The CISA Prep Guide: Mastering the Certified Information Systems Auditor Exam, part 8 (PDF extract)

... automated solutions they are interacting with on a daily basis. As described earlier in the section about vendor management, several of the enhancement best-practice techniques should be looked to for addressing these needs in a risk-mitigating and effective manner. It might be prudent to aggregate changes and enhancements into a newer version of the product, especially if production functions are changing significantly along with the application modifications and new processes or functions are being introduced. This reduces risk because integrated testing and regression testing can evaluate not only more changes at once but also the interaction of these changes with the application and with each other.

All of the related documentation, procedures, training manuals, user, operations, and maintenance manuals, along with the necessary and important recovery and contingency planning documentation, will need to be kept updated as changes occur. This task is often difficult when changes dribble in and overall processes and configurations drift over time until the documentation is no longer adequate to serve the purpose it was initially created to address for the organization. Packaging enhancements into version upgrades and new releases is a way to reduce the overhead of change and limit the impact of change on the users at the same time. You should assess changes, and the process for planning and implementing them, for this opportunity, and examine the business needs and change volume to see whether this makes sense. It is usually a more controlled way to introduce change and enables a better-quality product (and ultimately, more customer satisfaction as well).

The system development life cycle then turns on itself, because the product releases are no longer sufficient for meeting the challenges of future needs and because product maturity and technological advancements continue over time.
Sooner or later, a new product or production idea is presented to management that will replace this process or modify it beyond recognition. A project team will be commissioned to perform some rudimentary functional requirements gathering, and a feasibility analysis will follow. Predictions of change, benefits, and improved cost structures will get the nod, and the process starts all over again.

Sample Questions

Here is a sampling of questions in the format of the CISA exam. The questions are related to business application systems development, acquisition, implementation, and maintenance and will help test your understanding of this subject. Answers with explanations are provided in Appendix A.

1. When reviewing a systems development project, what would the most important objective be for an IS auditor?
A. Ensuring that the data security controls are adequate to protect the data.
B. Ensuring that the standards and regulatory commitments are met.
C. Ensuring that the business requirements are satisfied by the project.
D. Ensuring that the quality controls and development methodologies are adhered to.

2. When participating in an application development project, which of the following would not be appropriate activities for an IS auditor?
A. Testing the performance and behavior of the system controls to ensure that they are working properly
B. Attending design and development meetings to monitor progress and provide input on control design options
C. Reviewing reports of progress to management and contributing to their content based on fieldwork and opinions formed from reviewing documentation provided
D. Assisting in the development of controls for application modules and user interfaces

3. When reviewing an application development project that uses a prototyping development methodology, with which of the following would the IS auditor be most concerned?
A. The users are testing the systems before the designs are completely documented.
B. The functional requirements were not documented and agreed to before the prototyping processes began.
C. The documentation of the coding processes and testing criteria was not complete and well referenced.
D. The systems specifications were not signed off on before the development processes were started.

4. In a systems development life cycle, the following process steps occur:
I. Systems Design
II. Feasibility Analysis
III. Systems Testing and Acceptance
IV. Systems Specification Documentation
V. Functional Requirements Definition
VI. Systems Development
What is the natural order of the processes in an SDLC methodology?
A. V, IV, II, I, VI, III
B. V, II, IV, I, VI, III
C. II, IV, V, VI, I, III
D. II, V, I, VI, III, IV

5. Where would be the ideal place for an IS auditor to find the first consideration of security controls?
A. During the design phase of the system development process
B. When determining what the systems specification will need to be
C. When reviewing the functional requirements for the system
D. When testing the system for overall compliance to regulatory, privacy, and security requirements

6. The main difference between a functional requirement and a systems specification is:
A. A functional requirement is a business process need, and a systems specification defines what the system must do to meet that need.
B. Functional requirements address the details of the need from a data perspective, and systems specifications define them from an operational systems perspective.
C. Functional requirements define more of what needs to happen, and systems specifications define how something will happen.
D. Functional requirements define all aspects of the process flow from a business process perspective, while systems specifications are more hardware and operating system-specific.

7. Which of the following is not a criterion for an effective feasibility analysis report?
A. An assessment of the proposed solution approach and its viability in the existing business process
B. An assessment of the impact of the new application on the business processes and workflows
C. An analysis of the costs and projected benefits of the application, determining overall benefit or detraction from the business prospects of the overall business strategy
D. An assessment of the systems development methodology proposed for the design of the application

8. If there was a most important place for the quality assurance teams to be involved in the development project, where would that place be?
A. During the testing and code migration from test environments to production-ready code
B. At the beginning of the project to ensure that quality standards are established and understood by all of the development team members
C. During the code development to ensure that processes are followed according to standards and are well documented
D. In the final phases to ensure that all of the quality processes and requirements were met prior to signing off on final acceptance

9. What aspect of the systems development testing process needs to be addressed during the systems design process?
A. The use cases are documented to show how the product is supposed to work when completed.
B. The detailed work plans and process steps are defined so that they can be checked for completeness during testing of the development process.
C. The expectations and outcomes of the development process are defined formally for testing criteria.
D. The project design is checked against the functional requirements.

10. When reviewing a systems design, an IS auditor would be least concerned to find that which of the following was not considered?
A. The provisions for adequate internal controls and the addressing of regulatory requirements
B. Increased costs and delays in the project deadlines
C. The observance of quality assurance standards and processes
D. The failure to consider environmental and facility needs as part of the design

11. When reviewing a systems development project, an IS auditor observes that the decision has been made to use a purchased vendor package to address the business requirements. The IS auditor should:
A. Discuss the contract and costs with the vendor to ensure that the best deal has been obtained for the organization
B. Review the ROI assumptions and decide whether they are still valid
C. Review the contract for a right-to-audit clause in the agreement
D. Review the build versus buy recommendation and determine that the costs and benefits are fairly stated in the recommendations made

12. The most important issue with change control during the development of large-scale systems is:
A. Managing the versions of code in development to ensure that testing will result in a workable system
B. Ensuring that testing and backout procedures have been provided for each change
C. Ensuring that maintenance and disaster recovery procedures have been documented for each change promoted through the process
D. Tracking which module has been tested with other modules to understand the development progress

13. When reviewing a development effort where third-party programming staff are used, the IS auditor would be most concerned with which of the following?
A. Ensuring that they are qualified and knowledgeable about the tools and techniques being used
B. Ensuring that the code is reviewed independently from the third-party staff and ensuring that the ownership rights are maintained within the organization
C. Ensuring that background checks are made for individual third-party staff members to protect the organization from undesirable persons participating in the effort
D. The impact to the cost and timeline estimates originally presented and approved by management

14. An independent quality assurance function should perform all of the following roles except:
A. Ensuring that the development methods and standards are adhered to throughout the process
B. Ensuring that the testing assumptions and approved modules of developed code are aligned to give a final product that meets the design criteria
C. Reviewing the code to ensure that proper documentation and practices were followed
D. Correcting development deficiencies and resubmitting corrected code through the testing process

15. Which of the following are not considered communication controls?
A. Network traffic monitoring and alert systems
B. Encryption techniques to limit accessibility to traffic in transit
C. Access control devices that limit network access
D. Bandwidth management tools to shift data based on traffic volumes

16. Review of documentation in a systems development review is very important for all of the following reasons except:
A. Training and maintenance efforts require that good documentation be made available for their processes to work effectively
B. Allowing the IS auditor to review the process without actually having to perform code-level reviews of programming efforts
C. Disaster recovery and support processes depend on the quality of the systems and user documentation
D. User effectiveness and production processing depend on the user's ability to read and understand the manuals and procedures associated with the application development process

17. In reviewing a vendor solution bidding process during a systems development review, an IS auditor would be most concerned to find that:
A. A vendor solution had been chosen prior to documenting the vendor criteria.
B. The chosen vendor's cost was not the lowest of the providers of an acceptable solution.
C. Some of the vendors received more information about the bid request than the others did.
D. Some of the bidders on the vendor list were not capable of responding effectively to the bid based on their business model and the product being requested.

18. Which of the following is not a risk associated with the decision to use a vendor software solution?
A. The risk that the vendor might discontinue support of a product that is mission critical to the business
B. The risk that the costs and contract provisions might adversely impact the business model in the long term
C. The risk that in-house support expertise might be insufficient to adequately address ongoing support and maintenance needs of the product
D. The risk that business needs for enhancements and corrections might not be addressed in a timely manner

19. During go-live, security and change management controls are often relaxed to facilitate the implementation. What actions are most appropriate for the IS auditor during this process?
A. Raising concerns about the control deficiencies to business management and suggesting additional controls
B. Waiting until the implementation process is completed and running audit and analysis tools on all transactions during the implementation period
C. Recommending that the risks of reduced controls be accepted and encouraging the process to move into a more controlled phase as quickly as possible
D. Observing the implementation process to understand the extent of control risk that is residual to the process and recommending prudent, additional steps to regain assurance of data integrity

20. During the user testing of the application under development, the IS auditor would be most concerned if he or she found that:
A. Users were accessing the test system from their normal workstations to test the system
B. Production data was being used for testing the system
C. Users were not all trained to the same level of competency for the testing process
D. Interfaces were simulated to provide input to testing and were not actually being represented by live input feeds

Chapter 7: Business Process Evaluation and Risk Management

This chapter will examine the business process aspects of the information systems auditor's skill requirements and knowledge tool set. Knowledge of this subject matter comprises 15 percent of the CISA exam's content. To be proficient at this set of processes, you must develop intuitive reasoning skills and be able to understand the business compromises and the basis for those decisions that are not black and white but many shades of gray. Unlike Chapter 2, where we examined the management processes from an IS perspective, this chapter focuses on the business risks and controls and their management from a business perspective. You will need to master this perspective in order to communicate effectively with the business management, who are the ultimate consumers of your product, if for no other reason. Many of your conclusions and opinions in this area will be based on the documented direction set forth by the business objectives and goals, so you will need these items as a basis for beginning your work in this area.

Understanding every business process and the best practices for the business management of them is beyond the scope of this book and unique to each individual business in many aspects. The Key Performance Indicators (KPIs) that are the drivers for a business process will vary according to ...

[...]
... down the wrong path before realizing it is too late.

Evaluating the Effectiveness of the Information Systems in Supporting the Business Process

In addition to being asked about the IS themselves and drawing conclusions about their effectiveness and efficient use, management also will be concerned with how well these systems actually meet the needs of the business, and whether they are providing the right ...

... indicators to the business's management therefore will be an understanding of the necessary outcomes and service levels required of the information systems from the perspective of the business. These business requirements then will have to be meaningfully mapped back to the available system measurements and metrics so that the system's information can be used to effectively provide information about the business ...

... to the business that fall under the category for which they apply.

Key Performance Indicators (KPIs)

Key Performance Indicators were described in Chapter 2, "Management, Planning, and Organization of Information Systems." Like other management controls, their design and use will give the IS auditor some indications of the effectiveness of the business process that the information systems ...

... points can then be translated to the role that the information systems must play in satisfying the business needs. You will want to review any available business reports and evaluate the deliverables and products of the business to get an understanding of what role the information system might have in providing for the success of the business. Talking to the customers of that business is another way ...

... supporting the direction to present business processes through an online means. Let's look at some of the ways e-business support can manifest itself, the risks associated with them, the possible benefits of these uses of the Internet, and how they might be examined to assess their usefulness in support of the business model. Advertising is the most common way to use the World Wide Web. A large percentage of the ...

... way of controlling the risk at a lower cost to the organization. Many questions on the CISA exam will be geared toward running the cost and risk numbers on a given risk/control pairing to determine whether the control is worth the cost and effort of applying. In fact, these questions may be more geared toward the costs because they are easier to measure, but the effort and disruption to the business also ...

... and increase buy-in from the workers on the floor. The IS leadership may be important in these processes, certainly if the solution is to be technologically driven and supported, but the reality is that the business owns the process and has to champion changes to their processes and people's work. The "we versus them" mentality will otherwise drive a wedge into the process because IS ...

... the management controls for the business process. Many of these outcomes also will be information system driven and can be systematically produced and maintained. You will want to review these mechanisms to ensure they are providing good feedback about the business and the systems supporting it to conclude on the overall effectiveness and efficiency of the process in meeting the business objectives. The ...

... on the Internet and provides the business the look and feel of an in-house operation at reduced costs. The risks associated with this model include the loss of control over customer or company proprietary data. When the provider is managing the business, they are holding the account, data, and transaction information, thus making it more difficult for the business to leverage this information for other ...

... direction. The evaluation of a best practice design should have these steps documented as part of the strategic decision-making process used to determine an approach for the future direction of systems supporting the business. Consideration of the other processes currently used by the business, the company's strategic direction, and the organizational culture will need to be kept in mind as the information ...
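The fragment above says that CISA questions on a risk/control pairing come down to running the cost and risk numbers. The following is an added worked example, not code from the book, that does exactly that for one risk and several candidate controls. It assumes the standard quantitative risk formula ALE = SLE x ARO (annualized loss expectancy as single loss expectancy times annualized rate of occurrence), which the page itself does not spell out, and all figures, risk and control names are constructed for illustration.

```python
"""Cost/benefit screening of controls against a single risk.

Added example, not from the CISA Prep Guide text. It uses the standard
quantitative risk formula ALE = SLE * ARO (an assumption; the page does not
state the formula) to decide whether a control is worth its cost, which is
the calculation the chapter says exam questions are geared toward.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float   # single loss expectancy: currency units lost per occurrence
    aro: float   # annualized rate of occurrence: expected events per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy before any control is applied."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float          # licence, staff time, business disruption, etc.
    sle_reduction: float = 0.0  # fraction of loss size removed, 0..1 (e.g. backups)
    aro_reduction: float = 0.0  # fraction of frequency removed, 0..1 (e.g. patching)

    def residual_ale(self, risk: Risk) -> float:
        """ALE that remains once the control is in place."""
        sle = risk.sle * (1.0 - self.sle_reduction)
        aro = risk.aro * (1.0 - self.aro_reduction)
        return sle * aro

    def net_benefit(self, risk: Risk) -> float:
        """Annual loss avoided by the control minus what it costs to run.

        Positive: the control pays for itself. Negative: accepting the risk,
        or finding a cheaper control, is the rational choice.
        """
        return (risk.ale - self.residual_ale(risk)) - self.annual_cost


def best_control(risk: Risk, controls: list[Control]) -> Optional[Control]:
    """Return the control with the largest positive net benefit, or None when
    every candidate costs more per year than the loss it prevents."""
    worthwhile = [c for c in controls if c.net_benefit(risk) > 0]
    if not worthwhile:
        return None
    return max(worthwhile, key=lambda c: c.net_benefit(risk))


# Constructed sample figures (not from the book): a customer-data disclosure
# risk and three hypothetical controls with different costs and effects.
DISCLOSURE = Risk("customer data disclosure", sle=250_000, aro=0.2)  # ALE 50,000/yr
CANDIDATES = [
    Control("encrypt data at rest", annual_cost=15_000, sle_reduction=0.8),
    Control("quarterly access review", annual_cost=8_000, aro_reduction=0.5),
    Control("24x7 SOC monitoring", annual_cost=120_000,
            sle_reduction=0.5, aro_reduction=0.5),
]

if __name__ == "__main__":
    print(f"{DISCLOSURE.name}: ALE before controls = {DISCLOSURE.ale:,.0f}")
    for c in CANDIDATES:
        print(f"  {c.name:26s} residual ALE {c.residual_ale(DISCLOSURE):>9,.0f}"
              f"  net benefit {c.net_benefit(DISCLOSURE):>9,.0f}")
    pick = best_control(DISCLOSURE, CANDIDATES)
    print("recommend:", pick.name if pick else "accept the risk; no control pays off")
```

With the constructed figures the encryption control avoids 40,000 of the 50,000 annual expected loss for 15,000, the access review avoids 25,000 for 8,000, and the monitoring service avoids 37,500 but costs 120,000, so it is rejected even though it reduces risk the most. That last case is the point the exam questions probe: a control that reduces risk is not automatically worth applying.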