Digital Accounting and Assurance Board

The Institute of Chartered Accountants of India ISA 3.0

(Set up by an Act of Parliament)

Module - 3

System Development, Acquisition,

Implementation and Maintenance Application
System Audit

1
 Learning Objectives

 Evaluate whether proposed changes to information system are

meeting business objectives.
 Evaluate policies and practices about the organization’s project
management.
 Evaluate the effectiveness of controls at all stages of SDLC.
 Evaluate the process for migration of new system to the
production.
 Post implementation review of system to ensure that new
system met business requirement, controls and project
deliverables.
 Evaluate change management, configuration management,
release management and patch management.

2
 Chapter 1
Project Management for SDLC

3
Introduction

Project Management Framework

• Project Management Body of Knowledge (PMBOK®)
version 6, i.e. IEEE standard 1490 from the Project
Management Institute (PMI),
• Projects in a Controlled Environment (PRINCE2 6th
Edition) from the Office of Government Commerce
(OGC) in the UK, and the International Project
Management Association (IPMA).

4
Capability Maturity Model Integration (CMMI)

5
Key Concepts of Project Management
• Project Initiation
• Project Planning
• Project Execution
• Project Controlling and Monitoring
• Project Closing

6
 Program and Project Management and
Organization
• Portfolio/Program Management
• Program/Project Management Organization Forms

Portfolio/Program Management Program/Project Management

• Program scope Organization Forms
• Program financials (costs, resources,
cash flow, etc.) • Functional organization that is
• Program schedules influenced by the projects
• Program objectives and deliverables • Projectile organization
• Program context and environment • Matrix project organization
• Program communication and culture
• Program organization

7
Project Initiation
• Project Management Methodology
• Project Context and Environment
• Project Communication and Culture
• Project Objectives
• Project Management Practices

8
Project Planning

Project Controlling
• Management of Scope
• Resource Management
• Project Risk Management Standards and Methods
o PMBOK of PMI
o ISO/IEC 25010:2011
o ISO/IEC 25012:2008
o ISO/IEC 25023:2016

9
Project Risk Management Standards and
Methods
Project Planning Phase
• Plan Risk
• Identify Risk,
• Qualitative Analyses of Risks
• Quantitative Analysis of Risks
• Plan Risk Response

Project Monitoring Phase

• Control Risks

10
Project Risk Management Standards and
Methods

Risk in Project Management

Risk Management Process

• Identify Risk
• Assess and Evaluate Risk
• Manage Risk
• Monitor Risk
• Evaluate the Risk management

11
Project Closing
• Project deliverables are completed and are ready to be
implemented
• Project is suffering from Risk Materialization and has to be
terminated

12
Roles and responsibilities
Steering Committee Technology Specialist
Project Sponsor Systems Analyst
Project Manager Programmers/Developers
Senior Management Testers
Business Management Documentation Specialist
Systems Development Project Database Administrator (DBA)
Team
Business Function Data Administrator (DA)
Representatives/Domain
Specialists
Security Officer User Manager
Quality Assurance (QA) IS Auditor
13
SDLC Project Management Techniques and
Tools

• Computer-Aided Software Engineering (CASE) tools

o Code Generators
o Development Environments and
o Non-Procedural Languages
• Software Size Estimation
o Source Lines Of Code (SLOC)
o Function Point Analysis (FPA)

14
Project Controlling Tools and Techniques

• Project Evaluation Review Technique (PERT)

• Critical Path Method (CPM)
• Gantt Chart

15
 Summary

 Every project has unique success criteria based on the

expectations of stakeholders.
 The project sponsor is a key stakeholder who defines such
success criteria.
 Success criteria allow the Project Manager to focus on managing
risks that can affect desirable outcome and successful completion
of the project.

16
Practice Questions

17
1. Who among the following is responsible for ongoing
facilitation of a SDLC project?
A. Project Sponsor
B. Project Manager
C. Steering Committee
D. Board of Directors

A is the correct answer.

Project Sponsor is a stakeholder having maximum interest / stake
in the success of project and his primary responsibility is to
coordinate with various stakeholders for success of project.
Option B: Project Manager is responsible for executing the
project activities. Option C: Steering Committee monitors
project progress but is not ongoing activity. Option D: Board of
Directors provides direction.

18
2. A Multi-National organization has decided to
implement an ERP solution across all geographical
locations.The organization shall initiate a:
A. Project
B. Program
C. Portfolio
D. Feasibility study

B is the correct answer.

A program is concerned with the benefits received, from
implementing it, whereas project deals with specific deliverables.
The scope of the program is wider in comparison to the project.
The project works on a single functional unit, while
the program works on various functional units. A portfolio contains
both projects and programs and is managed by a portfolio manager.
Option D: Feasibility study either has been completed or shall be
initiated as part of program.
19
3. Which of the following primarily helps Project Manager
in mitigating therisk associated with change in scope of
software development project?
A. Change Management Process
B. Use of Prototyping
C. Revising Effort Estimates
D. Baselining requirements

D is the correct answer.

Scope Creep of continued changes in requirements during SDLC
project is most common risk. If not properly handled the project may
be delayed and benefit realization from the project shall be affected.
The Project Manager therefore, must freeze the scope by base-lining
requirements. Any change after base-lining shall follow. Option A:
Change Management process without base-lining may not help.
Project Manager may or may not. Option B: is used for freezing the
requirements. Option D: revised effort estimate are applicable after
change is approved. 20
4. Monitoring which of the following aspect of SDLC
project shall help organization in benefit realization
over sustained period of time?
A. Quality
B. Budget
C. Schedule
D. Methodology

A is the correct answer.

Quality is most important aspect for SDLC project, since it
minimizes errors that can impact operations. Options B, C and D
are of prior to monitoring phase.

21
5. Which of the following tools and techniques primarily
help in improving productivity of SDLC project team
members?
A. Use of Standard Methodology
B. Software Sizing using FPA
C. Developers’ Workbench
D. Appropriate HR Policies

C is the correct answer.

Automated tools help team in improving productivity as these tools
help in managing mundane and structure activities and developers can
focus on core activities. Developers’ workbench provides various
functions that help in improving productivity. Option A: Use of
standards help in following uniform methods and reducing rework.
Option B: Software Sizing is the main input parameter to cost
estimation models. Option D: HR policies may help in motivating
team but it is secondary. 22
6. While performing mid-term review of SDLC project,
the IS Auditor primarily focuses on:
A. Project Risk Management Process
B. Adherence to the schedule
C. Reviewing minutes of Steering Committee Meeting
D. Cost Management is as per budget

A is the correct answer.

Auditor should primarily focus on risk management that will
provide inputs on events that has impact on all aspects of
project. Options B, C and D help in confirming the findings
from review of Risk Management process.

23
7. A Project Manager's main responsibility in a project
meant to create a product is:
A. Ensuring it is high grade
B. To pack exciting features in the product
C. Ensuring it is high quality
D. Creating a product within allocated cost and schedule

C is the correct answer.

A Project Manager is responsible to ensure high quality in a way
that the final product meets the specifications and quality
benchmarks. Options A, B and C are not the main responsibility of
a Project Manager.

24
8. The Project Manager should be able to fulfill the
role of:
A. An Integrator
B. A Functional Manager
C. A Line Manager
D. A Sponsor

A is the correct answer.

The Project Manager is responsible for collective project
success. The Project Manager integrates a project as a whole.
He/she unifies various aspects and processes of initiating,
planning, executing, monitoring, control and closure. Options
B,C and D is not the role of the Project Manager.

25
9. The most successful Project Manager usually:
A. Works his/her way up from Assistants in the project office to
full-fledged Project Managers, supplementing that experience
with formal education.
B. Comes right from Harvard's MBA program into managing
very large projects.
C. Are theTechnical Experts.
D. Have considerable experience as a Functional Manager before
moving into the Project Management arena.

A is the correct answer.

A Project Manager must have experience in working on projects
in various roles including the role of a Project Manager. Options
B, C and D are secondary aspect.

26
 Chapter 2
SDLC – Need, Benefits and Phases

27
Learning Objectives
• Traditional SDLC phases and overview of the main activities;
• Additional phases due to availability of outsourcing and
generic customizable software; and
• Steps added in different phases due to security requirements
(Secure SDLC or SSDLC).

28
SDLC
• Relevance of SDLC for Business Process Automation
• Need for SDLC
• Benefits of SDLC

29
Phases of SDLC
• Phase 1 – Feasibility Study – Gap Analysis
• Phase 2 – Requirement Analysis
• Phase 3a – System Analysis
• Phase 3b – System Design
• Phase 4 – Development
• Phase 5 – Testing
• Phase 6 – Implementation
• Phase 7 – Maintenance

30
Types of SDLC Model
• Waterfall Model
• Incremental Model
• Software Engineering and Reverse Engineering
• Object Oriented Software Development
• Component Based Development
• Web-Based Application Development

Selection of SDLC Model

• Assess the needs of Stakeholders
• Define the criteria – size, technology, complexity

31
New Development Iterative Model
• Prototyping Methodology
• Spiral Model
• Rapid Application Development
• Agile Software Development Methodology

32
• DevOps: integration of development and
operations processes

• DevSecOps: building security into app

development from end to end
•
• Secure SDLC: OWASP top 10, Threat modelling

33
 Summary

 SDLC is an essential aspect of automating business processes

using InformationTechnology.
 Controlling SDLC process helps organizations in mitigating risks
associated with implementation and use of IT.
 An IS Auditor must be aware of phases and key steps of each of
the SDLC phases.

34
Practice Questions

35
1. SDLC primarily refers to the process of:
A. Developing IT based solution to improve business service
delivery.
B. Acquiring upgraded version of hardware for existing
applications.
C. Redesigning network infrastructure as per service provider’s
needs.
D. Understanding expectations of business managers from
technology.

A is the correct answer.

SDLC primarily focuses on identifying IT based solution to
improve business processes delivering services to customers.
Other activities may be part of SDLC however, these are IT
projects not SDLC projects.

36
2. Organizations should adopt programming/coding
standards mainly because, it:
A. Is a requirement for programming using High Level
Languages.
B. Helps in maintaining and updating System Documentation.
C. Is required for Security and Quality Assurance function of
SDLC.
D. Has been globally accepted practice by large organizations.

C is the correct answer.

Adopting coding standards helps organization in ensuring
quality of coding and in minimizing the errors. It also helps in
reducing obvious errors which may lead to vulnerabilities in
application. A is not true since it is required for all languages; B
is partially true but is not main reason. D is not main reason.
37
3. An organization decided to purchase a configurable
application product instead of developing in-house.
Outcome of which of the following SDLC phase helped
organization in this decision?
A. Requirement Definition
B. Feasibility Study
C. System Analysis
D. Development Phase

B is the correct answer.

Make or buy decision is the outcome of feasibility study where
technical, economical and social feasibilities are considered.
Option A is a statement that indicates what a system needs to do in
order to provide a capability. Options C and D are the phases of
developing a software.
38
4. In which of the following phases of SDLC, controls for
security must be considered FIRST?
A. Requirement Definition
B. Feasibility Study
C. System Design
D. Implementation

A is the correct answer.

Security requirements must be considered during requirement
definition. Option B is a phase in which technical, economical and
social feasibilities are considered. Option C is the phase during
which, the nature of controls to be implemented for security must
be considered first. This will ensure that necessary security
controls are built while developing application.

39
5. IS Auditor has been part of SDLC project team. Which
of the following situation does not prevent IS Auditor
from performing post implementation review? The IS
Auditor has:
A. Designed the Security Controls.
B. Implemented Security Controls.
C. Selected Security Controls.
D. Developed Integrated Test facility.

D is the correct answer.

Active role of IS Auditor in design and development of controls
affects the independence. Hence, IS Auditor cannot perform
review or audit of the application system. However, developing
integrated test facility within the application is not a control, but a
facility to be used by auditors in future. Hence, this does not
impact independence of IS auditor. Options A, B and C affect
independence of an IS Auditor. 40
6. An organization has implemented an IT based
solutions to support business function. Which of the
following situation shall indicate the need to initiate
SDLC project?
A. Vendor has launched a new hardware which is faster.
B. Organizations has unused surplus budget for IT.
C. Regulators have requested additional reports from business.
D. Competitor has launched an efficient IT based service.

D is the correct answer.

When a competitor launches new IT based efficient service, it
becomes necessary for management to consider the impact in
market place and in order to remain in competition organization
should provide similar or better services. Option A and C may not
require SDLC since it can be adopted with change management
process. B may help in deciding for D, but is not the reason for
initiating SDLC project. 41
7. A “Go or No Go” decision for SDLC project is
primarily based on:
A. Feasibility Study
B. Business Case
C. Budget Provision
D. Market Situation

B is the correct answer.

Business case is a document that narrates all aspect including
benefit realization, cost and effort estimates, outcome of
feasibility study, available budget. That helps management in
decision on the need of the SDLC project. Rest are secondary
aspects.

42
8. Which of the following is the primary reason for
organization to outsource the SDLC project? Non-
availability of:
A. Skilled Resources
B. Budgetary Approvals
C. Security Processes
D. Infrastructure

A is the correct answer.

Non availability of skilled resources required for application
development is primary reason for outsourcing the SDLC project.
Other reasons can be addressed. i.e. (B) budget can be made
available; (C) security processes can be established. (D)
Infrastructure can be acquired, depending upon design of new
application and hence it is not a reason.

43
9. Which of the following is an example of addressing
social feasibility issue in SDLC project?
A. Organization decides to use existing infrastructure.
B. Beta version of the application is made available to users.
C. Configuration of purchased software requires more cost.
D. Allowing employees to access social media sites.

B is the correct answer.

In order to ensure the acceptability by users, beta version of
solution is made available to users. Based on feedback changes are
made so that the solution can be socialized. Option A addresses
technical feasibility, Option C addresses economic feasibility.
Option D addresses IT policy that has nothing to do with SDLC.

44
10. Which of the following is not an indicator to assess
benefit realization for internal application software
developed in-house?
A. Increase in number of customers because of new application.
B. Decrease in audit findings related to regulatory non-
compliance.
C. Reduced number of virus attacks after implementing new
software.
D. Increase in productivity of employees after implementation.

C is the correct answer.

Since the application is for internal use and developed in house it
has nothing to do with reduction in virus attacks. This can be
benefit realization for anti-virus solution.

45
 Chapter 3
Software Testing and Implementation

46
Importance of Software Testing

Methods of Software Testing

• Black-Box Testing
• White-Box Testing
• Grey-Box Testing

47
Comparison of Testing Methods
Black-Box Testing Grey-Box Testing White-Box Testing
No Knowledge of Limited Knowledge of Complete Knowledge
internal workings internal workings of internal workings
Closed-Box, Data Translucent Testing Clear-Box, Structural
Driven or Functional or Code-based testing
testing
Performed by end Performed by end Performed by testers
users, testers and users, testers and and developers
developers developers
Based on external basis of high-level Tester can design test
expectations database diagrams and on the basis of internal
data flow diagrams and external working
exhaustive and the least Partly time-consuming The most exhaustive
time-consuming and exhaustive and time-consuming 48
Levels of Testing
• Functional Testing
• Non-Functional Testing

Strategies of Software Testing

• Different Test Approaches
• Factors to be Considered for Testing

49
Types of Software Testing

Unit Testing
• Functional Tests
o Positive Test
o Negative Test
• Performance Test
• Stress Test
• Structural Test
• Parallel Test

50
Types of Software Testing (Contd…)
• Static Testing
o Desk Check
o Structured Walk-through
o Code Inspection
• Load Testing
• Usability Testing
• Portability Testing
• Integration Testing
o Bottom-up Integration
o Top-down Integration

51
Types of Software Testing (Contd…)
• Regression Testing
• System Testing
o Recovery Testing
o Security Testing
o Stress or Volume Testing
o Performance Testing

52
Other Types of Software Testing
• Alpha Testing
• Beta Testing
• Automated Testing
• Integrated Testing
• Accreditation of Software
• Security Testing (Application scan or Penetration
testing)
• Final testing
• Quality Assurance Testing
• User Acceptance Testing

53
Implementation Strategies
• Cut-off or Direct Implementation / Abrupt Change-Over
• Phased Changeover
• Pilot Changeover
• Parallel Changeover

54
Preparing for Implementation
• Site preparation and hardware installation
• Conversion of data to the new system files;
• Training of end users;
• Completion of user documentation;
• System changeover
• Post implementation review and evaluation

55
Conversion
• Data Conversion
• Procedure Conversion
• System Conversion
• Scheduling Personnel and Equipment

56
Change Management Process
• Emergency Changes
• Implementing Changes into Production
• Segregation of Duties
• Configuration Management

57
 Summary

 Testing is a process that focuses on correctness, completeness

and quality of developed computer software.
 Testing should systematically uncover different classes of errors
in a minimum amount of time with a minimum amount of
efforts
 The data collected through testing can also provide an indication
of the software's reliability and quality.
 However, testing cannot show the absence of defect, it can only
show that software defects are present.

58
Practice Questions

59
1. Which of the following is main reason to perform
User Acceptance Test (UAT)?
A. To train and educate users on features of new solution.
B. To confirm from users that solution meets requirements.
C. To complete formality of sign-off to mark end of project.
D. To finalize the implementation plan for new IT solution.

B is the correct answer.

UAT is mainly conducted to confirm from the users and
application owners that application meets their requirements.
Option C is a formality to be completed only if requirements are
met. Training and implementation planning are different activities
which are not dependent on UAT.
60
2. An organization has developed a web based
application for the use of internal users to be hosted on
intranet. Before finalizing and making it live it was
decided to make it available to users for providing
feedback.This is an example of:
A. Internal Audit
B. Alfa Testing
C. Beta Testing
D. User Training

C is the correct answer.

Beta testing is making product available to users for feedback
before launching. Option A Internal Audits seek to identify any
shortcomings in a company's internal controls. Option B Alpha
Testing is performed by the developers to identify bugs before
releasing the product to real or intended users. Option D User
Training helps successful system implementation. 61
3. A major concern associated with using sanitized old
production data for testing new application is that:
A. User may not provide sign off.
B. Production data may be leaked.
C. Integration testing cannot be performed.
D. All conditions cannot be tested.

D is the correct answer.

Sanitized data generally may not cover all paths the data can take
and hence system cannot be tested for all possible cases. Option B
leakage of production data is not a major concern since data is
sanitized. Options A and C are not concerns.

62
4. A tester is executing a test to evaluate that it complies
with the user requirement that a certain field be
populated by using a dropdown box containing a list of
values.Tester is performing __________
A. White-Box Testing
B. Black-Box Testing
C. Load Testing
D. RegressionTesting

B is the correct answer.

Black Box testing focuses on the inputs and outputs without
knowing their internal code implementation. Option A White Box
testing evaluates the code and the internal structure of a program.
Option C Load Testing is performed to determine a system's
behaviour under both normal and at peak conditions. Option D
Regression Testing is defined as a type of software testing to confirm
that a recent program or code change has not adversely affected
existing features. 63
5. What is the order in which test levels are performed?
A. Unit, Integration, System, Acceptance
B. Unit, System, Integration, Acceptance
C. Unit, Integration, Acceptance, System
D. It depends on nature of a project

D is the correct answer.

Test levels can be combined or reorganized depending upon
nature of a project or system architecture. Unit testing refers to
test a function, individual program or even a procedure.
Integration Testing allows individuals to find interface defects
between the modules/functions. System Testing is the first level
in which the complete application is tested as a whole.
Acceptance Testing (or User Acceptance Testing) determines
whether the system is ready for release.
64
6. Which testing is concerned with behavior of whole
product as per specified requirements?
A. Acceptance Testing
B. ComponentTesting
C. System Testing
D. Integration Testing

C is the correct answer.

System Testing is based on Functional Requirement Specification
(FRS), which tells about general behavior of a system. Acceptance
testing (or User Acceptance Testing) determines whether the
system is ready for release. Component Testing, also known as
Unit, Module or Program Testing, is defined as a software testing
type, in which the testing is performed on each individual
component separately without integrating with
other components. Integration testing allows individuals to find
interface defects between the modules/functions. 65
7. Verifying that whether software components are
functioning correctly and identifying the defects in
them is objective of which level of testing?
A. Integration Testing
B. Acceptance Testing
C. Unit Testing
D. System Testing

C is the correct answer.

Separately testable components are tested in Unit Testing or
Component Testing. A Unit Testing tends to test a function,
individual program or even a procedure. Option B Acceptance
Testing (or User Acceptance Testing) determines whether the
system is ready for release. Option A Integration Testing allows
individuals to find interface defects between the
modules/functions. Option D System Testing is the first level in
which the complete application is tested as a whole. 66
8. Which technique is applied for usability testing?
A. White Box
B. Black Box
C. Grey Box
D. Combination of all

B is the correct answer.

Usability Testing is mostly done by users. They are not
familiar with internal structure of the system and hence
Black Box technique is correct answer. Option A White
Box testing evaluates the code and the internal structure of
a program. Option C Grey Box testing is a process for
debugging software applications by making an input through
the front-end, and verifying the data on the back-end.
Option D does not exist.
67
9. If a company decides to migrate from Windows XP to
Windows 7, which type of testing is done to ensure
whether your software works on new platform?
A. InteroperabilityTesting
B. PortabilityTesting
C. UsabilityTesting
D. PerformanceTesting

68
B is the correct answer.
Portability Testing shows the ease with which a computer software
component or application can be moved from one environment to
another, e.g. moving of any application from Windows XP to Windows 7.
Option A Interoperability testing checks whether software can inter-
operate with other software component, softwares or systems. Option C
Usability Testing, is a non-functional testing technique that is a measure
of how easily the system can be used by end users. Option D
Performance Testing is the process of determining the speed,
responsiveness and stability of a computer, network, software program
or device under a workload.

69
10. Boundary value analysis belongs to?
A. White Box Testing
B. Black Box testing
C. White Box & Black Box testing
D. None of the above

B is the correct answer.

Boundary Value Analysis is based on testing at the boundaries
between partitions and checks the output with expected output.
Option A White Box testing evaluates the code and the internal
structure of a program. Option C also known as Grey Box
testing is a process for debugging software applications by
making an input through the front-end, and verifying the data on
the back-end. Option D is not applicable.

70
 Chapter 4
Application Controls

71
Application Control
• Logical access controls
• Data entry/field validations
• Business rules
• Field entries being enforced based on predefined values
• Work flow rules
• Work steps being enforced based on predefined status
transitions Reconciliations
• Review and follow-up of application-generated exception
reports
• Automated activity logs
• Automated calculations
• Management and audit trails

Features and Benefits of Application Control

72
Types of Application Controls
• Input Controls
• Processing Controls
• Output Controls

Business Process Control Assurance

73
 Application Control Objectives

Control Objectives Control criteria

• Completeness • Effectiveness
• Accuracy • Efficiency
• Validity • Confidentiality
• Authorization • Integrity
• Segregation of Duties • Availability
• Compliance
• Reliability

74
• Designs and Implementation of
Application Controls

• Application Controls and the System

Development Life Cycle

75
Business Processes and Application Controls

76
Business Risks and Information Processing
• Incomplete and/or inaccurate information
processing
• Invalid or unauthorized transactions being
processed
• Unauthorized changes to standing data
• Bypasses, overrides, manual entries that circumvent
controls
• Inefficiencies
• Loss of confidentiality
• Unavailability of information
• Lack of integrity

77
Application Controls Assurance

• Financial Statement Audit Opinion

• Internal Audit Report on review of a given business
process
• ISO 27001 Accreditation
• Service Auditor Reports
• Management Assertion on Internal Controls as required
by Sarbanes-Oxley Section 404
• CIO ‘Sub-Certification to the Chief Financial Officer
(CFO)/CEO as to the reliability of IT general controls

78
Assurance over Application Controls
Materiality
• Factor in determining the amount of evidence
necessary to support the assurance provider’s
conclusion
• Measure of the significance of a finding
relative to the subject matter

Audit risk
• Detection Risk
• Inherent Risk
• Control Risk

79
 Summary

 Application Control may consist of edit tests, totals,

reconciliations and identification and reporting of
incorrect, missing or exception data.
 Automated controls should be coupled with manual
procedures to ensure proper investigation of exceptions.
 These controls help ensure data accuracy, completeness,
validity, verifiability, and consistency, thus achieving data
integrity and data reliability.

80
Practice Questions

81
1. A company’s labour distribution report requires
extensive corrections each month because of labour
hours charged to inactive jobs. Which of the following
data processing input controls appears to be missing?
A. CompletenessTest
B. Valid Code Check
C. LimitTest
D. ControlTotal

B is the correct answer.

It may check the validity and concurrency of the job code. Option A
is used for checking the integrity of the data. Option C is used for
keeping input up to a certain limit and option D is a figure
calculated by the system, adding the values in one of the fields in a
segment.This field is called the control totals key figure field.

82
2. A customer inadvertently orders part number
1234-8 instead of 1243-8. Which of the following
controls would detect this error during processing?
A. Hash Total
B. Check Digit
C. Limit Check
D. Financial Batch Total

B is the correct answer.

It checks the transposition of the digits. Option A is used for
checking the integrity of the data. Option C is used for
keeping input up to a certain limit and option D is used to
check the integrity of all records.

83
3. Which of the following are not Application
Controls?
A. Numerical Sequence Check
B. Access Security
C. Manual follow-up of Exception Reports
D. Chart of Accounts

B is the correct answer.

Access Security is not part of application domain. However
options A, C and D are part of the Application Controls.

84
4. Which of the following ensures completeness and
accuracy of accumulated data?
A. Processing Control Procedures
B. Data File Control Procedures
C. Output Controls
D. Application Controls

A is the correct answer.

Processing controls ensure the completeness and accuracy of
accumulated data, for example, editing and run-to-run totals.
Option B data file control procedures ensure that only authorized
processing occurs to stored data, for example, transaction logs.
Option C output controls ensure that data delivered to users will be
presented, formatted and delivered in a consistent and secure
manner, for example, using report distribution. Option D
"Application Controls" is a general term comprising all kinds of
controls used in an application. 85
5. An integrated test facility is considered a useful audit
tool because it:
A. Is a cost-efficient approach to auditing Application Controls.
B. Enables the financial and IS Auditors to integrate their audit tests.
C. Compares processing output with independently calculated data.
D. Provides the IS Auditor with a tool to analyze a large range of
information.

C is the correct answer.

Integrated test facility compares processing output with
independently calculated data. Explanation: An integrated test facility
is considered a useful audit tool because it uses the same programs to
compare processing using independently calculated data. This
involves setting up dummy entities on an application system and
processing test or production data against the entity as a means of
verifying processing accuracy. Option A, B and D are not the
dimensions of integrated test facility. 86
? Questions

87
Thank You

88