Transcript Part II

Auditing Systems Development, Acquisition and Maintenance
Review Questions with Answers
Question 1
When testing program change management, how should the sample be selected?
A. Change management documents should be selected at random and examined for appropriateness.
B. Changes to production code should be sampled and traced to appropriate authorizing documentation. **
C. Change management documents should be selected based on system criticality and examined for appropriateness.
D. Changes to production code should be sampled and traced back to system-produced logs indicating the date and time of the change.
Question 2
To assist in testing a core banking system being acquired, an organization has provided the vendor with sensitive data from its existing production system. An IS auditor’s PRIMARY concern is that the data should be:
A. sanitized. **
B. complete.
C. representative.
D. current.
Question 3
An IS auditor is performing a project review to identify whether a new application has met business objectives. Which of the following test reports offers the MOST assurance that business objectives are met?
A. User acceptance **
B. Performance
C. Sociability
D. Penetration
Question 4
A hash total of employee numbers is part of the input to a payroll master file update program. The program compares the hash total with the corresponding control total. What is the purpose of this procedure?
A. Verify that employee numbers are valid
B. Verify that only authorized employees are paid
C. Detect errors in payroll calculations
D. Detect the erroneous update of records **
Question 5
During the review, if the auditor detects that the transaction authorization control objective cannot be met due to a lack of clearly defined roles and privileges in the application, the auditor should FIRST:
A. review the authorization on a sample of transactions. **
B. immediately report this finding to upper management.
C. request that auditee management review the appropriateness of access rights for all users.
D. use a generalized audit software to check the integrity of the database.
Question 6
An organization decides to purchase a package instead of developing it. In such a case, the design and development phases of a traditional software development life cycle (SDLC) would be replaced with:
A. selection and configuration phases. **
B. feasibility and requirements phases.
C. implementation and testing phases.
D. nothing; replacement is not required.
Question 7
When a complete segregation of duties cannot be achieved in an online system environment, which of the following functions should be separated from the others?
A. Origination
B. Authorization **
C. Recording
D. Correction
Question 8
In a small organization, where segregation of duties is not practical, an employee performs the function of computer operator and application programmer. Which of the following controls should an IS auditor recommend?
A. Automated logging of changes to development libraries
B. Additional staff to provide segregation of duties
C. Procedures that verify that only approved program changes are implemented **
Question 9
Which of the following is the MOST effective method for an IS auditor to use in testing the program change management process?
A. Trace from system-generated information to the change management documentation. **
B. Examine change management documentation for evidence of accuracy.
C. Trace from the change management documentation to a system-generated audit trail.
D. Examine change management documentation for evidence of completeness.