
QUESTION 481

To minimize the cost of a software project, quality management techniques should be applied:

A. as close to their writing (i.e., point of origination) as possible.
B. primarily at project start-up to ensure that the project is established in accordance with organizational governance standards.
C. continuously throughout the project with an emphasis on finding and fixing defects primarily during testing to maximize the defect detection rate.
D. mainly at project close-down to capture lessons learned that can be applied to future projects.

Correct Answer: C

Explanation:

While it is important to properly establish a software development project, quality management should be effectively practiced throughout the project. The major source of unexpected costs on most software projects is rework. The general rule is that the earlier in the development life cycle a defect occurs, and the longer it takes to find and fix that defect, the more effort will be needed to correct it. A well-written quality management plan is a good start, but it must also be actively applied. Simply relying on testing to identify defects is a relatively costly and less effective way of achieving software quality. For example, an error in requirements discovered in the testing phase can result in scrapping significant amounts of work. Capturing lessons learned will be too late for the current project. Additionally, applying quality management techniques throughout a project is likely to yield its own insights into the causes of quality problems and assist in staff development.

 

 

QUESTION 482

An appropriate control for ensuring the authenticity of orders received in an EDI application is to:

A. acknowledge receipt of electronic orders with a confirmation message.
B. perform reasonableness checks on quantities ordered before filling orders.
C. verify the identity of senders and determine if orders correspond to contract terms.
D. encrypt electronic orders.

Correct Answer: C

Explanation:

An electronic data interchange (EDI) system is subject not only to the usual risk exposures of computer systems but also to those arising from the potential ineffectiveness of controls on the part of the trading partner and the third-party service provider, making authentication of users and messages a major security concern. Acknowledging the receipt of electronic orders with a confirming message is good practice but will not authenticate orders from customers. Performing reasonableness checks on quantities ordered before placing orders is a control for ensuring the correctness of the company’s orders, not the authenticity of its customers’ orders. Encrypting sensitive messages is an appropriate step but does not apply to messages received.

 

 

QUESTION 483

Before implementing controls, management should FIRST ensure that the controls:

A. satisfy a requirement in addressing a risk issue.
B. do not reduce productivity.
C. are based on a cost-benefit analysis.
D. are detective or corrective.

Correct Answer: A

Explanation:

When designing controls, it is necessary to consider all the above aspects. In an ideal situation, controls that address all these aspects would be the best controls. Realistically, it may not be possible to design them all and cost may be prohibitive; therefore, it is necessary to first consider the preventive controls that attack the cause of a threat.

 

 

QUESTION 484

An IS auditor invited to a development project meeting notes that no project risks have been documented. When the IS auditor raises this issue, the project manager responds that it is too early to identify risks and that, if risks do start impacting the project, a risk manager will be hired. The appropriate response of the IS auditor would be to:

A. stress the importance of spending time at this point in the project to consider and document risks, and to develop contingency plans.
B. accept the project manager’s position as the project manager is accountable for the outcome of the project.
C. offer to work with the risk manager when one is appointed.
D. inform the project manager that the IS auditor will conduct a review of the risks at the completion of the requirements definition phase of the project.

Correct Answer: A

Explanation:

The majority of project risks can typically be identified before a project begins, allowing mitigation/avoidance plans to be put in place to deal with these risks. A project should have a clear link back to corporate strategy and tactical plans to support this strategy. The process of setting corporate strategy, setting objectives and developing tactical plans should include the consideration of risks. Appointing a risk manager is a good practice, but waiting until the project has been impacted by risks is misguided. Risk management needs to be forward looking; allowing risks to evolve into issues that adversely impact the project represents a failure of risk management. With or without a risk manager, persons within and outside of the project team need to be consulted and encouraged to comment when they believe new risks have emerged or risk priorities have changed. The IS auditor has an obligation to the project sponsor and the organization to advise on appropriate project management practices. Waiting for the possible appointment of a risk manager represents an unnecessary and dangerous delay to implementing risk management.

QUESTION 485

An organization is migrating from a legacy system to an enterprise resource planning (ERP) system. While reviewing the data migration activity, the MOST important concern for the IS auditor is to determine that there is a:

A. correlation of semantic characteristics of the data migrated between the two systems.
B. correlation of arithmetic characteristics of the data migrated between the two systems.
C. correlation of functional characteristics of the processes between the two systems.
D. relative efficiency of the processes between the two systems.

Correct Answer: A

Explanation:

Because the two systems may represent data differently, including in their database schemas, the IS auditor’s main concern should be to verify that the interpretation of the data is the same in the new system as it was in the old system. Arithmetic characteristics represent aspects of data structure and internal definition in the database, and therefore are less important than the semantic characteristics. A review of the correlation of the functional characteristics or a review of the relative efficiencies of the processes between the two systems is not relevant to a data migration review.

 

 

QUESTION 486

An IS auditor’s PRIMARY concern when application developers wish to use a copy of yesterday’s production transaction file for volume tests is that:

A. users may prefer to use contrived data for testing.
B. unauthorized access to sensitive data may result.
C. error handling and credibility checks may not be fully proven.
D. the full functionality of the new process may not necessarily be tested.

Correct Answer: B

Explanation:

Unless the data are sanitized, there is a risk of disclosing sensitive data.

 

 

QUESTION 487

Which of the following should an IS auditor review to gain an understanding of the effectiveness of controls over the management of multiple projects?

A. Project database
B. Policy documents
C. Project portfolio database
D. Program organization

Correct Answer: C

Explanation:

A project portfolio database is the basis for project portfolio management. It includes project data, such as owner, schedules, objectives, project type, status and cost. Project portfolio management requires specific project portfolio reports. A project database may contain the above for one specific project and updates to various parameters pertaining to the current status of that single project. Policy documents on project management set direction for the design, development, implementation and monitoring of the project. Program organization is the team required (steering committee, quality assurance, systems personnel, analyst, programmer, hardware support, etc.) to meet the delivery objective of the project.

QUESTION 488

Functional acknowledgements are used:

A. as an audit trail for EDI transactions.
B. to functionally describe the IS department.
C. to document user roles and responsibilities.
D. as a functional description of application software.

Correct Answer: A

Explanation:

Functional acknowledgements are standard EDI transactions that tell trading partners that their electronic documents were received. Different types of functional acknowledgements provide various levels of detail and, therefore, can act as an audit trail for EDI transactions. The other choices are not relevant to the description of functional acknowledgements.

 

 

QUESTION 489

The GREATEST advantage of rapid application development (RAD) over the traditional system development life cycle (SDLC) is that it:

A. facilitates user involvement.
B. allows early testing of technical features.
C. facilitates conversion to the new system.
D. shortens the development time frame.

Correct Answer: D

Explanation:

The greatest advantage of RAD is the shorter time frame for the development of a system. Choices A and B are true, but they are also true for the traditional systems development life cycle. Choice C is not necessarily always true.

 

 

QUESTION 490

Which of the following is the PRIMARY purpose for conducting parallel testing?

A. To determine if the system is cost-effective
B. To enable comprehensive unit and system testing
C. To highlight errors in the program interfaces with files
D. To ensure the new system meets user requirements

Correct Answer: D

Explanation:

The purpose of parallel testing is to ensure that the implementation of a new system will meet user requirements. Parallel testing may show that the old system is, in fact, better than the new system, but this is not the primary reason. Unit and system testing are completed before parallel testing. Program interfaces with files are tested for errors during system testing.
