Last Updated on December 13, 2021 by Admin 3

 CISA : Certified Information Systems Auditor : Part 128

  1. When should application controls be considered within the system-development process?

    • After application unit testing
    • After application module testing
    • After applications systems testing
    • As early as possible, even in the development of the project’s functional specifications

    Explanation:
    Application controls should be considered as early as possible in the system-development process, even in the development of the project’s functional specifications.

  2. What is used to develop strategically important systems faster, reduce development costs, and still maintain high quality?

    • Rapid application development (RAD)
    • GANTT
    • PERT
    • Decision trees

    Explanation:
    Rapid application development (RAD) is used to develop strategically important systems faster, reduce development costs, and still maintain high quality.

  3. Test and development environments should be separated. True or false?

    • True
    • False

    Explanation:
    Test and development environments should be separated, to control the stability of the test environment.

  4. What kind of testing should programmers perform following any changes to an application or system?

    • Unit, module, and full regression testing
    • Module testing
    • Unit testing
    • Regression testing

    Explanation:
    Programmers should perform unit, module, and full regression testing following any changes to an application or system.

  5. Which of the following uses a prototype that can be updated continually to meet changing user or business requirements?

    • PERT
    • Rapid application development (RAD)
    • Function point analysis (FPA)
    • GANTT

    Explanation:
    Rapid application development (RAD) uses a prototype that can be updated continually to meet changing user or business requirements.

  6. What is the most common reason for information systems to fail to meet the needs of users?

    • Lack of funding
    • Inadequate user participation during system requirements definition
    • Inadequate senior management participation during system requirements definition
    • Poor IT strategic planning

    Explanation:
    Inadequate user participation during system requirements definition is the most common reason for information systems to fail to meet the needs of users.

  7. Who is responsible for the overall direction, costs, and timetables for systems-development projects?

    • The project sponsor
    • The project steering committee
    • Senior management
    • The project team leader

    Explanation:
    The project steering committee is responsible for the overall direction, costs, and timetables for systems-development projects.

  8. When should plans for testing for user acceptance be prepared?

    • In the requirements definition phase of the systems-development project
    • In the feasibility phase of the systems-development project
    • In the design phase of the systems-development project
    • In the development phase of the systems-development project

    Explanation:
    Plans for testing for user acceptance are usually prepared in the requirements definition phase of the systems-development project.

  9. Above almost all other concerns, what often results in the greatest negative impact on the implementation of new application software?

    • Failing to perform user acceptance testing
    • Lack of user training for the new system
    • Lack of software documentation and run manuals
    • Insufficient unit, module, and systems testing

    Explanation:
    Above almost all other concerns, failing to perform user acceptance testing often results in the greatest negative impact on the implementation of new application software.

  10. Input/output controls should be implemented for which applications in an integrated systems environment?

    • The receiving application
    • The sending application
    • Both the sending and receiving applications
    • Output on the sending application and input on the receiving application

    Explanation:
    Input/output controls should be implemented for both the sending and receiving applications in an integrated systems environment.

  11. Authentication techniques for sending and receiving data between EDI systems are crucial to prevent which of the following?

    • Unsynchronized transactions
    • Unauthorized transactions
    • Inaccurate transactions
    • Incomplete transactions

    Explanation:
    Authentication techniques for sending and receiving data between EDI systems are crucial to prevent unauthorized transactions.

  12. After identifying potential security vulnerabilities, what should be the IS auditor’s next step?

    • To evaluate potential countermeasures and compensatory controls
    • To implement effective countermeasures and compensatory controls
    • To perform a business impact analysis of the threats that would exploit the vulnerabilities
    • To immediately advise senior management of the findings

    Explanation:
    After identifying potential security vulnerabilities, the IS auditor’s next step is to perform a business impact analysis of the threats that would exploit the vulnerabilities.

  13. What is the primary security concern for EDI environments?

    • Transaction authentication
    • Transaction completeness
    • Transaction accuracy
    • Transaction authorization

    Explanation:
    Transaction authorization is the primary security concern for EDI environments.

  14. Which of the following exploits vulnerabilities to cause loss or damage to the organization and its assets?

    • Exposures
    • Threats
    • Hazards
    • Insufficient controls

    Explanation:
    Threats exploit vulnerabilities to cause loss or damage to the organization and its assets.

  15. Business process re-engineering often results in ___________________ automation, which results in ____________ number of people using technology. Fill in the blanks.

    • Increased; a greater
    • Increased; a fewer
    • Less; a fewer
    • Increased; the same

    Explanation:
    Business process re-engineering often results in increased automation, which results in a greater number of people using technology.

  16. Whenever business processes have been re-engineered, the IS auditor attempts to identify and quantify the impact of any controls that might have been removed, or controls that might not work as effectively after business process changes. True or false?

    • True
    • False

    Explanation:
    Whenever business processes have been re-engineered, the IS auditor should attempt to identify and quantify the impact of any controls that might have been removed, or controls that might not work as effectively after business process changes.

  17. When should an application-level edit check to verify availability of funds be completed at the electronic funds transfer (EFT) interface?

    • Before transaction completion
    • Immediately after an EFT is initiated
    • During run-to-run total testing
    • Before an EFT is initiated

    Explanation:
    An application-level edit check to verify availability of funds should be completed at the electronic funds transfer (EFT) interface before an EFT is initiated.

  18. ________________ should be implemented as early as data preparation to support data integrity at the earliest point possible.

    • Control totals
    • Authentication controls
    • Parity bits
    • Authorization controls

    Explanation:
    Control totals should be implemented as early as data preparation to support data integrity at the earliest point possible.

  19. What is used as a control to detect loss, corruption, or duplication of data?

    • Redundancy check
    • Reasonableness check
    • Hash totals
    • Hash totals

    Explanation:
    Hash totals are used as a control to detect loss, corruption, or duplication of data.

  20. Data edits are implemented before processing and are considered which of the following?

    • Deterrent integrity controls
    • Detective integrity controls
    • Corrective integrity controls
    • Preventative integrity controls

    Explanation:
    Data edits are implemented before processing and are considered preventive integrity controls.