Thursday, April 2, 2026

Mock test on Internal Control, Governance, Accounting Information Systems, Technology and Data Analytics

 


GMSi Gmsisuccess <gmsi2022cia@gmail.com>

RAPID FIRE MOCK TEST: CASE-BASED QUESTIONS ON INTERNAL CONTROL, GOVERNANCE AND AIS

GMSi Gmsisuccess <gmsi2022cia@gmail.com>Thu, Apr 2, 2026 at 9:00 AM
To: GMSi Gmsisuccess <gmsi2022cia@gmail.com>

Case-based questions and answers focused on Internal Control, Corporate Governance, Risk Assessment, and Technology/Data Analytics, based on real-world scenarios and professional auditing standards. 

Case 1: Fraud and Internal Control Failure (Procurement) 

Scenario: GlobalTech Solutions suffered a significant financial loss due to a procurement fraud perpetrated by a Senior Procurement Manager. The manager created fictitious vendors and approved payments over two years. An audit revealed that the manager was responsible for both vendor onboarding and payment approval. The company had no continuous monitoring system to detect duplicate payments or unusual vendor patterns. 

• Q1.1: What are the primary internal control weaknesses in this scenario?

  • Answer: (1) Lack of Segregation of Duties: The same individual was responsible for onboarding (authorization) and payment approval (custody/processing). (2) Inadequate Vendor Management Control: No independent verification of vendor legitimacy before adding to the Master Vendor File.

• Q1.2: Which Data Analytics tests could have detected this fraud earlier?

  • Answer: (1) Vendor-Employee Matching: Matching vendor bank accounts or addresses with employee personal data. (2) Duplicate Payment Analysis: Searching for identical amounts, invoice numbers, or payment dates within a short period. (3) Benford's Law Analysis: Testing for unnatural distribution of invoice amounts.

• Q1.3: How can the company remediate these control deficiencies?

  • Answer: (1) Segregate duties: Implement a policy where vendor creation is done by a different department than vendor payment. (2) Implement Continuous Control Monitoring (CCM) tools to run daily checks on payments. (3) Perform a thorough risk assessment on procurement risks.
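The vendor-employee matching and duplicate-payment tests from Q1.2, worked as an added Python example that is not part of the original mock test. The vendor master, employee master, payment ledger and the 30-day matching window are constructed assumptions.

```python
"""Procurement analytics: vendor-employee matching and duplicate-payment analysis.

Added example, not from the original mock test. All data below is constructed.
"""
import re
from collections import defaultdict
from datetime import date


def norm(text):
    """Normalise free text for matching: lowercase, drop punctuation and spaces."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


# Constructed vendor master file.
VENDORS = [
    {"id": "V100", "name": "Acme Supplies", "bank": "GB12-3456-7890", "addr": "12 High St, Leeds"},
    {"id": "V200", "name": "Northern Consulting Ltd", "bank": "GB99 8877 6655", "addr": "4 Mill Lane, York"},
    {"id": "V300", "name": "Delta Parts", "bank": "GB55-1122-3344", "addr": "9 Dock Rd, Hull"},
]

# Constructed employee master file (bank and address as held by HR/payroll).
EMPLOYEES = [
    {"id": "E1", "name": "P. Sharma", "bank": "GB99-8877-6655", "addr": "4 Mill Lane, York"},
    {"id": "E2", "name": "J. Okoro", "bank": "GB11-0000-0001", "addr": "7 Elm Ave, Leeds"},
]

# Constructed payment ledger.
PAYMENTS = [
    {"vendor": "V100", "invoice": "INV-0001", "amount": 1200.00, "date": date(2026, 1, 5)},
    {"vendor": "V100", "invoice": "INV-0001", "amount": 1200.00, "date": date(2026, 1, 20)},
    {"vendor": "V200", "invoice": "NC-77", "amount": 4990.00, "date": date(2026, 2, 1)},
    {"vendor": "V200", "invoice": "NC-78", "amount": 4990.00, "date": date(2026, 2, 4)},
    {"vendor": "V300", "invoice": "DP-5", "amount": 310.50, "date": date(2026, 2, 10)},
    {"vendor": "V300", "invoice": "DP-9", "amount": 310.50, "date": date(2026, 4, 10)},
]


def vendor_employee_matches(vendors, employees):
    """Vendors whose bank account or address equals an employee's after normalisation.

    Returns (vendor_id, employee_id, matched_field) tuples for follow-up by audit.
    """
    by_bank = {norm(e["bank"]): e["id"] for e in employees}
    by_addr = {norm(e["addr"]): e["id"] for e in employees}
    hits = []
    for v in vendors:
        if norm(v["bank"]) in by_bank:
            hits.append((v["id"], by_bank[norm(v["bank"])], "bank"))
        if norm(v["addr"]) in by_addr:
            hits.append((v["id"], by_addr[norm(v["addr"])], "address"))
    return hits


def duplicate_payments(payments, window_days=30):
    """Pairs of payments to the same vendor that share an invoice number, or share
    an amount and fall within `window_days` of each other.

    Returns (vendor_id, earlier_invoice, later_invoice) tuples.
    """
    by_vendor = defaultdict(list)
    for p in payments:
        by_vendor[p["vendor"]].append(p)
    pairs = []
    for vendor, items in by_vendor.items():
        items = sorted(items, key=lambda p: p["date"])
        for i, a in enumerate(items):
            for b in items[i + 1:]:
                same_invoice = a["invoice"] == b["invoice"]
                same_amount_close = (a["amount"] == b["amount"]
                                     and (b["date"] - a["date"]).days <= window_days)
                if same_invoice or same_amount_close:
                    pairs.append((vendor, a["invoice"], b["invoice"]))
    return pairs


if __name__ == "__main__":
    for hit in vendor_employee_matches(VENDORS, EMPLOYEES):
        print("vendor/employee match:", hit)
    for pair in duplicate_payments(PAYMENTS):
        print("possible duplicate payment:", pair)
```

The V300 pair is only flagged when the window is widened, which shows why the window is an analyst's judgement rather than a fixed rule.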



Case 2: IT Governance and Cybersecurity Risk

Scenario: Pinnacle Bank experienced a major data breach exposing customer financial information. It was found that a previous risk assessment identified vulnerabilities in the security system, but these were not addressed due to resource constraints. The Board of Directors had not reviewed IT security risks in the past 18 months. 


• Q2.1: Identify the failures in the bank's governance structure.

  • Answer: (1) Weak Oversight: The Board failed to monitor IT risks effectively. (2) Ineffective Risk Management: The risk assessment process was not followed by remedial action.

• Q2.2: What are the key elements of a robust IT Governance framework?

  • Answer: (1) Alignment of IT strategy with business objectives. (2) Clear policies and accountability for risk management. (3) Regular monitoring and reporting of security breaches and threats. (4) Dedicated Risk Committee.

• Q2.3: How can AI enhance this company's risk mitigation efforts?

  • Answer: AI can be used to simulate cyber-attacks (penetration testing), analyze network behavior in real time for anomalies, and automate compliance checks with data protection laws.



Case 3: Data Analytics in Auditing (Inventory)

Scenario: An auditor is assessing the valuation of inventory for a client with over 100,000 SKUs across 50 locations. Historically, physical inventory counts at year-end are rushed, leading to inaccurate records. 

• Q3.1: How can the auditor use data analytics to replace traditional sampling for inventory?

  • Answer: The auditor can analyze the entire population of inventory data rather than just a sample. This includes checking for negative quantities, extreme high/low unit costs, and identifying items with no movement over a long period (slow-moving inventory).

• Q3.2: What specific analysis helps detect potential overstatement of inventory?

  • Answer: (1) Disaggregated analysis of inventory: Comparing inventory quantities in the current period with prior periods by class, location, or SKU. (2) Comparing Perpetual Records to Physical Counts: Using data analytics to match the two datasets and identify discrepancies.



Case 4: Risk Management & Corporate Governance (Fintech Startup)

Scenario: FintechPay, a rapidly growing P2P mobile payment startup, has experienced several compliance failures. The company focuses heavily on growth and has delayed the hiring of a Chief Risk Officer (CRO) and an Internal Audit team.

• Q4.1: As an external consultant, what is the most critical risk that needs to be addressed?

  • Answer: Compliance Risk & Regulatory Non-compliance. Fintech companies face stringent regulations regarding Know Your Customer (KYC), Anti-Money Laundering (AML), and data protection. Failure can lead to shutdown.

• Q4.2: How should the board of FintechPay structure its risk management?

  • Answer: (1) Establish a dedicated Risk Management Committee that reports directly to the board. (2) Implement a Risk-Based Internal Audit (RBIA) approach, focusing on key risks like cybersecurity and transaction monitoring.

• Q4.3: Mention a key control to be added to their P2P payment app.

  • Answer: Real-time transaction monitoring AI that flags unusual peer-to-peer transfers or high-volume transactions to prevent fraudulent activities.



Key Takeaways for Case Studies

• Internal Control (IC): Focus on segregation of duties, authorization, and safeguarding assets.

• Governance: Focus on board oversight, transparency, and accountability.

• Risk Assessment: Identify, analyze, and mitigate (Probability × Impact).

• Technology/Data Analytics: Use data to move from detective controls (after the fact) to preventive/continuous controls.

🔷 CASE 1: INTERNAL CONTROL WEAKNESS (Revenue Fraud)

A company allows sales staff to approve credit sales, record transactions, and handle collections. Recently, large receivables became uncollectible.

🔹 MCQ

Q1. What is the primary internal control weakness?
A. Lack of documentation
B. Lack of segregation of duties
C. Lack of audit trail
D. Lack of authorization

✅ Answer: B
👉 Same person handling authorization, recording & custody → high fraud risk.

🔹 Assertion–Reason

Q2. Assertion (A): Segregation of duties reduces fraud risk.
Reason (R): It ensures one person handles all stages of transaction.

A. Both true
B. Both false
C. A true, R false
D. A false, R true

Answer: C
👉 Segregation means dividing duties, not combining them.

🔹 True/False WITH REASON

Q3. Internal controls are only necessary for large organizations.

 Answer: False
👉 Even small firms need controls.

🔹 Fill in the Blank

Q4. Separating authorization, custody, and recording is called ________.

 Answer: Segregation of duties

🔹 Odd Man Out

Q5. Identify the control element that does NOT belong:
A. Authorization
B. Custody
C. Recording
D. Profitability

 Answer: D
👉 Others are internal control components.

🔷 CASE 2: CORPORATE GOVERNANCE FAILURE

A listed company’s board is dominated by executive directors, and no independent audit committee exists. Financial misstatements go unnoticed.


🔹 MCQ

Q6. Which governance principle is violated?
A. Transparency
B. Accountability
C. Independence
D. Sustainability

 Answer: C
👉 Lack of independent oversight.

🔹 Assertion–Reason

Q7. Assertion: Independent directors improve governance.
Reason: They bring unbiased judgment.

A. Both true, R explains A
B. Both true, not explanation
C. A true, R false
D. A false, R true

 Answer: A

🔹 True/False WITH REASON

Q8. Audit committees should consist mainly of executive directors.

 Answer: False
👉 Should be independent.

🔹 Fill in the Blank

Q9. The audit committee ensures integrity of ________ reporting.

 Answer: Financial

🔹 Odd Man Out

Q10. Choose the non-governance element:
A. Board oversight
B. Risk management
C. Internal audit
D. Sales promotion

 Answer: D

🔷 CASE 3: RISK ASSESSMENT FAILURE

A bank fails to update its cybersecurity controls despite rising cyber threats, leading to data breaches.


🔹 MCQ

Q11. What type of risk is primarily involved?
A. Market risk
B. Credit risk
C. Operational risk
D. Liquidity risk

 Answer: C

🔹 Assertion–Reason

Q12. Assertion: Risk assessment should be continuous.
Reason: Business environment changes frequently.

A. Both true, R explains A
B. Both true, not explanation
C. A true, R false
D. A false, R true

 Answer: A

🔹 True/False

Q13. Risk assessment is a one-time activity.

 Answer: False

🔹 Fill in the Blank

Q14. Identifying and analyzing risks is part of ________ component of COSO.

 Answer: Risk Assessment

🔹 Odd Man Out

Q15. Identify non-risk element:
A. Identification
B. Analysis
C. Mitigation
D. Marketing

 Answer: D

🔷 CASE 4: TECHNOLOGY & DATA ANALYTICS

An auditor uses data analytics to identify duplicate payments and unusual transactions in procurement.


🔹 MCQ

Q16. What is the main benefit of data analytics?
A. Reduce audit scope
B. Improve audit quality
C. Eliminate internal control
D. Replace auditors

 Answer: B

🔹 Assertion–Reason

Q17. Assertion: Data analytics helps detect anomalies.
Reason: It analyzes entire data population.

A. Both true, R explains A
B. Both true, not explanation
C. A true, R false
D. A false, R true

 Answer: A

🔹 True/False

Q18. Data analytics can only be used in financial audits.

 Answer: False

Data analytics is widely used across various types of audits and business functions, including:

• Internal Audit: For assessing risks, testing controls, and improving efficiency.

• Compliance Audit: To monitor for policy breaches (e.g., procurement fraud, travel records).

• Operational Audit: To identify inefficiencies, patterns of wasted resources, and improve processes.

• Forensic Audits/Investigations: To detect fraud, money laundering, and suspicious transactions.

• Information System Audits: To audit controls in IT systems.

🔹 Fill in the Blank

Q19. Detecting duplicate invoices is an example of ________ analytics

 Answer: Diagnostic / Investigative analytics

🔹 Odd Man Out

Q20. Identify tool not used in analytics:
A. ACL
B. IDEA
C. Excel
D. Typewriter

 Answer: D

🔷 CASE 5: INTERNAL CONTROL OVER PAYROLL

An employee creates fake employees and processes salary payments.


🔹 MCQ

Q21. What type of fraud is this?
A. Asset misappropriation
B. Financial statement fraud
C. Corruption
D. Tax evasion

 Answer: A

These terms represent different categories of occupational fraud and financial crimes, often differentiated by the method used and the objective of the perpetrator. Asset misappropriation is the most common, while financial statement fraud is typically the most costly. 

A. Asset Misappropriation

Asset misappropriation involves the theft, misuse, or unauthorized use of an organization's assets by employees, contractors, or insiders for personal gain. It is often referred to as "stealing" or "skimming from the top". 

• Examples: Cash skimming, payroll fraud (ghost employees), fraudulent expense reimbursements, stealing inventory, or using company equipment for personal business.

• Key Characteristic: Direct theft of tangible or intangible company resources.

B. Financial Statement Fraud 

Financial statement fraud is the deliberate misrepresentation, omission, or alteration of financial data to deceive stakeholders (investors, creditors) and make the organization appear more financially stable or profitable than it actually is. It is usually perpetrated by upper management. 

• Examples: Overstating revenues (fictitious sales), understating expenses, inflating asset values, or hiding liabilities/debts.

• Key Characteristic: "Cooking the books" to create a false picture of financial health.

C. Corruption

Corruption is defined as the abuse of entrusted power for private gain, involving dishonest behavior by those in positions of authority. It involves using influence to secure improper advantages. 

• Examples: Bribery (giving/accepting cash to influence decisions), kickbacks (receiving money for favorable business terms), conflicts of interest, and extortion.

• Key Characteristic: Misuse of influence to sway business or government decisions.

D. Tax Evasion

Tax evasion is the illegal, intentional act of not paying or underpaying taxes that are owed to tax authorities (government). It involves deliberate concealment of income or falsification of financial records. 

• Examples: Underreporting income, inflating deductions, hiding money in offshore accounts, or keeping "double sets of books".

• Key Characteristic: Misrepresenting financial data specifically to avoid tax liability.

Key Differences at a Glance

Type | Main Perpetrator | Objective
Asset Misappropriation | Employees | Steal company assets.
Financial Statement Fraud | Management | Manipulate perception of company health.
Corruption | Influential Personnel | Misuse power for personal gain.
Tax Evasion | Entity/Individual | Avoid paying taxes.

Note: According to the ACFE (Association of Certified Fraud Examiners), these types of fraud are often interrelated; for example, corruption often facilitates asset misappropriation, and asset misappropriation can necessitate financial statement fraud to cover the theft.

🔹 Assertion–Reason

Q22. Assertion: Payroll controls prevent ghost employees.
Reason: Proper authorization & verification is required.

A. Both true, R explains A
B. Both true, not explanation
C. A true, R false
D. A false, R true

 Answer: A

🔹 True/False

Q23. Payroll should be handled by one person for efficiency.

 Answer: False

While having one person handle payroll might seem faster, it is strongly discouraged because of the risk of fraud, errors, and the lack of internal controls. Segregation of duties, where one person authorizes payments and another processes them, is essential for security. Automated systems and specialized payroll teams are better for ensuring accuracy, compliance, and efficiency.

🔹 Fill in the Blank

Q24. Fake employees are called ________ employees.

 Answer: Ghost employees

Key Details:

• A ghost employee is a fictitious or non-existent person listed on a company's payroll system.

• They are created to enable payroll fraud, allowing a fraudster to collect wages or benefits.

• The term can also refer to a former employee who is not removed from the payroll system after leaving the organization.

🔹 Odd Man Out

Q25. Identify non-payroll control:
A. Employee verification
B. Bank reconciliation
C. Attendance tracking
D. HR approval

 Answer: B

SUMMARY OF KEY CONCEPTS

  • Internal Control: Segregation of duties, authorization, monitoring
  • Corporate Governance: Independence, transparency, accountability
  • Risk Assessment: Continuous, dynamic process
  • Technology & Analytics: Full data analysis, anomaly detection
  • Fraud Prevention: Strong controls + audit procedures

MCQs ON INTERNAL CONTROL WEAKNESSES (AIS)

🔹 CASE 1: Missing Audit Trail

A company's AIS does not maintain logs of transaction edits or deletions.

Q1. What is the major control weakness?
A. Lack of authorization
B. Lack of audit trail
C. Lack of segregation
D. Lack of supervision

 Answer: B
👉 No tracking → fraud/errors cannot be detected.

🔹 CASE 2: Unauthorized Changes in Master Data

Employees can modify vendor master records without approval.

Q2. Which control is missing?
A. Input control
B. Processing control
C. Access control
D. Output control

 Answer: C
👉 Master data requires restricted access.

🔹 CASE 3: Incomplete Documentation

Invoices are processed without supporting purchase orders.

Q3. This indicates failure of:
A. Matching control
B. Authorization control
C. Reconciliation control
D. Backup control

 Answer: A
👉 3-way matching (PO, GRN, Invoice) missing.

🔹 CASE 4: Duplicate Payments

System lacks validation checks, leading to duplicate vendor payments.

Q4. Which control would prevent this?
A. Hash totals
B. Edit checks
C. Encryption
D. Batch control

 Answer: B
👉 Edit checks identify duplicates.

🔹 CASE 5: Weak Password Controls

Users share login credentials in AIS.

Q5. What risk arises?
A. Data redundancy
B. Lack of accountability
C. Data normalization
D. Processing delay

 Answer: B
👉 Cannot identify responsible person.

🔹 CASE 6: Missing Deliverables in System Development

System implementation completed without user acceptance testing (UAT).

Q6. Which deliverable is missing?
A. System design document
B. Test plan
C. User acceptance sign-off
D. Data dictionary

 Answer: C
👉 UAT approval is critical before go-live.

🔹 CASE 7: No Backup Policy

Company does not maintain backups of financial data.

Q7. This affects which control objective?
A. Confidentiality
B. Integrity
C. Availability
D. Authorization

 Answer: C

🔹 CASE 8: No Version Control

Financial reports are modified without tracking versions.

Q8. Which document control is weak?
A. Document retention
B. Version control
C. Authorization
D. Encryption

 Answer: B

🔹 CASE 9: Unapproved System Changes

IT team deploys changes directly into production.

Q9. Which control is violated?
A. Change management control
B. Input control
C. Output control
D. Processing control

 Answer: A

🔹 CASE 10: Missing Reconciliation

Bank statements are not reconciled regularly.

Q10. This leads to:
A. Data redundancy
B. Undetected errors/fraud
C. Faster reporting
D. Improved accuracy

 Answer: B

🔹 Q11

Which of the following is the BEST control for ensuring completeness of input data?
A. Check digits
B. Sequence checks
C. Password controls
D. Encryption

 Answer: B

🔹 Q12

Absence of source documents primarily affects:
A. Accuracy
B. Authorization
C. Auditability
D. Confidentiality

 Answer: C

Auditability is the capacity of an organization's records, processes, or AI systems to be independently verified, traced, and reviewed for accuracy, compliance, and security. It requires structured logging, transparent documentation, and accessible data trails to ensure accountability, prevent fraud, and meet regulatory standards.

🔹 Q13

Which control ensures transactions are processed only once?
A. Run-to-run totals
B. Validity checks
C. Reasonableness tests
D. Limit checks

 Answer: A

In the context of IT auditing and application controls, these terms refer to programmed procedures designed to ensure data integrity, accuracy, and completeness: 

• Run-to-run totals: These are control totals (such as record counts, hash totals, or financial sums) calculated at one processing step and compared to totals at the next step to ensure no data was lost, added, or changed without authorization during processing.

• Validity checks: These controls compare data entered into a field against a list of pre-defined, acceptable values to ensure the data is legitimate (e.g., verifying a vendor code exists in the master file).

• Reasonableness tests: These verify whether a data value is logical or plausible when compared to other related data fields (e.g., checking if an employee's $80/hour pay rate is "reasonable" for their specific job skill code).

• Limit checks: These ensure that numerical data falls within a predetermined upper or lower boundary (e.g., a check to ensure an "hours worked per day" field does not exceed 24).

🔹 Q14

Failure to segregate system development and operations leads to:
A. Increased efficiency
B. Higher fraud risk
C. Better control
D. Reduced cost

 Answer: B

🔹 Q15

Which document is MOST critical for understanding system flow?
A. Trial balance
B. Flowchart
C. Ledger
D. Journal

 Answer: B

🔹 Q16

Which weakness may result from lack of data validation?
A. Unauthorized access
B. Incorrect data entry
C. Data theft
D. System crash

 Answer: B

🔹 Q17

Which deliverable ensures system meets user needs?
A. Program code
B. User manual
C. UAT report
D. Backup file

 Answer: C

A User Acceptance Testing (UAT) report summarizes the final testing results produced by actual users to confirm that the software meets requirements before launch. It details the testing effort, the pass/fail status of each scenario, identified defects, and a final recommendation (sign-off) for deployment, ensuring the product is fit for purpose.

🔹 Q18

Which control prevents unauthorized program changes?
A. Access logs
B. Change approval process
C. Edit checks
D. Hash totals

 Answer: B

A. Access Logs

Access logs are digital files that record chronological events related to user interactions with a computer system, application, or network. They act as a "security camera" for digital assets, capturing who accessed a resource, when they accessed it (timestamp), the source IP address, the action taken, and whether the attempt was successful. 

• Purpose: To monitor for suspicious activity, investigate breaches, and comply with security regulations (e.g., PCI-DSS, HIPAA).

B. Change Approval Process

This is a structured, authorized procedure within IT service management (ITIL) that ensures any change to a production system—such as software updates or hardware changes—is reviewed, evaluated, and approved before implementation. 

• Key Elements: It involves assessing risk and impact, often requiring approval from a Change Advisory Board (CAB) or a designated manager to prevent unplanned downtime or security vulnerabilities.

C. Edit Checks

Edit checks are automated input controls (validation rules) integrated into a data processing system to ensure data is accurate, complete, and reasonable before it is processed. Examples include: 

• Range Checks: Checking if an age field is between 0 and 120.

• Consistency Checks: Ensuring "not applicable" is not selected for pregnancy status in male patients.

• Format Checks: Ensuring valid date formats.

• Purpose: To detect data entry errors early and ensure data integrity.

D. Hash Totals

A hash total is a control total calculated by summing non-monetary, numeric fields (such as employee IDs, account numbers, or invoice numbers) to verify that all records have been processed correctly. 

• Purpose: The sum itself has no financial meaning, but if the hash total calculated before processing does not match the hash total calculated after, it signals that records were lost, added, or changed maliciously.
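The run-to-run totals, validity, reasonableness and limit checks from Q13, and the edit checks and hash totals from Q18, worked together as one added Python example that is not from the original notes. The payroll record layout, the job-code master and its pay-rate bands, and the faulty processing run are constructed assumptions.

```python
"""Batch application controls over a constructed payroll batch.

Added example, not from the original notes. Record layout, job-code master
and pay-rate bands are assumptions made for the demonstration.
"""
from dataclasses import dataclass

# Constructed job-code master: code -> (min_rate, max_rate) per hour.
JOB_CODE_MASTER = {"ENG": (40.0, 120.0), "ADM": (15.0, 45.0), "MGR": (60.0, 150.0)}


@dataclass(frozen=True)
class PayRecord:
    emp_id: int      # numeric, non-monetary field used for the hash total
    job_code: str
    hours: float     # hours worked in the day
    rate: float      # hourly pay rate


def edit_checks(rec):
    """Return the edit-check failures for one record (empty list = record is clean)."""
    failures = []
    # Validity check: the job code must exist in the master file.
    if rec.job_code not in JOB_CODE_MASTER:
        failures.append("validity: unknown job code %s" % rec.job_code)
    # Limit check: hours worked per day must lie between 0 and 24.
    if not 0 <= rec.hours <= 24:
        failures.append("limit: hours %.1f outside 0..24" % rec.hours)
    # Reasonableness test: the pay rate must be plausible for the job code.
    lo, hi = JOB_CODE_MASTER.get(rec.job_code, (0.0, float("inf")))
    if not lo <= rec.rate <= hi:
        failures.append("reasonableness: rate %.2f outside %.2f..%.2f for %s"
                        % (rec.rate, lo, hi, rec.job_code))
    return failures


def control_totals(records):
    """Record count, hash total of employee IDs (no financial meaning) and gross pay sum."""
    return {
        "count": len(records),
        "hash_total": sum(r.emp_id for r in records),
        "gross": round(sum(r.hours * r.rate for r in records), 2),
    }


def run_to_run(input_totals, output_totals):
    """Compare control totals across two processing steps; return the keys that differ."""
    return [k for k in input_totals if input_totals[k] != output_totals.get(k)]


# Constructed input batch: 103 carries an unknown job code, 104 an impossible hours value.
INPUT_BATCH = [
    PayRecord(101, "ENG", 8.0, 75.0),
    PayRecord(102, "ADM", 7.5, 30.0),
    PayRecord(103, "XYZ", 8.0, 50.0),
    PayRecord(104, "MGR", 30.0, 90.0),
]

# Simulated output of a faulty processing step: record 102 dropped, 101 processed twice.
# The record count still matches, so only the hash total and gross total reveal it.
FAULTY_OUTPUT = [INPUT_BATCH[0], INPUT_BATCH[0], INPUT_BATCH[2], INPUT_BATCH[3]]


def audit_batch(inputs, outputs):
    """Apply edit checks to the input and run-to-run totals between input and output."""
    rejected = {}
    for rec in inputs:
        problems = edit_checks(rec)
        if problems:
            rejected[rec.emp_id] = problems
    mismatches = run_to_run(control_totals(inputs), control_totals(outputs))
    return rejected, mismatches


if __name__ == "__main__":
    rejected, mismatches = audit_batch(INPUT_BATCH, FAULTY_OUTPUT)
    for emp_id, problems in rejected.items():
        print("rejected", emp_id, problems)
    print("run-to-run mismatches:", mismatches)
```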

🔹 Q19

Which is an example of poor output control?
A. Encryption of data
B. Report distribution without authorization
C. Input validation
D. Data backup

 Answer: B

🔹 Q20

Lack of proper documentation results in:
A. Better efficiency
B. Poor audit trail
C. Faster processing
D. Improved security

 Answer: B

🔷 CASE-BASED INTEGRATED QUESTION

A company processes payroll through AIS. One employee enters data, approves payroll, and distributes salary. No logs or documents are maintained.

🔹 Q21

Primary weakness:
A. Lack of audit trail
B. Lack of segregation of duties
C. Lack of encryption
D. Lack of backups

 Answer: B

🔹 Q22

Which fraud risk is highest?
A. Inventory theft
B. Ghost employees
C. Tax evasion
D. Insider trading

 Answer: B

🔹 Q23 Which document is missing?
A. Payroll register
B. Purchase order
C. Invoice
D. Ledger

 Answer: A

🔥 KEY EXAM INSIGHTS

  • AIS weaknesses mostly arise due to:
    • Lack of segregation of duties
    • Missing audit trail
    • Weak access controls
    • Poor documentation
    • Inadequate change management
  • Important AIS Controls:
    • Input → validation, completeness
    • Processing → run-to-run totals
    • Output → controlled distribution
    • Master data → restricted access
    • Documentation → audit trail

www.gmsisuccess.in


Wednesday, April 1, 2026

CISA Domain 3 notes & question answer


Here are detailed, exam-focused notes on Domain 3 of the CISA (Certified Information Systems Auditor) certification:


📘 CISA Domain 3: Information Systems Acquisition, Development & Implementation (≈12%)

This domain focuses on how organizations build, acquire, test, and implement information systems while ensuring proper controls, governance, and risk management.


🔑 1. Project Governance & Management

🔹 Key Concepts:

  • Alignment of IT projects with business objectives
  • Use of project management frameworks
  • Monitoring project performance (time, cost, quality)

🔹 Important Points:

  • Projects must have:
    • Clear scope
    • Defined deliverables
    • Budget & timeline
  • Use tools like:
    • Gantt charts
    • Critical Path Method (CPM)

🔹 Risks:

  • Scope creep
  • Cost overrun
  • Poor stakeholder involvement

🔹 Controls:

  • Steering committee oversight
  • Periodic status reporting
  • Change approval process

🔹 Example:

A bank implementing a mobile app fails due to unclear scope → Auditor checks governance and finds no formal project charter.


🔑 2. Business Case & Feasibility Analysis

🔹 Types of Feasibility:

  • Technical feasibility – Can system be built?
  • Economic feasibility – Cost vs benefits
  • Operational feasibility – Will users accept it?
  • Legal feasibility – Compliance with laws

🔹 Important Metrics:

  • ROI (Return on Investment)
  • NPV (Net Present Value)
  • Payback Period

🔹 Example:

A company invests ₹50 lakh in ERP:

  • Expected savings ₹10 lakh/year
  • Payback period = 5 years

👉 Auditor checks whether assumptions are realistic.


🔑 3. System Development Life Cycle (SDLC)

🔹 Phases:

  1. Initiation
  2. Requirement Analysis
  3. Design
  4. Development
  5. Testing
  6. Implementation
  7. Maintenance

🔹 Key Exam Points:

  • Each phase must have:
    • Documentation
    • Approval
  • Errors fixed earlier → cheaper

🔹 Controls:

  • Phase-end reviews
  • User sign-offs
  • Documentation standards

🔹 Example:

Missing requirement documentation → leads to system not meeting user needs.


🔑 4. SDLC Models / Methodologies

🔹 Types:

  • Waterfall Model (sequential)
  • Agile Model (iterative & flexible)
  • Spiral Model (risk-driven)
  • RAD (Rapid Application Development)

🔹 Comparison:

Model | Best For | Risk
Waterfall | Stable requirements | Inflexible
Agile | Changing requirements | Less documentation
Spiral | High-risk projects | Complex

🔹 Example:

Startup uses Agile → frequent updates but weak documentation → audit issue.


🔑 5. Requirements Management

🔹 Types:

  • Functional requirements
  • Non-functional (security, performance)

🔹 Key Points:

  • Requirements must be:
    • Clear
    • Complete
    • Approved

🔹 Risks:

  • Ambiguous requirements
  • Frequent changes

🔹 Controls:

  • Requirement traceability matrix (RTM)
  • User validation

🔹 Example:

ATM system lacks security requirement → leads to fraud risk.


🔑 6. System Design & Development Controls

🔹 Key Concepts:

  • Input, processing, output controls
  • Secure coding practices

🔹 Important Controls:

  • Data validation checks
  • Error handling
  • Encryption

🔹 Risks:

  • Poor coding → vulnerabilities
  • Lack of testing

🔹 Example:

No input validation → user enters invalid data → system crash.


🔑 7. Testing Methodologies

🔹 Types of Testing:

  • Unit testing
  • Integration testing
  • System testing
  • User Acceptance Testing (UAT)

🔹 Key Points:

  • UAT must be done by users
  • Testing should be documented

🔹 Risks:

  • Incomplete testing
  • Lack of test data

🔹 Example:

Payroll system tested without real scenarios → wrong salary calculations.


🔑 8. Data Conversion & Migration

🔹 Key Points:

  • Accuracy and completeness of data
  • Data cleansing before migration

🔹 Risks:

  • Data loss
  • Data corruption

🔹 Controls:

  • Reconciliation checks
  • Backup before migration

🔹 Example:

Customer records lost during migration → business disruption.


🔑 9. System Implementation & Deployment

🔹 Methods:

  • Direct Cutover (risky)
  • Parallel Run (safe but costly)
  • Phased Implementation
  • Pilot Implementation

🔹 Example:

Bank uses parallel run → compares old & new system outputs.


🔑 10. Post-Implementation Review (PIR)

🔹 Purpose:

  • Evaluate system performance
  • Check if objectives achieved

🔹 Key Points:

  • Identify lessons learned
  • Improve future projects

🔹 Example:

ERP system implemented but users unhappy → PIR reveals lack of training.


🔑 11. Change Management

🔹 Key Concepts:

  • Managing system changes
  • Prevent unauthorized modifications

🔹 Controls:

  • Change requests
  • Approval process
  • Version control

🔹 Risks:

  • Unauthorized changes
  • System instability

🔹 Example:

Developer modifies code directly → causes system failure.


🔑 12. Segregation of Duties (SoD)

🔹 Key Principle:

No single person should:

  • Develop
  • Test
  • Deploy

🔹 Example:

Same person coding & approving → fraud risk.


🎯 MOST IMPORTANT EXAM HIGHLIGHTS

✔ Auditor focus areas:

  • SDLC controls
  • Testing completeness
  • Change management
  • Data migration accuracy

✔ Frequently tested concepts:

  • UAT responsibility (users, not IT)
  • Early error detection saves cost
  • Parallel run = safest implementation method
  • RTM ensures all requirements covered

🧠 Quick Revision Summary

  • SDLC must be controlled and documented
  • Testing is critical before implementation
  • Data migration requires validation
  • Change management prevents unauthorized access
  • Governance ensures project success


Here are 100 tricky, exam-oriented questions on CISA Domain 3 (MCQs, Assertion-Reason, Fill in the Blanks, Odd One Out, etc.) with answers. These are designed to test concept clarity, audit judgment, and traps commonly seen in CISA exams.


📘 SECTION A: MCQs (1–50)

1.

The MOST critical factor for project success is: A. Budget approval
B. User involvement
C. Technical feasibility
D. Vendor selection
Answer: B


2.

Which SDLC phase is MOST effective for detecting errors at lowest cost? A. Testing
B. Design
C. Requirement analysis
D. Implementation
Answer: C


3.

An auditor reviewing SDLC should FIRST check: A. Test results
B. Documentation
C. Business case
D. Coding standards
Answer: C


4.

The PRIMARY objective of UAT is: A. Identify coding errors
B. Validate user requirements
C. Test system integration
D. Verify database integrity
Answer: B


5.

Which implementation method has HIGHEST risk? A. Parallel
B. Phased
C. Pilot
D. Direct cutover
Answer: D


6.

Which control ensures all requirements are addressed? A. Change log
B. RTM
C. Test plan
D. Audit trail
Answer: B


7.

Agile methodology emphasizes: A. Documentation
B. Sequential phases
C. Iterative development
D. Fixed requirements
Answer: C


8.

Which is a key risk in Agile? A. Slow delivery
B. Excess documentation
C. Weak documentation
D. No testing
Answer: C


9.

MOST important control in data migration: A. Encryption
B. Backup
C. Reconciliation
D. Compression
Answer: C


10.

Which role should perform UAT? A. Developer
B. Auditor
C. End user
D. Tester
Answer: C


11.

Scope creep occurs due to: A. Strong controls
B. Poor requirement definition
C. Good governance
D. Fixed scope
Answer: B


12.

Which is NOT a feasibility type? A. Technical
B. Operational
C. Financial
D. Coding
Answer: D


13.

The BEST method for high-risk projects: A. Waterfall
B. Agile
C. Spiral
D. RAD
Answer: C


14.

Which control prevents unauthorized code changes? A. Testing
B. Version control
C. Documentation
D. Backup
Answer: B


15.

The PRIMARY purpose of PIR: A. Debug system
B. Evaluate success
C. Train users
D. Develop code
Answer: B


16.

Which is a preventive control? A. Audit logs
B. Error reports
C. Input validation
D. Reconciliation
Answer: C


17.

Which phase defines system architecture?
A. Development
B. Design
C. Testing
D. Maintenance
Answer: B


18.

Which testing ensures modules work together?
A. Unit
B. System
C. Integration
D. UAT
Answer: C


19.

The MOST critical element in change management is:
A. Speed
B. Approval
C. Coding
D. Testing
Answer: B


20.

Which is a detective control?
A. Encryption
B. Input validation
C. Logs review
D. Access control
Answer: C


21–50 (condensed but tricky)

  21. RTM links → Requirements to testing ✅
  22. Parallel run → Safest method ✅
  23. Agile best for → Changing requirements ✅
  24. Waterfall risk → Inflexibility ✅
  25. Missing UAT → User dissatisfaction ✅
  26. Data cleansing → Before migration ✅
  27. SoD violation → Same person dev + deploy ✅
  28. Critical path → Longest project duration path ✅
  29. Payback period → Time to recover investment ✅
  30. NPV considers → Time value of money ✅
  31. Lack of documentation → Audit risk ✅
  32. Pilot → Limited rollout ✅
  33. Phased → Step-by-step implementation ✅
  34. Direct cutover → No fallback ✅
  35. Change log → Tracks modifications ✅
  36. Test data → Must be realistic ✅
  37. Security requirement → Non-functional ✅
  38. Functional requirement → System behavior ✅
  39. Error handling → Development control ✅
  40. Encryption → Confidentiality control ✅
  41. Testing incomplete → High risk ✅
  42. Requirement ambiguity → Rework cost ↑ ✅
  43. Early detection → Cost ↓ ✅
  44. Audit trail → Accountability ✅
  45. System failure → Poor testing ✅
  46. Governance → Oversight role ✅
  47. Stakeholder involvement → Critical ✅
  48. Budget overrun → Poor planning ✅
  49. Change approval → Mandatory ✅
  50. Documentation → Evidence for audit ✅

📘 SECTION B: ASSERTION–REASON (51–70)

51.

Assertion: UAT is performed by users
Reason: Users validate business needs
A. Both true & reason correct
Answer: A


52.

Assertion: Agile requires heavy documentation
Reason: Agile focuses on flexibility
Answer: D (Assertion false, Reason true)


53.

Assertion: Parallel run reduces risk
Reason: Both systems run together
Answer: A


54.

Assertion: Direct cutover is safest
Reason: No overlap exists
Answer: D


55.

Assertion: RTM ensures requirement coverage
Reason: It maps requirements to tests
Answer: A


56–70 (pattern-based answers)

  56. Spiral reduces risk → True
  57. Missing documentation → Audit issue → True
  58. Testing after deployment → Wrong → False
  59. Change mgmt prevents unauthorized changes → True
  60. UAT by developers → False
  61. Data migration without backup → Risk → True
  62. Agile less documentation → True
  63. Waterfall flexible → False
  64. SoD reduces fraud → True
  65. PIR improves future → True
  66. Input validation prevents errors → True
  67. Encryption ensures integrity → False (confidentiality)
  68. Logs are preventive → False
  69. Testing optional → False
  70. Requirements must be approved → True

📘 SECTION C: FILL IN THE BLANKS (71–85)

  71. ______ ensures requirement coverage → RTM
  72. ______ is user-based testing → UAT
  73. ______ method runs two systems → Parallel
  74. ______ is the highest-risk implementation → Direct cutover
  75. ______ phase defines requirements → Analysis
  76. ______ feasibility checks cost-benefit → Economic
  77. ______ ensures data accuracy → Reconciliation
  78. ______ control prevents errors → Preventive
  79. ______ tracks system changes → Change log
  80. ______ ensures no single person controls an entire process → SoD
  81. ______ testing checks modules → Integration
  82. ______ review done after implementation → PIR
  83. ______ model is iterative → Agile
  84. ______ risk arises from unclear requirements → Scope creep
  85. ______ ensures secure coding → Development controls

📘 SECTION D: ODD ONE OUT (86–95)

  86. Waterfall, Agile, Spiral, Encryption
    Answer: Encryption

  87. UAT, System Testing, Integration Testing, Encryption
    Answer: Encryption

  88. RTM, Change log, Audit trail, Payroll
    Answer: Payroll

  89. Technical, Operational, Legal, Coding
    Answer: Coding

  90. Parallel, Pilot, Phased, Encryption
    Answer: Encryption

  91. Input validation, Logs, Encryption, Backup
    Answer: Logs (detective)

  92. Developer, Tester, Auditor, End user (UAT)
    Answer: Auditor

  93. ROI, NPV, Payback, Firewall
    Answer: Firewall

  94. Requirement, Design, Testing, Payroll
    Answer: Payroll

  95. Preventive, Detective, Corrective, Development
    Answer: Development

📘 SECTION E: CASE-BASED LOGIC (96–100)

96.

System failed due to missing requirements
👉 Root cause?
Answer: Poor requirement analysis


97.

Data mismatch after migration
👉 Best control missing?
Answer: Reconciliation


98.

Unauthorized code deployed
👉 Control failure?
Answer: Change management


99.

Users reject system
👉 Reason?
Answer: No UAT / poor requirement validation


100.

Project exceeds budget & time
👉 Root cause?
Answer: Poor project governance / scope creep


🎯 FINAL EXAM STRATEGY

✔ Focus on:

  • SDLC controls
  • UAT responsibility
  • Data migration risks
  • Change management
  • Implementation methods

✔ Golden rules:

  • Users validate, not developers
  • Earlier error detection = cheaper
  • Parallel = safest
  • RTM = coverage assurance

www.gmsisuccess.in | CISA Domain 3 Notes