CISA · topic practice

Information Systems Acquisition, Development, and Implementation practice questions

Practise Certified Information Systems Auditor CISA Information Systems Acquisition, Development, and Implementation practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Information Systems Acquisition, Development, and Implementation

What the exam tests

What to know about Information Systems Acquisition, Development, and Implementation

Information Systems Acquisition, Development, and Implementation questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common Information Systems Acquisition, Development, and Implementation exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Information Systems Acquisition, Development, and Implementation questions

20 questions · select your answer, then reveal the explanation

During a post-implementation review of a new financial system, the IS auditor finds that user acceptance testing (UAT) was completed with only 60% of test cases passed. Which of the following is the MOST significant risk?

An organization is implementing an enterprise resource planning (ERP) system. The project team plans to migrate legacy data without performing a full reconciliation between source and target systems. As an IS auditor, which of the following should be your PRIMARY concern?

In a waterfall SDLC, which phase requires formal sign-off from the business owner before proceeding to the next phase?

An IS auditor is reviewing an agile software development project. Which of the following would be the BEST evidence that adequate controls are in place for user acceptance?

During a vendor evaluation for a critical system, the IS auditor notes that the vendor's SOC 2 report includes an adverse opinion. What should be the auditor's PRIMARY recommendation?

An organization is using a spiral model for a high-risk project. The IS auditor wants to ensure that risk assessment is performed at each iteration. Which of the following is the BEST evidence that this control is effective?

Which of the following is a primary advantage of fixed-price contracts in systems acquisition?

An IS auditor is reviewing change management procedures. Which of the following situations would be of GREATEST concern?

During a build vs. buy analysis, the IS auditor observes that the organization decided to build a custom application because no vendor solution met all requirements. Which of the following risks should the auditor emphasize?

An organization is deploying a major system upgrade. The change request has been approved by CAB, but the deployment plan does not include a rollback procedure. As an IS auditor, what should you recommend?

Which of the following is a key objective of the design phase in the SDLC?

An IS auditor is assessing an ERP implementation. Which of the following control concerns is MOST likely to arise from segregation of duties conflicts?

Which TWO of the following are typical controls in the testing phase of the SDLC? (Select two.)

Which THREE of the following are essential elements of an emergency change request? (Select three.)

Which TWO of the following are benefits of an iterative SDLC approach compared to waterfall? (Select two.)

During which phase of the SDLC should security requirements be formally documented and approved by the business owner?

An IS auditor is reviewing an agile software development project. Which of the following practices would BEST help ensure that security controls are adequately addressed?

An organization is implementing a large ERP system. The project team plans to migrate legacy data to the new system. Which of the following is the MOST significant risk associated with data migration?

An IS auditor is evaluating the change management process. Which of the following is the BEST indicator that emergency changes are being properly controlled?

In a waterfall SDLC, when should user acceptance testing (UAT) typically occur?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Information Systems Acquisition, Development, and Implementation sessions

Start a Information Systems Acquisition, Development, and Implementation only practice session

Every question in these sessions is drawn from the Information Systems Acquisition, Development, and Implementation domain — nothing else.

Related practice questions

Related CISA topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the CISA exam test about Information Systems Acquisition, Development, and Implementation?
Information Systems Acquisition, Development, and Implementation questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Information Systems Acquisition, Development, and Implementation questions in a focused session?
Yes — the session launcher on this page draws every question from the Information Systems Acquisition, Development, and Implementation domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CISA topics?
Use the topic links above to move to related areas, or go back to the CISA question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CISA exam covers. They are not copied from any real exam or dump site.