Auditing Systems Development, Acquisition and Maintenance

Review Questions with Answers

Question 1
When testing program change management, how should the sample be selected?
A. Change management documents should be selected at random and examined for appropriateness.
B. Changes to production code should be sampled and traced to appropriate authorizing documentation. **
C. Change management documents should be selected based on system criticality and examined for appropriateness.
D. Changes to production code should be sampled and traced back to system-produced logs indicating the date and time of the change.

Question 2
To assist in testing a core banking system being acquired, an organization has provided the vendor with sensitive data from its existing production system. An IS auditor’s PRIMARY concern is that the data should be:
A. sanitized. **
B. complete.
C. representative.
D. current.

Question 3
An IS auditor is performing a project review to identify whether a new application has met business objectives. Which of the following test reports offers the MOST assurance that business objectives are met?
A. User acceptance **
B. Performance
C. Sociability
D. Penetration

Question 4
A hash total of employee numbers is part of the input to a payroll master file update program. The program compares the hash total with the corresponding control total. What is the purpose of this procedure?
A. Verify that employee numbers are valid
B. Verify that only authorized employees are paid
C. Detect errors in payroll calculations
D. Detect the erroneous update of records **

Question 5
During the review, if the auditor detects that the transaction authorization control objective cannot be met due to a lack of clearly defined roles and privileges in the application, the auditor should FIRST:
A. review the authorization on a sample of transactions. **
B. immediately report this finding to upper management.
C. request that auditee management review the appropriateness of access rights for all users.
D. use a generalized audit software to check the integrity of the database.

Question 6
An organization decides to purchase a package instead of developing it. In such a case, the design and development phases of a traditional software development life cycle (SDLC) would be replaced with:
A. selection and configuration phases. **
B. feasibility and requirements phases.
C. implementation and testing phases.
D. nothing; replacement is not required.

Question 7
When a complete segregation of duties cannot be achieved in an online system environment, which of the following functions should be separated from the others?
A. Origination
B. Authorization **
C. Recording
D. Correction

Question 8
In a small organization, where segregation of duties is not practical, an employee performs the function of computer operator and application programmer. Which of the following controls should an IS auditor recommend?
A. Automated logging of changes to development libraries
B. Additional staff to provide segregation of duties
C. Procedures that verify that only approved program changes are implemented **

Question 9
Which of the following is the MOST effective method for an IS auditor to use in testing the program change management process?
A. Trace from system-generated information to the change management documentation. **
B. Examine change management documentation for evidence of accuracy.
C. Trace from the change management documentation to a system-generated audit trail.
D. Examine change management documentation for evidence of completeness.