Certified Information Systems Auditor (CISA) — Question 1307

Which of the following is the BEST indication to an IS auditor that management's post-implementation review was effective?

Answer options

• A. Internal audit follow-up was completed without any findings.
• B. Lessons learned were documented and applied.
• C. Post-implementation review is a formal phase in the system development life cycle (SDLC).
• D. Business and IT stakeholders participated in the post-implementation review.

Correct answer: B

Explanation

Option B is correct because documenting and applying lessons learned demonstrates that management has effectively assessed the project's outcomes and is committed to continuous improvement. The other options, while indicative of certain positive aspects, do not directly reflect the effectiveness of the review process itself.