CISA Domain 3 Exam 113 Questions with Verified Answers,100% CORRECT

26 pages. Grade: A+. Uploaded on 15-03-2024. Written in 2023/2024.

Integrated Test Facility (ITF) - CORRECT ANSWER
- A fictitious entity is created in the LIVE environment.
- This technique allows the auditor to open a dummy account.
- The auditor can enter dummy or test transactions and verify the processing and results of these transactions for correctness.
- Processed results and expected results are compared to verify that the system is operating correctly.
- Example: a dummy asset of $100,000 is entered into the system to verify whether it is capitalized under the correct head and depreciation is calculated at the correct rate. The dummy transaction is removed after the system controls have been verified.

System Control Audit Review File (SCARF) - CORRECT ANSWER
- An embedded (inbuilt) audit module is used to continuously monitor transactions.
- Used to collect data for special audit purposes.
- The file records only those transactions of special audit significance, such as transactions above a specified limit or transactions representing a deviation or exception.
- On a regular basis the auditor gets a printout of the file for examination and verification.

Snapshot Technique - CORRECT ANSWER
- Snaps (pictures) are taken of a transaction as it moves through the various stages of the application system.
- Both before-processing and after-processing images of the transaction are captured.
- The auditor verifies the correctness of processing by comparing the before-processing and after-processing images.
- Three important considerations: (i) the location where snaps are to be taken, (ii) the time of capturing snaps and (iii) the reporting of the snapshot data captured.

Audit Hook - CORRECT ANSWER
- Audit software that captures suspicious transactions.
- The criteria for suspicious transactions are designed by the auditor as per their requirements.
- Example: in most organizations cash transactions are monitored closely; criteria can be designed to capture cash transactions exceeding $50,000. All captured transactions are subsequently verified by the auditor to identify fraud, if any.
- Useful when early detection of error or fraud is required.

Continuous and Intermittent Simulation (CIS) - CORRECT ANSWER
- A variation of the SCARF technique.
- Can be used whenever the application system uses a database management system (DBMS).
- The DBMS reads the transaction and passes it to CIS. If the transaction meets the selected criteria, CIS examines it for correctness.
- CIS determines whether any discrepancies exist between the results it produces and those the application system produces; such discrepancies are written to an exception log file.
- Thus CIS replicates, or simulates, the application system's processing.
- Because highly complex criteria can be set in CIS, it is the best technique for identifying transactions that match predefined criteria.

SDLC - Unit Testing - CORRECT ANSWER
- Testing is done by the developer as and when an individual program or module is ready; there is no need to wait until the full software is complete.
- The white box approach (i.e. testing of internal program logic) is applied in unit testing.

SDLC - Integration Testing / Interface Testing - CORRECT ANSWER
- Testing of the connection between two or more modules or components that pass information from one area to another.

SDLC - System Testing - CORRECT ANSWER
- The primary reason for system testing is to evaluate the functionality of the entire system.
- System testing includes (i) recovery testing, (ii) security testing, (iii) load testing, (iv) volume testing, (v) stress testing and (vi) performance testing.

Final Acceptance Testing - CORRECT ANSWER
- Includes (i) Quality Assurance Testing (QAT) and (ii) User Acceptance Testing (UAT).

Regression Testing - CORRECT ANSWER
- Testing done again to ensure that changes or corrections to a program have not introduced new errors.
- The data used should be the same data used in the previous tests; only then can the rerun show that the changes have not introduced new errors.

Sociability Testing - CORRECT ANSWER
- A test to ensure that a new or modified system can work in the specified environment without adversely impacting existing systems.

Pilot Testing - CORRECT ANSWER
- Takes place first at one location to review performance. The purpose is to see whether the new system operates satisfactorily in one place before implementing it at other locations.

Parallel Testing - CORRECT ANSWER
- The process of comparing the results of the old and new systems.
- The purpose of this testing is to ensure that the implementation of the new system meets user requirements.

White Box Testing vs Black Box Testing - CORRECT ANSWER
White Box:
- Program logic is tested.
- Applicable to unit testing and interface (integration) testing.
- Detailed knowledge of programming is required.
Black Box:
- Only functionality is tested; program logic is not tested.
- Applicable to user acceptance testing (UAT) and interface testing.
- Testing can be performed without knowledge of programming.

Alpha Testing vs Beta Testing - CORRECT ANSWER
Alpha Testing:
- Done by internal users.
- Done prior to beta testing.
- May not involve testing of full functionality.
Beta Testing:
- Done by external users.
- Done after alpha testing.
- Generally involves testing of full functionality.

Top-Down Approach vs Bottom-Up Approach - CORRECT ANSWER
Top-Down:
- The opposite of the bottom-up approach: testing starts at the broader level and gradually moves towards individual programs and modules.
- Advantages: (i) interface errors can be detected earlier, (ii) confidence in the system is achieved earlier.
- More appropriate for prototype development.
Bottom-Up:
- Begins with testing of individual units such as programs or modules and works upward until the complete system is tested.
- Advantages: (i) testing can start even before all programs are complete, (ii) errors in critical modules can be found early.

Regression Testing vs Sociability Testing - CORRECT ANSWER
- Regression: a test to ensure that corrections or changes have not introduced new errors.
- Sociability: a test to ensure that a new or modified system can work without adversely impacting existing systems.

Unit Testing vs Interface Testing - CORRECT ANSWER
- Unit testing: testing of an individual program or module.
- Interface/integration testing: testing of the connection between two or more components that pass information from one area to another.

Check Digit - CORRECT ANSWER
- A mathematically calculated value that is added to data to ensure that the original data have not been altered.
- Helps to detect transposition and transcription errors.

Parity Bits - CORRECT ANSWER
- A parity bit records whether the number of 1 bits in a unit of data is odd or even. Under even parity the parity bit is 1 if the number of 1 bits is odd and 0 if it is even, so that data plus parity always carry an even number of 1 bits.
- Verified by the receiving computer to ensure data completeness and integrity during transmission.
- Used to check the completeness of data transmissions. It is a hardware control that detects data errors when data are read from one computer to another, from memory or during transmission.

Checksum - CORRECT ANSWER
- Works on the same principle as parity but, by applying more complex arithmetic over a whole block of data, can detect more complex (multi-bit) errors.

Forward Error Control - CORRECT ANSWER
- Works on the same principle as CRC but also corrects the error: the redundant bits give the receiver enough information to correct errors without asking for retransmission.

Atomicity - CORRECT ANSWER
- A property of database systems where a transaction must be all-or-nothing: the transaction either happens fully or does not happen at all.
- If an error or interruption occurs, all changes made up to that point are backed out (rolled back).

Critical Path Methodology (CPM) - CORRECT ANSWER
- A technique for estimating project duration. Every project has at least one critical path.
- The critical path is the sequence of activities whose total duration is the longest of all paths through the project; its length is therefore the shortest possible time in which the project can be completed.
- Activities on the critical path have zero slack time; equivalently, activities with zero slack time are on the critical path.
- Slack time is the amount of time an activity can be delayed without impacting the completion date of the project.
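The Check Digit, Parity Bits and Checksum/Forward Error Control cards above describe these controls in words only. The following Python is an added example, not part of the original study notes, that implements the three detection controls on constructed inputs and shows the caveat a practitioner should know: a parity bit cannot see an even number of flipped bits, while a CRC over the same segment still catches them. The cards do not name specific algorithms, so the modulus-10 (Luhn) check digit, even parity over one byte and the standard library's CRC-32 are assumptions made here.

```python
"""Added example (not from the original study notes): check digit, parity bit
and CRC redundancy check on constructed inputs. Luhn, even parity and CRC-32
are assumptions; the page names no specific algorithm."""
import zlib
from typing import Optional


# --- Check digit (modulus 10 / Luhn) ---------------------------------------
def luhn_check_digit(payload: str) -> str:
    """Check digit for a string of decimal digits. Doubling every second digit
    from the right is what makes the result sensitive to adjacent transpositions."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:                      # rightmost payload digit and every second one leftwards
            d = d * 2 - 9 if d > 4 else d * 2   # digit sum of the doubled value
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """Validate a number whose last digit is its check digit."""
    return luhn_check_digit(number[:-1]) == number[-1]


# --- Parity bit (even parity over one byte) --------------------------------
def even_parity_bit(byte: int) -> int:
    """1 if the byte has an odd number of 1 bits, else 0, so that data plus
    parity always carry an even number of 1 bits."""
    return bin(byte & 0xFF).count("1") % 2


def parity_ok(byte: int, parity: int) -> bool:
    """Receiver side: recompute the parity bit and compare it with the one sent."""
    return even_parity_bit(byte) == parity


# --- Redundancy check (CRC-32 appended to each data segment) ---------------
def frame(segment: bytes) -> bytes:
    """Append the CRC-32 of the segment (4 bytes, big-endian) to the segment."""
    return segment + zlib.crc32(segment).to_bytes(4, "big")


def unframe(framed: bytes) -> Optional[bytes]:
    """Strip and verify the CRC; return the payload, or None on a mismatch."""
    segment, crc = framed[:-4], int.from_bytes(framed[-4:], "big")
    return segment if zlib.crc32(segment) == crc else None


def demo() -> dict:
    """Run the three controls against constructed errors and return what each caught."""
    results = {}
    payload = "7992739871"                                  # constructed account number
    acct = payload + luhn_check_digit(payload)              # check digit appended
    results["check_digit"] = acct[-1]
    results["valid_original"] = luhn_valid(acct)
    results["transposition_caught"] = not luhn_valid("79927398173")   # adjacent 7,1 swapped
    results["transcription_caught"] = not luhn_valid("79957398713")   # one digit 2 -> 5

    data = 0b01101001                                       # four 1 bits -> parity bit 0
    p = even_parity_bit(data)
    results["parity_bit"] = p
    results["single_flip_caught"] = not parity_ok(data ^ 0b00000001, p)
    results["double_flip_caught"] = not parity_ok(data ^ 0b00000011, p)   # parity misses this

    framed = frame(b"PAY 100.00 TO ACCT 79927398713")       # constructed message
    corrupted = bytearray(framed)
    corrupted[0] ^= 0b00000011                              # the same two-bit error, framed with a CRC
    results["crc_original_ok"] = unframe(framed) is not None
    results["crc_double_flip_caught"] = unframe(bytes(corrupted)) is None
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running demo() shows the transposition and the transcription error both failing the check-digit test, the single-bit flip failing parity, the two-bit flip passing parity (double_flip_caught is False) and the same two-bit error being rejected by the CRC.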
- Thus zero slack time makes an activity critical, and concentrating on such activities helps to reduce the overall project completion time.

Program Evaluation Review Technique (PERT) - CORRECT ANSWER
- A technique for estimating project duration.
- Advantage of PERT over CPM: CPM considers only a single duration per activity, whereas PERT considers three scenarios, i.e. optimistic (best), pessimistic (worst) and normal (most likely), and from the three arrives at a single critical path.
- PERT is more reliable than CPM for estimating project duration.

Gantt Chart - CORRECT ANSWER
- The progress of the entire project can be read from the chart to determine whether the project is behind, ahead of or on schedule compared with the baseline project plan.
- Can also be used to track the achievement of milestones.

Function Point Analysis (FPA) - CORRECT ANSWER
- An indirect method of software size estimation.
- Function points are a unit of measure for software size, much as an hour measures time, a mile measures distance or a degree Celsius measures temperature.
- The count is based on the number and complexity of inputs, outputs, files, interfaces and queries.
- FPA is more reliable than SLOC.

Counting Source Lines of Code (SLOC) - CORRECT ANSWER
- SLOC is a direct method of software size estimation.

Earned Value Analysis (EVA) - CORRECT ANSWER
- EVA compares the following metrics at regular intervals: (i) budget to date, (ii) actual spending to date, (iii) estimate to complete and (iv) estimate at completion.
- It compares the planned amount of work with what has actually been completed to determine whether the cost, schedule and work accomplished are progressing in accordance with the plan.
- EVA is based on the premise that if a project task is assigned 24 hours for completion, it can reasonably be completed in that time frame. For example, a development team has spent eight hours of activity on the first day against a budget of 24 hours (over three days).
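The PERT, CPM and EVA cards above describe the techniques only in words. The following Python is an added example, not part of the original study notes, that runs all three on a constructed six-activity project: PERT three-point estimates produce the single duration per activity that CPM needs, a forward and backward pass yields slack and the critical path, and earned_value() carries the EVA card's 24-hour example through to its variances. The activity names, their (optimistic, most likely, pessimistic) durations and the dependencies are assumptions made for the demo.

```python
"""Added example (not from the original study notes): PERT estimates feeding a
CPM critical-path calculation, plus the EVA figures from the card above.
The six-activity project is constructed; the EVA numbers are the card's own."""


def pert_expected(optimistic: float, most_likely: float, pessimistic: float) -> float:
    """PERT weighted duration (O + 4M + P) / 6: the single value CPM works with."""
    return (optimistic + 4 * most_likely + pessimistic) / 6


def critical_path(activities: dict) -> dict:
    """Forward and backward pass over {name: (duration, [predecessors])}.

    Activities must be listed so that every predecessor appears before the
    activity that depends on it. Returns project duration, per-activity slack
    and the zero-slack activities, i.e. the critical path."""
    es, ef = {}, {}
    for name, (dur, preds) in activities.items():              # forward pass
        es[name] = max((ef[p] for p in preds), default=0.0)    # earliest start
        ef[name] = es[name] + dur                              # earliest finish
    project_duration = max(ef.values())
    successors = {n: [m for m, (_, ps) in activities.items() if n in ps] for n in activities}
    ls, lf = {}, {}
    for name in reversed(list(activities)):                    # backward pass
        lf[name] = min((ls[s] for s in successors[name]), default=project_duration)
        ls[name] = lf[name] - activities[name][0]              # latest start
    slack = {n: round(ls[n] - es[n], 6) for n in activities}   # delay possible without slipping the end date
    return {
        "duration": project_duration,
        "slack": slack,
        "critical": [n for n in activities if slack[n] == 0],
    }


def earned_value(budget: float, days_elapsed: int, total_days: int,
                 actual_cost: float, estimate_to_complete: float) -> dict:
    """EVA metrics. Earned value is taken as budget minus estimate to complete,
    which is how the card's example derives the value of the work done so far."""
    pv = budget * days_elapsed / total_days                    # planned value to date
    ev = budget - estimate_to_complete                         # value of work actually done
    return {
        "planned_value": pv,
        "earned_value": ev,
        "schedule_variance": ev - pv,                          # negative = behind schedule
        "cost_variance": ev - actual_cost,                     # negative = over budget
        "estimate_at_completion": actual_cost + estimate_to_complete,
    }


def demo() -> dict:
    """Constructed project: activity -> ((optimistic, most likely, pessimistic), predecessors)."""
    three_point = {
        "A": ((2, 3, 4), []),
        "B": ((3, 5, 7), ["A"]),
        "C": ((1, 2, 3), ["A"]),
        "D": ((4, 6, 8), ["B"]),
        "E": ((1, 2, 9), ["C"]),
        "F": ((1, 1, 1), ["D", "E"]),
    }
    network = {n: (pert_expected(*omp), preds) for n, (omp, preds) in three_point.items()}
    cpm = critical_path(network)
    # The card's example: 24 budgeted hours over three days, 8 hours spent on
    # day one, 20 hours still estimated to complete.
    eva = earned_value(budget=24, days_elapsed=1, total_days=3,
                       actual_cost=8, estimate_to_complete=20)
    return {"cpm": cpm, "eva": eva}


if __name__ == "__main__":
    out = demo()
    print("critical path:", " -> ".join(out["cpm"]["critical"]), "duration:", out["cpm"]["duration"])
    print("slack:", out["cpm"]["slack"])
    print("eva:", out["eva"])
```

For the constructed project the path A, B, D, F is critical at 15 time units, C and E each carry 6 units of slack, and the EVA figures come out as planned value 8, earned value 4 and a schedule variance of minus 4 hours, which is the 4-hour delay the card states.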
- The projected time to complete the remainder of the activity is 20 hours, so the value of the work actually completed indicates a delay of 4 hours against schedule.

Time-box Management - CORRECT ANSWER
- Its major advantage is that it prevents project cost overruns and delays from the scheduled delivery.
- Used for prototyping or rapid application development, where the project needs to be completed within a fixed time frame.
- It integrates system and user acceptance testing but does not eliminate the need for a quality process.

What is a Decision Support System (DSS)? - CORRECT ANSWER
- An interactive system that supports semi-structured decision making. It collects data from varied sources and provides useful information to managers.
- Examples of the information it provides: comparative sales figures between one week and the next; projected revenue figures based on various assumptions; evaluation of alternatives on the basis of past experience.

Characteristics of DSS - CORRECT ANSWER
- Handles unstructured problems; supports semi-structured or less structured decisions.
- Flexible and adaptable to a changing environment and to the decision-making approach of the users.

DSS Efficiency vs Effectiveness - CORRECT ANSWER
- A principle of DSS design is to concentrate less on efficiency (i.e. performing tasks quickly and reducing costs) and more on effectiveness (i.e. performing the right task).

DSS Design & Development - CORRECT ANSWER
- Prototyping is the most popular approach to DSS design and development.

DSS Implementation Risks - CORRECT ANSWER
- Non-existent or unwilling users
- Multiple users or implementers
- Disappearing users, implementers and maintainers
- Inability to specify purpose or usage patterns in advance
- Inability to predict and cushion the impact on all parties
- Lack or loss of support
- Lack of experience with similar systems
- Technical problems and cost-effectiveness issues

Agile Development - CORRECT ANSWER
- Allows the programmer to start writing a program without spending much time on pre-planning documentation.
- Less importance is placed on formal paper-based deliverables; the preference is to produce releasable software in short iterations, typically ranging from 4 to 8 weeks.
- At the end of each iteration the team considers and documents what worked well and what could have worked better, and identifies improvements to be implemented in subsequent iterations.

Prototyping - CORRECT ANSWER
- The process of creating systems through controlled trial and error.
- A prototype is an early sample or model used to test a concept or process: a small-scale working system used to test assumptions. Assumptions may be about user requirements, program design or internal logic.
- Can provide the organization with significant time and cost savings.
- By focusing mainly on what the user wants and sees, developers may miss some of the controls that come from the traditional systems development approach; a potential risk is therefore that the finished system will have poor controls.

Rapid Application Development (RAD) - CORRECT ANSWER
- Includes the use of: small and well-trained development teams; prototypes; tools to support modelling, prototyping and component reusability; a central repository; rigid limits on development time frames.
- Enables the organization to develop systems quickly while reducing development cost and maintaining quality.
- Relies on a prototype that can be updated continually to meet changing user or business requirements.

Object-Oriented System Development (OOSD) - CORRECT ANSWER
- OOSD is a programming technique, not a software development methodology.
- In an object-oriented language the application is made up of smaller components (objects).
- One major benefit is the ability to reuse objects.
- OO uses a technique called encapsulation: an object's data and the logic that operates on it are bundled together behind an interface, so one object interacts with another only through that interface (by sending it messages) rather than by reaching into its internal data.
- This is common practice: any particular object may call other objects to perform its work.

Component-Based Development - CORRECT ANSWER
- Can be regarded as an outgrowth of object-oriented development.

Software Reengineering - CORRECT ANSWER
- The process of updating an existing system by extracting and reusing design and program components.
- Used to support major changes in the way an organization operates.

Reverse Engineering - CORRECT ANSWER
- The process of studying and analyzing an application; the information obtained is used to develop a similar system.

Load Testing - CORRECT ANSWER
- Evaluates the performance of the software under normal and peak conditions.

Stress Testing - CORRECT ANSWER
- Determines the capacity of the software to cope with an abnormal number of users or simultaneous operations.

Recovery Testing - CORRECT ANSWER
- Evaluates the ability of a system to recover after a failure.

Volume Testing - CORRECT ANSWER
- Evaluates the impact of an incremental volume of records (not users) on a system.

Mapping - CORRECT ANSWER
- Identifies specific program logic that has not been tested; analyzes programs during execution to indicate whether program statements have been executed.

Sequence Check - CORRECT ANSWER
- Refers to the continuity of serial numbers within the number range on documents; a gap or duplicate indicates a missing or repeated document.

Atomicity - CORRECT ANSWER
- The principle that data integrity is maintained by ensuring that a transaction is either completed in its entirety or not at all.

Control Totals - CORRECT ANSWER
- Relational integrity testing used to detect modification of sensitive data.
- Used to ensure that batch data are completely and accurately transferred between two systems.

Redundancy Check - CORRECT ANSWER
- Detects transmission errors by appending calculated bits to the end of each segment of data.

Run-to-Run Totals - CORRECT ANSWER
- A processing control that ensures the completeness and accuracy of accumulated data.
- Provides the ability to verify data values through the stages of application processing.

Parity Bits - CORRECT ANSWER
- Used to check the completeness of data transmissions.
- Used within a network to make sure a transmission reached its destination in its entirety.

Check Digit - CORRECT ANSWER
- A numeric value that has been calculated mathematically and added to data to ensure that the original data have not been altered, or an incorrect but valid value substituted.

Key Verification - CORRECT ANSWER
- Occurs when one employee enters the amount field and another employee re-enters the same data; the two entries are compared.

Completeness Check - CORRECT ANSWER
- Used to determine whether a field contains data and not zeros or blanks.

ACID - CORRECT ANSWER
- Atomicity: a transaction is completed in its entirety or not at all.
- Consistency: ensures that all integrity conditions of the database are maintained with each transaction.
- Isolation: ensures that each transaction is isolated from other transactions, so each transaction accesses only data that are part of a consistent database state.
- Durability: ensures that when a transaction has been reported back to a user as complete, the resulting changes to the database will survive subsequent hardware or software failures.

Quality Assurance Testing (QAT) - CORRECT ANSWER
- Focuses on the technical aspects of the system and verifies that the system works as per the documented specifications.

White Box Testing - CORRECT ANSWER
- Examines a program's internal logic structure.
- Used for unit and integration testing.

Black Box Testing - CORRECT ANSWER
- A dynamic analysis tool for testing software modules.
- Tests functionality without regard to the actual internal program structure.
- Used for integration and user acceptance testing.
- Ensures that expected results are produced from defined inputs.

Applets - CORRECT ANSWER
- Improve the performance of the web server and network in an Internet application: applets transfer some of the processing load to the client, thereby reducing the load on the server.

Regression Testing - CORRECT ANSWER
- The process of rerunning tests to ensure that modifications have not introduced new errors.

User Acceptance Testing (UAT) - CORRECT ANSWER
- Also known as final acceptance testing.
- Failure of UAT results in the greatest impact to the organization in terms of delays and cost overruns, compared with failing other systems development tests.
- Occurs during the SDLC implementation phase.

Quality Assurance group is primarily responsible for: - CORRECT ANSWER
- Ensuring that programs, program changes and documentation adhere to established standards.

Common Gateway Interface (CGI) - CORRECT ANSWER
- Most often used as a consistent way of transferring data to the application program and back to the user.

Advantages of using top-down testing - CORRECT ANSWER
- Tests of major functions and processing are conducted early.
- Interface errors are detected sooner.
- User and programmer confidence in the system is raised.
- It is most effective during the initial phases of development or prototyping.

Systems Testing - CORRECT ANSWER
- A series of tests to ensure that all components work properly together; evaluates the system's functionality.

Waterfall Life Cycle Model - CORRECT ANSWER
- Most appropriately used when requirements are well understood and are expected to remain stable, as is the business environment in which the system will operate.

Most common reason for the failure of information systems to meet the needs of users - CORRECT ANSWER
- User participation in defining the system's requirements was inadequate.
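The Completeness Check, Sequence Check, Control Totals, Run-to-Run Totals and ACID cards above describe each control on its own. The following Python is an added example, not part of the original study notes, that chains them around an SQLite posting step: the input controls reject a batch before any processing, run-to-run totals are balanced after posting, and a record that fails part-way through processing rolls back the whole batch, which is the atomicity property of ACID in action. The table layout, the batch header format and the three sample batches are constructed for the demo.

```python
"""Added example (not from the original study notes): batch input controls,
run-to-run totals and an atomic posting step in SQLite. Ledger layout, batch
format and sample batches are constructed."""
import sqlite3
from typing import List, Tuple


def open_ledger() -> sqlite3.Connection:
    """In-memory ledger with two seeded balances (constructed data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE ledger (acct TEXT PRIMARY KEY, balance INTEGER NOT NULL)")
    con.execute("CREATE TABLE posted (doc_no INTEGER PRIMARY KEY, acct TEXT, amount INTEGER)")
    con.executemany("INSERT INTO ledger VALUES (?, ?)", [("A1", 1000), ("A2", 500)])
    con.commit()
    return con


def input_controls(header: dict, records: List[Tuple]) -> List[str]:
    """Header-versus-detail validation. Returns a list of exceptions (empty = batch passes)."""
    errors = []
    # Completeness check: every field present, not blank and not zero.
    for doc_no, acct, amount in records:
        if not doc_no or not acct or not acct.strip() or not amount:
            errors.append(f"completeness: doc {doc_no!r} has a blank or zero field")
    # Sequence check: document numbers continuous over the header's range, no gaps or duplicates.
    seen = sorted(r[0] for r in records if r[0])
    expected = list(range(header["first_doc"], header["last_doc"] + 1))
    if seen != expected:
        missing = sorted(set(expected) - set(seen))
        dupes = sorted({d for d in seen if seen.count(d) > 1})
        errors.append(f"sequence: missing {missing}, duplicated {dupes}")
    # Control totals: record count and hash total of amounts must agree with the header.
    if len(records) != header["record_count"]:
        errors.append(f"control total: {len(records)} records, header says {header['record_count']}")
    amount_sum = sum(r[2] for r in records)
    if amount_sum != header["amount_total"]:
        errors.append(f"control total: amounts sum to {amount_sum}, header says {header['amount_total']}")
    return errors


def post_batch(con: sqlite3.Connection, header: dict, records: List[Tuple]) -> dict:
    """Validate, post every record in ONE transaction, then balance run-to-run totals."""
    errors = input_controls(header, records)
    if errors:
        return {"posted": False, "errors": errors}
    before = con.execute("SELECT SUM(balance) FROM ledger").fetchone()[0]   # run-to-run total in
    try:
        with con:   # sqlite3 context manager: COMMIT on success, ROLLBACK on any exception
            for doc_no, acct, amount in records:
                updated = con.execute("UPDATE ledger SET balance = balance + ? WHERE acct = ?",
                                      (amount, acct)).rowcount
                if updated != 1:
                    raise ValueError(f"doc {doc_no}: unknown account {acct}")
                con.execute("INSERT INTO posted VALUES (?, ?, ?)", (doc_no, acct, amount))
    except ValueError as exc:
        return {"posted": False, "errors": [f"processing: {exc} (batch rolled back)"]}
    after = con.execute("SELECT SUM(balance) FROM ledger").fetchone()[0]    # run-to-run total out
    balanced = after == before + header["amount_total"]                      # batch balancing
    return {"posted": True, "errors": [], "before": before, "after": after, "balanced": balanced}


def demo() -> dict:
    """Three constructed batches: one clean, one failing input controls, one failing mid-posting."""
    con = open_ledger()
    good_header = {"first_doc": 101, "last_doc": 103, "record_count": 3, "amount_total": 60}
    good_batch = [(101, "A1", 10), (102, "A2", 20), (103, "A1", 30)]
    # Document 105 is missing and the hash total no longer agrees with the details.
    bad_header = {"first_doc": 104, "last_doc": 106, "record_count": 3, "amount_total": 45}
    bad_batch = [(104, "A1", 15), (106, "A2", 15)]
    # Input controls pass, but the third record names an account that does not exist:
    # the first two updates must not survive (atomicity).
    orphan_header = {"first_doc": 107, "last_doc": 109, "record_count": 3, "amount_total": 30}
    orphan_batch = [(107, "A1", 10), (108, "A2", 10), (109, "ZZ", 10)]
    results = {
        "good": post_batch(con, good_header, good_batch),
        "bad": post_batch(con, bad_header, bad_batch),
        "orphan": post_batch(con, orphan_header, orphan_batch),
        "ledger_total": con.execute("SELECT SUM(balance) FROM ledger").fetchone()[0],
        "posted_docs": [r[0] for r in con.execute("SELECT doc_no FROM posted ORDER BY doc_no")],
    }
    con.close()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The clean batch posts and balances (1500 before, 1560 after). The second batch never reaches the database: the sequence check reports the missing document and both control totals disagree with the header. The third batch passes every input control, yet after its rollback the ledger total is still 1560 and only documents 101 to 103 are recorded as posted, which is exactly what a run-to-run total would confirm at the next processing stage.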
Advantages of using bottom-up testing - CORRECT ANSWER
- Can be started before all programs are complete.
- Errors in critical modules are found early.

SDLC Planning Phase - CORRECT ANSWER
- The phases and deliverables of an SDLC project should be determined at the outset.
- Six phases in total.

SDLC Phase 1 - CORRECT ANSWER
- Feasibility: development of the business case, including return on investment.

SDLC Phase 2 - CORRECT ANSWER
- Requirements: identify and specify the business requirements for the system.
- Early engagement of key users helps ensure that business requirements are met during software development.
- UAT plans are normally prepared in this phase.
- IS auditors should ensure that the security requirements of a new application development project are defined in the requirements phase.

SDLC Phase 3 - CORRECT ANSWER
- Design: program and database specifications; security considerations.
- Procedures to prevent scope creep should be baselined in the design phase.
- System flowcharts and entity-relationship diagrams are developed.
- Input/output definitions (screen designs, reports) are developed.
- The data file or database system is determined.
- Software baselining.

SDLC Phase 4 - CORRECT ANSWER
- Development: addressed primarily by application programmers and systems analysts.
- Application and system testing is performed in this phase.

SDLC Phase 5 - CORRECT ANSWER
- Implementation: UAT is performed.
- QAT focuses on the technical aspects of the system and verifies that the system works as per the documented specifications.

SDLC Phase 6 - CORRECT ANSWER
- Post-implementation review: should be performed jointly by project management and appropriate end users.
- IS auditors who were involved in the project should not perform the post-implementation review.
- Primary objective: assess whether the expected project benefits were realized.

Batch Balancing - CORRECT ANSWER
- Used to verify output results and control totals by matching them against the input data and control totals.

Rapid Application Development (RAD) - CORRECT ANSWER
- Allows quicker development of strategically important systems.
- Uses rigid time-frame limits through time-box management.
- Integrates system and user acceptance testing.
- Reduces costs while maintaining quality by incorporating prototyping.

Component-Based Development - CORRECT ANSWER
- Assembling applications from cooperating packages of executable software that interact through well-defined and controlled interfaces. It is characterized by:
- Significance for web-based applications.
- Improved quality.
- Allowing developers to focus more strongly on business functionality.
- Object-oriented design and development techniques that facilitate the reuse of modules.
- Reduced development cost.

Prototyping Development Method - CORRECT ANSWER
- The process of creating a system through controlled trial-and-error procedures to reduce the risk in developing the system.
- Reduces the time to deploy systems by using faster development tools such as 4GL programming languages.
- A potential risk is that the finished system will have poor controls.
- Provides significant time and cost savings.
- Screens, interactive edits and sample reports are typical prototypes of an interactive application.

Integrated Development Environment (IDE) - CORRECT ANSWER
- Provides the benefit of expanding the programming resources and aids available.
- Uses an online programming facility to allow programmers to create programs interactively within an integrated development environment.
- Program libraries reside on the server.
- Provides for faster development and the use of standard, structured programming techniques.

Re-engineering - CORRECT ANSWER
- Enhances an existing system by extracting and reusing design and program components.

Evolutionary (Heuristic) Development - CORRECT ANSWER
- Uses prototyping to develop the specifications.

Service-Oriented Architecture (SOA) - CORRECT ANSWER
- A design pattern based on distinct pieces of software providing application functionality as services to other applications via a protocol. It is independent of any vendor, product or technology.

4GL Languages - CORRECT ANSWER
- Fourth-generation languages are high-level computer languages that provide fast iteration through successive designs.

Integrated Test Facility (ITF) - CORRECT ANSWER
- Periodic testing does not require separate test processes: ITF creates a fictitious entity in the database to process test transactions simultaneously with live input.
- Test data must be isolated from production data.

During the development of an application, quality assurance testing and user acceptance testing were combined. The MAJOR concern for an IS auditor reviewing the project is that there will be: - CORRECT ANSWER
- Improper acceptance of a program. The major risk of combining quality assurance testing and user acceptance testing is that the users may apply pressure to accept a program that meets their needs even though it does not meet quality assurance standards.

An IS auditor is involved in a reengineering process that aims to optimize the IT infrastructure. Which of the following will BEST identify the issues to be resolved? - CORRECT ANSWER
- Gap analysis. A gap analysis indicates which parts of the current processes conform to good practice (the desired state) and which do not.

When implementing an application software package, which of the following presents the GREATEST risk?
- CORRECT ANSWER Incorrectly set parameters.

Earned Value Analysis (EVA) - CORRECT ANSWER
- A method for measuring a project's progress at any given point in time, forecasting its completion date and final cost, and analyzing variances in the schedule and budget as the project proceeds.
- It compares the planned amount of work with what has actually been completed to determine whether the cost, schedule and work accomplished are progressing in accordance with the plan.
- Works most effectively if a well-formed work breakdown structure exists.

The MAJOR advantage of a component-based development approach is the: - CORRECT ANSWER
- Support of multiple development environments.

Gantt Chart - CORRECT ANSWER
- Helps to identify activities that have been completed early or late through comparison to a baseline. The progress of the entire project can be read from the Gantt chart to determine whether the project is behind, ahead of or on schedule.

Software Baseline - CORRECT ANSWER
- Provides a cutoff point for the design of the system and allows the project to proceed as scheduled without being delayed by scope creep.

An organization has implemented an online customer help desk application using a software as a service (SaaS) operating model. An IS auditor is asked to recommend the best control to monitor the service level agreement (SLA) with the SaaS vendor as it relates to availability. What is the BEST recommendation that the IS auditor can provide?
a) Ask the SaaS vendor to provide a weekly report on application uptime.
b) Implement an online polling tool to monitor the application and record outages.
c) Log all application outages reported by users and aggregate the outage time weekly.
d) Contract an independent third party to provide weekly reports on application uptime.
- CORRECT ANSWER (b) Implement an online polling tool to monitor and record application outages. This is the best option for the organization to monitor the availability of the SaaS application. Comparing internal reports with the vendor's SLA reports ensures that the vendor's monitoring of the SLA is accurate and that any conflicts are appropriately resolved.
(a) is incorrect: weekly application availability reports are useful, but they represent only the vendor's perspective. The organization can raise concerns about inaccuracy while monitoring these reports, but without internal monitoring such concerns cannot be substantiated.
(c) is incorrect: logging the outage times reported by users is helpful but does not give a true picture of all outages of the online application. Some outages may go unreported, especially if they are intermittent.
(d) is incorrect: contracting a third party to implement availability monitoring is not a cost-effective option, and it shifts the problem from monitoring the SaaS vendor to monitoring the third party.

Which of the following would an IS auditor consider to be the MOST important to review when conducting a disaster recovery audit?
a) A hot site is contracted for and available as needed.
b) A business continuity manual is available and current.
c) Insurance coverage is adequate and premiums are current.
d) Data backups are performed timely and stored offsite.
- CORRECT ANSWER (d) Data backups are performed timely and stored offsite. Without data to process, all other components of the recovery effort are in vain; even in the absence of a plan, recovery efforts of any type would not be practical without data to process.
(a) is incorrect: a hot site is important, but it is of no use if there are no data backups for it.
(b) is incorrect: a business continuity manual is advisable but is not the most important item in a disaster recovery audit.
(c) is incorrect: insurance coverage should be adequate to cover costs but is not as important as having the data backup.

During the audit of a database server, which of the following would be considered the GREATEST exposure?
a) The password on the administrator account does not expire.
b) Default global security settings for the database remain unchanged.
c) Old data have not been purged.
d) Database activity is not fully logged.
- CORRECT ANSWER (b) Default global security settings for the database remain unchanged. Default security settings could allow issues such as blank user passwords or passwords that are the same as the username.
(a) is incorrect: a non-expiring password is a risk and an exposure, but not as serious a risk as a weak password or the continued use of default settings.
(c) is incorrect: failure to purge old data may present a performance issue but is not an immediate security concern.
(d) is incorrect: not logging all database activity is a potential risk, but not as serious a risk as default settings.

What is the BEST backup strategy for a large database with data supporting online sales?
a) Weekly full backup with daily incremental backup
b) Daily full backup
c) Clustered servers
d) Mirrored hard disks
- CORRECT ANSWER (d) Mirrored hard disks. This ensures that all data are written to more than one disk, so that the failure of one disk will not result in loss of data. (Note that mirroring protects against media failure only: a logical error, corruption or deletion is mirrored as well, so it complements rather than replaces periodic backups kept offsite.)
(a) is incorrect: this is a poor backup strategy for online transactions.
Because this system supports online sales it can be difficult to recreate lost data, and this solution may result in the loss of up to one day's worth of data.
(b) is incorrect: a full backup normally requires a couple of hours, so it can be impractical to conduct a full backup every day.
(c) is incorrect: clustered servers provide redundant processing capability but are not a backup.

Which of the following business continuity plan tests involves participation of relevant members of the crisis management/response team to practice proper coordination?
a) Tabletop
b) Functional
c) Full-scale
d) Deskcheck
- CORRECT ANSWER (a) Tabletop. The primary purpose of tabletop testing is to practice proper coordination: it involves all or some of the crisis team members and focuses more on coordination and communication issues than on technical process details.
(b) is incorrect: functional testing involves mobilization of personnel and resources at various geographic sites. It is a more in-depth test and is not primarily focused on coordination and communication.
(c) is incorrect: full-scale testing involves enterprise-wide participation and full involvement of external organizations.
(d) is incorrect: deskcheck testing requires the least effort of the options given. Its aim is to ensure the plan is up to date and to promote familiarity with the BCP among critical personnel from all areas.

An IS auditor is evaluating the effectiveness of the change management process in an organization. What is the MOST important control that the IS auditor should look for to ensure system availability?
a) Changes are authorized by IT managers at all times.
b) User acceptance testing is performed and properly documented.
c) Test plans and procedures exist and are closely followed.
d) Capacity planning is performed as part of each development project.
- CORRECT ANSWER (c) Test plans and procedures exist and are closely followed. The most important control for ensuring system availability is a sound test plan with procedures that are followed consistently.
(a) is incorrect: changes are usually required to be signed off by a business analyst, a member of the change control board or another authorized representative, not necessarily by IT management.
(b) is incorrect: user acceptance testing is important but is not a critical element of change control and would not usually address availability, as asked in the question.
(d) is incorrect: while capacity planning should be considered in each development project, it will not ensure system availability, nor is it part of the change control process.

Which of the following is an appropriate test method to apply to a business continuity plan?
a) Pilot
b) Paper
c) Unit
d) System
- CORRECT ANSWER (b) Paper. A paper test (sometimes called a deskcheck) is appropriate for testing a business continuity plan (BCP). It is a walk-through of the entire BCP, or part of it, involving the major players in the BCP's execution, who reason out what may happen in a particular disaster.
(a) is incorrect: a pilot test is used for implementing a new process or technology and is not appropriate for a BCP.
(c) is incorrect: a unit test is used to test new software components and is not appropriate for a BCP.
(d) is incorrect: a system test is an integrated test used to test a new IT system and is not appropriate for a BCP.

During the review of data file change management controls, which of the following BEST helps to decrease the research time needed to investigate exceptions?
a) One-for-one checking
b) Data file security
c) Transaction logs
d) File updating and maintenance authorization
- CORRECT ANSWER (c) Transaction logs. These generate an audit trail by providing a detailed list of the date and time of input, user ID, terminal location, etc. Research time for investigating exceptions is reduced because the review can be performed on the logs rather than on the entire transaction file. Logs also help to determine which transactions were posted to an account by a particular individual during a particular period.
(a) is incorrect: one-for-one checking is a control procedure in which each individual document is agreed to a detailed listing of documents processed by the system. It would take a long time to complete the research using this procedure.
(b) is incorrect: data file security controls prevent unauthorized users from altering data files. They would not help identify the transactions posted to an account.
(d) is incorrect: file updating and maintenance authorization is a control procedure for updating stored data and ensuring the accuracy and security of stored data. It does provide evidence about who updated the stored data, but it is not effective in the given situation for determining the transactions posted to an account.

During the review of an in-house developed application, the GREATEST concern to an IS auditor is if a:
a) user raises a change request and tests it in the test environment.
b) programmer codes a change in the development environment and tests it in the test environment.
c) manager approves a change request and then reviews it in production.
d) manager initiates a change request and subsequently approves it.
- CORRECT ANSWER (d) A manager initiates a change request and subsequently approves it. Initiating and subsequently approving a change request violates the principle of segregation of duties.
A person should not be able to approve their own requests. User raises a change request and tests it in the test environment is incorrect. Having a user involved in testing changes is common practice. Programmer codes a change in the development environment and tests it in the test environment is incorrect. Having a programmer code a change in development and then separately test the change in a test environment is a good practice and preferable over testing in production. Manager approves a change request and then reviews it in production is incorrect. Having a manager review a change to make sure it was done correctly is an acceptable practice. Code erroneously excluded from a production release was subsequently moved into the production environment, bypassing normal change procedures. Which of the following choices is of MOST concern to the IS auditor performing a postimplementation review? a) The code was missed during the initial implementation. b) The change did not have change management approval. c) The error was discovered during the postimplementation review. d) The release team used the same change order number. - CORRECT ANSWER The change did not have change management approval is correct. Change management approval of changes mitigates the risk of unauthorized changes being introduced to the production environment. Unauthorized changes might result in disruption of systems or fraud. It is, therefore, imperative to ensure that each change has appropriate change management approval. The code was missed during the initial implementation is incorrect. Although missing a component of a release is indicative of a process deficiency, it is of more concern that the missed change was promoted into the production environment without management approval. The error was discovered during the post-implementation review is incorrect. Most release/change control errors are discovered during post-implementation review. 
It is of greater concern that the change was promoted without management approval after it was discovered. The release team used the same change order number is incorrect. Using the same change order number is not a relevant concern. When reviewing the desktop software compliance of an organization, the IS auditor should be MOST concerned if the installed software: a) was installed, but not documented in the IT department records. b) was being used by users not properly trained in its use. c) is not listed in the approved software standards document. d) license will expire in the next 15 days. - CORRECT ANSWER Is not listed in the approved software standards document is correct. The installation of software that is not allowed by policy is a serious violation and could put the organization at security, legal and financial risk. Any software that is allowed should be part of a standard software list. This is the first thing to review because this would also indicate compliance with policies. Was installed, but not documented in the IT department records is incorrect. All software, including licenses, should be documented in IT department records, but this is not as serious as the violation of policy in installing unapproved software. Was being used by users not properly trained in its use is incorrect. Discovering that users have not been formally trained in the use of a software product is common, and while not ideal, most software includes help files and other tips that can assist in learning how to use the software effectively. License will expire in the next 15 days is incorrect. A software license that is about to expire is not a risk if there is a process in place to renew it. Business units are concerned about the performance of a newly implemented system. Which of the following should an IS auditor recommend? a) Develop a baseline and monitor system usage. b) Define alternate processing procedures. c) Prepare the maintenance manual. 
d) Implement the changes users have suggested. - CORRECT ANSWER Develop a baseline and monitor system usage is correct. An IS auditor should recommend the development of a performance baseline and monitor the system's performance against the baseline to develop empirical data upon which decisions for modifying the system can be made. Define alternate processing procedures is incorrect. Alternate processing procedures will not alter a system's performance, and no changes should be made until the reported issue has been examined more thoroughly. Prepare the maintenance manual is incorrect. A maintenance manual will not alter a system's performance or address the user concerns. Implement the changes users have suggested is incorrect. Implementing changes without knowledge of the cause(s) for the perceived poor performance may not result in a more efficient system. After a disaster declaration, the media creation date at a warm recovery site is based on the: a) recovery point objective. b) recovery time objective. c) service delivery objective. d) maximum tolerable outage. - CORRECT ANSWER Recovery point objective (RPO) is correct. This is determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption. The media creation date will reflect the point to which data are to be restored or the RPO. Recovery time objective is incorrect. This is the amount of time allowed for the recovery of a business function or resource after a disaster occurs. Service delivery objective is in correct. This is directly related to the business needs and is the level of service to be reached during the alternate process mode until the normal situation is restored. Maximum tolerable outage is incorrect. This is the maximum time that an organization can support processing in alternate mode. 
An IS auditor needs to review the procedures used to restore a software application to its state prior to an upgrade. Therefore, the auditor needs to assess: a) problem management procedures. b) software development procedures. c) backout procedures. d) incident management procedures. - CORRECT ANSWER Backout procedures is correct. These are used to restore a system to a previous state and are an important element of the change control process. The other choices are not related to the change control process—a process which specifies what procedures should be followed when software is being upgraded but the upgrade does not work and requires a fallback to its former state. Problem management procedures is incorrect. These are used to track user feedback and issues related to the operation of an application for trend analysis and problem resolution. Software development procedures is incorrect. These procedures such as the software development life cycle (SDLC) are used to manage the creation or acquisition of new or modified software. Incident management procedures is incorrect. These are used to manage errors or problems with system operation. They are usually used by a help desk. One of the incident management procedures may be how to follow a fallback plan. Emergency changes that bypass the normal change control process are MOST acceptable if: a) management reviews and approves the changes after they have occurred. b) the changes are reviewed by a peer at the time of the change. c) the changes are documented in the change control system by the operations department. d) management has preapproved all emergency changes. - CORRECT ANSWER Management reviews and approves the changes after they have occurred is correct. Because management cannot always be available when a system failure occurs, it is acceptable for changes to be reviewed and approved within a reasonable time period after they occur. 
The changes are reviewed by a peer at the time of the change is incorrect. Although peer review provides some accountability, management should review and approve all changes, even if that review and approval must occur after the fact. The changes are documented in the change control system by the operations department is incorrect. Documenting the event does not replace the need for a review and approval process to occur. Management has preapproved all emergency changes is incorrect. It is not a good control practice for management to ignore its responsibility by preapproving all emergency changes in advance without reviewing them. Unauthorized changes could then be made without management's knowledge. Which of the following is the BEST method to ensure that critical IT system failures do not recur? a) Invest in redundant systems. b) Conduct a follow-up audit. c) Monitor system performance. d) Perform root cause analysis. - CORRECT ANSWER Perform root cause analysis is correct. Root cause analysis determines the key reason an incident has occurred and allows for appropriate corrections that will help prevent the incident from recurring. Invest in redundant systems is incorrect. Redundancy may be a solution; however, a root cause analysis enables an educated decision to address the origin of the problem instead of simply assuming that system redundancy is the solution. Conduct a follow-up audit is incorrect. While an audit may discover the root cause of the problem, an audit is not a solution to an operational problem. Identifying the origins of operational failures needs to be part of day-to-day IT processes and owned by the IT department. Monitor system performance is incorrect. Use of monitoring tools is a means to gather data and can contribute to root cause analysis, but it does not by itself help prevent an existing problem from recurring. In a small organization, developers may release emergency changes directly to production. 
Which of the following will BEST control the risk in this situation? a) Approve and document the change the next business day. b) Limit developer access to production to a specific time frame. c) Obtain secondary approval before releasing to production. d) Disable the compiler option in the production machine. - CORRECT ANSWER Approve and document the change the next business day is correct. It may be appropriate to allow programmers to make emergency changes as long as they are documented and approved after the fact. Limit developer access to production to a specific time frame is incorrect. Restricting release time frame may help somewhat; however, it would not apply to emergency changes and cannot prevent unauthorized release of the programs. Obtain secondary approval before releasing to production is incorrect. This is not relevant in an emergency situation. Disable the compiler option in the production machine is incorrect. This is not relevant in an emergency situation. While reviewing the process for continuous monitoring of the capacity and performance of IT resources, an IS auditor should PRIMARILY ensure that the process is focused on: a) adequately monitoring service levels of IT resources and services. b) providing data to enable timely planning for capacity and performance requirements. c) providing accurate feedback on IT resource capacity. d) properly forecasting performance, capacity and throughput of IT resources. - CORRECT ANSWER Providing accurate feedback on IT resource capacity is correct. Accurate capacity monitoring of IT resources would be the most critical element of a continuous monitoring process. Adequately monitoring service levels of IT resources and services is incorrect. Continuous monitoring helps to ensure that service level agreements (SLAs) are met, but this would not be the primary focus of monitoring. It is possible that even if a system were offline, it would meet the requirements of an SLA. 
Therefore, accurate availability monitoring is more important. Providing data to enable timely planning for capacity and performance requirements is incorrect. While data gained from capacity and performance monitoring would be an input to the planning process, the primary focus would be to monitor availability. Properly forecasting performance, capacity and throughput of IT resources is incorrect. While continuous monitoring would help management to predict likely IT resource capabilities, the more critical issue would be that availability monitoring is accurate.
