An organization would have reached the highest level of the software CMM at level 5, optimizing. B. Quantitative quality goals can be reached at level 4 and below. C. A documented process is executed at level 3 and below. D. A process tailored to specific projects can be achieved at level 2 or below.

When auditing the proposed acquisition of a new computer system, an IS auditor should FIRST ensure that: A. a clear business case has been approved by management. B. corporate security standards will be met. C. users will be involved in the implementation plan. D. the new system will meet all required user functionality.

You answered B. The correct answer is A. A. The first concern of an IS auditor should be to ensure that the proposal meets the needs of the business, and this should be established by a clear business case. B. Compliance with security standards is essential, but it is too early in the procurement process for this to be an IS auditor's first concern. C. Having users involved in the implementation process is essential, but it is too early in the procurement process for this to be an IS auditor's first concern. D. Meeting the needs of the users is essential, and this should be included in the business case presented to management for approval.

Before implementing controls, management should PRIMARILY ensure that the controls: A. satisfy a requirement in addressing a risk. B. do not reduce productivity. C. are based on a minimized cost analysis. D. are detective or corrective.

You answered B. The correct answer is A. A. The purpose of a control is to mitigate a risk; therefore, the primary consideration when selecting a control is that it effectively mitigates an identified risk. When designing controls, it is necessary to consider all of the aspects in choices A through D. In an ideal situation, controls that address all of these aspects would be the best controls. Realistically, it may not be possible to design them all and the cost may be prohibitive; therefore, it is necessary to consider the controls related primarily to the treatment of existing risk in the organization. B. Controls will often affect productivity and performance; however, this must be balanced against the benefit obtained from the implementation of the control. C. The most important reason for a control is to mitigate a risk—and the selection of a control is usually based on a cost-benefit analysis, not on selecting just the least expensive control. D. A good control environment will include preventive, detective and corrective controls.

Who should review and approve system deliverables as they are defined and accomplished to ensure the successful completion and implementation of a new business system application? A. User management B. Project steering committee C. Senior management D. Quality assurance staff

You answered B. The correct answer is A. A. User management assumes ownership of the project and resulting system, allocates qualified representatives to the team, and actively participates in system requirements definition, acceptance testing and user training. User management should review and approve system deliverables as they are defined and accomplished or implemented. B. A project steering committee provides overall direction, ensures appropriate representation of the major stakeholders in the project's outcome, reviews project progress regularly and holds emergency meetings when required. A project steering committee is ultimately responsible for all deliverables, project costs and schedules. C. Senior management demonstrates commitment to the project and approves the necessary resources to complete the project. This commitment from senior management helps ensure involvement by those who are needed to complete the project. D. Quality assurance staff review results and deliverables within each phase, and at the end of each phase confirm compliance with standards and requirements. The timing of reviews depends on the system development life cycle, the impact of potential deviation methodology used, the structure and magnitude of the system and the impact of potential deviation.

A company has implemented a new client-server enterprise resource planning (ERP) system. Local branches transmit customer orders to a central manufacturing facility. Which of the following would BEST ensure that the orders are processed accurately and the corresponding products are produced? A. Verifying production to customer orders B. Logging all customer orders in the ERP system C. Using hash totals in the order transmitting process D. Approving (production supervisor) orders prior to production

You answered B. The correct answer is A. A. Verification will ensure that produced products match the orders in the customer order system. B. Logging can be used to detect inaccuracies but does not, in itself, guarantee accurate processing. C. Hash totals will ensure accurate order transmission, but not accurate processing centrally. D. Production supervisory approval is a time consuming, manual process that does not guarantee proper control.

Which of the following should be included in a feasibility study for a project to implement an electronic data interchange (EDI) process? A. The encryption algorithm format B. The detailed internal control procedures C. The necessary communication processes D. The proposed trusted third-party agreement

You answered B. The correct answer is C. A. Encryption algorithms are too detailed for this phase. They would only be outlined and any cost or performance implications shown. B. Internal control procedures are too detailed for this phase. They would only be outlined and any cost or performance implications shown. C. The communications processes must be included because there may be significant cost implications if new hardware and software are involved, and risk implications if the technology is new to the organization. D. Third-party agreements are too detailed for this phase. They would only be outlined and any cost or performance implications shown.

Two months after a major application implementation, management, who assume that the project went well, requests that an IS auditor perform a review of the completed project. The IS auditor's PRIMARY focus should be to: A. determine user feedback on the system has been documented. B. assess whether the planned cost benefits are being measured, analyzed and reported. C. review controls built into the system to assure that they are operating as designed. D. review subsequent program change requests.

You answered B. The correct answer is C. A. The IS auditor should check whether user feedback has been provided, but this is not the most important area for audit. B. It is important to assess the effectiveness of the project; however, assuring that the production environment is adequately controlled after the implementation is of primary concern. C. Because management is assuming that the implementation went well, the primary focus of the IS auditor is to test the controls built into the application to assure that they are functioning as designed. D. Reviewing change requests may be a good idea, but this is more important if the application is perceived to have a problem.

An IS auditor assesses the project management process for an internal software development project. In respect to the software functionality, the IS auditor should look for sign-off by: A. the project manager. B. systems development management. C. business unit management. D. the quality assurance (QA) team.

You answered B. The correct answer is C. A. The project manager provides day-to-day management and leadership of the project and ensures that project activities remain in line with the overall direction. The project manager cannot sign off on project requirements; that would be a violation of separation of duties. B. Systems development management provides technical support for hardware and software environments. C. Business unit management assumes ownership of the project and the resulting system. It is responsible for acceptance testing and confirming that the required functions are available in the software. D. The quality assurance (QA) team ensures the quality of the project by measuring adherence to the organization's system development life cycle (SDLC). They will conduct testing but not sign off on the project requirements.

Which of the following test techniques would the IS auditor use to identify specific program logic that has not been tested? A. A snapshot B. Tracing and tagging C. Logging D. Mapping

You answered B. The correct answer is D. A. A snapshot records the flow of designated transactions through logic paths within programs. B. Tracing and tagging shows the trail of instructions executed during an application. C. Logging is the activity of recording specific tasks for future review. D. Mapping identifies specific program logic that has not been tested and analyzes programs during execution to indicate whether program statements have been executed.

An IS auditor performing a review of a major software development project finds that it is on schedule and under budget even though the software developers have worked considerable amounts of unplanned overtime. The IS auditor should: A. conclude that the project is progressing as planned because dates are being met. B. question the project manager further to identify whether overtime costs are being tracked accurately. C. conclude that the programmers are intentionally working slowly to earn extra overtime pay. D. investigate further to determine whether the project plan may not be accurate.

You answered B. The correct answer is D. A. Even though the project is on time and budget, there may be problems with the project plan because considerable amounts of unplanned overtime have been required. B. There is a possibility that the project manager has hidden some costs to make the project look better; however, the real problem may be with whether the project plan is realistic, not just the accounting. C. It is possible that the programmers are trying to take advantage of the time system, but if the overtime has been required to keep the project on track it is more likely that the time lines and expectations of the project are unrealistic. D. While the dates on which key projects are completed are important, there may be issues with the project plan if an extraordinary amount of unplanned overtime is required to meet those dates. In most cases, the project plan is based on a certain number of hours, and requiring programmers to work considerable overtime is not a best practice. While overtime costs may be an indicator that something is wrong with the plan, in many organizations the programming staff may be salaried, so overtime costs may not be directly recorded.

A batch transaction job failed in production; however, the same job returned no issues during user acceptance testing (UAT). Analysis of the production batch job indicates that it was altered after UAT. Which of the following ways would be the BEST to mitigate this risk in the future? A. Improve regression test cases. B. Activate audit trails for a limited period after release. C. Conduct an application user access review. D. Ensure that developers do not have access to code after testing.

You answered B. The correct answer is D. A. Improving the quality of the testing would not be applicable in this case because the more important issue is that developers have access to the production environment. B. Activating audit trails or performing additional logging may be useful; however, the more important issue is that developers have access to the production environment. C. Conducting an application user access review would not identify developers' access to code because they would not be included in this review. D. To ensure proper segregation of duties, developers should be restricted to the development environment only. If code needs to be modified after user acceptance testing (UAT), the process must be restarted in development.

A company has recently upgraded its purchase system to incorporate electronic data interchange (EDI) transmissions. Which of the following controls should be implemented in the EDI interface to provide for efficient data mapping? A. Key verification B. One-for-one checking C. Manual recalculations D. Functional acknowledgements

You answered B. The correct answer is D. A. Key verification is used for encryption and protection of data but not for data mapping. B. One-for-one checking validates that transactions are accurate and complete but does not map data. C. Manual recalculations are used to verify that the processing is correct but do not map data. D. Acting as an audit trail for electronic data interchange (EDI) transactions, functional acknowledgments are one of the main controls used in data mapping.

When performing a postimplementation review of a software development project for a highly secure application, it is MOST important to confirm that: A. vulnerability testing was performed. B. the project was formally closed. C. the project schedule and budget were met. D. business requirements were met.

You answered B. The correct answer is D. A. Vulnerability testing may be incorporated into the system development process; however, it is most important that business requirements were met. As stated in the question, the business requirements in this case included adequate security. B. Formally closing the project is important, but the primary goal of meeting business requirements is most important. C. Although meeting the designated project time line and budget is an important goal, the overall purpose of the project is to fulfill a business need. Therefore, validating that the project met the business requirements is the most important task for the IS auditor. D. Established procedures for postimplementation review should primarily ensure that business requirements were met.

The reason a certification and accreditation (C&A) process is performed on critical systems is to ensure that: A. security compliance has been technically evaluated. B. data have been encrypted and are ready to be stored. C. the systems have been tested to run on different platforms. D. the systems have followed the phases of a waterfall model.

You answered C. The correct answer is A. A. Certified and accredited systems are systems that have had their security compliance technically evaluated for running in a specific environment and configuration. B. Certification tests security functionality, including encryption where that is required, but that is not the primary objective of the certification and accreditation (C&A) process. C. Certified systems are evaluated to run in a specific environment. D. A waterfall model is a software development methodology and not a reason for performing a C&A process.

Which of the following network components is PRIMARILY set up to serve as a security measure by preventing unauthorized traffic between different segments of the network? A. Firewalls B. Routers C. Layer 2 switches D. Virtual local area networks (VLANs)

You answered C. The correct answer is A. A. Firewall systems are the primary tool that enables an organization to prevent unauthorized access between networks. An organization may choose to deploy one or more systems that function as firewalls. B. Routers can filter packets based on parameters, such as source address, but are not primarily a security tool. C. Based on Media Access Control (MAC) addresses, layer 2 switches separate traffic without determining whether it is authorized or unauthorized traffic. D. A virtual local area network (VLAN) is a functionality of some switches that allows them to control traffic between different ports even though they are in the same physical LAN. Nevertheless, they do not effectively deal with authorized vs. unauthorized traffic.

Which of the following would be the BEST approach to ensure that sufficient test coverage will be achieved for a project with a strict end date and a fixed time to perform testing? A. Requirements should be tested in terms of importance and frequency of use. B. Test coverage should be restricted to functional requirements. C. Automated tests should be performed through the use of scripting. D. The number of required test runs should be reduced by retesting only defect fixes.

You answered C. The correct answer is A. A. The idea is to maximize the usefulness of testing by concentrating on the most important aspects of the system and, therefore, on the areas where defects represent the greatest risk to user acceptance. A further extension of this approach is to also consider the technical complexity of requirements because complexity tends to increase the likelihood of defects. B. The problem with testing only functional requirements is that nonfunctional requirement areas, such as usability and security, which are important to the overall quality of the system, are ignored. C. Increasing the efficiency of testing by automating test execution is a good idea. However, by itself, this approach does not ensure the appropriate targeting of test coverage and so is not as effective an alternative. D. Retesting only defect fixes has a considerable risk that it will not detect instances in which defect fixes may have caused the system to regress, i.e., introduced errors in parts of the system that were previously working correctly. For this reason, it is a best practice to undertake formal regression testing after defect fixes have been implemented.

The knowledge base of an expert system that uses questionnaires to lead the user through a series of choices before a conclusion is reached is known as: A. rules. B. decision trees. C. semantic nets. D. dataflow diagrams.

You answered C. The correct answer is B. A. Rules refer to the expression of declarative knowledge through the use of if-then relationships. B. Decision trees use questionnaires to lead a user through a series of choices until a conclusion is reached. C. Semantic nets consist of a graph in which nodes represent physical or conceptual objects and the arcs describe the relationship between the nodes. D. A dataflow diagram is used to map the progress of data through a system and examine logic, error handling and data management.

During a postimplementation review, which of the following activities should be performed? A. User acceptance testing (UAT) B. Return on investment (ROI) analysis C. Activation of audit trails D. Updates of the state of enterprise architecture (EA) diagrams

You answered C. The correct answer is B. A. User acceptance testing (UAT) should be performed prior to the implementation (perhaps during the development phase), not after the implementation. B. Following implementation, a cost-benefit analysis or return on investment (ROI) should be re-performed to verify that the original business case benefits are delivered. C. The audit trail should be activated during the implementation of the application. D. While updating the enterprise architecture (EA) diagrams is a best practice, it would not normally be part of a postimplementation review.

An IS auditor is assigned to audit a software development project, which is more than 80 percent complete, but has already overrun time by 10 percent and costs by 25 percent. Which of the following actions should the IS auditor take? A. Report that the organization does not have effective project management. B. Recommend the project manager be changed. C. Review the IT governance structure. D. Review the conduct of the project and the business case.

You answered C. The correct answer is D. A. The organization may have effective project management practices and still be behind schedule or over budget. B. There is no indication that the project manager should be changed without looking into the reasons for the overrun. C. The organization may have sound IT governance and still be behind schedule or over budget. D. Before making any recommendations, an IS auditor needs to understand the project and the factors that have contributed to bringing the project over budget and over schedule.

Which of the following BEST helps an IS auditor evaluate the quality of programming activities related to future maintenance capabilities? A. The programming language B. The development environment C. A version control system D. Program coding standards

You answered C. The correct answer is D. A. The programming language may be a concern if it is not a commonly used language; however, program coding standards are more important. B. The development environment may be relevant to evaluate the efficiency of the program development process, but not future maintenance of the program. C. A version control system helps manage software code revisions; however, it does not ensure that coding standards are consistently applied. D. Program coding standards are required for efficient program maintenance and modifications. To enhance the quality of programming activities and future maintenance capabilities, program coding standards should be applied. Program coding standards are essential to writing, reading and understanding code, simply and clearly, without having to refer back to design specifications.

An IS auditor reviewing a series of completed projects finds that the implemented functionality often exceeded requirements and most of the projects ran significantly over budget. Which of these areas of the organization's project management process is the MOST likely cause of this issue? A. Project scope management B. Project time management C. Project risk management D. Project procurement management

You answered D. The correct answer is A. A. Because the implemented functionality is greater than what was required, the most likely cause of the budget issue is failure to effectively manage project scope. Project scope management is defined as the processes required to ensure that the project includes all of the required work, and only the required work, to complete the project. B. Project time management is defined as the processes required to ensure timely completion of the project. The issue noted in the question does not mention whether projects were completed on time, so this is not the most likely cause. C. Project risk management is defined as the processes concerned with identifying, analyzing and responding to project risk. Although the budget overruns mentioned above represent one form of project risk, they appear to be caused by implementing too much functionality, which relates more directly to project scope. D. Project procurement management is defined as the processes required to acquire goods and services from outside the performing organization. Although purchasing goods and services that are too expensive can cause budget overruns, in this case the key to the question is that implemented functionality is greater than what was required, which is more likely related to project scope.

Which of the following represents the GREATEST potential risk in an electronic data interchange (EDI) environment? A. Lack of transaction authorizations B. Loss or duplication of EDI transmissions C. Transmission delay D. Deletion or manipulation of transactions prior to or after establishment of application controls

You answered D. The correct answer is A. A. Because the interaction between parties is electronic, there is no inherent authentication occurring; therefore, transaction authorization is the greatest risk. B. Loss or duplication of electronic data interchange (EDI) transmissions is an example of risk, but because all transactions should be logged, the impact is not as great as that of unauthorized transactions. C. Transmission delays may terminate the process or hold the line until the normal time for processing has elapsed; however, there will be no loss of data. D. Deletion or manipulation of transactions prior to or after establishment of application controls is an example of risk, logging will detect any alteration to the data and the impact is not as great as that of unauthorized transactions.

Results of a postimplementation review indicate that only 75 percent of the users can log in to the application concurrently. Which of the following could have BEST discovered the identified weakness of the application? A. Load testing B. Stress testing C. Recovery testing D. Volume testing

You answered D. The correct answer is A. A. Load testing evaluates the performance of the software under normal and peak conditions. Because this application is not supporting normal numbers of concurrent users, the load testing must not have been adequate. B. Stress testing determines the capacity of the software to cope with an abnormal number of users or simultaneous operations. Because the number of concurrent users in this question is within normal limits, the answer is load testing, not stress testing. C. Recovery testing evaluates the ability of a system to recover after a failure. D. Volume testing evaluates the impact of incremental volume of records (not users) on a system.

An IS auditor has found time constraints and expanded needs to be the root causes for recent violations of corporate data definition standards in a new business intelligence project. Which of the following is the MOST appropriate suggestion for an auditor to make? A. Achieve standards alignment through an increase of resources devoted to the project. B. Align the data definition standards after completion of the project. C. Delay the project until compliance with standards can be achieved. D. Enforce standard compliance by adopting punitive measures against violators.

You answered D. The correct answer is A. A. Provided that data architecture, technical and operational requirements are sufficiently documented, the alignment to standards could be treated as a specific work package assigned to new project resources. B. The usage of nonstandard data definitions would lower the efficiency of the new development, and increase the risk of errors in critical business decisions. To change data definition standards after project conclusion is risky and is not a viable solution. C. Delaying the project would be an inappropriate suggestion because of business requirements or the likely damage to entire project profitability. D. Punishing the violators would be outside the authority of the auditor and inappropriate until the reason for the violations have be determined.

Which of the following is the most important element in the design of a data warehouse? A. Quality of the metadata B. Speed of the transactions C. Volatility of the data D. Vulnerability of the system

You answered D. The correct answer is A. A. Quality of the metadata is the most important element in the design of a data warehouse. A data warehouse is a copy of transaction data specifically structured for query and analysis. Metadata describes the data in the warehouse and aims to provide a table of contents to the stored information. Companies that have built warehouses believe that metadata are the most important component of the warehouse. B. A data warehouse is used for analysis and research, not for production operations, so the speed of transactions is not relevant. C. Data in a data warehouse is frequently received from many sources and vast amounts of information may be received on an hourly or daily basis. Except to ensure adequate storage capability, this is not a primary concern of the designer. D. Data warehouses may contain sensitive information, or can be used to research sensitive information, so the security of the data warehouse is important. However, this is not the primary concern of the designer.

An enterprise is developing a new procurement system, and things are behind schedule. As a result, it is proposed that the time originally planned for the test phase be shortened. The project manager asks the IS auditor for recommendations to mitigate the risk associated with reduced testing. Which of the following is a suitable risk mitigation strategy? A. Test and release a pilot with reduced functionality. B. Fix and retest the highest-severity functional defects. C. Eliminate planned testing by the development team, and proceed straight to acceptance testing. D. Implement a test tool to automate defect tracking.

You answered D. The correct answer is A. A. Testing and releasing a pilot with reduced functionality reduces risk in a number of ways. Reduced functionality should result in fewer overall test cases to run and defects to fix and retest, and in less regression testing. A pilot release made available to a select group of users will reduce the risk associated with a full implementation. All of the benefits of releasing the system to the full user population will not be realized, but some benefits should start to flow. Additionally, some useful comments from real users should be obtained to guide what extra functionality and other improvements need to be included in a full release. B. When testing starts, a significant amount of defects is likely to exist. Focusing only on the highest-severity functional defects runs the risk that other important aspects such as usability problems and nonfunctional requirements of performance and security will be ignored. The system may go live, but users may struggle to use the system as intended to realize business benefits. C. Eliminating testing by development is usually a bad idea. Before system acceptance testing begins, some prior testing should occur to establish that the system is ready to proceed to acceptance evaluation. If prior testing by the development team does not occur, there is a considerable risk that the software will have a significant amount of low-level defects, such as transactions that cause the system to hang and unintelligible error messages. This can prove frustrating for users or testers tasked with acceptance testing and, ultimately, could cause the overall test time to increase rather than decrease. D. The use of a defect tracking tool could help in improving test efficiency, but it does not address the fundamental risk caused by reducing the testing effort on a system in which quality is uncertain. Given the build problems experienced, there is reason to suspect that quality problems could exist.

An IS auditor is performing a postimplementation review of an organization's system and identifies output errors within an accounting application. The IS auditor determined this was caused by input errors. Which of the following controls should the IS auditor recommend to management? A. Recalculations B. Limit checks C. Run-to-run totals D. Reconciliations

You answered D. The correct answer is B. A. A sample of transactions may be recalculated manually to ensure that processing is accomplishing the anticipated task. Recalculations are performed after the output phase. B. Processing controls should be implemented as close as possible to the point of data entry. Limit checks are one type of input validation check that provides a preventive control to ensure that invalid data cannot be entered because values must fall within a predetermined limit. C. Run-to-run totals provide the ability to verify data values through the stages of application processing. Run-to-run total verification ensures that data read into the computer were accepted and then applied to the updating process. Run-to-run totals are performed after the output phase. D. Reconciliation of file totals should be performed on a routine basis. Reconciliations may be performed through the use of a manually maintained account, a file control record or an independent control file. Reconciliations are performed after the output phase.

When identifying an earlier project completion time, which is to be obtained by paying a premium for early completion, the activities that should be selected are those: A. whose sum of activity time is the shortest. B. that have zero slack time. C. that give the longest possible completion time. D. whose sum of slack time is the shortest.

You answered D. The correct answer is B. A. Attention should focus on the tasks within the critical path that have no slack time. B. A critical path's activity time is longer than that for any other path through the network. This path is important because if everything goes as scheduled, its length gives the shortest possible completion time for the overall project. Activities on the critical path become candidates for crashing, i.e., for reduction in their time by payment of a premium for early completion. Activities on the critical path have zero slack time and conversely, activities with zero slack time are on a critical path. By successively relaxing activities on a critical path, a curve showing total project costs vs. time can be obtained. C. The critical path is the longest time length of the activities, but is not based on the longest time of any individual activity. D. A task on the critical path has no slack time.

What is the BEST method to facilitate successful user testing and acceptance of a new enterprise resource planning (ERP) payroll system that is replacing an existing legacy system? A. Multiple testing B. Parallel testing C. Integration testing D. Prototype testing

You answered D. The correct answer is B. A. Multiple testing will not compare results from the old and new systems. B. Parallel testing is the best method for testing data results and system behavior because it allows the users to compare results from both systems before decommission of the legacy system. Parallel testing also results in better user adoption of the new system. C. Integration testing refers to how the system interacts with other systems, and it is not performed by end users. D. Prototype testing is used during design and development to ensure that user input is received; however, this method is not used for acquired systems or during user acceptance testing.

During which of the following phases in system development would user acceptance test plans normally be prepared? A. Feasibility study B. Requirements definition C. Implementation planning D. Postimplementation review

You answered D. The correct answer is B. A. The feasibility study is too early for such detailed user involvement. B. During requirements definition, the project team will be working with the users to define their precise objectives and functional needs. At this time, the users should be working with the team to consider and document how the system functionality can be tested to ensure that it meets their stated needs. An IS auditor should know at what point user testing should be planned to ensure that it is most effective and efficient. C. The implementation planning phase is when the tests are conducted. It is too late in the process to develop the test plan. D. User acceptance testing should be completed prior to implementation.

An IS auditor recommends that an initial validation control be programmed into a credit card transaction capture application. The initial validation process would MOST likely: A. check to ensure that the type of transaction is valid for the card type. B. verify the format of the number entered, then locate it on the database. C. ensure that the transaction entered is within the cardholder's credit limit. D. confirm that the card is not shown as lost or stolen on the master file.

You answered D. The correct answer is B. A. The initial validation would not be used to check the transaction type—just the validity of the card number. B. The initial validation should confirm whether the card is valid. This validity is established through the card number and personal identification number (PIN) entered by the user. Based on this initial validation, all other validations will proceed. A validation control in data capture will ensure that the data entered are valid (i.e., can be processed by the system). If the data captured in the initial validation are not valid (if the card number or PIN do not match with the database), then the card will be rejected or captured per the controls in place. Once initial validation is completed, other validations specific to the card and cardholder would be performed. C. The initial validation is to prove the card number entered is valid—only then can the transaction amount be checked for approval from the bank. D. The verification that the card has not been reported as lost or stolen is only done after the card number has been validated as correctly entered.

A new application has been purchased from a vendor and is about to be implemented. Which of the following choices is a key consideration when implementing the application? A. Preventing the compromise of the source code during the implementation process B. Ensuring that vendor default accounts and passwords have been disabled C. Removing the old copies of the program from escrow to avoid confusion D. Verifying that the vendor is meeting support and maintenance agreements

You answered D. The correct answer is B. A. The source code may not even be available to the purchasing organization, and it is the executable or object code that must be protected during implementation. B. Disabling vendor default accounts and passwords is a critical part of implementing a new application. C. Because this is a new application, there should not be any problem with older versions in escrow. D. It is not possible to ensure that the vendor is meeting support and maintenance requirements until the system is operating.

During the review of data file change management controls, which of the following BEST helps to decrease the research time needed to investigate exceptions? A. One-for-one checking B. Data file security C. Transaction logs D. File updating and maintenance authorization

You answered D. The correct answer is C. A. One-for-one checking is a control procedure in which an individual document agrees with a detailed listing of documents processed by the system. It would take a long time to complete the research using this procedure. B. Data file security controls prevent access by unauthorized users in their attempt to alter data files. This would not help identify the transactions posted to an account. C. Transaction logs generate an audit trail by providing a detailed list of date of input, time of input, user ID, terminal location, etc. Research time can be reduced in investigating exceptions because the review can be performed on the logs rather than on the entire transaction file. It also helps to determine which transactions have been posted to an account—by a particular individual during a particular period. D. File updating and maintenance authorization is a control procedure to update the stored data and ensure accuracy and security of stored data. This does provide evidence regarding the individuals who update the stored data; however, it is not effective in the given situation to determine transactions posted to an account.

Which of the following BEST ensures the integrity of a server's operating system (OS)? A. Protecting the server in a secure location B. Setting a boot password C. Hardening the server configuration D. Implementing activity logging

You answered D. The correct answer is C. A. Protecting the server in a secure location is a good practice, but does not ensure that a user will not try to exploit logical vulnerabilities and compromise the operating system (OS). B. Setting a boot password is a good practice, but does not ensure that a user will not try to exploit logical vulnerabilities and compromise the OS. C. Hardening a system means to configure it in the most secure manner (install latest security patches, properly define access authorization for users and administrators, disable insecure options and uninstall unused services) to prevent nonprivileged users from gaining the right to execute privileged instructions and, thus, take control of the entire machine, jeopardizing the integrity of the OS. D. Activity logging has two weaknesses in this scenario—it is a detective control (not a preventive one), and the attacker who already gained privileged access can modify logs or disable them.

Which of the following would be evaluated as a preventive control by an IS auditor performing an audit? A. Transaction logs B. Before and after image reporting C. Table lookups D. Tracing and tagging

You answered D. The correct answer is C. A. Transaction logs are a detective control and provide audit trails. B. Before and after image reporting makes it possible to trace the impact that transactions have on computer records. This is a detective control. C. Table lookups are preventive controls; input data are checked against predefined tables, which prevent any undefined data to be entered. D. Tracing and tagging is used to test application systems and controls, but is not a preventive control in itself.

The specific advantage of white box testing is that it: A. verifies a program can operate successfully with other parts of the system. B. ensures a program's functional operating effectiveness without regard to the internal program structure. C. determines procedural accuracy or conditions of a program's specific logic paths. D. examines a program's functionality by executing it in a tightly controlled or virtual environment with restricted access to the host system.

You answered D. The correct answer is C. A. Verifying the program can operate successfully with other parts of the system is sociability testing. B. Testing the program's functionality without knowledge of internal structures is black box testing. C. White box testing assesses the effectiveness of software program logic. Specifically, test data are used in determining procedural accuracy or conditions of a program's logic paths. D. Controlled testing of programs in a semi-debugged environment, either heavily controlled step-by-step or via monitoring in virtual machines, is sand box testing.

An IS auditor reviewing the application change management process for a large multinational company should be MOST concerned when: A. test systems run different configurations than do production systems. B. change management records are paper based. C. the configuration management database is not maintained. D. the test environment is installed on the production server.

You answered D. The correct answer is C. A. While, ideally, production and test systems should be configured identically, there may be reasons why this does not occur. The more significant concern is whether the configuration management database was not maintained. B. Paper-based change management records are inefficient to maintain and not easy to review in large volumes; however, they do not present a concern from a control point of view as long as they are properly and diligently maintained. C. The configuration management database (CMDB) is used to track configuration items (CIs) and the dependencies between them. An out-of-date CMDB in a large multinational company could result in incorrect approvals being obtained, or leave out critical dependencies during the test phase. D. While it is not ideal to have the test environment installed on the production server, it is not a control-related concern. As long as the test and production environments are kept separate, they can be installed on the same physical server(s).

An IS auditor is reviewing a monthly accounts payable transaction register using audit software. For what purpose would the auditor be interested in using a check digit? A. To detect data transposition errors B. To ensure that transactions do not exceed predetermined amounts C. To ensure that data entered are within reasonable limits D. To ensure that data entered are within a predetermined range of values

You are correct, the answer is A. A. A check digit is a numeric value added to data to ensure that original data are correct and have not been altered. B. Ensuring that data have not exceeded a predetermined amount is a limit check. C. Ensuring that data entered are within predetermined reasonable limits is a reasonableness check. D. Ensuring that data entered are within a predetermined range of values is a range check.

An IS auditor finds that user acceptance testing of a new system is being repeatedly interrupted by defect fixes from the developers. Which of the following would be the BEST recommendation for an IS auditor to make? Correct A. Consider the feasibility of a separate user acceptance environment. B. Schedule user testing to occur at a given time each day. C. Implement a source code version control tool. D. Only retest high-priority defects.

You are correct, the answer is A. A. A separate environment or environments is normally necessary for testing to be efficient and effective, and to ensure the integrity of production code. It is important that the development and test code bases be separate. When defects are identified they can be fixed in the development environment, without interrupting testing, before being migrated in a controlled manner to the test environment. A separate test environment can also be used as the final staging area from which code is migrated to production. This enforces a separation between development and production code. The logistics of setting up and refreshing customized test data is easier if a separate environment is maintained. B. If developers and testers are sharing the same environment, they have to work effectively at separate times of the day. It is unlikely that this would provide optimum productivity. C. Use of a source code control tool is a good practice, but it does not properly mitigate the lack of an appropriate test environment. D. Even low priority fixes run the risk of introducing unintended results when combined with the rest of the system code. To prevent this, regular regression testing covering all code changes should occur. A separate test environment makes the logistics of regression testing easier to manage.

An IS auditor is reviewing the software development process for an organization. Which of the following functions would be appropriate for the end users to perform? A. Program output testing B. System configuration C. Program logic specification D. Performance tuning

You are correct, the answer is A. A. A user can test program output by checking the program input and comparing it with the system output. This task, although usually done by the programmer, can also be done effectively by the user. B. System configuration is usually too technical to be accomplished by a user and this situation could create security issues. This could introduce a segregation of duties issue. C. Program logic specification is a very technical task that is normally performed by a programmer. This could introduce a segregation of duties issue. D. Performance tuning also requires high levels of technical skill and will not be effectively accomplished by a user. This could introduce a segregation of duties issue.

A project manager for a project that is scheduled to take 18 months to complete announces that the project is in a healthy financial position because, after six months, only one-sixth of the budget has been spent. The IS auditor should FIRST determine: A. what amount of progress against schedule has been achieved. B. if the project budget can be reduced. C. if the project could be brought in ahead of schedule. D. if the budget savings can be applied to increase the project scope.

You are correct, the answer is A. A. Cost performance of a project cannot be properly assessed in isolation of schedule performance. Cost cannot be assessed simply in terms of elapsed time on a project. B. To properly assess the project budget position it is necessary to know how much progress has actually been made and, given this, what level of expenditure would be expected. It is possible that project expenditure appears to be low because actual progress has been slow. Until the analysis of project against schedule has been completed, it is impossible to know whether there is any reason to reduce budget. If the project has slipped behind schedule, then not only may there be no spare budget but it is possible that extra expenditure may be needed to retrieve the slippage. The low expenditure could actually be representative of a situation where the project is likely to miss deadlines rather than potentially come in ahead of time. C. If the project is found to be ahead of budget after adjusting for actual progress, this is not necessarily a good outcome because it points to flaws in the original budgeting process; and, as said previously, until further analysis is undertaken, it cannot be determined whether any spare funds actually exist. D. If the project is behind schedule, then adding scope may be the wrong thing to do.

Which of the following is a PRIMARY objective of embedding an audit module while developing online application systems? A. To collect evidence while transactions are processed B. To reduce requirements for periodic internal audits C. To identify and report fraudulent transactions D. To increase efficiency of the audit function

You are correct, the answer is A. A. Embedding a module for continuous auditing within an application processing a large number of transactions provides timely collection of audit evidence during processing and is the primary objective. The continuous auditing approach allows the IS auditor to monitor system reliability on a continuous basis and to gather selective audit evidence through the computer. B. An embedded audit module enhances the effectiveness of internal audit by ensuring timely availability of required evidence. It may not reduce the requirements for periodic internal audits, but it will increase their efficiency. Also, the question pertains to the development process for new application systems, and not to subsequent internal audits. C. An audit module collects data on transactions that may help identify fraudulent transactions, but it does not identify fraudulent transactions inherently. D. Although increased efficiency may be an added benefit of an embedded audit module, it is not the primary objective.

An IS auditor is reviewing a project for the implementation of a mission-critical system and notes that, instead of parallel implementation, the team opted for an immediate cutover to the new system. Which of the following is the GREATEST concern? A. The implementation phase of the project has no backout plan. B. User acceptance testing (UAT) was not properly documented. C. Software functionality tests were completed, but stress testing was not performed. D. The go-live date is over a holiday weekend when key IT staff are on vacation.

You are correct, the answer is A. A. One of the benefits of deploying a new system in parallel with an existing system is that the original system can always be used as a backout plan. In an immediate cutover scenario, not having a backout plan can create significant issues because it can take considerable time and cost to restore operations to the prior state if there is no viable plan to do so. B. The documentation of user acceptance testing (UAT) is a much less important concern than not having a viable backout plan. C. The lack of stress testing is a much less important concern than not having a viable backout plan. D. If there are support issues, having the go-live date happen over a holiday weekend may create some delays, but project managers should account for this to ensure that the required staff are available as needed. The greater risk is if there is no backout plan.

During the review of a web-based software development project, an IS auditor realizes that coding standards are not enforced and code reviews are rarely carried out. This will MOST likely increase the likelihood of a successful: A. buffer overflow. B. brute force attack. C. distributed denial-of-service attack (DDoS). D. war dialing attack.

You are correct, the answer is A. A. Poorly written code, especially in web-based applications, is often exploited by hackers using buffer overflow techniques. B. A brute force attack is used to crack passwords, but this is not related to coding standards. C. A distributed denial-of-service (DDoS) attack floods its target with numerous packets, to prevent it from responding to legitimate requests. This is not related to coding standards. D. War dialing uses modem-scanning tools to hack private branch exchanges (PBXs) or other telecommunications services.

A rapid application development (RAD) methodology has been selected to implement a new enterprise resource planning (ERP) system. All of the project activities have been assigned to the contracted consulting company because internal employees are not available. What is the IS auditor's FIRST step to compensate for the lack of resources? A. Review the project plan and approach. B. Ask the vendor to provide additional external staff. C. Recommend that the company hire more people. D. Stop the project until all human resources (HR) are available.

You are correct, the answer is A. A. Rapid methodologies require available resources with good expertise and a fast decision-making process because the plan duration is usually short. Reviewing the project plan and approach is the best recommendation to make the appropriate changes to compensate for the missing end users. B. Adding external people to the project will not resolve the problem because they will not be able to decide on behalf of the internal employees who are usually end users from the business side. C. Hiring new people will take time and does not guarantee the readiness of new hires to make appropriate decisions in this project. D. Stopping the project could be a good option, but reviewing the project and considering all of the aspects should be done first.

During a postimplementation review of an enterprise resource management system, an IS auditor would MOST likely: A. review access control configuration. B. evaluate interface testing. C. review detailed design documentation. D. evaluate system testing.

You are correct, the answer is A. A. Reviewing access control configuration would be the first task performed to determine whether security has been appropriately mapped in the system. B. Because a postimplementation review is done after user acceptance testing and actual implementation, one would not engage in interface testing or detailed design documentation. Evaluating interface testing would be part of the implementation process. C. The issue of reviewing detailed design documentation is not generally relevant to an enterprise resource management system because these are usually vendor packages with user manuals. System testing should be performed before final user signoff. Further, because the system has been implemented, the IS auditor would only check the detailed design if there appeared to be a gap between design and functionality. D. System testing should be performed before final user signoff. The IS auditor should not need to review the system tests postimplementation.

A private enterprise has a project in place to modify the financial accounting system to comply with major changes in tax laws. Prior to going live, the finance manager, who is the application owner, went on emergency leave and could not complete functional testing of the changes. The development team lead believes that the changes should be implemented without approval from the business process owner. Which of the following is TRUE? A. The changes can be moved to production without business process owner approval if appropriate testing is performed and the enterprise owner approves the move to production. B. Changes should never be promoted to production without application owner approval. If there is an urgent need to implement the change, the manager covering for the finance manager should review the testing and provide approval. C. The changes can be moved to production because the application has been in use for five years and has been stable; the development team lead can act as the backup to the finance manager approval and approve the changes. D. The changes can be moved to production without business process owner approval because the development team lead has significant knowledge in accounting and was also involved in development of the changes.

You are correct, the answer is A. A. The business process owner should be consulted for any changes to the application. The head of operations is ultimately accountable; in a privately owned enterprise, that would include the enterprise owner. B. Application owner approval is essential prior to implementing any application change; however, there may be particular circumstances that allow for a move to production without the formal approval of the application owner. This is a good answer, but because the enterprise owner is ultimately responsible and the manager filling in for the business process owner may not be experienced enough, it is better to have approval of the enterprise owner. C. Changes to the application always require prior independent testing to mitigate the risk of an inappropriate outcome from the changes. Application lifetime and stability are not significant factors for assessing whether changes are ready for a move to production. D. Changes to business-critical applications would always require independent testing to mitigate the risk of program or logic errors. Because the development head was involved in development of the changes, approval by the same individual would create a segregation of duties issue.

Which of the following is the MOST important critical success factor (CSF) of implementing a risk-based approach to the IT system life cycle? A. Adequate involvement of stakeholders B. Selection of a risk management framework C. Identification of risk mitigation strategies D. Understanding of the regulatory environment

You are correct, the answer is A. A. The most important critical success factor (CSF) is the adequate involvement and support of the various quality assurance, privacy, legal, audit, regulatory affairs or compliance teams in high regulatory risk situations. Some IT system changes may, based on risk ratings, require sign-off from key stakeholders before proceeding. B. Selecting a risk management framework helps the organization define the approach to addressing risk, but still requires adequate involvement of stakeholders to be successful. C. Identifying risk mitigation strategies helps the organization define the approach to addressing risk, but still requires adequate involvement of stakeholders to be successful. D. Having an understanding of the regulatory environment is important to ensure that risk is addressed in the context of the applicable regulation, but adequate stakeholder involvement is required to ensure success.

When reviewing a project where quality is a major concern, an IS auditor should use the project management triangle to explain that: A. increases in quality can be achieved, even if resource allocation is decreased. B. increases in quality are only achieved if resource allocation is increased. C. decreases in delivery time can be achieved, even if resource allocation is decreased. D. decreases in delivery time can only be achieved if quality is decreased.

You are correct, the answer is A. A. The three primary dimensions of a project are determined by the deliverables, the allocated resources and the delivery time. The area of the project management triangle, comprised of these three dimensions, is fixed. Depending on the degree of freedom, changes in one dimension might be compensated by changing either one or both remaining dimensions. Thus, if resource allocation is decreased an increase in quality can be achieved, if a delay in the delivery time of the project will be accepted. The area of the triangle always remains constant. B. Increases in quality can be achieved if resource allocation is increased or through increases in delivery time, not only through increases in resource allocation. C. A decrease in both delivery time and resource allocation would mean that quality would have to decrease. D. A decrease in delivery time may also be addressed through an increase in resource allocation, even if the quality remains constant.

An IS auditor is reviewing an enterprise's system development testing policy. Which of the following statements concerning use of production data for testing would the IS auditor consider to be MOST appropriate? A. Senior IS and business management must approve use before production data can be utilized for testing. B. Production data can be used if they are copied to a secure test environment. C. Production data can never be used. All test data must be developed and based on documented test cases. D. Production data can be used provided that confidentiality agreements are in place.

You are correct, the answer is A. A. There is risk associated with the use of production data for testing. This includes compromising customer or employee confidentiality (which may also involve breaching legislation) and corrupting production of the data. Additionally, there are certain cases in which effective testing requires specifically designed data. There are other cases in which using production data would provide insights that are difficult or impossible to get from manufactured test data. One example is testing of interfaces to legacy systems. Management information systems are a further example where access to "real" data is likely to enhance testing. Some flexibility on the use of production data is likely to be the best option. In addition to obtaining senior management approval, conditions that mitigate the risk associated with using production data can be agreed on, such as masking names and other identifying fields to protect privacy. B. Copying production data to a secure environment is a good practice, but this should only be done with the approval of management. Management must accept the risk of using production data for testing. C. Creating a complete set of test data would be an ideal situation but is not always possible due to the volume of test data that would be required. D. Production data could only be used with management's permission. Then it can be appropriate to require the use of confidentiality agreements.

While evaluating software development practices in an organization, an IS auditor notes that the quality assurance (QA) function reports to project management. The MOST important concern for an IS auditor is the: A. effectiveness of the QA function because it should interact between project management and user management. B. efficiency of the QA function because it should interact with the project implementation team. C. effectiveness of the project manager because the project manager should interact with the QA function. D. efficiency of the project manager because the QA function will need to communicate with the project implementation team.

You are correct, the answer is A. A. To be effective, the quality assurance (QA) function should be independent of project management. If not, project management may put pressure on the QA function to approve an inadequate product. B. The efficiency of the QA function would not be impacted by interacting with the project implementation team. The QA team would not release a product for implementation until it had met QA requirements. C. The project manager will respond to the issues raised by the QA team. This will not impact the effectiveness of the project manager. D. The QA function's interaction with the project implementation team should not impact the efficiency of the project manager.

When reviewing input controls, an IS auditor observes that, in accordance with corporate policy, procedures allow supervisory override of data validation edits. The IS auditor should: A. not be concerned because there may be other compensating controls to mitigate the risk. B. ensure that overrides are automatically logged and subject to review. C. verify whether all such overrides are referred to senior management for approval. D. recommend that overrides not be permitted.

You are correct, the answer is B. A. An IS auditor should not assume that compensating controls exist. B. If input procedures allow overrides of data validation and editing, automatic logging should occur. A management individual who did not initiate the override should review this log. C. The log may be reviewed by another manager, but does not require senior management approval. D. As long as the overrides are policy-compliant, there is no need for senior management approval or a blanket prohibition.

Which of the following will BEST ensure the successful offshore development of business applications? A. Stringent contract management practices B. Detailed and correctly applied specifications C. Awareness of cultural and political differences D. Postimplementation reviews

You are correct, the answer is B. A. Contract management practices, although important, will not ensure successful development if the specifications are incorrect. B. When dealing with offshore operations, it is essential that detailed specifications be created. Language differences and a lack of interaction between developers and physically remote end users could create gaps in communication in which assumptions and modifications may not be adequately communicated. Inaccurate specifications cannot easily be corrected. C. Cultural and political differences, although important, should not affect the delivery of a good product. D. Postimplementation reviews, although important, are too late in the process to ensure successful project delivery and are not as pivotal to the success of the project.

The MAIN purpose of a transaction audit trail is to: A. reduce the use of storage media. B. determine accountability and responsibility for processed transactions. C. help an IS auditor trace transactions. D. provide useful information for capacity planning.

You are correct, the answer is B. A. Enabling audit trails increases the use of disk space. B. Enabling audit trails aids in establishing the accountability and responsibility for processed transactions by tracing them through the information system. C. A transaction log file would be used to trace transactions, but the primary purpose of an audit trail is to support accountability, not to support the work of the IS auditor. D. The objective of capacity planning is the efficient and effective use of IT resources and requires information such as CPU utilization, bandwidth and the number of users.

Which of the following factors is the MOST critical when evaluating the effectiveness of an IT governance implementation? A. Ensure that assurance objectives are defined. B. Determine stakeholder requirements and involvement. C. Identify the relevant risk and related opportunities. D. Determine the relevant enablers and their applicability.

You are correct, the answer is B. A. The stakeholder's needs and their involvement form the basis for scoping the IT governance implementation. This will be used to define assurance objectives. B. The most critical factor to be considered in auditing an IT governance implementation is to determine stakeholder requirements and involvement. This will drive the success of the project. Based on this, the assurance scope and objectives would be determined. C. The relevant risk and related opportunities are identified and driven by the assurance objectives. D. The relevant enablers and their applicability for the IT governance implementation would be considered based on assurance objectives.

Which of the following is the BEST method of controlling scope creep in a system development project? A. Defining penalties for changes in requirements B. Establishing a software baseline C. Adopting a matrix project management structure D. Identifying the critical path of the project

You are correct, the answer is B. A. While defining penalties for changes in requirements may help to prevent scope creep, software baselining is a better way to accomplish this goal. B. Software baselining, the cutoff point in the design phase, occurs after a rigorous review of user requirements. Any changes thereafter will undergo strict formal change control and approval procedures. Scope creep refers to uncontrolled change within a project resulting from improperly managed requirements. C. In a matrix project organization, management authority is shared between the project manager and the department heads. Adopting a matrix project management structure will not address the problem of scope creep. D. Although the critical path is important, it will change over time and will not control scope creep.

An IS auditor is conducting a postimplementation review of an enterprise's network. Which of the following findings would be of MOST concern? A. Wireless mobile devices are not password-protected. B. Default passwords are not changed when installing network devices. C. An outbound web proxy does not exist. D. All communication links do not utilize encryption.

You are correct, the answer is B. A. While mobile devices that are not password-protected would be a risk, it would not be as significant as unsecured network devices. B. The most significant risk in this case would be if the factory default passwords are not changed on critical network equipment. This could allow anyone to change the configurations of network equipment. C. The use of a web proxy is a best practice, but may not be required depending on the enterprise. D. Encryption is a good control for data security, but is not appropriate to use for all communication links due to cost and complexity.

An IS auditor reviewing the IT project management process is reviewing a feasibility study for a critical project to build a new data center. The IS auditor is MOST concerned about the fact that: A. it has not been determined how the project fits into the overall project portfolio. B. the organizational impact of the project has not been assessed. C. not all IT stakeholders have been given an opportunity to provide input. D. the environmental impact of the data center has not been considered.

You are correct, the answer is B. A. While projects must be assigned a priority and managed as a portfolio, this most likely occurs after the feasibility study determines that the project is viable. B. The feasibility study determines the strategic benefits of the project. Therefore, the result of the feasibility study determines the organizational impact—a comparison report of costs, benefits, risk, etc. The project portfolio is a part of measuring the organizational strategy. C. A feasibility study is ordinarily conducted by those with the knowledge to make the decision because the involvement of the entire IT organization is not needed. D. While an IT project such as the construction of a data center may require an environmental impact study, this occurs after the impact to the organization is determined.

During the system testing phase of an application development project the IS auditor should review the: A. conceptual design specifications. B. vendor contract. C. error reports. D. program change requests.

You are correct, the answer is C. A. A conceptual design specification is a document prepared during the requirements definition phase. The system testing will be based on a test plan. B. A vendor contract is prepared during a software acquisition process and may be reviewed to ensure that all the deliverables in the contract have been delivered, but the most important area of review is the error reports. C. Testing is crucial in determining that user requirements have been validated. The IS auditor should be involved in this phase and review error reports for their precision in recognizing erroneous data and review the procedures for resolving errors. D. Program change requests would be reviewed normally as a part of the postimplementation phase.

From a risk management point of view, the BEST approach when implementing a large and complex IT infrastructure is: A. a major deployment after proof of concept. B. prototyping and a one-phase deployment. C. a deployment plan based on sequenced phases. D. to simulate the new infrastructure before deployment.

You are correct, the answer is C. A. A major deployment would pose a higher risk of implementation failure. B. Prototyping may reduce development failure, but a large environment will usually require a phased approach. C. When developing a large and complex IT infrastructure, the best practice is to use a phased approach to fit the entire system together. This will provide greater assurance of quality results. D. It is not usually feasible to simulate a large and complex IT infrastructure prior to deployment.

Which of the following controls helps prevent duplication of vouchers during data entry? A. A range check B. Transposition and substitution C. A sequence check D. A cyclic redundancy check (CRC)

You are correct, the answer is C. A. A range check works over a range of numbers. Even if the same voucher number reappears, it will satisfy the range and, therefore, not be useful. B. Transposition and substitution are used in encoding, but will not help in establishing unique voucher numbers. C. A sequence check involves increasing the order of numbering and would validate whether the vouchers are in sequence and, thus, prevent duplicate vouchers. D. A cyclic redundancy check (CRC) is used for completeness of data received over the network, but is not useful in application code level validations.

The project steering committee is ultimately responsible for: A. day-to-day management and leadership of the project. B. allocating the funding for the project. C. project deliverables, costs and timetables. D. ensuring that system controls are in place.

You are correct, the answer is C. A. Day-to-day management and leadership of the project is the function of the project manager. B. Providing the funding for the project is the function of the project sponsor. C. The project steering committee provides overall direction; ensures appropriate representation of the major stakeholders in the project's outcome; and takes ultimate responsibility for the deliverables, costs and timetables. D. Ensuring that system controls are in place is the function of the project security officer.

The BEST time for an IS auditor to assess the control specifications of a new application software package which is being considered for acquisition is during: A. the internal lab testing phase. B. testing and prior to user acceptance. C. the requirements gathering process. D. the implementation phase.

You are correct, the answer is C. A. During testing, the IS auditor will ensure that the security requirements are met. This is not the time to assess the control specifications. B. The control specifications will drive the security requirements that are built into the contract and should be assessed before the product is acquired and tested. C. The best time for the involvement of an IS auditor is at the beginning of the requirements definition of the development or acquisition of applications software. This provides maximum opportunity for review of the vendors and their products. Early engagement of an IS auditor also minimizes the potential of a business commitment to a given solution that might be inadequate and more difficult to overcome as the process continues. D. During the implementation phase, the IS auditor may check whether the controls have been enabled; however, this is not the time to assess the control requirements.

An advantage in using a bottom-up vs. a top-down approach to software testing is that: A. interface errors are detected earlier. B. confidence in the system is achieved earlier. C. errors in critical modules are detected earlier. D. major functions and processing are tested earlier.

You are correct, the answer is C. A. Interface errors will not be found until later in the testing process—as a result of integration or system testing. B. Confidence in the system cannot be obtained until the testing is completed. C. The bottom-up approach to software testing begins with the testing of atomic units, such as programs and modules, and works upward until a complete system testing has taken place. The advantages of using a bottom-up approach to software testing are the fact that errors in critical modules are found earlier. D. Bottom-up testing tests individual components and major functions and processing will not be adequately tested until systems and integration testing is completed.

In an online transaction processing system, data integrity is maintained by ensuring that a transaction is either completed in its entirety or not at all. This principle of data integrity is known as: A. isolation. B. consistency. C. atomicity. D. durability.

You are correct, the answer is C. A. Isolation ensures that each transaction is isolated from other transactions; hence, each transaction can only access data if it is not being simultaneously accessed or modified by another process. B. Consistency ensures that all integrity conditions in the database be maintained with each transaction. C. The principle of atomicity requires that a transaction be completed in its entirety or not at all. If an error or interruption occurs, all changes made up to that point are backed out. D. Durability ensures that, when a transaction has been reported back to a user as complete, the resultant changes to the database will survive subsequent hardware or software failures.

To minimize the cost of a software project, quality management techniques should be applied: A. as close to their writing (i.e., point of origination) as possible. B. primarily at project start to ensure that the project is established in accordance with organizational governance standards. C. continuously throughout the project with an emphasis on finding and fixing defects primarily through testing to maximize the defect detection rate. D. mainly at project close-down to capture lessons learned that can be applied to future projects.

You are correct, the answer is C. A. Quality assurance (QA) should start as early as possible but continue through the entire development process. B. Only performing QA during the start of the project will not detect problems that appear later in the development cycle. C. While it is important to properly establish a software development project, quality management should be effectively practiced throughout the project. The major source of unexpected costs on most software projects is rework. The general rule is that the earlier in the development life cycle that a defect occurs, and the longer it takes to find and fix that defect, the more effort will be needed to correct it. A well-written quality management plan is a good start, but it must also be actively applied. Simply relying on testing to identify defects is a relatively costly and less effective way of achieving software quality. For example, an error in requirements discovered in the testing phase can result in scrapping significant amounts of work. D. Capturing lessons learned will be too late for the current project. Additionally, applying quality management techniques throughout a project is likely to yield its own insights into the causes of quality problems and assist in staff development.

Which of the following is the MOST effective when determining the correctness of individual account balances migrated from one database to another? A. Compare the hash total before and after the migration. B. Verify that the number of records is the same for both databases. C. Perform sample testing of the migrated account balances. D. Compare the control totals of all of the transactions.

You are correct, the answer is C. A. The hash total will only validate the data integrity at a batch level rather than at a transaction level. B. Databases are composed of records that can contain multiple fields. The number of records will not allow an IS auditor to ascertain whether some of these fields have been successfully migrated. C. Performing sample testing of the migrated account balances will involve the comparison of a selection of individual transactions from the database before and after the migration. D. Comparing the control totals does not imply that the records are complete or that individual values are accurate.

Which of the following considerations is the MOST important while evaluating a business case for the acquisition of a new accounting application? A. Total cost of ownership (TCO) of the application B. The resources required for implementation C. Return on investment (ROI) to the company D. The cost and complexity of security requirements .

You are correct, the answer is C. A. Total cost of ownership (TCO) of the application is important to understand the resource and budget requirements in the short and long term; however, decisions should be based on benefits realization from this investment. Therefore, return on investment (ROI) is the most important consideration. B. The resources required for implementation of the application are an important consideration; however, decisions should be based on benefits realization from this investment. Therefore, ROI should be carefully considered. C. The proposed ROI benefits, along with targets or metrics that can be measured, are the most important aspects of a business case. While reviewing the business case, it should be verified that the proposed ROI is achievable, does not make unreasonable assumptions and can be measured for success. (Benefits realization should look beyond project cycles to longer-term cycles that consider the total benefits and total costs throughout the life of the new system.) D. The cost and complexity of security requirements are important considerations, but they need to be weighed against the proposed benefits of the application. Therefore, ROI is more important

By evaluating application development projects against the capability maturity model (CMM), an IS auditor should be able to verify that: A. reliable products are guaranteed. B. programmers' efficiency is improved. C. security requirements are designed. D. predictable software processes are followed.

You are correct, the answer is D. A. Although the likelihood of success should increase as the software processes mature toward the optimizing level, mature processes do not guarantee a reliable product. B. The capability maturity model (CMM) does not evaluate technical processes such as programming efficiency. C. The CMM does not evaluate security requirements or other application controls. D. By evaluating the organization's development projects against the CMM, an IS auditor determines whether the development organization follows a stable, predictable software development process.

During the audit of an acquired software package, an IS auditor finds that the software purchase was based on information obtained through the Internet, rather than from responses to a request for proposal (RFP). The IS auditor should FIRST: A. test the software for compatibility with existing hardware. B. perform a gap analysis. C. review the licensing policy. D. ensure that the procedure had been approved.

You are correct, the answer is D. A. Because the software package has already been acquired, it is most likely that it is in use and therefore compatible with existing hardware. Further, the first responsibility of the IS auditor is to ensure that the purchasing procedures have been approved. B. Because there was no request for proposal (RFP), there may be no documentation of the expectations of the product and nothing to measure a gap against. The first task for the IS auditor is to ensure that the purchasing procedures were approved. C. The licensing policy should be reviewed to ensure proper licensing, but only after the purchasing procedures are checked. D. In the case of a deviation from the predefined procedures, an IS auditor should first ensure that the procedure followed for acquiring the software is consistent with the business objectives and has been approved by the appropriate authorities.

Which of the following is the PRIMARY purpose for conducting parallel testing? A. To determine whether the system is cost-effective B. To enable comprehensive unit and system testing C. To highlight errors in the program interfaces with files D. To ensure the new system meets user requirements

You are correct, the answer is D. A. Parallel testing may show that the old system is, in fact, more cost-effective than the new system, but this is not the primary reason for parallel testing. B. Unit and system testing are completed before parallel testing. C. Program interfaces with files are tested for errors during system testing. D. The purpose of parallel testing is to ensure that the implementation of a new system will meet user requirements by comparing the results of the old system with the new system to ensure correct processing.

An IS audit group has been involved in the integration of an automated audit tool kit with an existing enterprise resource planning (ERP) system. Due to performance issues, the audit tool kit is not permitted to go live. What should the IS auditor's BEST recommendation be? A. Review the implementation of selected integrated controls. B. Request additional IS audit resources. C. Request vendor technical support to resolve performance issues. D. Review the results of stress tests during user acceptance testing (UAT).

You are correct, the answer is D. A. Reviewing the implementation of selected integrated controls validates the technical design and the control objective, but integrated controls over transactional tables consume large resources. They should be reviewed carefully to determine whether they are mandatory or can be implemented and integrated for only specific transactions over the enterprise resource planning (ERP) application. B. The inability to implement the automated tool may necessitate additional audit resources because many audits will require more manual effort; however, the first step should be to try to resolve the performance issues. C. Requesting vendor technical support to resolve performance issues is a good option, but not the first recommendation. D. The appropriate recommendation is to review the results of stress tests during user acceptance testing (UAT) that demonstrated the performance issues.

Which of the following should be developed during the requirements definition phase of a software development project to address aspects of software testing? A. Test data covering critical applications B. Detailed test plans C. Quality assurance (QA) test specifications D. User acceptance test specifications

You are correct, the answer is D. A. Test data will usually be created during the system testing phase. B. Detailed test plans are created during system testing. C. Quality assurance (QA) test specifications are set out later in the development process. D. A key objective in any software development project is to ensure that the developed software will meet the business objectives and the requirements of the user. The users should be involved in the requirements definition phase of a development project and user acceptance test specification should be developed during this phase.

An organization is considering making a major investment in upgrading technology. Which of the following choices is the MOST important to consider? A. A cost analysis B. The security risk of the current technology C. Compatibility with existing systems D. A risk analysis

You are correct, the answer is D. A. The information system solution should be cost-effective, but this is not the most important aspect. B. The security risk of the current technology is one of the components of the risk analysis, and alone is not the most important factor. C. Compatibility with existing systems is one consideration; however, the new system may be a major upgrade that is not compatible with existing systems, so this is not the most important consideration. D. Prior to implementing new technology, an organization should perform a risk assessment, which would then be presented to business unit management for review and acceptance.

When transmitting a payment instruction, which of the following will help verify that the instruction was not duplicated? A. Using a cryptographic hashing algorithm B. Enciphering the message digest C. Calculating a checksum of the transaction D. Using a sequence number and time stamp

You are correct, the answer is D. A. Use of a cryptographic hashing algorithm against the entire message helps achieve data integrity but will not prevent duplicate processing. B. Enciphering the message digest using the sender's private key, which signs the sender's digital signature to the document, helps in authenticating the source and integrity of the transaction but will not prevent duplicate processing. C. A checksum can be used for data integrity but not to prevent duplicate transactions. D. When transmitting data, a sequence number and/or time stamp built into the message to make it unique can be checked by the recipient to ensure that the message was not intercepted and replayed. This is known as replay protection, and could be used to verify that a payment instruction was not duplicated.

The editing/validation of data entered at a remote site would be performed MOST effectively at the: A. central processing site after running the application system. B. central processing site during the running of the application system. C. remote processing site after transmission of the data to the central processing site. D. remote processing site prior to transmission of the data to the central processing site.

You are correct, the answer is D. A. Validating data prior to transmission is the most efficient method and saves the effort of transmitting or processing invalid data. However, due to the risk of errors being introduced during transmission it is also good practice to re-validate the data at the central processing site. B. Validating data prior to transmission is the most efficient method and saves the effort of transmitting or processing invalid data. However, due to the risk of errors being introduced during transmission it is also good practice to re-validate the data at the central processing site. C. To validate the data after it has been transmitted is not a valid control. D. It is important that the data entered from a remote site is edited and validated prior to transmission to the central processing site.