Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Information Systems Acquisition, Development, and Implementation

Practice CISA Information Systems Acquisition, Development, and Implementation questions with full explanations on every answer.

108 questions


All CISA Information Systems Acquisition, Development, and Implementation questions (108)


1

During a post-implementation review of a new financial system, the IS auditor finds that user acceptance testing (UAT) was completed with only 60% of test cases passed. Which of the following is the MOST significant risk?

2

An organization is implementing an enterprise resource planning (ERP) system. The project team plans to migrate legacy data without performing a full reconciliation between source and target systems. As an IS auditor, which of the following should be your PRIMARY concern?

3

In a waterfall SDLC, which phase requires formal sign-off from the business owner before proceeding to the next phase?

4

An IS auditor is reviewing an agile software development project. Which of the following would be the BEST evidence that adequate controls are in place for user acceptance?

5

During a vendor evaluation for a critical system, the IS auditor notes that the vendor's SOC 2 report includes an adverse opinion. What should be the auditor's PRIMARY recommendation?

6

An organization is using a spiral model for a high-risk project. The IS auditor wants to ensure that risk assessment is performed at each iteration. Which of the following is the BEST evidence that this control is effective?

7

Which of the following is a primary advantage of fixed-price contracts in systems acquisition?

8

An IS auditor is reviewing change management procedures. Which of the following situations would be of GREATEST concern?

9

During a build vs. buy analysis, the IS auditor observes that the organization decided to build a custom application because no vendor solution met all requirements. Which of the following risks should the auditor emphasize?

10

An organization is deploying a major system upgrade. The change request has been approved by CAB, but the deployment plan does not include a rollback procedure. As an IS auditor, what should you recommend?

11

Which of the following is a key objective of the design phase in the SDLC?

12

An IS auditor is assessing an ERP implementation. Which of the following control concerns is MOST likely to arise from segregation of duties conflicts?

13

Which TWO of the following are typical controls in the testing phase of the SDLC? (Select two.)

14

Which THREE of the following are essential elements of an emergency change request? (Select three.)

15

Which TWO of the following are benefits of an iterative SDLC approach compared to waterfall? (Select two.)

16

During which phase of the SDLC should security requirements be formally documented and approved by the business owner?

17

An IS auditor is reviewing an agile software development project. Which of the following practices would BEST help ensure that security controls are adequately addressed?

18

An organization is implementing a large ERP system. The project team plans to migrate legacy data to the new system. Which of the following is the MOST significant risk associated with data migration?

19

An IS auditor is evaluating the change management process. Which of the following is the BEST indicator that emergency changes are being properly controlled?

20

In a waterfall SDLC, when should user acceptance testing (UAT) typically occur?

21

An organization is considering whether to build a custom application or purchase a commercial off-the-shelf (COTS) product. Which of the following factors is MOST important when deciding to build rather than buy?

22

An IS auditor is reviewing a contract with a vendor for a new financial system. Which of the following clauses is MOST critical to ensure auditability?

23

During a post-implementation review of a system, an IS auditor finds that the actual transaction processing time is 30% slower than projected. What should the auditor recommend FIRST?

24

Which of the following is a key control in the deployment phase of the SDLC?

25

An IS auditor is assessing the controls in an agile development environment. What is the MOST effective way to verify that security testing is performed iteratively?

26

In a spiral model SDLC, risk analysis is performed at the beginning of each iteration. What is the PRIMARY benefit of this approach?

27

An organization is implementing a new ERP system and is concerned about segregation of duties (SoD) conflicts. What is the BEST approach to address this during the implementation?

28

An IS auditor is reviewing a vendor's SOC 2 report as part of a systems acquisition. Which TWO aspects should the auditor verify to ensure the report is reliable?

29

An organization is adopting a DevOps approach for system development. Which THREE controls should an IS auditor expect to see in place to maintain security and compliance?

30

Which TWO of the following are characteristics of the iterative SDLC model?

31

An organization is considering replacing its legacy financial system with a new ERP solution. Which of the following is the PRIMARY advantage of purchasing a commercial off-the-shelf (COTS) ERP package over building a custom system?

32

During a post-implementation review of a new customer relationship management (CRM) system, the IS auditor finds that the system is processing transactions slower than anticipated. What is the BEST initial course of action for the auditor?

33

An organization is implementing an agile methodology for a new software project. Which of the following is the MOST effective control to ensure that security requirements are addressed?

34

Which of the following is the PRIMARY purpose of a change advisory board (CAB) in the change management process?

35

An IS auditor is reviewing a software development project that follows the waterfall model. Which of the following is the MAIN advantage of this methodology?

36

During an ERP implementation, the project team decides to customize the software to align with existing business processes. Which of the following risks is MOST likely to increase as a result of extensive customization?

37

An IS auditor is reviewing the change management process for a critical financial application. Which of the following findings would be of GREATEST concern?

38

Which of the following is the BEST control to ensure that user acceptance testing (UAT) is effective?

39

What is the PRIMARY purpose of conducting static application security testing (SAST) during the development phase?

40

An organization is selecting a vendor for a new procurement system. Which of the following is the MOST important factor to include in the contract?

41

During a spiral model SDLC project, an IS auditor is reviewing risk assessment documentation. Which of the following would be the GREATEST concern?

42

Which of the following BEST describes the role of threat modeling in the design phase of the SDLC?

43

An organization is implementing a new payroll system using an agile methodology. Which TWO of the following are the MOST important controls for the IS auditor to assess?

44

During a post-implementation review of a new accounting system, the IS auditor notes the following: the project was completed on time and within budget, but user satisfaction is low and there are several outstanding defect reports. Which THREE of the following are the MOST appropriate recommendations?

45

An organization is migrating from a legacy system to a new ERP. Which TWO of the following are the HIGHEST risks during data migration?

46

An organization is implementing a new financial system using the waterfall SDLC model. Which of the following is the MOST critical control to ensure that business requirements are met?

47

During an agile software development project, a sprint review meeting is conducted. What is the PRIMARY purpose of this meeting from an IS audit perspective?

48

An IS auditor is reviewing a systems acquisition project that involves purchasing an ERP system. Which of the following is the MOST significant risk related to data migration during implementation?

49

An organization is deciding between developing a custom application and purchasing a commercial off-the-shelf (COTS) product. The project manager favors a COTS solution because it offers faster deployment. Which of the following is the MOST important consideration for the IS auditor to evaluate in this build vs. buy decision?

50

During an SDLC audit, the IS auditor finds that security requirements were not formally documented during the requirements phase. Which of the following is the BEST recommendation to mitigate the associated risk?

51

An IS auditor is reviewing an emergency change that was implemented to fix a critical security vulnerability. Which of the following post-implementation controls is MOST important to ensure the change was properly managed?

52

Which of the following is the PRIMARY objective of a post-implementation review of an information system?

53

An IS auditor is reviewing a contract for a new software solution. Which of the following contract types poses the HIGHEST risk to the buyer if requirements are not well-defined?

54

In a spiral SDLC model, what is the primary purpose of risk analysis in each iteration?

55

During an ERP implementation, the project team decides to disable segregation of duties (SoD) controls in the system to accelerate go-live. After go-live, the IS auditor identifies that a single user can perform incompatible functions. What is the BEST course of action?

56

An IS auditor is reviewing change management procedures and finds that standard changes are approved by the change manager without CAB review. What is the auditor's BEST conclusion?

57

During a system development project, the IS auditor notes that code reviews are performed only after the code is unit tested. Which of the following is the MOST significant risk associated with this practice?

58

An IS auditor is evaluating an organization's SDLC controls for a new system. Which TWO of the following are key controls that should be in place during the design phase? (Select TWO.)

59

An organization is implementing a new CRM system using an iterative development methodology. The IS auditor wants to verify that appropriate controls are in place. Which THREE of the following are essential controls for iterative development? (Select THREE.)

60

An IS auditor is reviewing vendor management practices for a cloud-based SaaS solution. Which TWO of the following are critical elements to include in the contract's service level agreement (SLA)? (Select TWO.)

61

During which phase of the SDLC should security requirements be formally documented and approved?

62

An organization is implementing an ERP system and is concerned about segregation of duties conflicts. What is the most effective control to address this risk during implementation?

63

An IS auditor is reviewing an agile software development project. Which of the following is the most important control to assess?

64

An organization is deciding between building a custom application and purchasing a commercial off-the-shelf (COTS) product. The primary factor favoring the build option is:

65

Which of the following is a key objective of a post-implementation review?

66

In the context of ITIL change management, which change type requires approval from the Change Advisory Board (CAB)?

67

An IS auditor is evaluating the vendor selection process for a new system. Which of the following is the most important factor to include in the contract?

68

During a spiral SDLC project, the IS auditor should focus on which aspect as the primary risk?

69

Which testing type is performed by end-users to verify that the system meets their needs?

70

An organization is migrating data from a legacy system to a new ERP. What is the most critical data migration risk?

71

Which of the following is an example of a detective control in the SDLC testing phase?

72

An IS auditor is reviewing an emergency change that was implemented to fix a critical security vulnerability. What is the most important post-implementation step?

73

Which TWO of the following are key elements of a change request document?

74

Which THREE of the following are typical controls in the design phase of the SDLC?

75

An IS auditor is reviewing an agile project. Which THREE of the following are controls the auditor should evaluate?

76

An IS auditor is reviewing a waterfall SDLC project that has completed the requirements phase. Which of the following is the greatest risk to the project?

77

During an agile software development project, which of the following events provides the best opportunity for the IS auditor to assess the effectiveness of controls implemented in the current sprint?

78

An organization is considering whether to build a custom application or purchase a commercial off-the-shelf (COTS) product. Which of the following factors would most strongly support a build decision?

79

An IS auditor is reviewing a post-implementation review report for a new ERP system. Which of the following findings would be of greatest concern to the auditor?

80

During a change management audit, the IS auditor notes that an emergency change was implemented to fix a critical security vulnerability. Which of the following should the auditor expect to find in the change documentation?

81

Which of the following is the primary purpose of conducting a static application security test (SAST) during the development phase of the SDLC?

82

An organization is acquiring a new financial system. The contract includes a clause that allows the organization to audit the vendor's controls. Which type of report would most efficiently provide assurance over the vendor's internal controls?

83

During an ERP implementation, data migration is a critical activity. Which of the following controls would be most effective in ensuring the accuracy and completeness of migrated data?

84

An IS auditor is reviewing the system design phase of a project. Which of the following activities is most important to ensure that security is adequately addressed?

85

Which of the following is a key advantage of using an iterative SDLC model over a waterfall model?

86

An IS auditor is evaluating the change management process for a critical financial application. The auditor finds that all standard changes are approved by the Change Advisory Board (CAB). However, emergency changes are approved by the IT manager and later ratified by the CAB. Which of the following is the greatest risk associated with this process?

87

An organization is implementing a new CRM system using an agile methodology. The IS auditor wants to assess whether security requirements are being addressed. What is the best evidence for the auditor to review?

88

An IS auditor is reviewing a post-implementation review of a new payroll system. Which TWO findings should most concern the auditor? (Select two.)

89

An organization is planning to purchase a cloud-based HR system. Which THREE of the following should be included in the vendor contract to ensure adequate control and oversight? (Select three.)

90

During a change management audit, which TWO of the following are essential elements of a normal change request? (Select two.)

91

During which phase of the waterfall SDLC should security requirements be formally documented and approved by the business owner?

92

An IS auditor is reviewing an agile project that uses Scrum. Which event provides the best opportunity for the auditor to assess whether completed user stories meet the defined acceptance criteria?

93

An organization is considering acquiring a commercial off-the-shelf (COTS) ERP system. Which of the following risks is most effectively mitigated by including a contractual clause for audit rights?

94

An IS auditor is reviewing a post-implementation review report for a new financial system. Which finding would most indicate that the project did not meet its objectives?

95

Which type of change in ITIL requires approval from the Change Advisory Board (CAB) before implementation?

96

An organization is implementing a new CRM system and has chosen a build (in-house development) approach over buying a COTS product. Which of the following is the most significant risk of this decision?

97

During a spiral SDLC project, the project team has completed a risk analysis and created a prototype. What is the most likely next step in the spiral model?

98

An IS auditor is reviewing the change management process for a critical financial application. Which of the following is the most important element to verify in an emergency change request?

99

Which of the following is a key control during the deployment phase of a system development life cycle?

100

An organization is evaluating two vendors for a critical cloud-based ERP system. Which TWO contractual clauses are most important to include to ensure the organization can monitor vendor performance and security? (Select TWO)

101

An IS auditor is reviewing a project that uses an iterative SDLC approach. Which THREE controls should the auditor expect to see in place during the development iterations? (Select THREE)

102

During a post-implementation review of a new payroll system, the IS auditor identifies several outstanding issues. Which TWO issues should be considered most critical to address immediately? (Select TWO)

103

An organization is implementing a large ERP system. The project manager is concerned about segregation of duties conflicts. Which THREE controls should the IS auditor recommend to mitigate segregation of duties risks during implementation? (Select THREE)

104

An IS auditor is reviewing a change management process. Which TWO elements should be documented in a normal change request to ensure adequate governance? (Select TWO)

105

During the design phase of an SDLC, which TWO activities should be performed to ensure security is integrated into the system? (Select TWO)

106

An IS auditor is reviewing an agile software development project. Which TWO controls should the auditor expect to see in place?

107

During a post-implementation review of a new ERP system, the IS auditor identified that the project was delivered within budget but user satisfaction scores are low. Which THREE areas should the auditor examine further?

108

An organization is implementing a new customer relationship management (CRM) system using an agile methodology. Which THREE areas should the IS auditor focus on to assess the effectiveness of controls during the development process?


Frequently asked questions

What does the Information Systems Acquisition, Development, and Implementation domain cover on the CISA exam?

The Information Systems Acquisition, Development, and Implementation domain covers the key concepts tested in this area of the CISA exam blueprint published by ISACA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CISA domains — no account required.

How many Information Systems Acquisition, Development, and Implementation questions are in the CISA question bank?

The Courseiva CISA question bank contains 108 questions in the Information Systems Acquisition, Development, and Implementation domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Information Systems Acquisition, Development, and Implementation for CISA?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Information Systems Acquisition, Development, and Implementation questions for CISA?

Yes — the session launcher on this page draws questions exclusively from the Information Systems Acquisition, Development, and Implementation domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
