Practice CISA Information Systems Acquisition, Development and Implementation questions with full explanations on every answer.
Click any question to see the full explanation and answer options, or start a focused practice session above.
1. A company is replacing its legacy on-premises ERP system with a cloud-based SaaS solution. The project manager is concerned about data migration risks. Which of the following is the BEST approach to mitigate data integrity issues during migration?
2. An organization is developing a new customer portal. The development team wants to use an agile methodology. Which of the following is a key benefit of using agile for this project?
3. During the user acceptance testing (UAT) phase of a new financial application, the business users report that the system calculates interest incorrectly for certain loan types. The project manager wants to fix this quickly. Which of the following is the BEST course of action?
4. An IT auditor is reviewing the system development life cycle (SDLC) process for a critical application. Which of the following findings would be of MOST concern?
5. When implementing a commercial off-the-shelf (COTS) software package, which of the following is the MOST important activity to ensure the software meets business requirements?
6. A company is implementing a new procurement system. The project team is considering using a rapid application development (RAD) methodology. Which of the following is a potential risk of using RAD?
7. An organization is developing a mobile app that will handle personal health information (PHI). The security team mandates that data must be encrypted both in transit and at rest. Which of the following implementation strategies BEST ensures compliance?
8. In a traditional waterfall SDLC, when should the test plan be developed?
9. An IT auditor is evaluating the change management process for a financial trading system. Which of the following is the BEST indicator of a mature change management process?
10. A company is integrating a third-party payment gateway into its e-commerce platform. Which of the following is the MOST important security control to implement?
11. During a post-implementation review of a new HR system, the auditor finds that the system's disaster recovery plan (DRP) was not tested before go-live. Which of the following is the BEST recommendation?
12. Which TWO of the following are key activities in the system design phase of the SDLC?
13. Which THREE of the following are common risks associated with outsourcing software development?
14. Which TWO of the following are benefits of using a version control system in software development?
15. Which THREE of the following are key considerations when selecting a software development methodology for a project?
16. Refer to the exhibit. An administrator applied this ACL to a VLAN interface. The server at 10.0.0.100 hosts a web application. What is the effect of this ACL?
17. Refer to the exhibit. A developer is inserting a new employee record. What is the cause of this error?
18. Refer to the exhibit. A cloud load balancer uses this JSON configuration. A request arrives from source IP 10.0.1.100 to port 80. Which backend pool will receive the request?
19. A multinational corporation is replacing its legacy on-premises customer relationship management (CRM) system with a new cloud-based CRM solution. The project involves migrating data from the old system, customizing the new system to match business processes, and integrating with an existing enterprise resource planning (ERP) system. The project has a tight deadline of six months. During the planning phase, the project team decides to use a waterfall methodology because the requirements are well-defined. However, three months into the project, the business users request significant changes to the customer data fields, which were not originally specified. The project manager is concerned that accommodating these changes will delay the project. The integration with the ERP system is also proving more complex than anticipated, with data mapping errors causing delays. The go-live date is fixed due to the end-of-support for the legacy system. What is the BEST course of action for the project manager?
20. A hospital is implementing a new electronic health records (EHR) system. The system will be used by doctors, nurses, and administrative staff. During the user acceptance testing (UAT) phase, the nursing staff reports that the interface for entering patient vitals is too slow and requires many clicks, which slows down their workflow. The project team has already completed system testing and is preparing for go-live in two weeks. The development team can make a quick fix to streamline the vital signs entry by adding a shortcut, but this change has not been tested. The IT director is concerned about patient safety and wants to ensure the system is usable. What is the BEST course of action?
21. An organization is implementing a new financial system and has completed user acceptance testing (UAT). The project manager reports that all critical defects have been fixed and retested, but several low-severity issues remain unresolved. What is the BEST course of action?
22. During a nightly batch job, the above error appears in the application logs. The transaction table ACCT_TRANS has a unique constraint on the REF_NUM column. Which of the following is the MOST likely root cause?
23. A company is implementing a new customer relationship management (CRM) system. The project team is currently defining user roles and permissions. Which of the following is the PRIMARY reason to enforce segregation of duties (SoD) within the CRM?
24. An organization is developing a web application using an Agile methodology. The security team wants to integrate security testing early in the development lifecycle. Which of the following is the BEST approach to achieve this?
25. During a system development project, the project manager notices that the actual cost is significantly higher than the planned cost at the 50% completion point. The earned value (EV) is $500,000, the actual cost (AC) is $600,000, and the planned value (PV) is $550,000. Which of the following is the MOST appropriate action?
26. An organization is planning to replace its legacy accounting system with a commercial off-the-shelf (COTS) software package. Which of the following is the PRIMARY risk of using a COTS solution?
27. A company is migrating its on-premises data center to a public cloud provider. Which of the following is the MOST important control to implement before migration to ensure data security?
28. Which TWO of the following are key benefits of using a system development life cycle (SDLC) methodology? (Select exactly two.)
29. Which THREE of the following are common challenges when integrating a software package with existing legacy systems? (Select exactly three.)
30. Refer to the exhibit. An application log shows an error. What is the MOST likely cause of this error?
31. Refer to the exhibit. A security administrator is troubleshooting why external users cannot reach the web server at 203.0.113.10 from the internet. Based on the configuration, what is the MOST likely issue?
32. You are the IT audit manager for a multinational corporation. The company recently implemented a new enterprise resource planning (ERP) system using a phased rollout approach. The first phase (finance module) was deployed to three regional offices six months ago. During a post-implementation review, you discovered that the user acceptance testing (UAT) for the finance module was completed in only two days instead of the planned two weeks. The UAT was performed by a small group of power users selected by the project manager, and they reported no critical issues. However, after go-live, several finance staff in one region found that the system does not support a statutory reporting requirement specific to that country, which was not tested. The project manager argues that the requirement was never documented in the business requirements specification. The system has been live for six months, and the missing functionality requires a significant customization that will take three months and cost $200,000. Management is reluctant to fund the customization because the budget is exhausted. As the IT auditor, what is the BEST course of action?
33. During user acceptance testing (UAT) of a new financial system, users report that the system fails to enforce a segregation of duties rule where the same user should not be able to create a purchase order and approve it. The requirement was documented in the functional specifications. Which of the following is the MOST likely cause of this issue?
34. An IS auditor is reviewing the system development life cycle (SDLC) for a custom application. The project manager has decided to skip the design phase and proceed directly from requirements to coding. Which of the following risks are MOST likely to increase as a result? (Choose two.)
35. Order the steps for conducting an audit engagement from start to finish.
36. Arrange the steps to implement a password policy in the correct order.
37. Match each type of access control to its definition.
38. Match each encryption key type to its usage.
39. During the feasibility study for a new inventory system, the project team identifies that the expected benefits are significantly lower than the initial estimates. What is the MOST appropriate action for the IS auditor to recommend?
40. A company is implementing a new ERP system. The project team plans to use a parallel conversion strategy. What is the PRIMARY advantage of this approach?
41. An organization is developing a custom application. The project manager reports that the development team has implemented 80% of the features but only 50% of the budget is used. What is the MOST significant risk from an IS audit perspective?
42. During a post-implementation review of a financial system, an IS auditor finds that several critical reports are not being generated correctly. Which of the following should the auditor recommend FIRST?
43. An organization is considering outsourcing its IT infrastructure management. Which of the following is the MOST important factor to include in the service level agreement (SLA)?
44. During data conversion from a legacy system to a new ERP, the project team decides to clean data during extraction but not during loading. What is the PRIMARY risk associated with this approach?
45. An IS auditor is reviewing the system development life cycle (SDLC) methodology. Which phase should include the development of detailed test plans?
46. A company is using an agile development methodology for a critical business application. The IS auditor is concerned about the lack of formal documentation. What is the BEST approach to mitigate this risk?
47. A multinational corporation is implementing a global HR system. The project team decides to use a pilot implementation in one region before rolling out to others. What is the PRIMARY risk if the pilot region is not representative of the entire organization?
48. Refer to the exhibit. The IS auditor reviews the router's version output during an audit. What is the MOST significant finding?
49. Refer to the exhibit. An IS auditor finds this bucket policy attached to an S3 bucket storing sensitive customer data. What should the auditor recommend?
50. Refer to the exhibit. An IS auditor is reviewing the architecture. Which of the following is the MOST critical security weakness?
51. Which TWO of the following are essential components of a business case for a new system?
52. Which THREE of the following are best practices for managing system testing in an IS development project?
53. Which TWO of the following are indicators of poor project governance that an IS auditor should identify?
54. During the requirements gathering phase for a new financial system, stakeholders disagree on the priority of security controls versus user convenience. Which of the following is the BEST approach?
55. A company is migrating from a legacy system to a cloud-based ERP. Which of the following is the MOST important control to ensure data integrity during data conversion?
56. An organization is developing a critical application using an agile methodology. The project sponsor demands frequent deliveries but the development team is concerned about insufficient testing. Which of the following BEST mitigates this risk?
57. Which of the following is the PRIMARY benefit of using a prototype during system development?
58. A company decides to outsource the development of a customer portal. Which of the following is the MOST critical control to include in the contract?
59. During system implementation, a critical defect is found in the production environment. The project manager wants to apply an emergency patch without full testing. Which of the following is the BEST course of action?
60. What is the PRIMARY purpose of a post-implementation review?
61. An organization is implementing a new identity management system. Which testing approach is MOST effective for verifying access controls?
62. A project uses a waterfall model. After design, the team discovers that the requirements have changed significantly. What is the BEST action?
63. Which TWO of the following are key controls for ensuring data privacy during system development?
64. Which TWO of the following are BEST indicators that a system development project is at risk of failure?
65. Which THREE of the following are essential components of a change management process?
66. During a system deployment, the above error occurs. What is the MOST likely cause?
67. During user acceptance testing, a user with the above permission set cannot execute a fund transfer. What is the MOST likely reason?
68. A security review of the above Apache configuration identifies a critical vulnerability. Which of the following is the MOST significant issue?
69. A project manager is selecting a development methodology for a project with well-defined requirements and low uncertainty. Which methodology is most appropriate?
70. An IS auditor is reviewing a system development project and notices that user acceptance testing (UAT) is being conducted in the production environment due to lack of a separate test environment. What is the primary risk?
71. An organization is implementing a COTS application. The project team plans to heavily customize the application to meet unique business processes. Which of the following is the most significant risk?
72. Which of the following is the BEST control to ensure that system changes are authorized?
73. An IS auditor finds that a project failed to meet its objectives because key stakeholders were not involved in the requirements definition phase. Which phase of the SDLC was most neglected?
74. In an agile development environment, an IS auditor reviews the backlog and finds that security requirements are not explicitly included. What is the best recommendation?
75. Which of the following is the MOST important objective of system testing?
76. An organization is acquiring a third-party SaaS application. Which of the following should be included in the contract to ensure data protection?
77. During a post-implementation review, an IS auditor identifies that the system's actual transaction processing time is significantly higher than the benchmark specified in the service level agreement (SLA). The vendor claims it is due to inadequate network bandwidth provided by the client. What should the auditor do first?
78. An IS auditor is evaluating the controls over program changes. Which TWO of the following are essential controls?
79. A company is developing a new financial application. Which THREE of the following are valid reasons to involve internal audit during the development phase?
80. An IS auditor is reviewing a request for proposal (RFP) for a new system. Which TWO elements should be included in the RFP?
81. An IS auditor is reviewing the configuration for a web application. Which of the following is the MOST significant security weakness?
82. An IS auditor reviews the change request. Which of the following is the most significant risk?
83. An IS auditor is evaluating the security of the architecture. Which of the following is the MOST critical finding?
84. A company is developing a custom application. During the requirements phase, the project manager documents that the system must encrypt all sensitive data at rest. Which of the following is the BEST control to ensure this requirement is met throughout the development lifecycle?
85. An organization is transitioning from a waterfall to an agile development methodology. Which of the following is a key risk that the IS auditor should highlight?
86. During a third-party software vendor audit, the IS auditor discovers that the vendor uses a common shared database for multiple clients and relies on application-level access controls. Which of the following is the GREATEST concern?
87. An organization is replacing its legacy customer relationship management (CRM) system. Which of the following is the MOST important control to ensure data integrity during the data conversion process?
88. A project team is using a prototyping approach for a new system. Which of the following is the BEST control to ensure the prototype accurately reflects user needs?
89. An IS auditor is reviewing the change management process for a financial institution. The auditor finds that emergency changes bypass normal approval but are documented and reviewed within 48 hours. Which of the following is the BEST recommendation?
90. An organization is selecting a vendor for a new enterprise resource planning (ERP) system. Which of the following is the MOST critical factor in the vendor selection process?
91. A company is developing a mobile application that processes credit card payments. During the testing phase, which of the following types of testing is MOST critical to ensure security?
92. An IS auditor is evaluating a system development project that uses an outsourced team. The contract allows the vendor to reuse some of the developed code in other projects. What is the auditor's PRIMARY concern?
93. Which TWO of the following are key controls that an IS auditor should expect to find in a well-managed system development life cycle (SDLC)?
94. Which TWO of the following are indicators that a project is at risk of failure according to ISACA's project governance framework?
95. Which THREE of the following are typical phases in the system development life cycle (SDLC)?
96. An organization is implementing a new financial system. Which of the following is the MOST important control to ensure data integrity during the data migration phase?
97. During system development, the project team discovers that the original requirements are incomplete. What is the BEST course of action?
98. An organization is adopting agile development methodology. Which control is MOST critical to ensure security is integrated?
99. Which testing phase is MOST effective for validating that the system meets business needs?
100. A company is outsourcing software development. What is the IS auditor's PRIMARY concern?
101. In a DevOps environment, which practice BEST supports auditability?
102. When implementing a commercial off-the-shelf (COTS) system, what is the MOST important factor?
103. Which of the following is the BEST method to ensure that a system development project is completed on time?
104. During a systems audit, the auditor finds that the project did not follow the organization's systems development methodology. What should the auditor do FIRST?
105. Which TWO of the following are key controls in the system development life cycle?
106. Which TWO of the following are common risks in the procurement of custom-developed software?
107. Which THREE of the following are typical objectives of an IT governance framework for system acquisition?
108. During a security audit, which rule poses the greatest risk?
109. What is the primary control weakness in this IAM policy?
110. What is the primary security concern in this architecture?
111. A company is in the process of acquiring a new customer relationship management (CRM) system. During which phase of the systems development life cycle (SDLC) should the business requirements be formally documented?
112. An organization is implementing a custom ERP system. During user acceptance testing (UAT), critical bugs are found that affect core financial processing. The project sponsor suggests deploying the system on schedule and fixing bugs after go-live. What is the BEST course of action?
113. During the design phase of a waterfall project, the development team discovers that a key security requirement was omitted from the functional specification. The design has already been partially completed based on the flawed specification. What is the MOST appropriate action?
114. An IS auditor is reviewing a system development project to assess whether it is on schedule. Which of the following would provide the BEST evidence of project progress against the planned timeline?
115. In an Agile software development project, who is primarily responsible for prioritizing the product backlog?
116. A bank is converting data from its legacy core banking system to a new platform. Which control is MOST critical to ensure the completeness and accuracy of data conversion?
117. A company plans to implement a commercial off-the-shelf (COTS) application and requires significant customization to match its unique business processes. The vendor advises against extensive customization because it may complicate future upgrades. What is the BEST course of action?
118. During system development, which testing phase is performed by developers to verify that individual program units function correctly?
119. What is the PRIMARY purpose of conducting a feasibility study before acquiring a new information system?
120. Which TWO of the following are key objectives of a post-implementation review of a new system?
121. Which THREE of the following are common risks associated with the prototyping methodology?
122. Which TWO of the following are essential elements of a business continuity plan (BCP) for a newly developed system?
123. Refer to the exhibit. A tester executes test case TC-101 and records the result shown. What is the NEXT appropriate step in the testing process?
124. A large organization is implementing a new HR management system to handle payroll and employee data. The project is currently in the build phase with a planned go-live in three months. Recently, the vendor notified the project team that a critical security patch will be released in two months that addresses a data leakage vulnerability present in the current version. The patch includes new features that are not in the contract. The project manager estimates that integrating the patch and re-testing will delay the project by at least four months. Business stakeholders insist on meeting the original go-live date because the legacy system is being decommissioned. The organization has a strict policy that all systems processing sensitive data must have the latest security patches within 30 days of release. What should the project team do?
125. A company has been developing a custom inventory management system using Scrum. In the current sprint, the team discovered that the integration module with the legacy ERP system has severe performance issues: under peak load, transactions time out and fail. The product owner is concerned because the release is scheduled in two weeks. The development team estimates that a proper fix will take three weeks. A similar issue occurred in a previous sprint and was temporarily resolved by reducing the number of concurrent transactions, which lowered performance but kept the system operational. The stakeholders are anxious about the deadline because the legacy ERP will be retired shortly after the planned go-live. What is the BEST action for the team to take?
126. During the implementation of a new ERP system, the project team discovers that the legacy system data cannot be directly migrated due to incompatible data formats. The project manager proposes building a custom script to extract, transform, and load (ETL) data. Which of the following is the BEST course of action?
127. A systems analyst is gathering requirements for a new customer relationship management (CRM) system. Which of the following is the MOST important activity to ensure that the final system meets user needs?
128. An organization is adopting an agile development methodology for a new financial application. During a sprint review, the product owner expresses concern that the system does not enforce segregation of duties (SoD). The development team argues that SoD will be addressed in a future sprint. As the IS auditor, what is the BEST recommendation?
129. During the acquisition of a new software package, the procurement team evaluates two vendors. Vendor A offers a lower upfront cost but higher annual maintenance fees. Vendor B has a higher upfront cost but includes three years of maintenance. What is the MOST important factor for the IS auditor to consider?
130. A company is developing a mobile banking application. Which test phase is MOST critical to ensure that the application functions correctly from the end user's perspective?
131. An IS auditor is reviewing the design phase of a new procurement system. Which TWO of the following controls are MOST critical to include in the system design to prevent unauthorized purchases?
132. An organization is implementing a new cloud-based HR system. The project sponsor wants to skip regular project status meetings to speed up delivery. Which THREE of the following are the MOST significant risks of eliminating these meetings?
133. During the system development life cycle (SDLC), which THREE of the following are recognized benefits of involving internal audit early in the process?
134. A financial services company is developing a new customer-facing web application for account management. The project is using a waterfall methodology. The initial requirements were gathered six months ago, and the coding phase is nearly complete. The business sponsor now requests a new feature that allows customers to view transaction receipts online. The project manager is concerned that this change will delay the project by two months and exceed the budget. The sponsor insists that the feature is critical for customer satisfaction and that the project must adapt. The development team estimates it will take 200 hours to implement. The steering committee is divided. As an IS auditor, what would be the BEST recommendation to resolve this?
135. A hospital is implementing a new electronic health record (EHR) system. The project team includes clinicians and IT staff. During integration testing, the system fails to exchange lab results with the existing legacy system due to format mismatches. The IT team suggests developing a custom interface. The clinical team is concerned that any custom solution may not comply with health data privacy regulations. The project sponsor pressures the team to quickly fix the issue to avoid delays. The IS auditor is reviewing this situation. What is the MOST appropriate action for the auditor to recommend?
136. A small manufacturing company decides to acquire an off-the-shelf inventory management system. The purchasing manager selects a vendor based solely on the lowest price, ignoring the vendor's financial stability and support history. After purchase, the vendor declares bankruptcy, leaving the company without support. The system has a critical bug that halts inventory tracking. The IT manager considers hiring a consultant to fix the bug. As an IS auditor, what should the auditor's PRIMARY concern be?
137. A government agency is developing a case management system for law enforcement. The project follows an agile approach, releasing iterations every two weeks. During a sprint demo, users discover that the system does not redact personally identifiable information (PII) in documents shared with external parties, violating privacy laws. The development team says they planned to add redaction in a future sprint. The product owner wants to prioritize PII redaction immediately. The project manager is concerned that this will disrupt the release schedule. The IS auditor is assessing the project's risk management. Which of the following is the BEST recommendation?
138. A university is implementing a new student information system. The project team uses an iterative development approach. During user acceptance testing, students report that the online course registration portal crashes when more than 100 users register simultaneously. The development team identifies a database connection pooling issue and estimates a fix will take three weeks. The project deadline is in two weeks. The project manager suggests deploying the system as is and fixing the issue after go-live, as the crash is rare. The IS auditor is consulted. What should the auditor recommend?
139. A multinational corporation is implementing a new enterprise resource planning (ERP) system across multiple regions. The project uses a phased roll-out. After the first phase in Asia, the system experiences intermittent synchronization errors between the central database and regional servers. The IT team suspects network latency but cannot reproduce the issue consistently. The project sponsor wants to proceed with the next phase in Europe to avoid further delays. The IS auditor is performing a post-implementation review. What is the MOST appropriate recommendation?
140. A nonprofit organization develops a small online donation platform using a third-party payment gateway. The project team skips formal security testing because of budget constraints. After launch, a security researcher discovers that the application fails to validate input on the donation amount field, allowing manipulation. The nonprofit loses several thousand dollars before the issue is patched. The IS auditor is asked to review the system development process. Which of the following is the PRIMARY finding?
141. Which TWO of the following are essential controls to ensure data integrity during a cloud migration project?
142. A mid-sized company is upgrading its legacy financial system to a new cloud-based ERP. The project manager has decided to use a big-bang cutover approach to minimize costs and time. During the first week post-go-live, users report that several critical reports are generating incorrect totals. An initial investigation reveals that the data mapping from the old system to the new system was not fully validated. Which of the following should the IS auditor recommend as the most appropriate corrective action?
143. A large financial institution is developing a new online banking platform using an Agile methodology. The development team has implemented a continuous integration and continuous deployment (CI/CD) pipeline. During a routine security scan, the IS auditor discovers that a developer accidentally committed a configuration file containing database credentials into the public-facing code repository. The credentials were exposed for 48 hours before being detected. Which of the following is the most critical control failure that allowed this incident to occur?
144. An organization is evaluating a vendor for a custom application development. The vendor states they are assessed at CMMI Level 2 (Managed). Which of the following best describes the implication of this rating?
145. During a data migration from a legacy system to a new ERP, the following log entries were generated. Which TWO issues should the IS auditor flag as high risk?
146. A large financial institution is implementing a new core banking system to replace a legacy system. The project has been underway for 18 months and is behind schedule. User acceptance testing (UAT) has revealed significant data integrity issues, including missing customer records and incorrect interest calculations. The project manager, under pressure from senior management to meet a regulatory deadline, proposes going live with a promise to fix the issues in a post-implementation phase. The development team has been making ad hoc code changes directly in the test environment without version control or proper testing. Additionally, the IS auditor discovers that the business requirements were never formally signed off by the user community; only verbal approvals were obtained. The project has consumed 90% of the budget but only 60% of the functionality is tested. Which of the following is the BEST course of action for the IS auditor to recommend?
The Information Systems Acquisition, Development and Implementation domain covers the key concepts tested in this area of the CISA exam blueprint published by ISACA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CISA domains — no account required.
The Courseiva CISA question bank contains 146 questions in the Information Systems Acquisition, Development and Implementation domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Information Systems Acquisition, Development and Implementation domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.