SALEM Branch of SIRC of
The Institute of Chartered Accountants of India
Virtual Refresher Course for DISA
Day 3
ICAI Information Systems Audit 3.0 Course
Wednesday | 21st JULY 2021 | 05:00 PM to 06:00 PM | www.3spro.blogspot.com
CA Dr GOPAL KRISHNA RAJU FCA, ACMA, ACS, PGDOR, PGDFM, DISA
Chartered Accountant, Insolvency Professional & Registered Valuer
Chairman, Valuation Standards Board, AIIOVF (RVO Recognised by IBBI)
Pointers
• ISA 3.0 (new syllabus) is an enriched version of ISA 2.0
(old syllabus); the two need not be treated as distinct.
• Read the ICAI Study Material minimum 2 - 3 times for
getting clarity and confidence
• Exam Preparation Tip: Practice eliminating the three
choices by reasoning
• All references made in this material are based on the
following BGM of ICAI – Module 3 - SDLC
https://resource.cdn.icai.org/60972daab49637bgmisa-mod2.pdf
[email protected] | www.3spro.blogspot.com
ISA 2.0 (with weightage) and 3.0

ISA 2.0 modules (weightage):
18% Primer on Information Technology, IS Infrastructure and Emerging Technology
12% Information Systems Assurance Services
12% Governance and Management of Enterprise Information Technology, Risk Management and Compliance Reviews
18% Protection of Information Systems Infrastructure and Information Assets
12% Systems Development: Acquisition, Maintenance and Implementation
6% Business Continuity Management
12% Business Applications Software Audit
10% Project Report

ISA 3.0 modules:
• Information Systems Process Audit
• Governance and Management of Enterprise Information Technology, Risk Management, Compliance and Business Continuity Management
• System Development, Acquisition, Implementation and Maintenance Application System Audit
• Information Systems Operations and Management
• Protection of Information Assets
• Emerging Technologies
Module 3
Systems Development, Acquisition, Implementation
and Maintenance Application Systems Audit
3.1 Project Management for SDLC
3.2 SDLC – Need, Benefits and Phases
3.3 Software Testing & Implementation
3.4 Application Controls
Effective software project management focuses on the four P’s: people, product, process, and project. The
order is not arbitrary.
• The manager who forgets that software engineering work is an intensely human endeavour will never
have success in project management.
• A manager who fails to encourage comprehensive stakeholder communication early in the evolution of a
product risks building an elegant solution for the wrong problem.
• The manager who pays little attention to the process runs the risk of inserting competent technical
methods and tools into a vacuum.
• The manager who embarks without a solid project plan jeopardizes the success of the project.
1. Who among the following is responsible for the
ongoing facilitation of an SDLC project?
a) Project Sponsor
b) Project Manager
c) Steering Committee
d) Board of Directors
Page 16; Para 1.9.2
An IT project manager is responsible for overseeing an organization's IT department and managing teams to
execute IT projects on time and within budget.
Some of the duties of an IT project manager include: setting project goals and creating plans to meet them;
managing resources, including the team, equipment, etc.
2. A Multi-National organization has decided to
implement an ERP solution across all geographical
locations. The organization shall initiate a:
a) Project
b) Program
c) Portfolio
d) Feasibility study
Page 85; Para 3.8.1
3. Which of the following primarily helps a Project
Manager mitigate the risk associated with a
change in scope of a software development project?
a) Change Management Process
b) Use of Prototyping
c) Revising Effort Estimates
d) Baselining requirements
Page 11; Para 1.7
4. Monitoring which of the following aspects of an
SDLC project will help the organization in benefit
realization over a sustained period of time?
a) Quality
b) Budget
c) Schedule
d) Methodology
Page 15; Para 1.8
Function Point Analysis (FPA)
• The function point is a "unit of measurement" to
express the amount of business functionality
an information system (as a product) provides to a user.
• Function points are used to compute a functional size
measurement (FSM) of software. The cost (in dollars or
hours) of a single unit is calculated from past projects.
5. Which of the following tools and techniques
primarily helps in improving the productivity of SDLC
project team members?
a) Use of Standard Methodology
b) Software Sizing using FPA
c) Developers’ Workbench
d) Appropriate HR Policies
Page 21; Para 1.10
6. While performing mid-term review of SDLC
project, the IS Auditor primarily focuses on:
a) Project Risk Management Process
b) Adherence to the schedule
c) Reviewing minutes of Steering Committee Meeting
d) Cost Management is as per budget
Page 13; Para 1.7.3
7. A Project Manager's main responsibility in a
project meant to create a product is:
a) Ensuring it is high grade
b) To pack exciting features in the product
c) Ensuring it is high quality
d) Creating a product within allocated cost and
schedule
Page 13; Para 1.7.3
8. The Project Manager should be able to fulfill the
role of:
a) An Integrator
b) A Functional Manager
c) A Line Manager
d) A Sponsor
Page 13; Para 1.7.3
The project manager integrates the project as a whole, meaning that he or she unifies the various aspects and
processes of initiating, planning, executing, monitoring, controlling and closing it.
9. The most successful Project Manager usually:
a) Works his/her way up from Assistant in the project office to
full-fledged Project Manager, supplementing that experience
with formal education.
b) Comes right from Harvard's MBA program into managing very
large projects.
c) Is the Technical Expert.
d) Has considerable experience as a Functional Manager before
moving into the Project Management arena.
Page 13; Para 1.7.3
• Software is developed or engineered; it is not manufactured in the classical sense.
• Software doesn’t “wear out.”
• Although the industry is moving toward component-based construction, most software
continues to be custom built.
10. SDLC primarily refers to the process of:
a) Developing IT based solution to improve business
service delivery.
b) Acquiring upgraded version of hardware for
existing applications.
c) Redesigning network infrastructure as per service
provider’s needs.
d) Understanding expectations of business managers
from technology.
11. Organizations should adopt programming /
coding standards mainly because it:
a) Is a requirement for programming using High Level
Languages.
b) Helps in maintaining and updating System
Documentation.
c) Is required for the Security and Quality Assurance
function of SDLC.
d) Has been a globally accepted practice of large
organizations.
12. An organization decided to purchase a
configurable application product instead of
developing one in-house. The outcome of which of the
following SDLC phases helps the organization in this
decision?
a) Requirement Definition
b) Feasibility Study
c) System Analysis
d) Development Phase
13. In which of the following SDLC phases must
controls for security be considered FIRST?
a) Requirements Definition
b) Feasibility Study
c) System Design
d) Implementation
14. An IS Auditor has been part of an SDLC project team.
Which of the following situations does not prevent
the IS Auditor from performing a post-implementation
review? The IS Auditor has:
a) Designed the Security Controls.
b) Implemented Security Controls.
c) Selected Security Controls.
d) Developed Integrated Test facility.
15. An organization has implemented an IT based
solution to support a business function. Which of the
following situations indicates the need to initiate an
SDLC project?
a) Vendor has launched a new hardware which is faster.
b) Organization has unused surplus budget for IT.
c) Regulators have requested additional reports from
business.
d) Competitor has launched an efficient IT based service.
16. A “Go or No Go” decision for SDLC project is
primarily based on:
a) Feasibility Study
b) Business Case
c) Budget Provision
d) Market Situation
Go / No-Go
The factors that determine whether a Go/No-Go check is carried out are:
Go/No-Go Drivers
• Type of Project
• Type of Product
• Project Lifecycle
• Corporate Constraints
• Regulations
A Go/No-Go decision is a formal check. Many projects have informal checks all the way
through them, but a Go/No-Go decision is a formal one.
For those of you who are familiar with the space program, it is like the countdown before launch: "Do we
push the final lift-off or go button?" You check with everybody: "Is all the work correct? Is it ready? Have we
verified that we are able to go?"
17. Which of the following is the primary reason for
organization to outsource the SDLC project? Non-
availability of:
a) Skilled Resources
b) Budgetary Approvals
c) Security Processes
d) Infrastructure
18. Which of the following is an example of
addressing a social feasibility issue in an SDLC
project?
a) Organization decides to use existing infrastructure.
b) Beta version of the application is made available to
users.
c) Configuration of purchased software requires more
cost.
d) Allowing employees to access social media sites.
Software Beta Version
• A pre-release of software that is given out to a large
group of users to try under real conditions.
• Beta versions have gone through alpha testing in-house
and are generally fairly close in look, feel and function to
the final product; however, design changes often occur
as a result.
19. Which of the following is not an indicator to
assess benefit realization for internal application
software developed in-house?
a) Increase in number of customers because of new
application.
b) Decrease in audit findings related to regulatory non-
compliance.
c) Reduced number of virus attacks after implementing new
software.
d) Increase in productivity of employees after implementation.
Benefits Realization Management (BRM) (also benefits management, benefits
realisation or project benefits management) is one of the many ways of managing how
time and resources are invested into making desirable changes.
Benefits Realization Management has four main definitions.
• The first definition is to consider benefits management as an organisational change
process. It is defined as "the process of organizing and managing, such that the
potential benefits arising from the use of IT are actually realized".
• The second definition perceives it as a process. Benefits management is defined by
the Association for Project Management (APM) as the identification, definition,
planning, tracking and realization of business benefits.
• The third definition is to apply this concept on project management level. Project
benefits management is defined as "the initiating, planning, organizing, executing,
controlling, transitioning and supporting of change in the organisation and its
consequences as incurred by project management mechanisms to realize predefined
project benefits".
• Finally, the last definition perceives benefits realization management as a set of
processes structured to close the gap between strategy planning and execution by
ensuring the implementation of the most valuable initiatives.
Verification: “Are we building the product right?”
Validation: “Are we building the right product?”
20. Which of the following is the main reason to
perform a User Acceptance Test (UAT)?
a) To train and educate users on features of new
solution.
b) To confirm from users that solution meets
requirements.
c) To complete formality of sign-off to mark end of
project.
d) To finalize the implementation plan for new IT
solution.
21. An organization has developed a web-based
application for the use of internal users to be
hosted on intranet. Before finalizing and making it
live it was decided to make it available to users for
providing feedback. This is an example of:
a) Internal Audit
b) Alpha Testing
c) Beta Testing
d) User Training
22. A major concern associated with using
sanitized old production data for testing new
application is that:
a) User may not provide sign off.
b) Production data may be leaked.
c) Integration testing cannot be performed.
d) All conditions cannot be tested.
23. A tester is executing a test to evaluate whether an
application complies with the user requirement
that a certain field be populated by using a
dropdown box containing a list of values. The tester is
performing:
a) White-Box Testing
b) Black-Box Testing
c) Load Testing
d) Regression Testing
24. What is the order in which test levels are
performed?
a) Unit, Integration, System, Acceptance
b) Unit, System, Integration, Acceptance
c) Unit, Integration, Acceptance, System
d) It depends on nature of a project
25. Which testing is concerned with the behaviour of the
whole product as per the specified requirements?
a) Acceptance Testing
b) Component Testing
c) System Testing
d) Integration Testing
26. Verifying whether software components
are functioning correctly and identifying the
defects in them is the objective of which level of
testing?
a) Integration Testing
b) Acceptance Testing
c) Unit Testing
d) System Testing
27. Which technique is applied for usability
testing?
a) White Box
b) Black Box
c) Grey Box
d) Combination of all
Grey-box testing is a combination of white-box testing and black-box testing. The aim of this testing is to
search for defects, if any, arising from improper structure or improper usage of applications.
Key Pointers
• SYSTEM TESTING is a level of testing that validates the complete and
fully integrated software product. The purpose of a system test is to
evaluate the end-to-end system specifications.
• UNIT TESTING is a type of software testing where individual units or
components of a software are tested. The purpose is to validate that
each unit of the software code performs as expected.
• Usability testing is a technique used in user-centered interaction
design to evaluate a product by testing it on users. This can be seen as
an irreplaceable usability practice, since it gives direct input on how
real users use the system.
Software Testing Steps
28. If a company decides to migrate from Windows
XP to Windows 7, which type of testing is done to
ensure that the software works on the new
platform?
a) Interoperability Testing
b) Portability Testing
c) Usability Testing
d) Performance Testing
Key Pointers
• Portability testing is the process of determining the degree of ease or
difficulty to which a software component or application can be
effectively and efficiently transferred from one hardware, software or
other operational or usage environment to another.
• Boundary testing is the process of testing at the extreme ends
or boundaries between partitions of the input values. These extreme
ends, such as Start-End, Lower-Upper, Maximum-Minimum and Just Inside-
Just Outside values, are called boundary values, and the testing is called
"boundary testing".
Testing Strategy
29. Boundary value analysis belongs to?
a) White Box Testing
b) Black Box testing
c) White Box & Black Box testing
d) None of the above
30. A company’s labour distribution report requires
extensive corrections each month because of
labour hours charged to inactive jobs. Which of
the following data processing input controls
appears to be missing?
a) Completeness Test
b) Valid Code Check
c) Limit Test
d) Control Total
Key Pointers
Code and cross-reference check
• Code and cross-reference validation includes operations to
verify that data is consistent with one or more possibly-external
rules, requirements, or collections relevant to a particular
organization, context or set of underlying assumptions.
• These additional validity constraints may involve cross-
referencing supplied data with a known look-up table or
directory information service such as LDAP.
• For example, a user-provided country code might be required to
identify a current geopolitical region.
31. A customer inadvertently orders part number
1234-8 instead of 1243-8. Which of the following
controls would detect this error during
processing?
a) Hash Total
b) Check Digit
c) Limit Check
d) Financial Batch Total
PAN is a ten-character unique alphanumeric number issued by the Income Tax Department. PAN is issued in the form of a
laminated plastic card (commonly known as PAN card). The last, i.e. the tenth, character is an alphabetic check
digit.
32. Which of the following is not an Application
Control?
a) Numerical Sequence Check
b) Access Security
c) Manual follow-up of Exception Reports
d) Chart of Accounts
33. Which of the following ensures completeness
and accuracy of accumulated data?
a) Processing Control Procedures
b) Data File Control Procedures
c) Output Controls
d) Application Controls
• Processing controls ensure the completeness and accuracy of accumulated data, viz., editing and run-
to-run totals.
• Data file control procedures ensure that only authorized processing occurs to stored data, viz.,
transaction logs.
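The labour-distribution scenario of question 30 and the processing controls of question 33, as an added example that is not from the study material: the job master, the batch lines and the 24-hour limit are constructed here. It shows why a valid-code check is the control that stops hours charged to inactive jobs, while a batch control total and a run-to-run total both still balance on the same batch.

```python
"""Input and processing controls over a constructed labour-distribution batch.
Added illustration for questions 30 and 33; the job master, batch lines and hour
limit are constructed for this example, not taken from the study material."""
from dataclasses import dataclass

# Constructed job master (job code -> active?): the source for a valid-code check.
JOB_MASTER = {"J100": True, "J200": True, "J300": False}   # J300 is inactive
MAX_HOURS_PER_LINE = 24.0                                  # constructed limit

@dataclass
class Line:
    employee: str
    job: str
    hours: "float | None"   # None models a field left blank on input

def completeness_test(line):
    return bool(line.employee) and bool(line.job) and line.hours is not None

def valid_code_check(line):
    # Rejects unknown AND inactive job codes: the control missing in question 30.
    return JOB_MASTER.get(line.job, False)

def limit_test(line):
    return line.hours is not None and 0 < line.hours <= MAX_HOURS_PER_LINE

INPUT_CONTROLS = (("completeness", completeness_test),
                  ("valid_code", valid_code_check), ("limit", limit_test))

def input_controls(lines):
    """Return {line index: [names of failed controls]} for rejected lines."""
    failures = {}
    for i, line in enumerate(lines):
        failed = [name for name, test in INPUT_CONTROLS if not test(line)]
        if failed:
            failures[i] = failed
    return failures

def control_total_check(lines, keyed_total):
    """Batch control total: hours read must equal the total keyed with the batch.
    It still passes when a line carries an inactive job code (question 30)."""
    return abs(sum(l.hours or 0.0 for l in lines) - keyed_total) < 1e-9

def distribute(accepted):
    """Processing step guarded by a run-to-run total (question 33): hours out by
    job must equal hours in from input validation. Returns (agree, hours_by_job)."""
    by_job = {}
    for l in accepted:
        by_job[l.job] = by_job.get(l.job, 0.0) + l.hours
    hours_in = sum(l.hours for l in accepted)
    return abs(sum(by_job.values()) - hours_in) < 1e-9, by_job

def process(lines):
    """Reject lines failing input controls, then distribute the rest."""
    failures = input_controls(lines)
    accepted = [l for i, l in enumerate(lines) if i not in failures]
    agree, by_job = distribute(accepted)
    return failures, agree, by_job

# Constructed batch: one good line, one inactive job, one over the limit, one blank.
SAMPLE_LINES = [Line("E1", "J100", 8.0), Line("E2", "J300", 8.0),
                Line("E3", "J200", 30.0), Line("E4", "J200", None)]
SAMPLE_KEYED_TOTAL = 46.0   # what the department wrote on the batch header
```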
34. An integrated test facility is considered a
useful audit tool because it:
a) Is a cost-efficient approach to auditing Application
Controls.
b) Enables the financial and IS Auditors to integrate
their audit tests.
c) Compares processing output with independently
calculated data.
d) Provides the IS Auditor with a tool to analyze a large
range of information.
Key Pointers
• Check digit is a form of redundancy check used for error detection on
identification numbers, such as bank account numbers, which are
used in an application where they will at least sometimes be input
manually. It is analogous to a binary parity bit used to check for errors
in computer-generated data.
• An integrated test facility (ITF) creates a fictitious entity in
a database to process test transactions simultaneously with live input.
ITF can be used to incorporate test transactions into a normal
production run of a system. Its advantage is that periodic testing does
not require separate test processes. However, careful planning is
necessary, and test data must be isolated from production data.
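Why a check digit (question 31 and the key pointer above) detects the transposition of 1234 into 1243, as an added example that is not from the study material: the material does not say which check-digit scheme the part numbers use, so a weighted modulus-11 scheme (the ISBN-10 style) is assumed, and the check digits computed here therefore differ from the "-8" in the question; an unweighted digit sum is shown beside it to show what a position-blind check misses.

```python
"""Transposition detection by a weighted check digit (question 31).

Added example, not from the study material. The part numbers' real scheme is
not stated, so a weighted modulus-11 check (ISBN-10 style) is assumed here and
an unweighted digit-sum check is shown beside it for contrast."""

def weighted_mod11_check(digits):
    """Weights run from len+1 down to 2. Swapping two adjacent digits a and b
    changes the weighted sum by (a - b), which is never a multiple of 11 for
    a != b, so every adjacent transposition is caught."""
    n = len(digits)
    total = sum(int(d) * (n + 1 - i) for i, d in enumerate(digits))
    c = (11 - total % 11) % 11
    return "X" if c == 10 else str(c)        # 'X' stands for 10, as in ISBN-10

def unweighted_check(digits):
    """Naive check: plain digit sum mod 10. Position-blind, so 1234 and 1243
    get the same check digit and the transposition goes undetected."""
    return str(sum(int(d) for d in digits) % 10)

def make_part_number(digits, scheme):
    return f"{digits}-{scheme(digits)}"

def is_valid(part_number, scheme):
    body, _, check = part_number.partition("-")
    return body.isdigit() and scheme(body) == check

def transposition_detected(digits, i, scheme):
    """Simulate keying digits i and i+1 in swapped order while the original
    check digit is carried along; True if the scheme rejects the result."""
    keyed = list(digits)
    keyed[i], keyed[i + 1] = keyed[i + 1], keyed[i]
    return not is_valid("".join(keyed) + "-" + scheme(digits), scheme)

if __name__ == "__main__":
    for scheme in (weighted_mod11_check, unweighted_check):
        print(scheme.__name__, make_part_number("1234", scheme),
              make_part_number("1243", scheme),
              "detected" if transposition_detected("1234", 2, scheme) else "missed")
```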
CA Dr GOPAL KRISHNA RAJU
Chartered Accountant, Insolvency Professional & Registered Valuer
Partner : K GOPAL RAO & CO | Chartered Accountants | Mumbai, Chennai, Bengaluru, Hyderabad, Trichy, Madurai & Tiruvallur
Email: [email protected] Blog: www.3spro.blogspot.com
Mobile: 98400 63269 | 98401 63269