C is the correct answer over D because testing with actual data verifies whether the application's controls function as intended in real execution, whereas code review only analyzes the logic without confirming its practical effectiveness.
Using test data is the most appropriate technique for verifying application program controls because it allows an IS auditor to simulate various input scenarios and evaluate how the application processes the data. This technique helps to verify whether controls, such as validation, authorization, and processing logic, are functioning as intended.
Test data can include both valid and invalid inputs to check how the system handles different cases, ensuring the application enforces controls correctly.
it allows the IS auditor to simulate real-world scenarios and evaluate how the application processes data under various conditions. This method helps determine whether the controls embedded in the application are functioning as intended.
Code review involves examining the source code of an application to identify errors, vulnerabilities, and deviations from coding standards. This process allows for a thorough assessment of the implementation of application program controls within the code itself. By reviewing the code, auditors can evaluate the logic and functionality of the controls, ensuring they are correctly implemented to achieve the desired security, integrity, and reliability objectives.
While the use of test data (Option C) is also an important technique for testing and validating application program controls, it primarily focuses on assessing the functionality and performance of the application, rather than directly verifying the implementation of controls within the code.
Using test data is the most appropriate technique for verifying application program controls. This method involves inputting mock data into the system and subsequently analyzing the output. This allows examination of how the system processes data and enables the verification of system behavior against expected results. It is especially beneficial in testing application program controls as it can help identify any weaknesses or errors in the system's processing controls. Other techniques such as observation of data entry, statistical sampling, and code review do not directly validate the processing controls within the application.
I'm going with C. Using test data. Non-operational, non-impact, and can see the test results. I'm not sure that auditors are SMEs at reviewing code, enough to look for defects.
https://owasp.org/www-pdf-archive/OWASP_Code_Review_Guide_v2.pdf
What is Secure Code Review? Code review aims to identify security flaws in the application related to its features and design, along with the exact root causes. With the increasing complexity of applications and the advent of new technologies, the traditional way of testing may fail to detect all the security flaws present in the applications. One must understand the code of the application, external components, and configurations to have a better chance of finding the flaws. Such a deep dive into the application code also helps in determining exact mitigation techniques that can be used to avert the security flaws.
It is the process of auditing the source code of an application to verify that the proper security and logical controls are present, that they work as intended, and that they have been invoked in the right places. Code review is a way of helping ensure that the application has been developed so as to be “self-defending” in its given environment.