CISA Chapter 3 Practice

Object modules can be reused. (OOSD is a programming technique to make program code that can be reusable and maintainable. The object here refers to a small piece of the program that can be used individually or in combination with other objects. The other options here are not normally benefits of the object-oriented technique.)

A benefit of object-oriented development technique is which of the following? A. Object modules can be reused. B. The use of a prototype that can be frequently updated to address the ever-changing user or business requirements. C. Enhanced control compared to the traditional SDLC. D. There is no need for the developer to design the system.

Encapsulation (OOSD is a programming technique to make program code reusable and maintainable. An object is a small piece of code in a program. The system is developed via the use and combination of different objects. OOSD uses a technique known as encapsulation, in which objects interact with each other. Encapsulation provides enhanced security for data. The ability of two or more objects to interpret a message is termed polymorphism.)

A characteristic of the OOSD method that enables greater security over data is which of the following? A. Encapsulation B. Polymorphism C. Prototyping D. Modulation

verifying production of customer orders (Verification will ensure that produced products match the orders in the customer order system. B is wrong because logging can be used to detect inaccuracies but does not, in itself, guarantee accurate processing. C is wrong because hash totals will ensure accurate order transmission but not accurate central processing. D is wrong because production supervisory approval is a time-consuming, manual process that does not guarantee proper control.)

A company has implemented a new client-server enterprise resource planning system. Local branches transmit customer orders to a central manufacturing facility. Which of the following would BEST ensure that the orders are processed accurately, and the corresponding products are produced? A: verifying production of customer orders B: logging all customer orders in the ERP system C: using hash totals in the order transmitting process D: approving (production supervisor) orders prior to production

Whether key controls are in place to protect assets and information resources (The audit team must advocate the inclusion of the key controls and verify that the controls are in place before implementing the new process. B is wrong because the system must meet all customers' requirements, not just corporate customers. This is not the IS auditor's main concern. C is wrong because the system must meet performance requirements, but this is of secondary concern to ensuring that key controls are in place. D is wrong because separation of duties is a key control—but only one of the controls that should be in place to protect the organization's assets.)

A company undertakes a business process reengineering (BPR) project in support of a new and direct marketing approach to its customers. Which of the following would be an IS auditor's main concern about the new process? A. Whether key controls are in place to protect assets and information resources B. Whether the system addresses corporate customer requirements C. Whether the system can meet the performance goals (time and resources) D. Whether the new system will support separation of duties

Project responsibilities are not formally defined at the beginning of a project. (Errors or lack of attention in the initial phases of a project may cause costly errors and inefficiencies in later phases. Proper planning is required at the beginning of a project. A is wrong because users verify prototypes. B is wrong because user acceptance testing (UAT) is seldom completely successful. If errors are not critical, they may be corrected after implementation without seriously affecting usage. D is wrong because of the need for adequate program documentation. At the same time, a concern is less of a risk than the lack of assigned responsibilities during the initial stages of the project.)

A company's development team does not follow generally accepted system development life cycle (SDLC) practices. Which of the following is MOST likely to cause problems for software development projects? A. Functional verification of the prototypes is assigned to end users. B. The project is implemented while minor issues are open from user acceptance testing (UAT). C. Project responsibilities are not formally defined at the beginning of a project. D. Program documentation is inadequate.

make decisions based on data analysis and interactive models. (A DSS emphasizes flexibility in the management's decision-making approach through data analysis and the use of interactive models, not fixed criteria. A is wrong because a decision support system (DSS) is aimed at solving less structured problems. B is wrong because a DSS combines the use of models and analytic techniques with traditional data access and retrieval functions, but is not limited by predetermined criteria. D is wrong because a DSS supports semi structured decision-making tasks.)

A decision support system (DSS) is used to help high-level management: A. solve highly structured problems. B. combine the use of decision models with predetermined criteria. C. make decisions based on data analysis and interactive models. D. support only structured decision-making tasks.

Technical skills and knowledge within the organization related to sourcing and software development (Critical core competencies will most likely be carefully considered before outsourcing the planning phase of the application. B is wrong because privacy regulations would apply to both solutions. C is wrong because while individuals with knowledge of the legacy system are helpful, they may not have the technical skills to build a new system. Therefore, this is not the primary factor influencing the make vs. buy decision. D is wrong because unclear business requirements (functionalities) will similarly affect either development process but are not the primary factor influencing the make vs. buy decision.)

A large industrial organization is replacing an obsolete legacy system and evaluating whether to buy a custom solution or develop a system in-house. Which of the following will MOST likely influence the decision? A. Technical skills and knowledge within the organization related to sourcing and software development B. Privacy requirements as applied to the data processed by the application C. Whether the legacy system being replaced was developed in-house D. The users not devoting reasonable time to define the functionalities of the solution

Data owner (During the data conversion stage of a project, the data owner is primarily responsible for reviewing and signing off on the data being migrated completely and accurately and valid. An IS auditor is not responsible for reviewing and signing off on the accuracy of the converted data. A is wrong because an IS auditor should ensure a review and sign-off by the data owner during the data conversion stage of the project. B is wrong because a database administrator's primary responsibility is to maintain the integrity of the database and make the database available to users. A database administrator is not responsible for reviewing migrated data. C is wrong because a project manager provides day-to-day management and leadership of the project but is not responsible for the accuracy and integrity of the data.)

A legacy payroll application is migrated to a new application. Which of the following stakeholders should be PRIMARILY responsible for reviewing and signing-off on the accuracy and completeness of the data before going live? A. IS auditor B. Database administrator C. Project manager D. Data owner

A reduction in deployment time (In the prototyping approach, the system is developed through the trial-and-error method. A prototype is a preliminary version of a system to test a concept, process, or any assumptions about functionality, design, or internal logic. A prototype model helps to save a considerable amount of time and expenditure for the organization. One of the potential risks of the prototype approach is that the finished system may need more controls compared to the traditional system development approach. The prototype approach provides more emphasis on user requirements. In prototyping, frequent changes are made to the designs and requirements; hence, they are seldom documented or approved.)

A major benefit of using prototyping for system development is which of the following? A. More emphasis on system controls B. More emphasis on stringent change management processes C. A reduction in deployment time D. More emphasis on stringent approval processes

A lack of proper documentation due to time management. (A major limitation of the agile development approach is the lack of documentation. The other options here are not correct.)

A major limitation of the Agile software development methodology is which of the following? A. A limited budget may impact the quality of the system. B. The lack of a requirements gathering process. C. The lack of a review process to identify areas of improvement. D. A lack of proper documentation due to time management.

Inadequate documentation (The dictionary definition of agile is "able to move quickly and easily." In the Agile method, the programmer only spends a little bit of time on documentation. They are allowed to write their program straight away. Hence, inadequate documentation is considered one of the major risks of the Agile approach.)

A major risk in the Agile development process is which of the following? A. Inadequate documentation B. Inadequate testing C. Inadequate requirement gathering D. Inadequate user involvement

Not all functionality will be tested. (A primary risk of using production data in a test deck is that not all transactions or functionality may be tested if no data meets the requirement. B is wrong because the presence of production data in a test environment is not a concern if the sensitive elements have been scrubbed. C is wrong because creating a test deck from production data does not require specialized knowledge, so this is not a concern. D is wrong because the risk of a project running over budget is always a concern, but it is not related to using production data in a test environment.)

A project development team is considering using production data for its test deck. The team removed sensitive data elements from the bed before loading it into the test environment. Which of the following additional concerns should an IS auditor have with this practice? A. Not all functionality will be tested. B. Production data are introduced into the test environment. C. Specialized training is required. D. The project may run over budget.

what amount of progress against schedule has been achieved. (Project cost performance can't be properly assessed in isolation from scheduled performance. B is wrong because, when determining project budget, it is necessary to know the progress and expenditure levels expected. Project expenditure may be low because of fast progress. Once the project analysis against the schedule is complete, it is possible to reduce the budget. If the project is behind, there may be no spare budget, but extra expenditures are needed to retrieve slippage. Low expenditure represents a situation where a project is expected to miss deadlines rather than come in ahead of time. C is wrong because there may be better outcomes if the project is ahead of budget after adjusting for actual progress. Further analysis is needed to determine if there are spare funds. D is wrong because you cannot add to the scope if the project is behind schedule.)

A project manager for a project that is scheduled to take 18 months to complete announces that the project is in a healthy financial position because, after six months, only one-sixth of the budget has been spent. The IS auditor should FIRST determine: A. what amount of progress against schedule has been achieved. B. if the project budget can be reduced. C. if the project could be brought in ahead of schedule. D. if the budget savings can be applied to increase the project scope.

Reverse engineering (Reverse engineering is the process of detailed analysis and study of a system to develop a similar system. Software reengineering and business process reengineering are the processes of updating a system or enhancing the system functionality to make the system or processes better and more efficient.)

A technique to study and analyze an application or a system, and to use that information to develop a similar system, is known as which of the following? A. Business process reengineering B. Agile development C. Software reengineering D. Reverse engineering

predictable software processes are followed.

By evaluating application development projects against the capability maturity model (CMM), an IS auditor should be able to verify that: A. reliable products are guaranteed. B. programmers' efficiency is improved. C. security requirements are designed. D. predictable software processes are followed.

Trace a sample of modified programs to supporting change tickets.

An IS auditor is reviewing the change management process for an enterprise resource planning (ERP) application. Which of the following is the BEST method for testing program changes? A. Select a sample of change tickets and review them for authorization. B. Perform a walk-through by tracing a program change from start to finish. C. Trace a sample of modified programs to supporting change tickets. D. Use query software to analyze all change tickets for missing fields.

System (Given the extensiveness of the patch and its interfaces to external systems, system testing is most appropriate. System testing will test all the functionality and interfaces between modules. A is wrong because stress testing relates to capacity and availability and does not apply in these circumstances. B is wrong because black box testing would be performed on the individual modules, but the entire system should be tested because more than one module was changed. C is wrong because interface testing would test the interaction with external systems but would not validate the performance of the changed system.)

After discovering a security vulnerability in a third-party application that interfaces with several external systems, a patch is applied to a significant number of modules. Which of the following tests should an IS auditor recommend? A. Stress B. Black box C. Interface D. System

The replacement effort consists of several independent projects without integrating the resource allocation in a portfolio management approach. (Consolidated efforts should ensure alignment with overall strategy of the merger. If resource allocation is not centralized, separate projects are at risk of overestimating availability of key knowledge resources for in-house developed legacy applications. A is wrong because it is common in merger integration programs to form project management offices to ensure standardized and comparable information levels in planning and reporting structures and centralize project deliverables or resource dependencies. C is wrong because developing integrated systems can require legacy systems knowledge to understand business processes. D is wrong because mergers result in application changes and training needs as organizations and processes change to leverage intended synergy effects.)

After the merger of two organizations, multiple self-developed legacy applications from both organizations are to be replaced by a new common platform. Which of the following would be the GREATEST risk? A. Project management and progress reporting is combined in a project management office which is driven by external consultants. B. The replacement effort consists of several independent projects without integrating the resource allocation in a portfolio management approach. C. The resources of each of the organizations are inefficiently allocated while they are being familiarized with the other company's legacy systems. D. The new platform will force the business areas of both organizations to change their work processes, which will result in extensive training needs.

business unit management. (Business unit management assumes ownership of the project and the resulting system. It is responsible for acceptance testing and confirming that the required functions are available in the software. A is wrong because the project manager provides day-to-day management and leadership and ensures that project activities align with the overall direction. The project manager cannot sign off on project requirements; that would violate the separation of duties. B is wrong because systems development management provides technical support for hardware and software environments. D is wrong because the quality assurance (QA) team ensures the quality of the project by measuring adherence to the organization's system development life cycle (SDLC). They will conduct testing but not sign off on the project requirements.)

An IS auditor assesses the project management process for an internal software development project. In respect to the software functionality, the IS auditor should look for sign-off by: A. the project manager. B. systems development management. C. business unit management. D. the quality assurance (QA) team.

Consider the feasibility of a separate user acceptance environment. (A separate environment or environment is usually necessary for testing to be efficient and effective and to ensure the integrity of production code. The development and test code bases must be separate. When defects are identified, they can be fixed in the development environment without interrupting testing before being migrated in a controlled manner to the test environment. B is wrong because developers and testers must work effectively at separate times of the day if they share the same environment. C is wrong because using a source code control tool is a good practice, but it must properly mitigate the lack of an appropriate test environment. D is wrong because even low-priority fixes risk introducing unintended results when combined with the rest of the system code.)

An IS auditor finds that user acceptance testing of a new system is being repeatedly interrupted by defect fixes from the developers. Which of the following would be the BEST recommendation for an IS auditor to make? A. Consider the feasibility of a separate user acceptance environment. B. Schedule user testing to occur at a given time each day. C. Implement a source code version control tool. D. Only retest high-priority defects.

Project sponsors (The project sponsor is the project owner and, therefore, the most appropriate person to discuss whether the business requirements defined as part of the project objectives have been met. B is wrong because project managers organize and ensure that the project's direction aligns with the overall direction, complies with standards, and monitors project milestones. The sponsor is better positioned to determine whether requirements have been met and is most likely to be consulted by the IS auditor. C is wrong because end-user groups can be a valuable resource; however, the project sponsor has managerial authority, is involved in strategic planning, and is a better answer. D is wrong because although business analysts have detailed knowledge of business requirements, the project sponsor has a more accurate view of actual past project performance.)

An IS auditor has been asked to look at past projects to determine how future projects can better meet business requirements. With which of the following would the auditors MOST likely consult? A. Project sponsors B. Project managers C. End-user groups D. Business analysts

stress the importance of spending time at this point in the project to consider and document risk and to develop contingency plans. (Most project risks can be identified before a project begins, allowing mitigation/avoidance plans to be implemented to deal with this risk. A project should have a clear link to corporate strategy, enterprise risk management, and tactical plans to support this strategy. The process of setting corporate strategy, setting objectives, and developing tactical plans should include the consideration of risk. B is wrong because the project manager cannot accept responsibility for risk acceptance. C is wrong because appointing a risk manager is a good practice, but waiting until the project has been impacted by risk is misguided. D is wrong because IS auditors cannot provide risk review without impairing their independence.)

An IS auditor invited to a project development meeting notes that no project risk has been documented. When the IS auditor raises this issue, the project manager responds that it is too early to identify risk and that, if risk starts impacting the project, a risk manager will be hired. The appropriate response of the IS auditor would be to: A. stress the importance of spending time at this point in the project to consider and document risk and to develop contingency plans. B. accept the project manager's position because the project manager is accountable for the outcome of the project. C. offer to work with the risk manager when one is appointed. D. inform the project manager that the IS auditor will conduct a review of the risk at the completion of the requirements definition phase of the project.

That test plans and procedures exist and are closely followed (The most important control for ensuring system availability is to implement a sound test plan and procedures that are followed consistently. A is wrong because changes are usually required to be signed off by a business analyst, member of the change control board, or other authorized representative, not necessarily by IT management. B is wrong because UAT is important but not a critical element of change control and would not usually address the topic of availability as asked in the question. D is wrong because while capacity planning should be considered in each development project, it will not ensure system availability, nor is it part of the change control process.)

An IS auditor is evaluating the effectiveness of the organization's change management process. What is the MOST important control that the IS auditor should look for to ensure system availability? A. That changes are authorized by IT managers at all times B. That user acceptance testing (UAT) is performed and properly documented C. That test plans and procedures exist and are closely followed D. That capacity planning is performed as part of each development project

The implementation phase of the project has no backout plan.

An IS auditor is reviewing a project for the implementation of a mission-critical system and notes that, instead of parallel implementation, the team opted for an immediate cutover to the new system. Which of the following is the GREATEST concern? A. The implementation phase of the project has no backout plan. B. User acceptance testing (UAT) was not properly documented. C. Software functionality tests were completed, but stress testing was not performed. D. The go-live date is over a holiday weekend when key IT staff are on vacation.

Postiteration reviews that identify lessons learned for future use in the project (A key tenet of the agile approach to software project management is an ongoing team learning to refine project management and software development processes as the project progresses. One of the best ways to achieve this is for the team to consider and document what worked well and what could have worked better at the end of each iteration and identify improvements to be implemented in subsequent iterations. A is wrong because the CMM places heavy emphasis on predefined formal processes and formal project management and software development deliverables. B is wrong because daily meetings identify challenges and impediments to the project. C is wrong because agile projects use suitable development tools but is not the primary means of achieving productivity.)

An IS auditor is reviewing a project that is using an agile software development approach. Which of the following should the IS auditor expect to find? A. Use of a capability maturity model (CMM) B. Regular monitoring of task-level progress against schedule C. Extensive use of software development tools to maximize team productivity D. Postiteration reviews that identify lessons learned for future use in the project

Senior IS and business management must approve use before production data can be utilized for testing. (There is risk associated with the use of production data for testing. This includes compromising customer or employee confidentiality and corrupting data production. In other cases, using production data would provide insights that are difficult or impossible to get from manufactured test data. B is wrong because copying production data should only be done with management approval. Management must accept the risk of using production data for testing. C is wrong because creating a complete test data set is only sometimes possible due to the required volume. D is wrong because production data could only be used with management's permission. Then, it can be appropriate to use confidentiality agreements.)

An IS auditor is reviewing an enterprise's system development testing policy. Which of the following statements concerning use of production data for testing would the IS auditor consider to be MOST appropriate? A. Senior IS and business management must approve use before production data can be utilized for testing. B. Production data can be used if they are copied to a secure test environment. C. Production data can never be used. All test data must be developed and based on documented test cases. D. Production data can be used provided that confidentiality agreements are in place.

Program output testing (A user can test program output by checking the program input and comparing it with the system output. Although usually done by the programmer, this task can also be done effectively by the user. B is wrong because system configuration is usually too technical for a user to accomplish, which could create security issues. This could introduce a segregation of duties issue. C is wrong because program logic specification is a very technical task normally performed by a programmer. This could introduce a segregation of duties issue. D is wrong because performance tuning also requires high levels of technical skill and will not be effectively accomplished by a user. This could introduce a segregation of duties issue.)

An IS auditor is reviewing the software development process for an organization. Which of the following functions would be appropriate for the end users to perform? A. Program output testing B. System configuration C. Program logic specification D. Performance tuning

investigate further to determine whether the project plan may not be accurate. (While completion dates are essential, there may be issues with the project plan if an extraordinary amount of unplanned overtime is required to meet those dates. The project plan is usually based on a certain number of hours, and requiring programmers to work overtime possibly is not a good practice. A is wrong because although the project is on time and budget, there may be problems with the project plan and potential unplanned overtime has been required. B is wrong because there is a possibility that the project manager has hidden some costs to make the project look better. C is wrong because the programmers may be trying to exploit the time system. Still, if overtime has been required to keep the project on track, the timelines and expectations of the project are likely unrealistic.)

An IS auditor performing a review of a major software development project finds that it is on schedule and under budget even though the software developers have worked considerable amounts of unplanned overtime. The IS auditor should: A. conclude that the project is progressing as planned because dates are being met. B. question the project manager further to identify whether overtime costs are being tracked accurately. C. conclude that the programmers are intentionally working slowly to earn extra overtime pay. D. investigate further to determine whether the project plan may not be accurate.

products are compatible with the current or planned OS (If the OS is currently being used, it is compatible with the existing hardware platform; if it were incompatible, it would not operate properly. The planned OS updates should be scheduled to minimize negative impacts on the organization, but this is not an issue when acquiring new software. The installed OS should have the most recent versions and updates (with sufficient history and stability). Because this is installed, it is not considered when acquiring a new application. In reviewing the proposed application, the auditor should ensure that the products to be purchased are compatible with the current or planned OS.)

An IS auditor reviewing a proposed application software acquisition should ensure that the: A: operating system (OS) being used is compatible with the existing hardware platform B: planned OS updates have been scheduled to minimize negative impacts on company needs C: OS has the latest versions and updates D: products are compatible with the current or planned OS

the organizational impact of the project has not been assessed. (The feasibility study determines the strategic benefits of the project. Therefore, the feasibility study's result determines the organizational impact—a comparison report of costs, benefits, risks, etc. The project portfolio is a part of measuring the organizational strategy. A is wrong because while projects must be assigned a priority and managed as a portfolio, this most likely occurs after the feasibility study determines that the project is viable. C is wrong because those with the knowledge to decide ordinarily conduct a feasibility study due to the involvement of the entire IT organization is not needed. D is wrong because while an IT project such as constructing a data center may require an environmental impact study, this occurs after the impact on the organization is determined.)

An IS auditor reviewing the IT project management process is reviewing a feasibility study for a critical project to build a new data center. The IS auditor is MOST concerned about the fact that: A. it has not been determined how the project fits into the overall project portfolio. B. the organizational impact of the project has not been assessed. C. not all IT stakeholders have been given an opportunity to provide input. D. the environmental impact of the data center has not been considered.

Management review of user activities (If an individual requires roles with conflicting segregation of duties, the best control given the circumstances is to monitor that individual's access to the production environment. Although this is not the preferred method of resolving segregation of duties conflicts, it is the best-compensating control given the current business circumstances. A and B are wrong because the segregation of duties cannot be eliminated, and secondary controls in the form of management reviews can be applied. D is wrong because periodic independent reviews, such as an audit, while useful, would not serve as adequate control in this situation.)

An IS auditor who is auditing an application determines that, due to resource constraints, one user holds roles as both a developer and a release coordinator. Which of the following options would the IS auditor MOST likely recommend? A. Revoke the user's developer access. B. Revoke the user's release coordinator access. C. Management review of user activities D. Periodic audit of user activities

unauthorized access to sensitive data may result. (Unless the data is sanitized, disclosing sensitive data is a risk. A is wrong because production data is easier for users to use for comparison purposes. C is wrong because there is a risk that former production data may not test all error routines; however, this is not as serious as the risk of release of sensitive data. D is wrong because using a copy of production data may not test all functionality, but this is not as serious as the risk of disclosure of sensitive data.)

An IS auditor's PRIMARY concern when application developers wish to use a copy of yesterday's production transaction file for volume tests is that: A. users may prefer to use contrived data for testing. B. unauthorized access to sensitive data may result. C. error handling and credibility checks may not be fully proven. D. the full functionality of the new process may not necessarily be tested.

Review the acceptance test case documentation before the tests are carried out. (The review of the test cases will facilitate the objective of successful migration and ensure that proper testing is conducted. An IS auditor can advise as to the completeness of the test cases. A is wrong because independence could be compromised if the IS auditor advises on adopting specific application controls. B is wrong because independence could be compromised if the IS auditor were to audit the estimate of future expenses used to support a business case for project management approval. C is wrong because advising the project manager on increasing the migration's efficiency may compromise the IS auditor's independence.)

An enterprise is developing a strategy to upgrade to a newer version of its database software. Which of the following tasks can an IS auditor perform without compromising the objectivity of the IS audit function? A. Advise on the adoption of application controls to the new database software. B. Provide future estimates of the licensing expenses to the project team. C. Recommend to the project manager how to improve the efficiency of the migration. D. Review the acceptance test case documentation before the tests are carried out.

Implement an online polling tool to monitor the application and record outages. (Implementing an online polling tool to monitor and record application outages is the best option for an organization to monitor application availability. Comparing internal reports with vendor's SLA reports would ensure that the vendor monitors the SLA accurately and that all conflicts resolve appropriately. A is wrong because weekly availability reports are helpful but only represent vendor's perspective. While monitoring these reports, the organization can raise concerns about inaccuracy. C is wrong because logging outage times are helpful but only gives an accurate picture of some outages and some may go unreported, especially if they are intermittent. D is wrong because contracting a third party to implement availability monitoring is not cost-effective and shifts from monitoring SaaS vendors to third parties.)

An organization has implemented an online customer help desk application using a Software as a Service (SaaS) operating model. An IS auditor is asked to recommend the best control to monitor the service level agreement (SLA) with the SaaS vendor as it relates to availability. What is the BEST recommendation that the IS auditor can provide? A. Ask the SaaS vendor to provide a weekly report on application uptime. B. Implement an online polling tool to monitor the application and record outages. C. Log all application outages reported by users and aggregate the outage time weekly. D. Contract an independent third party to provide weekly reports on application uptime.

Review the data flow diagram. (The review of user access would be important; however, regarding data integrity, reviewing the data flow diagram would be better. The lack of an adequate change control process could impact the integrity of the data; however, the system should be documented first to determine whether the transactions flow to other systems. This would help to ensure data integrity; however, it is more important to understand the application's data flows to ensure that the reconciliation controls are located in the correct place. The IS auditor should review the application data flow diagram to understand the data flow within the application and to other systems. This will enable the IS auditor to evaluate the design and effectiveness of the data integrity controls.)

An organization implemented a distributed accounting system, and the IS auditor is conducting a postimplementation review to provide assurance of the data integrity controls. Which of the following choices should the auditor perform FIRST? A .Review user access. B. Evaluate the change request process. C. Evaluate the reconciliation controls. D. Review the data flow diagram.

Direct cutover (Direct cutover implies switching to the new system immediately, usually without the ability to revert to the old system in case of problems. This is the riskiest approach and may significantly impact the organization. A is wrong because a pilot implementation is the implementation of the system at a single location or region and then a rollout of the system to the rest of the organization after the application and implementation plan have been proven to work correctly at the pilot location. B is wrong because a parallel test requires running both the old and new systems simultaneously for some time. This would highlight any problems or inconsistencies between the old and new systems. D is wrong because a phased approach is used to implement the system in phases or sections—this minimizes the overall risk by only affecting one area at a time.)

An organization is implementing a new system to replace a legacy system. Which of the following conversion practices creates the GREATEST risk? A. Pilot B. Parallel C. Direct cutover D. Phased

Faulty migration of historical data from the old system to the new system (The most significant risk after a payroll system conversion is loss of data integrity and inability to pay employees promptly and accurately or have records of past payments. As a result, maintaining data integrity and accuracy during migration is paramount. A is wrong because undocumented changes (leading to scope creep) are a risk, but the greatest risk is the loss of data integrity when migrating data from the old system to the new system. C is wrong because a lack of testing is always a risk; however, in this case, the new payroll system is a subsystem of an existing (and, therefore, probably well-tested) system. D is wrong because setting up the new system, including access permissions and payroll data, always presents some risk; however, the greatest risk is related to data migration from the old system to the new system.)

An organization is replacing a payroll program that it developed in-house, with the relevant subsystem of a commercial enterprise resource planning (ERP) system. Which of the following would represent the HIGHEST potential risk? A. Undocumented approval of some project changes B. Faulty migration of historical data from the old system to the new system C. Incomplete testing of the standard functionality of the ERP subsystem D. Duplication of existing payroll permissions on the new ERP subsystem

Postimplementation review (A postimplementation review aims to evaluate how successfully the project results match original goals, objectives, and deliverables. The postimplementation review also evaluates how effective the project management practices were in keeping the project on track. A is wrong because UAT verifies that the system functionality has been deemed acceptable by the system's end users; however, a review of UAT will not validate whether the system is performing as designed because UAT could be performed on a subset of system functionality. B is wrong because while a risk assessment would highlight the risk of the system, it would not include an analysis to verify that the system is operating as designed. D is wrong because management approval of the system could be based on reduced functionality and does not verify that the system is operating as designed.)

An organization recently deployed a customer relationship management (CRM) application that was developed in-house. Which of the following is the BEST option to ensure that the application operates as designed? A. User acceptance testing (UAT) B. Project risk assessment C. Postimplementation review D. Management approval of the system

Transactions are automatically numerically sequenced. Sequences are checked and gaps in continuity are accounted for. (Automatic numerical sequencing is the only option that accounts for completeness of transactions because a gap would identify any missing transactions. A is wrong because totaling transactions on the sales system does not address the transfer of data from the online systems to the accounting system; instead, it considers only the sales system. C is wrong because checking for duplicates is a valid control; however, it does not address whether the sales transactions processed are complete (ensuring that all transactions are recorded). D is wrong because a date/time stamp does not help account for missing or incomplete transactions by the accounting and delivery department.)

An organization sells books and music online at its secure web site. Transactions are transferred to the accounting and delivery systems every hour to be processed. Which of the following controls BEST ensures that sales processed on the secure web site are transferred to both the delivery and accounting systems? A. Transaction totals are recorded on a daily basis in the sales systems. Daily sales system totals are aggregated and totaled. B. Transactions are automatically numerically sequenced. Sequences are checked and gaps in continuity are accounted for. C. Processing systems check for duplicated transaction numbers. If a transaction number is duplicated (already present), it is rejected. D. System time is synchronized hourly using a centralized time server. All transactions have a date/time stamp.

recommend that problem resolution be escalated. (When an IS auditor observes such conditions, it is best to fully apprise the auditee and suggest that further problem resolutions be attempted, including escalation if necessary. A is wrong because recording it as a minor error and leaving it to the auditee's discretion would be inappropriate. Action should be taken before the application goes into production. B is wrong because the IS auditor is not authorized to resolve the error. D is wrong because neglecting the error would indicate that the IS auditor has not taken steps to probe the issue further to its logical end.)

At the end of the testing phase of software development, an IS auditor observes that an intermittent software error has not been corrected. No action has been taken to resolve the error. The IS auditor should: A. report the error as a finding and leave further exploration to the auditee's discretion. B. attempt to resolve the error. C. recommend that problem resolution be escalated. D. ignore the error because it is not possible to get objective evidence for the software error.

Return on investment (ROI) analysis (Following implementation, a cost-benefit analysis or ROI should be re-performed to verify that the original business case benefits are delivered. A is wrong because UAT should be performed before the implementation (perhaps during the development phase), not after the implementation. C is wrong because the audit trail should be activated during the implementation of the application. D is wrong because while updating the EA diagrams is a best practice, it would not normally be part of a postimplementation review.)

During a postimplementation review, which of the following activities should be performed? A. User acceptance testing (UAT) B. Return on investment (ROI) analysis C. Activation of audit trails D. Updates of the state of enterprise architecture (EA) diagrams

improper acceptance of a program. (The major risk of combining quality assurance testing and user acceptance testing is that the users may apply pressure to accept a program that meets their needs even though it does not meet quality assurance standards. A is wrong because the method of testing used will not affect the maintenance of the system. B is wrong because business representatives often lead quality assurance and user acceptance testing according to a defined test plan. The combination of these two tests will not affect documentation. D is wrong because the testing method should not affect the time lines for problem resolution.)

During the development of an application, quality assurance testing and user acceptance testing were combined. The MAJOR concern for an IS auditor reviewing the project is that there will be: A. increased maintenance. B. improper documentation of testing. C. improper acceptance of a program. D. delays in problem resolution.

Transaction logs (Transaction logs generate an audit trail by providing a detailed list of the input date, input time, user ID, terminal location, etc. There can be reduced research time in investigating exceptions because the review can be performed on the logs rather than the entire transaction file. It also helps to determine which transactions have been posted to an account. A is wrong because one-for-one checking is a control procedure in which an individual document agrees with a detailed listing of documents processed by the system. B is wrong because data file security controls prevent access by unauthorized users in their attempt to alter data files. D is wrong because file updating and maintenance authorization are control procedures to update the stored data and ensure the accuracy and security of stored data. It provides evidence regarding the individuals who update the stored data.)

During the review of data file change management controls, which of the following BEST helps to decrease the research time needed to investigate exceptions? A. One-for-one checking B. Data file security C. Transaction logs D. File updating and maintenance authorization

error reports. (Testing is crucial in determining that user requirements have been validated. The IS auditor should be involved in this phase, review error reports for their precision in recognizing erroneous data, and review the procedures for resolving errors. A is wrong because a conceptual design specification is a document prepared during the requirements definition phase. The system testing will be based on a test plan. B is wrong because a vendor contract is prepared during a software acquisition process and may be reviewed to ensure that all the deliverables in the contract have been delivered. D is wrong because program change requests would be reviewed normally during the postimplementation phase.)

During the system testing phase of an application development project the IS auditor should review the: A. conceptual design specifications. B. vendor contract. C. error reports. D. program change requests.

Integration testing

During which phase of software application testing should an organization perform the testing of architectural design? A. Acceptance testing B. System testing C. Integration testing D. Unit testing

management reviews and approves the changes after they have occurred. (Because management cannot always be available when a system failure occurs, it is acceptable for changes to be reviewed and approved within a reasonable period after they occur. B is wrong because although peer review provides some accountability, management should review and approve all changes, even if that review and approval must occur after the fact. C is wrong because documenting the event does not replace the need for a review and approval process. D is wrong because it is not a good control practice for management to ignore its responsibility by preapproving all emergency changes in advance without reviewing them. Unauthorized changes could then be made without management's knowledge.)

Emergency changes that bypass the normal change control process are MOST acceptable if: A. management reviews and approves the changes after they have occurred. B. the changes are reviewed by a peer at the time of the change. C. the changes are documented in the change control system by the operations department. D. management has preapproved all emergency changes.

a deployment plan based on sequenced phases. (When developing a large and complex IT infrastructure, a good practice is to use a phased approach to fit the entire system together. This will provide greater assurance of quality results. A is wrong because major deployment would pose a higher risk of implementation failure. B is wrong because prototyping may reduce development failure, but a large environment usually requires a phased approach. D is wrong because it is not usually feasible to simulate a large and complex IT infrastructure before deployment.)

From a risk management point of view, the BEST approach when implementing a large and complex IT infrastructure is: A .a major deployment after proof of concept. B. prototyping and a one-phase deployment. C. a deployment plan based on sequenced phases. D. to simulate the new infrastructure before deployment.

Frequent changes in requirements and design (In prototyping, there are frequent changes in the designs and requirements; hence, they are seldom documented or approved. Change control becomes more complicated with prototyped systems. Other options do not harm change control.)

In the prototyping method, change control can be impacted by which of the following? A. User participation B. Frequent changes in requirements and design C. The trial-and-error method D. Limited budgets

Transaction journal

Information for detecting unauthorized input from a user workstation would be BEST provided by the: A: Console log printout B: Transaction journal C: Automated suspense file listing D: User error report

review subsequent program change requests for the first phase.

Management observed that the initial phase of a multiphase implementation was behind schedule and over budget. Prior to commencing with the next phase, an IS auditor's PRIMARY suggestion for a postimplementation focus should be to: A. assess whether the planned cost benefits are being measured, analyzed and reported. B: review control balances and verify that the system is processing data accurately. C. review subsequent program change requests for the first phase. D. determine whether the system's objectives were achieved.

post-BPR process flowcharts. (An IS auditor's task is to identify and ensure that key controls have been incorporated into the reengineered process. A is wrong because an IS auditor must review the process as it is today, not as it was in the past. C is wrong because BPR project plans are a step within a BPR project. D is wrong because continuous improvement and monitoring plans are steps within a BPR project.)

Once an organization has finished the business process reengineering (BPR) of all its critical operations, an IS auditor would MOST likely focus on a review of: A. pre-BPR process flowcharts. B. post-BPR process flowcharts. C. BPR project plans. D. continuous improvement and monitoring plans.

A systematic review after the completion of each iteration to identify areas of improvement (As we are aware, the dictionary definition of agile is 'able to move quickly and easily.' The programmer only spends a little time on documentation in the Agile method. They are allowed to write their program straight away. The Agile approach aims to produce releasable software in short iterations without giving much importance to formal, paper-based deliverables. Once each iteration is completed, emphasis is placed on what went well and where there is scope for improvement in the following iterations. Agile is one of the most preferable approaches for programmers, saving them from a lot of planning, paperwork, and approvals.)

One of the important characteristics of the Agile approach is which of the following? A. A systematic review after the completion of each iteration to identify areas of improvement B. Systematic and detailed planning before writing a program C. The use of software development tools to improve productivity D. Detailed documentation

database commits and rollbacks. (Database commits to ensure the data are saved after the transaction is completed. Rollback ensures that the processing that has been partially completed as part of the transaction is reversed back and not saved if the entire transaction is not completed successfully. A is wrong because database integrity checks are important to ensure database consistency and accuracy. These include isolation, concurrency and durability controls, but the most important issue here is atomicity—the requirement for transactions to complete entirely and commit or roll back to the last known good point. B is wrong because validation checks will prevent the introduction of corrupt data but will not address system failure. C is wrong because input controls are important to protect the integrity of input data, but will not address system failure.)

Online banking transactions are being posted to the database when processing suddenly comes to a halt. The integrity of the transaction processing is BEST ensured by: A. database integrity checks. B. validation checks. C. input controls. D. database commits and rollbacks.

A reduction in the development time frame (The objective of RAD is the quick development of a system while reducing costs and ensuring quality. The major benefit of RAD is the reduction of the time required to develop a system. Other options are true for both RAD and the traditional SDLC.)

RAD has which of the following advantages over the traditional SDLC? A. User involvement in system development B. UAT C. A reduction in the development time frame D. Enhanced technical support

routing verification procedures. (The communication's interface stage requires routing verification procedures. A is wrong because electronic data interchange (EDI) or ANSI X12 is a standard that must be interpreted by an application for transactions to be processed and invoiced, paid, and sent, whether for merchandise or services. C is wrong because there is no point in sending and receiving EDI transactions if an internal system cannot process them. D is wrong because unpacking transactions and recording audit logs are important elements that help follow business rules and establish controls but are outside the communication's interface stage.)

Receiving an electronic data interchange (EDI) transaction and passing it through the communication's interface stage usually requires: A. translating and unbundling transactions. B. routing verification procedures. C. passing data to the appropriate application system. D. creating a point of receipt audit log.

Load testing (Load testing evaluates the performance of the software under normal and peak conditions. Because this application does not support normal numbers of concurrent users, the load testing must not have been adequate. B is wrong because stress testing determines the software's capacity to cope with an abnormal number of users or simultaneous operations. Because this question's number of concurrent users is within normal limits, the answer is load testing, not stress testing. C is wrong because recovery testing evaluates the ability of a system to recover after a failure. D is wrong because volume testing evaluates the impact of incremental volume of records (not users) on a system.)

Results of a postimplementation review indicate that only 75 percent of the users can log in to the application concurrently. Which of the following could have BEST discovered the identified weakness of the application? A. Load testing B. Stress testing C. Recovery testing D. Volume testing

support of multiple development environments. (Component-based development that relies on reusable modules can increase the speed of development. Software developers can then focus on business logic. A is wrong because the data types must be defined within each component, and it is not sure that any component can handle multiple data types. B is wrong because component-based development is no better than many other development methods for modeling complex relationships. C is wrong because component-based development is one of the methodologies that can be effective at meeting changing requirements, but this is not its primary benefit or purpose.)

The MAJOR advantage of a component-based development approach is the: A. ability to manage an unrestricted variety of data types. B. provision for modeling complex relationships. C. capacity to meet the demands of a changing environment. D. support of multiple development environments.

support of multiple development environments. (Component-based development that relies on reusable modules can increase the speed of development. Software developers can then focus on business logic. A is wrong because the data types must be defined within each component, and it is not sure that any component can handle multiple data types. B is wrong because component-based development is no better than many other development methods for modeling complex relationships. C is wrong because component-based development is one of the methodologies that can effectively meet changing requirements, but this is not its primary benefit or purpose.)

The MAJOR advantage of a component-based development approach is the: A. ability to manage an unrestricted variety of data types. B. provision for modeling complex relationships. C. capacity to meet the demands of a changing environment. D. support of multiple development environments.

project objectives have been met. (A project manager performs a postimplementation review to obtain feedback regarding the project deliverables and business needs and to determine whether the project has successfully met them. A is wrong because it is important to ensure that lessons learned during the project are not forgotten; however, it is more important to ascertain whether the project solved the problem it was designed to address. B is wrong because identifying future enhancements is not the primary objective of a postimplementation review. C is wrong because although it is important to review whether the project was completed on time and within budget, it is more important to determine whether it met the business needs.)

The PRIMARY purpose of a postimplementation review is to ascertain that: A. the lessons learned have been documented. B. future enhancements can be identified. C. the project has been delivered on time and budget. D. project objectives have been met.

The business case was not established. (Because there was no established business case, it is most likely that there was not a full evaluation of the business risk strategies for outsourcing the application development, and the appropriate information was not provided to senior management for formal approval. A is wrong because the lack of the right to audit clause presents a risk to the organization. C is wrong because if the provider holds the source code and is not provided to the organization, the lack of source code escrow presents a risk. D is wrong because the lack of change management procedures presents a risk to the organization, especially with the possibility of extraordinary charges for any required changes; however, the risk is not as consequential as the lack of a business case.)

The development of an application has been outsourced to an offshore vendor. Which of the following should be of GREATEST concern to an IS auditor? A. The right to audit clause was not included in the contract. B. The business case was not established. C. There was no source code escrow agreement. D. The contract does not cover change management procedures.

remote processing site prior to transmission of the data to the central processing site. (It is important that the data entered from a remote site is edited and validated prior to transmission to the central processing site. A and B are wrong because validating data prior to transmission is the most efficient method and saves the effort of transmitting or processing invalid data. However, due to the risk of introducing errors during transmission, it is also good practice to re-validate the data at the central processing site. C is wrong because to validate the data after it has been transmitted is not a valid control.)

The editing/validation of data entered at a remote site would be performed MOST effectively at the: A. central processing site after running the application system. B. central processing site during the running of the application system. C. remote processing site after transmission of the data to the central processing site. D. remote processing site prior to transmission of the data to the central processing site.

Significant time and cost savings (The system is developed through the trial-and-error method in the prototyping approach. A prototype is a preliminary version of a system to test a concept, process, or any assumptions about functionality, design, or internal logic. A prototype model helps to save a considerable amount of time and expenditure for the organization. One of the potential risks of the prototype approach is that the finished system may need more controls compared to the traditional system development approach. In prototyping, the design and requirements change too often and must be documented or approved.)

The major benefit of the prototype approach is which of the following? A. Significant time and cost savings B. A stringent approval process C. Strong change controls D. Proper documentation

RAD (The objective of RAD is the quick development of a system while reducing costs and ensuring quality. RAD relies on a prototype that can be frequently updated to address the ever-changing user or business requirements. The waterfall method is a traditional method that is comparatively costly and time-consuming. PERT and FPA are not the system development methodology. PERT is a system development evaluation tool while FPA is a software estimation method.)

The methodology for quick development at a reduced cost while ensuring high quality is which of the following? A. The Waterfall method B. PERT C. RAD D. FPA

user participation in defining the system's requirements was inadequate. (Lack of adequate user involvement, especially in the system's requirements phase, will usually result in a system that does not fully or adequately address the user's needs. Only users can define what their needs are and, therefore, what the system should accomplish. A is wrong because although changing user needs has an effect on the success or failure of many projects, the core problem is usually a lack of getting the initial requirements correct at the beginning of the project. B is wrong because projects may fail as users' needs increase; however, this can be mitigated through better change control procedures. C is wrong because hardware limitations rarely affect the usability of the project as long as the requirements were correctly documented at the beginning of the project.)

The most common reason for the failure of information systems to meet the needs of users is that: A. user needs are constantly changing. B. the growth of user requirements was forecast inaccurately. C. the hardware system limits the number of concurrent users. D. user participation in defining the system's requirements was inadequate.

Top-down testing (The top-down approach is the most effective testing method for the initial phase of prototyping. Top-down testing begins with the system's major functionality and moves to other functionality. In prototyping, more emphasis is given to major functionality such as screens and reports, thereby covering most of the proposed system's features quickly.)

The most effective testing method for the initial phase of prototyping is which of the following? A. Bottom-up testing B. Top-down testing C. Interface testing D. Unit testing

require that changes after that point be evaluated for cost-effectiveness. (Projects often have a tendency to expand, especially during the requirements definition phase. This expansion often grows to a point where the originally anticipated cost benefits are diminished because the project's cost has increased. When this occurs, it is recommended that the project be stopped or frozen to allow a review of all of the cost-benefits and the payback period. A is wrong because the stop point is intended to provide greater control over changes but not to prevent them. B is wrong because the stop point is used for project control, but not to create an artificial fixed point that requires the design of the project to cease. D is wrong because a stop point is used to control requirements, not systems design.)

The reason for establishing a stop or freezing point on the design of a new system is to: A. prevent further changes to a project in process. B. indicate the point at which the design is to be completed. C. require that changes after that point be evaluated for cost-effectiveness. D. provide the project management team with more control over the project design.

determines procedural accuracy or conditions of a program's specific logic paths. (White box testing assesses the effectiveness of software program logic. Specifically, test data determine procedural accuracy or conditions of a program's logic paths. A is wrong because verifying the program can operate successfully with other system parts is sociability testing. B is wrong because testing the program's functionality without knowledge of internal structures is black-box testing. D is wrong because controlled testing of programs in a semi-debugged environment, either heavily controlled step-by-step or via monitoring in virtual machines, is sandbox testing.)

The specific advantage of white box testing is that it: A. verifies a program can operate successfully with other parts of the system. B. ensures a program's functional operating effectiveness without regard to the internal program structure. C. determines procedural accuracy or conditions of a program's specific logic paths. D. examines a program's functionality by executing it in a tightly controlled or virtual environment with restricted access to the host system.

RAD (The objective of RAD is the quick development of a system while reducing cost and ensuring quality. RAD relies on a prototype, which can be frequently updated to address the ever-changing user or business requirements.)

The technique that relies on a prototype that can be frequently updated to address ever-changing user or business requirements is which of the following? A. Business process reengineering B. RAD C. Software reengineering D. Object-oriented system development

Well-defined requirements with no expected changes. (The waterfall method is the most commonly adopted approach for developing business applications. It works well when requirements are well-defined and do not undergo frequent changes. This model ensures that mistakes are identified in the early stages rather than during final acceptance testing. In the waterfall approach, UAT is done after the completion of each stage before moving on to the next stage.)

The waterfall life cycle approach is more suitable for which of the following? A. Well-defined requirements with no expected changes. B. Well-defined requirements in a context where the project is to be competed in a short time frame. C. Open requirements that are subject to frequent changes. D. Users do not want to spend much time on testing.

review controls built into the system to assure that they are operating as designed. (Because management is assuming that the implementation went well, the primary focus of the IS auditor is to test the controls built into the application to ensure that they are functioning as designed. A is wrong because the IS auditor should check whether user feedback has been provided, but this is not the most important area for audit. B is wrong because it is important to assess the effectiveness of the project; however, assuring that the production environment is adequately controlled after the implementation is of primary concern. D is wrong because reviewing change requests may be a good idea, but this is more important if the application is perceived to have a problem.)

Two months after a major application implementation, management, who assume that the project went well, requests that an IS auditor perform a review of the completed project. The IS auditor's PRIMARY focus should be to: A. determine user feedback on the system has been documented. B. assess whether the planned cost benefits are being measured, analyzed and reported. C. review controls built into the system to assure that they are operating as designed. D. review subsequent program change requests.

The organization should conduct a risk assessment and design and implement appropriate controls.

What should an organization do before providing an external agency physical access to its information processing facilities (IPFs)? A. The processes of the external agency should be subjected to an IS audit by an independent agency. B. Employees of the external agency should be trained on the security procedures of the organization. C. Any access by an external agency should be limited to the demilitarized zone (DMZ). D. The organization should conduct a risk assessment and design and implement appropriate controls.

a clear business case has been approved by management. (The first concern of an IS auditor should be to ensure that the proposal meets the needs of the business, and a clear business case should establish this. B is wrong because compliance with security standards is essential, but it is too early in the procurement process for this to be an IS auditor's first concern. C is wrong because having users involved in the implementation process is essential, but it is too early in the procurement process for this to be an IS auditor's first concern. D is wrong because meeting the users' needs is essential, and this should be included in the business case presented to management for approval.)

When auditing the proposed acquisition of a new computer system, an IS auditor should FIRST ensure that: A. a clear business case has been approved by management. B. corporate security standards will be met. C. users will be involved in the implementation plan. D. the new system will meet all required user functionality.

that have zero slack time. (A critical path's activity time is longer than any other path through the network. This path is critical because if everything goes as scheduled, its length gives the shortest possible completion time for the overall project. Activities on the critical path become candidates for crashing (i.e., for reduced time by paying a premium for early completion). Activities on the critical path have zero slack time; conversely, activities with zero slack time are on a critical path. A curve showing total project costs versus time can be obtained by relaxing activities on a critical path. A is wrong because attention should focus on the tasks within the critical path without slack time. C is wrong because the critical path is the longest duration of the activities but is not based on the longest time of any individual activity. D is wrong because a task on the critical path has no slack time.)

When identifying an earlier project completion time, which is to be obtained by paying a premium for early completion, the activities that should be selected are those: A. whose sum of activity time is the shortest. B. that have zero slack time. C. that give the longest possible completion time. D. whose sum of slack time is the shortest.

The first report of the mean time between failures (The mean time between failures first reported represents flaws in the software reported by users in the production environment. This information helps the IS auditor evaluate the quality of the developed and implemented software. A is wrong because the mean time between repetitive failures includes the inefficiency in fixing the first reported failures and reflects on the response or help desk teams in fixing the reported issues. B is wrong because the mean time repair reflects the response or help desk teams in addressing reported issues. D is wrong because the response time reflects the agility of the response team or the help desk team in addressing reported issues.)

Which of the following helps an IS auditor evaluate the quality of new software that is developed and implemented? A. The reporting of the mean time between failures over time B. The overall mean time to repair failures C. The first report of the mean time between failures D. The overall response time to correct failures

business requirements were met. (Established procedures for postimplementation review should primarily ensure that business requirements are met. A is wrong because vulnerability testing may be incorporated into the system development process; however, it is most important that business requirements are met. As stated in the question, the business requirements in this case included adequate security. B is wrong because formally closing the project is important, but the primary goal of meeting business requirements is most important. C is wrong because although meeting the designated project time line and budget is an important goal, the project's overall purpose is to fulfill a business need. Therefore, validating that the project met the business requirements is the most important task for the IS auditor.)

When performing a postimplementation review of a software development project for a highly secure application, it is MOST important to confirm that: A. vulnerability testing was performed. B. the project was formally closed. C. the project schedule and budget were met. D. business requirements were met.

systems sending and receiving data.

When two or more systems are integrated, the IS auditor must review input/output controls in the: A. systems receiving the output of other systems. B. systems sending output to other systems. C. systems sending and receiving data. D. interfaces between the two systems.

User acceptance testing (UAT) (UAT ensures that business process owners and IT stakeholders evaluate the outcome of the testing process to ensure that business requirements are met. A is wrong because a feasibility study describes the key alternative courses of action that will satisfy a project's business and functional requirements, including an evaluation of the technological and economic feasibility. A feasibility study is conducted at the commencement of the project. However, the final user acceptance testing (UAT) happens after the feasibility study and is of greater value. C is wrong because the postimplementation review occurs after the implementation. D is wrong because the implementation plan formally defines expectations, performance measurement, and effective recovery in case of implementation failure. It does not ensure that business requirements are met.)

Which of the following BEST ensures that business requirements are met prior to implementation? A. Feasibility study B. User acceptance testing (UAT) C. Postimplementation review D. Implementation plan

project performance criteria (To identify deviations from the project plan, project performance criteria must be established as a baseline. Successful completion of the project plan is indicative of project success. A is wrong because establishing a project management framework identifies the scope and boundaries of managing projects and the consistent method to be applied when initiating a project but does not define the criteria used to measure project success. B is wrong because a project management approach defines guidelines for project management processes and deliverables but does not define the criteria used to measure project success. C is wrong because a project resource plan defines project team members' responsibilities, relationships, authorities, and performance criteria but does not wholly define the criteria used to measure project success.)

Which of the following BEST helps ensure that deviations from the project plan are identified? A: a project management framework B: a project management approach C: a project resource plan D: project performance criteria

Parallel changeover (Parallel changeover involves running the old system, then running both the old and new systems in parallel, and finally entirely changing to the new system after gaining confidence in the new system's functionality. A is wrong because phased changeover involves the changeover from the old system to the new system in a phased manner. Therefore, at no time will the old system and the new system both be fully operational as one integrated system. B is wrong because in abrupt changeover, the new system is changed from the old system on a cutoff date and time, and the old system is discontinued after the changeover to the new system. Therefore, the old system is not available as a backup if problems occur when the new system is implemented. C is wrong because rollback procedures restore all systems to their previous working state; however, parallel changeover is the better strategy.)

Which of the following carries the LOWEST risk when managing failures while transitioning from legacy applications to new applications? A. Phased changeover B. Abrupt changeover C. Rollback procedure D. Parallel changeover

A sequence check (A sequence check involves increasing the order of numbering and would validate whether the vouchers are in sequence, thus preventing duplicate vouchers. A is wrong because a range check works over a range of numbers. Even if the same voucher number reappears, it will satisfy the range and, therefore, not be useful. B is wrong because transposition and substitution are used in encoding but will not help establish unique voucher numbers. D is wrong because a cyclic redundancy check (CRC) is used to check the completeness of data received over the network but is not useful in application code level validations.)

Which of the following controls helps prevent duplication of vouchers during data entry? A. A range check B. Transposition and substitution C. A sequence check D. A cyclic redundancy check (CRC)

the overall organizational environment (The overall organizational environment has the most significant impact on the success of applications systems implemented. This includes the alignment between IT and the business, the maturity of the development processes, and the use of change control and other project management tools. A is wrong because the prototyping application development technique reduces the time to deploy systems primarily by using faster development tools that allow a user to see a high-level view of the workings of the proposed system within a short period. B is wrong because compliance with applicable external requirements impacts the implementation success, but the impact is less significant than the impact of the overall organizational environment. D is wrong because the software reengineering technique updates an existing system by extracting and reusing design and program components.)

Which of the following has the MOST significant impact on the success of an application systems implementation? A: the prototyping application development methodology B: compliance with applicable external requirements C: the overall organizational environment D: the software reengineering technique

requirements should be tested in terms of importance and frequency of use

Which of the following would be the BEST approach to ensure that sufficient test coverage will be achieved for a project with a strict end date and a fixed time to perform testing? A: requirements should be tested in terms of importance and frequency of use B: test coverage should be restricted to functional requirements C: automated tests should be performed through the use of scripting D: the number of required tests should be reduced by retesting only defect fixes

Data representing conditions that are expected in actual processing (Selecting the right kind of data is key in testing a computer system. The data should not only include valid and invalid data but should be representative of actual processing; quality is more important than quantity. A is wrong because the quantity of data for each test case is not as important as having test cases that will address all operating conditions. C is wrong because having adequate test data is more important than completing the testing on schedule. D is wrong because it is unlikely that a random sample of actual data would cover all test conditions and reasonably represent actual data.)

Which of the following is MOST critical when creating data for testing the logic in a new or modified application system? A. A sufficient quantity of data for each test case B. Data representing conditions that are expected in actual processing C. Completing the test on schedule D. A random sample of actual data

Gantt charts (Gantt charts help identify activities completed early or late through comparison to a baseline. Progress of the entire project can be read from the Gantt chart to determine whether the project is behind, ahead of, or on schedule. A is wrong because critical path diagrams are used to determine the critical path for the project, representing the shortest possible time required to complete the project. B is wrong because program evaluation review technique (PERT) diagrams are a critical path method (CPM) technique in which three estimates (as opposed to one) of timelines required to complete activities are used to determine the critical path. C is wrong because function point analysis (FPA) is a technique used to determine the size of a development task based on the number of function points.)

Which of the following is MOST relevant to an IS auditor evaluating how the project manager has monitored the progress of the project? A. Critical path diagrams B. Program evaluation review technique (PERT) diagrams C. Function point analysis (FPA) D. Gantt charts

Prevents cost overruns and delivery delays (Timebox management, by its nature, sets specific time and cost boundaries. It effectively controls costs and delivery timelines by ensuring that each project segment is divided into small controllable time frames. A is wrong because timebox management is very suitable for prototyping and rapid application development (RAD). B is wrong because timebox management does not eliminate the need for a quality process. D is wrong because timebox management integrates system and user acceptance testing.)

Which of the following is a characteristic of timebox management? A. Not suitable for prototyping or rapid application development (RAD) B. Eliminates the need for a quality process C. Prevents cost overruns and delivery delays D. Separates system and user acceptance testing

Periodic testing does not require separate test processes. (An integrated test facility (ITF) creates a fictitious entity in the database to process test transactions simultaneously with live input. Its advantage is that periodic testing does not require separate test processes. Careful planning is necessary, and test data must be isolated from production data. A is wrong because the ITF tests a test transaction as if it were a real transaction and validates that transaction processing is done correctly. It is not related to reviewing the source of a transaction. C is wrong because an ITF validates the correct operation of a transaction in an application but does not ensure that a system is being operated correctly. D is wrong because the ITF is based on integrating test data into the normal process flow, so test data is still required.)

Which of the following is an advantage of an integrated test facility (ITF)? A. It uses actual master files or dummies and the IS auditor does not have to review the source of the transaction. B. Periodic testing does not require separate test processes. C. It validates application systems and ensures the correct operation of the system. D. The need to prepare test data is eliminated.

Prototype systems can provide significant time and cost savings. (Prototype systems can provide significant time and cost savings through better user interaction and the ability to adapt to changing requirements rapidly; however, they also have several disadvantages, including loss of overall security focus, project oversight, and implementation of a prototype that is not yet ready for production. A is wrong because prototyping often has poor internal controls because the focus is primarily on functionality, not security. C is wrong because change control becomes much more complicated with prototyping. D is wrong because prototyping often leads to functions or extras not originally intended to be added to the system.)

Which of the following is an advantage of prototyping? A. The finished system normally has strong internal controls. B. Prototype systems can provide significant time and cost savings. C. Change control is often less complicated with prototype systems. D. It ensures that functions or extras are not added to the intended system.

Paper (A paper test (sometimes called a desk check) is appropriate for testing a BCP. It is a walk-through of the entire BCP, or part of the BCP, involving major players in the BCP's execution who reason out what may happen in a particular disaster. A is wrong because a pilot test is used to implement a new process or technology and is inappropriate for a BCP. C is wrong because a unit test is used to test new software components and is not appropriate for a BCP. D is wrong because a system test is an integrated test used to test a new IT system but is inappropriate for a BCP.)

Which of the following is an appropriate test method to apply to a business continuity plan (BCP)? A. Pilot B. Paper C. Unit D. System

User acceptance testing (UAT) (User acceptance testing (UAT) is undertaken to provide confidence that a system or system component operates as intended, to provide a basis for evaluating the implementation of the requirements, or to demonstrate the effectiveness or efficiency of the system or component. If the testing results are good, then the users will likely adopt the system. A is wrong because regression test results do not assist with the user experience and are primarily concerned with new functionality or processes and whether those changes altered or broke previous functionality. C is wrong because sociability test results indicate how the application works with other components within the environment and do not indicate the user experience. D is wrong because parallel testing is performed when comparing two applications, which is needed but will not provide feedback on user satisfaction.)

Which of the following is the BEST indicator that a newly developed system will be used after it is in production? A. Regression testing B. User acceptance testing (UAT) C. Sociability testing D. Parallel testing

Adequate involvement of stakeholders

Which of the following is the MOST important critical success factor (CSF) of implementing a risk-based approach to the IT system life cycle? A. Adequate involvement of stakeholders B. Selection of a risk management framework C. Identification of risk mitigation strategies D. Understanding of the regulatory environment

Quality of the metadata (Quality of the metadata is the most important element in the design of a data warehouse. A data warehouse is a copy of transaction data structured for query and analysis. Metadata describes the data in the warehouse and aims to provide a table of contents for the stored information. B is wrong because a data warehouse is used for analysis and research, not for production operations, so the speed of transactions needs to be more relevant. C is wrong because data in a data warehouse is frequently received from many sources, and vast amounts of information may be received hourly or daily. D is wrong because although this is not a primary concern, data warehouses may contain sensitive information or can be used to research sensitive information, so the security of the data warehouse is important.)

Which of the following is the most important element in the design of a data warehouse? A. Quality of the metadata B. Speed of the transactions C. Volatility of the data D. Vulnerability of the system

Earned value analysis (EVA) (Earned value analysis (EVA) is an industry-standard method for measuring a project's progress at any given point in time, forecasting its completion date and final cost, and analyzing variances in the schedule and budget as the project proceeds. It compares the planned amount of work with what has actually been completed to determine if the cost, schedule, and work accomplished are progressing per the plan. EVA works most effectively if a well-formed work breakdown structure exists. A is wrong because function point analysis (FPA) is an indirect measure of software size and complexity and does not address the elements of time and budget. C is wrong because cost budgets do not address time. D is wrong because the program evaluation and review technique (PERT) aids in time and deliverables management but lacks projections for estimates at completion (EACs) and overall financial management.)

Which of the following should an IS auditor review to understand project progress in terms of time, budget and deliverables for early detection of possible overruns and for projecting estimates at completion (EACs)? A. Function point analysis (FPA) B. Earned value analysis (EVA) C. Cost budget D. Program evaluation and review technique (PERT)

The time and cost implications caused by the change (Any scope change might impact the duration and cost of the project; that is why an impact study is conducted, and the client is informed of the potential impact on the schedule and cost. B is wrong because a change in scope does not necessarily impact the risk that regression tests will fail. C is wrong because an impact study will not determine whether users will agree with a change in scope. D is wrong because conducting an impact study could identify a lack of resources, such as the project team lacking the skills necessary to make the change; however, this is only part of the impact on the overall timelines and cost to the project due to the change.)

Which of the following should be an IS auditor's PRIMARY concern after discovering that the scope of an IS project has changed and an impact study has not been performed? A. The time and cost implications caused by the change B. The risk that regression tests will fail C. Users not agreeing with the change D. The project team not having the skills to make the necessary change

the necessary communication protocols (The communications processes must be included because there may be significant cost implications if new hardware and software are involved, and risk implications if the technology is new to the organization. A is wrong because encryption algorithms are too detailed for this phase. They would only be outlined, and any cost or performance implications would be shown. B is wrong because internal control procedures are too detailed for this phase. They would only be outlined, and any cost or performance implications would be shown. D is wrong because third-party agreements are too detailed for this phase. They would only be outlined and any cost or performance implications shown.)

Which of the following should be included in a feasibility study for a project to implement an electronic data interchange process? A: the encryption algorithm format B: the detailed internal control procedures C: the necessary communication protocols D: the proposed trusted third party agreement

Beta testing (Beta testing follows alpha testing and involves real-world exposure with external user involvement. Beta testing is the last stage of testing and involves sending the product's beta version to independent beta test sites or offering it free to interested users. A is wrong because alpha testing is often performed only by users within the organization developing the software. Alpha testing generally involves a software version that does not contain all the features of the final product and maybe a simulated test. B is wrong because regression testing determines whether system changes have introduced new errors to existing functionality. D is wrong because white box testing is used to assess the effectiveness of program logic.)

Which of the following software testing methods provides the BEST feedback on how software will perform in the live environment? A. Alpha testing B. Regression testing C. Beta testing D. White box testing

Parallel run (Parallel runs are the safest—though the most expensive—approach because both the old and new systems are run, thus incurring what might appear to be double costs. A is wrong because direct cutover is actually quite risky because it does not provide for a "shake down period" nor does it provide an easy fallback option. B is wrong because a pilot study approach is performed incrementally, making rollback procedures difficult to execute. C is wrong because a phased approach is performed incrementally, making rollback procedures difficult to execute.)

Which of the following system and data conversion strategies provides the GREATEST redundancy? A. Direct cutover B. Pilot study C. Phased approach D. Parallel run

Mapping (This records the flow of designated transactions through logic paths within programs. This shows the trail of instructions executed during an application. This is the activity of recording specific tasks for future review. This identifies specific program logic that has not been tested and analyzes programs during execution to indicate whether program statements have been executed.)

Which of the following test techniques would the IS auditor use to identify specific program logic that has not been tested? A. A snapshot B. Tracing and tagging C. Logging D. Mapping

Hash totals (The use of hash totals is an effective method to detect errors in data processing reliably. A hash total would indicate an error in data integrity. A is wrong because automated controls such as programmed edit checks are preventive controls. B is wrong because automated controls, such as well-designed data entry screens, are preventive controls. C is wrong because enforcing segregation of duties primarily ensures that a single individual does not have the authority to create and approve a transaction; this is not considered a method to detect errors, but a method to help prevent errors.)

Which of the following would BEST help to detect errors in data processing? A. Programmed edit checks B. Well-designed data entry screens C. Segregation of duties D. Hash totals

File header record (A file header record provides assurance that proper data files are being used and allows for automatic checking. B is wrong because although version usage provides assurance that the correct file and version are being used, it only allows for automatic checking. C is wrong because parity checking is a data integrity validation method typically used by a data transfer program. While parity checking may help to ensure that data and program files are transferred successfully, more is needed to ensure that the proper data or program files are being used. D is wrong because file security controls cannot be used to provide assurance that proper data files are being used and cannot allow automatic checking.)

Which one of the following could be used to provide automated assurance that proper data files are being used during processing? A. File header record B. Version usage C. Parity checking D. File security controls

User management (User management assumes ownership of project and resulting system, allocates qualified representatives to team, and actively participates in system requirements definition, acceptance testing, and user training. They should review and approve system deliverables as they are defined, accomplished, or implemented. The project steering committee provides overall direction, ensures appropriate representation of stakeholders in project outcome, reviews project progress regularly, and holds emergency meetings. They are responsible for deliverables, project costs, and schedules. Senior management demonstrates commitment to project and approves necessary resources to complete project. QA staff review results and deliverables and confirm compliance with standards. Review timings depend on SDLC, impact of potential deviation methodology used, structure and magnitude of system, and impact of likely deviation.)

Who should review and approve system deliverables as they are defined and accomplished to ensure the successful completion and implementation of a new business system application? A. User management B. Project steering committee C. Senior management D. Quality assurance staff