CISA Domain 3 - Information Systems Acquisition, Development and Implementation

CISA Domain 3
Information Systems
Acquisition, development
& implementation
sales@infosectrain.com
https://www.infosectrain.com
+91-97736-67874

Authorized Training Partner
Business
Partner
Global Training Provider
Authorized Training
TM
R
01
Email: sales@infosectrain.com Web: https://www.infosectrain.com
Overall understanding of the domain:
Weightage - This domain constitutes 18 percent of the CISA exam (approximate-
ly 27 questions)
Covers 14 Knowledge statements covering the process of auditing information
systems
1. Knowledge of benefits realization practices, (e.g., feasibility studies, busine-
ss cases, total cost of ownership [TCO], return on investment [ROI])
2. Knowledge of IT acquisition & vendor management practices (e.g., evaluati-
on & selection process, contract management, vendor risk and relationship
management, escrow, software licensing) including third-party outsourcing
relationships, IT suppliers and service providers.
3. Knowledge of project governance mechanisms (e.g., steering committee,
project oversight board, project management office)
4. Knowledge of project management control frameworks, practices and tools
5. Knowledge of risk management practices applied to projects
6. Knowledge of requirements analysis & management practices (e.g., require-
ments verification, traceability, gap analysis, vulnerability management, sec-
urity requirements)
7. Knowledge of enterprise architecture related to data, applications, technolo-
gy (e.g., web-based applications, web services, n-tier applications, cloud ser
vices, virtualization)
8. Knowledge of system development methodologies & tools including their s-
trengths & weaknesses (e.g, agile development practices, prototyping, rapid
application development [RAD], object-oriented design techniques, secure
coding practices, system version control)
9. Knowledge of control objectives & techniques that ensure the completeness,
accuracy, validity and authorization of transactions and data
10. Knowledge of testing methodologies & practices related to the information
system development life cycle (SDLC)
11. Knowledge of configuration & release management relating to the develop-
ment of information systems
12. Knowledge of system migration & infrastructure deployment practices &
data conversion tools, techniques and procedures
13. Knowledge of project success criteria and project risk
14. Knowledge of post-implementation review objectives & practices (e.g., -
control implementation, benefits realization, performance measurement)

1. Benefits realization:
The objectives of benefits realization are
 is to ensure that IT & business fulfill their value management responsibilities
 IT-enabled business investments achieve the promised benefits and deliver
measurable business value
 Required capabilities (solutions & services) are delivered on time and within
budget
Business
Partner
Authorized Training
TM
R
02
Important concepts from exam point of view:
2. Portfolio/Program Management:
The objectives of project portfolio management are:
 Optimization of results of the project portfolio (not of the individual project)
 Prioritizing and scheduling projects
 Resource coordination (internal and external)
 Knowledge transfer throughout the projects
https://www.infosectrain.com/courses/cisa-certification-training/

Business
Partner
Authorized Training
TM
R
03
3. Business case development and approval:
 A business case provides the information required for an organization to de
cide whether a project should proceed
 A business case is the first step in a project or a precursor to the commenc-
ement of the project
 The business case should also be a key element of the decision process th-
roughout the life cycle of any project
 The initial business case would normally
derive from a feasibility study undertaken
as part of project initiation/planning
 The feasibility study will normally
include the following six elements:
I. Project Scope - defines the
business problem and/or
opportunity to be
addressed
II. Current Analysis -
defines and
establishes an
understanding of a
system, a software
Product. At this point in
the process, the strengths
and weaknesses of the
current system or software
product are identified.
III. Requirements - defined based
upon stakeholder needs and constraints
IV. Approach - Recommended system and/or software solution to satisfy the
Requirements
V. Evaluation is based upon the previously completed elements within the feas
ibility study. The final report addresses the cost-effectiveness of the appro-
ach selected
VI. Review – A formal review of feasibility study report is conducted with all
stakeholders

Business
Partner
Authorized Training
TM
R
04
4. Benefit realization techniques:
 COBIT 5 provides the industry accepted framework under which IT governa-
nce goals & objectives are derived from stakeholder drivers with the intent
of enterprise IT generating business value from IT-enabled investments
 COBIT 5 based on 5 principles and 7 enablers
5 Principles 7 Enablers
4. Culture, Ethics and Behaviour
5. Separate governance from
management
5. Information
1. Meeting Shareholders needs 1. Principles, Policies & Frameworks
2. End-to-End coverage 2. Processes
3. Holistic Approach 3. Organizational Structures
4. Integrated Framework 4. Culture, Ethics and Behaviour
5. Separate governance from
management
5. Information
6. Services, Infrastructure &
Applications
7. People, Skills and Competencies
5. Project Management structure:
 Project management is business process in a project-oriented organization
 Some of the most prominent standards and organizations - PRINCE2TM
 The project management process begins with the project charter and ends
with the completion of the project
 Project Charter provides a preliminary delineation of roles & responsibilities,
outlines the project objectives, identifies the main stakeholders, and defines
the authority of the project manager

Business
Partner
Authorized Training
TM
R
05
6. Project Organizational forms:
 Three major forms of organizational alignment for project management are
 Influence project organization –
 The project manager has only a staff function without formal managem-
ent authority
 The project manager is only allowed to advise peers and team members
as to which activities should be completed
 Pure project organization –
 The project manager has formal authority over those taking part in the
project
 providing a special working area for the project team that is separated
from their normal office space
 Matrix project organization -
 Management authority is shared between the project manager and the
department heads.

Business
Partner
Authorized Training
TM
R
06
7. Project communication and culture:
 Project communication can be achieved by
 One-on-one meetings - One-on-one meetings and a project start workshop
help to facilitate two-way communication between the project team memb-
ers and the project manager
 Kick-off meetings - A kick-off meeting may be used by the project manager
to inform the team of what has to be done for the project
 Project start workshops - communication is open & clear among the project
team to use a project start workshop to obtain cooperation from all team
members and buy-in from stakeholders. This helps develop a common over
view of the project & communicates the project culture early in the project.
 A combination of the three
 A project culture is comprised of shared norms, beliefs, values & assumpti-
ons of the project team.
 A key success factor for establishing the correct project culture is defining
and adapting the unique characteristics of a project

Business
Partner
Authorized Training
TM
R
07
8. Project objectives:
 Project objectives are the specific action statements
that support the road map to obtain established project
goals
 A project needs clearly defined results that are
specific, measurable, attainable,
realistic and timely (SMART)
 These objectives are broken
down into three –
 Main objectives are the
primary reason for the
project and will always be
directly coupled with
business success
 Additional objectives are
objectives that are not directly
related to the main results of
the project but may contribute
to project success
 Non-objectives are the results that are
not to be expected on completion of the
project.
 A commonly accepted approach to define project objectives is to start off
with an object breakdown structure (OBS).
 After the OBS has been compiled or a solution is defined, a work breakdown
structure (WBS) is designed to structure all the tasks that are necessary to
build up the elements of the OBS during the project

Business
Partner
Authorized Training
TM
R
08
9. OBS – Object based Structure:
 It represents the individual components of the solution and their relationshi-
ps to each other in a hierarchical manner, either graphically or in a table.
 An OBS can help, especially when dealing with nontangible project results
such as organizational development, to ensure that a material deliverable is
not overlooked.
10. WBS – Object based Structure:
 WBS is designed to structure all the tasks that are necessary to build up the
elements of the OBS during the project.
 The WBS represents the project in terms of manageable and controllable
units of work, serves as a central communications tool in the project, and
forms the baseline for cost and resource planning.

Business
Partner
Authorized Training
TM
R
09
11. Roles and Responsibilities:
 Senior Management - Demonstrates commitments to the project & approve
the resources
 User management – Assumes ownership of the project & resulting systems,
allocates qualified resources, and actively participates in business process
redesign, system requirement definitions, test case development, acceptan-
ce testing and user training
 Project steering committee–It provides overall directions & also responsibl-
e for all deliverables, project cost, and schedules
 Project sponsor – Providing funding for the project.
 Systems development management – Provides technical supports for hard
ware and software environment by developing, installing User project team
Completes assigned task, communicates effectively with user by actively
involving them in the development process as a subject matter expert.
 Security officer – Ensures that systems controls and supporting processes
provide an effective level of protection based on data classifications
 Quality assurance – person who review results and deliverables within each
phase & at the end of each phase and confirm compliance requirement &
operating the requested systems.
 Project manager – Day to day management and leadership of the project
 Systems development project team – Completes assigned task, communi-
cates effectively with user by actively involving them in the development
process.
Points to remember:
 The CISA candidate should be familiar with general roles and responsi
bilities of groups or individuals involved in the systems development
process.

Business
Partner
Authorized Training
TM
R
10
12. Project Management practices:
 Project management is the application of knowledge, skills, tools & techni-
ques to a broad range of activities to achieve a stated objective such as
meeting the defined user requirements, budget and deadlines for an IS
project
 Project management knowledge and practices are best described in terms
of their component processes of
a. initiating,
b. planning,
c. executing and controlling and
d. closing a project
 Initiation of the project
 Initiated by project manager or sponsor
 often be compiled into terms of reference or project charter that states the
objective of the project, the stakeholders in the system to be produced, &
the project manager and sponsor
 Approval of a project initiation document (PID) or a project request docum-
ent (PRD) is the authorization for a project to begin
 Project planning
 The project manager should determine the following as part of project
planning
 Project scope
 The various tasks that need to be performed to produce the expected busi-
ness application system
 The sequence or the order in which these tasks need to be performed
 The duration or the time window for each task
 The priority of each task
 The IT resources that are available and required to perform these tasks
 Budget or costing for each of these tasks
 Source and means of funding

Business
Partner
Authorized Training
TM
R
11
 System Development Project Cost Estimation
The following are the four methods in determining the cost of system dev-
elopment project:
1. Analogous estimating
2. Parametric estimating
3. Bottom-up estimating
4. Actual costs
 Software size estimation
 Relates to methods of determining the
relative physical size of the application
software to be developed
 Can be used as a guide for the
allocation of resources, estimates of
time and cost required for its development,
and as a comparison of the total effort
required by the resources available
 Methods of software sizing
 Single line of code (SLOC) –
 The traditional and simplest method in measuring size by counting the
number of lines of source code, measured in SLOC, is referred to as kilo
lines of code (KLOC)
 Functional Point Analysis (FPA) –
 Indirect measurement of software size
 It is based on the number & complexity of inputs, outputs, files, interfaces
and queries.
 a multiple point technique widely used for estimating complexity in develo-
ping large business applications.
 Five functional points - user inputs, user outputs, user inquiries, files and
external interfaces.

Business
Partner
Authorized Training
TM
R
12
Points to remember:
 The CISA candidate should be familiar with concepts of SLOC & FPA &
should be able to differentiate between the two. CISA question will be
based on a scenario where the candidate should be able to justify on
the method of software estimation
 A reliable technique for estimating the scope & cost of a software-de-
velopment project – Functional Point Analysis (FPA)
 Scheduling and establishing the time frame
 While budgeting involves totaling the human and machine effort involved in
each task, scheduling involves establishing the sequential relationship am-
ong tasks.
 The schedule can be graphically represented using various techniques such
as
a. Gantt charts,
b. Critical Path Methodology (CPM) or
c. Program Evaluation Review Technique (PERT) diagrams.
 Gantt charts:
a. constructed to aid in scheduling the activities (tasks) needed to complete
a project
b. The charts show when an activity should begin and when it should end
along a timeline.
c. Gantt charts can also reflect the resources assigned to each task and by
what percent allocation.
d. Gantt charts can also be used to track the achievement of milestones or
significant accomplishments for the project such as the end of a project
phase or completion of a key deliverable.

Business
Partner
Authorized Training
TM
R
13
 Critical Path Methodology (CPM):
a. the critical path is the sequence of activities whose sum of activity time
is longer than that for any other path through the network
b. Critical path are important because if everything goes according to the
schedule, their duration gives the shortest possible completion time for
the overall project
c. Activities that are not in the critical path have slack time
d. Slack time - It is defined as the amount of time a task can be delayed
without causing another task to be delayed or impacting the completion
date of the overall project.
e. Activities on a critical path have zero slack time, and conversely, activiti-
es with zero slack time are on a critical path
 Program Evaluation Review Technique (PERT):
a. CPM-type technique which uses three different estimates of each activi-
ty duration in lieu of using a single number for each activity duration.
b. The three estimates are then reduced (applying mathematical formula)
to a single number and then the classic CPM algorithm is applied
1. First one - Most optimistic one (if everything went well)
2. Second one – Most likely scenario
3. Third one – Most pessimistic or worst-case scenario
Points to remember:
 A program evaluation review technique that considers different scenari
os for planning & control projects – Program Evaluation Review Techn-
ique (PERT)

Business
Partner
Authorized Training
TM
R
14
 Project executing and controlling:
 The controlling activities of the project includes:
1. Management of scope changes
2. Management of resource usage
3. Management of risk
 The risk management process consists of five steps:
1. Identify risk
2. Access and evaluate risk
3. Manage risk
4. Monitor risk
5. Evaluate the risk management process
 Closing a project:
 A Project should have a finite life so, at some point, it is closed and the new
or modified system is handed over to the user
 When closing a project, there may still be some issues that need to be
resolved, ownership of which needs to be assigned
 The project sponsor should be satisfied that the system produced is accept-
able and ready for delivery

Business
Partner
Authorized Training
TM
R
15
13. Traditional SDLC approach:
 Also referred to as the waterfall technique
 Traditional system Development Life Cycle Approach
 Phase 1 – Feasibility Study:
1. Includes development of a business case, which determine the strategic
benefits of implementing the system either in productivity gains or in future
cost avoidance
2. Intangible factors such as readiness of the business users and maturity of
the business processes will also be considered and assessed.
3. This business case provides the justification for proceeding to the next
phase.
 Phase 2 – Requirements definition - Define the problem or need that requir-
es resolution & define the functional & quality requirements of the solution
system
 Phase 3A – Software selection and acquisition (Purchased systems) - Bas-
ed on requirements defined, prepare a request for proposal outlining the en-
tity requirements to invite bids from suppliers
 Phase 3B – Design (In-house development) - Based on the requirements
defined, establish a baseline of system and subsystem specifications that
describe the parts of the system, how they interface, & how the system will
be implemented using the chosen hardware, software & network facilities.
 Phase 4A – Configuration (purchased systems) - Configure the system, if it
is a packaged system, to tailor it to the organization’s requirements. This is
best done through the configuration of system control parameters, rather
than changing program code.

Business
Partner
Authorized Training
TM
R
16
 Phase 4B – Development (In-house development) - Use the design specific-
ations to begin programming & formalizing supporting operational process-
es of the System
 Phase 5 – Final testing and implementation - The system also may go thro-
ugh a certification and accreditation process to assess the effectiveness of
the business application in mitigating risk
 Phase 6 – Post implementation - Following the successful implementation
of a new or extensively modified system, implement a formal process that
assesses the adequacy of the system and projected cost benefit or ROI me-
asurements vis-à-vis the feasibility stage findings and deviations
Points to remember:
 The CISA candidate should be familiar with the phases of traditional
SDLC.
 The candidate should be aware of what IS auditor should look for
when reviewing the feasibility study

Business
Partner
Authorized Training
TM
R
17
14. Approaches of test plans:
 Bottom-up approach:
 a testing strategy in which the modules at the lower level are tested with hi-
gher modules until all the modules and aspects of the software are tested
properly
 Benefits of bottom-up approach:
 No need for stubs or drivers
 Can be started before all programs are complete
 Errors in critical modules are found early
 Top-down approach:
 High-level modules are tested first and then low-level modules & finally inte-
grating the low-level modules to a high level to ensure the system is working
as intended.
 Benefits of top-down approach:
 Tests of major functions and processing are conducted early
 Interface errors can be detected sooner
 Confidence is raised in the system because programmers & users actually
see a working system
Points to remember:
 The type of approach to the development of organizational policies is
often driven by risk assessment – Bottom-up approach
 The MOST appropriate method to ensure that internal application inter
face errors are identified as soon as possible – Top-down approach

Business
Partner
Authorized Training
TM
R
18
15. Testing classifications:
 Unit testing:
 The testing of an individual program or module.
 Unit testing uses a set of test cases that focus on the control structure of the
procedural design.
 These tests ensure that the internal operation of the program performs acc-
ording to specification.
 Interface or integration testing
 The tests that verify & validate the functioning of the application under test
with other systems, where a set of data is transferred from one system to
another
 A hardware or software test that evaluates the connection of two or more
components that pass information from one area to another
 The objective is to take unit-tested modules & build an integrated structure
dictated by design.
 System testing:
 The testing of the software application as a whole to check if the system is
complaint with the user requirements.
 It is an end to end user perspective testing intended to find defects in the
software system.
 Final acceptance testing:
 After the system staff is satisfied with their system tests, the new or modifi-
ed system is ready for the acceptance testing, which occurs during the imp-
lementation phase.
 Final acceptance testing has two major parts:
1. Quality assurance testing (QAT):
 QAT focuses on the documented specifications & the technology employed.
 QAT is performed primarily by the IT department.
 The participation of the end user is minimal and on request.
 QAT does not focus on functionality testing.

Business
Partner
Authorized Training
TM
R
19
2. User acceptance testing (UAT):
 UAT should be performed in a secure testing or staging environment
 On completion of acceptance testing, the final step is usually a certification
and accreditation process
Points to remember:
 Failure in this testing stage would have the GREATEST impact on the
implementation of new application software – Acceptance testing

Business
Partner
Authorized Training
TM
R
20
16. Other types of testing
 Alpha and beta testing:
 An alpha version is an early version of the application system (or software
product) submitted to internal users for testing.
 The first stage, called alpha testing, is often performed only by users within
the organization developing the software
 The second stage, called beta testing, a
form of user acceptance testing, generally
involves a limited number of external
users.
 Pilot testing:
 A preliminary test that focuses on
specific and predetermined aspects
of a System
 Proof of concept are early pilot
testing.
 White box testing:
 Software testing
method in which the
internal structure/
design/impleme-
ntation of
the item being
tested is known to
the tester
 Black box testing:
 Software testing method in which the internal structure
/ design/implementation of the item being tested is NOT KNOWN to the
tester.
 An integrity-based form of testing associated with testing components of
an information system’s “functional” operating effectiveness without regard
to any specific internal program structure

24
Business
Partner
Authorized Training
TM
R
21
 Functional testing: It ensures that the product actually meets the client's
needs
 Regression testing: The process of
rerunning a portion of a test scenario or
test plan to ensure that changes or
corrections have not introduced new
errors.
 Parallel testing:
This is the
process of feeding
test data into two
systems - the
modified system &
an alternative
system (possibly
the original system)
& comparing the results
 Sociability testing: Purpose of this test to confirm that the new or modified
system can operate in its target environment without adversely impacting
existing systems.
Points to remember:
 The CISA candidate should be familiar with all the above types of test
ing. CISA question will be scenario based & the candidate is expected
to identify which type of testing is to be used.
 White box testing - dynamic analysis tool for the purpose of testing
software modules

Business
Partner
Authorized Training
TM
R
22
17. Changeover (Go-live or cutover) techniques:
 Parallel changeover:
 This technique includes running the old system, then running both the old &
new systems in parallel, and finally, fully changing over to
the new system after gaining
confidence in the working of
the new system.
 Advantages:
 minimize the risk of using
the newer system
 help in identifying problems,
issues or any concerns that
the user comes across in the
newer system in the
beginning
 Disadvantages:
 running two systems at the
same time is higher costs.
 The parallel changeover process
also can be quite time-consuming.
 Phased changeover:
 The phased changeover technique is considered a compromise between
parallel and direct changeovers.
 In a phased changeover, the new system is implemented one stage at time
 Advantages:
 Low cost and
 Isolates errors
 Disadvantages:
 the process takes a long time to complete because phases need to be impl-
emented separately.

Business
Partner
Authorized Training
TM
R
23
 Abrupt changeover:
 In this approach the newer system is changed over from the older system
on a cutoff date and time, & the older system is discontinued once change
over to the new system takes place
 Advantages:
 Low cost
 Disadvantages:
 Asset safeguarding
 Data integrity
 System effectiveness
 System efficiency
 Change management challenges (depending on the configuration items
considered)
 Duplicate or missing records (duplicate or erroneous records may exist if
data cleansing is not done correctly)
Points to remember:
 The CISA candidate should be familiar with all the changeover techni-
ques with its advantages and disadvantages.
 The CISA candidate is expected to know where the use which type of
changeover technique.
 Most Risky changeover technique/Low cost changeover – Abrupt/Dir-
ect changeover
 Costliest changeover technique/ Least risky changeover technique –
Parallel changeover
 Changeover in Phases – Phased changeover

Business
Partner
Authorized Training
TM
R
25
19. Artificial Intelligence (AI) and Expert Systems:
 Artificial intelligence (AI) is the study and application of the principles by
which:
 Knowledge is acquired and used.
 Goals are generated and achieved.
 Information is communicated.
 Collaboration is achieved.
 Concepts are formed.
 Languages are developed.
 AI fields include, among others:
 Expert systems
 Natural and artificial (such as programming) languages
 Neural networks
 Intelligent text management
 Theorem proving
 Abstract reasoning
 Pattern recognition
 Voice recognition
 Problem solving
 Machine translation of foreign languages

Business
Partner
Authorized Training
TM
R
26
 Expert systems:
 Expert systems are an area of AI and perform a specific function or are prev
alent in certain industries.
 An expert system allows the user to specify certain basic assumptions or
formulas and then uses these assumptions or
formulas to analyze arbitrary events.
Based on the information used as input
to the system, a conclusion is produced.
 Key to the system is the knowledge
base (KB), which contains specific infor
mation or fact patterns associated with
particular subject matter and the rules
for interpreting these facts.
 Knowledge base: This component
consists of data, facts & rules for
certain topic, industry or skill,
usually equivalent to that of a
human expert. The information in
the KB can be expressed in several ways:
1. Decision trees – Using questioners to lead the user through series of ch-
oices, until a conclusion is reached.
2. Rules - Expressing declarative knowledge through the use of if-then rela-
tionships. For example, if a patient’s body temperature is over 39°C (102.2-
°F) and his/her pulse is under 60, then the patient might be suffering from a
certain disease.
3. Semantic nets - A semantic network is a system in which commonly und-
erstood labeling is used to show relationships between its parts

Business
Partner
Authorized Training
TM
R
24
18. Certification and Accreditation:
 Certification:
 Certification is the process of evaluating, testing, and examining security
controls that have been pre-determined based on the data type in an information
system
 The certification process ensures that security weaknesses are identified
and plans for mitigation strategies are in place
 Testing laboratories may also certify that certain products meet pre-estab-
lished standards, or governmental agencies may certify that a company is meet-
ing existing regulations (e.g., emission limits).
 Accreditation:
 Accreditation is the formal declaration by a neutral third party that the certifi-
cation program is administered in a way that meets the relevant norms or stan-
dards of certification program (e.g., ISO/IEC 17024).
 Accreditation is the official management decision (given by a senior official)
to authorize operation of an information system and to explicitly accept the risk
to the organization’s operations, assets or individuals based on the implementa-
tion of an agreed-upon set of requirements and security controls.
Points to remember:
 The CISA candidate should be familiar with the auditor’s role in the cer
tification process

Business
Partner
Authorized Training
TM
R
27
20. Agile development:
 The term “agile development” refers to a family of similar development pro
cesses that espouse a nontraditional way of developing complex systems.
One of the first agile processes, Scrum (a rugby analogy), emerged in the
early 1990s
 a lightweight software engineering framework that promotes iterative devel
opment throughout the life-cycle of the project, close collaboration between
the development team & business side, constant communication, & tightly-
knit teams
21. Software re-engineering:
 Re-engineering is a process of updating an existing system by extracting
and reusing design and program components
 the act of recreating a core business process with the goal of
 improving product output,
 improving product quality, or
 reducing costs.
 The following are the steps involved in business process re-engineering
 Define objectives and framework
 Identify customer needs
 Study the existing process
 Formulate a Redesign Business plan
 Implement and monitor the redesigned process
 Establish continuous improvement process
Points to remember:
 The MOST likely to result from a business process reengineering (BPR)
Project - An increased number of people using technology
 The FIRST step of Re-engineering process – Identify current/existing
business processes. If option on Identifying customer needs is availabl-
e, then it would be the best option

Business
Partner
Authorized Training
TM
R
28
22. Reverse engineering:
 Reverse engineering is the process of studying and analyzing an application,
a software application or a product to see how it functions and to use that
information to develop a similar system
 This process can be carried out in several ways:
 Decompiling object or executable code into source code & using it to analy-
ze the program
 Black box testing the application to be reverse-engineered to unveil its func-
tionality
 Advantages:
 Faster development and reduced SDLC duration
 Possibility of introducing improvements by overcoming the reverse-engine-
ered application drawbacks
23. Benchmarking process:
 Benchmarking is about improving business processes.
 It is defined as a continuous, systematic process for evaluating the product,
services or work processes of organizations recognized as a world-class
“reference” in a globalized world
 Benchmarking process includes the following exercise:
 Plan
 Research
 Observe
 Analyze
 Adopt
 Improve

Business
Partner
Authorized Training
TM
R
29
24. Capacity Maturity Model Integration (CMMI):
 Capability Maturity Model Integration (CMMI) is a process level improveme-
nt training and appraisal program. Administered by the CMMI Institute, a
subsidiary of ISACA.
 The following are the characteristics of the maturity levels:
 Level 1 – Initial – Processes are unpredictable, poorly controlled & reactive.
 Level 2 – Managed–Process is characterized for projects & is often reactive.
 Level 3 – Defined–Process characterized for the organization & is proactive
 Level 4 – Quantatively managed – Process is measured and controlled
 Level 5 – Optimizing – Focus is on process improvement.
25. Processing procedures and controls:
 Processing procedures and controls are meant to ensure the reliability of
application program processing.
 IS auditors need to understand the procedures & controls that can be exerc-
ised over processing to evaluate what exposures are covered by these con-
trols and what exposures remain.

Business
Partner
Authorized Training
TM
R
30
26. Data validation edits and controls:
1. Sequence check:
 The control number follows sequentially & any sequence or duplicated cont-
rol numbers are rejected or noted on an exception report for follow-up
purposes.
 For example, invoices are numbered sequentially. The day’s invoices begin
with 12001 and end with 15045. If any invoice larger than 15045 is encoun-
tered during processing, that invoice would be rejected as an invalid invoice
number.
2. Limit check:
 Data should not exceed a predetermined amount.
 For example, payroll checks should not exceed US $4,000. If a check exceed
US $4,000, the data would be rejected for further verification/authorization.
3. Range check:
 Data should be within a predetermined range of values.
 For example, product type codes range from 100 to 250. Any code outside
this range should be rejected as an invalid product type.
4. Validity check:
 Programmed checking of the data validity in accordance with predetermined
criteria.
 For example, a payroll record contains a field for marital status and the
acceptable status codes are M or S. If any other code is entered, the record
should be rejected.
5. Reasonableness check:
 Input data are matched to predetermined reasonable limits or occurrence
rates.
 For example, a widget manufacturer usually receives order for no more than
20 widgets. If an order for more than 20 widgets is received, the computer
program should be designed to print the record with a warning indicating
that the order appears unreasonable.

Business
Partner
Authorized Training
TM
R
31
6. Existence check:
 Data are entered correctly and agree with valid predetermined criteria.
 For example, a valid transaction code must be entered in the transaction
code field.
7. Key verification:
 The keying process is repeated by a separate individual using a machine that
compares the original keystrokes to the repeated keyed input.
 For example, the worker number is keyed twice and compared to verify the
keying process.
8. Check digit:
 A numeric value that has been calculated mathematically is added to data to
ensure that the original data have not been altered or an incorrect, but valid,
value substituted.
 This control is effective in detecting transposition and transcription errors.
 For example, a check digit is added to an account number so it can be chec-
ked for accuracy when it is used.
9. Completeness check:
 A field should always contain data rather than zeros or blanks (No Null value)
 A check of each byte of that field should be performed to determine that
some form of data, not blanks or zeros, is present.
 For example, a worker number on a new employee record is left blank. This
is identified as a key field and the record would be rejected, with a request
that the field be completed before the record is accepted for processing.
10. Duplicate check:
 New transactions are matched to those previously input to ensure that they
have not already been entered.
 For example, a vendor invoice number agrees with previously recorded invo-
ices to ensure that the current order is not a duplicate and, therefore, the ve-
ndor will not be paid twice.

username
login
Forgot password?
Remeber me
Business
Partner
Authorized Training
TM
R
32
11. Logical relationship check:
 If a particular condition is true, then one or more additional conditions or da-
ta input relationships may be required to be true & consider the input valid.
 For example, the hire date of an employee may be required to be more than
16 years past his/her date of birth.
Points to remember:
 The CISA is expected to be familiar with each one of the data edit and
controls
 Check digit - Effective in detecting transposition & transcription errors
 Reasonableness check – A data validation edit control that matches
input data to an occurrence rate

Business
Partner
Authorized Training
TM
R
33
27. Data integrity testing:
 Data integrity testing is a set of substantive tests that examines accuracy,
completeness, consistency and authorization of data presently held in a
system
 Two common types of data integrity tests are
 Relational Integrity tests – Relational integrity tests are performed at the
data element and record-based levels.
 Referential integrity tests - tests whether the table relationships are consist
ent. In other words, any foreign key field must agree with the primary key th
at is referenced by the foreign key.
Points to remember:
 Referential integrity - will prevent dangling tuples in a database
28. Data Integrity in Online Transaction Processing
Systems:
 The four online data integrity requirements known collectively as the ACID
principle, which are as follows:
 Atomicity - From a user perspective, a transaction is either completed in its
entirety or not at all. If an error or interruption occurs, all changes made up
to that point are backed out.
 Consistency - All integrity conditions in the database are maintained with
each transaction, taking the database from one consistent state into anoth-
er consistent state.
 Isolation - Each transaction is isolated from other transactions, & hence, ea-
ch transaction only accesses data that are part of a consistent database
state.
 Durability - If transaction has been reported back to a user as complete, the
resulting changes to the database survive subsequent hardware or software
failures.
Points to remember:
 In an online transaction processing system, data integrity is maintained
by ensuring that a transaction is either completed in its entirety or not at
all. This principle of data integrity is known as - Atomicity

Business
Partner
Authorized Training
TM
R
34
29. Online auditing techniques:
 Systems Control Audit Review File and Embedded Audit Modules (SCARF/
/EAM) - The use of this technique involves embedding specially written au-
dit software in the organization’s host application system so the application
systems are monitored on a selective basis
 Snapshots - This technique involves taking what might be termed pictures
of the processing path that a transaction follows, from the input to the out-
put stage.
 Audit hooks - This technique involves embedding hooks in application syst-
ems to function as red flags and to induce IS security & auditors to act bef-
ore an error or irregularity gets out of hand.
 Integrated test facility (ITF) - It creates a fictitious entity in a database to
process test transactions simultaneously with live input. It can be used to
incorporate test transactions into a normal production run of a system.
 Continuous and intermittent simulation (CIS) – This means that the simula-
tion is notified about each transaction that is entered to the application and
accesses to database by the DBMS
Points to remember:
 An online auditing techniques is most effective for the early detection
of errors or irregularities – Audit hooks
 Generalized audit software (GAS) – Used by IS auditor to detect dupli-
cate invoice records within an invoice master file

Business
Partner
Authorized Training
TM
R
35
sales@infosectrain.com
https://www.infosectrain.com
+91-97736-67874
THANKS

CISA Domain 3 - Information Systems Acquisition, Development and Implementation

Recommended

More Related Content

What's hot (20)

Similar to CISA Domain 3 - Information Systems Acquisition, Development and Implementation (20)

More from InfosecTrain (16)

Recently uploaded (20)

CISA Domain 3 - Information Systems Acquisition, Development and Implementation