CCNA Is Acquisition Dev Questions

75 of 146 questions · Page 1/2 · Is Acquisition Dev topic · Answers revealed

1
MCQmedium

A company is using an agile development methodology for a critical business application. The IS auditor is concerned about the lack of formal documentation. What is the BEST approach to mitigate this risk?

A.Require the project to switch to a waterfall methodology.
B.Accept the lack of documentation because agile emphasizes working software.
C.Perform a detailed code review to compensate for missing documentation.
D.Ask the team to maintain a lightweight document of important decisions and changes.
AnswerD

This balances agile flexibility with audit requirements.

Why this answer

Option D is the best approach because it balances agile principles with the need for auditability. In agile, lightweight documentation (e.g., architecture decision records, user story acceptance criteria) captures key decisions and changes without the overhead of full waterfall documentation. This mitigates the risk of knowledge loss while preserving the team's velocity.

Exam trap

The trap here is that candidates may confuse agile's 'working software over comprehensive documentation' with 'no documentation at all,' leading them to choose Option B, while the correct answer recognizes that lightweight documentation is both agile-compliant and risk-mitigating.

How to eliminate wrong answers

Option A is wrong because forcing a switch to waterfall would disrupt the existing agile workflow, likely causing delays and team resistance, and is not a proportionate response to a documentation gap. Option B is wrong because accepting the lack of documentation ignores the auditor's responsibility to ensure that critical business applications have sufficient records for maintenance, compliance, and knowledge transfer; agile emphasizes working software but does not prohibit necessary documentation. Option C is wrong because code review, while valuable for quality, does not capture design decisions, rationale, or change history that documentation provides; it is a complementary practice, not a substitute for documentation.

2
MCQmedium

A large organization is implementing a new HR management system to handle payroll and employee data. The project is currently in the build phase with a planned go-live in three months. Recently, the vendor notified the project team that a critical security patch will be released in two months that addresses a data leakage vulnerability present in the current version. The patch includes new features that are not in the contract. The project manager estimates that integrating the patch and re-testing will delay the project by at least four months. Business stakeholders insist on meeting the original go-live date because the legacy system is being decommissioned. The organization has a strict policy that all systems processing sensitive data must have the latest security patches within 30 days of release. What should the project team do?

A.Proceed with go-live but apply a compensating control to mitigate the vulnerability until the patch is applied
B.Continue with the current version, go live as planned, and schedule the security patch installation after go-live within the 30-day window
C.Delay the go-live and integrate the security patch before going live
D.Negotiate with the vendor to obtain an early fix for the vulnerability without the new features to minimize delay
AnswerC

This ensures compliance with the patching policy and protects sensitive data from the vulnerability.

Why this answer

Option C is correct because the organization's policy requires that every system processing sensitive data carries the latest security patches, and the vendor has already disclosed a data leakage vulnerability in the version that would go live. Delaying go-live until the patch is integrated and regression-tested is the only option that keeps payroll and employee data out of production while a known exposure is unremediated, and the only one that is defensible under the policy. The pressure from the legacy decommissioning is a project risk to be escalated and managed, not a reason to accept a known data leak.

Option A is wrong because a compensating control reduces but does not remove the vulnerability, and the policy mandates patching rather than mitigation. Option B is wrong because it knowingly puts a data leakage flaw into production and relies on a post-go-live patch window that the project manager's four-month integration estimate has already shown to be unrealistic. Option D is wrong because the negotiation may not succeed and an unbundled fix would still have to be integrated and retested, so it still causes delay; it is a sensible parallel activity, not a decision the team can rely on.

3
MCQeasy

A company is developing a mobile banking application. Which test phase is MOST critical to ensure that the application functions correctly from the end user's perspective?

A.System testing.
B.User acceptance testing (UAT).
C.Unit testing.
D.Integration testing.
AnswerB

UAT ensures the system meets user needs.

Why this answer

User acceptance testing (UAT) is the most critical phase for verifying that the mobile banking application meets end-user requirements and functions correctly from their perspective. Unlike other testing phases that focus on technical correctness, UAT involves real users performing actual banking transactions (e.g., fund transfers, balance inquiries) in a production-like environment to validate usability, workflow accuracy, and compliance with business rules. This ensures the application is ready for deployment and will be accepted by its intended audience.

Exam trap

The trap here is that candidates often confuse system testing with user acceptance testing, mistakenly thinking that verifying all system functions technically is equivalent to ensuring the application works correctly from the end user's perspective.

How to eliminate wrong answers

Option A is wrong because system testing validates the complete integrated system against functional and non-functional requirements but does not involve end users; it focuses on technical correctness rather than user perspective. Option C is wrong because unit testing verifies individual components or modules in isolation, typically by developers, and cannot assess end-to-end user workflows or usability. Option D is wrong because integration testing checks the interactions between integrated modules or external systems (e.g., APIs, databases) but does not evaluate the application from an end user's viewpoint or validate business processes.

4
MCQmedium

An IS auditor is evaluating the security of the architecture. Which of the following is the MOST critical finding?

A.The web server has a public IP address
B.SQL traffic from the web server to the database server is allowed
C.No encryption for SQL traffic between web and database servers
D.The database server is not placed in the DMZ
AnswerC

Unencrypted SQL can be intercepted, compromising data confidentiality.

Why this answer

Option C is the most critical finding because unencrypted SQL traffic between the web and database servers exposes sensitive data to interception. Even when the traffic is confined to an internal network, an attacker with a foothold on that segment (for example, another compromised host or a mis-configured switch port) can capture database credentials and query results in plaintext, which is exactly the data the architecture is meant to protect. Encrypting SQL traffic with TLS, or with IPsec between the two hosts, is a fundamental control for data in transit.

Exam trap

The trap here is that candidates often focus on network placement (DMZ vs. internal) or the mere existence of SQL traffic, rather than recognizing that unencrypted data in transit is a far more critical vulnerability than architectural placement issues.

How to eliminate wrong answers

Option A is wrong because a web server typically requires a public IP address to serve external clients; this is a design choice, not a security finding. Option B is wrong because SQL traffic from the web server to the database server is expected and necessary for application functionality; the issue is not the existence of the traffic but its lack of encryption. Option D is wrong because placing the database server in the DMZ would expose it directly to external threats; best practice is to place the database server on a separate internal network segment behind the DMZ, not inside it.

5
MCQhard

Refer to the exhibit. A security administrator is troubleshooting why external users cannot reach the web server at 203.0.113.10 from the internet. Based on the configuration, what is the MOST likely issue?

A.No NAT rule is configured for the web server
B.The 'no-proxy-arp' option prevents the ASA from responding to ARP requests for the public IP
C.The source address is not translated
D.The access list denies incoming web traffic
AnswerB

Without proxy ARP, the ASA does not claim the public IP, so traffic is not received.

Why this answer

The 'no-proxy-arp' command disables proxy ARP on the ASA interface for the public IP address 203.0.113.10. Without proxy ARP, the ASA will not respond to ARP requests from upstream routers for that IP, so traffic destined to the web server is never delivered to the ASA for NAT processing. This is the most likely cause because the NAT rule exists but the ASA cannot intercept the traffic at Layer 2.

Exam trap

The trap here is that candidates assume a NAT rule alone is sufficient for inbound traffic, overlooking the Layer 2 requirement that the ASA must respond to ARP for the public IP via proxy ARP.

How to eliminate wrong answers

Option A is wrong because the exhibit shows a static NAT entry for 203.0.113.10 to the internal server, so a NAT rule does exist. Option C is wrong because source translation (the 'global' and 'nat' PAT commands) governs outbound traffic from internal hosts; the problem is inbound reachability of the public address, not source translation.

Option D is wrong because the access list (ACL) shown permits inbound HTTP traffic to 203.0.113.10, so it does not deny web traffic.

6
MCQmedium

During the requirements gathering phase for a new financial system, stakeholders disagree on the priority of security controls versus user convenience. Which of the following is the BEST approach?

A.Postpone security decisions to later phases
B.Let the project team decide based on development ease
C.Conduct a risk assessment to balance security and usability
D.Implement all security controls regardless of convenience
AnswerC

A risk assessment identifies and evaluates threats, allowing the organization to make a balanced decision that aligns security controls with business needs.

Why this answer

Option C is correct because a risk assessment provides a structured, evidence-based framework for balancing security controls against user convenience during requirements gathering. By evaluating the likelihood and impact of threats specific to financial systems (e.g., transaction fraud, data breaches) against usability needs, the organization can prioritize controls that mitigate high-risk exposures without unnecessarily impeding legitimate business processes. This aligns with the COBIT 5 principle of balancing benefits, risk, and resource optimization.

Exam trap

The trap here is that candidates may choose Option A, mistakenly believing that security can be 'bolted on' later, but CISA emphasizes that security must be integrated from the requirements phase to avoid costly redesigns and compliance violations.

How to eliminate wrong answers

Option A is wrong because postponing security decisions to later phases introduces significant rework costs and integration challenges, as security requirements must be baked into system architecture from the start (e.g., secure coding practices, access control design). Option B is wrong because letting the project team decide based on development ease ignores stakeholder priorities and regulatory compliance (e.g., PCI DSS, SOX), leading to potential audit failures and security gaps. Option D is wrong because implementing all security controls regardless of convenience can cripple user productivity and lead to shadow IT, where users bypass controls (e.g., using unapproved cloud storage), increasing overall risk.

7
MCQmedium

A hospital is implementing a new electronic health records (EHR) system. The system will be used by doctors, nurses, and administrative staff. During the user acceptance testing (UAT) phase, the nursing staff reports that the interface for entering patient vitals is too slow and requires many clicks, which slows down their workflow. The project team has already completed system testing and is preparing for go-live in two weeks. The development team can make a quick fix to streamline the vital signs entry by adding a shortcut, but this change has not been tested. The IT director is concerned about patient safety and wants to ensure the system is usable. What is the BEST course of action?

A.Implement the quick fix immediately and go live as scheduled
B.Proceed with go-live as planned and address usability issues in a future release
C.Assess the risk, develop the fix, fast-track testing, and if successful, include it in the go-live
D.Delay go-live by one month to fully test the fix
AnswerC

Enables safe improvement.

Why this answer

Option C is correct because it balances patient safety with project timelines by formally assessing the risk of the untested fix, developing it, and then fast-tracking a targeted regression test. This approach ensures the usability issue is resolved without bypassing necessary quality controls, which is critical for a clinical system where data entry errors could directly impact patient care. The IT director's concern about patient safety is addressed by the risk assessment and focused testing, while the go-live date is preserved if the fix passes.

Exam trap

The trap here is that candidates may choose Option B (defer usability) thinking it is safer, but they fail to recognize that a usability issue in a clinical workflow directly threatens patient safety by increasing the likelihood of data entry errors, making risk assessment and targeted remediation the correct approach.

How to eliminate wrong answers

Option A is wrong because implementing an untested change immediately before go-live violates change management best practices and could introduce critical defects that compromise patient safety, such as data corruption or loss of vital signs. Option B is wrong because proceeding with a known usability flaw that slows down vital signs entry increases the risk of data entry errors or omissions, which in a clinical setting can lead to incorrect treatment decisions and patient harm. Option D is wrong because delaying go-live by a full month is unnecessarily conservative for a targeted fix that can be validated through fast-tracked regression testing, and it introduces project delays and costs without proportional risk reduction.

8
MCQeasy

A systems analyst is gathering requirements for a new customer relationship management (CRM) system. Which of the following is the MOST important activity to ensure that the final system meets user needs?

A.Creating a prototype and asking for feedback after development.
B.Conducting a joint requirements validation session with stakeholders.
C.Developing a detailed technical specification before user sign-off.
D.Documenting all requirements in a formal specification.
AnswerB

Direct stakeholder involvement ensures alignment.

Why this answer

Conducting a joint requirements validation session with stakeholders (Option B) is the most important activity because it ensures that the requirements are accurate, complete, and agreed upon before development begins. This collaborative review process directly involves end users and business owners, allowing for immediate clarification and correction of misunderstandings, which is critical for aligning the CRM system with actual business processes. Without this validation, even a perfectly built system may fail to meet user needs, leading to costly rework.

Exam trap

The trap here is that candidates often confuse 'documenting requirements' (Option D) with 'validating requirements,' assuming that formal documentation alone is sufficient to ensure user needs are met, whereas the CISA exam emphasizes that validation through stakeholder interaction is the critical step to prevent costly rework.

How to eliminate wrong answers

Option A is wrong because creating a prototype and asking for feedback after development violates the iterative validation principle; feedback should be gathered during development, not after, to avoid rework and misalignment with user expectations. Option C is wrong because developing a detailed technical specification before user sign-off assumes that technical details can be finalized without user validation, which often leads to a system that meets technical specs but fails to satisfy business requirements. Option D is wrong because documenting all requirements in a formal specification alone does not ensure that the requirements are correct or understood by stakeholders; it is a passive activity that lacks the interactive validation needed to confirm user needs.

9
Drag & Dropmedium

Arrange the steps to implement a password policy in the correct order.

Why this order

Password policy implementation follows this order: define the password requirements (length, complexity, history, denylisted values) first, then set the expiration period, then configure account lockout for repeated failures, communicate the policy to users and administrators, and finally enforce it technically in the authentication systems. Requirements must come first because expiration and lockout settings only make sense once it is defined what an acceptable password is, and communication must precede enforcement so that users are not locked out by a rule they have never seen.
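The following is an added example, not code from the original quiz page: a minimal enforcer that applies an implemented password policy in the order the answer gives it, requirements first, then expiration, then lockout. Every threshold (12-character minimum, three character classes, 90-day expiry, five failed attempts, 15-minute lockout) is an assumed value chosen for illustration, the denylist is a constructed stand-in for a breached-password list, and the clock is fixed so the example is deterministic.

```python
"""Added example (not part of the original quiz page): a minimal password policy
enforcer that applies the policy in the order the answer gives it, requirements
first, then expiration, then lockout. Every threshold below is an assumed value
chosen for illustration, not a standard the page cites."""
from __future__ import annotations

import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MIN_LENGTH = 12           # assumed minimum length
MIN_CLASSES = 3           # assumed: at least 3 of lower/upper/digit/symbol
MAX_AGE_DAYS = 90         # assumed expiration period
MAX_FAILURES = 5          # assumed lockout threshold
LOCKOUT_MINUTES = 15      # assumed lockout duration
PBKDF2_ROUNDS = 100_000   # lowered from production-grade counts so the example runs fast
DENYLIST = {"password", "welcome1", "letmein"}  # constructed stand-in for a breached-password list

# Constructed clock so the example is deterministic; a real system uses datetime.now(timezone.utc).
START = datetime(2024, 1, 1, tzinfo=timezone.utc)


def later(start: datetime, *, minutes: int = 0, days: int = 0) -> datetime:
    return start + timedelta(minutes=minutes, days=days)


def check_requirements(password: str, username: str) -> list[str]:
    """Step 1, requirements: return every rule the candidate password violates."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if username.lower() in password.lower():
        problems.append("contains the username")
    if password.lower() in DENYLIST:
        problems.append("appears on the denylist")
    return problems


def derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only the derived digest is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    changed_at: datetime
    failures: int = 0
    locked_until: datetime | None = None


def create_account(username: str, password: str, now: datetime) -> Account:
    """Enforcement point for step 1: a password that fails the requirements is never stored."""
    problems = check_requirements(password, username)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    salt = os.urandom(16)
    return Account(username, salt, derive(password, salt), changed_at=now)


def authenticate(acct: Account, password: str, now: datetime) -> str:
    """Steps 2 and 3, expiration and lockout, enforced at login.

    Returns "locked", "bad_password", "expired" or "ok". The lock is checked
    before the password so a locked account answers the same way for right and
    wrong guesses, which stops an attacker from using the lock as an oracle.
    """
    if acct.locked_until is not None and now < acct.locked_until:
        return "locked"
    if not hmac.compare_digest(derive(password, acct.salt), acct.digest):
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.failures = 0
            acct.locked_until = later(now, minutes=LOCKOUT_MINUTES)
            return "locked"
        return "bad_password"
    acct.failures = 0
    acct.locked_until = None
    if now - acct.changed_at > timedelta(days=MAX_AGE_DAYS):
        return "expired"   # credential is valid, but the policy forces a change before access
    return "ok"
```

The ordering inside `authenticate` is the point an auditor checks: lockout is evaluated before the password, expiration only after a correct password, so an expired credential is still a valid credential that must be rotated rather than a failed login that counts toward lockout.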

10
MCQhard

During a third-party software vendor audit, the IS auditor discovers that the vendor uses a common shared database for multiple clients and relies on application-level access controls. Which of the following is the GREATEST concern?

A.Data from different clients may be commingled and accessible.
B.The database does not encrypt data at rest.
C.The vendor does not perform regular penetration testing.
D.The vendor lacks segregation of duties among administrators.
AnswerA

Application-level access controls can be circumvented, causing data leakage between clients.

Why this answer

Option A is correct because in a shared multi-tenant database the only barrier between one client's records and another's is the vendor's application-level access-control logic. A single flaw in that layer, such as an injection or a broken authorization check, exposes every client's data at once, and the audited organization has no control over that code. Option D is less critical because segregation of duties among the vendor's administrators can be compensated for with logging, independent review and contractual controls. Option B is a weaker concern because encryption at rest protects against theft of storage media, not against an authenticated application reading the wrong tenant's rows.

Option C matters, but missing penetration tests are a gap in assurance that reinforces concern A rather than outweighing it.

11
MCQmedium

A company is implementing a new procurement system. The project team is considering using a rapid application development (RAD) methodology. Which of the following is a potential risk of using RAD?

A.Inadequate documentation
B.Reduced stakeholder involvement
C.Longer development time
D.Difficulty in prototyping
AnswerA

Speed can compromise documentation.

Why this answer

RAD prioritizes speed and iterative prototyping over formal documentation. Because the focus is on quickly delivering working software through user feedback and short development cycles, comprehensive documentation is often neglected or produced after the fact, leading to inadequate records for maintenance, auditing, and compliance.

Exam trap

The trap here is that candidates may assume RAD reduces stakeholder involvement due to its fast pace, but in reality RAD demands more frequent and active stakeholder participation to validate prototypes and provide feedback.

How to eliminate wrong answers

Option B is wrong because RAD actually increases stakeholder involvement through continuous user feedback and prototyping, not reduces it. Option C is wrong because RAD is specifically designed to shorten development time through iterative cycles and time-boxed delivery, not lengthen it. Option D is wrong because prototyping is a core strength of RAD, not a difficulty; RAD relies on rapid prototyping to refine requirements and validate functionality.

12
Matchingmedium

Match each encryption key type to its usage.

Same key for encrypt and decrypt

Public/private key pair

Temporary key for a session

Kept secret by owner

Why these pairings

Symmetric key: the same key encrypts and decrypts, so both parties must already share it. Asymmetric key: a public/private key pair, where data encrypted with the public key is decrypted with the private key (and signatures made with the private key are verified with the public key). Session key: a temporary, usually symmetric, key that protects a single session and is discarded afterwards so that compromise of one session does not expose others. Private key: the half of an asymmetric pair that is kept secret by its owner; its disclosure defeats every signature and every confidentiality guarantee that depends on it.

13
MCQmedium

A company is integrating a third-party payment gateway into its e-commerce platform. Which of the following is the MOST important security control to implement?

A.Implement role-based access control
B.Log all transactions
C.Validate all input from the payment gateway
D.Encrypt all data with SSL
AnswerC

Prevents injection and data corruption.

Why this answer

Option C is correct because input validation from the payment gateway is the most critical security control. The payment gateway returns data (e.g., transaction status, amount, token) that is consumed by the e-commerce platform. Without strict validation, an attacker could inject malicious payloads (e.g., SQL injection, XSS) via manipulated gateway responses, leading to data breaches or unauthorized transactions.

This control directly prevents injection attacks at the integration boundary.

Exam trap

The trap here is that candidates often choose encryption (SSL/TLS) as the most important control because it is a well-known security measure, but they overlook that encryption does not validate the trustworthiness of the decrypted data, which is the primary risk when integrating with an external system.

How to eliminate wrong answers

Option A is wrong because role-based access control (RBAC) manages internal user permissions but does not protect against malicious data arriving from the external payment gateway. Option B is wrong because logging transactions is a detective control that records events after they occur; it does not prevent an attack from exploiting unvalidated input. Option D is wrong because encrypting data with SSL/TLS protects data in transit between the e-commerce platform and the payment gateway, but it does not validate the content of the data received; an encrypted malicious payload is still malicious.
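As an added example that is not code from the original page or from any real payment provider, the handler below shows what "validate all input from the payment gateway" looks like in practice: first authenticate the callback, then validate its content against the shop's own record of the order. The header names, the signature scheme (HMAC-SHA256 over "<timestamp>.<raw body>"), the field names, the order book, the clock and the secret are all assumptions constructed for illustration; a real integration follows the provider's documented scheme.

```python
"""Added example, not code from the original quiz page or from any real gateway:
validating a payment-gateway callback before the shop acts on it. Header names,
signature scheme, field names, order book, clock and secret are assumptions
constructed for illustration."""
from __future__ import annotations

import hashlib
import hmac
import json
import re
from decimal import Decimal, InvalidOperation

SHARED_SECRET = b"constructed-webhook-secret"  # assumed: issued by the gateway out of band
MAX_SKEW_SECONDS = 300                         # assumed replay window
NOW = 1_700_000_000                            # constructed clock (Unix seconds)
ALLOWED_STATUS = {"approved", "declined"}
TXN_ID_RE = re.compile(r"^txn_[A-Za-z0-9]{8,32}$")
ORDER_ID_RE = re.compile(r"^ord_[0-9]{1,12}$")
# Constructed order book: what the shop itself recorded before handing off to the gateway.
ORDERS = {"ord_1001": {"amount": Decimal("49.99"), "currency": "USD"}}


def sign(body: bytes, timestamp: int, secret: bytes = SHARED_SECRET) -> str:
    """The gateway's side of the assumed scheme: tag = HMAC-SHA256(secret, "<ts>.<body>")."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def make_headers(body: bytes, timestamp: int, secret: bytes = SHARED_SECRET) -> dict:
    return {"X-Gateway-Timestamp": str(timestamp), "X-Gateway-Signature": sign(body, timestamp, secret)}


def verify_signature(body: bytes, headers: dict, now: int, secret: bytes = SHARED_SECRET) -> str | None:
    """Authenticity first: reject anything not provably from the gateway and recent."""
    try:
        ts = int(headers.get("X-Gateway-Timestamp", ""))
    except ValueError:
        return "missing or malformed timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return "timestamp outside replay window"
    if not hmac.compare_digest(sign(body, ts, secret), headers.get("X-Gateway-Signature", "")):
        return "signature mismatch"
    return None


def validate_payload(body: bytes) -> tuple[dict | None, str | None]:
    """Content second: an authentic message can still carry hostile or inconsistent data."""
    try:
        data = json.loads(body)
    except ValueError:
        return None, "body is not valid JSON"
    if not isinstance(data, dict):
        return None, "body is not a JSON object"
    missing = {"order_id", "transaction_id", "status", "amount", "currency"} - data.keys()
    if missing:
        return None, f"missing fields: {sorted(missing)}"
    if not isinstance(data["order_id"], str) or not ORDER_ID_RE.match(data["order_id"]):
        return None, "order_id has unexpected format"
    if not isinstance(data["transaction_id"], str) or not TXN_ID_RE.match(data["transaction_id"]):
        return None, "transaction_id has unexpected format"
    if data["status"] not in ALLOWED_STATUS:
        return None, "status not in allowed set"
    order = ORDERS.get(data["order_id"])
    if order is None:
        return None, "unknown order_id"
    try:
        amount = Decimal(str(data["amount"]))   # str() so floats, bools and objects all go through one parser
    except InvalidOperation:
        return None, "amount is not numeric"
    # Never let the gateway's amount or currency override the shop's own record.
    if amount != order["amount"] or data["currency"] != order["currency"]:
        return None, "amount or currency does not match the order"
    return {"order_id": data["order_id"], "transaction_id": data["transaction_id"],
            "status": data["status"], "amount": amount, "currency": data["currency"]}, None


def handle_callback(body: bytes, headers: dict, now: int = NOW) -> tuple[bool, str]:
    """Returns (accepted, reason); only an accepted result may update order state."""
    err = verify_signature(body, headers, now)
    if err:
        return False, err
    data, err = validate_payload(body)
    if err:
        return False, err
    return True, f"{data['order_id']} {data['status']}"
```

Two design points match the explanation above: the signature check proves who sent the message but says nothing about whether its fields are sane, so a format and consistency check follows it, and the amount is compared against the shop's own record rather than trusted from the response, which closes the "pay 0.01, receive a 49.99 order" class of tampering even when the message is authentic.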

14
MCQmedium

Refer to the exhibit. An IS auditor finds this bucket policy attached to an S3 bucket storing sensitive customer data. What should the auditor recommend?

A.Change the Resource to a different bucket.
B.Remove the Action "s3:GetObject" and add "s3:PutObject".
C.Encrypt the bucket at rest.
D.Restrict the principal to specific IAM roles or users.
AnswerD

The policy grants public read access; principal should be limited.

Why this answer

The bucket policy grants access to any principal ("Principal": "*"), meaning any AWS user or anonymous user can perform the allowed actions on the bucket. For a bucket storing sensitive customer data, this is a critical security risk. Restricting the principal to specific IAM roles or users (Option D) ensures only authorized identities can access the bucket, aligning with the principle of least privilege.

Exam trap

The trap here is that candidates often focus on the actions or resource fields, overlooking the fact that the "Principal": "*" is the most critical security flaw, as it allows any entity to invoke the permitted actions.

How to eliminate wrong answers

Option A is wrong because changing the Resource to a different bucket does not address the overly permissive principal; it merely moves the vulnerability to another bucket. Option B is wrong because removing 's3:GetObject' and adding 's3:PutObject' would still leave the bucket open to any principal, and it would also remove read access while introducing write access, which could lead to data corruption or unauthorized uploads. Option C is wrong because encrypting the bucket at rest protects data confidentiality if the data is accessed, but it does not prevent unauthorized access; encryption is a defense-in-depth measure, not a substitute for access control.
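The exhibit is not reproduced on this page, so the following is an added example rather than the policy the question refers to: a small checker that flags the weakness the answer describes, an Allow statement whose Principal is "*" (or {"AWS": "*"}) with no condition narrowing who "anyone" is, shown against a corrected policy that names a specific role. The bucket name, account ID and role name are constructed placeholders, and the list of narrowing condition keys is an assumption to extend as needed.

```python
"""Added example, not from the original page: a checker for the weakness the
question describes, a bucket policy whose Principal is "*". Both policies are
constructed for illustration; bucket name, account ID and role name are placeholders."""
from __future__ import annotations

import json

# Condition keys that scope a wildcard principal down to something narrower than "anyone".
# Assumed list; aws:SecureTransport is deliberately absent because it restricts *how*, not *who*.
NARROWING_CONDITION_KEYS = {
    "aws:principalorgid", "aws:principalarn", "aws:sourcearn", "aws:sourcevpce", "aws:sourcevpc",
}

WEAK_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-customer-data/*"
  }]
}"""

FIXED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "ReaderRoleOnly",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/CustomerDataReader"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-customer-data/*"
  }]
}"""


def _as_list(value) -> list:
    """IAM allows a string or a list in most fields; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_wildcard(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for values in principal.values() for p in _as_list(values))
    return False


def has_narrowing_condition(statement: dict) -> bool:
    for key_values in statement.get("Condition", {}).values():
        if any(key.lower() in NARROWING_CONDITION_KEYS for key in key_values):
            return True
    return False


def find_public_statements(policy_json: str) -> list[dict]:
    """Return one finding per Allow statement that grants to an unbounded set of principals."""
    policy = json.loads(policy_json)
    findings = []
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        if "NotPrincipal" in st:
            # Allow + NotPrincipal grants to everyone except the listed identities.
            findings.append({"sid": st.get("Sid"), "reason": "Allow with NotPrincipal", "actions": actions})
        elif principal_is_wildcard(st.get("Principal")) and not has_narrowing_condition(st):
            findings.append({"sid": st.get("Sid"),
                             "reason": "wildcard Principal without a narrowing condition",
                             "actions": actions})
    return findings


def recommend(policy_json: str) -> str:
    findings = find_public_statements(policy_json)
    if not findings:
        return "No public statements found; confirm the named principals are the intended ones."
    sids = ", ".join(str(f["sid"]) for f in findings)
    return (f"Statement(s) {sids} grant {sorted({a for f in findings for a in f['actions']})} to any principal. "
            "Restrict Principal to the specific IAM roles or users that need access.")
```

Running `recommend(WEAK_POLICY)` points at the `PublicRead` statement and its `s3:GetObject` grant, while `FIXED_POLICY` produces no finding; the checker also treats `Allow` with `NotPrincipal` as public, a less obvious way to reach the same exposure. This replicates the logic of the question rather than any AWS tool, so treat it as a screening aid, not a substitute for S3 Block Public Access or IAM Access Analyzer.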

15
MCQeasy

A project manager is selecting a development methodology for a project with well-defined requirements and low uncertainty. Which methodology is most appropriate?

A.Waterfall
B.Agile
C.Rapid Application Development (RAD)
D.Spiral
AnswerA

Waterfall works well with well-defined, stable requirements and low uncertainty.

Why this answer

Waterfall is the most appropriate methodology for projects with well-defined requirements and low uncertainty because it follows a linear, sequential approach where each phase (requirements, design, implementation, verification, maintenance) must be completed before the next begins. This structure minimizes risk when requirements are stable and unlikely to change, ensuring thorough documentation and predictable outcomes. In contrast, iterative or adaptive methods would introduce unnecessary complexity and overhead for such a deterministic project.

Exam trap

The trap here is that candidates often assume Agile is always the 'modern' or 'best' choice, but the CISA exam tests the principle that methodology selection must match project characteristics—specifically, Waterfall is optimal when requirements are fixed and uncertainty is low, not when adaptability is needed.

How to eliminate wrong answers

Option B (Agile) is wrong because Agile is designed for projects with high uncertainty and evolving requirements, emphasizing iterative development and customer collaboration, which would be inefficient and over-engineered for well-defined, low-uncertainty projects. Option C (Rapid Application Development) is wrong because RAD relies on prototyping and iterative user feedback, which is suited for projects with unclear requirements or high user involvement, not for those with already stable and clear specifications. Option D (Spiral) is wrong because Spiral is a risk-driven model that incorporates iterative prototyping and risk analysis, making it ideal for large, complex, or high-risk projects, but unnecessary and overly complex for low-uncertainty, well-defined projects.

16
MCQmedium

An organization is implementing a custom ERP system. During user acceptance testing (UAT), critical bugs are found that affect core financial processing. The project sponsor suggests deploying the system on schedule and fixing bugs after go-live. What is the BEST course of action?

A.Delay go-live until all critical bugs are resolved and UAT is successfully completed
B.Go live as planned and fix bugs post-implementation
C.Accept the bugs with documented risk acceptance from management
D.Go live but include a rollback plan and deploy fixes immediately
AnswerA

UAT must be successfully completed before go-live for critical systems.

Why this answer

The correct answer is A because deploying an ERP system with unresolved critical bugs in core financial processing violates the fundamental principle of system integrity and accuracy. UAT must be successfully completed to validate that the system meets business requirements and processes financial transactions correctly; going live with known critical defects introduces unacceptable risk of financial misstatement, regulatory non-compliance, and data corruption. Delaying go-live ensures that all critical bugs are resolved and retested, preserving the reliability of financial data and audit trails.

Exam trap

The trap here is that candidates may confuse 'risk acceptance' (Option C) as a valid management decision, but in the context of critical financial processing bugs, ISACA standards require resolution before go-live because accepted risks cannot ensure the integrity of financial data and auditability.

How to eliminate wrong answers

Option B is wrong because going live as planned with known critical bugs in core financial processing directly contradicts the ISACA requirement that UAT must be successfully completed before production deployment; post-implementation fixes cannot guarantee data integrity for transactions processed in the interim. Option C is wrong because risk acceptance from management does not override the technical necessity of resolving critical bugs that affect financial processing accuracy; accepted risks still expose the organization to potential financial loss, audit failures, and regulatory penalties. Option D is wrong because including a rollback plan and deploying fixes immediately does not address the fact that critical bugs will corrupt financial data from the moment of go-live; rollback only restores the previous state, it does not prevent the initial corruption, and immediate fixes cannot retroactively correct already-processed transactions.

17
MCQmedium

During a system deployment, the above error occurs. What is the MOST likely cause?

A.Incorrect server name in connection string
B.Invalid password
C.Database service not running on the server
D.Firewall blocking the database port
AnswerD

A firewall may be blocking the default SQL Server port (1433), preventing the connection.

Why this answer

The error message (not shown but implied from context) typically indicates a network-level connectivity failure, such as 'cannot connect to server' or 'connection timed out'. A firewall blocking the database port (e.g., TCP 1433 for SQL Server, 3306 for MySQL, 1521 for Oracle) is the most likely cause because it prevents the application from establishing a TCP handshake with the database server, even if the server name, password, and database service are all correct.

Exam trap

The trap here is that candidates confuse a 'connection refused' error (service not running) with a 'timeout' error (firewall block), but CISA expects you to recognize that a firewall block produces no response, leading to a timeout, whereas a stopped service produces an immediate RST.

How to eliminate wrong answers

Option A is wrong because an incorrect server name in the connection string would produce a 'hostname not found' or 'unknown server' error, not a generic connectivity failure. Option B is wrong because an invalid password would result in an 'authentication failed' or 'login failed' error after the TCP connection is successfully established. Option C is wrong because if the database service is not running, the client would receive a 'connection refused' (RST) response from the server's TCP stack, which is a distinct error from a firewall block (no response or timeout).
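The distinction the explanation draws (name does not resolve, connection refused, silent timeout, handshake completed) can be observed directly with a socket probe. The following is an added example, not code from the original page: it classifies the TCP-level symptom for a host and port and maps it to the most likely cause in the question's terms. The mapping table is an assumption stated in the question's own vocabulary, and the two helper functions create a closed and a listening loopback port so the example runs offline.

```python
"""Added example, not from the original question: a probe that reproduces the
distinction the explanation draws, 'connection refused' from a reachable host
with no listener versus a silent timeout from a filtered port. The cause table
is an assumption phrased in the question's terms."""
from __future__ import annotations

import socket

# Assumed mapping from TCP-level symptom to the most likely cause, in the terms the question uses.
LIKELY_CAUSE = {
    "dns_failure": "incorrect server name in the connection string (name does not resolve)",
    "refused": "host reachable but nothing listening on that port (database service not running)",
    "timeout": "no TCP response at all, typical of a firewall silently dropping the port",
    "unreachable": "routing problem: no path to the host or network",
    "open": "TCP handshake completed; a later 'login failed' is an authentication problem, not a network one",
}


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify what happens when a TCP connection to host:port is attempted."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns_failure"
    family, socktype, proto, _canon, addr = infos[0]
    with socket.socket(family, socktype, proto) as s:
        s.settimeout(timeout)
        try:
            s.connect(addr)
        except ConnectionRefusedError:   # RST came back: host is up, port is closed
            return "refused"
        except socket.timeout:           # nothing came back: typical of a filtering firewall
            return "timeout"
        except OSError:                  # e.g. ENETUNREACH / EHOSTUNREACH: routing, not filtering
            return "unreachable"
    return "open"


def diagnose(host: str, port: int, timeout: float = 2.0) -> tuple[str, str]:
    symptom = probe(host, port, timeout)
    return symptom, LIKELY_CAUSE[symptom]


def closed_local_port() -> int:
    """Bind an ephemeral loopback port and release it, so a connect to it is refused."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def listening_local_port() -> tuple[socket.socket, int]:
    """Open a real listener so the probe sees a completed handshake; caller closes the socket."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    print(diagnose("127.0.0.1", closed_local_port()))   # ('refused', ...)
    srv, port = listening_local_port()
    try:
        print(diagnose("127.0.0.1", port))               # ('open', ...)
    finally:
        srv.close()
```

Run against the real database host (for example `diagnose("db.example.internal", 1433)`) the probe separates the four options in the question before anyone looks at the connection string or the password: `refused` points at the service, `timeout` at a firewall or security group, `dns_failure` at the server name, and `open` means the network path is fine and the fault lies in authentication or the database itself.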

18
MCQmedium

An organization is evaluating a vendor for a custom application development. The vendor states they are assessed at CMMI Level 2 (Managed). Which of the following best describes the implication of this rating?

A.The vendor's processes are defined and tailored from organization-wide standards.
B.The vendor's processes are continuously improved through quantitative feedback.
C.The vendor has a quantitatively managed process with statistical control.
D.The vendor's projects have a basic project management process that is planned and executed.
AnswerD

CMMI Level 2 (Managed) indicates that projects have established basic project management processes that are planned, performed, measured, and controlled.

Why this answer

CMMI Level 2 (Managed) indicates that the vendor has established basic project management processes to plan, execute, monitor, and control projects. This means projects are managed according to documented plans, with defined requirements, project planning, and configuration management, but processes are not yet standardized across the organization. Option D correctly captures this foundational level of process maturity.

Exam trap

The trap here is confusing CMMI Level 2 (Managed) with Level 3 (Defined) or Level 4 (Quantitatively Managed), leading candidates to select options that describe higher maturity levels where processes are standardized or statistically controlled.

How to eliminate wrong answers

Option A is wrong because it describes CMMI Level 3 (Defined), where processes are standardized and tailored from organization-wide standards, not Level 2. Option B is wrong because it describes CMMI Level 5 (Optimizing), where processes are continuously improved through quantitative feedback and innovation. Option C is wrong because it describes CMMI Level 4 (Quantitatively Managed), where processes are measured and controlled using statistical and quantitative techniques.

19
MCQhard

An organization is adopting agile development methodology. Which control is MOST critical to ensure security is integrated?

A.Penetration testing before release
B.Including security stories in the product backlog
C.Code reviews after each sprint
D.Security requirements defined at project initiation
AnswerB

Security stories ensure security is addressed in each iteration.

Why this answer

In agile development, security must be continuously integrated into each iteration. Including security stories in the product backlog ensures that security tasks are prioritized, estimated, and addressed during each sprint, making security an inherent part of the development lifecycle rather than an afterthought. This aligns with the principle of 'shifting left' on security, where controls are applied as early as possible.

Exam trap

The trap here is that candidates often choose 'Security requirements defined at project initiation' (Option D) because it sounds like early planning, but in agile, requirements must be continuously refined and added to the backlog, not locked in at the start.

How to eliminate wrong answers

Option A is wrong because penetration testing before release is a point-in-time validation that occurs late in the cycle and does not ensure security is integrated throughout development; it can miss vulnerabilities introduced after the test. Option C is wrong because code reviews after each sprint, while valuable for quality, are reactive and may not cover all security aspects (e.g., architecture, threat modeling) that need to be planned as backlog items. Option D is wrong because security requirements defined only at project initiation are static and do not adapt to evolving threats or changes in agile iterations; they must be continuously refined and added as backlog items.

20
MCQeasy

A company is developing a custom application. During the requirements phase, the project manager documents that the system must encrypt all sensitive data at rest. Which of the following is the BEST control to ensure this requirement is met throughout the development lifecycle?

A.Perform static code analysis on the final code.
B.Create a requirements traceability matrix (RTM).
C.Conduct a post-implementation security review.
D.Deploy a database activity monitoring tool.
AnswerB

RTM ensures encryption requirement is addressed in design, testing, and deployment.

Why this answer

A requirements traceability matrix (RTM) links each requirement to corresponding design, development, and testing artifacts. By mapping the encryption-at-rest requirement to specific code modules, configuration settings, and test cases, the RTM ensures that the control is implemented and verified at every stage of the lifecycle, not just at the end. This makes it the best proactive control for continuous compliance throughout development.

Exam trap

The trap here is that candidates often choose static code analysis (A) because it seems technical and security-focused, but they overlook that it only checks the final code and cannot enforce lifecycle-wide traceability of requirements.

How to eliminate wrong answers

Option A is wrong because static code analysis only checks the final source code for vulnerabilities, but it cannot verify that the encryption requirement was consistently addressed during design, implementation, and testing phases; it is a point-in-time check. Option C is wrong because a post-implementation security review occurs after deployment, which is too late to ensure the requirement was met throughout the development lifecycle; it is reactive, not preventive. Option D is wrong because a database activity monitoring tool monitors runtime access and queries, but it does not enforce or verify that encryption-at-rest is implemented correctly in the application code or database schema during development.
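What "tracing the encryption-at-rest requirement through design, implementation and test" looks like in practice, as an added example that is not part of the question bank: the requirement identifiers, artifact identifiers and lifecycle stage names below are constructed sample data, and the gap and verification checks are this example's own convention rather than any standard RTM tool.

```python
"""Requirements traceability matrix (RTM) coverage check.

Added example (not from the question bank): given requirements and the
lifecycle artifacts that claim to satisfy them, it builds the matrix and
reports which requirements lack coverage at which stage. Requirement and
artifact identifiers below are constructed sample data.
"""

LIFECYCLE_STAGES = ("design", "implementation", "test")

# Constructed sample: security requirements captured in the requirements phase.
REQUIREMENTS = {
    "SEC-001": "All sensitive data must be encrypted at rest",
    "SEC-002": "Encryption keys must be stored in a managed key vault",
    "SEC-003": "Administrative access must require MFA",
}

# Constructed sample: artifacts produced later, each tagged with the
# requirements it covers. Test artifacts also carry their latest result.
ARTIFACTS = [
    {"id": "DES-07", "stage": "design", "covers": ["SEC-001", "SEC-002"]},
    {"id": "DES-09", "stage": "design", "covers": ["SEC-003"]},
    {"id": "MOD-storage-crypto", "stage": "implementation", "covers": ["SEC-001"]},
    {"id": "MOD-kms-client", "stage": "implementation", "covers": ["SEC-002"]},
    {"id": "TC-118", "stage": "test", "covers": ["SEC-001"], "result": "pass"},
    {"id": "TC-122", "stage": "test", "covers": ["SEC-002"], "result": "fail"},
    # SEC-003 has a design artifact but no implementation or test artifact yet.
]


def build_rtm(requirements, artifacts, stages=LIFECYCLE_STAGES):
    """Map requirement id -> stage -> list of artifact ids that trace to it."""
    rtm = {req: {stage: [] for stage in stages} for req in requirements}
    for artifact in artifacts:
        if artifact["stage"] not in stages:
            raise ValueError(f"unknown lifecycle stage: {artifact['stage']}")
        for req in artifact["covers"]:
            if req not in rtm:
                # An artifact pointing at an unknown requirement is itself a
                # finding: it may be scope creep or a broken trace link.
                raise KeyError(f"{artifact['id']} traces to unknown requirement {req}")
            rtm[req][artifact["stage"]].append(artifact["id"])
    return rtm


def coverage_gaps(rtm):
    """Return (requirement, stage) pairs with no tracing artifact."""
    return [(req, stage) for req, row in rtm.items()
            for stage, ids in row.items() if not ids]


def unverified_requirements(rtm, artifacts):
    """Requirements that have test artifacts but not all of them have passed."""
    results = {a["id"]: a.get("result") for a in artifacts if a["stage"] == "test"}
    return sorted(req for req, row in rtm.items()
                  if row["test"] and any(results[t] != "pass" for t in row["test"]))


if __name__ == "__main__":
    matrix = build_rtm(REQUIREMENTS, ARTIFACTS)
    for req, row in matrix.items():
        print(req, row)
    print("coverage gaps:", coverage_gaps(matrix))
    print("tests not yet passing:", unverified_requirements(matrix, ARTIFACTS))
```

Run as a script, the matrix shows SEC-001 traced end to end, while the gap report flags SEC-003 as having no implementation or test artifact and the verification report flags SEC-002 because its test case has not passed. That per-stage visibility, produced while development is still under way, is the lifecycle-wide traceability that a final static scan alone cannot give.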

21
MCQeasy

Which of the following is the BEST control to ensure that system changes are authorized?

A.Change advisory board approval
B.Audit trail of all changes
C.Segregation of duties between developers and operators
D.Version control system
AnswerA

The CAB formally authorizes changes based on impact assessment.

Why this answer

The change advisory board (CAB) is the primary control for authorizing system changes because it provides a formal, documented approval process before any change is implemented. This ensures that changes are reviewed by stakeholders with appropriate authority, reducing the risk of unauthorized or poorly planned modifications. Without CAB approval, there is no definitive authorization step, making it the best control for ensuring authorization.

Exam trap

The trap here is that candidates often confuse detective controls (audit trails) or technical controls (version control) with the governance-based authorization control (CAB approval), leading them to select a control that records or manages changes rather than one that formally authorizes them.

How to eliminate wrong answers

Option B is wrong because an audit trail of all changes is a detective control that records changes after they occur, not a preventive control that ensures authorization beforehand. Option C is wrong because segregation of duties between developers and operators is a control to prevent unauthorized changes from being implemented without oversight, but it does not directly ensure that changes are authorized by a governing body. Option D is wrong because a version control system is a technical tool for managing code versions and tracking changes, but it does not enforce or verify that a change has been formally authorized by a decision-making group like the CAB.

22
MCQeasy

During a security audit, which rule poses the greatest risk?

A.Rule 20
B.Rule 30
C.None of the rules pose a risk
D.Rule 10
AnswerB

Rule 30 allows SSH from any source, posing a high risk.

Why this answer

Rule 30 is the correct answer because it is a default Cisco IOS access control list (ACL) entry that implicitly denies all IP traffic. In a security audit, an implicit deny rule at the end of an ACL poses the greatest risk if it is not explicitly configured, as it can block legitimate traffic without the administrator's awareness, leading to unintended network outages or security gaps. This risk is highest when the ACL is applied to a critical interface without a preceding permit statement for required services.

Exam trap

The trap here is that candidates often focus on the explicit rules (Rule 10 or Rule 20) and overlook the hidden implicit deny rule, which is the most dangerous because it can silently block all traffic if not accounted for.

How to eliminate wrong answers

Option A is wrong because Rule 20, if it exists in the ACL, is typically a permit or deny statement for a specific protocol or host; while it could be misconfigured, it does not inherently pose the greatest risk as it is explicit and can be reviewed. Option C is wrong because ACL rules, especially implicit deny, always pose a risk if not properly managed; stating 'none pose a risk' ignores the fundamental security principle of least privilege and the potential for blocking critical traffic. Option D is wrong because Rule 10, like Rule 20, is an explicit entry; its risk is limited to its specific match criteria and does not represent the systemic risk of an unmonitored implicit deny at the end of the ACL.

23
Multi-Selecthard

A company is developing a new financial application. Which THREE of the following are valid reasons to involve internal audit during the development phase?

Select 3 answers
A.To ensure compliance with regulatory requirements
B.To design the application architecture
C.To validate that security controls are built in
D.To approve all user requirements
E.To provide guidance on internal controls
AnswersA, C, E

Audit can review regulatory requirements and confirm they are addressed.

Why this answer

Options A, C, and E are correct because internal audit can provide assurance on compliance, internal controls, and security. Option B is incorrect because designing architecture is not an audit function. Option D is incorrect because approving requirements is a management responsibility.

24
Multi-Selecteasy

During the system development life cycle (SDLC), which THREE of the following are recognized benefits of involving internal audit early in the process?

Select 3 answers
A.Reduced need for future independent audits.
B.Lower cost of implementing controls due to early design changes.
C.Reduction in the number of system tests required.
D.Identification of potential control weaknesses before they are ingrained.
E.Enhanced assurance that controls are embedded in the system design.
AnswersB, D, E

Early changes are cheaper.

Why this answer

Option B is correct because involving internal audit early in the SDLC allows control requirements to be identified and designed into the system from the start, avoiding costly retrofits. Implementing controls during the design phase is significantly cheaper than adding them after development or deployment, as changes to code, architecture, or configuration are less disruptive and require less rework.

Exam trap

The trap here is that candidates may confuse 'reduced need for future audits' (a false benefit) with 'enhanced assurance' (a real benefit), or assume that early audit involvement reduces testing effort, when in fact it may increase the scope of validation to ensure controls are properly designed and implemented.

25
Multi-Selectmedium

Which TWO of the following are key activities in the system design phase of the SDLC?

Select 2 answers
A.Defining system architecture
B.Writing unit tests
C.Performing user acceptance testing
D.Developing data flow diagrams
E.Gathering business requirements
AnswersA, D

A design activity.

Why this answer

Defining system architecture is a key activity in the system design phase because it establishes the high-level structure of the system, including hardware, software, network components, and their interactions. This blueprint guides subsequent detailed design and implementation, ensuring alignment with functional and non-functional requirements. Without a defined architecture, the system risks integration failures and scalability issues.

Exam trap

The trap here is that candidates often confuse the system design phase with later phases like testing or earlier phases like requirements gathering, leading them to select activities such as writing unit tests or gathering business requirements as design-phase tasks.

26
MCQmedium

A company decides to outsource the development of a customer portal. Which of the following is the MOST critical control to include in the contract?

A.Service level agreements
B.Fixed price clause
C.Non-disclosure agreement
D.Termination for convenience clause
AnswerA

SLAs specify measurable performance targets and remedies for non-compliance, directly impacting business operations.

Why this answer

Service level agreements (SLAs) are the most critical control because they define measurable performance targets (e.g., uptime, response time, throughput) for the outsourced customer portal. Without enforceable SLAs, the company has no contractual mechanism to ensure the portal meets availability and responsiveness requirements, directly impacting customer experience and business operations.

Exam trap

The trap here is that candidates often choose the non-disclosure agreement (NDA) thinking data protection is paramount, but the question asks for the MOST critical control in a development contract, where performance and availability (via SLAs) are more directly tied to project success.

How to eliminate wrong answers

Option B (Fixed price clause) is wrong because it only controls cost, not quality, security, or performance; a fixed price can incentivize the vendor to cut corners on development and testing. Option C (Non-disclosure agreement) is wrong because while it protects confidential information, it does not address the operational performance or delivery of the portal itself. Option D (Termination for convenience clause) is wrong because it allows the company to exit the contract but does not ensure the portal is built correctly or meets requirements during the development lifecycle.

27
MCQmedium

A company is replacing its legacy on-premises ERP system with a cloud-based SaaS solution. The project manager is concerned about data migration risks. Which of the following is the BEST approach to mitigate data integrity issues during migration?

A.Perform data validation after migration
B.Use data transformation tools to convert formats
C.Implement data reconciliation reports post-migration
D.Run parallel processing and compare outputs
AnswerD

Enables side-by-side verification.

Why this answer

Option D is correct because running parallel processing allows the legacy and new SaaS systems to operate simultaneously, enabling real-time comparison of outputs. This approach directly validates data integrity by detecting discrepancies during migration, not after, which is critical for ERP systems where transactional accuracy is paramount.

Exam trap

The trap here is that candidates often choose post-migration validation or reconciliation (options A or C) because they seem practical, but the CISA exam emphasizes proactive controls during migration (parallel processing) over detective controls after the fact.

How to eliminate wrong answers

Option A is wrong because performing data validation only after migration introduces a delay in detecting errors, potentially allowing corrupted data to propagate into the new system without immediate correction. Option B is wrong because data transformation tools address format conversion but do not inherently verify that the transformed data retains its original meaning, relationships, or business rules, which is the core of integrity. Option C is wrong because reconciliation reports generated post-migration are reactive; they identify discrepancies after the fact but do not prevent or catch errors during the migration process itself, unlike parallel processing which provides continuous validation.

28
Multi-Selectmedium

Which TWO of the following are key controls for ensuring data privacy during system development?

Select 2 answers
A.Using real customer data for testing
B.Encrypting stored data
C.Disabling audit logs during development
D.Allowing developers unlimited access to production data
E.Data masking in test environments
AnswersB, E

Encryption provides a strong control to protect sensitive data at rest.

Why this answer

Encrypting stored data (Option B) is a key control for ensuring data privacy because it renders the data unreadable without the correct decryption key, protecting it from unauthorized access even if the storage medium is compromised. This aligns with data-at-rest protection requirements under regulations like GDPR and PCI DSS, and is a fundamental security control during system development to prevent exposure of sensitive information.

Exam trap

The trap here is that candidates may confuse 'data masking' with 'anonymization' and overlook its role as a key privacy control, or mistakenly think that using real data in test environments is acceptable if it is 'just for testing,' ignoring regulatory and ethical requirements.

29
MCQeasy

During user acceptance testing, a user with the above permission set cannot execute a fund transfer. What is the MOST likely reason?

A.Incorrect username
B.Missing Write permission for transfers
C.Network connectivity issue
D.Database connection error
AnswerB

The policy grants ReadOnly on transfers, which is insufficient to execute a transfer.

Why this answer

The user can authenticate and access the system (since they are in user acceptance testing with the given permission set), but cannot execute a fund transfer. This indicates that the user lacks the necessary Write permission for the transfer operation, which is required to modify the database record or initiate the transaction. Without Write access, the application can read data but cannot commit the transfer, causing the operation to fail.

Exam trap

The trap here is that candidates often confuse authentication (username/password) with authorization (permissions), assuming any failure to execute a function must be a network or database issue, rather than recognizing that the user is already authenticated and the problem is a missing Write permission for the specific transaction.

How to eliminate wrong answers

Option A is wrong because an incorrect username would prevent authentication entirely, not just block the transfer execution after login. Option C is wrong because a network connectivity issue would cause a broader failure (e.g., timeout or inability to load pages), not a specific permission error on a single function. Option D is wrong because a database connection error would affect all database-dependent operations, not just the transfer, and would typically produce a connection timeout or server error message.

30
MCQhard

A large financial institution is developing a new online banking platform using an Agile methodology. The development team has implemented continuous integration and continuous deployment (CI/CD) pipeline. During a routine security scan, the IS auditor discovers that a developer accidentally committed a configuration file containing database credentials into the public-facing code repository. The credentials were exposed for 48 hours before being detected. Which of the following is the most critical control failure that allowed this incident to occur?

A.The code review process did not catch the sensitive data in the commit
B.The CI/CD pipeline lacked automated secrets scanning and static application security testing (SAST)
C.The repository access permissions were too permissive
D.The security awareness training for developers was inadequate
AnswerB

Automated scanning would have detected the credentials immediately and blocked the commit or alerted the team.

Why this answer

The most critical failure is the absence of automated secrets scanning and SAST in the CI/CD pipeline. Such tools would have detected the credentials at commit time and prevented their exposure. While code review, training, and access controls are important, automated scanning acts as both a preventive and a detective control that operates at the speed of development; without it, human errors can go unnoticed. Option A (code review) is a manual process that can miss subtle commits. Option D (training) is a soft control and does not prevent the act. Option C (permissions) might reduce the scope but does not catch the initial mistake.
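The pipeline control the question says was missing, as an added example that is not code from the question bank or from any CI product: a pre-commit style check that scans staged file contents for credential patterns and blocks the commit when any are found. The detection patterns and the placeholder allow-list are this example's own heuristics, and the file names, configuration contents and credential values below are constructed sample data (the access key id is the AWS documentation example key).

```python
"""Pre-commit style secrets check for files about to be committed.

Added example (not from the question bank or any CI product): scans file
contents for credential patterns and reports whether the commit should be
blocked. File names and contents below are constructed sample data.
"""
import re

# Each pattern names the kind of secret it detects. These are this example's
# own heuristics, not a vendor's rule set.
SECRET_PATTERNS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("url-embedded-credentials", re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)),
    ("password-assignment",
     re.compile(r"(?i)\b(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]?([^\s'\"]+)")),
]

# Values that are references or obvious placeholders, not real credentials.
PLACEHOLDER = re.compile(r"^(\$\{[^}]+\}|\$[A-Z_][A-Z0-9_]*|<[^>]+>|\*{3,}|changeme|example)$", re.I)


def scan_text(path, text):
    """Return findings as (path, line_no, rule) tuples for one file's contents."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            # For key=value rules, skip environment references and placeholders
            # so that a config file that is done right does not trip the gate.
            if match.groups() and PLACEHOLDER.match(match.group(1)):
                continue
            findings.append((path, line_no, rule))
            break  # one finding per line is enough to block the commit
    return findings


def gate_commit(staged_files):
    """Decide whether a commit may proceed. staged_files maps path -> contents."""
    findings = []
    for path, text in staged_files.items():
        findings.extend(scan_text(path, text))
    return {"allowed": not findings, "findings": findings}


# Constructed sample: the kind of commit the question describes, plus a clean
# version of the same file that references the secret instead of embedding it.
LEAKED_COMMIT = {
    "config/database.yml": (
        "production:\n"
        "  host: db.internal.example\n"
        "  username: app\n"
        "  password: Sup3rS3cret!\n"        # constructed secret
    ),
    "src/app.py": "print('hello')\n",
}

CLEAN_COMMIT = {
    "config/database.yml": (
        "production:\n"
        "  host: db.internal.example\n"
        "  username: app\n"
        "  password: ${DB_PASSWORD}\n"      # injected from the secret store at deploy time
    ),
}

if __name__ == "__main__":
    for name, files in (("leaked", LEAKED_COMMIT), ("clean", CLEAN_COMMIT)):
        print(name, gate_commit(files))
```

Wired into a pre-commit hook or the first pipeline stage, the gate turns the 48-hour exposure window in the scenario into a rejected commit. The placeholder allow-list matters as much as the patterns: a scanner that blocks `${DB_PASSWORD}` teaches developers to bypass it.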

31
MCQhard

An organization is developing a critical application using an agile methodology. The project sponsor demands frequent deliveries but the development team is concerned about insufficient testing. Which of the following BEST mitigates this risk?

A.Deploy with known defects and fix them in the next sprint
B.Increase manual testing effort at the end of each sprint
C.Extend the release cycle to allow more time for testing
D.Implement continuous integration and automated testing
AnswerD

CI and automated testing enable fast feedback and maintain quality, supporting frequent releases.

Why this answer

Option D is correct because continuous integration (CI) and automated testing enable frequent, reliable code integration and immediate feedback on defects, directly addressing the tension between rapid delivery and insufficient testing. Automated tests run on every commit, catching regressions early without manual overhead, which is essential for agile sprints where manual testing alone cannot scale to match delivery velocity.

Exam trap

The trap here is that candidates may choose Option B (increase manual testing) because they equate 'more testing' with 'better quality,' failing to recognize that manual testing cannot keep pace with agile's rapid delivery cycles and that automation is the only scalable solution to integrate testing into every iteration.

How to eliminate wrong answers

Option A is wrong because deploying known defects increases technical debt and risk in production, violating the principle of maintaining a shippable increment in agile and potentially causing cascading failures. Option B is wrong because increasing manual testing at the end of each sprint creates a bottleneck, contradicts the agile goal of continuous testing, and does not scale with frequent deliveries, leading to delayed feedback and incomplete coverage. Option C is wrong because extending the release cycle undermines the project sponsor's demand for frequent deliveries and does not solve the root cause of insufficient testing; it merely postpones risk rather than mitigating it through automation.

32
MCQmedium

An IT auditor is evaluating the change management process for a financial trading system. Which of the following is the BEST indicator of a mature change management process?

A.Changes are documented after deployment
B.All changes are logged and require automated approval workflows
C.Developers can deploy changes directly to production if urgent
D.Changes are approved verbally by the IT manager
AnswerB

Provides control and traceability.

Why this answer

Option B is correct because a mature change management process requires that all changes be formally logged and subjected to automated approval workflows. This ensures traceability, segregation of duties, and auditability, which are critical for a financial trading system where unauthorized or untracked changes could lead to financial loss or regulatory non-compliance.

Exam trap

The trap here is that candidates may confuse 'efficiency' (e.g., allowing direct deployment for urgent changes) with 'maturity,' but mature processes prioritize control and auditability over speed, especially in high-risk systems like financial trading platforms.

How to eliminate wrong answers

Option A is wrong because documenting changes after deployment violates the principle of proactive control; changes should be approved and documented before deployment to prevent unauthorized or untested modifications. Option C is wrong because allowing developers to deploy changes directly to production bypasses all change control gates, increasing the risk of introducing errors or security vulnerabilities without review. Option D is wrong because verbal approvals lack an audit trail and are not verifiable, making them unsuitable for a regulated financial environment where every change must be recorded and traceable.

33
MCQmedium

An organization is transitioning from a waterfall to an agile development methodology. Which of the following is a key risk that the IS auditor should highlight?

A.User requirements may be incomplete at the start.
B.Testing is deferred until the end of the project.
C.Stakeholder involvement may decrease.
D.Scope creep may increase without proper controls.
AnswerD

Agile's iterative nature can lead to uncontrolled scope expansion if not managed.

Why this answer

In agile development, iterative cycles and continuous feedback can lead to scope creep if changes are not managed through a disciplined backlog prioritization process. Unlike waterfall, where scope is fixed early, agile's flexibility requires robust controls (e.g., sprint boundaries, product owner authority) to prevent uncontrolled expansion. An IS auditor should highlight this risk because without proper governance, the project may exceed budget and timeline despite agile's adaptive nature.

Exam trap

The trap here is that candidates mistakenly think agile eliminates scope creep entirely, when in fact its flexibility requires even stronger controls to prevent uncontrolled expansion, especially during the transition from waterfall.

How to eliminate wrong answers

Option A is wrong because incomplete user requirements at the start are an accepted characteristic of agile, not a key risk; agile embraces evolving requirements through iterative refinement. Option B is wrong because agile integrates testing continuously throughout each sprint (e.g., test-driven development), not deferred to the end. Option C is wrong because agile explicitly requires high stakeholder involvement (e.g., daily stand-ups, sprint reviews, product owner role), so decreased involvement would violate core agile principles.

34
MCQmedium

A company is outsourcing software development. What is the IS auditor's PRIMARY concern?

A.The vendor's development methodology
B.Protection of intellectual property and data
C.The vendor's financial stability
D.Compliance with service level agreements
AnswerB

Data protection is the highest risk in outsourcing.

Why this answer

Option B is correct because protection of intellectual property and data is a critical risk when outsourcing. Financial stability, methodology, and SLA compliance are important but secondary to data protection.

35
MCQmedium

What is the primary control weakness in this IAM policy?

A.Over-privileged access
B.No encryption requirement
C.MFA not required
D.Lack of logging
AnswerA

The role has broad access to all objects without conditions.

Why this answer

The IAM policy grants broad permissions (e.g., `"Effect": "Allow", "Action": "*", "Resource": "*"`) without scoping to specific actions or resources, violating the principle of least privilege. This over-privileged access allows any authenticated principal to perform any operation (including destructive actions like `iam:DeleteRole` or `s3:DeleteBucket`) across all resources, creating a severe security risk. The primary weakness is the lack of fine-grained access control, not the absence of encryption, MFA, or logging.

Exam trap

The trap here is that candidates often focus on missing security features like encryption or MFA, but the CISA exam emphasizes that the most critical IAM weakness is granting excessive permissions (over-privileged access) rather than missing optional controls.

How to eliminate wrong answers

Option B is wrong because encryption requirements (e.g., `s3:x-amz-server-side-encryption` condition key) are data protection controls, not identity-based access controls; the policy's core flaw is excessive permissions, not missing encryption. Option C is wrong because MFA (multi-factor authentication) is an additional authentication layer enforced via `aws:MultiFactorAuthPresent` condition keys, but the policy's primary weakness is the overly permissive `Action: *` and `Resource: *`, not the lack of MFA. Option D is wrong because logging (e.g., AWS CloudTrail) is an audit control that records actions after they occur, but it does not prevent the underlying over-privileged access; the policy itself lacks proper authorization boundaries.
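A least-privilege review of the kind of policy this question describes, as an added example that is not part of the question bank: the weak policy document mirrors the `"Action": "*", "Resource": "*"` grant quoted above, the scoped alternative (bucket name assumed) shows what narrowing it looks like, and the finding names and severity labels are this example's own convention. It also handles `NotAction`, which grants everything except the listed actions and is therefore treated as unscoped.

```python
"""Least-privilege check for an AWS IAM policy document.

Added example (not from the question bank): flags Allow statements whose
action or resource is a wildcard. Policy documents below are constructed;
the bucket name in the scoped policy is an assumption.
"""
import json

# Constructed: the over-privileged policy the question describes.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}
    ],
})

# Constructed: a scoped alternative for the same workload (assumed bucket name),
# with an MFA condition as an additional narrowing of the grant.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-app-bucket/*",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }
    ],
})


def _as_list(value):
    """IAM allows a string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard(action):
    """'*' or a service-wide wildcard such as 's3:*' counts as unscoped."""
    return action == "*" or action.endswith(":*")


def review_policy(policy_json):
    """Return findings (dicts) for Allow statements that are over-privileged.

    A statement is flagged when it grants a wildcard action, a wildcard
    resource, or both. Any Condition is recorded so a reviewer can judge
    whether it narrows the grant. Deny statements are never flagged.
    """
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        wild_actions = [a for a in _as_list(stmt.get("Action")) if _is_wildcard(a)]
        if "NotAction" in stmt:
            # "NotAction" allows everything except the listed actions.
            wild_actions.append("NotAction")
        wild_resources = [r for r in _as_list(stmt.get("Resource")) if r == "*"]
        if not (wild_actions or wild_resources):
            continue
        if wild_actions and wild_resources:
            severity = "critical"   # any action on any resource
        elif wild_actions:
            severity = "high"       # any action, but on named resources
        else:
            severity = "medium"     # named actions, but on every resource
        findings.append({
            "statement": index,
            "severity": severity,
            "wildcard_actions": wild_actions,
            "wildcard_resources": wild_resources,
            "has_condition": "Condition" in stmt,
        })
    return findings


def is_least_privilege(policy_json):
    """True when no Allow statement uses an unscoped action or resource."""
    return not review_policy(policy_json)


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, json.dumps(review_policy(doc), indent=2))
```

The check answers the question's ranking directly: the weak policy produces a critical finding whether or not an MFA condition or CloudTrail logging is present, because neither changes what the grant allows, while the scoped policy produces none.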

36
MCQmedium

An organization is considering outsourcing its IT infrastructure management. Which of the following is the MOST important factor to include in the service level agreement (SLA)?

A.Definition of key performance indicators (KPIs) and reporting frequency.
B.List of hardware and software to be managed.
C.Staffing levels and qualifications of vendor personnel.
D.Price reduction clauses for non-compliance.
AnswerA

KPIs provide objective measures for performance evaluation.

Why this answer

Option A is correct because clear metrics and reporting are essential to measure vendor performance. Option B is important but not the most critical; C and D are operational details that can be addressed separately.

37
MCQhard

A large financial institution is implementing a new core banking system to replace a legacy system. The project has been underway for 18 months and is behind schedule. User acceptance testing (UAT) has revealed significant data integrity issues, including missing customer records and incorrect interest calculations. The project manager, under pressure from senior management to meet a regulatory deadline, proposes going live with a promise to fix the issues in a post-implementation phase. The development team has been making ad hoc code changes directly in the test environment without version control or proper testing. Additionally, the IS auditor discovers that the business requirements were never formally signed off by the user community; only verbal approvals were obtained. The project has consumed 90% of the budget but only 60% of the functionality is tested. Which of the following is the BEST course of action for the IS auditor to recommend?

A.Allow the go-live with a formal post-implementation support plan and a dedicated team to address defects.
B.Recommend halting the go-live until the business requirements are formally signed off and UAT is completed successfully with all critical defects resolved.
C.Suggest a phased go-live, releasing the tested modules to production while continuing development on the remaining modules.
D.Escalate the issues to the board of directors and recommend immediate termination of the project.
AnswerB

This addresses root causes: lack of formal sign-off and unresolved defects, ensuring a controlled implementation.

Why this answer

Option B is correct because the project lacks formal sign-off on business requirements, has unresolved critical data integrity issues, and has been making uncontrolled code changes without version control. Going live under these conditions would violate ISACA's IS acquisition and implementation standards, which require that all critical defects be resolved and UAT be successfully completed before production deployment. The regulatory deadline does not justify bypassing these fundamental controls, as post-implementation fixes cannot guarantee data integrity and could lead to regulatory penalties.

Exam trap

The trap here is that candidates may choose Option A because they think a post-implementation support plan is a pragmatic compromise, but the CISA exam emphasizes that going live with unresolved critical defects and uncontrolled code changes violates fundamental SDLC controls and ISACA's IS acquisition and implementation standards.

How to eliminate wrong answers

Option A is wrong because allowing go-live with a post-implementation support plan ignores the fact that the project has already consumed 90% of the budget with only 60% functionality tested, and the ad hoc code changes without version control indicate a lack of configuration management that would likely cause more defects in production. Option C is wrong because a phased go-live assumes that some modules are fully tested and stable, but the UAT has revealed systemic data integrity issues (missing records, incorrect interest calculations) that affect the entire system, not just untested modules, and the lack of formal requirements sign-off means even tested modules may not meet user needs. Option D is wrong because immediate termination is too drastic given that the project is 60% tested and the regulatory deadline is a real constraint; the auditor should first recommend corrective actions (formal sign-off, controlled testing, defect resolution) before considering termination.

38
Multi-Selecthard

Which TWO of the following are indicators of poor project governance that an IS auditor should identify?

Select 2 answers
A.Scope changes are frequently requested and approved verbally.
B.Project progress reports are inconsistent and lack key metrics.
C.Project team uses an agile methodology.
D.Project status meetings are held weekly.
E.The project budget is reallocated across phases.
AnswersA, B

Lack of formal change control leads to scope creep.

Why this answer

Option A is correct because verbal approval of scope changes bypasses formal change control processes, leading to undocumented scope creep, loss of audit trail, and increased risk of project failure. An IS auditor should identify this as a governance weakness because it violates the principle of documented authorization and traceability required for effective project oversight.

Exam trap

The trap here is that candidates may confuse agile methodology with poor governance, but agile includes its own governance mechanisms (e.g., sprint reviews, backlog grooming, definition of done) that, when followed, do not indicate weak oversight.

39
MCQmedium

Refer to the exhibit. An application log shows an error. What is the MOST likely cause of this error?

A.The database server is offline
B.The user does not have insert privileges
C.The data type of the username field is incorrect
D.A duplicate username was inserted into the USERS table
AnswerD

Unique constraint violation indicates duplicate value.

Why this answer

The error message 'Duplicate entry 'admin' for key 'PRIMARY'' indicates a violation of the PRIMARY KEY constraint on the USERS table. Since the username field is the primary key, inserting a second row with the same username (e.g., 'admin') causes MySQL to reject the INSERT operation with error code 1062. This is a unique constraint violation, not a connectivity or privilege issue.

Exam trap

The trap here is that candidates may confuse a duplicate key error with a privilege or connectivity issue, but the specific error code 1062 and the phrase 'Duplicate entry' directly point to a unique constraint violation, not a server or permission problem.

How to eliminate wrong answers

Option A is wrong because a database server being offline would produce a connection timeout or 'Can't connect to MySQL server' error (e.g., error 2003), not a duplicate key error. Option B is wrong because insufficient INSERT privileges would generate an 'Access denied for user' error (e.g., error 1142), not a duplicate entry error. Option C is wrong because an incorrect data type for the username field would cause a type mismatch or truncation error (e.g., error 1366 or 1406), not a duplicate key violation.

40
MCQmedium

A company is developing a mobile application that processes credit card payments. During the testing phase, which of the following types of testing is MOST critical to ensure security?

A.Interface testing.
B.Usability testing.
C.Penetration testing.
D.Regression testing.
AnswerC

Penetration testing identifies exploitable security weaknesses.

Why this answer

Penetration testing is the most critical testing type for a mobile application processing credit card payments because it simulates real-world attacks to identify exploitable vulnerabilities in the payment data flow, authentication mechanisms, and API endpoints. This directly addresses PCI DSS requirements for security testing of cardholder data environments, unlike other testing types that focus on functionality or user experience.

Exam trap

The trap here is that candidates confuse 'regression testing' or 'interface testing' with security validation, overlooking that only penetration testing actively attempts to exploit vulnerabilities in the payment processing logic and data handling.

How to eliminate wrong answers

Option A is wrong because interface testing verifies correct data exchange between system components (e.g., API request/response formats) but does not actively probe for security weaknesses like SQL injection or insecure direct object references. Option B is wrong because usability testing evaluates user experience and workflow efficiency, not the security of payment data transmission or storage. Option D is wrong because regression testing ensures new code changes do not break existing functionality, but it does not include adversarial testing to uncover new vulnerabilities introduced in the payment processing logic.

41
MCQhard

During a post-implementation review, an IS auditor identifies that the system's actual transaction processing time is significantly higher than the benchmark specified in the service level agreement (SLA). The vendor claims it is due to inadequate network bandwidth provided by the client. What should the auditor do first?

A.Review the SLA to determine responsibility for network performance
B.Recommend increasing network bandwidth
C.Escalate the issue to senior management
D.Perform independent performance testing
AnswerA

The SLA should specify who is responsible for network bandwidth.

Why this answer

Option A is correct because the auditor should first review the SLA terms to determine who is responsible for network bandwidth and to clarify the agreed performance expectations. Option B is incorrect because recommending a bandwidth increase without analysis is premature and assumes the vendor's claim is correct. Option C is incorrect because escalation is not the first step; the auditor needs the facts established by the SLA before involving senior management. Option D is incorrect because independent performance testing may be unnecessary if the SLA already clarifies responsibility.

42
MCQhard

A multinational corporation is implementing a new enterprise resource planning (ERP) system across multiple regions. The project uses a phased roll-out. After the first phase in Asia, the system experiences intermittent synchronization errors between the central database and regional servers. The IT team suspects network latency but cannot reproduce the issue consistently. The project sponsor wants to proceed with the next phase in Europe to avoid further delays. The IS auditor is performing a post-implementation review. What is the MOST appropriate recommendation?

A.Proceed with the European roll-out and monitor for similar issues.
B.Switch to a different ERP vendor that offers better cloud capabilities.
C.Conduct a thorough root cause analysis of the synchronization issue before any further roll-out.
D.Document the synchronization error as a known issue and accept the operational risk.
AnswerC

Prevent recurrence and identify systemic issues.

Why this answer

Option C is correct because the intermittent synchronization errors indicate a potential data integrity or consistency issue that must be fully understood before expanding the system's footprint. Proceeding without root cause analysis risks propagating the defect to the European phase, which could lead to widespread data corruption, increased remediation costs, and regulatory non-compliance. A thorough root cause analysis (e.g., examining network latency, transaction log replication, or database conflict resolution) is essential to ensure the ERP's distributed architecture is reliable.

Exam trap

The trap here is that candidates may choose Option A (proceed and monitor) because it seems pragmatic and avoids project delays, but the CISA exam emphasizes that unresolved control weaknesses in a post-implementation review must be addressed before expanding the system to prevent cascading failures.

How to eliminate wrong answers

Option A is wrong because proceeding with the European roll-out while only monitoring for similar issues ignores the fundamental need to resolve the existing synchronization defect; it assumes the problem is isolated to Asia, but the same network latency or configuration flaw could affect Europe. Option B is wrong because switching to a different ERP vendor is a drastic, costly, and premature response that does not address the specific technical root cause (e.g., network latency, replication protocol misconfiguration, or timeout settings) and introduces new integration risks. Option D is wrong because documenting the error as a known issue and accepting operational risk violates the principle of preventing data integrity failures; synchronization errors can cause inconsistent data across regions, leading to financial reporting errors or transaction failures, which are unacceptable in a post-implementation review.

43
MCQhard

During the user acceptance testing (UAT) phase of a new financial application, the business users report that the system calculates interest incorrectly for certain loan types. The project manager wants to fix this quickly. Which of the following is the BEST course of action?

A.Instruct the business to work around the issue until the next release
B.Authorize the development team to fix the bug immediately and re-deploy
C.Roll back to the previous version of the application
D.Log the defect and perform impact analysis before approving a fix
AnswerD

Ensures proper change management.

Why this answer

Option D is correct because in the UAT phase, any defect must be formally logged and subjected to impact analysis before a fix is approved. This ensures that the proposed change does not introduce new risks, break other functionality, or violate regulatory compliance—critical for a financial application handling interest calculations. Skipping this process could lead to cascading failures or audit findings.

Exam trap

The trap here is that candidates often choose Option B (immediate fix) because it seems efficient, but CISA emphasizes that any change during UAT must follow a controlled process to avoid introducing new risks, especially in financial systems where accuracy and auditability are paramount.

How to eliminate wrong answers

Option A is wrong because instructing business users to work around a calculation error in a financial application is unacceptable; it risks financial misstatements and violates internal control requirements. Option B is wrong because authorizing an immediate fix without impact analysis bypasses change management controls, potentially destabilizing the application and introducing new defects. Option C is wrong because rolling back to a previous version may not resolve the interest calculation issue (it could have existed before) and would discard any other validated changes, causing regression without proper analysis.

44
MCQeasy

What is the PRIMARY purpose of a post-implementation review?

A.To close the project budget and finalize costs
B.To evaluate the performance of the project team
C.To document lessons learned for future projects
D.To assess whether expected benefits were achieved
AnswerD

The post-implementation review determines if the system delivers the intended business value and helps identify areas for improvement.

Why this answer

The primary purpose of a post-implementation review (PIR) is to determine whether the system or project has delivered the expected business benefits, such as improved efficiency, cost savings, or enhanced functionality. This aligns with the IS auditor's focus on value realization and governance, ensuring that the investment achieved its intended objectives before the project is formally closed.

Exam trap

The trap here is that candidates confuse the PIR's primary purpose with the project closure process (Option A) or the team's performance evaluation (Option B), but CISA emphasizes that the review's core objective is to confirm that the system delivers the expected business value, not just to complete administrative tasks.

How to eliminate wrong answers

Option A is wrong because closing the project budget and finalizing costs is a financial closure activity that occurs during project closeout, not the primary goal of a PIR, which focuses on benefits realization. Option B is wrong because evaluating the performance of the project team is a human resource or project management task, often done during or immediately after project execution, whereas the PIR assesses the system's outcomes against business case criteria. Option C is wrong because documenting lessons learned is a secondary output of a PIR, but the primary purpose is to verify that expected benefits were achieved; lessons learned support future projects but do not validate the current investment's success.

45
MCQeasy

Which testing phase is MOST effective for validating that the system meets business needs?

A.User acceptance testing
B.Regression testing
C.Unit testing
D.Integration testing
AnswerA

UAT is performed by users to validate business requirements.

Why this answer

User acceptance testing (UAT) is the final phase of testing where actual end-users validate the system against real-world business requirements and workflows. It confirms that the system meets the agreed-upon business needs, functional specifications, and operational criteria before production deployment. Unlike technical testing phases, UAT focuses on business process alignment and user satisfaction.

Exam trap

ISACA often tests the misconception that integration testing or system testing validates business needs, but only UAT directly involves end-users and business stakeholders to confirm the system meets their operational requirements.

How to eliminate wrong answers

Option B (Regression testing) is wrong because it focuses on verifying that recent code changes have not broken existing functionality, not on validating business needs. Option C (Unit testing) is wrong because it tests individual components or modules in isolation at the developer level, ensuring code correctness but not business requirement alignment. Option D (Integration testing) is wrong because it validates that combined modules or systems work together correctly, but it does not assess whether the overall system satisfies business objectives or user expectations.

46
MCQeasy

An organization is implementing a new financial system. Which of the following is the MOST important control to ensure data integrity during the data migration phase?

A.Conducting a post-implementation review
B.Implementing reconciliation controls between source and target
C.Encrypting data in transit
D.Performing user acceptance testing
AnswerB

Reconciliation ensures data completeness and accuracy.

Why this answer

Reconciliation controls between source and target systems are the most critical control for ensuring data integrity during migration because they provide a systematic method to verify that every record has been accurately transferred without loss, duplication, or corruption. This typically involves comparing record counts, hash totals, or checksums (e.g., using MD5 or SHA-256) between the legacy and new databases, and flagging any discrepancies for correction before the system goes live.

Exam trap

The trap here is that candidates often confuse data integrity controls with security controls (like encryption) or validation activities (like UAT), failing to recognize that reconciliation is the only option that directly verifies the accuracy and completeness of the migrated data itself.

How to eliminate wrong answers

Option A is wrong because a post-implementation review occurs after the migration is complete and cannot prevent or detect data integrity issues during the migration process itself; it is a retrospective evaluation, not a real-time control. Option C is wrong because encrypting data in transit (e.g., using TLS 1.3 or IPsec) protects confidentiality and prevents unauthorized interception, but it does not ensure that the data being transferred is accurate, complete, or uncorrupted. Option D is wrong because user acceptance testing (UAT) focuses on validating that the system meets functional requirements and user expectations, not on verifying the completeness and accuracy of migrated data at the record level.

47
MCQmedium

An IS auditor finds that a project failed to meet its objectives because key stakeholders were not involved in the requirements definition phase. Which phase of the SDLC was most neglected?

A.Requirements analysis
B.Development
C.Design
D.Testing
AnswerA

Stakeholder involvement is essential to define complete and accurate requirements.

Why this answer

The requirements analysis phase is where stakeholder needs are formally captured and documented. Without key stakeholder involvement, the project lacks a validated baseline of what must be built, leading to misaligned objectives and scope creep. The IS auditor’s finding directly points to a failure in this phase, as it is the only SDLC phase that defines the project’s success criteria from the user’s perspective.

Exam trap

The trap here is that candidates confuse the symptoms of failure (e.g., poor design or failed tests) with the root cause, which is always the phase where the input was missing—requirements analysis.

How to eliminate wrong answers

Option B is wrong because the development phase focuses on coding and building the system based on already-defined requirements; neglecting stakeholder input here would not cause the initial objective failure. Option C is wrong because the design phase translates requirements into technical specifications and architecture; if requirements were incomplete, design would be flawed, but the root cause remains the earlier phase. Option D is wrong because testing verifies that the system meets the documented requirements; it cannot compensate for missing or incorrect requirements that were never captured.

48
Multi-Selectmedium

An IS auditor is reviewing the design phase of a new procurement system. Which TWO of the following controls are MOST critical to include in the system design to prevent unauthorized purchases?

Select 2 answers
A.Mandatory approval workflows for purchase orders above a threshold.
B.Automated performance reports on purchase cycle times.
C.Segregation of duties between requisition and approval.
D.Real-time audit logging of all purchase transactions.
E.Encryption of purchase order data in transit.
AnswersA, C

Prevents unauthorized high-value purchases.

Why this answer

Mandatory approval workflows for purchase orders above a threshold are critical because they enforce a policy-based control that prevents unauthorized high-value purchases by requiring explicit authorization from a designated approver. This control is designed into the system to intercept transactions that exceed a predefined limit, ensuring that no single user can bypass financial authority limits.

Exam trap

The trap here is that candidates often confuse detective controls (like audit logging) or security controls (like encryption) with preventive controls that directly stop unauthorized actions, failing to recognize that only preventive controls like approval workflows and segregation of duties address the root cause of unauthorized purchases.

49
Drag & Dropmedium

Order the steps for conducting an audit engagement from start to finish.

Why this order

Audit engagement follows: planning (scope, program), fieldwork, analysis, and reporting with management review.

50
Multi-Selecteasy

An IS auditor is reviewing a request for proposal (RFP) for a new system. Which TWO elements should be included in the RFP?

Select 2 answers
A.Confidentiality agreement
B.Vendor's financial stability information
C.Sample contract terms
D.Employee resumes for the proposed team
E.Detailed technical specifications
AnswersB, E

Financial stability helps assess vendor viability.

Why this answer

In an RFP for a new system, including the vendor's financial stability information (B) is critical to assess the vendor's long-term viability and ability to support the system over its lifecycle. This helps mitigate the risk of vendor failure or bankruptcy, which could disrupt operations and leave the organization with an unsupported system.

Exam trap

The trap here is that candidates may confuse the RFP's purpose with later procurement stages, incorrectly including contract terms or personnel details that are better suited for the proposal evaluation or negotiation phase.

51
MCQeasy

During a post-implementation review of a financial system, an IS auditor finds that several critical reports are not being generated correctly. Which of the following should the auditor recommend FIRST?

A.Conduct a new round of user acceptance testing.
B.Review the system configuration and compare with user requirements.
C.Disable the incorrect reports and create manual workarounds.
D.Immediately patch the system to fix the report generation.
AnswerB

This directly addresses the root cause of incorrect reports.

Why this answer

Option B is correct because verifying the system configuration against user requirements is the logical first step and targets the root cause of the incorrect reports. Option D (patching) may be needed later, once the cause has been confirmed; Option C (disabling the reports and creating manual workarounds) is premature; Option A is incorrect because acceptance testing should have been done earlier.

52
MCQmedium

An organization is implementing a new financial system and has completed user acceptance testing (UAT). The project manager reports that all critical defects have been fixed and retested, but several low-severity issues remain unresolved. What is the BEST course of action?

A.Document the unresolved defects as known issues in a risk acceptance form with a remediation plan, then proceed with go-live
B.Re-run all UAT test cases to ensure no regression occurs
C.Delay go-live until all defects are resolved
D.Obtain sign-off from business stakeholders acknowledging the risks and proceed with go-live
AnswerA

Best practice: formally track and accept residual risk.

Why this answer

Option A is correct because in a financial system implementation, low-severity issues that do not impair core financial processing or controls can be accepted as known risks. Documenting them with a remediation plan and proceeding with go-live aligns with ISACA’s guidance that UAT sign-off does not require zero defects, only that critical and high-severity defects are resolved. This approach balances business needs with risk management, avoiding unnecessary delays while ensuring accountability through formal risk acceptance.

Exam trap

The trap here is that candidates confuse 'all defects must be fixed before go-live' with proper risk management, failing to recognize that ISACA allows go-live with documented, accepted low-severity issues as long as critical defects are resolved and a remediation plan exists.

How to eliminate wrong answers

Option B is wrong because re-running all UAT test cases to check for regression is unnecessary and inefficient when only low-severity issues remain; regression testing should be targeted to affected areas, not a full re-execution. Option C is wrong because delaying go-live until all defects are resolved ignores the principle of risk-based decision-making—low-severity issues that do not affect critical functionality or compliance can be deferred without jeopardizing the system. Option D is wrong because obtaining sign-off from business stakeholders without a documented remediation plan or formal risk acceptance form leaves the organization without a clear accountability trail for tracking and resolving the known issues post-go-live.

53
MCQhard

An organization is adopting an agile development methodology for a new financial application. During a sprint review, the product owner expresses concern that the system does not enforce segregation of duties (SoD). The development team argues that SoD will be addressed in a future sprint. As the IS auditor, what is the BEST recommendation?

A.Suggest that the product owner accept the residual risk.
B.Insist that SoD be implemented in the next sprint.
C.Accept the team's plan and document the risk.
D.Require immediate implementation of SoD in this sprint.
AnswerB

SoD should be addressed as soon as possible.

Why this answer

In agile development, security and compliance requirements like segregation of duties (SoD) must be addressed as early as possible, especially for a financial application where regulatory compliance is critical. Delaying SoD to a future sprint introduces significant risk and violates the principle of 'secure by design.' The IS auditor's best recommendation is to insist that SoD be implemented in the next sprint, ensuring that the control is prioritized and integrated into the development lifecycle without waiting for an indefinite future iteration.

Exam trap

The trap here is that candidates may confuse 'accepting the risk' (Option A) with a valid risk management approach, but in this context, the auditor must advocate for timely implementation of a critical control rather than deferring to the product owner's risk appetite.

How to eliminate wrong answers

Option A is wrong because suggesting the product owner accept residual risk abdicates the auditor's responsibility to enforce critical controls; SoD is a fundamental internal control for financial systems, not a discretionary risk. Option C is wrong because accepting the team's plan and documenting the risk without escalation allows a high-severity control deficiency to persist, which could lead to fraud or regulatory non-compliance. Option D is wrong because requiring immediate implementation in the current sprint may be impractical if the sprint is already committed to other user stories, and it ignores the agile principle of prioritizing work in the next sprint planning session.

54
MCQeasy

Refer to the exhibit. The IS auditor reviews the router's version output during an audit. What is the MOST significant finding?

A.The router was returned to ROM by power-on.
B.The router has been running for over two years without a reboot.
C.The system image is stored in flash memory.
D.The IOS version is outdated and may contain security vulnerabilities.
AnswerD

Outdated software is a critical finding.

Why this answer

The most significant finding is that the IOS version is outdated and may contain security vulnerabilities. An outdated IOS version can have known exploits that compromise the router's security, which is a critical risk for the organization. While other options describe operational states, they do not present the same level of immediate security threat as running unsupported or vulnerable firmware.

Exam trap

The trap here is that candidates focus on operational details like uptime or boot process (options A and B) instead of recognizing that an outdated IOS version is a direct security risk, which is the most significant finding in an audit context.

How to eliminate wrong answers

Option A is wrong because 'returned to ROM by power-on' is a normal boot process message indicating the router loaded the IOS from ROM after a power cycle, not a security finding. Option B is wrong because a router running for over two years without a reboot is not inherently a security issue; uptime alone does not indicate vulnerabilities or misconfigurations. Option C is wrong because storing the system image in flash memory is standard practice for Cisco routers and is not a finding; it is the expected location for the IOS image.

55
Multi-Selectmedium

Which TWO of the following are key controls that an IS auditor should expect to find in a well-managed system development life cycle (SDLC)?

Select 2 answers
A.Segregation of duties between development and testing.
B.Vendor due diligence reports.
C.Formal change control process for code changes.
D.Automated unit testing scripts.
E.Gantt chart for project scheduling.
AnswersA, C

Ensures independent verification and reduces risk of errors.

Why this answer

Segregation of duties between development and testing is a key control because it ensures that code is independently verified before release, preventing developers from approving their own changes and reducing the risk of undetected defects or malicious code. In a well-managed SDLC, this separation enforces an independent testing phase, which is critical for maintaining code integrity and security.

Exam trap

The trap here is that candidates confuse project management artifacts (like Gantt charts) or development tools (like unit test scripts) with actual controls, but the CISA exam focuses on controls that enforce separation of duties and formal change management, not on the tools or schedules used to manage the project.

56
MCQhard

A multinational corporation is implementing a global HR system. The project team decides to use a pilot implementation in one region before rolling out to others. What is the PRIMARY risk if the pilot region is not representative of the entire organization?

A.The pilot team may become overly confident.
B.The pilot may run over budget due to unexpected challenges.
C.Issues relevant to other regions may remain undetected.
D.The implementation schedule will be delayed.
AnswerC

Pilot should reveal all potential issues; a non-representative pilot misses them.

Why this answer

The primary risk of a non-representative pilot is that region-specific variations in regulatory, cultural, or technical infrastructure (e.g., data privacy laws like GDPR, local labor regulations, or network latency) will not be exercised. This means defects or integration failures that are unique to other regions remain hidden until full rollout, undermining the pilot's purpose as a risk-reduction mechanism. Option C directly captures this core risk of undetected issues.

Exam trap

The trap here is that candidates confuse a secondary consequence (like budget overruns or delays) with the primary risk, which is the failure to detect region-specific issues that could cause catastrophic failures during full rollout.

How to eliminate wrong answers

Option A is wrong because pilot team overconfidence is a secondary human-factor risk, not the primary technical risk of a non-representative sample; the pilot could still surface issues even if the team is overconfident. Option B is wrong because unexpected challenges in a non-representative pilot are less likely to cause budget overruns (the pilot may actually be too easy), and the primary risk is about undetected issues, not cost. Option D is wrong because schedule delays are a possible consequence of undetected issues, but the primary risk is the failure to detect those issues in the first place, not the delay itself.

57
MCQhard

An IS auditor reviews the change request. Which of the following is the most significant risk?

A.The description is too vague
B.The approval is still pending close to the scheduled date
C.The impact assessment is incorrect
D.The change affects a financial module
AnswerC

Interest calculation is a critical financial function; labeling it as low impact may lead to insufficient testing and controls.

Why this answer

An incorrect impact assessment (Option C) is the most significant risk because it directly undermines the change management process. If the impact is misjudged, the change may introduce unanticipated failures, data corruption, or security vulnerabilities into the production environment. Unlike vague descriptions or pending approvals, an incorrect impact assessment can lead to catastrophic system outages or compliance violations that are difficult to reverse.

Exam trap

The trap here is that candidates often focus on the obvious procedural flaw (pending approval) or the high-profile module (financial), rather than recognizing that an incorrect impact assessment is the root cause that can make any change disastrous regardless of other factors.

How to eliminate wrong answers

Option A is wrong because a vague description, while undesirable, is a documentation issue that can often be clarified during implementation or testing; it does not inherently introduce technical risk to the system. Option B is wrong because pending approval close to the scheduled date is a process timing risk that can be mitigated by rescheduling or expediting approval; it does not directly threaten system integrity or security. Option D is wrong because the change affecting a financial module is a contextual factor, not a risk itself—the risk lies in how the change is assessed and implemented, not in which module it touches.

58
MCQmedium

A university is implementing a new student information system. The project team uses an iterative development approach. During user acceptance testing, students report that the online course registration portal crashes when more than 100 users register simultaneously. The development team identifies a database connection pooling issue and estimates a fix will take three weeks. The project deadline is in two weeks. The project manager suggests deploying the system as is and fixing the issue after go-live, as the crash is rare. The IS auditor is consulted. What should the auditor recommend?

A.Delay the go-live until the defect is fixed and user acceptance testing is passed.
B.Document the risk and proceed with the go-live, planning to fix later.
C.Deploy on time but restrict registration to fewer than 100 students per session.
D.Implement a temporary increase in server capacity to handle the load.
AnswerA

Critical defect must be resolved before deployment.

Why this answer

Option A is correct because deploying a system with a known critical defect that fails under expected load conditions violates the principle of delivering a reliable and secure system. The database connection pooling issue causes the portal to crash under concurrent user load, which is a functional failure that directly impacts business operations. Delaying go-live ensures the defect is fixed and user acceptance testing (UAT) is fully passed, aligning with the IS auditor's responsibility to recommend risk mitigation over acceptance of a preventable failure.

Exam trap

The trap here is that candidates may assume a 'rare' crash can be accepted as a post-go-live fix, but the IS auditor must recognize that the crash occurs under a specific, predictable load threshold that is likely to be exceeded during normal operations, making it a high-risk defect that requires pre-deployment resolution.

How to eliminate wrong answers

Option B is wrong because documenting the risk and proceeding without fixing the defect ignores the fact that the crash is not 'rare'—it occurs under a predictable load of 100 concurrent users, which is a realistic scenario for a university registration portal. Option C is wrong because restricting registration to fewer than 100 students per session is a manual workaround that does not address the underlying database connection pooling issue; it introduces operational complexity and still risks failure if the limit is accidentally exceeded. Option D is wrong because a temporary increase in server capacity (e.g., adding more CPU or memory) does not fix a database connection pooling defect—the crash is caused by connection exhaustion or misconfiguration in the connection pool library, not by insufficient hardware resources.
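The reasoning in question 58 turns on a technical claim: the failure threshold is set by the pool, not by the hardware. The following is an added example, not code from the question bank or from any university system, that models the defect deterministically so the claim can be checked. The pool size, hold time, user counts and the server_capacity knob standing in for "add more CPU/memory" are all constructed assumptions for the illustration.

```python
"""Added example, not taken from the question bank: a deterministic model of
the connection-pool defect in question 58. A pool hands out at most
max_size connections; when all are busy a request either fails at once
(fail-fast, the 'crash' the students hit) or waits up to acquire_timeout
for one to be released. A separate server_capacity knob stands in for
'add more CPU/memory' and only shortens how long each request holds its
connection. All figures below are constructed for the illustration.
"""
from dataclasses import dataclass, field
import heapq


@dataclass
class PoolConfig:
    max_size: int                 # connections the pool will lend out at once
    acquire_timeout: float        # seconds a request will wait; 0.0 means fail fast
    server_capacity: float = 1.0  # hardware scaling factor; 2.0 halves per-request hold time


@dataclass
class Result:
    served: int = 0
    failed: int = 0
    max_wait: float = 0.0
    failures_at: list = field(default_factory=list)  # arrival numbers (1-based) that failed


def simulate(concurrent_users: int, hold_seconds: float, cfg: PoolConfig) -> Result:
    """All users submit a registration at t=0 and are served in arrival order.
    Each holds a connection for hold_seconds / server_capacity."""
    hold = hold_seconds / cfg.server_capacity
    busy_until = []  # min-heap of release times, one entry per connection in use
    res = Result()
    for user in range(1, concurrent_users + 1):
        if len(busy_until) < cfg.max_size:
            start = 0.0                                # a free connection exists
        else:
            earliest = heapq.heappop(busy_until)       # when the next connection frees up
            if earliest > cfg.acquire_timeout:
                heapq.heappush(busy_until, earliest)   # nobody frees one in time
                res.failed += 1
                res.failures_at.append(user)
                continue
            start = earliest                           # wait for it, then take it over
        heapq.heappush(busy_until, start + hold)
        res.served += 1
        res.max_wait = max(res.max_wait, start)
    return res


def failure_threshold(hold_seconds: float, cfg: PoolConfig, up_to: int = 1000) -> int:
    """Smallest number of concurrent users at which at least one request fails,
    or 0 if none fails up to the limit. This is the figure UAT should have
    compared against the expected peak of simultaneous registrations."""
    for n in range(1, up_to + 1):
        if simulate(n, hold_seconds, cfg).failed:
            return n
    return 0


if __name__ == "__main__":
    as_shipped = PoolConfig(max_size=100, acquire_timeout=0.0)
    more_hardware = PoolConfig(max_size=100, acquire_timeout=0.0, server_capacity=4.0)
    pool_fixed = PoolConfig(max_size=100, acquire_timeout=2.0)
    for name, cfg in [("as shipped", as_shipped), ("4x hardware", more_hardware), ("pool fixed", pool_fixed)]:
        r = simulate(120, 0.2, cfg)
        print(f"{name:12s} served={r.served:3d} failed={r.failed:3d} "
              f"max_wait={r.max_wait:.2f}s first_failure_at={failure_threshold(0.2, cfg)}")
```

With 120 simultaneous users the fail-fast pool of 100 rejects exactly users 101 to 120, and quadrupling server capacity leaves the first failure at user 101: faster queries release connections sooner but the 101st request is still refused before any is released. Only changing the pool (a bounded wait, or a larger max_size) removes the failures, which is the point of the question.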

59
Multi-Selectmedium

Which TWO of the following are key objectives of a post-implementation review of a new system?

Select 2 answers
A.Update the disaster recovery plan
B.Assess the project budget variance
C.Identify lessons learned for future projects
D.Evaluate vendor performance
E.Verify that the system meets user requirements
AnswersC, E

Lessons learned are a key output.

Why this answer

Option C is correct because a key objective of a post-implementation review (PIR) is to capture lessons learned from the project: what went well, what went wrong, and how the development and acquisition process can be refined, which directly supports continuous improvement in IT governance and project management. Option E is correct because the PIR also confirms that the delivered system meets the user requirements and business objectives that justified it; a review that never tests whether the expected benefits were realised is incomplete.

Exam trap

The trap here is that candidates often confuse the PIR with project closure activities, mistakenly selecting budget variance or vendor evaluation as key objectives, when the PIR is specifically focused on verifying system effectiveness and capturing lessons learned for future projects.

60
MCQeasy

A company is migrating from a legacy system to a cloud-based ERP. Which of the following is the MOST important control to ensure data integrity during data conversion?

A.Automated backup
B.User acceptance testing
C.Parallel running
D.Reconciliation of control totals
AnswerD

Control totals provide a simple but effective way to verify that data quantities and key figures match between source and target systems.

Why this answer

Reconciliation of control totals is the most important control because it directly verifies that the sum of key fields (e.g., total account balances, record counts) in the source system matches the target cloud-based ERP after conversion. This ensures no data is lost, duplicated, or corrupted during the extraction, transformation, and loading (ETL) process, which is critical for maintaining data integrity in a migration from a legacy system.

Exam trap

The trap here is that candidates often confuse 'parallel running' (a system validation technique) with a data integrity control, but parallel running validates operational consistency over time, not the precise completeness and accuracy of the converted data set itself.

How to eliminate wrong answers

Option A is wrong because automated backup protects against data loss due to failures but does not validate the accuracy or completeness of converted data during migration. Option B is wrong because user acceptance testing (UAT) focuses on verifying that the new system meets functional requirements and business processes, not on detecting data integrity issues like missing or misaligned records in the converted dataset. Option C is wrong because parallel running compares outputs of the old and new systems over time to validate operational consistency, but it does not provide a precise, field-level check of data conversion completeness and accuracy like control totals do.

61
MCQeasy

In an Agile software development project, who is primarily responsible for prioritizing the product backlog?

A.Scrum Master
B.Development Team
C.Project Manager
D.Product Owner
AnswerD

The Product Owner is responsible for prioritizing the product backlog.

Why this answer

Option D is correct because the Product Owner owns the backlog and prioritizes items based on business value. Option A is wrong because Scrum Master facilitates but does not prioritize. Option B is wrong because the team estimates effort but does not set priority.

Option C is wrong because Agile projects typically do not have a traditional project manager.

62
MCQhard

During a post-implementation review of a new HR system, the auditor finds that the system's disaster recovery plan (DRP) was not tested before go-live. Which of the following is the BEST recommendation?

A.Accept the risk because the system is new
B.Implement a backup procedure for the system
C.Conduct a DRP test immediately and document results
D.Schedule a DRP test within the next six months
AnswerC

Addresses the gap promptly.

Why this answer

The DRP should have been tested as part of the implementation, so the auditor recommends testing it now and recording the results. Option A accepts an untested recovery capability for a live HR system. Option B establishes backups, which are one component of recovery but not a tested plan. Option D leaves the system without a verified recovery capability for up to six months.

63
Multi-Selectmedium

Which TWO of the following are key controls in the system development life cycle?

Select 2 answers
A.Post-implementation review
B.Use of agile methodology
C.Segregation of duties between development and operations
D.Formal approval of business requirements
E.Automated deployment tools
AnswersA, C

Ensures system meets objectives and provides feedback.

Why this answer

Options A and C are correct. Segregation of duties between development and operations (C) is a key control because it prevents a developer from moving their own untested or unauthorised code into production. A post-implementation review (A) ensures the system meets its objectives and feeds lessons learned back into the life cycle.

Agile methodology (B) is a development framework, not a control. Automated deployment tools (E) are tooling; they can help enforce a control but are not one themselves. Formal approval of business requirements (D) is also a control, but the question asks for exactly two, and A and C are the broader life-cycle controls an IS auditor looks for first.

64
MCQhard

An organization is developing a custom application. The project manager reports that the development team has implemented 80% of the features but only 50% of the budget is used. What is the MOST significant risk from an IS audit perspective?

A.The project may be completed ahead of schedule.
B.The application may not meet user requirements.
C.The remaining budget may be insufficient for testing and deployment.
D.The project may exceed the total budget due to scope growth.
AnswerD

The mismatch indicates potential cost overrun if remaining features require more budget.

Why this answer

Option D is correct because delivering 80% of the features for 50% of the budget is not evidence of efficiency until it is explained. Feature counts are usually front-loaded: the simpler functions are built first, while integration, regression and security testing, data conversion and deployment, which consume a disproportionate share of the cost, sit in the remaining 20%. At the same time, a team reporting many completed features against a modest spend is often absorbing additional requests without re-baselining the plan. From an IS audit perspective the most significant risk is therefore that scope has grown beyond what was estimated and the project will exceed its total budget, with the remaining work underfunded.

Exam trap

The trap here is that candidates focus on the immediate concern that the remaining budget may not cover testing and deployment (Option C). That is a symptom; the root cause the auditor should flag is uncontrolled scope growth, which leads to total budget overrun and is therefore the more significant risk.

How to eliminate wrong answers

Option A is wrong because finishing ahead of schedule is an outcome, not an audit risk, and a feature count says nothing about the calendar; it may simply mean the easy features were built first. Option B is wrong because nothing in the scenario indicates a requirements gap; the concern is scope and cost control, not fitness for purpose. Option C is wrong because, although the remaining 50% of the budget may well not cover testing and deployment, that shortfall is a consequence of uncontrolled scope growth, and the auditor should report the underlying cause (Option D) rather than one of its effects.

65
MCQmedium

A bank is converting data from its legacy core banking system to a new platform. Which control is MOST critical to ensure the completeness and accuracy of data conversion?

A.Parallel running of both systems
B.Reconciliation of converted data totals to source system totals
C.Data validation rules programmed in the conversion tool
D.User acceptance testing of the new system
AnswerB

Reconciliation directly verifies completeness and accuracy.

Why this answer

Reconciliation of converted data totals to source system totals is the most critical control because it directly verifies that the converted population matches the source: record counts show that nothing was dropped or duplicated, and totals of key value fields (account balances, transaction amounts) show that nothing was truncated, rounded or mis-scaled during transformation. The comparison is made between the source and target databases after the load, giving a definitive check for completeness and accuracy that the other options cannot provide.

Exam trap

The trap here is that candidates confuse 'data validation rules' (which ensure individual field correctness) with 'reconciliation' (which ensures aggregate completeness and accuracy), leading them to choose Option C even though validation cannot detect missing records or totals.

How to eliminate wrong answers

Option A is wrong because parallel running tests business processes and system functionality, but it does not provide a systematic, record-level verification of data completeness and accuracy; discrepancies in data may be masked by compensating process flows. Option C is wrong because data validation rules in the conversion tool only check format and business rule compliance during transformation, but they cannot detect missing records or totals that were never extracted from the source. Option D is wrong because user acceptance testing focuses on whether the new system meets functional requirements, not on verifying that every data element from the legacy system has been accurately transferred.
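The control described in questions 60 and 65 is easy to state and surprisingly easy to get wrong in practice (comparing totals with mismatched precision, or stopping at the count). The following is an added example, not part of the question bank or of any migration tool, showing the three layers a practitioner would actually run: record count, totals of key amount fields, and a hash total plus per-record fingerprint that pinpoints which rows were altered. The legacy extract and the two target extracts, one faithful and one with typical mapping defects, are constructed sample data with invented field names.

```python
"""Added example, not part of the question bank or of any migration tool:
reconciling converted data to its source with control totals, the check
questions 60 and 65 ask for. SOURCE is a constructed legacy extract;
TARGET_GOOD and TARGET_BAD are constructed extracts from the new system
after the load. Field names are invented for the illustration.

Three layers, coarse to fine:
  1. record count                 - dropped or duplicated rows
  2. totals of key amount fields  - truncation, rounding, unit/scale mapping errors
  3. hash total of the key field and a per-record fingerprint
                                  - a different population, or fields altered in flight
"""
from decimal import Decimal
import hashlib
import json

KEY = "account_id"
AMOUNT_FIELDS = ("balance",)
FIELDS = ("account_id", "customer", "balance", "status")

SOURCE = [
    {"account_id": "1001", "customer": "Ada",      "balance": "1500.00", "status": "ACTIVE"},
    {"account_id": "1002", "customer": "Grace",    "balance": "250.75",  "status": "ACTIVE"},
    {"account_id": "1003", "customer": "Linus",    "balance": "0.00",    "status": "CLOSED"},
    {"account_id": "1004", "customer": "Margaret", "balance": "9800.10", "status": "ACTIVE"},
]
# Faithful conversion: the new system stores amounts as numbers, which is acceptable.
TARGET_GOOD = [
    {"account_id": "1001", "customer": "Ada",      "balance": 1500.0,  "status": "ACTIVE"},
    {"account_id": "1002", "customer": "Grace",    "balance": 250.75,  "status": "ACTIVE"},
    {"account_id": "1003", "customer": "Linus",    "balance": 0.0,     "status": "CLOSED"},
    {"account_id": "1004", "customer": "Margaret", "balance": 9800.1,  "status": "ACTIVE"},
]
# Mapping defects: one row never extracted, one amount loaded in cents, one code mis-mapped.
TARGET_BAD = [
    {"account_id": "1001", "customer": "Ada",      "balance": 1500.0,  "status": "ACTIVE"},
    {"account_id": "1002", "customer": "Grace",    "balance": 25075,   "status": "ACTIVE"},
    {"account_id": "1004", "customer": "Margaret", "balance": 9800.1,  "status": "A"},
]


def canonical(field: str, value) -> str:
    """Normalise so that '1500.00' and 1500.0 compare equal but 250.75 and 25075 do not."""
    if field in AMOUNT_FIELDS:
        return format(Decimal(str(value)).normalize(), "f")
    return str(value).strip()


def control_totals(rows, key=KEY, amount_fields=AMOUNT_FIELDS) -> dict:
    totals = {"count": len(rows)}
    for f in amount_fields:
        totals[f"sum_{f}"] = sum(Decimal(str(r[f])) for r in rows)
    # hash total: arithmetic sum of a non-financial field (here the account number);
    # it has no business meaning but changes whenever the population of keys changes
    totals[f"hash_{key}"] = sum(int(r[key]) for r in rows)
    return totals


def fingerprint(row, fields=FIELDS) -> str:
    canon = json.dumps({f: canonical(f, row[f]) for f in fields}, sort_keys=True)
    return hashlib.sha256(canon.encode()).hexdigest()


def reconcile(source, target, key=KEY, fields=FIELDS) -> dict:
    src_totals, tgt_totals = control_totals(source, key), control_totals(target, key)
    src = {r[key]: r for r in source}
    tgt = {r[key]: r for r in target}
    report = {
        "source_totals": src_totals,
        "target_totals": tgt_totals,
        "totals_match": src_totals == tgt_totals,
        "missing_in_target": sorted(set(src) - set(tgt)),
        "unexpected_in_target": sorted(set(tgt) - set(src)),
        "altered": sorted(k for k in src.keys() & tgt.keys()
                          if fingerprint(src[k], fields) != fingerprint(tgt[k], fields)),
    }
    report["clean"] = report["totals_match"] and not (
        report["missing_in_target"] or report["unexpected_in_target"] or report["altered"])
    return report


if __name__ == "__main__":
    for label, target in (("good load", TARGET_GOOD), ("bad load", TARGET_BAD)):
        rep = reconcile(SOURCE, target)
        print(label, "clean" if rep["clean"] else "DISCREPANCIES",
              {k: rep[k] for k in ("totals_match", "missing_in_target", "unexpected_in_target", "altered")})
```

Amounts are compared as Decimal, never as float, so the check does not produce false mismatches from binary rounding. The bad load fails every layer: the count is 3 against 4, the balance total is off by the cents-scaled row, the hash total shows a key is missing, and the fingerprints name the rows (1002 and 1004) whose fields changed in transformation, which is exactly what the report-total complaints in question 72 would trace back to.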

66
Multi-Selecthard

Which THREE of the following are typical objectives of an IT governance framework for system acquisition?

Select 3 answers
A.Risk management
B.Strategic alignment
C.Value delivery
D.Resource management
E.Cost reduction
AnswersA, B, C

Manages risks associated with IT.

Why this answer

Risk management (A) is a core objective of an IT governance framework for system acquisition because it ensures that risks related to system procurement, such as vendor lock-in, security vulnerabilities, and compliance gaps, are identified, assessed, and mitigated before deployment. Strategic alignment (B) ensures that the acquired system supports the organization's business goals and IT strategy, preventing investment in technology that does not deliver business value. Value delivery (C) focuses on optimizing costs and benefits throughout the system lifecycle, ensuring that the acquisition provides measurable returns and meets performance targets.

Exam trap

The trap here is that candidates remember resource management (D) as one of the IT governance focus areas and select it, but the question asks for the three objectives most directly tied to acquiring a system: managing its risks, aligning it with strategy and realising its value. Cost reduction (E) is at most an outcome of value delivery, not a governance objective in its own right.

67
MCQmedium

An IS auditor is reviewing a system development project to assess whether it is on schedule. Which of the following would provide the BEST evidence of project progress against the planned timeline?

A.Minutes from status review meetings
B.Approved requirements document
C.Successful unit test results
D.Updated project schedule with actual completion dates for milestones
AnswerD

The project schedule directly compares planned vs actual milestones.

Why this answer

The updated project schedule with actual completion dates for milestones (Option D) provides direct, objective evidence of progress against the planned timeline. It shows the baseline plan, the actual dates work was completed, and the variance, allowing the IS auditor to quantitatively assess schedule adherence. This is the primary artifact for schedule tracking in system development projects.

Exam trap

The trap here is that candidates often confuse evidence of technical progress (like passing unit tests) with evidence of schedule progress, failing to recognize that technical success does not equate to on-time delivery.

How to eliminate wrong answers

Option A is wrong because minutes from status review meetings are subjective summaries of discussions and opinions, not objective evidence of actual completion dates or schedule variance. Option B is wrong because an approved requirements document defines what the system should do, not when tasks were completed or how the project is tracking against the timeline. Option C is wrong because successful unit test results verify that individual code modules function correctly, but they do not provide any information about whether those tests were completed on schedule or how the project is performing against the planned timeline.

68
MCQmedium

During system development, which testing phase is performed by developers to verify that individual program units function correctly?

A.Integration testing
B.User acceptance testing
C.Unit testing
D.System testing
AnswerC

Unit testing verifies individual program units.

Why this answer

Unit testing is the phase where developers test individual program units or modules in isolation to verify they function correctly according to their design specifications. This is the lowest level of testing and is typically performed using stubs and drivers to simulate interfaces with other components.

Exam trap

The trap here is confusing the scope of testing phases: candidates often mistake integration testing (which tests module interactions) for unit testing (which tests individual modules in isolation), especially when the question emphasizes 'by developers' and 'individual program units'.

How to eliminate wrong answers

Option A is wrong because integration testing focuses on verifying the interactions and data flow between integrated modules, not individual units. Option B is wrong because user acceptance testing is performed by end users to validate that the system meets business requirements, not by developers to test code units. Option D is wrong because system testing validates the complete, integrated system against functional and non-functional requirements, not individual program units.
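Question 68 describes stubs and drivers in the abstract. The following is an added example, not from the question bank, that shows both in working code: the unit under test is a change-approval check enforcing the development/operations segregation of duties from question 63, its directory-service dependency is replaced by a stub, and a driver function calls the unit with controlled inputs. User names, role names and the DirectoryService interface are invented for the illustration.

```python
"""Added example, not from the question bank: a unit test in the sense of
question 68. The unit under test is a change-approval check that enforces
the development/operations segregation of duties from question 63. Its
real dependency, a directory service holding user roles, is replaced by a
stub; the test functions are the driver that calls the unit with controlled
inputs. User names and role names are invented for the illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Change:
    change_id: str
    developer: str    # user who wrote the change
    environment: str  # "test" or "production"


class ApprovalError(Exception):
    pass


class DirectoryService:
    """Interface the unit depends on; in production this would query LDAP/AD."""
    def roles_of(self, user: str) -> set:
        raise NotImplementedError


def approve_change(change: Change, approver: str, directory: DirectoryService) -> bool:
    """Unit under test. Returns True when the approval is allowed, raises otherwise."""
    roles = directory.roles_of(approver)
    if change.environment != "production":
        if not roles & {"developer", "release_manager"}:
            raise ApprovalError(f"{approver} has no role that may approve for {change.environment}")
        return True
    if "release_manager" not in roles:
        raise ApprovalError(f"{approver} lacks the release_manager role")
    if approver == change.developer:
        raise ApprovalError("a developer may not approve their own production change")
    if "developer" in roles:
        # dev/ops segregation: holding both roles defeats the control even for others' changes
        raise ApprovalError(f"{approver} holds a developer role and may not promote to production")
    return True


class StubDirectory(DirectoryService):
    """Stub: canned roles, no network, no real directory."""
    def __init__(self, roles: dict):
        self._roles = roles

    def roles_of(self, user: str) -> set:
        return set(self._roles.get(user, ()))


def raises_approval_error(call) -> bool:
    try:
        call()
    except ApprovalError:
        return True
    return False


def run_unit_tests() -> dict:
    """Driver: exercises approve_change in isolation and reports each case."""
    directory = StubDirectory({
        "alice": {"developer"},
        "bob": {"release_manager"},
        "carol": {"developer", "release_manager"},
    })
    prod = Change("CHG-1", developer="alice", environment="production")
    test_env = Change("CHG-2", developer="alice", environment="test")
    return {
        "ops_approves_prod": approve_change(prod, "bob", directory) is True,
        "self_approval_rejected": raises_approval_error(lambda: approve_change(prod, "alice", directory)),
        "dual_role_rejected_for_prod": raises_approval_error(lambda: approve_change(prod, "carol", directory)),
        "dev_may_approve_to_test": approve_change(test_env, "alice", directory) is True,
        "unknown_user_rejected": raises_approval_error(lambda: approve_change(test_env, "mallory", directory)),
    }


if __name__ == "__main__":
    for case, ok in run_unit_tests().items():
        print(f"{'PASS' if ok else 'FAIL'}  {case}")
```

Because the stub returns canned roles, the test exercises every branch of the control (including the "carol" case, where a user holding both roles would silently defeat segregation of duties) without a directory server, which is what makes it a unit test rather than an integration test.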

69
Multi-Selecthard

Which TWO of the following are indicators that a project is at risk of failure according to ISACA's project governance framework?

Select 2 answers
A.Regular status meetings with stakeholders.
B.Lack of clear communication channels among team members.
C.Adoption of iterative development.
D.Frequent changes to project scope without formal approval.
E.Use of a project management office (PMO).
AnswersB, D

Poor communication causes misunderstandings and delays.

Why this answer

Option B is correct because ISACA's project governance guidance identifies lack of clear communication channels as a key risk indicator: without defined paths for status, escalation and decisions, team members cannot share progress or raise issues, and misalignment grows until the project fails. Option D is correct because frequent scope changes without formal approval show that change control has broken down; each unapproved change alters the baseline without a matching revision of budget, schedule or test plans, a classic precursor to cost and schedule overrun.

Exam trap

The trap here is that candidates may confuse a lack of communication channels with other common risk factors like scope creep, but ISACA specifically lists communication breakdowns as a distinct risk indicator separate from scope change management.

70
Multi-Selecthard

Which THREE of the following are common challenges when integrating a software package with existing legacy systems? (Select exactly three.)

Select 3 answers
A.Availability of modern integration middleware
B.Lack of documented application programming interfaces (APIs)
C.Performance constraints of the legacy environment
D.Data format and schema mismatches
E.Need for custom development to bridge the gap
AnswersB, C, D

Legacy systems may have undocumented or proprietary interfaces.

Why this answer

Legacy systems often lack well-documented or standardized APIs (B), so developers must reverse-engineer communication protocols or fall back on methods like screen scraping, which are fragile and costly. The performance constraints of the legacy environment (C) limit how much integration traffic it can absorb, so batch windows and throttling become design constraints. Data format and schema mismatches (D), such as fixed-width records, differing code tables and date formats, require transformation logic and are a frequent source of conversion errors.

Exam trap

The trap here is confusing a solution (custom development or middleware) with the underlying challenge, leading candidates to select 'Need for custom development' as a challenge when it is actually a response to the real challenges of missing APIs, data mismatches, and performance constraints.

71
Multi-Selecthard

Which TWO of the following are BEST indicators that a system development project is at risk of failure?

Select 2 answers
A.Frequent scope changes
B.Clear communication
C.Robust testing
D.Unrealistic schedule
E.High team morale
AnswersA, D

Scope changes can lead to rework, budget overruns, and missed deadlines.

Why this answer

Frequent scope changes (A) are a classic risk indicator because they disturb the baseline requirements, causing rework, budget overruns and schedule slippage, and uncontrolled scope creep can leave the final product far from its original objectives. An unrealistic schedule (D) is equally telling: when the plan cannot be met, teams compress or skip testing and reviews, defects escape into production, and the project either overruns or delivers something that does not work.

Exam trap

The trap here is that candidates confuse project risk indicators with project success factors, mistakenly selecting positive attributes like clear communication or high morale as signs of risk, when the question asks for indicators of failure.

72
MCQeasy

A mid-sized company is upgrading its legacy financial system to a new cloud-based ERP. The project manager has decided to use a big-bang cutover approach to minimize costs and time. During the first week post-go-live, users report that several critical reports are generating incorrect totals. An initial investigation reveals that the data mapping from the old system to the new system was not fully validated. Which of the following should the IS auditor recommend as the most appropriate corrective action?

A.Perform a data mapping review and remediation, then run parallel operations until accuracy is confirmed
B.Implement additional manual controls and have users double-check all reports
C.Increase the project budget and hire more consultants to fix the issues
D.Immediately revert to the legacy system and restart the project with a phased approach
AnswerA

This directly fixes the data mapping issue and validates correctness before relying solely on the new system.

Why this answer

A big-bang cutover with unvalidated data mapping introduces a high risk of data integrity issues, as the incorrect report totals show. Reviewing and remediating the mapping addresses the root cause; running parallel operations afterwards lets the project team validate that the new ERP processes data correctly by comparing its outputs with the legacy system before the business relies on it alone. This is the post-implementation verification and data-conversion control testing that ISACA guidance expects for migrations of this kind.

Exam trap

The trap here is that candidates may choose Option D (revert to legacy) because it seems safest, but the CISA exam emphasizes cost-effective, risk-based corrective actions that validate data integrity without abandoning the project, making parallel operations the preferred approach.

How to eliminate wrong answers

Option B is wrong because adding manual controls and user double-checks is a detective, not corrective, control that does not address the root cause of incorrect data mapping; it increases operational burden and error risk without fixing the underlying data transformation logic. Option C is wrong because increasing the budget and hiring more consultants is a reactive, non-technical solution that does not guarantee the data mapping errors are identified and corrected; it may accelerate work but does not provide a validation mechanism. Option D is wrong because immediately reverting to the legacy system and restarting with a phased approach is overly disruptive, costly, and time-consuming; it ignores the possibility of a targeted fix and parallel testing, which is more efficient and preserves project momentum.

73
MCQeasy

Which of the following is the PRIMARY benefit of using a prototype during system development?

A.Clarifying user requirements
B.Accelerating coding
C.Minimizing documentation
D.Reducing development cost
AnswerA

Prototyping provides a tangible model that users can interact with, leading to clearer and more accurate requirements.

Why this answer

Option A is correct because prototyping lets users interact with a tangible model early, so requirements are clarified and validated before significant build effort is spent, reducing the risk of misinterpretation. Reducing development cost (D) is not a primary benefit; prototyping can actually increase cost initially. Accelerating coding (B) and minimizing documentation (C) are side effects at best, not objectives.

74
Multi-Selectmedium

Which TWO of the following are essential controls to ensure data integrity during a cloud migration project?

Select 2 answers
A.Granting all migration team members full database access
B.Implementing encryption at rest and in transit
C.Using a phased migration approach without rollback capability
D.Running reconciliation checks comparing source and target data counts
E.Performing a single full data validation after migration
AnswersB, D

Encryption ensures data confidentiality and integrity during transfer and storage.

Why this answer

Encryption at rest and in transit (Option B) protects the data while it moves between the source and the cloud target and while it sits in storage. In transit, TLS authenticates every record it carries as well as encrypting it, so tampering on the network is detected and the connection fails rather than loading altered data; at rest, encryption with properly controlled keys stops anyone without the key from reading or meaningfully altering stored data. The caveat a practitioner would add is that encryption alone only hides data: modification is detected only by an authenticated mode or a separate MAC or hash, which is why this control is paired with Option D. Running reconciliation checks that compare source and target counts (and, in practice, control totals) directly verifies that nothing was lost, duplicated or changed in the load, and repeating them per batch localises any discrepancy to the batch in which it occurred.

Exam trap

The trap here is that candidates treat encryption as a confidentiality control only and overlook the integrity protection that TLS and authenticated encryption provide, or they assume that a single post-migration validation (Option E) is sufficient, ignoring the need for reconciliation checks at each stage (Option D) to detect incremental data loss or corruption during the transfer.

75
MCQhard

A multinational corporation is replacing its legacy on-premises customer relationship management (CRM) system with a new cloud-based CRM solution. The project involves migrating data from the old system, customizing the new system to match business processes, and integrating with an existing enterprise resource planning (ERP) system. The project has a tight deadline of six months. During the planning phase, the project team decides to use a waterfall methodology because the requirements are well-defined. However, three months into the project, the business users request significant changes to the customer data fields, which were not originally specified. The project manager is concerned that accommodating these changes will delay the project. The integration with the ERP system is also proving more complex than anticipated, with data mapping errors causing delays. The go-live date is fixed due to the end-of-support for the legacy system. What is the BEST course of action for the project manager?

A.Conduct a formal change impact assessment and prioritize the changes; implement only critical ones for go-live
B.Inform the business users that no changes can be made due to the fixed deadline
C.Delay the go-live date to accommodate all changes and integration issues
D.Switch to an agile methodology for the remaining three months
AnswerA

Balances changes with schedule.

Why this answer

Option A is correct because it follows the structured change management process required in a waterfall project with a fixed deadline. By conducting a formal change impact assessment, the project manager can objectively evaluate the cost, schedule, and resource implications of the requested changes. Prioritizing only critical changes for go-live ensures that the core CRM functionality is delivered on time, while non-critical enhancements can be deferred to a post-implementation phase.

This approach balances the need to meet the legacy system's end-of-support deadline with accommodating essential business requirements.

Exam trap

The trap here is that candidates may assume that switching to agile (Option D) is a flexible solution, but they overlook the fact that mid-project methodology changes are disruptive and rarely feasible within a fixed deadline, especially when the project has already invested heavily in waterfall artifacts and integration work.

How to eliminate wrong answers

Option B is wrong because it is an inflexible response that ignores the business value of the requested changes; outright rejection can lead to user dissatisfaction and a system that fails to meet critical business needs. Option C is wrong because delaying the go-live date is not feasible given the fixed deadline imposed by the legacy system's end-of-support, and it would likely cause significant operational risk. Option D is wrong because switching to an agile methodology mid-project is impractical; the project is already three months into a waterfall lifecycle with well-defined requirements, and a methodology shift would require retraining, rework, and disrupt the current integration and data migration work, likely causing further delays.
