CISA Exam-Test 20

1. What kind of software application testing is considered the final stage of testing and typically includes users outside the development team?
- Regression testing
- White box testing
- Beta testing
- Alpha testing
Answer: Beta testing. Beta testing is the final stage of testing and typically includes users outside the development area. It is a form of user acceptance testing (UAT) and generally involves a limited number of users who are external to the development effort.

2. Which of the following should be a concern to an IS auditor reviewing a digital forensic process for a security incident?
- The affected computer was not immediately shut down after the incident.
- The media with the original evidence was not write-blocked.
- Analysis was performed using an image of the original media.
- The forensic expert used open-source forensic tools.

3. The MOST significant level of effort for business continuity planning (BCP) generally is required during the:
- maintenance stage.
- early stages of planning.
- testing stage.
- evaluation stage.

4. Which of the following BEST helps an IS auditor evaluate the quality of programming activities related to future maintenance capabilities?
- The programming language
- Program coding standards
- A version control system
- The development environment
Answer: Program coding standards. Coding standards are required for efficient program maintenance and modification, so applying them enhances both the quality of programming activities and future maintainability. They are essential to writing, reading and understanding code simply and clearly, without having to refer back to the design specifications.

5. What is the PRIMARY purpose of performing a parallel run of a new system?
- To provide a failover plan in case of system issues.
- To validate the operation of the new system against its predecessor.
- To verify the new system can process the production load.
- To verify the new system provides required business functionality.

6. The BEST time for an IS auditor to assess the control specifications of a new application software package which is being considered for acquisition is during:
- the implementation phase.
- the requirements gathering process.
- the internal lab testing phase.
- testing and prior to user acceptance.
Answer: the requirements gathering process. The best time to involve an IS auditor is at the beginning of the requirements definition for the development or acquisition of application software. This gives the maximum opportunity to review the vendors and their products. Early engagement also minimizes the chance that the business commits to a solution that turns out to be inadequate, a commitment that becomes harder to reverse the further the process continues.

7. A large industrial organization is replacing an obsolete legacy system and evaluating whether to buy a custom solution or develop a system in-house. Which of the following will MOST likely influence the decision?
- Whether the legacy system being replaced was developed in-house
- The users not devoting reasonable time to define the functionalities of the solution
- Technical skills and knowledge within the organization related to sourcing and software development
- Privacy requirements as applied to the data processed by the application
Answer: Technical skills and knowledge within the organization related to sourcing and software development. Whether the organization holds the critical core competencies in-house will most likely be weighed carefully before deciding to outsource the work.

8. Which of the following is the MOST likely cause of a successful firewall penetration?
- Loophole in the firewall vendor's code
- Use of a Trojan to bypass the firewall
- Firewall misconfiguration by the administrator
- Virus infection

9. A LAN administrator normally would be restricted from:
- having end-user responsibilities.
- reporting to the end-user manager.
- having programming responsibilities.
- being responsible for LAN security administration.

10. An IS auditor is reviewing the software development process for an organization. Which of the following functions would be appropriate for the end users to perform?
- Performance tuning
- Program output testing
- System configuration
- Program logic specification
Answer: Program output testing. A user can test program output by checking the program input and comparing it with the system output. This task, although usually done by the programmer, can also be done effectively by the user.

11. An offsite information processing facility having electrical wiring, air conditioning and flooring, but no computer or communications equipment, is a:
- duplicate processing facility.
- dial-up site.
- warm site.
- cold site.

12. The IS auditor is reviewing a recently completed conversion to a new enterprise resource planning (ERP) system. As the final stage of the conversion process, the organization ran the old and new systems in parallel for 30 days before allowing the new system to run on its own. What is the MOST significant advantage to the organization of using this strategy?
- Assurance that the new system meets functional requirements
- Significant cost savings over other testing approaches
- Assurance that new, faster hardware is compatible with the new system
- Increased resiliency during the parallel processing time
Answer: Assurance that the new system meets functional requirements. Parallel operation is designed to provide assurance that a new system meets its functional requirements. It is the safest form of system conversion testing because, if the new system fails, the old system is still available for production use. In addition, it lets application developers and administrators run operational tasks (batch jobs, backups) on both systems at the same time, to ensure the new system is reliable before the old one is unplugged.

13. What is the BEST method to facilitate successful user testing and acceptance of a new enterprise resource planning (ERP) payroll system that is replacing an existing legacy system?
- Prototype testing
- Integration testing
- Parallel testing
- Multiple testing
Answer: Parallel testing. Parallel testing is the best method for testing data results and system behavior because it allows the users to compare results from both systems before the legacy system is decommissioned. It also results in better user adoption of the new system.

14. An organization having a number of offices across a wide geographical area has developed a disaster recovery plan (DRP). Using actual resources, which of the following is the MOST cost-effective test of the DRP?
- Regression test
- Preparedness test
- Full operational test
- Paper test

15. During a system development life cycle (SDLC) audit of a human resources (HR) and payroll application, the IS auditor notes that the data used for user acceptance testing (UAT) have been masked. The purpose of masking the data is to ensure the:
- reliability of the data.
- accuracy of the data.
- confidentiality of the data.
- completeness of the data.
Answer: confidentiality of the data. Masking is used to ensure the confidentiality of data, especially in a user acceptance testing (UAT) exercise in which the testers have access to data that they would not have access to in the normal production environment.

16. A new database is being set up in an overseas location to provide information to the general public and to increase the speed at which the information is made available. The overseas database is to be housed at a data center and will be updated in real time to mirror the information stored locally. Which of the following areas of operations should be considered as having the HIGHEST risk?
- Confidentiality of the information stored in the database
- The hardware being used to run the database application
- Backups of the information in the overseas database
- Remote access to the backup database
Answer: The hardware being used to run the database application. The business objective is to make the information available to the public in a timely manner. Because the database is physically located overseas, hardware failures that are left unfixed can reduce the availability of the system to users.

17. An IS auditor who is auditing the software acquisition process will ensure that the:
- contract is reviewed and approved by the legal counsel before it is signed.
- requirements cannot be met with the systems already in place.
- requirements are found to be critical for the business.
- user participation is adequate in the process.
Answer: contract is reviewed and approved by the legal counsel before it is signed. Reviewing and approving the contract is one of the most important steps in the software acquisition process. An IS auditor should verify that legal counsel reviewed and approved the contract before management signs it.

18. Which of the following controls helps prevent duplication of vouchers during data entry?
- A range check
- A cyclic redundancy check (CRC)
- Transposition and substitution
- A sequence check
Answer: A sequence check. A sequence check validates that voucher numbers arrive in increasing order; a number that repeats or falls outside the expected sequence is flagged, which prevents duplicate vouchers.

19. An IS auditor is reviewing system development for a health care organization with two application environments, production and test. During an interview, the auditor notes that production data are used in the test environment to test program changes. What is the MOST significant potential risk from this situation?
- The test environment may not have adequate controls to ensure data accuracy.
- Hardware in the test environment may not be identical to the production environment.
- The test environment may not have adequate access controls implemented to ensure data confidentiality.
- The test environment may produce inaccurate results due to use of production data.
Answer: The test environment may not have adequate access controls implemented to ensure data confidentiality. In many cases, the test environment is not configured with the same access controls that are enabled in the production environment. For example, programmers may have privileged access to the test environment (for testing) but not to the production environment. If the test environment does not have adequate access control, the production data are exposed to unauthorized access and disclosure. This is the most significant risk of the choices listed.

20. An enterprise is developing a new procurement system, and things are behind schedule. As a result, it is proposed that the time originally planned for the test phase be shortened. The project manager asks the IS auditor for recommendations to mitigate the risk associated with reduced testing. Which of the following is a suitable risk mitigation strategy?
- Test and release a pilot with reduced functionality.
- Implement a test tool to automate defect tracking.
- Eliminate planned testing by the development team, and proceed straight to acceptance testing.
- Fix and retest the highest-severity functional defects.
Answer: Test and release a pilot with reduced functionality. This reduces risk in a number of ways. Reduced functionality should mean fewer test cases to run, fewer defects to fix and retest, and less regression testing. A pilot release made available to a select group of users reduces the risk associated with a full implementation. Not all of the benefits of releasing the system to the full user population will be realized, but some benefits should start to flow, and comments from real users should guide what extra functionality and other improvements need to be included in a full release.

21. Regression testing is undertaken PRIMARILY to ensure that:
- applicable development standards have been maintained.
- a new system can operate in the target environment.
- system functionality meets customer requirements.
- applied changes have not introduced new errors.
Answer: applied changes have not introduced new errors. Regression testing is used to test for the introduction of new errors in the system after changes have been applied.
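As an added example (not part of the quiz): a minimal masking step of the kind question 15 describes, together with the leak check an auditor would want run before the masked extract is loaded into a test environment whose access controls are weaker than production's (the risk in question 19). The field names, sample rows, demo key and helper names are my assumptions; the pseudonyms are keyed HMAC outputs so that the same person maps to the same value in every row.

```python
import hashlib
import hmac

# Constructed "production" payroll extract; every value is invented.
PRODUCTION_ROWS = [
    {"emp_id": 1001, "name": "Alice Example", "ssn": "123-45-6789",
     "email": "alice@example.com", "salary": 82000, "dept": "HR"},
    {"emp_id": 1002, "name": "Bob Sample", "ssn": "987-65-4321",
     "email": "bob@example.com", "salary": 64000, "dept": "IT"},
    # A second row for the same person: masking must map it to the same
    # pseudonym, or the payroll logic under test will see two employees.
    {"emp_id": 1003, "name": "Alice Example", "ssn": "123-45-6789",
     "email": "alice@example.com", "salary": 82000, "dept": "HR"},
]

# Direct identifiers that must not reach the test environment in clear.
DIRECT_IDENTIFIERS = ("name", "ssn", "email")

# Demo key only (assumption). In practice the key stays on the production /
# data-owner side and never enters the test environment, so testers cannot
# re-derive the mapping even though they hold the masked data.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def _pseudonym(key: bytes, field: str, value: str, digits: int) -> str:
    """Keyed, deterministic replacement: same (field, value) -> same output,
    so joins and duplicate checks still work, but the original cannot be
    recovered without the key. Returns a fixed-width digit string."""
    mac = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big")).zfill(digits)[:digits]


def mask_record(row: dict, key: bytes) -> dict:
    masked = dict(row)
    # SSN keeps its NNN-NN-NNNN shape so the application's format edits run.
    d = _pseudonym(key, "ssn", row["ssn"], 9)
    masked["ssn"] = f"{d[:3]}-{d[3:5]}-{d[5:]}"
    masked["name"] = "Employee " + _pseudonym(key, "name", row["name"], 6)
    masked["email"] = "user" + _pseudonym(key, "email", row["email"], 6) + "@test.invalid"
    # salary and dept are left as they are because the payroll calculation
    # under test needs them. Whether that is acceptable is a data
    # classification decision for the data owner, not a property of this code.
    return masked


def mask_dataset(rows: list, key: bytes) -> list:
    return [mask_record(r, key) for r in rows]


def find_leaks(masked_rows: list, production_rows: list) -> list:
    """Detective check before the load: any production identifier value that
    still appears anywhere in the masked extract is a leak. Returns
    (row index, leaked value) pairs; an empty list means clean."""
    secrets = {str(r[f]) for r in production_rows for f in DIRECT_IDENTIFIERS}
    leaks = []
    for i, row in enumerate(masked_rows):
        blob = " ".join(str(v) for v in row.values())
        leaks.extend((i, s) for s in sorted(secrets) if s in blob)
    return leaks


def same_subject_consistent(masked_rows: list) -> bool:
    """Referential integrity survived masking: rows 0 and 2 (the same person)
    carry the same pseudonymous SSN, and it differs from row 1's."""
    m = masked_rows
    return m[0]["ssn"] == m[2]["ssn"] and m[0]["ssn"] != m[1]["ssn"]


if __name__ == "__main__":
    masked = mask_dataset(PRODUCTION_ROWS, DEMO_KEY)
    for r in masked:
        print(r)
    print("leaks:", find_leaks(masked, PRODUCTION_ROWS))
    print("same-subject consistent:", same_subject_consistent(masked))
```

Masking removes the confidentiality exposure of the identifying fields, but it does not replace access control on the test environment: the retained salary and department columns are still production data, which is exactly why question 19 treats missing test-environment access controls as the larger risk.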
22. Which of the following is MOST important for an IS auditor to review when evaluating the effectiveness of an organization's incident response process?
- Incident response staff experience and qualifications
- Incident response roles and responsibilities
- Past incident response actions
- Results from management testing of incident response procedures

23. An organization sells books and music online at its secure web site. Transactions are transferred to the accounting and delivery systems every hour to be processed. Which of the following controls BEST ensures that sales processed on the secure web site are transferred to both the delivery and accounting systems?
- Transactions are automatically numerically sequenced. Sequences are checked and gaps in continuity are accounted for.
- Transaction totals are recorded on a daily basis in the sales systems. Daily sales system totals are aggregated and totaled.
- System time is synchronized hourly using a centralized time server. All transactions have a date/time stamp.
- Processing systems check for duplicated transaction numbers. If a transaction number is duplicated (already present), it is rejected.
Answer: Transactions are automatically numerically sequenced, and sequences are checked with gaps in continuity accounted for. Automatic numerical sequencing is the only option that accounts for the completeness of transactions, because any missing transaction shows up as a gap in the sequence.

24. Which of the following test techniques would the IS auditor use to identify specific program logic that has not been tested?
- A snapshot
- Logging
- Mapping
- Tracing and tagging
Answer: Mapping. Mapping identifies specific program logic that has not been tested by analyzing programs during execution and indicating whether each program statement has been executed.

25. An IS auditor finds out-of-range data in some tables of a database. Which of the following controls should the IS auditor recommend to avoid this situation?
- Log all table update transactions.
- Implement integrity constraints in the database.
- Implement before and after image reporting.
- Use tracing and tagging.
Answer: Implement integrity constraints in the database. Integrity constraints are a preventive control: data are checked against predefined tables or rules at the database, so undefined or out-of-range data cannot be entered in the first place.

26. An IS auditor is conducting a pre-implementation review to determine a new system's production readiness.
- users were involved in the quality assurance (QA) testing.
- benefits realization has been evidenced.
- the project adhered to the budget and target date.
- there are unresolved high-risk items.

27. Which of the following is the MOST effective tool for monitoring transactions that exceed predetermined thresholds?
- Regression tests
- Snapshots
- Integrated test facility
- Generalized audit software (GAS)
Answer: Generalized audit software (GAS). GAS is a data analytic tool that can be used to filter large amounts of data, so transactions above a threshold can be selected directly.

28. Which of the following is a data validation edit and control?
- Reasonableness checks
- Hash totals
- Online access controls
- Before and after image reporting

29. During the review of data file change management controls, which of the following BEST helps to decrease the research time needed to investigate exceptions?
- Transaction logs
- One-for-one checking
- Data file security
- File updating and maintenance authorization
Answer: Transaction logs. Transaction logs generate an audit trail by providing a detailed record of the date and time of input, user ID, terminal location, and so on. Research time in investigating exceptions is reduced because the review can be performed on the logs rather than on the entire transaction file. The logs also show which transactions were posted to an account by a particular individual during a particular period.

30. A project development team is considering using production data for its test deck. The team removed sensitive data elements from the test bed before loading it into the test environment. Which of the following additional concerns should an IS auditor have with this practice?
- Production data are introduced into the test environment.
- The project may run over budget.
- Specialized training is required.
- Not all functionality will be tested.
Answer: Not all functionality will be tested. A primary risk of using production data as a test deck is that not all transactions or functionality may be exercised, because the production extract may contain no data that meet a given requirement.
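As an added example (not part of the quiz): the controls behind questions 18, 23 and 25, and the reasonableness check of question 28, in one runnable piece of Python. A sequence check over a batch of transaction numbers reports duplicates (the voucher problem in question 18) and gaps (the completeness problem in question 23); a table with PRIMARY KEY and CHECK constraints shows why question 25 calls integrity constraints a preventive control. The batch numbers, the table and column names, and the limits in the CHECK clauses are my assumptions.

```python
import sqlite3


def sequence_check(numbers, expected_first=None):
    """Sequence/completeness check over a batch of transaction numbers.
    Returns (duplicates, gaps): numbers seen more than once, and numbers
    missing between expected_first (default: the smallest seen) and the
    largest seen. Arrival order is irrelevant; the control is that each
    number appears exactly once and the range is continuous."""
    seen = {}
    for n in numbers:
        seen[n] = seen.get(n, 0) + 1
    duplicates = sorted(n for n, c in seen.items() if c > 1)
    first = min(seen) if expected_first is None else expected_first
    gaps = [n for n in range(first, max(seen) + 1) if n not in seen]
    return duplicates, gaps


# Constructed hourly batch as received by the accounting system: 1007 was
# transferred twice and 1004 never arrived. A daily total or a timestamp
# would not reveal the missing transaction; the gap in the sequence does.
WEB_BATCH = [1001, 1002, 1003, 1005, 1006, 1007, 1007, 1008]


def make_voucher_store() -> sqlite3.Connection:
    """Integrity constraints in the database itself: PRIMARY KEY rejects a
    duplicate voucher number, CHECK rejects out-of-range data whichever
    program wrote it. These are preventive; sequence_check is detective."""
    con = sqlite3.connect(":memory:")
    con.execute("""
        CREATE TABLE voucher (
            voucher_no INTEGER PRIMARY KEY,
            amount     NUMERIC NOT NULL CHECK (amount > 0 AND amount <= 100000),
            hours      INTEGER NOT NULL CHECK (hours BETWEEN 0 AND 744),
            month      INTEGER NOT NULL CHECK (month BETWEEN 1 AND 12)
        )""")
    return con


def load_vouchers(con: sqlite3.Connection, rows) -> list:
    """Insert each voucher in its own transaction; return the rejected
    voucher numbers together with the database's reason."""
    rejected = []
    for voucher_no, amount, hours, month in rows:
        try:
            with con:  # commits on success, rolls back and re-raises on error
                con.execute("INSERT INTO voucher VALUES (?, ?, ?, ?)",
                            (voucher_no, amount, hours, month))
        except sqlite3.IntegrityError as exc:
            rejected.append((voucher_no, str(exc)))
    return rejected


def stored_count(con: sqlite3.Connection) -> int:
    return con.execute("SELECT COUNT(*) FROM voucher").fetchone()[0]


# Constructed data-entry batch: only the first row is valid.
VOUCHERS = [
    (1, 1200.50, 160, 3),
    (2, 800.00, 175, 13),     # month out of range
    (1, 640.00, 120, 3),      # duplicate voucher number
    (3, -50.00, 0, 4),        # negative amount
    (4, 5000.00, 1000, 4),    # more hours than a month holds
]


if __name__ == "__main__":
    print("duplicates, gaps:", sequence_check(WEB_BATCH))
    con = make_voucher_store()
    for no, reason in load_vouchers(con, VOUCHERS):
        print(f"voucher {no} rejected: {reason}")
    print("stored:", stored_count(con))
```

The two halves are complementary in the way the quiz's answers imply: the sequence check finds what the transfer lost or repeated after the fact, while the constraints stop bad rows from ever being stored, so an auditor who finds out-of-range data in a table should ask why the constraint was not there rather than ask for more logging.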