CISA : Certified Information Systems Auditor : Part 146

  1. What control detects transmission errors by appending calculated bits onto the end of each segment of data?

    • Reasonableness check
    • Parity check
    • Redundancy check
    • Check digits

    A redundancy check detects transmission errors by appending calculated bits onto the end of each segment of data. A reasonableness check compares data to predefined reasonability limits or occurrence rates established for the data. A parity check is a hardware control that detects data errors when data are read from one computer to another, from memory or during transmission. Check digits detect transposition and transcription errors.

  2. Which of the following is the GREATEST risk when implementing a data warehouse?

    • Increased response time on the production systems
    • Access controls that are not adequate to prevent data modification
    • Data duplication
    • Data that is not updated or current
    Once the data is in a warehouse, no modifications should be made to it and access controls should be in place to prevent data modification. Increased response time on the production systems is not a risk, because a data warehouse does not impact production data. Based on data replication, data duplication is inherent in a data warehouse. Transformation of data from operational systems to a data warehouse is done at predefined intervals, and as such, data may not be current.

  3. Which of the following will BEST ensure the successful offshore development of business applications?

    • Stringent contract management practices
    • Detailed and correctly applied specifications
    • Awareness of cultural and political differences
    • Post implementation reviews
    When dealing with offshore operations, it is essential that detailed specifications be created. Language differences and a lack of interaction between developers and physically remote end users could create gaps in communication in which assumptions and modifications may not be adequately communicated. Contract management practices, cultural and political differences, and post implementation reviews, although important, are not as pivotal to the success of the project.

  4. Which of the following is the GREATEST risk to the effectiveness of application system controls?

    • Removal of manual processing steps
    • Inadequate procedure manuals
    • Collusion between employees
    • Unresolved regulatory compliance issues
    Collusion is an active attack that can be sustained and is difficult to identify since even well-thought-out application controls may be circumvented. The other choices do not impact well-designed application controls.

  5. The MAIN purpose of a transaction audit trail is to:

    • reduce the use of storage media.
    • determine accountability and responsibility for processed transactions.
    • help an IS auditor trace transactions.
    • provide useful information for capacity planning.
    Enabling audit trails aids in establishing the accountability and responsibility for processed transactions by tracing them through the information system. Enabling audit trails increases the use of disk space. A transaction log file would be used to trace transactions, but would not aid in determining accountability and responsibility. The objective of capacity planning is the efficient and effective use of IT resources and requires information such as CPU utilization, bandwidth, number of users, etc.

  6. An appropriate control for ensuring the authenticity of orders received in an EDI application is to:

    • acknowledge receipt of electronic orders with a confirmation message.
    • perform reasonableness checks on quantities ordered before filling orders.
    • verify the identity of senders and determine if orders correspond to contract terms.
    • encrypt electronic orders.
    An electronic data interchange (EDI) system is subject not only to the usual risk exposures of computer systems but also to those arising from the potential ineffectiveness of controls on the part of the trading partner and the third-party service provider, making authentication of users and messages a major security concern. Acknowledging the receipt of electronic orders with a confirming message is good practice but will not authenticate orders from customers. Performing reasonableness checks on quantities ordered before placing orders is a control for ensuring the correctness of the company’s orders, not the authenticity of its customers’ orders. Encrypting sensitive messages is an appropriate step but does not apply to messages received.

  7. A manufacturing firm wants to automate its invoice payment system. Objectives state that the system should require considerably less time for review and authorization and the system should be capable of identifying errors that require follow up. Which of the following would BEST meet these objectives?

    • Establishing an inter-networked system of client servers with suppliers for increased efficiencies
    • Outsourcing the function to a firm specializing in automated payments and accounts receivable/invoice processing
    • Establishing an EDI system of electronic business documents and transactions with key suppliers, computer to computer, in a standard format
    • Reengineering the existing processing and redesigning the existing system
    EDI is the best answer. Properly implemented (e.g., agreements with trading partners on transaction standards, controls over network security mechanisms in conjunction with application controls), EDI is best suited to identify and follow up on errors more quickly, given reduced opportunities for review and authorization.

  8. An IS auditor is told by IS management that the organization has recently reached the highest level of the software capability maturity model (CMM). The software quality process MOST recently added by the organization is:

    • continuous improvement.
    • quantitative quality goals.
    • a documented process.
    • a process tailored to specific projects.
    An organization would have reached the highest level of the software CMM at level 5, optimizing. Quantitative quality goals can be reached at level 4 and below, a documented process is executed at level 3 and below, and a process tailored to specific projects can be achieved at level 3 or below.

  9. During the audit of an acquired software package, an IS auditor learned that the software purchase was based on information obtained through the Internet, rather than from responses to a request for proposal (RFP). The IS auditor should FIRST:

    • test the software for compatibility with existing hardware.
    • perform a gap analysis.
    • review the licensing policy.
    • ensure that the procedure had been approved.
    In the case of a deviation from the predefined procedures, an IS auditor should first ensure that the procedure followed for acquiring the software is consistent with the business objectives and has been approved by the appropriate authorities. The other choices are not the first actions an IS auditor should take. They are steps that may or may not be taken after determining that the procedure used to acquire the software had been approved.

  10. Failure in which of the following testing stages would have the GREATEST impact on the implementation of new application software?

    • System testing
    • Acceptance testing
    • Integration testing
    • Unit testing
    Acceptance testing is the final stage before the software is installed and is available for use. The greatest impact would occur if the software fails at the acceptance testing level, as this could result in delays and cost overruns. System testing is undertaken by the development team to determine if the software meets user requirements per specifications. Integration testing examines the units/modules as one integrated system, and unit testing examines the individual units or components of the software. System, integration and unit testing are all performed by the developers at various stages of development; the impact of failure is comparatively less for each than failure at the acceptance testing stage.

  11. An organization has an integrated development environment (IDE) on which the program libraries reside on the server, but modification/development and testing are done from PC workstations.

    Which of the following would be a strength of an IDE?

    • Controls the proliferation of multiple versions of programs
    • Expands the programming resources and aids available
    • Increases program and processing integrity
    • Prevents valid changes from being overwritten by other changes
    A strength of an IDE is that it expands the programming resources and aids available. The other choices are IDE weaknesses.

  12. Which of the following is the most important element in the design of a data warehouse?

    • Quality of the metadata
    • Speed of the transactions
    • Volatility of the data
    • Vulnerability of the system
    Quality of the metadata is the most important element in the design of a data warehouse. A data warehouse is a copy of transaction data specifically structured for query and analysis. Metadata aim to provide a table of contents to the information stored in the data warehouse. Companies that have built warehouses believe that metadata are the most important component of the warehouse.

  13. Ideally, stress testing should be carried out in a:

    • test environment using test data.
    • production environment using live workloads.
    • test environment using live workloads.
    • production environment using test data.
    Stress testing is carried out to ensure a system can cope with production workloads. A test environment should always be used to avoid damaging the production environment. Hence, testing should never take place in a production environment (choices B and D), and if only test data is used, there is no certainty that the system was stress tested adequately.

  14. Which of the following is an object-oriented technology characteristic that permits an enhanced degree of security over data?

    • Inheritance
    • Dynamic warehousing
    • Encapsulation
    • Polymorphism
    Encapsulation is a property of objects, and it prevents accessing either properties or methods that have not been previously defined as public. This means that any implementation of the behavior of an object is not accessible. An object defines a communication interface with the exterior and only that which belongs to that interface can be accessed.

  15. The phases and deliverables of a system development life cycle (SDLC) project should be determined:

    • during the initial planning stages of the project.
    • after early planning has been completed, but before work has begun.
    • throughout the work stages, based on risks and exposures.
    • only after all risks and exposures have been identified and the IS auditor has recommended appropriate controls.
    It is extremely important that the project be planned properly and that the specific phases and deliverables be identified during the early stages of the project.

  16. Which of the following is a management technique that enables organizations to develop strategically important systems faster, while reducing development costs and maintaining quality?

    • Function point analysis
    • Critical path methodology
    • Rapid application development
    • Program evaluation review technique
    Rapid application development is a management technique that enables organizations to develop strategically important systems faster, while reducing development costs and maintaining quality. The program evaluation review technique (PERT) and critical path methodology (CPM) are both planning and control techniques, while function point analysis is used for estimating the complexity of developing business applications.

  17. When implementing an application software package, which of the following presents the GREATEST risk?

    • Uncontrolled multiple software versions
    • Source programs that are not synchronized with object code
    • Incorrectly set parameters
    • Programming errors
    Parameters that are not set correctly would be the greatest concern when implementing an application software package. The other choices, though important, are a concern of the provider, not the organization that is implementing the software itself.

  18. Which of the following is an advantage of prototyping?

    • The finished system normally has strong internal controls.
    • Prototype systems can provide significant time and cost savings.
    • Change control is often less complicated with prototype systems.
    • It ensures that functions or extras are not added to the intended system.

  19. A decision support system (DSS):

    • is aimed at solving highly structured problems.
    • combines the use of models with nontraditional data access and retrieval functions.
    • emphasizes flexibility in the decision making approach of users.
    • supports only structured decision making tasks.
    DSS emphasizes flexibility in the decision making approach of users. It is aimed at solving less structured problems, combines the use of models and analytic techniques with traditional data access and retrieval functions, and supports semistructured decision making tasks.

  20. An advantage of using sanitized live transactions in test data is that:

    • all transaction types will be included.
    • every error condition is likely to be tested.
    • no special routines are required to assess the results.
    • test transactions are representative of live processing.
    Test data will be representative of live processing; however, it is unlikely that all transaction types or error conditions will be tested in this way.