Auditing Systems Development, Acquisition and Maintenance Review Questions with Answers.


Question 1

When testing program change management, how should the sample be selected?

A. Change management documents should be selected at random and examined for appropriateness.

B. Changes to production code should be sampled and traced to appropriate authorizing documentation. **

C. Change management documents should be selected based on system criticality and examined for appropriateness.

D. Changes to production code should be sampled and traced back to system-produced logs indicating the date and time of the change.


Question 2

To assist in testing a core banking system being acquired, an organization has provided the vendor with sensitive data from its existing production system. An IS auditor’s PRIMARY concern is that the data should be:

A. sanitized. **

B. complete.

C. representative.

D. current.


Question 3

An IS auditor is performing a project review to identify whether a new application has met business objectives. Which of the following test reports offers the MOST assurance that business objectives are met?

A. User acceptance **

B. Performance

C. Sociability

D. Penetration


Question 4

A hash total of employee numbers is part of the input to a payroll master file update program. The program compares the hash total with the corresponding control total. What is the purpose of this procedure?

A. Verify that employee numbers are valid

B. Verify that only authorized employees are paid

C. Detect errors in payroll calculations

D. Detect the erroneous update of records **


Question 5

During the review, if the auditor detects that the transaction authorization control objective cannot be met due to a lack of clearly defined roles and privileges in the application, the auditor should FIRST:

A. review the authorization on a sample of transactions. **

B. immediately report this finding to upper management.

C. request that auditee management review the appropriateness of access rights for all users.

D. use a generalized audit software to check the integrity of the database.


Question 6

An organization decides to purchase a package instead of developing it. In such a case, the design and development phases of a traditional software development life cycle (SDLC) would be replaced with:

A. selection and configuration phases. **

B. feasibility and requirements phases.

C. implementation and testing phases.

D. nothing; replacement is not required.


Question 7

When a complete segregation of duties cannot be achieved in an online system environment, which of the following functions should be separated from the others?

A. Origination

B. Authorization **

C. Recording

D. Correction


Question 8

In a small organization, where segregation of duties is not practical, an employee performs the function of computer operator and application programmer. Which of the following controls should an IS auditor recommend?

A. Automated logging of changes to development libraries

B. Additional staff to provide segregation of duties

C. Procedures that verify that only approved program changes are implemented **


Question 9

Which of the following is the MOST effective method for an IS auditor to use in testing the program change management process?

A. Trace from system-generated information to the change management documentation. **

B. Examine change management documentation for evidence of accuracy.

C. Trace from the change management documentation to a system-generated audit trail.

D. Examine change management documentation for evidence of completeness.
