Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

CISA Information Systems Acquisition, Development and Implementation — All Questions With Answers

Complete CISA Information Systems Acquisition, Development and Implementation question bank — all 0 questions with answers and detailed explanations.

146 questions
Question 1 (medium, multiple choice)

A company is replacing its legacy on-premises ERP system with a cloud-based SaaS solution. The project manager is concerned about data migration risks. Which of the following is the BEST approach to mitigate data integrity issues during migration?

Question 2 (easy, multiple choice)

An organization is developing a new customer portal. The development team wants to use an agile methodology. Which of the following is a key benefit of using agile for this project?

Question 3 (hard, multiple choice)

During the user acceptance testing (UAT) phase of a new financial application, the business users report that the system calculates interest incorrectly for certain loan types. The project manager wants to fix this quickly. Which of the following is the BEST course of action?

Question 4 (medium, multiple choice)

An IT auditor is reviewing the system development life cycle (SDLC) process for a critical application. Which of the following findings would be of MOST concern?

Question 5 (easy, multiple choice)

When implementing a commercial off-the-shelf (COTS) software package, which of the following is the MOST important activity to ensure the software meets business requirements?

Question 6 (medium, multiple choice)

A company is implementing a new procurement system. The project team is considering using a rapid application development (RAD) methodology. Which of the following is a potential risk of using RAD?

Question 7 (hard, multiple choice)

An organization is developing a mobile app that will handle personal health information (PHI). The security team mandates that data must be encrypted both in transit and at rest. Which of the following implementation strategies BEST ensures compliance?

Question 8 (easy, multiple choice)

In a traditional waterfall SDLC, when should the test plan be developed?

Question 9 (medium, multiple choice)

An IT auditor is evaluating the change management process for a financial trading system. Which of the following is the BEST indicator of a mature change management process?

Question 10 (medium, multiple choice)

A company is integrating a third-party payment gateway into its e-commerce platform. Which of the following is the MOST important security control to implement?

Question 11 (hard, multiple choice)

During a post-implementation review of a new HR system, the auditor finds that the system's disaster recovery plan (DRP) was not tested before go-live. Which of the following is the BEST recommendation?

Question 12 (medium, multi select)

Which TWO of the following are key activities in the system design phase of the SDLC?

Question 13 (hard, multi select)

Which THREE of the following are common risks associated with outsourcing software development?

Question 14 (easy, multi select)

Which TWO of the following are benefits of using a version control system in software development?

Question 15 (hard, multi select)

Which THREE of the following are key considerations when selecting a software development methodology for a project?

Question 16 (hard, multiple choice)

Refer to the exhibit. An administrator applied this ACL to a VLAN interface. The server at 10.0.0.100 hosts a web application. What is the effect of this ACL?

Exhibit:

```
SW1(config)# access-list 101 permit tcp any host 10.0.0.100 eq 443
SW1(config)# access-list 101 deny tcp any host 10.0.0.100 eq 80
SW1(config)# access-list 101 permit ip any any
SW1(config)# interface vlan 10
SW1(config-if)# ip access-group 101 in
```
Question 17 (easy, multiple choice)

Refer to the exhibit. A developer is inserting a new employee record. What is the cause of this error?

Exhibit:

```
ERROR: ORA-00001: unique constraint (HR.EMP_EMAIL_UK) violated
INSERT INTO employees (employee_id, email) VALUES (101, 'john.doe@example.com');
```
Question 18 (medium, multiple choice)

Refer to the exhibit. A cloud load balancer uses this JSON configuration. A request arrives from source IP 10.0.1.100 to port 80. Which backend pool will receive the request?

Exhibit:

```
{
  "version": "2.0",
  "routeSelection": "lowest-cost",
  "rules": [
    {
      "action": "forward",
      "match": {
        "sourceIp": "10.0.1.0/24",
        "destinationPort": 8080
      },
      "target": "backend-pool-1"
    },
    {
      "action": "forward",
      "match": {
        "sourceIp": "10.0.2.0/24",
        "destinationPort": 80
      },
      "target": "backend-pool-2"
    }
  ]
}
```
Question 19 (hard, multiple choice)

A multinational corporation is replacing its legacy on-premises customer relationship management (CRM) system with a new cloud-based CRM solution. The project involves migrating data from the old system, customizing the new system to match business processes, and integrating with an existing enterprise resource planning (ERP) system. The project has a tight deadline of six months. During the planning phase, the project team decides to use a waterfall methodology because the requirements are well-defined. However, three months into the project, the business users request significant changes to the customer data fields, which were not originally specified. The project manager is concerned that accommodating these changes will delay the project. The integration with the ERP system is also proving more complex than anticipated, with data mapping errors causing delays. The go-live date is fixed due to the end-of-support for the legacy system. What is the BEST course of action for the project manager?

Question 20 (medium, multiple choice)

A hospital is implementing a new electronic health records (EHR) system. The system will be used by doctors, nurses, and administrative staff. During the user acceptance testing (UAT) phase, the nursing staff reports that the interface for entering patient vitals is too slow and requires many clicks, which slows down their workflow. The project team has already completed system testing and is preparing for go-live in two weeks. The development team can make a quick fix to streamline the vital signs entry by adding a shortcut, but this change has not been tested. The IT director is concerned about patient safety and wants to ensure the system is usable. What is the BEST course of action?

Question 21 (medium, multiple choice)

An organization is implementing a new financial system and has completed user acceptance testing (UAT). The project manager reports that all critical defects have been fixed and retested, but several low-severity issues remain unresolved. What is the BEST course of action?

Question 22 (hard, multiple choice)

During a nightly batch job, the above error appears in the application logs. The transaction table ACCT_TRANS has a unique constraint on the REF_NUM column. Which of the following is the MOST likely root cause?

Exhibit:

```
Error: ORA-00001: unique constraint (FIN.UK_ACCT_TRANS_REF) violated
INSERT INTO ACCT_TRANS (TRANS_ID, REF_NUM, AMOUNT, DATE) VALUES (?, ?, ?, ?)
Call stack:
  - com.finance.service.TransactionService.processPayment(TransactionService.java:145)
  - com.finance.batch.BatchJob.run(BatchJob.java:88)
```
Question 23 (easy, multiple choice)

A company is implementing a new customer relationship management (CRM) system. The project team is currently defining user roles and permissions. Which of the following is the PRIMARY reason to enforce segregation of duties (SoD) within the CRM?

Question 24 (medium, multiple choice)

An organization is developing a web application using an Agile methodology. The security team wants to integrate security testing early in the development lifecycle. Which of the following is the BEST approach to achieve this?

Question 25 (hard, multiple choice)

During a system development project, the project manager notices that the actual cost is significantly higher than the planned cost at the 50% completion point. The earned value (EV) is $500,000, the actual cost (AC) is $600,000, and the planned value (PV) is $550,000. Which of the following is the MOST appropriate action?

Question 26 (easy, multiple choice)

An organization is planning to replace its legacy accounting system with a commercial off-the-shelf (COTS) software package. Which of the following is the PRIMARY risk of using a COTS solution?

Question 27 (medium, multiple choice)

A company is migrating its on-premises data center to a public cloud provider. Which of the following is the MOST important control to implement before migration to ensure data security?

Question 28 (medium, multi select)

Which TWO of the following are key benefits of using a system development life cycle (SDLC) methodology? (Select exactly two.)

Question 29 (hard, multi select)

Which THREE of the following are common challenges when integrating a software package with existing legacy systems? (Select exactly three.)

Question 30 (medium, multiple choice)

Refer to the exhibit. An application log shows an error. What is the MOST likely cause of this error?

Exhibit:

```
ERROR 2019-11-15 14:23:45,123 [main] com.example.App - Error processing record ID 1045
java.sql.SQLIntegrityConstraintViolationException: ORA-00001: unique constraint (USERS.UK_USERNAME) violated
	at com.example.dao.UserDao.insert(UserDao.java:45)
	... 8 more
```
Question 31 (hard, multiple choice)

Refer to the exhibit. A security administrator is troubleshooting why external users cannot reach the web server at 203.0.113.10 from the internet. Based on the configuration, what is the MOST likely issue?

Exhibit:

```
! Cisco ASA configuration snippet
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq www
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq https
access-list OUTSIDE_IN extended deny ip any any log
!
object network WEB_SERVER
 host 203.0.113.10
nat (inside,outside) source static any any destination static WEB_SERVER WEB_SERVER no-proxy-arp route-lookup
!
```
Question 32 (hard, multiple choice)

You are the IT audit manager for a multinational corporation. The company recently implemented a new enterprise resource planning (ERP) system using a phased rollout approach. The first phase (finance module) was deployed to three regional offices six months ago. During a post-implementation review, you discovered that the user acceptance testing (UAT) for the finance module was completed in only two days instead of the planned two weeks. The UAT was performed by a small group of power users selected by the project manager, and they reported no critical issues. However, after go-live, several finance staff in one region found that the system does not support a statutory reporting requirement specific to that country, which was not tested. The project manager argues that the requirement was never documented in the business requirements specification. The system has been live for six months, and the missing functionality requires a significant customization that will take three months and cost $200,000. Management is reluctant to fund the customization because the budget is exhausted. As the IT auditor, what is the BEST course of action?

Question 33 (medium, multiple choice)

During user acceptance testing (UAT) of a new financial system, users report that the system fails to enforce a segregation of duties rule where the same user should not be able to create a purchase order and approve it. The requirement was documented in the functional specifications. Which of the following is the MOST likely cause of this issue?

Question 34 (hard, multi select)

An IS auditor is reviewing the system development life cycle (SDLC) for a custom application. The project manager has decided to skip the design phase and proceed directly from requirements to coding. Which of the following risks are MOST likely to increase as a result? (Choose two.)

Question 35 (medium, drag order)

Order the steps for conducting an audit engagement from start to finish.

Question 36 (medium, drag order)

Arrange the steps to implement a password policy in the correct order.

Question 37 (medium, matching)

Match each type of access control to its definition.

Definitions to match:

- Owner determines access permissions
- System-enforced based on labels
- Roles assigned to users
- Attributes used to grant access

Question 38 (medium, matching)

Match each encryption key type to its usage.

Usages to match:

- Same key for encrypt and decrypt
- Public/private key pair
- Temporary key for a session
- Kept secret by owner

Question 39 (easy, multiple choice)

During the feasibility study for a new inventory system, the project team identifies that the expected benefits are significantly lower than the initial estimates. What is the MOST appropriate action for the IS auditor to recommend?

Question 40 (medium, multiple choice)

A company is implementing a new ERP system. The project team plans to use a parallel conversion strategy. What is the PRIMARY advantage of this approach?

Question 41 (hard, multiple choice)

An organization is developing a custom application. The project manager reports that the development team has implemented 80% of the features but only 50% of the budget is used. What is the MOST significant risk from an IS audit perspective?

Question 42 (easy, multiple choice)

During a post-implementation review of a financial system, an IS auditor finds that several critical reports are not being generated correctly. Which of the following should the auditor recommend FIRST?

Question 43 (medium, multiple choice)

An organization is considering outsourcing its IT infrastructure management. Which of the following is the MOST important factor to include in the service level agreement (SLA)?

Question 44 (hard, multiple choice)

During data conversion from a legacy system to a new ERP, the project team decides to clean data during extraction but not during loading. What is the PRIMARY risk associated with this approach?

Question 45 (easy, multiple choice)

An IS auditor is reviewing the system development life cycle (SDLC) methodology. Which phase should include the development of detailed test plans?

Question 46 (medium, multiple choice)

A company is using an agile development methodology for a critical business application. The IS auditor is concerned about the lack of formal documentation. What is the BEST approach to mitigate this risk?

Question 47 (hard, multiple choice)

A multinational corporation is implementing a global HR system. The project team decides to use a pilot implementation in one region before rolling out to others. What is the PRIMARY risk if the pilot region is not representative of the entire organization?

Question 48 (easy, multiple choice)

Refer to the exhibit. The IS auditor reviews the router's version output during an audit. What is the MOST significant finding?

Exhibit:

```
[ROUTER1] show version
Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(4)M6, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Tue 27-Aug-13 23:32 by prod_rel_team
ROM: System Bootstrap, Version 15.0(1r)M14, RELEASE SOFTWARE (fc1)

Router uptime is 2 years, 3 months, 1 week, 4 days
System returned to ROM by power-on
System image file is "flash:c880data-universalk9-mz.151-4.M6.bin"
```
Question 49 (medium, multiple choice)

Refer to the exhibit. An IS auditor finds this bucket policy attached to an S3 bucket storing sensitive customer data. What should the auditor recommend?

Exhibit:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
```
Question 50 (hard, multiple choice)

Refer to the exhibit. An IS auditor is reviewing the architecture. Which of the following is the MOST critical security weakness?

Exhibit:

The following architecture description is for a financial transaction processing system:
- Web servers in DMZ handle user requests.
- Application servers process business logic.
- Database servers store transaction records.
- All traffic between tiers is encrypted using TLS.
- Logs are collected centrally in a SIEM.
- A firewall separates the DMZ from internal network.
- Application servers can initiate outbound connections to the internet for updates.
Question 51 (easy, multi select)

Which TWO of the following are essential components of a business case for a new system?

Question 52 (medium, multi select)

Which THREE of the following are best practices for managing system testing in an IS development project?

Question 53 (hard, multi select)

Which TWO of the following are indicators of poor project governance that an IS auditor should identify?

Question 54 (medium, multiple choice)

During the requirements gathering phase for a new financial system, stakeholders disagree on the priority of security controls versus user convenience. Which of the following is the BEST approach?

Question 55 (easy, multiple choice)

A company is migrating from a legacy system to a cloud-based ERP. Which of the following is the MOST important control to ensure data integrity during data conversion?

Question 56 (hard, multiple choice)

An organization is developing a critical application using an agile methodology. The project sponsor demands frequent deliveries but the development team is concerned about insufficient testing. Which of the following BEST mitigates this risk?

Question 57 (easy, multiple choice)

Which of the following is the PRIMARY benefit of using a prototype during system development?

Question 58 (medium, multiple choice)

A company decides to outsource the development of a customer portal. Which of the following is the MOST critical control to include in the contract?

Question 59 (hard, multiple choice)

During system implementation, a critical defect is found in the production environment. The project manager wants to apply an emergency patch without full testing. Which of the following is the BEST course of action?

Question 60 (easy, multiple choice)

What is the PRIMARY purpose of a post-implementation review?

Question 61 (medium, multiple choice)

An organization is implementing a new identity management system. Which testing approach is MOST effective for verifying access controls?

Question 62 (hard, multiple choice)

A project uses a waterfall model. After design, the team discovers that the requirements have changed significantly. What is the BEST action?

Question 63 (medium, multi select)

Which TWO of the following are key controls for ensuring data privacy during system development?

Question 64 (hard, multi select)

Which TWO of the following are BEST indicators that a system development project is at risk of failure?

Question 65 (easy, multi select)

Which THREE of the following are essential components of a change management process?

Question 66 (medium, multiple choice)

During a system deployment, the above error occurs. What is the MOST likely cause?

Exhibit:

```
[ERROR] Deployment failed at step 3 of 5: Unable to connect to database 'DB_PROD'. Connection string: 'Server=prod-db.finance.contoso.com;Database=Finance;User Id=app_user;Password=*****;'
[WARN] Retry attempt 1: same error.
```
Question 67 (easy, multiple choice)

During user acceptance testing, a user with the above permission set cannot execute a fund transfer. What is the MOST likely reason?

Exhibit:

```
{
  "UserName": "jdoe",
  "Role": "User",
  "Permissions": [
    {"Resource": "/finance/reports", "Access": "ReadOnly"},
    {"Resource": "/finance/transfers", "Access": "ReadOnly"}
  ]
}
```
Question 68 (hard, multiple choice)

A security review of the above Apache configuration identifies a critical vulnerability. Which of the following is the MOST significant issue?

Exhibit:

```
<VirtualHost *:80>
    DocumentRoot "/var/www/html"
    <Directory "/var/www/html">
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
```
Question 69 (easy, multiple choice)

A project manager is selecting a development methodology for a project with well-defined requirements and low uncertainty. Which methodology is most appropriate?

Question 70 (medium, multiple choice)

An IS auditor is reviewing a system development project and notices that user acceptance testing (UAT) is being conducted in the production environment due to lack of a separate test environment. What is the primary risk?

Question 71 (hard, multiple choice)

An organization is implementing a COTS application. The project team plans to heavily customize the application to meet unique business processes. Which of the following is the most significant risk?

Question 72 (easy, multiple choice)

Which of the following is the BEST control to ensure that system changes are authorized?

Question 73 (medium, multiple choice)

An IS auditor finds that a project failed to meet its objectives because key stakeholders were not involved in the requirements definition phase. Which phase of the SDLC was most neglected?

Question 74 (hard, multiple choice)

In an agile development environment, an IS auditor reviews the backlog and finds that security requirements are not explicitly included. What is the best recommendation?

Question 75 (easy, multiple choice)

Which of the following is the MOST important objective of system testing?

Question 76 (medium, multiple choice)

An organization is acquiring a third-party SaaS application. Which of the following should be included in the contract to ensure data protection?

Question 77 (hard, multiple choice)

During a post-implementation review, an IS auditor identifies that the system's actual transaction processing time is significantly higher than the benchmark specified in the service level agreement (SLA). The vendor claims it is due to inadequate network bandwidth provided by the client. What should the auditor do first?

Question 78 (medium, multi select)

An IS auditor is evaluating the controls over program changes. Which TWO of the following are essential controls?

Question 79 (hard, multi select)

A company is developing a new financial application. Which THREE of the following are valid reasons to involve internal audit during the development phase?

Question 80 (easy, multi select)

An IS auditor is reviewing a request for proposal (RFP) for a new system. Which TWO elements should be included in the RFP?

Question 81 (medium, multiple choice)

An IS auditor is reviewing the configuration for a web application. Which of the following is the MOST significant security weakness?

Exhibit

Refer to the exhibit.

[WebApp]
BaseURL = https://app.example.com
AuthMethod = Basic
SessionTimeout = 600
Encryption = SSL

Question 82 (hard, multiple choice)

An IS auditor reviews the change request. Which of the following is the most significant risk?

Exhibit

Refer to the exhibit.

Change Request #: 1234
Description: Update interest calculation module
Impact: Low (only affects reports)
Approval: Pending
Scheduled Date: 2025-03-20

Question 83 (medium, multiple choice)

An IS auditor is evaluating the security of the architecture. Which of the following is the MOST critical finding?

Exhibit

Refer to the exhibit.

The network architecture consists of:
- DMZ segment: web server (public IP), proxy server.
- Internal segment: application server, database server.
- Firewall rules: Allow HTTP/HTTPS from Internet to web server. Allow SQL traffic from web server to database server. Deny all else.

Question 84 (easy, multiple choice)

A company is developing a custom application. During the requirements phase, the project manager documents that the system must encrypt all sensitive data at rest. Which of the following is the BEST control to ensure this requirement is met throughout the development lifecycle?

Question 85 (medium, multiple choice)

An organization is transitioning from a waterfall to an agile development methodology. Which of the following is a key risk that the IS auditor should highlight?

Question 86 (hard, multiple choice)

During a third-party software vendor audit, the IS auditor discovers that the vendor uses a common shared database for multiple clients and relies on application-level access controls. Which of the following is the GREATEST concern?

Question 87 (easy, multiple choice)

An organization is replacing its legacy customer relationship management (CRM) system. Which of the following is the MOST important control to ensure data integrity during the data conversion process?

Question 88 (medium, multiple choice)

A project team is using a prototyping approach for a new system. Which of the following is the BEST control to ensure the prototype accurately reflects user needs?

Question 89 (hard, multiple choice)

An IS auditor is reviewing the change management process for a financial institution. The auditor finds that emergency changes bypass normal approval but are documented and reviewed within 48 hours. Which of the following is the BEST recommendation?

Question 90 (easy, multiple choice)

An organization is selecting a vendor for a new enterprise resource planning (ERP) system. Which of the following is the MOST critical factor in the vendor selection process?

Question 91 (medium, multiple choice)

A company is developing a mobile application that processes credit card payments. During the testing phase, which of the following types of testing is MOST critical to ensure security?

Question 92 (hard, multiple choice)

An IS auditor is evaluating a system development project that uses an outsourced team. The contract allows the vendor to reuse some of the developed code in other projects. What is the auditor's PRIMARY concern?

Question 93 (medium, multi select)

Which TWO of the following are key controls that an IS auditor should expect to find in a well-managed system development life cycle (SDLC)?

Question 94 (hard, multi select)

Which TWO of the following are indicators that a project is at risk of failure according to ISACA's project governance framework?

Question 95 (easy, multi select)

Which THREE of the following are typical phases in the system development life cycle (SDLC)?

Question 96 (easy, multiple choice)

An organization is implementing a new financial system. Which of the following is the MOST important control to ensure data integrity during the data migration phase?

Question 97 (medium, multiple choice)

During system development, the project team discovers that the original requirements are incomplete. What is the BEST course of action?

Question 98 (hard, multiple choice)

An organization is adopting agile development methodology. Which control is MOST critical to ensure security is integrated?

Question 99 (easy, multiple choice)

Which testing phase is MOST effective for validating that the system meets business needs?

Question 100 (medium, multiple choice)

A company is outsourcing software development. What is the IS auditor's PRIMARY concern?

Question 101 (hard, multiple choice)

In a DevOps environment, which practice BEST supports auditability?

Question 102 (easy, multiple choice)

When implementing a commercial off-the-shelf (COTS) system, what is the MOST important factor?

Question 103 (medium, multiple choice)

Which of the following is the BEST method to ensure that a system development project is completed on time?

Question 104 (hard, multiple choice)

During a systems audit, the auditor finds that the project did not follow the organization's systems development methodology. What should the auditor do FIRST?

Question 105 (medium, multi select)

Which TWO of the following are key controls in the system development life cycle?

Question 106 (medium, multi select)

Which TWO of the following are common risks in the procurement of custom-developed software?

Question 107 (hard, multi select)

Which THREE of the following are typical objectives of an IT governance framework for system acquisition?

Question 108 (easy, multiple choice)

During a security audit, which rule poses the greatest risk?

Exhibit

Refer to the exhibit.

[admin@fw1]# show rules
Rule 10: allow from 10.0.1.0/24 to 10.0.2.0/24 dst-port 3306
Rule 20: allow from 10.0.1.0/24 to any dst-port 443
Rule 30: allow from any to 10.0.2.0/24 dst-port 22

Question 109 (medium, multiple choice)

What is the primary control weakness in this IAM policy?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::confidential/*",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/developer"}
    }
  ]
}

Question 110 (hard, multiple choice)

What is the primary security concern in this architecture?

Exhibit

Refer to the exhibit.

Architecture description: The application is deployed across three tiers: web servers in DMZ, application servers in internal network, and database servers in a secured subnet. Traffic flows from web to app via HTTPS, and app to DB via port 3306.

Question 111 (easy, multiple choice)

A company is in the process of acquiring a new customer relationship management (CRM) system. During which phase of the systems development life cycle (SDLC) should the business requirements be formally documented?

Question 112 (medium, multiple choice)

An organization is implementing a custom ERP system. During user acceptance testing (UAT), critical bugs are found that affect core financial processing. The project sponsor suggests deploying the system on schedule and fixing bugs after go-live. What is the BEST course of action?

Question 113 (hard, multiple choice)

During the design phase of a waterfall project, the development team discovers that a key security requirement was omitted from the functional specification. The design has already been partially completed based on the flawed specification. What is the MOST appropriate action?

Question 114 (medium, multiple choice)

An IS auditor is reviewing a system development project to assess whether it is on schedule. Which of the following would provide the BEST evidence of project progress against the planned timeline?

Question 115 (easy, multiple choice)

In an Agile software development project, who is primarily responsible for prioritizing the product backlog?

Question 116 (medium, multiple choice)

A bank is converting data from its legacy core banking system to a new platform. Which control is MOST critical to ensure the completeness and accuracy of data conversion?

Question 117 (hard, multiple choice)

A company plans to implement a commercial off-the-shelf (COTS) application and requires significant customization to match its unique business processes. The vendor advises against extensive customization because it may complicate future upgrades. What is the BEST course of action?

Question 118 (medium, multiple choice)

During system development, which testing phase is performed by developers to verify that individual program units function correctly?

Question 119 (easy, multiple choice)

What is the PRIMARY purpose of conducting a feasibility study before acquiring a new information system?

Question 120 (medium, multi select)

Which TWO of the following are key objectives of a post-implementation review of a new system?

Question 121 (hard, multi select)

Which THREE of the following are common risks associated with the prototyping methodology?

Question 122 (easy, multi select)

Which TWO of the following are essential elements of a business continuity plan (BCP) for a newly developed system?

Question 123 (medium, multiple choice)

Refer to the exhibit. A tester executes test case TC-101 and records the result shown. What is the NEXT appropriate step in the testing process?

Exhibit

Test Case ID: TC-101
Test Name: User Login
Step 1: Enter valid credentials
Expected Result: Redirect to dashboard
Actual Result: Error 'Invalid credentials' displayed
Status: Failed

Question 124 (medium, multiple choice)

A large organization is implementing a new HR management system to handle payroll and employee data. The project is currently in the build phase with a planned go-live in three months. Recently, the vendor notified the project team that a critical security patch will be released in two months that addresses a data leakage vulnerability present in the current version. The patch includes new features that are not in the contract. The project manager estimates that integrating the patch and re-testing will delay the project by at least four months. Business stakeholders insist on meeting the original go-live date because the legacy system is being decommissioned. The organization has a strict policy that all systems processing sensitive data must have the latest security patches within 30 days of release. What should the project team do?

Question 125 (hard, multiple choice)

A company has been developing a custom inventory management system using Scrum. In the current sprint, the team discovered that the integration module with the legacy ERP system has severe performance issues: under peak load, transactions time out and fail. The product owner is concerned because the release is scheduled in two weeks. The development team estimates that a proper fix will take three weeks. A similar issue occurred in a previous sprint and was temporarily resolved by reducing the number of concurrent transactions, which lowered performance but kept the system operational. The stakeholders are anxious about the deadline because the legacy ERP will be retired shortly after the planned go-live. What is the BEST action for the team to take?

Question 126 (medium, multiple choice)

During the implementation of a new ERP system, the project team discovers that the legacy system data cannot be directly migrated due to incompatible data formats. The project manager proposes building a custom script to extract, transform, and load (ETL) data. Which of the following is the BEST course of action?

Question 127 (easy, multiple choice)

A systems analyst is gathering requirements for a new customer relationship management (CRM) system. Which of the following is the MOST important activity to ensure that the final system meets user needs?

Question 128 (hard, multiple choice)

An organization is adopting an agile development methodology for a new financial application. During a sprint review, the product owner expresses concern that the system does not enforce segregation of duties (SoD). The development team argues that SoD will be addressed in a future sprint. As the IS auditor, what is the BEST recommendation?

Question 129 (medium, multiple choice)

During the acquisition of a new software package, the procurement team evaluates two vendors. Vendor A offers a lower upfront cost but higher annual maintenance fees. Vendor B has a higher upfront cost but includes three years of maintenance. What is the MOST important factor for the IS auditor to consider?

Question 130 (easy, multiple choice)

A company is developing a mobile banking application. Which test phase is MOST critical to ensure that the application functions correctly from the end user's perspective?

Question 131 (medium, multi select)

An IS auditor is reviewing the design phase of a new procurement system. Which TWO of the following controls are MOST critical to include in the system design to prevent unauthorized purchases?

Question 132 (hard, multi select)

An organization is implementing a new cloud-based HR system. The project sponsor wants to skip regular project status meetings to speed up delivery. Which THREE of the following are the MOST significant risks of eliminating these meetings?

Question 133 (easy, multi select)

During the system development life cycle (SDLC), which THREE of the following are recognized benefits of involving internal audit early in the process?

Question 134 (hard, multiple choice)

A financial services company is developing a new customer-facing web application for account management. The project is using a waterfall methodology. The initial requirements were gathered six months ago, and the coding phase is nearly complete. The business sponsor now requests a new feature that allows customers to view transaction receipts online. The project manager is concerned that this change will delay the project by two months and exceed the budget. The sponsor insists that the feature is critical for customer satisfaction and that the project must adapt. The development team estimates it will take 200 hours to implement. The steering committee is divided. As an IS auditor, what would be the BEST recommendation to resolve this?

Question 135 (medium, multiple choice)

A hospital is implementing a new electronic health record (EHR) system. The project team includes clinicians and IT staff. During integration testing, the system fails to exchange lab results with the existing legacy system due to format mismatches. The IT team suggests developing a custom interface. The clinical team is concerned that any custom solution may not comply with health data privacy regulations. The project sponsor pressures the team to quickly fix the issue to avoid delays. The IS auditor is reviewing this situation. What is the MOST appropriate action for the auditor to recommend?

Question 136 (easy, multiple choice)

A small manufacturing company decides to acquire an off-the-shelf inventory management system. The purchasing manager selects a vendor based solely on the lowest price, ignoring the vendor's financial stability and support history. After purchase, the vendor declares bankruptcy, leaving the company without support. The system has a critical bug that halts inventory tracking. The IT manager considers hiring a consultant to fix the bug. As an IS auditor, what should the auditor's PRIMARY concern be?

Question 137 (hard, multiple choice)

A government agency is developing a case management system for law enforcement. The project follows an agile approach, releasing iterations every two weeks. During a sprint demo, users discover that the system does not redact personally identifiable information (PII) in documents shared with external parties, violating privacy laws. The development team says they planned to add redaction in a future sprint. The product owner wants to prioritize PII redaction immediately. The project manager is concerned that this will disrupt the release schedule. The IS auditor is assessing the project's risk management. Which of the following is the BEST recommendation?

Question 138 (medium, multiple choice)

A university is implementing a new student information system. The project team uses an iterative development approach. During user acceptance testing, students report that the online course registration portal crashes when more than 100 users register simultaneously. The development team identifies a database connection pooling issue and estimates a fix will take three weeks. The project deadline is in two weeks. The project manager suggests deploying the system as is and fixing the issue after go-live, as the crash is rare. The IS auditor is consulted. What should the auditor recommend?

Question 139 (hard, multiple choice)

A multinational corporation is implementing a new enterprise resource planning (ERP) system across multiple regions. The project uses a phased roll-out. After the first phase in Asia, the system experiences intermittent synchronization errors between the central database and regional servers. The IT team suspects network latency but cannot reproduce the issue consistently. The project sponsor wants to proceed with the next phase in Europe to avoid further delays. The IS auditor is performing a post-implementation review. What is the MOST appropriate recommendation?

Question 140 (easy, multiple choice)

A nonprofit organization develops a small online donation platform using a third-party payment gateway. The project team skips formal security testing because of budget constraints. After launch, a security researcher discovers that the application fails to validate input on the donation amount field, allowing manipulation. The nonprofit loses several thousand dollars before the issue is patched. The IS auditor is asked to review the system development process. Which of the following is the PRIMARY finding?

Question 141 (medium, multi select)

Which TWO of the following are essential controls to ensure data integrity during a cloud migration project?

Question 142 (easy, multiple choice)

A mid-sized company is upgrading its legacy financial system to a new cloud-based ERP. The project manager has decided to use a big-bang cutover approach to minimize costs and time. During the first week post-go-live, users report that several critical reports are generating incorrect totals. An initial investigation reveals that the data mapping from the old system to the new system was not fully validated. Which of the following should the IS auditor recommend as the most appropriate corrective action?

Question 143 (hard, multiple choice)

A large financial institution is developing a new online banking platform using an Agile methodology. The development team has implemented a continuous integration and continuous deployment (CI/CD) pipeline. During a routine security scan, the IS auditor discovers that a developer accidentally committed a configuration file containing database credentials into the public-facing code repository. The credentials were exposed for 48 hours before being detected. Which of the following is the most critical control failure that allowed this incident to occur?

Question 144 (medium, multiple choice)

An organization is evaluating a vendor for a custom application development. The vendor states they are assessed at CMMI Level 2 (Managed). Which of the following best describes the implication of this rating?

Question 145 (easy, multi select)

During a data migration from a legacy system to a new ERP, the following log entries were generated. Which TWO issues should the IS auditor flag as high risk?

Exhibit

Refer to the exhibit.

[2024-06-15 14:23:45] ERROR: Constraint violation on table 'ORDERS' - foreign key 'CUST_ID' referencing 'CUSTOMERS.CUST_ID' - record with CUST_ID = 9999 not found in target.
[2024-06-15 14:24:10] WARNING: Data type mismatch for column 'AMOUNT' in table 'ORDERS' - source decimal(10,2), target integer - truncation may occur.
[2024-06-15 14:25:30] ERROR: Duplicate key value 'INV-1001' on table 'INVOICES' violates unique constraint.
[2024-06-15 14:26:00] INFO: Rollback segment 'RBS1' is growing rapidly - check for long-running transactions.

Question 146 (hard, multiple choice)

A large financial institution is implementing a new core banking system to replace a legacy system. The project has been underway for 18 months and is behind schedule. User acceptance testing (UAT) has revealed significant data integrity issues, including missing customer records and incorrect interest calculations. The project manager, under pressure from senior management to meet a regulatory deadline, proposes going live with a promise to fix the issues in a post-implementation phase. The development team has been making ad hoc code changes directly in the test environment without version control or proper testing. Additionally, the IS auditor discovers that the business requirements were never formally signed off by the user community; only verbal approvals were obtained. The project has consumed 90% of the budget but only 60% of the functionality is tested. Which of the following is the BEST course of action for the IS auditor to recommend?
