The quality assurance (QA) function should be prevented from
Correct Answer: A
Question 237
Which of the following should an IS auditor review when evaluating information systems governance for a large organization?
Correct Answer: A
Explanation
Information systems governance is the set of policies, processes, structures, and practices that ensure the alignment of IT with business objectives, the delivery of value from IT investments, the management of IT risks, and the optimization of IT resources [1]. Information systems governance is a strategic and high-level function that covers the entire organization and its IT portfolio. Therefore, an IS auditor should review the aspects of information systems governance that are relevant to the organization's vision, mission, goals, and strategies. One of the aspects that an IS auditor should review when evaluating information systems governance for a large organization is the approval processes for new system implementations. This is because new system implementations are significant IT investments that require careful planning, analysis, design, development, testing, deployment, and evaluation to ensure that they meet the business requirements, deliver the expected benefits, comply with the relevant standards and regulations, and minimize the potential risks [2]. The approval processes for new system implementations should involve the appropriate stakeholders, such as senior management, business owners, IT managers, project managers, users, and auditors, who have the authority and responsibility to approve or reject the proposed system implementations based on predefined criteria and metrics [3]. The approval processes for new system implementations should also be documented, transparent, consistent, and timely to ensure accountability and traceability [4]. Therefore, an IS auditor should review the approval processes for new system implementations to assess whether they are aligned with the information systems governance framework and objectives.
The other possible options are:
Procedures for adding a new user to the invoice processing system: This is an operational task that involves granting access rights and permissions to a specific user for a specific system based on the principle of least privilege. This is not a strategic or high-level function that falls under information systems governance. Therefore, an IS auditor should not review this aspect when evaluating information systems governance for a large organization.
Approval processes for updating the corporate website: This is a tactical task that involves making changes or enhancements to the content or design of the corporate website based on the business needs and feedback. This is not a strategic or high-level function that falls under information systems governance. Therefore, an IS auditor should not review this aspect when evaluating information systems governance for a large organization.
Procedures for regression testing system changes: This is a technical task that involves verifying that existing system functionalities are not adversely affected by new system changes or updates. This is not a strategic or high-level function that falls under information systems governance. Therefore, an IS auditor should not review this aspect when evaluating information systems governance for a large organization.
References:
[1] What is IT Governance? - Definition from Techopedia
[2] System Implementation - an overview | ScienceDirect Topics
[3] Project Approval Process - Project Management Knowledge
[4] 5 Best Practices For A Successful Project Approval Process | Kissflow Project
Principle of Least Privilege (POLP) | Imperva
How to Update Your Website Content - 7 Step Guide | HostGator Blog
What Is Regression Testing? Definition & Best Practices | BrowserStack
Question 238
Which of the following testing methods examines the functionality of an application without peering into its internal structure or knowing the details of its internals?
Correct Answer: A
Explanation/Reference:
Black-box testing is a method of software testing that examines the functionality of an application (e.g., what the software does) without peering into its internal structures or workings (see white-box testing). This method of testing can be applied to virtually every level of software testing: unit, integration, system, and acceptance. It typically comprises most if not all higher-level testing, but can dominate unit testing as well.
For your exam you should know the information below:
Alpha and Beta Testing - An alpha version is an early version of the application system submitted to internal users for testing. The alpha version may not contain all the features planned for the final version. Typically, software goes through two stages of testing before it is considered finished. The first stage, called alpha testing, is often performed only by users within the organization developing the software. The second stage, called beta testing, is a form of user acceptance testing that generally involves a limited number of external users. Beta testing is the last stage of testing and normally involves real-world exposure, sending the beta version of the product to independent beta test sites or offering it free to interested users.
Pilot Testing - A preliminary test that focuses on specific and predefined aspects of a system. It is not meant to replace other testing methods, but rather to provide a limited evaluation of the system. Proofs of concept are early pilot tests, usually run on an interim platform and with only basic functionality.
White Box Testing - Assesses the effectiveness of a software program's logic. Specifically, test data are used to determine the procedural accuracy or conditions of a program's specific logic paths. However, testing all possible logical paths in a large information system is not feasible and would be cost-prohibitive, so it is used on a selective basis only.
Black Box Testing - An integrity-based form of testing associated with testing components of an information system's "functional" operating effectiveness without regard to any specific internal program structure. Applicable to integration and user acceptance testing.
Function/Validation Testing - Similar to system testing, but often used to test the functionality of the system against the detailed requirements to ensure that the software that has been built is traceable to customer requirements.
Regression Testing - The process of rerunning a portion of a test scenario or test plan to ensure that changes or corrections have not introduced new errors. The data used in regression testing should be the same as the original data.
Parallel Testing - The process of feeding test data into two systems, the modified system and an alternative system, and comparing the results.
Sociability Testing - The purpose of these tests is to confirm that a new or modified system can operate in its target environment without adversely impacting existing systems. This should cover not only the platform that will perform primary application processing and interface with other systems but, in client-server and web development, changes to the desktop environment. Multiple applications may run on the user's desktop, potentially simultaneously, so it is important to test the impact of installing new dynamic link libraries (DLLs), making operating system registry or configuration file modifications, and possibly extra memory utilization.
The following answers are incorrect: Parallel Testing, Regression Testing, and Pilot Testing, as defined above.
The following references were used to create this question:
CISA Review Manual 2014, page 167
Official ISC2 Guide to the CISSP CBK, 3rd Edition, page 176
Question 239
Which of the following must be in place before an IS auditor initiates audit follow-up activities?
Correct Answer: B
Explanation
This must be in place before an IS auditor initiates audit follow-up activities, because it indicates that management has acknowledged and accepted the audit findings and recommendations, and has agreed to take corrective actions within a specified timeframe. Audit follow-up activities are the processes and procedures that the IS auditor performs to verify that management has implemented the agreed-upon actions effectively and in a timely manner, and that the audit findings have been resolved or mitigated.
The other options are not required to be in place before an IS auditor initiates audit follow-up activities:
Available resources for the activities included in the action plan. This is a factor that may affect the feasibility and success of the action plan, but it is not a prerequisite for the audit follow-up activities. The IS auditor should assess the availability and adequacy of the resources for the action plan during the audit planning and execution phases, and provide recommendations accordingly. However, the IS auditor does not need to wait for the resources to be available before initiating the audit follow-up activities.
A heat map with the gaps and recommendations displayed in terms of risk. This is a tool that may help the IS auditor prioritize and communicate the gaps and recommendations, but it is not a requirement for the audit follow-up activities. A heat map is a graphical representation of data that uses colors to indicate the level of risk or impact of each gap or recommendation. The IS auditor may use a heat map to support the audit report or presentation, but it does not replace the need for a management response with a committed implementation date.
Supporting evidence for the gaps and recommendations mentioned in the audit report. This is a component that should be included in the audit report, but it is not a condition for the audit follow-up activities. Supporting evidence is the information or data that supports or substantiates the audit findings and recommendations. The IS auditor should collect and document sufficient, reliable, relevant, and useful evidence during the audit execution phase, and present it in the audit report. However, the IS auditor does not need to have supporting evidence in place before initiating the audit follow-up activities.
Question 240
Which type of testing is MOST important to perform during a project audit to help ensure business objectives are met?