
System Development Methodologies (Part 2 of 2)

This episode continues the ISACA Certified Information Systems Auditor (CISA) exam prep series by examining the modern development methods, productivity tools, and acquisition practices that sit alongside the traditional life cycle. Most systems today are assembled from components and vendor packages rather than hand-coded, making knowledge of these approaches essential for auditors assessing what controls to expect and test.


Frequently Asked Questions

What are the main risks of prototyping as a development approach?

Prototyping carries pressure to ship an unfinished prototype as the final product, and extra features tend to creep in beyond the original requirements. Controls such as backup, security, and audit trails are frequently overlooked, and change control becomes messy and undocumented. These risks make auditor oversight especially important when prototyping is used.

How does agile development differ from the traditional waterfall approach?

Agile assumes that requirements cannot be fully defined up front, so it works in small time-boxed iterations called sprints and replans after each one. It favors people’s knowledge over heavy documentation and keeps teams small, mixed in skill, and working closely together. The project manager acts as a facilitator rather than a controller, and Scrum is the best-known agile method.

What is the key audit concern when business process reengineering removes a control?

Business process reengineering often automates away manual steps, and in doing so it can reengineer key preventive controls out of the process entirely. The auditor’s job is to identify those controls and flag the impact to management. If a key preventive control is being removed, management must accept that risk knowingly and on the record.

What should an auditor verify before a software acquisition deal is signed?

The auditor should confirm that adequate security controls are in place before any deal is signed, because without them data integrity is difficult to assure. The request for proposal should cover the right items, and the chosen vendor’s documentation should match that request. Legal counsel must review the contract before signing, including provisions for source code escrow if needed.

📚 Master the ISACA CISA Exam!

Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISACA CISA certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.


Reference: This article is based on concepts discussed in System Development Methodologies (Part 2 of 2).