Which of the following should an IS auditor review to gain an understanding of the effectiveness of controls?

The latest ISACA CISA (Certified Information Systems Auditor) certification practice exam questions and answers (Q&A) are available free; they are helpful for passing the ISACA CISA exam and earning the ISACA CISA certification.


CISA Question 561

Question

When reviewing a project where quality is a major concern, an IS auditor should use the project management triangle to explain that:

A. increases in quality can be achieved, even if resource allocation is decreased.
B. increases in quality are only achieved if resource allocation is increased.
C. decreases in delivery time can be achieved, even if resource allocation is decreased.
D. decreases in delivery time can only be achieved if quality is decreased.

Answer

A. increases in quality can be achieved, even if resource allocation is decreased.

Explanation

The three primary dimensions of a project are determined by the deliverables, the allocated resources and the delivery time. The area of the project management triangle, composed of these three dimensions, is fixed. Depending on the degree of freedom, a change in one dimension might be compensated for by changing either one or both of the remaining dimensions. Thus, if resource allocation is decreased, an increase in quality can still be achieved, provided a delay in the delivery time of the project is accepted. The area of the triangle always remains constant.

CISA Question 562

Question

While evaluating software development practices in an organization, an IS auditor notes that the quality assurance (QA) function reports to project management. The MOST important concern for an IS auditor is the:

A. effectiveness of the QA function because it should interact between project management and user management.
B. efficiency of the QA function because it should interact with the project implementation team.
C. effectiveness of the project manager because the project manager should interact with the QA function.
D. efficiency of the project manager because the QA function will need to communicate with the project implementation team.

Answer

A. effectiveness of the QA function because it should interact between project management and user management.

Explanation

To be effective, the quality assurance (QA) function should be independent of project management. The QA function should never interact with the project implementation team, since this can impact effectiveness. The project manager does not interact with the QA function, which should not impact the effectiveness of the project manager. The QA function does not interact with the project implementation team, which should not impact the efficiency of the project manager.

CISA Question 563

Question

An IS auditor invited to a development project meeting notes that no project risks have been documented. When the IS auditor raises this issue, the project manager responds that it is too early to identify risks and that, if risks do start impacting the project, a risk manager will be hired. The appropriate response of the IS auditor would be to:

A. stress the importance of spending time at this point in the project to consider and document risks, and to develop contingency plans.
B. accept the project manager’s position as the project manager is accountable for the outcome of the project.
C. offer to work with the risk manager when one is appointed.
D. inform the project manager that the IS auditor will conduct a review of the risks at the completion of the requirements definition phase of the project.

Answer

A. stress the importance of spending time at this point in the project to consider and document risks, and to develop contingency plans.

Explanation

The majority of project risks can typically be identified before a project begins, allowing mitigation/avoidance plans to be put in place to deal with the risks. A project should have a clear link back to corporate strategy and the tactical plans that support this strategy. The process of setting corporate strategy, setting objectives and developing tactical plans should include the consideration of risks. Appointing a risk manager is a good practice, but waiting until the project has been impacted by risks is misguided. Risk management needs to be forward looking; allowing risks to evolve into issues that adversely impact the project represents a failure of risk management. With or without a risk manager, persons within and outside of the project team need to be consulted and encouraged to comment when they believe new risks have emerged or risk priorities have changed. The IS auditor has an obligation to the project sponsor and the organization to advise on appropriate project management practices. Waiting for the possible appointment of a risk manager represents an unnecessary and dangerous delay to implementing risk management.

CISA Question 564

Question

An IS auditor has been asked to participate in project initiation meetings for a critical project. The IS auditor’s MAIN concern should be that the:

A. complexity and risks associated with the project have been analyzed.
B. resources needed throughout the project have been determined.
C. project deliverables have been identified.
D. contract for external parties involved in the project has been completed.

Answer

A. complexity and risks associated with the project have been analyzed.

Explanation

Understanding complexity and risk, and actively managing these throughout a project, are critical to a successful outcome. The other choices, while important during the course of the project, cannot be fully determined at the time the project is initiated, and are often contingent upon the risk and complexity of the project.

CISA Question 565

Question

At the completion of a system development project, a post project review should include which of the following?

A. Assessing risks that may lead to downtime after the production release
B. Identifying lessons learned that may be applicable to future projects
C. Verifying the controls in the delivered system are working
D. Ensuring that test data are deleted

Answer

B. Identifying lessons learned that may be applicable to future projects

Explanation

A project team has something to learn from each and every project. As risk assessment is a key issue for project management, it is important for the organization to accumulate lessons learned and integrate them into future projects. An assessment of potential downtime should be made with the operations group and other specialists before implementing a system. Verifying that controls are working should be covered during the acceptance test phase and possibly, again, in the post implementation review. Test data should be retained for future regression testing.

CISA Question 566

Question

When identifying an earlier project completion time, which is to be obtained by paying a premium for early completion, the activities that should be selected are those:

A. whose sum of activity time is the shortest.
B. that have zero slack time.
C. that give the longest possible completion time.
D. whose sum of slack time is the shortest.

Answer

B. that have zero slack time.

Explanation

A critical path’s activity time is longer than that for any other path through the network. This path is important because, if everything goes as scheduled, its length gives the shortest possible completion time for the overall project. Activities on the critical path become candidates for crashing, i.e., for reduction in their time by payment of a premium for early completion. Activities on the critical path have zero slack time and, conversely, activities with zero slack time are on a critical path. By successively relaxing activities on a critical path, a curve showing total project costs vs. time can be obtained.

CISA Question 567

Question

To minimize the cost of a software project, quality management techniques should be applied:

A. as close to their writing (i.e., point of origination) as possible.
B. primarily at project start-up to ensure that the project is established in accordance with organizational governance standards.
C. continuously throughout the project with an emphasis on finding and fixing defects primarily during testing to maximize the defect detection rate.
D. mainly at project close-down to capture lessons learned that can be applied to future projects.

Answer

C. continuously throughout the project with an emphasis on finding and fixing defects primarily during testing to maximize the defect detection rate.

Explanation

While it is important to properly establish a software development project, quality management should be effectively practiced throughout the project. The major source of unexpected costs on most software projects is rework. The general rule is that the earlier in the development life cycle a defect occurs, and the longer it takes to find and fix that defect, the more effort will be needed to correct it. A well-written quality management plan is a good start, but it must also be actively applied. Simply relying on testing to identify defects is a relatively costly and less effective way of achieving software quality. For example, an error in requirements discovered in the testing phase can result in scrapping significant amounts of work. Capturing lessons learned will be too late for the current project. Additionally, applying quality management techniques throughout a project is likely to yield its own insights into the causes of quality problems and assist in staff development.

CISA Question 568

Question

Which of the following should an IS auditor review to gain an understanding of the effectiveness of controls over the management of multiple projects?

A. Project database
B. Policy documents
C. Project portfolio database
D. Program organization

Answer

C. Project portfolio database

Explanation

A project portfolio database is the basis for project portfolio management. It includes project data, such as owner, schedules, objectives, project type, status and cost. Project portfolio management requires specific project portfolio reports. A project database may contain the above for one specific project and updates to various parameters pertaining to the current status of that single project. Policy documents on project management set direction for the design, development, implementation and monitoring of the project. Program organization is the team required (steering committee, quality assurance, systems personnel, analyst, programmer, hardware support, etc.) to meet the delivery objective of the project.

CISA Question 569

Question

Which of the following is a characteristic of timebox management?

A. Not suitable for prototyping or rapid application development (RAD)
B. Eliminates the need for a quality process
C. Prevents cost overruns and delivery delays
D. Separates system and user acceptance testing

Answer

C. Prevents cost overruns and delivery delays

Explanation

Timebox management, by its nature, sets specific time and cost boundaries. It is very suitable for prototyping and RAD, and integrates system and user acceptance testing, but does not eliminate the need for a quality process.

CISA Question 570

Question

When planning to add personnel to tasks imposing time constraints on the duration of a project, which of the following should be revalidated FIRST?

A. The project budget
B. The critical path for the project
C. The length of the remaining tasks
D. The personnel assigned to other tasks

Answer

B. The critical path for the project

Explanation

Since adding resources may change the route of the critical path, the critical path must be reevaluated to ensure that additional resources will in fact shorten the project duration. Given that there may be slack time available on some of the other tasks not on the critical path, factors such as the project budget, the length of other tasks and the personnel assigned to them may or may not be affected.

Which of the following should be of greatest concern to an IS auditor reviewing a system software development project based on agile practices?

The IS auditor should be most concerned with open source software licensing compliance to avoid unintended intellectual property risk or legal consequences.