Which of the following is MOST important for an IS auditor to determine during the detailed design phase of a system development project?
Correct Answer: A
Question 447
Which of the following is the BEST way to evaluate the effectiveness of access controls to an internal network?
Correct Answer: A
Section: The process of Auditing Information System
Question 448
An internal audit department recently established a quality assurance (QA) program. Which of the following activities is MOST important to include as part of the QA program requirements?
Correct Answer: B
Explanation: Ongoing monitoring of the audit activities is the most important activity to include as part of the quality assurance (QA) program requirements for an internal audit department. An IS auditor should perform regular reviews and evaluations of the audit processes, methods, standards, and outcomes to ensure that they comply with the QA program objectives and criteria. This helps to maintain and improve the quality and consistency of the audit services and deliverables. The other options are less important activities to include as part of the QA program requirements, as they involve long-term resource planning, user satisfaction reports, or feedback from internal audit staff. References: CISA Review Manual (Digital Version), Chapter 2, Section 2.6; CISA Review Questions, Answers & Explanations Database, Question ID 224
Question 449
An IS auditor learns that an in-house system development life cycle (SDLC) project has not met user specifications. The auditor should FIRST examine requirements from which of the following phases?
Correct Answer: C
Explanation: The quality assurance (QA) phase is the phase whose requirements the IS auditor should examine first when an in-house SDLC project has not met user specifications. In the QA phase the system is tested and verified against the user specifications and the design specifications to ensure that it meets the functional and non-functional requirements, as well as the quality standards and expectations. The QA phase involves various testing activities, such as unit testing, integration testing, system testing, acceptance testing, performance testing and security testing, to identify and resolve any defects, errors, or deviations from the specifications.

The configuration phase is not the phase to examine first. The configuration phase is where the system is installed and configured on the target environment (hardware, software, network, etc.) to prepare it for deployment and operation. It may involve installation, customization, migration and integration activities to ensure that the system is compatible and interoperable with the existing infrastructure and systems.

The user training phase is not the phase to examine first. The user training phase is where the end-users are trained and educated on how to use the system effectively and efficiently. It may involve developing training materials, conducting training sessions, and providing feedback and support, so that users are familiar and comfortable with the system features and functions.

The development phase is not the phase to examine first. The development phase is where the system is coded and built based on the design specifications and the user specifications. It may involve programming, debugging and documenting activities to create a working prototype or a final product of the system.
Question 450
The PRIMARY objective of Secure Sockets Layer (SSL) is to ensure:
Correct Answer: A
Explanation: SSL negotiates a session key that is used to encrypt and decrypt the transmitted data, thus ensuring its confidentiality. Although SSL allows the exchange of X.509 certificates to provide identification and authentication, that feature, along with choices C and D, is not the primary objective.