Auditing Systems Development, Acquisition and Maintenance

Presentation on theme: "Auditing Systems Development, Acquisition and Maintenance"— Presentation transcript:

1 Auditing Systems Development, Acquisition and Maintenance
Review Questions with Answers

2 Question 1
When testing program change management, how should the sample be selected?
A. Change management documents should be selected at random and examined for appropriateness.
B. Changes to production code should be sampled and traced to appropriate authorizing documentation. **
C. Change management documents should be selected based on system criticality and examined for appropriateness.
D. Changes to production code should be sampled and traced back to system-produced logs indicating the date and time of the change.
The correct answer is B.
When testing a control, it is advisable to trace from the item being controlled to the relevant control documentation. If the sample is instead chosen from the set of control documents, there is no way to assure that every change was accompanied by appropriate control documentation. Accordingly, changes to production code provide the most appropriate basis for selecting a sample; each sampled change is then traced to its authorizing documentation. In contrast, selecting from the population of change management documents will not reveal any change that bypassed the normal approval and documentation process. Similarly, comparing production code changes to system-produced logs shows only when a change was made, not that it was approved before being migrated to production.
Review Manual Reference Pages: p. 70

3 Question 2
To assist in testing a core banking system being acquired, an organization has provided the vendor with sensitive data from its existing production system. An IS auditor's PRIMARY concern is that the data should be:
A. sanitized. **
B. complete.
C. representative.
D. current.
The correct answer is A.
Test data should be sanitized to prevent sensitive data from leaking to unauthorized persons. Completeness, representativeness and currency matter for the quality of the test, but they do not address the exposure created by handing production data to a third party.
Review Manual Reference Pages: p. 274

4 Question 3
An IS auditor is performing a project review to identify whether a new application has met business objectives. Which of the following test reports offers the MOST assurance that business objectives are met?
A. User acceptance **
B. Performance
C. Sociability
D. Penetration
The correct answer is A.
User acceptance testing (UAT) is performed to ensure that the application meets predefined user needs, so it is the most relevant of the options for determining whether business objectives have been met. Performance testing is an element of system testing performed to ensure that the application functions properly; it covers both business and non-business requirements and is therefore less relevant than UAT to the question of whether business requirements have been met. Sociability testing confirms that the new application can operate in the target environment without adversely impacting existing systems, not whether business objectives have been met. Penetration testing uses the tools and techniques available to an attacker to identify weaknesses in configurations and security settings. If the business objectives include security, penetration testing may show whether that objective has been met, but this applies only to some applications, so it is less relevant than user acceptance testing.
Review Manual Reference Pages: p. 274

5 Question 4
A hash total of employee numbers is part of the input to a payroll master file update program. The program compares the hash total with the corresponding control total. What is the purpose of this procedure?
A. Verify that employee numbers are valid
B. Verify that only authorized employees are paid
C. Detect errors in payroll calculations
D. Detect the erroneous update of records **
The correct answer is D.
A hash total is a control total computed over a field that has no arithmetic meaning in itself, here the sum of the employee numbers in the batch. The update program recomputes the total from the records it actually processes and compares it with the total carried on the input; a mismatch shows that a record was omitted, duplicated or altered during the update, which is why the procedure detects erroneous updates. It does not verify that each employee number is valid (a wrong number that leaves the sum unchanged still matches), does not verify that only authorized employees are paid, and does not detect errors in payroll calculations, because the hours and pay fields are not part of the total.
Review Manual Reference Pages: p. 274
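The hash-total check from Question 4, as an added example that is not part of the slides: the batch header carries the sum of the employee numbers computed when the batch was prepared, the update program recomputes it over the records it received, and the two are compared. The record layout, the employee numbers and the error cases are all constructed for the example, and the last two functions show the classes of error the slide says a hash total cannot catch.

```python
"""Hash-total check on a constructed payroll batch (added example, not from the slides)."""
from dataclasses import dataclass


@dataclass
class PayrollRecord:
    employee_no: int
    hours: float
    rate: float


def hash_total(records):
    """Sum of employee numbers: the control total written on the batch header."""
    return sum(r.employee_no for r in records)


def check_batch(records, control_total):
    """Recompute the hash total over the records actually received and compare it
    with the header total. Returns (matches, recomputed_total)."""
    actual = hash_total(records)
    return actual == control_total, actual


# Batch as prepared by the payroll clerk (constructed data).
BATCH = [
    PayrollRecord(1001, 40.0, 25.0),
    PayrollRecord(1002, 38.5, 30.0),
    PayrollRecord(1003, 42.0, 22.5),
]
CONTROL_TOTAL = hash_total(BATCH)  # 3006, carried on the batch header


def dropped_record():
    """Record 1002 lost before the update: the recomputed total is 2004, not 3006."""
    return check_batch(BATCH[:1] + BATCH[2:], CONTROL_TOTAL)


def miskeyed_employee_number():
    """Employee 1003 keyed as 1030: the total moves to 3033 and the error is caught."""
    altered = [BATCH[0], BATCH[1], PayrollRecord(1030, 42.0, 22.5)]
    return check_batch(altered, CONTROL_TOTAL)


def wrong_hours_undetected():
    """Hours keyed as 400 instead of 40: the pay fields are outside the total,
    so this calculation input error passes (answer C on the slide)."""
    altered = [PayrollRecord(1001, 400.0, 25.0), BATCH[1], BATCH[2]]
    return check_batch(altered, CONTROL_TOTAL)


def compensating_errors_undetected():
    """Two keying errors that cancel (1001 -> 1000 and 1003 -> 1004): both numbers are
    wrong, yet the total is still 3006. A hash total cannot prove numbers are valid
    (answer A on the slide)."""
    altered = [PayrollRecord(1000, 40.0, 25.0), BATCH[1], PayrollRecord(1004, 42.0, 22.5)]
    return check_batch(altered, CONTROL_TOTAL)


if __name__ == "__main__":
    for case in (dropped_record, miskeyed_employee_number,
                 wrong_hours_undetected, compensating_errors_undetected):
        matches, total = case()
        print(f"{case.__name__:32s} matches={matches} recomputed={total}")
```

In a real update program the recomputed total would be compared against the header before any master-file record is written, and a mismatch would reject the whole batch rather than a single record, since the total alone does not say which record is wrong.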

6 Question 5
During the review, if the auditor detects that the transaction authorization control objective cannot be met due to a lack of clearly defined roles and privileges in the application, the auditor should FIRST:
A. review the authorization on a sample of transactions. **
B. immediately report this finding to upper management.
C. request that auditee management review the appropriateness of access rights for all users.
D. use generalized audit software to check the integrity of the database.
The correct answer is A.
The auditor should first review the authorization on a sample of transactions in order to determine, and be able to report, the impact and materiality of the issue. Whether the auditor reports the issue immediately or waits until the end of the audit depends on that impact and materiality, which cannot be judged without reviewing a sample of transactions. Asking management to review access rights for all users is a remediation step, not a way to establish the extent of the problem, and using generalized audit software to check the integrity of the database would not help the auditor assess the impact of this issue.
Review Manual Reference Pages: p. 70

7 Question 6
An organization decides to purchase a package instead of developing it. In such a case, the design and development phases of a traditional software development life cycle (SDLC) would be replaced with:
A. selection and configuration phases. **
B. feasibility and requirements phases.
C. implementation and testing phases.
D. nothing; replacement is not required.
The correct answer is A.
With purchased packages becoming more common, the design and development phases of the traditional life cycle are replaced by selection and configuration phases. A request for proposal is issued to suppliers of packaged systems and the responses are evaluated against predefined selection criteria before a decision is made to purchase the software. The package is then configured to meet the organization's requirements. The other phases of the SDLC, e.g., feasibility study, requirements definition, implementation and post-implementation review, remain unaltered.
Review Manual Reference Pages: p. 274

8 Question 7
When a complete segregation of duties cannot be achieved in an online system environment, which of the following functions should be separated from the others?
A. Origination
B. Authorization **
C. Recording
D. Correction
The correct answer is B.
Authorization should be separated from all aspects of record keeping (origination, recording and correction). Such a separation enhances the ability to detect the recording of unauthorized transactions, because the person who can enter or alter a record cannot also approve it.
Review Manual Reference Pages: p. 133

9 Question 8
In a small organization, where segregation of duties is not practical, an employee performs the function of computer operator and application programmer. Which of the following controls should an IS auditor recommend?
A. Automated logging of changes to development libraries
B. Additional staff to provide segregation of duties
C. Procedures that verify that only approved program changes are implemented **
(Option D is not reproduced on this slide; the explanation below refers to it.)
The correct answer is C.
In smaller organizations it generally is not appropriate to recruit additional staff to achieve strict segregation of duties, so the IS auditor must look at alternatives. Of the choices, C is the only practical one that has an impact. The IS auditor should recommend processes that detect changes to production source and object code, such as code comparisons, so that the changes can be reviewed by a third party on a regular basis. This is a compensating control. Choice A, logging of changes to development libraries, would not detect changes to production libraries. Choice D in effect requires a third party to make the changes, which may not be practical in a small organization.
Review Manual Reference Pages: p. 134

10 Question 9
Which of the following is the MOST effective method for an IS auditor to use in testing the program change management process?
A. Trace from system-generated information to the change management documentation. **
B. Examine change management documentation for evidence of accuracy.
C. Trace from the change management documentation to a system-generated audit trail.
D. Examine change management documentation for evidence of completeness.
The correct answer is A.
When testing change management, the IS auditor should always start with system-generated information, such as the date and time a module was last updated, and trace from there to the documentation authorizing the change. Tracing in the opposite direction runs the risk of not detecting undocumented changes, because a change that was never documented has no starting point in the documentation. Similarly, focusing exclusively on the accuracy or completeness of the documentation examined does not ensure that all changes were in fact documented.
Review Manual Reference Pages: p. 357
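The tracing direction argued in Questions 1 and 9, and the code comparison recommended in Question 8, as one added example that is not part of the slides. It diffs a baseline manifest of production object code against today's manifest (the system-generated evidence), then looks for an approved change record covering each changed module; the second function runs the same data in the direction the slides warn against. Module names, hashes and ticket numbers are all constructed for the example.

```python
"""Tracing production code changes to authorizing change records (added example)."""
import hashlib
from dataclasses import dataclass
from typing import Optional, Set


def digest(content: bytes) -> str:
    """Stand-in for the hash of a module's object code in the production library."""
    return hashlib.sha256(content).hexdigest()[:16]


# Manifest of the production library taken at the last audit (constructed).
BASELINE = {
    "payroll/calc.py": digest(b"v1 calc"),
    "payroll/update.py": digest(b"v1 update"),
    "ledger/post.py": digest(b"v1 post"),
    "ledger/report.py": digest(b"v1 report"),
}

# Manifest of the same library today (constructed).
CURRENT = {
    "payroll/calc.py": digest(b"v2 calc"),       # changed, covered by CHG-101
    "payroll/update.py": digest(b"v1 update"),   # unchanged
    "ledger/post.py": digest(b"v2 post"),        # changed, no ticket at all
    "ledger/report.py": digest(b"v1 report"),    # unchanged
    "ledger/export.py": digest(b"v1 export"),    # new module, no ticket at all
}


@dataclass
class ChangeRecord:
    ticket: str
    modules: Set[str]
    approved_by: Optional[str]   # None means the record was never approved


# Records in the change-management system (constructed).
TICKETS = [
    ChangeRecord("CHG-101", {"payroll/calc.py"}, "cab"),
    ChangeRecord("CHG-102", {"ledger/report.py"}, "cab"),  # approved, never deployed
    ChangeRecord("CHG-103", {"payroll/update.py"}, None),  # still awaiting approval
]


def changed_modules(baseline, current):
    """System-generated evidence: every module whose object code differs from the
    baseline or did not exist at the baseline (the code comparison of Question 8)."""
    return sorted(m for m, h in current.items() if baseline.get(m) != h)


def trace_changes_to_approvals(baseline, current, tickets):
    """Audit direction (Questions 1 and 9): start from what actually changed in
    production and look for an approved record covering each module."""
    approved = {m: t.ticket for t in tickets if t.approved_by for m in t.modules}
    result = {"documented": {}, "undocumented": []}
    for module in changed_modules(baseline, current):
        if module in approved:
            result["documented"][module] = approved[module]
        else:
            result["undocumented"].append(module)
    return result


def trace_approvals_to_changes(baseline, current, tickets):
    """Reverse direction, for contrast: start from approved records and confirm each
    against production. It can only ever report on modules a ticket names, so the
    unauthorized changes to ledger/post.py and ledger/export.py never appear."""
    changed = set(changed_modules(baseline, current))
    return {t.ticket: bool(t.modules & changed) for t in tickets if t.approved_by}


if __name__ == "__main__":
    print("changed in production:", changed_modules(BASELINE, CURRENT))
    print("change -> approval   :", trace_changes_to_approvals(BASELINE, CURRENT, TICKETS))
    print("approval -> change   :", trace_approvals_to_changes(BASELINE, CURRENT, TICKETS))
```

The reverse direction does surface one useful fact, that CHG-102 was approved but never reached production, but it is silent about the two modules that changed without any record, which is exactly the finding the audit test exists to produce. In practice the baseline manifest should itself be stored outside the reach of the operator/programmer, otherwise the comparison can be defeated by re-baselining after an unauthorized change.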
