Having a hard time understanding the logic behind these answers for CISA

jaguaar Member Posts: 58
BrainTrust
Ready for some brain storming?
While studying CISA questions, I am having a very hard time picking the right answer, well, the right answer according to ISACA. I am almost always able to eliminate the 2 answers, but there are several questions that are not technical in nature whose answers I find "controversial", for lack of a better word. In some cases I have issues with grammar or sentence syntax; others defy practical experience.
I want to understand if I am not looking at the scenario properly, or otherwise what you would do to arrive at the correct answer, at least from the exam perspective.
Here are some examples of such Q&As that have left me baffled.

1. Which of the following is the BEST option to ensure that an in-house developed CRM application operates as designed?

A. User acceptance testing (UAT)

C. Postimplementation review

You answered A. The correct answer is C. (How will post implementation review ensure operation as designed? Implementation has already occurred.)

2. An IS Auditor finds that some output transaction values were wrong because some input values were not entered properly. What is the best control to prevent this from happening?

A. A sample of transactions may be recalculated manually

B. Limit checks

Answer is B. I think A is correct because a limit check will work to ensure proper format of input data, not correct data necessarily.

3. An org is doing process re-engineering of the marketing process. What is the main control the IS Auditor should worry about?

A. The inclusion of the key controls and verify that the controls are in place before implementing the new process.

D. Separation of duties

I chose D but A is correct. BUT BUT BUT - We are talking about marketing here. Why would marketing affect assets of org?

Can someone please enlighten me?

Comments

  • NetworkNewb Member Posts: 3,298
    jaguaar wrote: »
    How will post implementation review ensure operation as designed? Implementation has already occurred

    Right, now they are wanting a review of how the implementation went.

    jaguaar wrote: »
    Answer is B. I think A is correct because a limit check will work to ensure proper format of input data, not correct data necessarily.

    How would A prevent this from happening in the future? At least option B has a chance to prevent some data from being improperly entered.

    jaguaar wrote: »
    I chose D but A is correct. BUT BUT BUT - We are talking about marketing here. Why would marketing affect assets of org?

    Maybe I'm not understanding this one, but why are we talking about assets? They are redesigning a process. From an auditing perspective the key controls are what you want to be focused on. A is correct since they want what the auditor's focus is on.
  • TechGuru80 Member Posts: 1,539
    The first...UAT happens during development to help make sure no requirements were missed. Postimplementation review is indeed after the fact to make sure the app works in practice instead of just theory during design. I could see how this could be confusing but think of UAT as part of the development process.

    The second...A first of all isn’t a control...also the question specifically says input values were entered incorrectly. They aren’t testing the integrity in this question.

    Third...separation of duties is a type of control but it’s not always possible to be used, and doesn’t hit on ALL the controls needed like answer A. The question doesn’t mention assets so that’s another discussion, but an auditor should be concerned that ALL protections are in place not JUST separation of duties.
  • jaguaar Member Posts: 58
    TechGuru80 wrote: »
    The first...UAT happens during development to help make sure no requirements were missed. think of UAT as part of the development process.

    The second...A first of all isn’t a control...also the question specifically says input values were entered incorrectly. They aren’t testing the integrity in this question.

    Third...separation of duties is a type of control but it’s not always possible to be used, and doesn’t hit on ALL the controls needed like answer A. The question doesn’t mention assets so that’s another discussion, but an auditor should be concerned that ALL protections are in place not JUST separation of duties.

    1. Yes, you do have a strong point about UAT being part of the development process. Good point. Thanks.
    2. I was thinking of manual recalculations as the control from an input perspective, that someone should recheck the input, but then again it is not the same as recalculate. Manual recalculation won't work. Agreed.
    3. OK fine, all controls are better than SoD.
    NetworkNewb and TechGuru80 - Thanks a lot for the answers. Big help indeed.