CISA (ISACA): Practice Questions
Thirty original concept-check questions on core CISA ideas across the five domains, each followed by its correct answer and an explanation of why the alternatives are wrong. Answer as an independent IS auditor: assess and report on controls, do not build or fix them.
Compared with ISACA's CISM, CISA is most focused on:
Correct answer: B. CISA is the auditor's credential: you examine and assure controls from the outside. 'Building and running a security programme' is exactly CISM's manager-side focus, not CISA's. Configuring firewalls/servers and writing code are operational or engineering tasks an auditor evaluates but does not perform.
An IS auditor is asked to audit a system they personally designed and configured last year. The auditor should:
Correct answer: D. Auditing your own work impairs independence and objectivity, so the auditor must decline or formally disclose the conflict and have someone else perform that work. 'Proceed, since they know the system best' confuses familiarity with objectivity. 'Skip the access-control tests' leaves a key risk untested and still does not restore independence. 'Audit only the parts built by others' ignores that the conflict taints the engagement, not just specific tests.
When planning an audit, the IS auditor should determine the scope and depth of testing PRIMARILY based on:
Correct answer: A. CISA expects risk-based auditing: effort follows where the impact of control failure is greatest. 'Personal preference' is not an objective basis and undermines defensibility. 'Number of staff' is unrelated to control risk. Choosing 'whichever systems are easiest' optimises for convenience, leaving high-risk areas under-tested.
Which of the following is the BEST (most reliable) audit evidence that a control is operating effectively?
Correct answer: C. Evidence the auditor obtains directly - re-performing the control and observing it - is the most reliable, because it does not depend on someone's assertion. A verbal assurance is the weakest, being unverified and self-reported. A policy shows the control is intended, not that it actually operates. A vendor brochure describes capability, not whether the control is configured and working here.
An auditor selects a subset of transactions to test rather than examining every record. This technique is called:
Correct answer: D. Testing a representative subset instead of the whole population is sampling. Materiality is about whether a finding is significant enough to matter, not how items are selected. Re-performance is independently executing a control, not choosing which items to test. Continuous monitoring uses automated, ongoing checks rather than a one-time selected subset.
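As an added example (not part of the original question set), the two selection methods below show what "sampling" means in practice and why the selection has to be reproducible: the auditor records the seed or the random start in the workpapers so a reviewer can re-perform the selection and obtain the same items. It goes one step beyond the question by showing monetary-unit (probability-proportional-to-size) selection, which is how the risk-based principle of Question 3 is applied to a population of transactions: large items are more likely, or certain, to be picked. The transaction list, the random start of 1234 and the sample sizes are constructed for illustration.

```python
"""Audit sampling helpers. Added example, not from the original page.

random_sample        - equal-probability selection with a recorded seed.
monetary_unit_sample - systematic selection with probability proportional
                       to amount, so large items are selected with certainty.
coverage             - share of total value the selected items represent.
The population, seed and random start are constructed for illustration.
"""
import random

# Constructed population of (transaction id, amount); not real data.
POPULATION = [
    ("T1", 100), ("T2", 2500), ("T3", 50), ("T4", 900),
    ("T5", 5000), ("T6", 250), ("T7", 1200), ("T8", 10000),
]


def random_sample(population, sample_size, seed):
    """Equal-probability selection of sample_size items.

    The seed is written into the workpapers; the same seed reproduces the
    same sample, so a reviewer can re-perform the selection.
    """
    rng = random.Random(seed)
    chosen = rng.sample(population, sample_size)
    return sorted(tid for tid, _ in chosen)


def monetary_unit_sample(population, sample_size, random_start):
    """Systematic probability-proportional-to-size selection.

    A sampling point falls every `interval` monetary units, starting at
    random_start. The item whose cumulative amount first reaches a point is
    selected. Any item at or above the interval is therefore always
    selected; an item that covers several points is reported once.
    """
    total = sum(amount for _, amount in population)
    interval = total / sample_size
    if not 0 < random_start <= interval:
        raise ValueError("random_start must lie in (0, interval]")
    points = [random_start + k * interval for k in range(sample_size)]
    selected, cumulative, idx = [], 0.0, 0
    for tid, amount in population:
        cumulative += amount
        hit = False
        # Consume every sampling point this item's slice of value covers.
        while idx < len(points) and points[idx] <= cumulative:
            hit = True
            idx += 1
        if hit:
            selected.append(tid)
    return selected


def coverage(population, selected_ids):
    """Fraction of the population's total value covered by the sample."""
    wanted = set(selected_ids)
    total = sum(amount for _, amount in population)
    covered = sum(amount for tid, amount in population if tid in wanted)
    return covered / total


if __name__ == "__main__":
    # Total is 20000, so four points means an interval of 5000; T8 (10000)
    # exceeds the interval and is selected no matter where the start falls.
    mus = monetary_unit_sample(POPULATION, 4, 1234)
    print("MUS selection:", mus, "covers", coverage(POPULATION, mus))
    print("Random selection (seed 7):", random_sample(POPULATION, 3, 7))
```

Note what the monetary-unit run demonstrates: with a total of 20000 and four sampling points the interval is 5000, the points fall at 1234, 6234, 11234 and 16234, and T8 absorbs the last two, so only three items are returned even though four points were laid down. That is normal for this method, and the workpapers should say so rather than report a "missing" sample item.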
The PRIMARY purpose of IT governance is to:
Correct answer: A. IT governance exists to direct and control IT so it delivers value aligned to business strategy. 'No incidents ever occur' is impossible - governance manages risk, it does not eliminate it. Maximising budget is a resource grab, not a governance goal. Buying the newest technology is a procurement choice, not the purpose of governance.
An IS auditor reviewing IT strategy finds it was created with no reference to the organisation's business plan. The auditor should be MOST concerned that:
Correct answer: B. Strategy disconnected from the business plan risks misallocated IT spend that delivers no business value - the core governance concern. Document length is a formatting issue, not a governance risk. Who physically wrote it is irrelevant if it aligns. Encryption is a confidentiality control and has nothing to do with strategic alignment.
In governance documents, a policy differs from a procedure in that a policy:
Correct answer: C. A policy sets high-level management intent and direction; a procedure spells out the steps to carry it out. 'Exact keystrokes for a task' describes a procedure, not a policy. 'Optional guidance only' understates a policy's authority. 'Identical to a procedure' erases the distinction the question is testing.
When auditing IT-related risk management, the auditor would expect the organisation to FIRST:
Correct answer: D. Risk must be identified and assessed before any treatment is chosen; otherwise responses are not driven by actual exposure. Buying insurance, installing tools, or outsourcing are all treatment options that only make sense after the risk is understood - selecting any of them first is treating before assessing.
A RACI chart is used in IT governance primarily to clarify:
Correct answer: A. RACI defines roles and accountability across activities. Recovery time is an RTO concept from business continuity, not a roles model. Encryption strength is a technical control attribute. Annual loss expectancy is a quantitative-risk figure. None of those three describe what a RACI chart conveys.
During systems development, the BEST time to involve the IS auditor is:
Correct answer: B. Involving audit early lets control weaknesses be caught when they are cheap to fix, while preserving independence through an advisory role. Waiting until go-live means design flaws are already baked in. 'Never' is wrong because auditors legitimately review development controls. Waiting for an incident is reactive and misses the chance to prevent it.
The PRIMARY purpose of a post-implementation review of a new system is to:
Correct answer: C. A post-implementation review checks that the system met its objectives and that its controls operate as designed. Assigning blame is not its purpose and discourages honest review. Increasing the budget is unrelated. Help-desk training is an operational task, not the objective of the review.
An auditor reviews a project's business case and finds expected benefits were never quantified. The MAIN risk is that:
Correct answer: D. Without quantified benefits, there is no yardstick to decide if the spend is worthwhile or to measure success later - the central concern. Finishing early is not a consequence of an unquantified business case. Code quality is unrelated to benefit quantification. Vendor pricing is not driven by the business case's rigour.
Before a new application replaces an old one, data migration controls should ensure that:
Correct answer: A. Migration controls exist to verify completeness and accuracy so no data is lost or corrupted in the move. A modern interface is a usability feature, not a migration control. Promoting the project manager and selling old hardware are unrelated to data integrity and would not be tested as migration controls.
An IS auditor reviewing a software development project finds that users were not involved in defining requirements. The MAIN risk is that:
Correct answer: A. Without user involvement in requirements, the system risks being built to the wrong specification and failing to meet real business needs - the core development-control concern. Running 'faster than required' is not a harm caused by missing requirements. Disk usage is unrelated to requirements gathering. Vendor payment is governed by the contract, not by user participation in requirements.
An IS auditor testing change management would consider it a control WEAKNESS if:
Correct answer: B. Allowing untested, unapproved changes straight into production is the weakness - it bypasses the control entirely and risks outages or unauthorised code. Logging and approving every change, reviewing documented emergency changes after the fact, and having a separate reviewer are all signs of a sound change-management control, not weaknesses.
In a business continuity context, a Business Impact Analysis (BIA) is performed mainly to:
Correct answer: C. A BIA identifies which functions are critical and what disruption would cost, which then drives recovery priorities (RTO/RPO). Paint colour and staff bonuses are irrelevant to continuity. Counting servers is an inventory task; it does not tell you the business impact of losing a function.
The Recovery Time Objective (RTO) defines:
Correct answer: D. RTO is the target time to bring a process back after disruption. The acceptable amount of data loss is the RPO, a different objective. Encryption-key strength is a security-control attribute, not a recovery metric. The total cost of an incident is an impact figure, not the RTO.
An organisation has a detailed disaster recovery plan that has never been tested. The IS auditor should report that:
Correct answer: B. An untested plan offers false assurance: gaps surface only under test, so regular testing is essential. 'Fully reliable because it is detailed' confuses documentation with proven capability. 'Testing is unnecessary if the document is long' makes the same error. Waiting to test until 'after a real disaster' defeats the entire purpose of having a plan.
Reviewing a backup process, the auditor's strongest evidence that backups are usable is:
Correct answer: B. A successful test restore proves the backup can actually recover data - the outcome that matters. A completion log shows the job ran, not that the data restores. Tape size says nothing about usability. A vendor statement is an assertion about the product, not evidence that this organisation's backups work.
In operations, segregation of duties primarily reduces the risk of:
Correct answer: C. Splitting a sensitive process across people means no single individual can both carry out and hide a fraud or error. Network performance, electricity costs and interface design are operational or technical concerns unrelated to the control purpose of segregation of duties.
The principle of least privilege means a user should be granted:
Correct answer: A. Least privilege limits access to exactly what the role requires, shrinking the damage from misuse or compromise. Granting admin rights 'for convenience' is the opposite and is over-privileged. Copying a manager's access ignores the user's actual needs. Default access to all systems removes the control entirely.
An auditor finds that terminated employees' system accounts remain active for weeks after they leave. The MAIN risk is:
Correct answer: B. Active accounts for people who have left are a classic access-control gap that can be exploited for unauthorised access - the primary security risk. Licensing fees are a minor cost issue. Help-desk workload and password-reset speed are operational annoyances, not the core confidentiality and integrity risk of orphaned accounts.
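How an auditor would actually test this control, as an added example that is not part of the original page: cross-reference the HR leavers list against an export of directory accounts and flag every leaver whose account is still enabled beyond the agreed deprovisioning window. The second flag, whether the account was used after the termination date, separates a deprovisioning lapse from a potential unauthorised-access event and decides how the finding is rated. The two data sets, the field names, the 2024-04-30 test date and the one-day tolerance are constructed assumptions.

```python
"""Orphaned-account test: HR leavers vs. directory export.

Added example, not from the original page. Leaver list, directory export,
field names, as-of date and tolerance are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Constructed HR leavers list (not real people).
HR_LEAVERS = [
    {"user": "asmith", "terminated": "2024-03-01"},
    {"user": "bjones", "terminated": "2024-03-15"},
    {"user": "cwang",  "terminated": "2024-04-02"},
    {"user": "dlee",   "terminated": "2024-04-20"},
]

# Constructed directory export; one row per account.
DIRECTORY_EXPORT = [
    {"user": "asmith",     "enabled": True,  "last_logon": "2024-03-20"},
    {"user": "bjones",     "enabled": False, "last_logon": "2024-03-14"},
    {"user": "cwang",      "enabled": True,  "last_logon": "2024-04-01"},
    {"user": "dlee",       "enabled": True,  "last_logon": "2024-04-21"},
    {"user": "svc_backup", "enabled": True,  "last_logon": "2024-04-29"},
]


@dataclass
class Finding:
    user: str
    terminated: date
    days_enabled_after_termination: int
    used_after_termination: bool   # logon later than the termination date


def find_orphaned_accounts(leavers, directory, as_of, tolerance_days=1):
    """Return a Finding for each leaver still enabled more than
    tolerance_days after termination, as of the test date."""
    by_user = {row["user"]: row for row in directory}
    findings = []
    for leaver in leavers:
        acct = by_user.get(leaver["user"])
        if acct is None or not acct["enabled"]:
            continue  # removed or disabled: the control operated
        term = date.fromisoformat(leaver["terminated"])
        lag = (as_of - term).days
        if lag <= tolerance_days:
            continue  # still inside the agreed deprovisioning window
        last_logon = date.fromisoformat(acct["last_logon"])
        findings.append(Finding(
            user=leaver["user"],
            terminated=term,
            days_enabled_after_termination=lag,
            used_after_termination=last_logon > term,
        ))
    return findings


def exception_rate(leavers, directory, as_of, tolerance_days=1):
    """Share of leavers whose account was not deprovisioned in time."""
    hits = find_orphaned_accounts(leavers, directory, as_of, tolerance_days)
    return len(hits) / len(leavers)


if __name__ == "__main__":
    as_of = date(2024, 4, 30)
    for f in find_orphaned_accounts(HR_LEAVERS, DIRECTORY_EXPORT, as_of):
        severity = "HIGH (used after leaving)" if f.used_after_termination else "MEDIUM"
        print(f"{f.user}: enabled {f.days_enabled_after_termination} days "
              f"after {f.terminated} - {severity}")
    print("exception rate:", exception_rate(HR_LEAVERS, DIRECTORY_EXPORT, as_of))
```

Run against the constructed data, three of the four leavers are exceptions: asmith and dlee logged on after their termination dates (the evidence to escalate), cwang did not. The service account is ignored because it is not on the leavers list; in a real engagement the auditor would sample it separately under the privileged-account tests rather than let it silently pass here.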
Encryption protects the confidentiality of data, but its protection fails if:
Correct answer: C. Encryption is only as strong as its key management: if keys are exposed, confidentiality is gone regardless of the algorithm, and if they are lost the data itself is unrecoverable. Disk speed, compression and file-name length have no bearing on whether the encryption keeps data confidential.
A control that identifies a security breach after it has occurred (for example, reviewing system logs or an intrusion detection system) is a:
Correct answer: C. Detective controls reveal events after they happen, which is what log review and an IDS do. A preventive control stops the event before it occurs. A corrective control fixes or restores after the event. A directive control instructs behaviour (e.g., a policy) rather than detecting anything.
The MAIN purpose of data classification is to:
Correct answer: D. Classification labels data by sensitivity so controls match the level of protection it needs. Cheaper storage and faster networks are not its goal. Sorting alphabetically is mere organisation and ignores sensitivity, which is the whole point of classifying data for protection.
When auditing physical access to a data centre, an effective control the auditor would expect is:
Correct answer: B. Restricting, logging and periodically reviewing data-centre access enforces and evidences who may enter - a sound physical control. Unlocked doors remove the control. Letting anyone with a badge into any room ignores least privilege. Keeping no visitor logs destroys the accountability trail the auditor relies on.
Multi-factor authentication strengthens access control because it requires:
Correct answer: B. MFA combines independent factors (knowledge, possession, inherence), so stealing one factor is not enough. A longer username is not an authentication factor. Entering the same password twice is still a single factor. Restricting access to business hours is a time-based control, not multi-factor authentication.
After identifying a control weakness, the IS auditor's appropriate role is to:
Correct answer: A. Auditors report findings and recommend action; management owns and implements the fix - this preserves independence. Personally implementing the fix or taking over the control makes the auditor a control operator, destroying objectivity for future audits. Hiding the finding is an ethics violation that defeats the purpose of the audit.
An auditor cannot fully test a primary control but finds another control that covers the same risk. This second control is best described as a:
Correct answer: D. A compensating control mitigates a risk when the primary control is missing or impractical, which is exactly the situation described. 'Preventive', 'detective' and 'directive' name what a control does by timing or method; they do not capture the idea of standing in for a primary control, which is the specific term being tested here.
Practice questions FAQ
- Are these real CISA exam questions?
- No. These are original study questions written to test understanding. They are not real exam questions, exam dumps, or copied from any provider.
- How should I use these practice questions?
- Answer each one, read the explanation (including why the wrong options are wrong), and track your results by domain so you can focus your revision on weak areas. Revisit before exam day.
- How many questions should I do before the exam?
- Enough to score consistently across every domain, alongside full-length practice from official or reputable providers. Understanding why each answer is right matters more than raw volume.
- What score means I am ready?
- A good signal is consistently scoring around 80% or higher across all domains on questions you have not seen before, and being able to explain why the wrong options are wrong.
- Should I use exam dumps?
- No. Dumps (real or leaked questions) breach provider policy, can void your certification, and do not build the understanding the exam actually tests.