CCNA CISA Systems Development Questions

75 of 108 questions · Page 1/2 · CISA Systems Development topic

1
MCQ · medium

During a build vs. buy analysis, the IS auditor observes that the organization decided to build a custom application because no vendor solution met all requirements. Which of the following risks should the auditor emphasize?

A. Lack of customization
B. Dependence on external support
C. Vendor lock-in
D. Increased time-to-market and development costs
Answer: D

Custom development often takes longer and costs more than buying.

Why this answer

Custom development carries risk of longer time-to-market and higher cost due to unforeseen complexities.

2
MCQ · medium

An IS auditor is reviewing a post-implementation review report for a new financial system. Which finding would most indicate that the project did not meet its objectives?

A. Three minor change requests were submitted in the first month
B. Users required additional training after go-live
C. The project budget was exceeded by 5%
D. The system processed transactions 20% slower than projected
Answer: D

Performance against projections is a key metric; significant shortfall indicates objectives were not met.

Why this answer

The post-implementation review should compare actual performance against projections. Significant performance degradation indicates the system is not meeting its intended performance objectives, which is a key project goal.

3
MCQ · easy

Which type of change in ITIL requires approval from the Change Advisory Board (CAB) before implementation?

A. Emergency change
B. Normal change
C. Standard change
D. All changes
Answer: B

Normal changes require CAB approval as they are not pre-authorized.

Why this answer

Normal changes are those that are not pre-approved or emergency. They require assessment and approval by the CAB to evaluate risks and impacts.

4
Multi-Select · medium

An organization is implementing a new customer relationship management (CRM) system using an agile methodology. Which THREE areas should the IS auditor focus on to assess the effectiveness of controls during the development process?

Select 3 answers
A. Use of formal change request documentation for each change
B. Inclusion of security requirements in user stories
C. Conduct of sprint retrospectives to identify improvements
D. Performance of code reviews and static analysis
E. Adherence to the original detailed project plan
Answers: B, C, D

Security requirements should be part of each sprint's backlog to ensure security is built in.

Why this answer

In agile, security requirements must be integrated into user stories, code reviews and static analysis are key for code quality, and sprint retrospectives help identify process improvements. Maintaining a detailed project plan is less relevant in agile, and formal change requests are not typical.

5
MCQ · easy

Which of the following is a key control in the deployment phase of the SDLC?

A. Rollback plan
B. Threat modeling
C. User acceptance testing
D. Code review
Answer: A

Essential for deployment phase to mitigate failure risks.

Why this answer

A rollback plan ensures that if deployment fails, the system can be restored to a known good state.

6
MCQ · hard

During an ERP implementation, the project team decides to disable segregation of duties (SoD) controls in the system to accelerate go-live. After go-live, the IS auditor identifies that a single user can perform incompatible functions. What is the BEST course of action?

A. Require reconfiguration of SoD controls before the next audit
B. Document the issue and accept the risk
C. Implement compensating controls such as enhanced monitoring and audit logs
D. Advise management to terminate the project manager
Answer: C

Compensating controls provide a temporary but effective mitigation until the system can be properly configured.

Why this answer

SoD conflicts are a high-risk issue. The auditor should recommend immediate implementation of compensating controls (e.g., enhanced monitoring, dual approval) to mitigate risk until the system is reconfigured.

7
MCQ · easy

In a spiral SDLC model, what is the primary purpose of risk analysis in each iteration?

A. To identify and resolve potential project risks early
B. To assess user satisfaction with the prototype
C. To plan the next iteration's tasks
D. To define detailed functional requirements
Answer: A

Risk analysis is a distinguishing feature of the spiral model, allowing iterative risk mitigation.

Why this answer

The spiral model is risk-driven; each iteration includes a risk analysis to identify and mitigate project risks before proceeding to the next phase.

8
Multi-Select · medium

An organization is migrating from a legacy system to a new ERP. Which TWO of the following are the HIGHEST risks during data migration?

Select 2 answers
A. Incorrect data mapping between old and new systems
B. Insufficient network bandwidth during cutover
C. Lack of user training on the new system
D. Lack of segregation of duties in the new system
E. Incomplete or inaccurate source data
Answers: A, E

Mapping errors can cause data loss or corruption.

Why this answer

Data quality issues (incomplete/inaccurate data) and mapping errors are common risks that can lead to system failures.

9
MCQ · medium

Which of the following is an example of a detective control in the SDLC testing phase?

A. Security awareness training
B. Threat modeling
C. Penetration testing
D. Code review
Answer: C

Penetration testing finds security weaknesses that already exist in the built system.

Why this answer

Like dynamic application security testing (DAST), penetration testing exercises the running application to find vulnerabilities that are already present, which makes it a detective control in the testing phase. Security awareness training and threat modeling aim to prevent weaknesses from being introduced in the first place, and code review, although also detective in nature, belongs to the development phase rather than the testing phase.

10
Multi-Select · medium

An IS auditor is reviewing a vendor's SOC 2 report as part of a systems acquisition. Which TWO aspects should the auditor verify to ensure the report is reliable?

Select 2 answers
A. The report was issued within the last 12 months
B. The report includes a description of the vendor's business continuity plan
C. The report was prepared by an independent CPA firm
D. The report includes a list of the vendor's customers
E. The report contains the vendor's internal control objectives
Answers: A, C

Recency ensures relevance.

Why this answer

The auditor must ensure the SOC 2 report is from a qualified auditor and covers the relevant period for the current evaluation.

11
MCQ · medium

An IS auditor is reviewing change management procedures. Which of the following situations would be of GREATEST concern?

A. A standard change was implemented without CAB approval
B. An emergency change was implemented and not reviewed after resolution
C. The change request did not include an impact analysis
D. A normal change had a rollback plan that was not tested
Answer: B

Post-review ensures emergency changes are documented and validated.

Why this answer

Emergency changes bypass normal controls; without post-change review, unauthorized or flawed changes may persist unnoticed.

12
MCQ · medium

An IS auditor is assessing the controls in an agile development environment. What is the MOST effective way to verify that security testing is performed iteratively?

A. Observing a daily standup meeting
B. Interviewing the product owner about security priorities
C. Examining the final security test report after release
D. Reviewing the project's definition of done for each sprint
Answer: D

The Definition of Done should include security testing criteria.

Why this answer

In agile development, security testing must be integrated into each sprint to ensure continuous validation. The 'definition of done' (DoD) is the team's checklist for completing a user story; if it explicitly includes security testing tasks (e.g., static analysis, dynamic scans, or penetration tests), then stories closed against that DoD provide direct evidence that security testing was performed iteratively. Option D examines this artifact, giving the auditor objective evidence rather than statements of intent.

Exam trap

The trap here is that candidates confuse 'planning for security' (e.g., standups or product owner interviews) with 'evidence of security execution' (the DoD), or they mistakenly think a final report proves iterative testing when it only shows a single snapshot.

How to eliminate wrong answers

Option A is wrong because observing a daily standup meeting only reveals what the team plans to discuss, not whether security testing was actually completed; standups are status updates, not evidence of testing execution. Option B is wrong because interviewing the product owner about security priorities captures intent and backlog ordering, but does not confirm that security testing was performed in each iteration. Option C is wrong because examining the final security test report after release shows only a single point-in-time assessment, not iterative testing across sprints; it misses the continuous integration of security checks throughout development.

13
MCQ · hard

An organization is deciding between building a custom application and purchasing a commercial off-the-shelf (COTS) product. The primary factor favoring the build option is:

A. Greater control over features
B. Faster time to market
C. Lower initial cost
D. Reduced vendor dependency
Answer: A

Building provides full control over customization and features.

Why this answer

Building a custom application allows for tailored functionality that meets unique business requirements, which is a key advantage over COTS.

14
MCQ · hard

An organization is deciding between developing a custom application and purchasing a commercial off-the-shelf (COTS) product. The project manager favors a COTS solution because it offers faster deployment. Which of the following is the MOST important consideration for the IS auditor to evaluate in this build vs. buy decision?

A. Availability of skilled developers to maintain the custom solution
B. User training requirements for the new system
C. Total cost of ownership including maintenance and licensing
D. The degree of vendor dependency and ability to customize
Answer: D

Vendor lock-in can limit future options and increase costs if the vendor changes terms or goes out of business.

Why this answer

Vendor dependency is a critical risk in COTS acquisitions. The organization may become reliant on the vendor for updates, support, and customizations, which can affect long-term flexibility and costs.

15
MCQ · easy

Which of the following is a key control during the deployment phase of a system development life cycle?

A. Rollback plan
B. Code review
C. Threat modeling
D. User acceptance testing (UAT)
Answer: A

A rollback plan is essential during deployment to ensure the ability to revert if issues arise.

Why this answer

The deployment phase should include a rollback plan to revert to the previous state if the new system fails. This is a critical control to minimize downtime and data loss.

16
MCQ · medium

An organization is migrating data from a legacy system to a new ERP. What is the most critical data migration risk?

A. Data loss or corruption
B. Increased storage costs
C. Longer migration time
D. Incompatible hardware
Answer: A

Data integrity risk is paramount.

Why this answer

Data integrity is the top risk during migration, as errors can lead to incorrect business operations and decisions.

17
Multi-Select · hard

During a post-implementation review of a new accounting system, the IS auditor notes the following: the project was completed on time and within budget, but user satisfaction is low and there are several outstanding defect reports. Which THREE of the following are the MOST appropriate recommendations?

Select 3 answers
A. Compare actual benefits achieved against the business case
B. Establish a formal plan to resolve outstanding defects
C. Request additional budget to fix the defects
D. Immediately escalate the defect reports to the project sponsor
E. Conduct a lessons learned session to identify process improvements
Answers: A, B, E

This is a key part of post-implementation review.

Why this answer

The review should identify lessons learned, address outstanding defects, and assess whether objectives were met beyond budget/schedule.

18
MCQ · hard

An IS auditor is reviewing an emergency change that was implemented to fix a critical security vulnerability. What is the most important post-implementation step?

A. Document the change and obtain retrospective approval
B. Update the configuration management database
C. Notify all users
D. Conduct a risk assessment
Answer: A

Retrospective approval ensures accountability and control.

Why this answer

After an emergency change, it is essential to document the change and obtain retrospective approval to maintain change management integrity.

19
MCQ · medium

An organization is considering whether to build a custom application or purchase a commercial off-the-shelf (COTS) product. Which of the following factors would most strongly support a build decision?

A. Short time to market is critical.
B. The vendor offers a robust service-level agreement (SLA).
C. The required functionality is unique to the organization's competitive advantage.
D. The organization has limited in-house development resources.
Answer: C

Unique needs often cannot be met by COTS without extensive customization.

Why this answer

When the organization's processes are unique and provide a competitive advantage, custom development allows for exact fit and control.

20
Multi-Select · medium

Which TWO of the following are benefits of an iterative SDLC approach compared to waterfall? (Select two.)

Select 2 answers
A. Early and frequent feedback from stakeholders
B. Simpler documentation requirements
C. Predictable project timeline
D. Ability to incorporate changing requirements
E. Reduced need for user involvement
Answers: A, D

Iterative cycles provide regular feedback.

Why this answer

Iterative approaches allow early feedback and adaptability to changing requirements, unlike waterfall's rigid sequential phases.

21
MCQ · easy

Which of the following is the PRIMARY objective of a post-implementation review of an information system?

A. To assess the performance of the project team
B. To evaluate whether the system achieved its planned objectives and benefits
C. To document the technical architecture for future reference
D. To identify new requirements for future enhancements
Answer: B

This is the core purpose of a post-implementation review.

Why this answer

The post-implementation review aims to assess whether the system meets its intended objectives, including performance, user satisfaction, and business goals. Lessons learned are a secondary outcome.

22
MCQ · medium

An IS auditor is evaluating the vendor selection process for a new system. Which of the following is the most important factor to include in the contract?

A. Timeframe for delivery
B. Fixed price
C. Audit rights
D. Warranty period
Answer: C

Audit rights allow the organization to assess vendor controls.

Why this answer

Audit rights are critical for the organization to verify the vendor's controls and compliance, especially for outsourced systems.

23
Multi-Select · medium

During a post-implementation review of a new payroll system, the IS auditor identifies several outstanding issues. Which TWO issues should be considered most critical to address immediately? (Select TWO)

Select 2 answers
A. The system is running 5% slower than expected
B. The system's tax calculation module produced incorrect results for a subset of employees
C. Some employees have not completed training
D. Unauthorized overtime payments were processed due to a configuration error
E. The user manual is not yet finalized
Answers: B, D

Incorrect tax calculations can lead to regulatory non-compliance and penalties; must be fixed urgently.

Why this answer

Unauthorized overtime payments caused by a configuration error indicate a control weakness that has already produced incorrect disbursements and could enable fraud. Inaccurate tax calculations could result in regulatory penalties and employee dissatisfaction. Both have significant financial and compliance impacts; the remaining items are performance, training and documentation gaps that can be scheduled rather than fixed immediately.

24
MCQ · hard

An IS auditor is reviewing a post-implementation review report for a new ERP system. Which of the following findings would be of greatest concern to the auditor?

A. Several segregation of duties conflicts were identified and not resolved.
B. The implementation took three months longer than planned.
C. The project exceeded the budget by 15%.
D. User acceptance testing (UAT) was completed with only 80% test coverage.
Answer: A

Unresolved conflicts pose a direct risk to internal controls.

Why this answer

Segregation of duties conflicts in an ERP can lead to fraud or errors. The other findings are important but not as critical from a control perspective.

25
MCQ · medium

An IS auditor is reviewing an agile software development project. Which of the following is the most important control to assess?

A. Sprint review
B. Daily standup meetings
C. Retrospective
D. Product backlog
Answer: A

The sprint review is a control point where stakeholders validate delivered functionality.

Why this answer

In agile, the sprint review provides an opportunity to demonstrate completed work and obtain stakeholder feedback, acting as a key control for quality and acceptance.

26
MCQ · hard

An organization is implementing a large ERP system. The project team plans to migrate legacy data to the new system. Which of the following is the MOST significant risk associated with data migration?

A. Insufficient training of end users
B. Lack of executive sponsorship
C. Inadequate segregation of duties in the new system
D. Inaccurate data mapping between legacy and new systems
Answer: D

This can cause data integrity issues and system failures.

Why this answer

Data migration often involves mapping old data to new structures. Inaccurate mapping can lead to data corruption or loss, which is a critical risk.
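Questions 8, 16 and this one all turn on the same two migration risks: mapping errors and incomplete or inaccurate source data. The following Python is an added example, not part of the question bank, showing the reconciliation an auditor would expect the project team to run before and after cutover: a source data-quality check, record counts and control totals, and a per-record comparison across the two schemas. The legacy and target schemas, the field mapping and every row are constructed for illustration.

```python
"""Post-migration reconciliation of legacy records against ERP records.

Added example, not from the question bank. The legacy and target
schemas, the field mapping and every row below are constructed.
"""
import hashlib
from decimal import Decimal

# Constructed legacy extract (source system).
LEGACY = [
    {"CUST_NO": "C001", "CUST_NAME": "Acme Ltd", "BAL": "1250.00", "CCY": "EUR"},
    {"CUST_NO": "C002", "CUST_NAME": "Globex", "BAL": "-80.50", "CCY": "USD"},
    {"CUST_NO": "C003", "CUST_NAME": "Initech", "BAL": "0.00", "CCY": "USD"},
    {"CUST_NO": "C004", "CUST_NAME": "", "BAL": "310.25", "CCY": "GBP"},  # incomplete source data
]

# Constructed target rows, seeded with the two defects the question warns about:
# a mapping error (sign dropped on C002) and a record lost during load (C003).
TARGET = [
    {"customer_id": "C001", "name": "Acme Ltd", "balance": "1250.00", "currency": "EUR"},
    {"customer_id": "C002", "name": "Globex", "balance": "80.50", "currency": "USD"},
    {"customer_id": "C004", "name": "", "balance": "310.25", "currency": "GBP"},
]

# Constructed source-field -> target-field mapping.
FIELD_MAP = {"CUST_NO": "customer_id", "CUST_NAME": "name", "BAL": "balance", "CCY": "currency"}
KEY_FIELD = "CUST_NO"
AMOUNT_FIELD = "BAL"
REQUIRED_FIELDS = ("CUST_NAME",)   # source fields that must be populated before migration


def source_quality_issues(legacy=LEGACY, required=REQUIRED_FIELDS, key=KEY_FIELD):
    """Pre-migration check: rows whose required source fields are empty."""
    return [(row[key], f) for row in legacy for f in required if not row.get(f)]


def control_totals(rows, amount_field):
    """Record count and summed amount; Decimal avoids float rounding noise."""
    return len(rows), sum(Decimal(r[amount_field]) for r in rows)


def fingerprint(row, fields):
    """SHA-256 over the mapped fields in a fixed order, so records from the
    two schemas can be compared without field-by-field code on the fast path."""
    canonical = "|".join(str(row[f]) for f in fields)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def reconcile(legacy=LEGACY, target=TARGET, field_map=FIELD_MAP,
              key=KEY_FIELD, amount=AMOUNT_FIELD):
    """Post-migration check: counts, control totals, missing/extra keys and
    field-level differences for keys present on both sides."""
    src_fields = list(field_map)
    tgt_fields = [field_map[f] for f in src_fields]
    src = {r[key]: r for r in legacy}
    tgt = {r[field_map[key]]: r for r in target}

    src_count, src_total = control_totals(legacy, amount)
    tgt_count, tgt_total = control_totals(target, field_map[amount])

    findings = {
        "count_match": src_count == tgt_count,
        "total_match": src_total == tgt_total,
        "missing_in_target": sorted(set(src) - set(tgt)),
        "unexpected_in_target": sorted(set(tgt) - set(src)),
        "field_mismatches": [],
    }
    for k in sorted(set(src) & set(tgt)):
        if fingerprint(src[k], src_fields) == fingerprint(tgt[k], tgt_fields):
            continue  # record migrated intact
        for sf, tf in field_map.items():
            if str(src[k][sf]) != str(tgt[k][tf]):
                findings["field_mismatches"].append((k, sf, src[k][sf], tgt[k][tf]))
    return findings


if __name__ == "__main__":
    print("source quality:", source_quality_issues())
    for name, value in reconcile().items():
        print(f"{name}: {value}")
```

Counts alone would not have caught the dropped sign on C002; the control total does, and the per-field comparison then says which field and which mapping rule to look at. The source-quality check belongs before the load, because a target that faithfully copies an empty customer name will pass every reconciliation test.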

27
MCQ · medium

An IS auditor is reviewing the change management process for a critical financial application. Which of the following is the most important element to verify in an emergency change request?

A. Approval from the Change Advisory Board (CAB)
B. Extensive user acceptance testing (UAT) results
C. A completed impact analysis
D. A documented rollback plan
Answer: D

A rollback plan is crucial for emergency changes to quickly restore service if the change fails.

Why this answer

For emergency changes, speed is critical, but a rollback plan is essential to ensure the change can be reversed if it causes issues. This minimizes the impact on operations.

28
MCQ · medium

An IS auditor is assessing an ERP implementation. Which of the following control concerns is MOST likely to arise from segregation of duties conflicts?

A. Data migration errors
B. Inadequate system performance
C. Integration complexity
D. Unauthorized transactions or fraud
Answer: D

Conflicting roles can allow a user to initiate and approve transactions.

Why this answer

ERP systems often combine roles that were separate in legacy systems, increasing risk of fraud.

29
MCQ · medium

Which of the following is the PRIMARY purpose of a change advisory board (CAB) in the change management process?

A. To approve all standard changes without review
B. To assess, prioritize, and authorize changes
C. To authorize emergency changes immediately
D. To develop technical solutions for change requests
Answer: B

This is the core function of the CAB.

Why this answer

The CAB is responsible for reviewing and approving changes, assessing risks, and ensuring proper planning and testing.

30
MCQ · easy

During which phase of the SDLC should security requirements be formally documented and approved?

A. Design phase
B. Requirements phase
C. Development phase
D. Testing phase
Answer: B

Security requirements are defined and approved by the business owner during this phase.

Why this answer

Security requirements must be formally documented and approved during the Requirements phase of the SDLC because this is when functional and non-functional needs, including security controls, are defined before any design or coding begins. Integrating security at this stage ensures that confidentiality, integrity, and availability requirements are captured in the system specification, preventing costly rework later. The Requirements phase is the earliest point where stakeholders can review and approve security constraints, such as encryption standards or access control policies, aligning them with business objectives.

Exam trap

The trap here is that candidates often confuse the Requirements phase with the Design phase, mistakenly thinking security requirements are documented during design because that is when security controls are technically specified, but formal approval must occur earlier in the requirements stage to drive the entire development lifecycle.

How to eliminate wrong answers

Option A is wrong because the Design phase translates approved requirements into technical architecture and detailed specifications, but security requirements must already be documented and approved before design begins to guide secure design decisions. Option C is wrong because the Development phase focuses on coding and unit testing based on the design, and introducing security requirements at this stage would lead to retrofitting controls, increasing risk and cost. Option D is wrong because the Testing phase validates that the system meets documented requirements, including security ones, but it is too late to formally document and approve security requirements; they must be established earlier to define test cases.

31
Multi-Select · medium

Which THREE of the following are typical controls in the design phase of the SDLC?

Select 3 answers
A. Designing security controls
B. Architecture review
C. Code review
D. Threat modeling
E. User acceptance testing
Answers: A, B, D

Security controls should be designed in, not bolted on.

Why this answer

Architecture review, threat modeling, and designing security controls are key design-phase controls to ensure security is built in.

32
MCQ · medium

An organization is implementing a new ERP system and is concerned about segregation of duties (SoD) conflicts. What is the BEST approach to address this during the implementation?

A. Assign all administrative rights to a single user for efficiency
B. Configure role-based access controls with SoD rules in the system
C. Rely on manual compensating controls after go-live
D. Document SoD conflicts for future resolution
Answer: B

Proactive configuration prevents conflicts.

Why this answer

Configuring SoD rules within the ERP system helps enforce segregation and prevent conflicts during operations.
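The following Python is an added example, not part of the question bank, showing what "SoD rules configured in the system" (this question) and "a single user can perform incompatible functions" (questions 6 and 28) reduce to once roles and permissions are treated as data. It includes both the preventive check (which role combinations must never be granted) and the detective check (which existing users already breach a rule), the latter being what the monitoring in question 6's compensating control would run. The role names, permissions, conflict rules and user assignments are constructed for illustration; a real ERP exposes them through its own authorization tables.

```python
"""Segregation-of-duties (SoD) checks over an ERP-style role model.

Added example, not from the question bank. Role names, permission
names, conflict rules and user assignments are all constructed.
"""
from itertools import combinations

# Constructed role -> permissions mapping (hypothetical ERP roles).
ROLE_PERMISSIONS = {
    "AP_CLERK": {"vendor.create", "invoice.enter"},
    "AP_SUPERVISOR": {"invoice.approve", "payment.release"},
    "PURCHASER": {"po.create"},
    "GOODS_RECEIPT": {"po.receive"},
    "SYSADMIN": {"user.manage", "role.assign"},
}

# Constructed SoD rules: permission pairs one person must never hold together.
SOD_RULES = [
    ("vendor.create", "payment.release"),  # set up a vendor and pay it
    ("invoice.enter", "invoice.approve"),  # enter and approve the same invoice
    ("po.create", "po.receive"),           # order goods and confirm receipt
    ("role.assign", "payment.release"),    # grant oneself payment rights
]

# Constructed user -> roles assignments.
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_SUPERVISOR"},
    "carol": {"AP_CLERK", "AP_SUPERVISOR"},  # conflicting combination
    "dave": {"PURCHASER", "GOODS_RECEIPT"},   # conflicting combination
    "erin": {"SYSADMIN"},
}


def effective_permissions(roles, role_perms=ROLE_PERMISSIONS):
    """Union of the permissions granted by a set of roles."""
    perms = set()
    for role in roles:
        perms |= role_perms.get(role, set())
    return perms


def violated_rules(perms, rules=SOD_RULES):
    """SoD rules whose two permissions are both present, sorted for stable output."""
    return sorted((a, b) for a, b in rules if a in perms and b in perms)


def conflicting_role_sets(role_perms=ROLE_PERMISSIONS, rules=SOD_RULES):
    """Preventive check: single roles, and role pairs, that cannot be held
    together without breaching a rule. Run before any role is granted."""
    candidates = [(r,) for r in sorted(role_perms)]
    candidates += list(combinations(sorted(role_perms), 2))
    return [c for c in candidates
            if violated_rules(effective_permissions(c, role_perms), rules)]


def sod_report(user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS, rules=SOD_RULES):
    """Detective check: users whose combined roles breach a rule, and which rules.
    This is the monitoring a compensating control depends on when the system's
    own SoD enforcement has been switched off."""
    report = {}
    for user, roles in sorted(user_roles.items()):
        hits = violated_rules(effective_permissions(roles, role_perms), rules)
        if hits:
            report[user] = hits
    return report


if __name__ == "__main__":
    for user, hits in sod_report().items():
        for a, b in hits:
            print(f"{user}: holds both {a} and {b}")
    print("role combinations to block:", conflicting_role_sets())
```

The preventive list is the one to load into the ERP's provisioning rules (option B); the detective report is what an auditor would request as evidence that the compensating monitoring in question 6 actually finds the conflicts it claims to cover. Note that AP_SUPERVISOR paired with SYSADMIN is flagged even though neither role looks like a finance conflict on its own: the ability to assign roles plus the ability to release payments is the path by which a user can grant themselves the rest.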

33
MCQ · easy

In a waterfall SDLC, which phase requires formal sign-off from the business owner before proceeding to the next phase?

A. Development phase
B. Requirements phase
C. Design phase
D. Testing phase
Answer: B

Formal sign-off on requirements is a key control to prevent scope creep.

Why this answer

In waterfall, each phase ends with a formal sign-off; the requirements phase is critical to ensure business needs are documented and approved.

34
MCQ · medium

During an agile software development project, a sprint review meeting is conducted. What is the PRIMARY purpose of this meeting from an IS audit perspective?

A. To identify and document lessons learned for process improvement
B. To demonstrate the working product increment to stakeholders and gather feedback
C. To assign tasks to team members for the current sprint
D. To plan the tasks for the next sprint
Answer: B

The sprint review is a control point where stakeholders review the increment and provide input, which is critical for iterative validation.

Why this answer

The sprint review is a key control in agile to demonstrate completed work to stakeholders and obtain feedback. It gives early user acceptance of each increment and helps ensure the product meets stakeholder needs.

35
MCQ · easy

Which testing type is performed by end-users to verify that the system meets their needs?

A. Security testing
B. Integration testing
C. User acceptance testing
D. Unit testing
Answer: C

UAT involves end-users validating the system.

Why this answer

User acceptance testing (UAT) is the final phase of the testing lifecycle where actual end-users validate that the system fulfills their business requirements and is ready for production deployment. Unlike technical testing types, UAT focuses on real-world workflows, data accuracy, and usability to confirm the system meets the agreed-upon acceptance criteria.

Exam trap

The trap here is that candidates often confuse user acceptance testing with system testing or integration testing, assuming any 'end-user' involvement means UAT, but UAT specifically requires users to validate business needs, not technical correctness.

How to eliminate wrong answers

Option A is wrong because security testing is a specialized technical test focused on identifying vulnerabilities, threats, and compliance gaps (e.g., OWASP Top 10, penetration testing), not on verifying that the system meets end-user needs. Option B is wrong because integration testing verifies that individual modules or services interact correctly (e.g., API contracts, data flow between subsystems), but it does not involve end-user validation of business requirements. Option D is wrong because unit testing is performed by developers on individual code components (e.g., functions, methods) to catch defects early, and it has no involvement from end-users.

36
MCQ · medium

Which of the following is the BEST control to ensure that user acceptance testing (UAT) is effective?

A. UAT scripts are written by developers
B. UAT is performed after deployment
C. UAT testers are from the business and use realistic data
D. UAT is conducted by the quality assurance team
Answer: C

Business testers working with realistic data are what make UAT meaningful.

Why this answer

UAT should be performed by the business users who will operate the system, using realistic test data (representative of production, and masked where it is derived from production) so that business requirements are validated rather than only technical correctness. Developer-written scripts, QA-only execution, or testing after deployment all weaken that assurance.

37
Multi-Select · medium

An IS auditor is reviewing a change management process. Which TWO elements should be documented in a normal change request to ensure adequate governance? (Select TWO)

Select 2 answers
A. Test plan
B. Vendor contact information
C. Change requester's name
D. Rollback plan
E. Project budget remaining
Answers: A, D

A test plan ensures the change is validated before production deployment.

Why this answer

A change request should include a test plan to verify the change works as intended and a rollback plan to revert if the change fails. These are critical for risk management and governance.

38
MCQ · medium

An IS auditor is evaluating the change management process. Which of the following is the BEST indicator that emergency changes are being properly controlled?

A. Emergency changes are documented with a justification and promptly reviewed after implementation
B. Emergency changes are approved by the change manager within 24 hours
C. Emergency changes are tested in a production-like environment before implementation
D. Emergency changes require approval from the CAB before implementation
Answer: A

This ensures accountability and learning from emergencies.

Why this answer

Emergency changes require a documented rationale and timely post-implementation review to ensure proper authorization and minimal risk.

39
MCQ · medium

An IS auditor is reviewing a waterfall SDLC project that has completed the requirements phase. Which of the following is the greatest risk to the project?

A. The project manager left the company.
B. A key business stakeholder did not sign off on the requirements.
C. The development team is unfamiliar with the technology.
D. The design phase is behind schedule.
Answer: B

Without sign-off, requirements may not reflect actual needs, leading to rework.

Why this answer

In waterfall, requirements are defined upfront and changes are difficult. If a key stakeholder did not sign off, there is a risk that later phases will be based on incomplete or incorrect requirements.

40
MCQ · hard

An IS auditor is reviewing the change management process for a critical financial application. Which of the following findings would be of GREATEST concern?

A. Standard changes are documented but not tracked individually
B. Change requests are logged in a spreadsheet instead of a dedicated system
C. Emergency changes are implemented without subsequent CAB approval
D. The CAB meets only once per month
Answer: C

This violates the principle of retrospective review for emergency changes.

Why this answer

Emergency changes bypassing CAB approval pose high risk as they may not undergo proper testing and review.

41
Multi-Select · medium

Which TWO of the following are key elements of a change request document?

Select 2 answers
A. Vendor contract
B. Justification
C. Project budget
D. Rollback plan
E. User manual
Answers: B, D

Justification explains why the change is needed.

Why this answer

A change request should include justification for the change and a rollback plan to mitigate risks.

42
MCQ · medium

During a post-implementation review of a new financial system, the IS auditor finds that user acceptance testing (UAT) was completed with only 60% of test cases passed. Which of the following is the MOST significant risk?

A. The system deployment was delayed
B. The system performance is below expectations
C. The project was not completed within the planned budget
D. The system may not fully meet business requirements, leading to user workarounds
Answer: D

Unpassed test cases mean functionality gaps that users may bypass, increasing error and fraud risk.

Why this answer

Low UAT pass rate indicates unresolved defects or unmet user requirements, leading to user dissatisfaction and potential workarounds that compromise controls.

43
MCQ · easy

During which phase of the SDLC should security requirements be formally documented and approved by the business owner?

A. Design phase
B. Requirements phase
C. Testing phase
D. Development phase
Answer: B

Security and regulatory requirements are captured here and signed off by the business owner.

Why this answer

Security requirements must be identified and approved early to ensure proper controls are built into the system. The requirements phase is the appropriate stage for this.

44
MCQ · hard

An IS auditor is reviewing an emergency change that was implemented to fix a critical security vulnerability. Which of the following post-implementation controls is MOST important to ensure the change was properly managed?

A. The change request included a rollback plan
B. The change was tested in a production-like environment before deployment
C. A post-implementation review was performed by the Change Advisory Board (CAB)
D. The change was documented and approved by the change manager after implementation
Answer: C

Retrospective CAB review ensures that the emergency change is justified and properly documented, maintaining control over the change process.

Why this answer

Emergency changes bypass normal CAB approval, so it is critical to document the change and have it retrospectively reviewed by the CAB to ensure proper governance.
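Questions 11, 18, 38, 40 and this one all test the same control: an emergency change may skip prior CAB approval, but it must be justified, carry a rollback plan and be reviewed retrospectively within a set time. The following Python is an added example, not part of the question bank, of the audit test an IS auditor would run over a change-log export to find breaches of that control. The CSV columns, change identifiers, dates, status values and the five-day review deadline are all constructed assumptions; a real ITSM export and a real policy will differ.

```python
"""Audit test over a change log: emergency changes lacking retrospective review.

Added example, not from the question bank. The CSV layout, change IDs,
dates, status values and the review deadline are constructed assumptions.
"""
import csv
import io
from datetime import date

# Constructed export from a change management tool.
CHANGE_LOG = """\
change_id,type,implemented_on,cab_approved,pir_completed_on,rollback_plan,justification
CHG-1001,normal,2024-03-04,yes,,yes,Quarterly patch bundle
CHG-1002,emergency,2024-03-06,no,2024-03-08,yes,Fix for critical authentication flaw
CHG-1003,emergency,2024-03-10,no,,no,Restart payment gateway
CHG-1004,standard,2024-03-11,no,,yes,Scheduled password-reset script
CHG-1005,normal,2024-03-12,no,,yes,Report layout change
CHG-1006,emergency,2024-03-15,no,2024-03-30,yes,Hotfix for tax rounding
CHG-1007,emergency,2024-03-29,no,,yes,Block malicious IP range
"""

# Assumed policy: an emergency change must be reviewed within this many days.
PIR_DEADLINE_DAYS = 5


def parse_changes(text=CHANGE_LOG):
    """Parse the CSV export into typed records (dates, booleans, trimmed text)."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "change_id": r["change_id"],
            "type": r["type"],
            "implemented_on": date.fromisoformat(r["implemented_on"]),
            "pir_completed_on": (date.fromisoformat(r["pir_completed_on"])
                                 if r["pir_completed_on"] else None),
            "cab_approved": r["cab_approved"] == "yes",
            "rollback_plan": r["rollback_plan"] == "yes",
            "justification": r["justification"].strip(),
        })
    return rows


def audit_changes(rows, as_of, deadline_days=PIR_DEADLINE_DAYS):
    """Return {change_id: [issues]} for records that breach the assumed policy.

    Emergency changes are judged on the retrospective review, not on prior CAB
    approval, because they legitimately bypass it; a change still inside its
    review window as of the audit date is not flagged."""
    findings = {}
    for r in rows:
        issues = []
        if r["type"] == "emergency":
            if r["pir_completed_on"] is None:
                if (as_of - r["implemented_on"]).days > deadline_days:
                    issues.append("emergency change with no post-implementation review")
            elif (r["pir_completed_on"] - r["implemented_on"]).days > deadline_days:
                issues.append("post-implementation review completed late")
        elif r["type"] == "normal" and not r["cab_approved"]:
            issues.append("normal change without CAB approval")
        if r["type"] != "standard" and not r["rollback_plan"]:
            issues.append("no documented rollback plan")
        if not r["justification"]:
            issues.append("no justification recorded")
        if issues:
            findings[r["change_id"]] = issues
    return findings


def run_audit(as_of_iso, text=CHANGE_LOG):
    """Parse the log and audit it as of an ISO-8601 date string."""
    return audit_changes(parse_changes(text), date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for cid, issues in run_audit("2024-03-31").items():
        print(cid, "->", "; ".join(issues))
```

Run as of 31 March 2024 the test flags CHG-1003 (no review, no rollback plan), CHG-1005 (a normal change that never went to the CAB) and CHG-1006 (reviewed, but fifteen days after the fact), while CHG-1007, implemented two days before the audit date, is correctly left alone until its review window closes. Standard changes are exempt from the CAB and rollback checks because they are pre-authorized, which is the distinction question 3 tests.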

45
MCQ · medium

An organization is acquiring a new financial system. The contract includes a clause that allows the organization to audit the vendor's controls. Which type of report would most efficiently provide assurance over the vendor's internal controls?

A. Financial audit report
B. SOC 2 report
C. Penetration test report
D. ISO 27001 certificate
Answer: B

SOC 2 reports on controls relevant to security and processing integrity.

Why this answer

A SOC 2 report is specifically designed to provide assurance over a service organization's controls related to security, availability, processing integrity, confidentiality, and privacy, which directly addresses the need to audit the vendor's internal controls for a financial system. It is more efficient than other options because it is a standardized, independent assessment that covers the control environment relevant to financial data processing.

Exam trap

The trap here is that candidates may confuse a SOC 2 report with a financial audit report (Option A) because both involve auditors, but SOC 2 is specifically for service organization controls, not financial statement accuracy.

How to eliminate wrong answers

Option A is wrong because a financial audit report focuses on the accuracy of financial statements, not on the operational or security controls of the vendor's systems. Option C is wrong because a penetration test report only provides a point-in-time assessment of security vulnerabilities, not a comprehensive evaluation of ongoing internal controls. Option D is wrong because an ISO 27001 certificate confirms that a vendor has an information security management system (ISMS) in place, but it does not provide a detailed, auditable report of control effectiveness or specific control activities like a SOC 2 report does.

46
MCQmedium

An IS auditor is reviewing a contract for a new software solution. Which of the following contract types poses the HIGHEST risk to the buyer if requirements are not well-defined?

A.Time-and-materials contract
B.Fixed-price contract
C.Cost-plus contract
D.Outcome-based contract
AnswerB

If requirements change, the vendor may demand extra fees, leading to cost overruns and disputes.

Why this answer

Fixed-price contracts are risky when requirements are unclear because the vendor may understate effort or charge high change orders. Time-and-materials contracts are safer for undefined requirements.

47
MCQhard

During a spiral model SDLC project, an IS auditor is reviewing risk assessment documentation. Which of the following would be the GREATEST concern?

A.Key risks identified in the first iteration are not reassessed in later iterations
B.Risk mitigation plans are not documented
C.The project uses a combination of waterfall and prototyping
D.Risk analysis is performed by the project manager alone
AnswerA

Risk reassessment is crucial in the spiral model, because risks can change between iterations.

Why this answer

The spiral model is risk-driven; failure to identify critical risks undermines the methodology and could lead to project failure.

48
MCQmedium

An IS auditor is reviewing a systems acquisition project that involves purchasing an ERP system. Which of the following is the MOST significant risk related to data migration during implementation?

A.Inadequate security controls in the new system
B.Insufficient training of end users on the new system
C.Incomplete or inaccurate data conversion from legacy systems
D.Lack of integration testing between modules
AnswerC

Data conversion errors can corrupt the new system's data, leading to financial and operational issues.

Why this answer

Data migration is a critical risk in ERP implementations. Poor data quality from legacy systems can lead to errors, inconsistencies, and business disruption. Ensuring data integrity is paramount.

49
MCQhard

In a spiral model SDLC, risk analysis is performed at the beginning of each iteration. What is the PRIMARY benefit of this approach?

A.It reduces the number of deliverables
B.It eliminates the need for user acceptance testing
C.It ensures all requirements are gathered upfront
D.It allows for early detection and mitigation of project risks
AnswerD

Risk analysis each iteration helps manage risks proactively.

Why this answer

By identifying and mitigating risks early in each cycle, the spiral model reduces the likelihood of major problems later.

50
MCQmedium

An IS auditor is reviewing an agile project that uses Scrum. Which event provides the best opportunity for the auditor to assess whether completed user stories meet the defined acceptance criteria?

A.Sprint review
B.Daily standup
C.Retrospective
D.Sprint planning
AnswerA

Sprint review is the correct event to inspect completed work and validate against acceptance criteria.

Why this answer

The sprint review is a formal meeting where the development team demonstrates completed work to stakeholders. The auditor can observe validation of acceptance criteria and gather evidence of user acceptance.

51
Multi-Selecthard

Which THREE of the following are essential elements of an emergency change request? (Select three.)

Select 3 answers
A.Test plan
B.Impact analysis
C.Pre-approval from CAB
D.Rollback plan
E.Justification for emergency
AnswersA, D, E

Even emergency changes should receive at least minimal testing before deployment.

Why this answer

Emergency changes require justification, a documented test plan (even if abbreviated), and a rollback plan to restore service if needed.

52
Multi-Selecthard

An organization is implementing a large ERP system. The project manager is concerned about segregation of duties conflicts. Which THREE controls should the IS auditor recommend to mitigate segregation of duties risks during implementation? (Select THREE)

Select 3 answers
A.Use automated segregation of duties monitoring tools
B.Delay deployment until all segregation conflicts are resolved
C.Implement role-based access controls (RBAC) aligned with job functions
D.Conduct a single user acceptance test (UAT) at the end of the project
E.Require dual approval for sensitive transactions
AnswersA, C, E

Automated tools can detect and report conflicting access assignments.

Why this answer

Segregation of duties conflicts can be mitigated by enforcing access controls based on roles, using automated tools to detect conflicting access, and establishing compensating controls (e.g., dual approval) where segregation is not possible.

53
MCQmedium

An IS auditor is reviewing an agile software development project. Which of the following would be the BEST evidence that adequate controls are in place for user acceptance?

A.The product backlog is managed by the product owner
B.Daily standup meetings are held to track progress
C.Retrospectives are conducted after each sprint
D.Each sprint concludes with a sprint review attended by stakeholders
AnswerD

Sprint review provides real-time user feedback and acceptance.

Why this answer

In agile, the sprint review is a ceremony where stakeholders inspect the increment and provide feedback, serving as a control for user acceptance.

54
MCQhard

During a spiral SDLC project, the IS auditor should focus on which aspect as the primary risk?

A.Scope creep
B.Lack of documentation
C.Inadequate user involvement
D.Incomplete risk assessment
AnswerD

The spiral model's effectiveness depends on thorough risk assessment at each iteration.

Why this answer

The spiral model is risk-driven, so the primary risk is that risk assessment may be incomplete, leading to unaddressed issues.

55
MCQeasy

Which of the following is a key advantage of using an iterative SDLC model over a waterfall model?

A.Reduces the need for user involvement
B.Better suited for projects with stable requirements
C.Easier to manage project costs
D.Provides more flexibility to adapt to changing requirements
AnswerD

Iterative models embrace change.

Why this answer

Iterative models allow for adjustments based on feedback and changing requirements, which is a key advantage.

56
Multi-Selectmedium

An IS auditor is reviewing an agile software development project. Which TWO controls should the auditor expect to see in place?

Select 2 answers
A.Formal phase-gate approvals between design and development
B.Detailed requirements documentation approved before coding
C.Pair programming for all critical code
D.Sprint retrospective meetings
E.Sprint reviews with stakeholder participation
AnswersD, E

Sprint retrospectives are a key agile practice for continuous improvement and control.

Why this answer

In agile projects, sprint retrospectives help identify improvements, and sprint reviews demonstrate working functionality to stakeholders, serving as a control point. Pair programming is a development practice but not a universal agile control. Detailed requirements documentation and formal phase-gate approvals are characteristic of waterfall, not agile.

57
MCQmedium

During a system development project, the IS auditor notes that code reviews are performed only after the code is unit tested. Which of the following is the MOST significant risk associated with this practice?

A.Code reviews may be less effective because developers are reluctant to critique tested code
B.Defects may be discovered later in the development lifecycle, increasing rework costs
C.Unit tests may mask code quality issues
D.The code review process may overlook security vulnerabilities
AnswerB

Detecting defects later is more expensive and time-consuming.

Why this answer

Code reviews should be performed before unit testing to catch defects early. Delaying reviews until after testing may lead to rework if issues are found, increasing costs and time.

58
MCQhard

An organization is considering acquiring a commercial off-the-shelf (COTS) ERP system. Which of the following risks is most effectively mitigated by including a contractual clause for audit rights?

A.Incompatibility with existing infrastructure
B.Inadequate vendor security controls
C.Vendor lock-in due to proprietary data formats
D.Cost overruns from customization
AnswerB

Audit rights enable the organization to assess the vendor's security posture and ensure controls are adequate.

Why this answer

Audit rights allow the organization to verify that the vendor's controls are operating effectively. This directly addresses the risk of inadequate vendor security controls, which could expose the organization to data breaches or compliance violations.

59
MCQmedium

During a post-implementation review of a new customer relationship management (CRM) system, the IS auditor finds that the system is processing transactions slower than anticipated. What is the BEST initial course of action for the auditor?

A.Recommend immediate performance tuning to resolve the issue
B.Report the issue to senior management immediately
C.Conduct a load test to identify bottlenecks
D.Compare actual performance to the performance criteria in the business case
AnswerD

This is the standard approach for a post-implementation review.

Why this answer

The auditor should first verify actual performance against the criteria defined in the business case to determine if objectives were met.

60
Multi-Selecteasy

Which TWO of the following are characteristics of the iterative SDLC model?

Select 2 answers
A.The final product is delivered only at the end of the project
B.User feedback is incorporated after each iteration
C.Requirements are defined in detail at the start of the project
D.The system is developed and refined through multiple cycles
E.Risk analysis is performed only at the beginning
AnswersB, D

Feedback drives improvements.

Why this answer

Iterative models develop systems through repeated cycles (iterations) that incorporate user feedback, unlike waterfall where requirements are fixed upfront.

61
Multi-Selecthard

During a post-implementation review of a new ERP system, the IS auditor identified that the project was delivered within budget but user satisfaction scores are low. Which THREE areas should the auditor examine further?

Select 3 answers
A.Extent of integration testing performed
B.Whether all predefined user requirements were met
C.Accuracy and completeness of data migration
D.Compliance with the original project budget
E.Adequacy of user training provided
AnswersB, C, E

Unmet requirements are a direct cause of low satisfaction.

Why this answer

Low user satisfaction may stem from inadequate training, unmet requirements, or data migration issues affecting business processes. While budget and timeline were met, these operational aspects often drive satisfaction. Integration testing completeness is important but more technical; vendor SLA compliance is contractual and less directly tied to user satisfaction.

62
MCQeasy

During an agile software development project, which of the following events provides the best opportunity for the IS auditor to assess the effectiveness of controls implemented in the current sprint?

A.Sprint planning meeting
B.Sprint review
C.Daily standup meeting
D.Sprint retrospective
AnswerB

The sprint review allows the auditor to see working functionality and verify controls.

Why this answer

The sprint review is a demonstration of working software where controls can be observed. The retrospective is about process improvement, not control assessment.

63
MCQmedium

During a vendor evaluation for a critical system, the IS auditor notes that the vendor's SOC 2 report includes an adverse opinion. What should be the auditor's PRIMARY recommendation?

A.Negotiate a lower price to offset the risk
B.Evaluate compensating controls or seek an alternative vendor
C.Accept the risk because the vendor is well-known
D.Request a customized SOC 2 report
AnswerB

Compensating controls may reduce the risk, but an alternative vendor might be the safer choice.

Why this answer

An adverse SOC 2 opinion indicates material weaknesses in controls; the organization should seek compensating controls or consider alternative vendors.

64
MCQmedium

An organization is considering whether to build a custom application or purchase a commercial off-the-shelf (COTS) product. Which of the following factors is MOST important when deciding to build rather than buy?

A.Reduced need for ongoing maintenance
B.Faster time to market
C.Lower initial cost
D.Need for highly specialized functionality not available in the market
AnswerD

Unique requirements may justify building.

Why this answer

When an organization requires highly specialized functionality that is not available in any commercial off-the-shelf (COTS) product, building a custom application becomes the only viable option. COTS products are designed for broad market needs and often lack the unique features or compliance requirements that a custom solution can provide. This factor overrides cost, time, and maintenance considerations because no amount of configuration or customization of a COTS product can meet the specific functional gap.

Exam trap

The trap here is that candidates often prioritize lower initial cost or faster time to market, failing to recognize that if the required functionality does not exist in the market, those benefits are irrelevant because the COTS product cannot fulfill the core business need.

How to eliminate wrong answers

Option A is wrong because custom applications typically require more ongoing maintenance, not less, due to the need for in-house support, updates, and bug fixes, whereas COTS products include vendor-provided maintenance and patches. Option B is wrong because building a custom application generally takes longer to develop and deploy than purchasing a ready-made COTS product, which can be implemented immediately. Option C is wrong because custom development usually has a higher initial cost due to design, coding, testing, and deployment efforts, while COTS products have a fixed license fee that is often lower than bespoke development.

65
Multi-Selectmedium

An organization is implementing a new payroll system using an agile methodology. Which TWO of the following are the MOST important controls for the IS auditor to assess?

Select 2 answers
A.Comprehensive documentation of all design decisions
B.A formal change control board to approve all changes
C.A detailed project plan with all tasks upfront
D.The product backlog is prioritized and includes security requirements
E.Sprint reviews are conducted with stakeholders to demonstrate working software
AnswersD, E

This ensures requirements are managed and security is addressed.

Why this answer

In agile, the product backlog is the primary control for requirements, and sprint reviews provide stakeholder validation.

66
Multi-Selecthard

An IS auditor is reviewing an agile project. Which THREE of the following are controls the auditor should evaluate?

Select 3 answers
A.Sprint review
B.Burndown charts
C.Retrospective actions
D.Daily standup
E.Product backlog prioritization
AnswersA, C, E

Sprint review validates completed work with stakeholders.

Why this answer

In agile, sprint reviews, product backlog prioritization, and retrospective actions are key controls to ensure quality and continuous improvement.

67
MCQmedium

During an SDLC audit, the IS auditor finds that security requirements were not formally documented during the requirements phase. Which of the following is the BEST recommendation to mitigate the associated risk?

A.Perform a penetration test after go-live
B.Conduct a vulnerability scan after deployment to identify security gaps
D.Include security requirements in the design phase and obtain sign-off
AnswerD

Adding security requirements during design is better than adding them later, although ideally they belong in the requirements phase. Among the options offered, this is the best choice.

Why this answer

Security requirements should be defined early to ensure controls are designed in, not bolted on. The best practice is to include security requirements in the requirements phase and have them reviewed by security experts.

68
MCQeasy

Which of the following is a primary advantage of fixed-price contracts in systems acquisition?

A.Vendor has incentive to complete quickly
B.Greater flexibility to change requirements
C.Lower total cost compared to time-and-materials
D.Predictable cost for the buyer
AnswerD

The price is agreed upfront, reducing financial risk.

Why this answer

Fixed-price contracts provide cost certainty for the buyer, as the vendor bears the risk of cost overruns.

69
MCQmedium

During a post-implementation review of a system, an IS auditor finds that the actual transaction processing time is 30% slower than projected. What should the auditor recommend FIRST?

A.Upgrade the server hardware immediately
B.Reject the system and revert to the legacy system
C.Conduct a performance analysis to identify bottlenecks
D.Adjust user expectations to match actual performance
AnswerC

Diagnosis is the first step.

Why this answer

The root cause should be identified before recommending specific actions. Performance testing or analysis will reveal the cause.

70
MCQeasy

An organization is implementing a new financial system using the waterfall SDLC model. Which of the following is the MOST critical control to ensure that business requirements are met?

A.Automated unit testing results
B.Code reviews by the development team
C.Detailed technical design documents
D.Formal user acceptance testing (UAT) sign-off
AnswerD

UAT is the phase where end users validate that the system meets their requirements, and formal sign-off provides documented acceptance.

Why this answer

In the waterfall model, requirements are defined upfront and formal sign-off at each phase is critical. Formal user acceptance testing (UAT) is the key control to ensure the system meets business needs before deployment.

71
MCQmedium

Which of the following BEST describes the role of threat modeling in the design phase of the SDLC?

A.To define functional requirements for the system
B.To analyze the system architecture for potential security threats
C.To test the application's resilience to attacks
D.To identify and mitigate security vulnerabilities in the code
AnswerB

This is the main purpose of threat modeling.

Why this answer

Threat modeling proactively identifies potential security threats and vulnerabilities in the system architecture to design appropriate controls.

72
MCQhard

An organization is deploying a major system upgrade. The change request has been approved by CAB, but the deployment plan does not include a rollback procedure. As an IS auditor, what should you recommend?

A.Perform the deployment during off-peak hours to minimize impact
B.Document the decision to skip rollback in the change record
C.Proceed with deployment as CAB approval is sufficient
D.Delay the deployment until a rollback plan is created and tested
AnswerD

A rollback plan is essential for high-risk changes; deployment should be deferred.

Why this answer

Without a rollback plan, if the deployment fails, the system may be unavailable for an extended period, impacting business operations.

73
MCQeasy

In a waterfall SDLC, when should user acceptance testing (UAT) typically occur?

A.After deployment
B.After coding but before unit testing
C.After system testing and before deployment
D.During the requirements phase
AnswerC

This is the correct sequence in waterfall.

Why this answer

UAT is performed after system testing is complete and before deployment to ensure the system meets user requirements.

74
MCQeasy

Which of the following is a key objective of the design phase in the SDLC?

A.To conduct user acceptance testing
B.To define system architecture and integrate security controls
C.To develop code
D.To gather business requirements
AnswerB

Design phase is where architecture and security-by-design are addressed.

Why this answer

The design phase defines the system architecture and ensures security controls are incorporated rather than added later.

75
MCQmedium

During a change management audit, the IS auditor notes that an emergency change was implemented to fix a critical security vulnerability. Which of the following should the auditor expect to find in the change documentation?

A.A post-implementation review scheduled six months later
B.A formal change request approved by the Change Advisory Board (CAB) before implementation
C.A rollback plan
D.A complete test plan executed before deployment
AnswerC

A rollback plan is critical for emergency changes to mitigate risk.

Why this answer

Emergency changes require a rollback plan to ensure the system can be restored if the change fails. A full test plan may be abbreviated.
