Last Updated on December 13, 2021 by Admin 3

 CISA : Certified Information Systems Auditor : Part 145

  1. An IS auditor invited to a development project meeting notes that no project risks have been documented. When the IS auditor raises this issue, the project manager responds that it is too early to identify risks and that, if risks do start impacting the project, a risk manager will be hired. The appropriate response of the IS auditor would be to:

    • stress the importance of spending time at this point in the project to consider and document risks, and to develop contingency plans.
    • accept the project manager’s position as the project manager is accountable for the outcome of the project.
    • offer to work with the risk manager when one is appointed.
    • inform the project manager that the IS auditor will conduct a review of the risks at the completion of the requirements definition phase of the project.


    The majority of project risks can typically be identified before a project begins, allowing mitigation/avoidance plans to be put in place to deal with the risks. A project should have a clear link back to corporate strategy and tactical plans to support this strategy. The process of setting corporate strategy, setting objectives and developing tactical plans should include the consideration of risks. Appointing a risk manager is a good practice, but waiting until the project has been impacted by risks is misguided. Risk management needs to be forward-looking; allowing risks to evolve into issues that adversely impact the project represents a failure of risk management. With or without a risk manager, persons within and outside of the project team need to be consulted and encouraged to comment when they believe new risks have emerged or risk priorities have changed. The IS auditor has an obligation to the project sponsor and the organization to advise on appropriate project management practices. Waiting for the possible appointment of a risk manager represents an unnecessary and dangerous delay to implementing risk management.

  2. While evaluating software development practices in an organization, an IS auditor notes that the quality assurance (QA) function reports to project management. The MOST important concern for an IS auditor is the:

    • effectiveness of the QA function because it should interact between project management and user management
    • efficiency of the QA function because it should interact with the project implementation team.
    • effectiveness of the project manager because the project manager should interact with the QA function.
    • efficiency of the project manager because the QA function will need to communicate with the project implementation team.
    To be effective, the quality assurance (QA) function should be independent of project management. The QA function should never interact with the project implementation team, since this can impact effectiveness. The project manager does not interact with the QA function, which should not impact the effectiveness of the project manager. The QA function does not interact with the project implementation team, which should not impact the efficiency of the project manager.
  3. When reviewing a project where quality is a major concern, an IS auditor should use the project management triangle to explain that:

    • increases in quality can be achieved, even if resource allocation is decreased.
    • increases in quality are only achieved if resource allocation is increased.
    • decreases in delivery time can be achieved, even if resource allocation is decreased.
    • decreases in delivery time can only be achieved if quality is decreased.
    The three primary dimensions of a project are determined by the deliverables, the allocated resources and the delivery time. The area of the project management triangle, made up of these three dimensions, is fixed. Depending on the degree of freedom, changes in one dimension might be compensated by changing either one or both of the remaining dimensions. Thus, if resource allocation is decreased, an increase in quality can still be achieved if a delay in the delivery time of the project is accepted. The area of the triangle always remains constant.
  4. An IS auditor is assigned to audit a software development project which is more than 80 percent complete, but has already overrun time by 10 percent and costs by 25 percent. Which of the following actions should the IS auditor take?

    • Report that the organization does not have effective project management.
    • Recommend the project manager be changed.
    • Review the IT governance structure.
    • Review the conduct of the project and the business case.
    Before making any recommendations, an IS auditor needs to understand the project and the factors that have contributed to making the project over budget and over schedule. The organization may have effective project management practices and sound IT governance and still be behind schedule or over budget. There is no indication that the project manager should be changed without looking into the reasons for the overrun.
  5. Which of the following should an IS auditor review to understand project progress in terms of time, budget and deliverables for early detection of possible overruns and for projecting estimates at completion (EACs)?

    • Function point analysis
    • Earned value analysis
    • Cost budget
    • Program Evaluation and Review Technique
    Earned value analysis (EVA) is an industry standard method for measuring a project’s progress at any given point in time, forecasting its completion date and final cost, and analyzing variances in the schedule and budget as the project proceeds. It compares the planned amount of work with what has actually been completed, to determine if the cost, schedule and work accomplished are progressing in accordance with the plan. EVA works most effectively if a well-formed work breakdown structure exists. Function point analysis (FPA) is an indirect measure of software size and complexity and, therefore, does not address the elements of time and budget. Cost budgets do not address time. PERT aids in time and deliverables management, but lacks projections for estimates at completion (EACs) and overall financial management.
  6. When reviewing an active project, an IS auditor observed that, because of a reduction in anticipated benefits and increased costs, the business case was no longer valid. The IS auditor should recommend that the:

    • project be discontinued.
    • business case be updated and possible corrective actions be identified.
    • project be returned to the project sponsor for reapproval.
    • project be completed and the business case be updated later.
     An IS auditor should not recommend discontinuing or completing the project before reviewing an updated business case. The IS auditor should recommend that the business case be kept current throughout the project since it is a key input to decisions made throughout the life of any project.
  7. An organization is implementing an enterprise resource planning (ERP) application to meet its business objectives. Of the following, who is PRIMARILY responsible for overseeing the project in order to ensure that it is progressing in accordance with the project plan and that it will deliver the expected results?

    • Project sponsor
    • System development project team (SDPT)
    • Project steering committee
    • User project team (UPT)
    A project steering committee that provides an overall direction for the enterprise resource planning (ERP) implementation project is responsible for reviewing the project’s progress to ensure that it will deliver the expected results. A project sponsor is typically the senior manager in charge of the primary business unit that the application will support. The sponsor provides funding for the project and works closely with the project manager to define the critical success factors or metrics for the project. The project sponsor is not responsible for reviewing the progress of the project. A system development project team (SDPT) completes the assigned tasks, works according to the instructions of the project manager and communicates with the user project team. The SDPT is not responsible for reviewing the progress of the project. A user project team (UPT) completes the assigned tasks, communicates effectively with the system development team and works according to the advice of the project manager. A UPT is not responsible for reviewing the progress of the project.
  8. A legacy payroll application is migrated to a new application. Which of the following stakeholders should be PRIMARILY responsible for reviewing and signing-off on the accuracy and completeness of the data before going live?

    • IS auditor
    • Database administrator
    • Project manager
    • Data owner
    During the data conversion stage of a project, the data owner is primarily responsible for reviewing and signing-off that the data are migrated completely, accurately and are valid. An IS auditor is not responsible for reviewing and signing-off on the accuracy of the converted data. However, an IS auditor should ensure that there is a review and sign-off by the data owner during the data conversion stage of the project. A database administrator’s primary responsibility is to maintain the integrity of the database and make the database available to users. A database administrator is not responsible for reviewing migrated data. A project manager provides day-to-day management and leadership of the project, but is not responsible for the accuracy and integrity of the data.
  9. A project manager of a project that is scheduled to take 18 months to complete announces that the project is in a healthy financial position because, after 6 months, only one-sixth of the budget has been spent. The IS auditor should FIRST determine:

    • what amount of progress against schedule has been achieved.
    • if the project budget can be reduced.
    • if the project could be brought in ahead of schedule.
    • if the budget savings can be applied to increase the project scope.
    Cost performance of a project cannot be properly assessed in isolation from schedule performance. Cost cannot be assessed simply in terms of elapsed time on a project. To properly assess the project budget position, it is necessary to know how much progress has actually been made and, given this, what level of expenditure would be expected. It is possible that project expenditure appears to be low because actual progress has been slow. Until the analysis of progress against schedule has been completed, it is impossible to know whether there is any reason to reduce the budget. If the project has slipped behind schedule, then not only may there be no spare budget, but extra expenditure may be needed to retrieve the slippage. The low expenditure could actually be representative of a situation where the project is likely to miss deadlines rather than potentially come in ahead of time. If the project is found to be ahead of budget after adjusting for actual progress, this is not necessarily a good outcome because it points to flaws in the original budgeting process; and, as said above, until further analysis is undertaken, it cannot be determined whether any spare funds actually exist. Further, if the project is behind schedule, then adding scope may be the wrong thing to do.
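    As an added worked example (not part of the original question bank), the earned value analysis referred to in question 5, applied to the question 9 scenario: the total budget, the linear spend plan and the two alternative progress readings are constructed assumptions, chosen to show why "one-sixth of the budget spent after six months" says nothing on its own.

```python
"""Earned value analysis (EVA) on constructed project figures.

Assumption: a linear spend plan, so planned value (PV) at month m is BAC * m / duration.
All figures are constructed for illustration, not taken from a real project.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class StatusReport:
    bac: int             # budget at completion: total approved budget (currency units)
    planned_months: int  # approved schedule length
    month: int           # months elapsed at the reporting date
    pct_complete: int    # share of total work actually finished, 0-100
    actual_cost: int     # money actually spent to date (AC)


def earned_value(r: StatusReport) -> dict:
    """Compute the standard EVA indicators for one status report."""
    pv = r.bac * r.month // r.planned_months   # planned value: budgeted cost of work scheduled so far
    ev = r.bac * r.pct_complete // 100         # earned value: budgeted cost of work actually done
    ac = r.actual_cost
    if ac == 0 or pv == 0:
        raise ValueError("EVA needs non-zero actual cost and planned value")
    cpi = ev / ac                              # cost performance index: value earned per unit spent
    spi = ev / pv                              # schedule performance index: work done vs. work planned
    return {
        "BAC": r.bac, "PV": pv, "EV": ev, "AC": ac,
        "CV": ev - ac,                         # cost variance (negative = over budget so far)
        "SV": ev - pv,                         # schedule variance (negative = behind plan)
        "CPI": cpi, "SPI": spi,
        # estimate at completion, assuming the cost efficiency seen so far continues
        "EAC": round(r.bac / cpi),
        # projected total duration, assuming the schedule efficiency seen so far continues
        "est_months": round(r.planned_months / spi, 1),
    }


def verdict(ind: dict) -> str:
    """One-line reading of the indicators, as an auditor would report them."""
    sched = "behind schedule" if ind["SPI"] < 1 else "on or ahead of schedule"
    cost = "over budget" if ind["CPI"] < 1 else "on or under budget"
    return (f"{sched} (SPI {ind['SPI']:.2f}), {cost} (CPI {ind['CPI']:.2f}); "
            f"EAC {ind['EAC']:,} vs BAC {ind['BAC']:,}")


# Question 9 scenario with constructed numbers: 18-month project, budget 1,800,000,
# month 6, one-sixth of the budget (300,000) spent. Only the progress achieved differs.
SLOW = StatusReport(bac=1_800_000, planned_months=18, month=6, pct_complete=10, actual_cost=300_000)
FAST = StatusReport(bac=1_800_000, planned_months=18, month=6, pct_complete=40, actual_cost=300_000)

if __name__ == "__main__":
    for name, report in (("10% complete", SLOW), ("40% complete", FAST)):
        print(f"{name}: {verdict(earned_value(report))}")
```

    With 10 percent of the work done, the "healthy" project is forecast to cost 3,000,000 and run 60 months; with 40 percent done it is ahead on both counts, which, as the explanation above notes, points to a flawed original budget rather than to spare funds.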
  10. A manager of a project was not able to implement all audit recommendations by the target date. The IS auditor should:

    • recommend that the project be halted until the issues are resolved.
    • recommend that compensating controls be implemented.
    • evaluate risks associated with the unresolved issues.
    • recommend that the project manager reallocate test resources to resolve the issues.
    It is important to evaluate what the exposure would be when audit recommendations have not been completed by the target date. Based on the evaluation, management can accordingly consider compensating controls, risk acceptance, etc. All other choices might be appropriate only after the risks have been assessed.
  11. Which of the following techniques would BEST help an IS auditor gain reasonable assurance that a project can meet its target date?

    • Estimation of the actual end date based on the completion percentages and estimated time to complete, taken from status reports
    • Confirmation of the target date based on interviews with experienced managers and staff involved in the completion of the project deliverables.
    • Extrapolation of the overall end date based on completed work packages and current resources
    • Calculation of the expected end date based on current resources and remaining available project budget
    Direct observation of results is better than estimations and qualitative information gained from interviews or status reports. Project managers and involved staff tend to underestimate the time needed for completion and the necessary time buffers for dependencies between tasks, while overestimating the completion percentage for tasks underway (80:20 rule). The calculation based on remaining budget does not take into account the speed at which the project has been progressing.
  12. Which of the following situations would increase the likelihood of fraud?

    • Application programmers are implementing changes to production programs.
    • Application programmers are implementing changes to test programs.
    • Operations support staff are implementing changes to batch schedules.
    • Database administrators are implementing changes to data structures.
    Production programs are used for processing an enterprise’s data. It is imperative that controls on changes to production programs are stringent. Lack of control in this area could result in application programs being modified to manipulate the data. Application programmers are required to implement changes to test programs. These are used only in development and do not directly impact the live processing of data. The implementation of changes to batch schedules by operations support staff will affect the scheduling of the batches only; it does not impact the live data. Database administrators are required to implement changes to data structures. This is required for reorganization of the database to allow for additions, modifications or deletions of fields or tables in the database.
  13. The purpose of a checksum on an amount field in an electronic data interchange (EDI) communication of financial transactions is to ensure:

    • integrity.
    • authenticity.
    • authorization.
    • nonrepudiation.
    A checksum calculated on an amount field and included in the EDI communication can be used to identify unauthorized modifications. Authenticity and authorization cannot be established by a checksum alone and need other controls. Nonrepudiation can be ensured by using digital signatures.
  14. Before implementing controls, management should FIRST ensure that the controls:

    • satisfy a requirement in addressing a risk issue.
    • do not reduce productivity.
    • are based on a cost-benefit analysis.
    • are detective or corrective.
    When designing controls, it is necessary to consider all the above aspects. In an ideal situation, controls that address all these aspects would be the best controls. Realistically, it may not be possible to design them all and cost may be prohibitive; therefore, it is necessary to first consider the preventive controls that attack the cause of a threat.
  15. Information for detecting unauthorized input from a terminal would be BEST provided by the:

    • console log printout.
    • transaction journal.
    • automated suspense file listing.
    • user error report.
    The transaction journal would record all transaction activity, which then could be compared to the authorized source documents to identify any unauthorized input. A console log printout is not the best, because it would not record activity from a specific terminal. An automated suspense file listing would only list transaction activity where an edit error occurred, while the user error report would only list input that resulted in an edit error.
  16. The editing/validation of data entered at a remote site would be performed MOST effectively at the:

    • central processing site after running the application system.
    • central processing site during the running of the application system.
    • remote processing site after transmission of the data to the central processing site.
    • remote processing site prior to transmission of the data to the central processing site.
    It is important that the data entered from a remote site is edited and validated prior to transmission to the central processing site.
  17. To reduce the possibility of losing data during processing, the FIRST point at which control totals should be implemented is:

    • during data preparation.
    • in transit to the computer.
    • between related computer runs.
    • during the return of the data to the user department.
    During data preparation is the best answer, because it establishes control at the earliest point.
  18. Functional acknowledgements are used:

    • as an audit trail for EDI transactions.
    • to functionally describe the IS department.
    • to document user roles and responsibilities.
    • as a functional description of application software.
    Functional acknowledgements are standard EDI transactions that tell trading partners that their electronic documents were received. Different types of functional acknowledgments provide various levels of detail and, therefore, can act as an audit trail for EDI transactions. The other choices are not relevant to the description of functional acknowledgements.
  19. A proposed transaction processing application will have many data capture sources and outputs in paper and electronic form. To ensure that transactions are not lost during processing, an IS auditor should recommend the inclusion of:

    • validation controls.
    • internal credibility checks.
    • clerical control procedures.
    • automated systems balancing.
    Automated systems balancing would be the best way to ensure that no transactions are lost as any imbalance between total inputs and total outputs would be reported for investigation and correction. Validation controls and internal credibility checks are certainly valid controls, but will not detect and report lost transactions. In addition, although a clerical procedure could be used to summarize and compare inputs and outputs, an automated process is less susceptible to error.
  20. What process uses test data as part of a comprehensive test of program controls in a continuous online manner?

    • Test data/deck
    • Base-case system evaluation
    • Integrated test facility (ITF)
    • Parallel simulation
    A base-case system evaluation uses test data sets developed as part of comprehensive testing programs; it is used to verify correct systems operations before acceptance, as well as for periodic validation. Test data/deck simulates transactions through real programs. An ITF creates fictitious files in the database with test transactions processed simultaneously with live input. Parallel simulation is the production of data processed using computer programs that simulate application program logic.