Exam Prep Questions


1.

Software library control ensures that application programmers never have access to production application processing and that users do not have access to source code. Which of the following statements is NOT true regarding the software librarian's access to code or data?

A.

The software librarian does not have read-write access to application source code used by programmers.

B.

The software librarian has read-only access to application production code.

C.

The software librarian does not have access to live data.

D.

The software librarian has read access to test data.


A1:

Answer: B. Library control software restricts source code to read-only access. All other statements are true.

2.

Decision trees that lead users through a series of questions or choices from a knowledge base to compute a logical finding are implemented by which of the following?

A.

Expert systems

B.

Artificial neural networks (ANN)

C.

Critical path analysis

D.

Function point analysis


A2:

Answer: A. Decision trees use questionnaires to lead the user through a series of choices to reach a conclusion. Artificial neural networks attempt to emulate human thinking by analyzing many attributes of knowledge to reach a conclusion. Critical path analysis is used in project management. Function point analysis is used in determining a proposed software application's size for development planning purposes.

3.

Which of the following goals is MOST important to a system-development project?

A.

The system to be developed makes the most efficient use of current IT resources.

B.

The system to be developed does not compromise the security of existing systems and controls.

C.

The system to be developed meets organizational goals and objectives.

D.

The system to be developed is approved by the project feasibility committee.


A3:

Answer: C. A primary high-level goal for an auditor who is reviewing a system-development project is to ensure that business objectives are achieved. This objective guides all other systems-development objectives.

4.

When analyzing and developing a new system, when should security first be considered?

A.

During the feasibility study of the proposed system

B.

During the development of the software project's functional specifications

C.

During user acceptance testing

D.

During the system development


A4:

Answer: B. Application controls should be considered as early as possible in the system-development process, even in the development of the project's functional specifications. Success of all other phases relies upon proactive security controls planning.

5.

An IS auditor is reviewing an organization's change-development process and finds that the development calls for using fourth-generation programming languages (4GLs). Which of the following statements is NOT true regarding 4GLs?

A.

4GLs provide extensive lower-level detail commands necessary to perform data-intensive or online operations.

B.

4GLs can use simple language subsets, which can be utilized by lesser-skilled users.

C.

4GLs make extensive use of object-oriented programming concepts.

D.

4GLs are often platform portable.


A5:

Answer: A. Fourth-generation languages (4GLs) are most appropriate for designing the application's graphical user interface (GUI). They are inappropriate for designing any intensive data-calculation procedures. All other statements are true.

6.

Within the Software Capability Maturity Model, Level 3, "Defined" best describes which of the following?

A.

Develop and apply quantitative managed control over software-development processes.

B.

Management processes are established to oversee the project to plan and track cost, schedule, and functionality. Successfully defined and applied processes can be repeated on another project of similar size and scope.

C.

The organization improves upon managed development by implementing continuous process-improvement strategies facilitated by innovative solutions and state-of-the-art technologies.

D.

Repeatable processes are used to develop a standard software-development process across the organization.


A6:

Answer: D. A standard software-development process is included within Level 3 (Defined) of the software capability maturity model (CMM). Answer A describes CMM phase 4, "Managed." Answer B describes CMM phase 2, "Repeatable." Answer C describes CMM phase 5, "Optimized."

7.

An organization's software-development projects are planned according to formal Software Development Life Cycle (SDLC) processes. In which of the following phases would the software-development project's baselines and scope be established?

A.

Feasibility

B.

Requirements definition

C.

Design

D.

Development

E.

Implementation


A7:

Answer: C. Although all answers are valid SDLC phases, procedures to prevent scope creep are baselined in the design phase of the systems-development life cycle (SDLC) model.

8.

In planning a new software-application development project, function point analysis (FPA) can be used to understand the potential size of a projected application. Which of the following best describes how FPA works?

A.

Based upon the number of function lines of source code, FPA can estimate the size of a software application.

B.

Based upon the number of functional intersections of source code design, FPA can estimate the size of a software application.

C.

Based upon the number of function application calls within an application, FPA can estimate the size of a software application.

D.

Based upon the number and complexity of inputs and files that a user interacts with, FPA can estimate the size of a software application.


A8:

Answer: D. Function point analysis (FPA) provides an estimate of the size of an information system based on the number and complexity of a system's inputs, outputs, and files. All other answers are misleaders.

9.

When assessing the potential scope of an application-development project, which of the following provides the most reliable estimate of the size of an information system?

A.

Critical path analysis

B.

Function point analysis

C.

Program evaluation review technique

D.

Rapid application development


A9:

Answer: B. A function point analysis (FPA) is a reliable technique for estimating the scope and cost of a software-development project. PERT is used in both the planning and control of projects for network management. RAD is a methodology that enables organizations to develop strategically important systems more quickly and to reduce development costs. Critical path analysis is a process for finding the shortest project duration by optimizing utilization of project resources.

10.

When auditing software change-control practices, which of the following is considered MOST important to the IS auditor?

A.

Change requests are well documented with thorough specifications.

B.

Change requests provide need justification.

C.

Appropriate business process user approval is obtained before change implementation.

D.

Business process users are informed about the change before implementation.


A10:

Answer: C. Although all answers are recognized as good practices, the IS auditor is primarily concerned with having the change properly evaluated and approved by business process users before implementation.



Exam Cram 2. CISA
ISBN: B001EEFNHG
EAN: N/A
Year: 2005
Pages: 146
