CCNA Is Acquisition Dev Questions

71 of 146 questions · Page 2/2 · Is Acquisition Dev topic · Answers revealed

76
MCQ · easy

A company is in the process of acquiring a new customer relationship management (CRM) system. During which phase of the systems development life cycle (SDLC) should the business requirements be formally documented?

A. Implementation phase
B. Requirements phase (Planning)
C. Design phase
D. Maintenance phase
Answer: B

This phase involves gathering and documenting business requirements.

Why this answer

The business requirements for a new CRM system must be formally documented during the Requirements phase (Planning) of the SDLC. This phase establishes the functional and non-functional needs that the system must satisfy, serving as the foundation for all subsequent design, development, and testing activities. Without a formal requirements document, the project risks scope creep, misalignment with business objectives, and costly rework during later phases.

Exam trap

The trap here is that candidates often confuse the Requirements phase with the Design phase, mistakenly thinking that requirements are documented during design, but in reality, design assumes requirements are already formally approved and focuses on how to implement them, not what to implement.

How to eliminate wrong answers

Option A is wrong because the Implementation phase focuses on deploying the system into production, including installation, configuration, and user training; documenting business requirements at this stage would be too late, as the system has already been built based on earlier decisions. Option C is wrong because the Design phase translates documented requirements into technical specifications (e.g., data models, interface designs); it assumes requirements are already finalized and formalized. Option D is wrong because the Maintenance phase involves post-deployment support, patches, and enhancements; formal business requirements for the initial system must be captured long before this phase to avoid reactive changes that increase cost and risk.

77
MCQ · medium

A project team is using a prototyping approach for a new system. Which of the following is the BEST control to ensure the prototype accurately reflects user needs?

A. Conduct a post-implementation review.
B. Involve users in each iteration and obtain formal sign-off.
C. Require the project sponsor to approve the final design.
D. Perform regression testing after each prototype iteration.
Answer: B

User involvement in every iteration, with sign-off, keeps the prototype aligned with requirements.

Why this answer

Option B is correct because involving users in each iteration and obtaining formal sign-off is the control that keeps the prototype aligned with the true requirements: each round of feedback is captured and approved before the next iteration starts, so the prototype cannot drift silently. Option A is after the fact; a post-implementation review cannot shape the prototype. Option C does not involve users directly; the sponsor approving the final design confirms authority, not day-to-day needs. Option D verifies that earlier behaviour still works after a change, which says nothing about whether the prototype reflects what users need.

78
Multi-Select · hard

An IS auditor is reviewing the system development life cycle (SDLC) for a custom application. The project manager has decided to skip the design phase and proceed directly from requirements to coding. Which of the following risks are MOST likely to increase as a result? (Choose two.)

Select 2 answers
A. Delays in project schedule.
B. Increased cost due to rework.
C. Increased number of defects during unit testing.
D. Inadequate security controls.
E. The system may not meet user requirements.
Answers: D, E

Security controls are often defined in the design phase.

Why this answer

Skipping the design phase means that security requirements are never formally defined or integrated into the system architecture. Without a security design, controls such as authentication, authorization, encryption, and input validation are likely to be omitted or implemented ad hoc, leading to inadequate security controls (D). This directly increases the risk of vulnerabilities that could be exploited in production. Skipping design also removes the step that turns approved requirements into a specification developers can build against, so coding proceeds from each developer's own reading of the requirements; the resulting system may not meet user requirements (E), and there is no design baseline against which to trace or verify them.

Exam trap

The trap here is that candidates focus on project management risks (schedule, cost, defects) rather than the specific security and requirements risks that are most directly amplified when the design phase is omitted, as the design phase is where both functional and non-functional requirements (including security) are translated into a technical blueprint.

79
MCQ · easy

In a traditional waterfall SDLC, when should the test plan be developed?

A. During the implementation phase
B. During the coding phase
C. During the requirements phase
D. During the design phase
Answer: D

Allows integration with design.

Why this answer

In a traditional waterfall SDLC, the test plan should be developed during the design phase because testing activities must be planned in parallel with system design to ensure that test cases, test data, and acceptance criteria are aligned with the design specifications. This allows for early identification of testability issues and ensures that the test plan is ready before coding begins, enabling a structured and efficient testing process.

Exam trap

The trap here is that candidates often confuse the timing of test plan development with the start of actual testing, mistakenly thinking the test plan can be deferred to the implementation or coding phase, but CISA emphasizes that test planning must begin during design to align with the V-model and ensure testability is built into the system.

How to eliminate wrong answers

Option A is wrong because the implementation phase comes after coding and testing, when the finished system is installed and released into production; developing the test plan that late would delay testing and miss the opportunity to design tests in alignment with the design specifications. Option B is wrong because the coding phase focuses on writing the actual program code, and creating the test plan here would be reactive rather than proactive, increasing the risk of incomplete test coverage and rework. Option C is wrong because the requirements phase is too early for detailed test planning; while high-level test objectives may be identified, the specific test cases, test data, and test environment requirements cannot be finalized until the design is complete.

80
MCQ · easy

A nonprofit organization develops a small online donation platform using a third-party payment gateway. The project team skips formal security testing because of budget constraints. After launch, a security researcher discovers that the application fails to validate input on the donation amount field, allowing manipulation. The nonprofit loses several thousand dollars before the issue is patched. The IS auditor is asked to review the system development process. Which of the following is the PRIMARY finding?

A. The donation amount field was not validated.
B. The organization lost money due to the exploit.
C. Security testing was not performed during development.
D. The payment gateway was not properly integrated.
Answer: C

Testing would have identified the input validation issue.

Why this answer

Option C is correct because the primary finding for an IS auditor reviewing the system development process is the absence of security testing during development. Skipping formal security testing (e.g., static application security testing, dynamic application security testing, or penetration testing) departs from secure development life cycle practice and directly led to the input validation vulnerability reaching production. The IS auditor's focus is on process deficiencies, not the specific exploit or financial loss.

Exam trap

The trap here is that candidates focus on the immediate technical flaw (unvalidated input) or the financial loss, rather than recognizing that the IS auditor's role is to identify the systemic process failure (lack of security testing) that allowed the vulnerability to be introduced.

How to eliminate wrong answers

Option A is wrong because the unvalidated donation amount field is a symptom (a technical vulnerability), not the root cause in the development process; the IS auditor's primary finding should address the process gap that allowed the vulnerability to exist. Option B is wrong because the financial loss is an impact or consequence, not a process finding; the IS auditor evaluates controls and processes, not the monetary outcome. Option D is wrong because the payment gateway integration may be functional; the issue is the lack of input validation on the application side, not a misconfiguration or improper integration of the third-party gateway (e.g., incorrect API endpoint or missing signature verification).
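The scenario turns on a donation amount field that was never validated server-side. The following is an added example, not code from the page or from the nonprofit described in it: a vulnerable handler that trusts the posted amount beside a hardened one that validates it before anything reaches the gateway. The business limits, the FakeGateway stand-in and the form field names are assumptions.

```python
from decimal import Decimal, InvalidOperation

# Business limits (assumed for this example; the page gives no real figures).
MIN_DONATION = Decimal("1.00")
MAX_DONATION = Decimal("10000.00")


class InvalidAmount(ValueError):
    """Raised when a client-supplied amount fails validation."""


class FakeGateway:
    """Stand-in for the third-party payment gateway: records what it was asked to charge."""

    def __init__(self):
        self.charges = []

    def charge(self, amount_cents: int, reference: str) -> str:
        self.charges.append((amount_cents, reference))
        return f"txn-{len(self.charges)}"


def parse_donation_amount(raw) -> int:
    """Validate a client-supplied amount and return it in minor units (cents).

    Accepts only a short, finite, positive decimal string with at most two
    decimal places and within the business limits. Anything else is rejected
    rather than silently coerced, which is the control the nonprofit lacked.
    """
    if not isinstance(raw, str) or len(raw) > 12:
        raise InvalidAmount("amount must be a short string")
    try:
        value = Decimal(raw.strip())
    except InvalidOperation:
        raise InvalidAmount("amount is not a decimal number") from None
    if not value.is_finite():                      # rejects 'NaN', 'Infinity', 'sNaN'
        raise InvalidAmount("amount must be finite")
    if value.as_tuple().exponent < -2:             # rejects 4.999 and other rounding games
        raise InvalidAmount("at most two decimal places allowed")
    if value < MIN_DONATION or value > MAX_DONATION:
        raise InvalidAmount("amount out of range")  # rejects 0, negatives, absurd values
    return int(value * 100)


def is_valid_amount(raw) -> bool:
    """True if parse_donation_amount would accept raw."""
    try:
        parse_donation_amount(raw)
        return True
    except InvalidAmount:
        return False


def donate_unsafe(form: dict, gateway: FakeGateway) -> str:
    """Vulnerable pattern: the amount the browser posted is trusted as-is.
    A tampered request such as amount=-25.00 or amount=0.001 goes straight to the gateway."""
    amount = float(form["amount"])
    return gateway.charge(int(round(amount * 100)), form["donor"])


def donate_safe(form: dict, gateway: FakeGateway) -> str:
    """Hardened handler: validate on the server before anything reaches the gateway."""
    cents = parse_donation_amount(form.get("amount", ""))
    return gateway.charge(cents, form["donor"])


if __name__ == "__main__":
    gw = FakeGateway()
    donate_unsafe({"amount": "-25.00", "donor": "mallory"}, gw)   # accepted: a refund-shaped charge
    print("unsafe handler sent to gateway:", gw.charges)
    for raw in ["25.00", "-25.00", "0.001", "NaN", "1e309", "abc"]:
        print(f"{raw!r:10} -> {'accepted' if is_valid_amount(raw) else 'rejected'}")
```

Working in Decimal and integer cents avoids the float rounding that makes "amount * 100" unreliable, and rejecting rather than rounding a three-decimal input closes the path where an attacker nudges a value past a boundary check. A negative amount is the classic manipulation here because many gateways treat it as a credit.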

81
MCQ · medium

A hospital is implementing a new electronic health record (EHR) system. The project team includes clinicians and IT staff. During integration testing, the system fails to exchange lab results with the existing legacy system due to format mismatches. The IT team suggests developing a custom interface. The clinical team is concerned that any custom solution may not comply with health data privacy regulations. The project sponsor pressures the team to quickly fix the issue to avoid delays. The IS auditor is reviewing this situation. What is the MOST appropriate action for the auditor to recommend?

A. Conduct a privacy impact assessment on the custom interface and ensure controls are in place before deployment.
B. Proceed with the custom interface to meet the project deadline.
C. Reject the custom interface and delay the project until a standard solution is found.
D. Replace the legacy system with a new one that is compatible.
Answer: A

Balances speed with compliance.

Why this answer

The custom interface introduces a new data exchange path between the EHR and legacy system. Without a privacy impact assessment (PIA), the auditor cannot verify that the interface will enforce encryption, access controls, and audit logging required by HIPAA or similar regulations. A PIA identifies risks like unauthorized disclosure of protected health information (PHI) during format translation, ensuring controls are implemented before deployment.

This aligns with the IS auditor's role to safeguard data privacy, not just meet deadlines.

Exam trap

The trap here is that candidates may prioritize speed (Option B) or absolute standardization (Option C) over the auditor's core responsibility to assess and mitigate privacy risks before any new data processing component goes live.

How to eliminate wrong answers

Option B is wrong because proceeding without assessing privacy risks violates the auditor's duty to ensure compliance with health data privacy regulations (e.g., HIPAA), and a rushed custom interface may introduce vulnerabilities like unencrypted PHI in transit. Option C is wrong because rejecting the custom interface outright is overly rigid; a properly assessed and controlled custom interface can be compliant, and delaying the project unnecessarily ignores a viable solution. Option D is wrong because replacing the entire legacy system is disproportionate, costly, and introduces far greater project risk and disruption than addressing the format mismatch with a controlled interface.

82
Multi-Select · easy

Which TWO of the following are essential components of a business case for a new system?

Select 2 answers
A. Implementation schedule.
B. Detailed system architecture.
C. Alignment with business strategy.
D. Risk assessment for all identified risks.
E. Cost-benefit analysis.
Answers: C, E

Ensures project supports organizational goals.

Why this answer

A business case must justify the investment in a new system by demonstrating how it supports the organization's strategic goals and provides net financial benefit. Alignment with business strategy (C) ensures the system directly enables key objectives, while cost-benefit analysis (E) quantifies the expected return on investment, making both essential for approval.

Exam trap

The trap here is that candidates confuse project management deliverables (like schedules and detailed architectures) with the strategic and financial justification required in a business case, leading them to select implementation schedule or detailed system architecture instead of the correct options.

83
MCQ · easy

An organization is developing a new customer portal. The development team wants to use an agile methodology. Which of the following is a key benefit of using agile for this project?

A. Continuous stakeholder feedback is incorporated
B. Detailed requirements are defined upfront
C. Documentation is minimized to save time
D. The entire system is delivered at once
Answer: A

Agile emphasizes ongoing collaboration.

Why this answer

Agile methodologies emphasize iterative development with continuous stakeholder feedback, which is critical for a customer portal where user needs evolve. This ensures the final product aligns with actual requirements, reducing rework and increasing satisfaction. Option A directly captures this core benefit.

Exam trap

The trap here is that candidates often confuse agile's reduced documentation overhead (Option C) as a primary benefit, but the key advantage is continuous stakeholder feedback, not just saving time on documentation.

How to eliminate wrong answers

Option B is wrong because agile deliberately avoids defining detailed requirements upfront; instead, it embraces changing requirements through the project lifecycle. Option C is wrong because while agile values working software over comprehensive documentation, it does not minimize documentation to save time—it produces just enough documentation for the team and stakeholders. Option D is wrong because agile delivers the system incrementally in small, functional releases, not all at once, enabling early value delivery and feedback.

84
MCQ · hard

In an agile development environment, an IS auditor reviews the backlog and finds that security requirements are not explicitly included. What is the best recommendation?

A. Engage external security auditors to define requirements
B. Allocate a separate sprint dedicated solely to security
C. Perform comprehensive security testing during the final sprint
D. Include security stories in the product backlog
Answer: D

Integrating security into the backlog ensures it is addressed incrementally.

Why this answer

In agile development, security should be integrated continuously rather than treated as an afterthought. Including security stories in the product backlog ensures that security requirements are prioritized, estimated, and implemented incrementally within each sprint, aligning with the agile principle of delivering value early and often. This approach embeds security into the development lifecycle from the start, reducing technical debt and vulnerabilities.

Exam trap

The trap here is that candidates often choose a dedicated security sprint (Option B) or final testing (Option C) because they resemble traditional security review phases, but the CISA exam emphasizes integrating security into every sprint to align with agile's continuous delivery and risk management principles.

How to eliminate wrong answers

Option A is wrong because engaging external security auditors to define requirements creates a dependency on outside parties and delays security integration, contradicting agile's self-organizing team model and continuous feedback loops. Option B is wrong because allocating a separate sprint dedicated solely to security violates agile's iterative delivery principle and can lead to security being treated as a separate phase, increasing risk of integration issues and rework. Option C is wrong because performing comprehensive security testing only during the final sprint is a waterfall-like approach that misses the opportunity to detect and fix vulnerabilities early, often resulting in costly late-stage remediation and potential release delays.

85
MCQ · hard

A security review of the above Apache configuration identifies a critical vulnerability. Which of the following is the MOST significant issue?

A. Default DocumentRoot path is used
B. Directory listing is enabled (Indexes option)
C. AllowOverride All allows .htaccess overrides
D. Require all granted permits all access
Answer: B

The Indexes option allows attackers to browse directory contents, potentially exposing sensitive files.

Why this answer

The Indexes option in Apache enables directory listing, which exposes the entire contents of a directory when no index file (e.g., index.html) is present. This can reveal sensitive files, configuration backups, or source code, making it a critical information disclosure vulnerability. Unlike the other options, Indexes leads to unauthorized data exposure on its own; the only condition it needs is a directory without an index document, which backup and upload directories commonly lack.

Exam trap

The trap here is that candidates often focus on access control (Require all granted) or override permissions (AllowOverride All) as the most critical issue, but the immediate and direct information disclosure from directory listing (Indexes) is typically the most severe in a standard web server configuration.

How to eliminate wrong answers

Option A is wrong because using the default DocumentRoot path (e.g., /var/www/html) is a common configuration and not inherently a vulnerability; it only becomes a risk if combined with other misconfigurations. Option C is wrong because AllowOverride All lets a .htaccess file anywhere under the directory tree change handlers, options and access rules, which is serious once an attacker can write such a file (for example through an upload flaw), but it needs that second weakness before it is exploitable; setting AllowOverride None removes the exposure. Option D is wrong because 'Require all granted' permits all access, but this is often the intended default for public web content; the vulnerability arises only when combined with other issues like Indexes or weak authentication, and by itself it does not expose directory contents.
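The Apache exhibit the question refers to is not reproduced on the page. The block below is an added example, not the page's configuration or code: a small httpd.conf auditor in Python that scans each Directory block for the settings the four options name, run over a constructed weak block and its hardened counterpart (Options -Indexes, AllowOverride None). The configuration text, the severity ranking and the function names are assumptions; the Options resolution follows Apache's documented +/- semantics for a single directive and ignores inheritance from enclosing blocks.

```python
import re

# Constructed stand-in for the exhibit the question refers to but the page does not
# reproduce: a document-root block carrying the four settings the options name.
WEAK_CONF = """\
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
"""

# The same block with the two risky settings corrected.
HARDENED_CONF = """\
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
"""

_DIRECTORY_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
SEVERITY = {"INFO": 0, "HIGH": 1, "CRITICAL": 2}


def options_enabled(args, inherited=frozenset()):
    """Resolve one 'Options' directive. Apache semantics: if every argument carries a
    + or - prefix the directive adjusts the inherited set; otherwise it replaces it.
    (httpd rejects a line that mixes the two forms; this helper treats it as absolute.)"""
    args = [a.lower() for a in args]
    if args and all(a[0] in "+-" for a in args):
        enabled = set(inherited)
        for a in args:
            if a[0] == "+":
                enabled.add(a[1:])
            else:
                enabled.discard(a[1:])
        return enabled
    return {a.lstrip("+-") for a in args}


def audit_directory(path, body):
    """Return (path, severity, message) findings for one <Directory> block."""
    findings = []
    enabled = set()
    for line in body.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        directive, args = tokens[0].lower(), tokens[1:]
        if directive == "options":
            enabled = options_enabled(args, enabled)
        elif directive == "allowoverride" and any(a.lower() == "all" for a in args):
            findings.append((path, "HIGH",
                             "AllowOverride All: a .htaccess file written anywhere under this "
                             "tree can change handlers, options and access rules"))
        elif directive == "require" and [a.lower() for a in args] == ["all", "granted"]:
            findings.append((path, "INFO",
                             "Require all granted: expected for public content; confirm no "
                             "non-public directory inherits it"))
    if "indexes" in enabled or "all" in enabled:      # 'Options All' includes Indexes
        findings.append((path, "CRITICAL",
                         "Options Indexes: every file in a directory without an index "
                         "document is listed to anyone who requests it"))
    return findings


def audit_config(conf_text):
    """Audit every <Directory> block in an httpd.conf fragment."""
    findings = []
    for match in _DIRECTORY_RE.finditer(conf_text):
        findings.extend(audit_directory(match.group(1), match.group(2)))
    return findings


def worst_severity(findings):
    """Highest severity present, or None when there are no findings."""
    return max((f[1] for f in findings), key=SEVERITY.get, default=None)


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"--- {label}: worst = {worst_severity(audit_config(conf))}")
        for path, sev, msg in audit_config(conf):
            print(f"{sev:8} {path}: {msg}")
```

The ranking mirrors the answer key: a listing is exploitable by anyone with a browser, AllowOverride All needs a way to plant a file first, and Require all granted on the public document root is reported for review rather than as a defect.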

86
MCQ · hard

Refer to the exhibit. An administrator applied this ACL to a VLAN interface. The server at 10.0.0.100 hosts a web application. What is the effect of this ACL?

A. Allows HTTPS, but HTTP is allowed as well due to the permit ip any any
B. Allows HTTPS, blocks HTTP, and blocks all other traffic
C. Blocks both HTTP and HTTPS
D. Only allows HTTP and blocks HTTPS
Answer: A

The closing 'permit ip any any' catches everything the first line does not, so the implicit deny is never reached.

Why this answer

The ACL shown permits HTTPS (TCP port 443) from any source to the server at 10.0.0.100 and then ends with a 'permit ip any any' statement. ACLs are processed top-down and the first match wins: HTTPS traffic matches the first line and is permitted, while HTTP (TCP port 80) matches no explicit deny, so it falls through to the 'permit ip any any' line and is permitted as well. The implicit 'deny ip any any' at the end of every ACL never comes into play, because the catch-all permit precedes it. Both HTTP and HTTPS are therefore permitted, making option A correct.

Exam trap

The trap here is that candidates often overlook the 'permit ip any any' at the end of the ACL and incorrectly assume that only the explicitly permitted HTTPS traffic is allowed, missing that this catch-all statement permits all other traffic, including HTTP.

How to eliminate wrong answers

Option B is wrong because it claims HTTP is blocked, but the 'permit ip any any' at the end of the ACL permits all traffic not explicitly denied, including HTTP. Option C is wrong because it states both HTTP and HTTPS are blocked, but the ACL explicitly permits HTTPS and the 'permit ip any any' permits HTTP. Option D is wrong because it says only HTTP is allowed and HTTPS is blocked, but the ACL explicitly permits HTTPS and the 'permit ip any any' permits HTTP as well, so both are allowed.
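The ACL exhibit is not reproduced on the page; the explanation above describes its two entries. The block below is an added example, not from the page: a Python first-match evaluator for Cisco-style extended ACL lines, run against a constructed reconstruction of that ACL and against the 'HTTPS only' version an administrator presumably intended. The evaluator, the sample addresses and the intended ACL are assumptions; wildcard masks are supported only in contiguous form.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Ace:
    """One access-control entry: action, protocol, source, destination, optional dest port."""
    action: str                       # "permit" or "deny"
    proto: str                        # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None       # None means any destination port


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # Cisco wildcard mask -> netmask; only contiguous wildcards are handled here.
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = str(ipaddress.ip_address((~wildcard) & 0xFFFFFFFF))
    return ipaddress.IPv4Network((tokens[i], netmask), strict=False), i + 2


def parse_acl(text):
    """Parse extended-ACL lines such as 'permit tcp any host 10.0.0.100 eq 443'."""
    acl = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        acl.append(Ace(action, proto, src, dst, dport))
    return acl


def evaluate(acl, proto, src, dst, dport=None):
    """Evaluate a packet top-down: the first matching entry wins, and a packet that
    matches nothing hits the implicit 'deny ip any any' at the end of every Cisco ACL.
    Returns (action, 1-based line of the matching entry, or None for the implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(acl, start=1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, n
    return "deny", None


# Constructed reconstruction of the exhibit, following the explanation above:
# HTTPS to the server is permitted, then a catch-all permit.
ACL_AS_APPLIED = """
permit tcp any host 10.0.0.100 eq 443
permit ip any any
"""

# What an administrator who wanted "HTTPS only" to the server presumably meant
# (assumed here; the page shows no corrected ACL): without the catch-all, HTTP
# and everything else fall through to the implicit deny.
ACL_INTENDED = """
permit tcp any host 10.0.0.100 eq 443
"""


def check(acl_text, label):
    """Print how three sample flows (constructed) fare against an ACL."""
    acl = parse_acl(acl_text)
    for proto, port, name in (("tcp", 443, "HTTPS"), ("tcp", 80, "HTTP"), ("udp", 53, "DNS")):
        action, line = evaluate(acl, proto, "192.0.2.10", "10.0.0.100", port)
        where = f"line {line}" if line else "implicit deny"
        print(f"{label}: {name:5} -> {action} ({where})")


if __name__ == "__main__":
    check(ACL_AS_APPLIED, "as applied")
    check(ACL_INTENDED, "intended")
```

Running it shows HTTP matching line 2 of the applied ACL, which is the trap the question sets; removing the catch-all is enough to let the implicit deny do its job, and the evaluator also reports which line matched, which is what you want when reviewing a long ACL on a real device.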

87
MCQ · medium

An organization is implementing a new identity management system. Which testing approach is MOST effective for verifying access controls?

A. Regression testing
B. Unit testing
C. User acceptance testing including role-based test cases
D. System integration testing
Answer: C

Role-based UAT scenarios simulate real user tasks and validate that access controls are correctly implemented.

Why this answer

User acceptance testing (UAT) with role-based test cases is the most effective approach because it directly validates that the identity management system enforces the correct access controls for each user role in real-world scenarios. Unlike lower-level tests, UAT involves actual users executing role-specific transactions to confirm that permissions, segregation of duties, and policy rules are properly implemented. This ensures that the system behaves as intended from an end-user and auditor perspective, which is critical for compliance and security.

Exam trap

The trap here is that candidates confuse 'system integration testing' with 'user acceptance testing' and assume that verifying system-to-system communication is sufficient to validate access controls, when in fact only role-based UAT confirms that the correct policies are enforced for actual users.

How to eliminate wrong answers

Option A is wrong because regression testing focuses on verifying that existing functionality still works after changes, not on validating the correctness of new access control rules. Option B is wrong because unit testing examines individual components or code modules in isolation, which cannot verify role-based permissions or end-to-end access control enforcement. Option D is wrong because system integration testing checks the interaction between systems (e.g., SSO with LDAP or SAML) but does not specifically validate that role-based access policies are correctly applied to user actions.

88
Multi-Select · hard

Which THREE of the following are common risks associated with the prototyping methodology?

Select 3 answers
A. Incomplete requirements specification
B. Lack of adequate documentation
C. Prototype being accepted as the final production version
D. User misunderstanding of prototype limitations
E. Scope creep due to frequent changes
Answers: B, C, E

Documentation is often overlooked in prototyping.

Why this answer

Option B is correct because prototyping prioritizes rapid iteration over formal documentation, leaving incomplete or outdated records of system specifications, design decisions, and user agreements; this creates risks for maintenance, knowledge transfer, and auditability, as the final system may lack the artifacts needed for ongoing support and compliance. Option C is correct because a prototype built for speed (throwaway code, little error handling, no security or performance design) is frequently pushed into production as-is once users see it working. Option E is correct because every iteration invites new requests, and without change control around the iterations the scope grows with each demonstration.

Exam trap

The trap here is that candidates may confuse 'incomplete requirements specification' (a general risk) with a prototyping-specific risk, but the exam expects recognition that prototyping actually reduces this risk through iterative user feedback, while the three correct answers (B, C, E) are directly tied to the methodology's iterative and informal nature.

89
Multi-Select · medium

Which TWO of the following are common risks in the procurement of custom-developed software?

Select 2 answers
A. Poor user acceptance
B. Excessive customization
C. Lack of documentation
D. Vendor lock-in
E. Inadequate service level agreements
Answers: C, D

Custom development often lacks thorough documentation.

Why this answer

Lack of documentation (C) is a common risk in custom-developed software because without comprehensive technical and user documentation, the organization faces challenges in maintenance, troubleshooting, and knowledge transfer. This risk is especially acute when the original developers leave, leaving the system opaque and difficult to support. Proper documentation is essential for ongoing operations, audits, and future enhancements. Vendor lock-in (D) is a procurement risk because the organization depends on the developer's proprietary knowledge, tools, or source code for every future change; unless source code escrow, ownership of intellectual property, and rights to the documentation are written into the contract, switching suppliers becomes impractical.

Exam trap

The trap here is that candidates often confuse 'excessive customization' (a scope/design risk) with a procurement risk, when in fact the procurement risk is about the vendor's control over the software's future (vendor lock-in) and the lack of maintainability (lack of documentation).

90
Multi-Select · hard

An organization is implementing a new cloud-based HR system. The project sponsor wants to skip regular project status meetings to speed up delivery. Which THREE of the following are the MOST significant risks of eliminating these meetings?

Select 3 answers
A. Security requirements may be overlooked.
B. Stakeholders may be unaware of critical project issues.
C. Budget overruns may go unnoticed until the end.
D. Important decisions may not be documented or communicated.
E. Dependencies between project tasks may not be properly managed.
Answers: B, D, E

Meetings are key for issue communication.

Why this answer

Option B is correct because eliminating regular project status meetings removes the main channel for escalating critical issues to stakeholders; without them, integration failures, compliance gaps, or security problems in the cloud-based HR system may not reach the people who can act on them, delaying remediation. Option D is correct because status meetings are where decisions are taken, recorded in minutes, and communicated; without that forum, decisions are made informally, left undocumented, and reach some team members but not others. Option E is correct because the meetings are where task owners reconcile dependencies and hand-offs (for example, the identity integration must be ready before user acceptance testing can start); without that coordination, blocked tasks and sequencing errors surface late.

Exam trap

The trap here is that candidates confuse the purpose of status meetings with other project management artifacts, assuming that documentation alone (e.g., project plans, risk registers) can substitute for the real-time communication and decision-making that occurs in these meetings.

91
MCQ · easy

An IS auditor is reviewing the system development life cycle (SDLC) methodology. Which phase should include the development of detailed test plans?

A. Requirements definition.
B. System design.
C. Coding and unit testing.
D. User acceptance testing.
Answer: B

Design phase specifies how the system will work, enabling detailed test plans.

Why this answer

Detailed test plans should be developed during the system design phase because this is when the system's architecture, interfaces, and data flows are fully specified. Creating test plans at this stage ensures that tests are aligned with the design specifications and can validate that the implemented system meets the intended technical requirements, rather than waiting until after coding.

Exam trap

The trap here is that candidates confuse the creation of test plans with the execution of tests, incorrectly assuming that test plans are written during user acceptance testing or coding, when in fact they are a design-phase deliverable that drives all subsequent testing activities.

How to eliminate wrong answers

Option A is wrong because the requirements definition phase focuses on gathering and documenting business and functional requirements, not on the technical design details needed to create specific test cases. Option C is wrong because coding and unit testing occur after the test plans are developed; unit tests are typically created by developers during coding, not as part of a formal detailed test plan. Option D is wrong because user acceptance testing is the final validation phase where users execute pre-defined test scripts, not the phase where detailed test plans are originally authored.

92
MCQ · hard

A government agency is developing a case management system for law enforcement. The project follows an agile approach, releasing iterations every two weeks. During a sprint demo, users discover that the system does not redact personally identifiable information (PII) in documents shared with external parties, violating privacy laws. The development team says they planned to add redaction in a future sprint. The product owner wants to prioritize PII redaction immediately. The project manager is concerned that this will disrupt the release schedule. The IS auditor is assessing the project's risk management. Which of the following is the BEST recommendation?

A. Implement network-level restrictions to prevent external sharing.
B. Provide users with training on manual redaction as a workaround.
C. Re-estimate the sprint and include PII redaction as a top priority, adjusting the schedule accordingly.
D. Document the risk and accept the compliance exposure until the planned sprint.
Answer: C

Balances compliance and schedule.

Why this answer

Option C is correct because it aligns with agile risk management principles: when a critical compliance vulnerability (PII exposure) is discovered, the highest-priority user story must be re-estimated and inserted into the current sprint backlog, even if it means adjusting the release schedule. The IS auditor’s focus is on ensuring that the risk is actively mitigated, not deferred, and re-prioritization is the standard agile response to newly identified high-severity risks.

Exam trap

The trap here is that candidates may confuse risk acceptance (Option D) with a valid agile practice, but the IS auditor must prioritize compliance over schedule, and deferring a legal violation is not acceptable risk management when a feasible mitigation exists.

How to eliminate wrong answers

Option A is wrong because network-level restrictions (e.g., firewall rules or DLP policies) do not address the core requirement of redacting PII within documents; they only block the sharing channel at the network boundary, which is an incomplete and overly restrictive workaround that could hinder legitimate law enforcement data sharing. Option B is wrong because training users on manual redaction introduces human error, is not scalable, and does not provide an auditable, automated control for PII protection, which is required for compliance with privacy laws. Option D is wrong because accepting compliance exposure by deferring the fix to a future sprint violates the principle of timely risk mitigation; an IS auditor would not recommend accepting a known legal violation without a compensating control, especially when the risk is high and the fix is feasible.

93
MCQ · easy

An organization is planning to replace its legacy accounting system with a commercial off-the-shelf (COTS) software package. Which of the following is the PRIMARY risk of using a COTS solution?

A. The total cost of ownership is likely to be higher than custom development
B. The software may not fully align with the organization's business processes
C. The software may have inherent security vulnerabilities
D. Vendor support may be discontinued after a few years
Answer: B

COTS is generic; customization may be limited or costly.

Why this answer

The primary risk of a COTS solution is that it is designed for a broad market and may not fully align with the organization's specific business processes. This misalignment can force the organization to change its workflows or perform costly customizations, which can negate the benefits of a packaged solution and introduce project delays or failures.

Exam trap

The trap here is that candidates often focus on security or vendor support as the primary risk, but the CISA exam emphasizes that the most immediate and impactful risk in COTS acquisition is the mismatch between the software's capabilities and the organization's business processes.

How to eliminate wrong answers

Option A is wrong because COTS solutions typically have a lower total cost of ownership than custom development, as development, testing, and maintenance costs are shared across many customers. Option C is wrong because, while security vulnerabilities are a concern, they are not the primary risk; COTS vendors often have dedicated security teams and patch cycles, whereas custom code may have more undetected flaws. Option D is wrong because vendor support discontinuation is a risk, but it is a secondary, longer-term risk that can be mitigated through escrow agreements or transition plans, whereas business process misalignment directly threatens project success from the start.

94
MCQ · easy

Refer to the exhibit. A developer is inserting a new employee record. What is the cause of this error?

A. The column 'email' does not exist
B. The email 'john.doe@example.com' already exists in the table
C. The table is full
D. The employee_id 101 already exists
Answer: B

Unique constraint violation.

Why this answer

The error message indicates a violation of a UNIQUE constraint on the 'email' column. The INSERT statement attempts to add 'john.doe@example.com', but that value already exists in the table. The database rejects the operation because the constraint ensures no duplicate email addresses are allowed.

Exam trap

The trap here is that candidates may misread the error message and assume it refers to a primary key violation (employee_id) rather than recognizing the specific wording of a UNIQUE constraint violation on the email column.

How to eliminate wrong answers

Option A is wrong because the error message explicitly references a UNIQUE constraint violation, not a missing column; if the column did not exist, the error would be 'column not found' or similar. Option C is wrong because a full table would produce a 'table is full' or disk-full error, not a constraint violation. Option D is wrong because the error message does not mention a primary key or unique constraint on employee_id; the violation is specifically on the email column, not the employee_id.

95
MCQhard

A company has been developing a custom inventory management system using Scrum. In the current sprint, the team discovered that the integration module with the legacy ERP system has severe performance issues: under peak load, transactions time out and fail. The product owner is concerned because the release is scheduled in two weeks. The development team estimates that a proper fix will take three weeks. A similar issue occurred in a previous sprint and was temporarily resolved by reducing the number of concurrent transactions, which lowered performance but kept the system operational. The stakeholders are anxious about the deadline because the legacy ERP will be retired shortly after the planned go-live. What is the BEST action for the team to take?

A.Reduce the scope of the release to exclude the ERP integration feature entirely
B.Delay the release by one week to complete the proper fix (three weeks total)
C.Add two additional developers to the team to complete the fix within the original two-week timeline
D.Apply the same workaround for the go-live and plan a permanent fix in a later release
AnswerB

A one-week delay allows a proper fix, ensuring system reliability.

Why this answer

Option B is correct because delaying the release by one week allows the team to implement a proper, permanent fix for the ERP integration module's performance issue, which is critical given that the legacy ERP will be retired shortly after go-live. A temporary workaround would risk system instability and transaction failures under peak load, potentially causing data loss or corruption during the transition. The three-week estimate for a proper fix addresses the root cause, ensuring the system can handle peak loads reliably before the legacy system is decommissioned.

Exam trap

The trap here is that candidates may choose Option D (workaround) because it seems pragmatic and avoids delaying the release, but they fail to recognize that the legacy ERP's imminent retirement makes a later permanent fix impossible, leaving the system with a critical, unresolved performance flaw.

How to eliminate wrong answers

Option A is wrong because completely excluding the ERP integration feature would render the inventory management system unable to communicate with the legacy ERP, breaking core business functionality and likely making the release unusable. Option C is wrong because adding two developers to a Scrum team mid-sprint typically disrupts velocity, introduces ramp-up time, and does not linearly reduce development time for a complex performance fix; Brooks' law suggests this could delay rather than accelerate the fix. Option D is wrong because applying the same workaround (reducing concurrent transactions) would lower system performance and risk transaction timeouts under peak load, and with the legacy ERP being retired soon, there would be no opportunity for a later permanent fix, leaving the system vulnerable to failure.

96
MCQmedium

An IS auditor is reviewing a system development project and notices that user acceptance testing (UAT) is being conducted in the production environment due to lack of a separate test environment. What is the primary risk?

A.System availability issues
B.Performance degradation
C.Security breaches due to unauthorized access
D.Data integrity violations
AnswerC

UAT in production exposes sensitive data and may lead to breaches.

Why this answer

Conducting UAT in production exposes sensitive production data and live systems to test scripts and users who may not have proper authorization, creating a direct path for security breaches. Production environments typically have broader access controls and audit trails that are not designed to isolate test activities, increasing the risk of unauthorized data exposure or modification. This violates the principle of segregation of duties and can lead to compliance issues with standards like PCI DSS or HIPAA.

Exam trap

The trap here is that candidates focus on operational impacts like performance or availability, but the CISA exam emphasizes that the highest risk from using production for testing is the compromise of sensitive data and unauthorized access, not just system slowdowns.

How to eliminate wrong answers

Option A is wrong because system availability issues are a secondary concern; the primary risk is not that the system becomes unavailable but that unauthorized access or data leakage occurs. Option B is wrong because performance degradation is a potential side effect but not the primary risk; the core issue is the security and integrity of production data. Option D is wrong because while data integrity violations could occur, they are a consequence of unauthorized access or modification, not the primary risk itself; the root cause is the lack of a separate test environment leading to security breaches.

97
Multi-Selecteasy

Which TWO of the following are essential elements of a business continuity plan (BCP) for a newly developed system?

Select 2 answers
A.Testing schedule for the BCP
B.List of incident response team members
C.Detailed system architecture
D.Recovery time objectives (RTOs)
E.Backup and recovery procedures
AnswersD, E

RTOs define maximum acceptable downtime.

Why this answer

Recovery time objectives (RTOs) are essential because they define the maximum acceptable downtime for the system, directly driving the design of backup and recovery strategies. Without RTOs, the BCP cannot prioritize recovery actions or allocate resources effectively, making them a foundational element for any newly developed system.

Exam trap

The trap here is confusing operational components (testing schedule, incident response team) with the core strategic elements (RTOs and recovery procedures) that must be defined before a BCP can be considered complete for a new system.

98
MCQmedium

Refer to the exhibit. A cloud load balancer uses this JSON configuration. A request arrives from source IP 10.0.1.100 to port 80. Which backend pool will receive the request?

A.The request is dropped
B.backend-pool-1
C.The request is sent to both pools
D.backend-pool-2
AnswerA

No matching rule and no default.

Why this answer

The JSON configuration shows a load balancer rule that only forwards requests to backend-pool-1 when the source IP matches 10.0.1.0/24 AND the destination port is 80. The request from source IP 10.0.1.100 to port 80 satisfies both conditions, so it should be forwarded to backend-pool-1. However, the exhibit (not fully shown) likely includes a default deny or a missing rule for this specific combination, causing the request to be dropped.

Option A is correct because the configuration explicitly drops unmatched traffic.

Exam trap

ISACA often tests the misconception that a matching rule automatically forwards traffic, ignoring that a default deny or missing listener action can override the rule and drop the request.

How to eliminate wrong answers

Option B is wrong because backend-pool-1 is the intended target for this request based on the rule, but the exhibit's configuration (e.g., a missing listener or a default action) causes the request to be dropped instead. Option C is wrong because load balancers do not send a single request to multiple pools unless configured for multicast or anycast, which is not shown here; the rule specifies a single pool. Option D is wrong because backend-pool-2 is not matched by the source IP or port condition in the rule; it would only receive traffic from different source ranges or ports.

99
MCQmedium

An organization is acquiring a third-party SaaS application. Which of the following should be included in the contract to ensure data protection?

A.Right to audit the vendor's security practices
B.Service level agreement (SLA) for uptime
C.Data ownership and location specification
D.Data encryption clause for data at rest and in transit
AnswerA

Right to audit enables verification of data protection controls.

Why this answer

A right to audit the vendor's security practices is essential in a SaaS contract because it allows the organization to independently verify that the vendor's controls (e.g., access management, patch management, incident response) meet contractual and regulatory requirements. Without this clause, the organization must rely solely on the vendor's self-assessments or third-party reports like SOC 2, which may not cover all relevant risks or may be outdated. This right is a key mechanism for ensuring ongoing data protection in a shared responsibility model.

Exam trap

The trap here is that candidates often choose a specific technical control like encryption (Option D) because it seems directly related to data protection, but they overlook that the right to audit is the overarching governance mechanism that ensures all controls, including encryption, are actually implemented and effective.

How to eliminate wrong answers

Option B is wrong because an SLA for uptime addresses service availability, not data protection; it does not cover confidentiality, integrity, or security controls. Option C is wrong because data ownership and location specification, while important for compliance (e.g., GDPR), does not by itself ensure that the vendor implements adequate security measures to protect the data. Option D is wrong because a data encryption clause for data at rest and in transit is a necessary security requirement but is insufficient on its own; it does not provide the organization with a mechanism to verify that encryption is properly implemented or that other critical controls (e.g., key management, access controls) are in place.

100
MCQmedium

Refer to the exhibit. A tester executes test case TC-101 and records the result shown. What is the NEXT appropriate step in the testing process?

A.Re-run the test case after the defect is fixed
B.Create a new test case to cover the error
C.Update the requirements to reflect the actual behavior
D.Log a defect in the defect tracking system
AnswerD

The discrepancy indicates a defect that should be logged for resolution.

Why this answer

The tester executed TC-101 and observed a result that deviates from the expected behavior, indicating a defect. The immediate next step in the structured testing process is to log the defect in the defect tracking system to formally document the issue, assign severity, and initiate the resolution workflow. This aligns with the CISA testing lifecycle, where defects are captured before any re-testing or requirement changes.

Exam trap

The trap here is that candidates may think re-running the test (Option A) is the logical next step, but CISA emphasizes that defects must be formally logged before any remediation actions to maintain audit trail and process integrity.

How to eliminate wrong answers

Option A is wrong because re-running the test case after a fix is premature; the defect must first be logged and triaged before any fix is applied. Option B is wrong because creating a new test case to cover the error is not the immediate next step; the existing test case already exposes the defect, and additional coverage is handled after defect logging. Option C is wrong because updating requirements to reflect actual behavior would incorrectly treat a defect as a feature, violating the principle that requirements drive expected outcomes, not the other way around.

101
MCQeasy

When implementing a commercial off-the-shelf (COTS) software package, which of the following is the MOST important activity to ensure the software meets business requirements?

A.Conducting a vendor demonstration
B.Developing a project plan with milestones
C.Performing a gap analysis between requirements and software features
D.Reviewing the software's technical architecture
AnswerC

Directly addresses requirements coverage.

Why this answer

Performing a gap analysis is the most important activity because it systematically maps each business requirement against the COTS software's delivered features, identifying any shortfalls that must be addressed through configuration, customization, or process adaptation. Without this structured comparison, the organization risks deploying software that fails to support critical business processes, leading to costly rework or project failure.

Exam trap

The trap here is that candidates often confuse vendor demonstrations with functional validation, assuming a demo proves the software fits all requirements, when in reality demos are scripted and omit edge cases that a gap analysis would expose.

How to eliminate wrong answers

Option A is wrong because a vendor demonstration is a marketing tool that showcases the software under ideal conditions, not a rigorous method to verify that every specific business requirement is met; it cannot uncover gaps in functionality or data handling. Option B is wrong because developing a project plan with milestones is a project management activity that ensures tasks are scheduled and tracked, but it does not directly assess whether the software's features align with business needs. Option D is wrong because reviewing the software's technical architecture focuses on infrastructure, scalability, and security design, not on functional fit; a technically sound system can still completely miss key business requirements.

102
MCQhard

An IS auditor is reviewing the change management process for a financial institution. The auditor finds that emergency changes bypass normal approval but are documented and reviewed within 48 hours. Which of the following is the BEST recommendation?

A.Require a second administrator to approve during the emergency.
B.Implement a risk classification for changes and apply controls accordingly.
C.Increase the frequency of post-implementation reviews to every 24 hours.
D.Require all emergency changes to be approved by the change advisory board (CAB) before implementation.
AnswerB

Risk classification allows appropriate control for each change type.

Why this answer

Option B is correct because implementing a risk classification for changes allows the organization to apply appropriate controls based on the change's impact and urgency. Emergency changes inherently require speed, but a risk-based approach ensures that high-risk emergency changes receive more stringent controls (e.g., mandatory peer review) while low-risk changes can proceed with lighter oversight. This balances security with operational agility, which is critical in a financial institution where system availability and data integrity are paramount.

Exam trap

The trap here is that candidates assume all emergency changes must be treated equally and thus focus on adding more approval steps (A or D) or increasing review frequency (C), rather than recognizing that a risk-based classification is the most effective and efficient control to address varying levels of risk in emergency changes.

How to eliminate wrong answers

Option A is wrong because requiring a second administrator to approve during the emergency introduces a bottleneck that defeats the purpose of an emergency change process, which is to rapidly address critical incidents; it also does not address the root issue of varying risk levels across changes. Option C is wrong because increasing post-implementation reviews to every 24 hours does not solve the lack of pre-implementation controls for emergency changes; it only adds administrative overhead without ensuring that high-risk changes are properly vetted before deployment. Option D is wrong because requiring all emergency changes to be approved by the CAB before implementation is impractical for true emergencies, as CAB meetings are typically scheduled and cannot convene instantly; this would delay critical fixes and potentially cause service outages or security breaches.

103
MCQmedium

During system development, the project team discovers that the original requirements are incomplete. What is the BEST course of action?

A.Formally document the new requirements and follow the change management process
B.Inform the steering committee and continue as planned
C.Proceed with development and address changes during maintenance
D.Halt the project until all requirements are finalized
AnswerA

Change management ensures proper evaluation and approval of new requirements.

Why this answer

Option A is correct because formally documenting new requirements and following the change management process ensures that all changes are controlled, assessed for impact on scope, budget, and schedule, and approved by stakeholders. This aligns with the systems development lifecycle (SDLC) best practices and the ISACA standard for managing requirements changes, preventing scope creep and maintaining project integrity.

Exam trap

The trap here is that candidates often choose Option D (halting the project) because they assume all requirements must be fully finalized before development, but the CISA exam emphasizes that change management is the appropriate mechanism to handle evolving requirements without stopping the project entirely.

How to eliminate wrong answers

Option B is wrong because simply informing the steering committee without formally documenting and processing the new requirements through change management bypasses the necessary impact analysis and approval controls, risking unauthorized scope changes. Option C is wrong because deferring requirement changes to maintenance violates the principle of early defect detection and correction; addressing changes during maintenance is significantly more costly and can introduce technical debt and security vulnerabilities. Option D is wrong because halting the project entirely is an overreaction; incomplete requirements are common, and the proper response is to manage them through a structured change control process, not to stop all progress.

104
MCQeasy

A company is implementing a new customer relationship management (CRM) system. The project team is currently defining user roles and permissions. Which of the following is the PRIMARY reason to enforce segregation of duties (SoD) within the CRM?

A.To reduce the risk of fraud and errors
B.To ensure data accuracy and completeness
C.To comply with regulatory requirements
D.To improve system performance and efficiency
AnswerA

SoD ensures no single individual has control over two or more phases of a transaction, reducing fraud and error risk.

Why this answer

Segregation of duties (SoD) in a CRM system is primarily enforced to prevent a single user from having conflicting capabilities, such as creating a customer record and also approving credit limits or processing refunds. Without SoD, an employee could both initiate and approve a fraudulent transaction, directly increasing the risk of fraud and undetected errors. While SoD can indirectly support data accuracy and compliance, the primary control objective is risk reduction through separation of conflicting functions.

Exam trap

The trap here is that candidates often choose 'compliance' (Option C) because SoD is a common regulatory requirement, but the question asks for the PRIMARY reason, which is the fundamental control objective of reducing fraud and error risk, not the secondary benefit of meeting external mandates.

How to eliminate wrong answers

Option B is wrong because ensuring data accuracy and completeness is a goal of input validation, data quality controls, and reconciliation processes, not the primary reason for enforcing SoD. Option C is wrong because while SoD may help meet regulatory requirements (e.g., SOX, GDPR), compliance is a secondary benefit; the primary reason is to reduce the risk of fraud and errors inherent in the system's design. Option D is wrong because SoD typically adds process steps and approval workflows, which can reduce system performance and efficiency, not improve them.

105
MCQhard

Refer to the exhibit. An IS auditor is reviewing the architecture. Which of the following is the MOST critical security weakness?

A.Application servers can initiate outbound internet connections.
B.The use of TLS between tiers.
C.Centralized logging to a SIEM.
D.Lack of encryption on the database server.
AnswerA

This bypasses security controls and can be exploited.

Why this answer

Option A is correct because allowing application servers to initiate outbound connections to the internet is a common attack vector (e.g., for command and control). Option C is acceptable; B is not a weakness; D is not mentioned or required.

106
MCQmedium

A company is implementing a new ERP system. The project team plans to use a parallel conversion strategy. What is the PRIMARY advantage of this approach?

A.Immediate realization of benefits from the new system.
B.Risk mitigation by allowing fallback to the old system.
C.Lower total cost due to reduced training requirements.
D.Faster implementation compared to phased approach.
AnswerB

The main benefit is risk reduction via fallback capability.

Why this answer

The primary advantage of a parallel conversion strategy is risk mitigation. By running the new ERP system alongside the old system for a period, the organization can validate the new system's functionality and data integrity while retaining the ability to immediately fall back to the legacy system if critical failures occur. This approach ensures business continuity and reduces the impact of unforeseen issues during the transition.

Exam trap

The trap here is that candidates often confuse parallel conversion with phased conversion, mistakenly believing that parallel conversion is faster or cheaper, when in fact its primary value is risk reduction through fallback capability.

How to eliminate wrong answers

Option A is wrong because immediate realization of benefits is not a characteristic of parallel conversion; benefits are delayed until the new system is fully validated and the old system is decommissioned. Option C is wrong because parallel conversion typically increases total cost due to the need to operate and maintain both systems simultaneously, and training requirements are not reduced—staff must learn the new system while still using the old one. Option D is wrong because parallel conversion is generally slower than a phased approach, as it requires a full cutover after a parallel run, whereas a phased approach rolls out functionality incrementally.

107
MCQeasy

What is the PRIMARY purpose of conducting a feasibility study before acquiring a new information system?

A.To define detailed system requirements
B.To select a vendor through a bidding process
C.To assess the technical, operational, and economic viability
D.To determine the total cost of ownership
AnswerC

The primary purpose is to evaluate viability.

Why this answer

The primary purpose of a feasibility study is to evaluate whether a proposed information system is technically achievable, operationally compatible with existing processes, and economically justified before committing resources. This upfront assessment prevents investment in systems that cannot be successfully implemented or sustained, directly addressing risk management in the acquisition lifecycle.

Exam trap

The trap here is that candidates confuse the feasibility study with later phases like requirements gathering or vendor selection, leading them to pick A or B, when the core CISA focus is on the study's role as a go/no-go decision gate based on viability assessment.

How to eliminate wrong answers

Option A is wrong because defining detailed system requirements occurs after the feasibility study, typically during the requirements analysis phase, not as the primary purpose of the feasibility study. Option B is wrong because vendor selection through a bidding process happens later in the procurement cycle, after the feasibility study confirms the project is viable and requirements are defined. Option D is wrong because determining total cost of ownership is a component of the economic viability assessment within the feasibility study, not the primary purpose; the study must also evaluate technical and operational factors.

108
MCQmedium

An organization is developing a web application using an Agile methodology. The security team wants to integrate security testing early in the development lifecycle. Which of the following is the BEST approach to achieve this?

A.Implement static application security testing (SAST) in the continuous integration pipeline
B.Conduct a penetration test after each sprint
C.Schedule an annual vulnerability scan of the production environment
D.Perform dynamic application security testing (DAST) on deployed builds
AnswerA

SAST scans source code and can be integrated into CI to find vulnerabilities early.

Why this answer

Integrating SAST into the CI pipeline allows automated scanning of source code for vulnerabilities (e.g., SQL injection, XSS) as code is committed, aligning with Agile's iterative development. This shift-left approach catches flaws early, reducing remediation cost and effort compared to later stages.

Exam trap

The trap here is confusing 'early testing' with any security test performed during development, but only SAST in the CI pipeline provides automated, continuous analysis at the code level before builds are deployed.

How to eliminate wrong answers

Option B is wrong because penetration testing after each sprint is too late for early integration; it occurs after code is built and deployed, missing the opportunity to find issues during development. Option C is wrong because an annual vulnerability scan of production is far too infrequent and occurs post-deployment, violating the goal of early lifecycle testing. Option D is wrong because DAST on deployed builds tests the running application, which is still a later-stage activity and does not provide the same early feedback as source-level analysis.

109
Matchingmedium

Match each type of access control to its definition.


Owner determines access permissions

System-enforced based on labels

Roles assigned to users

Attributes used to grant access

Why these pairings

Access control models are tested frequently.

110
Multi-Selecteasy

During a data migration from a legacy system to a new ERP, the following log entries were generated. Which TWO issues should the IS auditor flag as high risk?

Select 2 answers
A.Source system downtime
B.Rapid growth of rollback segment
C.Constraint violation due to missing parent records
D.Duplicate key violation
E.Data type mismatch between source and target
AnswersC, D

This error indicates a foreign key violation where a parent record is missing, compromising referential integrity.

Why this answer

Option C is correct because a constraint violation due to missing parent records indicates a referential integrity failure. In a data migration, this means child records are being inserted without their corresponding parent records, which can cause orphaned data and application logic errors. This is a high-risk issue as it compromises data consistency and may require complex reconciliation or rollback.

Exam trap

The trap here is that candidates often confuse operational issues (downtime, performance) with data integrity issues, or they underestimate the severity of referential integrity and duplicate key violations during migration.

111
MCQmedium

A company is migrating its on-premises data center to a public cloud provider. Which of the following is the MOST important control to implement before migration to ensure data security?

A.Enable multi-factor authentication (MFA) for all cloud accounts
B.Deploy a cloud access security broker (CASB)
C.Establish a virtual private network (VPN) between on-premises and cloud
D.Implement data encryption at rest and in transit
AnswerD

Encryption ensures data confidentiality and integrity during and after migration.

Why this answer

Data encryption at rest and in transit is the most important control before migration because it protects sensitive data from exposure during the transfer process and after it is stored in the cloud. Without encryption, data could be intercepted over the network or accessed by unauthorized parties in the cloud provider's infrastructure. This control directly addresses the core risk of data leakage during and after migration, which is a fundamental security requirement.

Exam trap

The trap here is that candidates often choose a VPN (Option C) thinking it fully secures data during migration, but they overlook that encryption at rest is equally critical and that a VPN only protects data in transit, not after it is stored in the cloud.

How to eliminate wrong answers

Option A is wrong because enabling MFA for cloud accounts is an important identity and access management control, but it does not protect data during the migration process itself or while at rest in the cloud. Option B is wrong because deploying a CASB is a monitoring and policy enforcement tool for cloud usage, but it is not a prerequisite for securing data during migration and does not provide the foundational encryption needed. Option C is wrong because establishing a VPN between on-premises and cloud secures the network channel during transit, but it does not address data at rest in the cloud, nor does it protect against threats within the cloud environment.

112
MCQhard

A project uses a waterfall model. After design, the team discovers that the requirements have changed significantly. What is the BEST action?

A.Cancel the project and start over
B.Update the requirements and proceed with the design revision
C.Continue with original requirements as planned
D.Switch to an agile methodology for the remainder of the project
AnswerB

Updating requirements and adjusting design is necessary to ensure the final product aligns with current needs.

Why this answer

Option B is correct because in a waterfall model, the most practical approach is to update the requirements and proceed to incorporate the changes, accepting some rework. Continuing with outdated requirements (C) leads to an irrelevant product; switching to agile mid-project (D) may cause process disruption; canceling (A) is drastic unless the changes are infeasible.

113
MCQmedium

During the acquisition of a new software package, the procurement team evaluates two vendors. Vendor A offers a lower upfront cost but higher annual maintenance fees. Vendor B has a higher upfront cost but includes three years of maintenance. What is the MOST important factor for the IS auditor to consider?

A.The upfront cost of each vendor.
B.The vendor's market reputation.
C.The total cost of ownership over the expected life of the system.
D.The organization's budget constraints.
AnswerC

TCO gives a comprehensive cost comparison.

Why this answer

Option C is correct because total cost of ownership (TCO) captures all costs over the system's life, providing a true comparison. Option A is wrong because upfront cost alone is misleading. Option B is wrong because the vendor's market reputation is important but not the most critical factor for cost comparison.

Option D is wrong because the auditor should not make the decision; they should advise on cost analysis.

114
MCQmedium

During the implementation of a new ERP system, the project team discovers that the legacy system data cannot be directly migrated due to incompatible data formats. The project manager proposes building a custom script to extract, transform, and load (ETL) data. Which of the following is the BEST course of action?

A.Manually re-enter all legacy data into the new system.
B.Delay the implementation until a commercial migration tool is available.
C.Proceed with the custom ETL script after thorough testing and validation.
D.Abandon the legacy data and start fresh in the new system.
AnswerC

Custom ETL is appropriate with proper validation.

Why this answer

Option C is correct because building a custom ETL script is a common and acceptable approach when legacy data formats are incompatible with a new ERP system. The key is that the script must undergo thorough testing and validation to ensure data integrity, completeness, and accuracy before migration. This balances the need for timely implementation with the risk of data corruption, which can be mitigated through rigorous quality assurance processes.

Exam trap

The trap here is that candidates may assume custom scripts are inherently risky and choose to delay or abandon data, failing to recognize that with proper testing and validation, custom ETL is a standard and effective solution for incompatible data formats.

How to eliminate wrong answers

Option A is wrong because manual re-entry is error-prone, time-consuming, and impractical for large datasets, violating the principle of data integrity and efficiency in system implementation. Option B is wrong because delaying the implementation for a commercial migration tool is unnecessary when a custom ETL script can be developed and validated in a shorter timeframe, and commercial tools may still require customization for unique legacy formats. Option D is wrong because abandoning legacy data can lead to loss of critical historical records, operational continuity issues, and potential compliance violations, making it a high-risk and generally unacceptable approach.

115
MCQmedium

An IS auditor is reviewing the configuration for a web application. Which of the following is the MOST significant security weakness?

A.The authentication method is Basic
B.Session timeout is set to 600 seconds (10 minutes)
C.The base URL uses HTTPS
D.Encryption uses SSL instead of TLS
AnswerA

Basic authentication sends credentials in plain text if not over TLS; even with TLS, it's weaker than digest or certificate-based.

Why this answer

Basic authentication transmits credentials in Base64-encoded plaintext over the network, which is trivially decoded and captured by any attacker with access to the traffic. Even when used over HTTPS, the credentials are exposed in the browser's cache and server logs, making this the most significant weakness among the options.

Exam trap

The trap here is that candidates often focus on the deprecated SSL protocol (Option D) as the most significant weakness, overlooking that Basic authentication exposes credentials in a trivially reversible format regardless of the transport layer security.

How to eliminate wrong answers

Option B is wrong because a 600-second (10-minute) session timeout is within acceptable limits for many web applications and does not represent a critical security weakness. Option C is wrong because using HTTPS for the base URL is a security best practice, not a weakness. Option D is wrong because while SSL is deprecated and TLS is preferred, using SSL instead of TLS is a configuration weakness but is less severe than transmitting credentials in plaintext via Basic authentication.

116
MCQmedium

During user acceptance testing (UAT) of a new financial system, users report that the system fails to enforce a segregation of duties rule where the same user should not be able to create a purchase order and approve it. The requirement was documented in the functional specifications. Which of the following is the MOST likely cause of this issue?

A.Performance testing was prioritized over functional testing.
B.The functional requirements were incomplete.
C.The requirements were ambiguous and misinterpreted by developers.
D.The system was not configured to enforce the control.
AnswerD

The system likely has the capability but was not properly configured.

Why this answer

Option D is correct because the segregation of duties (SoD) rule is a functional control that must be explicitly configured in the system's authorization or workflow engine. Since the requirement was documented in the functional specifications, the most likely cause is that the system was not configured to enforce the control, meaning the access control list (ACL) or role-based access control (RBAC) settings did not prevent the same user from both creating and approving a purchase order.

Exam trap

The trap here is that candidates may assume the issue is due to incomplete or ambiguous requirements (options B or C) when the requirement was clearly documented, but the real cause is a failure to configure the control in the system's security settings.

How to eliminate wrong answers

Option A is wrong because performance testing focuses on system responsiveness and throughput, not on functional controls like segregation of duties; prioritizing performance testing over functional testing would not directly cause a missing SoD enforcement. Option B is wrong because the requirement was documented in the functional specifications, so the functional requirements were complete; the issue is not incompleteness but a failure in implementation or configuration. Option C is wrong because the requirement to prevent the same user from creating and approving a purchase order is unambiguous and not open to misinterpretation; the developers likely understood the requirement but did not configure the system to enforce it.

117
MCQeasy

An organization is replacing its legacy customer relationship management (CRM) system. Which of the following is the MOST important control to ensure data integrity during the data conversion process?

A.Perform reconciliation of total record counts and key field sums before and after conversion.
B.Implement encryption for data in transit during migration.
C.Conduct user acceptance testing on the new system.
D.Ensure data mapping documents are approved by business owners.
AnswerA

Reconciliation verifies accuracy and completeness of data conversion.

Why this answer

Option A is correct because reconciliation and validation ensure that all records are accurately and completely transferred. Option B is wrong because encryption in transit is a security control, not a data integrity control. Option C is wrong because user acceptance testing is about functionality, not conversion accuracy. Option D is wrong because approved data mapping documents support completeness of the mapping but do not verify the accuracy of the converted data.

118
MCQhard

During data conversion from a legacy system to a new ERP, the project team decides to clean data during extraction but not during loading. What is the PRIMARY risk associated with this approach?

A.Data integrity issues may remain undetected in the target system.
B.The legacy system performance may degrade.
C.The project may exceed its budget due to rework.
D.The conversion process will be significantly slower.
AnswerA

Errors can be introduced after extraction, so cleaning only at source is insufficient.

Why this answer

Cleaning data only during extraction and not during loading means that any data quality issues introduced during the extraction process or that become apparent only after mapping to the target schema will not be caught. This creates a primary risk that data integrity issues—such as referential integrity violations, duplicate keys, or format mismatches—will remain undetected in the new ERP system, potentially corrupting business operations and reporting.

Exam trap

The trap here is that candidates focus on operational concerns like speed or cost, rather than the core IS audit principle that data integrity is the paramount risk when data is not validated at the final point of entry into the target system.

How to eliminate wrong answers

Option B is wrong because legacy system performance degradation is not a primary risk of the data cleaning approach; it is more related to the extraction method (e.g., full table scans) rather than the cleaning phase. Option C is wrong because while rework could occur, the primary risk is not budget overrun but undetected data integrity issues that could cause systemic failures. Option D is wrong because cleaning during extraction can actually slow the extraction process, but the question asks about the primary risk, and performance speed is secondary to data integrity.

119
MCQhard

An IS auditor is evaluating a system development project that uses an outsourced team. The contract allows the vendor to reuse some of the developed code in other projects. What is the auditor's PRIMARY concern?

A.The vendor might not deliver on time.
B.The organization may lose control of intellectual property.
C.The vendor may not maintain the code after the project ends.
D.The vendor may use substandard development practices.
AnswerB

Reuse rights could dilute exclusivity and security control.

Why this answer

The contract clause allowing the vendor to reuse developed code in other projects directly transfers ownership or licensing rights of the intellectual property (IP) to the vendor. This means the organization may lose exclusive control over the code, potentially allowing competitors to access proprietary logic or algorithms. The IS auditor's primary concern is safeguarding the organization's IP assets, as this loss can have long-term strategic and competitive implications.

Exam trap

The trap here is that candidates focus on operational risks (delays, maintenance, quality) rather than the contractual and legal risk of losing intellectual property rights, which is the auditor's primary concern when the vendor is explicitly allowed to reuse code.

How to eliminate wrong answers

Option A is wrong because delivery timelines are a project management risk, not the primary audit concern when IP reuse rights are granted; the contract clause directly addresses IP, not schedule. Option C is wrong because post-project maintenance is a separate contractual issue (e.g., SLA for support) and is not inherently tied to the vendor's right to reuse code; the auditor's focus is on ownership, not ongoing maintenance. Option D is wrong because substandard development practices are a quality risk that can be mitigated through code reviews and testing, but the explicit permission to reuse code is a direct IP concern, not a quality concern.

120
MCQeasy

When implementing a commercial off-the-shelf (COTS) system, what is the MOST important factor?

A.Customization to fit all requirements
B.Lowest total cost
C.Vendor reputation
D.Alignment with business processes with minimal modification
AnswerD

Minimal modification reduces risk and cost.

Why this answer

When implementing a commercial off-the-shelf (COTS) system, the most important factor is alignment with business processes with minimal modification. COTS systems are designed to provide standardized functionality; extensive customization undermines the core benefits of reduced cost, faster deployment, and easier vendor support. Modifying the COTS codebase creates a 'forked' version that complicates patch management, increases testing overhead, and risks incompatibility with future vendor updates, directly contradicting the acquisition rationale.

Exam trap

The trap here is that candidates confuse 'customization' (modifying source code) with 'configuration' (using built-in parameters), and mistakenly believe that tailoring the software to every requirement is the goal, when in fact minimizing modification is the key to preserving the COTS benefits of low cost and easy maintenance.

How to eliminate wrong answers

Option A is wrong because extensive customization of a COTS system negates its primary advantages—lower total cost of ownership, faster time-to-market, and simplified maintenance—by creating a unique codebase that requires custom testing, documentation, and support, often leading to vendor lock-in and upgrade failures. Option B is wrong because while total cost is a consideration, prioritizing the lowest initial cost can lead to hidden expenses from necessary modifications, integration work, or poor vendor support; the most important factor is ensuring the COTS product fits business processes to avoid costly rework. Option C is wrong because vendor reputation is secondary to functional fit; a reputable vendor's product that requires heavy customization will still incur significant long-term costs and risks, whereas a less-known vendor with a product that aligns closely with business needs can deliver greater value.

121
MCQhard

What is the primary security concern in this architecture?

A.Traffic between application and database servers is not encrypted
B.Web servers are directly accessible from the internet
C.Database port is exposed to application servers
D.Lack of intrusion detection
AnswerA

Sensitive data in transit should be encrypted.

Why this answer

The primary security concern is that traffic between the application and database servers is not encrypted. In a typical three-tier web architecture, sensitive data such as authentication credentials, SQL queries, and result sets are transmitted in cleartext if TLS/SSL is not enforced between the application layer and the database layer. This exposes the data to eavesdropping or man-in-the-middle attacks on the internal network, which is a direct violation of the principle of defense in depth and common compliance requirements like PCI DSS or HIPAA.

Exam trap

The trap here is that candidates often focus on perimeter defenses (like web server exposure) or operational controls (like intrusion detection) instead of recognizing that unencrypted internal traffic between trusted tiers is a critical and often overlooked vulnerability in application architecture.

How to eliminate wrong answers

Option B is wrong because web servers being directly accessible from the internet is a standard and expected design in a three-tier architecture; they are placed in a DMZ and are meant to serve public traffic, so this is not a primary security concern. Option C is wrong because exposing the database port (e.g., TCP 3306 for MySQL or 1433 for MSSQL) to application servers is necessary for the application to function; the risk is mitigated by firewall rules and network segmentation, not by hiding the port. Option D is wrong because lack of intrusion detection is a monitoring deficiency, not the primary security concern; while important, it is a detective control, whereas the unencrypted traffic is a direct exposure of data in transit.

122
Multi-Selectmedium

Which THREE of the following are best practices for managing system testing in an IS development project?

Select 3 answers
A.Create test data that mirrors production data.
B.Perform testing in an environment identical to production.
C.Implement automated regression tests for critical functions.
D.Use an independent test team separate from developers.
E.Developers should test their own code thoroughly.
AnswersA, C, D

Realistic test data uncovers more issues.

Why this answer

Creating test data that mirrors production data is a best practice because it ensures that the test environment closely reflects real-world data volumes, distributions, and edge cases. This approach helps uncover defects that might only appear under production-like data conditions, such as performance bottlenecks, data integrity issues, or boundary value errors. It also validates that the system handles the actual data formats and constraints it will encounter in production.

Exam trap

The trap here is that candidates may assume a production-identical environment is always a best practice, but the CISA exam emphasizes cost-benefit analysis and practical constraints, making 'identical' too absolute; instead, the focus is on using a representative environment and independent testing to ensure quality.

123
Multi-Selecteasy

Which TWO of the following are benefits of using a version control system in software development?

Select 2 answers
A.Generate test cases
B.Eliminate all bugs
C.Automate deployment
D.Rollback to previous versions
E.Track changes made by developers
AnswersD, E

Core feature.

Why this answer

Option D is correct because version control systems (e.g., Git, SVN) allow developers to revert code to a previous commit or tag, enabling recovery from bugs or regressions. This rollback capability is a core feature that preserves the history of the codebase and supports safe experimentation.

Exam trap

The trap here is that candidates confuse version control with CI/CD or testing tools, mistakenly thinking VCS can automate deployment or generate test cases, when its primary purpose is change tracking and history management.

124
Multi-Selecteasy

Which THREE of the following are typical phases in the system development life cycle (SDLC)?

Select 3 answers
A.Unit testing.
B.Implementation.
C.Patch management.
D.Requirements analysis.
E.Design.
AnswersB, D, E

Implementation phase involves coding, testing, and deployment.

Why this answer

Implementation is a standard phase in the SDLC where the designed system is built, coded, and deployed into the production environment. This phase follows design and precedes testing and maintenance, ensuring the solution is operational and meets the specified requirements.

Exam trap

The trap here is confusing operational activities like patch management or specific testing techniques with the high-level phases of the SDLC, leading candidates to select activities that occur post-deployment or are sub-steps of a phase.

125
Multi-Selectmedium

An IS auditor is evaluating the controls over program changes. Which TWO of the following are essential controls?

Select 2 answers
A.Management authorization for the change
B.Documented change request
C.Automated deployment scripts
D.Regression testing of all changes
E.Post-change review by independent party
AnswersA, B

Authorization ensures changes are approved by appropriate parties.

Why this answer

Options A and B are correct because documented change requests and management authorization are fundamental to ensure changes are controlled and approved. Option C is not essential as automation is a tool, not a control. Option D is a good practice but not essential for authorization. Option E is a testing control, not directly an authorization control.

126
MCQhard

You are the IT audit manager for a multinational corporation. The company recently implemented a new enterprise resource planning (ERP) system using a phased rollout approach. The first phase (finance module) was deployed to three regional offices six months ago. During a post-implementation review, you discovered that the user acceptance testing (UAT) for the finance module was completed in only two days instead of the planned two weeks. The UAT was performed by a small group of power users selected by the project manager, and they reported no critical issues. However, after go-live, several finance staff in one region found that the system does not support a statutory reporting requirement specific to that country, which was not tested. The project manager argues that the requirement was never documented in the business requirements specification. The system has been live for six months, and the missing functionality requires a significant customization that will take three months and cost $200,000. Management is reluctant to fund the customization because the budget is exhausted. As the IT auditor, what is the BEST course of action?

A.Report the project manager to senior management for failing to include the requirement
B.Recommend that the organization accept the risk and proceed without the customization
C.Advise the project manager to retroactively document the requirement and request a change order for the customization
D.Recommend that management implement a formal UAT process with representatives from all regions and include a checklist of statutory requirements for future rollouts
AnswerD

This addresses the root cause—inadequate UAT—and prevents similar issues in future phases.

Why this answer

Option D is correct because the root cause is a deficient UAT process, not just a missing requirement. A formal UAT process with representatives from all regions and a statutory requirements checklist would have caught the country-specific reporting need before go-live. As an IT auditor, recommending process improvements for future rollouts addresses the systemic control weakness, which is more effective than blaming individuals or accepting risk without remediation.

Exam trap

The trap here is that candidates focus on the missing requirement or blame the project manager, rather than recognizing that the core issue is a weak UAT process that failed to include all regional stakeholders and statutory requirements, which is a systemic control weakness the auditor should address.

How to eliminate wrong answers

Option A is wrong because the project manager correctly notes the requirement was never documented in the business requirements specification; reporting him without addressing the process gap does not fix the underlying UAT deficiency. Option B is wrong because accepting the risk of non-compliance with a statutory reporting requirement could lead to regulatory penalties, which is not a prudent recommendation for an auditor. Option C is wrong because retroactively documenting a requirement and requesting a change order after six months of live operation is a project management action, not an audit recommendation; it does not prevent recurrence and may not be feasible given budget exhaustion.

127
MCQeasy

During the feasibility study for a new inventory system, the project team identifies that the expected benefits are significantly lower than the initial estimates. What is the MOST appropriate action for the IS auditor to recommend?

A.Proceed with the project as planned, focusing on cost reduction.
B.Cancel the project immediately and document lessons learned.
C.Continue with the project but postpone the benefits realization.
D.Re-evaluate the feasibility study and update the business case.
AnswerD

Re-evaluation ensures accurate decision-making based on current data.

Why this answer

When expected benefits fall significantly below initial estimates, the IS auditor should recommend re-evaluating the feasibility study and updating the business case. This ensures that the project's justification is based on current, accurate data before proceeding, which is a key control in the systems development lifecycle (SDLC) to prevent investment in a project that may no longer deliver adequate value.

Exam trap

The trap here is that candidates may confuse the need for immediate project cancellation (Option B) with proper project governance, but the correct approach is to first re-evaluate the feasibility study to determine if the project can be salvaged with a revised business case.

How to eliminate wrong answers

Option A is wrong because proceeding as planned while focusing on cost reduction ignores the fundamental issue that the benefits no longer justify the investment, which could lead to a failed project. Option B is wrong because canceling the project immediately is premature without first reassessing the feasibility study and exploring whether the business case can be revised to reflect realistic benefits. Option C is wrong because continuing the project while postponing benefits realization does not address the root cause of the benefit shortfall and may result in wasted resources on a project that cannot achieve its intended objectives.

128
MCQmedium

Which of the following is the BEST method to ensure that a system development project is completed on time?

A.Regular status meetings
B.A realistic project schedule with milestones
C.Frequent scope changes
D.Use of a project management software
AnswerB

A realistic schedule with milestones provides a clear plan and tracking.

Why this answer

A realistic project schedule with milestones (Option B) is the best method because it establishes a time-phased plan with measurable checkpoints, enabling early detection of delays and facilitating proactive corrective actions. Without a realistic baseline, even the best tracking tools or meetings cannot prevent schedule overruns, as the schedule itself is the foundation for monitoring and controlling project progress.

Exam trap

The trap here is that candidates often confuse project management tools or meetings with the fundamental planning artifact (the schedule) that actually drives on-time delivery, leading them to select a supporting activity (like status meetings or software) instead of the core control mechanism.

How to eliminate wrong answers

Option A is wrong because regular status meetings are a communication tool, not a method to ensure on-time completion; they can identify issues but do not prevent schedule overruns without a realistic schedule to compare against. Option C is wrong because frequent scope changes directly increase project risk and often lead to schedule delays, scope creep, and resource reallocation, making on-time delivery less likely. Option D is wrong because project management software is an enabling tool that can help track progress but does not guarantee on-time completion; its effectiveness depends entirely on having a realistic schedule and disciplined change control.

129
MCQhard

An organization is developing a mobile app that will handle personal health information (PHI). The security team mandates that data must be encrypted both in transit and at rest. Which of the following implementation strategies BEST ensures compliance?

A.Use HTTPS for all network communication and store data in plaintext
B.Use SSL and encrypt all data with a simple XOR cipher
C.Rely on platform-level encryption provided by the mobile OS
D.Implement TLS for data in transit and AES-256 encryption for data at rest
AnswerD

Covers both requirements.

Why this answer

Option D is correct because it uses TLS (the modern, secure successor to SSL) to encrypt data in transit, ensuring confidentiality and integrity during network communication, and AES-256, a strong symmetric encryption standard, to encrypt data at rest. This combination directly satisfies the mandate for encryption both in transit and at rest, as TLS protects against eavesdropping and tampering on the wire, while AES-256 protects stored PHI from unauthorized access if the device is lost or compromised.

Exam trap

The trap here is that candidates may confuse 'platform-level encryption' (Option C) as sufficient, but the CISA exam tests the understanding that platform encryption does not cover data in transit and may not meet specific regulatory requirements for application-layer encryption at rest.

How to eliminate wrong answers

Option A is wrong because storing data in plaintext violates the mandate for encryption at rest, leaving PHI exposed if the device is lost or the storage is accessed. Option B is wrong because SSL (deprecated in favor of TLS) is insecure, and a simple XOR cipher is trivially breakable with known-plaintext attacks, providing no real cryptographic protection. Option C is wrong because relying solely on platform-level encryption (e.g., iOS Data Protection or Android File-Based Encryption) does not guarantee the app's data is encrypted in transit, and the platform may not encrypt app-specific data at rest with sufficient granularity or key management for PHI compliance.

130
Multi-Selecthard

Which THREE of the following are common risks associated with outsourcing software development?

Select 3 answers
A.Quality issues due to lack of oversight
B.Loss of intellectual property
C.Communication barriers
D.Faster time to market
E.Increased internal control
AnswersA, B, C

Common risk.

Why this answer

Option A is correct because outsourcing software development often results in quality issues due to the client's limited visibility into the vendor's development processes, testing rigor, and adherence to coding standards. Without direct oversight, defects may go undetected until later stages, increasing rework costs and project delays.

Exam trap

The trap here is that candidates confuse potential benefits (faster time to market, increased internal control) with risks, failing to distinguish between advantages and the inherent vulnerabilities of outsourcing.

131
MCQhard

In a DevOps environment, which practice BEST supports auditability?

A.Use of configuration management tools
B.Manual approval gates
C.Separate development and production environments
D.Automated logging of all code changes
AnswerD

Automated logging provides a complete and verifiable audit trail.

Why this answer

Automated logging of all code changes (D) best supports auditability in a DevOps environment because it provides an immutable, timestamped record of every change made to the codebase, including who made the change, what was changed, and when. This aligns with the principle of continuous audit, where every deployment artifact is traceable through the CI/CD pipeline, enabling compliance with standards like SOC 2 or ISO 27001. Unlike manual processes, automated logging ensures no change goes unrecorded, which is critical for forensic analysis and regulatory audits.

Exam trap

The trap here is that candidates confuse 'configuration management' (Option A) with 'change management' or 'audit logging,' assuming that tools like Chef or Terraform inherently provide auditability, when in fact they only track infrastructure state, not the full code change lifecycle including commits, approvals, and deployments.

How to eliminate wrong answers

Option A is wrong because configuration management tools (e.g., Ansible, Puppet) focus on maintaining desired state and consistency across environments, but they do not inherently provide a complete, auditable log of all code changes—they track infrastructure changes, not the code commits or pipeline events themselves. Option B is wrong because manual approval gates introduce human delay and potential for bypass, undermining the continuous audit trail; they are a control, not a logging mechanism, and can be overridden or forgotten, breaking auditability. Option C is wrong because separate development and production environments are a security best practice to prevent accidental changes to production, but they do not directly support auditability—auditability requires recording changes across all environments, not just separating them.

132
MCQhard

During the design phase of a waterfall project, the development team discovers that a key security requirement was omitted from the functional specification. The design has already been partially completed based on the flawed specification. What is the MOST appropriate action?

A.Proceed with design and add the requirement as an enhancement in the next release
B.Continue design and incorporate the security requirement during testing
C.Implement the security requirement as a change request through the formal change control process
D.Halt design activities and revisit the requirements phase to add the security requirement
AnswerD

Waterfall requires revisiting the earlier phase to correct the specification.

Why this answer

Option D is correct because in waterfall, each phase should be completed before moving on; a missing requirement requires returning to the earlier phase to correct the specification. Option B is wrong because continuing design and deferring the requirement to testing ignores the gap. Option C is wrong because change requests are for scope changes after a baseline, but the requirement was omitted, not changed. Option A is wrong because deferring a critical security requirement to a later release is unacceptable.

133
MCQhard

During system implementation, a critical defect is found in the production environment. The project manager wants to apply an emergency patch without full testing. Which of the following is the BEST course of action?

A.Apply the patch immediately without testing
B.Delay deployment until full testing can be completed
C.Revert to the previous version of the system
D.Conduct a risk assessment and obtain approval from the change control board
AnswerD

A risk-based approach ensures that the urgency is balanced with proper oversight, allowing a controlled emergency change.

Why this answer

Option D is correct because a risk assessment should be performed to evaluate the potential impact of the patch versus the risk of not applying it, followed by proper change approval. Applying the patch without testing (A) bypasses controls; reverting (C) may not address the defect; delaying (B) may not be feasible for critical defects.

134
MCQhard

During a system development project, the project manager notices that the actual cost is significantly higher than the planned cost at the 50% completion point. The earned value (EV) is $500,000, the actual cost (AC) is $600,000, and the planned value (PV) is $550,000. Which of the following is the MOST appropriate action?

A.Request additional budget from senior management
B.Reduce the project scope to align with the budget
C.Conduct a root cause analysis to identify the reasons for cost overrun
D.Crash the project schedule to make up for lost time
AnswerC

Understanding the cause is the first step before taking corrective action.

Why this answer

Option C is correct because the project is over budget (EV $500K vs AC $600K) and behind schedule (EV $500K vs PV $550K). Before taking corrective action, the project manager must first perform a root cause analysis to understand why costs are exceeding planned values. This aligns with the CISA exam's emphasis on identifying the underlying cause of variances before implementing changes to scope, budget, or schedule.

Exam trap

The trap here is that candidates often jump to a corrective action (like crashing or requesting more budget) without first diagnosing the root cause, but the CISA exam emphasizes that analysis must precede action in project management.

How to eliminate wrong answers

Option A is wrong because requesting additional budget without understanding the root cause of the cost overrun is premature and could mask systemic issues such as poor estimation or scope creep. Option B is wrong because reducing project scope without first analyzing the cause of the variance may eliminate necessary functionality and does not address whether the overrun is due to inefficiency, rework, or external factors. Option D is wrong because crashing the schedule (adding resources to compress time) typically increases costs further and does not solve the existing cost overrun; it may even worsen the budget variance.

135
MCQeasy

Which of the following is the MOST important objective of system testing?

A.Verify that the system meets specified requirements
B.Confirm that end users are satisfied
C.Ensure the code is free of defects
D.Validate system performance under load
AnswerA

System testing checks the overall system against requirements.

Why this answer

System testing is a formal, structured process that validates the entire integrated system against its specified requirements. The primary goal is to confirm that the system behaves as defined in the functional and technical specifications, ensuring that all requirements are correctly implemented before user acceptance testing. While user satisfaction and defect removal are important, they are secondary to verifying requirement compliance, which is the core objective of system testing.

Exam trap

The trap here is confusing the objective of system testing with that of user acceptance testing (UAT) or unit testing, leading candidates to select user satisfaction or defect-free code as the primary goal.

How to eliminate wrong answers

Option B is wrong because end-user satisfaction is validated during User Acceptance Testing (UAT), not system testing; system testing focuses on technical compliance, not subjective user feedback. Option C is wrong because ensuring code is free of defects is the primary objective of unit testing and code reviews, not system testing, which tests integrated functionality against requirements. Option D is wrong because validating system performance under load is a specific type of non-functional testing (performance/load testing), not the overarching objective of system testing, which covers both functional and non-functional requirements.

136
Multi-Selecteasy

Which THREE of the following are essential components of a change management process?

Select 3 answers
A.Immediate implementation without review
B.Impact analysis
C.Rollback plan
D.Bypassing testing for urgent changes
E.Change request approval
AnswersB, C, E

Impact analysis identifies potential effects on systems and processes.

Why this answer

Impact analysis (B) is essential because it evaluates the potential effects of a proposed change on system functionality, security, and performance before implementation. This ensures that risks are identified and mitigated, preventing unintended disruptions to production environments. Without impact analysis, changes could introduce vulnerabilities or cause system outages, violating IT governance principles.

Exam trap

The trap here is that candidates confuse 'urgent change' with 'no testing,' but even emergency changes require a documented risk assessment and a rollback plan, not a complete bypass of testing and review.

137
MCQmedium

An IT auditor is reviewing the system development life cycle (SDLC) process for a critical application. Which of the following findings would be of MOST concern?

A.Test data is refreshed from production monthly
B.Developers use local development environments
C.Developers have production database access
D.Code reviews are performed by senior developers
AnswerC

Violates segregation of duties.

Why this answer

Developers having direct production database access violates the principle of segregation of duties and poses a significant risk of unauthorized data modification, deletion, or exfiltration. In a well-controlled SDLC, production access should be restricted to operations or DBA teams, with changes promoted through automated deployment pipelines. This finding directly undermines data integrity and confidentiality controls.

Exam trap

The trap here is that candidates may dismiss local development environments or monthly test data refreshes as risky, while overlooking the critical segregation of duties violation inherent in granting developers direct production database access.

How to eliminate wrong answers

Option A is wrong because refreshing test data from production monthly is a common practice to ensure test environments reflect realistic data, though it requires proper masking to protect sensitive information. Option B is wrong because developers using local development environments is standard for coding and unit testing, as long as code is version-controlled and integrated into a shared repository. Option D is wrong because code reviews performed by senior developers are a positive control that helps identify defects and security vulnerabilities before deployment.

138
MCQhard

During a nightly batch job, the above error appears in the application logs. The transaction table ACCT_TRANS has a unique constraint on the REF_NUM column. Which of the following is the MOST likely root cause?

A.The batch job lacks sufficient privileges to insert into the ACCT_TRANS table
B.There is a mismatch between the number of columns in the INSERT statement and the table definition
C.The batch job is missing an index on the REF_NUM column
D.The batch job is not idempotent and is re-processing previously successful transactions
AnswerD

Duplicate REF_NUM suggests reprocessing of already inserted records.

Why this answer

The unique constraint violation on REF_NUM indicates that the batch job is attempting to insert a row with a REF_NUM value that already exists in the ACCT_TRANS table. This occurs when the job is not idempotent—meaning it does not check for or handle previously processed transactions—and re-processes the same data, leading to duplicate key errors.

Exam trap

The trap here is that candidates often confuse a unique constraint violation with a permissions or schema mismatch error, but the specific error message (unique constraint on REF_NUM) directly points to duplicate data from non-idempotent processing, not structural or privilege issues.

How to eliminate wrong answers

Option A is wrong because insufficient privileges would typically result in an 'access denied' or 'insufficient privileges' error, not a unique constraint violation. Option B is wrong because a column mismatch would cause a syntax or data type error (e.g., 'column count doesn't match value count'), not a constraint violation on a specific column. Option C is wrong because missing an index does not prevent inserts; indexes improve query performance but do not enforce uniqueness or cause constraint violations—the unique constraint itself is enforced by the database regardless of index existence.

139
MCQeasy

A small manufacturing company decides to acquire an off-the-shelf inventory management system. The purchasing manager selects a vendor based solely on the lowest price, ignoring the vendor's financial stability and support history. After purchase, the vendor declares bankruptcy, leaving the company without support. The system has a critical bug that halts inventory tracking. The IT manager considers hiring a consultant to fix the bug. As an IS auditor, what should the auditor's PRIMARY concern be?

A.There is no backup system for inventory management.
B.The company may have legal recourse against the vendor.
C.The critical bug disrupts inventory tracking.
D.The vendor selection process lacked due diligence.
AnswerD

Root cause is process failure.

Why this answer

The primary concern for an IS auditor is that the vendor selection process lacked due diligence, as this directly violates the principle of proper acquisition governance. By selecting a vendor based solely on lowest price without evaluating financial stability and support history, the company exposed itself to significant operational risk, which materialized when the vendor declared bankruptcy. This oversight is a root cause failure in the information systems acquisition and implementation process, making it the most critical audit finding.

Exam trap

The trap here is that candidates focus on the immediate operational impact (the bug or lack of backup) rather than the root cause governance failure in the acquisition process, which is the auditor's primary concern per CISA's emphasis on preventive controls.

How to eliminate wrong answers

Option A is wrong because while having no backup system is a risk, it is a secondary operational concern; the auditor's primary focus should be on the flawed acquisition process that led to the current situation. Option B is wrong because legal recourse against a bankrupt vendor is typically impractical and unlikely to recover costs or restore support, so it is not a primary audit concern. Option C is wrong because the critical bug disrupting inventory tracking is a symptom of the underlying problem, not the root cause; the auditor must address the systemic failure in vendor selection.

140
Multi-Selecthard

Which THREE of the following are key considerations when selecting a software development methodology for a project?

Select 3 answers
A.Availability of project management software
B.Regulatory compliance requirements
C.Project size and complexity
D.Level of stakeholder involvement
E.Programming language preferences
AnswersB, C, D

Regulatory requirements may dictate a waterfall approach.

Why this answer

Regulatory compliance requirements (Option B) are a key consideration because the chosen methodology must support necessary audit trails, documentation, and control frameworks (e.g., SOX, HIPAA, PCI DSS). A methodology like Waterfall provides rigid phase-gate documentation, while Agile may require adaptation (e.g., SAFe) to satisfy compliance evidence demands. Failure to align methodology with regulatory needs can lead to non-compliance findings during a CISA audit.

Exam trap

The trap here is that candidates confuse operational preferences (like tooling or language) with structural project characteristics (size, complexity, stakeholder involvement, and compliance) that truly constrain methodology choice.

141
MCQhard

During a systems audit, the auditor finds that the project did not follow the organization's systems development methodology. What should the auditor do FIRST?

A.Accept if the project is on schedule
B.Recommend that the project be stopped
C.Report the deviation and assess the impact on controls
D.Interview the project team to understand why
AnswerC

The auditor must report and evaluate the risk.

Why this answer

The auditor's first responsibility upon discovering a deviation from the organization's systems development methodology is to report the finding and assess the impact on internal controls. This aligns with ISACA's audit standards, which require auditors to evaluate whether the deviation introduces risks to data integrity, security, or project governance. Without this assessment, the auditor cannot determine the severity of the non-compliance or recommend appropriate corrective actions.

Exam trap

The trap here is that candidates confuse the auditor's investigative curiosity (interviewing the team) with the required procedural first step (reporting and assessing control impact), leading them to select Option D instead of the correct audit response.

How to eliminate wrong answers

Option A is wrong because accepting a deviation solely because the project is on schedule ignores the potential for compromised controls, security vulnerabilities, or regulatory non-compliance that could arise from skipping methodology steps. Option B is wrong because recommending the project be stopped is a premature, high-impact action that should only be considered after assessing the control impact and discussing with management; the auditor's role is to evaluate, not unilaterally halt operations. Option D is wrong because while interviewing the project team may provide context, it is not the first step—the auditor must first formally document the deviation and evaluate its effect on controls to maintain audit trail integrity and objectivity.

142
MCQeasy

An organization is selecting a vendor for a new enterprise resource planning (ERP) system. Which of the following is the MOST critical factor in the vendor selection process?

A.Negotiate service level agreements (SLAs) in the contract.
B.Check vendor references for similar projects.
C.Clearly define business requirements before issuing the request for proposal (RFP).
D.Evaluate vendor financial stability.
AnswerC

Defining requirements ensures the RFP elicits relevant vendor responses.

Why this answer

Clearly defining business requirements before issuing the RFP is the most critical factor because it ensures that the ERP system will align with the organization's operational needs, processes, and data flows. Without a precise requirements definition, the RFP will lack the necessary evaluation criteria, leading to mismatched vendor proposals, scope creep, and potential project failure. This step directly impacts the success of the acquisition, as it forms the foundation for all subsequent vendor evaluation and contract negotiations.

Exam trap

The trap here is that candidates often prioritize contractual or due diligence activities (like SLAs or financial checks) over the foundational step of requirements definition, mistakenly believing that vendor evaluation can proceed without a clear, documented baseline of what the system must accomplish.

How to eliminate wrong answers

Option A is wrong because negotiating SLAs is a contractual activity that occurs after vendor selection; while important for performance monitoring, it is not the most critical factor in the selection process itself. Option B is wrong because checking vendor references, though useful for validating past performance, is a secondary validation step that cannot compensate for a poorly defined requirements baseline. Option D is wrong because evaluating vendor financial stability, while relevant for long-term viability, is a risk assessment factor that should be considered after ensuring the vendor can meet the defined business needs; it does not address the core alignment of the ERP system with organizational requirements.

143
MCQhard

A financial services company is developing a new customer-facing web application for account management. The project is using a waterfall methodology. The initial requirements were gathered six months ago, and the coding phase is nearly complete. The business sponsor now requests a new feature that allows customers to view transaction receipts online. The project manager is concerned that this change will delay the project by two months and exceed the budget. The sponsor insists that the feature is critical for customer satisfaction and that the project must adapt. The development team estimates it will take 200 hours to implement. The steering committee is divided. As an IS auditor, what would be the BEST recommendation to resolve this?

A.Formally submit a change request, assess the impact on cost and schedule, and obtain approval from the change control board before proceeding.
B.Terminate the current project and launch a new project incorporating the new feature.
C.Advise the sponsor to postpone the feature until the next release and continue as planned.
D.Instruct the development team to implement the feature immediately to satisfy the sponsor.
AnswerA

Change control manages scope creep.

Why this answer

In a waterfall methodology, changes after the coding phase require a formal change control process to assess impact on cost, schedule, and scope. The correct answer is A because submitting a change request to the change control board (CCB) ensures that the 200-hour effort, two-month delay, and budget overrun are evaluated against business priorities, maintaining project governance and auditability. This aligns with ISACA’s guidance on managing scope creep in systems development.

Exam trap

The trap here is that candidates may choose Option C (postpone) thinking it avoids delay, but the question explicitly states the sponsor insists the feature is critical, so ignoring it fails to address the business need and can lead to project failure despite staying on schedule.

How to eliminate wrong answers

Option B is wrong because terminating the current project and launching a new one is an extreme, inefficient response that wastes completed coding work and introduces unnecessary risk, failing to leverage the existing investment. Option C is wrong because it unilaterally overrides the sponsor’s business-critical requirement without formal evaluation, which can lead to stakeholder dissatisfaction and missed market needs, violating the principle of balanced governance. Option D is wrong because instructing the team to implement immediately bypasses change control, budget approval, and impact analysis, creating uncontrolled scope creep and potential audit findings for unauthorized changes.

144
MCQhard

An organization is implementing a COTS application. The project team plans to heavily customize the application to meet unique business processes. Which of the following is the most significant risk?

A.Vendor lock-in
B.Incompatibility with future releases
C.Difficulties in applying future vendor upgrades
D.High implementation cost
AnswerC

Customizations break compatibility with standard upgrades, jeopardizing future support.

Why this answer

Option C is correct because heavy customization makes it difficult to apply vendor upgrades, potentially leaving the organization on unsupported software. Option A is incorrect because, while vendor lock-in is a risk, upgrade difficulties are the more direct consequence. Option B is incorrect because incompatibility with future releases is a symptom of the upgrade difficulties.

Option D is incorrect because high cost is a secondary concern.

145
MCQhard

A company plans to implement a commercial off-the-shelf (COTS) application and requires significant customization to match its unique business processes. The vendor advises against extensive customization because it may complicate future upgrades. What is the BEST course of action?

A.Use the vendor's customization module to minimize upgrade risks
B.Customize but maintain detailed documentation for upgrade impact analysis
C.Proceed with extensive customization to meet business needs
D.Avoid customization and re-engineer business processes to match the COTS application
AnswerD

Minimizing customization is best practice to ensure smooth upgrades.

Why this answer

The best course of action is to avoid customization and re-engineer business processes to match the COTS application. This approach preserves the integrity of the vendor's standard codebase, ensuring that future upgrades and patches can be applied with minimal friction. Extensive customization creates a fork from the vendor's baseline, leading to costly regression testing, potential security gaps, and upgrade incompatibilities that undermine the long-term value of the COTS investment.

Exam trap

The trap here is that candidates often choose 'customize but document' (Option B) because it sounds like a balanced, pragmatic approach, but the CISA exam emphasizes that any customization that deviates from the vendor's standard configuration introduces unacceptable upgrade and maintenance risks, making process re-engineering the only truly sustainable choice.

How to eliminate wrong answers

Option A is wrong because using a vendor's customization module does not eliminate upgrade risks; it only provides a structured way to apply customizations, but those customizations still create dependencies on specific API versions or hooks that can break during major version upgrades. Option B is wrong because maintaining detailed documentation for upgrade impact analysis is a mitigation tactic, not a solution—it does not prevent the underlying technical debt, code conflicts, or the need for extensive rework when the vendor releases a new version. Option C is wrong because proceeding with extensive customization directly contradicts the vendor's guidance and industry best practices, leading to a 'customized fork' that makes future upgrades prohibitively expensive or impossible without re-implementing all custom logic.

146
Multi-Selectmedium

Which TWO of the following are key benefits of using a system development life cycle (SDLC) methodology? (Select exactly two.)

Select 2 answers
A.It provides a structured approach to system development
B.It ensures user requirements are captured and validated
C.It prevents any scope changes during development
D.It eliminates the need for security testing
E.It reduces the overall cost of development
AnswersA, B

SDLC defines phases and deliverables.

Why this answer

Options A and B are correct. A: SDLC provides structure and defined phases. B: SDLC includes user involvement so that requirements are captured and validated.

E is wrong because SDLC does not guarantee reduced cost; it may increase upfront cost. D is wrong because SDLC is not primarily for security testing and does not remove the need for it. C is wrong because SDLC does not prevent scope changes; it helps manage them.
