Information Systems Acquisition, Development and Implementation 2 Flashcards
What would be considered a MAJOR concern to an IS auditor who, during a review, finds that the development of an application has been outsourced to an offshore vendor?
That the business case was not established.
Why? - Because if the business case was not established, it is likely that the business rationale, risk and risk mitigation strategies for outsourcing the application development were not fully evaluated and the appropriate information was not provided to senior management for formal approval.
What is the IS auditor’s MAJOR concern when auditing the software acquisition process?
To ensure the contract is reviewed and approved by the legal counsel before it is signed
i.e. This is one of the most important steps in the software acquisition process
What is an advantage of a component-based development approach?
The ability to support multiple development environments
Who is responsible for reviewing and approving system deliverables as they are defined and accomplished to ensure the successful completion and implementation of a new business system application?
User management
i.e. They are responsible for assuming ownership of the project and resulting system, allocating qualified representatives to the team and actively participating in system requirements definition
What is of major concern for an IS auditor when reviewing an organization’s IT project portfolio?
The Business Plan
Why? - Because portfolio management takes a holistic view of a company’s overall IT strategy; therefore an IT strategy should be aligned with the business strategy
Who is responsible for overseeing an IT (ERP) project to ensure that it is progressing in accordance with the project plan and that it will deliver the expected results?
The Project steering committee
They provide overall direction for the enterprise resource planning (ERP) implementation project and are responsible for reviewing the project’s progress to ensure that it will deliver the expected results.
What task can an IS auditor do without jeopardizing their independence when reviewing an enterprise’s development strategy to upgrade to a newer version of its database software?
Review the acceptance test case documentation before the tests are carried out
i.e. This will facilitate the objective of a successful migration and ensure that proper testing is conducted
What would best assist an IS auditor to evaluate the quality of programming activities related to future maintenance capabilities?
Program coding standards
i.e. These are required for efficient program maintenance and modifications.
What is most relevant to an IS auditor when they are evaluating how a project manager has monitored the progress of a project?
The Gantt Chart
Why? - Because they help to identify activities that have been completed early or late through comparison to a baseline.
What is a major concern/responsibility of the project steering committee?
Project deliverables, costs and timetables
i.e. They take ultimate responsibility for the deliverables, costs and timetables
Why is assigning process ownership essential in system development projects?
Because it ensures that system design is based on business needs
i.e. A sign-off on the design by the process owners is crucial before development begins
What risk is likely encountered due to a software as a service (SaaS) environment?
Performance issues due to Internet delivery method
Why? - Because SaaS relies on the Internet for connectivity
What is a helpful method for controlling scope creep in a system development project?
Establishing a software baseline
i.e. Software baselining, the cutoff point in the design phase, occurs after a rigorous review of user requirements
What should an IS auditor review first when attempting to provide assurance of the data integrity controls of a newly implemented distributed accounting system?
Review the data flow diagram
Why? - To understand the flow of data within the application and to other systems
Note: This will enable the IS auditor to evaluate the design and effectiveness of the data integrity controls.