Saturday, June 13, 2026

MCQ question CISA certification Domain 1 to 4



# **🔷 Governance and Management of IT (25 MCQs)**

### **1. Which of the following BEST demonstrates effective IT governance?**


A. IT budget approval by CIO


B. Alignment of IT strategy with business goals


C. Detailed IT procedures


D. Strong incident management process


**Answer:**


### **2. The PRIMARY objective of an IT governance framework is to:**


A. Reduce IT risk


B. Ensure regulatory compliance


C. Enable value delivery through IT


D. Improve project management


**Answer:**


### **3. Who is primarily responsible for ensuring IT supports business objectives?**


A. CIO


B. IT Steering Committee


C. Internal Audit


D. System Owner


**Answer:**



### **4. A key responsibility of the CIO is:**


A. Approving audit reports


B. Aligning IT strategy with corporate strategy


C. Managing business operations


D. Monitoring financial statements


**Answer:**


### **5. Which of the following BEST describes "Value Delivery"?**

A. Measuring IT ROI


B. Ensuring IT investments provide expected benefits


C. Ensuring compliance with IT policies


D. Optimizing hardware usage


**Answer:**


### **6. COBIT 4.1's "Plan and Organize" (PO) domain (renamed Align, Plan and Organize, APO, in COBIT 5 and COBIT 2019) focuses on:**

A. Project management


B. Continuous improvement


C. Strategic alignment of IT


D. Incident response


**Answer:**


### **7. The MOST important factor for successful IT governance implementation is:**


A. Detailed IT documentation


B. Strong executive support


C. Updated IT policies


D. Skilled IT staff


**Answer:**


### **8. Which risk response strategy involves transferring risk to another entity?**

A. Mitigation


B. Avoidance


C. Acceptance


D. Outsourcing


**Answer:**


### **9. The PRIMARY role of an IT policy is to:**

A. Provide detailed steps for IT operations


B. Define high-level IT principles


C. Describe system configurations


D. Outline audit procedures


**Answer:**


### **10. An IT balanced scorecard is MOST useful for:**


A. Tracking patch management


B. Monitoring operational logs


C. Linking IT performance to business goals


D. Scheduling IT resources


**Answer:**


### **11. Which practice BEST supports IT-business alignment?**


A. Quarterly IT risk assessments


B. Joint development of IT strategy with business leaders


C. Detailed SLAs


D. Increased IT security controls


**Answer:**


### **12. Which of the following is MOST important in IT portfolio management?**


A. Availability of project resources


B. Categorization of IT investments


C. Approval from CIO


D. Status reporting


**Answer:**


### **13. An IT metric that measures uptime of critical systems relates to:**


A. Efficiency


B. Effectiveness


C. Confidentiality


D. Integrity


**Answer:**


### **14. Who owns data in an organization?**


A. CIO


B. Data Owner


C. DBA


D. Security Manager


**Answer:**


### **15. Who is responsible for enforcing data access controls?**

A. Data Owner


B. Data Custodian


C. IT Auditor


D. Senior Management


**Answer:**


### **16. A maturity model helps management:**


A. Reduce costs


B. Benchmark IT processes


C. Monitor daily operations


D. Train IT staff


**Answer:**


### **17. The PRIMARY purpose of enterprise architecture (EA) is to:**

A. Reduce system downtime


B. Provide a blueprint for business-IT alignment


C. Support hardware upgrades


D. Monitor security threats


**Answer:**


### **18. Separation of duties (SoD) in IT is designed to reduce:**


A. Service downtime


B. Unauthorized access


C. Fraud risks


D. Audit workload


**Answer:**

### **19. Which is the MOST important element of IT strategy?**


A. Detailed procedures


B. Alignment with corporate objectives


C. Vendor contracts


D. IT asset management


**Answer:**


### **20. The MOST critical success factor for a change management program is:**


A. Updated documentation


B. Stakeholder involvement


C. Automated tools


D. Training IT staff


**Answer:**


### **21. Which document defines roles and responsibilities for IT controls?**


A. RACI matrix


B. Risk register


C. SLA


D. Policy


**Answer:**

### **22. The PRIMARY objective of IT resource management is to:**


A. Reduce incidents


B. Optimize use of people, processes, and technology


C. Improve vendor contracts


D. Reduce audit findings


**Answer:**

### **23. What is the PRIMARY purpose of the IS Steering Committee?**


A. Approve audit reports


B. Oversee major IT projects and priorities


C. Approve IT hiring


D. Monitor help desk performance


**Answer:**


### **24. When an organization outsources IT operations, who retains accountability?**


A. Vendor


B. CIO


C. Internal Auditor


D. Project Manager


**Answer:**


### **25. KPI stands for:**

A. Key Planning Indicator


B. Key Performance Indicator


C. Key Process Improvement


D. Key Priority Item


**Answer:**


# **🔷 Information Systems Auditing Process (25 MCQs)**

In the current ISACA CISA job practice this is Domain 1; Governance and Management of IT, covered by questions 1 to 25 above, is Domain 2.


### **26. The PRIMARY objective of an IS audit is to:**

A. Detect fraud


B. Evaluate adequacy of controls


C. Improve IT efficiency


D. Reduce costs


**Answer:**


### **27. The FIRST step in the IS audit process is:**


A. Testing controls


B. Preparing audit report


C. Audit planning


D. Risk assessment


**Answer:**


### **28. The MOST important factor in audit planning is:**


A. Auditor experience


B. Availability of staff


C. Risk assessment results


D. Past audit results


**Answer:**


### **29. Which of the following should be included in the audit charter?**


A. Audit budget


B. Audit methodology


C. Authority and responsibility of internal audit


D. Detailed audit procedures


**Answer:**


### **30. Independence of the IS auditor is MOST threatened when:**


A. Auditor evaluates unfamiliar systems


B. Auditor reports to IT manager


C. Auditor requests documentation


D. Auditor interviews staff


**Answer:**

### **31. During an audit, evidence must be:**


A. Complete, accurate, reliable


B. Technical in nature


C. Verified by management


D. Financial


**Answer:**


### **32. The MOST reliable form of audit evidence is:**


A. Inquiry


B. Analytical procedures


C. Observation


D. Reperformance


**Answer:**


### **33. Which sampling method gives every item an equal chance of selection?**

A. Haphazard


B. Attribute


C. Random


D. Stratified


**Answer:**


### **34. A control deficiency should be reported when it:**

A. Results in financial loss


B. Increases risk above acceptable level


C. Is minor


D. Is expected by management


**Answer:**


### **35. The PRIMARY purpose of walkthroughs is to:**


A. Evaluate training


B. Understand process flow and identify key controls


C. Detect fraud


D. Reduce sampling size


**Answer:**


### **36. Which tool helps identify bottlenecks in a process?**


A. Gantt chart


B. Flowchart


C. Checklist


D. RACI


**Answer:**

### **37. Materiality in IS audit refers to:**


A. Technical details


B. Significance of errors or control weaknesses


C. Auditor skills


D. Time spent


**Answer:**


### **38. An IS auditor discovers conflicts of interest. The BEST action is to:**


A. Ignore


B. Report to audit management


C. Escalate to board directly


D. Discuss with IT staff


**Answer:**


### **39. The MOST appropriate technique to test access control is:**


A. Observation


B. Password cracking


C. Review of access logs


D. Reperformance


**Answer:**

### **40. A major risk in auditing a new system implementation is:**


A. Low user training


B. Lack of change control


C. Old documentation


D. Lack of antivirus software


**Answer:**


### **41. The PRIMARY objective of audit documentation is to:**


A. Support audit conclusions


B. Reduce audit time


C. Train new auditors


D. Provide system details


**Answer:**


### **42. The MOST appropriate control for data integrity testing is:**


A. Reconciliation


B. Encryption


C. Segregation of duties


D. Penetration testing


**Answer:**

### **43. Dual control requires:**


A. Two people authorize the same transaction


B. Two passwords


C. Two systems verifying input


D. Two-factor authentication


**Answer:**


### **44. When an auditor identifies fraud indicators, the FIRST step is to:**


A. Report to police


B. Collect additional evidence


C. Notify audit committee


D. Close the audit


**Answer:**


### **45. Which is a detective control?**


A. Encryption


B. Audit trails


C. Access restrictions


D. Firewalls


**Answer:**


### **46. A limitation of CAATs is:**


A. Faster testing


B. Large data access


C. Lack of technical skills by auditors


D. Reduced cost


**Answer:**


### **47. The MOST important reason to review system logs:**


A. Lower operating costs


B. Detect unauthorized activities


C. Train users


D. Update documentation


**Answer:**


### **48. A risk-based audit approach helps auditors:**


A. Reduce audit staff


B. Focus on high-risk areas


C. Increase scope


D. Complete faster


**Answer:**


### **49. An IS auditor reviewing cloud environments should FIRST examine:**


A. SLA agreements


B. Network diagrams


C. Vendor financials


D. User complaints


**Answer:**


### **50. Which is the BEST technique to verify completeness of transaction processing?**




A. Hash totals


B. Differential analysis


C. Data encryption


D. Exception testing


**Answer:**
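Questions 42 and 50 turn on reconciliation and batch control totals. The script below is an added example, not part of the original quiz, showing how the three classic control totals (record count, financial total and hash total) behave when records are dropped, duplicated or posted to the wrong account, and what the follow-up drill-down looks like once a total disagrees. The transaction batches, account numbers and amounts are constructed for the illustration.

```python
"""Batch control totals as a completeness check on transaction processing.

Added example, not part of the original quiz. An input batch of payment
records is compared with what the processing system actually posted using
three classic control totals:
  - record count:     number of records (catches a dropped or a duplicated
                      record, but not one drop plus one duplicate together)
  - financial total:  sum of the amount field
  - hash total:       sum of a non-financial numeric field (here the account
                      number); it has no business meaning and exists only to
                      detect records being swapped or re-pointed
The batches, account numbers and amounts below are constructed.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: int       # hashed (non-financial) field
    amount: Decimal    # financial field


def control_totals(batch):
    """The three totals an operator would print on the batch header."""
    return {
        "record_count": len(batch),
        "financial_total": sum((t.amount for t in batch), Decimal("0")),
        "hash_total": sum(t.account for t in batch),
    }


def reconcile(input_batch, posted_batch):
    """Compare input and output totals; returns (name, expected, actual)
    for every total that disagrees, or [] when the batch reconciles."""
    expected = control_totals(input_batch)
    actual = control_totals(posted_batch)
    return [(name, expected[name], actual[name])
            for name in ("record_count", "financial_total", "hash_total")
            if expected[name] != actual[name]]


def explain_differences(input_batch, posted_batch):
    """Follow-up once totals disagree: which transaction IDs are missing,
    duplicated or altered. Totals say *that* something is wrong; this is
    the drill-down that says *what*."""
    by_id = {t.txn_id: t for t in input_batch}
    posted_ids = [t.txn_id for t in posted_batch]
    return {
        "missing": sorted(set(by_id) - set(posted_ids)),
        "duplicated": sorted({i for i in posted_ids if posted_ids.count(i) > 1}),
        "altered": sorted(t.txn_id for t in posted_batch
                          if t.txn_id in by_id and by_id[t.txn_id] != t),
    }


# Constructed input batch.
INPUT_BATCH = [
    Txn("T001", 1001, Decimal("250.00")),
    Txn("T002", 1002, Decimal("99.50")),
    Txn("T003", 1003, Decimal("1200.00")),
    Txn("T004", 1004, Decimal("75.25")),
]

# Posted batch 1: T003 dropped and T002 posted twice. The record count still
# matches, so only the financial and hash totals reveal the problem.
POSTED_BATCH = [
    Txn("T001", 1001, Decimal("250.00")),
    Txn("T002", 1002, Decimal("99.50")),
    Txn("T002", 1002, Decimal("99.50")),
    Txn("T004", 1004, Decimal("75.25")),
]

# Posted batch 2: every amount posted, but T003 went to account 1005. Record
# count and financial total both match; only the hash total catches it.
POSTED_SWAPPED = [
    Txn("T001", 1001, Decimal("250.00")),
    Txn("T002", 1002, Decimal("99.50")),
    Txn("T003", 1005, Decimal("1200.00")),
    Txn("T004", 1004, Decimal("75.25")),
]

if __name__ == "__main__":
    for label, posted in (("drop+duplicate", POSTED_BATCH),
                          ("account swap", POSTED_SWAPPED)):
        print(label)
        for name, exp, act in reconcile(INPUT_BATCH, posted):
            print("  %s: expected %s, got %s" % (name, exp, act))
        print("  ", explain_differences(INPUT_BATCH, posted))
```

The two posted batches are chosen so that each total catches something the others miss: a record count alone passes both, and a financial total alone passes the account swap. That is why batch controls are run as a set, and why an exception on any one of them is followed by the record-level drill-down rather than a re-run.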



Below are 50 CISA-style MCQs (Domains 1 & 2: Information Systems Auditing Process and Governance & Management of IT). Since 100 questions with explanations would be extremely long, 


CISA Domain 1 & 2 MCQs

1.

The PRIMARY purpose of an IS audit charter is to:

A. Define audit procedures

B. Establish audit authority and responsibility

C. Identify audit findings

D. Approve audit reports


Answer: 


2.

An IS auditor should FIRST review:

A. Previous audit reports

B. Audit charter

C. Organizational chart

D. Risk register


Answer: 


3.

Which audit evidence is MOST reliable?

A. Oral confirmation from management

B. Internal reports

C. Auditor's direct observation

D. User statements


Answer: 


4.

The MOST important factor when planning an audit is:

A. Available budget

B. Auditor experience

C. Risk assessment results

D. Number of employees


Answer: 


5.

Sampling risk refers to:

A. Auditor incompetence

B. Wrong conclusion based on sample testing

C. Lack of evidence

D. Fraud risk


Answer: 


6.

An auditor discovers a material weakness. The FIRST action should be:

A. Report immediately to regulators

B. Gather sufficient evidence

C. Inform employees

D. Stop audit work


Answer: 


7.

Which is a preventive control?

A. Exception report

B. Reconciliation

C. Segregation of duties

D. Audit trail review


Answer: 


8.

Independence of IS auditors is BEST achieved by reporting to:

A. CIO

B. IT Manager

C. Audit Committee

D. Security Manager


Answer: 


9.

The PRIMARY objective of audit evidence is to:

A. Support audit conclusions

B. Increase audit costs

C. Satisfy management

D. Reduce testing


Answer: 


10.

An auditor using CAATs can MOST effectively:

A. Eliminate audit risk

B. Analyze large volumes of data

C. Replace audit judgment

D. Prevent fraud


Answer: 


11.

Risk-based auditing focuses primarily on:

A. High-cost areas

B. High-risk areas

C. Large departments

D. Recent projects


Answer: 


12.

Which control is detective?

A. Password policy

B. Fire suppression system

C. Log review

D. Segregation of duties


Answer: 


13.

The BEST source of evidence regarding system configuration is:

A. Interviews

B. Observation

C. System-generated reports

D. User questionnaires


Answer: 


14.

Audit scope should be determined during:

A. Reporting

B. Planning

C. Follow-up

D. Fieldwork completion


Answer: 


15.

Which is MOST likely to impair auditor independence?

A. Prior audit experience

B. Reporting to audit committee

C. Designing controls being audited

D. Continuous training


Answer: 


16.

The MAIN purpose of audit documentation is:

A. Reduce findings

B. Support audit conclusions

C. Eliminate risks

D. Increase efficiency


Answer: 


17.

An auditor identifies excessive privileged accounts. This indicates weakness in:

A. Change management

B. Access management

C. Capacity planning

D. Backup procedures


Answer: 
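Questions 7, 10, 12 and 17 above are about segregation of duties as a preventive control, CAATs as a way to analyse large volumes of data, review as a detective control, and excessive privileged accounts as an access-management weakness. The script below is an added example, not part of the original quiz, of the kind of CAAT an IS auditor runs over a user-access extract to produce an exception list for all four. The extract, the role names, the SoD rule pairs and the 90-day and 365-day thresholds are constructed for the illustration; on a real engagement they come from the IAM export, the organisation's approved SoD matrix and its access-review policy.

```python
"""CAAT-style review of a user-access extract.

Added example, not part of the original quiz. Reads an access-rights export
and produces two exception lists an IS auditor would follow up:
  1. segregation-of-duties violations: users whose combined roles contain a
     pair the SoD matrix forbids;
  2. privileged-account exceptions: privileged grants on shared accounts,
     with no recorded review, with a review older than the policy interval,
     or dormant (no login within the policy interval).
The extract, role names, thresholds and SoD pairs are all constructed; a
real engagement takes them from the IAM export and the approved SoD matrix.
"""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed extract: one row per (user, role) grant. An empty last_review
# means no review has ever been recorded for that grant.
ACCESS_EXTRACT = """user,role,account_type,last_login,last_review
alice,create_vendor,personal,2024-05-30,2024-04-01
alice,approve_payment,personal,2024-05-30,2024-04-01
bob,approve_payment,personal,2024-05-28,2024-04-01
carol,sysadmin,personal,2024-05-29,2023-01-15
dave,sysadmin,personal,2023-11-02,2024-04-01
svc_backup,sysadmin,shared,2024-05-30,
erin,create_vendor,personal,2024-05-30,2024-04-01
"""

# Constructed SoD matrix: role pairs one person must not hold together.
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"develop_code", "deploy_production"}),
}
PRIVILEGED_ROLES = {"sysadmin", "dba"}


def load_extract(text):
    return list(csv.DictReader(io.StringIO(text)))


def sod_violations(rows):
    """(user, conflicting role pair) for every user whose roles contain a
    forbidden pair. The check is on the union of a user's grants, which is
    exactly what a row-by-row review of the extract would miss."""
    roles_by_user = defaultdict(set)
    for r in rows:
        roles_by_user[r["user"]].add(r["role"])
    hits = []
    for user, roles in sorted(roles_by_user.items()):
        for pair in SOD_CONFLICTS:
            if pair <= roles:
                hits.append((user, tuple(sorted(pair))))
    return hits


def privileged_exceptions(rows, as_of, dormant_days=90, review_days=365):
    """(user, role, reasons) for each privileged grant needing follow-up.
    as_of is the review date as an ISO string, e.g. '2024-06-01'."""
    today = date.fromisoformat(as_of)
    exceptions = []
    for r in rows:
        if r["role"] not in PRIVILEGED_ROLES:
            continue
        reasons = []
        if r["account_type"] == "shared":
            reasons.append("shared account")
        if not r["last_review"]:
            reasons.append("no review recorded")
        elif (today - date.fromisoformat(r["last_review"])).days > review_days:
            reasons.append("review older than %d days" % review_days)
        if (today - date.fromisoformat(r["last_login"])).days > dormant_days:
            reasons.append("dormant")
        if reasons:
            exceptions.append((r["user"], r["role"], reasons))
    return exceptions


if __name__ == "__main__":
    rows = load_extract(ACCESS_EXTRACT)
    for user, pair in sod_violations(rows):
        print("SoD conflict: %s holds %s and %s" % (user, *pair))
    for user, role, reasons in privileged_exceptions(rows, "2024-06-01"):
        print("privileged exception: %s/%s: %s" % (user, role, ", ".join(reasons)))
```

The output is an exception list, not a conclusion: each hit still needs the auditor to obtain evidence (a documented compensating control for the SoD pair, the missing review record, a business owner for the shared account) before it becomes a finding, which is the point of questions 9 and 16 on evidence supporting conclusions.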


18.

The MOST effective way to verify disaster recovery readiness is:

A. Interview management

B. Review policy

C. Conduct recovery testing

D. Review budgets


Answer: 


19.

A control objective describes:

A. How controls operate

B. Desired result of controls

C. Audit procedures

D. Audit evidence


Answer: 


20.

Which type of evidence provides the HIGHEST assurance?

A. Inquiry

B. Observation

C. Recalculation

D. Written representation


Answer: 


Domain 2 – Governance and Management of IT

21.

The PRIMARY responsibility for IT governance belongs to:

A. Internal audit

B. IT department

C. Board of directors

D. Security team


Answer: 


22.

The main objective of IT governance is:

A. Increase technology spending

B. Align IT with business objectives

C. Reduce employee count

D. Eliminate all risks


Answer: 


23.

Which framework is MOST associated with IT governance?

A. COBIT

B. ITIL

C. Agile

D. Six Sigma


Answer: 


24.

A steering committee primarily ensures:

A. Network availability

B. Strategic alignment of IT initiatives

C. Software coding quality

D. Security monitoring


Answer: 


25.

The BEST indicator of effective IT governance is:

A. Large IT budget

B. Business objectives achieved through IT

C. More employees

D. Increased audit findings


Answer: 


26.

Who is ultimately accountable for enterprise risk management?

A. IT Manager

B. Security Officer

C. Board and senior management

D. Auditors


Answer: 


27.

The purpose of an IT strategy is to:

A. Replace business strategy

B. Support business goals

C. Increase IT staff

D. Reduce governance activities


Answer: 


28.

A balanced scorecard is used to:

A. Conduct penetration testing

B. Measure organizational performance

C. Create backups

D. Manage passwords


Answer: 


29.

Which COBIT domain focuses on governance?

A. APO

B. BAI

C. DSS

D. EDM


Answer: 


30.

The MOST important characteristic of IT governance metrics is:

A. Complexity

B. Relevance to objectives

C. Length

D. Costliness


Answer: 


31.

Enterprise architecture primarily helps:

A. Align business and IT processes

B. Detect fraud

C. Conduct audits

D. Reduce backups


Answer: 


32.

An IT steering committee should include:

A. Only IT staff

B. Only auditors

C. Business and IT representatives

D. Vendors only


Answer: 


33.

The PRIMARY objective of portfolio management is:

A. Maximize project quantity

B. Optimize investment value and risk

C. Reduce documentation

D. Increase staffing


Answer: 


34.

The MOST effective governance structure provides:

A. Clear accountability

B. More technology

C. Larger budgets

D. More reports


Answer: 


35.

Which role should approve risk appetite?

A. Help Desk Manager

B. Project Manager

C. Board of Directors

D. Developer


Answer: 


36.

The BEST measure of project success is:

A. Budget spent

B. Business benefits realized

C. Staff assigned

D. Number of reports


Answer: 


37.

Which is MOST important for vendor governance?

A. Vendor size

B. Contract monitoring

C. Vendor location

D. Number of employees


Answer: 


38.

The purpose of IT policies is to:

A. Provide strategic direction and control requirements

B. Replace procedures

C. Eliminate risks

D. Reduce accountability


Answer:


39.

Which governance practice BEST supports accountability?

A. Informal communication

B. Defined roles and responsibilities

C. Verbal agreements

D. Ad hoc reviews


Answer: 


40.

A key objective of benefits realization is:

A. Increase project costs

B. Ensure expected value is achieved

C. Increase staffing

D. Reduce governance


Answer: 


41.

The MOST important output of risk assessment is:

A. Risk ranking

B. Audit budget

C. Headcount report

D. Project schedule


Answer: 


42.

An organization with mature governance will MOST likely have:

A. Undefined responsibilities

B. Ad hoc processes

C. Formalized decision-making structures

D. Minimal reporting


Answer: 


43.

The PRIMARY reason for establishing KPIs is to:

A. Measure performance achievement

B. Increase spending

C. Replace audits

D. Reduce controls


Answer: 


44.

Which is MOST critical when outsourcing IT services?

A. Vendor advertising

B. Service level agreements (SLAs)

C. Vendor office size

D. Vendor profits


Answer: 


45.

IT governance maturity is BEST assessed through:

A. Staff interviews only

B. Governance framework assessment

C. Financial statement review only

D. Source code review


Answer: 


46.

The PRIMARY objective of enterprise risk management is:

A. Eliminate risks

B. Manage risks within risk appetite

C. Avoid all technology projects

D. Reduce controls


Answer: 


47.

Which governance activity ensures management follows board direction?

A. Monitoring and reporting

B. Programming

C. System testing

D. Coding standards


Answer: 


48.

A business case should be approved BEFORE:

A. Benefits review

B. Project initiation

C. Project closure

D. Audit reporting


Answer: 


49.

The MOST effective method to ensure IT supports business goals is:

A. Strong governance processes

B. More technology spending

C. Frequent audits only

D. Larger IT staff


Answer: 


50.

Which stakeholder is MOST interested in strategic alignment of IT?

A. Data entry operator

B. Board of Directors

C. Help desk analyst

D. Network technician


Answer: 


These questions follow the ISACA CISA exam style and focus on the first two domains:


1. Information Systems Auditing Process
2. Governance and Management of IT


For the CISA certification exam, the topics below are among the most frequently tested and carry the most weight; each is illustrated with one sample question.


1. Information Systems Auditing Process

Sample Question

An IS auditor discovers that audit evidence collected from interviews is inconsistent with system-generated reports. What should the auditor do FIRST?


A. Accept the system reports as accurate

B. Report the discrepancy immediately

C. Obtain additional evidence to resolve the inconsistency

D. Rely on management representations


Answer: 


Explanation: Auditors must gather sufficient and appropriate evidence before reaching conclusions. Contradictory evidence requires further investigation.


2. IT Governance and Management

Sample Question

Who has the PRIMARY responsibility for ensuring that IT supports business objectives?


A. CIO

B. Internal Audit

C. Board of Directors and Senior Management

D. IT Steering Committee


Answer: 


Explanation: The board and senior management are ultimately accountable for IT governance and strategic alignment.


3. Risk Management

Sample Question

Which of the following should be performed FIRST in a risk assessment process?


A. Select controls

B. Identify assets and risks

C. Conduct penetration testing

D. Develop recovery plans


Answer: 


Explanation: Risks must be identified before they can be analyzed and treated.


4. Internal Controls

Sample Question

Which of the following is a preventive control?


A. Audit log review

B. Exception report

C. Segregation of duties

D. Reconciliation


Answer: 


Explanation: Segregation of duties prevents unauthorized actions before they occur.


5. Business Continuity & Disaster Recovery

Sample Question

What provides the GREATEST assurance that a disaster recovery plan will work?


A. Management approval

B. Documentation review

C. Successful testing of the plan

D. Annual updates


Answer: 


Explanation: Only testing demonstrates that recovery procedures can actually be executed successfully.


6. Access Controls

Sample Question

An employee transferred to another department but retained access to previous applications. This is a failure in:


A. Change management

B. Incident management

C. User access administration

D. Capacity management


Answer: 


Explanation: User access rights should be reviewed and updated whenever job responsibilities change.


7. Change Management

Sample Question

What is the MOST important control over emergency program changes?


A. Developer approval

B. User approval

C. Post-implementation review and authorization

D. Source code documentation


Answer: 


Explanation: Emergency changes may bypass normal controls but must undergo subsequent review and approval.


8. System Development Life Cycle (SDLC)

Sample Question

User involvement is MOST critical during which SDLC phase?


A. Programming

B. Requirements definition

C. Testing only

D. Maintenance


Answer: 


Explanation: Incorrect requirements can cause project failure regardless of technical quality.


9. Outsourcing and Vendor Management

Sample Question

The MOST important element of an outsourcing agreement is:


A. Vendor size

B. Service Level Agreement (SLA)

C. Vendor profitability

D. Vendor location


Answer: 


Explanation: SLAs define measurable performance expectations and responsibilities.


10. COBIT

Sample Question

Which COBIT domain is responsible for governance activities?


A. APO

B. BAI

C. DSS

D. EDM


Answer: 


Explanation: Evaluate, Direct and Monitor (EDM) is the governance domain in COBIT.


11. Cybersecurity

Sample Question

Which security principle ensures information is not altered without authorization?


A. Confidentiality

B. Integrity

C. Availability

D. Nonrepudiation


Answer: 


Explanation: Integrity protects data from unauthorized modification.


12. Incident Management

Sample Question

After a security breach is detected, the FIRST action should be to:


A. Notify the media

B. Preserve evidence and follow incident response procedures

C. Shut down all systems

D. Terminate employees


Answer: 


Explanation: Evidence preservation is critical for investigation and legal purposes.


Top CISA Exam Topics by Importance

| Priority | Topic | Exam Importance |
|---|---|---|
| 1 | Risk-Based Auditing | ★★★★★ |
| 2 | Internal Controls | ★★★★★ |
| 3 | IT Governance | ★★★★★ |
| 4 | Access Management | ★★★★★ |
| 5 | Change Management | ★★★★★ |
| 6 | Business Continuity & DRP | ★★★★☆ |
| 7 | SDLC & Project Management | ★★★★☆ |
| 8 | COBIT Framework | ★★★★☆ |
| 9 | Vendor Management | ★★★★☆ |
| 10 | Cybersecurity & Incident Response | ★★★★☆ |


CISA Exam Tip

For many CISA questions:

- Board = Governance
- Management = Implementation
- Auditor = Independent Assessment
- Risk Assessment comes before Controls
- Preventive Controls are preferred over Detective Controls
- Business Objectives come before Technology Decisions

Mastering these concepts will help answer a large percentage of CISA exam questions correctly.


CISA Exam Style MCQs on System Development Life Cycle (SDLC)

1.

During which SDLC phase should user requirements be formally documented?


A. Testing

B. Design

C. Requirements Definition

D. Implementation


Answer: 


Explanation: Business and user requirements must be clearly defined before design begins.


2.

The PRIMARY reason for user involvement during system development is to:


A. Reduce programming effort

B. Ensure business requirements are met

C. Increase system complexity

D. Reduce testing costs


Answer: 


3.

An IS auditor reviewing a system development project should be MOST concerned if:


A. Project meetings are documented

B. User requirements have not been approved

C. Test plans exist

D. Project milestones are defined


Answer: 


4.

Which document serves as the basis for system design?


A. Test Plan

B. Change Request

C. Requirements Specification

D. User Manual


Answer: 


5.

The MOST important objective of feasibility analysis is to determine:


A. Programming standards

B. Project viability

C. User training needs

D. Audit scope


Answer: 


6.

Which SDLC phase includes creation of program specifications?


A. Requirements Analysis

B. Design

C. Testing

D. Maintenance


Answer: 


7.

The PRIMARY purpose of a system test is to verify:


A. Individual modules function properly

B. Entire system meets requirements

C. Source code quality

D. User documentation


Answer: 


8.

User Acceptance Testing (UAT) is intended to confirm that:


A. Programmers approve the system

B. Auditors approve the system

C. Business requirements have been satisfied

D. Hardware specifications are adequate


Answer: 


9.

An IS auditor finds that developers have unrestricted access to production programs. The GREATEST risk is:


A. Increased maintenance costs

B. Unauthorized changes to production systems

C. Delayed implementation

D. User dissatisfaction


Answer: 


10.

Which testing phase is generally performed by end users?


A. Unit Testing

B. Integration Testing

C. User Acceptance Testing

D. Regression Testing


Answer: 


11.

The PRIMARY objective of post-implementation review is to determine whether:


A. Programmers followed standards

B. The project met business objectives

C. Testing was completed

D. Hardware is functioning


Answer: 


12.

Which SDLC methodology delivers software in small, incremental releases?


A. Waterfall

B. Agile

C. Spiral

D. V-Model


Answer: 


13.

In Agile development, requirements are typically:


A. Fixed throughout the project

B. Defined only after implementation

C. Refined continuously during iterations

D. Ignored


Answer: 


14.

The MOST significant risk of inadequate requirements gathering is:


A. Increased training costs

B. System fails to meet business needs

C. More hardware purchases

D. Audit findings


Answer: 


15.

A project sponsor is responsible for:


A. Coding the application

B. Conducting penetration tests

C. Providing project oversight and support

D. Approving source code


Answer: 


16.

Which control BEST ensures completeness of program changes?


A. Emergency changes

B. Version control procedures

C. User training

D. Network monitoring


Answer: 


17.

An IS auditor reviewing project management should FIRST verify:


A. Programmer qualifications

B. Approved business case exists

C. Number of test cases

D. Training schedule


Answer: 


18.

The MOST effective method to ensure application controls work correctly is:


A. Review policies

B. Conduct testing

C. Interview users

D. Observe operations


Answer: 


19.

Which testing method verifies changes have not adversely affected existing functionality?


A. Unit Testing

B. Stress Testing

C. Regression Testing

D. Parallel Testing


Answer: 


20.

The PRIMARY purpose of configuration management is to:


A. Increase development speed

B. Control changes to system components

C. Eliminate testing requirements

D. Reduce user involvement


Answer: 


21.

A successful project should be measured primarily by:


A. Budget compliance only

B. Number of programmers assigned

C. Achievement of business objectives

D. Project duration


Answer: 


22.

The BEST evidence that a system satisfies user requirements is:


A. Signed user acceptance documentation

B. Management representation

C. Project status reports

D. Training records


Answer: 


23.

An auditor discovers that testing was performed using production data without masking sensitive information. The GREATEST concern is:


A. Increased storage costs

B. Privacy and confidentiality risk

C. Reduced performance

D. User dissatisfaction


Answer: 


24.

Which SDLC model has the HIGHEST risk of discovering requirements errors late in the project?


A. Agile

B. Incremental

C. Waterfall

D. Scrum


Answer: 


25.

The PRIMARY benefit of prototyping is:


A. Reduced documentation

B. Improved understanding of user requirements

C. Faster coding

D. Reduced audit effort


Answer: 


Difficult CISA Case-Based Questions

26.

A company is developing a payroll application. During testing, users identify several calculation errors. What should the IS auditor recommend FIRST?


A. Implement the system immediately

B. Correct defects and retest the application

C. Conduct staff training

D. Update documentation only


Answer: 


27.

Management wants to skip user acceptance testing because the project is behind schedule. The auditor should conclude that:


A. This is acceptable if system testing is completed

B. Risk increases that business requirements will not be met

C. Audit approval can replace UAT

D. Project costs will decrease


Answer: 


28.

An organization allows developers to migrate code directly into production during emergencies. Which control is MOST important?


A. Developer training

B. Post-implementation review and management approval

C. Increased budget

D. Additional programmers


Answer: 
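Questions 9, 16 and 28 above describe the same control gap from three angles: developers with direct access to production, program changes whose completeness nobody can demonstrate, and emergency migrations that never receive post-implementation review and approval. The script below is an added example, not part of the original quiz, of the detective control an auditor or change manager runs to close that gap: reconciling the production deployment log against the change records. The deployment log, change records, account names and change reference numbers are constructed for the illustration; in practice the log comes from the release or CI/CD tool and the change records from the ITSM system.

```python
"""Reconciling production deployments against change records.

Added example, not part of the original quiz. A detective control for three
situations: code reaching production from a developer account rather than
the release process, deployments with no change record at all, and
emergency changes that never received post-implementation review and
approval. The deployment log, change records and account names are
constructed; in practice the log comes from the release or CI/CD tool and
the change records from the ITSM system.
"""
import csv
import io

# Constructed deployment log from the release tool. An empty change_ref is a
# deployment with no change record at all.
DEPLOY_LOG = """deploy_id,timestamp,system,deployed_by,change_ref
D-101,2024-06-03T09:12:00,payroll,release_bot,CHG-5001
D-102,2024-06-03T17:45:00,payroll,dev_alice,CHG-5002
D-103,2024-06-04T02:10:00,billing,dev_bob,
D-104,2024-06-04T11:00:00,billing,release_bot,CHG-5003
D-105,2024-06-05T08:30:00,payroll,dev_alice,CHG-5004
"""

# Constructed change records. Standard changes must be approved before
# deployment; emergency changes may skip that but must carry a
# post-implementation approver.
CHANGE_RECORDS = """change_ref,type,approved_before,post_impl_approved_by
CHG-5001,standard,yes,
CHG-5002,emergency,no,cab_chair
CHG-5003,standard,yes,
CHG-5004,emergency,no,
"""


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile_deployments(deploy_log, change_records,
                          release_accounts=frozenset({"release_bot"})):
    """Return [(deploy_id, [reasons])] for every deployment that fails a
    check; deployments that reconcile cleanly are omitted. release_accounts
    is the set of accounts permitted to migrate code to production."""
    changes = {c["change_ref"]: c for c in _rows(change_records)}
    exceptions = []
    for d in _rows(deploy_log):
        reasons = []
        ref = d["change_ref"]
        if not ref:
            reasons.append("no change record")
        elif ref not in changes:
            reasons.append("unknown change record %s" % ref)
        else:
            chg = changes[ref]
            if chg["type"] == "standard" and chg["approved_before"] != "yes":
                reasons.append("standard change deployed without prior approval")
            if chg["type"] == "emergency" and not chg["post_impl_approved_by"]:
                reasons.append("emergency change lacks post-implementation approval")
        if d["deployed_by"] not in release_accounts:
            reasons.append("deployed by developer account")
        if reasons:
            exceptions.append((d["deploy_id"], reasons))
    return exceptions


if __name__ == "__main__":
    for deploy_id, reasons in reconcile_deployments(DEPLOY_LOG, CHANGE_RECORDS):
        print("%s: %s" % (deploy_id, "; ".join(reasons)))
```

Two points the exception list makes concrete. D-102 has a complete emergency record with post-implementation approval and is still flagged, because the person who deployed it was a developer: the emergency process legitimises the change, not the bypass of segregation of duties. And the reconciliation runs from the deployment log toward the change records, not the other way round, because a change that was deployed without any record is only visible from the production side.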


29.

An auditor reviewing an Agile project should focus MOST on:


A. Extensive upfront documentation

B. Sprint reviews and product backlog management

C. Fixed requirements documents

D. Sequential phase approvals


Answer: 


30.

A project was completed on time and within budget but failed to improve business operations. The project should be considered:


A. Successful

B. Technically successful but business unsuccessful

C. Failed only from an audit perspective

D. Fully compliant


Answer: 


High-Yield SDLC Areas Frequently Tested in CISA

1. Requirements Definition
2. Feasibility Study
3. Project Governance
4. User Acceptance Testing (UAT)
5. Change Management
6. Segregation of Duties in Development
7. Agile vs Waterfall
8. Post-Implementation Review
9. Configuration Management
10. Migration to Production Controls


These topics appear regularly in CISA questions because they directly affect whether systems meet business