Evaluate System Acquisition And Implementation Controls
CPA Information Systems and Controls (ISC)
Which of the following best describes the primary purpose of controls over system acquisition and implementation?
To reduce the cost of technology procurement by standardizing vendor selection criteria.
To comply with vendor licensing agreements for all purchased software.
To ensure new systems are authorized, properly configured, adequately tested, and transitioned into production in a controlled manner that maintains data integrity and operational continuity.
To ensure IT staff receive adequate training on new system functionality.
Explanation
System acquisition and implementation controls govern the entire lifecycle from selection through go-live, ensuring systems are authorized, tested, configured correctly, and deployed safely. Answer A is correct. Cost reduction (B), training (C), and licensing (D) are important considerations but not the primary control objective.
User acceptance testing (UAT) is performed during system implementation primarily to:
Test the system's cybersecurity controls against known attack vectors.
Confirm that the system meets business requirements and operates correctly from the perspective of end users before go-live.
Ensure the vendor has fulfilled all contractual obligations before payment.
Verify that the system meets technical performance benchmarks established by IT.
Explanation
UAT validates that the system does what the business needs it to do - verifying business requirements are met through user-led testing before the system is deployed to production. Answer C is correct. Technical benchmarks (A) are IT performance testing. Contract fulfillment (B) is a vendor management activity. Security testing (D) is a separate test phase.
Which of the following is the most significant risk of implementing a new financial system without adequate parallel processing?
The new system's vendor may not provide timely support after implementation.
Differences between the old and new system outputs may go undetected, and if the new system contains errors, there is no validated baseline to compare against.
The old system's licenses may expire before the new system is fully deployed.
IT staff may not be adequately trained on the new system before go-live.
Explanation
Parallel processing runs both systems simultaneously, allowing comparison of outputs to detect discrepancies in the new system before fully committing to it. Without parallel processing, errors in the new system may not be identified until they affect financial reporting. Answer D is correct. License expiry (A), training (B), and vendor support (C) are operational concerns.
A company is evaluating three ERP systems from different vendors. Which of the following represents a key control in the vendor selection process?
Selecting the vendor with the lowest upfront licensing cost.
Delegating vendor selection entirely to the IT department without business unit involvement.
Selecting the system used by the largest number of competitors.
Using a formal RFP process with defined evaluation criteria aligned to business requirements, including financial stability of vendors, security capabilities, and reference checks.
Explanation
A formal RFP with documented evaluation criteria ensures selection decisions are objective, risk-aware, and aligned to both business and technical requirements. Answer A is correct. Lowest cost (B) ignores TCO and risk. Competitor usage (C) may not fit the organization's specific needs. IT-only selection (D) lacks business alignment.
Which of the following system implementation controls most directly addresses the risk that configuration errors in a new financial system will produce incorrect transaction processing?
Performing comprehensive configuration testing and validation, including processing sample transactions and verifying outputs against expected results.
Requiring all project team members to sign confidentiality agreements.
Conducting cybersecurity penetration testing of the new system before go-live.
Backing up all legacy system data before beginning the implementation.
Explanation
Configuration testing with sample transactions directly validates that the system's setup produces correct outputs - the most targeted control for detecting configuration errors that could affect transaction accuracy. Answer C is correct. Confidentiality agreements (A) and penetration testing (B) address different risks. Legacy backup (D) is a data protection control, not a configuration validation control.
Which of the following represents a significant control weakness in a system implementation project?
The system has both automated and manual controls.
The same individuals who developed and configured the system are also responsible for approving go-live and performing production deployment without independent review.
The project uses an agile development methodology with two-week sprints.
The project team includes both IT developers and business analysts.
Explanation
Having developers approve their own work and deploy to production without independent review eliminates segregation of duties - creating a risk that undetected errors and unauthorized changes reach production. Answer B is correct. Cross-functional teams (A), agile methodology (C), and mixed control types (D) are all appropriate practices.
An organization is implementing a new payroll system. Which of the following tests should be completed before go-live to specifically address the risk of incorrect payroll calculations?
Reviewing the new payroll system's vendor security certifications.
Testing the system's report generation speed and performance under peak load.
Verifying that the payroll system is backed up nightly.
Processing a full payroll run with test employee data and reconciling calculated pay to manually computed expected amounts for a representative sample.
Explanation
Parallel payroll calculation testing - running the new system with known test data and comparing outputs to manually computed expectations - directly validates calculation accuracy before production use. Answer A is correct. Security certifications (B), performance testing (C), and backup verification (D) are important but don't specifically test calculation accuracy.
During an audit of a recent system implementation, the auditor finds no documented test plans, test scripts, or test results. The system is now in production processing live financial transactions. This finding indicates:
An acceptable practice for small, low-risk system implementations.
The system was tested informally and the results were adequate.
A minor documentation gap that can be remediated through post-implementation review.
A significant implementation control deficiency - without documented testing, there is no evidence the system was adequately validated before processing live financial transactions.
Explanation
Absence of test documentation means there is no evidence that the system was validated - the system may contain errors that will affect financial data integrity, and the risk cannot be assessed retroactively. Answer C is correct. Informal testing (A) leaves no evidence. It is not minor when the system is processing live transactions (B). System scope does not eliminate testing requirements (D).
An organization is implementing a cloud-based financial system as a SaaS solution. Which of the following implementation controls is uniquely important in a SaaS context?
Negotiating the physical location of the servers hosting the SaaS application.
Configuring the on-premises database servers to synchronize with the cloud application.
Reviewing and configuring the SaaS application's security and access control settings, since the vendor controls the underlying infrastructure and the organization is responsible for application-level configuration.
Installing the SaaS application on all employee workstations.
Explanation
In a SaaS model, the organization cannot control infrastructure but is fully responsible for configuring application-level security, access controls, and data settings - a critical implementation control in cloud deployments. Answer B is correct. On-premises database configuration (A) is not applicable to SaaS. Local installation (C) is not how SaaS works. Physical server location (D) may be relevant for data residency but is not the most critical implementation control.
Which of the following represents a key control during the post-implementation phase of a system deployment?
Finalizing the system architecture design documentation.
Performing a post-implementation review (PIR) to assess whether the system met its objectives, identify issues, and capture lessons learned.
Conducting final vendor contract negotiations.
Completing user acceptance testing sign-off.
Explanation
A PIR after go-live evaluates whether the system delivered its intended benefits, identifies post-production issues, and captures process improvements for future projects - closing the implementation lifecycle. Answer C is correct. Contract negotiations (A) and UAT (B) occur before go-live. Architecture documentation (D) should be completed during, not after, implementation.