Domain 3 Vocabulary Flashcards

1
Q

The application of knowledge, skills, tools and techniques to a broad range of activities to achieve a stated objective, such as meeting the defined user requirements, budget and deadlines for an IS project.

A

project management

2
Q

The project manager does not have formal management authority

A

Functional-structured organization

3
Q

The project manager has formal authority over those taking part in the project

A

Project-structured organization

4
Q

Type of management authority that is shared between the project manager and department heads

A

matrix-structured organization

5
Q

Which role…
o Provides overall direction and ensures appropriate representation of the major stakeholders in the project outcome
o Is ultimately responsible for all deliverables, project costs and schedules
o Includes a senior representative from each business area that will be significantly impacted by the proposed new system or system modification
o Requires the project manager to be a member of this committee
o Gives authority to each member to make decisions related to system designs that will affect their respective departments
o Includes the project sponsor, who assumes overall ownership and accountability of the project and chairs the steering committee
o Reviews project progress regularly and holds emergency meetings when required
o Serves as a project coordinator and advisor; therefore, members should be available to answer questions and make user-related decisions about system and program design
o Takes corrective action if necessary due to project progress and issues escalated to the committee

A

Project steering committee

6
Q

Which role…
o Demonstrates commitment to the project, which ensures involvement by those needed to complete the project
o Approves necessary resources to complete the project

A

Senior Management

7
Q

Which role…
o Provides funding for the project
o Works closely with the project manager to define the critical success factors and metrics for measuring success of the project
o Assumes ownership of data and application
o Is typically the senior manager in charge of the primary business unit that the application will support

A

Project Sponsor

8
Q

Which role…
o Assumes ownership of the project and resulting system
o Allocates qualified representatives to the team
o Actively participates in business process redesign, system requirements definition, test case development, acceptance testing and user training
o Reviews and approves system deliverables as they are defined and implemented

A

User management

9
Q

Which role…
o Completes assigned tasks
o Communicates effectively with the systems developers by actively involving themselves in the development projects as subject matter experts
o Works according to local standards
o Advises the project manager of expected and actual project plan deviations

A

User project team

10
Q

Which role…
o Provides day-to-day management and leadership of the project
o Ensures that project activities remain in line with the overall direction
o Ensures appropriate representation of the affected departments
o Ensures that the project adheres to local standards
o Ensures that deliverables meet the quality expectations of key stakeholders
o Resolves interdepartmental conflicts
o Monitors and controls costs and the project timetable
o Often facilitates the definition of the project scope, manages the budget and controls the activities via a project schedule
o Has a line responsibility for personnel when projects are staffed by personnel dedicated to the project

A

Project manager

11
Q

Which role…
o Reviews results and deliverables within each phase and at the end of each phase and confirms compliance with requirements. The points where reviews occur depend on the:
   o System development life cycle (SDLC) methodology used
   o Structure and magnitude of the system
   o Impact of potential deviations
o May review appropriate process-based activities related to either project management or the use of specific software engineering processes within a particular lifecycle phase. This is crucial to completing a project on schedule and within budget and in achieving a given software process maturity level
o Has the objective to ensure the quality of the project by measuring the adherence of the project staff to the enterprise SDLC, advising on the deviations, and proposing recommendations for process improvements or greater control points when deviations occur

A

Quality assurance (QA)

12
Q

Which role…
o Provides technical support for hardware and software environments by developing, installing, and operating the requested system
o Provides assurance that the system is compatible with the enterprise computing environment and strategic IT direction
o Assumes operating support and maintenance activities after installation

A

Systems development management

13
Q

Which role…
o Completes assigned tasks
o Communicates effectively with users by actively involving them in the development process
o Works according to local standards
o Advises the project manager of necessary project plan deviations

A

Systems development project team

14
Q

Which role…
o Ensures system controls and supporting processes provide an effective level of protection, based on the data classification set in accordance with enterprise security policies and procedures
o Consults throughout the life cycle on appropriate security measures that should be incorporated into the system
o Reviews security test plans and reports prior to implementation
o Evaluates security-related documents developed for reporting the system security effectiveness for accreditation
o Periodically monitors the security system effectiveness during its operational life

A

Security officer

15
Q

Which role…
o Applies scientific and engineering principles to identify security vulnerabilities and minimize or contain risk associated with these vulnerabilities
o Defines the needs, requirements, architectures and designs to construct network, platform and application constructs according to the principles of both defense in breadth and security in depth

A

Information system security engineer

16
Q

Which role…
o Ensures that applicable data privacy considerations are made to ensure that the rights of data subjects are upheld, by ensuring that proper system controls and supporting processes provide required privacy-related requirements in line with the enterprise privacy program

A

Privacy Officer

17
Q

Defined as all of the projects being carried out in an enterprise at a given point in time

A

project portfolio

18
Q

Group of projects and tasks that are closely linked together through common strategies, objectives, budgets and schedules.

A

program

19
Q

As an owner of the project management and program management process, must be a permanent structure and adequately staffed to provide professional support in these areas to maintain current, and develop new, procedures and standards. Its objective is to improve project and program management quality and secure project success, but it can focus only on activities and tasks and not on project or program content.

A

PMO

20
Q

May be measured as value of benefits over costs, which then can be compared with the enterprise costs of funds, to make a go/no-go decision.

A

ROI

21
Q

States the objective of the project, the stakeholders of the new system, the project manager and sponsor

A

project charter

22
Q

o One-on-one meetings – One-on-one meetings and a project start workshop help to facilitate two-way communication between the project team members and the project manager.
o Kick-off meetings – A kick-off meeting may be used by a project manager to inform the team of what must be done for the project. Communications involving significant project events should be documented as part of the project artifacts (project charter meeting, kick-off meeting, gate reviews, stakeholder meetings, etc.).
o Project start workshops – A preferred method to ensure that communication is open and clear among the project team members is to use a project start workshop to obtain cooperation from all team members and buy-in from stakeholders. This helps develop a common overview of the project and communicates the project culture early in the project.
o A combination of the three – An enterprise may choose to use two or more of these methods to initiate a project.

A

How the initiation of a project may be achieved

23
Q

Specific action statements that support attainment of project goals.

A

Project objectives

24
Q

It presents the individual components of the solution and their relationships to each other in a hierarchical manner, either graphically or in a table; can help, especially when dealing with intangible project results, such as organizational enterprise development, to ensure that a material deliverable is not overlooked.

A

object breakdown structure (OBS)

25
Q

Designed to structure all the tasks that are necessary to build up the elements of the OBS during the project; represents the project in terms of manageable and controllable units of work, serves as a central communications tool in the project and forms the baseline for cost and resource planning.

A

work breakdown structure (WBS)

26
Q

Must have a distinct owner and a list of main objectives and may have a list of additional objectives and out-of-scope objectives.

A

work packages (WP)

27
Q

What stage of the project?
o Scope of the project (with agreement from stakeholders)
o Various tasks that need to be performed to produce the expected business application system
o Sequence or order in which these tasks need to be performed
o Duration of time window for each task
o Priority of each task
o IT and non-IT supporting resources that are available and required to perform these tasks
o Budget or cost for each of these tasks
o Source and means of funding for labor, services, materials, and plant and equipment resources involved in the project

A

Project planning

28
Q

By using estimates from prior projects, the project manager can develop the estimated cost for a new project. This is the quickest estimation technique.

A

Analogous estimating

29
Q

The project manager looks at the same past data that were used in analogous estimating and leverages statistical data (estimated employee hours, material costs, technology, etc.) to develop the estimate. This approach is more accurate than analogous estimation.

A

Parametric estimating

30
Q

In this method, the cost of each activity in the project is estimated to the greatest detail (example – starting at the bottom), and then all the costs are added to arrive at the cost estimate of the entire project. Although the most accurate estimate, this is the most time-consuming approach.

A

Bottom-up estimating

31
Q

Like analogous estimating, this approach takes an extrapolation from the actual costs that were incurred on the same system during past projects.

A

Actual costs

32
Q

Methods of determining the relative physical size of the application software to be developed. Estimates can be used to:
* guide the allocation of resources
* judge the time and cost required for its development
* compare the total effort required for the resources
- Has been performed using single-point estimations (based on a single parameter), such as source lines of code (SLOC)
- Current technologies now take the form of more abstract representations, such as diagrams, objects, spreadsheet cells, database queries and graphical user interface (GUI) widgets. These technologies are more closely related to functionality deliverables than to work or lines that need to be created.

A

Software Size Estimation

33
Q

Multiple-point technique used for estimating complexity in developing large business applications; measure of the size of an IS based on the number and complexity of the inputs, outputs, files, interfaces and queries that a user sees and interacts with. This is an indirect measure of software size and the process by which it is developed versus direct size-oriented measures, such as SLOC counts.

A

Function Point Analysis

34
Q

Chart shows when an activity should begin and when it should end along a timeline. The charts also show which activities can occur concurrently and which activities must be completed sequentially; also can reflect the resources assigned to each task and by what percent allocation, and aid in identifying activities that have been completed early or late by comparison to a baseline. Progress of the entire project can be ascertained to determine whether the project is behind, ahead or on schedule compared to the baseline project plan; can also be used to track the achievement of milestones or significant accomplishments for the project, such as the end of a project phase or completion of a key deliverable.

A

Gantt charts

35
Q

Sequence of activities that produces the longest path through a project; are important because, if everything goes according to schedule, they help estimate the shortest possible completion time for the overall project.

A

critical path

36
Q

Activities that are not in the critical path have this, which is the difference between the latest possible completion time of each activity that will not delay the completion time of the overall project and the earliest possible completion time based on the predecessor activities.

A

slack time

37
Q

CPM-type technique that uses three estimates of each activity duration. The three estimates are reduced to a single number (by applying a mathematical formula), and then the classic CPM algorithm is applied; is often used in system development projects with uncertain durations (pharmaceutical research or complex software development). The first step is to identify all the activities and related events/milestones of the project and their relative sequence.

A

Program Evaluation Review Technique (PERT)

38
Q

Project management technique for defining and deploying software deliverables within a relatively short and fixed time period and with predetermined specific resources. There is a need to balance software quality and meet the delivery requirements; can be used to accomplish prototyping or rapid application development (RAD)-type approaches in which key features are to be delivered in a short time frame. Key features include interfaces for future integrations. The major advantage of this approach is that it prevents project cost overruns and delays from scheduled delivery. The project does not necessarily eliminate the need for a quality process. The design and development phase is shortened due to the use of newer developmental tools and techniques. The preparation of test cases and testing requirements are easily documented as a result of end-user participation. System test and user acceptance testing are normally performed together.

A

Timebox Management

39
Q

After planning efforts have been completed, the program manager, in coordination with the PMO, starts the actual project of the planned tasks as described in the plans, processes and procedures. The program and project management team initiates monitoring of internal team production and quality metrics and monitors these metrics from contractors and vendors. A key success factor is the project’s oversight of the integrated team in the IT system requirements, architecture, design, development, testing, implementing and transitioning to production operations.

A

Project execution

40
Q

Activities of a project include management of scope, resource usage and risk. It is important that new requirements for the project be documented and, if approved, allocated appropriate resources. Control of change during a project ensures that projects are completed within stakeholder requirements of time, use of funds and quality objectives. Stakeholder satisfaction should be addressed with effective and accurate requirements capture, proper documentation, baselining and skilled steering committee activity.

A

Project Controlling and Monitoring

41
Q

Process by which the project budget is spent. To determine whether actual spending is in line with planned spending, resource usage must be measured and reported. In addition to spending, productivity must be monitored to determine if resource allocation is on task. Whether this is happening can be checked with a technique called earned value analysis (EVA).

EVA consists of comparing the metrics at regular intervals during the project, such as:
* Budget to date
* Actual spending to date
* Estimate to complete
* Estimate at completion

A

Management of Resource Usage

42
Q

Defined as an uncertain event or condition that would impact relevant aspects of the project. There are two main categories of project risk: the category that impacts the business benefits (and therefore, endangers the reasons for the project’s existence) and the category that impacts the project itself. The project sponsor is responsible for mitigating the first category of risk and the project manager is responsible for mitigating the second category.

A

Management of Risk

43
Q

Requires careful documentation in the form of a WBS. This documentation forms part of the project plan or the project baseline. Changes to the scope almost invariably lead to changes in required activities and impact deadlines and budget. Therefore, it is necessary to have a change management process, including a formal change request submitted to the project manager. Only stakeholders are allowed to submit change requests. Copies of all change requests should be archived in the project file. The project manager judges the impact of each change request (on behalf of the sponsor) and decides whether to recommend the change. If the change is accepted, the project manager is instructed to update the project plan to reflect the requested change. The updated project plan must be formally confirmed by the project sponsor – accepting or rejecting the recommendation of the change advisory board.

A

Management of Scope Changes

44
Q

New or modified system will be handed over to the users and/or system support staff. At this point, any outstanding issues will need to be assigned. The project sponsor should be satisfied that the system produced is acceptable and ready for delivery.

A

Project closing

45
Q

Typically completed after the project has been in use (or in production) for some time – long enough to realize its business benefits and costs and measure the project's overall success and impact on the business units. Metrics used to quantify the value of the project include total cost of ownership (TCO) and ROI.

A

Postimplementation review

46
Q

Should be a key element of the decision process throughout the life cycle of any project. If, at any stage, ??? is thought to no longer be valid, the project sponsor or IT steering committee should consider whether the project should proceed. If the ??? changes during an IT project, the project should be reapproved through the departmental planning and approval process.

A

Business case

47
Q

In a well-planned project, there will be decision points, at which a business case is formally reviewed to ensure that it is still valid

A

stage gates or kill points

48
Q

Undertaken as part of the project initiation/planning. This is an early study of a problem to assess if a solution is practical and meets requirements within established budgets and schedule requirements. Will normally include the following six elements:
1. Project Scope - Definition of the business problem and/or opportunity to be addressed. It should be clear, concise and to the point.
2. Current Analysis - Definition and establishment of an understanding of a system, a software project, etc. Based on this analysis, it may be determined that the current system or software product is working correctly, some minor modifications are needed, or a complete upgrade or replacement is required. At this point in the process, the strengths and weaknesses of the current system or software project are identified.
3. Requirements – Definition of project requirements based on stakeholder needs and constraints. Defining requirements for software differs from defining requirements for systems. The following are examples of needs and constraints used to define requirements:
   a. Business, contractual and regulatory processes
   b. End-user functional needs
   c. Technical and physical attributes defining operational and engineering parameters
4. Approach – Definition of a course of action to satisfy the requirements for a recommended system and/or software solution. This step clearly identifies the alternatives that were considered and the rationale for why the preferred solution was selected. This is the process wherein the use of existing structures and commercial alternatives are considered (build vs buy decisions)
5. Evaluation – Examination of the cost-effectiveness of the project based on the previously completed elements within the feasibility study. The final report addresses the cost-effectiveness of the approach selected. Elements of the final report include:
   a. The estimated total cost of the project if the preferred solution is selected, and the alternates to provide a cost comparison, including:
      i. Estimate of employee hours required to complete
      ii. Material and facility costs
      iii. Vendors and third-party contractors’ costs
   b. Project schedule start and end dates
   c. A cost and evaluation summary encompassing cost-benefit analysis, ROI, etc.
6. Review – Reviews (formal) of the previously completed elements of the feasibility study to validate the completeness and accuracy of the feasibility study and render a decision to either approve or reject the project or ask for corrections before making a final decision. The review and report are conducted with all key stakeholders. If the feasibility study is approved, all key stakeholders sign the document. Rationale for rejection of the feasibility study should be explained.

A

feasibility study

49
Q

Part of a life cycle process with defined phases applicable to deployment, maintenance and retirement. In this process, each phase is an incremental step that lays the foundation for the next phase, which ensures effective management control in building and operating business application systems.

A

Business application development

50
Q

Collect, collate, store, archive and share information with business users and various applicable support functions on a need-to-know basis. Thus, sales data are made available to accounts, administration, governmental levy payment departments, etc. Regulatory levy fulfillment (tax compliance) is also addressed by the presence of organization-centric applications; usually use the SDLC or other, more detailed software engineering approaches for development.

A

Organization-centric

51
Q

Provide different views of data for their performance optimization. This objective includes decision support systems (DSSs) and geographic information systems (GISs). Most of these applications are developed using alternative development approaches.

A

End-user-centric

52
Q

Life cycle verification approach that ensures that any potential mistakes are corrected early and not solely during final acceptance testing. The life cycle approach is the oldest and most commonly used model for developing business applications. This approach works best when project requirements are likely to be stable and well defined. It facilitates the determination of a system architecture relatively early in the development effort. This approach is based on a systematic, sequential approach to system and/or software development. The traditional approach is useful in web applications in which prototypes of screens are necessary to aid in the completion of the requirements and design.
* Requirements
* Design
* Implementation
* Verification
* Maintenance
The primary advantage of the waterfall approach is that it provides a template into which methods for the requirements (example – definition, design, programming, etc.) can be placed. However, some of the problems encountered with this approach include:
* Unanticipated events that result in iterations, creating problems in implementing the approach
* Difficulty obtaining an explicit set of requirements from the customer/user, which the approach requires
* Managing requirements and convincing the user about the undue or unwarranted requirements in the system functionality, which may lead to conflict in the project
* The necessity of customer/user patience, which is required because, with this approach, a working version of the system’s programs will not be available until late in the project’s lifecycle
* A changing business environment that alters or changes the customer/user requirements before they are delivered

A

Traditional waterfall

53
Q

Model is a cyclical process in which business requirements are developed and tested in iterations until the entire application is designed, built and tested. During each ???, the development process goes through each phase, from requirements through testing, and each subsequent cycle incrementally improves the process. This model is suitable for large projects and allows for independent features to be delivered to users periodically.

Some of the problems encountered with this approach include the following:
* Additional and more complex project management may be required
* Risk analysis is required more often and likely by an efficient and highly qualified resource
* Overall project completion date may be ambiguous.

A

Iteration

54
Q

Emphasizes the relationship between development phases and testing levels. The most granular testing – the unit test – occurs immediately after programs have been written to identify and fix defects at an early stage. Following this model, testing validates the detailed design. System testing relates to the architectural specification of the system to verify that it meets the specified requirements while final UAT references the requirements (software meets the business needs). UAT is user-friendly and makes sure that the software functions correctly in real-world scenarios.

Provides many advantages, particularly for smaller projects. This is a highly disciplined model with strict phases and verification and validation activities through the development life cycle. This emphasis on discipline and testing can give greater assurance that user requirements are met, and security is maintained during development.

Some of the problems encountered with this approach:
* The inflexibility may make it hard to leverage for complex projects or projects with a high probability of change occurring during development.
* Concurrent events or development dependencies may cause delays to the overall development timeline
* An overreliance on documentation may lead to less time being spent on the development

A

verification and validation model, also called the V-model or V-shaped model

55
Q

Phase 1 of SDLC:
Feasibility Study - Determine the strategic benefits of implementing the system either in productivity gains or future cost avoidance, identify and quantify the cost savings of a new system, and estimate a payback schedule for costs incurred in implementing the system. Further, consider and assess intangible factors, such as the readiness of the business users and the maturity of the business processes. This business case justifies proceeding to the next phase.
* Defines a time frame for implementation
* Determines an optimum alternative risk-based solution for meeting business needs.
* Determines whether an existing system can correct the situation with slight or no modification.
* Determines whether a vendor product offers a solution to the problem.
* Determines the approximate cost to develop the system.
* Determines whether the solution fits the business strategy.

Factors for whether to develop or acquire systems include the:
* Date the system needs to be functional
* Cost to develop the system as opposed to buying it
* Resources, staff, and hardware required to develop the system
* Compatibility with business plans, risk appetite and IT infrastructure

A

Feasibility Study

56
Q

Phase 2 of SDLC: Define the problem or need that requires resolution and the functional and quality requirements of the solution system. This can be a customized approach or a vendor-supplied software package, which entails following a defined and documented acquisition process. In either case, the user needs to be actively involved.
* What the system should do
* How users will interact with the system
* Conditions under which the system will operate
* Information criteria the system should meet

Example Activities:
* Identify and consult stakeholders
* Identify relevant data privacy and governance requirements
* Analyze requirements to detect and correct conflicts and determine priorities
* Identify system boundaries
* Identify any relevant security requirements

A

Requirements Definition

57
Q

Phase 3A of SDLC:
Based on the requirements defined, prepare a request for proposal outlining the entity requirements to invite bids from prospective suppliers for systems that are intended to be procured from vendors or solution providers.
* Risks and benefits of developing a new system vs acquiring a complete/tested system from a vendor
* Decision is based on factors such as cost, availability, and the time gap between development and acquisition

A

Software Selection and Acquisition

58
Q

Phase 3B of SDLC:
Based on the requirements defined, establish a baseline of system and subsystem specifications that describe the parts of the system, how they interface, and how the system will be implemented using the chosen hardware, software, and network facilities. Generally, the design also includes program and database specifications and will address any security considerations. Additionally, establish a formal change control process to prevent uncontrolled entry of new requirements into the development process.
* A detailed design is developed based on preliminary design and user requirements
* Includes illustrating how information will flow through the system describing inputs and outputs, and developing test plans

A

Design

59
Q

Phase 4A of SDLC:
For a packaged system, configure the system to tailor it to the enterprise’s requirements. This is best done through the configuration of system control parameters rather than changing program code. Software packages are extremely flexible, making it possible for one package to suit many enterprises simply by switching functionality on or off and setting parameters in tables. There may be a need to build interface programs that connect the acquired system with existing programs and databases.
* Define, track, and control changes in acquired system
* Integrate ERP systems into the existing IT architecture
* Is supported by change management policies and processes that define roles, assess impact and authorize changes

A

Configuration (purchased systems)

60
Q

Phase 4B of the SDLC:
Use the design specifications to begin programming and formalizing supporting operational processes of the system. Conduct various levels of testing in this phase to verify and validate what has been developed. This generally includes all unit and system testing and several iterations of user acceptance testing.
* Follows the detailed design developed in phase 3B
* Includes activities such as:
o Coding and debugging
o Ensuring security by design
o Converting data from the old system for use on the new system

A

Development (In-house development)

61
Q

Phase 5 of the SDLC:
Establish the actual operation of the new information system, with the final iteration of user acceptance testing and user sign-off. Also in this phase, the system may go through a certification and accreditation process to assess the effectiveness of the business application in mitigating risk to an appropriate level and providing management accountability for the effectiveness of the system to meet its intended objectives and to establish an appropriate level of internal control.
* The actual operation of the new system is established and tested.
* In the case of acquired software, implementation should be coordinated by user management.
* After a full-system test, the system is ready to migrate to the production environment.
* Full-system tests are performed to ensure the system is production-ready.

A

Final Testing and Implementation

62
Q

Phase 6 of the SDLC:
Following the successful implementation of a new or extensively modified system, implement a formal process that assesses the adequacy of the system and projected cost-benefit or ROI measurements from the feasibility stage findings and deviations. In so doing, IS project and end-user management can provide lessons learned and/or plans for addressing system deficiencies, and recommendations for future projects regarding system development and project management processes followed.
Review objectives:
* Ensure system meets user requirements and business objectives
* Ensure controls have been defined and implemented
* Assess system adequacy
* Assess development project process
* Develop recommendations to address system inadequacies
* Evaluate projected cost benefits or ROI measurements

A

Post-implementation

63
Q

Arises when the business goals are identified and weighted without considering the enterprise strategy.

A

Strategic Risk

64
Q

Relates to the likelihood that the new system may not meet the users’ business needs, requirements, and expectations.

A

Business Risk

65
Q

Arises if the project activities to design and develop the system exceed the limits of the financial resources set aside for the project and, as a result, the project may be completed late or not at all. Software project risk exists at multiple levels:
* Within the project
* With suppliers
* Within the enterprise
* With the technology chosen

A

Project Risk

66
Q

Also known as heuristic or evolutionary development, is the process of quickly putting together a working model to test various aspects of a design, illustrate ideas or features, and gather early user feedback. It enables the developer and customer to understand and react to risk at each evolutionary level (using prototyping as a risk reduction mechanism). It combines the best features of classic SDLC by maintaining the systematic stepwise approach and incorporates it into an iterative framework that more realistically reflects the real world.

A

Prototyping

67
Q

Methodology that enables an organization to develop strategically important systems quickly, while reducing development costs and maintaining quality. This is achieved by using a series of proven application development techniques within a well-defined methodology. These techniques include the use of:
* Small, well-trained development teams
* Evolutionary prototypes
* Integrated power tools that support modeling, prototyping and component reusability
* A central repository
* Interactive requirements and design workshops
* Rigid limits on development timeframes

A

Rapid Application Development (RAD)

68
Q

Programming technique that is a process of solution specification and modeling in which data and procedures can be grouped into an entity known as an object. An object’s data is referred to as its attributes, and its functionality is referred to as its methods. This contrasts with the traditional approach that considers data separately from the procedures that act upon them (ex: program and data specifications). Proponents claim that the combination of data and functionality is aligned with how humans conceptualize everyday objects.

A

Object-oriented system Development (OOSD)

69
Q

* Only plans for the next iteration in detail, rather than planning subsequent development phases
* Uses an adaptive approach to requirements and does not emphasize managing a requirements baseline
* Focuses on quickly proving an architecture by building functionality versus formally defining, early on, software and data architecture in increasingly more detailed models and descriptions
* Assumes limits to defect testing but attempts to validate functions through a frequent-build test cycle and corrects problems in the next subproject before too much time and cost are incurred
* Does not emphasize defined and repeatable processes, but instead performs and adapts its development based on frequent inspections

A very flexible and iterative development methodology that emphasizes collaboration, adaptability, and continuous improvement.

Pros:
* Allows development to progress in small sprints which increases flexibility
* Increased collaboration between team members and stakeholders
* Faster go-to-market time with a lower risk of project failure
* Increased stakeholder collaboration
Cons:
* Resource intensive
* Potential for scope creep
* Lack of predictability
* Potential lack of documentation
* Need for organizational culture change
* The project focus can shift quickly

A

Agile development

70
Q

Can be regarded as an outgrowth of object-oriented development. Means assembling applications from cooperating packages of executable software that make their services available through defined interfaces (example – enabling pieces of programs, called objects, to communicate with one another regardless of the programming language in which they were written or what OS they are running). The basic types of components are:
* In-process client components
* Stand-alone client components
* Stand-alone server components
* In-process server components

A

Component-based development

71
Q

Important software development approach designed to achieve easier and more effective integration of code modules within and between enterprises. Historically, software written in one language on a particular platform has used a dedicated application programming interface (API). The use of specialized APIs has caused difficulties in integrating software modules across platforms. Technologies such as common object request broker architecture (CORBA) and component object model (COM) that use remote procedure calls (RPCs) have been developed to allow real-time integration of code across platforms. However, using these RPC approaches for different APIs remains complex. This approach and its associated Extensible Markup Language (XML) technologies are designed to further facilitate and standardize code module and program integration.

A

Web-based application development

72
Q

Process of updating an existing system by extracting and reusing design and program components. This process is used to support major changes in the way an enterprise operates, and there are a number of tools available to support it. Typical methodologies used generally fall into the following categories:
* Business process reengineering (BPR) is the thorough analysis and significant redesign of business processes and management systems to establish a better performing structure that is more responsive to the customer base and market conditions, while yielding material cost savings.
* The service-oriented software reengineering methodology is based on the service-oriented computer architecture, and the reengineering processes apply many concepts of RAD leveraging responsible, accountable, consulted and informed (RACI) charts and UML modeling.

A

Software reengineering

73
Q

Process of studying and analyzing an application, a software application or a product to see how it functions and to use that information to develop a similar system. This process can be carried out in different ways:
* Decompiling object or executable code into source code and using it to analyze the program
* Black-box testing the application to be reverse engineered to unveil its functionality

A

Reverse engineering

74
Q

Integration of development and operations processes to eliminate conflicts and barriers. This integration can create numerous benefits, but it can also create new risk. Decisions should be made based on factors such as an enterprise’s climate, risk tolerance and culture, and on the scope of the development project. Because it changes the environment and often impacts the enterprise’s control environment and accepted level of risk, an IS auditor should ensure that there is proper SoD.

A

DevOps

75
Q

Processes can be done in a logical and systematic manner and used to enhance the maturity of software development. This helps promote concepts, such as security-by-design, which in turn will reduce the overall likelihood of vulnerabilities being introduced during the development process.

A

DevSecOps

76
Q

About improving business processes. It is defined as a continuous, systematic process for evaluating the products, services or work processes of enterprises that are recognized as world-class references in a globalized world. Reference products, services or processes are systematically analyzed for one or more of the following processes:
* Comparing and ranking
* Strategic planning; strengths, weaknesses, opportunities and threats (SWOT) analysis
* Investment decisions, enterprise takeovers, mergers
* Product or process design or redesign/reengineering
* BPR

A

Benchmarking process

77
Q

Process of responding to competitive and economic pressures and customer demands to survive in the current business environment. This is usually done by automating system processes so that there are few manual interventions and manual controls. BPR achieved with the help of implementing an ERP system is often referred to as package-enabled reengineering (PER). Advantages of BPR are usually experienced when the reengineering process appropriately suits the business needs. BPR has increased in popularity as a method for achieving the goal of cost savings through streamlining operations.

The steps in a successful BPR are to:
* Define the areas to be reviewed
* Develop a project plan
* Gain an understanding of the process under review
* Redesign and streamline the process
* Implement and monitor the new process
* Establish a continuous improvement process

A

Business process reengineering

78
Q

Use may include the application of software tools for software requirements capture and analysis, software design, code production, testing, document generation and other software development activities. These tools provide a uniform approach to system development, facilitate storage and retrieval of documents and reduce the manual effort in developing and presenting system design information. This power of automation changes the nature of the development process by eliminating or combining some steps and altering the means of verifying specifications and applications.

A

CASE

79
Q

Tools that are often incorporated with CASE products, which generate program code based on parameters defined by a system analyst or on data/entity flow diagrams developed by the design module of the CASE product. These products allow most developers to implement software programs with efficiency. An IS auditor should be aware of source code generated by such tools

A

Code generators

80
Q

Used in software development to reduce the overall effort and cost. The common characteristics are:
* Nonprocedural language – Most 4GLs do not obey the procedural paradigm of continuous statement execution and subroutine call and control structures. Instead, they are event-driven and make extensive use of object-oriented programming concepts such as objects, properties and methods.
o For example, a COBOL programmer who wants to produce a report sorted in a given sequence must first open and read the data file, sort the file and finally produce the report. A typical 4GL treats the report as an object with properties, such as input file name and sort order, and methods, such as sort file and print report.
o Care should be taken when using 4GLs. Unlike traditional languages, 4GLs can lack the lower-level detail commands necessary to perform certain types of data-intensive or online operations. These operations are usually required when developing major applications. For this reason, the use of 4GLs as development languages should be weighed carefully against traditional languages already discussed.
* Environmental independence (portability) – Many 4GLs are portable across computer architectures, OSs and telecommunications monitors. Some 4GLs have been implemented on mainframe processors and microcomputers.
* Software facilities – These facilities include the ability to design or paint retrieval screen formats, develop computer-aided training routines or help screens, and produce graphical outputs.
* Programmer workbench concepts – The programmer has access through the terminal to easy filing facilities, temporary storage, text editing and OS commands. This type of workbench approach is closely associated with the CASE application development approach. It is often referred to as an IDE.
* Simple language subsets – 4GLs generally have simple language subsets that can be used by less-skilled users in an information center

Often classified in the following ways:
* Query and report generators – These specialized languages can extract and produce reports (audit software). Recently, more powerful languages have been produced that can access database records, produce complex online outputs and be developed in an almost-natural language.
* Embedded database 4GLs – These depend on self-contained DBMSs. This characteristic often makes them more user-friendly but also may lead to applications that are not integrated well with other production applications. Examples include FOCUS, Rapid Access Management Information System (RAMIS) II, and NCSS Owned, Maintained, and Developed (NOMAD) 2.
* Relational database 4GLs – These high-level language products are usually an optional feature on a vendor’s DBMS product line. These allow the applications developer to make better use of the DBMS product, but they often are not end-user oriented. Examples include SQL+, MANTIS and Natural.
* Application generators – These development tools generate third-generation programming languages, such as COBOL and C. The application can be further tailored and customized. Data processing development personnel, not end users, use application generators.

A

4GLs

81
Q

Group input transactions to provide control totals; based on the following:
o Total monetary amount – Verification that the total monetary value of the batch documents agrees with the total monetary value of the items processed. Example – the total monetary value of the sales invoices in the batch agrees with the total monetary value of the sales invoices processed. This provides assurance on the completeness and accuracy of the sales value processed for the batch.
o Total Items – Verification that the total number of items included on each document in the batch agrees with the total number of items processed. Example – the total number of units ordered in the batch of invoices agrees with the total number of units processed. This provides assurance on the completeness and accuracy of the units ordered in the batch processed.
o Total documents – Verification that the total number of documents in the batch equals the total number of documents processed. Example – the total number of invoices in a batch agrees with the total number of invoices processed. This provides assurance on the completeness of the number of invoices processed.
o Hash totals – Verification that the total in a batch agrees with the total calculated by the system. Hash total is the total of nonvalue nonnumeric fields in the batch (ex – total amount of dates or customer number fields), which, by themselves, do not have informative value. This provides assurance on the completeness and accuracy of data entered for the numeric fields in the batch.

A

Batch Controls and Balancing

82
Q

Are a data preparation control. All input forms should be clearly identified with the application name and transaction codes. Batch balancing can be performed through manual or automated reconciliation. Batch totaling must be combined with adequate follow-up procedures. Adequate controls should exist to ensure that:
o Each transaction creates an input document
o All documents are included in a batch
o All batches are submitted for processing
o All batches are accepted by the computer
o Batch reconciliation is performed
o Procedures for the investigation and timely correction of differences are followed
o Controls exist over the resubmission of rejected items

A

Batch header forms

83
Q

The control numbers follow a sequential order, and any duplicated controls or control numbers outside of the sequence are rejected or noted on an exception report for follow-up purposes.

A

Sequence check

84
Q

Data should not exceed a predetermined amount. For example, payroll checks should not exceed US $4000. If a check exceeds US $4000, the data are rejected as an invalid project type.

A

Limit check

85
Q

Data should be within a predetermined range of values. For example, product type codes range from 100 to 250. Any code outside this range is rejected as an invalid product type.

A

range check

86
Q

Input data are matched to predetermined reasonable limits or occurrence rates. For example, a manufacturer usually receives orders for no more than 20 widgets. If an order for more than 20 widgets is received, the computer program is designed to print the record with a warning indicating that the order appears unreasonable.

A

Reasonable checks

86
Q

Programmed checking of the data validity in accordance with predetermined criteria. For example, a payroll record contains a field for marital status and the acceptable status codes are M or S. If any other code is entered, the record is rejected.

A

Validity check

87
Q

Data are entered correctly and agree with valid predetermined criteria. For example, a valid transaction code must be entered in the transaction code field.

A

existence check

87
Q

Input data comply with predetermined criteria maintained in a computerized table of possible values. For example, the input clerk enters a city code of 1 to 10. This number corresponds with a computerized table that matches the code to a city name.

A

Table lookup

88
Q

The keying process is repeated by a separate individual using a machine that compares the original keystrokes to the repeated keyed input. For example, the worker number is keyed twice and compared to verify the keying process.

A

Key verification

89
Q

A numeric value that has been calculated mathematically is added to data to ensure the original data have not been altered or an incorrect, but valid, value is not substituted. This control is effective in detecting transposition and transcription errors. For example, a check digit is added to an account number so it can be checked for accuracy when it is used.

A

Check digit

90
Q

A field should always contain data rather than zeros or blanks. A check of each byte of that field should be performed to determine that some form of data, not blanks or zeros, is present. For example, a worker number on a new employee record is left blank. This is identified as a key field and the record is rejected, with a request that the field be completed before the record is accepted for processing.

A

completeness check

91
Q

New transactions are matched to those previously input to ensure that they have not already been entered. For example, a vendor invoice number agrees with previously recorded invoices to ensure that the current order is not a duplicate and, therefore, the vendor will not be paid twice.

A

Duplicate check

92
Q

If a particular condition is true, then one or more additional conditions or data input relationships may be required to be true for the input to be considered valid. For example, the hire date of an employee may be required to be more than 16 years past their date of birth.

A

logical relationship check

93
Q

Meant to ensure the completeness and accuracy of accumulated data. They ensure that data in a file or database remain complete and accurate, until changed because of authorized processing or modification routines.
The following are processing control techniques:
o Manual recalculations – manual recalculation of a sample of transactions to ensure that processing is accomplishing the anticipated task
o Editing – A program instruction or subroutine that tests the accuracy, completeness and validity of data. It may be used to control input or later processing of data
o Run-to-run totals – Verification of data values through the stages of application processing. Run-to-run total verification ensures that data read into the computer were accepted and then applied to the updating process
o Programmed controls – Software that detects and initiates corrective action for errors in data and processing. For example, if the incorrect file or file version is provided for processing, the application program could display messages instructing that the proper file and version be used.
o Reasonableness verification of calculated amounts – An application program that verifies the reasonableness of calculated amounts. The reasonableness can be tested to ensure appropriateness to predetermined criteria. Any transaction that is determined to be unreasonable may be rejected pending further review
o Limit checks on amounts – Predetermined limits that ensure amounts have been keyed or calculated correctly. Any transaction exceeding the limit may be rejected for further investigation.
o Reconciliation of file totals – Should be performed on a routine basis. Reconciliations may be performed through the use of a manually maintained account, a file control record or an independent control file.
o Exception reports – Generated by a program that identifies transactions or data that appear to be incorrect. These items may be outside a predetermined range or may not conform to specified criteria

A

Processing Controls

94
Q

Ensure that only authorized processing occurs to stored data. Contents of data files, or database tables, generally fall into one of four categories:
o System control parameters – The entries in these files change the workings of the system and may alter controls exercised by the system (ex – the tolerance allowed before an exceptional transaction is reported or blocked). Any change to these files should be controlled in a similar way to program changes
o Standing data – These master files include data, such as supplier/customer names and addresses, that do not frequently change and are referred to during processing. These data should be authorized before entry or maintenance. Input controls may include a report of changed data that is checked and approved. Audit trails may log all changes.
o Master data/balance data – Running balances and totals that are updated by transactions should not be capable of adjustment except under strict approval and review controls. Audit trails are important here because there may be financial reporting implications for the change.
o Transaction files – These are controlled using validation checks, control totals, exception reports, etc.

A

Data File Control Procedures

95
Q

o Before and after image reporting – Computer data in a file prior to and after a transaction is processed can be recorded and reported. The before and after images make it possible to trace the impact that transactions have on computer records
o Maintenance error reporting and handling – Control procedures should be in place to ensure that all errors are properly reconciled and corrections are submitted on a timely basis. To ensure SoD, error corrections should be reviewed properly and authorized by personnel who did not authorize the transaction
o Source documentation retention should be maintained for an adequate time period to evaluate retrieval, reconstruction or verification of data. Policies regarding the retention of source documentation should be enforced. Originating departments should maintain copies of source documentation and ensure that only authorized personnel have access. When appropriate, source documentation should be destroyed in a secure, controlled environment
o Internal and external labeling of removable storage media is imperative to ensure that the proper data are loaded for processing. External labels provide the basic level of assurance that the correct data medium is loaded for processing. Internal labels, including file header records, provide assurance that the proper data files are used and allow for automated checking
o Version usage – For processing to be correct, it is critical that the proper version of a file and the correct file are used. For example, transactions should be applied to the most current database, while restart procedures should use earlier versions
o Data file security – prevent unauthorized access by unauthorized users that may have access to the application to alter data files. These controls do not provide assurances relating to the validity of data but ensure that unauthorized users who may have access to the application cannot alter stored data improperly.
o One-for-one checking – individual documents agree with a detailed listing of documents processed by the computer. It is necessary to ensure that all documents have been received for processing.
o Prerecorded input – Certain information fields are preprinted on blank input forms to reduce initial input errors
o Transaction logs – All transaction input activity is recorded by the computer. A detailed listing, including date of input, time of input, user ID and terminal location, can then be generated to provide an audit trail. It also permits operations personnel to determine which transactions have been posted. This will help to decrease the research time needed to investigate exceptions and decrease recovery time if a system failure occurs.
o File updating and maintenance authorization – proper authorization for file updating and maintenance is necessary to ensure that stored data are correct, up to date and safeguarded adequately. Application programs may contain access restrictions in addition to the overall system access restrictions. The additional security may provide levels of authorization and an audit trail of file maintenance
o Parity checking – Data transfers in a computer system are expected to be made in a relatively error-free environment. However, when programs or vital data are transmitted, additional controls are needed. Transmission errors are controlled primarily by error-detecting or correcting codes. The former is used more often because error-correcting codes are costly to implement and unable to correct all errors. Generally, error detection methods such as check bit and redundant transmission are adequate. Redundancy checking is a common error-detection routine. A transmitted block of data containing one or more records or messages is checked for the number of characters or patterns of bits contained in it. If the numbers or patterns do not conform to the predetermined parameters, the receiving device ignores the transmitted data and instructs the user to retransmit. Check bits are often added to the transmitted data by the telecommunications control unit and may be applied to data characters within on-premises equipment. A parity check on a single character generally is referred to as a vertical or column check, and a parity check on all the equivalent bits is known as a horizontal, longitudinal or row check. Use of both checks greatly improves the possibilities of detecting a transmission error, which may be missed when either of those checks is used alone

A

Data controls

96
Q

Provide assurance that the data delivered to users will be presented, formatted and delivered in a consistent and secure manner.

These include:
o Logging and storage of negotiable, sensitive and critical forms in a secure place – Negotiable, sensitive or critical forms should be properly logged and secured to provide adequate safeguards against theft, damage or disclosure. The form log should be routinely reconciled to the inventory on hand, and any discrepancies should be properly researched.
o Computer generation of negotiable instruments, forms and signatures – the computer generation of negotiable instruments, forms and signatures should be properly controlled. A detailed listing of generated forms should be compared to the physical forms received. One should properly account for all exceptions, rejections and mutilations.
o Report accuracy, completeness and timeliness – Often reports are generated using third-party data analysis and reporting applications. Even with the most reliable and accurate data sources, improperly configured, constructed and prepared reports are still a significant risk. Report design and generation specifications, templates and creation/change request processes are critical system output controls.
o Reports generated from the system – These represent the data that management relies on for business decisions and review of business results. Therefore, ensuring the integrity of data in reports is key for the reliability of information in information systems. An IS auditor should validate that the reports are accurate and provide a current representation of the source data.

A

Output controls

97
Q

The testing of an individual program or module. Uses a set of test cases that focus on the control structure of the procedural design. These tests ensure that the internal operation of the program performs according to specification.

A

Unit Testing

98
Q

A hardware or software test that evaluates the connection of two or more components that pass information from one area to another. The objective is to take unit-tested modules and build an integrated structure dictated by design. Also used to refer to tests that verify and validate the functioning of the application under test with other systems, in which a set of data is transferred from one system to another.

A

Interface or integration testing

99
Q

Designed to ensure that modified programs, objects, database schemes, etc., which collectively constitute a new or modified system, function properly. These test procedures are often performed in a non-production test/development environment by software developers designated as a test team.

A

System testing

100
Q

Checking the system’s ability to recover after a software or hardware failure

A

Recovery testing

101
Q

Making sure the modified/new system includes provisions for appropriate access controls and does not introduce any security holes that might compromise other systems

A

Security testing

102
Q

Testing an application with large quantities of data to evaluate its performance during peak hours

A

Loading testing

103
Q

Studying the impact on the application by testing with an incremental volume of records to determine the maximum volume of records (data) that the application can process

A

stress testing

104
Q

Comparing the system performance to other equivalent systems using well-defined benchmarks

A

Performance testing

105
Q

Performed after the system staff is satisfied with the system tests. Testing occurs during the implementation phase. During this testing phase, the defined methods of testing to apply should be incorporated into the enterprise’s QA methodology.

A

Final acceptance testing

106
Q

Focuses on the documented specification and the technology employed. It verifies that the application works as documented by testing the logical design and the technology itself. It also ensures that the application meets the documented technical specifications and deliverables. Performed primarily by the IT department. The participation of the end user is minimal and on request. QAT does not focus on functionality testing.

A

QAT

107
Q

Supports the process of ensuring that the system is production ready and satisfies all documented requirements. The methods include:
o Definition of test strategies and procedures
o Design of test cases and scenarios
o Execution of the tests
o Use of the results to verify system readiness

A

UAT

108
Q

Often performed only by users within the enterprise who are developing the software

A

Alpha testing

109
Q

A form of UAT, generally involves a limited number of external users.

A

Beta testing

110
Q

Preliminary test that focuses on specific and predetermined aspects of a system. It is not meant to replace testing methods, but to provide a limited evaluation of the system. POCs are early tests – usually over interim platforms and with only basic functionalities.

A

Pilot test

111
Q

A test that assesses the effectiveness of software program logic. Specifically, test data are used in determining procedural accuracy or conditions of a program’s specific logic paths (example – applicable to unit and integration testing). However, testing all possible logical paths in large information systems is not feasible and would be cost prohibitive; therefore, it is used on a select basis only.

A

white box testing

112
Q

An integrity-based form of testing associated with testing components of an information system’s functional operating effectiveness without regard to any specific internal program structure. It is applicable to integration and UAT processes.

A

Black box testing

113
Q

Similar to system testing but often used to test the functionality of the system against the detailed requirements to ensure that the software that has been built is traceable to customer requirements (e.g., Are we building the right product?).

A

Function/validation testing

114
Q

The process of rerunning a portion of a test scenario or test plan to ensure that changes or corrections have not introduced new errors. The data used in regression testing should be the same as the data used in the original.

A

Regression testing

115
Q

The process of feeding test data into two systems – the modified system and an alternate system (possibly the original system) – and comparing the results. The purpose is to determine whether the new application performs in the same way as the original system and meets end-user requirements.

A

parallel testing

116
Q

Tests to confirm that the new or modified system can operate in its target environment without adversely impacting existing systems. This should cover the platform that will perform primary application processing and interfaces with other systems and, in a client-server or web development, those that perform changes to the desktop environment.

A

sociability testing

117
Q

Testing begins with atomic units, such as programs or modules, and works upward until a complete system testing has taken place. The advantages include:
o There is no need for stubs or drivers
o Testing can be started before all programs are complete
o Errors in critical modules are found early

A

Bottom up

118
Q

Testing follows the opposite path, either in depth-first or breadth-first search order. The advantages include:
o Tests of major functions and processing are conducted early
o Interface errors can be detected sooner
o Confidence in the system is increased because programmers and users see a working system

A

Top down

119
Q

Performed at the data element and record-based levels. Enforced through data validation routines built into the application or by defining the input condition constraints and data characteristics at the table definition in the database stage. Sometimes it is a combination of both.

A

Relational integrity tests

120
Q

Define existence relationships between entities in different tables of a database that need to be maintained by the DBMS. It is required for maintaining interrelation integration in the relational data model. Whenever two or more relations are related through referential constraints (primary and foreign key), it is necessary that references be kept confidential in the event of insertions, deletions and updates to the relations. Database software generally provides various built-in automated procedures for checking and ensuring referential integrity. Referential integrity checks involve ensuring that all references to a primary key from another table (e.g., a foreign key) exist in their original table. In nonpointer databases (relational), referential integrity checks involve making sure that all foreign keys exist in their original table.

A

referential integrity tests

121
Q

From a user perspective, a transaction is either completed in its entirety or not at all. If an error or interruption occurs, all changes made up to that point are backed out.

A

atomicity

122
Q

All integrity conditions in the database are maintained with each transaction, taking the database from one consistent state into another consistent state.

A

consistency

123
Q

Each transaction is isolated from other transactions, so each transaction accesses only data that are part of a consistent database state.

A

Isolation

124
Q

If a transaction has been reported back to a user as complete, the resulting changes to the database survive subsequent hardware or software failures.

A

durability

125
Q

Records flow of designated transaction through logic paths within programs; Advantage - verifies program logic; disadvantages - requires extensive knowledge of the IS environment

A

Snapshot

126
Q

Identifies specific program logic that has not been tested and analyzes programs during execution to indicate whether program statements have been executed; Advantage - Increases efficiency by identifying unused code; Identifies potential exposures; Disadvantage - Cost of software

A

Mapping

127
Q

Shows the trail of instructions executed during an application; Involves placing an indicator on selected transactions at input and using <blah> to track them. Advantage - Provides an exact picture of sequence of events, and is effective with live and simulated transactions; Disadvantage - Requires extensive amounts of computer time, an intimate knowledge of the application program and additional programming to execute routines

A

Tracing and tagging

128
Q

Simulates transactions through real programs

A

test data/deck

129
Q

Uses test data sets developed as part of a comprehensive testing of programs; Verifies correct system operations before acceptance and periodic revalidation

A

Base-case system evaluation

130
Q

Processes production data through existing and newly developed programs at the same time, compares results and verifies changed production prior to replacing existing procedures

A

Parallel operation

131
Q

Creates a fictitious file in the database with test transactions processed simultaneously with live data

A

Integrated testing facility

132
Q

Processes production data using computer programs that simulate application program logic

A

parallel simulation

133
Q

Use audit software in host computer applications screens. It selects input transactions and generates transactions during production. Usually it is developed as part of system development. Types include: Systems control audit review file (SCARF) - auditor determines reasonableness of tests incorporated into normal processing. It provides information for further review. Sample audit review file (SARF) - randomly selects transactions to provide representative file for analysis; Advantage - Provides sampling and production statistics; Disadvantage - high cost of development and maintenance; auditor independence issues

A

embedded audit data collection

134
Q

Gathers all data that have been affected by a particular program; Advantage - records are put into one convenient file; Disadvantage - Adds to data storage costs and overhead, and to system development costs

A

extended records