Below are some of the questions collated for easy reference
of CISA aspirants. Please note that these questions are easily available from the net and collated domain-wise for easy reference.
CISA Question Bank-3
1. Which of the following is critical to the selection and acquisition of the correct operating system software?
A. Competitive bids
B. User department approval
C. Hardware configuration analysis
D. Purchasing department approval
The correct answer is: C. Hardware configuration analysis
Explanation: The purchase of operating system software is dependent on the fact that the software is compatible with the existing hardware. Choices A and D, although important, are not as important as choice C. Users do not normally approve the acquisition of operating systems software.

2. A single digitally signed instruction was given to a financial institution to credit a customer's account. The financial institution received the instruction three times and credited the account three times. Which of the following would be the MOST appropriate control against such multiple credits?
A. Encrypting the hash of the payment instruction with the public key of the financial institution
B. Affixing a time stamp to the instruction and using it to check for duplicate payments
C. Encrypting the hash of the payment instruction with the private key of the instructor
D. Affixing a time stamp to the hash of the instruction before having it digitally signed by the instructor
The correct answer is: B. Affixing a time stamp to the instruction and using it to check for duplicate payments
Explanation: Affixing a time stamp to the instruction and using it to check for duplicate payments makes the instruction unique. The financial institution can check that the instruction was not intercepted and replayed, and thus it could prevent crediting the account three times. Encrypting the hash of the payment instruction with the public key of the financial institution does not protect against replay; it only protects the confidentiality and integrity of the instruction. Encrypting the hash of the payment instruction with the private key of the instructor ensures the integrity of the instruction and nonrepudiation of the issued instruction. The process of creating a message digest requires applying a cryptographic hashing algorithm to the entire message. The receiver, upon decrypting the message digest, will recompute the hash using the same hashing algorithm and compare the result with what was sent. Hence, affixing a time stamp to the hash of the instruction before it is digitally signed by the instructor would violate the integrity requirements of a digital signature.
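The replay control from choice B, and the integrity failure of choice D, worked as an added example (constructed here; not from the question bank or any real payment system). It assumes a JSON instruction format, a fixed 300-second freshness window, and HMAC-SHA256 standing in for the instructor's private-key signature so that it runs with the standard library alone.

```python
"""Replay-resistant payment instructions (constructed example, not from the question bank).

Choice B: the instructor puts a time stamp inside the instruction before signing it,
and the receiving institution records the digest of every instruction it has already
credited.  HMAC-SHA256 stands in for the instructor's private-key signature (assumption)
so the example needs only the standard library.
"""
import hashlib
import hmac
import json

# Constructed demo key.  In a real deployment the instructor signs with a private key
# and the bank verifies with the matching public key.
SIGNING_KEY = b"constructed-demo-signing-key"


def digest_of(instruction: dict) -> str:
    """Canonical SHA-256 digest over the entire instruction, time stamp included."""
    body = json.dumps(instruction, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(body).hexdigest()


def sign_instruction(instruction: dict) -> dict:
    """Instructor side (choice B): hash the whole instruction, then sign the hash."""
    tag = hmac.new(SIGNING_KEY, digest_of(instruction).encode(), hashlib.sha256).hexdigest()
    return {"instruction": instruction, "signature": tag}


def sign_instruction_choice_d(instruction: dict, stamp: int) -> dict:
    """Choice D as the explanation describes it: the time stamp is affixed to the hash
    after hashing, so the signed value is not a hash the receiver can recompute."""
    stamped_hash = f"{digest_of(instruction)}|{stamp}"
    tag = hmac.new(SIGNING_KEY, stamped_hash.encode(), hashlib.sha256).hexdigest()
    return {"instruction": instruction, "signature": tag}


class ReceivingInstitution:
    """Bank side: verify the signature, enforce a freshness window, reject duplicates."""

    def __init__(self, window_seconds: int = 300):
        self.window = window_seconds
        self.processed = set()   # digests of instructions already credited
        self.balances = {}       # account -> total credited

    def process(self, signed: dict, now: int) -> str:
        instruction = signed["instruction"]
        digest = digest_of(instruction)
        expected = hmac.new(SIGNING_KEY, digest.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signed["signature"]):
            return "rejected: bad signature"
        stamp = instruction.get("timestamp")
        if stamp is None or abs(now - stamp) > self.window:
            return "rejected: missing or stale time stamp"
        if digest in self.processed:
            return "rejected: duplicate (replay)"
        self.processed.add(digest)
        account = instruction["account"]
        self.balances[account] = self.balances.get(account, 0) + instruction["amount"]
        return "credited"


def demo() -> dict:
    """Deliver one signed instruction three times; only the first delivery is credited."""
    bank = ReceivingInstitution()
    instr = {"account": "ACC-001", "amount": 250, "currency": "EUR", "timestamp": 1_700_000_000}
    signed = sign_instruction(instr)
    results = [bank.process(signed, now=1_700_000_010) for _ in range(3)]
    # Tampered amount: the recomputed hash no longer matches the signed one.
    tampered = {"instruction": {**instr, "amount": 2500}, "signature": signed["signature"]}
    tamper_result = bank.process(tampered, now=1_700_000_010)
    # Choice D: a genuine instruction fails verification because the receiver
    # cannot recompute the time-stamped hash from the instruction alone.
    choice_d = bank.process(sign_instruction_choice_d({**instr, "amount": 99}, 1_700_000_000),
                            now=1_700_000_010)
    return {"results": results, "balance": bank.balances["ACC-001"],
            "tampered": tamper_result, "choice_d": choice_d}


if __name__ == "__main__":
    print(demo())
```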
.......................................................................................................... 3. Assumptions while planning an IS project involve a high degree of risk because they are: A. based on known constraints. B. based on objective past data. C. a result of a lack of information. D. often made by unqualified people. The correct answer is: C. a result of a lack of information. Explanation: Assumptions are made when adequate information is
not available. When an IS project manager makes an assumption, there is a high degree of risk because the lack of proper information can cause unexpected loss to an IS project. Assumptions are not based on "known" constraints. When constraints are known in advance, a project manager can plan according to those constraints rather than assuming the constraints will not affect the project. Having objective data about past IS projects will not lead to making assumptions, but
rather helps the IS project manager in planning the project. Hence, if objective past data are available and the project manager makes use of them, the risk to the project is less. Regardless of whether they are made by qualified people or unqualified people, assumptions are risky. .......................................................................................................... 4. An existing system is being extensively enhanced by extracting and reusing design
and program components. This is an example of: A. reverse engineering. B. prototyping. C. software reuse. D. reengineering. The correct answer is: D. reengineering. Explanation: Old (legacy) systems that have been corrected, adapted and enhanced extensively require reengineering to remain maintainable. Reengineering is a rebuilding activity to incorporate new technologies into existing systems. Using program language statements, reverse engineering
involves reversing a program's machine code into the source code in which it was written to identify malicious content in a program, such as a virus, or to adapt a program written for use with one processor for use with a differently designed processor. Prototyping is the development of a system through controlled trial and error. Software reuse is the process of planning, analyzing and using previously developed software components. The reusable components are integrated
into the current software product systematically. .......................................................................................................... 5. When implementing an acquired system in a client-server environment, which of the following tests would confirm that the modifications in the Windows registry do not adversely impact the desktop environment? A. Sociability testing B. Parallel testing C. White box testing D. Validation testing The
correct answer is: A. Sociability testing Explanation: When implementing an acquired system in an client-server environment, sociability testing would confirm that the system can operate in the target environment without adversely impacting other systems. Parallel testing is the process of feeding test data to the old and new systems and comparing the results. White box testing is based on a close examination of procedural details, and validation testing tests the
functionality of the system against the detailed requirements to ensure that the software that has been built is traceable to customer requirements. .......................................................................................................... 6. Information for detecting unauthorized input from a terminal would be BEST provided by the: A. console log printout. B. transaction journal. C. automated suspense file listing. D. user error report. The
correct answer is: B. transaction journal. Explanation: The transaction journal would record all transaction activity, which then could be compared to the authorized source documents to identify any unauthorized input. A console log printout is not the best, because it would not record activity from a specific terminal. An automated suspense file listing would only list transaction activity where an edit error occurred, and the user error report would only list input
that resulted in an edit error. .......................................................................................................... 7. The IS auditor finds that a system under development has 12 linked modules and each item of data can carry up to 10 definable attribute fields. The system handles several million transactions a year. Which of these techniques could the IS auditor use to estimate the size of the development effort? A. Program evaluation review
technique (PERT) B. Counting source lines of code (SLOC) C. Function point analysis D. White box testing The correct answer is: C. Function point analysis Explanation: Function point analysis is an indirect method of measuring the size of an application by considering the number and complexity of its inputs, outputs and files. It is useful for evaluating complex applications. PERT is a project management technique that helps with both planning and control.
SLOC gives a direct measure of program size, but does not allow for the complexity that may be caused by having multiple, linked modules and a variety of inputs and outputs. White box testing involves a detailed review of the behavior of program code, and is a quality assurance technique suited to simpler applications during the design and build stage of development. ..........................................................................................................
8. The editing/validation of data entered at a remote site would be performed MOST effectively at the: A. central processing site after running the application system. B. central processing site during the running of the application system. C. remote processing site after transmission of the data to the central processing site. D. remote processing site prior to transmission of the data to the central processing site. The correct answer is: D. remote processing site
prior to transmission of the data to the central processing site. Explanation: It is important that the data entered from a remote site is edited and validated prior to transmission to the central processing site. .......................................................................................................... 9. Which of the following is the FIRST thing an IS auditor should do after the discovery of a Trojan horse program in a computer system? A. Investigate
the author. B. Remove any underlying threats. C. Establish compensating controls. D. Have the offending code removed. The correct answer is: D. Have the offending code removed. Explanation: The IS auditor's first duty is to prevent the Trojan horse from causing further damage. After removing the offending code, follow up actions would include investigation and recommendations (choices B and C).
.......................................................................................................... 10. The GREATEST benefit in implementing an expert system is the: A. capturing of the knowledge and experience of individuals in an organization. B. sharing of knowledge in a central repository. C. enhancement of personnel productivity and performance. D. reduction of employee turnover in key departments. The correct answer is: A. capturing of the knowledge and
experience of individuals in an organization. Explanation: The basis for an expert system is the capture and recording of the knowledge and experience of individuals in an organization. Coding and entering the knowledge in a central repository, shareable within the enterprise, is a means of facilitating the expert system. Enhancing personnel productivity and performance is a benefit; however, it is not as important as capturing the knowledge and experience. Employee
turnover is not necessarily affected by an expert system. .......................................................................................................... 11. An IS auditor reviewing a proposed application software acquisition should ensure that the: A. operating system (OS) being used is compatible with the existing hardware platform. B. planned OS updates have been scheduled to minimize negative impacts on company needs. C. OS has the latest versions and
updates. D. products are compatible with the current or planned OS. The correct answer is: D. products are compatible with the current or planned OS. Explanation: Choices A, B and C are incorrect because none of them is related to the area being audited. In reviewing the proposed application the auditor should ensure that the products to be purchased are compatible with the current or planned OS. Regarding choice A, if the OS is currently being used, it is
compatible with the existing hardware platform, because if it is not, it would not operate properly. In choice B, the planned OS updates should be scheduled to minimize negative impacts on the organization. For choice C, the installed OS should be equipped with the most recent versions and updates (with sufficient history and stability). .......................................................................................................... 12. Which of the following is
MOST likely to occur when a system development project is in the middle of the programming/coding phase? A. Unit tests B. Stress tests C. Regression tests D. Acceptance tests The correct answer is: A. Unit tests Explanation: During the programming phase, the development team should have mechanisms in place to ensure that coding is being developed to standard and is working correctly. Unit tests are key elements of that process in that they ensure that
individual programs are working correctly. They would normally be supported by code reviews. Stress tests, regression tests and acceptance tests would normally occur later in the development and testing phases. As part of the process of assessing compliance with quality processes, IS auditors should verify that such reviews are undertaken. .......................................................................................................... 13. An organization
planning to purchase a software package asks the IS auditor for a risk assessment. Which of the following is the MAJOR risk? A. Unavailability of the source code B. Lack of a vendor-quality certification C. Absence of vendor/client references D. Little vendor experience with the package The correct answer is: A. Unavailability of the source code Explanation: If the vendor goes out of business, not having the source code available would make it impossible
to update the (software) package. Lack of a vendor-quality certification, absence of vendor/client references and little vendor experience with the package are important issues but not critical. .......................................................................................................... 14. An IS auditor assigned to audit a reorganized process should FIRST review which of the following? A. A map of existing controls B. Eliminated controls C. Process
charts D. Compensating controls The correct answer is: C. Process charts Explanation: To ensure adequate control over the business process, the auditor should first review the flow charts showing the before and after processes. The process charts aid in analyzing the changes in the processes. The other choices—analyzing eliminated controls, ensuring that compensating controls are in place and analyzing the existing controls—are incorrect as each, performed
individually, would not be as effective and all-encompassing as reviewing the process charts. .......................................................................................................... 15. The PRIMARY benefit of integrating total quality management (TQM) into a software development project is: A. comprehensive documentation. B. on-time delivery. C. cost control. D. end-user satisfaction. The correct answer is: D. end-user satisfaction.
Explanation: Quality is ultimately a measure of end-user satisfaction. If the end user is not satisfied, then the product was not properly developed. Comprehensive documentation, on-time delivery and costs are all secondary to end-user satisfaction. .......................................................................................................... 16. When reviewing the quality of an IS department's development process, the IS auditor finds that he/she does not use
any formal, documented methodology and standards. The IS auditor's MOST appropriate action would be to: A. complete the audit and report the finding. B. investigate and recommend appropriate formal standards. C. document the informal standards and test for compliance. D. withdraw and recommend a further audit when standards are implemented. The correct answer is: C. document the informal standards and test for compliance. Explanation: The IS auditor's first
concern would be to ensure that projects are consistently managed. Where it is claimed that an internal standard exists, it is important to ensure that it is operated correctly, even when this means documenting the claimed standards first. Merely reporting the issue as a weakness and closing the audit without findings would not help the organization in any way and investigating formal methodologies may be unnecessary if the existing, informal standards prove to be adequate
and effective. .......................................................................................................... 17. During unit testing, the test strategy applied is: A. black box. B. white box. C. bottom-up. D. top-down. The correct answer is: B. white box. Explanation: White box testing examines the internal structure of a module. A programmer should perform this test for each module prior to integrating the module with others. Black box
testing focuses on the functional requirements and does not consider the control structure of the module. Choices C and D are not correct because these tests require that several modules have already been assembled and tested. .......................................................................................................... 18. A decision support system (DSS): A. is aimed at solving highly structured problems. B. combines the use of models with nontraditional
data access and retrieval functions. C. emphasizes flexibility in the decision-making approach of users. D. supports only structured decision-making tasks. The correct answer is: C. emphasizes flexibility in the decision-making approach of users. Explanation: DSS emphasizes flexibility in the decision-making approach of users. It is aimed at solving lessstructured problems, combines the use of models and analytic techniques with traditional data access and
retrieval functions, and supports semistructured decision-making tasks. .......................................................................................................... 19. Which of the following phases represents the optimum point for software baselining to occur? A. Testing B. Design C. Requirement D. Development The correct answer is: B. Design Explanation: Software baselining is the cut-off point in the design and development of an
application, beyond which change should not occur without undergoing formal procedures for approval and should be supported by a cost-benefit business impact analysis. The optimum point for software baselining to occur is the design phase. .......................................................................................................... 20. A proposed transaction processing application will have many data capture sources and outputs in paper and electronic form.
To ensure that transactions are not lost during processing, the IS auditor should recommend the inclusion of: A. validation controls. B. internal credibility checks. C. clerical control procedures. D. automated systems balancing. The correct answer is: D. automated systems balancing. Explanation: Automated systems balancing would be the best way to ensure that no transactions are lost as any imbalance between total inputs and total outputs would be
reported for investigation and correction. Validation controls and internal credibility checks are certainly valid controls, but will not detect and report lost transactions. In addition, although a clerical procedure could be used to summarize and compare inputs and outputs, an automated process is less susceptible to error. .......................................................................................................... 21. When auditing the conversion of an
accounting system an IS auditor should verify the existence of a: A. control total check. B. validation check. C. completeness check. D. limit check. The correct answer is: A. control total check. Explanation: Tallying a control total of all accounts before and after conversion will assure the IS auditor that all amount data has been taken into the new system. Later one-to-one checking by users will assure that all the data has been converted. The
other choices are incorrect. Validation checks, completeness checks and limit checks would be applied at the point at which the data are originally entered into the accounting system. .......................................................................................................... 22. A debugging tool, which reports on the sequence of steps executed by a program, is called a(n): A. output analyzer. B. memory dump. C. compiler. D. logic path
monitor. The correct answer is: D. logic path monitor. Explanation: Logic path monitors report on the sequence of steps executed by a program. This provides the programmer with clues to logic errors, if any, in the program. An output analyzer checks the results of a program for accuracy by comparing the expected results with the actual results. A memory dump provides a picture of the content of a computer's internal memory at any point in time, often when the
program is aborted, thus providing information on inconsistencies in data or parameter values. Though compilers have some potential to provide feedback to a programmer, they are not generally considered a debugging tool. .......................................................................................................... 23. Which of the following facilitates program maintenance? A. More cohesive and loosely coupled programs B. Less cohesive and loosely coupled
programs C. More cohesive and strongly coupled programs D. Less cohesive and strongly coupled programs The correct answer is: A. More cohesive and loosely coupled programs Explanation: Cohesion refers to the performance of a single, dedicated function by each program. Coupling refers to the independence of the comparable units. Loosely coupled units, when the program code is changed, will reduce the probability of affecting other program units. More cohesive
and loosely coupled units are best for maintenance. .......................................................................................................... 24. Which of the following ensures completeness and accuracy of accumulated data? A. Processing control procedures B. Data file control procedures C. Output controls D. Application controls The correct answer is: A. Processing control procedures Explanation: Processing controls ensure the
completeness and accuracy of accumulated data, for example, editing and run-to-run totals. Data file control procedures ensure that only authorized processing occurs to stored data, for example, transaction logs. Output controls ensure that data delivered to users will be presented, formatted and delivered in a consistent and secure manner, for example, using report distribution. "Application controls" is a general term comprising all kinds of controls used in an
application. .......................................................................................................... 25. The MAJOR concern for an IS auditor reviewing a CASE environment should be that the use of CASE does not automatically: A. result in a correct capture of requirements. B. ensure that desirable application controls have been implemented. C. produce ergonomic and user-friendly interfaces. D. generate efficient code. The correct answer is:
A. result in a correct capture of requirements. Explanation: The principal concern should be to ensure an alignment of the application with business needs and user requirements. While the CASE being used may provide tools to cover this crucial initial phase, a cooperative user-analyst interaction is always needed. Choice B should be the next concern. If the system meets business needs and user requirements, it should also incorporate all desirable controls. Controls have
to be specified since CASE can only automatically incorporate certain, rather low-level, controls (such as type of input data, e.g., date, expected). CASE will not (choice C) automatically generate ergonomic and user-friendly interfaces, but it should provide tools for easy (and automatically documented) tuning. CASE applications (choice D) generally come short of optimizing the use of hardware and software resources, precisely because they are designed to optimize other
elements, such as developers' effort or documentation. .......................................................................................................... 26. The MOST likely explanation for the use of applets in an Internet application is that: A. it is sent over the network from the server. B. the server does not run the program and the output is not sent over the network. C. they improve the performance of the web server and network. D. it is a JAVA program
downloaded through the web browser and executed by the web server of the client machine. The correct answer is: C. they improve the performance of the web server and network. Explanation: An applet is a JAVA program that is sent over the network from the web server, through a web browser, to the client machine. Then the code is run on the machine. Since the server does not run the program and the output is not sent over the network, the performance on the web
server and network, over which the server and client are connected, drastically improves through the use of applets. Performance improvement is more important than the reasons offered in choices A and B. Since JAVA virtual machine (JVM) is embedded in most web browsers, the applet download through the web browser runs on the client machine from the web browser, not from the web server, making choice D incorrect.
.......................................................................................................... 27. Ideally, stress testing should be carried out in a: A. test environment using test data. B. production environment using live workloads. C. test environment using live workloads. D. production environment using test data. The correct answer is: C. test environment using live workloads. Explanation: Stress testing is carried out to ensure a system can
cope with production workloads. A test environment should always be used to avoid damaging the production environment. Hence, testing should never take place in a production environment (choices B and D), and if only test data is used, there is no certainty that the system was stress tested adequately. .......................................................................................................... 28. Good quality software is BEST achieved: A. through thorough
testing. B. by finding and quickly correcting programming errors. C. by determining the amount of testing using the available time and budget. D. by applying well-defined processes and structured reviews throughout the project. The correct answer is: D. by applying well-defined processes and structured reviews throughout the project. Explanation: Testing can point to quality deficiencies, However, it cannot by itself fix them. Corrective action at this point in
the project is expensive. While it is necessary to detect and correct program errors, the bigger return comes from detecting defects as they occur in upstream phases, such as requirements and design. Choice C is representative of the most common mistake when applying quality management to a software project. It is seen as overhead, instead early removal of defects has a substantial payback. Rework is actually the largest cost driver on most software projects. Choice D
represents the core of achieving quality, that is, following a well-defined, consistent process and effectively reviewing key deliverables. .......................................................................................................... 29. A company undertakes a business process reengineering (BPR) project in support of a new and direct marketing approach to its customers. Which of the following would be the IS auditor's main concern about the new process? A.
Are key controls in place to protect assets and information resources? B. Does it address the corporate customer requirements? C. Does the system meet the performance goals (time and resources)? D. Have owners been identified who will be responsible for the process? The correct answer is: A. Are key controls in place to protect assets and information resources? Explanation: The audit team must advocate the inclusion of the key controls and verify that the controls are
in place before implementing the new process. Choices B, C and D are objectives that the BPR process should achieve, but they are not the auditor's primary concern. .......................................................................................................... 30. A company has contracted with an external consulting firm to implement a commercial financial system to replace its existing in-house-developed system. In reviewing the proposed development approach,
which of the following would be of GREATEST concern? A. Acceptance testing is to be managed by users. B. A quality plan is not part of the contracted deliverables. C. Not all business functions will be available on initial implementation. D. Prototyping is being used to confirm that the system meets business requirements. The correct answer is: B. A quality plan is not part of the contracted deliverables. Explanation: A quality plan is an essential element of all
projects. It is critical that the contracted supplier be required to produce such a plan. The quality plan for the proposed development contract should be comprehensive and encompass all phases of the development and include which business functions will be included and when. Acceptance is normally managed by the user area, since they must be satisfied that the new system will meet their requirements. If the system is large, a phased-in approach to implementing the
application is a reasonable approach. Prototyping is a valid method of ensuring that the system will meet business requirements.
..........................................................................................................
31. The use of a GANTT chart can: A. aid in scheduling project tasks. B. determine project checkpoints. C. ensure documentation standards. D. direct the postimplementation review.
The correct answer is: A. aid in scheduling project tasks.
Explanation: A GANTT chart is used in project control. It may aid in the identification of needed checkpoints, but its primary use is in scheduling. It will not ensure the completion of documentation nor will it provide direction for the postimplementation review.
..........................................................................................................
32. Using test data as part of a comprehensive test of program controls in a continuous online manner is called a(n): A. test data/deck. B. base-case system evaluation. C. integrated test facility (ITF). D. parallel simulation.
The correct answer is: B. base-case system evaluation.
Explanation: A base-case system evaluation uses test data sets developed as part of comprehensive testing programs. It is used to verify correct systems operations before acceptance, as well as periodic validation. Test data/deck simulates transactions through real programs. An ITF creates fictitious files in the database with test transactions processed simultaneously with live input. Parallel simulation is the production of data processed using computer programs that simulate application program logic.
..........................................................................................................
33. Testing the connection of two or more system components that pass information from one area to another is: A. pilot testing. B. parallel testing. C. interface testing. D. regression testing.
The correct answer is: C. interface testing.
Explanation: Interface testing is a hardware or software test that evaluates the connection of two or more components that pass information from one area to another. Pilot testing is a preliminary test that focuses on specific and predetermined aspects of a system and is not meant to replace other methods. Parallel testing is the process of feeding test data into two systems—the modified system and an alternative system—and comparing the results. Regression testing is the process of rerunning a portion of a test scenario or test plan to ensure that changes or corrections have not introduced new errors. The data used in regression testing is the same as the data used in the original test.
..........................................................................................................
34. Regression testing is the process of testing a program to determine if: A. the new code contains errors. B. discrepancies exist between functional specifications and performance. C. new requirements have been met. D. changes have introduced any errors in the unchanged code.
The correct answer is: D. changes have introduced any errors in the unchanged code.
Explanation: Regression testing is the process of rerunning a portion of a test scenario or test plan to ensure that changes or corrections have not introduced new errors. The data used in regression testing should be the same as the data used in the original test. Unit testing is used to determine if a new code contains errors or does not meet requirements.
..........................................................................................................
35. Which of the following groups/individuals should assume overall direction and responsibility for costs and timetables of system development projects? A. User management B. Project steering committee C. Senior management D. Systems development management
The correct answer is: B. Project steering committee
Explanation: The project steering committee is ultimately responsible for all costs and timetables. User management assumes ownership of the project and the resulting system. Senior management commits to the project and approves the resources necessary to complete the project. System development management provides technical support for the hardware and software environments by developing, installing and operating the requested system.
..........................................................................................................
36. The difference between white box testing and black box testing is that white box testing: A. involves the IS auditor. B. is performed by an independent programmer team. C. examines a program's internal logical structure. D. uses the bottom-up approach.
The correct answer is: C. examines a program's internal logical structure.
Explanation: Black box testing observes a system's external behavior, while white box testing is a detailed examination of a logical path, checking the possible conditions. The IS auditor need not be involved in either testing method. The bottom-up approach can be used in both tests. White box testing requires knowledge of the internals of the program or the module to be implemented/tested. Black box testing requires that the functionality of the program be known. The independent programmer team would not be aware of the application of a program in which they have not been involved; hence, the independent programmer team cannot provide any assistance in either of these testing approaches.
..........................................................................................................
37. An IS auditor reviewing a project, where quality is a major concern, should use the project management triangle to explain that a(n): A. increase in quality can be achieved, even if resource allocation is decreased. B. increase in quality is only achieved, if resource allocation is increased. C. decrease in delivery time can be achieved, even if resource allocation is decreased. D. decrease in delivery time can only be achieved, if quality is decreased.
The correct answer is: A. increase in quality can be achieved, even if resource allocation is decreased.
Explanation: The three primary dimensions of a project are determined by the deliverables, the allocated resources and the delivery time. The area of the project management triangle, composed of these three dimensions, is fixed. Depending on the degree of freedom, changes in one dimension might be compensated by changing either one or both remaining dimensions. Thus, if resource allocation is decreased, an increase in quality can be achieved if a delay in the delivery time of the project will be accepted. The area of the triangle always remains constant.
..........................................................................................................
38. Which of the following integrity tests examines the accuracy, completeness, consistency and authorization of data? A. Data B. Relational C. Domain D. Referential
The correct answer is: A. Data
Explanation: Data integrity testing examines the accuracy, completeness, consistency and authorization of data. Relational integrity testing detects modification to sensitive data by the use of control totals. Domain integrity testing verifies that data conforms to specifications. Referential integrity testing ensures that data exists in its parent or original file before it exists in the child or another file.
..........................................................................................................
39. Which of the following is MOST effective in controlling application maintenance? A. Informing users of the status of changes B. Establishing priorities on program changes C. Obtaining user approval of program changes D. Requiring documented user specifications for changes
The correct answer is: C. Obtaining user approval of program changes
Explanation: User approvals of program changes will ensure that changes are correct as specified by the user and that they are authorized. Therefore, erroneous or unauthorized changes are less likely to occur, minimizing system downtime and errors.
..........................................................................................................
40. Which of the following groups should assume ownership of a systems development project and the resulting system? A. User management B. Senior management C. Project steering committee D. Systems development management
The correct answer is: A. User management
Explanation: User management assumes ownership of the project and resulting system. They should review and approve deliverables as they are defined and accomplished. Senior management approves the project and the resources needed to complete it. The project steering committee provides overall direction and is responsible for monitoring costs and timetables. Systems development management provides technical support.
..........................................................................................................
41. To make an electronic funds transfer (EFT), one employee enters the amount field and another employee reenters the same data again, before the money is transferred. The control adopted by the organization in this case is: A. sequence check. B. key verification. C. check digit. D. completeness check.
The correct answer is: B. key verification.
Explanation: Key verification is a process in which keying-in is repeated by a separate individual using a machine that compares the original entry to the repeated entry. Sequence check refers to the continuity in serial numbers within the number range on documents. A check digit is a numeric value that has been calculated mathematically and added to data to ensure that the original data have not been altered or an incorrect, but valid, value substituted. Completeness checks ensure that all the characters required for a field have been input.
..........................................................................................................
42. An IS auditor is told by IS management that the organization has recently reached the highest level of the software capability maturity model (CMM). The software quality process MOST recently added by the organization is: A. continuous improvement. B. quantitative quality goals. C. a documented process. D. a process tailored to specific projects.
The correct answer is: A. continuous improvement.
Explanation: An organization would have reached the highest level of the software CMM at level 5, optimizing. Quantitative quality goals can be reached at level 4 and below, a documented process is executed at level 3 and below, and a process tailored to specific projects can be achieved at level 3 or below.
..........................................................................................................
43. The use of fourth-generation languages (4GLs) should be weighed carefully against using traditional languages, because 4GLs: A. can lack the lower-level detail commands necessary to perform data intensive operations. B. cannot be implemented on both the mainframe processors and microcomputers. C. generally contain complex language subsets that must be used by skilled users. D. cannot access database records and produce complex online outputs.
The correct answer is: A. can lack the lower-level detail commands necessary to perform data intensive operations.
Explanation: All of the answers are advantages of using 4GLs except that they can lack the lower-level detail commands necessary to perform data intensive operations. These operations are usually required when developing major applications.
..........................................................................................................
44. During the development of an application, the quality assurance testing and user acceptance testing were combined. The MAJOR concern for an IS auditor reviewing the project is that there will be: A. increased maintenance. B. improper documentation of testing. C. inadequate functional testing. D. delays in problem resolution.
The correct answer is: C. inadequate functional testing.
Explanation: The major risk of combining quality assurance testing and user acceptance testing is that functional testing may be inadequate. Choices A, B and D are not as important.
..........................................................................................................
45. An organization has contracted with a vendor for a turnkey solution for their electronic toll collection system (ETCS). The vendor has provided its proprietary application software as part of the solution. The contract should require that: A. a backup server be available to run ETCS operations with up-to-date data. B. a backup server be loaded with all the relevant software and data. C. the systems staff of the organization be trained to handle any event. D. source code of the ETCS application be placed in escrow.
The correct answer is: D. source code of the ETCS application be placed in escrow.
Explanation: Whenever proprietary application software is purchased, the contract should provide for a source code agreement. This will ensure that the purchasing company will have the opportunity to modify the software should the vendor cease to be in business. Having a backup server with current data and staff training is critical but not as critical as ensuring the availability of the source code.
..........................................................................................................
46. Which of the following is a dynamic analysis tool for the purpose of testing software modules? A. Black box test B. Desk checking C. Structured walk-through D. Design and code
The correct answer is: A. Black box test
Explanation: A black box test is a dynamic analysis tool for testing software modules. During the testing of software modules a black box test works first in a cohesive manner as a single unit/entity consisting of numerous modules, and second with the user data that flows across software modules. In some cases, this even drives the software behavior. In choices B, C and D, the software (design or code) remains static and somebody closely examines it by applying his/her mind, without actually activating the software. Hence, these cannot be referred to as dynamic analysis tools.
..........................................................................................................
47. The impact of EDI on internal controls will be: A. that fewer opportunities for review and authorization will exist. B. an inherent authentication. C. a proper distribution of EDI transactions while in the possession of third parties. D. that IPF management will have increased responsibilities over data center controls.
The correct answer is: A. that fewer opportunities for review and authorization will exist.
Explanation: EDI promotes a more efficient paperless environment, but at the same time, less human intervention makes review and authorization more difficult. Choice B is incorrect; since the interaction between parties is electronic, there is no inherent authentication occurring. Computerized data can look the same no matter what the source and does not include any distinguishing human element or signature. Choice C is incorrect because this is a security risk associated with EDI. Choice D is incorrect because there are relatively few, if any, additional data center controls associated with the implementation of EDI applications. Instead, more control will need to be exercised by the user's application system to replace manual controls, such as site reviews of documents. More emphasis will need to be placed on control over data transmission (network management controls).
..........................................................................................................
48. Which of the following tasks occurs during the research stage of the benchmarking process? A. Critical processes are identified. B. Benchmarking partners are visited. C. Findings are translated into core principles. D. Benchmarking partners are identified.
The correct answer is: D. Benchmarking partners are identified.
Explanation: During the research stage, the team collects data and identifies the benchmarking partners. In the planning stage, the team identifies the critical processes to be benchmarked. Visiting the benchmarking partners is performed in the observation stage. Translating the findings into core principles is performed during the adaptation stage.
..........................................................................................................
49. Which of the following would be a risk specifically associated with the agile development process? A. Lack of documentation B. Lack of testing C. Poor requirements definition D. Poor project management practices
The correct answer is: A. Lack of documentation
Explanation: Agile development relies on knowledge held by people within the organization, as opposed to external knowledge. The main issue is the necessity for providing compensating controls to ensure that changes and enhancements to the system can be made later on, even if the key personnel who know the implemented business logic leave the company. Lack of testing might be an issue, but without formal documentation it is difficult for an auditor to gather objective evidence. Rapid response to changing requirements is one strength of the agile development processes. Replanning the project at the end of each iteration, including reprioritizing requirements, identifying any new requirements and determining in which release delivered functionality is to be implemented, is a main aspect of the agile process. Applied project management practices are slightly different from those required for traditional methods of software development. The project manager's role shifts from one primarily concerned with planning the project, allocating tasks and monitoring progress, to that of a facilitator and advocate. Responsibility for planning and control shifts to the team members.
..........................................................................................................
50. An IS auditor evaluating data integrity in a transaction-driven system environment should review atomicity to determine whether: A. the database survives failures (hardware or software). B. each transaction is separated from other transactions. C. integrity conditions are maintained. D. a transaction is completed or a database is updated.
The correct answer is: D. a transaction is completed or a database is updated.
Explanation: This concept is included in the atomicity, consistency, isolation and durability (ACID) principle. Durability means that the database survives failures (hardware or software). Isolation means that each transaction is separated from other transactions. Consistency means that integrity conditions are maintained.
..........................................................................................................
51. In an electronic fund transfer (EFT) system, which of the following controls would be useful in detecting a duplication of messages? A. Message authentication code B. Digital signature C. Authorization sequence number D. Segregation of authorization
The correct answer is: C. Authorization sequence number
Explanation: All of these controls are necessary in an EFT system; however, the authorization sequence number is the control that will detect the duplication of a message. A message authentication code detects unauthorized modifications, a digital signature ensures nonrepudiation, and the segregation of the creation of the message and the authorization will avoid dummy messages.
..........................................................................................................
52. The request for proposal (RFP) for the acquisition of an application system would MOST likely be approved by the: A. project steering committee. B. project sponsor. C. project manager. D. user project team.
The correct answer is: A. project steering committee.
Explanation: A project steering committee usually consists of a senior representative from each function that will be affected by the new system and would be the most appropriate group to approve the RFP. The project sponsor provides funding for the project. The project manager and user project team are responsible for drafting the RFP.
..........................................................................................................
53. Which of the following types of testing would determine whether a new or modified system can operate in its target environment without adversely impacting other existing systems? A. Parallel testing B. Pilot testing C. Interface/integration testing D. Sociability testing
The correct answer is: D. Sociability testing
Explanation: The purpose of sociability testing is to confirm that a new or modified system can operate in its target environment without adversely impacting existing systems. This should cover the platform that will perform primary application processing and interfaces with other systems, as well as changes to the desktop in a client-server or web development. Parallel testing is the process of feeding data into two systems—the modified system and an alternate system—and comparing the results. In this approach, the old and new systems operate concurrently for a period of time and perform the same processing functions. Pilot testing takes place first at one location and is then extended to other locations. The purpose is to see if the new system operates satisfactorily in one place before implementing it at other locations. Interface/integration testing is a hardware or software test that evaluates the connection of two or more components that pass information from one area to another. The objective is to take unit-tested modules and build an integrated structure.
..........................................................................................................
54. An IS auditor recommends that an initial validation control be programmed into a credit card transaction capture application. The initial validation process would MOST likely: A. check to ensure that the type of transaction is valid for the card type. B. verify the format of the number entered then locate it on the database. C. ensure that the transaction entered is within the cardholder's credit limit. D. confirm that the card is not shown as lost or stolen on the master file.
The correct answer is: B. verify the format of the number entered then locate it on the database.
Explanation: The initial validation should confirm whether the card is valid. This validity is established through the card number and PIN entered by the user. Based on this initial validation, all other validations will proceed. A validation control in data capture will ensure that the data entered is valid (i.e., it can be processed by the system). If the data captured in the initial validation is not valid (if the card number or PIN do not match with the database), then the card will be rejected or captured per the controls in place. Once initial validation is completed, then other validations specific to the card and cardholder would be performed.
..........................................................................................................
55. The GREATEST advantage of rapid application development (RAD) over the traditional system development life cycle (SDLC) is that it: A. facilitates user involvement. B. allows early testing of technical features. C. facilitates conversion to the new system. D. shortens the development time frame.
The correct answer is: D. shortens the development time frame.
Explanation: The greatest advantage of RAD is the shorter time frame for the development of a system. Choices A and B are true, but they are also true for the traditional systems development life cycle. Choice C is not necessarily always true.
..........................................................................................................
56. A distinguishing feature of fourth-generation languages (4GLs) is portability, which means? A. Environmental independence B. Workbench concepts (i.e., temporary storage, test editing, etc.) C. Ability to design screen formats and develop graphical outputs D. Ability to execute online operations
The correct answer is: A. Environmental independence
Explanation: Portability describes the ability of 4GLs to execute across computer architectures, operating systems, mainframe processors and personal computers. Choices B, C and D are other attributes of 4GLs.
..........................................................................................................
57. Which of the following is a characteristic of timebox management? It: A. is not suitable for prototyping or rapid application development (RAD). B. eliminates the need for a quality process. C. prevents cost overruns and delivery delays. D. separates system and user acceptance testing.
The correct answer is: C. prevents cost overruns and delivery delays.
Explanation: Timebox management, by its nature, sets specific time and cost boundaries. It is very suitable for prototyping and RAD, and integrates system and user acceptance testing, but does not eliminate the need for a quality process.
..........................................................................................................
58. Which of the following represents the GREATEST potential risk in an EDI environment? A. Transaction authorization B. Loss or duplication of EDI transmissions C. Transmission delay D. Deletion or manipulation of transactions prior to or after establishment of application controls
The correct answer is: A. Transaction authorization
Explanation: Since the interaction between parties is electronic, there is no inherent authentication occurring; therefore, transaction authorization is the greatest risk. Choices B and D are examples of risks, but the impact is not as great as that of unauthorized transactions. Transmission delays may terminate the process or hold the line until the normal time for processing has elapsed; however, there will be no loss of data.
..........................................................................................................
59. When assessing the portability of a database application, the IS auditor should verify that: A. a structured query language (SQL) is used. B. information import and export procedures exist with other systems. C. indexes are used. D. all entities have a significant name and identified primary and foreign keys.
The correct answer is: A. a structured query language (SQL) is used.
Explanation: The use of an SQL is a key element for database portability. Import and export of information with other systems is an objective of a database interfaces review. The use of an index is an objective of a database access review, and the fact that all entities have a significant name and identified primary and foreign keys is an objective of a database design review.
..........................................................................................................
60. Which of the following types of controls is designed to provide the ability to verify data and record values through the stages of application processing? A. Range checks B. Run-to-run totals C. Limit checks on calculated amounts D. Exception reports
The correct answer is: B. Run-to-run totals
Explanation: Run-to-run totals provide the ability to verify data values through the stages of application processing. Run-to-run total verification ensures that data read into the computer were accepted and then applied to the updating process.
..........................................................................................................
61. During an application audit, the IS auditor finds several problems related to corrupted data in the database. Which of the following is a corrective control that the IS auditor should recommend? A. Implement data backup and recovery procedures. B. Define standards and closely monitor for compliance. C. Ensure that only authorized personnel can update the database. D. Establish controls to handle concurrent access problems.
The correct answer is: A. Implement data backup and recovery procedures.
Explanation: Implementing data backup and recovery procedures is a corrective control, because backup and recovery procedures can be used to roll back database errors. Defining or establishing standards is a preventive control, and monitoring for compliance is a detective control. Ensuring that only authorized personnel can update the database is a preventive control. Establishing controls to handle concurrent access problems is a preventive control.
..........................................................................................................
62. A manufacturing firm wants to automate its invoice payment system. Objectives state that the system should require considerably less time for review and authorization and the system should be capable of identifying errors that require follow up. Which of the following would BEST meet these objectives? A. Establishing an inter-networked system of client servers with suppliers for increased efficiencies B. Outsourcing the function to a firm specializing in automated payments and accounts receivable/invoice processing C. Establishing an EDI system of electronic business documents and transactions with key suppliers, computer to computer, in a standard format D. Reengineering the existing processing and redesigning the existing system
The correct answer is: C. Establishing an EDI system of electronic business documents and transactions with key suppliers, computer to computer, in a standard format
Explanation: EDI is the best answer. Properly implemented (e.g., agreements with trading partners, transaction standards, controls over network security mechanisms in conjunction with application controls), EDI is best suited to identify and follow up on errors more quickly, given reduced opportunities for review and authorization.
..........................................................................................................
63. Which of the following is the GREATEST risk when implementing a data warehouse? A. Increased response time on the production systems B. Access controls that are not adequate to prevent data modification C. Data duplication D. Data that is not updated or current
The correct answer is: B. Access controls that are not adequate to prevent data modification
Explanation: Once the data is in a warehouse, no modifications should be made to it and access controls should be in place to prevent data modification. Increased response time on the production systems is not a risk, because a data warehouse does not impact production data. Based on data replication, data duplication is inherent in a data warehouse. Transformation of data from operational systems to a data warehouse is done at predefined intervals, and as such, data may not be current.
..........................................................................................................
64. A financial institution is using an expert system for managing credit limits. An IS auditor reviewing the system should be MOST concerned with the: A. validation of data inputs into the system. B. level of experience and skills contained in the knowledge base. C. access control settings. D. implemented processing controls.
The correct answer is: B. level of experience and skills contained in the knowledge base.
Explanation: The level of experience or intelligence in the knowledge base is a key concern for the IS auditor, as decision errors based on a lack of knowledge could have a severe impact on the organization. Choices A, C and D are not as important as B.
..........................................................................................................
65. Which of the following is a strength of the program evaluation review technique (PERT) over other techniques? PERT: A. considers different scenarios for planning and control projects. B. allows the user to input program and system parameters. C. tests system maintenance processes accurately. D. estimates costs of system projects.
The correct answer is: A. considers different scenarios for planning and control projects.
Explanation: PERT considers different scenarios for planning and controlling projects. Three time estimates—optimistic, pessimistic and most likely—are used to create a level of uncertainty in the estimation of the time for individual activities.
..........................................................................................................
66. During the review of a web-based software development project, the IS auditor realizes that coding standards are not enforced and code reviews are rarely carried out. This will MOST likely increase the likelihood of a successful: A. buffer overflow. B. brute force attack. C. distributed denial-of-service attack. D. war dialing attack.
The correct answer is: A. buffer overflow.
Explanation: Poorly written code, especially in web-based applications, is often exploited by hackers using buffer overflow techniques. A brute-force attack is used to crack passwords. A distributed denial-of-service attack floods its target with numerous packets, to prevent it from responding to legitimate requests. War dialing uses modem-scanning tools to hack PBXs.
..........................................................................................................
67. When selecting software, which of the following business and technical issues is the MOST important to be considered? A. Vendor reputation B. Requirements of the organization C. Cost factors D. An installed base
The correct answer is: B. Requirements of the organization
Explanation: Establishing the requirements of the organization is a task that should be completed early in the process. Cost factors are a part of the analysis in the evaluation of software alternatives. A vendor's reputation and the installed base become important only after the requirements are met.
..........................................................................................................
68. An advantage of using sanitized live transactions in test data is that: A. all transaction types will be included. B. every error condition is likely to be tested. C. no special routines are required to assess the results. D. test transactions are representative of live processing.
The correct answer is: D. test transactions are representative of live processing.
Explanation: Test data will be representative of live processing; however, it is unlikely that all transaction types or error conditions will be tested in this way.
.......................................................................................................... 69. To reduce the possibility of losing data during processing, the FIRST point at which control totals should be implemented is: A. during data preparation. B. in transit to the computer. C. between related computer runs. D. during the return of the data to the user department. The correct answer is: A. during data preparation. Explanation: During
data preparation is the best answer, because it establishes control at the earliest point. .......................................................................................................... 70. In a data warehouse, data quality is achieved by: A. cleansing. B. restructuring. C. source data credibility. D. transformation. The correct answer is: C. source data credibility. Explanation: In a data warehouse system, the quality of data depends on the
quality of the originating source. Choices A, B and D relate to the composition of a data warehouse and do not affect data quality. Restructuring, transformation and cleansing all relate to reorganization of existing data within the database. .......................................................................................................... 71. Which of the following is used to ensure that batch data is completely and accurately transferred between two systems?
A. Control total B. Check digit C. Check sum D. Control account The correct answer is: A. Control total Explanation: A control total is frequently used as an easily recalculated control. The number of invoices in a batch or the value of invoices in a batch are examples of control totals. They provide a simple way of following an audit trail from a general ledger summary item to an individual transaction, and back. A check digit is a method of verifying the
accuracy of a single data item, such as a credit card number. Although a check sum is an excellent control over batch completeness and accuracy, it is not easily recalculated and, therefore, is not as commonly used in financial systems as a control total. Check sums are frequently used in data transfer as part of encryption protocols. Control accounts are used in financial systems to ensure that components that exchange summary information, such as a sales register and a
general ledger, can be reconciled. .......................................................................................................... 72. A number of system failures are occurring when corrections to previously detected errors are resubmitted for acceptance testing. This would indicate that the maintenance team is probably not adequately performing which of the following types of testing? A. Unit testing B. Integration testing C. Design walk-throughs D.
Configuration management The correct answer is: B. Integration testing Explanation: A common system maintenance problem is that errors are often corrected quickly (especially when deadlines are tight); units are tested by the programmer and then transferred to the acceptance test area; this often results in system problems that should have been detected during integration or system testing. Integration testing aims at ensuring that the major components of the
system interface correctly. .......................................................................................................... 73. An IS auditor performing a review of the EFT operations of a retailing company would verify that the customer's credit limit is checked before funds are transferred by reviewing the EFT: A. system's interface. B. switch facility. C. personal identification number generating procedure. D. operation backup procedures. The
correct answer is: A. system's interface. Explanation: At the application processing level, the IS auditor should review the interface between the EFT system and the application system that processes the accounts from which funds are transferred. Choice B is incorrect because an EFT switch is the facility that provides the communication linkage for all equipment in the network. Choices C and D are procedures that would not help determine if the customer's credit limit
is verified before the funds are transferred. .......................................................................................................... 74. The use of object-oriented design and development techniques would MOST likely: A. facilitate the ability to reuse modules. B. improve system performance. C. enhance control effectiveness. D. speed up the system development life cycle. The correct answer is: A. facilitate the ability to reuse modules.
Explanation: One of the major benefits of object-oriented design and development is the ability to reuse modules. The other options do not normally benefit from the object-oriented technique. .......................................................................................................... 75. A programmer included a routine into a payroll application to search for his/her own payroll number. As a result, if this payroll number does not appear during the payroll
run, a routine will generate and place random numbers onto every paycheck. This routine is known as: A. scavenging. B. data leakage. C. piggybacking. D. a Trojan horse. The correct answer is: D. a Trojan horse. Explanation: A Trojan horse is malicious code hidden in an authorized computer program. The hidden code will be executed whenever the authorized program is executed. In this case, as long as the perpetrator's payroll number is part of the
payroll process, nothing happens, but as soon as the payroll number is gone, havoc occurs. .......................................................................................................... 76. In an artificial intelligence system, access to which of the following components should be strictly controlled? A. Inference engine B. Explanation module C. Knowledge base D. Data interface The correct answer is: C. Knowledge base Explanation: The
knowledge base contains specific information or fact patterns associated with a particular subject matter and the rules for interpreting these facts; therefore, strict access controls should be implemented and monitored to ensure the integrity of the decision rules. The inference engine is a program that uses the knowledge base and determines the most appropriate outcome based on the information supplied by the user. The data interface enables the expert system to collect
data from nonhuman sources, for example, measurement instruments in a power plant. The explanation module aids the user in addressing the problem to be analyzed and provides the expert conclusion. .......................................................................................................... 77. During a postimplementation review, which of the following tools would an IS auditor use to get the picture of the internal memory's content at different stages in
the program execution? A. Memory dump B. Logic path monitor C. Trace utility D. Output analyzer The correct answer is: C. Trace utility Explanation: A trace utility is used to get the picture of the internal memory's content at different stages in the program execution to show the evolution of such things as counters and registers. Memory dump is used to get the picture of the internal memory's content at one point in time, mainly produced when the
program is aborted. Logic path monitor reports on the sequence of events achieved by the program, thus providing clues on logic errors. Output analyzers help check the results of program execution for accuracy. .......................................................................................................... 78. Which of the following is the MOST critical and contributes the MOST to the quality of data in a data warehouse? A. Accuracy of the source data B.
Credibility of the data source C. Accuracy of the extraction process D. Accuracy of the data transformation The correct answer is: A. Accuracy of the source data Explanation: Accuracy of source data is a prerequisite for the quality of the data in a data warehouse. Credibility of the data source is important, accurate extraction processes are important and accurate transformation routines are important but would not change inaccurate data into quality
(accurate) data. .......................................................................................................... 79. Peer reviews to detect software errors during a program development activity are called: A. emulation techniques. B. structured walk-throughs. C. modular program techniques. D. top-down program construction. The correct answer is: B. structured walk-throughs. Explanation: A structured walk-through is a management tool for
improving productivity. Structured walk-throughs can detect an incorrect or improper interpretation of the program specifications. This, in turn, improves the quality of system testing and the acceptance of the system. The other choices are methods or tools in the overall systems development process. .......................................................................................................... 80. A company has implemented a new client-server enterprise resource planning
(ERP) system. Local branches transmit customer orders to a central manufacturing facility. Which of the following would BEST ensure that the orders are entered accurately and the corresponding products are produced? A. Verifying production to customer orders B. Logging all customer orders in the ERP system C. Using hash totals in the order transmitting process D. Approving (production supervisor) orders prior to production The correct answer is: A. Verifying
production to customer orders Explanation: Verification will ensure that production orders match customer orders. Logging can be used to detect inaccuracies, but does not in itself guarantee accurate processing. Hash totals will ensure accurate order transmission, but not accurate processing centrally. Production supervisory approval is a time-consuming, manual process that does not guarantee proper control.
.......................................................................................................... 81. Once an organization has finished the business process reengineering (BPR) of all its critical operations, the IS auditor would MOST likely focus on a review of: A. pre-BPR process flowcharts. B. post-BPR process flowcharts. C. BPR project plans. D. continuous improvement and monitoring plans. The correct answer is: B. post-BPR process flowcharts.
Explanation: The IS auditor's task is to identify and ensure that key controls have been incorporated into the reengineered process. Choice A is incorrect because an IS auditor must review the process as it is today, not as it was in the past. Choices C and D are incorrect because they are steps within a BPR project. .......................................................................................................... 82. The primary purpose of a system test is
to: A. test the generation of the designed control totals. B. determine whether the documentation of the system is accurate. C. evaluate the system functionally. D. ensure that the system operators become familiar with the new system. The correct answer is: C. evaluate the system functionally. Explanation: The primary reason why a system is tested is to evaluate the entire system functionality.
.......................................................................................................... 83. When auditing the proposed acquisition of a new computer system, the IS auditor should FIRST establish that: A. a clear business case has been approved by management. B. corporate security standards will be met. C. users will be involved in the implementation plan. D. the new system will meet all required user functionality. The correct answer is: A. a
clear business case has been approved by management. Explanation: The first concern of the IS auditor should be to establish that the proposal meets the needs of the business, and this should be established by a clear business case. Although compliance with security standards is essential, as are meeting the needs of the users and having users involved in the implementation process, it is too early in the procurement process for these to be the IS auditor's first
concern. .......................................................................................................... 84. Which of the following is a check (control) for completeness? A. Check digits B. Parity bits C. One-for-one checking D. Prerecorded input The correct answer is: B. Parity bits Explanation: Parity bits are used to check for completeness of data transmissions. Choice A is incorrect because check digits are a control check for accuracy.
Choice C is incorrect because, in one-for-one checking, individual documents are matched to a detailed listing of documents processed by the computer, but this does not ensure that all documents have been received for processing. Choice D (prerecorded input) is a data file control for which selected information fields are preprinted on blank input forms to reduce the chance of input errors.
.......................................................................................................... 85. The phases and deliverables of a system development life cycle (SDLC) project should be determined: A. during the initial planning stages of the project. B. after early planning has been completed, but before work has begun. C. throughout the work stages, based on risks and exposures. D. only after all risks and exposures have been identified and the IS auditor
has recommended appropriate controls. The correct answer is: A. during the initial planning stages of the project. Explanation: It is extremely important that the project be planned properly and that the specific phases and deliverables be identified during the early stages of the project. .......................................................................................................... 86. Which of the following is MOST critical when creating data for
testing the logic in a new or modified application system? A. A sufficient quantity of data for each test case B. Data representing conditions that are expected in actual processing C. Completing the test on schedule D. A random sample of actual data The correct answer is: B. Data representing conditions that are expected in actual processing Explanation: Selecting the right kind of data is key in testing a computer system. The data should not only include
valid and invalid data but should be representative of actual processing. Quality is more important than quantity. It is more important to have adequate test data than to complete the testing on schedule. It is unlikely that a random sample of actual data would cover all test conditions and provide a reasonable representation of actual data. .......................................................................................................... 87. An IS auditor's PRIMARY
concern when application developers wish to use a copy of yesterday's production transaction file for volume tests is that: A. users may prefer to use contrived data for testing. B. unauthorized access to sensitive data may result. C. error handling and credibility checks may not be fully proven. D. the full functionality of the new process may not necessarily be tested. The correct answer is: B. unauthorized access to sensitive data may result. Explanation:
Unless the data are sanitized, there is a risk of disclosing sensitive data. .......................................................................................................... 88. When transmitting a payment instruction, which of the following will help verify that the instruction was not duplicated? A. Use of a cryptographic hashing algorithm B. Enciphering the message digest C. Deciphering the message digest D. A sequence number and time stamp The
correct answer is: D. A sequence number and time stamp Explanation: When transmitting data, a sequence number and/or time stamp built into the message to make it unique can be checked by the recipient to ensure that the message was not intercepted and replayed. This is known as replay protection and could be used to verify that a payment instruction was not duplicated. Use of a cryptographic hashing algorithm against the entire message helps achieve data integrity.
Enciphering the message digest with the sender's private key, which affixes the sender's digital signature to the document, helps authenticate the transaction. When the receiver deciphers the digest with the sender's public key, this confirms that the message could only have come from the sender. This process of sender authentication achieves nonrepudiation.
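The point of questions 2 and 88 is that a signature alone verifies three times for the same instruction; only a uniqueness field (sequence number and/or time stamp) lets the recipient notice the repeat. The following is an added example, not part of the original question bank: a receiver that first checks integrity, then freshness, then uniqueness, and refuses the second and third copies of one signed instruction. It uses an HMAC over a shared key as a stand-in for the private-key signature the explanation describes; the key, the 300-second acceptance window, the `Instruction` fields and the sample messages are all constructed for the example.

```python
"""Receiver-side replay protection for payment instructions (added example)."""
import hashlib
import hmac
from dataclasses import dataclass

SHARED_KEY = b"constructed-demo-key"   # constructed; stands in for the signer's private key
MAX_CLOCK_SKEW = 300                   # seconds; assumed acceptance window for time stamps


@dataclass(frozen=True)
class Instruction:
    sender: str
    sequence: int       # per-sender counter, incremented for every new instruction
    timestamp: int      # Unix seconds, set by the sender
    account: str
    amount_cents: int

    def canonical(self) -> bytes:
        # Fixed field order so sender and receiver authenticate identical bytes;
        # sequence and timestamp are inside the signed data, so they cannot be
        # stripped or altered without invalidating the tag.
        return (f"{self.sender}|{self.sequence}|{self.timestamp}|"
                f"{self.account}|{self.amount_cents}").encode()


def sign(instr: Instruction) -> str:
    """Authentication tag over the canonical instruction (HMAC stand-in for a signature)."""
    return hmac.new(SHARED_KEY, instr.canonical(), hashlib.sha256).hexdigest()


class Receiver:
    def __init__(self, now: int):
        self.now = now                 # receiver's clock, fixed for the example
        self.last_sequence: dict[str, int] = {}   # sender -> highest sequence accepted
        self.credits: list[tuple[str, int]] = []  # what actually got posted

    def process(self, instr: Instruction, tag: str) -> str:
        # 1. Integrity and origin: same check passes every time the message is replayed,
        #    which is why it cannot stop duplicates on its own.
        if not hmac.compare_digest(sign(instr), tag):
            return "rejected: bad signature"
        # 2. Freshness: a time stamp far outside the window is an old message being resent.
        if abs(self.now - instr.timestamp) > MAX_CLOCK_SKEW:
            return "rejected: stale timestamp"
        # 3. Uniqueness: sequence numbers must strictly increase per sender, so an exact
        #    copy of an accepted instruction (same sequence) is refused.
        if instr.sequence <= self.last_sequence.get(instr.sender, 0):
            return "rejected: duplicate or replayed sequence"
        self.last_sequence[instr.sender] = instr.sequence
        self.credits.append((instr.account, instr.amount_cents))
        return "credited"


def demo() -> tuple[list[str], list[tuple[str, int]]]:
    """Deliver one signed instruction three times, as in question 2."""
    now = 1_700_000_000
    rx = Receiver(now)
    instr = Instruction("branch-01", 41, now - 5, "ACCT-123", 250_00)  # constructed
    tag = sign(instr)
    results = [rx.process(instr, tag) for _ in range(3)]
    return results, rx.credits


if __name__ == "__main__":
    outcomes, posted = demo()
    for o in outcomes:
        print(o)
    print("credits posted:", posted)
```

A strictly increasing counter is the simplest store (one integer per sender) but rejects legitimately reordered messages; a receiver that must tolerate reordering keeps a set of seen (sender, sequence) pairs instead and prunes entries older than the time-stamp window, which is what bounds that set.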
.......................................................................................................... 89. A tax calculation program maintains several hundred tax rates. The BEST control to ensure that tax rates entered into the program are accurate is: A. an independent review of the transaction listing. B. a programmed edit check to prevent entry of invalid data. C. programmed reasonableness checks with a 20 percent data entry range. D. a visual verification of data
entered by the processing department. The correct answer is: A. an independent review of the transaction listing. Explanation: Tax rates represent critical data that will be used in numerous calculations and should be independently verified by someone other than the entry person before they are used in processing. Choices B and C are programmed controls that are useful for preventing gross errors, that is, errors such as an added zero or alpha instead of a numeric. A
tax table must be 100 percent accurate, not just readable. Choice D will allow the data entry person to check input accuracy, but it is not sufficient. .......................................................................................................... 90. Which of the following is often an advantage of using prototyping for systems development? A. The finished system will have adequate controls. B. The system will have adequate security/audit trail. C. It
reduces time to deployment. D. It is easy to achieve change control. The correct answer is: C. It reduces time to deployment. Explanation: Prototyping is the process of creating systems through controlled trial and error. This method of system development can provide the organization with significant time and cost savings. By focusing mainly on what the user wants and sees, developers may miss some of the controls that come from the traditional systems development
approach; therefore, a potential risk is that the finished system will have poor controls. In prototyping, changes in the designs and requirements occur quickly and are seldom documented or approved; hence, change control becomes more complicated with prototyped systems. .......................................................................................................... 91. An organization has an integrated development environment (IDE) on which the program
libraries reside on the server, but modification/development and testing are done from PC workstations. Which of the following would be a strength of an IDE? A. Controls the proliferation of multiple versions of programs B. Expands the programming resources and aids available C. Increases program and processing integrity D. Prevents valid changes from being overwritten by other changes The correct answer is: B. Expands the programming resources and aids available
Explanation: A strength of an IDE is that it expands the programming resources and aids available. The other choices are IDE weaknesses. .......................................................................................................... 92. Which of the following testing methods is MOST effective during the initial phases of prototyping? A. System B. Parallel C. Volume D. Top-down The correct answer is: D. Top-down Explanation: Top-down
testing starts with the system's major functions and works downward. The initial emphasis when using prototyping is to create screens and reports, thus shaping most of the proposed system's features in a short period. Volume and system testing is performed during final system testing phases. Parallel testing is not necessarily needed, especially if there is no old system with which to compare.
.......................................................................................................... 93. As a business process reengineering (BPR) project takes hold it is expected that: A. business priorities will remain stable. B. information technologies will not change. C. the process will improve product, service and profitability. D. input from clients and customers will no longer be necessary. The correct answer is: C. the process will improve product,
service and profitability. Explanation: As a reengineering process takes hold, certain key results will begin to emerge, including a concentration on process as a means of improving product, service and profitability. In addition, new business priorities and approaches to the use of information as well as powerful and more accessible information technologies will emerge. Often, the roles of clients and customers will be redefined, providing them with more direct and active
participation in the enterprise's business process. .......................................................................................................... 94. Responsibility and reporting lines cannot always be established when auditing automated systems since: A. diversified control makes ownership irrelevant. B. staff traditionally changes jobs with greater frequency. C. ownership is difficult to establish where resources are shared. D. duties change
frequently in the rapid development of technology. The correct answer is: C. ownership is difficult to establish where resources are shared. Explanation: Because of the diversified nature of both data and application systems, the actual owner of data and applications may be hard to establish. .......................................................................................................... 95. A retail company recently installed data warehousing client
software at geographically diverse sites. Due to time zone differences between the sites, updates to the warehouse are not synchronized. Which of the following will be affected the MOST? A. Data availability B. Data completeness C. Data redundancy D. Data inaccuracy The correct answer is: B. Data completeness Explanation: Unsynchronized updates will generally cause data completeness to be affected, for example, sales data from one site do not
necessarily match costs incurred in another site. .......................................................................................................... 96. The knowledge base of an expert system that uses questionnaires to lead the user through a series of choices before a conclusion is reached is known as: A. rules. B. decision trees. C. semantic nets. D. dataflow diagrams. The correct answer is: B. decision trees. Explanation: Decision trees use
questionnaires to lead a user through a series of choices until a conclusion is reached. Rules refer to the expression of declarative knowledge through the use of if-then relationships. Semantic nets consist of a graph in which nodes represent physical or conceptual objects and the arcs describe the relationship between the nodes. Semantic nets resemble a dataflow diagram and make use of an inheritance mechanism to prevent duplication of data.
.......................................................................................................... 97. Which of the following situations would increase the likelihood of fraud? A. Application programmers are implementing changes to production programs. B. Application programmers are implementing changes to test programs. C. Operations support staff are implementing changes to batch schedules. D. Database administrators are implementing changes to data structures.
The correct answer is: A. Application programmers are implementing changes to production programs. Explanation: Production programs are used for processing an enterprise's data. It is imperative that controls on changes to production programs are stringent. Lack of control in this area could result in application programs being modified to manipulate the data. Application programmers are required to implement changes to test programs. These are used only in development
and do not directly impact the live processing of data. The implementation of changes to batch schedules by operations support staff will affect the scheduling of the batches only; it does not impact the live data. Database administrators are required to implement changes to data structures. This is required for reorganization of the database to allow for additions, modifications or deletions of fields or tables in the database.
.......................................................................................................... 98. When planning to add personnel to tasks imposing time constraints on the duration of a project, which of the following should be revalidated FIRST? A. The project budget B. The critical path for the project C. The length of the remaining tasks D. The personnel assigned to other tasks The correct answer is: B. The critical path for the project
Explanation: Since adding resources may change the route of the critical path, the critical path must be reevaluated to ensure that additional resources will in fact shorten the project duration. Given that there may be slack time available on some of the other tasks not on the critical path, factors such as the project budget, the length of other tasks and the personnel assigned to them may or may not be affected.
.......................................................................................................... 99. Which of the following is the PRIMARY purpose for conducting parallel testing? A. To determine if the system is cost-effective B. To enable comprehensive unit and system testing C. To highlight errors in the program interfaces with files D. To ensure the new system meets user requirements The correct answer is: D. To ensure the new system meets user
requirements Explanation: The purpose of parallel testing is to ensure that the implementation of a new system will meet user requirements. Parallel testing may show that the old system is, in fact, better than the new system, but this is not the primary reason. Unit and system testing are completed before parallel testing. Program interfaces with files are tested for errors during system testing.
.......................................................................................................... 100. Prices are charged on the basis of a standard master file rate that changes as the volume increases. Any exceptions must be manually approved. What is the MOST effective automated control to help ensure that all price exceptions are approved? A. All amounts are displayed back to the data entry clerk, who must verify them visually. B. Prices outside the normal range
should be entered twice to verify data entry accuracy. C. The system beeps when price exceptions are entered and prints such occurrences on a report. D. A second-level password must be entered before a price exception can be processed. The correct answer is: D. A second-level password must be entered before a price exception can be processed. Explanation: Automated control should ensure that the system processes the price exceptions only upon approval of another
user who is authorized to approve such exceptions. A second-level password would ensure that price exceptions will be approved by a user who has been authorized by management. Visual verification of all amounts by a data entry clerk is not a control, but a basic requirement for any data entry. The user's ability to visually verify what has been entered is a basic manual control. Entering of price exceptions twice is an input control. This does not ensure that exceptions will
be verified automatically by another user. The system beeping on entry of a price exception is only a warning to the data entry clerk; it does not prevent proceeding further. Printing of these exceptions on a report is a detective (manual) control. .......................................................................................................... 101. The reason for establishing a stop or freezing point on the design of a new system is to: A. prevent further changes to
a project in process. B. indicate the point at which the design is to be completed. C. require that changes after that point be evaluated for cost-effectiveness. D. provide the project management team with more control over the project design. The correct answer is: C. require that changes after that point be evaluated for cost-effectiveness. Explanation: Projects often have a tendency to expand, especially during the requirements definition phase. This expansion
often grows to a point where the originally anticipated cost-benefits are diminished because the cost of the project has increased. When this occurs, it is recommended that the project be stopped or frozen to allow a re-review of all of the cost-benefits and the payback period. .......................................................................................................... 102. After discovering a security vulnerability in a third-party application that
interfaces with several external systems, a patch is applied to a significant number of modules. Which of the following tests should an IS auditor recommend? A. Stress B. Black box C. Interface D. System The correct answer is: D. System Explanation: Given the extensiveness of the patch and its interfaces to external systems, system testing is most appropriate. Interface testing is not enough, and stress or black box testing are inadequate in these
circumstances. .......................................................................................................... 103. A control that detects transmission errors by appending calculated bits onto the end of each segment of data is known as a: A. reasonableness check. B. parity check. C. redundancy check. D. check digits. The correct answer is: C. redundancy check. Explanation: A redundancy check detects transmission errors by appending
calculated bits onto the end of each segment of data. A reasonableness check compares data to predefined reasonability limits or occurrence rates established for the data. A parity check is a hardware control that detects data errors when data are read from one computer to another, from memory or during transmission. Check digits detect transposition and transcription errors.
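Questions 71, 84 and 103 distinguish four controls that are easy to confuse: a control total (record count or sum, recalculated by hand), a check sum over the whole batch (detects any alteration but is not hand-recalculable), a parity bit appended to a data unit (catches single-bit transmission errors, misses an even number of flips) and a check digit on a single item (catches transposition and transcription). The following is an added example, not part of the question bank, that runs each control over a small constructed invoice batch; the batch values, the SHA-256 choice for the check sum and the Luhn scheme for the check digit are assumptions made for the example.

```python
"""Batch transfer controls side by side: control totals, checksum, parity, check digit (added example)."""
import hashlib

# Constructed batch of invoices: (invoice_id, amount_cents)
BATCH = [("INV-001", 12_050), ("INV-002", 7_500), ("INV-003", 99_999)]


def control_totals(batch: list[tuple[str, int]]) -> tuple[int, int]:
    """Record count and hash total of amounts: cheap to recalculate, so it is the usual batch control."""
    return len(batch), sum(amount for _, amount in batch)


def batch_checksum(batch: list[tuple[str, int]]) -> str:
    """SHA-256 over a canonical serialization: any change flips the digest, but nobody recomputes this by hand."""
    payload = "\n".join(f"{inv},{amt}" for inv, amt in batch).encode()
    return hashlib.sha256(payload).hexdigest()


def even_parity_bit(byte: int) -> int:
    """Redundancy bit appended to one data unit: 1 when the byte has an odd number of 1 bits."""
    return bin(byte).count("1") % 2


def parity_ok(byte: int, parity: int) -> bool:
    """Receiver recomputes parity over the data bits and compares with the appended bit."""
    return even_parity_bit(byte) == parity


def luhn_check_digit(digits: str) -> int:
    """Luhn check digit for a numeric string that does not yet carry one."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:          # double every second digit, starting at the rightmost
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    """True when the last digit is the correct check digit for the preceding ones."""
    return luhn_check_digit(number[:-1]) == int(number[-1])


def verify_transfer(received, expected_count, expected_sum, expected_digest) -> list[str]:
    """Receiver side: which batch controls fire for the received batch."""
    count, total = control_totals(received)
    findings = []
    if count != expected_count:
        findings.append("record count mismatch")
    if total != expected_sum:
        findings.append("hash total mismatch")
    if batch_checksum(received) != expected_digest:
        findings.append("checksum mismatch")
    return findings


if __name__ == "__main__":
    count, total = control_totals(BATCH)
    digest = batch_checksum(BATCH)
    # Two compensating keying errors keep the totals intact; only the checksum notices.
    compensating = [("INV-001", 12_150), ("INV-002", 7_400), ("INV-003", 99_999)]
    print(verify_transfer(compensating, count, total, digest))
    # Parity: one flipped bit is caught, two flipped bits are not.
    print(parity_ok(0b10110011, even_parity_bit(0b10110010)), parity_ok(0b10110001, even_parity_bit(0b10110010)))
    # Check digit: a transposition in the account number is caught.
    print(luhn_valid("79927398713"), luhn_valid("79927398731"))
```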
..........................................................................................................
104. The quality assurance group is typically responsible for: A. ensuring that the output received from system processing is complete. B. monitoring the execution of computer processing tasks. C. ensuring that programs and program changes and documentation adhere to established standards. D. designing procedures to protect data against accidental disclosure, modification or destruction.
The correct answer is: C. ensuring that programs and program changes and documentation adhere to established standards.
Explanation: The quality assurance group is typically responsible for ensuring that programs, program changes and documentation adhere to established standards. Choice A is the responsibility of the data control group, choice B is the responsibility of computer operations, and choice D is the responsibility of data security.
..........................................................................................................
105. When implementing an application software package, which of the following presents the GREATEST risk? A. Uncontrolled multiple software versions B. Source programs that are not synchronized with object code C. Incorrectly set parameters D. Programming errors
The correct answer is: C. Incorrectly set parameters
Explanation: Parameters that are not set correctly would be the greatest concern when implementing an application software package. The other choices, though important, are a concern of the provider, not the organization that is implementing the software itself.
..........................................................................................................
106. Which of the following is a control weakness that can jeopardize a system replacement project? A. The project initiation document has not been updated to reflect changes in the system scope. B. A gap analysis comparing the chosen solution to the original specification has revealed a number of significant changes in functionality. C. The project has been subject to a number of requirement specification changes. D. The organization has decided that a project steering committee is not required.
The correct answer is: D. The organization has decided that a project steering committee is not required.
Explanation: Even in a small project, the lack of a project steering committee represents the absence of a fundamental control. The project initiation document captures the initial scope and structure of the project, and it is not practical to keep it updated, as changes to the project can be captured through change control procedures and committee decisions. A gap analysis is a process that enables differences to be identified and addressed. Changes of scope and requirements are significant risks that can have a major effect on project success; however, of themselves, they are not control weaknesses. They should be controlled by change control procedures.
..........................................................................................................
107. Which of the following is an implementation risk within the process of decision support systems? A. Management control B. Semistructured dimensions C. Inability to specify purpose and usage patterns D. Changes in decision processes
The correct answer is: C. Inability to specify purpose and usage patterns
Explanation: The inability to specify purpose and usage patterns is a risk that developers need to anticipate while implementing a decision support system (DSS). Choices A, B and D are not risks, but characteristics of a DSS.
..........................................................................................................
108. During the audit of an acquired software package, the IS auditor learned that the software purchase was based on information obtained through the Internet, rather than from responses to a request for proposal (RFP). The IS auditor should FIRST: A. test the software for compatibility with existing hardware. B. perform a gap analysis. C. review the licensing policy. D. ensure that the procedure had been approved.
The correct answer is: D. ensure that the procedure had been approved.
Explanation: In the case of a deviation from the predefined procedures, the IS auditor should first ensure that the procedure followed for acquiring the software is consistent with the business objectives and has been approved by the appropriate authorities. The other choices are not the first actions the IS auditor should take. They are steps that may or may not be taken after determining that the procedure used to acquire the software had been approved.
..........................................................................................................
109. An IS auditor that participates in the testing stage of a software development project establishes that the individual modules perform correctly. The IS auditor should: A. conclude that the individual modules running as a group will be correct. B. document the test as positive proof that the system can produce the desired results. C. inform management and recommend an integrated test. D. provide additional test data.
The correct answer is: C. inform management and recommend an integrated test.
Explanation: Modules that have been tested individually can have interface problems, causing adverse effects on other modules. Therefore, the most appropriate action for the IS auditor is to recommend that management carry out an integrated test, which will demonstrate whether the modules working together can produce the desired output. Running additional test data against individual modules will not prove the ability of the modules to work together.
..........................................................................................................
110. Which of the following represents a typical prototype of an interactive application? A. Screens and process programs B. Screens, interactive edits and sample reports C. Interactive edits, process programs and sample reports D. Screens, interactive edits, process programs and sample reports
The correct answer is: B. Screens, interactive edits and sample reports
Explanation: Process programs are not produced by a prototyping tool. This often leads to confusion for the end user who expects quick implementation of programs that accomplish the results that these tools produce.
..........................................................................................................
111. Functional acknowledgements are used: A. as an audit trail for EDI transactions. B. to functionally describe the IS department. C. to document user roles and responsibilities. D. as a functional description of application software.
The correct answer is: A. as an audit trail for EDI transactions.
Explanation: Functional acknowledgements are standard EDI transactions that tell trading partners that their electronic documents were received. Different types of functional acknowledgements provide various levels of detail and, therefore, can act as an audit trail for EDI transactions. The other choices are not relevant to the description of functional acknowledgements.
..........................................................................................................
112. Documentation of a business case used in an IT development project should be retained until: A. the end of the system's life cycle. B. the project is approved. C. user acceptance of the system. D. the system is in production.
The correct answer is: A. the end of the system's life cycle.
Explanation: A business case can and should be used throughout the life cycle of the product. It serves as an anchor for new (management) personnel, helps to maintain focus and provides valuable information on estimates vs. actuals. Questions like "why do we do that," "what was the original intent" and "how did we perform against the plan" can be answered and lessons for developing future business cases can be learned. During the development phase of a project one should always validate the business case, as it is a good management instrument. After finishing a project and entering production, the business case and all the research done are valuable sources of information that should be kept for further reference.
..........................................................................................................
113. An advantage in using a bottom-up vs. a top-down approach to software testing is that: A. interface errors are detected earlier. B. confidence in the system is achieved earlier. C. errors in critical modules are detected earlier. D. major functions and processing are tested earlier.
The correct answer is: C. errors in critical modules are detected earlier.
Explanation: The bottom-up approach to software testing begins with the testing of atomic units, such as programs and modules, and works upward until a complete system testing has taken place. The advantages of using a bottom-up approach to software testing are the fact that there is no need for stubs or drivers and errors in critical modules are found earlier. The other choices in this question all refer to advantages of a top-down approach, which follows the opposite path, either in depth-first or breadth-first search order.
..........................................................................................................
114. An objective of a postimplementation review of a new or extensively modified business application system is to: A. determine whether test data covered all scenarios. B. conduct a certification and accreditation process. C. assess whether expected project benefits were received. D. design audit trail reports.
The correct answer is: C. assess whether expected project benefits were received.
Explanation: Assessing whether expected project benefits were achieved would be one of the objectives of a postimplementation review. Determining whether test data covered all scenarios and conducting a certification and accreditation process are objectives of the implementation phase of application systems development. Designing audit trails is part of the design phase of the development.
..........................................................................................................
115. Which of the following would be the MOST likely to ensure that business requirements are met during software development? A. Adequate training B. Programmers that clearly understand the business processes C. Documentation of business rules D. Early engagement of key users
The correct answer is: D. Early engagement of key users
Explanation: Key users, since they are familiar with the daily needs, are the individuals that can provide the requirements to ensure the application developed will meet the business needs. Training would aid in learning how to use the system but would not provide the business requirements. Choices B and C are important; however, they will not, by themselves, ensure that requirements are met.
..........................................................................................................
116. Which of the following should be included in a feasibility study for a project to implement an EDI process? A. The encryption algorithm format B. The detailed internal control procedures C. The necessary communication protocols D. The proposed trusted third-party agreement
The correct answer is: C. The necessary communication protocols
Explanation: Encryption algorithms, third-party agreements and internal control procedures are too detailed for this phase. They would only be outlined and any cost or performance implications shown. The communications protocols must be included, as there may be significant cost implications, if new hardware and software are involved, and risk implications, if the technology is new to the organization.
..........................................................................................................
117. The responsibility for designing, implementing and maintaining a system of internal control lies with: A. the IS auditor. B. management. C. the external auditor. D. the programming staff.
The correct answer is: B. management.
Explanation: Designing, implementing and maintaining a system of internal controls, including the prevention and detection of fraud, is the responsibility of management. The IS auditor assesses the risks and performs tests to detect irregularities created by weaknesses in the structure of internal controls.
..........................................................................................................
118. A company uses a bank to process its weekly payroll. Time sheets and payroll adjustment forms (e.g., hourly rate changes, terminations) are completed and delivered to the bank, which prepares checks (cheques) and reports for distribution. To BEST ensure payroll data accuracy: A. payroll reports should be compared to input forms. B. gross payroll should be recalculated manually. C. checks (cheques) should be compared to input forms. D. checks (cheques) should be reconciled with output reports.
The correct answer is: A. payroll reports should be compared to input forms.
Explanation: The best way to confirm data accuracy, when input is provided by the company and output is generated by the bank, is to verify the data input (input forms) with the results of the payroll reports. Hence, comparing payroll reports with input forms is the best mechanism of verifying data accuracy. Recalculating gross payroll manually would only verify whether the processing is correct and not the data accuracy of inputs. Comparing checks (cheques) to input forms is not feasible as checks (cheques) have the processed information and input forms have the input data. Reconciling checks (cheques) with output reports only confirms that checks (cheques) have been issued as per output reports.
..........................................................................................................
119. Business units are concerned about the performance of a newly implemented system. Which of the following should the IS auditor recommend? A. Develop a baseline and monitor system usage. B. Define alternate processing procedures. C. Prepare the maintenance manual. D. Implement the changes users have suggested.
The correct answer is: A. Develop a baseline and monitor system usage.
Explanation: The IS auditor should recommend the development of a performance baseline and monitor the system's performance, against the baseline, to develop empirical data upon which decisions for modifying the system can be made. Alternate processing procedures and a maintenance manual will not alter a system's performance. Implementing changes without knowledge of the cause(s) for the perceived poor performance may not result in a more efficient system.
..........................................................................................................
120. At the end of the testing phase of software development, an IS auditor observes that an intermittent software error has not been corrected. No action has been taken to resolve the error. The IS auditor should: A. report the error as a finding and leave further exploration to the auditee's discretion. B. attempt to resolve the error. C. recommend that problem resolution be escalated. D. ignore the error, as it is not possible to get objective evidence for the software error.
The correct answer is: C. recommend that problem resolution be escalated.
Explanation: When an auditor observes such conditions, it is best to fully apprise the auditee and suggest that further problem resolutions be attempted. Recording it as a minor error and leaving it to the auditee's discretion would be inappropriate, and neglecting the error would indicate that the auditor has not taken steps to further probe the issue to its logical end.
..........................................................................................................
121. An organization is implementing a new system to replace a legacy system. Which of the following conversion practices creates the GREATEST risk? A. Pilot B. Parallel C. Direct cut-over D. Phased
The correct answer is: C. Direct cut-over
Explanation: Direct cut-over implies switching to the new system immediately, usually without the ability to revert to the old system in the event of problems. All other alternatives are done gradually and thus provide greater recoverability and are therefore less risky.
..........................................................................................................
122. Which of the following is the FIRST step in a business process reengineering (BPR) project? A. Defining the areas to be reviewed B. Developing a project plan C. Understanding the process under review D. Reengineering and streamlining the process under review
The correct answer is: A. Defining the areas to be reviewed
Explanation: On the basis of the evaluation of the entire business process, correctly defining the areas to be reviewed is the first step in a BPR project. On the basis of the definition of the areas to be reviewed, the project plan is developed. Understanding the process under review is important, but the subject of the review must be defined first. Thereafter, the process can be reengineered, streamlined, implemented and monitored for continuous improvement.
..........................................................................................................
123. An IS auditor finds out-of-range data in some tables of a database. Which of the following controls should the IS auditor recommend to avoid this situation? A. Log all table update transactions. B. Implement before-and-after image reporting. C. Use tracing and tagging. D. Implement integrity constraints in the database.
The correct answer is: D. Implement integrity constraints in the database.
Explanation: Implementing integrity constraints in the database is a preventive control, because data is checked against predefined tables or rules preventing any undefined data from being entered. Logging all table update transactions and implementing before-and-after image reporting are detective controls that would not avoid the situation. Tracing and tagging are used to test application systems and controls and could not prevent out-of-range data.
..........................................................................................................
124. An organization donating used computers should ensure that: A. the computers were not used to store confidential data. B. a nondisclosure agreement has been signed. C. the data storage media are sanitized. D. all data has been deleted.
The correct answer is: C. the data storage media are sanitized.
Explanation: To ensure confidentiality of the organization's data when disposing of used computers, the information stored on the computers should not be available once the computers are out of control of the organization. Destroying or sanitizing the storage media will provide this assurance. The next best method is to ensure that the computers were not used for storing confidential information. A signed nondisclosure agreement will not prevent sensitive data on the donated computers from being recovered. Deleting data does not remove it from storage.
..........................................................................................................
125. Which of the following is an advantage of prototyping? A. The finished system normally has strong internal controls. B. Prototype systems can provide significant time and cost savings. C. Change control is often less complicated with prototype systems. D. It ensures that functions or extras are not added to the intended system.
The correct answer is: B. Prototype systems can provide significant time and cost savings.
Explanation: Prototype systems can provide significant time and cost savings; however, they also have several disadvantages. They often have poor internal controls, change control becomes much more complicated, and prototyping often leads to functions or extras being added to the system that were not originally intended.
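Returning to question 123, an added example (Python with the built-in sqlite3 module, not from the question bank) contrasting the preventive control, CHECK constraints in the schema, with the detective ones, a change log carrying before-and-after images: the constrained table refuses the out-of-range rows outright, while the logged table accepts them and merely records that they arrived, so a later query still finds the bad data. The table, column names and sample rows are constructed.

```python
"""Integrity constraints (preventive) vs. update logging (detective) for out-of-range data.

Added illustration for CISA question 123; uses an in-memory SQLite database.
"""
import sqlite3

# Preventive: the valid ranges are part of the schema, so the engine rejects violations.
CONSTRAINED_SCHEMA = """
CREATE TABLE employee (
    emp_id     INTEGER PRIMARY KEY,
    age        INTEGER NOT NULL CHECK (age BETWEEN 16 AND 100),
    hourly_pay REAL    NOT NULL CHECK (hourly_pay > 0 AND hourly_pay <= 500),
    dept       TEXT    NOT NULL CHECK (dept IN ('HR', 'IT', 'OPS'))
);
"""

# Detective: no constraints, but triggers write a before/after image of every change.
LOGGED_SCHEMA = """
CREATE TABLE employee (
    emp_id     INTEGER PRIMARY KEY,
    age        INTEGER NOT NULL,
    hourly_pay REAL    NOT NULL,
    dept       TEXT    NOT NULL
);
CREATE TABLE employee_log (
    log_id    INTEGER PRIMARY KEY AUTOINCREMENT,
    action    TEXT,
    emp_id    INTEGER,
    old_image TEXT,
    new_image TEXT
);
CREATE TRIGGER employee_ins AFTER INSERT ON employee
BEGIN
    INSERT INTO employee_log (action, emp_id, old_image, new_image)
    VALUES ('INSERT', NEW.emp_id, NULL,
            NEW.age || '|' || NEW.hourly_pay || '|' || NEW.dept);
END;
CREATE TRIGGER employee_upd AFTER UPDATE ON employee
BEGIN
    INSERT INTO employee_log (action, emp_id, old_image, new_image)
    VALUES ('UPDATE', NEW.emp_id,
            OLD.age || '|' || OLD.hourly_pay || '|' || OLD.dept,
            NEW.age || '|' || NEW.hourly_pay || '|' || NEW.dept);
END;
"""


def open_db(schema: str) -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(schema)
    return conn


def try_insert(conn: sqlite3.Connection, emp_id: int, age: int,
               hourly_pay: float, dept: str) -> bool:
    """Return True if the row was stored, False if the database rejected it."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute(
                "INSERT INTO employee (emp_id, age, hourly_pay, dept) VALUES (?, ?, ?, ?)",
                (emp_id, age, hourly_pay, dept),
            )
        return True
    except sqlite3.IntegrityError:
        return False


def out_of_range_rows(conn: sqlite3.Connection) -> list:
    """Detective query an auditor would run: rows violating the business rules."""
    rows = conn.execute(
        "SELECT emp_id FROM employee WHERE age NOT BETWEEN 16 AND 100 "
        "OR hourly_pay <= 0 OR hourly_pay > 500 OR dept NOT IN ('HR', 'IT', 'OPS')"
    ).fetchall()
    return [r[0] for r in rows]


def demo() -> dict:
    # Constructed sample input: two valid rows, then an impossible age and a negative rate.
    rows = [(1, 34, 42.0, "IT"), (2, 29, 55.5, "HR"),
            (3, 250, 42.0, "IT"), (4, 41, -10.0, "OPS")]
    constrained = open_db(CONSTRAINED_SCHEMA)
    logged = open_db(LOGGED_SCHEMA)
    return {
        "constrained_accepted": [try_insert(constrained, *r) for r in rows],  # [T, T, F, F]
        "logged_accepted": [try_insert(logged, *r) for r in rows],            # [T, T, T, T]
        "constrained_bad_rows": out_of_range_rows(constrained),               # []
        "logged_bad_rows": out_of_range_rows(logged),                         # [3, 4]
        "logged_entries": logged.execute("SELECT COUNT(*) FROM employee_log").fetchone()[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```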
..........................................................................................................
126. Which is the first software capability maturity model (CMM) level to include a standard software development process? A. Initial (level 1) B. Repeatable (level 2) C. Defined (level 3) D. Optimizing (level 5)
The correct answer is: C. Defined (level 3)
Explanation: Based on lessons learned from level 1 (initial) and level 2 (repeatable), level 3 (defined) initiates documentation to provide standardized software processes across the organization. Level 1 (initial) is characterized as ad hoc, and reliance is placed on key personnel and processes are not documented. After level 1, level 2 (repeatable) creates a learning environment where disciplined processes can be repeated successfully on other projects of similar size and scope. The ability to quantitatively control software projects arises on attaining the final level (5) of CMM. At level 5, an organization is in a position to use continuous process improvement strategies in applying innovative solutions and state-of-the-art technologies to its software projects.
..........................................................................................................
127. The most common reason for the failure of information systems to meet the needs of users is that: A. user needs are constantly changing. B. the growth of user requirements was forecast inaccurately. C. the hardware system limits the number of concurrent users. D. user participation in defining the system's requirements was inadequate.
The correct answer is: D. user participation in defining the system's requirements was inadequate.
Explanation: Lack of adequate user involvement, especially in the system's requirements phase, will usually result in a system that does not fully or adequately address the needs of the user. Only users can define what their needs are and, therefore, what the system should accomplish.
..........................................................................................................
128. In planning a software development project, which of the following is the MOST difficult to determine? A. Project slack times B. The project's critical path C. Time and resource requirements for individual tasks D. Relationships that preclude the start of an activity before others are complete
The correct answer is: C. Time and resource requirements for individual tasks
Explanation: The most difficult problem is effectively estimating a project's slack time and/or resource requirements for individual tasks or development activities. This is commonly done through direct software measures [size-oriented, e.g., SLOC (source lines of code) or KLOC (thousand lines of code)] or indirect software measures (function points—values for a number of user inputs, outputs, inquiries, files and interfaces). The other choices are employed project management methods and techniques that are dependent on the effectiveness of methods used in deriving accurate and reliable software development productivity and performance measures.
..........................................................................................................
129. Which of the following is an object-oriented technology characteristic that permits an enhanced degree of security over data? A. Inheritance B. Dynamic warehousing C. Encapsulation D. Polymorphism
The correct answer is: C. Encapsulation
Explanation: Encapsulation is a property of objects, and it prevents accessing either properties or methods that have not been previously defined as public. This means that any implementation of the behavior of an object is not accessible. An object defines a communication interface with the exterior and only that which belongs to that interface can be accessed.
..........................................................................................................
130. If an application program is modified and proper system maintenance procedures are in place, which of the following should be tested? The: A. integrity of the database. B. access controls for the applications programmer. C. complete program, including any interface systems. D. segment of the program containing the revised code.
The correct answer is: C. complete program, including any interface systems.
Explanation: The complete program with all interfaces needs to be tested to determine the full impact of a change to program code. Usually, the more complex the program, the more testing is required.
..........................................................................................................
131. An IS auditor is conducting a review of an application system after users have completed acceptance testing. What should be the IS auditor's major concern? A. Determining whether test objectives were documented B. Assessing whether users documented expected test results C. Reviewing whether test problem logs were completed D. Determining if there are unresolved issues
The correct answer is: D. Determining if there are unresolved issues
Explanation: In assessing the overall success or failure of the acceptance test, the IS auditor should determine whether the test plans were documented and whether actual results were compared with expected results as well as review the test problem log to confirm resolution of identified test issues. The IS auditor should then determine the impact of the unresolved issues on system functionality and usability.
..........................................................................................................
132. When two or more systems are integrated, input/output controls must be reviewed by the IS auditor in the: A. systems receiving the output of other systems. B. systems sending output to other systems. C. systems sending and receiving data. D. interfaces between the two systems.
The correct answer is: C. systems sending and receiving data.
Explanation: Both of the systems must be reviewed for input/output controls, since the output for one system is the input for the other.
..........................................................................................................
133. An IS auditor performing a review of the IS department discovers that formal project approval procedures do not exist. In the absence of these procedures, the IS manager has been arbitrarily approving projects that can be completed in a short duration and referring other, more complicated projects to higher levels of management for approval. The IS auditor should recommend as a FIRST course of action that: A. users participate in the review and approval process. B. formal approval procedures be adopted and documented. C. projects be referred to appropriate levels of management for approval. D. the IS manager's job description be changed to include approval authority.
The correct answer is: B. formal approval procedures be adopted and documented.
Explanation: It is imperative that formal, written approval procedures are established to set accountability. This is true of the IS manager and higher levels of management. Choices A, C and D would be subsequent recommendations once authority has been established.
..........................................................................................................
134. An IS auditor performing an application maintenance audit would review the log of program changes for the: A. authorization of program changes. B. creation date of a current object module. C. number of program changes actually made. D. creation date of a current source program.
The correct answer is: A. authorization of program changes.
Explanation: The manual log will most likely contain information on authorized changes to a program. Deliberate, unauthorized changes will not be documented by the responsible party. An automated log, found usually in library management products, and not a change log would most likely contain date information for the source and executable modules.
..........................................................................................................
135. Which of the following is a management technique that enables organizations to develop strategically important systems faster, while reducing development costs and maintaining quality? A. Function point analysis B. Critical path methodology C. Rapid application development D. Program evaluation review technique
The correct answer is: C. Rapid application development
Explanation: Rapid application development is a management technique that enables organizations to develop strategically important systems faster, while reducing development costs and maintaining quality. The program evaluation review technique (PERT) and critical path methodology (CPM) are both planning and control techniques, while function point analysis is used for estimating the complexity of developing business applications.
..........................................................................................................
136. When reviewing a system development project at the project initiation stage, an IS auditor finds that the project team is following the organization's quality manual. To meet critical deadlines the project team proposes to fast track the validation and verification processes, commencing some elements before the previous deliverable is complete. Under these circumstances, the IS auditor would MOST likely: A. report this as a critical finding to senior management. B. accept that different quality processes can be adopted for each project. C. report to IS management the team's failure to follow quality procedures. D. report the risks associated with fast tracking to the project steering committee.
The correct answer is: D. report the risks associated with fast tracking to the project steering committee.
Explanation: It is important that quality processes are appropriate to individual projects. Processes that are inappropriate for a project are often abandoned under pressure. A fast-tracking process is an acceptable option under certain circumstances; however, it is important that the project steering committee is informed of the risks associated with this (i.e., possibility of rework if changes are required).
..........................................................................................................
137. A company has recently upgraded its purchase system to incorporate EDI transmissions. Which of the following controls should be implemented in the EDI interface to provide for efficient data mapping? A. Key verification B. One-for-one checking C. Manual recalculations D. Functional acknowledgements
The correct answer is: D. Functional acknowledgements
Explanation: Acting as an audit trail for EDI transactions, functional acknowledgements are one of the main controls used in data mapping. All the other choices are manual input controls, whereas data mapping deals with automatic integration of data in the receiving company.
..........................................................................................................
138. Which of the following development methods most heavily relies on the usage of a prototype that can be updated continually to meet changing user or business requirements? A. Data-oriented system development (DOD) B. Object-oriented system development (OOD) C. Business process reengineering (BPR) D. Rapid application development (RAD)
The correct answer is: D. Rapid application development (RAD)
Explanation: RAD uses prototyping as its core development tool no matter which underlying technology is used. In contrast, OOSD and DOSD use continuously developing models but have a focus on content solution space (e.g., How to best address the problem to make the code reusable and maintainable?) and can be applied using a traditional waterfall approach. It should also be noted that business process reengineering (BPR) attempts to convert an existing business process rather than make dynamic changes.
..........................................................................................................
139. The PRIMARY reason for separating the test and development environments is to: A. restrict access to systems under test. B. segregate user and development staff. C. control the stability of the test environment. D. secure access to systems under development.
The correct answer is: C. control the stability of the test environment.
Explanation: The test environment must be controlled and stable to ensure that development projects are tested in a realistic environment that, as far as possible, mirrors the live environment. Restricting access to test and development systems can be achieved easily by normal access control methods, and the mere separation of the environments will not provide adequate segregation of duties. The IS auditor must be aware of the benefits of separating these environments wherever possible.
..........................................................................................................
140. Functionality is a characteristic associated with evaluating the quality of software products throughout their life cycle, and is BEST described as the set of attributes that bear on the: A. existence of a set of functions and their specified properties. B. ability of the software to be transferred from one environment to another. C. capability of software to maintain its level of performance under stated conditions. D. relationship between the performance of the software and the amount of resources used.
The correct answer is: A. existence of a set of functions and their specified properties.
Explanation: Functionality is the set of attributes that bears on the existence of a set of functions and their specified properties. The functions are those that satisfy stated or implied needs. Choice B refers to portability, choice C refers to reliability and choice D refers to efficiency.
..........................................................................................................
141. Which of the following data validation edits could be used by a bank to ensure the correctness of bank account numbers assigned to customers, thereby helping to avoid transposition and transcription errors? A. Sequence check B. Validity check C. Check digit D. Existence check
The correct answer is: C. Check digit
Explanation: A check digit is a mathematically calculated value that is added to data to ensure that the original data have not been altered. This helps in avoiding transposition and transcription errors. Thus, a check digit can be added to an account number to check for accuracy. Sequence checks ensure that a number follows sequentially and any out-of-sequence or duplicate control numbers are rejected or noted on an exception report. Validity checks and existence checks match data against predetermined criteria to ensure accuracy.
..........................................................................................................
142. Which of the following will BEST ensure the successful offshore development of business applications? A. Stringent contract management practices B. Detailed and correctly applied specifications C. Awareness of cultural and political differences D. Postimplementation reviews
The correct answer is: B. Detailed and correctly applied specifications
Explanation: When dealing with offshore operations, it is essential that detailed specifications be created. Language differences and a lack of interaction between developers and physically remote end users could create gaps in communication in which assumptions and modifications may not be adequately communicated. Contract management practices, cultural and political differences, and postimplementation reviews, although important, are not as pivotal to the success of the project.
..........................................................................................................
143. A data validation edit that matches input data to an occurrence rate is a: A. limit check. B. reasonableness check. C. range check. D. validity check.
The correct answer is: B. reasonableness check.
Explanation: A reasonableness check is an edit check wherein input data are matched to predetermined reasonable limits or occurrence rates. Limit checks verify that data do not exceed a predetermined amount. Range checks verify that data are within a predetermined range of values. Validity checks test for data validity in accordance with predetermined criteria.
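The data validation edits behind questions 141 and 143 (and the completeness, check digit and duplicate checks asked about again in questions 147 and 156) in working form, as an added example that is not part of the question bank. The Luhn mod-10 scheme is used as one representative check digit algorithm, since the questions name none; the account numbers, limits and transactions are constructed.

```python
"""Data validation edits that this question bank asks about (check digit,
reasonableness, limit, range, completeness and duplicate checks), as an added
example that is not the bank's own material. The check digit uses the Luhn
mod-10 scheme as one representative algorithm; the questions name no scheme.
Account numbers, limits and transactions below are constructed sample data.
"""


def luhn_check_digit(body: str) -> str:
    """Compute the Luhn mod-10 check digit for a string of digits."""
    total = 0
    # Walk from the rightmost body digit; every other digit is doubled and,
    # if the product exceeds 9, reduced by 9 (the digit sum of the product).
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def has_valid_check_digit(account: str) -> bool:
    """True if the last digit of `account` is the check digit of the rest.
    A transposed or mistyped digit changes the recomputed check digit."""
    if not account.isdigit() or len(account) < 2:
        return False
    return luhn_check_digit(account[:-1]) == account[-1]


def completeness_check(value: str) -> bool:
    """Field must contain data, not blanks and not only zeros (Q147)."""
    stripped = value.strip()
    return bool(stripped) and set(stripped) != {"0"}


def limit_check(amount: float, limit: float) -> bool:
    """Data must not exceed a predetermined amount."""
    return amount <= limit


def range_check(value: int, low: int, high: int) -> bool:
    """Data must fall within a predetermined range of values."""
    return low <= value <= high


def reasonableness_check(observed: int, expected: int, tolerance: float) -> bool:
    """Occurrence-rate edit: the observed count must lie within `tolerance`
    (a fraction of `expected`) of the predetermined expected count."""
    return abs(observed - expected) <= tolerance * expected


def validate_transactions(txns, seen_ids=None) -> dict:
    """Run the edits over a batch and return {txn_id: [failed edit names]}
    for the transactions that failed at least one edit. `seen_ids` lets the
    duplicate check extend across batches already accepted."""
    seen = set(seen_ids or ())
    failures = {}
    for t in txns:
        failed = []
        if not completeness_check(t["account"]):
            failed.append("completeness")
        elif not has_valid_check_digit(t["account"]):
            failed.append("check_digit")
        if not limit_check(t["amount"], 10_000):      # constructed limit
            failed.append("limit")
        if not range_check(t["branch"], 1, 50):       # constructed branch range
            failed.append("range")
        if t["id"] in seen:
            failed.append("duplicate")
        seen.add(t["id"])
        if failed:
            failures[t["id"]] = failed
    return failures


# Constructed batch: T1 is clean, T2 transposes two digits of T1's account,
# T3 is an all-zero account, T4 breaches the amount limit and branch range,
# and the second T1 is a resubmission of the first.
SAMPLE_BATCH = [
    {"id": "T1", "account": "79927398713", "amount": 250.0, "branch": 7},
    {"id": "T2", "account": "79927389713", "amount": 250.0, "branch": 7},
    {"id": "T3", "account": "00000000000", "amount": 99.0, "branch": 3},
    {"id": "T4", "account": "79927398713", "amount": 25000.0, "branch": 60},
    {"id": "T1", "account": "79927398713", "amount": 250.0, "branch": 7},
]

if __name__ == "__main__":
    for txn_id, edits in validate_transactions(SAMPLE_BATCH).items():
        print(txn_id, "failed", ", ".join(edits))
    print("batch volume reasonable:",
          reasonableness_check(len(SAMPLE_BATCH), expected=4, tolerance=0.5))
```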
..........................................................................................................
144. When a new system is to be implemented within a short time frame, it is MOST important to: A. finish writing user manuals. B. perform user acceptance testing. C. add last-minute enhancements to functionalities. D. ensure that the code has been documented and reviewed.
The correct answer is: B. perform user acceptance testing.
Explanation: It would be most important to complete the user acceptance testing to ensure that the system to be implemented is working correctly. The completion of the user manuals is similar to the performance of code reviews. If time is tight, the last thing one would want to do is add another enhancement, as it would be necessary to freeze the code and complete the testing, then make any other changes as future enhancements. It would be appropriate to have the code documented and reviewed, but unless the acceptance testing is completed, there is no guarantee that the system will work correctly and meet user requirements.
..........................................................................................................
145. An IS auditor who has discovered unauthorized transactions during a review of EDI transactions is likely to recommend improving the: A. EDI trading partner agreements. B. physical controls for terminals. C. authentication techniques for sending and receiving messages. D. program change control procedures.
The correct answer is: C. authentication techniques for sending and receiving messages.
Explanation: Authentication techniques for sending and receiving messages play a key role in minimizing exposure to unauthorized transactions. The EDI trading partner agreements would minimize exposure to legal issues.
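Why message authentication (question 145) is a different control from a checksum on the amount field (question 171 later in this bank), shown on a constructed EDI-style payment message; this is an added example, not the bank's material. The segment layout, shared key and sample message are all assumptions made for the demonstration.

```python
"""Checksum versus message authentication on a constructed EDI-style payment
message, as an added example (not from the question bank). A checksum over the
amount field catches accidental modification but anyone can recompute it, so
it says nothing about who sent the message; an HMAC over the whole message
under the trading partners' shared key does. Segment layout, key and sample
message are all constructed here.
"""
import hashlib
import hmac
import zlib

# Assumed shared secret exchanged between the two trading partners out of band.
SHARED_KEY = b"constructed-demo-key-shared-by-both-partners"


def serialize(fields: dict) -> str:
    """Constructed segment encoding: fields in name order, '*' delimited."""
    return "*".join(f"{name}={fields[name]}" for name in sorted(fields))


def amount_checksum(amount: str) -> str:
    """CRC-32 over the amount field only, as an 8-hex-digit checksum."""
    return f"{zlib.crc32(amount.encode()) & 0xFFFFFFFF:08x}"


def attach_checksum(fields: dict) -> dict:
    """Sender-side step 1: add CHK computed over AMT."""
    out = dict(fields)
    out["CHK"] = amount_checksum(out["AMT"])
    return out


def compute_mac(fields: dict, key: bytes) -> str:
    """HMAC-SHA256 over every field except the MAC itself (CHK included)."""
    body = serialize({k: v for k, v in fields.items() if k != "MAC"})
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def attach_mac(fields: dict, key: bytes) -> dict:
    """Sender-side step 2: add MAC so the receiver can authenticate the sender."""
    out = dict(fields)
    out["MAC"] = compute_mac(out, key)
    return out


def receiver_verdict(fields: dict, key: bytes) -> dict:
    """Receiver recomputes both controls. 'checksum' answers 'was AMT changed
    in transit?'; 'authentic' answers 'did a key holder send exactly this?'."""
    checksum_ok = fields.get("CHK") == amount_checksum(fields.get("AMT", ""))
    mac_ok = hmac.compare_digest(fields.get("MAC", ""), compute_mac(fields, key))
    return {"checksum": checksum_ok, "authentic": mac_ok}


# Constructed payment order as the sender builds it (amount in cents).
ORIGINAL = {"ST": "820", "FROM": "PARTNER-A", "TO": "BANK-B",
            "ACCT": "79927398713", "AMT": "100000", "REF": "INV-0042"}


def scenarios(key: bytes = SHARED_KEY) -> dict:
    """Three receptions of the same order, as seen by the receiving partner."""
    sent = attach_mac(attach_checksum(ORIGINAL), key)
    # Transmission error: AMT garbled, CHK left as sent.
    garbled = dict(sent, AMT="100100")
    # Unauthorized modification by a party without the key: AMT changed and
    # CHK recomputed to match; the MAC cannot be recomputed and stays stale.
    altered = attach_checksum(dict(sent, AMT="999999"))
    return {
        "as_sent": receiver_verdict(sent, key),
        "garbled_in_transit": receiver_verdict(garbled, key),
        "altered_with_fresh_checksum": receiver_verdict(altered, key),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:28s} {verdict}")
```

The third scenario is the one the checksum alone cannot see: integrity of the amount field appears intact, and only the MAC reveals that the message is not what the key holder sent.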
..........................................................................................................
146. Which of the following should an IS auditor review to gain an understanding of the effectiveness of controls over the management of multiple projects? A. Project database B. Policy documents C. Project portfolio database D. Program organization
The correct answer is: C. Project portfolio database
Explanation: A project portfolio database is the basis for project portfolio management. It includes project data, such as owner, schedules, objectives, project type, status and cost. Project portfolio management requires specific project portfolio reports. A project database may contain the above for one specific project and updates to various parameters pertaining to the current status of that single project. Policy documents on project management set direction for the design, development, implementation and monitoring of the project. Program organization is the team required (steering committee, quality assurance, systems personnel, analyst, programmer, hardware support, etc.) to meet the delivery objective of the project.
..........................................................................................................
147. Which of the following types of data validation editing checks is used to determine if a field contains data, and not zeros or blanks? A. Check digit B. Existence check C. Completeness check D. Reasonableness check
The correct answer is: C. Completeness check
Explanation: A completeness check is used to determine if a field contains data and not zeros or blanks. A check digit is a digit calculated mathematically to ensure original data were not altered. An existence check also checks entered data for agreement to predetermined criteria. A reasonableness check matches input to predetermined reasonable limits or occurrence rates.
..........................................................................................................
148. During a postimplementation review of an enterprise resource management system, an IS auditor would MOST likely: A. review access control configuration. B. evaluate interface testing. C. review detailed design documentation. D. evaluate system testing.
The correct answer is: A. review access control configuration.
Explanation: Reviewing access control configuration would be the first task performed to determine whether security has been appropriately mapped in the system. Since a postimplementation review is done after user acceptance testing and actual implementation, one would not engage in interface testing or detailed design documentation. Evaluating interface testing would be part of the implementation process. The issue of reviewing detailed design documentation is not generally relevant to an enterprise resource management system, since these are usually vendor packages with user manuals. System testing should be performed before final user sign-off.
..........................................................................................................
149. In an online transaction processing system, data integrity is maintained by ensuring that a transaction is either completed in its entirety or not at all. This principle of data integrity is known as: A. isolation. B. consistency. C. atomicity. D. durability.
The correct answer is: C. atomicity.
Explanation: The principle of atomicity requires that a transaction be completed in its entirety or not at all. If an error or interruption occurs, all changes made up to that point are backed out. Consistency ensures that all integrity conditions in the database are maintained with each transaction. Isolation ensures that each transaction is isolated from other transactions, and hence, each transaction only accesses data that are part of a consistent database state. Durability ensures that, when a transaction has been reported back to a user as complete, the resultant changes to the database will survive subsequent hardware or software failures.
..........................................................................................................
150. Which of the following is the most important element in the design of a data warehouse? A. Quality of the metadata B. Speed of the transactions C. Volatility of the data D. Vulnerability of the system
The correct answer is: A. Quality of the metadata
Explanation: Quality of the metadata is the most important element in the design of a data warehouse. A data warehouse is a copy of transaction data specifically structured for query and analysis. Metadata aim to provide a table of contents to the information stored in the data warehouse. Companies that have built warehouses believe that metadata are the most important component of the warehouse.
..........................................................................................................
151. Which of the following activities should an IS auditor perform to evaluate the reliability of software? A. Review the number of failed login attempts. B. Count the number of program errors in a given period of execution time. C. Measure the response time of different requests. D. Interview users to assess the extent to which their requirements are met.
The correct answer is: B. Count the number of program errors in a given period of execution time.
Explanation: The number of program errors is a measure of the reliability of a system. The number of failed login attempts is a security issue but does not relate to reliability. Response time is an indicator of efficiency rather than reliability. User perception is an indicator of usability, not reliability.
..........................................................................................................
152. Many IT projects experience problems because the development time and/or resource requirements are underestimated. Which of the following techniques would provide the GREATEST assistance in developing an estimate of project duration? A. Function point analysis B. PERT chart C. Rapid application development D. Object-oriented system development
The correct answer is: B. PERT chart
Explanation: A PERT chart will help determine project duration once all the activities and the work involved in the activities are known. Function point analysis is a technique for determining the size of a development task based on the number of function points. Function points are factors such as inputs, outputs, inquiries, logical internal files, etc. While this will help determine the size of individual activities, it will not assist in determining project duration since there are many overlapping tasks. Rapid application development is a methodology that enables organizations to develop strategically important systems faster while reducing development costs and maintaining quality, and object-oriented system development is the process of solution specification and modeling.
..........................................................................................................
153. Which of the following is ultimately responsible for providing requirement specifications to the software development project team? A. Team leader B. Project sponsor C. System analyst D. Steering committee
The correct answer is: B. Project sponsor
Explanation: The project sponsor is the manager in charge of the business function, the owner of the data and the owner of the system under development. Providing functional specifications through functional users is the responsibility of the project sponsor. The other choices are incorrect. The team leader or project manager working with the project sponsor is responsible for the overall control of the project. The steering committee provides the overall direction and ensures representation of all areas impacted by the new system. The steering committee is responsible for monitoring the overall progress of the project, but is not responsible for the function being automated and, therefore, cannot provide requirement specifications. The system analyst, working from the specifications, designs the new application system.
..........................................................................................................
154. An enterprise has established a steering committee to oversee its e-business program. The steering committee would MOST likely be involved in the: A. documentation of requirements. B. escalation of project issues. C. design of interface controls. D. specification of reports.
The correct answer is: B. escalation of project issues.
Explanation: The function of the steering committee is to ensure the success of the project. If there are factors or issues that potentially could affect planned results, the steering committee should escalate them. Activities such as documentation of requirements, design of interface controls and specification of reports are the responsibility of the project team.
..........................................................................................................
155. A data warehouse is: A. object-oriented. B. subject-oriented. C. departmental specific. D. a volatile database.
The correct answer is: B. subject-oriented.
Explanation: Data warehouses are subject-oriented. The data warehouse is meant to help make decisions when the function(s) to be affected by the decision cut across departments within an organization. They are nonvolatile. Object orientation and volatility are irrelevant to a data warehouse system.
..........................................................................................................
156. Which of the following data validation edits is effective in detecting transposition and transcription errors? A. Range check B. Check digit C. Validity check D. Duplicate check
The correct answer is: B. Check digit
Explanation: A check digit is a numeric value that is calculated mathematically and is appended to data to ensure that the original data have not been altered, e.g., an incorrect, but valid, value substituted for the original. This control is effective in detecting transposition and transcription errors. A range check verifies that data fall within a predetermined range of values. A validity check is programmed checking of the data validity in accordance with predetermined criteria. In a duplicate check, new or fresh transactions are matched to those previously entered to ensure that they are not already in the system.
..........................................................................................................
157. Before implementing controls, management should FIRST ensure that the controls: A. satisfy a requirement in addressing a risk issue. B. do not reduce productivity. C. are based on a cost-benefit analysis. D. are detective or corrective.
The correct answer is: A. satisfy a requirement in addressing a risk issue.
Explanation: When designing controls, it is necessary to consider all the above aspects. In an ideal situation, controls that address all these aspects would be the best controls. Realistically, it may not be possible to design them all and cost may be prohibitive; therefore, it is necessary to first consider the preventive controls that attack the cause of a threat.
..........................................................................................................
158. Which of the following Capability Maturity Model levels ensures achievement of basic project management controls? A. Repeatable (level 2) B. Defined (level 3) C. Managed (level 4) D. Optimizing (level 5)
The correct answer is: A. Repeatable (level 2)
Explanation: Level 2 has the characteristics of basic project management controls. Level 3 ensures a documented process, level 4 ensures quantitative quality goals, and level 5 ensures continuous process improvement.
..........................................................................................................
159. By evaluating application development projects against the capability maturity model (CMM), an IS auditor should be able to verify that: A. reliable products are guaranteed. B. programmers' efficiency is improved. C. security requirements are designed. D. predictable software processes are followed.
The correct answer is: D. predictable software processes are followed.
Explanation: By evaluating the organization's development projects against the CMM, the IS auditor determines whether the development organization follows a stable, predictable software process. Although the likelihood of success should increase as the software processes mature toward the optimizing level, mature processes do not guarantee a reliable product. CMM does not evaluate technical processes such as programming nor does it evaluate security requirements or other application controls.
..........................................................................................................
160. Which of the following systems or tools can recognize that a credit card transaction is more likely to have resulted from a stolen credit card than from the holder of the credit card? A. Intrusion detection systems B. Data mining techniques C. Firewalls D. Packet filtering routers
The correct answer is: B. Data mining techniques
Explanation: Data mining is a technique used to detect trends or patterns of transactions or data. If the historical pattern of charges against a credit card account is changed, then it is a flag that the transaction may have resulted from a fraudulent use of the card.
..........................................................................................................
161. What data should be used for regression testing? A. Different data than used in the previous test B. The most current production data C. The data used in previous tests D. Data produced by a test data generator
The correct answer is: C. The data used in previous tests
Explanation: Regression testing ensures that changes or corrections in a program have not introduced new errors. Therefore, this would be achieved only if the data used for regression testing are the same as the data used in previous tests.
..........................................................................................................
162. Failure in which of the following testing stages would have the GREATEST impact on the implementation of new application software? A. System testing B. Acceptance testing C. Integration testing D. Unit testing
The correct answer is: B. Acceptance testing
Explanation: Acceptance testing is the final stage before the software is installed and is available for use. The greatest impact would occur if the software fails at the acceptance testing level, as this could result in delays and cost overruns. System testing is undertaken by the developer team to determine if the software meets user requirements per specifications. Integration testing examines the units/modules as one integrated system and unit testing examines the individual units or components of the software. System, integration and unit testing are all performed by the developers at various stages of development, and the impact of failure is comparatively less for each than failure at the acceptance testing stage.
..........................................................................................................
163. The waterfall life cycle model of software development is most appropriately used when: A. requirements are well understood and are expected to remain stable, as is the business environment in which the system will operate. B. requirements are well understood and the project is subject to time pressures. C. the project intends to apply an object-oriented design and programming approach. D. the project will involve the use of new technology.
The correct answer is: A. requirements are well understood and are expected to remain stable, as is the business environment in which the system will operate.
Explanation: Historically, the waterfall model has been best suited to the stable conditions described in choice A. When the degree of uncertainty of the system to be delivered and the conditions in which it will be used rises, the waterfall model has not been successful. In these circumstances the various forms of iterative development life cycle give the advantage of breaking down the scope of the overall system to be delivered, making the requirements gathering and design activities more manageable. The ability to deliver working software earlier also acts to alleviate uncertainty and may allow an earlier realization of benefits. The choice of a design and programming approach is not itself a determining factor of the type of software development life cycle that is appropriate. The use of new technology in a project introduces a significant element of risk. An iterative form of development, particularly one of the family of agile methods that focuses on early development of actual working software, is likely to be the better option to manage this uncertainty.
..........................................................................................................
164. The purpose of debugging programs is to: A. generate random data that can be used to test programs before implementing them. B. protect valid changes from being overwritten by other changes during programming. C. define the program development and maintenance costs to be included in the feasibility study. D. ensure that abnormal terminations and coding flaws are detected and corrected.
The correct answer is: D. ensure that abnormal terminations and coding flaws are detected and corrected.
Explanation: The purpose of debugging programs is to ensure that program abends and coding flaws are detected and corrected before the final program goes into production. There are special tools, such as logic path monitors, memory dumps and output analyzers, to aid the debugging efforts.
..........................................................................................................
165. Sales orders are automatically numbered sequentially at each of a retailer's multiple outlets. Small orders are processed directly at the outlets, with large orders sent to a central production facility. The MOST appropriate control to ensure that all orders transmitted to production are received and processed would be to: A. send and reconcile transaction counts and totals. B. have data transmitted back to the local site for comparison. C. compare data communications protocols with parity checking. D. track and account for the numerical sequence of sales orders at the production facility.
The correct answer is: A. send and reconcile transaction counts and totals.
Explanation: Sending and reconciling transaction totals not only ensures that the orders were received, but also that they were processed by the central production location. Transmission back to the local site confirms that the central location received the orders, but not that it has actually processed them. Tracking and accounting for the numerical sequence only confirms what orders are on hand, and not whether they have actually been completed. The use of parity checking would only confirm that the order was not changed during transmission.
..........................................................................................................
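The count-and-totals reconciliation of question 165 in working form, as an added example that is not part of the question bank: the outlet sends control totals with each batch, and the central site ties them out twice, once over what arrived and once over what it processed. It also shows why option D is weaker when small orders never leave the outlet. Orders, outlet name and totals are constructed.

```python
"""Batch control totals for sales orders sent from an outlet to a central
production facility (Q165), as an added example that is not the bank's own
code. The outlet sends a record count, an amount total and a hash total of
order numbers with each batch; the central site recomputes them over what it
received and again over what it actually processed. Orders are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    outlet: str
    seq: int           # outlet-local sequential order number
    amount_cents: int


def control_totals(orders) -> dict:
    """Record count, financial total, and a hash total over order numbers (a
    sum with no business meaning that changes if any order is lost or doubled)."""
    return {
        "count": len(orders),
        "amount_total": sum(o.amount_cents for o in orders),
        "hash_total": sum(o.seq for o in orders),
    }


def reconcile(sent_totals: dict, received, processed) -> list:
    """Central-site reconciliation against the totals the outlet sent.
    Returns the control exceptions raised, empty when everything ties out."""
    exceptions = []
    if control_totals(received) != sent_totals:
        exceptions.append("RECEIPT_MISMATCH")      # lost or duplicated in transit
    if control_totals(processed) != sent_totals:
        exceptions.append("PROCESSING_MISMATCH")   # received but not all processed
    return exceptions


def sequence_gaps(orders) -> list:
    """Option D of Q165: order numbers missing from the central site's view.
    Small orders never leave the outlet, so gaps here are normal and cannot
    tell a lost large order from a small order processed locally."""
    seqs = {o.seq for o in orders}
    if not seqs:
        return []
    return [n for n in range(min(seqs), max(seqs) + 1) if n not in seqs]


# Constructed day at outlet OUT-7: orders 1002 and 1004 are small and handled
# locally; 1001, 1003 and 1005 are large and transmitted to production.
LARGE_ORDERS = [
    Order("OUT-7", 1001, 50_000),
    Order("OUT-7", 1003, 120_000),
    Order("OUT-7", 1005, 80_000),
]
SENT_TOTALS = control_totals(LARGE_ORDERS)


def scenarios() -> dict:
    """What the reconciliation reports under four constructed outcomes."""
    lost = [o for o in LARGE_ORDERS if o.seq != 1003]          # 1003 lost in transit
    unprocessed = [o for o in LARGE_ORDERS if o.seq != 1005]   # 1005 received, not run
    doubled = LARGE_ORDERS + LARGE_ORDERS[:1]                  # 1001 received twice
    return {
        "all_good": reconcile(SENT_TOTALS, LARGE_ORDERS, LARGE_ORDERS),
        "lost_in_transit": reconcile(SENT_TOTALS, lost, lost),
        "received_not_processed": reconcile(SENT_TOTALS, LARGE_ORDERS, unprocessed),
        "doubled_in_transit": reconcile(SENT_TOTALS, doubled, doubled),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:24s} {result or 'ties out'}")
    print("sequence gaps at production:", sequence_gaps(LARGE_ORDERS))
```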
166. Which of the following is a control to compensate for a programmer having access to accounts payable production data? A. Processing controls such as range checks and logic edits B. Reviewing accounts payable output reports by data entry C. Reviewing system-produced reports for checks (cheques) over a stated amount D. Having the accounts payable supervisor match all checks (cheques) to approved invoices
The correct answer is: D. Having the accounts payable supervisor match all checks (cheques) to approved invoices
Explanation: To ensure that the programmer could not have a check (cheque) generated, it would be necessary for someone to confirm all of the checks (cheques) generated by the system. Range and logic checks could easily be bypassed by a programmer, since they are privy to the controls that have been built into the system. The review of the accounts payable reports by data entry would only identify changes that might have been made to the data input. It would not identify information that might have been changed on the master files. Reviewing reports for checks (cheques) over a certain amount would not allow for the identification of any unauthorized, low-value checks (cheques) or catch alterations to the actual checks (cheques) themselves.
..........................................................................................................
167. Which of the following BEST describes the objectives of following a standard system development methodology? A. To ensure that appropriate staffing is assigned and to provide a method of controlling costs and schedules B. To provide a method of controlling costs and schedules and to ensure communication among users, IS auditors, management and IS personnel C. To provide a method of controlling costs and schedules and an effective means of auditing project development D. To ensure communication among users, IS auditors, management and personnel, and to ensure that appropriate staffing is assigned
The correct answer is: B. To provide a method of controlling costs and schedules and to ensure communication among users, IS auditors, management and IS personnel
Explanation: A well-defined systems development methodology will facilitate effective management of the project since costs and schedules will be monitored consistently. Also, design methodologies require various approvals and sign-offs from different functional groups. This facilitates adequate communications between these groups.
..........................................................................................................
168. Procedures to prevent scope creep should be baselined in which of the following systems development life cycle (SDLC) phases? A. Development B. Implementation C. Design D. Feasibility
The correct answer is: C. Design
Explanation: To prevent uncontrolled entry of new requirements into a system being developed, a standard process for authorization, approval, testing and documentation is necessary. Such procedures are baselined in the design phase and modified in accordance with the needs of the organization. In the development phase, the design specifications are used to program the system that will support specific organizational processes. The implementation phase is too late and the feasibility phase is too early for establishing scope creep procedures.
..........................................................................................................
169. An employee is responsible for updating daily the interest rates in a finance application, including interest rate exceptions for preferred customers. Which of the following is the BEST control to ensure that all rate exceptions are approved? A. A supervisor must enter his/her password before a rate exception is validated. B. Rates outside the normal range require prior management approval. C. The system beeps an alarm when rate exceptions are entered. D. All interest rates must be logged and verified every 30 days.
The correct answer is: B. Rates outside the normal range require prior management approval.
Explanation: Prior approval of management for rates outside the normal range would be a proper control. Entering the password of a supervisor does not ensure authorization. A system alarm upon entry of a rate exception is only a warning. Logging of exceptions is a detective control.
..........................................................................................................
170. Change control for business application systems being developed using prototyping could be complicated by the: A. iterative nature of prototyping. B. rapid pace of modifications in requirements and design. C. emphasis on reports and screens. D. lack of integrated tools.
The correct answer is: B. rapid pace of modifications in requirements and design.
Explanation: Changes in requirements and design happen so quickly that they are seldom documented or approved. Choices A, C and D are characteristics of prototyping, but they do not have an adverse effect on change control.
..........................................................................................................
171. The purpose of a checksum on an amount field in an electronic data interchange (EDI) communication of financial transactions is to ensure: A. integrity. B. authenticity. C. authorization. D. nonrepudiation.
The correct answer is: A. integrity.
Explanation: A checksum calculated on an amount field and included in the EDI communication can be used to identify unauthorized modifications. Authenticity and authorization cannot be established by a checksum alone and need other controls. Nonrepudiation can be ensured by using digital signatures.
..........................................................................................................
172. Which of the following would help to ensure the portability of an application connected to a database? The: A. verification of database import and export procedures. B. usage of a structured query language (SQL). C. analysis of stored procedures/triggers. D. synchronization of the entity-relation model with the database physical schema.
The correct answer is: B. usage of a structured query language (SQL).
Explanation: The use of SQL facilitates portability. Verification of import and export procedures with other systems ensures better interfacing with other systems, analyzing stored procedures/triggers ensures proper access/performance, and reviewing the design entity-relation model will be helpful, but none of these contribute to the portability of an application connecting to a database.
..........................................................................................................
173. During which of the following phases in system development would user acceptance test plans normally be prepared? A. Feasibility study B. Requirements definition C. Implementation planning D. Postimplementation review
The correct answer is: B. Requirements definition
Explanation: During requirements definition, the project team will be working with the users to define their precise objectives and functional needs. At this time, the users should be working with the team to consider and document how the system functionality can be tested to ensure it meets their stated needs. The feasibility study is too early for such detailed user involvement, and the implementation planning and postimplementation review phases are too late. The IS auditor should know at what point user testing should be planned to ensure it is most effective and efficient.
..........................................................................................................
174. Which of the following risks could result from inadequate software baselining? A. Scope creep B. Sign-off delays C. Software integrity violations D. Inadequate controls
The correct answer is: A. Scope creep
Explanation: A software baseline is the cut-off point in the design and development of a system beyond which additional requirements or modifications to the design do not or cannot occur without undergoing formal strict procedures for approval based on a business cost-benefit analysis. Failure to adequately manage the requirements of a system through baselining can result in a number of risks. Foremost among these risks is scope creep, the process through which requirements change during development. Choices B, C and D may not always result, but choice A is inevitable.
..........................................................................................................