CISA : Certified Information Systems Auditor : Part 147

  1. An IS auditor’s PRIMARY concern when application developers wish to use a copy of yesterday’s production transaction file for volume tests is that:

    • users may prefer to use contrived data for testing.
    • unauthorized access to sensitive data may result.
    • error handling and credibility checks may not be fully proven.
    • the full functionality of the new process may not necessarily be tested.

    Unless the data are sanitized, there is a risk of disclosing sensitive data.

  2. Which of the following is the PRIMARY purpose for conducting parallel testing?

    • To determine if the system is cost-effective
    • To enable comprehensive unit and system testing
    • To highlight errors in the program interfaces with files
    • To ensure the new system meets user requirements
    The purpose of parallel testing is to ensure that the implementation of a new system will meet user requirements. Parallel testing may show that the old system is, in fact, better than the new system, but this is not the primary reason. Unit and system are completed before parallel testing. Program interfaces with files are tested for errors during system testing. 
  3. The knowledge base of an expert system that uses questionnaires to lead the user through a series of choices before a conclusion is reached is known as:

    • rules.
    • decision trees.
    • semantic nets.
    • dataflow diagrams.
    Decision trees use questionnaires to lead a user through a series of choices until a conclusion is reached. Rules refer to the expression of declarative knowledge through the use of if-then relationships. Semantic nets consist of a graph in which nodes represent physical or conceptual objects and the arcs describe the relationship between the nodes. Semantic nets resemble a dataflow diagram and make use of an inheritance mechanism to prevent duplication of data.
  4. An advantage in using a bottom-up vs. a top-down approach to software testing is that:

    • interface errors are detected earlier.
    • confidence in the system is achieved earlier.
    • errors in critical modules are detected earlier.
    • major functions and processing are tested earlier.
    The bottom-up approach to software testing begins with the testing of atomic units, such as programs and modules, and works upward until a complete system testing has taken place. The advantages of using a bottom-up approach to software testing are the fact that there is no need for stubs or drivers and errors in critical modules are found earlier. The other choices in this question all refer to advantages of a top-down approach, which follows the opposite path, either in depth-first or breadth-first search order.
  5. During which of the following phases in system development would user acceptance test plans normally be prepared?

    • Feasibility study
    • Requirements definition
    • implementation planning
    • Postimplementation review
    During requirements definition, the project team will be working with the users to define their precise objectives and functional needs. At this time, the users should be working with the team to consider and document hot the system functionality can be tested ensure it meets their stated needs. The feasibility study is too early for such detailed user involvement, and the implementation planning and postimplementation review phases are too late. An IS auditor should know at what point user testing should be planned to ensure it is most effective and efficient.
  6. The use of object-oriented design and development techniques would MOST likely:

    • facilitate the ability to reuse modules.
    • improve system performance.
    • enhance control effectiveness.
    • speed up the system development life cycle.
    One of the major benefits of object-oriented design and development is the ability to reuse modules. The other options do not normally benefit from the object-oriented technique.
  7. Which of the following should be included in a feasibility study for a project to implement an EDI process?

    • The encryption algorithm format
    • The detailed internal control procedures
    • The necessary communication protocols
    • The proposed trusted third-party agreement
    Encryption algorithms, third-party agreements and internal control procedures are too detailed for this phase. They would only be outlined and any cost or performance implications shown. The communications protocols must be included, as there may be significant cost implications if new hardware and software are involved, and risk implications if the technology is new to the organization.
  8. When a new system is to be implemented within a short time frame, it is MOST important to:

    • finish writing user manuals.
    • perform user acceptance testing.
    • add last-minute enhancements to functionalities.
    • ensure that the code has been documented and reviewed.
    It would be most important to complete the user acceptance testing to ensure that the system to be implemented is working correctly. The completion of the user manuals is similar to the performance of code reviews. If time is tight, the last thing one would want to do is add another enhancement, as it would be necessary to freeze the code and complete the testing, then make any other changes as future enhancements. It would be appropriate to have the code documented and reviewed, but unless the acceptance testing is completed, there is no guarantee that the system will work correctly and meet user requirement. 
  9. An organization has contracted with a vendor for a turnkey solution for their electronic toll collection system (ETCS). The vendor has provided its proprietary application software as part of the solution. The contract should require that:

    • a backup server be available to run ETCS operations with up-to-date data.
    • a backup server be loaded with all the relevant software and data.
    • the systems staff of the organization be trained to handle any event.
    • source code of the ETCS application be placed in escrow.
    Whenever proprietary application software is purchased, the contract should provide for a source code agreement. This will ensure that the purchasing company will have the opportunity to modify the software should the vendor cease to be in business. Having a backup server with current data and staff training is critical but not as critical as ensuring the availability of the source code.
  10. The MOST likely explanation for the use of applets in an Internet application is that:

    • it is sent over the network from the server.
    • the server does not run the program and the output is not sent over the network.
    • they improve the performance of the web server and network.
    • it is a JAVA program downloaded through the web browser and executed by the web server of the client machine.
    An applet is a JAVA program that is sent over the network from the web server, through a web browser and to the client machine; the code is then run on the machine. Since the server does not run the program and the output is not sent over the network, the performance on the web server and network-over which the server and client are connected-drastically improves through the use of applets. Performance improvement is more important than the reasons offered in choices A and B. Since JAVA virtual machine (JVM) is embedded in most web browsers, the applet download through the web browser runs on the client machine from the web browser, not from the web server, making choice D incorrect.
  11. Which of the following systems or tools can recognize that a credit card transaction is more likely to have resulted from a stolen credit card than from the holder of the credit card?

    • Intrusion detection systems
    • Data mining techniques
    • Firewalls
    • Packet filtering routers
    Data mining is a technique used to detect trends or patterns of transactions or data. If the historical pattern of charges against a credit card account is changed, then it is a flag that the transaction may have resulted from a fraudulent use of the card.
  12. Functionality is a characteristic associated with evaluating the quality of software products throughout their life cycle, and is BEST described as the set of attributes that bear on the:

    • existence of a set of functions and their specified properties.
    • ability of the software to be transferred from one environment to another.
    • capability of software to maintain its level of performance under stated conditions.
    • relationship between the performance of the software and the amount of resources used.
    Functionality is the set of attributes that bears on the existence of a set of functions and their specified properties. The functions are those that satisfy stated or implied needs. Choice B refers to portability; choice C refers to reliability and choice D refers to efficiency.
  13. During the development of an application, the quality assurance testing and user acceptance testing were combined. The MAJOR concern for an IS auditor reviewing the project is that there will be:

    • increased maintenance.
    • improper documentation of testing.
    • inadequate functional testing.
    • delays in problem resolution.
    The major risk of combining quality assurance testing and user acceptance testing is that functional testing may be inadequate. Choices A, B and D are not as important. 
  14. The GREATEST advantage of rapid application development (RAD) over the traditional system development life cycle (SDLC) is that it:

    • facilitates user involvement.
    • allows early testing of technical features.
    • facilitates conversion to the new system.
    • shortens the development time frame.
    The greatest advantage of RAD is the shorter time frame for the development of a system. Choices A and B are true, but they are also true for the traditional systems development life cycle. Choice C is not necessarily always true.
  15. An IS auditor reviewing a proposed application software acquisition should ensure that the:

    • operating system (OS) being used is compatible with the existing hardware platform.
    • planned OS updates have been scheduled to minimize negative impacts on company needs.
    • OS has the latest versions and updates.
    • products are compatible with the current or planned OS.
    Choices A, B and C are incorrect because none of them are related to the area being audited. In reviewing the proposed application, the auditor should ensure that the products to be purchased are compatible with the current or planned OS. Regarding choice, A, if the OS is currently being used, it is compatible with the existing hardware platform, because if it is not it would not operate properly. In choice B, the planned OS updates should be scheduled to minimize negative impacts on the organization. For choice C, the installed OS should be equipped with the most recent versions and updates (with sufficient history and stability).
  16. The GREATEST benefit in implementing an expert system is the:

    • capturing of the knowledge and experience of individuals in an organization.
    • sharing of knowledge in a central repository.
    • enhancement of personnel productivity and performance.
    • reduction of employee turnover in key departments.
    The basis for an expert system is the capture and recording of the knowledge and experience of individuals in an organization. Coding and entering the knowledge in a central repository, shareable within the enterprise, is a means of facilitating the expert system. Enhancing personnel productivity and performance is a benefit; however, it is not as important as capturing the knowledge and experience. Employee turnover is not necessarily affected by an expert system. 
  17. By evaluating application development projects against the capability maturity model (CMM), an IS auditor should be able to verify that:

    • reliable products are guaranteed.
    • programmers’ efficiency is improved.
    • security requirements are designed.
    • predictable software processes are followed.
    By evaluating the organization’s development projects against the CMM, an IS auditor determines whether the development organization follows a stable, predictable software process. Although the likelihood of success should increase as the software processes mature toward the optimizing level, mature processes do not guarantee a reliable product. CMM does not evaluate technical processes such as programming nor does it evaluate security requirements or other application controls.
  18. The waterfall life cycle model of software development is most appropriately used when:

    • requirements are well understood and are expected to remain stable, as is the business environment in which the system will operate.
    • requirements are well understood and the project is subject to time pressures.
    • the project intends to apply an object-oriented design and programming approach.
    • the project will involve the use of new technology.
    Historically, the waterfall model has been best suited to the stable conditions described in choice
    A. When the degree of uncertainty of the system to be delivered and the conditions in which it will be used rises, the waterfall model has not been successful, in these circumstances, the various forms of iterative development life cycle gives the advantage of breaking down the scope of the overall system to be delivered, making the requirements gathering and design activities more manageable. The ability to deliver working software earlier also acts to alleviate uncertainty and may allow an earlier realization of benefits. The choice of a design and programming approach is not itself a determining factor of the type of software development life cycle that is appropriate. The use of new technology in a project introduces a significant element of risk. An iterative form of development, particularly one of the agile methods that focuses on early development of actual working software, is likely to be the better option to manage this uncertainty.
  19. Which of the following is MOST critical when creating data for testing the logic in a new or modified application system?

    • A sufficient quantity of data for each test case
    • Data representing conditions that are expected in actual processing
    • Completing the test on schedule
    • A random sample of actual data
    Selecting the right kind of data is key in testing a computer system. The data should not only include valid and invalid data but should be representative of actual processing; quality is more important than quantity. It is more important to have adequate test data than to complete the testing on schedule. It is unlikely that a random sample of actual data would cover all test conditions and provide a reasonable representation of actual data.
  20. During the review of a web-based software development project, an IS auditor realizes that coding standards are not enforced and code reviews are rarely carried out. This will MOST likely increase the likelihood of a successful:

    • buffer overflow.
    • brute force attack.
    • distributed denial-of-service attack.
    • war dialing attack.
    Poorly written code, especially in web-based applications, is often exploited by hackers using buffer overflow techniques. A brute force attack is used to crack passwords. A distributed denial- of-service attack floods its target with numerous packets, to prevent it from responding to legitimate requests. War dialing uses modem-scanning tools to hack PBXs.