Information Systems Auditing and Development Lifecycle, Exams of Business Economics

This document covers various aspects of information systems auditing and the system development life cycle (SDLC). It discusses the tasks and responsibilities of an IS auditor in reviewing feasibility studies, requirements definition, testing, and implementation of information systems; the different SDLC models, including the traditional waterfall model and the iterative model, together with the advantages and challenges of each; and input, processing, and output controls, application controls, and the testing techniques used in the SDLC. The IS auditor's involvement and verification activities throughout the SDLC are highlighted, emphasizing the importance of their role in ensuring the completeness, accuracy, and security of the developed system.

Typology: Exams

2023/2024

Available from 07/27/2024

paul-kamau-2
CISA Chapter 3 Exam 48 Questions with Verified Answers

Project Management Structure - 3 types that outline the authority and control within an organization - CORRECT ANSWER
  • functional - the project manager has only a staff function without formal management authority. The work is broken down by department
  • project - the project manager has formal authority over those taking part in the project, including authority over project budgets, schedule, and team
  • matrix - management authority is shared between the project manager and the department heads

Project management roles and responsibilities - CORRECT ANSWER
  • senior management - demonstrates commitment to the project and approves the necessary resources
  • project sponsor - provides funding for the project and works closely with the project manager to define critical success factors
  • user management - assumes ownership of the project and the resulting system
  • user project team - completes assigned tasks
  • project manager - provides day-to-day management and leadership
  • quality assurance - reviews results and deliverables
  • systems development manager - provides technical support for hardware and software
  • system development project team - completes assigned tasks
  • security officer/team - ensures that system controls and supporting processes provide an effective level of protection
  • information system security engineer - applies scientific and engineering principles to identify security vulnerabilities and reduce risk

Portfolio/Program Management - CORRECT ANSWER a project portfolio is defined as all of the projects being carried out in an organization at a given point in time

Project Management Office - CORRECT ANSWER as the owner of the project management and program management process, it must be a permanent structure, adequately staffed to provide professional support in these areas, in order to maintain current procedures and standards and develop new ones.

Project benefits realization objectives - CORRECT ANSWER
  • IT-enabled business investments achieve the promised benefits
  • required capabilities are delivered
  • IT services and other IT assets continue to contribute to business value

Function Point Analysis (FPA) - CORRECT ANSWER a multiple-point technique used for estimating complexity in developing large business applications

An IS auditor's role may take place during the project or upon completion. Tasks generally include the following: - CORRECT ANSWER
  • meet with key systems development and user project team members to determine the main components, objectives, and user requirements
  • discuss the selection of appropriate controls with systems development and user project team members
  • discuss references to authoritative sources
  • evaluate available controls and participate in discussions regarding the design of the system and the implementation of controls
  • periodically meet with systems development and user project team members and review documentation and deliverables
  • identify and test existing controls
  • review and analyze test plans
  • analyze test results
  • review appropriate documentation
  • discuss and examine supporting records to test system maintenance procedures
  • participate in post-implementation reviews

A business case - CORRECT ANSWER provides the information required for an organization to decide whether a project should proceed

A feasibility study will normally include - CORRECT ANSWER
  • project scope
  • current analysis
  • requirements
  • approach
  • evaluation
  • review

end-user-centric - provides different views of data for performance optimization. This objective includes decision support systems (DSSs) and geographic information systems (GISs)

A traditional SDLC (waterfall) model - CORRECT ANSWER involves a lifecycle verification approach that ensures that potential mistakes are corrected early and not solely during final acceptance testing

Primary advantage of the traditional SDLC model - CORRECT ANSWER it provides a template into which methods for requirements can be placed

Problems with the traditional SDLC model - CORRECT ANSWER
  • unanticipated events that result in iterations, creating problems in implementing the approach
  • the difficulty of obtaining an explicit set of requirements from the customer/user, as the approach requires
  • managing requirements and convincing the user about undue or unwarranted requirements in system functionalities
  • the necessity of customer/user patience
  • a changing business environment that alters or changes the customer/user requirements

A verification and validation (V-model) SDLC model - CORRECT ANSWER emphasizes the relationship between development phases and testing levels. The most granular testing, unit testing, occurs immediately after programs have been written

V-model advantages - CORRECT ANSWER
  • an IS auditor's influence is increased where there are formal procedures and guidelines identifying each phase
  • the IS auditor can review all relevant areas and phases
  • the IS auditor can identify selected parts of the system
  • the IS auditor can provide an evaluation of the methods and techniques applied through development

Iterative SDLC Model - CORRECT ANSWER a cyclical process in which business requirements are developed and tested in iterations until the entire application is designed, built, and tested

Traditional system development life cycle approach - CORRECT ANSWER
  • Phase 1 - feasibility study - determine the strategic benefits of implementing the system
  • Phase 2 - requirements definition - define the problem or need that requires resolution
  • Phase 3A - software selection and acquisition (purchased systems) - prepare a request for proposal outlining entity requirements to invite bids
  • Phase 3B - design (in-house implementation) - establish a baseline of specifications
  • Phase 4A - configuration (purchased systems) - configure the system; if packaged, tailor it to the organization's requirements
  • Phase 4B - development (in-house development) - use design specifications to begin programming and formalizing supporting operational processes
  • Phase 5 - final testing and implementation - establish operation of the new system, with a final iteration of user acceptance testing
  • Phase 6 - post-implementation - implement a formal process that assesses the adequacy of the system and the project's cost/benefit

Potential risks that can occur when designing and developing new systems - CORRECT ANSWER
  • strategic risk - arises when business goals are identified and weighted without taking the corporate strategy into account
  • business risk - the new system may not meet users' business needs, requirements, and expectations
  • project risk - project activities to design and develop the system exceed the limits of the financial resources set aside for the project

IS auditor should review the adequacy of the following project management techniques - CORRECT ANSWER
  • levels of oversight by the project committee
  • risk management methods
  • issue management
  • cost management
  • process for planning and dependency management
  • reporting process to senior management
  • change control processes
  • stakeholder management involvement
  • sign-off process
  • delivery time - develop and review the delivery plan
  • installation plan - develop and review
  • installation test plan

An IS auditor should perform the following when reviewing software acquisition - CORRECT ANSWER
  • analyze the documentation from the feasibility study
  • review the RFP to ensure it covers the items listed in this section
  • determine if the selected vendor is supported by the RFP documentation
  • attend agenda-based presentations and conference room pilots
  • review the vendor contract prior to signing it
  • ensure that the contract is reviewed by legal counsel
  • review the RFP to ensure security responses are included

Input authorization - CORRECT ANSWER verifies that all transactions have been authorized and approved by management

Types of authorizations include - CORRECT ANSWER
  • signatures on batch forms or source documents
  • online access controls
  • unique passwords
  • terminal or client workstation identification
  • source documents
  • input data validation

Batch controls - CORRECT ANSWER group input transactions to provide control totals. Batch control can be based on total monetary amount, total items, total documents, or hash totals

Input control techniques - CORRECT ANSWER
  • transaction log - contains a detailed list of all updates
  • reconciliation of data - controls whether all data received are properly recorded and processed
  • documentation
  • error correction procedures
  • anticipation
  • transmittal log
  • cancellation of source documents

Input sanitization, data validation edits and controls (checks) - CORRECT ANSWER sequence, limit, range, validity, reasonableness, table, existence, key verification, check digit, completeness, duplicate check, logical relationship

The following are processing control techniques that can address the issues of completeness and accuracy of accumulated data - CORRECT ANSWER
  • manual recalculations
  • editing
  • run-to-run
  • programmed reasonableness verification of calculated amounts
  • limit checks on amounts
  • reconciliation of file totals
  • exception reports

Output controls - CORRECT ANSWER ensure that the data delivered to users will be presented, formatted, and delivered in a consistent and secure manner

Output controls include - CORRECT ANSWER
  • logging and storage of negotiable, sensitive, and critical forms in a secure place
  • computer generation of negotiable instruments, forms, and signatures
  • report accuracy, completeness, and timeliness
  • reports generated from the system
  • report distribution
  • balancing and reconciling
  • output error handling
  • output report retention
  • verification of receipt of reports

Application controls - CORRECT ANSWER are controls over the aforementioned input, processing, and output functions. They include methods for ensuring that:
  • only complete, accurate, and valid data are entered in the system
  • processing accomplishes the correct task
  • processing results meet expectations
  • data are maintained
Test plans identify test approaches such as the following two reciprocal approaches to software testing - CORRECT ANSWER
  • bottom up - testing begins with atomic units, such as programs or modules, and works upward until complete system testing has taken place
  • top down - testing follows the opposite path, in either depth-first or breadth-first search order

Two common types of data integrity tests - CORRECT ANSWER
  • relational integrity tests - performed at the data element and record-based levels. Relational integrity is enforced through data validation routines built into the application or by defining the input condition constraints and data characteristics at the table definition in the database stage
  • referential integrity tests - define existence relationships between entities in different tables of a database that need to be maintained by the DBMS

Testing application systems - CORRECT ANSWER
  • snapshots - records the flow of designated transactions through logic paths within programs
  • mapping - identifies specific program logic
  • tracing and tagging - tracing shows the trail of, tagging involves placing an indicator
  • test data/deck - simulates transactions through real programs
  • base case system evaluation - uses test data sets and verifies correct system operations before acceptance
  • parallel operation - processes actual production data through existing
  • integrated testing facility - creates a fictitious file in the database
  • parallel simulation - processes production data using computer programs that simulate application program logic
  • transaction selection programs - use audit software to screen and select transactions input to the regular production cycle
  • embedded audit data collection - software embedded in host computer applications screens
  • extended records - gathers all data that have been affected by a particular program

It is essential that an IS auditor be involved in reviewing this phase and perform the following - CORRECT ANSWER
  • review the test plan for completeness
  • reconcile control totals and converted data
  • review error reports
  • verify cyclical processing for correctness
  • verify the accuracy of critical reports and outputs used by management
  • interview end users
  • review system and end-user documentation
  • review parallel testing results for accuracy
  • verify system security
  • review unit and system test plans
  • review the UAT and ensure that the accepted software has been delivered to the implementation team
  • review procedures used for recording and following through on error reports

An IS auditor should verify that appropriate sign-offs have been obtained prior to implementation and perform the following: - CORRECT ANSWER
  • review the programmed procedures used for scheduling and running the system, along with the system parameters used in executing the production schedule
  • review all system documentation to ensure its completeness and confirm that all recent updates from the testing phase have been incorporated
  • verify all data conversions to ensure that they are correct and complete before implementing the system in production

An IS auditor performing a post-implementation review should be independent of the system development process; therefore... - CORRECT ANSWER an IS auditor involved in consulting with the project team on the development of the system should not perform this review. Post-implementation reviews performed by an auditor tend to concentrate on the control aspects of the system development and implementation processes

An IS auditor should perform the following functions... - CORRECT ANSWER
  • determine if the system's objectives and requirements were achieved. During the post-implementation review, careful attention should be paid to end users' utilization, trouble tickets, work orders, and overall satisfaction with the system
  • determine if the cost benefits identified in the feasibility study are being measured, analyzed, and accurately reported to management
  • review program change requests performed to assess the type of change required of the system