Wednesday, April 1, 2026

CISA Domain 3 notes & question answer

 


Here are detailed, exam-focused notes on Domain 3 of the CISA (Certified Information Systems Auditor) certification:

📘 CISA Domain 3: Information Systems Acquisition, Development & Implementation (≈12%)

This domain focuses on how organizations build, acquire, test, and implement information systems while ensuring proper controls, governance, and risk management.

🔑 1. Project Governance & Management

🔹 Key Concepts:

  • Alignment of IT projects with business objectives
  • Use of project management frameworks
  • Monitoring project performance (time, cost, quality)

🔹 Important Points:

  • Projects must have:
    • Clear scope
    • Defined deliverables
    • Budget & timeline
  • Use tools like:
    • Gantt charts
    • Critical Path Method (CPM)

🔹 Risks:

  • Scope creep
  • Cost overrun
  • Poor stakeholder involvement

🔹 Controls:

  • Steering committee oversight
  • Periodic status reporting
  • Change approval process

🔹 Example:

A bank implementing a mobile app fails due to unclear scope → Auditor checks governance and finds no formal project charter.

🔑 2. Business Case & Feasibility Analysis

🔹 Types of Feasibility:

  • Technical feasibility – Can system be built?
  • Economic feasibility – Cost vs benefits
  • Operational feasibility – Will users accept it?
  • Legal feasibility – Compliance with laws

🔹 Important Metrics:

  • ROI (Return on Investment)
  • NPV (Net Present Value)
  • Payback Period

🔹 Example:

A company invests ₹50 lakh in ERP:

  • Expected savings ₹10 lakh/year
  • Payback period = 5 years

👉 Auditor checks whether assumptions are realistic.

🔑 3. System Development Life Cycle (SDLC)

🔹 Phases:

  1. Initiation
  2. Requirement Analysis
  3. Design
  4. Development
  5. Testing
  6. Implementation
  7. Maintenance

🔹 Key Exam Points:

  • Each phase must have:
    • Documentation
    • Approval
  • Errors fixed earlier → cheaper

🔹 Controls:

  • Phase-end reviews
  • User sign-offs
  • Documentation standards

🔹 Example:

Missing requirement documentation → leads to system not meeting user needs.

🔑 4. SDLC Models / Methodologies

🔹 Types:

  • Waterfall Model (sequential)
  • Agile Model (iterative & flexible)
  • Spiral Model (risk-driven)
  • RAD (Rapid Application Development)

🔹 Comparison:

Model Best For Risk
Waterfall Stable requirements Inflexible
Agile Changing requirements Less documentation
Spiral High-risk projects Complex

🔹 Example:

Startup uses Agile → frequent updates but weak documentation → audit issue.

🔑 5. Requirements Management

🔹 Types:

  • Functional requirements
  • Non-functional (security, performance)

🔹 Key Points:

  • Requirements must be:
    • Clear
    • Complete
    • Approved

🔹 Risks:

  • Ambiguous requirements
  • Frequent changes

🔹 Controls:

  • Requirement traceability matrix (RTM)
  • User validation

🔹 Example:

ATM system lacks security requirement → leads to fraud risk.

🔑 6. System Design & Development Controls

🔹 Key Concepts:

  • Input, processing, output controls
  • Secure coding practices

🔹 Important Controls:

  • Data validation checks
  • Error handling
  • Encryption

🔹 Risks:

  • Poor coding → vulnerabilities
  • Lack of testing

🔹 Example:

No input validation → user enters invalid data → system crash.

🔑 7. Testing Methodologies

🔹 Types of Testing:

  • Unit testing
  • Integration testing
  • System testing
  • User Acceptance Testing (UAT)

🔹 Key Points:

  • UAT must be done by users
  • Testing should be documented

🔹 Risks:

  • Incomplete testing
  • Lack of test data

🔹 Example:

Payroll system tested without real scenarios → wrong salary calculations.

🔑 8. Data Conversion & Migration

🔹 Key Points:

  • Accuracy and completeness of data
  • Data cleansing before migration

🔹 Risks:

  • Data loss
  • Data corruption

🔹 Controls:

  • Reconciliation checks
  • Backup before migration

🔹 Example:

Customer records lost during migration → business disruption.

🔑 9. System Implementation & Deployment

🔹 Methods:

  • Direct Cutover (risky)
  • Parallel Run (safe but costly)
  • Phased Implementation
  • Pilot Implementation

🔹 Example:

Bank uses parallel run → compares old & new system outputs.

🔑 10. Post-Implementation Review (PIR)

🔹 Purpose:

  • Evaluate system performance
  • Check if objectives achieved

🔹 Key Points:

  • Identify lessons learned
  • Improve future projects

🔹 Example:

ERP system implemented but users unhappy → PIR reveals lack of training.

🔑 11. Change Management

🔹 Key Concepts:

  • Managing system changes
  • Prevent unauthorized modifications

🔹 Controls:

  • Change requests
  • Approval process
  • Version control

🔹 Risks:

  • Unauthorized changes
  • System instability

🔹 Example:

Developer modifies code directly → causes system failure.

🔑 12. Segregation of Duties (SoD)

🔹 Key Principle:

No single person should:

  • Develop
  • Test
  • Deploy

🔹 Example:

Same person coding & approving → fraud risk.

🎯 MOST IMPORTANT EXAM HIGHLIGHTS

✔ Auditor focus areas:

  • SDLC controls
  • Testing completeness
  • Change management
  • Data migration accuracy

✔ Frequently tested concepts:

  • UAT responsibility (users, not IT)
  • Early error detection saves cost
  • Parallel run = safest implementation method
  • RTM ensures all requirements covered

🧠 Quick Revision Summary

  • SDLC must be controlled and documented
  • Testing is critical before implementation
  • Data migration requires validation
  • Change management prevents unauthorized access
  • Governance ensures project success

www.gmsisuccess.in

Here are 100 tricky, exam-oriented questions on CISA Domain 3 (MCQs, Assertion-Reason, Fill in the Blanks, Odd One Out, etc.) with answers. These are designed to test concept clarity, audit judgment, and traps commonly seen in CISA exams.

📘 SECTION A: MCQs (1–50)

1.

The MOST critical factor for project success is: A. Budget approval
B. User involvement
C. Technical feasibility
D. Vendor selection
Answer: B

2.

Which SDLC phase is MOST effective for detecting errors at lowest cost? A. Testing
B. Design
C. Requirement analysis
D. Implementation
Answer: C

3.

An auditor reviewing SDLC should FIRST check: A. Test results
B. Documentation
C. Business case
D. Coding standards
Answer: C

4.

The PRIMARY objective of UAT is: A. Identify coding errors
B. Validate user requirements
C. Test system integration
D. Verify database integrity
Answer: B

5.

Which implementation method has HIGHEST risk? A. Parallel
B. Phased
C. Pilot
D. Direct cutover
Answer: D

6.

Which control ensures all requirements are addressed? A. Change log
B. RTM
C. Test plan
D. Audit trail
Answer: B

7.

Agile methodology emphasizes: A. Documentation
B. Sequential phases
C. Iterative development
D. Fixed requirements
Answer: C

8.

Which is a key risk in Agile? A. Slow delivery
B. Excess documentation
C. Weak documentation
D. No testing
Answer: C

9.

MOST important control in data migration: A. Encryption
B. Backup
C. Reconciliation
D. Compression
Answer: C

10.

Which role should perform UAT? A. Developer
B. Auditor
C. End user
D. Tester
Answer: C

11.

Scope creep occurs due to: A. Strong controls
B. Poor requirement definition
C. Good governance
D. Fixed scope
Answer: B

12.

Which is NOT a feasibility type? A. Technical
B. Operational
C. Financial
D. Coding
Answer: D

13.

The BEST method for high-risk projects: A. Waterfall
B. Agile
C. Spiral
D. RAD
Answer: C

14.

Which control prevents unauthorized code changes? A. Testing
B. Version control
C. Documentation
D. Backup
Answer: B

15.

The PRIMARY purpose of PIR: A. Debug system
B. Evaluate success
C. Train users
D. Develop code
Answer: B

16.

Which is a preventive control? A. Audit logs
B. Error reports
C. Input validation
D. Reconciliation
Answer: C

17.

Which phase defines system architecture? A. Development
B. Design
C. Testing
D. Maintenance
Answer: B

18.

Which testing ensures modules work together? A. Unit
B. System
C. Integration
D. UAT
Answer: C

19.

MOST critical in change management: A. Speed
B. Approval
C. Coding
D. Testing
Answer: B

20.

Which is detective control? A. Encryption
B. Input validation
C. Logs review
D. Access control
Answer: C

21–50 (condensed but tricky)

  1. RTM links → Requirements to testing ✅
  2. Parallel run → Safest method ✅
  3. Agile best for → Changing requirements ✅
  4. Waterfall risk → Inflexibility ✅
  5. Missing UAT → User dissatisfaction ✅
  6. Data cleansing → Before migration ✅
  7. SoD violation → Same person dev + deploy ✅
  8. Critical path → Longest project duration path ✅
  9. Payback period → Time to recover investment ✅
  10. NPV considers → Time value of money ✅
  11. Lack of documentation → Audit risk ✅
  12. Pilot → Limited rollout ✅
  13. Phased → Step-by-step implementation ✅
  14. Direct cutover → No fallback ✅
  15. Change log → Tracks modifications ✅
  16. Test data → Must be realistic ✅
  17. Security requirement → Non-functional ✅
  18. Functional requirement → System behavior ✅
  19. Error handling → Development control ✅
  20. Encryption → Confidentiality control ✅
  21. Testing incomplete → High risk ✅
  22. Requirement ambiguity → Rework cost ↑ ✅
  23. Early detection → Cost ↓ ✅
  24. Audit trail → Accountability ✅
  25. System failure → Poor testing ✅
  26. Governance → Oversight role ✅
  27. Stakeholder involvement → Critical ✅
  28. Budget overrun → Poor planning ✅
  29. Change approval → Mandatory ✅
  30. Documentation → Evidence for audit ✅

📘 SECTION B: ASSERTION–REASON (51–70)

51.

Assertion: UAT is performed by users
Reason: Users validate business needs
A. Both true & reason correct
Answer: A

52.

Assertion: Agile requires heavy documentation
Reason: Agile focuses on flexibility
Answer: D (Assertion false, Reason true)

53.

Assertion: Parallel run reduces risk
Reason: Both systems run together
Answer: A

54.

Assertion: Direct cutover is safest
Reason: No overlap exists
Answer: D

55.

Assertion: RTM ensures requirement coverage
Reason: It maps requirements to tests
Answer: A

56–70 (pattern-based answers)

  1. Spiral reduces risk → True
  2. Missing documentation → Audit issue → True
  3. Testing after deployment → Wrong → False
  4. Change mgmt prevents unauthorized changes → True
  5. UAT by developers → False
  6. Data migration without backup → Risk → True
  7. Agile less documentation → True
  8. Waterfall flexible → False
  9. SoD reduces fraud → True
  10. PIR improves future → True
  11. Input validation prevents errors → True
  12. Encryption ensures integrity → False (confidentiality)
  13. Logs are preventive → False
  14. Testing optional → False
  15. Requirements must be approved → True

📘 SECTION C: FILL IN THE BLANKS (71–85)

  1. ______ ensures requirement coverage → RTM
  2. ______ is user-based testing → UAT
  3. ______ method runs two systems → Parallel
  4. ______ is highest risk implementation → Direct cutover
  5. ______ phase defines requirements → Analysis
  6. ______ feasibility checks cost-benefit → Economic
  7. ______ ensures data accuracy → Reconciliation
  8. ______ control prevents errors → Preventive
  9. ______ tracks system changes → Change log
  10. ______ ensures no single control → SoD
  11. ______ testing checks modules → Integration
  12. ______ review done after implementation → PIR
  13. ______ model is iterative → Agile
  14. ______ risk arises from unclear requirements → Scope creep
  15. ______ ensures secure coding → Development controls

📘 SECTION D: ODD ONE OUT (86–95)

  1. Waterfall, Agile, Spiral, Encryption
    Answer: Encryption
  1. UAT, System Testing, Integration Testing, Encryption
    Answer: Encryption
  1. RTM, Change log, Audit trail, Payroll
    Answer: Payroll
  1. Technical, Operational, Legal, Coding
    Answer: Coding
  1. Parallel, Pilot, Phased, Encryption
    Answer: Encryption
  1. Input validation, Logs, Encryption, Backup
    Answer: Logs (detective)
  1. Developer, Tester, Auditor, End user (UAT)
    Answer: Auditor
  1. ROI, NPV, Payback, Firewall
    Answer: Firewall
  1. Requirement, Design, Testing, Payroll
    Answer: Payroll
  1. Preventive, Detective, Corrective, Development
    Answer: Development

📘 SECTION E: CASE-BASED LOGIC (96–100)

96.

System failed due to missing requirements
👉 Root cause?
Answer: Poor requirement analysis

97.

Data mismatch after migration
👉 Best control missing?
Answer: Reconciliation

98.

Unauthorized code deployed
👉 Control failure?
Answer: Change management

99.

Users reject system
👉 Reason?
Answer: No UAT / poor requirement validation

100.

Project exceeds budget & time
👉 Root cause?
Answer: Poor project governance / scope creep

🎯 FINAL EXAM STRATEGY

✔ Focus on:

  • SDLC controls
  • UAT responsibility
  • Data migration risks
  • Change management
  • Implementation methods

✔ Golden rules:

  • Users validate, not developers
  • Earlier error detection = cheaper
  • Parallel = safest
  • RTM = coverage assurance

www.gmsisuccess.inCISA Domain 3 Notes




Posted by at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)