Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 48

  1. Which of the following types of testing has two major categories, QAT and UAT?

    • Interface testing
    • Unit Testing
    • System Testing
    • Final acceptance testing
  2. Which of the following types of testing validates the functioning of the application under test with other systems, where a set of data is transferred from one system to another?

    • Interface testing
    • Unit Testing
    • System Testing
    • Final acceptance testing

    Explanation:

    Interface or integration testing is a hardware or software test that evaluates the connection of two or more components that pass information from one area to another. The objective is to take unit-tested modules and build an integrated structure dictated by the design. The term integration testing also refers to tests that verify and validate the functioning of the application under test with other systems, where a set of data is transferred from one system to another.

    For the CISA exam you should know the following types of testing:

    Unit Testing – The testing of an individual program or module. Unit testing uses a set of test cases that focus on the control structure of the procedural design. These tests ensure that the internal operation of the programs conforms to the specification.
    Interface or integration testing – A hardware or software test that evaluates the connection of two or more components that pass information from one area to another. The objective is to take unit-tested modules and build an integrated structure dictated by the design. The term integration testing also refers to tests that verify and validate the functioning of the application under test with other systems, where a set of data is transferred from one system to another.

    System Testing – A series of tests designed to ensure that modified programs, objects, database schemas, etc., which collectively constitute a new or modified system, function properly. These test procedures are often performed in a non-production test/development environment by software developers designated as a test team. The following specific analyses may be carried out during system testing.

    Recovery Testing – Checking the system's ability to recover after a software or hardware failure.

    Security Testing – Making sure the modified/new system includes provisions for appropriate access control and does not introduce any security holes that might compromise other systems.

    Load Testing – Testing an application with large quantities of data to evaluate its performance during peak hours.

    Volume testing – Studying the impact on the application by testing with an incremental volume of records to determine the maximum volume of records that the application can process.

    Stress Testing – Studying the impact on the application by testing with an incremental number of concurrent users/services on the application to determine the maximum number of concurrent users/services the application can process.

    Performance Testing – Comparing the system's performance to other equivalent systems using well-defined benchmarks.

    Final Acceptance Testing – It has two major parts: Quality Assurance Testing (QAT), focusing on the technical aspects of the application, and User Acceptance Testing (UAT), focusing on the functional aspects of the application.
    QAT focuses on documented specifications and the technology employed. It verifies that the application works as documented by testing the logical design and the technology itself. It also ensures that the application meets the documented technical specifications and deliverables. QAT is performed primarily by the IS department. The participation of end users is minimal and on request. QAT does not focus on functionality testing.
    UAT supports the process of ensuring that the system is production ready and satisfies all documented requirements. The methods include:
    • Definition of test strategies and procedures.
    • Design of test cases and scenarios.
    • Execution of the tests.
    • Utilization of the results to verify system readiness.
    Acceptance criteria are defined criteria that a deliverable must meet to satisfy the predefined needs of the user. A UAT plan must be documented for the final test of the completed system. The tests are written from a user's perspective and should test the system in a manner as close to production as possible.

    The following were incorrect answers:

    Unit Testing – The testing of an individual program or module. Unit testing uses a set of test cases that focus on the control structure of the procedural design. These tests ensure that the internal operation of the programs conforms to the specification.

    System Testing – A series of tests designed to ensure that modified programs, objects, database schemas, etc., which collectively constitute a new or modified system, function properly. These test procedures are often performed in a non-production test/development environment by software developers designated as a test team.
    Final Acceptance Testing – During this testing phase the defined methods of testing to apply should be incorporated into the organization's QA methodology.

    Reference:

    CISA review manual 2014 Page number 166

  3. Identify the INCORRECT statement among the testing types listed below.

    • Recovery Testing – Making sure the modified/new system includes provisions for appropriate access control and does not introduce any security holes that might compromise other systems
    • Load Testing – Testing an application with large quantities of data to evaluate its performance during peak hour
    • Volume testing – Studying the impact on the application by testing with an incremental volume of records to determine the maximum volume of records that application can process
    • Stress Testing – Studying the impact on the application by testing with an incremental number of concurrent users/services on the application to determine the maximum number of concurrent users/services the application can process
    Explanation:

    The word INCORRECT is the keyword in this question: you need to find the incorrect option among those listed above. Recovery testing is incorrectly defined in the options (the definition given is actually that of security testing). The correct description is: Recovery Testing – Checking the system's ability to recover after a software or hardware failure.

    For the CISA exam you should know the following types of testing:

    Unit Testing – The testing of an individual program or module. Unit testing uses a set of test cases that focus on the control structure of the procedural design. These tests ensure that the internal operation of the programs conforms to the specification.
    Interface or integration testing – A hardware or software test that evaluates the connection of two or more components that pass information from one area to another. The objective is to take unit-tested modules and build an integrated structure dictated by the design. The term integration testing also refers to tests that verify and validate the functioning of the application under test with other systems, where a set of data is transferred from one system to another.

    System Testing – A series of tests designed to ensure that modified programs, objects, database schemas, etc., which collectively constitute a new or modified system, function properly. These test procedures are often performed in a non-production test/development environment by software developers designated as a test team. The following specific analyses may be carried out during system testing.

    Recovery Testing – Checking the system’s ability to recover after a software or hardware failure.

    Security Testing – Making sure the modified/new system includes provisions for appropriate access control and does not introduce any security holes that might compromise other systems.

    Load Testing – Testing an application with large quantities of data to evaluate its performance during peak hours.

    Volume testing – Studying the impact on the application by testing with an incremental volume of records to determine the maximum volume of records that the application can process.

    Stress Testing – Studying the impact on the application by testing with an incremental number of concurrent users/services on the application to determine the maximum number of concurrent users/services the application can process.

    Performance Testing – Comparing the system's performance to other equivalent systems using well-defined benchmarks.

    Final Acceptance Testing – It has two major parts: Quality Assurance Testing (QAT), focusing on the technical aspects of the application, and User Acceptance Testing (UAT), focusing on the functional aspects of the application.
    QAT focuses on documented specifications and the technology employed. It verifies that the application works as documented by testing the logical design and the technology itself. It also ensures that the application meets the documented technical specifications and deliverables. QAT is performed primarily by the IS department. The participation of end users is minimal and on request. QAT does not focus on functionality testing.
    UAT supports the process of ensuring that the system is production ready and satisfies all documented requirements. The methods include:
    • Definition of test strategies and procedures.
    • Design of test cases and scenarios.
    • Execution of the tests.
    • Utilization of the results to verify system readiness.
    Acceptance criteria are defined criteria that a deliverable must meet to satisfy the predefined needs of the user. A UAT plan must be documented for the final test of the completed system. The tests are written from a user's perspective and should test the system in a manner as close to production as possible.

    The following were incorrect answers:
    The other options presented contain valid definitions.

    Reference:
    CISA review manual 2014 Page number 166

  4. Which of the following is the process of repeating a portion of a test scenario or test plan to ensure that changes to the information system have not introduced any errors?

    • Parallel Test
    • Black box testing
    • Regression Testing
    • Pilot Testing
    Explanation:

    Regression testing is the process of rerunning a portion of a test scenario or test plan to ensure that changes or corrections have not introduced new errors. The data used in regression testing should be the same as the original data.

    For the CISA exam you should know the following types of testing:

    Alpha and Beta Testing – An alpha version is an early version of the application system submitted to internal users for testing. The alpha version may not contain all the features planned for the final version. Typically, software goes through two stages of testing before it is considered finished. The first stage, called alpha testing, is often performed only by users within the organization developing the software. The second stage, called beta testing, is a form of user acceptance testing and generally involves a limited number of external users. Beta testing is the last stage of testing and normally involves real-world exposure, sending the beta version of the product to independent beta test sites or offering it free to interested users.

    Pilot Testing – A preliminary test that focuses on specific and predefined aspects of a system. It is not meant to replace other testing methods, but rather to provide a limited evaluation of the system. Proofs of concept are early pilot tests, usually on an interim platform and with only basic functionality.

    White box testing – Assesses the effectiveness of a software program's logic. Specifically, test data are used in determining procedural accuracy or conditions of a program's specific logic paths. However, testing all possible logical paths in a large information system is not feasible and would be cost prohibitive, so white box testing is used on a selective basis only.

    Black Box Testing – An integrity-based form of testing associated with testing components of an information system's "functional" operating effectiveness without regard to any specific internal program structure. Applicable to integration and user acceptance testing.

    Function/validation testing – Similar to system testing, but often used to test the functionality of the system against the detailed requirements to ensure that the software that has been built is traceable to customer requirements.

    Regression Testing – The process of rerunning a portion of a test scenario or test plan to ensure that changes or corrections have not introduced new errors. The data used in regression testing should be the same as the original data.

    Parallel Testing – The process of feeding test data into two systems, the modified system and an alternative system, and comparing the results.

    Sociability Testing – The purpose of these tests is to confirm that a new or modified system can operate in its target environment without adversely impacting existing systems. This should cover not only the platform that will perform primary application processing and interface with other systems but, in client-server and web development, changes to the desktop environment as well. Multiple applications may run on the user's desktop, potentially simultaneously, so it is important to test the impact of installing new dynamic link libraries (DLLs), making operating system registry or configuration file modifications, and possibly extra memory utilization.

    The following were incorrect answers:

    Parallel Testing – The process of feeding test data into two systems, the modified system and an alternative system, and comparing the results.

    Black Box Testing – An integrity-based form of testing associated with testing components of an information system's "functional" operating effectiveness without regard to any specific internal program structure. Applicable to integration and user acceptance testing.

    Pilot Testing – A preliminary test that focuses on specific and predefined aspects of a system. It is not meant to replace other testing methods, but rather to provide a limited evaluation of the system. Proofs of concept are early pilot tests, usually on an interim platform and with only basic functionality.

    Reference:

    CISA review manual 2014 Page number 167

  5. Which of the following is the process of feeding test data into two systems, the modified system and an alternative system, and comparing the results?

    • Parallel Test
    • Black box testing
    • Regression Testing
    • Pilot Testing
    Explanation:

    Parallel testing is the process of feeding test data into two systems, the modified system and an alternative system, and comparing the results.

    For the CISA exam you should know the following types of testing:

    Alpha and Beta Testing – An alpha version is an early version of the application system submitted to internal users for testing. The alpha version may not contain all the features planned for the final version. Typically, software goes through two stages of testing before it is considered finished. The first stage, called alpha testing, is often performed only by users within the organization developing the software. The second stage, called beta testing, is a form of user acceptance testing and generally involves a limited number of external users. Beta testing is the last stage of testing and normally involves real-world exposure, sending the beta version of the product to independent beta test sites or offering it free to interested users.

    Pilot Testing – A preliminary test that focuses on specific and predefined aspects of a system. It is not meant to replace other testing methods, but rather to provide a limited evaluation of the system. Proofs of concept are early pilot tests, usually on an interim platform and with only basic functionality.

    White box testing – Assesses the effectiveness of a software program's logic. Specifically, test data are used in determining procedural accuracy or conditions of a program's specific logic paths. However, testing all possible logical paths in a large information system is not feasible and would be cost prohibitive, so white box testing is used on a selective basis only.

    Black Box Testing – An integrity-based form of testing associated with testing components of an information system's "functional" operating effectiveness without regard to any specific internal program structure. Applicable to integration and user acceptance testing.

    Function/validation testing – Similar to system testing, but often used to test the functionality of the system against the detailed requirements to ensure that the software that has been built is traceable to customer requirements.

    Regression Testing – The process of rerunning a portion of a test scenario or test plan to ensure that changes or corrections have not introduced new errors. The data used in regression testing should be the same as the original data.

    Parallel Testing – The process of feeding test data into two systems, the modified system and an alternative system, and comparing the results.

    Sociability Testing – The purpose of these tests is to confirm that a new or modified system can operate in its target environment without adversely impacting existing systems. This should cover not only the platform that will perform primary application processing and interface with other systems but, in client-server and web development, changes to the desktop environment as well. Multiple applications may run on the user's desktop, potentially simultaneously, so it is important to test the impact of installing new dynamic link libraries (DLLs), making operating system registry or configuration file modifications, and possibly extra memory utilization.

    The following were incorrect answers:

    Regression Testing – The process of rerunning a portion of a test scenario or test plan to ensure that changes or corrections have not introduced new errors. The data used in regression testing should be the same as the original data.

    Black Box Testing – An integrity-based form of testing associated with testing components of an information system's "functional" operating effectiveness without regard to any specific internal program structure. Applicable to integration and user acceptance testing.

    Pilot Testing – A preliminary test that focuses on specific and predefined aspects of a system. It is not meant to replace other testing methods, but rather to provide a limited evaluation of the system. Proofs of concept are early pilot tests, usually on an interim platform and with only basic functionality.

    Reference:

    CISA review manual 2014 Page number 167

  6. Which of the following statements correctly describes the difference between black box testing and white box testing?

    • Black box testing focuses on functional operative effectiveness, whereas white box testing assesses the effectiveness of software program logic
    • White box testing focuses on functional operative effectiveness, whereas black box testing assesses the effectiveness of software program logic
    • White box and black box testing focus on the functional operative effectiveness of an information system without regard to any internal program structure
    • White box and black box testing focus on the effectiveness of the software program logic
    Explanation:

    For the CISA exam you should know the following types of testing:

    Alpha and Beta Testing – An alpha version is an early version of the application system submitted to internal users for testing. The alpha version may not contain all the features planned for the final version. Typically, software goes through two stages of testing before it is considered finished. The first stage, called alpha testing, is often performed only by users within the organization developing the software. The second stage, called beta testing, is a form of user acceptance testing and generally involves a limited number of external users. Beta testing is the last stage of testing and normally involves real-world exposure, sending the beta version of the product to independent beta test sites or offering it free to interested users.

    Pilot Testing – A preliminary test that focuses on specific and predefined aspects of a system. It is not meant to replace other testing methods, but rather to provide a limited evaluation of the system. Proofs of concept are early pilot tests, usually on an interim platform and with only basic functionality.

    White box testing – Assesses the effectiveness of a software program's logic. Specifically, test data are used in determining procedural accuracy or conditions of a program's specific logic paths. However, testing all possible logical paths in a large information system is not feasible and would be cost prohibitive, so white box testing is used on a selective basis only.

    Black Box Testing – An integrity-based form of testing associated with testing components of an information system's "functional" operating effectiveness without regard to any specific internal program structure. Applicable to integration and user acceptance testing.

    Function/validation testing – Similar to system testing, but often used to test the functionality of the system against the detailed requirements to ensure that the software that has been built is traceable to customer requirements.

    Regression Testing – The process of rerunning a portion of a test scenario or test plan to ensure that changes or corrections have not introduced new errors. The data used in regression testing should be the same as the original data.

    Parallel Testing – The process of feeding test data into two systems, the modified system and an alternative system, and comparing the results.

    Sociability Testing – The purpose of these tests is to confirm that a new or modified system can operate in its target environment without adversely impacting existing systems. This should cover not only the platform that will perform primary application processing and interface with other systems but, in client-server and web development, changes to the desktop environment as well. Multiple applications may run on the user's desktop, potentially simultaneously, so it is important to test the impact of installing new dynamic link libraries (DLLs), making operating system registry or configuration file modifications, and possibly extra memory utilization.

    The following were incorrect answers:
    The other options presented do not correctly describe the difference between black box and white box testing.

    Reference:

    CISA review manual 2014 Page number 167

  7. Which of the following data validation controls validates input data against a predefined range of values?

    • Range Check
    • Table lookups
    • Existence check
    • Reasonableness check
    Explanation:

    In a range check, data should not exceed a predefined range of values.

    For the CISA exam you should know the following data validation edits and controls:

    Sequence Check – The control number follows sequentially, and any out-of-sequence or duplicated control numbers are rejected or noted on an exception report for follow-up purposes. For example, invoices are numbered sequentially. The day's invoices begin with 12001 and end with 15045. If any invoice larger than 15045 is encountered during processing, that invoice would be rejected as an invalid invoice number.

    Limit Check – Data should not exceed a predefined amount. For example, payroll checks should not exceed US $4000. If a check exceeds US $4000, the data would be rejected for further verification/authorization.

    Validity Check – Programmed checking of data validity in accordance with predefined criteria. For example, a payroll record contains a field for marital status and the acceptable status codes are M or S. If any other code is entered, the record should be rejected.

    Range Check – Data should not exceed a predefined range of values. For example, product type codes range from 100 to 250. Any code outside this range should be rejected as an invalid product type.

    Reasonableness check – Input data are matched to predefined reasonable limits or occurrence rates. For example, a widget manufacturer usually receives an order for no more than 20 widgets. If an order for more than 20 widgets is received, the computer program should be designed to print the record with a warning indicating that the order appears unreasonable.

    Table Lookups – Input data comply with predefined criteria maintained in a computerized table of possible values. For example, an input check enters a city code of 1 to 10. This number corresponds with a computerized table that matches the code to a city name.

    Existence Check – Data are entered correctly and agree with valid predefined criteria. For example, a valid transaction code must be entered in the transaction code field.

    Key verification – The keying process is repeated by a separate individual using a machine that compares the original keystrokes to the repeated keyed input. For example, the worker number is keyed twice and compared to verify the keying process.

    Check digit – A numeric value that has been calculated mathematically is added to data to ensure that the original data have not been altered or an incorrect, but valid, value substituted. This control is effective in detecting transposition and transcription errors. For example, a check digit is added to an account number so it can be checked for accuracy when it is used.

    Completeness check – A field should always contain data rather than zeros or blanks. A check of each byte of that field should be performed to determine that some form of data, not blanks or zeros, is present. For example, a worker number on a new employee record is left blank. This is identified as a key field, and the record would be rejected, with a request that the field be completed before the record is accepted for processing.

    Duplicate check – A new transaction is matched to those previously input to ensure that it has not already been entered. For example, a vendor invoice number is compared with previously recorded invoices to ensure that the current order is not a duplicate and, therefore, the vendor will not be paid twice.

    Logical relationship check – If a particular condition is true, then one or more additional conditions or data input relationships may be required to be true for the input to be considered valid. For example, the hire date of an employee may be required to be more than 16 years past his or her date of birth.

    The following were incorrect answers:

    Table Lookups – Input data comply with predefined criteria maintained in a computerized table of possible values. For example, an input check enters a city code of 1 to 10. This number corresponds with a computerized table that matches the code to a city name.

    Existence Check – Data are entered correctly and agree with valid predefined criteria. For example, a valid transaction code must be entered in the transaction code field.

    Reasonableness check – Input data are matched to predefined reasonable limits or occurrence rates. For example, a widget manufacturer usually receives an order for no more than 20 widgets. If an order for more than 20 widgets is received, the computer program should be designed to print the record with a warning indicating that the order appears unreasonable.

    Reference:

    CISA review manual 2014 Page number 215

  8. Which of the following controls makes sure that input data comply with predefined criteria maintained in a computerized table of possible values?

    • Range Check
    • Table lookups
    • Existence check
    • Reasonableness check
    Explanation:

    In a table lookup, input data must comply with predefined criteria maintained in a computerized table of possible values. For example, an input check enters a city code of 1 to 10. This number corresponds with a computerized table that matches the code to a city name.

    For the CISA exam you should know the following data validation edits and controls:

    Sequence Check – The control number follows sequentially, and any out-of-sequence or duplicated control numbers are rejected or noted on an exception report for follow-up purposes. For example, invoices are numbered sequentially. The day's invoices begin with 12001 and end with 15045. If any invoice larger than 15045 is encountered during processing, that invoice would be rejected as an invalid invoice number.

    Limit Check – Data should not exceed a predefined amount. For example, payroll checks should not exceed US $4000. If a check exceeds US $4000, the data would be rejected for further verification/authorization.

    Validity Check – Programmed checking of data validity in accordance with predefined criteria. For example, a payroll record contains a field for marital status and the acceptable status codes are M or S. If any other code is entered, the record should be rejected.

    Range Check – Data should not exceed a predefined range of values. For example, product type codes range from 100 to 250. Any code outside this range should be rejected as an invalid product type.

    Reasonableness check – Input data are matched to predefined reasonable limits or occurrence rates. For example, a widget manufacturer usually receives an order for no more than 20 widgets. If an order for more than 20 widgets is received, the computer program should be designed to print the record with a warning indicating that the order appears unreasonable.

    Table Lookups – Input data comply with predefined criteria maintained in a computerized table of possible values. For example, an input check enters a city code of 1 to 10. This number corresponds with a computerized table that matches the code to a city name.

    Existence Check – Data are entered correctly and agree with valid predefined criteria. For example, a valid transaction code must be entered in the transaction code field.

    Key verification – The keying process is repeated by a separate individual using a machine that compares the original keystrokes to the repeated keyed input. For example, the worker number is keyed twice and compared to verify the keying process.

    Check digit – A numeric value that has been calculated mathematically is added to data to ensure that the original data have not been altered or an incorrect, but valid, value substituted. This control is effective in detecting transposition and transcription errors. For example, a check digit is added to an account number so it can be checked for accuracy when it is used.

    Completeness check – A field should always contain data rather than zeros or blanks. A check of each byte of that field should be performed to determine that some form of data, not blanks or zeros, is present. For example, a worker number on a new employee record is left blank. This is identified as a key field, and the record would be rejected, with a request that the field be completed before the record is accepted for processing.

    Duplicate check – A new transaction is matched to those previously input to ensure that it has not already been entered. For example, a vendor invoice number is compared with previously recorded invoices to ensure that the current order is not a duplicate and, therefore, the vendor will not be paid twice.

    Logical relationship check – If a particular condition is true, then one or more additional conditions or data input relationships may be required to be true for the input to be considered valid. For example, the hire date of an employee may be required to be more than 16 years past his or her date of birth.
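    The data validation edits listed above (for this question and for question 7), implemented as an added example that is not from the CISA manual or this page. The sample values are the page's own; the city table and the employee record are constructed, and the Luhn mod-10 scheme used for the check digit is an assumption, since the page names no specific algorithm.

```python
"""Data validation edits and controls from the CISA notes above, in code.

Sample values (invoices 12001-15045, the US $4000 payroll limit, M/S marital
codes, product codes 100-250, the 20-widget limit, city codes 1-10, the 16-year
hire-date rule) are the page's own; the city table and records are constructed,
and the Luhn mod-10 check digit is an assumed scheme (the page names none).
"""
from datetime import date

def sequence_check(control_numbers, first=12001, last=15045):
    """Return an exception report: (number, reason) for each rejected control number."""
    report, seen, previous = [], set(), None
    for n in control_numbers:
        if n < first or n > last:
            report.append((n, "outside the day's range"))
        elif n in seen:
            report.append((n, "duplicate"))
        elif previous is not None and n != previous + 1:
            report.append((n, "out of sequence"))
        seen.add(n)
        previous = n
    return report

def limit_check(amount, limit=4000):
    """Payroll check must not exceed the limit; larger amounts need authorization."""
    return amount <= limit

def validity_check(marital_status, valid_codes=("M", "S")):
    """Field value must be one of the predefined codes."""
    return marital_status in valid_codes

def range_check(product_code, low=100, high=250):
    """Value must fall inside the predefined range."""
    return low <= product_code <= high

def reasonableness_check(quantity, usual_max=20):
    """Accept the record but flag it when the quantity looks unreasonable."""
    return "warning: order appears unreasonable" if quantity > usual_max else "ok"

# Constructed sample lookup table: city codes 1 to 10.
CITY_TABLE = dict(enumerate(["Austin", "Boston", "Chicago", "Denver", "Houston",
                             "Miami", "Omaha", "Phoenix", "Reno", "Seattle"], start=1))

def table_lookup(city_code):
    """Return the city name for a code, or None when the code is not in the table."""
    return CITY_TABLE.get(city_code)

def existence_check(transaction_code, valid_codes):
    """A non-empty value must be present and agree with the predefined codes."""
    return bool(transaction_code) and transaction_code in valid_codes

def luhn_check_digit(body):
    """Mod-10 (Luhn) check digit for a string of digits (assumed scheme)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # double every second digit, counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10

def check_digit_valid(account_number):
    """Last digit is the check digit; catches transposition and transcription errors."""
    return luhn_check_digit(account_number[:-1]) == int(account_number[-1])

def completeness_check(field):
    """Key field must hold real data, not only blanks or zeros."""
    return any(ch not in " 0" for ch in field)

def duplicate_check(invoice_number, recorded):
    """True if the invoice is new; it is then recorded so the vendor is not paid twice."""
    if invoice_number in recorded:
        return False
    recorded.add(invoice_number)
    return True

def logical_relationship_check(date_of_birth, hire_date, min_years=16):
    """Hire date must be more than min_years past the date of birth."""
    try:
        cutoff = date_of_birth.replace(year=date_of_birth.year + min_years)
    except ValueError:  # 29 February birthday in a non-leap year
        cutoff = date_of_birth.replace(year=date_of_birth.year + min_years, day=28)
    return hire_date > cutoff

def validate_employee_record(rec):
    """Run the payroll-related edits over one record and return the rejection reasons."""
    errors = []
    if not completeness_check(rec["worker_number"]):
        errors.append("worker number blank")
    if not validity_check(rec["marital_status"]):
        errors.append("invalid marital status code")
    if not limit_check(rec["pay"]):
        errors.append("pay exceeds US $4000 limit")
    if not logical_relationship_check(rec["date_of_birth"], rec["hire_date"]):
        errors.append("hire date not more than 16 years after date of birth")
    return errors
```

    Each function returns a verdict rather than printing, so the edits can be combined into an exception report the way `validate_employee_record` does for the payroll fields.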

    The following were incorrect answers:

    Range Check – Data should not exceed a predefined range of values. For example, product type code range from 100 to 250. Any code outside this range should be rejected as an invalid product type.

    Existence Check – Data are entered correctly and agree with valid predefined criteria. For example, a valid transaction code must be entered in the transaction code field.

    Reasonableness check – Input data are matched to predefined reasonable limits or occurrence rates. For example, a widget manufacturer usually receives an order for no more than 20 widgets. If an order for more than 20 widgets is received, the computer program should be designed to print the record with a warning indicating that the order appears unreasonable.

    Reference:

    CISA review manual 2014 Page number 215

  9. John has implemented a validation check on the marital status field of a payroll record. The payroll record contains a field for marital status, and the acceptable status codes are M for married and S for single. If any other code is entered, the record should be rejected. Which of the following data validation controls has John implemented?

    • Range Check
    • Validity Check
    • Existence check
    • Reasonableness check
    Explanation:

    A validity check is programmed checking of data validity in accordance with predefined criteria. For example, a payroll record contains a field for marital status and the acceptable status codes are M or S. If any other code is entered, the record should be rejected.

    For the CISA exam you should know the following data validation edits and controls:

    Sequence Check – The control number follows sequentially, and any out-of-sequence or duplicated control numbers are rejected or noted on an exception report for follow-up purposes. For example, invoices are numbered sequentially. The day’s invoices begin with 12001 and end with 15045. If any invoice larger than 15045 is encountered during processing, that invoice would be rejected as an invalid invoice number.

    Limit Check – Data should not exceed a predefined amount. For example, payroll checks should not exceed US $ 4000. If a check exceeds US $ 4000, data would be rejected for further verification/authorization.

    Validity Check – Programmed checking of data validity in accordance with predefined criteria. For example, a payroll record contains a field for marital status and the acceptable status codes are M or S. If any other code is entered, record should be rejected.

    Range Check – Data should not exceed a predefined range of values. For example, product type code range from 100 to 250. Any code outside this range should be rejected as an invalid product type.

    Reasonableness check – Input data are matched to predefined reasonable limits or occurrence rates. For example, a widget manufacturer usually receives an order for no more than 20 widgets. If an order for more than 20 widgets is received, the computer program should be designed to print the record with a warning indicating that the order appears unreasonable.

    Table Lookups – Input data comply with predefined criteria maintained in a computerized table of possible values. For example, an input clerk enters a city code of 1 to 10. This number corresponds with a computerized table that matches a code to a city name.

    Existence Check – Data are entered correctly and agree with valid predefined criteria. For example, a valid transaction code must be entered in the transaction code field.

    Key verification – The keying process is repeated by a separate individual using a machine that compares the original keystrokes to the repeated keyed input. For example, the worker number is keyed twice and compared to verify the keying process.

    Check digit – A numeric value that has been calculated mathematically is added to data to ensure that the original data have not been altered or an incorrect, but valid, value substituted. This control is effective in detecting transposition and transcription errors. For example, a check digit is added to an account number so it can be checked for accuracy when it is used.

    Completeness check – A field should always contain data rather than zeros or blanks. A check of each byte of that field should be performed to determine that some form of data, not blanks or zeros, is present. For example, a worker number on a new employee record is left blank. This is identified as a key field and the record would be rejected, with a request that the field be completed before the record is accepted for processing.

    Duplicate check – New transactions are matched to those previously input to ensure that they have not already been entered. For example, a vendor invoice number is compared with previously recorded invoices to ensure that the current order is not a duplicate and, therefore, that the vendor will not be paid twice.

    Logical relationship check – If a particular condition is true, then one or more additional conditions or data input relationships may be required to be true for the input to be considered valid. For example, the hire date of an employee may be required to be more than 16 years past his or her date of birth.

    The following were incorrect answers:

    Range Check – Data should not exceed a predefined range of values. For example, product type codes range from 100 to 250. Any code outside this range should be rejected as an invalid product type.

    Existence Check – Data are entered correctly and agree with valid predefined criteria. For example, a valid transaction code must be entered in the transaction code field.

    Reasonableness check – Input data are matched to predefined reasonable limits or occurrence rates. For example, a widget manufacturer usually receives an order for no more than 20 widgets. If an order for more than 20 widgets is received, the computer program should be designed to print the record with a warning indicating that the order appears unreasonable.

    Reference:

    CISA review manual 2014 Page number 215

  10. While implementing an invoice system, Lily has implemented a database control which checks that new transactions are matched to those previously input to ensure that they have not already been entered. Which of the following controls has Lily implemented?

    • Range Check
    • Duplicate Check
    • Existence check
    • Reasonableness check
    Explanation:

    In a duplicate check, new transactions are matched to those previously input to ensure that they have not already been entered. For example, a vendor invoice number is compared with previously recorded invoices to ensure that the current order is not a duplicate and, therefore, that the vendor will not be paid twice.

    For the CISA exam you should know the following data validation edits and controls:

    Sequence Check – The control number follows sequentially, and any out-of-sequence or duplicated control numbers are rejected or noted on an exception report for follow-up purposes. For example, invoices are numbered sequentially. The day’s invoices begin with 12001 and end with 15045. If any invoice larger than 15045 is encountered during processing, that invoice would be rejected as an invalid invoice number.

    Limit Check – Data should not exceed a predefined amount. For example, payroll checks should not exceed US $ 4000. If a check exceeds US $ 4000, data would be rejected for further verification/authorization.

    Validity Check – Programmed checking of data validity in accordance with predefined criteria. For example, a payroll record contains a field for marital status and the acceptable status codes are M or S. If any other code is entered, record should be rejected.

    Range Check – Data should not exceed a predefined range of values. For example, product type code range from 100 to 250. Any code outside this range should be rejected as an invalid product type.

    Reasonableness check – Input data are matched to predefined reasonable limits or occurrence rates. For example, a widget manufacturer usually receives an order for no more than 20 widgets. If an order for more than 20 widgets is received, the computer program should be designed to print the record with a warning indicating that the order appears unreasonable.

    Table Lookups – Input data comply with predefined criteria maintained in a computerized table of possible values. For example, an input clerk enters a city code of 1 to 10. This number corresponds with a computerized table that matches a code to a city name.

    Existence Check – Data are entered correctly and agree with valid predefined criteria. For example, a valid transaction code must be entered in the transaction code field.

    Key verification – The keying process is repeated by a separate individual using a machine that compares the original keystrokes to the repeated keyed input. For example, the worker number is keyed twice and compared to verify the keying process.

    Check digit – A numeric value that has been calculated mathematically is added to data to ensure that the original data have not been altered or an incorrect, but valid, value substituted. This control is effective in detecting transposition and transcription errors. For example, a check digit is added to an account number so it can be checked for accuracy when it is used.

    Completeness check – A field should always contain data rather than zeros or blanks. A check of each byte of that field should be performed to determine that some form of data, not blanks or zeros, is present. For example, a worker number on a new employee record is left blank. This is identified as a key field and the record would be rejected, with a request that the field be completed before the record is accepted for processing.

    Duplicate check – New transactions are matched to those previously input to ensure that they have not already been entered. For example, a vendor invoice number is compared with previously recorded invoices to ensure that the current order is not a duplicate and, therefore, that the vendor will not be paid twice.

    Logical relationship check – If a particular condition is true, then one or more additional conditions or data input relationships may be required to be true for the input to be considered valid. For example, the hire date of an employee may be required to be more than 16 years past his or her date of birth.

    The following were incorrect answers:

    Range Check – Data should not exceed a predefined range of values. For example, product type code range from 100 to 250. Any code outside this range should be rejected as an invalid product type.

    Existence Check – Data are entered correctly and agree with valid predefined criteria. For example, a valid transaction code must be entered in the transaction code field.

    Reasonableness check – Input data are matched to predefined reasonable limits or occurrence rates. For example, a widget manufacturer usually receives an order for no more than 20 widgets. If an order for more than 20 widgets is received, the computer program should be designed to print the record with a warning indicating that the order appears unreasonable.

    Reference:

    CISA review manual 2014 Page number 215
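    The data validation edits listed for questions 8 to 10 are easier to reason about when written as code. The following Python is an added example, not text from the review manual or from this page: it applies the edits to constructed payroll and invoice records. The field names, the city table, the transaction code list, the US $4,000 limit, the 100 to 250 product range, the 20-widget threshold and all sample values are assumptions chosen to match the examples in the text. The check digit uses the mod-10 (Luhn) algorithm, which the manual does not specify; key verification is a manual double-keying control and is not shown.

```python
from datetime import date

# Constructed reference data for the example (assumed values, not from the manual).
CITY_TABLE = {1: "Chicago", 2: "Denver", 3: "Atlanta"}
VALID_TRANSACTION_CODES = {"PAY", "ADJ", "REV"}
PAY_LIMIT = 4000.00  # limit check: a payroll check may not exceed US $4,000


def luhn_check_digit(body: str) -> str:
    """Compute a mod-10 (Luhn) check digit for a string of digits."""
    total = 0
    # Walk the body right to left, doubling every second digit starting with the last;
    # a doubled value above 9 is reduced to its digit sum (e.g. 16 -> 7).
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return str((10 - total % 10) % 10)


def check_digit_valid(number: str) -> bool:
    """True if the last digit of number is the correct Luhn digit for the digits before it."""
    if not number.isdigit() or len(number) < 2:
        return False
    return luhn_check_digit(number[:-1]) == number[-1]


def validate_payroll(rec: dict) -> list:
    """Apply the field-level edits to one payroll record; return the names of failed edits."""
    failed = []
    worker = str(rec.get("worker_number", "")).strip()
    # Completeness check: a key field may not be blank or all zeros.
    if not worker or set(worker) == {"0"}:
        failed.append("completeness")
    # Check digit: the last digit of the worker number must match the mod-10 digit.
    elif not check_digit_valid(worker):
        failed.append("check digit")
    # Validity check: marital status must be one of the predefined codes.
    if rec.get("marital_status") not in {"M", "S"}:
        failed.append("validity")
    # Existence check: the transaction code must exist in the code list.
    if rec.get("transaction_code") not in VALID_TRANSACTION_CODES:
        failed.append("existence")
    # Limit check: the pay amount may not exceed the predefined limit.
    if rec.get("pay_amount", 0) > PAY_LIMIT:
        failed.append("limit")
    # Table lookup: the city code must resolve to a row in the city table.
    if rec.get("city_code") not in CITY_TABLE:
        failed.append("table lookup")
    # Logical relationship check: hire date must be at least 16 years after date of birth.
    dob, hired = rec.get("date_of_birth"), rec.get("hire_date")
    if dob and hired:
        years = hired.year - dob.year - ((hired.month, hired.day) < (dob.month, dob.day))
        if years < 16:
            failed.append("logical relationship")
    return failed


def validate_invoice_batch(batch: list, first_number: int, last_number: int) -> list:
    """Apply batch-level edits to invoices; return (invoice_number, failed edits) pairs."""
    report, seen, expected = [], set(), first_number
    for inv in batch:
        failed = []
        num = inv["invoice_number"]
        # Sequence check: numbers must run consecutively within the day's assigned block.
        if num != expected or num > last_number:
            failed.append("sequence")
        expected = num + 1
        # Duplicate check: an invoice number already processed must not be paid again.
        if num in seen:
            failed.append("duplicate")
        seen.add(num)
        # Range check: product type codes must lie within 100 to 250.
        if not 100 <= inv.get("product_type", 0) <= 250:
            failed.append("range")
        # Reasonableness check: orders above 20 widgets are flagged for review, not rejected.
        if inv.get("quantity", 0) > 20:
            failed.append("reasonableness (warning)")
        if failed:
            report.append((num, failed))
    return report


# Constructed sample records (assumed values).
GOOD_PAYROLL = {"worker_number": "79927398713", "marital_status": "M", "transaction_code": "PAY",
                "pay_amount": 3200.00, "city_code": 2,
                "date_of_birth": date(1990, 5, 1), "hire_date": date(2015, 6, 1)}
# Last two digits of the worker number transposed, plus one bad value per remaining edit.
BAD_PAYROLL = {"worker_number": "79927398731", "marital_status": "X", "transaction_code": "ZZZ",
               "pay_amount": 4500.00, "city_code": 9,
               "date_of_birth": date(2005, 1, 1), "hire_date": date(2018, 1, 1)}
SAMPLE_INVOICES = [
    {"invoice_number": 12001, "product_type": 120, "quantity": 5},
    {"invoice_number": 12002, "product_type": 300, "quantity": 5},
    {"invoice_number": 12002, "product_type": 130, "quantity": 25},
    {"invoice_number": 15046, "product_type": 140, "quantity": 1},
]

if __name__ == "__main__":
    print("good payroll:", validate_payroll(GOOD_PAYROLL))
    print("bad payroll:", validate_payroll(BAD_PAYROLL))
    print("invoice batch:", validate_invoice_batch(SAMPLE_INVOICES, 12001, 15045))
```

    Two points worth noting from running it: the reasonableness check is reported as a warning rather than a rejection, which is the distinction the manual draws between it and the limit and range checks; and the mod-10 digit catches every single-digit transcription error and every adjacent transposition except 09/90, so a scheme such as mod-11 is preferable when that gap matters.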

  11. William has been assigned a changeover task. He has to break the older system into deliverable modules. Initially, the first module of the older system is phased out using the first module of the new system. Then, the second module of the old system is phased out using the second module of the new system, and so forth until the last module is reached. Which of the following changeover approaches does William need to implement?

    • Parallel changeover
    • Phased changeover
    • Abrupt changeover
    • Pilot changeover
    Explanation:

    In the phased changeover approach, the older system is broken into deliverable modules. Initially, the first module of the older system is phased out using the first module of the new system. Then, the second module of the older system is phased out using the second module of the new system, and so forth until the last module is reached.
    Some of the risk areas that may exist in a phased changeover include:

    Resource challenge
    Extension of the project life cycle to cover two systems.
    Change management for requirements and customizations to maintain ongoing support of the older systems.

    Changeover refers to an approach to shift users from using the application from the existing (old) system to the replacing (new) system.

    Changeover to a newer system involves four major steps or activities:
    Conversion of files and programs; test running on a test bed
    Installation of new hardware, operating system, application system and the migrated data
    Training employees or users in groups
    Scheduling operations and test running for go-live or changeover

    Some of the risk areas related to changeover include:

    Asset safeguarding
    Data integrity
    System effectiveness
    Change management challenges
    Duplicate or missing records

    The following were incorrect answers:

    Parallel changeover – This technique includes running the old system, then running both the old and new systems in parallel, and finally fully changing over to the new system after gaining confidence in the working of the new system.

    Abrupt changeover – In the abrupt changeover approach, the newer system is changed over from the older system on a cutoff date and time, and the older system is discontinued once changeover to the new system takes place.

    Pilot changeover – Not one of the changeover approaches described in the CISA review manual.

    Reference:

    CISA review manual 2014 Page number 172

  12. In which of the following payment models does the payer create a payment transfer instruction, sign it digitally and send it to the issuer?

    • Electronic money model
    • Electronic check model
    • Electronic transfer model
    • Electronic withdrawal model
    Explanation:

    Electronic transfer systems are the simplest of the three payment models. The payer simply creates a payment transfer instruction, signs it digitally and sends it to the issuer. The issuer then verifies the signature on the request and performs the transfer. This type of system requires the payer, but not the payee, to be online.

    For the CISA exam you should know the following about payment systems:

    There are two types of parties involved in all payment systems – the issuer and the user. An issuer is an entity that operates the payment service. An issuer holds the items that the payment represents. The user of the payment service performs two main functions – making payments and receiving payments – and therefore can be described as a payer or payee, respectively.

    Electronic Money Model – The objective of electronic money systems is emulating physical cash. An issuer attempts to do this by creating digital certificates, which are then purchased by users who redeem them with the issuer at a later date. In the interim, certificates can be transferred among users to trade for goods or services. For the certificate to take on some of the attributes of physical cash, certain techniques are used so that when a certificate is deposited, the issuer cannot determine the original withdrawer of the certificate. This provides an electronic certificate with unconditional untraceability.

    Electronic Check Model – Electronic check systems model real-world checks quite well and are thus relatively simple to understand and implement. A user writes an electronic check, which is a digitally signed instruction to pay. This is transferred to another user, who then deposits the electronic check with the issuer. The issuer verifies the payer’s signature on the payment and transfers the funds from the payer’s account to the payee’s account.

    Electronic Transfer Model – Electronic transfer systems are the simplest of the three payment models. The payer simply creates a payment transfer instruction, signs it digitally and sends it to the issuer. The issuer then verifies the signature on the request and performs the transfer. This type of system requires the payer, but not the payee, to be online.

    The following were incorrect answers:

    Electronic Money Model – The objective of electronic money systems is emulating physical cash. An issuer attempts to do this by creating digital certificates, which are then purchased by users who redeem them with the issuer at a later date. In the interim, certificates can be transferred among users to trade for goods or services. For the certificate to take on some of the attributes of physical cash, certain techniques are used so that when a certificate is deposited, the issuer cannot determine the original withdrawer of the certificate. This provides an electronic certificate with unconditional untraceability.

    Electronic Check Model – Electronic check systems model real-world checks quite well and are thus relatively simple to understand and implement. A user writes an electronic check, which is a digitally signed instruction to pay. This is transferred to another user, who then deposits the electronic check with the issuer. The issuer verifies the payer’s signature on the payment and transfers the funds from the payer’s account to the payee’s account.

    Electronic Withdrawal Model – Not a valid type of payment system.

    Reference:

    CISA review manual 2014 Page number 183

  13. In which of the following payment models does an issuer attempt to emulate physical cash by creating digital certificates, which are purchased by users who redeem them with the issuer at a later date?

    • Electronic money model
    • Electronic check model
    • Electronic transfer model
    • Electronic withdrawal model
    Explanation:

    In the electronic money model, the issuer attempts to emulate physical cash by creating digital certificates, which are then purchased by users who redeem them with the issuer at a later date. In the interim, certificates can be transferred among users to trade for goods or services. For the certificate to take on some of the attributes of physical cash, certain techniques are used so that when a certificate is deposited, the issuer cannot determine the original withdrawer of the certificate. This provides an electronic certificate with unconditional untraceability.

    For the CISA exam you should know the following about payment systems:

    There are two types of parties involved in all payment systems – the issuer and the user. An issuer is an entity that operates the payment service. An issuer holds the items that the payment represents. The user of the payment service performs two main functions – making payments and receiving payments – and therefore can be described as a payer or payee, respectively.

    Electronic Money Model – The objective of electronic money systems is emulating physical cash. An issuer attempts to do this by creating digital certificates, which are then purchased by users who redeem them with the issuer at a later date. In the interim, certificates can be transferred among users to trade for goods or services. For the certificate to take on some of the attributes of physical cash, certain techniques are used so that when a certificate is deposited, the issuer cannot determine the original withdrawer of the certificate. This provides an electronic certificate with unconditional untraceability.

    Electronic Check Model – Electronic check systems model real-world checks quite well and are thus relatively simple to understand and implement. A user writes an electronic check, which is a digitally signed instruction to pay. This is transferred to another user, who then deposits the electronic check with the issuer. The issuer verifies the payer’s signature on the payment and transfers the funds from the payer’s account to the payee’s account.

    Electronic Transfer Model – Electronic transfer systems are the simplest of the three payment models. The payer simply creates a payment transfer instruction, signs it digitally and sends it to the issuer. The issuer then verifies the signature on the request and performs the transfer. This type of system requires the payer, but not the payee, to be online.

    The following were incorrect answers:

    Electronic Check Model – Electronic check systems model real-world checks quite well and are thus relatively simple to understand and implement. A user writes an electronic check, which is a digitally signed instruction to pay. This is transferred to another user, who then deposits the electronic check with the issuer. The issuer verifies the payer’s signature on the payment and transfers the funds from the payer’s account to the payee’s account.

    Electronic Transfer Model – Electronic transfer systems are the simplest of the three payment models. The payer simply creates a payment transfer instruction, signs it digitally and sends it to the issuer. The issuer then verifies the signature on the request and performs the transfer. This type of system requires the payer, but not the payee, to be online.

    Electronic Withdrawal Model – Not a valid type of payment system.

    Reference:

    CISA review manual 2014 Page number 183

  14. Identify the payment model from the description presented below:

    A user writes an electronic check, which is a digitally signed instruction to pay. This is transferred to another user, who then deposits the electronic check with the issuer. The issuer verifies the payer’s signature on the payment and transfers the funds from the payer’s account to the payee’s account.

    • Electronic money model
    • Electronic check model
    • Electronic transfer model
    • Electronic withdrawal model
    Explanation:

    Electronic check systems model real-world checks quite well and are thus relatively simple to understand and implement. A user writes an electronic check, which is a digitally signed instruction to pay. This is transferred to another user, who then deposits the electronic check with the issuer. The issuer verifies the payer’s signature on the payment and transfers the funds from the payer’s account to the payee’s account.

    For the CISA exam you should know the following about payment systems:

    There are two types of parties involved in all payment systems – the issuer and the user. An issuer is an entity that operates the payment service. An issuer holds the items that the payment represents. The user of the payment service performs two main functions – making payments and receiving payments – and therefore can be described as a payer or payee, respectively.

    Electronic Money Model – The objective of electronic money systems is emulating physical cash. An issuer attempts to do this by creating digital certificates, which are then purchased by users who redeem them with the issuer at a later date. In the interim, certificates can be transferred among users to trade for goods or services. For the certificate to take on some of the attributes of physical cash, certain techniques are used so that when a certificate is deposited, the issuer cannot determine the original withdrawer of the certificate. This provides an electronic certificate with unconditional untraceability.

    Electronic Check Model – Electronic check systems model real-world checks quite well and are thus relatively simple to understand and implement. A user writes an electronic check, which is a digitally signed instruction to pay. This is transferred to another user, who then deposits the electronic check with the issuer. The issuer verifies the payer’s signature on the payment and transfers the funds from the payer’s account to the payee’s account.

    Electronic Transfer Model – Electronic transfer systems are the simplest of the three payment models. The payer simply creates a payment transfer instruction, signs it digitally and sends it to the issuer. The issuer then verifies the signature on the request and performs the transfer. This type of system requires the payer, but not the payee, to be online.

    The following were incorrect answers:

    Electronic Money Model – The objective of electronic money systems is emulating physical cash. An issuer attempts to do this by creating digital certificates, which are then purchased by users who redeem them with the issuer at a later date. In the interim, certificates can be transferred among users to trade for goods or services. For the certificate to take on some of the attributes of physical cash, certain techniques are used so that when a certificate is deposited, the issuer cannot determine the original withdrawer of the certificate. This provides an electronic certificate with unconditional untraceability.

    Electronic Transfer Model – Electronic transfer systems are the simplest of the three payment models. The payer simply creates a payment transfer instruction, signs it digitally and sends it to the issuer. The issuer then verifies the signature on the request and performs the transfer. This type of system requires the payer, but not the payee, to be online.

    Electronic Withdrawal Model – Not a valid type of payment system.

    Reference:
    CISA review manual 2014 Page number 183

  15. Which of the following e-commerce models covers all transactions between companies and government organizations?

    • B-to-C relationships
    • B-to-B relationships
    • B-to-E relationships
    • B-to-G relationships
    Explanation:

    Business-to-Government (B-to-G) relationships cover all the transactions between companies and government organizations. Currently this category is in its infancy, but it could expand quite rapidly as governments use their own operations to promote awareness and growth of e-commerce. In addition to public procurement, administrations may also offer the option of electronic interchange for such transactions as VAT returns and the payment of corporate taxes.

    For the CISA exam you should know the following e-commerce models:

    Business-to-Consumer (B-to-C) relationships – The greatest potential power of e-commerce comes from its ability to redefine relationships with customers by creating a new, convenient, low-cost channel to transact business. Companies can tailor their marketing strategies to an individual customer’s needs and wants. As more of its business shifts online, a company will have an enhanced ability to track how its customers interact with it.

    Business-to-Business (B-to-B) relationships – The relationship among the selling services of two or more businesses opens up the possibility of re-engineering business processes across the boundaries that have traditionally separated external entities from each other. Because of the ease of access and the ubiquity of the Internet, for example, companies can build business processes that combine previously separated activities. The result is a faster, higher-quality and lower-cost set of transactions. The market has even created a subdivision of B-to-B called business-to-small-business (B-to-SB) relationships.

    Business-to-Employee (B-to-E) relationships – Web technologies also assist in the dissemination of information to and among an organization’s employees.

    Business-to-Government (B-to-G) relationships – These cover all the transactions between companies and government organizations. Currently this category is in its infancy, but it could expand quite rapidly as governments use their own operations to promote awareness and growth of e-commerce. In addition to public procurement, administrations may also offer the option of electronic interchange for such transactions as VAT returns and the payment of corporate taxes.

    The following were incorrect answers:

    The other options presented do not cover all transactions between companies and government organizations.

    Reference:

    CISA review manual 2014 Page number 175

  16. Which of the following fourth generation languages depends on self-contained database management systems?

    • Query and report generator
    • Embedded database 4GLs
    • Relational database 4GL
    • Application generators
    Explanation:

    Embedded database 4GLs depend on self-contained database management systems. This characteristic often makes them more user-friendly but also may lead to applications that are not integrated well with other production applications. Examples include FOCUS, RAMIS II and NOMAD 2.

    For the CISA exam you should know the following types of 4GLs:

    Query and report generators – These specialized languages can extract data and produce reports. More recently, more powerful languages have been produced that can access database records, produce complex online output and be developed in an almost natural language.

    Embedded database 4GLs – These depend on self-contained database management systems. This characteristic often makes them more user-friendly but also may lead to applications that are not integrated well with other production applications. Examples include FOCUS, RAMIS II and NOMAD 2.

    Relational database 4GLs – These high-level language products are usually an optional feature of a vendor’s DBMS product line. They allow the application developer to make better use of the DBMS product, but they often are not end-user-oriented. Examples include SQL+, MANTIS and NATURAL.

    Application generators – These development tools generate lower-level programming languages (3GLs) such as COBOL and C. The application can be further tailored and customized. Data processing development personnel, not end users, use application generators.

    The following were incorrect answers:

    Query and report generators – These specialized languages can extract data and produce reports.
    Relational database 4GLs – These high-level language products are usually an optional feature of a vendor’s DBMS product line.
    Application generators – These development tools generate lower-level programming languages (3GLs) such as COBOL and C.

    Reference:

    CISA review manual 2014 Page number 209

  17. Which of the following fourth generation languages is a development tool that generates lower-level programming languages?

    • Query and report generator
    • Embedded database 4GLs
    • Relational database 4GL
    • Application generators
    Explanation:

    Application generators – These development tools generate lower-level programming languages (3GLs) such as COBOL and C. The application can be further tailored and customized. Data processing development personnel, not end users, use application generators.

    For the CISA exam you should know the following types of 4GLs:

    Query and report generators – These specialized languages can extract data and produce reports. More recently, more powerful languages have been produced that can access database records, produce complex online output and be developed in an almost natural language.

    Embedded database 4GLs – These depend on self-contained database management systems. This characteristic often makes them more user-friendly but also may lead to applications that are not integrated well with other production applications. Examples include FOCUS, RAMIS II and NOMAD 2.

    Relational database 4GLs – These high-level language products are usually an optional feature of a vendor’s DBMS product line. They allow the application developer to make better use of the DBMS product, but they often are not end-user-oriented. Examples include SQL+, MANTIS and NATURAL.

    Application generators – These development tools generate lower-level programming languages (3GLs) such as COBOL and C. The application can be further tailored and customized. Data processing development personnel, not end users, use application generators.

    The following were incorrect answers:

    Query and report generators – These specialized languages can extract data and produce reports.

    Relational database 4GLs – These high-level language products are usually an optional feature of a vendor’s DBMS product line.

    Embedded database 4GLs – These depend on self-contained database management systems. This characteristic often makes them more user-friendly but also may lead to applications that are not integrated well with other production applications.

    Reference:

    CISA review manual 2014 Page number 209

  18. Which of the following functions in the traditional EDI process is used for transmitting and receiving electronic documents between trading partners via dial-up lines, public switched networks or a VAN?

    • Communication handler
    • EDI Interface
    • Application System
    • EDI Translator
    Explanation:

    Communication handler – Process for transmitting and receiving electronic documents between trading partners via dial-up lines, public switched networks, multiple dedicated lines or a value added network (VAN).

    For the CISA exam you should know the following information about traditional EDI functions.

    Moving data in a batch transmission process through the traditional EDI process generally involves three functions within each trading partner’s computer system:

    1. Communication handler – Process for transmitting and receiving electronic documents between trading partners via dial-up lines, public switched networks, multiple dedicated lines or a value added network (VAN). A VAN uses computerized message switching and storage capabilities to provide electronic mailbox services similar to post offices. The VAN receives all the outbound transactions from an organization, sorts them by destination and passes them to the recipients when they log on to check their mailbox and receive the transmissions.

    2. EDI Interface – Interface function that manipulates and routes data between the application system and the communication handler. The interface consists of two components:

    • EDI Translator – This component translates data between the standard format (ANSI X12) and the trading partner’s proprietary format.
    • Application Interface – This interface moves electronic transactions to or from the application systems and performs data mapping. Data mapping is the process by which data are extracted from the EDI translation process and integrated with the data or processes of the receiving company.

    3. Application System – The program that processes the data sent to, or received from, the trading partner. Although new controls should be developed for the EDI interface, the controls for existing applications, if left unchanged, are usually unaffected.

    The following were incorrect answers:

    EDI Interface – Interface function that manipulates and routes data between the application system and the communication handler.

    Application System – The program that processes the data sent to, or received from, the trading partner. Although new controls should be developed for the EDI interface, the controls for existing applications, if left unchanged, are usually unaffected.

    EDI Translator – This component translates data between the standard format (ANSI X12) and the trading partner’s proprietary format.

    Reference:

    CISA review manual 2014 Page number 178

  19. Which of the following functions in the traditional EDI process manipulates and routes data between the application system and the communication handler?

    • Communication handler
    • EDI Interface
    • Application System
    • EDI Translator
    Explanation:

    The EDI Interface manipulates and routes data between the application system and the communication handler.

    For the CISA exam you should know the following information about traditional EDI functions.

    Moving data in a batch transmission process through the traditional EDI process generally involves three functions within each trading partner’s computer system:

    1. Communication handler – Process for transmitting and receiving electronic documents between trading partners via dial-up lines, public switched networks, multiple dedicated lines or a value added network (VAN). A VAN uses computerized message switching and storage capabilities to provide electronic mailbox services similar to post offices. The VAN receives all the outbound transactions from an organization, sorts them by destination and passes them to the recipients when they log on to check their mailbox and receive the transmissions.

    2. EDI Interface – Interface function that manipulates and routes data between the application system and the communication handler. The interface consists of two components:

    • EDI Translator – This component translates data between the standard format (ANSI X12) and the trading partner’s proprietary format.
    • Application Interface – This interface moves electronic transactions to or from the application systems and performs data mapping. Data mapping is the process by which data are extracted from the EDI translation process and integrated with the data or processes of the receiving company.

    3. Application System – The program that processes the data sent to, or received from, the trading partner. Although new controls should be developed for the EDI interface, the controls for existing applications, if left unchanged, are usually unaffected.

    The following were incorrect answers:

    Communication handler – Process for transmitting and receiving electronic documents between trading partners via dial-up lines, public switched networks, multiple dedicated lines or a value added network (VAN).

    Application System – The program that processes the data sent to, or received from, the trading partner. Although new controls should be developed for the EDI interface, the controls for existing applications, if left unchanged, are usually unaffected.

    EDI Translator – This component translates data between the standard format (ANSI X12) and the trading partner’s proprietary format.

    Reference:

    CISA review manual 2014 Page number 178

  20. Which of the following functions in traditional EDI translates data between the standard format and the trading partner’s proprietary format?

    • Communication handler
    • Application Interface
    • Application System
    • EDI Translator
    Explanation:

    The EDI Translator translates data between the standard format (ANSI X12) and the trading partner’s proprietary format.

    For the CISA exam you should know the following information about traditional EDI functions.

    Moving data in a batch transmission process through the traditional EDI process generally involves three functions within each trading partner’s computer system:

    1. Communication handler – Process for transmitting and receiving electronic documents between trading partners via dial-up lines, public switched networks, multiple dedicated lines or a value added network (VAN). A VAN uses computerized message switching and storage capabilities to provide electronic mailbox services similar to post offices. The VAN receives all the outbound transactions from an organization, sorts them by destination and passes them to the recipients when they log on to check their mailbox and receive the transmissions.

    2. EDI Interface – Interface function that manipulates and routes data between the application system and the communication handler. The interface consists of two components:

    • EDI Translator – This component translates data between the standard format (ANSI X12) and the trading partner’s proprietary format.
    • Application Interface – This interface moves electronic transactions to or from the application systems and performs data mapping. Data mapping is the process by which data are extracted from the EDI translation process and integrated with the data or processes of the receiving company.

    3. Application System – The program that processes the data sent to, or received from, the trading partner. Although new controls should be developed for the EDI interface, the controls for existing applications, if left unchanged, are usually unaffected.

    The following were incorrect answers:

    Communication handler – Process for transmitting and receiving electronic documents between trading partners via dial-up lines, public switched networks, multiple dedicated lines or a value added network (VAN).

    Application System – The program that processes the data sent to, or received from, the trading partner. Although new controls should be developed for the EDI interface, the controls for existing applications, if left unchanged, are usually unaffected.

    Application Interface – This interface moves electronic transactions to or from the application systems and performs data mapping.

    Reference:

    CISA review manual 2014 Page number 178