CISA : Certified Information Systems Auditor : Part 144
An IS auditor who is reviewing incident reports discovers that, in one instance, an important document left on an employee’s desk was removed and put in the garbage by the outsourced cleaning staff. Which of the following should the IS auditor recommend to management?
- Stricter controls should be implemented by both the organization and the cleaning agency.
- No action is required since such incidents have not occurred in the past.
- A clear desk policy should be implemented and strictly enforced in the organization.
- A sound backup policy for all important office documents should be implemented.
Explanation:
An employee leaving an important document on a desk and the cleaning staff removing it may result in a serious impact on the business. Therefore, the IS auditor should recommend that strict controls be implemented by both the organization and the outsourced cleaning agency. That such incidents have not occurred in the past does not reduce the seriousness of their impact.
Implementing and monitoring a clear desk policy addresses only one part of the issue. Appropriate confidentiality agreements with the cleaning agency, along with ensuring that the cleaning staff has been educated on the dos and don’ts of the cleaning process, are also controls that should be implemented. The risk here is not a loss of data, but leakage of data to unauthorized sources. A backup policy does not address the issue of unauthorized leakage of information.
During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management function, and the organization’s operational risk documentation only contains a few broadly described IT risks. What is the MOST appropriate recommendation in this situation?
- Create an IT risk management department and establish an IT risk framework with the aid of external risk management experts.
- Use common industry standard aids to divide the existing risk documentation into several individual risks which will be easier to handle.
- No recommendation is necessary since the current approach is appropriate for a medium-sized organization.
- Establish regular IT risk management meetings to identify and assess risks, and create a mitigation plan as input to the organization’s risk management.
Explanation:
Establishing regular meetings is the best way to identify and assess risks in a medium-sized organization, to assign responsibilities to the respective management and to keep the risk list and mitigation plans up to date. A medium-sized organization would normally not have a separate IT risk management department. Moreover, the risks are usually manageable enough that external help would not be needed. While common risks may be covered by common industry standards, such standards cannot address the specific situation of an organization. Individual risks will not be discovered without a detailed assessment from within the organization; splitting the one broadly described risk position into several is not sufficient.
The IT balanced scorecard is a business governance tool intended to monitor IT performance evaluation indicators other than:
- financial results.
- customer satisfaction.
- internal process efficiency.
- innovation capacity.
Explanation:
Financial results have traditionally been the sole overall performance metric. The IT balanced scorecard (BSC) is an IT business governance tool aimed at monitoring IT performance evaluation indicators other than financial results. The IT BSC considers other key success factors, such as customer satisfaction, innovation capacity and internal process efficiency.
Before implementing an IT balanced scorecard, an organization must:
- deliver effective and efficient services.
- define key performance indicators.
- provide business value to IT projects.
- control IT expenses.
Explanation:
A definition of key performance indicators is required before implementing an IT balanced scorecard. Delivering effective and efficient services, providing business value to IT projects and controlling IT expenses are objectives that the scorecard measures, not prerequisites for implementing it.
Which of the following is the PRIMARY objective of an IT performance measurement process?
- Minimize errors
- Gather performance data
- Establish performance baselines
- Optimize performance
Explanation:
An IT performance measurement process can be used to optimize performance, measure and manage products/services, assure accountability and make budget decisions. Minimizing errors is an aspect of performance, but not the primary objective of performance management. Gathering performance data is a phase of the IT measurement process, and the data gathered would be used to evaluate performance against previously established performance baselines.
When auditing the proposed acquisition of a new computer system, an IS auditor should FIRST establish that:
- a clear business case has been approved by management.
- corporate security standards will be met.
- users will be involved in the implementation plan.
- the new system will meet all required user functionality.
Explanation:
The first concern of an IS auditor should be to establish that the proposal meets the needs of the business, and this should be established by a clear business case. Although compliance with security standards is essential, as is meeting the needs of the users and having users involved in the implementation process, it is too early in the procurement process for these to be an IS auditor’s first concern.
Documentation of a business case used in an IT development project should be retained until:
- the end of the system’s life cycle.
- the project is approved.
- user acceptance of the system.
- the system is in production.
Explanation:
A business case can and should be used throughout the life cycle of the product. It serves as an anchor for new (management) personnel, helps to maintain focus and provides valuable information on estimates vs. actuals. Questions like ‘why do we do that?’, ‘what was the original intent?’ and ‘how did we perform against the plan?’ can be answered, and lessons for developing future business cases can be learned. During the development phase of a project one should always validate the business case, as it is a good management instrument. After finishing a project and entering production, the business case and all the completed research are valuable sources of information that should be kept for further reference.
Which of the following risks could result from inadequate software baselining?
- Scope creep
- Sign-off delays
- Software integrity violations
- Inadequate controls
Explanation:
A software baseline is the cut-off point in the design and development of a system beyond which additional requirements or modifications to the design do not or cannot occur without undergoing formal strict procedures for approval based on a business cost-benefit analysis. Failure to adequately manage the requirements of a system through baselining can result in a number of risks. Foremost among these risks is scope creep, the process through which requirements change during development. Sign-off delays, software integrity violations and inadequate controls may not always result, but scope creep is inevitable.
The most common reason for the failure of information systems to meet the needs of users is that:
- user needs are constantly changing.
- the growth of user requirements was forecast inaccurately.
- the hardware system limits the number of concurrent users.
- user participation in defining the system’s requirements was inadequate.
Explanation:
Lack of adequate user involvement, especially in the system’s requirements phase, will usually result in a system that does not fully or adequately address the needs of the user. Only users can define what their needs are, and therefore what the system should accomplish.
Many IT projects experience problems because the development time and/or resource requirements are underestimated. Which of the following techniques would provide the GREATEST assistance in developing an estimate of project duration?
- Function point analysis
- PERT chart
- Rapid application development
- Object-oriented system development
Explanation:
A PERT chart will help determine project duration once all the activities and the work involved with those activities are known. Function point analysis is a technique for determining the size of a development task based on the number of function points. Function points are factors such as inputs, outputs, inquiries, logical internal files, etc. While this will help determine the size of individual activities, it will not assist in determining project duration since there are many overlapping tasks. Rapid application development is a methodology that enables organizations to develop strategically important systems faster while reducing development costs and maintaining quality, while object-oriented system development is the process of solution specification and modeling.
The reason for establishing a stop or freezing point on the design of a new system is to:
- prevent further changes to a project in process.
- indicate the point at which the design is to be completed.
- require that changes after that point be evaluated for cost-effectiveness.
- provide the project management team with more control over the project design.
Explanation:
Projects often have a tendency to expand, especially during the requirements definition phase. This expansion often grows to a point where the originally anticipated cost-benefits are diminished because the cost of the project has increased. When this occurs, it is recommended that the project be stopped or frozen to allow a review of all of the cost-benefits and the payback period, so that any change after the freeze point is evaluated for cost-effectiveness before it is accepted.
Change control for business application systems being developed using prototyping could be complicated by the:
- iterative nature of prototyping.
- rapid pace of modifications in requirements and design.
- emphasis on reports and screens.
- lack of integrated tools.
Explanation:
Changes in requirements and design happen so quickly that they are seldom documented or approved. The iterative nature of prototyping, the emphasis on reports and screens and the lack of integrated tools are characteristics of prototyping, but they do not have an adverse effect on change control.
An IS auditor finds that a system under development has 12 linked modules and each item of data can carry up to 10 definable attribute fields. The system handles several million transactions a year. Which of these techniques could an IS auditor use to estimate the size of the development effort?
- Program evaluation review technique (PERT)
- Counting source lines of code (SLOC)
- Function point analysis
- White box testing
Explanation:
Function point analysis is an indirect method of measuring the size of an application by considering the number and complexity of its inputs, outputs and files. It is useful for evaluating complex applications. PERT is a project management technique that helps with both planning and control. SLOC gives a direct measure of program size, but does not allow for the complexity that may be caused by having multiple, linked modules and a variety of inputs and outputs. White box testing involves a detailed review of the behavior of program code, and is a quality assurance technique suited to simpler applications during the design and build stage of development.
When planning to add personnel to tasks imposing time constraints on the duration of a project, which of the following should be revalidated FIRST?
- The project budget
- The critical path for the project
- The length of the remaining tasks
- The personnel assigned to other tasks
Explanation:
Since adding resources may change the route of the critical path, the critical path must be reevaluated to ensure that additional resources will in fact shorten the project duration. Given that there may be slack time available on some of the other tasks not on the critical path, factors such as the project budget, the length of other tasks and the personnel assigned to them may or may not be affected.
Which of the following is a characteristic of timebox management?
- Not suitable for prototyping or rapid application development (RAD)
- Eliminates the need for a quality process
- Prevents cost overruns and delivery delays
- Separates system and user acceptance testing
Explanation:
Timebox management, by its nature, sets specific time and cost boundaries. It is very suitable for prototyping and RAD, and integrates system and user acceptance testing, but does not eliminate the need for a quality process.
Which of the following should an IS auditor review to gain an understanding of the effectiveness of controls over the management of multiple projects?
- Project database
- Policy documents
- Project portfolio database
- Program organization
Explanation:
A project portfolio database is the basis for project portfolio management. It includes project data, such as owner, schedules, objectives, project type, status and cost. Project portfolio management requires specific project portfolio reports. A project database may contain the above for one specific project and updates to various parameters pertaining to the current status of that single project. Policy documents on project management set direction for the design, development, implementation and monitoring of the project. Program organization is the team required (steering committee, quality assurance, systems personnel, analyst, programmer, hardware support, etc.) to meet the delivery objective of the project.
To minimize the cost of a software project, quality management techniques should be applied:
- as close to their writing (i.e., point of origination) as possible.
- primarily at project start-up to ensure that the project is established in accordance with organizational governance standards.
- continuously throughout the project with an emphasis on finding and fixing defects primarily during testing to maximize the defect detection rate.
- mainly at project close-down to capture lessons learned that can be applied to future projects.
Explanation:
While it is important to properly establish a software development project, quality management should be effectively practiced throughout the project. The major source of unexpected costs on most software projects is rework. The general rule is that the earlier in the development life cycle a defect occurs, and the longer it takes to find and fix that defect, the more effort will be needed to correct it. A well-written quality management plan is a good start, but it must also be actively applied. Simply relying on testing to identify defects is a relatively costly and less effective way of achieving software quality. For example, an error in requirements discovered in the testing phase can result in scrapping significant amounts of work. Capturing lessons learned will be too late for the current project. Additionally, applying quality management techniques throughout a project is likely to yield its own insights into the causes of quality problems and assist in staff development.
When identifying an earlier project completion time, which is to be obtained by paying a premium for early completion, the activities that should be selected are those:
- whose sum of activity time is the shortest.
- that have zero slack time.
- that give the longest possible completion time.
- whose sum of slack time is the shortest.
Explanation:
A critical path’s activity time is longer than that for any other path through the network. This path is important because if everything goes as scheduled, its length gives the shortest possible completion time for the overall project. Activities on the critical path become candidates for crashing, i.e., for reduction in their time by payment of a premium for early completion. Activities on the critical path have zero slack time and conversely, activities with zero slack time are on a critical path. By successively relaxing activities on a critical path, a curve showing total project costs vs. time can be obtained.
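The two questions above (revalidating the critical path before adding personnel, and selecting zero-slack activities for crashing) both rest on the same forward/backward-pass calculation. The following is an added worked example, not part of the original question bank: it computes early/late start and finish, slack and the critical path for a constructed six-activity network, then "crashes" activities to show why the critical path must be recomputed after each change. The activity names, durations and the `crash` helper are assumptions made for illustration.

```python
"""Critical path method (CPM) on a small, constructed activity network.

Durations are in days. Each activity maps to (duration, list of predecessors).
"""

# Constructed example network (assumption, not from any real project):
# two paths, A-B-D-F (14 days) and A-C-E-F (10 days).
ACTIVITIES = {
    "A": (3, []),
    "B": (4, ["A"]),
    "C": (2, ["A"]),
    "D": (5, ["B"]),
    "E": (3, ["C"]),
    "F": (2, ["D", "E"]),
}


def topological_order(activities):
    """Order activities so every predecessor comes before its successors."""
    order, visited = [], set()

    def visit(name):
        if name in visited:
            return
        for pred in activities[name][1]:
            visit(pred)
        visited.add(name)
        order.append(name)

    for name in activities:
        visit(name)
    return order


def schedule(activities):
    """Forward and backward pass.

    Returns (table, duration) where table maps each activity to
    (early start, early finish, late start, late finish, slack).
    """
    order = topological_order(activities)
    # Forward pass: earliest an activity can start is when all predecessors finish.
    es, ef = {}, {}
    for name in order:
        dur, preds = activities[name]
        es[name] = max((ef[p] for p in preds), default=0)
        ef[name] = es[name] + dur
    duration = max(ef.values())
    # Backward pass: latest an activity can finish without delaying any successor.
    successors = {n: [] for n in activities}
    for name, (_, preds) in activities.items():
        for p in preds:
            successors[p].append(name)
    ls, lf = {}, {}
    for name in reversed(order):
        dur = activities[name][0]
        lf[name] = min((ls[s] for s in successors[name]), default=duration)
        ls[name] = lf[name] - dur
    table = {n: (es[n], ef[n], ls[n], lf[n], ls[n] - es[n]) for n in order}
    return table, duration


def critical_path(activities):
    """Activities with zero slack, in network order, plus the project duration."""
    table, duration = schedule(activities)
    return [n for n in table if table[n][4] == 0], duration


def crash(activities, name, days):
    """Copy of the network with one activity shortened (never below one day)."""
    new = dict(activities)
    dur, preds = new[name]
    new[name] = (max(1, dur - days), preds)
    return new


if __name__ == "__main__":
    path, days = critical_path(ACTIVITIES)
    print("critical path", path, "duration", days)          # A,B,D,F / 14
    # Paying to shorten C (slack 4) buys nothing: duration stays 14.
    print("crash C by 1 ->", critical_path(crash(ACTIVITIES, "C", 1)))
    # Shortening D by 4 brings both paths to 10 days; every activity is now critical.
    step1 = crash(ACTIVITIES, "D", 4)
    print("crash D by 4 ->", critical_path(step1))
    # A further cut on B shortens A-B-D-F to 9, but the project still takes 10:
    # the critical path has moved to A-C-E-F, so B no longer determines duration.
    step2 = crash(step1, "B", 1)
    print("then crash B by 1 ->", critical_path(step2))
```

The last two steps are the point of the "revalidate the critical path FIRST" question: after the first crash the route changes, and resources spent on B thereafter do not shorten the project at all.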
At the completion of a system development project, a post project review should include which of the following?
- Assessing risks that may lead to downtime after the production release
- Identifying lessons learned that may be applicable to future projects
- Verifying the controls in the delivered system are working
- Ensuring that test data are deleted
Explanation:
A project team has something to learn from each and every project. As risk assessment is a key issue for project management, it is important for the organization to accumulate lessons learned and integrate them into future projects. An assessment of potential downtime should be made with the operations group and other specialists before implementing a system. Verifying that controls are working should be covered during the acceptance test phase and possibly, again, in the post implementation review. Test data should be retained for future regression testing.
An IS auditor has been asked to participate in project initiation meetings for a critical project. The IS auditor’s MAIN concern should be that the:
- complexity and risks associated with the project have been analyzed.
- resources needed throughout the project have been determined.
- project deliverables have been identified.
- contract for external parties involved in the project has been completed.
Explanation:
Understanding complexity and risk, and actively managing these throughout a project are critical to a successful outcome. The other choices, while important during the course of the project, cannot be fully determined at the time the project is initiated, and are often contingent upon the risk and complexity of the project.