When reviewing the quality of an IS department's development
process, the IS auditor finds that they do not use any
formal, documented methodology and standards. The IS
auditor's MOST appropriate action would be to:
A. complete the audit and report the finding.
B. investigate and recommend appropriate formal standards.
C. document the informal standards and test for compliance.
D. withdraw and recommend a further audit when standards are
implemented.
Answer / guest
Answer: C
The IS auditor's first concern would be to ensure that
projects are consistently managed. Where it is claimed that
an internal standard exists, it is important to ensure that
it is operated correctly, even when this means documenting
the claimed standards first. Merely reporting the issue as a
weakness and closing the audit without findings would not
help the organization in any way and investigating formal
methodologies may be unnecessary if the existing, informal
standards prove to be adequate and effective.
Is This Answer Correct ? | 7 Yes | 0 No |
Which of the following types of risks assumes an absence of compensating controls in the area being reviewed? A. Control risk B. Detection risk C. Inherent risk D. Sampling risk
Which of the following is a benefit of using callback devices? A. Provide an audit trail B. Can be used in a switchboard environment C. Permit unlimited user mobility D. Allow call forwarding
What data should be used for regression testing? A. Different data than used in the previous test B. The most current production data C. The data used in previous tests D. Data produced by a test data generator
Which of the following techniques would provide the BEST assurance that the estimate of program development effort is reliable? A. Function point analysis B. Estimates by business area C. A computer-based project schedule D. An estimate by experienced programmer
According to the Committee of Sponsoring Organizations (COSO), the internal control framework consists of which of the following? A. Processes, people, objectives. B. Profits, products, processes. C. Costs, revenues, margins. D. Return on investment, earnings per share, market share.
Which of the following is a detective control? A. Physical access controls B. Segregation of duties C. Backup procedures D. Audit trails
When implementing and application software package, which of the following presents the GREATEST risk? A. Uncontrolled multiple software versions B. Source programs that are not synchronized with object code C. Incorrectly set parameters D. Programming errors
An IS auditor reviewing an organization's IS disaster recovery plan should verify that it is: A. tested every 6 months. B. regularly reviewed and updated. C. approved by the chief executive officer (CEO). D. communicated to every departmental head in the organization.
Which of the following tasks is normally performed by a clerk in the control group? A. Maintenance of an error log B. Authorization of transactions C. Control of noninformation systems assets D. Origination of changes to master files
Which of the following functions should be performed by the application owners to ensure an adequate segregation of duties between IS and end users? A. System analysis B. Authorization of access to data C. Application programming D. Data administration
When reviewing a system development project an IS auditor would be PRIMARILY concerned with whether: A. business objectives are achieved. B. security and control procedures are adequate. C. the system utilizes the strategic technical infrastructure. D. development will comply with the approved quality management processes
A universal serial bus (USB) port: A. connects the network without a network card. B. connects the network with an Ethernet adapter. C. replaces all existing connections. D. connects the monitor.