CISA Exam

CISA IS Acquisition, Development & Implementation Cheat Sheet (2026): Key Formulas, Rules, and Mnemonics

cisa cisa3 cheat sheet

The CISA exam has a <50% pass rate.

VoraPrep's AI finds your weak spots before the exam does — adaptive practice that actually moves your score.

Try Free →

You're diving into CISA Domain 3, and if you're like most candidates, you're quickly realizing it's not just about memorizing SDLC phases. The real challenge, and where most people stumble, is understanding the auditor's perspective on project management, system development, and infrastructure changes. It's about risk, control, and assurance, not just technical implementation.

This cheat sheet distills the critical knowledge for CISA Domain 3: IS Acquisition, Development & Implementation (2026). It covers the essential formulas, rules, and frameworks you need to not only recall but also apply to scenario-based questions, ensuring you think like an examiner and identify the most appropriate control or audit action.

IS Acquisition, Development & Implementation at a Glance

Domain 3 is all about ensuring that new or modified information systems (IS) and related infrastructure are acquired, developed, tested, and implemented in a controlled, secure, and efficient manner. As a CISA, you're not building the systems; you're providing assurance that the organization is following proper processes, managing risks, and implementing adequate controls throughout the entire lifecycle. This includes everything from initial business case analysis to post-implementation review.

The highest-weight areas typically revolve around project management controls, software development lifecycle (SDLC) methodologies (and their associated risks), change management processes, and testing strategies. You need to understand the purpose of each stage and the controls an auditor would expect to see. Don't just memorize definitions; understand why a control is important at a given stage and what audit evidence you'd look for. This domain makes up approximately 19% of your CISA exam, so a solid grasp is crucial.

If you're looking for an adaptive learning engine that targets your weak areas in Domain 3 and across all CISA domains, try VoraPrep's free CISA practice questions.

Must-Know Formulas, Rules, and Frameworks for Audit Judgment

To ace Domain 3, you need a playbook for evaluating project health, system changes, and vendor performance. Here are the core concepts, presented with an auditor's eye.

Project Management Metrics (Earned Value Management - EVM)

As an auditor, you'll assess project health. EVM helps measure project performance against scope, schedule, and budget. You won't need to do complex calculations, but understanding the meaning of the ratios is critical for audit findings.

  • Planned Value (PV): The authorized budget assigned to scheduled work. (What we planned to spend by now).
  • Earned Value (EV): The value of the work actually performed. (What we actually accomplished in terms of value).
  • Actual Cost (AC): The total cost incurred for the work performed. (What we actually spent).
Key Performance Indicators (KPIs):
  • Cost Performance Index (CPI) = EV / AC
  • Rule: If CPI < 1, the project is over budget. (Bad)
  • Rule: If CPI = 1, the project is on budget.
  • Rule: If CPI > 1, the project is under budget. (Good)
  • Schedule Performance Index (SPI) = EV / PV
  • Rule: If SPI < 1, the project is behind schedule. (Bad)
  • Rule: If SPI = 1, the project is on schedule.
  • Rule: If SPI > 1, the project is ahead of schedule. (Good)
Worked Example: Evaluating a Troubled Project

Let's say IS Auditor Alex is reviewing a critical system migration project.

  • Planned Value (PV): $250,000 (By this point, $250k worth of work should have been completed).
  • Actual Cost (AC): $200,000 (The project has actually spent $200k so far).
  • Earned Value (EV): $180,000 (Only $180k worth of work has actually been completed).
Auditor Alex's Analysis:
  • Calculate CPI: CPI = EV / AC = $180,000 / $200,000 = 0.90
  • Conclusion: Since CPI (0.90) is less than 1, the project is over budget. For every dollar spent, only 90 cents of value has been earned.
  • Calculate SPI: SPI = EV / PV = $180,000 / $250,000 = 0.72
  • Conclusion: Since SPI (0.72) is less than 1, the project is behind schedule. Only 72% of the planned work has been completed by this point.
Auditor Action: Alex would report these findings, highlight the significant cost and schedule variances, and recommend an in-depth review of project management practices, scope creep, and resource allocation. This is a classic audit finding scenario.

Software Development Lifecycle (SDLC) Methodologies & Audit Focus

You must understand the key characteristics, strengths, weaknesses, and auditor's concerns for common methodologies. Your audit approach will adapt to the chosen methodology.

MethodologyKey CharacteristicsAuditor's Focus / Concerns
WaterfallLinear, sequential phases; well-documented; rigid.Controls around phase gates, thorough documentation, strict sign-offs. Risk of requirements being outdated by deployment.
Agile (Scrum)Iterative, incremental, flexible; customer collaboration.Controls around frequent testing, continuous integration, user story validation, stakeholder engagement, rapid change control.
DevOpsIntegrates development & operations; automation, CI/CD.Controls over automated deployment pipelines, security by design (SecDevOps), continuous monitoring, robust rollback plans.
PrototypingEarly working model; user feedback drives refinement.Controls over scope creep, proper documentation of final requirements, ensuring prototypes don't become production systems.
RAD (Rapid Application Development)Time-boxed, iterative, heavy user involvement.Similar to prototyping/agile: focus on user sign-off, documentation, control over rapid changes.
Auditor's Rule: Regardless of methodology, the core audit objectives remain: Are risks identified and mitigated? Are controls adequate and effective? Is the system meeting business needs securely and efficiently?

Change Management Process: An Auditor's Decision Tree

This is a critical control domain. Any change to an IS must follow a formal process. As an auditor, you'll be evaluating the effectiveness of this process.

Decision Tree: The Formal Change Management Process
  • Is a change needed? (Identify problem/opportunity)
  • Auditor's Expectation: A formal Change Request (CR) is submitted, documenting the need and initial scope.
  • What's the impact? (Risk, resources, systems affected)
  • Auditor's Expectation: A thorough Impact Analysis (technical, business, security) is performed and documented.
  • Should we proceed? (Cost/benefit, risk acceptance)
  • Auditor's Expectation: Formal Approval/Rejection by a Change Advisory Board (CAB) or authorized personnel, based on the impact analysis.
  • How do we do it securely? (Development/testing environment)
  • Auditor's Expectation: Development/Testing of the change occurs in an isolated, non-production environment.
  • Is it ready for production? (Functionality, security, performance)
  • Auditor's Expectation: Comprehensive testing, including User Acceptance Testing (UAT) and other relevant testing, is completed and signed off.
  • Move to live environment? (Timing, coordination, rollback)
  • Auditor's Expectation: The Implementation of the change in production follows documented procedures, with a clear rollback plan.
  • Did it work as expected? (Post-implementation verification)
  • Auditor's Expectation: A Post-Implementation Review (PIR) is conducted to confirm the change achieved its objectives without adverse effects.
  • Keep records?
  • Auditor's Expectation: All steps, approvals, and test results are documented to create a complete audit trail.
Auditor's Trap: A common wrong answer involves approving changes directly in the production environment or bypassing testing. Always look for separation of duties and thorough testing in non-production environments. Even emergency changes require retrospective review and documentation.

System and Application Testing Types

Knowing when and why each test is performed is key to evaluating an organization's control over system quality and security.

Testing TypePurposeAuditor's Role
Unit TestingVerifies individual software components (modules, functions) work correctly in isolation.Assure developers are using proper unit testing tools and documenting results.
Integration TestingVerifies interactions between integrated modules/components work correctly.Assure interfaces and data flow between systems are tested, especially for critical integrations.
System TestingVerifies the complete integrated system meets specified requirements. Tests end-to-end functionality, performance, security.Assure comprehensive test plans exist, cover all requirements (functional/non-functional), and results are documented/reviewed.
User Acceptance Testing (UAT)Verifies the system meets the end-users' business requirements and is acceptable for deployment.Assure business owners are involved, test cases reflect real-world scenarios, and formal sign-off occurs.
Performance TestingMeasures system responsiveness, stability, scalability under various workloads (e.g., stress, load, volume).Assure non-functional requirements (response time, throughput) are met and documented.
Regression TestingEnsures new changes or bug fixes haven't negatively impacted existing functionality.Assure that a library of existing test cases is maintained and executed after every significant change.
Security TestingIdentifies vulnerabilities (e.g., penetration testing, vulnerability scanning).Assure security requirements are tested and findings are addressed before deployment.

Common Traps and Test-Day Reminders

The CISA exam isn't just about knowing facts; it's about applying them in complex scenarios.

  • The "Developer's Hat" vs. "Auditor's Hat": The biggest trap. You are not a developer, project manager, or sysadmin. Your primary role is to provide independent assurance that controls are in place and working effectively, and that risks are being managed.
  • Tempting Wrong Answer: "The auditor should re-code the problematic module." (Auditor doesn't code!)
  • Right Approach: "The auditor should review the change management process, testing documentation, and developer credentials."
  • Focus on Controls, Not Just Features: Many questions describe a system's functionality. Your job is to identify the control implications or risks associated with those features, not to validate the features themselves.
  • Example: A new system automatically generates reports.
  • Auditor's Focus: Are the reports accurate? Is access to the reporting module restricted? Is the data integrity maintained? Are the calculations validated?
  • Ignoring the "Best" or "First" Step: CISA questions often have multiple plausible answers. Always select the one that is most foundational, addresses the root cause, or provides the most comprehensive assurance from an auditor's perspective. Often, the first step is to gather more information or review documentation.
  • Misinterpreting EVM Metrics: Remember: CPI and SPI < 1 are bad. CPI > 1 and SPI > 1 are good. Don't mix them up under pressure.
  • Bypassing Formal Processes: Any answer that suggests skipping formal approval, documentation, or testing processes (especially for critical systems) is almost always wrong. This applies to emergency changes as well – they still need some level of retrospective approval and documentation.
  • Vendor Management: When dealing with third-party acquisitions, focus on contractual agreements (SLAs), escrow arrangements for source code, right-to-audit clauses, and due diligence before selection.
  • Tempting Wrong Answer: "The auditor should perform daily oversight of the vendor's development team." (Too operational, loss of independence).
  • Right Approach: "The auditor should review the contract terms, ongoing SLA performance reports, and the organization's vendor risk management framework."

For a deeper dive into common pitfalls and how to avoid them, check out our Complete CISA IS Acquisition, Development & Implementation Study Guide 2026.

Mnemonics and Memory Aids

These can be lifesavers for quickly recalling sequences or lists under exam pressure.

  • Project Constraints (The "Iron Triangle" expanded): STC QRR
  • Scope
  • Time
  • Cost
  • Quality
  • Resources
  • Risk
  • Think: You need "STC QRR" to manage any project successfully. As an auditor, you're looking for controls around how these are managed.
  • SDLC Phases (Audit-centric simplified): PIR DIT-PM
  • Planning (Feasibility, requirements)
  • Initiation (Business case, project charter)
  • Requirements (Gathering, analysis)
  • Design (System architecture, modules)
  • Implementation (Coding, building)
  • Testing (Unit, Integration, System, UAT)
  • Post-Implementation Review (PIR)
  • Maintenance (Ongoing support, enhancements)
  • This focuses on the phases an auditor would critically examine.
  • Key Audit Deliverables in System Acquisition: RFS
  • Requirements (Functional/Non-functional)
  • Feasibility (Technical, economic, operational)
  • Sign-off (Formal approval at critical stages)
  • Remember: No acquisition without clear RFS.
How to Build Your Own Memory Hooks:
  • Link new to old: Associate a new concept with something you already know.
  • Visual aids: Draw flowcharts or mind maps of processes.
  • Acronyms/Acrostics: Create phrases where the first letter of each word stands for a key term (like STC QRR).
  • Practice: The more you use your mnemonics, the stronger they become. Don't just create them; actively test yourself.

What's worth memorizing? The names of frameworks (e.g., COBIT, ITIL where they touch project/acquisition), the sequence of critical processes (like change management), and the purpose of different testing types. Don't try to memorize every single detail of every methodology, but know their core philosophy and associated risks.

How to Use This Cheat Sheet in Your Study Routine

This isn't a replacement for comprehensive study; it's a force multiplier for your efforts.

  • Before You Start Domain 3: Read through this cheat sheet once. It will give you a mental framework and highlight the critical areas to pay attention to as you go through your study materials. This front-loads your brain with the "auditor mindset."
  • Weekly Review: Dedicate 15-20 minutes each week to review this cheat sheet. Active recall is key: try to explain each concept without looking, then check your answers. This spaced repetition reinforces learning.
  • Pair with MCQs: After you've studied a section, tackle practice questions. If you get a question wrong, or even if you get it right but felt unsure, come back to this cheat sheet. Identify which rule, formula, or concept you missed. This is how you close knowledge gaps. VoraPrep offers Free CISA Information Systems Acquisition and Development Practice Questions (2026) with AI-written explanations that can help you understand why an answer is correct.
  • Turn it into Flashcards: Take each key rule, formula, or mnemonic from this sheet and create physical or digital flashcards.
  • Front: "CPI < 1 means?" / "Purpose of UAT?" / "STC QRR stands for?"
  • Back: The answer.
  • Test yourself daily. This active recall is far more effective than just passively re-reading notes.
  • Pre-Exam Cram: In the final days before your exam, this cheat sheet should be one of your primary review tools. It consolidates high-yield information, allowing you to quickly refresh critical concepts and decision-making frameworks.

More CISA IS Acquisition, Development & Implementation Help

To truly master Domain 3, you need depth beyond a cheat sheet.

Frequently asked questions

What percentage of the CISA exam is Domain 3?

Domain 3, IS Acquisition, Development & Implementation, accounts for approximately 19% of the CISA exam. A strong understanding of its concepts, especially from an auditor's perspective, is crucial for passing.

What is the most important concept in CISA Domain 3?

While many concepts are vital, understanding the auditor's role in the change management process is arguably the most critical. This includes evaluating the formal steps for changes, testing, approvals, and documentation to ensure system integrity and security.

How do auditors evaluate project performance in Domain 3?

Auditors evaluate project performance primarily by reviewing project management controls and metrics. Earned Value Management (EVM) indicators like Cost Performance Index (CPI) and Schedule Performance Index (SPI) are key tools to assess if a project is on budget and on schedule.

What's the difference between System Testing and User Acceptance Testing (UAT)?

System Testing verifies that the complete integrated system meets specified technical and functional requirements. User Acceptance Testing (UAT), on the other hand, confirms that the system meets the end-users' business requirements and is acceptable for deployment, often involving actual business users.

---

Ready to Pass Your CISA Exam? VoraPrep offers 2,500+ practice questions with AI-written explanations, an adaptive learning engine that targets your weak areas, and an AI tutor (Vory) available 24/7 to guide you. Stop guessing and start learning how to think like the examiner.

Visit voraprep.com to get started and experience the difference.

Start Your Free 7-Day Trial at voraprep.com →

Related VoraPrep resources

Official resources and references

Studying for the CISA?

Stop guessing which topics to review. VoraPrep's adaptive engine diagnoses exactly where you're losing points and rebuilds those areas. 10 minutes a day, measurable score improvement.

Start your free trial → voraprep.com

Don't let this be why you retake the CISA.

Most candidates fail because they study the wrong things, not because they don't study enough. VoraPrep's AI identifies your actual weak spots and targets them — so you walk in knowing exactly where you're strong.

Start Free — No Credit Card →

Keep reading