Last Updated on December 13, 2021 by Admin 3

 CISA : Certified Information Systems Auditor : Part 148

  1. Which testing approach is MOST appropriate to ensure that internal application interface errors are identified as soon as possible?

    • Bottom up
    • Sociability testing
    • Top-down
    • System test

    The top-down approach to testing ensures that interface errors are detected early and that testing of major functions is conducted early. A bottom-up approach to testing begins with atomic units, such as programs and modules, and works upward until a complete system test has taken place. Sociability testing and system tests take place at a later stage in the development process.

  2. During the requirements definition phase of a software development project, the aspects of software testing that should be addressed are developing:

    • test data covering critical applications.
    • detailed test plans.
    • quality assurance test specifications.
    • user acceptance testing specifications
     A key objective in any software development project is to ensure that the developed software will meet the business objectives and the requirements of the user. The users should be involved in the requirements definition phase of a development project and user acceptance test specification should be developed during this phase. The other choices are generally performed during the system testing phase.
  3. Which of the following is an advantage of the top-down approach to software testing?

    • Interface errors are identified early
    • Testing can be started before all programs are complete
    • it is more effective than other testing approaches
    • Errors in critical modules are detected sooner
    The advantage of the top-down approach is that tests of major functions are conducted early, thus enabling the detection of interface errors sooner. The most effective testing approach is dependent on the environment being tested. Choices B and D are advantages of the bottom-up approach to system testing.
  4. During the system testing phase of an application development project the IS auditor should review the:

    • conceptual design specifications.
    • vendor contract.
    • error reports.
    • program change requests.
    Testing is crucial in determining that user requirements have been validated. The IS auditor should be involved in this phase and review error reports for their precision in recognizing erroneous data and review the procedures for resolving errors. A conceptual design specification is a document prepared during the requirements definition phase. A vendor contract is prepared during a software acquisition process. Program change requests would normally be reviewed as a part of the postimplementation phase.
  5. Which of the following would be the MOST cost-effective recommendation for reducing the number of defects encountered during software development projects?

    • increase the time allocated for system testing
    • implement formal software inspections
    • increase the development staff
    • Require the sign-off of all project deliverables
    inspections of code and design are a proven software quality technique. An advantage of this approach is that defects are identified before they propagate through the development life cycle. This reduces the cost of correction as less rework is involved. Allowing more time for testing may discover more defects; however, little is revealed as to why the quality problems are occurring and the cost of the extra testing, and the cost of rectifying the defects found will be greater than if they had been discovered earlier in the development process. The ability of the development staff can have a bearing on the quality of what is produced; however, replacing staff can be expensive and disruptive, and the presence of a competent staff cannot guarantee quality in the absence of effective quality management processes. Sign-off of deliverables may help detect defects if signatories are diligent about reviewing deliverable content; however, this is difficult to enforce.
    Deliverable reviews normally do not go down to the same level of detail as software inspections.
  6. Which of the following is a prevalent risk in the development of end-user computing (EUC) applications?

    • Applications may not be subject to testing and IT general controls
    • increased development and maintenance costs
    • increased application development time
    • Decision-making may be impaired due to diminished responsiveness to requests for information
    End-user developed applications may not be subjected to an independent outside review by systems analysts and frequently are not created in the context of a formal development methodology. These applications may lack appropriate standards, controls, quality assurance procedures, and documentation. A risk of end-user applications is that management may rely on them as much as traditional applications. End-user computing (EUC) systems typically result in reduced application development and maintenance costs, and a reduced development cycle time. EUC systems normally increase flexibility and responsiveness to management’s information requests.
  7. Normally, it would be essential to involve which of the following stakeholders in the initiation stage of a project?

    • System owners
    • System users
    • System designers
    • System builders
    System owners are the information systems (project) sponsors or chief advocates. They normally are responsible for initiating and funding projects to develop, operate and maintain information systems. System users are the individuals who use or are affected by the information system.
    Their requirements are crucial in the testing stage of a project. System designers translate business requirements and constraints into technical solutions. System builders construct the system based on the specifications from the systems designers. In most cases, the designers and builders are one and the same.
  8. The MAJOR advantage of a component-based development approach is the:

    • ability to manage an unrestricted variety of data types.
    • provision for modeling complex relationships.
    • capacity to meet the demands of a changing environment.
    • support of multiple development environments.
    Components written in one language can interact with components written in other languages or running on other machines, which can increase the speed of development. Software developers can then focus on business logic. The other choices are not the most significant advantages of a component-based development approach.
  9. The specific advantage of white box testing is that it:

    • verifies a program can operate successfully with other parts of the system.
    • ensures a program’s functional operating effectiveness without regard to the internal program structure.
    • determines procedural accuracy or conditions of a program’s specific logic paths.
    • examines a program’s functionality by executing it in a tightly controlled or virtual environment with restricted access to the host system.
    White box testing assesses the effectiveness of software program logic. Specifically, test data are used in determining procedural accuracy or conditions of a program’s logic paths. Verifying the program can operate successfully with other parts of the system is sociability testing. Testing the program’s functionality without knowledge of internal structures is black box testing. Controlled testing of programs in a semi-debugged environment, either heavily controlled step-by-step or via monitoring in virtual machines, is sand box testing.
  10. Following best practices, formal plans for implementation of new information systems are developed during the:

    • development phase.
    • design phase.
    • testing phase.
    • deployment phase.
    Planning for implementation should begin well in advance of the actual implementation date. A formal implementation plan should be constructed in the design phase and revised as the development progresses.
  11. An IS auditor is reviewing a project that is using an Agile software development approach. Which of the following should the IS auditor expect to find?

    • Use a process-based maturity model such as the capability maturity model (CMM)
    • Regular monitoring of task-level progress against schedule
    • Extensive use of software development tools to maximize team productivity
    • Postiteration reviews that identify lessons learned for future use in the project
    A key tenet of the Agile approach to software project management is team learning and the use of team learning to refine project management and software development processes as the project progresses. One of the best ways to achieve this is that, at the end of each iteration, the team considers and documents what worked well and what could have worked better, and identifies improvements to be implemented in subsequent iterations. CMM and Agile really sit at opposite poles. CMM places heavy emphasis on predefined formal processes and formal project management and software development deliverables. Agile projects, by contrast, rely on refinement of process as dictated by the particular needs of the project and team dynamics.
    Additionally, less importance is placed on formal paper- based deliverables, with the preference being effective informal communication within the team and with key outside contributors. Agile projects produce releasable software in short iterations, typically ranging from 4 to 8 weeks. This, in itself, instills considerable performance discipline within the team. This, combined with short daily meetings to agree on what the team is doing and the identification of any impediments, renders task-level tracking against a schedule redundant. Agile projects do make use of suitable development tools; however, tools are not seen as the primary means of achieving productivity. Team harmony, effective communications and collective ability to solve challenges are of greater importance.
  12. An IS auditor finds that user acceptance testing of a new system is being repeatedly interrupted as defect fixes are implemented by developers. Which of the following would be the BEST recommendation for an IS auditor to make?

    • Consider feasibility of a separate user acceptance environment
    • Schedule user testing to occur at a given time each day
    • implement a source code version control tool
    • Only retest high priority defects
    A separate environment or environments is normally necessary for testing to be efficient and effective, and to ensure the integrity of production code, it is important that the development and testing code base be separate. When defects are identified they can be fixed in the development environment, without interrupting testing, before being migrated in a controlled manner to the test environment. A separate test environment can also be used as the final staging area from which code is migrated to production. This enforces a separation between development and production code. The logistics of setting up and refreshing customized test data is easier if a separate environment is maintained. If developers and testers are sharing the same environment, they have to work effectively at separate times of the day. It is unlikely that this would provide optimum productivity. Use of a source code control tool is a good practice, but it does not properly mitigate the lack of an appropriate testing environment. Even low priority fixes run the risk of introducing unintended results when combined with the rest of the system code. To prevent this, regular regression testing covering all code changes should occur. A separate test environment makes the logistics of regression testing easier to manage.
  13. Which of the following types of testing would determine whether a new or modifies system can operate in its target environment without adversely impacting other existing systems?

    • Parallel testing
    • Pilot testing
    • Interface/integration testing
    • Sociability testing
    The purpose of sociability testing is to confirm that a new or modified system can operate in its target environment without adversely impacting existing systems. This should cover the platform that will perform primary application processing and interfaces with other systems, as well as changes to the desktop in a client-server or web development. Parallel testing is the process of feeding data into two systems-the modified system and an alternate system- and comparing the results. In this approach, the old and new systems operate concurrently for a period of time and perform the same processing functions. Pilot testing takes place first at one location and is then extended to other locations. The purpose is to see if the new system operates satisfactorily in one place before implementing it at other locations. Interface/integration testing is a hardware or software test that evaluates the connection of two or more components that pass information from one area to another. The objective is to take unit-tested modules and build an integrated structure.
  14. At the end of the testing phase of software development, an IS auditor observes that an intermittent software error has not been corrected. No action has been taken to resolve the error. The IS auditor should:

    • report the error as a finding and leave further exploration to the auditee’s discretion.
    • attempt to resolve the error.
    • recommend that problem resolution be escalated.
    • ignore the error, as it is not possible to get objective evidence for the software error.
    When an IS auditor observes such conditions, it is best to fully apprise the auditee and suggest that further problem resolutions be attempted. Recording it as a minor error and leaving it to the auditee’s discretion would be inappropriate, and neglecting the error would indicate that the auditor has not taken steps to further probe the issue to its logical end.
  15. Which of the following is an implementation risk within the process of decision support systems?

    • Management control
    • Semistructured dimensions
    • inability to specify purpose and usage patterns
    • Changes in decision processes
    The inability to specify purpose and usage patterns is a risk that developers need to anticipate while implementing a decision support system (DSS). Choices A, B and D are not risks, but characteristics of a DDS. 
  16. An organization is implementing a new system to replace a legacy system. Which of the following conversion practices creates the GREATEST risk?

    • Pilot
    • Parallel
    • Direct cutover
    • Phased
    Direct cutover implies switching to the new system immediately, usually without the ability to revert to the old system in the event of problems. All other alternatives are done gradually and thus provide greater recoverability and are therefore less risky.
  17. Which of the following system and data conversion strategies provides the GREATEST redundancy?

    • Direct cutover
    • Pilot study
    • Phased approach
    • Parallel run
    Parallel runs are the safest-though the most expensive-approach, because both the old and new systems are run, thus incurring what might appear to be double costs. Direct cutover is actually quite risky, since it does not provide for a ‘shake down period’ nor does it provide an easy fallback option. Both a pilot study and a phased approach are performed incrementally, making rollback procedures difficult to execute.
  18. Which of the following would impair the independence of a quality assurance team?

    • Ensuring compliance with development methods
    • Checking the testing assumptions
    • Correcting coding errors during the testing process
    • Checking the code to ensure proper documentation
    Correction of code should not be a responsibility of the quality assurance team as it would not ensure segregation of duties and would impair the team’s independence. The other choices are valid quality assurance functions.
  19. From a risk management point of view, the BEST approach when implementing a large and complex IT infrastructure is:

    • a big bang deployment after proof of concept.
    • prototyping and a one-phase deployment.
    • a deployment plan based on sequenced phases.
    • to simulate the new infrastructure before deployment.
    When developing a large and complex IT infrastructure, the best practice is to use a phased approach to fitting the entire system together. This will provide greater assurance of quality results. The other choices are riskier approaches.
  20. An organization is migrating from a legacy system to an enterprise resource planning (ERP) system. While reviewing the data migration activity, the MOST important concern for the IS auditor is to determine that there is a:

    • correlation of semantic characteristics of the data migrated between the two systems.
    • correlation of arithmetic characteristics of the data migrated between the two systems.
    • correlation of functional characteristics of the processes between the two systems.
    • relative efficiency of the processes between the two systems.
    Due to the fact that the two systems could have a different data representation, including the database schema, the IS auditor’s main concern should be to verify that the interpretation of the data is the same in the new as it was in the old system. Arithmetic characteristics represent aspects of data structure and internal definition in the database, and therefore are less important than the semantic characteristics. A review of the correlation of the functional characteristics or a review of the relative efficiencies of the processes between the two systems is not relevant to a data migration review.