CISA Question #432: Real Exam Question with Answer & Explanation

Question

An IS auditor is reviewing an IT project and finds that an earned value analysis (EVA) is not regularly performed as part of project status reporting. Which of the following is the GREATEST risk resulting from this situation?

Options

• AResources might not be assigned and prioritized in a timely manner
• BTime and budget overruns might not be identified in a timely manner
• CThe project might not be compliant with project management standards
• DBusiness requirements may not be properly benchmarked

Explanation

Earned Value Analysis (EVA) integrates scope, schedule, and cost data to give an objective picture of project performance - without it, a project can silently drift over budget or past deadlines before anyone notices, making B the greatest risk.

• A is wrong because resource assignment and prioritization are managed through resource planning and project scheduling tools, not EVA specifically.
• C is wrong because non-compliance with PM standards is a procedural concern, not a direct business impact - it's a lesser risk compared to financial and schedule damage.
• D is wrong because benchmarking business requirements relates to requirements management and scope definition, which are separate from EVA's cost/schedule tracking purpose.

Memory tip: Think of EVA as a project's "health monitor" - if you skip regular checkups, you won't know the patient is sick until it's an emergency. The greatest risk is always the one with direct, measurable business harm: money wasted and deadlines missed (B), not procedural gaps or process issues.

No community discussion yet for this question.