4.4 Common Traps in Information Systems Acquisition, Development, and Implementation
Key Takeaways
- Confusing system testing with UAT is a classic trap — system testing proves technical correctness; only business-owned UAT confirms requirements are met.
- Input controls are preventive and the most cost-effective; do not pick a detective output control when a preventive input control would stop the error earlier.
- Change management (controlled, formal change to production) is distinct from configuration management (the inventory/baseline of items); CISA tests both separately.
- The auditor advises but never owns controls — selecting an answer where the auditor designs, approves, or operates a control is almost always wrong.
Trap 1: System Testing Is Not Acceptance
The exam repeatedly offers system testing as a tempting wrong answer when the question is really about acceptance. System testing (run by QA) proves the integrated system functions, performs, and is secure. User acceptance testing (UAT), owned and signed off by the business, proves the system meets stated business requirements and is the basis for go-live. If a question stresses business sign-off, requirements met, or ready to deploy, the answer is UAT — not system testing, not a developer's confidence.
Trap 2: Detective When Preventive Would Do
Application-control questions reward the earliest, preventive control. Validating data at input (range, limit, check digit, reasonableness, mandatory field) stops errors before they enter processing — cheaper than detecting them in output reconciliation afterward.
| Validation control | What it catches |
|---|---|
| Check digit | Transposition/transcription errors in an ID or account number |
| Range / limit check | Values outside an allowed band (e.g., pay > $4,000) |
| Reasonableness check | Values implausible vs. norms (e.g., order > usual max) |
| Completeness / mandatory | Missing required fields |
| Validity check | Value not in an allowed set (e.g., product code 100–250) |
When options mix input and output controls, the preventive input control is usually the best answer for preventing bad data. A check digit specifically detects transposition (1234 → 1243) and transcription (1234 → 1235) errors in identifiers by appending a mathematically derived digit. A reasonableness check flags values that are individually valid but contextually implausible. The trap is to choose a detective output reconciliation when the question asks how to prevent the error — reconciliation finds the problem only after processing, by which point downstream data may already be corrupted.
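The controls in the table implemented as one preventive input layer, as an added example (not code from the page or any vendor). The Luhn mod-10 algorithm for the check digit, the 0 to 4,000 pay band, the 100 to 250 product-code set and the field names are assumptions for illustration:

```python
# Added example (not from the page or any vendor): one preventive input-control
# layer for a payroll/order record. Assumptions: the check digit uses the Luhn
# mod-10 algorithm; the pay band is 0..4000; product codes 100..250 are valid.

def luhn_check_digit(payload: str) -> str:
    """Return the Luhn check digit to append to a string of decimal digits."""
    total = 0
    # Double every second digit counting from the right of the payload; the
    # check digit itself will occupy the rightmost position of the final ID.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(identifier: str) -> bool:
    """True when the last digit of identifier is its correct Luhn check digit."""
    if not identifier.isdigit() or len(identifier) < 2:
        return False
    return luhn_check_digit(identifier[:-1]) == identifier[-1]

def validate_input(record: dict) -> list:
    """Apply the input controls; return the list of failed controls ([] = accept)."""
    errors = []
    # Completeness / mandatory-field check runs first.
    for field in ("employee_id", "pay", "product_code"):
        if record.get(field) in (None, ""):
            errors.append(f"mandatory:{field}")
    if errors:
        return errors  # reject before the other checks touch missing fields
    # Check digit: catches transposition (1234 -> 1243) and transcription
    # (1234 -> 1235) errors in the identifier.
    if not luhn_valid(str(record["employee_id"])):
        errors.append("check_digit:employee_id")
    # Range / limit check: pay must stay inside the allowed band.
    if not 0 <= record["pay"] <= 4000:
        errors.append("range:pay")
    # Validity check: product code must be in the allowed set.
    if record["product_code"] not in range(100, 251):
        errors.append("validity:product_code")
    # Reasonableness check: quantity is a valid number but implausible
    # against the customer's usual maximum (constructed default of 50).
    if record.get("qty", 0) > record.get("usual_max_qty", 50):
        errors.append("reasonableness:qty")
    return errors
```

Because every failure is reported at input, the record never reaches processing, which is the point of preferring these controls over an output reconciliation.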
Trap 3: Change vs. Configuration Management
These sound alike and CISA deliberately tests the difference.
- Change management is the formal, controlled process for requesting, approving, testing, and migrating changes into production — including emergency change procedures with after-the-fact approval and review. Its risk is unauthorized or untested changes reaching production.
- Configuration management maintains the baseline and inventory of system components (versions, builds, settings) so the organization always knows the authorized state. Its risk is an unknown or drifted configuration.
If a question is about who approved a change and whether it was tested, that is change management. If it is about knowing the authorized version/baseline of components, that is configuration management. The two work together: change management governs how a component moves between states, while configuration management records what the authorized state is at any moment, so an undocumented change becomes detectable by comparing the live environment against the baseline.
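How the two processes fit together, as an added example rather than any real tool's code: the baseline (configuration management) and the change log (change management) are constructed sample data, and live drift counts as authorized only when a tested and approved change record explains the new state.

```python
# Added example (not from the page or any real CM tool): reconcile a live
# component inventory against the configuration-management baseline and the
# change-management log. All records below are constructed sample data.

# Configuration management: the authorized state of each component.
BASELINE = {
    "payroll-app": {"version": "2.3.1", "debug": False},
    "payroll-db": {"version": "14.2", "debug": False},
    "report-svc": {"version": "1.0.0", "debug": False},
}

# Change management: records of changes moving a component to a new state.
# An emergency change is deployed first but still needs after-the-fact approval.
CHANGE_LOG = [
    {"ticket": "CHG-101", "component": "payroll-app",
     "new_state": {"version": "2.3.2", "debug": False},
     "tested": True, "approved": True, "emergency": False},
    {"ticket": "CHG-102", "component": "report-svc",
     "new_state": {"version": "1.1.0", "debug": False},
     "tested": True, "approved": False, "emergency": True},  # review outstanding
]

def find_unauthorized_changes(baseline, live, change_log):
    """Return sorted (component, reason) findings: every live component whose
    state differs from the baseline without a tested AND approved change."""
    authorized = {(c["component"], tuple(sorted(c["new_state"].items())))
                  for c in change_log if c["tested"] and c["approved"]}
    findings = []
    for name, expected in baseline.items():
        actual = live.get(name)
        if actual is None:
            findings.append((name, "missing"))
        elif actual != expected and \
                (name, tuple(sorted(actual.items()))) not in authorized:
            findings.append((name, "drift_unapproved"))
    for name in live.keys() - baseline.keys():
        findings.append((name, "unknown_component"))
    return sorted(findings)

def next_baseline(baseline, live, change_log):
    """Drift explained by an approved change becomes the new authorized state;
    unapproved drift keeps the old baseline entry until it is remediated."""
    flagged = {name for name, _ in find_unauthorized_changes(baseline, live, change_log)}
    updated = dict(baseline)
    for name in baseline:
        if name in live and name not in flagged:
            updated[name] = live[name]
    return updated
```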
Trap 4: Library and Migration Controls
Programmers should not have access to production source or production data, and segregation of duties must separate development, testing, and the migration to production. A common wrong answer lets developers move their own code to production. The correct control routes promotion through an independent function (release/change management) so no single person can both write and deploy code unchecked.
CISA also expects you to know that emergency changes are legitimate but must still be controlled: they may be deployed quickly under an emergency ID, but they require after-the-fact review and formal approval, and the temporary elevated access must be revoked and logged. An emergency change with no subsequent documentation or review is a finding, even if the fix itself was correct, because the control over the process — not the technical outcome — is what the auditor assesses.
Trap 5: The Auditor's Boundary
Across Domain 3, watch for answers that quietly put the auditor in an ownership seat — designing controls, approving changes, performing UAT, or signing off go-live. These are wrong because they destroy the independence the auditor needs to later assess that work. The auditor's correct verbs are review, evaluate, assess, advise, recommend, and report — never design, approve, operate, or own.
A related trap is timing: getting involved only after go-live is suboptimal because controls are far cheaper to fix during requirements and design. The best-practice answer is early, advisory, independent involvement — present from requirements onward, advising on risk and control, but never taking ownership. Recognizing this single boundary resolves a large share of Domain 3 judgment questions, because the distractors are usually competent-sounding actions that an auditor specifically must not perform.
Trap 6: Acquisition and Conversion Distractors
In acquisition questions, a frequent wrong answer is selecting a vendor on price or relationship rather than on predefined, weighted evaluation criteria; another is signing without a right-to-audit clause, escrow, or exit/transition terms, leaving the organization exposed if the vendor fails or underperforms. The exam wants structured, documented, criteria-based selection.
In data-conversion questions, the tempting-but-wrong answers usually substitute activity for assurance: "the conversion program ran successfully" or "the team was experienced" does not prove integrity. Only reconciliation of source to target — matching record counts and control totals, resolving exceptions, and retaining the legacy data as a fallback — demonstrates that no records were lost or altered. A final recurring trap concerns benefits: assuming benefits are realized at go-live rather than confirming them later, in the post-implementation review (PIR).
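An added reconciliation example (not from the page): record counts and control totals alongside a hash total, which shows that a conversion can pass the counts and totals yet still contain altered records. The record layout and sample data are constructed.

```python
# Added example (not from the page): source-to-target reconciliation for a data
# conversion. Field names ("id", "amount", "name") and records are constructed.
from decimal import Decimal
import hashlib

def control_totals(records):
    """Record count, control total of 'amount', and a hash total over all fields."""
    count = len(records)
    amount_total = sum(Decimal(r["amount"]) for r in records)
    digest = hashlib.sha256()
    # Hash in a canonical order so the total does not depend on load sequence.
    for r in sorted(records, key=lambda r: r["id"]):
        digest.update(f"{r['id']}|{r['amount']}|{r['name']}".encode())
    return count, amount_total, digest.hexdigest()

def reconcile(source, target):
    """Compare the totals and list record-level exceptions to be resolved."""
    src = {r["id"]: r for r in source}
    tgt = {r["id"]: r for r in target}
    exceptions = []
    for rid in src.keys() - tgt.keys():
        exceptions.append(("missing", rid))      # lost in conversion
    for rid in tgt.keys() - src.keys():
        exceptions.append(("extra", rid))        # created in conversion
    for rid in src.keys() & tgt.keys():
        if src[rid] != tgt[rid]:
            exceptions.append(("altered", rid))  # same key, different content
    s, t = control_totals(source), control_totals(target)
    return {"counts_match": s[0] == t[0], "amounts_match": s[1] == t[1],
            "hash_match": s[2] == t[2], "exceptions": sorted(exceptions)}
```

Counts and amount totals alone would pass the swapped-amount case in the test below; only the hash total and the record-level comparison expose it.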
CISA consistently rewards the answer that measures and verifies over the answer that assumes, and that keeps evidence at the center of every judgment.
Practice Questions
Which control is the MOST cost-effective for preventing an out-of-range salary value from entering the payroll system?
An IS auditor finds that application developers can migrate their own code changes directly into the production environment. This is primarily a weakness in which area?
A question asks which process ensures the organization always knows the authorized version and settings of each deployed component. Which process is this?