Chapter 3

SteadyCert

Beautiful graphics for every concept in the CISA Review Manual

Domain 3: IS Acquisition, Development & Implementation 12%
👩‍💼

Week 3 — Alex Audits a CRM Go-Live

It's Week 3. Alex's manager assigns her to audit Meridian Corp's biggest active project: a new CRM system going live in 6 weeks. The project manager, Dave, is confident. "We're on track," he says. Alex asks to see the project plan, the testing documentation, and the change log. Dave hesitates. "We've been moving fast," he says. "Agile, you know?" Alex opens her notebook. She has 6 weeks to find out whether this system is ready to go live — or whether she needs to stop it.

Part A Section 3.1

Project Management

Scene 1 — The Missing Charter

Project Governance & the Charter

👩‍💼
Alex's Story

Alex asks for the project charter. Dave hands her a PowerPoint deck. There's no scope document, no project sponsor formally signed, and the go-live date was set before requirements were agreed. "Who authorised this project?" Alex asks. Dave points to a two-line email from the VP of Sales. Alex writes her first finding: no formal project charter.

A project management war room with Gantt charts, a project charter on the wall, and a project manager presenting to stakeholders

The Project Charter

The formal document that authorises a project and defines its boundaries. Without a charter, there is no formal project — only activity.

Must Include:

  • Business objectives & scope
  • Project sponsor (executive owner)
  • Budget & timeline
  • Key milestones & deliverables

Auditor's Checklist:

  • Is the sponsor identified & active?
  • Were requirements agreed BEFORE go-live date?
  • Is there a formal change control process?
  • Are roles & responsibilities documented?
📐

Project Governance Structure

  • Steering Committee: Strategic oversight
  • Project Sponsor: Accountable for business case
  • Project Manager: Day-to-day delivery
  • IS Auditor: Independent advisor
📊

Key PM Tools

  • Gantt chart: Timeline & dependencies
  • PERT: Optimistic/pessimistic/expected time
  • Critical Path: Longest sequence = minimum duration
  • Earned Value: Budget vs. actual progress
Key Exam Tip

The project sponsor (NOT the project manager) is accountable for the business case. ISACA frequently asks "who is MOST responsible for project success?" — the answer is the sponsor. The PM manages delivery; the sponsor owns the business outcome. Also: the auditor's greatest concern is a project without a formal charter — no charter means no defined scope, no accountability, and no basis for change control.

📰 Real World

The FBI's Sentinel case management system was originally budgeted at $425 million. After years of poor project governance — no formal charter, unclear ownership, scope creep — it was cancelled and restarted, ultimately costing $451 million and taking 6 years longer than planned.

Test Yourself — Project Management
Q1. An IS auditor discovers a major development project has no formal project charter. What is the GREATEST risk?
A. The project will exceed its budget
B. Scope, authority, and accountability are undefined
C. The project manager lacks the right skills
D. Testing will not be completed on time
Reveal Answer
Correct: B
Without a charter, there is no formally defined scope, no authorised budget, and no accountable sponsor. A, C, and D are potential consequences of poor governance, but B is the root cause — the charter is the foundation of all project control.
Q2. Who is MOST accountable for the success of a system development project?
A. The project manager
B. The IS auditor
C. The project sponsor
D. The development lead
Reveal Answer
Correct: C
The project sponsor is the executive who owns the business case and is accountable for project success. The PM (A) manages day-to-day delivery. The auditor (B) provides independent assurance. The dev lead (D) handles technical execution. ISACA consistently tests this distinction.
Q3. A project's go-live date was set before requirements were defined. What should the IS auditor recommend FIRST?
A. Postpone the go-live date immediately
B. Complete a risk assessment of the current timeline
C. Replace the project manager
D. Increase the testing budget
Reveal Answer
Correct: B
The auditor should first assess the risk — not make management decisions. A (postpone) is a management action, not an audit recommendation. The auditor's role is to evaluate risk and report to management, who then decide whether to adjust the timeline.

Alex now knows the project has no charter. But she needs to understand what they actually built — and whether they followed any process at all.

Part A Section 3.2

SDLC Phases

Scene 2 — The Skyscraper Under Construction

The System Development Life Cycle

👩‍💼
Alex's Story

Alex maps what Meridian actually did against what they should have done. They skipped formal requirements sign-off, went straight from concept to coding, and are now doing design while simultaneously testing. It's like building a skyscraper where one team is still pouring the foundation while another is already painting the top floor. "When was the design approved?" she asks. Dave stares at her blankly.

A construction site where different workers are doing different phases simultaneously and out of order — one team is still laying foundations while another is already painting the top floor
SDLC Phases — The Correct Sequence
8 Maintain — Monitor, patch, enhance, retire
7 Post-Implementation Review — PIR against business case
6 Implement — Deploy, train users, go-live
5 Test — Unit, Integration, System, UAT
4 Build (Develop) — Write code, configure systems
3 Design — Logical & physical architecture
2 Analyze — Gather & document requirements
1 Plan — Feasibility study, project initiation

Auditor Involvement in SDLC

The IS auditor should be involved in every phase of the SDLC — from planning through maintenance. Early involvement reduces the cost of fixing issues later. The auditor acts as an independent advisor, not a project team member.

Key Exam Tip

The auditor should participate in every SDLC phase but must never become part of the development team (independence). The cost of fixing defects increases exponentially the later they are found — this is why early auditor involvement is critical. If the exam asks "when should the auditor first get involved?" the answer is always the EARLIEST phase — planning/feasibility.

📰 Real World

The Healthcare.gov launch failure (2013) resulted from skipping critical SDLC phases — integration testing between 33+ vendor systems was never properly completed before launch. The site failed under real load on Day 1, affecting 600,000 users.

Test Yourself — SDLC Phases
Q1. At which SDLC phase should the IS auditor FIRST become involved?
A. Testing
B. Design
C. Planning / Feasibility
D. Implementation
Reveal Answer
Correct: C
The auditor should be involved from the very beginning — the planning/feasibility phase. Early involvement allows the auditor to identify control requirements before they become expensive to add later. The trap is B (design) — by design, key decisions have already been made.
Q2. Why does the cost of fixing defects increase in later SDLC phases?
A. More staff are involved
B. Dependencies, integrations, and deployed systems must all be updated
C. The auditor has more findings to report
D. Management attention decreases
Reveal Answer
Correct: B
Later phases mean more components are built on top of earlier decisions. A requirements error caught in design is cheap to fix. The same error caught in production requires rework across design, code, tests, data, training, and documentation — exponentially more costly.
Q3. An IS auditor finds that a team is performing design and testing simultaneously. What is the PRIMARY concern?
A. The project will exceed budget
B. Tests may not validate actual design decisions
C. The project manager is incompetent
D. Documentation will be incomplete
Reveal Answer
Correct: B
If design is still changing while testing is occurring, the tests cannot be reliable — they may validate a design that hasn't been finalised. This means test results don't prove the final system works. SDLC phases exist to ensure each stage is complete before the next begins.

Alex has mapped the timeline. Now she needs to understand what methodology — if any — the team was following.

Part A Section 3.3

Development Methodologies

Scene 3 — Three Rivers

Waterfall vs. Agile vs. Spiral

👩‍💼
Alex's Story

Dave says they're doing Agile. Alex asks to see the sprint backlog, sprint reviews, and retrospectives. There are none. They're doing something. It isn't Agile. It isn't Waterfall either. Alex writes in her notebook: "Ad hoc development. No defined methodology. No sprint cadence. No documented iterations." She underlines it twice.

Three contrasting river scenes: a rigid stepped waterfall, a fast agile kayaker in rapids, and a spiraling river through a canyon
Methodology Comparison
Attribute
Waterfall
Agile
Spiral
Approach
Sequential, linear
Iterative sprints
Risk-driven iterations
Requirements
Fixed upfront
Evolve each sprint
Refined per cycle
Documentation
Heavy, formal
Minimal, working SW
Moderate
Change Tolerance
Low — costly
High — embraced
Moderate
Risk Handling
Late discovery
Early feedback
Built-in risk analysis
Best For
Stable, known scope
Evolving requirements
Large, risky projects

Waterfall Audit Focus

  • Are phase gates enforced?
  • Is sign-off required before moving to next phase?
  • Complete documentation at each stage?

Agile Audit Focus

  • Are user stories traced?
  • Is there a product backlog?
  • Are sprint reviews documented?

Spiral Audit Focus

  • Is risk analysis done each cycle?
  • Are prototypes validated?
  • Is progress measurable?
Key Exam Tip

Agile prioritises working software OVER comprehensive documentation — but NOT instead of it. Critical controls, security requirements, and audit trails are still required in Agile environments. The exam will try to trick you with "Agile doesn't need documentation" — that's always wrong. Also: match the methodology to the scenario. Stable requirements = Waterfall. Evolving requirements = Agile. High-risk, large project = Spiral.

📰 Real World

Many organisations claim to "do Agile" without sprints, backlogs, or retrospectives — what researchers call "Dark Scrum" or "Scrumbut." A 2022 survey found 58% of teams claiming Agile had no sprint reviews. Claiming a methodology without following its practices provides no audit assurance.

Test Yourself — Development Methodologies
Q1. A team claims to follow Agile but has no sprint backlog, no sprint reviews, and no retrospectives. What should the IS auditor conclude?
A. The team is following a hybrid methodology
B. Agile does not require these artifacts
C. The team is not following a defined development methodology
D. The auditor should recommend switching to Waterfall
Reveal Answer
Correct: C
Agile has defined practices — sprints, backlogs, reviews, retrospectives. Without these core elements, the team is not following Agile (or any methodology). A is generous — "hybrid" implies intentional design. B is wrong — these ARE core Agile artifacts. D is a management decision, not an audit conclusion.
Q2. Which development methodology is BEST suited for a project with well-defined, stable requirements?
A. Agile
B. Spiral
C. Waterfall
D. Prototype
Reveal Answer
Correct: C
Waterfall works best when requirements are stable and well-understood upfront. Its sequential, phase-gated approach provides maximum documentation and control. Agile (A) is for evolving requirements. Spiral (B) is for high-risk projects. Prototyping (D) is for unclear user needs.
Q3 (TRAP). In an Agile project, which of the following is the auditor's GREATEST concern?
A. Lack of formal phase gates
B. Insufficient documentation of security controls and audit trails
C. Frequent changes to requirements
D. Short development cycles
Reveal Answer
Correct: B
Agile by design has no phase gates (A) and embraces frequent changes (C) and short cycles (D) — those are features, not bugs. The auditor's concern is that Agile's "just enough documentation" culture may skip critical security controls and audit trails. That's the real risk.

No methodology. No charter. Alex now digs deeper — was there even a proper business case for this CRM?

Part A Section 3.4

Business Case & Feasibility

Scene 4 — The Court of Feasibility

The Four Tests of Feasibility

👩‍💼
Alex's Story

The CRM was approved based on a two-paragraph email from the Sales Director. No economic feasibility analysis. No technical feasibility review. No assessment of whether Meridian's infrastructure could support it. "Where's the business case?" Alex asks. Dave says, "The Sales Director wanted it. That was enough." Alex writes: "No formal feasibility study conducted for any of the four dimensions."

A medieval courtroom with four stained glass windows representing economic, technical, operational, and legal feasibility
🧠 Mnemonic
E · T · O · L
"Every Thing Operates Legally" — the 4 feasibility tests
💰

Economic Feasibility

Can we afford it? Will it generate ROI?

  • Cost-benefit analysis (CBA)
  • ROI, NPV, IRR calculations
  • TCO (Total Cost of Ownership)
  • Payback period
⚙️

Technical Feasibility

Can we build it with available technology?

  • Technology readiness
  • Staff skills available
  • Infrastructure capacity
  • Integration complexity
👥

Operational Feasibility

Will users adopt and operate it?

  • User acceptance likelihood
  • Process change impact
  • Training requirements
  • Organizational readiness
⚖️

Legal Feasibility

Does it comply with laws & regulations?

  • Regulatory compliance
  • Licensing requirements
  • Privacy & data protection
  • Contractual obligations
Key Business Case Formula
ROI = (Benefits − Costs) ÷ Costs × 100%
Key Exam Tip

A feasibility study should be completed BEFORE the project begins. All four types must be assessed — economic feasibility alone is not sufficient. A project can be economically attractive but technically impossible or legally prohibited. When the exam asks "which feasibility type is MOST important?" — it's a trick. The answer is: all four are required; no single type is sufficient.

📰 Real World

Kodak's digital camera technology was invented internally in 1975. The business case for investing in digital was rejected because it would cannibalise film revenue. The failure to conduct honest feasibility analysis contributed to Kodak's 2012 bankruptcy.

Test Yourself — Business Case & Feasibility
Q1. A project has a positive ROI but requires technology the organisation doesn't currently possess. Which feasibility dimension flags this risk?
A. Economic
B. Technical
C. Operational
D. Legal
Reveal Answer
Correct: B
Technical feasibility assesses whether the organisation has (or can acquire) the technology, skills, and infrastructure to build the system. A positive ROI (economic) doesn't help if you can't technically deliver it.
Q2. Who is MOST responsible for developing the business case?
A. The project manager
B. The IS auditor
C. The project sponsor / business owner
D. The development team
Reveal Answer
Correct: C
The project sponsor (business owner) is responsible for the business case — it justifies the business investment. The PM (A) manages delivery. The auditor (B) reviews the business case for adequacy. The dev team (D) builds what's specified.
Q3. An IS auditor finds that a project was approved with only an economic analysis. What should the auditor recommend?
A. The project should be stopped
B. Technical, operational, and legal feasibility assessments should also be completed
C. The economic analysis should be redone
D. The project sponsor should be replaced
Reveal Answer
Correct: B
All four feasibility dimensions must be assessed. The auditor's role is to identify the gap and recommend that the missing assessments be completed — not to stop the project (management decision) or redo what was done (the economic analysis may be fine).

No business case, no feasibility analysis. Alex turns to the next question: did anyone actually document what this CRM is supposed to do?

Part A Section 3.5

Requirements Management

Scene 5 — The Cartographers

Requirements & Traceability

👩‍💼
Alex's Story

Alex asks for the requirements document. Dave produces a 200-page spreadsheet. She asks which requirements have been signed off by the business. Dave points to an email thread. From 8 months ago. With people who have since left the company. "So nobody currently at Meridian has formally approved these requirements?" Alex asks. The silence tells her everything.

A cartographers workshop with two teams drawing functional and non-functional requirement maps, connected by golden traceability threads
📐

Functional Requirements

"What the system does"

  • Business rules & logic
  • Data processing operations
  • User interactions & workflows
  • Reports & outputs
🌤️

Non-Functional Requirements

"How the system performs"

  • Performance & speed
  • Security & access
  • Availability & uptime
  • Scalability & capacity

Traceability Matrix

A traceability matrix maps each requirement to its corresponding design element, test case, and implementation. It ensures nothing is missed and provides an audit trail from requirement to delivery.

Requirement Design Code Test Case Deployment
Key Exam Tip

The traceability matrix is the auditor's best friend — it provides evidence that every requirement was designed, built, and tested. If the exam asks what an auditor should review to ensure completeness, the traceability matrix is usually the answer. Also: requirements must be signed off by BUSINESS USERS, not just the development team.

📰 Real World

The Denver International Airport baggage system (1995) famously failed because requirements were added and changed throughout development without formal sign-off. The $186 million system was 16 months late and still malfunctioned on opening day.

Test Yourself — Requirements Management
Q1. During a post-implementation review, an IS auditor discovers that several business requirements documented in the project charter were never implemented. The project team claims all requirements were delivered. What evidence should the auditor request FIRST?
A. User acceptance testing sign-off documents
B. The requirements traceability matrix
C. The project budget and timeline reports
D. Source code review results
Reveal Answer
Correct: B
The requirements traceability matrix (RTM) maps each requirement through design, build, and test phases. It directly shows whether every requirement was implemented and tested. UAT sign-off (A) confirms testing but doesn't map requirement-by-requirement coverage. Budget reports (C) track cost, not requirements. Source code (D) is too granular for this verification.
Q2. Requirements were signed off by a manager who has since left the organisation. What is the auditor's concern?
A. The sign-off is invalid because the person left
B. No current business owner has verified the requirements still reflect business needs
C. The requirements document must be rewritten
D. The project should be cancelled
Reveal Answer
Correct: B
The original sign-off was valid at the time (A is wrong), but business needs may have changed. The concern is that no one currently accountable has verified these requirements. The auditor should recommend that current business owners review and reconfirm the requirements.
Q3. Which type of requirement specifies that the system must respond within 2 seconds?
A. Functional requirement
B. Non-functional requirement
C. Technical requirement
D. Business rule
Reveal Answer
Correct: B
Performance requirements (response time, throughput, availability) are non-functional requirements — they describe HOW the system performs, not WHAT it does. Functional requirements describe business logic and data processing. This is a frequently tested distinction.

Requirements without sign-off. Alex turns to the design — if there even is one.

Part B Section 3.6

System Design

Scene 6 — The Architect's Studio

Logical vs. Physical Design

👩‍💼
Alex's Story

The logical design exists — Alex finds data flow diagrams and entity-relationship models. But the physical design — how it actually maps to Meridian's infrastructure, databases, and network — was never formally documented. The developers are building from memory. "Where's the physical architecture document?" Alex asks. Dave shrugs. "It's in their heads." Alex writes: "No formal physical design. Single point of knowledge failure."

An architect's studio split in two: glowing abstract blueprints for logical design on the left, physical hardware and servers on the right
💭

Logical Design

"What the system does — abstractly"

  • Data flow diagrams (DFDs)
  • Entity-Relationship diagrams (ERDs)
  • Process models
  • Technology-independent
🔩

Physical Design

"How the system is built — concretely"

  • Hardware specifications
  • Network architecture
  • Database schema
  • Technology-specific
Key Design Artifacts

Data Flow Diagram (DFD)

Shows how data moves through a system. Uses processes, data stores, external entities, and data flows.

Entity-Relationship Diagram (ERD)

Models data entities and their relationships. Foundation for database design.

Decision Table / Tree

Maps complex business rules to outcomes. Ensures all conditions are covered.

Key Exam Tip

Logical design comes BEFORE physical design. An IS auditor should verify that the logical design is approved by users before physical design begins. DFDs show data flow, not control flow — know the difference. And remember: if the physical design only exists "in people's heads," that's a key-person dependency and a critical risk.

📰 Real World

The Ariane 5 rocket explosion (1996) was caused by reusing software from Ariane 4 without verifying it against the new physical design parameters. A 64-bit number was converted to a 16-bit integer, causing overflow. The $370 million rocket exploded 37 seconds after launch.

Test Yourself — System Design
Q1. Which design phase should be completed and approved by users FIRST?
A. Physical design
B. Database schema design
C. Logical design
D. Network architecture
Reveal Answer
Correct: C
Logical design describes WHAT the system does in technology-independent terms that business users can review and approve. Physical design (A), database schema (B), and network architecture (D) are all physical design elements that follow after logical design is approved.
Q2. A Data Flow Diagram (DFD) shows which of the following?
A. The sequence of program execution
B. How data moves between processes, data stores, and external entities
C. The physical network topology
D. The project timeline
Reveal Answer
Correct: B
DFDs show data flow — how data enters, is processed, stored, and output. They do NOT show control flow or program execution sequence (A). C is a network diagram. D is a Gantt/PERT chart.
Q3. The physical design exists only in the minds of two developers. What is the PRIMARY risk?
A. The system cannot be audited
B. Key-person dependency — knowledge loss if developers leave
C. The design cannot be changed
D. Testing cannot be performed
Reveal Answer
Correct: B
Undocumented design creates key-person dependency. If those developers leave, the organisation loses the ability to maintain, troubleshoot, or enhance the system. A is partly true but the system CAN be audited — just poorly. C and D are overstated.

Logical design exists, physical design doesn't. Alex moves to the question that keeps her up at night: has this CRM been properly tested?

Part B Section 3.7

Testing Types

Scene 7 — The QC Factory

The Six Testing Stations

👩‍💼
Alex's Story

Alex asks for the test plan. Unit testing was done. Integration testing... "mostly." System testing is scheduled for next week. UAT hasn't been planned yet. There's no regression test plan. The go-live is in 6 weeks. Alex stares at the whiteboard. Four of six testing stations haven't been completed, and the team thinks they're on track. She circles "UAT: NOT PLANNED" in red.

A quality control factory floor with 6 testing stations: Unit, Integration, System, UAT, Stress, and Regression testing
🧠 Mnemonic — Testing Order
U · I · S · U · R · S
"Unit → Integration → System → UAT → Regression → Stress"
🔬

Unit Testing

Who: Developers

Tests individual modules or functions in isolation. Smallest testable part.

🧩

Integration Testing

Who: Developers

Tests how modules work together. Verifies interfaces between components.

🖥️

System Testing

Who: QA Team

Tests the complete, integrated system against requirements. End-to-end validation.

👤

UAT (User Acceptance)

Who: End Users

Final validation by actual users. Confirms the system meets business needs.

🔄

Regression Testing

Who: QA Team

Re-tests after changes to ensure existing functionality still works correctly.

💪

Stress / Load Testing

Who: Performance Team

Tests system under extreme conditions — peak load, volume, concurrency.

Testing Progression: Small → Large

Unit Integration System UAT
Key Exam Tip

UAT is performed by END USERS, not developers or QA. It is the FINAL test before go-live and must be signed off by the business owner. A system that passes unit testing is NOT ready for go-live — all testing stages are required. Also: UAT is MANAGEMENT's responsibility — the auditor verifies it was done adequately, not plans or executes it.

📰 Real World

The Boeing 737 MAX MCAS system underwent limited system testing and no real-world failure mode testing. Two crashes killed 346 people. Post-investigation, it emerged that testing had not covered scenarios where a single sensor failed.

Test Yourself — Testing Types
Q1. A system has passed unit testing. A project manager says it is ready for production. What is the auditor's BEST response?
A. Agree — unit testing validates the system
B. Recommend integration, system, and user acceptance testing before go-live
C. Recommend additional unit tests
D. Approve the go-live if time is limited
Reveal Answer
Correct: B
Unit testing only validates individual components. Integration testing verifies interfaces. System testing validates end-to-end. UAT confirms business needs. ALL are required before go-live. The trap is A — unit testing alone is never sufficient.
Q2. Who should perform User Acceptance Testing (UAT)?
A. The development team
B. The IS auditor
C. The end users / business representatives
D. The QA team
Reveal Answer
Correct: C
UAT is performed by actual end users or their business representatives. Developers (A) wrote the code and shouldn't validate their own work. The auditor (B) reviews the process, not performs it. QA (D) performs system testing, not UAT.
Q3. When should regression testing be performed?
A. Only before the initial go-live
B. After every change to the system
C. Only when bugs are discovered
D. During the annual audit
Reveal Answer
Correct: B
Regression testing must occur after every change to ensure existing functionality still works. It's not a one-time event (A) or triggered only by bugs (C). Changes can introduce unintended side effects — regression testing catches them.

Testing is incomplete. But there's something even more alarming in the project log — changes that nobody approved.

Part B Section 3.8

Change Management

Scene 8 — The Castle Gatehouse

The Change Control Process

👩‍💼
Alex's Story

Alex finds 47 change requests in the project log. Twelve have been implemented. None went through the change advisory board. Two changed the core data model without anyone updating the system design documents. "Who approved these changes?" Alex asks. Dave says, "We just did them. The developers know what they're doing." Alex's pen stops. Uncontrolled changes are the single fastest way to kill a system.

A medieval castle gatehouse with a controlled drawbridge system: messenger with change request, council reviewing approval, sandbox testing area, and a rollback lever
Change Management Process
1
Request

Submit formal change request with justification

2
Assess

Impact analysis: risk, cost, schedule, dependencies

3
Approve

CAB (Change Advisory Board) reviews & approves

4
Test

Test in non-production environment first

5
Deploy

Implement change with rollback plan ready

6
Review

Post-implementation verification & close

Emergency Changes

  • Bypass normal approval (pre-authorized)
  • Must be documented retroactively
  • Reviewed by CAB after implementation
  • High audit risk — watch for abuse

Rollback Plan

  • Must exist BEFORE deployment
  • Tested and validated
  • Defines criteria for triggering rollback
  • Includes data restoration procedures
Key Exam Tip

ALL changes must go through change management — including emergency changes (documented after the fact). In IS audit, change management means the formal process for requesting, approving, testing, and implementing system changes — NOT change psychology or organisational change management. The auditor's greatest concern is unauthorized changes that bypass the process entirely.

📰 Real World

The Knight Capital $440 million trading loss (2012) was triggered by a change management failure — a software deployment activated legacy code that should have been disabled. There was no rollback plan, no change advisory board review, and no post-deployment verification. The company lost $440 million in 45 minutes.

Test Yourself — Change Management
Q1. Twelve changes were implemented without CAB approval. What is the auditor's GREATEST concern?
A. The changes may have exceeded the budget
B. Unauthorized changes may have introduced defects or security vulnerabilities
C. The CAB should meet more frequently
D. The project manager should be disciplined
Reveal Answer
Correct: B
Unapproved changes bypass impact analysis, testing, and review — meaning they could introduce bugs, break existing functionality, or create security holes. The auditor's concern is always about risk to the system, not budget or personnel issues.
Q2. An emergency change was made to a production system without prior CAB approval. Is this acceptable?
A. No — all changes require prior approval
B. Yes — if the change is documented and reviewed by the CAB after implementation
C. Yes — emergency changes don't need any approval
D. No — only the CIO can authorize emergency changes
Reveal Answer
Correct: B
Emergency changes may bypass the normal process but MUST be documented retroactively and reviewed by the CAB post-implementation. A is too strict — emergencies require flexibility. C is too lax — some oversight is always required. D is wrong — CAB (not CIO alone) provides the review.
Q3. What must exist BEFORE any production deployment?
A. A performance benchmark
B. A rollback plan
C. User training materials
D. A post-implementation review schedule
Reveal Answer
Correct: B
A rollback plan is mandatory before any production deployment — it ensures you can revert if something goes wrong. A, C, and D are good practices but not the critical safety net that a rollback plan provides.

47 changes, no approvals. Alex wonders: does Meridian ever look back at what went wrong? She checks for post-implementation reviews.

Part B Section 3.9

Post-Implementation Review

Scene 9 — The War Room Debrief

Post-Implementation Review (PIR)

👩‍💼
Alex's Story

The last system Meridian launched — a billing platform, 18 months ago — has no PIR. Alex asks why. "Once it went live, we moved on," says Dave. Alex pulls up the billing system's incident log. Fourteen critical bugs in the first three months. Three data integrity issues still unresolved. "These are the same types of problems you're about to repeat with the CRM," she says. No lessons captured, same mistakes repeated.

An after-action review in a cozy war room with officers reviewing maps, a lessons learned board, and actual vs planned outcome graphs
PIR Objectives
🎯

Were Objectives Met?

Compare actual outcomes against the original business case and project charter goals.

📊

Cost & Schedule Review

Compare actual costs and timelines against estimates. Identify variances and root causes.

📝

Lessons Learned

Document what went well and what didn't. Feed improvements into future projects.

User Satisfaction

Survey end users. Are they using the system? Does it solve their problems? Any workarounds?

PIR Timing

Typically conducted 3-6 months after go-live — enough time for the system to stabilise and for meaningful data to be collected. Conducting it too early misses long-term issues; too late and the lessons are forgotten.

Key Exam Tip

A PIR should compare actual results to the ORIGINAL business case, not to revised expectations. PIR should happen after a stabilisation period (typically 3-6 months) — too early and you can't see real operational performance. The IS auditor should verify that a PIR was conducted AND that lessons learned were documented and communicated for future projects.

📰 Real World

NASA conducts post-implementation reviews after every mission. The Columbia disaster (2003) investigation revealed that lessons from the Challenger disaster (1986) had not been institutionalised — a PIR without action is a PIR without value.

Test Yourself — Post-Implementation Review
Q1. When should a post-implementation review be conducted?
A. Immediately after go-live
B. 3-6 months after go-live, once the system has stabilised
C. Only if problems are reported
D. During the next annual audit
Reveal Answer
Correct: B
PIR should occur after a stabilisation period so real operational data is available. Too early (A) and you only see teething problems. C and D are reactive — PIR should be planned and mandatory for every project.
Q2. A PIR compares actual results against what baseline?
A. The revised project plan
B. Industry benchmarks
C. The original business case and project charter
D. The previous system's performance
Reveal Answer
Correct: C
The PIR must compare against the ORIGINAL business case — not revised expectations (A), which may have been adjusted to hide overruns. The original charter defines what was promised; the PIR determines what was delivered.
Q3. A PIR was conducted but the lessons learned were never distributed. What is the PRIMARY concern?
A. The PIR was a waste of time
B. Future projects will repeat the same mistakes
C. The auditor should redo the PIR
D. The project manager should be held accountable
Reveal Answer
Correct: B
The value of a PIR is in preventing future mistakes. If lessons aren't distributed and acted upon, the organisation gains no benefit. This is exactly what Alex found at Meridian — no PIR on the billing system, same mistakes recurring on the CRM.

No lessons learned. Alex turns to a different question: how did Meridian even select this CRM software in the first place?

Part C Section 3.10

Acquisition & Procurement

Scene 10 — The Marketplace

Procurement & Vendor Selection

👩‍💼
Alex's Story

The CRM software was selected by Dave after a single vendor demo. No RFP. No vendor comparison. No contract review by legal. Alex pulls up the licence agreement — and finds an auto-renewal clause nobody noticed. The contract renews automatically in 90 days at a 15% price increase. "Did legal review this?" she asks. Dave says, "We didn't think we needed to." Alex adds three more findings to her growing list.

A medieval marketplace bazaar with a herald reading an RFP scroll, vendor booths with evaluation scorecards, a notary signing contracts, and a locked treasure chest for software escrow
Procurement Process
1
Define Needs

Requirements & evaluation criteria

2
RFI / RFP

Request information or formal proposals

3
Evaluate

Score vendors using weighted criteria

4
Select

Choose vendor & negotiate contract

5
Contract

SLA, penalties, escrow, IP rights

RFI vs. RFP vs. RFQ

  • RFI — Request for Information: exploratory, learning about vendors
  • RFP — Request for Proposal: detailed requirements, formal bid
  • RFQ — Request for Quotation: price-focused, specs are known

Software Escrow

  • Source code held by neutral third party
  • Released if vendor goes bankrupt
  • Protects buyer's investment
  • Critical for custom / proprietary software

Key Contract Elements to Audit

  • SLAs & performance metrics
  • Penalty clauses
  • IP ownership & licensing
  • Right-to-audit clause
  • Data protection & privacy
  • Exit / termination terms
Key Exam Tip

Always verify that vendor evaluation uses predefined, weighted criteria — not just the lowest price or a single demo. A signed contract is necessary but NOT sufficient — SLAs must be monitored, performance reviewed, and penalties enforceable. The contract should include a right-to-audit clause giving the organisation access to the vendor's controls.

📰 Real World

The UK's NHS IT programme (2003-2011) selected vendors without competitive RFP processes in some cases. The £10 billion programme was eventually abandoned after massive cost overruns and failed deliveries.

Test Yourself — Procurement & Acquisition
Q1. A vendor was selected after a single product demo with no RFP. What is the auditor's PRIMARY concern?
A. The demo may not have been impressive enough
B. No competitive evaluation ensures the best value or fit
C. The vendor may go bankrupt
D. The contract price may be too high
Reveal Answer
Correct: B
Without an RFP and competitive evaluation, there's no assurance the organisation selected the best vendor for its needs. A single demo provides no basis for comparison on features, pricing, support, or long-term viability.
Q2. An IS auditor discovers that a critical ERP system is supported by a small vendor with only 15 employees and no escrow agreement exists. The vendor has been experiencing financial difficulties. What should the auditor recommend FIRST?
A. Immediately begin migrating to an alternative ERP vendor
B. Negotiate a software escrow agreement to protect source code access
C. Request a copy of the source code from the vendor
D. Accept the risk since the system is currently functioning
Reveal Answer
Correct: B
A software escrow agreement ensures source code is held by a neutral third party and released if the vendor fails — this directly mitigates vendor viability risk. Immediate migration (A) is costly and premature. Requesting source code directly (C) is unlikely to be granted and raises IP concerns. Accepting the risk (D) ignores a significant business continuity threat.
Q3. Which contract clause is MOST important for the IS auditor to verify exists?
A. Auto-renewal terms
B. Right-to-audit clause
C. Payment schedule
D. Marketing co-operation clause
Reveal Answer
Correct: B
The right-to-audit clause gives the organisation (and its auditor) the ability to examine the vendor's controls, security practices, and service delivery. Without it, the auditor cannot verify the vendor's operations — a critical gap in third-party risk management.

No RFP, no legal review, an auto-renewal trap. Alex decides to test the CRM herself — and what she finds is alarming.

Part C Section 3.11

Application Controls

Scene 11 — The Potion Laboratory

Input, Processing & Output Controls

👩‍💼
Alex's Story

Alex runs three test transactions through the CRM. One allows a negative invoice amount. One accepts a customer name field with SQL injection characters. The third creates a duplicate customer record with no warning. Input validation: failing on all three tests. "Has anyone tested the input controls?" she asks. The answer is written on every developer's face: no.

A magical potion laboratory with three stations: input controls filtering ingredients, processing controls monitoring the cauldron, and output controls inspecting finished potions
📥

Input Controls

Garbage in = garbage out

  • Field validation (type, range, format)
  • Check digits (e.g., Luhn algorithm)
  • Sequence checks
  • Duplicate detection
  • Authorization of data entry
⚙️

Processing Controls

Ensure accurate transformation

  • Run-to-run totals
  • Reasonableness checks
  • Limit checks
  • Reconciliation of control totals
  • Exception reporting
📤

Output Controls

Right data to right people

  • Report distribution lists
  • Output reconciliation
  • Retention & disposal rules
  • Spooling controls
  • Print queue security
The Golden Rule of Application Controls
Input → Processing → Output (IPO)

Edit Controls — The Input Gatekeepers

  • Validity check — Is the value in the allowed set?
  • Range check — Is the value within limits?
  • Reasonableness check — Does it make sense?
  • Check digit — Is the number valid?
  • Completeness check — Are all fields filled?
  • Duplicate check — Already entered?
Key Exam Tip

Input controls are the MOST important application controls — preventing bad data from entering is more effective than catching errors during processing. Know the edit control types: validity, range, reasonableness, check digit, completeness, and duplicate checks. If the exam asks "which control would BEST prevent [bad data scenario]?" — look for the matching input control type.

📰 Real World

The 2012 Knight Capital loss was partly enabled by missing application controls — the system had no hard limits on trade volume that would have stopped the runaway algorithm. Input controls exist to prevent exactly this kind of catastrophic error.

Test Yourself — Application Controls
Q1. A system accepts a negative invoice amount. Which control has failed?
A. Output reconciliation
B. Range/reasonableness check (input control)
C. Run-to-run total
D. Sequence check
Reveal Answer
Correct: B
A negative invoice amount should be caught by a range check (value must be ≥ 0) or a reasonableness check (negative invoices don't make business sense). These are input controls — the first line of defense. A is an output control. C is a processing control. D checks sequence order.
Q2. A customer name field accepts SQL injection characters (' OR 1=1 --). Which control type should prevent this?
A. Processing control
B. Output control
C. Input validation / field format check
D. Access control
Reveal Answer
Correct: C
Input validation should reject special characters in name fields that could be used for injection attacks. This is a field format check — a type of input control. While access controls (D) are important, the specific failure here is at the input validation layer.
Q3. Which type of application control is MOST effective at preventing data errors?
A. Output controls
B. Processing controls
C. Input controls
D. Detective controls
Reveal Answer
Correct: C
Input controls are PREVENTIVE — they stop bad data from entering the system in the first place. Processing controls (B) catch errors during transformation. Output controls (A) catch errors at the end. Prevention is always more effective than detection.

Failing input controls. But there's one more critical concern: Meridian is about to migrate 50,000 customer records into this broken system.

Part C Section 3.12

Data Conversion & Migration

Scene 12 — The Great Library Move

Data Migration & Integrity

👩‍💼
Alex's Story

50,000 customer records are being migrated from the old system. The migration script has been run twice in testing. Both times, 340 records failed silently — no error log, no alert. Nobody knew. Alex asks, "How do you know all the records migrated correctly?" Dave says, "We checked the total count." Alex pulls up the data. The count matches. But 340 records have corrupted phone numbers, 12 have truncated addresses, and 3 customer records point to the wrong account. "Counts match" doesn't mean "data is correct."

A moving truck transferring boxes from an old building to a new one, with a checker verifying every box for integrity
Migration Process
1
Plan

Define scope, mapping rules, timeline

2
Extract

Pull data from old system

3
Transform

Cleanse, map, convert formats

4
Load

Import into new system

5
Verify

Reconcile & validate integrity

Data Integrity Checks

  • Record counts — Same number of records before and after
  • Control totals — Sum of key fields matches
  • Hash totals — Meaningless sums that must match
  • Sampling — Spot-check individual records

Common Migration Risks

  • Data loss during extraction
  • Format incompatibilities
  • Truncation of field values
  • Referential integrity violations
  • Missing or corrupted records

Parallel Run Strategy

Running both old and new systems simultaneously for a period. Outputs are compared to verify the new system produces the same results. This is the safest but most expensive implementation approach.

Implementation Approaches

Parallel

Safest, most costly

Phased

Gradual rollout

Pilot

Test group first

Big Bang

All at once, highest risk

Key Exam Tip

Data integrity is the auditor's #1 concern during migration. Record counts alone are NOT sufficient — you must also verify control totals, hash totals, and spot-check individual records. Parallel running is the safest implementation approach; big bang is the riskiest. Data migration is complete when all records are transferred AND verified for completeness, accuracy, and integrity — silent failures are the most dangerous.

📰 Real World

During the TSB Bank migration (2018), 1.3 billion records were migrated from Lloyds Banking Group's platform to a new system. Due to data integrity failures during migration, 1.9 million customers were locked out of their accounts for weeks.

Test Yourself — Data Migration
Q1. After a data migration, the record count matches between source and target. Is the migration verified?
A. Yes — matching counts confirm successful migration
B. No — record counts alone do not verify data accuracy or integrity
C. Yes — if the counts match and no errors were logged
D. No — only a full record-by-record comparison is sufficient
Reveal Answer
Correct: B
Record counts only confirm quantity, not quality. Data could be truncated, corrupted, or mapped to the wrong fields while still maintaining the correct count. Control totals, hash totals, and sampling are also needed. D is too extreme — sampling is acceptable; full comparison is rarely practical.
Q2. Which implementation approach carries the LEAST risk?
A. Big bang
B. Pilot
C. Parallel
D. Phased
Reveal Answer
Correct: C
Parallel running is the safest — both systems run simultaneously, and outputs are compared. If the new system fails, the old system is still operational. It's also the most expensive. Big bang (A) is the riskiest. Pilot (B) and phased (D) are moderate.
Q3. A migration script fails silently — 340 records are corrupted but no error is generated. What control would have caught this?
A. Record count verification
B. Hash total or control total reconciliation
C. A faster migration script
D. Running the migration during off-hours
Reveal Answer
Correct: B
Hash totals and control totals would detect data corruption because the sums of key fields would not match between source and target. Record counts (A) wouldn't catch corruption if the records still exist but with wrong values. C and D are operational choices, not controls.
📋

Alex recommends: delay the go-live.

Six weeks. Twelve sections of her audit workpaper. Seventeen findings, four of them critical. No charter. No methodology. No feasibility study. Unsigned requirements. Undocumented design. Incomplete testing. Uncontrolled changes. No PIR history. No competitive procurement. Failing input controls. Silent data migration failures. Alex presents her findings to the steering committee. Dave is quiet. The CIO nods. "We'll delay the go-live until these are addressed." Alex didn't make the decision — but her evidence made the decision inevitable.

✓ Project Governance ✓ SDLC Phases ✓ Methodologies ✓ Business Case ✓ Requirements ✓ System Design ✓ Testing ✓ Change Management ✓ PIR ✓ Procurement ✓ Application Controls ✓ Data Migration
Continue to Domain 4 →

Top 10 Exam Traps — Domain 3

1
❌ "Agile development doesn't need documentation"
✓ Agile prioritises working software OVER comprehensive documentation — not instead of it. Critical controls documentation is still required.
2
❌ "The project manager is responsible for the business case"
✓ The project sponsor (business owner) is accountable for the business case — the PM manages delivery.
3
❌ "UAT is the auditor's responsibility to plan"
✓ UAT is MANAGEMENT's responsibility — the auditor verifies that it was done adequately, not plans or executes it.
4
❌ "A system that passes unit testing is ready for go-live"
✓ Unit testing only validates individual components. Integration, system, and UAT testing are all required before go-live.
5
❌ "Change management is about managing resistance to change"
✓ In IS audit, change management means the formal process for requesting, approving, testing, and implementing system changes — not change psychology.
6
❌ "Outsourcing development transfers project risk"
✓ Outsourcing transfers execution — management retains accountability for project success and deliverable quality.
7
❌ "A signed contract means the vendor relationship is controlled"
✓ Contract existence is necessary but not sufficient — SLAs must be monitored, performance reviewed, and penalties enforceable.
8
❌ "The best feasibility analysis is economic (ROI)"
✓ All four feasibility types matter: Economic, Technical, Operational, AND Legal. A project can be economically attractive but technically impossible.
9
❌ "Post-implementation review should happen right after go-live"
✓ PIR should happen after a stabilisation period (typically 3-6 months) — too early and you can't see real operational performance.
10
❌ "Data migration is complete when all records are transferred"
✓ Data migration is complete when all records are transferred AND verified for completeness, accuracy, and integrity — silent failures are the most dangerous.