1. Which of the following groups should assume ownership of a systems development project and the resulting system?
A. User management
B. Senior management
C. Project steering committee
D. Systems development management
The correct answer is: A. User management
Explanation: User management assumes ownership of the project and the resulting system. They should review and approve deliverables as they are defined and accomplished. Senior management approves the project and the resources needed to complete it. The project steering committee provides overall direction and is responsible for monitoring costs and timetables. Systems development management provides technical support.

2. A request for a change to a report format in a module (subsystem) was made. After making the required changes, the programmer should carry out:
A. unit testing.
B. unit and module testing.
C. unit, module and regression testing.
D. module testing.
The correct answer is: C. unit, module and regression testing.
Explanation: Unit, module and regression testing will ensure that the specific unit, module or subsystem and the complete system work as expected. Unit testing alone will ensure that the unit is working as expected, and unit and module testing will ensure that the unit and the module (or subsystem) work as expected, but neither will ensure that there has been no impact on the complete system. Regression testing is required for any changes carried out at any level.

3. Which of the following should be done by an IS auditor when a source code comparison indicates modifications were made?
A. Determine whether modifications were authorized.
B. Update the control copy of the source code.
C. Manually review the source code.
D. Insert remarks in the source code describing the modifications.
The correct answer is: A. Determine whether modifications were authorized.
Explanation: The IS auditor's primary objective should be to determine if the changes were authorized. A manual review of the source code may be done in some instances, but this would not answer the question of whether the changes were authorized. Choices B and D would not be proper actions.

4. Which of the following types of testing would determine whether a new or modified system can operate in its target environment without adversely impacting other existing systems?
A. Parallel testing
B. Pilot testing
C. Interface/integration testing
D. Sociability testing
The correct answer is: D. Sociability testing
Explanation: The purpose of sociability testing is to confirm that a new or modified system can operate in its target environment without adversely impacting existing systems. This should cover the platform that will perform primary application processing and interfaces with other systems, as well as changes to the desktop in a client-server or web development. Parallel testing is the process of feeding data into two systems (the modified system and an alternate system) and comparing the results. In this approach, the old and new systems operate concurrently for a period of time and perform the same processing functions. Pilot testing takes place first at one location and is then extended to other locations. The purpose is to see if the new system operates satisfactorily in one place before implementing it at other locations. Interface/integration testing is a hardware or software test that evaluates the connection of two or more components that pass information from one area to another. The objective is to take unit-tested modules and build an integrated structure.

5. Which of the following represents a typical prototype of an interactive application?
A. Screens and process programs
B. Screens, interactive edits and sample reports
C. Interactive edits, process programs and sample reports
D. Screens, interactive edits, process programs and sample reports
The correct answer is: B. Screens, interactive edits and sample reports
Explanation: Process programs are not produced by a prototyping tool. This often leads to confusion for the end user, who expects quick implementation of programs that accomplish the results that these tools produce.

6. An enterprise has established a steering committee to oversee its e-business program. The steering committee would MOST likely be involved in the:
A. documentation of requirements.
B. escalation of project issues.
C. design of interface controls.
D. specification of reports.
The correct answer is: B. escalation of project issues.
Explanation: The function of the steering committee is to ensure the success of the project. If there are factors or issues that potentially could affect planned results, the steering committee should escalate them. Activities such as documentation of requirements, design of interface controls and specification of reports are the responsibility of the project team.

7. Which of the following is a dynamic analysis tool for the purpose of testing software modules?
A. Black box test
B. Desk checking
C. Structured walk-through
D. Design and code
The correct answer is: A. Black box test
Explanation: A black box test is a dynamic analysis tool for testing software modules. During the testing of software modules, a black box test works first in a cohesive manner as a single unit/entity consisting of numerous modules, and second with the user data that flows across software modules. In some cases, this even drives the software behavior. In choices B, C and D, the software (design or code) remains static and somebody closely examines it by applying his/her mind, without actually activating the software. Hence, these cannot be referred to as dynamic analysis tools.

8. The request for proposal (RFP) for the acquisition of an application system would MOST likely be approved by the:
A. project steering committee.
B. project sponsor.
C. project manager.
D. user project team.
The correct answer is: A. project steering committee.
Explanation: A project steering committee usually consists of senior representatives from each function that will be affected by the new system and would be the most appropriate group to approve the RFP. The project sponsor provides funding for the project. The project manager and user project team are responsible for drafting the RFP.

9. Which of the following groups/individuals should assume overall direction and responsibility for costs and timetables of system development projects?
A. User management
B. Project steering committee
C. Senior management
D. Systems development management
The correct answer is: B. Project steering committee
Explanation: The project steering committee is ultimately responsible for all costs and timetables. User management assumes ownership of the project and the resulting system. Senior management commits to the project and approves the resources necessary to complete the project. Systems development management provides technical support for the hardware and software environments by developing, installing and operating the requested system.

10. The MAJOR concern for an IS auditor reviewing a CASE environment should be that the use of CASE does not automatically:
A. result in a correct capture of requirements.
B. ensure that desirable application controls have been implemented.
C. produce ergonomic and user-friendly interfaces.
D. generate efficient code.
The correct answer is: A. result in a correct capture of requirements.
Explanation: The principal concern should be to ensure an alignment of the application with business needs and user requirements. While the CASE tool being used may provide tools to cover this crucial initial phase, a cooperative user-analyst interaction is always needed. Choice B should be the next concern. If the system meets business needs and user requirements, it should also incorporate all desirable controls. Controls have to be specified, since CASE can only automatically incorporate certain, rather low-level, controls (such as the expected type of input data, e.g., date). CASE will not (choice C) automatically generate ergonomic and user-friendly interfaces, but it should provide tools for easy (and automatically documented) tuning. CASE applications (choice D) generally fall short of optimizing the use of hardware and software resources, precisely because they are designed to optimize other elements, such as developers' effort or documentation.

11. The knowledge base of an expert system that uses questionnaires to lead the user through a series of choices before a conclusion is reached is known as:
A. rules.
B. decision trees.
C. semantic nets.
D. dataflow diagrams.
The correct answer is: B. decision trees.
Explanation: Decision trees use questionnaires to lead a user through a series of choices until a conclusion is reached. Rules refer to the expression of declarative knowledge through the use of if-then relationships. Semantic nets consist of a graph in which nodes represent physical or conceptual objects and the arcs describe the relationship between the nodes. Semantic nets resemble a dataflow diagram and make use of an inheritance mechanism to prevent duplication of data.

12. Which of the following risks could result from inadequate software baselining?
A. Scope creep
B. Sign-off delays
C. Software integrity violations
D. Inadequate controls
The correct answer is: A. Scope creep
Explanation: A software baseline is the cut-off point in the design and development of a system beyond which additional requirements or modifications to the design do not or cannot occur without undergoing formal, strict procedures for approval based on a business cost-benefit analysis. Failure to adequately manage the requirements of a system through baselining can result in a number of risks. Foremost among these risks is scope creep, the process through which requirements change during development. Choices B, C and D may not always result, but choice A is inevitable.

13. The PRIMARY reason for separating the test and development environments is to:
A. restrict access to systems under test.
B. segregate user and development staff.
C. control the stability of the test environment.
D. secure access to systems under development.
The correct answer is: C. control the stability of the test environment.
Explanation: The test environment must be controlled and stable to ensure that development projects are tested in a realistic environment that, as far as possible, mirrors the live environment. Restricting access to test and development systems can be achieved easily by normal access control methods, and the mere separation of the environments will not provide adequate segregation of duties. The IS auditor must be aware of the benefits of separating these environments wherever possible.

14. After discovering a security vulnerability in a third-party application that interfaces with several external systems, a patch is applied to a significant number of modules. Which of the following tests should an IS auditor recommend?
A. Stress
B. Black box
C. Interface
D. System
The correct answer is: D. System
Explanation: Given the extensiveness of the patch and its interfaces to external systems, system testing is most appropriate. Interface testing is not enough, and stress or black box testing are inadequate in these circumstances.

15. An organization has an integrated development environment (IDE) in which the program libraries reside on the server, but modification/development and testing are done from PC workstations. Which of the following would be a strength of an integrated development environment?
A. Controls the proliferation of multiple versions of programs
B. Expands the programming resources and aids available
C. Increases program and processing integrity
D. Prevents valid changes from being overwritten by other changes
The correct answer is: B. Expands the programming resources and aids available
Explanation: A strength of an integrated development environment is that it expands the programming resources and aids available. The other choices are IDE weaknesses.

16. Which of the following is MOST effective in controlling application maintenance?
A. Informing users of the status of changes
B. Establishing priorities on program changes
C. Obtaining user approval of program changes
D. Requiring documented user specifications for changes
The correct answer is: C. Obtaining user approval of program changes
Explanation: User approval of program changes will ensure that changes are correct as specified by the user and that they are authorized. Therefore, erroneous or unauthorized changes are less likely to occur, minimizing system downtime and errors.

17. When implementing an acquired system in a client-server environment, which of the following tests would confirm that the modifications in the Windows registry do not adversely impact the desktop environment?
A. Sociability testing
B. Parallel testing
C. White box testing
D. Validation testing
The correct answer is: A. Sociability testing
Explanation: When implementing an acquired system in a client-server environment, sociability testing would confirm that the system can operate in the target environment without adversely impacting other systems. Parallel testing is the process of feeding test data to both the old and new systems and comparing the results. White box testing is based on a close examination of procedural details, and validation testing tests the functionality of the system against the detailed requirements to ensure that the software that has been built is traceable to customer requirements.

18. When implementing an application software package, which of the following presents the GREATEST risk?
A. Uncontrolled multiple software versions
B. Source programs that are not synchronized with object code
C. Incorrectly set parameters
D. Programming errors
The correct answer is: C. Incorrectly set parameters
Explanation: Parameters that are not set correctly would be the greatest concern when implementing an application software package. The other choices, though important, are a concern of the provider, not of the organization that is implementing the software.

19. Peer reviews to detect software errors during a program development activity are called:
A. emulation techniques.
B. structured walk-throughs.
C. modular program techniques.
D. top-down program construction.
The correct answer is: B. structured walk-throughs.
Explanation: A structured walk-through is a management tool for improving productivity. Structured walk-throughs can detect an incorrect or improper interpretation of the program specifications. This, in turn, improves the quality of system testing and its acceptance. The other choices are methods or tools in the overall systems development process.

20. When selecting software, which of the following business and technical issues is the MOST important to be considered?
A. Vendor reputation
B. Requirements of the organization
C. Cost factors
D. An installed base
The correct answer is: B. Requirements of the organization
Explanation: Establishing the requirements of the organization is a task that should be completed early in the process. Cost factors are a part of the analysis in the evaluation of software alternatives. A vendor's reputation and the installed base become important only after the requirements are met.

21. An IS auditor is told by IS management that the organization has recently reached the highest level of the software capability maturity model (CMM). The software quality process MOST recently added by the organization is:
A. continuous improvement.
B. quantitative quality goals.
C. a documented process.
D. a process tailored to specific projects.
The correct answer is: A. continuous improvement.
Explanation: An organization would have reached the highest level of the software CMM at level 5, optimizing. Quantitative quality goals can be reached at level 4 and below, a documented process is executed at level 3 and below, and a process tailored to specific projects can be achieved at level 3 or below.

22. An existing system is being extensively enhanced by extracting and reusing design and program components. This is an example of:
A. reverse engineering.
B. prototyping.
C. software reuse.
D. reengineering.
The correct answer is: D. reengineering.
Explanation: Old (legacy) systems that have been corrected, adapted and enhanced extensively require reengineering to remain maintainable. Reengineering is a rebuilding activity to incorporate new technologies into existing systems. Using program language statements, reverse engineering involves reversing a program's machine code into the source code in which it was written, to identify malicious content in a program such as a virus, or to adapt a program written for use with one processor for use with a differently designed processor. Prototyping is the development of a system through controlled trial and error. Software reuse is the process of planning, analyzing and using previously developed software components. The reusable components are integrated into the current software product systematically.

23. During which of the following phases in system development would user acceptance test plans normally be prepared?
A. Feasibility study
B. Requirements definition
C. Implementation planning
D. Post-implementation review
The correct answer is: B. Requirements definition
Explanation: During requirements definition, the project team will be working with the users to define their precise objectives and functional needs. At this time, the users should be working with the team to consider and document how the system functionality can be tested to ensure it meets their stated needs. The feasibility study is too early for such detailed user involvement, and the implementation planning and post-implementation review phases are too late. The IS auditor should know at what point user testing should be planned in order to ensure it is most effective and efficient.

24. A number of system failures are occurring when corrections to previously detected errors are resubmitted for acceptance testing. This would indicate that the maintenance team is probably not adequately performing which of the following types of testing?
A. Unit testing
B. Integration testing
C. Design walk-throughs
D. Configuration management
The correct answer is: B. Integration testing
Explanation: A common system maintenance problem is that errors are often corrected quickly (especially when deadlines are tight), units are tested by the programmer, and then transferred to the acceptance test area. This often results in system problems that should have been detected during integration or system testing. Integration testing aims at ensuring that the major components of the system interface correctly.

25. Which of the following is a strength of the program evaluation review technique (PERT) over other techniques? PERT:
A. considers different scenarios for planning and controlling projects.
B. allows the user to input program and system parameters.
C. tests system maintenance processes accurately.
D. estimates costs of system projects.
The correct answer is: A. considers different scenarios for planning and controlling projects.
Explanation: PERT considers different scenarios for planning and controlling projects. Three time estimates (optimistic, pessimistic and most likely) are used to create a level of uncertainty in the estimation of the time for individual activities.

26. In regard to moving an application program from the test environment to the production environment, the BEST control would be provided by having the:
A. application programmer copy the source program to the production libraries and then have the production control group compile the program.
B. application programmer copy the source program to the production libraries and then have the production control group compile the program.
C. production control group compile the object module to the production libraries using the source program in the test environment.
D. production control group copy the source program to the production libraries and then compile the program.
The correct answer is: D. production control group copy the source program to the production libraries and then compile the program.
Explanation: The best control would be provided by having the production control group copy the source program to the production libraries and then compile the program.

27. If an application program is modified and proper system maintenance procedures are in place, which of the following should be tested? The:
A. integrity of the database.
B. access controls for the applications programmer.
C. complete program, including any interface systems.
D. segment of the program containing the revised code.
The correct answer is: C. complete program, including any interface systems.
Explanation: The complete program with all interfaces needs to be tested to determine the full impact of a change to program code. Usually, the more complex the program, the more testing is required.

28. The program evaluation review technique (PERT):
A. assumes that activities cannot be started and stopped independently.
B. assumes a perfect knowledge of the times of individual activities.
C. starts with a definition of the project activities and their relative sequence.
D. events, marking the start or end of an activity, have time of their own and expend resources.
The correct answer is: C. starts with a definition of the project activities and their relative sequence.
Explanation: When designing a PERT network, the first step is to identify all the activities of the project and their relative sequence. The analyst must be careful not to overlook any activity. The list of activities determines the detail of the PERT network. Choice A is not correct, as PERT assumes that the project is a collection of activities or tasks, where the activities can be started and stopped independently of each other, in contrast to a sequential flow of processing. Choice B is not correct because PERT assumes an imperfect knowledge of the times of individual activities and, therefore, incorporates a level of uncertainty in the estimation of such times. Choice D is incorrect, as each activity in PERT begins and ends with an event. The event has no time of its own and expends no resources. An event or result may be the completion of the operational feasibility study or the point at which the user accepts the detailed design.

29. The PRIMARY role of an IS auditor during the system design phase of an application development project is to:
A. advise on specific and detailed control procedures.
B. ensure the design accurately reflects the requirement.
C. ensure all necessary controls are included in the initial design.
D. advise the development manager on adherence to the schedule.
The correct answer is: C. ensure all necessary controls are included in the initial design.
Explanation: The duty of the IS auditor is to ensure that required controls are included. Unless specifically present as a consultant, the IS auditor should not be involved in detailed designs. During the design phase, the IS auditor's primary role is to ensure controls are included. Unless there is any potential slippage to report, the IS auditor is not concerned with project control at this stage.

30. Which is the first software capability maturity model (CMM) level to include a standard software development process?
A. Initial (level 1)
B. Repeatable (level 2)
C. Defined (level 3)
D. Optimizing (level 5)
The correct answer is: C. Defined (level 3)
Explanation: Based on lessons learned from level 1 (initial) and level 2 (repeatable), level 3 (defined) initiates documentation to provide standardized software processes across the organization. Level 1 (initial) is characterized as ad hoc: reliance is placed on key personnel and processes are not documented. After level 1, level 2 (repeatable) creates a learning environment where disciplined processes can be repeated successfully on other projects of similar size and scope. The ability to quantitatively control software projects arises on attaining the final level (5) of CMM. At level 5, an organization is in a position to use continuous process improvement strategies in applying innovative solutions and state-of-the-art technologies to its software projects.

31. What data should be used for regression testing?
A. Different data than used in the previous test
B. The most current production data
C. The data used in previous tests
D. Data produced by a test data generator
The correct answer is: C. The data used in previous tests
Explanation: Regression testing ensures that changes or corrections in a program have not introduced new errors. Therefore, this would be achieved only if the data used for regression testing are the same as the data used in previous tests.

32. The IS auditor finds that a system under development has 12 linked modules and each item of data can carry up to 10 definable attribute fields. The system handles several million transactions a year. Which of these techniques could the IS auditor use to estimate the size of the development effort?
A. Program evaluation review technique (PERT)
B. Counting source lines of code (SLOC)
C. Function point analysis
D. White box testing
The correct answer is: C. Function point analysis
Explanation: Function point analysis is an indirect method of measuring the size of an application by considering the number and complexity of its inputs, outputs and files. It is useful for evaluating complex applications. PERT is a project management technique that helps with both planning and control. SLOC gives a direct measure of program size, but does not allow for the complexity that may be caused by having multiple, linked modules and a variety of inputs and outputs. White box testing involves a detailed review of the behavior of program code, and is a quality assurance technique suited to simpler applications during the design and build stage of development.

33. An IS auditor's PRIMARY concern when application developers wish to use a copy of yesterday's production transaction file for volume tests is that:
A. users may prefer to use contrived data for testing.
B. unauthorized access to sensitive data may result.
C. error handling and credibility checks may not be fully proven.
D. the full functionality of the new process may not necessarily be tested.
The correct answer is: B. unauthorized access to sensitive data may result.
Explanation: Unless the data are sanitized, there is a risk of disclosing sensitive data.

34. Ideally, stress testing should be carried out in a:
A. test environment using test data.
B. production environment using live workloads.
C. production environment using live workloads.
D. production environment using test data.
The correct answer is: C. production environment using live workloads.
Explanation: Stress testing is carried out to ensure a system can cope with production workloads. A test environment should always be used to avoid damaging the production environment. Hence, testing should never take place in a production environment (choices B and D), and if only test data is used, there is no certainty that the system was stress tested adequately.

35. An organization planning to purchase a software package asks the IS auditor for a risk assessment. Which of the following is the MAJOR risk?
A. Unavailability of the source code
B. Lack of a vendor-quality certification
C. Absence of vendor/client references
D. Little vendor experience with the package
The correct answer is: A. Unavailability of the source code
Explanation: If the vendor goes out of business, not having the source code available would make it impossible to update the (software) package. Lack of a vendor-quality certification, absence of vendor/client references and little vendor experience with the package are important issues but not critical.

36. An advantage of using sanitized live transactions in test data is that:
A. all transaction types will be included.
B. every error condition is likely to be tested.
C. no special routines are required to assess the results.
D. test transactions are representative of live processing.
The correct answer is: D. test transactions are representative of live processing.
Explanation: Test data will be representative of live processing; however, it is unlikely that all transaction types or error conditions will be tested in this way.

37. During the development of an application, the quality assurance testing and user acceptance testing were combined. The MAJOR concern for an IS auditor reviewing the project is that there will be:
A. increased maintenance.
B. improper documentation of testing.
C. inadequate functional testing.
D. delays in problem resolution.
The correct answer is: C. inadequate functional testing.
Explanation: The major risk of combining quality assurance testing and user acceptance testing is that functional testing may be inadequate. Choices A, B and D are not as important.

38. When reviewing a system development project at the project initiation stage, an IS auditor finds that the project team is following the organization's quality manual. To meet critical deadlines, the project team proposes to fast track the validation and verification processes, commencing some elements before the previous deliverable is signed off. Under these circumstances, the IS auditor would MOST likely:
A. report this as a critical finding to senior management.
B. accept that different quality processes can be adopted for each project.
C. report to IS management the team's failure to follow quality procedures.
D. report the risks associated with fast tracking to the project steering committee.
The correct answer is: D. report the risks associated with fast tracking to the project steering committee.
Explanation: It is important that quality processes are appropriate to individual projects. Attempts to apply inappropriate processes will often result in their abandonment under pressure. A fast-tracking process is an acceptable option under certain circumstances; however, it is important that the project steering committee is informed of the risks associated with this (i.e., the possibility of rework if changes are required).

39. Which of the following is the PRIMARY purpose for conducting parallel testing?
A. To determine if the system is cost-effective
B. To enable comprehensive unit and system testing
C. To highlight errors in the program interfaces with files
D. To ensure the new system meets user requirements
The correct answer is: D. To ensure the new system meets user requirements
Explanation: The purpose of parallel testing is to ensure that the implementation of a new system will meet user requirements. Parallel testing may show that the old system is, in fact, better than the new system, but this is not the primary reason. Unit and system testing will be completed before parallel testing. Errors in program interfaces with files will be tested during system testing.

40. An organization has contracted with a vendor for a turnkey solution for their electronic toll collection system (ETCS). The vendor has provided its proprietary application software as part of the solution. The contract should require that:
A. a backup server be available to run ETCS operations with up-to-date data.
B. a backup server be loaded with all the relevant software and data.
C. the systems staff of the organization be trained to handle any event.
D. source code of the ETCS application be placed in escrow.
The correct answer is: D. source code of the ETCS application be placed in escrow.
Explanation: Whenever proprietary application software is purchased, the contract should provide for a source code agreement. This will ensure that the purchasing company will have the opportunity to modify the software should the vendor cease to be in business. Having a backup server with current data and staff training is critical, but not as critical as ensuring the availability of the source code.

41. One of the purposes of library control software is to allow:
A. programmers access to production source and object libraries.
B. batch program updating.
C. operators to update the control library with the production version before testing is completed.
D. read-only access to source code.
The correct answer is: D. read-only access to source code.
Explanation: An important purpose of library control software is to allow read-only access to source code. Choices A, B and C are activities which library control software should help to prevent or prohibit.

42. A programmer, using firecall IDs as provided in the manufacturer's manual, gained access to the production environment and made an unauthorized change. Which of the following could have prevented this from happening?
A. Deactivation
B. Monitoring
C. Authorization
D. Resetting
The correct answer is: D. Resetting
Explanation: The vendor-supplied firecall IDs should be reset at the time of implementing the system and new IDs generated. Deactivation may cause the disruption of a critical production job. Without resetting the vendor-provided firecall IDs, monitoring and authorization of such IDs are not effective controls.

43. Which of the following BEST describes the objectives of following a standard system development methodology?
A. To ensure that appropriate staffing is assigned and to provide a method of controlling costs and schedules
B. To provide a method of controlling costs and schedules and to ensure communication among users, IS auditors, management and IS personnel
C. To provide a method of controlling costs and schedules and an effective means of auditing project development
D. To ensure communication among users, IS auditors, management and personnel, and to ensure that appropriate staffing is assigned
The correct answer is: B. To provide a method of controlling costs and schedules and to ensure communication among users, IS auditors, management and IS personnel
Explanation: A well-defined systems development methodology will facilitate effective management of the project, since costs and schedules will be monitored consistently. Also, design methodologies require various approvals and sign-offs from different functional groups. This facilitates adequate communication between these groups.

44. The use of fourth-generation languages (4GLs) should be weighed carefully against using traditional languages, because 4GLs:
A. can lack lower-level detail commands necessary to perform data-intensive operations.
B. cannot be implemented on both mainframe processors and microcomputers.
C. generally contain complex language subsets that must be used by skilled users.
D. cannot access database records and produce complex online outputs.
The correct answer is: A. can lack lower-level detail commands necessary to perform data-intensive operations.
Explanation: All of the answers are advantages of using 4GLs except that they can lack lower-level detail commands necessary to perform data-intensive operations. These operations are usually required when developing major applications.

45. An advantage in using a bottom-up vs. a top-down approach to software testing is that:
A. interface errors are detected earlier.
B. confidence in the system is achieved earlier.
C. errors in critical modules are detected earlier.
D. major functions and processing are tested earlier.
The correct answer is: C. errors in critical modules are detected earlier.
Explanation: The bottom-up approach to software testing begins with the testing of atomic units, such as programs and modules, and works upwards until a complete system test has taken place. The advantage of using a bottom-up approach to software testing is that there is no need for stubs or drivers, and errors in critical modules are found earlier. The other choices in this question all refer to advantages of a top-down approach, which follows the opposite path, in either depth-first or breadth-first search order.

46. A programmer maliciously modified a production program to change data and then restored the original code. Which of the following would MOST effectively detect the malicious activity?
A. Comparing source code
B. Reviewing system log files
C. Comparing object code
D. Reviewing executable and source code integrity
The correct answer is: B. Reviewing system log files
Explanation: Reviewing system log files is the only trail that may provide information about the unauthorized activities in the production library. Source and object code comparisons are ineffective because the original programs were restored and the modified versions no longer exist. Reviewing executable and source code integrity is an ineffective control because integrity between the executable and source code is automatically maintained.

47. During a post-implementation review of an enterprise resource management system, an IS auditor would MOST likely:
A. review access control configuration.
B. evaluate interface testing.
C. review detailed design documentation.
D.
evaluate system testing. The correct answer is: A. review access control configuration. Explanation: Reviewing access control configuration would be the first task performed to determine whether security has been appropriately mapped in the system. Since a post-implementation review is done after user acceptance testing and actual implementation, one would not engage in interface testing or detailed design documentation. Evaluating interface testing would be part of the implementation process. The issue of reviewing detailed design documentation is not generally relevant to an enterprise resource management system, since these are usually vendor packages with user manuals. System testing should be performed before final user sign-off. 48. Which of the following is an object-oriented technology characteristic that permits an enhanced degree of security over data? A. Inheritance B. Dynamic warehousing C. Encapsulation D. Polymorphism The correct answer is: C. Encapsulation Explanation: Encapsulation is a property of objects, and it prevents accessing either properties or methods that have not been previously defined as public. This means that any implementation of the behavior of an object is not accessible. An object defines a communication interface with the exterior and only that which belongs to that interface can be accessed. 49. Change management procedures are established by IS management to: A. control the movement of applications from the test environment to the production environment. B. control the interruption of business operations from lack of attention to unresolved problems. C. ensure the uninterrupted operation of the business in the event of a disaster. D. verify that system changes are properly documented. The correct answer is: A. control the movement of applications from the test environment to the production environment. 
Explanation: Change management procedures are established by IS management to control the movement of applications from the test environment to the production environment. Problem escalation procedures control the interruption of business operations from lack of attention to unresolved problems, and quality assurance procedures verify that system changes are authorized and tested. 50. Business units are concerned about the performance of a newly implemented system. Which of the following should the IS auditor recommend? A. Develop a baseline and monitor system usage. B. Define alternate processing procedures. C. Prepare the maintenance manual. D. Implement the changes users have suggested. The correct answer is: A. Develop a baseline and monitor system usage. Explanation: The IS auditor should recommend the development of a performance baseline and monitor the system’s performance, against the baseline, to develop empirical data upon which decisions for modifying the system can be made. Alternate processing procedures and a maintenance manual will not alter a system’s performance. Implementing changes without knowledge of the cause(s) for the perceived poor performance may not result in a more efficient system. 51. Regression testing is the process of testing a program to determine if: A. the new code contains errors. B. discrepancies exist between functional specifications and performance. C. new requirements have been met. D. changes have introduced any errors in the unchanged code. The correct answer is: D. changes have introduced any errors in the unchanged code. Explanation: Regression testing is the process of rerunning a portion of a test scenario or test plan to ensure that changes or corrections have not introduced new errors. The data used in regression testing should be the same as the data used in the original test. Unit testing is used to determine if a new code contains errors or does not meet requirements. 52. 
When auditing the proposed acquisition of a new computer system, the IS auditor should FIRST establish that: A. a clear business case has been approved by management. B. C. users will be involved in the implementation plan. D. the new system will meet all required user functionality. The correct answer is: A. a clear business case has been approved by management. Explanation: The first concern of the IS auditor should be to establish that the proposal meets the needs of the business, and this should be established by a clear business case. Although compliance with security standards is essential, as are meeting the needs of the users and having users involved in the implementation process, it is too early in the procurement process for these to be the IS auditor’s first concern. 53. Which of the following testing methods is MOST effective during the initial phases of prototyping? A. System B. Parallel C. Volume D. Top-down The correct answer is: D. Top-down Explanation: Top-down testing starts with the system’s major functions and works downwards. The initial emphasis when using prototyping is to create screens and reports, thus shaping most of the proposed system’s features in a short period. Volume and system testing is performed during final system testing phases. Parallel testing is not necessarily needed, especially if there is no old system with which to compare. 54. The reason for establishing a stop or freezing point on the design of a new system is to: A. prevent further changes to a project in process. B. indicate the point at which the design is to be completed. C. require that changes after that point be evaluated for cost-effectiveness. D. provide the project management team with more control over the project design. The correct answer is: C. require that changes after that point be evaluated for cost-effectiveness. Explanation: Projects often have a tendency to expand, especially during the requirements definition phase. 
This expansion often grows to a point where the originally anticipated cost-benefits are diminished because the cost of the project has increased. When this occurs it is recommended that the project be stopped or frozen to allow a rereview of all of the cost-benefits and the payback period. 55. An objective of a post-implementation review of a new or extensively modified business application system is to: A. determine whether test data covered all scenarios. B. conduct a certification and accreditation process. C. assess whether expected project benefits were received. D. design audit trail reports. The correct answer is: C. assess whether expected project benefits were received. Explanation: Assessing whether expected project benefits were achieved would be one of the objectives of a post-implementation review. Determining whether test data covered all scenarios and conducting a certification and accreditation process are objectives of the implementation phase of application systems development. Designing audit trails is part of the design phase of the development. 56. The responsibility for designing, implementing and maintaining a system of internal control lies with: A. the IS auditor. B. management. C. the external auditor. D. the programming staff. The correct answer is: B. management. Explanation: Designing, implementing and maintaining a system of internal controls, including the prevention and detection of fraud is the responsibility of management. The IS auditor assesses the risks and performs tests to detect irregularities created by weaknesses in the structure of internal controls. 57. Which of the following capability maturity model levels ensures achievement of basic project management controls? A. Repeatable (level 2) B. Defined (level 3) C. Managed (level 4) D. Optimizing (level 5) The correct answer is: A. Repeatable (level 2) Explanation: Level 2 has the characteristics of basic project management controls. 
Level 3 ensures a documented process, level 4 ensures quantitative quality goals, and level 5 ensures continuous process improvement. 58. The GREATEST advantage of rapid application development (RAD) over the traditional system development life cycle (SDLC) is that it: A. facilitates user involvement. B. allows early testing of technical features. C. facilitates conversion to the new system. D. shortens the development time frame. The correct answer is: D. shortens the development time frame. Explanation: The greatest advantage of RAD is the shorter time frame for the development of a system. Choices A and B are true, but they are also true for the traditional systems development life cycle. Choice C is not necessarily always true. 59. When reviewing the quality of an IS department’s development process, the IS auditor finds that he/she does not use any formal, documented methodology and standards. The IS auditor’s MOST appropriate action would be to: A. complete the audit and report the finding. B. investigate and recommend appropriate formal standards. C. document the informal standards and test for compliance. D. withdraw and recommend a further audit when standards are implemented. The correct answer is: C. document the informal standards and test for compliance. Explanation: The IS auditor’s first concern would be to ensure that projects are consistently managed. Where it is claimed that an internal standard exists, it is important to ensure that it is operated correctly, even when this means documenting the claimed standards first. Merely reporting the issue as a weakness and closing the audit without findings would not help the organization in any way and investigating formal methodologies may be unnecessary if the existing, informal standards prove to be adequate and effective. 60. An organization wants to enforce data integrity principles and achieve faster performance/execution in a database application. 
Which of the following design principles should be applied? A. User (customized) triggers B. Data validation at the front end C. Data validation at the back end D. Referential integrity The correct answer is: D. Referential integrity Explanation: Referential integrity should be implemented at the time of the design of the database to provide a faster execution mechanism. All other options are implemented at the application coding stage. 61. Which of the following is a management technique that enables organizations to develop strategically important systems faster, while reducing development costs and maintaining quality? A. Function point analysis B. Critical path methodology C. Rapid application development D. Program evaluation review technique The correct answer is: C. Rapid application development Explanation: Rapid application development is a management technique that enables organizations to develop strategically important systems faster, while reducing development costs and maintaining quality. The program evaluation review technique (PERT) and critical path methodology (CPM) are both planning and control techniques, while function point analysis is used for estimating the complexity of developing business applications. 62. During the audit of an acquired software package the IS auditor learned that the software purchase was based on information obtained through the Internet, rather than from responses to a request for proposal (RFP). The IS auditor should FIRST: A. test the software for compatibility with existing hardware. B. perform a gap analysis. C. review the licensing policy. D. ensure that the procedure had been approved. The correct answer is: D. ensure that the procedure had been approved. Explanation: In the case of a deviation from the predefined procedures, the IS auditor should first ensure that the procedure followed for acquiring the software is consistent with the business objectives and has been approved by the appropriate authorities. 
The other choices are not the first actions the IS auditor should take. They are steps that may or may not be taken after determining that the procedure used to acquire the software had been approved. 63. Assumptions while planning an IS project involve a high degree of risk because they are: A. based on known constraints. B. based on objective past data. C. a result of a lack of information. D. often made by unqualified people. The correct answer is: C. a result of a lack of information. Explanation: Assumptions are made when adequate information is not available. When an IS project manager makes an assumption, there is a high degree of risk because the lack of proper information can cause unexpected loss to an IS project. Assumptions are not based on “known” constraints. When constraints are known in advance, a project manager can plan according to those constraints rather than assuming the constraints will not affect the project. Having objective data about past IS projects will not lead to making assumptions, but rather helps the IS project manager in planning the project. Hence, if objective past data are available and the project manager makes use of them, risk to the project is less. Regardless of whether they are made by qualified people or unqualified people, assumptions are risky. 64. Which of the following is a control weakness that can jeopardize a system replacement project? A. The project initiation document has not been updated to reflect changes in the system scope. B. A gap analysis comparing the chosen solution to the original specification has revealed a number of significant changes in functionality. C. The project has been subject to a number of requirement specifications changes. D. The organization has decided that a project steering committee is not required. The correct answer is: D. The organization has decided that a project steering committee is not required. 
Explanation: Even in a small project, the lack of a project steering committee represents the absence of a fundamental control. The project initiation document captures the initial scope and structure of the project, and it is not practical to keep it updated, as changes to the project can be captured through change control procedures and committee decisions. A gap analysis is a process that enables differences to be identified and addressed. Changes of scope and requirements are significant risks that can have a major effect on project success; however, of themselves, they are not control weaknesses. They should be controlled by change control procedures. 65. Who of the following is ultimately responsible for providing requirement specifications to the software development project team? A. Team leader B. Project sponsor C. System analyst D. Steering committee The correct answer is: B. Project sponsor Explanation: The project sponsor is the manager in charge of the business function, the owner of the data and the owner of the system under development. Providing functional specifications through functional users is the responsibility of the project sponsor. The other choices are incorrect. The team leader or project manager working with the project sponsor is responsible for the overall control of the project. The steering committee provides the overall direction and ensures representation of all areas impacted by the new system. The steering committee is responsible for monitoring the overall progress of the project, but is not responsible for the function being automated and, therefore, cannot provide requirement specifications. The system analyst working from the specifications designs the new application system. 66. An IS auditor that participates in the testing stage of a software development project establishes that the individual modules perform correctly. The IS auditor should: A. conclude that the individual modules running as a group will be correct. B. 
document the test as positive proof that the system can produce the desired results. C. inform management and recommend an integrated test. D. provide additional test data. The correct answer is: C. inform management and recommend an integrated test. Explanation: Modules that have been tested individually can have interface problems, causing adverse affects on other modules. Therefore, the most appropriate action for the IS auditor is to recommend that management carry out an integrated test, which will demonstrate whether the modules working together can produce the desired output. Running additional test data against individual modules will not prove the ability of the modules to work together. 67. Many IT projects experience problems because the development time and/or resource requirements are underestimated. Which of the following techniques would provide the GREATEST assistance in developing an estimate of project duration? A. Function point analysis B. PERT chart C. Rapid application development D. Object-oriented system development The correct answer is: B. PERT chart Explanation: Function point analysis is a technique for determining the size of a development task based on the number of function points. Function points are factors such as inputs, outputs, inquiries, logical internal files, etc. While this will help determine the size of individual activities, it will not assist in determining project duration since there are many overlapping tasks. A PERT chart will help determine project duration once all the activities and the work involved in the activities are known. Rapid application development is a methodology that enables organizations to develop strategically important systems faster while reducing development costs and maintaining quality, and object-oriented system development is the process of solution specification and modeling. 68. A distinguishing feature of fourth-generation languages (4GLs) is portability, which means? A. 
Environmental independence B. Workbench concepts (i.e., temporary storage, test editing, etc.) C. Ability to design screen formats and develop graphical outputs D. Ability to execute online operations The correct answer is: A. Environmental independence Explanation: Portability describes the ability of 4GLs to execute across computer architectures, operating systems, mainframe processors and personal computers. Choices B, C and D are other attributes of 4GLs. 69. In planning a software development project, which of the following is the MOST difficult to determine? A. Project slack times B. The project’s critical path C. Time and resource requirements for individual tasks D. Relationships that preclude the start of an activity before others are complete The correct answer is: C. Time and resource requirements for individual tasks Explanation: The most difficult problem is effectively estimating a project’s slack time and/or resource requirements for individual tasks or development activities. This is commonly done through direct software measures (sizeoriented SLOC—source lines of code; KLOC—thousand lines of code) or indirect software measures (function points—values for number of user inputs, outputs, inquiries; number of files and interfaces). The other choices are project management methods and techniques employed that are dependent on the effectiveness of methods used in deriving accurate and reliable software development productivity and performance measures. 70. During unit testing, the test strategy applied is: A. black box. B. white box. C. bottom-up. D. top-down. The correct answer is: B. white box. Explanation: White box testing examines the internal structure of a module. A programmer should perform this test for each module prior to integrating the module with others. Black box testing focuses on the functional requirements and does not consider the control structure of the module. 
Choices C and D are not correct because these tests require that several modules have already been assembled and tested. 71. An IS auditor reviewing a proposed application software acquisition should ensure that the: A. operating system (OS) being used is compatible with the existing hardware platform. B. planned OS updates have been scheduled to minimize negative impacts on company needs. C. OS has the latest versions and updates. D. products are compatible with the current or planned OS. The correct answer is: D. products are compatible with the current or planned OS. Explanation: Choices A, B and C are incorrect because none of them is related to the area being audited. In reviewing the proposed application the auditor should ensure that the products to be purchased are compatible with the current or planned OS. Regarding choice A, if the OS is currently being used, it is compatible with the existing hardware platform, because if it is not, it would not operate properly. In choice B, the planned OS updates should be scheduled to minimize negative impacts on the organization. For choice C, the installed OS should be equipped with the most recent versions and updates (with sufficient history and stability). 72. Which of the following is the GREATEST risk when implementing a data warehouse? A. Increased response time on the production systems B. Access controls that are not adequate to prevent data modification C. Data duplication D. Data that is not updated or current The correct answer is: B. Access controls that are not adequate to prevent data modification Explanation: Once the data is in a warehouse, no modifications should be made to it and access controls should be in place to prevent data modification. Increased response time on the production systems is not a risk, because a data warehouse does not impact production data. Based on data replication, data duplication is inherent in a data warehouse. 
Transformation of data from operational systems to a data warehouse is done at predefined intervals, and as such, data may not be current. 73. An organization is moving its application maintenance in-house from an outside source. Which of the following should be the main concern of an IS auditor? A. Regression testing B. Job scheduling C. User manuals D. Change control procedures The correct answer is: D. Change control procedures Explanation: It is essential for the maintenance and control of software that change control procedures be in place. Regression testing is completed after changes are made to the software, and since the software is already being used, the job schedule must be in place and may be reviewed later. This change does not affect user manuals and any associated risks. 74. Good quality software is BEST achieved: A. through thorough testing. B. by finding and quickly correcting programming errors. C. by determining the amount of testing using the available time and budget. D. by applying well-defined processes and structured reviews throughout the project. The correct answer is: D. by applying well-defined processes and structured reviews throughout the project. Explanation: Testing can point to quality deficiencies, However, it cannot by itself fix them. Corrective action at this point in the project is expensive. While it is necessary to detect and correct program errors, the bigger return comes from detecting defects as they occur in upstream phases, such as requirements and design. Choice C is representative of the most common mistake when applying quality management to a software project. It is seen as overhead, instead early removal of defects has a substantial payback. Rework is actually the largest cost driver on most software projects. Choice D represents the core of achieving quality, that is, following a well-defined, consistent process and effectively reviewing key deliverables. 75. 
Which of the following development methods uses a prototype that can be updated continually to meet changing user or business requirements? A. Data-oriented development (DOD) B. Object-oriented development (OOD) C. Business process reengineering (BPR) D.Rapid application development (RAD) The correct answer is: D.Rapid application development (RAD) Explanation: Only RAD uses prototyping as its core development tool. OOD and DOD use continuously developing models, and BPR attempts to convert an existing business process rather than make dynamic changes. 76. The phases and deliverables of a system development life cycle (SDLC) project should be determined: A. during the initial planning stages of the project. B. after early planning has been completed, but before work has begun. C. through out the work stages, based on risks and exposures. D. only after all risks and exposures have been identified and the IS auditor has recommended appropriate controls. The correct answer is: A. during the initial planning stages of the project. Explanation: It is extremely important that the project be planned properly and that the specific phases and deliverables be identified during the early stages of the project. 77. Which of the following controls would be MOST effective in ensuring that production source code and object code are synchronized? A. Release-to-release source and object comparison reports B. Library control software restricting changes to source code C. Restricted access to source code and object code D. Date and time-stamp reviews of source and object code The correct answer is: D. Date and time-stamp reviews of source and object code Explanation: Date and time-stamp reviews of source and object code would ensure that source code, which has been compiled, matches the production object code. This is the most effective way to ensure that the approved production source code is compiled and is the one being used. 78. 
Which of the following is often an advantage of using prototyping for systems development?
A. The finished system will have adequate controls.
B. The system will have adequate security/audit trail.
C. It reduces time to deployment.
D. It is easy to achieve change control.
The correct answer is: C. It reduces time to deployment.
Explanation: Prototyping is the process of creating systems through controlled trial and error. This method of system development can provide the organization with significant time and cost savings. By focusing mainly on what the user wants and sees, developers may miss some of the controls that come from the traditional systems development approach; therefore, a potential risk is that the finished system will have poor controls. In prototyping, changes in the designs and requirements occur quickly and are seldom documented or approved; hence, change control becomes more complicated with prototyped systems.

79. Which of the following would be the MOST likely to ensure that business requirements are met during software development?
A. Adequate training
B. Programmers that clearly understand the business processes
C. Documentation of business rules
D. Early engagement of key users
The correct answer is: D. Early engagement of key users
Explanation: Key users, since they are familiar with the daily needs, are the individuals that can provide the requirements to ensure the application developed will meet the business needs. Training would aid in learning how to use the system but would not provide the business requirements. Choices B and C are important; however, they will not, by themselves, ensure that requirements are met.

80. Which of the following audit procedures would an IS auditor normally perform FIRST when reviewing an organization's systems development methodology?
A. Determine procedural adequacy.
B. Analyze procedural effectiveness.
C. Evaluate the level of compliance with procedures.
D. Compare established standards to observed procedures.
The correct answer is: D. Compare established standards to observed procedures.
Explanation: The first step should be to establish that the entity being audited meets best practice. The adequacy of the procedures observed should follow confirmation that they meet best practice. Effectiveness analysis will follow establishment of standards. Compliance tests will follow establishment of standards.

81. A company has contracted with an external consulting firm to implement a commercial financial system to replace its existing in-house-developed system. In reviewing the proposed development approach, which of the following would be of GREATEST concern?
A. Acceptance testing is to be managed by users.
B. A quality plan is not part of the contracted deliverables.
C. Not all business functions will be available on initial implementation.
D. Prototyping is being used to confirm that the system meets business requirements.
The correct answer is: B. A quality plan is not part of the contracted deliverables.
Explanation: A quality plan is an essential element of all projects. It is critical that the contracted supplier be required to produce such a plan. The quality plan for the proposed development contract should be comprehensive and encompass all phases of the development and include which business functions will be included and when. Acceptance is normally managed by the user area, since they must be satisfied that the new system will meet their requirements. If the system is large, a phased-in approach to implementing the application is a reasonable approach. Prototyping is a valid method of ensuring that the system will meet business requirements.

82. Which of the following should be included in a feasibility study for a project to implement an EDI process?
A. The encryption algorithm format
B. The detailed internal control procedures
C. The necessary communication protocols
D. The proposed trusted third-party agreement
The correct answer is: C. The necessary communication protocols
Explanation: Encryption algorithms, third-party agreements and internal control procedures are too detailed for this phase. They would only be outlined and any cost or performance implications shown. The communications protocols must be included, as there may be significant cost implications, if new hardware and software are involved, and risk implications, if the technology is new to the organization.

83. Which of the following facilitates program maintenance?
A. More cohesive and loosely coupled programs
B. Less cohesive and loosely coupled programs
C. More cohesive and strongly coupled programs
D. Less cohesive and strongly coupled programs
The correct answer is: A. More cohesive and loosely coupled programs
Explanation: Cohesion refers to the performance of a single dedicated function by each program. Coupling refers to the independence of the comparable units. Loosely coupled units, when the program code is changed, will reduce the probability of affecting other program units. More cohesive and loosely coupled units are best for maintenance.

84. The primary purpose of a system test is to:
A. test the generation of the designed control totals.
B. determine whether the documentation of the system is accurate.
C. evaluate the system functionally.
D. ensure that the system operators become familiar with the new system.
The correct answer is: C. evaluate the system functionally.
Explanation: The primary reason why a system is tested is to evaluate the entire system functionality.

85. Which of the following phases represents the optimum point for software baselining to occur?
A. Testing
B. Design
C. Requirement
D. Development
The correct answer is: B. Design
Explanation: Software baselining is the cut-off point in the design and development of an application, beyond which change should not occur without undergoing formal procedures for approval and should be supported by a business cost-benefit impact analysis. The optimum point for software baselining to occur is the design phase.

86. Which of the following is a measure of the size of an information system based on the number and complexity of a system's inputs, outputs and files?
A. Program evaluation review technique (PERT)
B. Rapid application development (RAD)
C. Function point analysis (FPA)
D. Critical path method (CPM)
The correct answer is: C. Function point analysis (FPA)
Explanation: Function point analysis is a measure of the size of an information system based on the number and complexity of the inputs, outputs and files that a user sees and with which the user interacts. Function points are used in a manner analogous to lines of code as a measure of software productivity, quality and other attributes. PERT is a network management technique used in both the planning and control of projects. RAD is a methodology that enables organizations to develop strategically important systems faster, while reducing development costs and maintaining quality. CPM is used by network management techniques, such as PERT, in computing a critical path.

87. The purpose of debugging programs is to:
A. generate random data that can be used to test programs before implementing them.
B. protect valid changes from being overwritten by other changes during programming.
C. define the program development and maintenance costs to be included in the feasibility study.
D. ensure that abnormal terminations and coding flaws are detected and corrected.
The correct answer is: D. ensure that abnormal terminations and coding flaws are detected and corrected.
Explanation: The purpose of debugging programs is to ensure that program abends and coding flaws are detected and corrected before the final program goes into production. There are special tools, such as logic path monitors, memory dumps and output analyzers, to aid the debugging efforts.

88. Utilizing audit software to compare the object code of two programs is an audit technique used to test program:
A. logic.
B. changes.
C. efficiency.
D. computations.
The correct answer is: B. changes.
Explanation: The use of audit software to compare programs is an audit technique used to test change control.

89. An organization is implementing a new system to replace a legacy system. Which of the following conversion practices creates the GREATEST risk?
A. Pilot
B. Parallel
C. Direct cut-over
D. Phased
The correct answer is: C. Direct cut-over
Explanation: Direct cut-over implies switching to the new system immediately, usually without the ability to revert to the old system in the event of problems. All other alternatives are done gradually and thus provide greater recoverability and are therefore less risky.

90. The difference between white box testing and black box testing is that white box testing:
A. involves the IS auditor.
B. is performed by an independent programmer team.
C. examines a program's internal logical structure.
D. uses the bottom-up approach.
The correct answer is: C. examines a program's internal logical structure.
Explanation: Black box testing observes a system's external behavior, while white box testing is a detailed examination of a logical path, checking the possible conditions. The IS auditor need not be involved in either testing method. The bottom-up approach can be used in both tests. White box testing requires knowledge of the internals of the program or the module to be implemented/tested. Black box testing requires that the functionality of the program be known. The independent programmer team would not be aware of the application of a program in which they have not been involved; hence, the independent programmer team cannot provide any assistance in either of these testing approaches.

91. The PRIMARY objective of conducting a post-implementation review is to assess whether the system:
A. achieved the desired objectives.
B. provides for backup and recovery.
C. provides for information security.
D. documentation is clear and understandable.
The correct answer is: A. achieved the desired objectives.
Explanation: The primary objective of a post-implementation review of a system is to assess whether the system's objectives have been achieved. The other choices may be subobjectives of a post-implementation review but are not the primary purpose.

92. Procedures to prevent scope creep should be baselined in which of the following systems development life cycle (SDLC) phases?
A. Development
B. Implementation
C. Design
D. Feasibility
The correct answer is: C. Design
Explanation: To prevent uncontrolled entry of new requirements into a system being developed, a standard process for authorization, approval, testing and documentation is necessary. Such procedures are baselined in the design phase and modified in accordance with the needs of the organization. In the development phase, the design specifications are used to program the system that will support specific organizational processes. The implementation phase is too late and the feasibility phase is too early for establishing scope creep procedures.

93. Which of the following is an advantage of prototyping?
A. The finished system normally has strong internal controls.
B. Prototype systems can provide significant time and cost savings.
C. Change control is often less complicated with prototype systems.
D. It ensures that functions or extras are not added to the intended system.
The correct answer is: B. Prototype systems can provide significant time and cost savings.
Explanation: Prototype systems can provide significant time and cost savings; however, they also have several disadvantages. They often have poor internal controls, change control becomes much more complicated, and prototyping often leads to functions or extras being added to the system that were not originally intended.

94. When a new system is to be implemented within a short time frame, it is MOST important to:
A. finish writing user manuals.
B. perform user acceptance testing.
C. add last-minute enhancements to functionalities.
D. ensure that the code has been documented and reviewed.
The correct answer is: B. perform user acceptance testing.
Explanation: It would be most important to complete the user acceptance testing to ensure that the system to be implemented is working correctly. The completion of the user manuals is similar to the performance of code reviews. If time is tight, the last thing one would want to do is add another enhancement, as it would be necessary to freeze the code and complete the testing, then make any other changes as future enhancements. It would be appropriate to have the code documented and reviewed, but unless the acceptance testing is completed, there is no guarantee that the system will work correctly and meet user requirements.

95. Which of the following is a control to detect an unauthorized change in a production environment?
A. Denying programmers access to production data
B. Requiring change requests to include benefits and costs
C. Periodically comparing control and current object and source programs
D. Establishing procedures for emergency changes
The correct answer is: C. Periodically comparing control and current object and source programs
Explanation: Running the code comparison program on the control and current object and source programs allows for the detection of unauthorized changes in the production environment. Choices A, B and D are preventive controls that are effective as long as they are being applied consistently.

96. Which of the following is MOST likely to occur when a system development project is in the middle of the programming/coding phase?
A. Unit tests
B. Stress tests
C. Regression tests
D. Acceptance tests
The correct answer is: A. Unit tests
Explanation: During the programming phase, the development team should have mechanisms in place to ensure that coding is being developed to standard and is working correctly. Unit tests are key elements of that process in that they ensure that individual programs are working correctly. They would normally be supported by code reviews. Stress tests, regression tests and acceptance tests would normally occur later in the development and testing phases. As part of the process of assessing compliance with quality processes, IS auditors should verify that such reviews are undertaken.

97. The MOST likely explanation for the use of applets in an Internet application is that:
A. it is sent over the network from the server.
B. the server does not run the program and the output is not sent over the network.
C. they improve the performance of both the web server and network.
D. it is a Java program downloaded through the web browser and executed by the web server of the client machine.
The correct answer is: C. they improve the performance of both the web server and network.
Explanation: An applet is a Java program that is sent over the network from the web server, through a web browser, to the client machine. Then the code is run on the machine. Since the server does not run the program and the output is not sent over the network, the performance on both the web server and network, over which the server and client are connected, drastically improves through the use of applets. Performance improvement is more important than the reasons offered in choices A and B. Since the Java virtual machine (JVM) is embedded in most web browsers, the applet downloaded through the web browser runs on the client machine from the web browser, not from the web server, making choice D incorrect.

98. Which of the following is the most important element in the design of a data warehouse?
A. Quality of the metadata
B. Speed of the transactions
C. Volatility of the data
D. Vulnerability of the system
The correct answer is: A. Quality of the metadata
Explanation: Quality of the metadata is the most important element in the design of a data warehouse. A data warehouse is a copy of transaction data specifically structured for query and analysis. Metadata aim to provide a table of contents to the information stored in the data warehouse. Companies that have built warehouses believe that metadata are the most important component of the warehouse.

99. Testing the connection of two or more system components that pass information from one area to another is:
A. pilot testing.
B. parallel testing.
C. interface testing.
D. regression testing.
The correct answer is: C. interface testing.
Explanation: Interface testing is a hardware or software test that evaluates the connection of two or more components that pass information from one area to another. Pilot testing is a preliminary test that focuses on specific and predetermined aspects of a system and is not meant to replace other methods. Parallel testing is the process of feeding test data into two systems (the modified system and an alternative system) and comparing the results. Regression testing is the process of rerunning a portion of a test scenario or test plan to ensure that changes or corrections have not introduced new errors. The data used in regression testing is the same as the data used in the original test.

100. Change control for business application systems being developed using prototyping could be complicated by the:
A. iterative nature of prototyping.
B. rapid pace of modifications in requirements and design.
C. emphasis on reports and screens.
D. lack of integrated tools.
The correct answer is: B. rapid pace of modifications in requirements and design.
Explanation: Changes in requirements and design happen so quickly that they are seldom documented or approved. Choices A, C and D are characteristics of prototyping, but they do not have an adverse effect on change control.

101. A debugging tool, which reports on the sequence of steps executed by a program, is called a/an:
A. output analyzer.
B. memory dump.
C. compiler.
D. logic path monitor.
The correct answer is: D. logic path monitor.
Explanation: Logic path monitors report on the sequence of steps executed by a program. This provides the programmer with clues to logic errors, if any, in the program. An output analyzer checks the results of a program for accuracy by comparing the expected results with the actual results. A memory dump provides a picture of the content of a computer's internal memory at any point in time, often when the program is aborted, thus providing information on inconsistencies in data or parameter values. Though compilers have some potential to provide feedback to a programmer, they are not generally considered a debugging tool.

102. The use of object-oriented design and development techniques would MOST likely:
A. facilitate the ability to reuse modules.
B. improve system performance.
C. enhance control effectiveness.
D. speed up the system development life cycle.
The correct answer is: A. facilitate the ability to reuse modules.
Explanation: One of the major benefits of object-oriented design and development is the ability to reuse modules. The other options do not normally benefit from the object-oriented technique.

103. A decision support system (DSS):
A. is aimed at solving highly structured problems.
B. combines the use of models with nontraditional data access and retrieval functions.
C. emphasizes flexibility in the decision-making approach of users.
D. supports only structured decision-making tasks.
The correct answer is: C. emphasizes flexibility in the decision-making approach of users.
Explanation: DSS emphasizes flexibility in the decision-making approach of users. It is aimed at solving less-structured problems, combines the use of models and analytic techniques with traditional data access and retrieval functions, and supports semistructured decision-making tasks.

104. The most common reason for the failure of information systems to meet the needs of users is that:
A. user needs are constantly changing.
B. the growth of user requirements was forecast inaccurately.
C. the hardware system limits the number of concurrent users.
D. user participation in defining the system's requirements was inadequate.
The correct answer is: D. user participation in defining the system's requirements was inadequate.
Explanation: Lack of adequate user involvement, especially in the system's requirements phase, will usually result in a system that does not fully or adequately address the needs of the user. Only users can define what their needs are and, therefore, what the system should accomplish.

105. Failure in which of the following testing stages would have the GREATEST impact on the implementation of new application software?
A. System testing
B. Acceptance testing
C. Integration testing
D. Unit testing
The correct answer is: B. Acceptance testing
Explanation: Acceptance testing is the final stage before the software is installed and is available for use. The greatest impact would occur if the software fails at the acceptance testing level, as this could result in delays and cost overruns. System testing is undertaken by the developer team to determine if the software meets user requirements per specifications. Integration testing examines the units/modules as one integrated system and unit testing examines the individual units or components of the software. System, integration and unit testing are all performed by the developers at various stages of development, and the impact of failure is comparatively less for each than failure at the acceptance testing stage.

106. At the end of the testing phase of software development, an IS auditor observes that an intermittent software error has not been corrected. No action has been taken to resolve the error. The IS auditor should:
A. report the error as a finding and leave further exploration to the auditee's discretion.
B. attempt to resolve the error.
C. recommend that problem resolution be escalated.
D. ignore the error, as it is not possible to get objective evidence for the software error.
The correct answer is: C. recommend that problem resolution be escalated.
Explanation: When an auditor observes such conditions, it is best to fully apprise the auditee and suggest that further problem resolutions be attempted. Recording it as a minor error and leaving it to the auditee's discretion would be inappropriate, and neglecting the error would indicate that the auditor has not taken steps to further probe the issue to its logical end.

Copyright © 2002-5 Information Systems Audit and Control Association. All rights reserved.

USE RESTRICTIONS
The Question Database and Software ("CISA Sample Exam") is copyrighted.
Licensee may not, and Licensee may not permit others to, (a) disassemble, decompile, or otherwise derive source code from the CISA Sample Exam, (b) reverse engineer the CISA Sample Exam, (c) modify or prepare derivative works of the CISA Sample Exam, (d) copy the CISA Sample Exam, (e) rent or lease the CISA Sample Exam, (f) use the CISA Sample Exam in an on-line system, (g) use the CISA Sample Exam in any manner that infringes the intellectual property or other rights of another party, or (h) transfer the CISA Sample Exam or any copy thereof to another party. Unauthorized copying of the CISA Sample Exam is expressly forbidden. Licensee may not reproduce the CISA Sample Exam or any part thereof. You may not create derivative works, including translations, of the CISA Sample Exam or any part thereof without the prior written consent of ISACA. Licensee may make printed media copies of the quiz and scored results, so long as such copies do not include any part of the Software, for non-commercial, personal use, including transmission by any means, including electronic, mechanical, recording, or otherwise.