Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 47

  1. Which of the following is MOST important for an effective control self-assessment program?

    • Determining the scope of the assessment
    • Evaluating changes to the risk environment
    • Understanding the business process
    • Performing detailed test procedures
  2. A new information security manager is charged with reviewing and revising the information security strategy. The information security manager’s FIRST course of action should be to gain an understanding of the organization’s:

    • security architecture
    • risk register
    • internal control framework
    • business strategy
  3. Which device acting as a translator is used to connect two networks or applications from layer 4 up to layer 7 of the ISO/OSI Model?

    • Bridge
    • Repeater
    • Router
    • Gateway

    Explanation:

    A gateway is used to connect two networks that use dissimilar protocols; it can operate at the lower layers or at the highest level of the protocol stack.

    Important Note:

    For the purpose of the exam, you have to remember that a gateway is not synonymous with the term firewall.

    The second thing you must remember is the fact that a gateway acts as a translation device.
    It could be used to translate from IPX to TCP/IP, for example. It could be used to convert different types of application protocols and allow them to communicate together. A gateway could be at any of the OSI layers but usually tends to be higher up in the stack.

    For your exam you should know the information below:

    Repeaters
    A repeater provides the simplest type of connectivity, because it only repeats electrical signals between cable segments, which enables it to extend a network. Repeaters work at the physical layer and are add-on devices for extending a network connection over a greater distance. The device amplifies signals because signals attenuate the farther they have to travel.
    Repeaters can also work as line conditioners by actually cleaning up the signals. This works much better when amplifying digital signals than when amplifying analog signals, because digital signals are discrete units, which makes extraction of background noise from them much easier for the amplifier. If the device is amplifying analog signals, any accompanying noise often is amplified as well, which may further distort the signal.
    A hub is a multi-port repeater. A hub is often referred to as a concentrator because it is the physical communication device that allows several computers and devices to communicate with each other. A hub does not understand or work with IP or MAC addresses. When one system sends a signal to go to another system connected to it, the signal is broadcast to all the ports, and thus to all the systems connected to the concentrator.

    Figure: Repeater

    Bridges
    A bridge is a LAN device used to connect LAN segments. It works at the data link layer and therefore works with MAC addresses. A repeater does not work with addresses; it just forwards all signals it receives. When a frame arrives at a bridge, the bridge determines whether or not the MAC address is on the local network segment. If the MAC address is not on the local network segment, the bridge forwards the frame to the necessary network segment.

    Figure: Bridge

    Routers
    Routers are layer 3, or network layer, devices that are used to connect similar or different networks. (For example, they can connect two Ethernet LANs or an Ethernet LAN to a Token Ring LAN.) A router is a device that has two or more interfaces and a routing table so it knows how to get packets to their destinations. It can filter traffic based on access control lists (ACLs), and it fragments packets when necessary. Because routers have more network-level knowledge, they can perform higher-level functions, such as calculating the shortest and most economical path between the sending and receiving hosts.

    Figure: Router and Switch

    Switches
    Switches combine the functionality of a repeater and the functionality of a bridge. A switch amplifies the electrical signal, like a repeater, and has the built-in circuitry and intelligence of a bridge. It is a multi-port connection device that provides connections for individual computers or other hubs and switches.

    Gateways
    Gateway is a general term for software running on a device that connects two different environments and that many times acts as a translator for them or somehow restricts their interactions. Usually a gateway is needed when one environment speaks a different language, meaning it uses a certain protocol that the other environment does not understand. The gateway can translate Internetwork Packet Exchange (IPX) protocol packets to IP packets, accept mail from one type of mail server and format it so another type of mail server can accept and understand it, or connect and translate different data link technologies such as FDDI to Ethernet.

    Figure: Gateway Server

    The following answers are incorrect:

    Repeater – A repeater provides the simplest type of connectivity, because it only repeats electrical signals between cable segments, which enables it to extend a network. Repeaters work at the physical layer and are add-on devices for extending a network connection over a greater distance. The device amplifies signals because signals attenuate the farther they have to travel.

    Bridges – A bridge is a LAN device used to connect LAN segments. It works at the data link layer and therefore works with MAC addresses. A repeater does not work with addresses; it just forwards all signals it receives. When a frame arrives at a bridge, the bridge determines whether or not the MAC address is on the local network segment. If the MAC address is not on the local network segment, the bridge forwards the frame to the necessary network segment.

    Routers – Routers are layer 3, or network layer, devices that are used to connect similar or different networks. (For example, they can connect two Ethernet LANs or an Ethernet LAN to a Token Ring LAN.) A router is a device that has two or more interfaces and a routing table so it knows how to get packets to their destinations. It can filter traffic based on access control lists (ACLs), and it fragments packets when necessary.

    Reference:
    CISA review manual 2014 Page number 263
    Official ISC2 guide to CISSP CBK 3rd Edition Page number 229 and 230

  4. Which of the following is a telecommunication device that translates data from digital to analog form and back to digital?

    • Multiplexer
    • Modem
    • Protocol converter
    • Concentrator
    Explanation:
    A modem is a device that translates data from digital to analog form and back to digital for communication over analog lines.
    Reference: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, Chapter 3: Technical Infrastructure and Operational Practices (page 114).
  5. Which of the following transmission media would NOT be affected by cross talk or interference?

    • Copper cable
    • Radio System
    • Satellite radio link
    • Fiber optic cables
    Explanation:

    Only fiber optic cables are not affected by crosstalk or interference.

    For your exam you should know the information about transmission media:

    Copper Cable
    Copper cable is very simple to install and easy to tap. It is used mostly for short distances and supports voice and data.
    Copper has been used in electric wiring since the invention of the electromagnet and the telegraph in the 1820s. The invention of the telephone in 1876 created further demand for copper wire as an electrical conductor.
    Copper is the electrical conductor in many categories of electrical wiring. Copper wire is used in power generation, power transmission, power distribution, telecommunications, electronics circuitry, and countless types of electrical equipment. Copper and its alloys are also used to make electrical contacts. Electrical wiring in buildings is the most important market for the copper industry. Roughly half of all copper mined is used to manufacture electrical wire and cable conductors.

    Figure: Copper Cable

    Coaxial cable
    Coaxial cable, or coax (pronounced ‘ko.aks), is a type of cable that has an inner conductor surrounded by a tubular insulating layer, surrounded by a tubular conducting shield. Many coaxial cables also have an insulating outer sheath or jacket. The term coaxial comes from the inner conductor and the outer shield sharing a geometric axis. Coaxial cable was invented by English engineer and mathematician Oliver Heaviside, who patented the design in 1880. Coaxial cable differs from other shielded cable used for carrying lower-frequency signals, such as audio signals, in that the dimensions of the cable are controlled to give a precise, constant conductor spacing, which is needed for it to function efficiently as a radio frequency transmission line.

    Coaxial cable is expensive and does not support many LANs. It supports data and video.

    Figure: Coaxial Cable

    Fiber optics
    An optical fiber cable is a cable containing one or more optical fibers that are used to carry light. The optical fiber elements are typically individually coated with plastic layers and contained in a protective tube suitable for the environment where the cable will be deployed. Different types of cable are used for different applications, for example long distance telecommunication, or providing a high-speed data connection between different parts of a building.

    Fiber optics are used for long distances, are hard to splice, are not vulnerable to crosstalk and are difficult to tap. They support voice, data, image and video.
    Radio System
    Radio systems are used for short distances; they are cheap and easy to tap.
    Radio is the radiation (wireless transmission) of electromagnetic signals through the atmosphere or free space.

    Information, such as sound, is carried by systematically changing (modulating) some property of the radiated waves, such as their amplitude, frequency, phase, or pulse width. When radio waves strike an electrical conductor, the oscillating fields induce an alternating current in the conductor. The information in the waves can be extracted and transformed back into its original form.

    Figure: Fiber Optics

    Microwave radio system
    Microwave transmission refers to the technology of transmitting information or energy by the use of radio waves whose wavelengths are conveniently measured in small numbers of centimeters; these are called microwaves.
    Microwaves are widely used for point-to-point communications because their small wavelength allows conveniently-sized antennas to direct them in narrow beams, which can be pointed directly at the receiving antenna. This allows nearby microwave equipment to use the same frequencies without interfering with each other, as lower frequency radio waves do. Another advantage is that the high frequency of microwaves gives the microwave band a very large information-carrying capacity; the microwave band has a bandwidth 30 times that of all the rest of the radio spectrum below it. A disadvantage is that microwaves are limited to line of sight propagation; they cannot pass around hills or mountains as lower frequency radio waves can.

    Microwave radio transmission is commonly used in point-to-point communication systems on the surface of the Earth, in satellite communications, and in deep space radio communications. Other parts of the microwave radio band are used for radars, radio navigation systems, sensor systems, and radio astronomy.

    Microwave radio systems are carriers for voice and data signals; they are cheap and easy to tap.

    Figure: Microwave Radio System

    Satellite Radio Link
    Satellite radio is a radio service broadcast from satellites primarily to cars, with the signal broadcast nationwide, across a much wider geographical area than terrestrial radio stations. It is available by subscription, mostly commercial free, and offers subscribers more stations and a wider variety of programming options than terrestrial radio.

    A satellite radio link uses a transponder to send information and is easy to tap.

    The following answers are incorrect:

    Copper Cable – Copper cable is very simple to install and easy to tap. It is used mostly for short distances and supports voice and data.
    Radio System – Radio systems are used for short distances; they are cheap and easy to tap.
    Satellite Radio Link – A satellite radio link uses a transponder to send information and is easy to tap.

    Reference:

    CISA review manual 2014 page number 265 &
    Official ISC2 guide to CISSP CBK 3rd Edition Page number 233

  6. Why would a database be renormalized?

    • To ensure data integrity
    • To increase processing efficiency
    • To prevent duplication of data
    • To save storage space
    Explanation:

    A database is renormalized when there is a need to improve processing efficiency.

    There is, however, a risk to data integrity when this occurs. Since it implies the introduction of duplication, it will not likely allow saving of storage space.

    Reference:

    Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, Chapter 3: Technical Infrastructure and Operational Practices (page 109).

  7. Which of the following is not a common method of multiplexing data?

    • Analytical multiplexing
    • Time-division multiplexing
    • Asynchronous time-division multiplexing
    • Frequency division multiplexing
    Explanation:
    Generally, the methods for multiplexing data include the following:
    Time-division multiplexing (TDM): information from each data channel is allocated bandwidth based on pre-assigned time slots, regardless of whether there is data to transmit.
    Asynchronous time-division multiplexing (ATDM): information from data channels is allocated bandwidth as needed, via dynamically assigned time slots.
    Frequency division multiplexing (FDM): information from each data channel is allocated bandwidth based on the signal frequency of the traffic.
    Statistical multiplexing: Bandwidth is dynamically allocated to any data channels that have information to transmit.
    Reference:
    Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, Chapter 3: Technical Infrastructure and Operational Practices (page 114).
  8. Which of the following ISO/OSI layers performs transformations on data to provide a standardized application interface and to provide common communication services such as encryption?

    • Application layer
    • Session layer
    • Presentation layer
    • Transport layer
    Explanation:
    The presentation layer (ISO/OSI layer 6) performs transformations on data to provide a standardized application interface and to provide common communication services such as encryption, text compression and reformatting. The function of the presentation layer is to ensure that the format of the data submitted by the application layer conforms to the applicable network standard.
    Reference:
    Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, Chapter 3: Technical Infrastructure and Operational Practices (page 119).
  9. Which of the following is NOT a defined ISO basic task related to network management?

    • Fault management
    • Accounting resources
    • Security management
    • Communications management
    Explanation:

    Fault management: Detects the devices that present some kind of fault.
    Configuration management: Allows users to know, define and change remotely the configuration of any device.
    Accounting resources: Holds the records of the resource usage in the WAN.
    Performance management: Monitors usage levels and sets alarms when a threshold has been surpassed.
    Security management: Detects suspicious traffic or users and generates alarms accordingly.

    Reference:

    Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, Chapter 3: Technical Infrastructure and Operational Practices (page 137).

  10. What is the most effective means of determining that controls are functioning properly within an operating system?

    • Interview with computer operator
    • Review of software control features and/or parameters
    • Review of operating system manual
    • Interview with product vendor
    Explanation:

    Various operating system software products provide parameters and options for the tailoring of the system and activation of features such as activity logging. Parameters are important in determining how a system runs because they allow a standard piece of software to be customized to diverse environments. The reviewing of software control features and/or parameters is the most effective means of determining how controls are functioning within an operating system and of assessing an operating system’s integrity.

    The operating system manual should provide information as to what settings can be used but will not likely give any hint as to how parameters are actually set. The product vendor and computer operator are not necessarily aware of the detailed setting of all parameters.

    The review of software control features and/or parameters would be part of your security audit. A security audit is typically performed by an independent third party to the management of the system. The audit determines the degree with which the required controls are implemented.

    A security review is conducted by the system maintenance or security personnel to discover vulnerabilities within the system. A vulnerability occurs when policies are not followed, misconfigurations are present, or flaws exist in the hardware or software of the system. System reviews are sometimes referred to as a vulnerability assessment.

    Reference:

    Schneider, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition: Security Operations, Page 1054, for users with the Kindle edition look at Locations 851-855
    and
    Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, Chapter 3: Technical Infrastructure and Operational Practices (page 102).

  11. Which of the following characteristics pertaining to databases is not true?

    • A data model should exist and all entities should have a significant name.
    • Justifications must exist for normalized data.
    • No NULLs should be allowed for primary keys.
    • All relations must have a specific cardinality.
    Explanation:

    Justifications should be provided when data is renormalized, not when it is normalized, because renormalization introduces a risk of data inconsistency. Renormalization is usually introduced for performance purposes.

    Reference:

    Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, Chapter 3: Technical Infrastructure and Operational Practices (page 108).

  12. Which of the following is the BEST way to detect software license violations?

    • Implementing a corporate policy on copyright infringements and software use.
    • Requiring that all PCs be diskless workstations.
    • Installing metering software on the LAN so applications can be accessed through the metered software.
    • Regularly scanning PCs in use to ensure that unauthorized copies of software have not been loaded on the PC.
    Explanation:

    The best way to prevent and detect software license violations is to regularly scan PCs in use, either from the LAN or directly, to ensure that unauthorized copies of software have not been loaded on the PC.

    Other options are not detective.
    A corporate policy is not necessarily enforced and followed by all employees.

    Software can be installed by means other than floppies or CD-ROMs (from a LAN or even downloaded from the Internet), and software metering only concerns applications that are registered.

    Reference:

    Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, Chapter 3: Technical Infrastructure and Operational Practices (page 108).

  13. For an auditor, it is very important to understand the different forms of project organization and their implications for the control of project management activities. In which of the following project organization forms is management authority shared between the project manager and the department head?

    • Influence project organization
    • Pure project organization
    • Matrix project organization
    • Forward project organization
    Explanation:

    For CISA exam you should know the information below about Project Organizational Forms.

    Three major forms of organizational alignment for project management within a business organization are observed:

    Influence project organization – The project manager has only a staff function without formal management authority. The project manager is only allowed to advise peers and team members as to which activities should be completed.
    Pure project organization – The project manager has formal authority over those taking part in the project. Often this is bolstered by providing a special working area for the project team that is separated from their normal office space.
    Matrix project organization – Management authority is shared between the project manager and the department head.

    Requests for major projects should be submitted to and prioritized by the IS steering committee. A project manager should be identified and appointed by the IS steering committee. The project manager, who need not be an IS staff member

    The following were incorrect answers:

    Influence project organization – The project manager has only a staff function without formal management authority. The project manager is only allowed to advise peers and team members as to which activities should be completed.

    Pure project organization – The project manager has formal authority over those taking part in the project. Often this is bolstered by providing a special working area for the project team that is separated from their normal office space.

    Forward project organization – Not a valid type of project organization form.

    Reference:
    CISA review manual 2014 Page number 148

  14. Who provides the funding to the project and works closely with the project manager to define critical success factor (CSF)?

    • Project Sponsor
    • Security Officer
    • User Management
    • Senior Management
    Explanation:

    The project sponsor provides funding for the project and works closely with the project manager to define critical success factors (CSFs) and metrics for measuring the success of the project. It is crucial that success is translated into measurable and quantifiable terms. Data and application ownership are assigned to a project sponsor. A project sponsor is typically the senior manager in charge of the primary business unit that the application will support.

    For the CISA exam you should know the following roles and responsibilities of groups/individuals that may be involved in the development process:

    Senior Management – Demonstrates commitment to the project and approves the necessary resources to complete the project. This commitment from senior management helps ensure involvement by those needed to complete the project.

    User Management – Assumes ownership of the project and resulting system, allocates qualified representatives to the team, and actively participates in business process redesign, system requirement definitions, test case development, acceptance testing and user training. User management is concerned primarily with the following questions:

    Are the required functions available in the software?
    How reliable is the software?
    How effective is the software?
    Is the software easy to use?
    How easy is it to transfer or adapt old data from preexisting software to this environment?
    Is it possible to add new functions?
    Does it meet regulatory requirements?

    Project Steering Committee – Provides overall direction and ensures appropriate representation of the major stakeholders in the project’s outcome. The project steering committee is ultimately responsible for all deliverables, project costs and schedules. This committee should be comprised of senior representatives from each business area that will be significantly impacted by the proposed new system or system modifications.

    System Development Management – Provides technical support for the hardware and software environment by developing, installing and operating the requested system.

    Project Manager – Provides day-to-day management and leadership of the project, ensures that project activities remain in line with the overall direction, ensures appropriate representation of the affected departments, ensures that the project adheres to local standards, ensures that deliverables meet the quality expectations of key stakeholders, resolves interdepartmental conflicts, and monitors and controls the costs and timetable of the project.

    Project Sponsor – The project sponsor provides funding for the project and works closely with the project manager to define critical success factors (CSFs) and metrics for measuring the success of the project. It is crucial that success is translated into measurable and quantifiable terms. Data and application ownership are assigned to a project sponsor. A project sponsor is typically the senior manager in charge of the primary business unit that the application will support.

    System Development Project Team – Completes assigned tasks, communicates effectively with users by actively involving them in the development process, works according to local standards, and advises the project manager of necessary plan deviations.

    User Project Team – Completes assigned tasks, communicates effectively with the system developers by actively involving themselves in the development process as Subject Matter Experts (SMEs), works according to local standards, and advises the project manager of expected and actual project deviations.

    Security Officer – Ensures that system controls and supporting processes provide an effective level of protection, based on the data classification set in accordance with corporate security policies and procedures; consults throughout the life cycle on appropriate security measures that should be incorporated into the system.

    Quality Assurance – Personnel who review results and deliverables within each phase and at the end of each phase, and confirm compliance with requirements. Their objective is to ensure the quality of the project by measuring adherence of the project staff to the organization’s software development life cycle (SDLC), advise on deviations and propose recommendations for process improvement or greater control points when deviations occur.

    The following were incorrect answers:

    Security Officer – Ensures that system controls and supporting processes provide an effective level of protection, based on the data classification set in accordance with corporate security policies and procedures; consults throughout the life cycle on appropriate security measures that should be incorporated into the system.

    User Management – Assumes ownership of the project and resulting system, allocates qualified representatives to the team, and actively participates in business process redesign, system requirement definitions, test case development, acceptance testing and user training.

    Senior Management – Demonstrates commitment to the project and approves the necessary resources to complete the project. This commitment from senior management helps ensure involvement by those needed to complete the project.

    Reference:

    CISA review manual 2014 Page number 150

  15. Who is responsible for ensuring that system controls and supporting processes provide an effective level of protection, based on the data classification set in accordance with corporate security policies and procedures?

    • Project Sponsor
    • Security Officer
    • User Management
    • Senior Management
    Explanation:

    The Security Officer ensures that system controls and supporting processes provide an effective level of protection, based on the data classification set in accordance with corporate security policies and procedures, and consults throughout the life cycle on appropriate security measures that should be incorporated into the system.

    For the CISA exam you should know the following roles and responsibilities of groups/individuals that may be involved in the development process:

    Senior Management – Demonstrates commitment to the project and approves the necessary resources to complete the project. This commitment from senior management helps ensure involvement by those needed to complete the project.

    User Management – Assumes ownership of the project and resulting system, allocates qualified representatives to the team, and actively participates in business process redesign, system requirement definitions, test case development, acceptance testing and user training. User management is concerned primarily with the following questions:

    Are the required functions available in the software?
    How reliable is the software?
    How effective is the software?
    Is the software easy to use?
    How easy is it to transfer or adapt old data from preexisting software to this environment?
    Is it possible to add new functions?
    Does it meet regulatory requirements?

    Project Steering Committee – Provides overall direction and ensures appropriate representation of the major stakeholders in the project’s outcome. The project steering committee is ultimately responsible for all deliverables, project costs and schedules. This committee should be comprised of senior representatives from each business area that will be significantly impacted by the proposed new system or system modifications.

    System Development Management – Provides technical support for the hardware and software environment by developing, installing and operating the requested system.

    Project Manager – Provides day-to-day management and leadership of the project, ensures that project activities remain in line with the overall direction, ensures appropriate representation of the affected departments, ensures that the project adheres to local standards, ensures that deliverables meet the quality expectations of key stakeholders, resolves interdepartmental conflicts, and monitors and controls the costs and timetable of the project.

    Project Sponsor – The project sponsor provides funding for the project and works closely with the project manager to define critical success factors (CSFs) and metrics for measuring the success of the project. It is crucial that success is translated into measurable and quantifiable terms. Data and application ownership are assigned to a project sponsor. A project sponsor is typically the senior manager in charge of the primary business unit that the application will support.

    System Development Project Team – Completes assigned tasks, communicates effectively with users by actively involving them in the development process, works according to local standards, and advises the project manager of necessary plan deviations.

    User Project Team – Completes assigned tasks, communicates effectively with the system developers by actively involving themselves in the development process as Subject Matter Experts (SMEs), works according to local standards, and advises the project manager of expected and actual project deviations.

    Security Officer – Ensures that system controls and supporting processes provide an effective level of protection, based on the data classification set in accordance with corporate security policies and procedures; consults throughout the life cycle on appropriate security measures that should be incorporated into the system.

    Quality Assurance – Personnel who review results and deliverables within each phase and at the end of each phase, and confirm compliance with requirements. Their objective is to ensure the quality of the project by measuring adherence of the project staff to the organization’s software development life cycle (SDLC), advise on deviations and propose recommendations for process improvement or greater control points when deviations occur.

    The following were incorrect answers:

    Project Sponsor – Provides funding for the project and works closely with the project manager to define critical success factors (CSFs) and metrics for measuring the success of the project. It is crucial that success is translated into measurable and quantifiable terms. Data and application ownership are assigned to the project sponsor. A project sponsor is typically the senior manager in charge of the primary business unit that the application will support.

    User Management – Assumes ownership of the project and the resulting system, allocates qualified representatives to the team, and actively participates in business process redesign, system requirements definition, test case development, acceptance testing and user training.

    Senior Management – Demonstrates commitment to the project and approves the necessary resources to complete the project. This commitment from senior management helps ensure involvement by those needed to complete the project.

    Reference:
    CISA Review Manual 2014, page 150

  16. Who is responsible for reviewing the results and deliverables within and at the end of each phase, as well as confirming compliance with requirements?

    • Project Sponsor
    • Quality Assurance
    • User Management
    • Senior Management

    Explanation:

    Quality Assurance personnel review results and deliverables within each phase and at the end of each phase, and confirm compliance with requirements. Their objective is to ensure the quality of the project by measuring the adherence of the project staff to the organization’s software development life cycle (SDLC), advise on deviations, and propose recommendations for process improvement or greater control points when deviations occur.

    For the CISA exam you should know the information below, which summarizes the roles and responsibilities of the groups/individuals that may be involved in the development process:

    Senior Management – Demonstrates commitment to the project and approves the necessary resources to complete the project. This commitment from senior management helps ensure involvement by those needed to complete the project.

    User Management – Assumes ownership of the project and the resulting system, allocates qualified representatives to the team, and actively participates in business process redesign, system requirements definition, test case development, acceptance testing and user training. User management is concerned primarily with the following questions:

    Are the required functions available in the software?
    How reliable is the software?
    How effective is the software?
    Is the software easy to use?
    How easy is it to transfer or adapt old data from preexisting software to this environment?
    Is it possible to add new functions?
    Does it meet regulatory requirements?

    Project Steering Committee – Provides overall direction and ensures appropriate representation of the major stakeholders in the project’s outcome. The project steering committee is ultimately responsible for all deliverables, project costs and schedules. This committee should be composed of senior representatives from each business area that will be significantly impacted by the proposed new system or system modifications.

    System Development Management – Provides technical support for the hardware and software environment by developing, installing and operating the requested system.

    Project Manager – Provides day-to-day management and leadership of the project, ensures that project activities remain in line with the overall direction, ensures appropriate representation of the affected departments, ensures that the project adheres to local standards, ensures that deliverables meet the quality expectations of key stakeholders, resolves interdepartmental conflicts, and monitors and controls the cost and timetable of the project.

    Project Sponsor – Provides funding for the project and works closely with the project manager to define critical success factors (CSFs) and metrics for measuring the success of the project. It is crucial that success is translated into measurable and quantifiable terms. Data and application ownership are assigned to the project sponsor. A project sponsor is typically the senior manager in charge of the primary business unit that the application will support.

    System Development Project Team – Completes assigned tasks, communicates effectively with users by actively involving them in the development process, works according to local standards, and advises the project manager of necessary plan deviations.

    User Project Team – Completes assigned tasks, communicates effectively with the system developers by actively involving themselves in the development process as subject matter experts (SMEs), works according to local standards, and advises the project manager of expected and actual project deviations.

    Security Officer – Ensures that system controls and supporting processes provide an effective level of protection, based on the data classification set in accordance with corporate security policies and procedures; consults throughout the life cycle on the appropriate security measures that should be incorporated into the system.

    Quality Assurance – Personnel who review results and deliverables within each phase and at the end of each phase, and confirm compliance with requirements. Their objective is to ensure the quality of the project by measuring the adherence of the project staff to the organization’s software development life cycle (SDLC), advise on deviations, and propose recommendations for process improvement or greater control points when deviations occur.

    The following were incorrect answers:

    Project Sponsor – Provides funding for the project and works closely with the project manager to define critical success factors (CSFs) and metrics for measuring the success of the project. It is crucial that success is translated into measurable and quantifiable terms. Data and application ownership are assigned to the project sponsor. A project sponsor is typically the senior manager in charge of the primary business unit that the application will support.

    User Management – Assumes ownership of the project and the resulting system, allocates qualified representatives to the team, and actively participates in business process redesign, system requirements definition, test case development, acceptance testing and user training.

    Senior Management – Demonstrates commitment to the project and approves the necessary resources to complete the project. This commitment from senior management helps ensure involvement by those needed to complete the project.

    Reference:
    CISA Review Manual 2014, page 150

  17. Who is responsible for providing technical support for the hardware and software environment by developing, installing and operating the requested system?

    • System Development Management
    • Quality Assurance
    • User Management
    • Senior Management

    Explanation:

    System Development Management provides technical support for the hardware and software environment by developing, installing and operating the requested system.

    For the CISA exam you should know the information below, which summarizes the roles and responsibilities of the groups/individuals that may be involved in the development process:

    Senior Management – Demonstrates commitment to the project and approves the necessary resources to complete the project. This commitment from senior management helps ensure involvement by those needed to complete the project.

    User Management – Assumes ownership of the project and the resulting system, allocates qualified representatives to the team, and actively participates in business process redesign, system requirements definition, test case development, acceptance testing and user training. User management is concerned primarily with the following questions:

    Are the required functions available in the software?
    How reliable is the software?
    How effective is the software?
    Is the software easy to use?
    How easy is it to transfer or adapt old data from preexisting software to this environment?
    Is it possible to add new functions?
    Does it meet regulatory requirements?

    Project Steering Committee – Provides overall direction and ensures appropriate representation of the major stakeholders in the project’s outcome. The project steering committee is ultimately responsible for all deliverables, project costs and schedules. This committee should be composed of senior representatives from each business area that will be significantly impacted by the proposed new system or system modifications.

    System Development Management – Provides technical support for the hardware and software environment by developing, installing and operating the requested system.

    Project Manager – Provides day-to-day management and leadership of the project, ensures that project activities remain in line with the overall direction, ensures appropriate representation of the affected departments, ensures that the project adheres to local standards, ensures that deliverables meet the quality expectations of key stakeholders, resolves interdepartmental conflicts, and monitors and controls the cost and timetable of the project.

    Project Sponsor – Provides funding for the project and works closely with the project manager to define critical success factors (CSFs) and metrics for measuring the success of the project. It is crucial that success is translated into measurable and quantifiable terms. Data and application ownership are assigned to the project sponsor. A project sponsor is typically the senior manager in charge of the primary business unit that the application will support.

    System Development Project Team – Completes assigned tasks, communicates effectively with users by actively involving them in the development process, works according to local standards, and advises the project manager of necessary plan deviations.

    User Project Team – Completes assigned tasks, communicates effectively with the system developers by actively involving themselves in the development process as subject matter experts (SMEs), works according to local standards, and advises the project manager of expected and actual project deviations.

    Security Officer – Ensures that system controls and supporting processes provide an effective level of protection, based on the data classification set in accordance with corporate security policies and procedures; consults throughout the life cycle on the appropriate security measures that should be incorporated into the system.

    Quality Assurance – Personnel who review results and deliverables within each phase and at the end of each phase, and confirm compliance with requirements. Their objective is to ensure the quality of the project by measuring the adherence of the project staff to the organization’s software development life cycle (SDLC), advise on deviations, and propose recommendations for process improvement or greater control points when deviations occur.

    The following were incorrect answers:

    Quality Assurance – Personnel who review results and deliverables within each phase and at the end of each phase, and confirm compliance with requirements. Their objective is to ensure the quality of the project by measuring the adherence of the project staff to the organization’s software development life cycle (SDLC), advise on deviations, and propose recommendations for process improvement or greater control points when deviations occur.

    User Management – Assumes ownership of the project and the resulting system, allocates qualified representatives to the team, and actively participates in business process redesign, system requirements definition, test case development, acceptance testing and user training.

    Senior Management – Demonstrates commitment to the project and approves the necessary resources to complete the project. This commitment from senior management helps ensure involvement by those needed to complete the project.

    Reference:
    CISA Review Manual 2014, page 150

  18. Which of the following factors is LEAST important in the measurement of critical success factors for productivity in the SDLC phases?

    • Dollars spent per use
    • Number of transactions per month
    • Number of transactions per user
    • Number of occurrences of fraud/misuse detection

    Explanation:

    LEAST is the keyword in this question: you need to find the LEAST important factor in the measurement of productivity.

    For the CISA exam you should know the table below, which lists the measures used for each critical success factor.

    Measurement of Critical Success Factors

    Productivity
    • Dollars spent per use
    • Number of transactions per month
    • Number of transactions per user

    Quality
    • Number of discrepancies
    • Number of disputes
    • Number of occurrences of fraud/misuse detection

    Economic value
    • Total processing time reduction
    • Monetary value of administration costs

    Customer service
    • Turnaround time for customer question handling
    • Frequency of useful communication to users

    The following were incorrect answers:

    The other options presented are more important in the measurement of the critical success factor of productivity.

    Reference:
    CISA Review Manual 2014, page 159

  19. Which of the following statements correctly describes the difference between QAT and UAT?

    • QAT focuses on the technical aspects of the application and UAT focuses on the functional aspects of the application
    • UAT focuses on the technical aspects of the application and QAT focuses on the functional aspects of the application
    • UAT and QAT both focus on the functional aspects of the application
    • UAT and QAT both focus on the technical aspects of the application

    Explanation:

    Final Acceptance Testing – It has two major parts: Quality Assurance Testing (QAT), focusing on the technical aspects of the application, and User Acceptance Testing (UAT), focusing on the functional aspects of the application.

    For the CISA exam you should know the following types of testing:

    Unit Testing – The testing of an individual program or module. Unit testing uses a set of test cases that focus on the control structure of the procedural design. These tests ensure that the programs operate internally according to the specification.

    Interface or Integration Testing – A hardware or software test that evaluates the connection of two or more components that pass information from one area to another. The objective is to take unit-tested modules and build the integrated structure dictated by the design. The term integration testing also refers to tests that verify and validate the functioning of the application under test with other systems, where a set of data is transferred from one system to another.

    System Testing – A series of tests designed to ensure that modified programs, objects, database schema, etc., which collectively constitute a new or modified system, function properly. These test procedures are often performed in a non-production test/development environment by software developers designated as a test team. The following specific analyses may be carried out during system testing:

    Recovery Testing – Checking the system’s ability to recover after a software or hardware failure.

    Security Testing – Making sure the modified/new system includes provisions for appropriate access control and does not introduce any security holes that might compromise other systems.

    Load Testing – Testing an application with large quantities of data to evaluate its performance during peak hours.

    Volume Testing – Studying the impact on the application by testing with an incremental volume of records to determine the maximum volume of records that the application can process.

    Stress Testing – Studying the impact on the application by testing with an incremental number of concurrent users/services on the application to determine the maximum number of concurrent users/services the application can process.

    Performance Testing – Comparing the system performance to other equivalent systems using well-defined benchmarks.

    Final Acceptance Testing – It has two major parts: Quality Assurance Testing (QAT), focusing on the technical aspects of the application, and User Acceptance Testing (UAT), focusing on the functional aspects of the application.
    QAT focuses on documented specifications and the technology employed. It verifies that the application works as documented by testing the logical design and the technology itself. It also ensures that the application meets the documented technical specifications and deliverables. QAT is performed primarily by the IS department. The participation of end users is minimal and on request. QAT does not focus on functionality testing.
    UAT supports the process of ensuring that the system is production ready and satisfies all documented requirements. The methods include:
    Definition of test strategies and procedures.
    Design of test cases and scenarios.
    Execution of the tests.
    Utilization of the results to verify system readiness.
    Acceptance criteria are defined criteria that a deliverable must meet to satisfy the predefined needs of the user. A UAT plan must be documented for the final test of the completed system. The tests are written from a user’s perspective and should test the system in a manner as close to production as possible.

    The following were incorrect answers:

    The other options presented incorrectly describe the difference between QAT and UAT.

    Reference:
    CISA Review Manual 2014, page 166

  20. Which of the following types of testing uses a set of test cases that focus on the control structure of the procedural design?

    • Interface testing
    • Unit Testing
    • System Testing
    • Final acceptance testing

    Explanation:

    Unit testing is the testing of an individual program or module. Unit testing uses a set of test cases that focus on the control structure of the procedural design. These tests ensure that the programs operate internally according to the specification.

    For the CISA exam you should know the following types of testing:

    Unit Testing – The testing of an individual program or module. Unit testing uses a set of test cases that focus on the control structure of the procedural design. These tests ensure that the programs operate internally according to the specification.

    Interface or Integration Testing – A hardware or software test that evaluates the connection of two or more components that pass information from one area to another. The objective is to take unit-tested modules and build the integrated structure dictated by the design. The term integration testing also refers to tests that verify and validate the functioning of the application under test with other systems, where a set of data is transferred from one system to another.

    System Testing – A series of tests designed to ensure that modified programs, objects, database schema, etc., which collectively constitute a new or modified system, function properly. These test procedures are often performed in a non-production test/development environment by software developers designated as a test team. The following specific analyses may be carried out during system testing:

    Recovery Testing – Checking the system’s ability to recover after a software or hardware failure.

    Security Testing – Making sure the modified/new system includes provisions for appropriate access control and does not introduce any security holes that might compromise other systems.

    Load Testing – Testing an application with large quantities of data to evaluate its performance during peak hours.

    Volume Testing – Studying the impact on the application by testing with an incremental volume of records to determine the maximum volume of records that the application can process.

    Stress Testing – Studying the impact on the application by testing with an incremental number of concurrent users/services on the application to determine the maximum number of concurrent users/services the application can process.

    Performance Testing – Comparing the system performance to other equivalent systems using well-defined benchmarks.

    Final Acceptance Testing – It has two major parts: Quality Assurance Testing (QAT), focusing on the technical aspects of the application, and User Acceptance Testing (UAT), focusing on the functional aspects of the application.
    QAT focuses on documented specifications and the technology employed. It verifies that the application works as documented by testing the logical design and the technology itself. It also ensures that the application meets the documented technical specifications and deliverables. QAT is performed primarily by the IS department. The participation of end users is minimal and on request. QAT does not focus on functionality testing.
    UAT supports the process of ensuring that the system is production ready and satisfies all documented requirements. The methods include:
    Definition of test strategies and procedures.
    Design of test cases and scenarios.
    Execution of the tests.
    Utilization of the results to verify system readiness.
    Acceptance criteria are defined criteria that a deliverable must meet to satisfy the predefined needs of the user. A UAT plan must be documented for the final test of the completed system. The tests are written from a user’s perspective and should test the system in a manner as close to production as possible.

    The following were incorrect answers:

    Interface or Integration Testing – A hardware or software test that evaluates the connection of two or more components that pass information from one area to another. The objective is to take unit-tested modules and build the integrated structure dictated by the design. The term integration testing also refers to tests that verify and validate the functioning of the application under test with other systems, where a set of data is transferred from one system to another.

    System Testing – A series of tests designed to ensure that modified programs, objects, database schema, etc., which collectively constitute a new or modified system, function properly. These test procedures are often performed in a non-production test/development environment by software developers designated as a test team.

    Final Acceptance Testing – During this testing phase, the defined methods of testing to be applied should be incorporated into the organization’s QA methodology.

    Reference:
    CISA Review Manual 2014, page 166