Domain 3 (CISA Review Questions,
Answers & Explanations Manual, 12th
Edition | Print | English)
A3-1 Who should review and approve system deliverables as they are defined and
accomplished, to ensure the successful completion and implementation of a new
business system application?
A. User management
B. Project steering committee
C. Senior management
D. Quality assurance staff - Answer- A is the correct answer. Justification:
A. User management assumes ownership of the project and resulting system,
allocates qualified
representatives to the team and actively participates in system requirements
definition, acceptance testing and user training. User management should review
and approve system deliverables as they are defined and accomplished, or
implemented.
B. . A project steering committee provides overall direction, ensures appropriate
representation of the
major stakeholders in the project's outcome, reviews project progress regularly and
holds emergency meetings when required. A project steering committee is ultimately
responsible for all deliverables, project costs and schedules.
C. Senior management demonstrates commitment to the project and approves the
necessary resources to complete the project. This commitment from senior
management helps ensure involvement by those who are needed to complete the
project.
D. Quality assurance staff review results and deliverables within each phase, and at
the end of each phase confirm compliance with standards and requirements. The
timing of reviews depends on the system development life cycle, the impact of
potential deviation methodology used, the structure and magnitude of the system
and the impact of potential deviation.
A3-2 Which of the following BEST helps to prioritize project activities and determine
the time line for a project?
A. A Gantt chart
B. Earned value analysis
C. Program evaluation review technique
D. Function point analysis - Answer- C is the correct answer. Justification:
A. A Gantt chart is a simple project management tool and would help with the
prioritization requirement, but it is not as effective as program evaluation review
technique (PERT).
B. Earned value analysis is a technique to track project cost versus project
deliverables but does not assist in prioritizing tasks.
,C. The PERT method works on the principle of obtaining project time lines based on
project events for three likely scenarios-worst, best and normal. The timeline is
calculated by a predefined formula and identifies the critical path, which identifies the
key activities that must be prioritized.
D. Function point analysis measures the complexity of input and output and does not
help to prioritize project activities.
A3-3 An IS auditor reviewing a series of completed projects finds that the
implemented functionality often exceeded requirements and most of the projects ran
significantly over budget. Which of these areas of the organization's project
management process is the MOST likely cause of this issue?
A. Project scope management
B. Project time management
C. Project risk management
D. Project procurement management - Answer- A is the correct answer. Justification:
A. Because the implemented functionality is greater than what was required, the
most likely cause of the budget issue is failure to effectively manage project scope.
Project scope management is defined as the processes required to ensure that the
project includes all of the required work, and only the required work, to complete the
project.
B. Project time management is defined as the processes required to ensure timely
completion of the
project. The issue noted in the question does not mention whether projects were
completed on time, so this is not the most likely cause.
C. Project risk management is defined as the processes concerned with identifying,
analyzing and responding to project risk. Although the budget overruns mentioned
above represent one form of project risk, they appear to be caused by implementing
too much functionality, which relates more directly to project scope.
D. Project procurement management is defined as the processes required to acquire
goods and services from outside the performing organization. Although purchasing
goods and services that are too expensive can cause budget overruns, in this case
the key to the question is that implemented functionality is greater than what was
required, which is more likely related to project scope.
A3-4 An IS auditor is reviewing the software development process for an
organization. Which of the following functions are appropriate for the end users to
perform?
A. Program output testing
B. System configuration
C. Program logic specification
D. Performance tuning - Answer- A is the correct answer. Justification:
A. A user can test program output by checking the program input and comparing it
with the
system output. This task, although usually done by the programmer, can also be
done effectively by the user.
B. System configuration is usually too technical to be accomplished by a user and
this situation could
create security issues. This could introduce a segregation of duties issue.
,C. Program logic specification is a very technical task that is normally performed by a
prqgrammer. This could introduce a segregation of duties issue. . .
D. Performance tuning also requires high levels of technical skill and will not be
effectively accomplished by a user. This could introduce a segregation of duties
issue.
A3-5 An IS auditoris reviewing system developmentfor a health care organizationwith
two application environments production and test. During an interview,the auditor
notes that production data are used in the test environment to test program
changes.What is the MOST significant potential risk from this situation?
A. The test environment may not have adequate controls to ensure data accuracy.
B. The test environment may produce inaccurate results due to use of production
data.
C. Hardware in the test environment may not be identical to the production
environment.
D. The test environment may not have adequate access controls implemented to
ensure data confidentiality. - Answer- D is the correct answer. Justification:
A. The accuracy of data used in the test environment is not of significant concern as
long as these data
are representative of the production environment.
B. Using production data in the test environment does not cause test results to be
inaccurate. If anything, using production data improves the accuracy of testing
processes, because the data most closely
mirror the production environment. In spite of that fact, the risk of data disclosure or
unauthorized access in the test environment is still significant and, as a result,
production data should not be used in the test environment. This is especially
important in a health care organization where patient data
confidentiality is critical and privacy laws in many countries impose strict penalties on
misuse of these
data.
C. Hardware in the test environment shouldmirror the production environment to
ensure that testing is reliable. However, this does not relate to the risk from using live
data in a test environment. This is not the correct answer because it does not relate
to the risk presented in the scenario.
D. In many cases, the test environment is not configured with the same access
controls that are
enabled in the production environment. For example, programmers may have
privileged access to the test environment (for testing), but not to the production
environment. If the test environment does not have adequate access control, the
production data are subject to risk of unauthorized access and/or data disclosure.
This is the most significant risk of the choices listed.
A3-6 The IS auditor is reviewing a recently completed conversion to a new enterprise
resource planning system.
In the final stage of the conversion process, the organization ran the old and new
systems in parallel for 30 days before allowing the new system to run on its own.
What is the MOST significant advantage to the organization by using this strategy?
A. Significant cost savings over other testing approaches
, B. Assurance that new, faster hardware is compatible with the new system
C. Assurance that the new system meets functional requirements
D. Increased resiliency during the parallel processing time - Answer- C is the correct
answer. Justification:
A. Parallel operation provides a high level of assurance that the new system
functions properly compared to the old system. Parallel operation is generally
expensive and does not provide a cost savings
over most other testing approaches. In many cases, parallel operation is the most
expensive form of system testing due to the need for dual data entry, dual sets of
hardware, dual maintenance and dual backups-it is twice the amount of work as
running a production system and, therefore, costs more time and money.
B. Hardware compatibility should be determined and tested much earlier in the
conversion project
and is not an advantage of parallel operation. Compatibility is generally determined
based on the application's published specifications and on system testing in a lab
environment. Parallel operation is designed to test the application's effectiveness
and integrity of application data, not hardware compatibility. In general, hardware
compatibility relates more to the operating system level than to a particular
application. Although new hardware in a system conversion must be tested under a
real production load, this can be done without parallel systems.
C. Parallel operation is designed to provide assurance that a new system meets its
functional
requirements. This is the safest form of system conversion testing because, if the
new system fails, the old system is still available for production use. In addition, this
form of testing allows the application developers and administrators to
simultaneously run operational tasks (e.g., batch jobs and backups) on both
systems, to ensure that the new system is reliable before unplugging the old system.
D. Increased resiliency during parallel processing is a legitimate outcome from this
scenario, but the
advantage it provides is temporary
A3-7 What kind of software application testing is considered the final stage of testing
and typically includes users outside of the development team?
A. Alpha testing
B. White box testing
C. Regression testing
D. Beta testing - Answer- D is the correct answer. Justification:
A. Alpha testing is the testing stage just before beta testing. Alpha testing is typically
performed by
programmers and business analysts, instead of users. Alpha testing is used to
identify bugs or glitches that can be fixed before beta testing begins with external
users.
B. White box testing is performed much earlier in the software development life cycle
than alpha or beta
testing. White box testing is used to assess the effectiveness of software program
logic, where test
data are used to determine procedural accuracy of the programs being tested. In
other words, does the program operate the way it is supposed to at a functional
level? White box testing does not typically involve external users.
