Domain 3: Information Systems Acquisition, Development and Implementation Flashcards
Which of the following is a characteristic of timebox management?
A.Not suitable for prototyping or rapid application development
B.Eliminates the need for a quality process
C.Prevents cost overruns and delivery delays
D.Separates system and user acceptance testing (UAT)
C. Timebox management, by its nature, sets specific time and cost boundaries. It is effective in controlling costs and delivery timelines by ensuring that each segment of the project is divided into small controllable time frames.
Which of the following is the MOST important factor in the design of a data warehouse?
A.Quality of the metadata
B.Speed of the transactions
C.Volatility of the data
D.Vulnerability of the system
A. Quality of the metadata is the most important element in the design of a data warehouse. A data warehouse is a copy of transaction data specifically structured for query and analysis. Metadata describes the data in the warehouse and aims to provide a table of contents to the stored information. Organizations that have built warehouses believe that metadata are the most important component of the warehouse.
An information systems (IS) auditor who is auditing the software acquisition process will ensure that the:
A.contract is reviewed and approved by the legal counsel before it is signed.
B.requirements cannot be met with the systems already in place.
C.requirements are found to be critical for the business.
D.user participation is adequate in the process.
A. Reviewing and approving the contract is one of the most important steps in the software acquisition process. An information systems (IS) auditor should verify that legal counsel reviewed and approved the contract before management signs the contract.
An organization sells books and music online on its secure website. Transactions are transferred to the accounting and delivery systems every hour to be processed. Which of the following controls BEST ensures that sales processed on the secure website are transferred to both systems?
A.Transaction totals are recorded daily in the sales systems. Daily sales system totals are aggregated and totaled.
B.Transactions are automatically numerically sequenced. Sequences are checked and gaps in continuity are accounted for.
C.Processing systems check for duplicated transaction numbers. If a transaction number is duplicated (already present), it is rejected.
D.System time is synchronized hourly using a centralized time server. All transactions have a date/time stamp.
B. Automatic numerical sequencing is the only option that accounts for completeness of transactions because any missing transactions are identified by a gap.
An organization is implementing a new system to replace a legacy system. Which of the following conversion practices creates the GREATEST risk?
A.Pilot
B.Parallel
C.Direct cutover
D.Phased
C. Direct cutover implies switching to the new system immediately, usually without the ability to revert to the old system in the event of problems. This approach has the highest risk and may have a significant impact on the organization.
Ideally, stress testing should be carried out in a:
A.test environment using test data.
B.production environment using live workloads.
C.test environment using live workloads.
D.production environment using test data.
C. Stress testing is carried out to ensure that a system can cope with production workloads. Testing with production-level workloads is important to ensure that the system will operate effectively when moved into production.
The specific advantage of white box testing is that it:
A.verifies that a program can operate successfully with other parts of the system.
B.ensures a program’s functional operating effectiveness without regard to the internal program structure.
C.determines procedural accuracy or conditions of a program’s specific logic paths.
D.examines a program’s functionality by executing it in a tightly controlled or virtual environment with restricted access to the host system.
C. White box testing assesses the effectiveness of software program logic. Specifically, test data are used in determining procedural accuracy or conditions of a program’s logic paths.
An information systems (IS) auditor recommends that an initial validation control be programmed into a credit card transaction capture application. The initial validation process MOST likely:
A.checks to ensure that the type of transaction is valid for the card type.
B.verifies the format of the number entered, then locates it on the database.
C.ensures that the transaction entered is within the cardholder’s credit limit.
D.confirms that the card is not shown as lost or stolen on the master file.
B. The initial validation should confirm whether the card is valid. This validity is established through the card number and personal identification number entered by the user.
Change control for business application systems being developed using prototyping can be complicated by the:
A.iterative nature of prototyping.
B.rapid pace of modifications in requirements and design.
C.emphasis on reports and screens.
D.lack of integrated tools.
B. Changes in requirements and design happen so quickly that they are seldom documented or approved.
When a new system is to be implemented within a short time frame, it is MOST important to:
A.finish writing user manuals.
B.perform user acceptance testing (UAT).
C.add last-minute enhancements to functionalities.
D.ensure that the code has been documented and reviewed.
B. It is most important to complete the user acceptance testing to ensure that the system to be implemented is working correctly.
At the end of the testing phase of software development, an information systems (IS) auditor observes that an intermittent software error has not been corrected. No action has been taken to resolve the error. The IS auditor should:
A.report the error as a finding and leave further exploration to the auditee’s discretion.
B.attempt to resolve the error.
C.recommend that problem resolution be escalated.
D.ignore the error because it is not possible to get objective evidence for the software error.
C. When an IS auditor observes such conditions, it is best to fully apprise the auditee and suggest that further problem resolutions be attempted, including escalation if necessary.
Which of the following is MOST critical when creating data for testing the logic in a new or modified application system?
A.Enough data for each test case
B.Data representing expected conditions in actual processing
C.Completing the test on schedule
D.A random sample of actual data
B. Selecting the right kind of data is key in testing a computer system. The data should not only include valid and invalid data but also be representative of actual processing; quality is more important than quantity.
Which of the following is an advantage of the top-down approach to software testing?
A.Interface errors are identified early.
B.Testing can be started before all programs are complete.
C.It is more effective than other testing approaches.
D.Errors in critical modules are detected sooner.
A. The advantage of the top-down approach is that tests of major functions are conducted early, thus enabling the detection of interface errors sooner.
When reviewing input controls, an information systems (IS) auditor observes that, in accordance with corporate policy, procedures allow supervisory override of data validation edits. The IS auditor should:
A.not be concerned, because there may be other compensating controls to mitigate the risk.
B.ensure that overrides are automatically logged and subject to review.
C.verify whether all such overrides are referred to senior management for approval.
D.recommend that overrides not be permitted.
B. If input procedures allow overrides of data validation and editing, automatic logging should occur. A management individual who did not initiate the override should review this log.
Which of the following BEST helps to prioritize project activities and determine the timeline for a project?
A.Gantt chart
B.Earned value analysis
C.Program evaluation review technique (PERT)
D.Function point analysis
C. The PERT method works on the principle of obtaining project timelines based on project events for three likely scenarios—worst, best and normal. The timeline is calculated by a predefined formula and identifies the critical path, which identifies the key activities that must be prioritized.
Which of the following is of GREATEST concern to an information systems (IS) auditor when performing an audit of a client relationship management system migration project?
A.The technical migration is planned for a Friday preceding a long weekend, and the time window is too short for completing all tasks.
B.Employees pilot testing the system are concerned that the data representation in the new system is completely different from the old system.
C.A single implementation is planned, immediately decommissioning the legacy system.
D.Five weeks prior to the target date, there are still numerous defects in the printing functionality of the new system’s software.
C. Major system migrations should include a phase of parallel operation or a phased cutover to reduce implementation risk. Decommissioning or disposing of the old hardware would complicate any fallback strategy if the new system does not operate correctly.
Which of the following types of risk is MOST likely encountered in a software as a service (SaaS) environment?
A.Noncompliance with software license agreements
B.Performance issues due to Internet delivery method
C.Higher cost due to software licensing requirements
D.Higher cost due to the need to update to compatible hardware
B. The risk that can be most likely encountered in a SaaS environment is speed and availability issues because SaaS relies on the Internet for connectivity.
During a postimplementation review of an enterprise resource management system, an information systems (IS) auditor is MOST likely to:
A.review access control configuration.
B.evaluate interface testing.
C.review detailed design documentation.
D.evaluate system testing.
A. Reviewing access control configuration is the first task performed to determine whether security has been appropriately mapped in the system.
Many IT projects experience problems because the development time and/or resource requirements are underestimated. Which of the following techniques provides the GREATEST assistance in developing an estimate of project duration?
A.Function point analysis
B.Program evaluation review technique (PERT) chart
C.Rapid application development
D.Object-oriented system development
B. The program evaluation review technique (PERT) method works on the principle of obtaining project timelines based on project events for three likely scenarios—worst, best and normal. The timeline is calculated by a predefined formula and identifies the critical path, which identifies the key activities that must be prioritized. A PERT chart helps determine project duration after all the activities and the work involved with those activities are known.
Which of the following BEST helps an information systems (IS) auditor assess and measure the value of a newly implemented system?
A.Review of business requirements
B.System certification
C.Postimplementation review
D.System accreditation
C. One key objective of a postimplementation review is to evaluate the projected cost-benefits or the return-on-investment measurements.
The most common reason for the failure of information systems to meet the needs of users is that:
A.user needs are constantly changing.
B.the growth of system requirements was forecast inaccurately.
C.the hardware system limits the number of concurrent users.
D.user participation in defining the system’s requirements was inadequate.
D. Lack of adequate user involvement, especially in the system’s requirements phase, usually results in a system that does not fully or adequately address the needs of the user. Only users can define what their needs are and, therefore, what the system should accomplish.
Following good practices, formal plans for implementation of new information systems are developed during the:
A.development phase.
B.design phase.
C.testing phase.
D.deployment phase.
B. The method of implementation may affect the design of the system. Therefore, planning for implementation should begin well in advance of the actual implementation date. A formal implementation plan should be constructed in the design phase and revised as the development progresses.
An organization is migrating from a legacy system to an enterprise resource planning system. While reviewing the data migration activity, the MOST important concern for the information systems (IS) auditor is to determine that there is a:
A.correlation of semantic characteristics of the data migrated between the two systems.
B.correlation of arithmetic characteristics of the data migrated between the two systems.
C.correlation of functional characteristics of the processes between the two systems.
D.relative efficiency of the processes between the two systems.
A. Because the two systems can have a different data representation, including the database schema, the information systems (IS) auditor’s main concern should be to verify that the interpretation of the data (structure) is the same in the new system as it was in the old system.
An information systems (IS) auditor is reviewing a project that is using an agile software development approach. Which of the following should the IS auditor expect to find?
A.Use of a capability maturity model (CMM).
B.Regular monitoring of task-level progress against schedule.
C.Extensive use of software development tools to maximize team productivity.
D.Post-iteration reviews that identify lessons learned for future use in the project.
D. A key tenet of the agile approach to software project management is ongoing team learning to refine project management and software development processes as the project progresses. The team considers and documents what worked well and what could have worked better at the end of each iteration and identifies improvements to be implemented in subsequent iterations. Additionally, less importance is placed on formal paper-based deliverables, with the preference being effective informal communication within the team and with key outside contributors. Agile projects produce releasable software in short iterations, typically ranging from four-to-eight weeks, which instills considerable performance discipline within the team. These practices, combined with short daily meetings to agree on what the team is doing and the identification of any impediments, render task-level tracking against a schedule redundant.
An organization recently deployed a customer relationship management application that was developed in-house. Which of the following is the BEST option to ensure that the application operates as designed?
A.User acceptance testing (UAT)
B.Project risk assessment
C.Postimplementation review
D.Management approval of the system
C. The purpose of a postimplementation review is to evaluate how successfully the project results match original goals, objectives and deliverables. The postimplementation review also evaluates how effective the project management practices were in keeping the project on track.
Which of the following should an information systems (IS) auditor review to gain an understanding of the effectiveness of controls over the management of multiple projects?
A.Project information
B.Policy documents
C.Project portfolio information
D.Program organization
C. Project portfolio information is the basis for project portfolio management. It includes project data, such as owner, schedules, objectives, project type, status and cost. Project portfolio management requires specific project portfolio reports.
The MOST important point of consideration for an information systems (IS) auditor while reviewing an enterprise’s project portfolio is that it:
A.does not exceed the existing IT budget.
B.is aligned with the investment strategy.
C.has been approved by the IT steering committee.
D.is aligned with the business plan.
D. Portfolio management takes a holistic view of an enterprise’s overall IT strategy, which, in turn, should be aligned with the business strategy. A business plan provides the justification for each of the projects in the project portfolio, and that is the major consideration for an information systems (IS) auditor.
In an online transaction processing system, data integrity is maintained by ensuring that a transaction is either completed in its entirety or not at all. This principle of data integrity is known as:
A.isolation.
B.consistency.
C.atomicity.
D.durability.
C. The principle of atomicity requires that a transaction be completed in its entirety or not at all. If an error or interruption occurs, all changes made up to that point are backed out.
Which of the following types of risk can result from inadequate software project baselining?
A.Sign-off delays
B.Software integrity violations
C.Scope creep
D.Inadequate controls
C. A software baseline is the cutoff point in the design and development of a system. Beyond this point, additional requirements or modifications to the scope must go through formal, strict procedures for approval based on a business cost-benefit analysis. Failure to adequately manage a system through baselining can result in uncontrolled changes in a project’s scope and may incur time and budget overruns.
A project manager for a project that is scheduled to take 18 months to complete announces that the project is in a healthy financial position because, after six months, only one-sixth of the budget has been spent. The information systems (IS) auditor should FIRST determine:
A.the amount of progress achieved compared to the project schedule.
B.if the project budget can be reduced.
C.if the project can be completed ahead of schedule.
D.if the budget savings can be applied to increase the project scope.
A. Cost performance of a project cannot be properly assessed in isolation of schedule performance. Cost cannot be assessed simply in terms of elapsed time on a project.
Which of the following system and data conversion strategies provides the GREATEST redundancy?
A.Direct cutover
B.Pilot study
C.Phased approach
D.Parallel run
D. Parallel runs are the safest—although the most expensive—approach because both the old and new systems are run, thus incurring what might appear to be double costs.
Normally, it is essential to involve which of the following stakeholders in the initiation stage of a project?
A.System owners
B.System users
C.System designers
D.System builders
A. System owners are the information systems (project) sponsors or chief advocates. They normally are responsible for initiating and funding projects to develop, operate and maintain information systems.
An information systems (IS) auditor reviewing a series of completed projects finds that the implemented functionality often exceeded requirements and most of the projects ran significantly over budget. Which of these areas of the organization’s project management process is the MOST likely cause of this issue?
A.Project scope management
B.Project time management
C.Project risk management
D.Project procurement management
A. Because the implemented functionality is greater than what was required, the most likely cause of the budget issue is failure to effectively manage project scope. Project scope management is defined as the processes required to ensure that the project includes all of the required work, and only the required work, to complete the project.
A project development team is considering using production data for its test deck. The team removed sensitive data elements before loading it into the test environment. Which of the following additional concerns should an information systems (IS) auditor have with this practice?
A.Not all functionality will be tested.
B.Production data are introduced into the test environment.
C.Specialized training is required.
D.The project may run over budget.
A. A primary risk of using production data in a test deck is that not all transactions or functionality may be tested if there are no data that meet the requirement.
Which of the following controls helps prevent duplication of vouchers during data entry?
A.Range check
B.Transposition and substitution
C.Sequence check
D.Cyclic redundancy check
C. A sequence check involves increasing the order of numbering and validates whether the vouchers are in sequence, and, thus, prevents duplicate vouchers.
An advantage of using sanitized live transactions for test data is that:
A.all transaction types are included.
B.every error condition is likely to be tested.
C.no special routines are required to assess the results.
D.test transactions are representative of live processing.
D. Test data is representative of live processing; however, it is important that all sensitive information in the live transaction file is sanitized to prevent improper data disclosure.
During the audit of an acquired software package, an information systems (IS) auditor finds that the software purchase was based on information obtained through the Internet, rather than from responses to a request for proposal. The IS auditor should FIRST:
A.test the software for compatibility with existing hardware.
B.perform a gap analysis.
C.review the licensing policy.
D.ensure that the procedure had been approved.
D. In the case of a deviation from the predefined procedures, an IS auditor should first ensure that the procedure followed for acquiring the software is consistent with the business objectives and has been approved by the appropriate authorities.
During the requirements definition stage of a proposed enterprise resource planning system, the project sponsor requests that the procurement and accounts payable modules be linked. Which of the following test methods is the BEST to perform?
A.Unit testing
B.Integration testing
C.Sociability testing
D.Quality assurance (QA) testing
B. Integration testing is a hardware or software test that evaluates the connection of two or more components that pass information from one area to another. The objective is to take unit-tested modules and build an integrated structure dictated by design.
Regression testing is undertaken PRIMARILY to ensure that:
A.system functionality meets customer requirements.
B.a new system can operate in the target environment.
C.applicable development standards have been maintained.
D.applied changes have not introduced new errors.
D. Regression testing is used to test for the introduction of new errors in the system after changes have been applied.
During which of the following phases in system development are user acceptance testing (UAT) plans normally prepared?
A.Feasibility study
B.Requirements definition
C.Implementation planning
D.Postimplementation review
B. During requirements definition, the project team works with the users to define their precise objectives and functional needs. The users should be working with the team to consider and document how the system functionality can be tested to ensure that it meets their stated needs. An information systems (IS) auditor should know at what point user testing should be planned to ensure that it is most effective and efficient.
When auditing the proposed acquisition of a new computer system, an information systems (IS) auditor should FIRST ensure that:
A.a clear business case has been approved by management.
B.corporate security standards will be met.
C.users will be involved in the implementation plan.
D.the new system will meet all required user functionality.
A. The first concern of an information systems (IS) auditor is to ensure that the proposal meets the needs of the business. This should be established by a clear business case.
Which of the following has the MOST significant impact on the success of an application system implementation?
A.Prototyping application development methodology
B.Compliance with applicable external requirements
C.Overall organizational environment
D.Software reengineering technique
C. The overall organizational environment has the most significant impact on the success of application systems implemented. This includes the alignment between IT and the business, the maturity of the development processes and the use of change control and other project management tools.
A small company cannot segregate duties between its development processes and its change control function. What is the BEST way to ensure that the tested code is the code that is moved into production?
A.Release management software
B.Manual code comparison
C.Regression testing in preproduction
D.Management approval of changes
A. Automated release management software can prevent unauthorized changes by moving code into production without any manual intervention.
An information systems (IS) auditor is involved in the reengineering process that aims to optimize IT infrastructure. Which of the following will BEST identify the issues to be resolved?
A.Self-assessment
B.Reverse engineering
C.Prototyping
D.Gap analysis
D. Gap analysis is the best method to identify issues that need to be addressed in the reengineering process. Gap analysis indicates which parts of current processes conform to good practices (desired state) and which parts do not.
Which of the following considerations is the MOST important while evaluating a business case for the acquisition of a new accounting application?
A.Total cost of ownership of the application
B.The resources required for implementation
C.Return on investment (ROI) for the enterprise
D.The cost and complexity of security requirements
C. The proposed ROI benefits, and targets or metrics that can be measured, are the most important aspects of a business case. While reviewing the business case, it should be verified that the proposed ROI is achievable, does not make unreasonable assumptions and can be measured for success. (Benefits realization should look beyond project cycles to longer-term cycles that consider the total benefits and total costs throughout the life of the new system.)
An information systems (IS) auditor who is invited to a project development meeting notes that no project risk has been documented. When the IS auditor raises this issue, the project manager responds that it is too early to identify risk and that, if risk starts impacting the project, a risk manager will be hired. The appropriate response of the IS auditor is to:
A.stress the importance of spending time at this point in the project to consider and document risk and to develop contingency plans.
B.accept the project manager’s position because the project manager is accountable for the outcome of the project.
C.offer to work with the risk manager when one is appointed.
D.inform the project manager that the IS auditor will conduct a review of the risk at the completion of the requirements definition phase of the project.
A. The majority of project risk can be identified before a project begins, allowing mitigation/avoidance plans to be put in place to deal with this risk. A project should have a clear link back to corporate strategy, enterprise risk management and tactical plans to support this strategy. The process of setting corporate strategy, setting objectives and developing tactical plans should include the consideration of risk.
During the review of a web-based software development project, an information systems (IS) auditor realizes that coding standards are not enforced and code reviews are rarely carried out. These issues will MOST likely increase the likelihood of a successful:
A.buffer overflow.
B.brute force attack.
C.distributed denial of service (DDoS) attack.
D.war dialing attack.
A. Poorly written code, especially in web-based applications, is often exploited by hackers using buffer overflow techniques.
Which of the following data validation edits is effective in detecting transposition and transcription errors?
A.Range check
B.Check digit
C.Validity check
D.Duplicate check
B. A check digit is a numeric value that is calculated mathematically and is appended to data to ensure that the original data have not been altered (e.g., an incorrect, but valid, value substituted for the original). This control is effective in detecting transposition and transcription errors.
Which of the following is the PRIMARY purpose for conducting parallel testing?
A.To determine whether the system is cost-effective
B.To enable comprehensive unit and system testing
C.To highlight errors in the program interfaces with files
D.To ensure the new system meets user requirements
D. The purpose of parallel testing is to ensure that the implementation of a new system will meet user requirements by comparing the results of the old system with the new system to ensure correct processing.
What is the PRIMARY goal of natural language processing in the field of artificial intelligence?
A.To create algorithms that mimic human cognitive processes and decision making
B.To build intelligent systems capable of autonomously learning from data
C.To develop machines capable of understanding and generating human language
D.To design robots and physical agents that can interact with the environment
C. The primary goal of NLP is to enable machines to understand, interpret and generate human language in a way that is similar to how humans process language. NLP involves tasks such as language translation, sentiment analysis, text summarization and speech recognition.
An information systems (IS) auditor is reviewing system development for a health care organization with two application environments—production and test. During an interview, the auditor notes that production data are used in the test environment to test program changes. What is the MOST significant potential risk from this situation?
A.The test environment may not have adequate controls to ensure data accuracy.
B.The test environment may produce inaccurate results due to use of production data.
C.Hardware in the test environment may not be identical to the production environment.
D.The test environment may not have adequate access controls implemented to ensure data confidentiality.
D. In many cases, the test environment is not configured with the same access controls that are enabled in the production environment. For example, programmers may have privileged access to the test environment (for testing purposes), but not to the production environment. If the test environment does not have adequate access control, the production data are subject to risk of unauthorized access and/or data disclosure. This is the most significant risk of the choices listed and is especially important in a health care organization where patient data confidentiality is critical and privacy laws in many countries impose strict penalties on misuse of these data.
Which of the following BEST describes the concept of overfitting in machine learning (ML)?
A.Overfitting happens when a model fails to capture the underlying patterns and relationships in the training data.
B.Overfitting occurs when advanced algorithms are underused in machine learning (ML).
C.Overfitting occurs when the training data are insufficient to train an ML model effectively.
D.Overfitting occurs when a model performs well on the training data but fails to generalize to new, unseen data.
D. Overfitting happens when a model becomes overly complex and starts fitting the noise or random fluctuations in the training data, which leads to poor performance on new, unseen data.
The BEST time for an information systems (IS) auditor to assess the control specifications of a new application software package that is being considered for acquisition is during:
A. the internal lab testing phase.
B. testing and prior to user acceptance.
C. the requirements gathering phase.
D. the implementation phase.
C. The best time for the involvement of an IS auditor is at the beginning of the requirements definition of the development or acquisition of applications software, providing maximum opportunity for review of the vendors and their products. Early engagement of an IS auditor also minimizes the potential of a business commitment to a given solution that might be inadequate and more difficult to overcome as the process continues.
An organization is implementing an enterprise resource planning (ERP) application. Of the following, who is PRIMARILY responsible for overseeing the project to ensure that it is progressing in accordance with the project plan and that it will deliver the expected results?
A. Project sponsor
B. System development project team
C. Project steering committee
D. User project team
C. A project steering committee that provides an overall direction for the enterprise resource planning (ERP) implementation project is responsible for reviewing the project’s progress to ensure that it will deliver the expected results.
The PRIMARY objective of conducting a postimplementation review for a business process automation project is to:
A. ensure that the project meets the intended business requirements.
B. evaluate the adequacy of controls.
C. confirm compliance with technological standards.
D. confirm compliance with regulatory requirements.
A. Ensuring that the project meets the intended business requirements is the primary objective of a postimplementation review.
During the system testing phase of an application development project, the information systems (IS) auditor should review the:
A. conceptual design specifications.
B. vendor contract.
C. error reports.
D. program change requests.
C. Testing is crucial in determining that user requirements have been validated. The information systems (IS) auditor should be involved in this phase, review error reports for their precision in recognizing erroneous data and review the procedures for resolving errors.
Which of the following types of testing determines whether a new or modified system can operate in its target environment without adversely impacting other existing systems?
A. Parallel testing
B. Pilot testing
C. Interface/integration testing
D. Sociability testing
D. The purpose of sociability testing is to confirm that a new or modified system can operate in its target environment without adversely impacting existing systems. This should cover the platform that will perform primary application processing and interfaces with other systems, and changes to the desktop in a client-server or web development.
The PRIMARY objective of performing a postincident review is that it presents an opportunity to:
A. improve the internal control process.
B. harden the network to industry good practices.
C. highlight the importance of incident response management to management.
D. improve employee awareness of the incident response process.
A postincident review examines the cause and response to an incident. The lessons learned from the review can be used to improve internal controls. Understanding the purpose and structure of postincident reviews and follow-up procedures enables the information security manager to continuously improve the security program. Improving the incident response plan based on the incident review is an internal (corrective) control.
A large industrial organization is replacing an obsolete legacy system and evaluating whether to buy a custom solution or develop a system in-house. Which of the following will MOST likely influence the decision?
A. Technical skills and knowledge within the organization related to sourcing and software development
B. Privacy requirements applied to the data processed by the application
C. Whether the legacy system being replaced was developed in-house
D. The users not devoting reasonable time to defining the functionalities of the solution
A. Critical core competencies will most likely be carefully considered before outsourcing the planning phase of the application.
A failure discovered in which of the following testing stages would have the GREATEST impact on the implementation of new application software?
A. System testing
B. Acceptance testing
C. Integration testing
D. Unit testing
B. Acceptance testing is the final stage before the software is installed and available for use. Software failure at the acceptance testing level has the greatest impact on implementation because this can result in delays and cost overruns.
Which of the following is an advantage of prototyping?
A. The finished system normally has strong internal controls.
B. Prototype systems can provide significant time and cost savings.
C. Change control is often less complicated with prototype systems.
D. Prototyping ensures that functions or extras are not added to the intended system.
B. Prototype systems can provide significant time and cost savings through better user interaction and the ability to rapidly adapt to changing requirements; however, they also have several disadvantages, including loss of overall security focus, project oversight and implementation of a prototype that is not yet ready for production.
An advantage of using a bottom-up versus a top-down approach to software testing is that:
A. interface errors are detected earlier.
B. confidence in the system is achieved earlier.
C. errors in critical modules are detected earlier.
D. major functions and processing are tested earlier.
C. The bottom-up approach to software testing begins with the testing of atomic units, such as programs and modules, and works upward until complete system testing has taken place. The advantage of using a bottom-up approach to software testing is that errors in critical modules are found earlier.
Documentation of a business case used in an IT development project should be retained until:
A. the end of the system’s life cycle.
B. the project is approved.
C. user acceptance of the system.
D. the system is in production.
A. A business case should be used throughout the life cycle of the product. It serves as an anchor for new management personnel, helps to maintain focus and provides valuable information on estimates versus actuals. Questions, such as “Why do we do that?”, “What was the original intent?” and “How did we perform against the plan?”, can be answered, and lessons for developing future business cases can be learned.
Which testing approach is MOST appropriate to ensure that internal application interface errors are identified as soon as possible?
A. Bottom-up testing
B. Sociability testing
C. Top-down testing
D. System testing
C. The top-down approach to testing ensures that interface errors are detected early and that testing of major functions is conducted early.
The use of object-oriented design and development techniques MOST likely:
A. facilitates the ability to reuse modules.
B. improves system performance.
C. enhances control effectiveness.
D. speeds up the system development life cycle (SDLC).
A. One of the major benefits of object-oriented design and development is the ability to reuse modules.
A legacy payroll application was migrated to a new application. Which of the following stakeholders should be PRIMARILY responsible for reviewing and signing off on the accuracy and completeness of the data before going live?
A. Information systems (IS) auditor
B. Database administrator (DBA)
C. Project manager
D. Data owner
D. During the data conversion stage of a project, the data owner is primarily responsible for reviewing and signing off that the data are migrated completely and accurately and are valid.
The reason for establishing a stop or freezing point on the design of a new system is to:
A. prevent further changes to a project in process.
B. indicate the point at which the design is to be completed.
C. require that changes after that point be evaluated for cost-effectiveness.
D. provide the project management team with more control over the project design.
C. Projects often tend to expand, especially during the requirements definition phase. This expansion often grows to a point where the originally anticipated cost benefits are diminished because the cost of the project has increased. When this occurs, it is recommended that the project be stopped or frozen to allow a review of all the cost benefits and the payback period.