CISA Domain 3 Missed Questions
Which of the following is the most important element in the design of a data warehouse?
A. Quality of the metadata
B. Speed of the transactions
C. Volatility of the data
D. Vulnerability of the system
A is the correct answer.
Justification:
A. This is the most important element in the design of a data warehouse. A data warehouse is a copy of transaction data specifically structured for query and analysis. Metadata describes the data in the warehouse and aims to provide a table of contents to the stored information. Companies that have built warehouses believe that metadata are the most important component of the warehouse.
B. A data warehouse is used for analysis and research, not for production operations, so the speed of transactions is not relevant.
C. Data in a data warehouse is frequently received from many sources and vast amounts of information may be received on an hourly or daily basis. Except to ensure adequate storage capability, this is not a primary concern of the designer.
D. Data warehouses may contain sensitive information, or can be used to research sensitive information, so the security of the data warehouse is important. However, this is not the primary concern of the designer.
Once an organization has finished the business process reengineering (BPR) of all its critical operations, an IS auditor would MOST likely focus on a review of:
A. pre-BPR process flowcharts.
B. post-BPR process flowcharts.
C. BPR project plans.
D. continuous improvement and monitoring plans.
B is the correct answer.
Justification:
A. An IS auditor must review the process as it is today, not as it was in the past.
B. An IS auditor's task is to identify and ensure that key controls have been incorporated into the reengineered process.
C. Business process reengineering (BPR) project plans are a step within a BPR project.
D. These are steps within a BPR project.
Which of the following should an IS auditor review to understand project progress in terms of time, budget and deliverables for early detection of possible overruns and for projecting estimates at completion?
A. Function point analysis
B. Earned value analysis
C. Cost budget
D. Program evaluation and review technique
B is the correct answer.
Justification:
A. This is an indirect measure of software size and complexity and, therefore, does not address the elements of time and budget.
B. This is an industry standard method for measuring a project's progress at any given point in time, forecasting its completion date and final cost, and analyzing variances in the schedule and budget as the project proceeds. It compares the planned amount of work with what has actually been completed to determine if the cost, schedule and work accomplished are progressing in accordance with the plan. EVA works most effectively if a well-formed work breakdown structure exists.
C. These do not address time.
D. This aids time and deliverables management but lacks projections for estimates at completion and overall financial management.
Which testing approach is MOST appropriate to ensure that internal application interface errors are identified as soon as possible?
A. Bottom-up testing
B. Sociability testing
C. Top-down testing
D. System testing
C is the correct answer.
Justification:
A. A bottom-up approach to testing begins with atomic units, such as programs and modules, and works upward until a complete system test has taken place.
B. This takes place at a later stage in the development process.
C. The top-down approach to testing ensures that interface errors are detected early and that testing of major functions is conducted early.
D. This takes place at a later stage in the development process.
An advantage in using a bottom-up vs. a top-down approach to software testing is that:
A. interface errors are detected earlier.
B. confidence in the system is achieved earlier.
C. errors in critical modules are detected earlier.
D. major functions and processing are tested earlier.
C is the correct answer.
Justification:
A. Interface errors will not be found until later in the testing process—as a result of integration or system testing.
B. Confidence in the system cannot be obtained until the testing is completed.
C. The bottom-up approach to software testing begins with the testing of atomic units, such as programs and modules, and works upward until a complete system testing has taken place. The advantage of using a bottom-up approach to software testing is the fact that errors in critical modules are found earlier.
D. Bottom-up testing tests individual components; major functions and processing will not be adequately tested until systems and integration testing is completed.
Which of the following BEST helps to prioritize project activities and determine the time line for a project?
A. A Gantt chart
B. Earned value analysis
C. Program evaluation review technique
D. Function point analysis
C is the correct answer.
Justification:
A. This is a simple project management tool and would help with the prioritization requirement, but it is not as effective as PERT.
B. This is a technique to track project cost versus project deliverables but does not assist in prioritizing tasks.
C. The PERT method works on the principle of obtaining project time lines based on project events for three likely scenarios—worst, best and normal. The timeline is calculated by a predefined formula and identifies the critical path, which identifies the key activities that must be prioritized.
D. This measures the complexity of input and output and does not help to prioritize project activities.
Which of the following has the MOST significant impact on the success of an application systems implementation?
A. The prototyping application development methodology
B. Compliance with applicable external requirements
C. The overall organizational environment
D. The software reengineering technique
C is the correct answer.
Justification:
A. This reduces the time to deploy systems primarily by using faster development tools that allow a user to see a high-level view of the workings of the proposed system within a short period of time. The use of any one development methodology will have a limited impact on the success of the project.
B. This has an impact on the implementation success, but the impact is not as significant as the impact of the overall organizational environment.
C. This has the most significant impact on the success of application systems implemented. This includes the alignment between IT and the business, the maturity of the development processes and the use of change control and other project management tools.
D. This is a process of updating an existing system by extracting and reusing design and program components. This is used to support major changes in the way an organization operates. Its impact on the success of the application systems that are implemented is small compared with the impact of the overall organizational environment.
Which of the following controls helps prevent duplication of vouchers during data entry?
A. A range check
B. Transposition and substitution
C. A sequence check
D. A cyclic redundancy check
C is the correct answer.
Justification:
A. This works over a range of numbers. Even if the same voucher number reappears, it will satisfy the range and, therefore, not be useful.
B. These are used in encoding but will not help in establishing unique voucher numbers.
C. This involves increasing the order of numbering and would validate whether the vouchers are in sequence and, thus, prevent duplicate vouchers.
D. This is used for completeness of data received over the network but is not useful in application code level validations.
By evaluating application development projects against the capability maturity model (CMM), an IS auditor should be able to verify that:
A. reliable products are guaranteed.
B. programmers' efficiency is improved.
C. security requirements are designed.
D. predictable software processes are followed.
D is the correct answer.
Justification:
A. Although the likelihood of success should increase as the software processes mature toward the optimizing level, mature processes do not guarantee a reliable product.
B. The capability maturity model does not evaluate technical processes such as programming efficiency.
C. The capability maturity model does not evaluate security requirements or other application controls.
D. By evaluating the organization's development projects against the capability maturity model, an IS auditor determines whether the development organization follows a stable, predictable software development process.
An advantage of using sanitized live transactions in test data is that:
A. all transaction types will be included.
B. every error condition is likely to be tested.
C. no special routines are required to assess the results.
D. test transactions are representative of live processing.
D is the correct answer.
Justification:
A. Sanitized production data may not contain all transaction types. The test data may need to be modified to ensure that all data types are represented.
B. Not all error types are sure to be tested because most production data will only contain certain types of errors.
C. The results can be tested using normal routines, but that is not a significant advantage of using sanitized live data.
D. Test data will be representative of live processing; however, it is important that all sensitive information in the live transaction file is sanitized to prevent improper data disclosure.
Which of the following should be developed during the requirements definition phase of a software development project to address aspects of software testing?
A. Test data covering critical applications
B. Detailed test plans
C. Quality assurance test specifications
D. User acceptance test specifications
D is the correct answer.
Justification:
A. Test data will usually be created during the system testing phase.
B. These are created during system testing.
C. These are set out later in the development process.
D. A key objective in any software development project is to ensure that the developed software will meet the business objectives and the requirements of the user. The users should be involved in the requirements definition phase of a development project and user acceptance test specifications should be developed during this phase.
An IS auditor is assigned to audit a software development project, which is more than 80 percent complete, but has already overrun time by 10 percent and costs by 25 percent. Which of the following actions should the IS auditor take?
A. Report that the organization does not have effective project management.
B. Recommend the project manager be changed.
C. Review the IT governance structure.
D. Review the business case and project management.
D is the correct answer.
Justification:
A. The organization may have effective project management practices and still be behind schedule or over budget.
B. There is no indication that the project manager should be changed without looking into the reasons for the overrun.
C. The organization may have sound IT governance and still be behind schedule or over budget.
D. Before making any recommendations, an IS auditor needs to understand the project and the factors that have contributed to bringing the project over budget and over schedule.
An organization implemented a distributed accounting system, and the IS auditor is conducting a post-implementation review to provide assurance of the data integrity controls. Which of the following choices should the auditor perform FIRST?
A. Review user access.
B. Evaluate the change request process.
C. Evaluate the reconciliation controls.
D. Review the data flow diagram.
D is the correct answer.
Justification:
A. The review of user access would be important; however, in terms of data integrity it would be better to review the data flow diagram.
B. The lack of an adequate change control process could impact the integrity of the data; however, the system should be documented first to determine whether the transactions flow to other systems.
C. This would help to ensure data integrity; however, it is more important to understand the data flows of the application to ensure that the reconciliation controls are located in the correct place.
D. The IS auditor should review the application data flow diagram to understand the flow of data within the application and to other systems. This will enable the IS auditor to evaluate the design and effectiveness of the data integrity controls.
A small company cannot segregate duties between its development processes and its change control function. What is the BEST way to ensure that the tested code that is moved into production is the same?
A. Release management software
B. Manual code comparison
C. Regression testing in preproduction
D. Management approval of changes
A is the correct answer.
Justification:
A. Automated release management software can prevent unauthorized changes by moving code into production without any manual intervention.
B. This can detect whether the wrong code has been moved into production; however, code comparison does not prevent the code from being migrated and is not as good a control as using release management software. In addition, manual code comparison is not always efficient and requires highly skilled personnel.
C. Regression testing ensures that changes do not break the current system functionality or unwittingly overwrite previous changes. Regression testing does not prevent untested code from moving into production.
D. Although management should approve every change to production, approvals do not prevent untested code from being migrated into the production environment.
An organization is migrating from a legacy system to an enterprise resource planning system. While reviewing the data migration activity, the MOST important concern for the IS auditor is to determine that there is a:
A. correlation of semantic characteristics of the data migrated between the two systems.
B. correlation of arithmetic characteristics of the data migrated between the two systems.
C. correlation of functional characteristics of the processes between the two systems.
D. relative efficiency of the processes between the two systems.
A is the correct answer.
Justification:
A. Due to the fact that the two systems could have a different data representation, including the database schema, the IS auditor's main concern should be to verify that the interpretation of the data (structure) is the same in the new system as it was in the old system.
B. Arithmetic characteristics represent aspects of data structure and internal definition in the database and, therefore, are less important than the semantic characteristics.
C. A review of the correlation of the functional characteristics between the two systems is not relevant to a data migration review.
D. A review of the relative efficiencies of the processes between the two systems is not relevant to a data migration review.
Functionality is a characteristic associated with evaluating the quality of software products throughout their life cycle, and is BEST described as the set of attributes that bear on the:
A. existence of a set of functions and their specified properties.
B. ability of the software to be transferred from one environment to another.
C. capability of software to maintain its level of performance under stated conditions.
D. relationship between the performance of the software and the amount of resources used.
A is the correct answer.
Justification:
A. Functionality is the set of attributes that bears on the existence of a set of functions and their specified properties. The functionality of a system represents the tasks, operations and purpose of the system in achieving its objective (i.e., supporting a business requirement).
B. This refers to portability.
C. This refers to reliability.
D. This refers to efficiency.
Which of the following is the BEST approach to ensure that sufficient test coverage will be achieved for a project with a strict end date and a fixed time to perform testing?
A. Requirements should be tested in terms of importance and frequency of use.
B. Test coverage should be restricted to functional requirements.
C. Automated tests should be performed through the use of scripting.
D. The number of required test runs should be reduced by retesting only defect fixes.
A is the correct answer.
Justification:
A. Maximize the usefulness of testing by concentrating on the most important aspects of the system and on the areas where defects represent the greatest risk to user acceptance. A further extension of this approach is to also consider the technical complexity of requirements, because complexity tends to increase the likelihood of defects.
B. The problem with testing only functional requirements is that nonfunctional requirement areas, such as usability and security, which are important to the overall quality of the system, are ignored.
C. Increasing the efficiency of testing by automating test execution is a good idea. However, by itself, this approach does not ensure the appropriate targeting of test coverage and so is not as effective an alternative.
D. Retesting only defect fixes has a considerable risk that it will not detect instances in which defect fixes may have caused the system to regress (i.e., introduced errors in parts of the system that were previously working correctly). For this reason, it is a good practice to undertake formal regression testing after defect fixes have been implemented.
During the review of a web-based software development project, an IS auditor realizes that coding standards are not enforced, and code reviews are rarely carried out. This will MOST likely increase the likelihood of a successful:
A. buffer overflow.
B. brute force attack.
C. distributed denial-of-service attack.
D. war dialing attack.
A is the correct answer.
Justification:
A. Poorly written code, especially in web-based applications, is often exploited by hackers using buffer overflow techniques.
B. This is used to crack passwords, but this is not related to coding standards.
C. This floods its target with numerous packets to prevent it from responding to legitimate requests. This is not related to coding standards.
D. This uses modem-scanning tools to hack private branch exchanges or other telecommunications services.
During a post-implementation review of an enterprise resource management system, an IS auditor would MOST likely:
A. review access control configuration.
B. evaluate interface testing.
C. review detailed design documentation.
D. evaluate system testing.
A is the correct answer.
Justification:
A. Reviewing access control configuration would be the first task performed to determine whether security has been appropriately mapped in the system. Because a post-implementation review is done after user acceptance testing and actual implementation, one would not engage in interface testing or detailed design documentation.
B. Evaluating interface testing would be part of the implementation process.
C. The issue of reviewing detailed design documentation is not generally relevant to an enterprise resource management system because these are usually vendor packages with user manuals. Further, because the system has been implemented, the IS auditor would only check the detailed design if there appeared to be a gap between design and functionality.
D. System testing should be performed before final user signoff. The IS auditor should not need to review the system tests post-implementation.
An IS auditor is reviewing the software development capabilities of an organization that has adopted the agile methodology. The IS auditor would be the MOST concerned if:
A. certain project iterations produce proof-of-concept deliverables and unfinished code.
B. application features and development processes are not extensively documented.
C. software development teams continually re-plan each step of their major projects.
D. project managers do not manage project resources, leaving that to project team members.
A is the correct answer.
Justification:
A. The agile software development methodology is an iterative process where each iteration or "sprint" produces functional code. If a development team was producing code for demonstration purposes, this would be an issue because the following iterations of the project build on the code developed in the prior sprint.
B. One focus of agile methodology is to rely more on team knowledge and produce functional code quickly. These characteristics would result in less extensive documentation or documentation embedded in the code itself.
C. After each iteration or "sprint," agile development teams re-plan the project so that unfinished tasks are performed, and resources can be reallocated as needed. The continual re-planning is a key component of agile development methodology.
D. The management of agile software development is different from conventional development approaches in that leaders act as facilitators and allow team members to determine how to manage their own resources to get each sprint completed. Because the team members are performing the work, they are in a good position to understand how much time/effort is required to complete a sprint.
When auditing the proposed acquisition of a new computer system, an IS auditor should FIRST ensure that:
A. a clear business case has been approved by management.
B. corporate security standards will be met.
C. users will be involved in the implementation plan.
D. the new system will meet all required user functionality.
A is the correct answer.
Justification:
A. The first concern of an IS auditor is to ensure that the proposal meets the needs of the business. This should be established by a clear business case.
B. Compliance with security standards is essential, but it is too early in the procurement process for this to be an IS auditor's first concern.
C. Having users involved in the implementation process is essential, but it is too early in the procurement process for this to be an IS auditor's first concern.
D. Meeting the needs of the users is essential, and this should be included in the business case presented to management for approval.
Results of a post-implementation review indicate that only 75 percent of the users can log in to the application concurrently. Which of the following could have BEST discovered the identified weakness of the application?
A. Load testing
B. Stress testing
C. Recovery testing
D. Volume testing
A is the correct answer.
Justification:
A. This evaluates the performance of the software under normal and peak conditions. Because this application is not supporting normal numbers of concurrent users, the load testing must not have been adequate.
B. This determines the capacity of the software to cope with an abnormal number of users or simultaneous operations. Because the number of concurrent users in this question is within normal limits, the answer is load testing, not stress testing.
C. This evaluates the ability of a system to recover after a failure.
D. This evaluates the impact of incremental volume of records (not users) on a system.
Who should review and approve system deliverables as they are defined and accomplished to ensure the successful completion and implementation of a new business system application?
A. User management
B. Project steering committee
C. Senior management
D. Quality assurance staff
A is the correct answer.
Justification:
A. This group assumes ownership of the project and resulting system, allocates qualified representatives to the team and actively participates in system requirements definition, acceptance testing and user training. User management should review and approve system deliverables as they are defined and accomplished, or implemented.
B. This group provides overall direction, ensures appropriate representation of the major stakeholders in the project's outcome, reviews project progress regularly and holds emergency meetings when required. A project steering committee is ultimately responsible for all deliverables, project costs and schedules.
C. This group demonstrates commitment to the project and approves the necessary resources to complete the project. This commitment from senior management helps ensure involvement by those who are needed to complete the project.
D. This group reviews results and deliverables within each phase, and at the end of each phase confirms compliance with standards and requirements. The timing of reviews depends on the system development life cycle methodology used, the structure and magnitude of the system and the impact of potential deviation.
A company has implemented a new client-server enterprise resource planning (ERP) system. Local branches transmit customer orders to a central manufacturing facility. Which of the following would BEST ensure that the orders are processed accurately, and the corresponding products are produced?
A. Verifying production of customer orders
B. Logging all customer orders in the ERP system
C. Using hash totals in the order transmitting process
D. Approving (production supervisor) orders prior to production
A is the correct answer.
Justification:
A. Verification of the products produced will ensure that the produced products match the orders in the order system.
B. Logging can be used to detect inaccuracies but does not, in itself, guarantee accurate processing.
C. Hash totals will ensure accurate order transmission, but not accurate processing centrally.
D. Production supervisory approval is a time-consuming, manual process that does not guarantee proper control.
During the requirements definition stage of a proposed enterprise resource planning system, the project sponsor requests that the procurement and accounts payable modules be linked. Which of the following test methods would be the BEST to perform?
A. Unit testing
B. Integration testing
C. Sociability testing
D. Quality assurance testing
B is the correct answer.
Justification:
A. This is a technique that is used to test program logic within a particular program or module and does not specifically address the linkage between software modules. Integration testing is the best answer.
B. This is a hardware or software test that evaluates the connection of two or more components that pass information from one area to another. The objective is to take unit-tested modules and build an integrated structure dictated by design.
C. This confirms that the new or modified system can operate in its target environment without adversely impacting existing systems and does not specifically address the linkage between software modules. Integration testing is the best answer.
D. This is primarily used to ensure that the logic of the application is correct and does not specifically address the linkage between software modules. Integration testing is the best answer.
An IS auditor is performing a post-implementation review of an organization's system and identifies output errors within an accounting application. The IS auditor determined this was caused by input errors. Which of the following controls should the IS auditor recommend to management?
A. Recalculations
B. Limit checks
C. Run-to-run totals
D. Reconciliations
B is the correct answer.
Justification:
A. A sample of transactions may be recalculated manually to ensure that processing is accomplishing the anticipated task. Recalculations are performed after the output phase.
B. Processing controls should be implemented as close as possible to the point of data entry. Limit checks are one type of input validation check that provides a preventive control to ensure that invalid data cannot be entered because values must fall within a predetermined limit.
C. These provide the ability to verify data values through the stages of application processing. Run-to-run total verification ensures that data read into the computer were accepted and then applied to the updating process. Run-to-run totals are performed after the output phase.
D. Reconciliation of file totals should be performed on a routine basis. Reconciliations may be performed through the use of a manually maintained account, a file control record or an independent control file. Reconciliations are performed after the output phase.
Which of the following would be the MOST cost-effective recommendation for reducing the number of defects encountered during software development projects?
A. Increase the time allocated for system testing.
B. Implement formal software inspections.
C. Increase the development staff.
D. Require the sign-off of all project deliverables.
B is the correct answer.
Justification:
A. Allowing more time for testing may discover more defects; however, little is revealed as to why the quality problems are occurring, and the cost of the extra testing and the cost of rectifying the defects found will be greater than if they had been discovered earlier in the development process.
B. Inspections of code and design are a proven software quality technique. An advantage of this approach is that defects are identified before they propagate through the development life cycle. This reduces the cost of correction because less rework is involved.
C. The ability of the development staff can have a bearing on the quality of what is produced; however, replacing staff can be expensive and disruptive, and the presence of a competent staff cannot guarantee quality in the absence of effective quality management processes.
D. Sign-off of deliverables may help detect defects if signatories are diligent about reviewing deliverable content; however, this is difficult to enforce and may occur too late in the process to be cost-effective. Deliverable reviews normally do not go down to the same level of detail as software inspections.
Which of the following will BEST ensure the successful offshore development of business applications?
A. Stringent contract management practices
B. Detailed and correctly applied specifications
C. Awareness of cultural and political differences
D. Post-implementation review
B is the correct answer.
Justification:
A. Contract management practices, although important, will not ensure successful development if the specifications are incorrect.
B. When dealing with offshore operations, it is essential that detailed specifications be created. Language differences and a lack of interaction between developers and physically remote end users could create gaps in communication in which assumptions and modifications may not be adequately communicated. Inaccurate specifications cannot easily be corrected.
C. Cultural and political differences, although important, should not affect the delivery of a good product.
D. This, although important, is too late in the process to ensure successful project delivery and is not as pivotal to the success of the project.
The MAIN purpose of a transaction audit trail is to:
A. reduce the use of storage media.
B. determine accountability and responsibility for processed transactions.
C. help an IS auditor trace transactions.
D. provide useful information for capacity planning.
B is the correct answer.
Justification:
A. Enabling audit trails increases the use of disk space.
B. Enabling audit trails aids in establishing the accountability and responsibility for processed transactions by tracing them through the information system.
C. A transaction log file would be used to trace transactions, but the primary purpose of an audit trail is to support accountability, not to support the work of the IS auditor.
D. The objective of capacity planning is the efficient and effective use of IT resources and requires information such as central processing unit utilization, bandwidth and the number of users.
During which of the following phases in system development would user acceptance test plans normally be prepared?
A. Feasibility study
B. Requirements definition
C. Implementation planning
D. Post-implementation review
B is the correct answer.
Justification:
A. It is too early for such detailed user involvement.
B. During requirements definition, the project team will be working with the users to define their precise objectives and functional needs. At this time, the users should be working with the team to consider and document how the system functionality can be tested to ensure that it meets their stated needs. An IS auditor should know at what point user testing should be planned to ensure that it is most effective and efficient.
C. The implementation planning phase is when the tests are conducted. It is too late in the process to develop the test plan.
D. User acceptance testing should be completed prior to implementation.
While evaluating the "out of scope" section specified in a project plan, an IS auditor should ascertain whether the section: effectively describes unofficial project objectives. effectively describes project boundaries. clearly states the project's "nice to have" objectives. provides the necessary flexibility to the project team.
B is the correct answer. Justification Out-of-scope items are not part of the project. There should be no unofficial project objectives. Reasonable objectives should be considered by the project leadership and either accepted (in scope) or rejected (out of scope). The purpose of the out-of-scope section is to make clear to readers what items are not considered project objectives so that all project stakeholders understand the project boundaries and what is in scope versus out of scope. This applies to all types of projects, including individual audits. Out-of-scope items are not part of the project, while nice-to-have items may be included in the project objectives. However, they may be the last priority on the list of all project objectives. Out-of-scope items are not part of the project; the project team's flexibility regarding project objectives should be managed through a robust change request process. This is particularly important to avoid scope creep.
The development of an application has been outsourced to an offshore vendor. Which of the following should be of GREATEST concern to an IS auditor? The right to audit clause was not included in the contract. The business case was not established. There was no source code escrow agreement. The contract does not cover change management procedures.
B is the correct answer. Justification The lack of the right to audit clause presents a risk to the organization; however, the risk is not as consequential as the lack of a business case. Because the business case was not established, it is likely that the business rationale, risk and risk mitigation strategies for outsourcing the application development were not fully evaluated and the appropriate information was not provided to senior management for formal approval. This situation presents the biggest risk to the organization. If the source code is held by the provider and not provided to the organization, the lack of source code escrow presents a risk to the organization; however, the risk is not as consequential as the lack of a business case. The lack of change management procedures presents a risk to the organization, especially with the possibility of extraordinary charges for any required changes; however, the risk is not as consequential as the lack of a business case.
An IS auditor finds that a system under development has 12 linked modules and each item of data can carry up to 10 definable attribute fields. The system handles several million transactions a year. Which of these techniques could an IS auditor use to estimate the size of the development effort? Program evaluation review technique Function point analysis Counting source lines of code White box testing
B is the correct answer. Justification This is a project management technique used in the planning and control of system projects. This is a technique used to determine the size of a development task based on the number of function points. Function points are factors such as inputs, outputs, inquiries and logical internal sites. The number of source lines of code gives a direct measure of program size, but it does not allow for the complexity that may be caused by having multiple, linked modules and a variety of inputs and outputs. This involves a detailed review of the behavior of program code. It is a quality assurance technique suited to simpler applications during the design and building stage of development.
A failure discovered in which of the following testing stages would have the GREATEST impact on the implementation of new application software? System testing Acceptance testing Integration testing Unit testing
B is the correct answer. Justification This is undertaken by the development team to determine if the combined units of software work together and that the software meets user requirements per specifications. A failure here would be expensive but easier to fix than a failure found later in the testing process. This is the final stage before the software is installed and is available for use. The greatest impact would occur if the software fails at the acceptance testing level because this could result in delays and cost overruns. This examines the units/modules as one integrated system and unit testing examines the individual units or components of the software. A failure here would be expensive and require re-work of the modules but would not be as expensive as a problem found just prior to implementation. System, integration and unit testing are all performed by the developers at various stages of development; the impact of failure is comparatively less for each than failure at the acceptance testing stage.
What is the BEST method to facilitate successful user testing and acceptance of a new enterprise resource planning payroll system that is replacing an existing legacy system? Multiple testing Parallel testing Integration testing Prototype testing
B is the correct answer. Justification This will not compare results from the old and new systems. This is the best method for testing data results and system behavior because it allows the users to compare results from both systems before decommissioning the legacy system. Parallel testing also results in better user adoption of the new system. This refers to how the system interacts with other systems, and it is not performed by end users. This is used during design and development to ensure that user input is received; however, this method is not used for acquired systems or during user acceptance testing.
An IS auditor is reviewing IT projects for a large company and wants to determine whether the IT projects undertaken in a given year are those which have been assigned the highest priority by the business and which will generate the greatest business value. Which of the following is MOST relevant? A capability maturity model (CMM) Portfolio management Configuration management Project management body of knowledge (PMBOK)
B is the correct answer. Justification This would not help determine the optimal portfolio of capital projects because it is a means of assessing the relative maturity of the IT processes within an organization: running from Level 0 (Incomplete—Processes are not implemented or fail to achieve their purpose) to Level 5 (Optimizing—Metrics are defined and measured, and continuous improvement techniques are in place). This is designed to assist in the definition, prioritization, approval and running of a set of projects within a given organization. These tools offer data capture, workflow and scenario planning functionality, which can help identify the optimum set of projects (from the full set of ideas) to take forward within a given budget. A configuration management database (which stores the configuration details for an organization's IT systems) is an important tool for IT service delivery and, in particular, change management. It may provide information that would influence the prioritization of projects but is not designed for that purpose. This is a methodology for the management and delivery of projects. It offers no specific guidance or assistance in optimizing a project portfolio.
When two or more systems are integrated, the IS auditor must review input/output controls in the: systems receiving the output of other systems. systems sending output to other systems. systems sending and receiving data. interfaces between the two systems.
C is the correct answer. Justification A responsible control is to protect downstream systems from contamination from an upstream system. This requires a system that sends data to review its output and the receiving system to review its input. Systems sending data to other systems should ensure that the data they send are correct, but that would not protect the receiving system from transmission errors. Both of the systems must be reviewed for input/output controls because the output for one system is the input for the other. The interfaces must be set up correctly and provide error controls, but good practice is to review the data before sending and after receipt.
Which of the following is the GREATEST risk to the effectiveness of application system controls? Removal of manual processing steps Inadequate procedure manuals Collusion between employees Unresolved regulatory compliance issues
C is the correct answer. Justification Automation should remove manual processing steps wherever possible. The only risk would be the removal of manual security controls without replacement with automated controls. The lack of documentation is a problem on many systems but not a serious risk in most cases. Collusion is an active attack where users collaborate to bypass controls such as separation of duties. Such breaches may be difficult to identify because even well-thought-out application controls may be circumvented. Unresolved regulatory compliance issues are a risk but do not measure the effectiveness of the controls.
The BEST time for an IS auditor to assess the control specifications of a new application software package which is being considered for acquisition is during: the internal lab testing phase. testing and prior to user acceptance. the requirements gathering process. the implementation phase.
C is the correct answer. Justification During testing, the IS auditor will ensure that the security requirements are met. This is not the time to assess the control specifications. The control specifications will drive the security requirements that are built into the contract and should be assessed before the product is acquired and tested. The best time for the involvement of an IS auditor is at the beginning of the requirements definition of the development or acquisition of applications software. This provides maximum opportunity for review of the vendors and their products. Early engagement of an IS auditor also minimizes the potential of a business commitment to a given solution that might be inadequate and more difficult to overcome as the process continues. During the implementation phase, the IS auditor may check whether the controls have been enabled; however, this is not the time to assess the control requirements.
When implementing an application software package, which of the following presents the GREATEST risk? Uncontrolled multiple software versions Source programs that are not synchronized with object code Incorrectly set parameters Programming errors
C is the correct answer. Justification Having multiple versions is a problem, but as long as the correct version is implemented, the most serious risk during implementation is to have the parameters for the program set incorrectly. Lack of synchronization between source and object code will be a serious risk for later maintenance of compiled programs, but this will not affect other types of programs and is not the most serious risk at the time of implementation. Parameters that are not set correctly would be the greatest concern when implementing an application software package. Incorrectly set parameters are an immediate problem that could lead to system breach, failure or noncompliance. This should be found during testing, not at the time of implementation.
The IS auditor is reviewing a recently completed conversion to a new enterprise resource planning system. In the final stage of the conversion process, the organization ran the old and new systems in parallel for 30 days before allowing the new system to run on its own. What is the MOST significant advantage to the organization by using this strategy? Significant cost savings over other testing approaches Assurance that new, faster hardware is compatible with the new system Assurance that the new system meets functional requirements Increased resiliency during the parallel processing time
C is the correct answer. Justification Parallel operation provides a high level of assurance that the new system functions properly compared to the old system. Parallel operation is generally expensive and does not provide a cost savings over most other testing approaches. In many cases, parallel operation is the most expensive form of system testing due to the need for dual data entry, dual sets of hardware, dual maintenance and dual backups—it is twice the amount of work as running a production system and, therefore, costs more time and money. Hardware compatibility should be determined and tested much earlier in the conversion project and is not an advantage of parallel operation. Compatibility is generally determined based on the application's published specifications and on system testing in a lab environment. Parallel operation is designed to test the application's effectiveness and integrity of application data, not hardware compatibility. In general, hardware compatibility relates more to the operating system level than to a particular application. Although new hardware in a system conversion must be tested under a real production load, this can be done without parallel systems. Parallel operation is designed to provide assurance that a new system meets its functional requirements. This is the safest form of system conversion testing because, if the new system fails, the old system is still available for production use. In addition, this form of testing allows the application developers and administrators to simultaneously run operational tasks (e.g., batch jobs and backups) on both systems, to ensure that the new system is reliable before unplugging the old system. Increased resiliency during parallel processing is a legitimate outcome from this scenario, but the advantage it provides is temporary and minor, so this is not the correct answer.
What is the PRIMARY reason that an IS auditor would verify that the process of post-implementation review of an application was completed after a release? To make sure that users are appropriately trained To verify that the project was within budget To check that the project meets expectations To determine whether proper controls were implemented
C is the correct answer. Justification Post-implementation review does not target verifying user training needs. Project costs are monitored during development and are not the primary reason for a post-implementation review. The objective of a post-implementation review is to reveal whether the implementation of a system has achieved planned objectives (i.e., meets business objectives and risk acceptance criteria). While an IS auditor would be interested in ensuring that proper controls were implemented, the most important consideration would be that the project meets expectations.
At the end of the testing phase of software development, an IS auditor observes that an intermittent software error has not been corrected. No action has been taken to resolve the error. The IS auditor should: report the error as a finding and leave further exploration to the auditee's discretion. attempt to resolve the error. recommend that problem resolution be escalated. ignore the error because it is not possible to get objective evidence for the software error.
C is the correct answer. Justification Recording it as a minor error and leaving it to the auditee's discretion would be inappropriate. Action should be taken before the application goes into production. The IS auditor is not authorized to resolve the error. When an IS auditor observes such conditions, it is best to fully apprise the auditee and suggest that further problem resolutions be attempted including escalation if necessary. Neglecting the error would indicate that the IS auditor has not taken steps to further probe the issue to its logical end.
Which of the following techniques would BEST help an IS auditor gain reasonable assurance that a project can meet its target date? Estimation of the actual end date based on the completion percentages and estimated time to complete, taken from status reports Confirmation of the target date based on interviews with experienced managers and staff involved in the completion of the project deliverables Extrapolation of the overall end date based on completed work packages and current resources Calculation of the expected end date based on current resources and remaining available project budget
C is the correct answer. Justification The IS auditor cannot count on the accuracy of data in status reports for reasonable assurance. Interviews are a valuable source of information but will not necessarily identify any project challenges because the people being interviewed are involved in the project. Direct observation of results is better than estimations and qualitative information gained from interviews or status reports. Project managers and involved staff tend to underestimate the time needed for completion and the necessary time buffers for dependencies between tasks, while overestimating the completion percentage for tasks underway (i.e., the 80:20 rule). The calculation based on remaining budget does not consider the speed at which the project has been progressing.
Which of the following helps an IS auditor evaluate the quality of new software that is developed and implemented? The reporting of the mean time between failures over time The overall mean time to repair failures The first report of the mean time between failures The overall response time to correct failures
C is the correct answer. Justification The mean time between failures that are repetitive includes the inefficiency in fixing the first reported failures and is a reflection on the response team or help desk team in fixing the reported issues. The mean time to repair is a reflection on the response team or help desk team in addressing reported issues. The mean time between failures that are first reported represents flaws in the software that are reported by users in the production environment. This information helps the IS auditor in evaluating the quality of the software that is developed and implemented. The response time reflects the agility of the response team or the help desk team in addressing reported issues.
During which phase of software application testing should an organization perform the testing of architectural design? Acceptance testing System testing Integration testing Unit testing
C is the correct answer. Justification This determines whether the solution meets the requirements of the business and is performed after system staff has completed the initial system test. This testing includes both quality assurance testing and user acceptance testing, although not combined. This refers to a series of tests by the test team or system maintenance staff to ensure that the modified program interacts correctly with other components. System testing references the functional requirements of the system. This evaluates the connection of two or more components that pass information from one area to another. The objective is to use unit-tested modules, thus building an integrated structure according to the design. This references the detailed design of the system and uses a set of cases that focus on the control structure of the procedural design to ensure that the internal operation of the program performs according to specification.
An IS auditor assesses the project management process for an internal software development project. In respect to the software functionality, the IS auditor should look for sign-off by: the project manager. systems development management. business unit management. the quality assurance team.
C is the correct answer. Justification This individual provides day-to-day management and leadership of the project and ensures that project activities remain in line with the overall direction. The project manager cannot sign off on project requirements; that would be a violation of separation of duties. This group provides technical support for hardware and software environments. This group assumes ownership of the project and the resulting system. It is responsible for acceptance testing and confirming that the required functions are available in the software. This group ensures the quality of the project by measuring adherence to the organization's system development life cycle. They will conduct testing but not sign off on the project requirements.
Which of the following BEST helps ensure that deviations from the project plan are identified? A project management framework A project management approach A project resource plan Project performance criteria
D is the correct answer. Justification Establishment of a project management framework identifies the scope and boundaries of managing projects and the consistent method to be applied when initiating a project but does not define the criteria used to measure project success. This defines guidelines for project management processes and deliverables but does not define the criteria used to measure project success. This defines the responsibilities, relationships, authorities and performance criteria of project team members but does not wholly define the criteria used to measure project success. To identify deviations from the project plan, project performance criteria must be established as a baseline. Successful completion of the project plan is indicative of project success.
An IS auditor reviewing a proposed application software acquisition should ensure that the: operating system (OS) being used is compatible with the existing hardware platform. planned OS updates have been scheduled to minimize negative impacts on company needs. OS has the latest versions and updates. product is compatible with the current or planned OS.
D is the correct answer. Justification If the OS is currently being used, it is compatible with the existing hardware platform; if it were incompatible, it would not operate properly. The planned OS updates should be scheduled to minimize negative impacts on the organization, but this is not an issue when considering the acquisition of new software. The installed OS should be equipped with the most recent versions and updates (with sufficient history and stability). Because this is installed, it is not a consideration at the time of considering acquisition of a new application. In reviewing the proposed application, the auditor should ensure that the products to be purchased are compatible with the current or planned OS.
An IS auditor is reviewing system development for a health care organization with two application environments: production and test. During an interview, the auditor notes that production data are used in the test environment to test program changes. What is the MOST significant potential risk from this situation? The test environment may not have adequate controls to ensure data accuracy. The test environment may produce inaccurate results due to use of production data. Hardware in the test environment may not be identical to the production environment. The test environment may not have adequate access controls implemented to ensure data confidentiality.
D is the correct answer. Justification The accuracy of data used in the test environment is not of significant concern as long as these data are representative of the production environment. Using production data in the test environment does not cause test results to be inaccurate. If anything, using production data improves the accuracy of testing processes, because the data most closely mirror the production environment. In spite of that fact, the risk of data disclosure or unauthorized access in the test environment is still significant and, as a result, production data should not be used in the test environment. This is especially important in a health care organization where patient data confidentiality is critical and privacy laws in many countries impose strict penalties on misuse of these data. Hardware in the test environment should mirror the production environment to ensure that testing is reliable. However, this does not relate to the risk from using live data in a test environment. This is not the correct answer because it does not relate to the risk presented in the scenario. In many cases, the test environment is not configured with the same access controls that are enabled in the production environment. For example, programmers may have privileged access to the test environment (for testing), but not to the production environment. If the test environment does not have adequate access control, the production data are subject to risk of unauthorized access and/or data disclosure. This is the most significant risk of the choices listed.
An IS auditor is reviewing a project that is using an agile software development approach. Which of the following should the IS auditor expect to find? Use of a capability maturity model Regular monitoring of task-level progress against schedule Extensive use of software development tools to maximize team productivity Post iteration reviews that identify lessons learned for future use in the project
D is the correct answer. Justification The capability maturity model places heavy emphasis on predefined formal processes and formal project management and software development deliverables, while agile software development projects, by contrast, rely on refinement of process as dictated by the particular needs of the project and team dynamics. Task-level tracking is not used because daily meetings identify challenges and impediments to the project. Agile projects make use of suitable development tools; however, tools are not seen as the primary means of achieving productivity. Team harmony, effective communications and collective ability to solve challenges are of greater importance. A key tenet of the agile approach to software project management is ongoing team learning to refine project management and software development processes as the project progresses. One of the best ways to achieve this is that the team considers and documents what worked well and what could have worked better at the end of each iteration and identifies improvements to be implemented in subsequent iterations. Additionally, less importance is placed on formal paper-based deliverables, with the preference being effective informal communication within the team and with key outside contributors. Agile projects produce releasable software in short iterations, typically ranging from four to eight weeks. This, in itself, instills considerable performance discipline within the team. This, combined with short daily meetings to agree on what the team is doing and the identification of any impediments, renders task-level tracking against a schedule redundant.
What kind of software application testing is considered the final stage of testing and typically includes users outside of the development team? Alpha testing White box testing Regression testing Beta testing
D is the correct answer. Justification This is the testing stage just before beta testing. Alpha testing is typically performed by programmers and business analysts, instead of users. Alpha testing is used to identify bugs or glitches that can be fixed before beta testing begins with external users. This is performed much earlier in the software development life cycle than alpha or beta testing. White box testing is used to assess the effectiveness of software program logic, where test data are used to determine procedural accuracy of the programs being tested. In other words, does the program operate the way it is supposed to at a functional level? White box testing does not typically involve external users. This is the process of re-running a portion of a test scenario to ensure that changes or corrections have not introduced more errors. In other words, the same tests are run after multiple successive program changes to ensure that the "fix" for one problem did not "break" another part of the program. Regression testing is not the last stage of testing and does not typically involve external users. This is the final stage of testing and typically includes users outside of the development area. Beta testing is a form of user acceptance testing and generally involves a limited number of users who are external to the development effort.
An IS auditor is involved in the reengineering process that aims to optimize IT infrastructure. Which of the following will BEST identify the issues to be resolved? Self-assessment Reverse engineering Prototyping Gap analysis
D is the correct answer. Justification This may be one of the viable options with which to start; however, the results only indicate current conditions, not the desired state, and tend to become subjective. This is a technique applied to analyze how a device or program works and is not appropriate here. This is applied to ensure that user requirements are met prior to being engaged in a full-blown development process. This would be the best method to identify issues that need to be addressed in the reengineering process. Gap analysis indicates which parts of current processes conform to good practices (desired state) and which do not.
Which of the following test techniques would the IS auditor use to identify specific program logic that has not been tested? A snapshot Tracing and tagging Logging Mapping
D is the correct answer. Justification This records the flow of designated transactions through logic paths within programs. This shows the trail of instructions executed during an application. This is the activity of recording specific tasks for future review. This identifies specific program logic that has not been tested and analyzes programs during execution to indicate whether program statements have been executed.
Which of the following should an IS auditor be MOST concerned about in a financial application? Programmers have access to source code in user acceptance testing environment. Secondary controls are documented for identified role conflicts. The information security officer does not authorize all application changes. Programmers have access to the production database.
D is the correct answer. Justification This is not of concern to the IS auditor because programmers need access to source code to do their jobs. The user acceptance testing (UAT) environment is separate from the production environment, and changes cannot be moved into the production environment without prior authorization. When segregation of duties conflicts are identified, secondary controls should be in place to mitigate risk. While the IS auditor reviews secondary controls, in this case the greater concern is programmers having access to the production database. The information security officer is not likely to authorize all application changes; therefore, this is not a concern for an IS auditor. This is considered to be a segregation of duties conflict.
Which of the following types of risk is MOST likely encountered in a software as a service environment? Noncompliance with software license agreements Performance issues due to Internet delivery method Higher cost due to software licensing requirements Higher cost due to the need to update to compatible hardware
B is the correct answer. Justification SaaS is provisioned on a usage basis and the number of users is monitored by the SaaS provider; therefore, there should be no risk of noncompliance with software license agreements. The risk that is most likely encountered in a software as a service (SaaS) environment is speed and availability issues, because SaaS relies on the Internet for connectivity. The costs for a SaaS solution should be fixed as a part of the services contract and considered in the business case presented to management for approval of the solution. The open design and Internet connectivity allow most SaaS to run on virtually any type of hardware.