THE FINAL

The primary reason for reviewing the organizational chart is as follows: A. To understand the structure of the organization B. To understand various communication channels C. To understand the roles and responsibilities of individuals D. To understand the network and system architecture

C. To understand the roles and responsibilities of individualsMM

An appropriate control for ensuring the authenticity of orders received in an electronic data interchange system application is to: A. acknowledge receipt of electronic orders with a confirmation message. B. perform reasonableness checks on quantities ordered before filling orders. C. verify the identity of senders and determine if orders correspond to contract terms. D. encrypt electronic orders.

C. verify the identity of senders and determine if orders correspond to contract terms.

Which of the following audit is mainly designed to evaluate the internal control structure in a given process or area? A. Compliance Audit B. Financial Audit C. Operational Audit D. Forensic audit

C. Operational Audit

A small company cannot segregate duties between its development processes and its change control function. What is the BEST way to ensure that the tested code that is moved into production is the same? A. Release management software B. Manual code comparison C. Regression testing in preproduction D. Management approval of changes

A is the correct answer. Justification A. Automated release management software can prevent unauthorized changes by moving code into production without any manual intervention. B. This can detect whether the wrong code has been moved into production; however, code comparison does not prevent the code from being migrated and is not as good a control as using release management software. In addition, manual code comparison is not always efficient and requires highly skilled personnel. C. Regression testing ensures that changes do not break the current system functionality or unwittingly overwrite previous changes. Regression testing does not prevent untested code from moving into production. D. Although management should approve every change to production, approvals do not prevent untested code from being migrated into the production environment.

Which of the following is the BEST approach to ensure that sufficient test coverage will be achieved for a project with a strict end date and a fixed time to perform testing? A. Requirements should be tested in terms of importance and frequency of use. B. Test coverage should be restricted to functional requirements. C. Automated tests should be performed through the use of scripting. D. The number of required test runs should be reduced by retesting only defect fixes.

A is the correct answer. Justification A. Maximize the usefulness of testing by concentrating on the most important aspects of the system and on the areas where defects represent the greatest risk to user acceptance. A further extension of this approach is to also consider the technical complexity of requirements, because complexity tends to increase the likelihood of defects. B. The problem with testing only functional requirements is that nonfunctional requirement areas, such as usability and security, which are important to the overall quality of the system, are ignored. C. Increasing the efficiency of testing by automating test execution is a good idea. However, by itself, this approach does not ensure the appropriate targeting of test coverage and so is not as effective an alternative. D. Retesting only defect fixes has a considerable risk that it will not detect instances in which defect fixes may have caused the system to regress (i.e., introduced errors in parts of the system that were previously working correctly). For this reason, it is a good practice to undertake formal regression testing after defect fixes have been implemented.

An enterprise is developing a new procurement system, and things are behind schedule. As a result, it is proposed that the time originally planned for the test phase be shortened. The project manager asks the IS auditor for recommendations to mitigate the risk associated with reduced testing. Which of the following is a suitable risk mitigation strategy? A. Test and release a pilot with reduced functionality. B. Fix and retest the highest-severity functional defects. C. Eliminate planned testing by the development team, and proceed straight to acceptance testing. D. Implement a test tool to automate defect tracking.

A is the correct answer. Justification A. Testing and releasing a pilot with reduced functionality reduces risk in a number of ways. Reduced functionality should result in fewer overall test cases to run and defects to fix and retest, and in less regression testing. A pilot release made available to a select group of users will reduce the risk associated with a full implementation. All of the benefits of releasing the system to the full user population will not be realized, but some benefits should start to flow. Additionally, some useful comments from real users should be obtained to guide what extra functionality and other improvements need to be included in a full release. B. When testing starts, a significant number of defects is likely to exist. Focusing only on the highest-severity functional defects runs the risk that other important aspects such as usability problems and nonfunctional requirements of performance and security will be ignored. The system may go live, but users may struggle to use the system as intended to realize business benefits. C. Eliminating testing by development is usually a bad idea. Before system acceptance testing begins, some prior testing should occur to establish that the system is ready to proceed to acceptance evaluation. If prior testing by the development team does not occur, there is a considerable risk that the software will have a significant number of low-level defects, such as transactions that cause the system to hang and unintelligible error messages. This can prove frustrating for users or testers tasked with acceptance testing and, ultimately, could cause the overall test time to increase rather than decrease. D. The use of a defect tracking tool could help in improving test efficiency, but it does not address the fundamental risk caused by reducing the testing effort on a system in which quality is uncertain. Given the build problems experienced, there is reason to suspect that quality problems could exist.

A peer review of risk management process is best enable by: A. Capability maturity model B. Industry benchmarking C. Internal audit D. Balance score card

A. Capability maturity model CMM is based on standard, repeatable and measurable.

An IS auditor finds that user acceptance testing of a new system is being repeatedly interrupted as defect fixes are implemented by developers. Which of the following would be the BEST recommendation for an IS auditor to make? A. Consider feasibility of a separate user acceptance environment B. Schedule user testing to occur at a given time each day C. implement a source code version control tool D. Only retest high priority defects

A. Consider feasibility of a separate user acceptance environment

Which of the following would an IS auditor consider to be the MOST helpful when evaluating the effectiveness and adequacy of a computer preventive maintenance program? A. A system downtime log B. Vendors reliability figures C. Regularly scheduled maintenance log D. A written preventive maintenance schedule

A. A system downtime log

Time constraints and expanded needs have been found by an IS auditor to be the root causes for recent violations of corporate data definition standards in a new business intelligence project. Which of the following is the MOST appropriate suggestion for an auditor to make? A. Achieve standards alignment through an increase of resources devoted to the project B. Align the data definition standards after completion of the project C. Delay the project until compliance with standards can be achieved D. Enforce standard compliance by adopting punitive measures against violators

A. Achieve standards alignment through an increase of resources devoted to the project

Which of the following is a prevalent risk in the development of end-user computing (EUC) applications? A. Applications may not be subject to testing and IT general controls B. increased development and maintenance costs C. increased application development time D. Decision-making may be impaired due to diminished responsiveness to requests for information

A. Applications may not be subject to testing and IT general controls Explanation: End-user developed applications may not be subjected to an independent outside review by systems analysts and frequently are not created in the context of a formal development methodology. These applications may lack appropriate standards, controls, quality assurance procedures, and documentation. A risk of end-user applications is that management may rely on them as much as traditional applications. End-user computing (EUC) systems typically result in reduced application development and maintenance costs, and a reduced development cycle time. EUC systems normally increase flexibility and responsiveness to managements information requests.

During a postimplementation review of an enterprise resource management system, an IS auditor would MOST likely: A. review access control configuration B. evaluate interface testing. C. review detailed design documentation. D. evaluate system testing.

A. review access control configuration Explanation: Reviewing access control configuration would be the first task performed to determine whether security has been appropriately mapped in the system.

Policy compliance can be best ensured by: A. An existing IT mechanism that supports compliance B. The alignment of the policy with the business strategy C. Technological initiatives D. The compliance objective as defined in the policy

A. Existing IT mechanisms that support compliance. Explanation: The most important factor is the ability of an organization to comply with a policy. Existing IT systems should be able to enable compliance. Other factors are important, but they do not enable compliance directly.

Which of the following programs would a sound information security policy MOST likely include to handle suspected intrusions? A. Response B. Correction C. Detection D. Monitoring

A. Response Explanation: A sound IS security policy will most likely outline a response program to handle suspected intrusions. Correction, detection and monitoring programs are all aspects of information security, but will not likely be included in an IS security policy statement.

Which of the following procedures should be implemented to help ensure the completeness of inbound transactions via electronic data interchange (EDI)? A. Segment counts built into the transaction set trailer B. A log of the number of messages received, periodically verified with the transaction originator C. An electronic audit trail for accountability and tracking D. Matching acknowledgment transactions received to the log of EDI messages sent

A. Segment counts built into the transaction set trailer

When evaluating the collective effect of preventive, detective and corrective controls within a process, an IS auditor should be aware of which of the following? A. The point at which controls are exercised as data flow through the system B. Only preventive and detective controls are relevant C. Corrective controls are regarded as compensating D. Classification allows an IS auditor to determine which controls are missing

A. The point at which controls are exercised as data flow through the system

A company has implemented a new client-server enterprise resource planning (ERP) system. Local branches transmit customer orders to a central manufacturing facility. Which of the following would BEST ensure that the orders are processed accurately, and the corresponding products are produced? A. Verifying production of customer orders B. Logging all customer orders in the ERP system C. Using hash totals in the order transmitting process D. Approving (production supervisor) orders prior to production

A. Verification of the products produced will ensure that the produced products match the orders in the order system.

Functionality is a characteristic associated with evaluating the quality of software products throughout their life cycle, and is BEST described as the set of attributes that bear on the: A. existence of a set of functions and their specified properties. B. ability of the software to be transferred from one environment to another. C. capability of software to maintain its level of performance under stated conditions. D. relationship between the performance of the software and the amount of resources used.

A. existence of a set of functions and their specified properties. Explanation: Functionality is the set of attributes that bears on the existence of a set of functions and their specified properties. The functions are those that satisfy stated or implied needs. Choice B refers to portability; choice C refers to reliability and choice D refers to efficiency.

An IS auditor identifies that reports on product profitability produced by an organization's finance and marketing departments give different results. Further investigation reveals that the product definition being used by the two departments is different. What should the IS auditor recommend? A. User acceptance testing occurs for all reports before release into production B. Organizational data governance practices are put in place C. Standard software tools are used for report development D. Management signs-off on requirements for new reports

B is the correct answer. Justification A. Recommending that user acceptance testing occur for all reports before release into production does not address the root cause of the problem described. B. This choice directly addresses the problem. An organization-wide approach is needed to achieve effective management of data assets and reporting standards. This includes enforcing standard definitions of data elements, which is part of a data governance initiative. C. Recommending standard software tools be used for report development does not address the root cause of the problem described. D. Recommending that management sign off on requirements for new reports does not address the root cause of the problem described.

An IS auditor reviewing the IT project management process is reviewing a feasibility study for a critical project to build a new data center. The IS auditor is MOST concerned about the fact that: A. it has not been determined how the project fits into the overall project portfolio. B. the organizational impact of the project has not been assessed. C. not all IT stakeholders have been given an opportunity to provide input. D. the environmental impact of the data center has not been considered.

B is the correct answer. Justification A. While projects must be assigned a priority and managed as a portfolio, this most likely occurs after the feasibility study determines that the project is viable. B. The feasibility study determines the strategic benefits of the project. Therefore, the result of the feasibility study determines the organizational impact—a comparison report of costs, benefits, risk, etc. The project portfolio is a part of measuring the organizational strategy. C. A feasibility study is ordinarily conducted by those with the knowledge to make the decision because the involvement of the entire IT organization is not needed. D. The environmental impact should be part of the feasibility study however the organizational impact is more important.

The MOST effective audit practice to determine whether the operational effectiveness of controls is properly applied to transaction processing is: A. control design testing. B. substantive testing. C. inspection of relevant documentation. D. perform tests on risk prevention.

B is the correct answer. Justification Testing of control design assesses whether the control is structured to meet a specific control objective. It does not help determine whether the control is operating effectively. Among other methods, such as document review or walkthrough, tests of controls are the most effective procedures to assess whether controls accurately support operational effectiveness. Control documents may not always describe the actual process in an accurate manner. Therefore, auditors relying on document review have limited assurance that the control is operating as intended. Performing tests on risk prevention is incorrect. This is considered compliance testing and is used to determine whether policies are adhered to.

An IS auditor has identified the lack of an authorization process for users of an application. The IS auditors main concern should be that: A. more than one individual can claim to be a specific user. B. there is no way to limit the functions assigned to users. C. user accounts can be shared. D. users have a need-to-know privilege.

B. there is no way to limit the functions assigned to users.

An organization has an integrated development environment (IDE) on which the program libraries reside on the server, but modification/development and testing are done from PC workstations.Which of the following would be a strength of an IDE? A. Controls the proliferation of multiple versions of programs B. Expands the programming resources and aids available C. Increases program and processing integrity D. Prevents valid changes from being overwritten by other changes

B. Expands the programming resources and aids available Explanation: A strength of an IDE is that it expands the programming resources and aids available. The other choices are IDE weaknesses.

Which of the following controls would provide the GREATEST assurance of database integrity? A. Audit log procedures B. Table link/reference checks C. Query/table access time checks D. Rollback and roll forward database features

B. Table link/reference checks

Which of the following is the MOST important IS audit consideration when an organization outsources a customer credit review system to a third-party service provider? The provider: A. meets or exceeds industry security standards. B. agrees to be subject to external security reviews. C. has a good market reputation for service and experience. D. complies with security policies of the organization.

B. agrees to be subject to external security reviews. Explanation: It is critical that an independent security review of an outsourcing vendor be obtained because customer credit information will be kept there. Compliance with security standards or organization policies is important, but there is no way to verify or prove that that is the case without an independent review. Though long experience in business and good reputation is an important factor to assess service quality, the business cannot outsource to a provider whose security control is weak.

Which of the following will MOST successfully identify overlapping key controls in business application systems? A. Reviewing system functionalities that are attached to complex business processes B. Submitting test transactions through an integrated test facility C. Replacing manual monitoring with an automated auditing solution D. Testing controls to validate that they are effective

C is the correct answer. Justification A. In general, highly complex business processes may have more key controls than business areas with less complexity; however, finding, with certainty, unnecessary controls in complex areas is not always possible. If a well-thought-out key control structure was established from the beginning, finding any overlap in key controls will not be possible. B. An integrated test facility is an audit technique to test the accuracy of the processes in the application system. It may find control flaws in the application system, but it would be difficult to find the overlap in key controls. C. As part of the effort to realize continuous audit management, there are cases for introducing an automated monitoring and auditing solution. All key controls need to be clearly aligned for systematic implementation; thus, analysts can discover unnecessary or overlapping key controls in existing systems. D. By testing controls to validate whether they are effective, the IS auditor can identify whether there are overlapping controls; however, the process of implementing an automated auditing solution would better identify overlapping controls.

Which of the following should an IS auditor recommend to BEST enforce alignment of an IT project portfolio with strategic organizational priorities? A. Define a balanced scorecard for measuring performance. B. Consider user satisfaction in the key performance indicators. C. Select projects according to business benefits and risk. D. Modify the yearly process of defining the project portfolio.

C is the correct answer. Justification A. Measures such as a balanced scorecard are helpful, but do not guarantee that the projects are aligned with business strategy. B. Key performance indicators are helpful to monitor and measure IT performance, but they do not guarantee that the projects are aligned with business strategy. C. Prioritization of projects on the basis of their expected benefit(s) to business, and the related risk, is the best measure for achieving alignment of the project portfolio to an organization's strategic priorities. D. This definition might improve the situation, but only if the portfolio definition process is closely tied to organizational strategies.

***Which of the following helps an IS auditor evaluate the quality of new software that is developed and implemented? A. The reporting of the mean time between failures over time B. The overall mean time to repair failures C. The first report of the mean time between failures D. The overall response time to correct failures

C is the correct answer. Justification A. The mean time between failures that are repetitive includes the inefficiency in fixing the first reported failures and is a reflection on the response team or help desk team in fixing the reported issues. B. The mean time to repair is a reflection on the response team or help desk team in addressing reported issues. C. The mean time between failures that are first reported represents flaws in the software that are reported by users in the production environment. This information helps the IS auditor in evaluating the quality of the software that is developed and implemented. D. The response time reflects the agility of the response team or the help desk team in addressing reported issues.

Which technique would BEST test for the existence of dual control when auditing the wire transfer systems of a bank? A. Analysis of transaction logs B. Re-performance C. Observation D. Interviewing personnel

C is the correct answer. Justification A. This would help to show that dual control is in place but does not necessarily guarantee that this process is being followed consistently. Therefore, observation is the better test technique. B. Although re-performance could provide assurance that dual control was in effect, re-performing wire transfers at a bank would not be an option for an IS auditor. C. Dual control requires that two people carry out an operation. The observation technique helps to ascertain whether two individuals do get involved in execution of the operation and an element of oversight exists. It is obvious if one individual is masquerading and filling in the role of the second person. D. This is useful to determine the level of awareness and understanding of the personnel carrying out the operations. However, it does not provide direct evidence confirming the existence of dual control, because the information provided may not accurately reflect the process being performed.

Management observed that the initial phase of a multiphase implementation was behind schedule and over budget. Prior to commencing with the next phase, an IS auditor's PRIMARY suggestion for a postimplementation focus should be to: A. assess whether the planned cost benefits are being measured, analyzed and reported. B. review control balances and verify that the system is processing data accurately. C. review the impact of program changes made during the first phase on the remainder of the project. D. determine whether the system's objectives were achieved.

C is the correct answer. Justification A. While all choices are valid, the post-implementation focus and primary objective should be understanding the impact of the problems in the first phase on the remainder of the project. B. The review should assess whether the control is working correctly but should focus on the problems that led to project overruns in budget and time. C. Because management is aware that the project had problems, reviewing the subsequent impact will provide insight into the types and potential causes of the project issues. This will help to identify whether IT has adequately planned for those issues in subsequent projects. D. Ensuring that the system works is a primary objective for the IS auditor, but in this case because the project planning was a failure, the IS auditor should focus on the reasons for, and impact of, the failure.

An IS auditor is reviewing a project risk assessment and notices that the overall residual risk level is high due to confidentiality requirements. Which of the following types of risk is normally high due to the number of unauthorized users the project may affect? A. Control risk B. Compliance risk C. Inherent risk D. Residual risk

C is the correct answer. Justification This can be high, but it is not due to internal controls not being identified, evaluated or tested, and is not due to the number of users or business areas affected. Compliance risk is the penalty applied to current and future earnings for nonconformance to laws and regulations and may not be impacted by the number of users and business areas affected. This is normally high due to the number of users and business areas that may be affected. Inherent risk is the risk level or exposure without considering the actions that management has taken or might take. This is the remaining risk after management has implemented a risk response and is not based on the number of users or business areas affected.

Which of the following sampling methods is the MOST appropriate for testing automated invoice authorization controls to ensure that exceptions are not made for specific users? Variable sampling Judgmental sampling Stratified random sampling Systematic sampling

C is the correct answer. Justification This is used for substantive testing to determine the monetary or volumetric impact of characteristics of a population. This is not the most appropriate in this case. In judgmental sampling, professionals place a bias on the sample (e.g., all sampling units over a certain value, all for a specific type of exception or all negatives). It should be noted that a judgmental sample is not statistically based, and results should not be extrapolated over the population because the sample is unlikely to be representative of the population. Stratification is the process of dividing a population into subpopulations with similar characteristics explicitly defined, so that each sampling unit can belong to only one stratum. This method of sampling ensures that all sampling units in each subgroup have a known, nonzero chance of selection. It is the most appropriate in this case. This involves selecting sampling units using a fixed interval between selections with the first interval having a random start. This is not the most appropriate in this case.

Which of the following is the BEST type of program for an organization to implement to aggregate, correlate and store different log and event files, and then produce weekly and monthly reports for IS auditors? A. A security information event management (SIEM) product B. An open-source correlation engine C. A log management tool D. An extract, transform, load (ETL) system

C. A log management tool Explanation: A log management tool is a product designed to aggregate events from many log files (with distinct formats and from different sources), store them and typically correlate them offline to produce many reports (e.g., exception reports showing different statistics including anomalies and suspicious activities), and to answer time-based queries (e.g., how many users have entered the system between 2 a.m. and 4 a.m. over the past three weeks?).

An IS auditor finds that client requests were processed multiple times when received from different independent departmental databases, which are synchronized weekly. What would be the BEST recommendation? A. increase the frequency for data replication between the different department systems to ensure timely updates. B. Centralize all request processing in one department to avoid parallel processing of the same request. C. Change the application architecture so that common data are held in just one shared database for all departments. D. implement reconciliation controls to detect duplicates before orders are processed in the systems.

C. Change the application architecture so that common data are held in just one shared database for all departments.

***By evaluating application development projects against the capability maturity model (CMM), an IS auditor should be able to verify that: A. reliable products are guaranteed. B. programmers' efficiency is improved. C. security requirements are designed. D. predictable software processes are followed.

D is the correct answer. Justification A. Although the likelihood of success should increase as the software processes mature toward the optimizing level, mature processes do not guarantee a reliable product. B. The capability maturity model does not evaluate technical processes such as programming efficiency. C. The capability maturity model does not evaluate security requirements or other application controls. D. By evaluating the organization's development projects against the capability maturity model, an IS auditor determines whether the development organization follows a stable, predictable software development process.

An IS auditor is reviewing the risk management process. Which of the following is the MOST important consideration during this review? A. Controls are implemented based on cost-benefit analysis. B. The risk management framework is based on global standards. C. The approval process for risk response is in place. D. IT risk is presented in business terms.

D is the correct answer. Justification A. Controls to mitigate risk must be implemented based on cost-benefit analysis; however, the cost-benefit analysis is effective only if risk is presented in business terms. B. A risk management framework based on global standards helps in ensuring completeness; however, organizations must adapt it to suit specific business requirements. C. Approvals for risk response come later in the process. D. For risk management to be effective, it is necessary to align IT risk with business objectives. This can be done by adopting acceptable terminology that is understood by all, and the best way to achieve this is to present IT risk in business terms.

***Which of the following BEST helps ensure that deviations from the project plan are identified? A. A project management framework B. A project management approach C. A project resource plan D. Project performance criteria

D is the correct answer. Justification A. Establishment of a project management framework identifies the scope and boundaries of managing projects and the consistent method to be applied when initiating a project but does not define the criteria used to measure project success. B. This defines guidelines for project management processes and deliverables but does not define the criteria used to measure project success. C. This defines the responsibilities, relationships, authorities and performance criteria of project team members but does not wholly define the criteria used to measure project success. D. To identify deviations from the project plan, project performance criteria must be established as a baseline. Successful completion of the project plan is indicative of project success.

An enterprise is developing a strategy to upgrade to a newer version of its database software. Which of the following tasks can an IS auditor perform without compromising the objectivity of the IS audit function? A. Advise on the adoption of application controls to the new database software. B. Provide future estimates of the licensing expenses to the project team. C. Recommend to the project manager how to improve the efficiency of the migration. D. Review the acceptance test case documentation before the tests are carried out.

D is the correct answer. Justification Independence can be compromised if the IS auditor advises on the adoption of specific application controls. Independence can be compromised if the IS auditor were to audit the estimate of future expenses used to support a business case for management approval of the project. Advising the project manager on how to increase the efficiency of the migration may compromise the IS auditor's independence. The review of the test cases will facilitate the objective of a successful migration and ensure that proper testing is conducted. An IS auditor can advise as to the completeness of the test cases.

Which of the following types of testing would determine whether a new or modifies system can operate in its target environment without adversely impacting other existing systems? A. Parallel testing B. Pilot testing C. Interface/integration testing D. Sociability testing

D. Sociability testing

An IS auditor reviewing digital rights management (DRM) applications should expect to find an extensive use for which of the following technologies? A. Digitalized signatures B. Hashing C. Parsing D. Steganography

D. Steganography

To determine which users can gain access to the privileged supervisory state, which of the following should an IS auditor review? A. System access log files B. Enabled access control software parameters C. Logs of access control violations D. System configuration files for control options used

D. System configuration files for control options used Explanation: A review of system configuration files for control options used would show which users have access to the privileged supervisory state. Both systems access log files and logs of access violations are detective in nature. Access control software is run under the operating system.

When introducing thin client architecture, which of the following types of risk regarding servers is significantly increased? A. Integrity B. Concurrency C. Confidentiality D. Availability

D. Availability

Which of the following controls would be MOST effective in ensuring that production source code and object code are synchronized? A. Release-to-release source and object comparison reports B. Library control software restricting changes to source code C. Restricted access to source code and object code D. Date and time-stamp reviews of source and object code

D. Date and time-stamp reviews of source and object code

Most important factor in quantitative risk analysis process is: A. Net Present Value (NPV) B. Earned Value Analysis (EVA) C. Decision Support System D. Expected Monetary Value (EMV)

D. Expected Monetary Value (EMV) NPV is used for calculating present value for future cash flow. EVA is used for monitoring the progress of the project. DDS helps in supporting the decision making by providing detailed analysis

What should an organization do before providing an external agency physical access to its information processing facilities (IPFs)? A. The processes of the external agency should be subjected to an IS audit by an independent agency. B. Employees of the external agency should be trained on the security procedures of the organization. C. Any access by an external agency should be limited to the demilitarized zone (DMZ). D. The organization should conduct a risk assessment and design and implement appropriate controls.

D. The organization should conduct a risk assessment and design and implement appropriate controls.

An example of a direct benefit to be derived from a proposed IT-related business investment is: A. enhanced reputation. B. enhanced staff morale. C. the use of new technology. D. increased market penetration

D. increased market penetration. Explanation: A comprehensive business case for any proposed IT-related business investment should have clearly defined business benefits to enable the expected return to be calculated. These benefits usually fall into two categories: direct and indirect, or soft. Direct benefits usually comprise the quantifiable financial benefits that the new system is expected to generate. The potential benefits of enhanced reputation and enhanced staff morale are difficult toquantify, but should be quantified to the extent possible. IT investments should not be made just for the sake of new technology but should be based on a quantifiable business need.

The MAJOR advantage of a component-based development approach is the: A. ability to manage an unrestricted variety of data types. B. provision for modeling complex relationships. C. capacity to meet the demands of a changing environment. D. support of multiple development environments.

D. support of multiple development environments. Explanation: Components written in one language can interact with components written in other languages or running on other machines, which can increase the speed of development. Software developers can then focus on business logic. The other choices are not the most significant advantages of a component-based development approach.

Which of the following is the best way to ensure that the service provider adheres to the security requirements of the organization? - To include an indemnity clause in the agreement with the service provider

Explanation: An indemnity clause is a contractual transfer of risk between two contractual parties, generally to prevent loss or compensate for a loss that may occur as a result of a specified event. Once the service provider signs the indemnity agreement, the provider will be liable for a penalty in the case of any violations of security requirements, which will make the service provider more conscious about their security arrangements.

The most important clause to be included in an SLA for the outsourcing of an IT support service is which of the following? Uptime guarantees

The most significant aspect of an SLA is the measurable compliance requirements, such as uptime agreements.