D3: IS Acquisition, Development & Implementation 4/19/2017


During which of the following phases in system development would user acceptance test plans normally be prepared?
A. Feasibility study
B. Requirements definition
C. Implementation planning
D. Postimplementation review

The correct answer is B.
A. The feasibility study is too early for such detailed user involvement.
B. During requirements definition, the project team will be working with the users to define their precise objectives and functional needs. At this time, the users should be working with the team to consider and document how the system functionality can be tested to ensure that it meets their stated needs. An IS auditor should know at what point user testing should be planned to ensure that it is most effective and efficient.
C. The implementation planning phase is when the tests are conducted. It is too late in the process to develop the test plan.
D. User acceptance testing should be completed prior to implementation.

Which of the following BEST ensures that business requirements are met prior to implementation?
A. Feasibility study
B. User acceptance testing (UAT)
C. Postimplementation review
D. Implementation plan

The correct answer is B.
A. A feasibility study describes the key alternative courses of action that will satisfy the business and functional requirements of a project, including an evaluation of the technological and economic feasibility. A feasibility study is conducted at the commencement of the project. However, the final user acceptance testing (UAT) happens after the feasibility study and therefore is of greater value.
B. UAT ensures that business process owners and IT stakeholders evaluate the outcome of the testing process to ensure that business requirements are met.
C. The postimplementation review occurs after the implementation.
D. The implementation plan formally defines expectations and performance measurement, and the effective recovery in the event of implementation failure. It does not ensure that business requirements are met.

A. project be discontinued.
B. business case be updated and possible corrective actions be identified.
C. project be returned to the project sponsor for reapproval.
D. project be completed and the business case be updated later.

The correct answer is B.
A. An IS auditor should not recommend discontinuing or completing the project before reviewing an updated business case.
B. The IS auditor should recommend that the business case be kept current throughout the project because it is a key input to decisions made throughout the life of any project.
C. The project cannot be returned to the sponsor until the business case has been updated.
D. An IS auditor should not recommend completing the project before reviewing an updated business case and ensuring approval from the project sponsor.

A new database is being set up in an overseas location to provide information to the general public and to increase the speed at which the information is made available. The overseas database is to be housed at a data center and will be updated in real time to mirror the information stored locally. Which of the following areas of operations should be considered as having the HIGHEST risk?
A. Confidentiality of the information stored in the database
B. The hardware being used to run the database application
C. Backups of the information in the overseas database
D. Remote access to the backup database

The correct answer is B.
A. Confidentiality of the information stored in the database is not a major concern, because the information is intended for public use.
B. The business objective is to make the information available to the public in a timely manner. Because the database is physically located overseas, hardware failures that are left unfixed can reduce the availability of the system to users.
C. Backups of the information in the overseas database are not a major concern, because the overseas database is a mirror of the local database; thus, a backup copy exists locally.
D. Remote access to the backup database does not impact availability.

When planning to add personnel to tasks imposing time constraints on the duration of a project, which of the following should be revalidated FIRST?
A. The project budget
B. The critical path for the project
C. The length of the remaining tasks
D. The personnel assigned to other tasks

The correct answer is B.
A. Given that there may be slack time available on some of the other tasks not on the critical path, the resource allocation should be based on the project segments that affect delivery dates.
B. Because adding resources may change the route of the critical path, the critical path must be reevaluated to ensure that additional resources will, in fact, shorten the project duration.
C. Given that there may be slack time available on some of the other tasks not on the critical path, a factor such as the length of other tasks may or may not be affected.
D. Depending on the skill level of the resources required or available, the addition of resources may not, in fact, shorten the time line. Therefore, the first step is to examine what resources are required to address the times on the critical path.

Which of the following is a characteristic of timebox management?
A. Not suitable for prototyping or rapid application development (RAD)
B. Eliminates the need for a quality process
C. Prevents cost overruns and delivery delays
D. Separates system and user acceptance testing

The correct answer is C.
A. Timebox management is very suitable for prototyping and rapid application development (RAD).
B. Timebox management does not eliminate the need for a quality process.
C. Timebox management, by its nature, sets specific time and cost boundaries. It is effective in controlling costs and delivery time lines by ensuring that each segment of the project is divided into small controllable time frames.
D. Timebox management integrates system and user acceptance testing.

Which of the following types of risk is MOST likely encountered in a software as a service (SaaS) environment?
A. Noncompliance with software license agreements
B. Performance issues due to Internet delivery method
C. Higher cost due to software licensing requirements
D. Higher cost due to the need to update to compatible hardware

The correct answer is B.
A. Software as a service (SaaS) is provisioned on a usage basis and the number of users is monitored by the SaaS provider; therefore, there should be no risk of noncompliance with software license agreements.
B. The risk that could be most likely encountered in a SaaS environment is speed and availability issues, due to the fact that SaaS relies on the Internet for connectivity.
C. The costs for a SaaS solution should be fixed as a part of the services contract and considered in the business case presented to management for approval of the solution.
D. The open design and Internet connectivity allow most SaaS to run on virtually any type of hardware.

Which of the following would BEST help to prioritize project activities and determine the time line for a project?
A. A Gantt chart
B. Earned value analysis (EVA)
C. Program evaluation review technique (PERT)
D. Function point analysis (FPA)

The correct answer is C.
A. A Gantt chart is a simple project management tool and would help with the prioritization requirement, but it is not as effective as program evaluation review technique (PERT).
B. Earned value analysis (EVA) is a technique to track project cost versus project deliverables but does not assist in prioritizing tasks.
C. The PERT method works on the principle of obtaining project time lines based on project events for three likely scenarios (worst, best, normal). The time line is calculated by a predefined formula and identifies the critical path, which identifies the key activities that must be prioritized.
D. Function point analysis (FPA) measures the complexity of input and output and does not help to prioritize project activities.

Which testing approach is MOST appropriate to ensure that internal application interface errors are identified as soon as possible?
A. Bottom-up testing
B. Sociability testing
C. Top-down testing
D. System testing

The correct answer is C.
A. A bottom-up approach to testing begins with atomic units, such as programs and modules, and works upward until a complete system test has taken place.
B. Sociability testing takes place at a later stage in the development process.
C. The top-down approach to testing ensures that interface errors are detected early and that testing of major functions is conducted early.
D. System tests take place at a later stage in the development process.

During the review of data file change management controls, which of the following BEST helps to decrease the research time needed to investigate exceptions?
A. One-for-one checking
B. Data file security
C. Transaction logs
D. File updating and maintenance authorization

The correct answer is C.
A. One-for-one checking is a control procedure in which an individual document agrees with a detailed listing of documents processed by the system. It would take a long time to complete the research using this procedure.
B. Data file security controls prevent access by unauthorized users in their attempt to alter data files. This would not help identify the transactions posted to an account.
C. Transaction logs generate an audit trail by providing a detailed list of date of input, time of input, user ID, terminal location, etc. Research time can be reduced in investigating exceptions because the review can be performed on the logs rather than on the entire transaction file. It also helps to determine which transactions have been posted to an account by a particular individual during a particular period.
D. File updating and maintenance authorization is a control procedure to update the stored data and ensure accuracy and security of stored data. This does provide evidence regarding the individuals who update the stored data; however, it is not effective in the given situation to determine transactions posted to an account.

At the end of the testing phase of software development, an IS auditor observes that an intermittent software error has not been corrected. No action has been taken to resolve the error. The IS auditor should:
A. report the error as a finding and leave further exploration to the auditee's discretion.
B. attempt to resolve the error.
C. recommend that problem resolution be escalated.
D. ignore the error because it is not possible to get objective evidence for the software error.

The correct answer is C.
A. Recording it as a minor error and leaving it to the auditee's discretion would be inappropriate. Action should be taken before the application goes into production.
B. The IS auditor is not authorized to resolve the error.
C. When an IS auditor observes such conditions, it is best to fully apprise the auditee and suggest that further problem resolutions be attempted, including escalation if necessary.
D. Neglecting the error would indicate that the IS auditor has not taken steps to further probe the issue to its logical end.

The reason for establishing a stop or freezing point on the design of a new system is to:
A. prevent further changes to a project in process.
B. indicate the point at which the design is to be completed.
C. require that changes after that point be evaluated for cost-effectiveness.
D. provide the project management team with more control over the project design.

The correct answer is C.
A. The stop point is intended to provide greater control over changes but not to prevent them.
B. The stop point is used for project control but not to create an artificial fixed point that requires the design of the project to cease.
C. Projects often have a tendency to expand, especially during the requirements definition phase. This expansion often grows to a point where the originally anticipated cost-benefits are diminished because the cost of the project has increased. When this occurs, it is recommended that the project be stopped or frozen to allow a review of all of the cost-benefits and the payback period.
D. A stop point is used to control requirements, not systems design.

Question: 10

The correct answer is C.
A. User acceptance testing (UAT) verifies that the system functionality has been deemed acceptable by the end users of the system; however, a review of UAT will not validate whether the system is performing as designed because UAT could be performed on a subset of system functionality. The UAT review is a part of the postimplementation review.
B. While a risk assessment would highlight the risk of the system, it would not include an analysis to verify that the system is operating as designed.
C. The purpose of a postimplementation review is to evaluate how successfully the project results match original goals, objectives and deliverables. The postimplementation review also evaluates how effective the project management practices were in keeping the project on track.
D. Management approval of the system could be based on reduced functionality and does not verify that the system is operating as designed. Review of management approval is a part of postimplementation review.

A proposed transaction processing application will have many data capture sources and outputs in paper and electronic form. To ensure that transactions are not lost during processing, an IS auditor should recommend the inclusion of:
A. validation controls.
B. internal credibility checks.
C. clerical control procedures.
D. automated systems balancing.

The correct answer is D.
A. Input and output validation controls are certainly valid controls but will not detect and report lost transactions.
B. Internal credibility checks are valid controls to detect errors in processing but will not detect and report lost transactions.
C. A clerical procedure could be used to summarize and compare inputs and outputs; however, an automated process is less susceptible to error.
D. Automated systems balancing would be the best way to ensure that no transactions are lost, as any imbalance between total inputs and total outputs would be reported for investigation and correction.

Assignment of process ownership is essential in system development projects because it:
A. enables the tracking of the development completion percentage.
B. optimizes the design cost of user acceptance test (UAT) cases.
C. minimizes the gaps between requirements and functionalities.
D. ensures that system design is based on business needs.

The correct answer is D.
A. Process ownership assignment does not have a feature to track the completion percentage of deliverables.
B. Whether the design cost of test cases will be optimized is not determined from the assignment of process ownership. It may help to some extent; however, there are many other factors involved in the design of test cases.
C. For gap minimization, a specific requirements analysis framework should be in place and then applied; however, a gap may be found between the design and the as-built system that could lead to system functionality not meeting requirements. This will be identified during user acceptance testing (UAT). Process ownership alone does not have the capability to minimize requirement gaps.
D. The involvement of process owners will ensure that the system will be designed according to the needs of the business processes that depend on system functionality. A sign-off on the design by the process owners is crucial before development begins.

An IS auditor finds that user acceptance testing of a new system is being repeatedly interrupted by defect fixes from the developers. Which of the following would be the BEST recommendation for an IS auditor to make?
A. Consider the feasibility of a separate user acceptance environment.
B. Schedule user testing to occur at a given time each day.
C. Implement a source code version control tool.
D. Only retest high-priority defects.

The correct answer is A.
A. A separate environment or environments is normally necessary for testing to be efficient and effective and to ensure the integrity of production code. It is important that the development and test code bases be separate. When defects are identified they can be fixed in the development environment, without interrupting testing, before being migrated in a controlled manner to the test environment. A separate test environment can also be used as the final staging area from which code is migrated to production. This enforces a separation between development and production code. The logistics of setting up and refreshing customized test data is easier if a separate environment is maintained.
B. If developers and testers are sharing the same environment, they have to work effectively at separate times of the day. It is unlikely that this would provide optimum productivity.
C. Use of a source code control tool is a good practice, but it does not properly mitigate the lack of an appropriate test environment.
D. Even low priority fixes run the risk of introducing unintended results when combined with the rest of the system code. To prevent this, regular regression testing covering all code changes should occur. A separate test environment makes the logistics of regression testing easier to manage.

A large industrial organization is replacing an obsolete legacy system and evaluating whether to buy a custom solution or develop a system in-house. Which of the following will MOST likely influence the decision?
A. Technical skills and knowledge within the organization related to sourcing and software development
B. Privacy requirements as applied to the data processed by the application
C. Whether the legacy system being replaced was developed in-house
D. The users not devoting reasonable time to define the functionalities of the solution

The correct answer is A.
A. Critical core competencies will most likely be carefully considered before outsourcing the planning phase of the application.
B. Privacy regulations would apply to both solutions.
C. While individuals with knowledge of the legacy system are helpful, they may not have the technical skills to build a new system. Therefore, this is not the primary factor influencing the make versus buy decision.
D. Unclear business requirements (functionalities) will similarly affect either development process, but are not the primary factor influencing the make versus buy decision.

Results of a postimplementation review indicate that only 75 percent of the users can log in to the application concurrently. Which of the following could have BEST discovered the identified weakness of the application?
A. Load testing
B. Stress testing
C. Recovery testing
D. Volume testing

The correct answer is A.
A. Load testing evaluates the performance of the software under normal and peak conditions. Because this application is not supporting normal numbers of concurrent users, the load testing must not have been adequate.
B. Stress testing determines the capacity of the software to cope with an abnormal number of users or simultaneous operations. Because the number of concurrent users in this question is within normal limits, the answer is load testing, not stress testing.
C. Recovery testing evaluates the ability of a system to recover after a failure.
D. Volume testing evaluates the impact of incremental volume of records (not users) on a system.

During the review of a web-based software development project, an IS auditor realizes that coding standards are not enforced and code reviews are rarely carried out. This will MOST likely increase the likelihood of a successful:
A. buffer overflow.
B. brute force attack.
C. distributed denial-of-service attack (DDoS).
D. war dialing attack.

The correct answer is A.
A. Poorly written code, especially in web-based applications, is often exploited by hackers using buffer overflow techniques.
B. A brute force attack is used to crack passwords, but this is not related to coding standards.
C. A distributed denial-of-service (DDoS) attack floods its target with numerous packets, to prevent it from responding to legitimate requests. This is not related to coding standards.
D. War dialing uses modem-scanning tools to hack private branch exchanges (PBXs) or other telecommunications services.

The project steering committee is ultimately responsible for:
A. day-to-day management and leadership of the project.
B. allocating the funding for the project.
C. project deliverables, costs and timetables.
D. ensuring that system controls are in place.

The correct answer is C.
A. Day-to-day management and leadership of the project is the function of the project manager.
B. Providing the funding for the project is the function of the project sponsor.
C. The project steering committee provides overall direction; ensures appropriate representation of the major stakeholders in the project's outcome; and takes ultimate responsibility for the deliverables, costs and timetables.
D. Ensuring that system controls are in place is the function of the project security officer.

From a risk management point of view, the BEST approach when implementing a large and complex IT infrastructure is:
A. a major deployment after proof of concept.
B. prototyping and a one-phase deployment.
C. a deployment plan based on sequenced phases.
D. to simulate the new infrastructure before deployment.

The correct answer is C.
A. A major deployment would pose a higher risk of implementation failure.
B. Prototyping may reduce development failure, but a large environment will usually require a phased approach.
C. When developing a large and complex IT infrastructure, a good practice is to use a phased approach to fit the entire system together. This will provide greater assurance of quality results.
D. It is not usually feasible to simulate a large and complex IT infrastructure prior to deployment.

During which phase of software application testing should an organization perform the testing of architectural design?
A. Acceptance testing
B. System testing
C. Integration testing
D. Unit testing

The correct answer is C.
A. Acceptance testing determines whether the solution meets the requirements of the business and is performed after system staff has completed the initial system test. This testing includes both quality assurance testing (QAT) and user acceptance testing (UAT), although not combined.
B. System testing is a series of tests by the test team or system maintenance staff to ensure that the modified program interacts correctly with other components. System testing references the functional requirements of the system.
C. Integration testing evaluates the connection of two or more components that pass information from one area to another. The objective is to utilize unit-tested modules, thus building an integrated structure according to the design.
D. Unit testing references the detailed design of the system and uses a set of cases that focus on the control structure of the procedural design to ensure that the internal operation of the program performs according to specification.

When implementing an application software package, which of the following presents the GREATEST risk?
A. Uncontrolled multiple software versions
B. Source programs that are not synchronized with object code
C. Incorrectly set parameters
D. Programming errors

The correct answer is C.
A. Having multiple versions is a problem, but as long as the correct version is implemented, the most serious risk during implementation is to have the parameters for the program set incorrectly.
B. Lack of synchronization between source and object code will be a serious risk for later maintenance of compiled programs, but this will not affect other types of programs and is not the most serious risk at the time of implementation.
C. Parameters that are not set correctly would be the greatest concern when implementing an application software package. Incorrectly set parameters are an immediate problem that could lead to system breach, failure or noncompliance.
D. Programming errors should be found during testing, not at the time of implementation.

In an online transaction processing system, data integrity is maintained by ensuring that a transaction is either completed in its entirety or not at all. This principle of data integrity is known as:
A. isolation.
B. consistency.
C. atomicity.
D. durability.

The correct answer is C.
A. Isolation ensures that each transaction is isolated from other transactions; hence, each transaction can only access data if it is not being simultaneously accessed or modified by another process.
B. Consistency ensures that all integrity conditions in the database be maintained with each transaction.
C. The principle of atomicity requires that a transaction be completed in its entirety or not at all. If an error or interruption occurs, all changes made up to that point are backed out.
D. Durability ensures that, when a transaction has been reported back to a user as complete, the resultant changes to the database will survive subsequent hardware or software failures.

Which of the following helps an IS auditor evaluate the quality of new software that is developed and implemented?
A. The reporting of the mean time between failures over time
B. The overall mean time to repair failures
C. The first report of the mean time between failures
D. The overall response time to correct failures

The correct answer is C.
A. The mean time between failures that are repetitive includes the inefficiency in fixing the first reported failures and is a reflection on the response team or help desk team in fixing the reported issues.
B. The mean time to repair is a reflection on the response team or help desk team in addressing reported issues.
C. The mean time between failures that are first reported represents flaws in the software that are reported by users in the production environment. This information helps the IS auditor in evaluating the quality of the software that is developed and implemented.
D. The response time is a reflection of the agility of the response team or the help desk team in addressing reported issues.

Which of the following has the MOST significant impact on the success of an application systems implementation?
A. The prototyping application development methodology
B. Compliance with applicable external requirements
C. The overall organizational environment
D. The software reengineering technique

The correct answer is C.
A. The prototyping application development technique reduces the time to deploy systems primarily by using faster development tools that allow a user to see a high-level view of the workings of the proposed system within a short period of time. The use of any one development methodology will have a limited impact on the success of the project.
B. Compliance with applicable external requirements has an impact on the implementation success, but the impact is not as significant as the impact of the overall organizational environment.
C. The overall organizational environment has the most significant impact on the success of application systems implemented. This includes the alignment between IT and the business, the maturity of the development processes and the use of change control and other project management tools.
D. The software reengineering technique is a process of updating an existing system by extracting and reusing design and program components. This is used to support major changes in the way an organization operates. Its impact on the success of the application systems that are implemented is small compared with the impact of the overall organizational environment.

An IS auditor performing a review of a major software development project finds that it is on schedule and under budget even though the software developers have worked considerable amounts of unplanned overtime. The IS auditor should:
A. conclude that the project is progressing as planned because dates are being met.
B. question the project manager further to identify whether overtime costs are being tracked accurately.
C. conclude that the programmers are intentionally working slowly to earn extra overtime pay.
D. investigate further to determine whether the project plan may not be accurate.

The correct answer is D.
A. Even though the project is on time and budget, there may be problems with the project plan because considerable amounts of unplanned overtime have been required.
B. There is a possibility that the project manager has hidden some costs to make the project look better; however, the real problem may be with whether the project plan is realistic, not just the accounting.
C. It is possible that the programmers are trying to take advantage of the time system, but if the overtime has been required to keep the project on track it is more likely that the time lines and expectations of the project are unrealistic.
D. While the dates on which key projects are completed are important, there may be issues with the project plan if an extraordinary amount of unplanned overtime is required to meet those dates. In most cases, the project plan is based on a certain number of hours, and requiring programmers to work considerable overtime is not a good practice. While overtime costs may be an indicator that something is wrong with the plan, in many organizations the programming staff may be salaried, so overtime costs may not be directly recorded.

A company has recently upgraded its purchase system to incorporate electronic data interchange (EDI) transmissions. Which of the following controls should be implemented in the EDI interface to provide for efficient data mapping?
A. Key verification
B. One-for-one checking
C. Manual recalculations
D. Functional acknowledgements

The correct answer is D.
A. Key verification is used for encryption and protection of data but not for data mapping.
B. One-for-one checking validates that transactions are accurate and complete but does not map data.
C. Manual recalculations are used to verify that the processing is correct but do not map data.
D. Acting as an audit trail for electronic data interchange (EDI) transactions, functional acknowledgments are one of the main controls used in data mapping.

The GREATEST advantage of rapid application development (RAD) over the traditional system development life cycle (SDLC) is that it:
A. facilitates user involvement.
B. allows early testing of technical features.
C. facilitates conversion to the new system.
D. shortens the development time frame.

The correct answer is D.
A. Rapid application development (RAD) emphasizes greater user involvement to ensure that the system meets user requirements; however, its primary objective is to speed up development.
B. RAD does allow early testing, but this is also true for the traditional system development life cycle (SDLC) models.
C. RAD does not facilitate conversion to a new system.
D. The greatest advantage and core objective of RAD is a shorter time frame for the development of a system.

Which of the following is the MOST important critical success factor (CSF) of implementing a risk-based approach to the IT system life cycle?
A. Adequate involvement of stakeholders
B. Selection of a risk management framework
C. Identification of risk mitigation strategies
D. Understanding of the regulatory environment

The correct answer is A.
A. The most important critical success factor (CSF) is the adequate involvement and support of the various quality assurance, privacy, legal, audit, regulatory affairs or compliance teams in high regulatory risk situations. Some IT system changes may, based on risk ratings, require sign-off from key stakeholders before proceeding.
B. Selecting a risk management framework helps the organization define the approach to addressing risk but still requires adequate involvement of stakeholders to be successful.
C. Identifying risk mitigation strategies helps the organization define the approach to addressing risk, but still requires adequate involvement of stakeholders to be successful.
D. Having an understanding of the regulatory environment is important to ensure that risk is addressed in the context of the applicable regulation, but adequate stakeholder involvement is required to ensure success.

An IS auditor who is auditing the software acquisition process will ensure that the: A. contract is reviewed and approved by the legal counsel before it is signed. B. requirements cannot be met with the systems already in place. C. requirements are found to be critical for the business. D. user participation is adequate in the process.

You answered C. The correct answer is A. A. The process to review and approve the contract is one of the most important steps in the software acquisition process. An IS auditor should verify that legal counsel reviewed and approved the contract before management signs the contract. B. Existing systems may meet the requirements, but management may choose to acquire software for other reasons. C. Not all of the requirements in the contract need to support critical business needs; some requirements may be there for ease-of-use or other purposes. D. User participation is not necessarily required in the software acquisition process. Instead, users would most likely participate in requirements definition and user acceptance testing (UAT).

An IS auditor has been asked to look at past projects to determine how future projects can better meet business requirements. With which of the following would the auditors MOST likely consult? A. Project sponsors B. Project managers C. End-user groups D. Business analysts

You answered C. The correct answer is A. A. The project sponsor is the owner of the project and, therefore, the most appropriate person to discuss whether the business requirements defined as part of the project objectives have been met. B. Project managers organize the project, ensure that its direction aligns with the overall direction and complies with standards, and monitor project milestones. The sponsor is in a better position to determine whether requirements have been met and is most likely to be consulted by the IS auditor. C. End-user groups can be a valuable resource; however, the project sponsor has managerial authority and is involved in strategic planning and is therefore a better answer. D. Although business analysts have detailed knowledge of business requirements, the project sponsor has a more accurate view of actual past project performance.

Who should review and approve system deliverables as they are defined and accomplished to ensure the successful completion and implementation of a new business system application? A. User management B. Project steering committee C. Senior management D. Quality assurance staff

You answered C. The correct answer is A. A. User management assumes ownership of the project and resulting system, allocates qualified representatives to the team and actively participates in system requirements definition, acceptance testing and user training. User management should review and approve system deliverables as they are defined and accomplished or implemented. B. A project steering committee provides overall direction, ensures appropriate representation of the major stakeholders in the project's outcome, reviews project progress regularly and holds emergency meetings when required. A project steering committee is ultimately responsible for all deliverables, project costs and schedules. C. Senior management demonstrates commitment to the project and approves the necessary resources to complete the project. This commitment from senior management helps ensure involvement by those who are needed to complete the project. D. Quality assurance staff review results and deliverables within each phase, and at the end of each phase confirm compliance with standards and requirements. The timing of reviews depends on the system development life cycle methodology used, the structure and magnitude of the system and the impact of potential deviation.

A company has implemented a new client-server enterprise resource planning (ERP) system. Local branches transmit customer orders to a central manufacturing facility. Which of the following would BEST ensure that the orders are processed accurately and the corresponding products are produced? A. Verifying production to customer orders B. Logging all customer orders in the ERP system C. Using hash totals in the order transmitting process D. Approving (production supervisor) orders prior to production

You answered C. The correct answer is A. A. Verification will ensure that produced products match the orders in the customer order system. B. Logging can be used to detect inaccuracies but does not, in itself, guarantee accurate processing. C. Hash totals will ensure accurate order transmission, but not accurate processing centrally. D. Production supervisory approval is a time-consuming, manual process that does not guarantee proper control.

Information for detecting unauthorized input from a user workstation would be BEST provided by the: A. console log printout. B. transaction journal. C. automated suspense file listing. D. user error report.

You answered C. The correct answer is B. A. A console log printout is not the best because it would not record activity from a specific terminal. B. The transaction journal would record all transaction activity, which then could be compared to the authorized source documents to identify any unauthorized input. C. An automated suspense file listing would list only transaction activity where an edit error occurred. D. The user error report would list only input that resulted in an edit error and would not record improper user input.
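The comparison described in answer B, as an added example that is not part of the original question bank: a transaction journal is reconciled against the register of authorized source documents, and every entry that has no document, points at an unknown document, differs from it in amount or reuses a document already consumed is reported together with the workstation it came from. The journal, the document register and all field names are constructed for the example.

```python
from collections import Counter

# Constructed transaction journal: everything the application accepted,
# tagged with the originating workstation. Field names are assumptions.
JOURNAL = [
    {"txn_id": "T001", "terminal": "WS-07", "user": "alice", "doc_ref": "PO-1001", "amount": 250.00},
    {"txn_id": "T002", "terminal": "WS-07", "user": "alice", "doc_ref": "PO-1002", "amount": 80.00},
    {"txn_id": "T003", "terminal": "WS-12", "user": "bob",   "doc_ref": "PO-1003", "amount": 1200.00},
    {"txn_id": "T004", "terminal": "WS-12", "user": "bob",   "doc_ref": None,      "amount": 999.00},
    {"txn_id": "T005", "terminal": "WS-12", "user": "bob",   "doc_ref": "PO-1003", "amount": 1200.00},
    {"txn_id": "T006", "terminal": "WS-07", "user": "alice", "doc_ref": "PO-1004", "amount": 45.00},
]

# Constructed register of approved source documents: what was actually authorized.
AUTHORIZED_DOCS = {
    "PO-1001": {"amount": 250.00, "approved_by": "carol"},
    "PO-1002": {"amount": 80.00, "approved_by": "carol"},
    "PO-1003": {"amount": 1200.00, "approved_by": "dave"},
    "PO-1004": {"amount": 40.00, "approved_by": "carol"},
}


def find_unauthorized_input(journal, authorized_docs):
    """Compare every journal entry with the authorized source documents.

    Returns (txn_id, terminal, reason) for each entry that cannot be traced
    cleanly to one approved document. Both copies of a reused document are
    reported, because the journal alone cannot say which one is genuine.
    """
    uses = Counter(e["doc_ref"] for e in journal if e["doc_ref"] is not None)
    findings = []
    for entry in journal:
        ref = entry["doc_ref"]
        if ref is None:
            reason = "no source document"
        elif ref not in authorized_docs:
            reason = "source document not in approved register"
        elif abs(entry["amount"] - authorized_docs[ref]["amount"]) > 0.005:
            reason = "amount differs from authorized document"
        elif uses[ref] > 1:
            reason = "source document used more than once"
        else:
            continue
        findings.append((entry["txn_id"], entry["terminal"], reason))
    return findings


def findings_by_terminal(findings):
    """Group findings by workstation: the question a console log cannot answer."""
    grouped = {}
    for txn_id, terminal, reason in findings:
        grouped.setdefault(terminal, []).append((txn_id, reason))
    return grouped


if __name__ == "__main__":
    hits = find_unauthorized_input(JOURNAL, AUTHORIZED_DOCS)
    for terminal, items in sorted(findings_by_terminal(hits).items()):
        print(terminal)
        for txn_id, reason in items:
            print(f"  {txn_id}: {reason}")
```

Run against the constructed data, the check isolates three suspect entries from WS-12 (one with no document, two sharing the same purchase order) and one from WS-07 whose amount was keyed above the approved value. A suspense file or error report would show none of these, because all four passed the application's edit checks.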

A company has contracted with an external consulting firm to implement a commercial financial system to replace its existing system developed in-house. In reviewing the proposed development approach, which of the following would be of GREATEST concern? A. Acceptance testing is to be managed by users. B. A quality plan is not part of the contracted deliverables. C. Not all business functions will be available on initial implementation. D. Prototyping is being used to confirm that the system meets business requirements.

You answered C. The correct answer is B. A. Acceptance is normally managed by the user area because users must be satisfied that the new system will meet their requirements. B. A quality plan is an essential element of all projects. It is critical that the contracted supplier be required to produce such a plan. The quality plan for the proposed development contract should be comprehensive and encompass all phases of the development and include which business functions will be included and when. C. If the system is large, a phased-in approach to implementing the application is a reasonable approach. D. Prototyping is a valid method of ensuring that the system will meet business requirements.

Which of the following will BEST ensure the successful offshore development of business applications? A. Stringent contract management practices B. Detailed and correctly applied specifications C. Awareness of cultural and political differences D. Postimplementation reviews

You answered C. The correct answer is B. A. Contract management practices, although important, will not ensure successful development if the specifications are incorrect. B. When dealing with offshore operations, it is essential that detailed specifications be created. Language differences and a lack of interaction between developers and physically remote end users could create gaps in communication in which assumptions and modifications may not be adequately communicated. Inaccurate specifications cannot easily be corrected. C. Cultural and political differences, although important, should not affect the delivery of a good product. D. Postimplementation reviews, although important, are too late in the process to ensure successful project delivery and are not as pivotal to the success of the project.

Which of the following is the BEST indicator that a newly developed system will be used after it is in production? A. Regression testing B. User acceptance testing (UAT) C. Sociability testing D. Parallel testing

You answered C. The correct answer is B. A. Regression test results do not assist with the user experience and are primarily concerned with new functionality or processes and whether those changes altered or broke previous functionality. B. User acceptance testing (UAT) is undertaken to provide confidence that a system or system component operates as intended, to provide a basis for evaluating the implementation of the requirements or to demonstrate the effectiveness or efficiency of the system or component. If the results of the testing are poor, then the system is unlikely to be adopted by the users. C. Sociability test results indicate how the application works with other components within the environment and are not indicative of the user experience. D. Parallel testing is performed when the comparison of two applications is needed but will not provide feedback on user satisfaction.

An organization is replacing a payroll program that it developed in-house, with the relevant subsystem of a commercial enterprise resource planning (ERP) system. Which of the following would represent the HIGHEST potential risk? A. Undocumented approval of some project changes B. Faulty migration of historical data from the old system to the new system C. Incomplete testing of the standard functionality of the ERP subsystem D. Duplication of existing payroll permissions on the new ERP subsystem

You answered C. The correct answer is B. A. Undocumented changes (leading to scope creep) are a risk, but the greatest risk is the loss of data integrity when migrating data from the old system to the new system. B. The most significant risk after a payroll system conversion is loss of data integrity and not being able to pay employees in a timely and accurate manner or have records of past payments. As a result, maintaining data integrity and accuracy during migration is paramount. C. A lack of testing is always a risk; however, in this case, the new payroll system is a subsystem of an existing commercially available (and therefore probably well-tested) system. D. Setting up the new system, including access permissions and payroll data, always presents some level of risk; however, the greatest risk is related to the migration of data from the old system to the new system.

An IS auditor's PRIMARY concern when application developers wish to use a copy of yesterday's production transaction file for volume tests is that: A. users may prefer to use contrived data for testing. B. unauthorized access to sensitive data may result. C. error handling and credibility checks may not be fully proven. D. the full functionality of the new process may not necessarily be tested.

You answered D. The correct answer is B. A. Production data are easier for users to use for comparison purposes. B. Unless the data are sanitized, there is a risk of disclosing sensitive data. C. There is a risk that former production data may not test all error routines; however, this is not as serious as the risk of release of sensitive data. D. Using a copy of production data may not test all functionality, but this is not as serious as the risk of disclosure of sensitive data.

During the audit of an acquired software package, an IS auditor finds that the software purchase was based on information obtained through the Internet, rather than from responses to a request for proposal (RFP). The IS auditor should FIRST: A. test the software for compatibility with existing hardware. B. perform a gap analysis. C. review the licensing policy. D. ensure that the procedure had been approved.

You answered C. The correct answer is D. A. Because the software package has already been acquired, it is most likely that it is in use and therefore compatible with existing hardware. Further, the first responsibility of the IS auditor is to ensure that the purchasing procedures have been approved. B. Because there was no request for proposal (RFP), there may be no documentation of the expectations of the product and nothing to measure a gap against. The first task for the IS auditor is to ensure that the purchasing procedures were approved. C. The licensing policy should be reviewed to ensure proper licensing but only after the purchasing procedures are checked. D. In the case of a deviation from the predefined procedures, an IS auditor should first ensure that the procedure followed for acquiring the software is consistent with the business objectives and has been approved by the appropriate authorities.

Which of the following should be developed during the requirements definition phase of a software development project to address aspects of software testing? A. Test data covering critical applications B. Detailed test plans C. Quality assurance (QA) test specifications D. User acceptance test specifications

You answered C. The correct answer is D. A. Test data will usually be created during the system testing phase. B. Detailed test plans are created during system testing. C. Quality assurance (QA) test specifications are set out later in the development process. D. A key objective in any software development project is to ensure that the developed software will meet the business objectives and the requirements of the user. The users should be involved in the requirements definition phase of a development project and user acceptance test specification should be developed during this phase.

The MAJOR advantage of a component-based development approach is the: A. ability to manage an unrestricted variety of data types. B. provision for modeling complex relationships. C. capacity to meet the demands of a changing environment. D. support of multiple development environments.

You answered C. The correct answer is D. A. The data types must be defined within each component, and it is not certain that any given component will be able to handle multiple data types. B. Component-based development is no better than many other development methods at modeling complex relationships. C. Component-based development is one of the methodologies that can be effective at meeting changing requirements, but this is not its primary benefit or purpose. D. Component-based development that relies on reusable modules can increase the speed of development. Software developers can then focus on business logic.

Which of the following BEST helps an IS auditor evaluate the quality of programming activities related to future maintenance capabilities? A. The programming language B. The development environment C. A version control system D. Program coding standards

You answered C. The correct answer is D. A. The programming language may be a concern if it is not a commonly used language; however, program coding standards are more important. B. The development environment may be relevant to evaluate the efficiency of the program development process but not future maintenance of the program. C. A version control system helps manage software code revisions; however, it does not ensure that coding standards are consistently applied. D. Program coding standards are required for efficient program maintenance and modifications. To enhance the quality of programming activities and future maintenance capabilities, program coding standards should be applied. Program coding standards are essential to writing, reading and understanding code, simply and clearly, without having to refer back to design specifications.

Which of the following is an advantage of prototyping? A. The finished system normally has strong internal controls. B. Prototype systems can provide significant time and cost savings. C. Change control is often less complicated with prototype systems. D. It ensures that functions or extras are not added to the intended system.

You answered D. The correct answer is B. A. Prototyping often has poor internal controls because the focus is primarily on functionality, not on security. B. Prototype systems can provide significant time and cost savings through better user interaction and the ability to rapidly adapt to changing requirements; however, they also have several disadvantages, including loss of overall security focus, project oversight and implementation of a prototype that is not yet ready for production. C. Change control becomes much more complicated with prototyping. D. Prototyping often leads to functions or extras being added to the system that were not originally intended.

Which of the following represents the GREATEST potential risk in an electronic data interchange (EDI) environment? A. Lack of transaction authorizations B. Loss or duplication of EDI transmissions C. Transmission delay D. Deletion or manipulation of transactions prior to or after establishment of application controls

You answered D. The correct answer is A. A. Because the interaction between parties is electronic, there is no inherent authentication occurring; therefore, transaction authorization is the greatest risk. B. Loss or duplication of electronic data interchange (EDI) transmissions is an example of risk, but because all transactions should be logged, the impact is not as great as that of unauthorized transactions. C. Transmission delays may terminate the process or hold the line until the normal time for processing has elapsed; however, there will be no loss of data. D. Deletion or manipulation of transactions prior to or after establishment of application controls is an example of risk, but logging will detect any alteration to the data, and the impact is not as great as that of unauthorized transactions.
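The transmission-level controls that the EDI questions above keep referring to (functional acknowledgements as an audit trail, hash totals on the transmitted batch, and the detection of lost or duplicated transmissions), as one added example that is not from the question bank. The interchange format is a constructed simplification, not X12 or EDIFACT syntax: each interchange carries a control number and a trailer with a record count, a hash total over the customer numbers and an amount total. The receiver verifies the trailer, rejects repeated control numbers and returns one acknowledgement per interchange; the sender then reconciles what it sent against the acknowledgement log. Note what the example cannot do: none of these controls establishes that a well-formed, correctly acknowledged transaction was authorized in the first place, which is why the answer ranks option A above B and D.

```python
from copy import deepcopy


def build_interchange(control_no, records):
    """Sender side: wrap the records with a trailer carrying control totals.
    The hash total is the sum of a non-financial field (customer number); it is
    meaningless as a value and exists only so that a lost, added or altered
    record changes it."""
    return {
        "control_no": control_no,
        "records": deepcopy(records),
        "trailer": {
            "record_count": len(records),
            "hash_total": sum(r["customer_no"] for r in records),
            "amount_total": round(sum(r["amount"] for r in records), 2),
        },
    }


def verify_trailer(interchange):
    """Receiver side: recompute the totals and compare them with the trailer."""
    recs = interchange["records"]
    t = interchange["trailer"]
    if len(recs) != t["record_count"]:
        return "record count mismatch"
    if sum(r["customer_no"] for r in recs) != t["hash_total"]:
        return "hash total mismatch"
    if round(sum(r["amount"] for r in recs), 2) != t["amount_total"]:
        return "amount total mismatch"
    return None


def receive(interchanges):
    """Receiver side: reject duplicate control numbers, verify each trailer and
    return one functional acknowledgement per interchange received."""
    seen = set()
    acks = []
    for ic in interchanges:
        n = ic["control_no"]
        if n in seen:
            acks.append({"control_no": n, "status": "rejected", "reason": "duplicate control number"})
            continue
        seen.add(n)
        err = verify_trailer(ic)
        acks.append({"control_no": n, "status": "rejected" if err else "accepted", "reason": err})
    return acks


def reconcile(sent_control_nos, acks):
    """Sender side: match every control number sent against the acknowledgement
    log. The log is the audit trail; anything without an accepted ack is followed up."""
    by_no = {}
    for a in acks:
        by_no.setdefault(a["control_no"], []).append(a)
    outcome = {}
    for n in sent_control_nos:
        received = by_no.get(n, [])
        accepted = any(a["status"] == "accepted" for a in received)
        duplicated = any(a["reason"] == "duplicate control number" for a in received)
        if not received:
            outcome[n] = "no acknowledgement (possibly lost)"
        elif accepted and duplicated:
            outcome[n] = "accepted, duplicate copy discarded"
        elif accepted:
            outcome[n] = "accepted"
        else:
            outcome[n] = "rejected: " + received[0]["reason"]
    return outcome


def simulate():
    """Constructed fault model for the channel: interchange 2 is lost, 3 arrives
    twice, 4 has a customer number altered in transit, 5 has an amount altered."""
    orders = [{"customer_no": 1001, "amount": 50.00}, {"customer_no": 1002, "amount": 75.50}]
    sent = {n: build_interchange(n, orders) for n in (1, 2, 3, 4, 5)}
    in_transit = [sent[1], sent[3], deepcopy(sent[3]), deepcopy(sent[4]), deepcopy(sent[5])]
    in_transit[3]["records"][0]["customer_no"] = 1009
    in_transit[4]["records"][1]["amount"] = 7550.00
    acks = receive(in_transit)
    return reconcile(sorted(sent), acks)


if __name__ == "__main__":
    for control_no, result in simulate().items():
        print(control_no, result)
```

The hash total catches the altered customer number and the amount total catches the altered amount; neither would catch a record whose fields were swapped for other valid ones that happen to sum the same, which is why real interchanges layer a sequence number and, where integrity matters, a MAC or signature on top of the totals.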

Which of the following is a prevalent risk in the development of end-user computing (EUC) applications? A. Applications may not be subject to testing and IT general controls. B. Development and maintenance costs may be increased. C. Application development time may be increased. D. Decision-making may be impaired due to diminished responsiveness to requests for information.

You answered D. The correct answer is A. A. End-user computing (EUC) is defined as the ability of end users to design and implement their own information system utilizing computer software products. End-user developed applications may not be subjected to an independent outside review by systems analysts and frequently are not created in the context of a formal development methodology. These applications may lack appropriate standards, controls, quality assurance procedures, and documentation. A risk of end-user applications is that management may rely on them as much as traditional applications. B. EUC systems typically result in reduced application development and maintenance costs. C. EUC systems typically result in a reduced development cycle time. D. EUC systems normally increase flexibility and responsiveness to management's information requests because the system is being developed directly by the user community.

Functionality is a characteristic associated with evaluating the quality of software products throughout their life cycle, and is BEST described as the set of attributes that bear on the: A. existence of a set of functions and their specified properties. B. ability of the software to be transferred from one environment to another. C. capability of software to maintain its level of performance under stated conditions. D. relationship between the performance of the software and the amount of resources used.

You answered D. The correct answer is A. A. Functionality is the set of attributes that bears on the existence of a set of functions and their specified properties. The functionality of a system represents the tasks, operations and purpose of the system in achieving its objective (i.e., supporting a business requirement). B. The ability of the software to be transferred from one environment to another refers to portability. C. The capability of software to maintain its level of performance under stated conditions refers to reliability. D. The relationship between the performance of the software and the amount of resources used refers to efficiency.

An IS auditor has found time constraints and expanded needs to be the root causes for recent violations of corporate data definition standards in a new business intelligence project. Which of the following is the MOST appropriate suggestion for an auditor to make? A. Achieve standards alignment through an increase of resources devoted to the project. B. Align the data definition standards after completion of the project. C. Delay the project until compliance with standards can be achieved. D. Enforce standard compliance by adopting punitive measures against violators.

You answered D. The correct answer is A. A. Provided that data architecture, technical and operational requirements are sufficiently documented, the alignment to standards could be treated as a specific work package assigned to new project resources. B. The usage of nonstandard data definitions would lower the efficiency of the new development and increase the risk of errors in critical business decisions. To change data definition standards after project conclusion is risky and is not a viable solution. C. Delaying the project would be an inappropriate suggestion because of the business requirements and the likely damage to the profitability of the entire project. D. Punishing the violators would be outside the authority of the auditor and inappropriate until the reason for the violations has been determined.

A company uses a bank to process its weekly payroll. Time sheets and payroll adjustment forms (e.g., hourly rate changes, terminations) are completed and delivered to the bank, which prepares checks (cheques) and reports for distribution. To BEST ensure payroll data accuracy: A. payroll reports should be compared to input forms. B. gross payroll should be recalculated manually. C. checks (cheques) should be compared to input forms. D. checks (cheques) should be reconciled with output reports.

You answered D. The correct answer is A. A. The best way to confirm data accuracy, when input is provided by the company and output is generated by the bank, is to verify the data input (input forms) with the results of the payroll reports. Hence, comparing payroll reports with input forms is the best mechanism of verifying data accuracy. B. Recalculating gross payroll manually would only verify whether the processing is correct and not the data accuracy of inputs. C. Comparing checks (cheques) to input forms is not feasible because checks (cheques) have the processed information and input forms have the input data. D. Reconciling checks (cheques) with output reports only confirms that checks (cheques) have been issued as per output reports.

The specific advantage of white box testing is that it: A. verifies a program can operate successfully with other parts of the system. B. ensures a program's functional operating effectiveness without regard to the internal program structure. C. determines procedural accuracy or conditions of a program's specific logic paths. D. examines a program's functionality by executing it in a tightly controlled or virtual environment with restricted access to the host system.

You answered D. The correct answer is C. A. Verifying that the program can operate successfully with other parts of the system is sociability testing. B. Testing the program's functionality without knowledge of internal structures is black box testing. C. White box testing assesses the effectiveness of software program logic. Specifically, test data are used in determining procedural accuracy or conditions of a program's logic paths. D. Controlled testing of programs in a semi-debugged environment, either heavily controlled step-by-step or via monitoring in virtual machines, is sandbox testing.

An IS auditor is evaluating a virtual machine-based (VM-based) architecture used for all programming and testing environments. The production architecture is a three-tier physical architecture. What is the MOST important IT control to test to ensure availability and confidentiality of the web application in production? A. Server configuration has been hardened appropriately. B. Allocated physical resources are available. C. System administrators are trained to use the virtual machine (VM) architecture. D. The VM server is included in the disaster recovery plan (DRP).

You answered D. The correct answer is A. A. The most important control to test in this configuration is the server configuration hardening. It is important to patch known vulnerabilities and to disable all non-required functions before production, especially when production architecture is different from development and testing architecture. B. The greatest risk is associated with the difference between the testing and production environments. Ensuring that physical resources are available is a relatively low risk and easily addressed. C. Virtual machines (VMs) are often used for optimizing programming and testing infrastructure. In this scenario, the development environment (VM architecture) is different from the production infrastructure (physical three-tier). Because the VMs are not related to the web application in production, there is no real requirement for the system administrators to be familiar with a virtual environment. D. Because the VMs are only used in a development environment and not in production, it may not be necessary to include VMs in the disaster recovery plan (DRP).

An IS auditor is reviewing an enterprise's system development testing policy. Which of the following statements concerning use of production data for testing would the IS auditor consider to be MOST appropriate? A. Senior IS and business management must approve use before production data can be utilized for testing. B. Production data can be used if they are copied to a secure test environment. C. Production data can never be used. All test data must be developed and based on documented test cases. D. Production data can be used provided that confidentiality agreements are in place.

You answered D. The correct answer is A. A. There is risk associated with the use of production data for testing. This includes compromising customer or employee confidentiality (which may also involve breaching legislation) and corrupting the production data. Additionally, there are certain cases in which effective testing requires specifically designed data. There are other cases in which using production data would provide insights that are difficult or impossible to get from manufactured test data. One example is testing of interfaces to legacy systems. Management information systems are a further example where access to "real" data is likely to enhance testing. Some flexibility on the use of production data is likely to be the best option. In addition to obtaining senior management approval, conditions that mitigate the risk associated with using production data can be agreed on, such as masking names and other identifying fields to protect privacy. B. Copying production data to a secure environment is a good practice, but this should only be done with the approval of management. Management must accept the risk of using production data for testing. C. Creating a complete set of test data would be an ideal situation but is not always possible due to the volume of test data that would be required. D. Production data could only be used with management's permission. Then it can be appropriate to require the use of confidentiality agreements.
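The mitigation named in answer A above, and the sanitization that the earlier production-data question (yesterday's transaction file for volume tests) calls for, as one added example that is not from the question bank. Identifying fields are replaced with keyed, deterministic tokens so that the same customer maps to the same token in every table and joins still work; e-mail addresses are rewritten under a reserved domain, card numbers keep only their last four digits, and business values such as amounts and product codes are left real so the tests stay meaningful. A final check confirms that no original sensitive value survives in the output. The records, the field names and the masking key are constructed for the example; the key is an assumption about an operational secret that must not travel to the test environment.

```python
import hashlib
import hmac
import re

# Assumption: the masking key lives with the production extract job and never
# reaches the test environment, so testers cannot re-derive tokens for guessed names.
MASKING_KEY = b"constructed-masking-key-rotate-per-extract"


def pseudonym(value, length=12):
    """Keyed, deterministic token. Same input -> same token, so joins between
    tables survive; without the key a token cannot be reversed or re-created."""
    mac = hmac.new(MASKING_KEY, str(value).encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:length]


def mask_email(email):
    local, _, _domain = email.partition("@")
    return f"{pseudonym(local)}@example.invalid"   # .invalid is reserved and never deliverable


def mask_card(pan):
    digits = re.sub(r"\D", "", pan)
    return "X" * (len(digits) - 4) + digits[-4:]    # keep last four for display-format tests


MASKERS = {
    "customer_id": pseudonym,                       # key field: masked the same way in every table
    "name": lambda v: "Customer " + pseudonym(v, 6),
    "email": mask_email,
    "card_no": mask_card,
    "national_id": pseudonym,
}


def mask_record(record):
    """Mask identifying fields; leave amounts, dates and codes real so that
    interface and reporting tests still exercise realistic values."""
    return {k: (MASKERS[k](v) if k in MASKERS else v) for k, v in record.items()}


def mask_extract(tables):
    return {name: [mask_record(r) for r in rows] for name, rows in tables.items()}


def leaked_values(original_rows, masked_rows, fields):
    """Post-masking check: none of the original sensitive values may survive
    anywhere in the masked output. Returns the values that did."""
    originals = {str(r[f]) for r in original_rows for f in fields if r.get(f) is not None}
    haystack = " ".join(str(v) for r in masked_rows for v in r.values())
    return sorted(v for v in originals if v in haystack)


# Constructed production extract (the card numbers are well-known test numbers).
PRODUCTION = {
    "customers": [
        {"customer_id": 1001, "name": "Alice Example", "email": "alice@corp.example",
         "card_no": "4111 1111 1111 1111", "national_id": "123-45-6789", "country": "NL"},
        {"customer_id": 1002, "name": "Bob Sample", "email": "bob@corp.example",
         "card_no": "5500 0000 0000 0004", "national_id": "987-65-4321", "country": "DE"},
    ],
    "orders": [
        {"order_id": 7, "customer_id": 1001, "amount": 120.50, "sku": "ABC-1"},
        {"order_id": 8, "customer_id": 1001, "amount": 19.99, "sku": "ABC-2"},
        {"order_id": 9, "customer_id": 1002, "amount": 999.00, "sku": "XYZ-9"},
    ],
}

if __name__ == "__main__":
    masked = mask_extract(PRODUCTION)
    for row in masked["customers"] + masked["orders"]:
        print(row)
    print("leaked:", leaked_values(PRODUCTION["customers"], masked["customers"] + masked["orders"],
                                   ["name", "email", "card_no", "national_id"]))
```

HMAC rather than a bare hash is deliberate: a plain SHA-256 of a name or national ID can be reversed by hashing guesses, so a tester who holds the extract could recover identities. With the key withheld, the tokens are consistent inside the test environment and opaque outside it.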

An IS auditor is performing a postimplementation review of an organization's system and identifies output errors within an accounting application. The IS auditor determined this was caused by input errors. Which of the following controls should the IS auditor recommend to management? A. Recalculations B. Limit checks C. Run-to-run totals D. Reconciliations

You answered D. The correct answer is B. A. A sample of transactions may be recalculated manually to ensure that processing is accomplishing the anticipated task. Recalculations are performed after the output phase. B. Processing controls should be implemented as close as possible to the point of data entry. Limit checks are one type of input validation check that provides a preventive control to ensure that invalid data cannot be entered because values must fall within a predetermined limit. C. Run-to-run totals provide the ability to verify data values through the stages of application processing. Run-to-run total verification ensures that data read into the computer were accepted and then applied to the updating process. Run-to-run totals are performed after the output phase. D. Reconciliation of file totals should be performed on a routine basis. Reconciliations may be performed through the use of a manually maintained account, a file control record or an independent control file. Reconciliations are performed after the output phase.
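The distinction the answer draws, as an added example that is not from the question bank: a limit check refuses an out-of-range value at the point of entry, so the bad record never reaches processing, whereas run-to-run totals carried between processing stages only detect, after the fact, that something went wrong between two runs. The payroll records, the policy bounds and the `drop_employee` fault that simulates a record lost during processing are all constructed for the example.

```python
# Assumed policy bounds for a payroll input screen (hypothetical values).
RATE_LIMITS = (10.00, 150.00)    # hourly rate
HOURS_LIMITS = (0.0, 80.0)       # hours per week


def limit_check(record):
    """Preventive input control: a value outside its predetermined range is
    refused before it reaches processing. Returns an error string or None."""
    lo, hi = RATE_LIMITS
    if not lo <= record["rate"] <= hi:
        return f"rate {record['rate']} outside {lo}-{hi}"
    lo, hi = HOURS_LIMITS
    if not lo <= record["hours"] <= hi:
        return f"hours {record['hours']} outside {lo}-{hi}"
    return None


def capture(records):
    """Data entry stage: split records into accepted and rejected."""
    accepted, rejected = [], []
    for r in records:
        err = limit_check(r)
        if err:
            rejected.append((r["emp"], err))
        else:
            accepted.append(r)
    return accepted, rejected


def control_totals(records):
    """Totals carried from one run to the next: a record count and a total of hours."""
    return {"count": len(records), "hours": round(sum(r["hours"] for r in records), 2)}


def compute_gross(records, drop_employee=None):
    """Processing stage. `drop_employee` is a constructed fault that silently
    loses one record, the kind of failure run-to-run totals exist to catch."""
    return [
        {**r, "gross": round(r["hours"] * r["rate"], 2)}
        for r in records
        if r["emp"] != drop_employee
    ]


def run_to_run_check(previous_run, this_run):
    """Detective control: the totals of consecutive runs must agree."""
    before, after = control_totals(previous_run), control_totals(this_run)
    return None if before == after else f"run-to-run mismatch: {before} -> {after}"


def process_payroll(timesheets, drop_employee=None):
    accepted, rejected = capture(timesheets)
    gross = compute_gross(accepted, drop_employee)
    return {
        "rejected_at_input": rejected,
        "run_to_run_error": run_to_run_check(accepted, gross),
        "total_gross": round(sum(g["gross"] for g in gross), 2),
    }


# Constructed timesheets. E3 and E4 carry the kind of keying errors that
# produce wrong output: 40 hours entered as 400, a rate of 25.00 entered as 2500.
TIMESHEETS = [
    {"emp": "E1", "hours": 40.0, "rate": 25.00},
    {"emp": "E2", "hours": 38.5, "rate": 30.00},
    {"emp": "E3", "hours": 400.0, "rate": 25.00},
    {"emp": "E4", "hours": 45.0, "rate": 2500.00},
]

if __name__ == "__main__":
    print(process_payroll(TIMESHEETS))
    print(process_payroll(TIMESHEETS, drop_employee="E2"))
```

Without the limit check, E3 and E4 would have flowed straight through to the output phase and only a recalculation or reconciliation of the payroll run would have exposed them; with it, the two keying errors never leave the entry screen. The run-to-run check is still worth having, but for a different failure: the second call shows it catching a record that went missing between runs, which no input control can prevent.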

Which of the following would be the MOST cost-effective recommendation for reducing the number of defects encountered during software development projects? A. Increase the time allocated for system testing. B. Implement formal software inspections. C. Increase the development staff. D. Require the sign-off of all project deliverables.

You answered D. The correct answer is B. A. Allowing more time for testing may discover more defects; however, little is revealed as to why the quality problems are occurring, and the cost of the extra testing and the cost of rectifying the defects found will be greater than if they had been discovered earlier in the development process. B. Inspections of code and design are a proven software quality technique. An advantage of this approach is that defects are identified before they propagate through the development life cycle. This reduces the cost of correction because less rework is involved. C. The ability of the development staff can have a bearing on the quality of what is produced; however, replacing staff can be expensive and disruptive, and the presence of a competent staff cannot guarantee quality in the absence of effective quality management processes. D. Sign-off of deliverables may help detect defects if signatories are diligent about reviewing deliverable content; however, this is difficult to enforce and may occur too late in the process to be cost-effective. Deliverable reviews normally do not go down to the same level of detail as software inspections.

Which of the following should an IS auditor review to understand project progress in terms of time, budget and deliverables for early detection of possible overruns and for projecting estimates at completion (EACs)? A. Function point analysis (FPA) B. Earned value analysis (EVA) C. Cost budget D. Program evaluation and review technique (PERT)

You answered D. The correct answer is B. A. Function point analysis (FPA) is an indirect measure of software size and complexity and, therefore, does not address the elements of time and budget. B. Earned value analysis (EVA) is an industry standard method for measuring a project's progress at any given point in time, forecasting its completion date and final cost, and analyzing variances in the schedule and budget as the project proceeds. It compares the planned amount of work with what has actually been completed to determine if the cost, schedule and work accomplished are progressing in accordance with the plan. EVA works most effectively if a well-formed work breakdown structure exists. C. Cost budgets do not address time. D. Program evaluation and review technique (PERT) aids time and deliverables management, but lacks projections for estimates at completion (EACs) and overall financial management.
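The EVA computation described in option B, worked through on a constructed project snapshot. This is an added example, not part of the ISACA question or any real project: the work packages, budgets, completion percentages and actual costs are invented sample data, and the 52-week planned duration is an assumption. The formulas are the standard EVA relationships (PV, EV, AC, SV, CV, SPI, CPI, and EAC = BAC / CPI).

```python
"""Earned value analysis (EVA) on a constructed project snapshot.

Added example, not from the ISACA question bank or any project the page
describes. The work packages, budgets, completion percentages and actual
costs are constructed sample data; the formulas are the standard EVA
relationships (PV, EV, AC, SV, CV, SPI, CPI, EAC = BAC / CPI).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class WorkPackage:
    name: str
    budget: float        # this package's share of the budget at completion (BAC)
    planned_pct: float   # fraction scheduled to be complete at the status date
    earned_pct: float    # fraction actually complete at the status date
    actual_cost: float   # cost incurred on the package to date


# Constructed snapshot at the status date, from a work breakdown structure
# with four packages; the page stresses that EVA needs a well-formed WBS.
SAMPLE_PACKAGES = (
    WorkPackage("Requirements", 20_000, 1.0, 1.0, 22_000),
    WorkPackage("Design", 30_000, 1.0, 0.8, 28_000),
    WorkPackage("Build", 50_000, 0.4, 0.2, 15_000),
    WorkPackage("Test", 20_000, 0.0, 0.0, 0),
)


def earned_value_metrics(packages):
    """Compute the EVA measures and the estimate at completion (EAC)."""
    bac = sum(p.budget for p in packages)
    pv = sum(p.budget * p.planned_pct for p in packages)   # planned value
    ev = sum(p.budget * p.earned_pct for p in packages)    # earned value
    ac = sum(p.actual_cost for p in packages)              # actual cost
    cpi = ev / ac if ac else 1.0    # cost performance index
    spi = ev / pv if pv else 1.0    # schedule performance index
    eac = bac / cpi if cpi else float("inf")  # assumes current cost efficiency continues
    return {
        "BAC": bac, "PV": pv, "EV": ev, "AC": ac,
        "SV": ev - pv, "CV": ev - ac,
        "SPI": spi, "CPI": cpi,
        "EAC": eac, "VAC": bac - eac,   # variance at completion
    }


def forecast_duration(planned_duration, spi):
    """Time estimate at completion: planned duration stretched by the SPI."""
    return planned_duration / spi if spi else float("inf")


def overrun_flags(metrics, tolerance=0.05):
    """Early-warning flags an auditor would raise; an index below 1 means behind plan."""
    flags = []
    if metrics["CPI"] < 1 - tolerance:
        flags.append(f"cost overrun: CPI={metrics['CPI']:.2f}, EAC={metrics['EAC']:,.0f}")
    if metrics["SPI"] < 1 - tolerance:
        flags.append(f"schedule slip: SPI={metrics['SPI']:.2f}")
    return flags


def sample_report():
    """Metrics, flags and forecast duration for the constructed snapshot (52-week plan assumed)."""
    m = earned_value_metrics(SAMPLE_PACKAGES)
    return m, overrun_flags(m), forecast_duration(52, m["SPI"])


if __name__ == "__main__":
    metrics, flags, weeks = sample_report()
    for k, v in metrics.items():
        print(f"{k:>4}: {v:,.2f}")
    print("forecast duration (weeks):", round(weeks, 1))
    print("\n".join(flags))
```

On the constructed data the project has spent 65,000 to earn 54,000 of a 120,000 budget, so CPI is about 0.83 and the EAC grows to roughly 144,000; SPI of about 0.77 stretches a 52-week plan to about 67 weeks. Those two indexes, read at each status date, are the early-warning signal the question is asking for.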

An IS auditor recommends that an initial validation control be programmed into a credit card transaction capture application. The initial validation process would MOST likely: A. check to ensure that the type of transaction is valid for the card type. B. verify the format of the number entered, then locate it on the database. C. ensure that the transaction entered is within the cardholder's credit limit. Incorrect D. confirm that the card is not shown as lost or stolen on the master file.

You answered D. The correct answer is B. A. The initial validation would not be used to check the transaction type—just the validity of the card number. B. The initial validation should confirm whether the card is valid. This validity is established through the card number and personal identification number (PIN) entered by the user. Based on this initial validation, all other validations will proceed. A validation control in data capture will ensure that the data entered are valid (i.e., can be processed by the system). If the data captured in the initial validation are not valid (if the card number or PIN do not match with the database), then the card will be rejected or captured per the controls in place. Once initial validation is completed, other validations specific to the card and cardholder would be performed. C. The initial validation is to prove the card number entered is valid—only then can the transaction amount be checked for approval from the bank. D. The verification that the card has not been reported as lost or stolen is only done after the card number has been validated as correctly entered.
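The ordering described in the explanation above (verify the number's format, locate it on the database, check the PIN, and only then run the card-specific checks), as an added example that is not part of the original question. It assumes the format check is the Luhn check digit, which the page does not name; the card master file is a constructed in-memory dictionary holding publicly known test card numbers; and the salted PBKDF2 PIN hash is a stand-in for the HSM-based PIN verification a real issuer uses.

```python
"""Initial validation of a captured card number: format, then lookup, then PIN.

Added example, not from the ISACA question bank. The page says the initial
validation verifies the number's format and then locates it on the database;
this block assumes the format check is the Luhn check digit, which the page
does not name, and models the card database as a constructed in-memory
dictionary of test card numbers. Real systems verify PINs inside an HSM; the
salted PBKDF2 hash below is a stand-in for that.
"""
import hashlib
import hmac
import re

PAN_PATTERN = re.compile(r"\d{13,19}")   # assumed PAN length range


def luhn_valid(pan: str) -> bool:
    """Luhn check digit. Catches every single-digit keying error and every
    adjacent transposition except 09<->90, so most mistyped numbers are
    rejected before any database lookup happens."""
    total = 0
    parity = len(pan) % 2
    for i, ch in enumerate(pan):
        d = int(ch)
        if i % 2 == parity:      # every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def make_record(pin: str, status: str = "active"):
    salt = b"constructed-fixed-salt"   # constructed; use a random salt per record in practice
    return {"salt": salt, "pin_hash": hash_pin(pin, salt), "status": status}


# Constructed card master file keyed by PAN (test numbers only, not real accounts).
CARD_DB = {
    "4111111111111111": make_record("1234"),
    "5555555555554444": make_record("9876", status="lost"),
}


def initial_validation(pan: str, pin: str, card_db=CARD_DB):
    """Returns (ok, reason). Only a card that passes every step here moves on
    to the later checks (lost/stolen status, transaction type, credit limit)."""
    pan = pan.replace(" ", "")
    if not PAN_PATTERN.fullmatch(pan):
        return False, "format"        # rejected before any lookup
    if not luhn_valid(pan):
        return False, "check digit"   # keying error: rejected before any lookup
    record = card_db.get(pan)
    if record is None:
        return False, "unknown card"
    if not hmac.compare_digest(hash_pin(pin, record["salt"]), record["pin_hash"]):
        return False, "pin"
    return True, "ok"


def authorize(pan: str, pin: str, amount: float, credit_limit: float = 1_000.0):
    """Full ordering: initial validation first, then the card-specific checks."""
    ok, reason = initial_validation(pan, pin)
    if not ok:
        return False, f"initial validation failed: {reason}"
    if CARD_DB[pan.replace(" ", "")]["status"] != "active":
        return False, "card reported lost or stolen"
    if amount > credit_limit:
        return False, "over credit limit"
    return True, "approved"


if __name__ == "__main__":
    for pan, pin, amt in [("4111 1111 1111 1111", "1234", 50.0),
                          ("4111111111111112", "1234", 50.0),
                          ("5555555555554444", "9876", 10.0)]:
        print(pan, authorize(pan, pin, amt))
```

The point the question makes is visible in `initial_validation`: a number that fails the format or check-digit test never reaches the database, so the lost/stolen and credit-limit checks in `authorize` are only ever run against a number that is known to be well-formed and on file.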

The use of object-oriented design and development techniques would MOST likely: Correct A. facilitate the ability to reuse modules. B. improve system performance. C. enhance control effectiveness. D. speed up the system development life cycle (SDLC).

You are correct, the answer is A. A. One of the major benefits of object-oriented design and development is the ability to reuse modules. B. Object-oriented design is not intended as a method of improving system performance. C. Control effectiveness is not an objective of object-oriented design and control effectiveness may, in fact, be reduced through this approach. D. The use of object-oriented design may speed up the system development life cycle (SDLC) for future projects through the reuse of modules, but it will not speed up development of the initial project.

Which of the following controls helps prevent duplication of vouchers during data entry? A. A range check B. Transposition and substitution C. A sequence check Incorrect D. A cyclic redundancy check (CRC)

You answered D. The correct answer is C. A. A range check only confirms that a value falls within an allowed range. A reused voucher number still falls within the range, so the check does not detect the duplicate. B. Transposition and substitution are encoding (cipher) techniques; they do nothing to establish unique voucher numbers. C. A sequence check verifies that voucher numbers arrive in ascending order, so a number that has already been used is rejected at entry, which prevents duplicate vouchers. D. A cyclic redundancy check (CRC) detects transmission errors in data received over a network; it is not an application-level data validation.
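The limit check and run-to-run totals from the earlier processing-controls question, together with the sequence check from this one, implemented over a constructed voucher batch. This is an added example, not code from the ISACA question bank: the field names, the 10,000.00 limit and the sample vouchers are assumptions.

```python
"""Application input and processing controls over a constructed voucher batch.

Added example, not from the ISACA question bank. It implements three
controls from the questions above: a limit check applied at the point of
entry, a sequence check that rejects duplicate or out-of-order voucher
numbers and reports gaps, and run-to-run totals carried from the capture
stage to the ledger update stage. Field names, the limit and the sample
batch are constructed assumptions.
"""
from decimal import Decimal

MAX_VOUCHER_AMOUNT = Decimal("10000.00")   # assumed business limit

# Constructed batch: one over-limit voucher, one duplicate number, one gap.
SAMPLE_BATCH = [
    {"voucher_no": 1001, "account": "A-100", "amount": Decimal("250.00")},
    {"voucher_no": 1002, "account": "A-200", "amount": Decimal("15000.00")},  # over limit
    {"voucher_no": 1003, "account": "A-100", "amount": Decimal("75.50")},
    {"voucher_no": 1003, "account": "A-300", "amount": Decimal("75.50")},     # duplicate number
    {"voucher_no": 1005, "account": "A-200", "amount": Decimal("120.00")},    # 1004 missing
]


def limit_check(amount: Decimal) -> bool:
    """Preventive input control: reject an amount outside the permitted range."""
    return Decimal("0.00") < amount <= MAX_VOUCHER_AMOUNT


def sequence_check(voucher_no: int, last_no, seen: set):
    """Returns (verdict, missing): verdict is 'ok', 'duplicate' or
    'out of sequence'; missing lists the numbers skipped since last_no."""
    if voucher_no in seen:
        return "duplicate", []
    if last_no is not None and voucher_no < last_no:
        return "out of sequence", []
    missing = list(range(last_no + 1, voucher_no)) if last_no is not None else []
    return "ok", missing


def process_batch(batch):
    """Capture stage: validate each voucher at entry. Update stage: post to
    the ledger and verify run-to-run totals between the two stages."""
    accepted, rejected, gaps = [], [], []
    seen, last_no = set(), None
    for v in batch:
        verdict, missing = sequence_check(v["voucher_no"], last_no, seen)
        if verdict != "ok":
            rejected.append((v["voucher_no"], verdict))
            continue
        seen.add(v["voucher_no"])
        last_no = v["voucher_no"]
        gaps.extend(missing)                     # gaps are reported, not rejected
        if not limit_check(v["amount"]):
            rejected.append((v["voucher_no"], "limit"))
            continue
        accepted.append(v)

    # Run-to-run totals: the control totals taken at capture must be
    # reproduced from the ledger after the update, or the run is not confirmed.
    capture_total = sum((v["amount"] for v in accepted), Decimal("0.00"))
    ledger = {}
    for v in accepted:
        ledger[v["account"]] = ledger.get(v["account"], Decimal("0.00")) + v["amount"]
    update_total = sum(ledger.values(), Decimal("0.00"))
    return {
        "accepted": len(accepted),
        "rejected": rejected,
        "gaps": gaps,
        "capture_total": capture_total,
        "update_total": update_total,
        "totals_agree": capture_total == update_total,
        "ledger": ledger,
    }


if __name__ == "__main__":
    for key, value in process_batch(SAMPLE_BATCH).items():
        print(f"{key}: {value}")
```

The sequence check runs before the limit check so that the voucher number is recorded as seen even when the amount is rejected; otherwise a corrected re-entry of the same voucher would be flagged as a gap rather than matched to its number.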

When evaluating the controls of an electronic data interchange (EDI) application, an IS auditor should PRIMARILY be concerned with the risk of: A. excessive transaction turnaround time. B. application interface failure. C. improper transaction authorization. Incorrect D. nonvalidated batch totals.

You answered D. The correct answer is C. A. An excessive turnaround time is an inconvenience, but not a serious risk. B. The failure of the application interface is a risk, but not the most serious issue. Usually such a problem is temporary and easily fixed. C. Foremost among the risks associated with electronic data interchange (EDI) is improper transaction authorization. Because the interaction between the trading parties is electronic, there is no inherent authentication of the sender; an unauthenticated, improperly authorized transaction poses a serious risk of financial loss. D. The integrity of EDI transactions is important, but not as significant as the risk of unauthorized transactions.

During the development of an application, quality assurance testing and user acceptance testing were combined. The MAJOR concern for an IS auditor reviewing the project is that there will be: A. increased maintenance. B. improper documentation of testing. C. improper acceptance of a program. Incorrect D. delays in problem resolution.

You answered D. The correct answer is C. A. The method of testing used will not affect the maintenance of the system. B. Both quality assurance testing and user acceptance testing are executed against a defined test plan, and combining them does not by itself affect how the testing is documented. C. The major risk of combining quality assurance testing and user acceptance testing is that the users may apply pressure to accept a program that meets their needs even though it does not meet quality assurance standards. D. The method of testing should not affect the time lines for problem resolution.

Which of the following considerations is the MOST important while evaluating a business case for the acquisition of a new accounting application? A. Total cost of ownership (TCO) of the application B. The resources required for implementation C. Return on investment (ROI) to the company Incorrect D. The cost and complexity of security requirements

You answered D. The correct answer is C. A. Total cost of ownership (TCO) of the application is important to understand the resource and budget requirements in the short and long term; however, decisions should be based on benefits realization from this investment. Therefore, return on investment (ROI) is the most important consideration. B. The resources required for implementation of the application are an important consideration; however, decisions should be based on benefits realization from this investment. Therefore, ROI should be carefully considered. C. The proposed ROI benefits, along with targets or metrics that can be measured, are the most important aspects of a business case. While reviewing the business case, it should be verified that the proposed ROI is achievable, does not make unreasonable assumptions and can be measured for success. (Benefits realization should look beyond project cycles to longer-term cycles that consider the total benefits and total costs throughout the life of the new system.) D. The cost and complexity of security requirements are important considerations, but they need to be weighed against the proposed benefits of the application. Therefore, ROI is more important.

An organization is migrating from a legacy system to an enterprise resource planning (ERP) system. While reviewing the data migration activity, the MOST important concern for the IS auditor is to determine that there is a: Correct A. correlation of semantic characteristics of the data migrated between the two systems. B. correlation of arithmetic characteristics of the data migrated between the two systems. C. correlation of functional characteristics of the processes between the two systems. D. relative efficiency of the processes between the two systems.

You are correct, the answer is A. A. Due to the fact that the two systems could have a different data representation, including the database schema, the IS auditor's main concern should be to verify that the interpretation of the data (structure) is the same in the new as it was in the old system. B. Arithmetic characteristics represent aspects of data structure and internal definition in the database and, therefore, are less important than the semantic characteristics. C. A review of the correlation of the functional characteristics between the two systems is not relevant to a data migration review. D. A review of the relative efficiencies of the processes between the two systems is not relevant to a data migration review.

Which of the following would be the BEST approach to ensure that sufficient test coverage will be achieved for a project with a strict end date and a fixed time to perform testing? Correct A. Requirements should be tested in terms of importance and frequency of use. B. Test coverage should be restricted to functional requirements. C. Automated tests should be performed through the use of scripting. D. The number of required test runs should be reduced by retesting only defect fixes.

You are correct, the answer is A. A. The idea is to maximize the usefulness of testing by concentrating on the most important aspects of the system and on the areas where defects represent the greatest risk to user acceptance. A further extension of this approach is to also consider the technical complexity of requirements because complexity tends to increase the likelihood of defects. B. The problem with testing only functional requirements is that nonfunctional requirement areas, such as usability and security, which are important to the overall quality of the system, are ignored. C. Increasing the efficiency of testing by automating test execution is a good idea. However, by itself, this approach does not ensure the appropriate targeting of test coverage and so is not as effective an alternative. D. Retesting only defect fixes has a considerable risk that it will not detect instances in which defect fixes may have caused the system to regress (i.e., introduced errors in parts of the system that were previously working correctly). For this reason, it is a good practice to undertake formal regression testing after defect fixes have been implemented.

Due to a reorganization, a business application system will be extended to other departments. Which of the following should be of the GREATEST concern for an IS auditor? Correct A. Process owners have not been identified. B. The billing cost allocation method has not been determined. C. Multiple application owners exist. D. A training program does not exist.

You are correct, the answer is A. A. When one application is expanded to multiple departments, it is important to ensure the mapping between the process owner and system functions. In the absence of a defined process owner, there may be issues in respect to monitoring or authorization controls. B. The allocation method of application usage cost is of less importance. C. The fact that multiple application owners exist is not a concern for an IS auditor as long as process owners have been identified. D. The fact that a training program does not exist would only be a minor concern for the IS auditor.

Which of the following is the MOST critical and contributes the greatest to the quality of data in a data warehouse? Correct A. Accuracy of the source data B. Credibility of the data source C. Accuracy of the extraction process D. Accuracy of the data transformation

You are correct, the answer is A. A. Accuracy of source data is a prerequisite for the quality of the data in a data warehouse. Inaccurate source data will corrupt the integrity of the data in the data warehouse. B. Credibility of the data source is important but would not change inaccurate data into quality (accurate) data. C. Accurate extraction processes are important but would not change inaccurate data into quality (accurate) data. D. Accurate transformation routines are important but would not change inaccurate data into quality (accurate) data.

When identifying an earlier project completion time, which is to be obtained by paying a premium for early completion, the activities that should be selected are those: A. whose sum of activity time is the shortest. Correct B. that have zero slack time. C. that give the longest possible completion time. D. whose sum of slack time is the shortest.

You are correct, the answer is B. A. Attention should focus on the tasks within the critical path that have no slack time, not on the activities with the shortest total time. B. A critical path's activity time is longer than that for any other path through the network. This path is important because if everything goes as scheduled, its length gives the shortest possible completion time for the overall project. Activities on the critical path become candidates for crashing (i.e., for reduction in their time by payment of a premium for early completion). Activities on the critical path have zero slack time and conversely, activities with zero slack time are on a critical path. By successively crashing activities on the critical path, a curve showing total project cost versus completion time can be obtained. C. The critical path is the longest path through the network, but selecting activities with the longest individual durations does not shorten the project unless those activities lie on the critical path. D. A task on the critical path has no slack time, so the sum of its slack is zero, not merely the shortest.

Many IT projects experience problems because the development time and/or resource requirements are underestimated. Which of the following techniques would provide the GREATEST assistance in developing an estimate of project duration? A. Function point analysis (FPA) Correct B. Program evaluation review technique (PERT) chart C. Rapid application development D. Object-oriented system development

You are correct, the answer is B. A. Function point analysis (FPA) is a technique for determining the size of a development task based on the number of function points. Function points are factors such as inputs, outputs, inquiries and logical internal files. While this will help determine the size of individual activities, it will not assist in determining project duration because there are many overlapping tasks. B. A program evaluation review technique (PERT) chart will help determine project duration once all the activities and the work involved with those activities are known. C. Rapid application development is a methodology that enables organizations to develop strategically important systems faster while reducing development costs and maintaining quality. D. Object-oriented system development is the process of solution specification and modeling but will not assist in calculating project duration.
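The PERT duration estimate from this question and the critical path and slack computation from the crashing question above, worked on a constructed activity network. This is an added example, not part of the ISACA question bank: the six activities and their three-point estimates are invented, and the expected-time formula (o + 4m + p) / 6 is the standard PERT weighting.

```python
"""PERT expected durations and critical path slack for a constructed activity network.

Added example, not from the ISACA question bank. Each activity carries
optimistic, most likely and pessimistic estimates; the PERT expected time is
(o + 4m + p) / 6. A forward pass gives earliest start/finish, a backward pass
gives latest start/finish, and slack = LS - ES. Zero-slack activities form the
critical path and are the candidates for crashing. The network is constructed.
"""
from collections import deque

# name: (optimistic, most_likely, pessimistic, predecessors)  -- constructed data
SAMPLE_NETWORK = {
    "A": (2, 4, 6, []),
    "B": (3, 6, 9, ["A"]),
    "C": (1, 2, 3, ["A"]),
    "D": (4, 5, 12, ["B"]),
    "E": (2, 3, 4, ["C"]),
    "F": (1, 2, 3, ["D", "E"]),
}


def pert_expected(o, m, p):
    """PERT weighted mean of the three estimates."""
    return (o + 4 * m + p) / 6


def topological_order(preds):
    """Kahn's algorithm; raises if the network has a cycle."""
    indeg = {n: len(ps) for n, ps in preds.items()}
    succ = {n: [] for n in preds}
    for n, ps in preds.items():
        for p in ps:
            succ[p].append(n)
    queue = deque(n for n, d in indeg.items() if d == 0)
    order = []
    while queue:
        n = queue.popleft()
        order.append(n)
        for s in succ[n]:
            indeg[s] -= 1
            if indeg[s] == 0:
                queue.append(s)
    if len(order) != len(preds):
        raise ValueError("activity network contains a cycle")
    return order, succ


def schedule(network):
    """Returns (project_duration, per-activity dict with duration, ES, EF, LS, LF, slack)."""
    dur = {n: pert_expected(o, m, p) for n, (o, m, p, _) in network.items()}
    preds = {n: ps for n, (_, _, _, ps) in network.items()}
    order, succ = topological_order(preds)

    es, ef = {}, {}
    for n in order:                                   # forward pass
        es[n] = max((ef[p] for p in preds[n]), default=0.0)
        ef[n] = es[n] + dur[n]
    project_duration = max(ef.values())

    ls, lf = {}, {}
    for n in reversed(order):                         # backward pass
        lf[n] = min((ls[s] for s in succ[n]), default=project_duration)
        ls[n] = lf[n] - dur[n]

    table = {
        n: {"duration": dur[n], "ES": es[n], "EF": ef[n],
            "LS": ls[n], "LF": lf[n], "slack": ls[n] - es[n]}
        for n in order
    }
    return project_duration, table


def crash_candidates(table, eps=1e-9):
    """Activities with zero slack: only shortening these shortens the project."""
    return [n for n, row in table.items() if abs(row["slack"]) < eps]


if __name__ == "__main__":
    total, rows = schedule(SAMPLE_NETWORK)
    print(f"expected project duration: {total}")
    for name, row in rows.items():
        print(name, {k: round(v, 2) for k, v in row.items()})
    print("crash candidates (critical path):", crash_candidates(rows))
```

On the constructed network the expected duration is 18 and the critical path is A, B, D, F; C and E each carry 7 units of slack, so paying a premium to shorten them would not bring the end date forward, which is the point of option B in the crashing question.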

An IS auditor finds that a system under development has 12 linked modules and each item of data can carry up to 10 definable attribute fields. The system handles several million transactions a year. Which of these techniques could an IS auditor use to estimate the size of the development effort? A. Program evaluation review technique (PERT) Correct B. Function point analysis (FPA) C. Counting source lines of code D. White box testing

You are correct, the answer is B. A. Program evaluation review technique (PERT) is a project management technique used in the planning and control of system projects; it schedules activities, it does not size them. B. Function point analysis (FPA) is a technique used to determine the size of a development task based on the number of function points. Function points are factors such as inputs, outputs, inquiries and logical internal files. C. The number of source lines of code gives a direct measure of program size, but it does not allow for the complexity that may be caused by having multiple, linked modules and a variety of inputs and outputs. D. White box testing involves a detailed review of the behavior of program code. It is a quality assurance technique suited to simpler applications during the design and building stage of development.

An organization is implementing an enterprise resource planning (ERP) application. Of the following, who is PRIMARILY responsible for overseeing the project to ensure that it is progressing in accordance with the project plan and that it will deliver the expected results? A. Project sponsor B. System development project team (SDPT) Correct C. Project steering committee D. User project team (UPT)

You are correct, the answer is C. A. A project sponsor is typically the senior manager in charge of the primary business unit that the application will support. The sponsor provides funding for the project and works closely with the project manager to define the critical success factors or metrics for the project. The project sponsor is not responsible for reviewing the progress of the project. B. A system development project team (SDPT) completes the assigned tasks, works according to the instructions of the project manager and communicates with the user project team. The SDPT is not responsible for overseeing the progress of the project. C. A project steering committee that provides an overall direction for the enterprise resource planning (ERP) implementation project is responsible for reviewing the project's progress to ensure that it will deliver the expected results. D. A user project team (UPT) completes the assigned tasks, communicates effectively with the system development team and works according to the advice of the project manager. A UPT is not responsible for reviewing the progress of the project.

The GREATEST advantage of using web services for the exchange of information between two systems is: A. secure communication. B. improved performance. Correct C. efficient interfacing. D. enhanced documentation.

You are correct, the answer is C. A. Communication is not necessarily more secure using web services. B. The use of web services will not necessarily increase performance. C. Web services facilitate the interoperable exchange of information between two systems regardless of the operating system or programming language used. D. There is no documentation benefit in using web services.

Which of the following is the MOST effective when determining the correctness of individual account balances migrated from one database to another? A. Compare the hash total before and after the migration. B. Verify that the number of records is the same for both databases. Correct C. Perform sample testing of the migrated account balances. D. Compare the control totals of all of the transactions.

You are correct, the answer is C. A. The hash total will only validate the data integrity at a batch level rather than at a transaction level. B. Databases are composed of records that can contain multiple fields. The number of records will not allow an IS auditor to ascertain whether some of these fields have been successfully migrated. C. Performing sample testing of the migrated account balances will involve the comparison of a selection of individual transactions from the database before and after the migration. D. Comparing the control totals does not imply that the records are complete or that individual values are accurate.
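The four checks from this question, applied to a pair of constructed account tables so that the difference between batch-level and record-level verification is visible. This is an added example, not part of the ISACA question bank: the source and target tables are invented, and the defect planted in the target (two balances swapped between accounts) is an assumed migration error chosen because it leaves every batch total intact.

```python
"""Batch-level totals versus record-level comparison after a data migration.

Added example, not from the ISACA question bank. Two constructed account
tables stand in for the source and target databases. The target has the
balances of two accounts swapped, the kind of key-mapping defect a migration
can introduce. Record count, hash total and control total all reconcile;
only comparing individual migrated balances finds the error.
"""
import random
from decimal import Decimal

# Constructed source table: account number -> balance
SOURCE = {
    "1001": Decimal("500.00"),
    "1002": Decimal("1250.00"),
    "1003": Decimal("80.00"),
    "1004": Decimal("2000.00"),
    "1005": Decimal("45.25"),
}
# Constructed migrated table: the balances of 1002 and 1004 are swapped
TARGET = dict(SOURCE)
TARGET["1002"], TARGET["1004"] = SOURCE["1004"], SOURCE["1002"]


def record_count(table):
    return len(table)


def hash_total(table):
    """Hash total: sum of a non-financial field (here the account numbers)."""
    return sum(int(k) for k in table)


def control_total(table):
    """Control total: sum of the balances across the whole table."""
    return sum(table.values(), Decimal("0.00"))


def batch_checks_agree(src, dst):
    """All three batch-level checks pass on the swapped tables."""
    return (record_count(src) == record_count(dst)
            and hash_total(src) == hash_total(dst)
            and control_total(src) == control_total(dst))


def compare_records(src, dst, account_ids):
    """Record-level comparison for the given accounts; returns the mismatches."""
    mismatches = []
    for acct in account_ids:
        s, d = src.get(acct), dst.get(acct)
        if s != d:
            mismatches.append((acct, s, d))
    return mismatches


def sample_test(src, dst, sample_size, seed=0):
    """Auditor's sample: a seeded random selection of accounts to recompute."""
    ids = random.Random(seed).sample(sorted(src), sample_size)
    return ids, compare_records(src, dst, ids)


if __name__ == "__main__":
    print("batch checks agree:", batch_checks_agree(SOURCE, TARGET))
    print("full comparison:", compare_records(SOURCE, TARGET, sorted(SOURCE)))
    print("sample of 2:", sample_test(SOURCE, TARGET, 2))
```

A sample only finds the defect if it happens to select one of the affected accounts, which is why sample size and selection method matter; where the tables are small enough, running `compare_records` over every key is the stronger test and the batch totals serve only as a quick completeness screen.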

Which of the following system and data conversion strategies provides the GREATEST redundancy? A. Direct cutover B. Pilot study C. Phased approach Correct D. Parallel run

You are correct, the answer is D. A. Direct cutover is actually quite risky because it does not provide for a "shake down period" nor does it provide an easy fallback option. B. A pilot study approach is performed incrementally, making rollback procedures difficult to execute. C. A phased approach is performed incrementally, making rollback procedures difficult to execute. D. Parallel runs are the safest—though the most expensive—approach because both the old and new systems are run, thus incurring what might appear to be double costs.

Which of the following BEST helps ensure that deviations from the project plan are identified? A. A project management framework B. A project management approach C. A project resource plan D. Project performance criteria

You did not answer the question. The correct answer is D. A. Establishment of a project management framework identifies the scope and boundaries of managing projects and the consistent method to be applied when initiating a project but does not define the criteria used to measure project success. B. A project management approach defines guidelines for project management processes and deliverables but does not define the criteria used to measure project success. C. A project resource plan defines the responsibilities, relationships, authorities and performance criteria of project team members but does not wholly define the criteria used to measure project success. D. To identify deviations from the project plan, project performance criteria must be established as a baseline. Successful completion of the project plan is indicative of project success.

An IS auditor is reviewing a project that is using an agile software development approach. Which of the following should the IS auditor expect to find? A. Use of a capability maturity model (CMM) B. Regular monitoring of task-level progress against schedule C. Extensive use of software development tools to maximize team productivity Correct D. Postiteration reviews that identify lessons learned for future use in the project

You are correct, the answer is D. A. The capability maturity model (CMM) places heavy emphasis on predefined formal processes and formal project management and software development deliverables, while agile software development projects, by contrast, rely on refinement of process as dictated by the particular needs of the project and team dynamics. B. Task-level tracking is not used because daily meetings identify challenges and impediments to the project. C. Agile projects make use of suitable development tools; however, tools are not seen as the primary means of achieving productivity. Team harmony, effective communications and collective ability to solve challenges are of greater importance. D. A key tenet of the agile approach to software project management is ongoing team learning to refine project management and software development processes as the project progresses. One of the best ways to achieve this is that the team considers and documents what worked well and what could have worked better at the end of each iteration and identifies improvements to be implemented in subsequent iterations. Additionally, less importance is placed on formal paper-based deliverables, with the preference being effective informal communication within the team and with key outside contributors. Agile projects produce releasable software in short iterations, typically ranging from four to eight weeks. This, in itself, instills considerable performance discipline within the team. This, combined with short daily meetings to agree on what the team is doing and the identification of any impediments, renders task-level tracking against a schedule redundant.

The editing/validation of data entered at a remote site would be performed MOST effectively at the: A. central processing site after running the application system. B. central processing site during the running of the application system. C. remote processing site after transmission of the data to the central processing site. Correct D. remote processing site prior to transmission of the data to the central processing site.

You are correct, the answer is D. A. Validating data prior to transmission is the most efficient method and saves the effort of transmitting or processing invalid data. Validating only after the application has run at the central site means invalid data has already been transmitted and processed. B. Validating during the central run is likewise later than necessary; however, because errors can be introduced during transmission, it is good practice to re-validate the data at the central processing site in addition to the remote-site validation. C. Validating at the remote site only after the data has already been transmitted is too late to be an effective control, because the invalid data has already reached the central site. D. It is important that the data entered from a remote site is edited and validated prior to transmission to the central processing site.

An IS auditor should ensure that review of online electronic funds transfer (EFT) reconciliation procedures should include: A. vouching. B. authorizations. C. corrections. Correct D. tracing.

You are correct, the answer is D. A. Vouching is usually performed during the funds transfer, not during the reconciliation effort. B. In online processing, authorizations are normally done automatically by the system, not during the reconciliation. C. Correction entries should be reviewed during a reconciliation; however, they are normally made by an individual other than the person entrusted with the reconciliation and are not as important as tracing. D. Tracing is a transaction reconciliation effort that involves following the transaction from the original source to its final destination. For electronic funds transfer (EFT) transactions, tracing may start from the customer's printed copy of the receipt, proceed through the system audit trails and logs, and finish by checking the master file records for the day's transactions.

Which of the following techniques would BEST help an IS auditor gain reasonable assurance that a project can meet its target date? Incorrect A. Estimation of the actual end date based on the completion percentages and estimated time to complete, taken from status reports B. Confirmation of the target date based on interviews with experienced managers and staff involved in the completion of the project deliverables C. Extrapolation of the overall end date based on completed work packages and current resources D. Calculation of the expected end date based on current resources and remaining available project budget

You did not answer the question. The correct answer is C. A. The IS auditor cannot rely on the accuracy of data in status reports for reasonable assurance. B. Interviews are a valuable source of information, but will not necessarily identify project challenges because the people being interviewed are involved in the project. C. Direct observation of results is better than estimates and qualitative information gained from interviews or status reports. Project managers and involved staff tend to underestimate the time needed for completion and the necessary time buffers for dependencies between tasks, while overestimating the completion percentage for tasks underway (i.e., the 80:20 rule). D. The calculation based on remaining budget does not take into account the speed at which the project has been progressing.
