Systems Development Life Cycle (SDLC) Phases
Help Questions
Which of the following correctly lists the phases of the traditional Systems Development Life Cycle (SDLC) in the proper sequence?
Implementation, Analysis, Design, Planning, Testing, Maintenance
Analysis, Planning, Testing, Design, Implementation, Maintenance
Design, Planning, Analysis, Testing, Implementation, Maintenance
Planning, Analysis, Design, Development, Testing, Implementation, Maintenance
Explanation
The traditional SDLC phases in sequence are: Planning, Analysis (requirements), Design, Development (coding), Testing, Implementation (deployment), and Maintenance. Answer C is correct. Answers A, B, and D sequence the phases incorrectly.
During the 'Analysis' phase of the SDLC, the primary deliverable is:
A completed and tested application ready for deployment.
A high-level project plan identifying timelines, resources, and costs.
A detailed requirements specification documenting what the system must do to meet business and user needs.
The system architecture and technical design specifications.
Explanation
The Analysis phase produces the requirements specification - a comprehensive document defining what the system must do, who will use it, and what business problems it solves. Answer A is correct. A completed application (B) is the Development phase deliverable. Project plans (C) are produced in Planning. System architecture (D) is the Design phase deliverable.
An auditor is evaluating controls over a system development project. Which of the following represents a key control during the 'Planning' phase?
Technical architecture documentation reviewed by the IT security team.
Post-implementation review confirming the system met its business objectives.
Completed user acceptance testing sign-offs from all business stakeholders.
A formal feasibility study and project charter approved by appropriate management, establishing scope, objectives, and authorization for the project.
Explanation
Planning phase controls establish project authorization and feasibility - ensuring management approves the project, understands its scope, and commits resources before development begins. Answer A is correct. UAT sign-offs (B) and PIR (D) occur after implementation. Security architecture review (C) occurs in Design.
In agile SDLC methodology, work is organized into short iterations called 'sprints.' From a controls perspective, which of the following is most important to ensure in an agile environment?
Testing, code review, and security validation are embedded within each sprint rather than deferred to a final phase, maintaining control quality despite rapid delivery cycles.
External auditors must review and approve each sprint before work begins.
Each sprint must produce a complete, deployable system with all features.
All requirements must be fully defined before any development begins.
Explanation
In agile, controls must be continuous rather than phase-based - quality gates (testing, review, security) embedded in each sprint prevent defects and unauthorized code from accumulating across many rapid releases. Answer D is correct. Upfront complete requirements (A) describes waterfall. Full system per sprint (B) is not the agile model. External auditor sprint approval (C) is impractical.
User acceptance testing (UAT) is performed in which SDLC phase, and by whom?
Planning phase, performed by project managers to assess feasibility.
Design phase, performed by IT architects to confirm technical specifications.
Testing phase, performed by business users and end users to confirm the system meets business requirements before go-live.
Maintenance phase, performed by IT operations to validate system stability.
Explanation
UAT is the final testing phase conducted by business users to confirm from their perspective that the system does what they need before it is deployed to production. Answer A is correct. Design (B), Planning (C), and Maintenance (D) are different phases with different activities.
Which of the following represents a segregation of duties control in the SDLC?
Conducting security testing before system deployment.
Ensuring that the individuals who develop code are different from those who test, approve, and deploy it to production.
Requiring developers to use a version control system for all code changes.
Documenting all system changes in the change management system.
Explanation
Segregation of duties in the SDLC separates development from testing, approval, and deployment - preventing any single individual from introducing and deploying unauthorized code without oversight. Answer C is correct. Version control (A), security testing (B), and change documentation (D) are important controls but not the segregation of duties principle.
Which of the following testing types is performed by developers to verify that individual code modules function correctly before integration?
Regression testing
User acceptance testing (UAT)
Integration testing
Unit testing
Explanation
Unit testing is performed by developers on individual code components in isolation - verifying that each module functions as designed before being combined with other modules. Answer B is correct. UAT (A) is performed by business users at system level. Regression testing (C) tests for unintended side effects of changes. Integration testing (D) tests how modules work together.
The 'Implementation' phase of the SDLC is also referred to as deployment. Which of the following controls is most important during this phase?
Developer code reviews confirming all modules compile without errors.
A formal go/no-go decision gate with documented management authorization confirming that all testing is complete, data migration is validated, and the organization is ready for production.
Completion of user interface wireframes approved by the UX team.
Business case approval confirming the project is financially justified.
Explanation
A go/no-go decision gate ensures that production deployment only occurs after confirmed readiness across all dimensions - testing, migration, training, and management authorization. Answer A is correct. UI wireframes (B) are Design artifacts. Code compilation checks (C) occur in Development. Business case approval (D) is a Planning activity.
Regression testing is performed when:
A system is first developed and deployed to the production environment.
New users are added to the system and need to test their access.
Changes or enhancements are made to an existing system to ensure previously working functions still operate correctly after the changes.
Business users perform UAT before system go-live.
Explanation
Regression testing verifies that new changes didn't break existing functionality - running previously validated test cases to confirm the system behaves as expected after modifications. Answer C is correct. User access testing (A) and UAT (D) have different purposes. Initial deployment (B) uses different test types.
In the context of the SDLC, what is the primary purpose of a 'feasibility study'?
To evaluate whether the proposed project is technically achievable, financially justified, and operationally viable before committing significant resources.
To train end users on the functionality of the new system.
To design the technical architecture and infrastructure for the new system.
To document the detailed functional requirements for the proposed system.
Explanation
A feasibility study answers the fundamental question of whether a project should proceed - assessing technical feasibility, cost-benefit analysis, legal constraints, and operational fit. Answer D is correct. Requirements documentation (A) is Analysis. Architecture design (B) is Design. User training (C) is Implementation.