Practice CISA Information Systems Acquisition, Development, and Implementation questions with full explanations on every answer.
1. During a post-implementation review of a new financial system, the IS auditor finds that user acceptance testing (UAT) was completed with only 60% of test cases passed. Which of the following is the MOST significant risk?
2. An organization is implementing an enterprise resource planning (ERP) system. The project team plans to migrate legacy data without performing a full reconciliation between source and target systems. As an IS auditor, which of the following should be your PRIMARY concern?
3. In a waterfall SDLC, which phase requires formal sign-off from the business owner before proceeding to the next phase?
4. An IS auditor is reviewing an agile software development project. Which of the following would be the BEST evidence that adequate controls are in place for user acceptance?
5. During a vendor evaluation for a critical system, the IS auditor notes that the vendor's SOC 2 report includes an adverse opinion. What should be the auditor's PRIMARY recommendation?
6. An organization is using a spiral model for a high-risk project. The IS auditor wants to ensure that risk assessment is performed at each iteration. Which of the following is the BEST evidence that this control is effective?
7. Which of the following is a primary advantage of fixed-price contracts in systems acquisition?
8. An IS auditor is reviewing change management procedures. Which of the following situations would be of GREATEST concern?
9. During a build vs. buy analysis, the IS auditor observes that the organization decided to build a custom application because no vendor solution met all requirements. Which of the following risks should the auditor emphasize?
10. An organization is deploying a major system upgrade. The change request has been approved by CAB, but the deployment plan does not include a rollback procedure. As an IS auditor, what should you recommend?
11. Which of the following is a key objective of the design phase in the SDLC?
12. An IS auditor is assessing an ERP implementation. Which of the following control concerns is MOST likely to arise from segregation of duties conflicts?
13. Which TWO of the following are typical controls in the testing phase of the SDLC? (Select two.)
14. Which THREE of the following are essential elements of an emergency change request? (Select three.)
15. Which TWO of the following are benefits of an iterative SDLC approach compared to waterfall? (Select two.)
16. During which phase of the SDLC should security requirements be formally documented and approved by the business owner?
17. An IS auditor is reviewing an agile software development project. Which of the following practices would BEST help ensure that security controls are adequately addressed?
18. An organization is implementing a large ERP system. The project team plans to migrate legacy data to the new system. Which of the following is the MOST significant risk associated with data migration?
19. An IS auditor is evaluating the change management process. Which of the following is the BEST indicator that emergency changes are being properly controlled?
20. In a waterfall SDLC, when should user acceptance testing (UAT) typically occur?
21. An organization is considering whether to build a custom application or purchase a commercial off-the-shelf (COTS) product. Which of the following factors is MOST important when deciding to build rather than buy?
22. An IS auditor is reviewing a contract with a vendor for a new financial system. Which of the following clauses is MOST critical to ensure auditability?
23. During a post-implementation review of a system, an IS auditor finds that the actual transaction processing time is 30% slower than projected. What should the auditor recommend FIRST?
24. Which of the following is a key control in the deployment phase of the SDLC?
25. An IS auditor is assessing the controls in an agile development environment. What is the MOST effective way to verify that security testing is performed iteratively?
26. In a spiral model SDLC, risk analysis is performed at the beginning of each iteration. What is the PRIMARY benefit of this approach?
27. An organization is implementing a new ERP system and is concerned about segregation of duties (SoD) conflicts. What is the BEST approach to address this during the implementation?
28. An IS auditor is reviewing a vendor's SOC 2 report as part of a systems acquisition. Which TWO aspects should the auditor verify to ensure the report is reliable?
29. An organization is adopting a DevOps approach for system development. Which THREE controls should an IS auditor expect to see in place to maintain security and compliance?
30. Which TWO of the following are characteristics of the iterative SDLC model?
31. An organization is considering replacing its legacy financial system with a new ERP solution. Which of the following is the PRIMARY advantage of purchasing a commercial off-the-shelf (COTS) ERP package over building a custom system?
32. During a post-implementation review of a new customer relationship management (CRM) system, the IS auditor finds that the system is processing transactions slower than anticipated. What is the BEST initial course of action for the auditor?
33. An organization is implementing an agile methodology for a new software project. Which of the following is the MOST effective control to ensure that security requirements are addressed?
34. Which of the following is the PRIMARY purpose of a change advisory board (CAB) in the change management process?
35. An IS auditor is reviewing a software development project that follows the waterfall model. Which of the following is the MAIN advantage of this methodology?
36. During an ERP implementation, the project team decides to customize the software to align with existing business processes. Which of the following risks is MOST likely to increase as a result of extensive customization?
37. An IS auditor is reviewing the change management process for a critical financial application. Which of the following findings would be of GREATEST concern?
38. Which of the following is the BEST control to ensure that user acceptance testing (UAT) is effective?
39. What is the PRIMARY purpose of conducting static application security testing (SAST) during the development phase?
40. An organization is selecting a vendor for a new procurement system. Which of the following is the MOST important factor to include in the contract?
41. During a spiral model SDLC project, an IS auditor is reviewing risk assessment documentation. Which of the following would be the GREATEST concern?
42. Which of the following BEST describes the role of threat modeling in the design phase of the SDLC?
43. An organization is implementing a new payroll system using an agile methodology. Which TWO of the following are the MOST important controls for the IS auditor to assess?
44. During a post-implementation review of a new accounting system, the IS auditor notes the following: the project was completed on time and within budget, but user satisfaction is low and there are several outstanding defect reports. Which THREE of the following are the MOST appropriate recommendations?
45. An organization is migrating from a legacy system to a new ERP. Which TWO of the following are the HIGHEST risks during data migration?
46. An organization is implementing a new financial system using the waterfall SDLC model. Which of the following is the MOST critical control to ensure that business requirements are met?
47. During an agile software development project, a sprint review meeting is conducted. What is the PRIMARY purpose of this meeting from an IS audit perspective?
48. An IS auditor is reviewing a systems acquisition project that involves purchasing an ERP system. Which of the following is the MOST significant risk related to data migration during implementation?
49. An organization is deciding between developing a custom application and purchasing a commercial off-the-shelf (COTS) product. The project manager favors a COTS solution because it offers faster deployment. Which of the following is the MOST important consideration for the IS auditor to evaluate in this build vs. buy decision?
50. During an SDLC audit, the IS auditor finds that security requirements were not formally documented during the requirements phase. Which of the following is the BEST recommendation to mitigate the associated risk?
51. An IS auditor is reviewing an emergency change that was implemented to fix a critical security vulnerability. Which of the following post-implementation controls is MOST important to ensure the change was properly managed?
52. Which of the following is the PRIMARY objective of a post-implementation review of an information system?
53. An IS auditor is reviewing a contract for a new software solution. Which of the following contract types poses the HIGHEST risk to the buyer if requirements are not well-defined?
54. In a spiral SDLC model, what is the primary purpose of risk analysis in each iteration?
55. During an ERP implementation, the project team decides to disable segregation of duties (SoD) controls in the system to accelerate go-live. After go-live, the IS auditor identifies that a single user can perform incompatible functions. What is the BEST course of action?
56. An IS auditor is reviewing change management procedures and finds that standard changes are approved by the change manager without CAB review. What is the auditor's BEST conclusion?
57. During a system development project, the IS auditor notes that code reviews are performed only after the code is unit tested. Which of the following is the MOST significant risk associated with this practice?
58. An IS auditor is evaluating an organization's SDLC controls for a new system. Which TWO of the following are key controls that should be in place during the design phase? (Select TWO.)
59. An organization is implementing a new CRM system using an iterative development methodology. The IS auditor wants to verify that appropriate controls are in place. Which THREE of the following are essential controls for iterative development? (Select THREE.)
60. An IS auditor is reviewing vendor management practices for a cloud-based SaaS solution. Which TWO of the following are critical elements to include in the contract's service level agreement (SLA)? (Select TWO.)
61. During which phase of the SDLC should security requirements be formally documented and approved?
62. An organization is implementing an ERP system and is concerned about segregation of duties conflicts. What is the most effective control to address this risk during implementation?
63. An IS auditor is reviewing an agile software development project. Which of the following is the most important control to assess?
64. An organization is deciding between building a custom application and purchasing a commercial off-the-shelf (COTS) product. The primary factor favoring the build option is:
65. Which of the following is a key objective of a post-implementation review?
66. In the context of ITIL change management, which change type requires approval from the Change Advisory Board (CAB)?
67. An IS auditor is evaluating the vendor selection process for a new system. Which of the following is the most important factor to include in the contract?
68. During a spiral SDLC project, the IS auditor should focus on which aspect as the primary risk?
69. Which testing type is performed by end-users to verify that the system meets their needs?
70. An organization is migrating data from a legacy system to a new ERP. What is the most critical data migration risk?
71. Which of the following is an example of a detective control in the SDLC testing phase?
72. An IS auditor is reviewing an emergency change that was implemented to fix a critical security vulnerability. What is the most important post-implementation step?
73. Which TWO of the following are key elements of a change request document?
74. Which THREE of the following are typical controls in the design phase of the SDLC?
75. An IS auditor is reviewing an agile project. Which THREE of the following are controls the auditor should evaluate?
76. An IS auditor is reviewing a waterfall SDLC project that has completed the requirements phase. Which of the following is the greatest risk to the project?
77. During an agile software development project, which of the following events provides the best opportunity for the IS auditor to assess the effectiveness of controls implemented in the current sprint?
78. An organization is considering whether to build a custom application or purchase a commercial off-the-shelf (COTS) product. Which of the following factors would most strongly support a build decision?
79. An IS auditor is reviewing a post-implementation review report for a new ERP system. Which of the following findings would be of greatest concern to the auditor?
80. During a change management audit, the IS auditor notes that an emergency change was implemented to fix a critical security vulnerability. Which of the following should the auditor expect to find in the change documentation?
81. Which of the following is the primary purpose of conducting a static application security test (SAST) during the development phase of the SDLC?
82. An organization is acquiring a new financial system. The contract includes a clause that allows the organization to audit the vendor's controls. Which type of report would most efficiently provide assurance over the vendor's internal controls?
83. During an ERP implementation, data migration is a critical activity. Which of the following controls would be most effective in ensuring the accuracy and completeness of migrated data?
84. An IS auditor is reviewing the system design phase of a project. Which of the following activities is most important to ensure that security is adequately addressed?
85. Which of the following is a key advantage of using an iterative SDLC model over a waterfall model?
86. An IS auditor is evaluating the change management process for a critical financial application. The auditor finds that all standard changes are approved by the Change Advisory Board (CAB). However, emergency changes are approved by the IT manager and later ratified by the CAB. Which of the following is the greatest risk associated with this process?
87. An organization is implementing a new CRM system using an agile methodology. The IS auditor wants to assess whether security requirements are being addressed. What is the best evidence for the auditor to review?
88. An IS auditor is reviewing a post-implementation review of a new payroll system. Which TWO findings should most concern the auditor? (Select two.)
89. An organization is planning to purchase a cloud-based HR system. Which THREE of the following should be included in the vendor contract to ensure adequate control and oversight? (Select three.)
90. During a change management audit, which TWO of the following are essential elements of a normal change request? (Select two.)
91. During which phase of the waterfall SDLC should security requirements be formally documented and approved by the business owner?
92. An IS auditor is reviewing an agile project that uses Scrum. Which event provides the best opportunity for the auditor to assess whether completed user stories meet the defined acceptance criteria?
93. An organization is considering acquiring a commercial off-the-shelf (COTS) ERP system. Which of the following risks is most effectively mitigated by including a contractual clause for audit rights?
94. An IS auditor is reviewing a post-implementation review report for a new financial system. Which finding would most indicate that the project did not meet its objectives?
95. Which type of change in ITIL requires approval from the Change Advisory Board (CAB) before implementation?
96. An organization is implementing a new CRM system and has chosen a build (in-house development) approach over buying a COTS product. Which of the following is the most significant risk of this decision?
97. During a spiral SDLC project, the project team has completed a risk analysis and created a prototype. What is the most likely next step in the spiral model?
98. An IS auditor is reviewing the change management process for a critical financial application. Which of the following is the most important element to verify in an emergency change request?
99. Which of the following is a key control during the deployment phase of a system development life cycle?
100. An organization is evaluating two vendors for a critical cloud-based ERP system. Which TWO contractual clauses are most important to include to ensure the organization can monitor vendor performance and security? (Select TWO)
101. An IS auditor is reviewing a project that uses an iterative SDLC approach. Which THREE controls should the auditor expect to see in place during the development iterations? (Select THREE)
102. During a post-implementation review of a new payroll system, the IS auditor identifies several outstanding issues. Which TWO issues should be considered most critical to address immediately? (Select TWO)
103. An organization is implementing a large ERP system. The project manager is concerned about segregation of duties conflicts. Which THREE controls should the IS auditor recommend to mitigate segregation of duties risks during implementation? (Select THREE)
104. An IS auditor is reviewing a change management process. Which TWO elements should be documented in a normal change request to ensure adequate governance? (Select TWO)
105. During the design phase of an SDLC, which TWO activities should be performed to ensure security is integrated into the system? (Select TWO)
106. An IS auditor is reviewing an agile software development project. Which TWO controls should the auditor expect to see in place?
107. During a post-implementation review of a new ERP system, the IS auditor identified that the project was delivered within budget but user satisfaction scores are low. Which THREE areas should the auditor examine further?
108. An organization is implementing a new customer relationship management (CRM) system using an agile methodology. Which THREE areas should the IS auditor focus on to assess the effectiveness of controls during the development process?
The Information Systems Acquisition, Development, and Implementation domain covers the key concepts tested in this area of the CISA exam blueprint published by ISACA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CISA domains — no account required.
The Courseiva CISA question bank contains 108 questions in the Information Systems Acquisition, Development, and Implementation domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Information Systems Acquisition, Development, and Implementation domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.