CertGrid

ISACA CISA Practice Exam

Validates information systems auditing skills — audit process, governance, acquisition/development, operations, and protection of information assets.

Practice 300 exam-style ISACA CISA questions with full answer explanations, then take timed mock exams that score like the real thing.

300 practice questions
100 questions on the real exam
700 passing score
240 min exam length

Free ISACA CISA sample questions

A sample of 10 questions with answers and explanations. Sign up free to practice all 300.

  1. Question 1: Information Systems Auditing Process

    What is the primary purpose of risk-based audit planning?

    • A. To audit every system equally regardless of risk
    • B. To avoid documenting findings
    • C. To focus audit resources on the areas of highest risk to the organization (correct)
    • D. To replace management's controls
    ✓ Correct answer: C

    Risk-based audit planning is a methodology where the IS auditor identifies and evaluates the inherent and residual risks across the organization's systems, processes, and assets, then directs audit effort toward areas where the potential impact and likelihood of control failures are greatest. This approach ensures that limited audit resources produce the most value by concentrating on what matters most. Rather than treating all systems equally regardless of their risk profile, the auditor prioritizes those with high business impact, complex processes, or known control weaknesses. Risk-based planning also results in an audit scope and schedule that can be justified to management and the audit committee based on objective risk criteria.

    Why the other options are wrong
    • A. To audit every system equally regardless of risk is incorrect because treating all systems identically ignores differences in impact, likelihood, and control maturity, leading to wasted effort on low-risk areas while high-risk areas receive insufficient scrutiny.
    • B. To avoid documenting findings is incorrect because documentation of findings is a fundamental auditing responsibility, and no audit methodology is designed to suppress evidence or reporting.
    • D. To replace management's controls is incorrect because the auditor's role is to evaluate the effectiveness of controls, not to assume management's responsibilities or substitute audit activity for actual operational controls.
  2. Question 2: Acquisition, Development and Implementation (select all that apply)

    Which TWO controls help ensure only authorized, tested changes reach production? (Choose TWO)

    • A. Formal change management with approvals (correct)
    • B. Separation of development, test, and production environments (correct)
    • C. Developers deploying directly to prod with no review
    • D. Sharing production credentials widely
    ✓ Correct answer: A, B

    Authorized, tested changes are protected from unauthorized deployment through two complementary controls. Formal change management with approvals requires that every proposed change to production be documented, reviewed for risk, tested, and approved by designated authorities before deployment, creating an audit trail and ensuring oversight. Separating development, test, and production environments prevents developers from making untested or ad-hoc changes directly to live systems; code must pass through the development and testing environments before being promoted to production by authorized operations staff, not by developers themselves. Together these controls ensure that what reaches production has been reviewed, approved, and validated.

    Why the other options are wrong
    • C. Developers deploying directly to production with no review is incorrect because this eliminates segregation of duties and bypasses change management; developers could introduce untested or malicious code without oversight.
    • D. Sharing production credentials widely is incorrect because broad knowledge of production credentials eliminates access control and makes it impossible to trace unauthorized changes to a responsible individual, directly undermining accountability and change control.
  3. Question 3: Operations and Business Resilience

    An IS auditor finds production servers sized for peak load but idle 80% of the time. Which approach BEST controls cost without harming resilience?

    • A. Disable monitoring to cut overhead
    • B. Permanently power off half the servers
    • C. Implement autoscaling to match capacity to demand (correct)
    • D. Delete redundant backups
    ✓ Correct answer: C

    When servers are idle 80% of the time but must be sized for peak load, the problem is a mismatch between static provisioning and dynamic demand patterns. Autoscaling dynamically adjusts the number of running instances in response to actual load metrics such as CPU utilization, request queue depth, or transaction volume. During peak periods, additional instances are launched automatically; during idle periods, instances are terminated, so the organization pays only for what it uses. This approach maintains the ability to handle peak load (preserving resilience) while dramatically reducing cost during low-utilization periods. IS auditors evaluating cloud architecture should verify that autoscaling policies are properly configured with appropriate minimum and maximum instance counts and tested scaling thresholds.

    Why the other options are wrong
    • A. Disable monitoring to cut overhead is incorrect because monitoring is necessary to detect performance degradation, security events, and compliance violations; eliminating it to save marginal cost removes the visibility needed to manage the environment and respond to incidents.
    • B. Permanently power off half the servers is incorrect because permanently removing half the compute capacity without a dynamic replacement strategy would eliminate the ability to handle peak load, converting a cost problem into an availability and resilience risk.
    • D. Delete redundant backups is incorrect because reducing backup copies to save cost increases recovery risk; eliminating redundancy from backup strategies leaves the organization without fallback options if the remaining backup media fails or is corrupted.
  4. Question 4: Protection of Information Assets

    On a Linux host, which command sets a file's permissions so the owner can read/write/execute and group and others have no access?

    • A. chmod 700 file (correct)
    • B. chmod 777 file
    • C. chmod 000 file
    • D. chmod 644 file
    ✓ Correct answer: A

    Linux file permissions use an octal notation where three digits represent the permissions for the owner, group, and others respectively. Each digit is the sum of read (4), write (2), and execute (1) permissions for that class. The value 7 means read + write + execute (4+2+1=7), and 0 means no permissions. Therefore, chmod 700 sets owner permissions to read/write/execute and both group and others to no permissions, which precisely matches the requirement of allowing only the owner full access while denying group and others. This is commonly used for private key files, personal scripts, and sensitive configuration files.

    Why the other options are wrong
    • B. chmod 777 file is incorrect because 777 grants read, write, and execute permissions to the owner, group, and all other users simultaneously; this is the most permissive setting and gives every user on the system full access to the file.
    • C. chmod 000 file is incorrect because 000 removes all permissions from all users including the owner, making the file unreadable, unwritable, and unexecutable by anyone including the file's owner; this is not what the requirement describes.
    • D. chmod 644 file is incorrect because 644 grants read and write to the owner and read-only to both group and others; this is appropriate for public documentation but not for a file that should be exclusively accessible by its owner.
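    As an added example (not CertGrid's code), the octal decoding described above turned into a small audit check: it renders a mode the way ls does, tests whether group and others hold any permission bits, and reports files that fail the owner-only requirement. The file names in the demo are constructed.

```python
import os
import stat
import tempfile

def symbolic(mode):
    """Render the permission bits of a mode as 'rwxr-x---' style text."""
    out = []
    for shift in (6, 3, 0):                 # owner, group, others
        digit = (mode >> shift) & 0o7       # each octal digit is read(4)+write(2)+execute(1)
        out.append(("r" if digit & 4 else "-") +
                   ("w" if digit & 2 else "-") +
                   ("x" if digit & 1 else "-"))
    return "".join(out)

def is_owner_only(mode):
    """True when group and others have no permission bits at all (e.g. 0o700, 0o600)."""
    return (mode & 0o077) == 0

def mode_of(path):
    """Permission bits of a file, with the file-type bits masked off."""
    return stat.S_IMODE(os.stat(path).st_mode)

def loosely_permitted(paths):
    """Audit check: return (path, symbolic mode) for every file that is not owner-only."""
    return [(p, symbolic(mode_of(p))) for p in paths if not is_owner_only(mode_of(p))]

if __name__ == "__main__":
    # Constructed demo: two files, one locked to the owner and one world-readable.
    with tempfile.TemporaryDirectory() as d:
        private = os.path.join(d, "id_ed25519")   # hypothetical private key file
        public = os.path.join(d, "README")
        for p in (private, public):
            open(p, "w").close()
        os.chmod(private, 0o700)
        os.chmod(public, 0o644)
        print(loosely_permitted([private, public]))   # only the README is reported
```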
  5. Question 5: Governance and Management of IT

    An organization is choosing between a centralized and a federated IT operating model. Which is the PRIMARY design tradeoff the auditor should highlight?

    • A. Centralized models cannot enforce any standards
    • B. There is no governance difference between the two
    • C. Federated models always cost less than centralized ones
    • D. Centralization improves standardization and control but can reduce business-unit agility, while federation increases agility at the cost of consistency (correct)
    ✓ Correct answer: D

    The choice between centralized and federated IT operating models involves a fundamental tradeoff between standardization and autonomy. A centralized model concentrates IT decisions, procurement, and operations under a single function, enabling consistent standards, economies of scale, and strong governance controls with clear accountability. However, it can create bottlenecks and slow response to business-unit-specific needs because all requests must be processed through the central function. A federated model distributes IT decision-making authority to business units, enabling faster responses to local needs and more customized solutions, but at the cost of consistency, security standard enforcement, and the ability to achieve enterprise-wide economies of scale. The IS auditor's role is to ensure that governance structures, control standards, and accountability mechanisms are clearly defined regardless of which model is chosen.

    Why the other options are wrong
    • A. Centralized models cannot enforce any standards is incorrect because enforcing consistent standards is precisely one of the primary advantages of a centralized IT operating model; central governance bodies can mandate and audit adherence to enterprise standards.
    • B. There is no governance difference between the two is incorrect because the two models have fundamentally different governance structures, accountability mechanisms, and risk profiles; understanding these differences is central to an IS auditor's architecture review.
    • C. Federated models always cost less than centralized ones is incorrect because federated models often result in duplicated capabilities, tools, and licenses across business units, which can increase total cost of ownership compared to centralized procurement and shared services.
  6. Question 6: Information Systems Auditing Process

    During substantive testing, an auditor relies on a system-generated exception report. What must be verified FIRST for the report to be reliable evidence?

    • A. That the report is printed in color
    • B. The completeness and accuracy of the report (and the controls over the report-generation logic) (correct)
    • C. That the report is stored offsite
    • D. That the report was reviewed by marketing
    ✓ Correct answer: B

    When an IS auditor relies on system-generated reports as substantive evidence, the reliability of that evidence depends entirely on whether the underlying system produced a complete and accurate output. Before drawing any conclusions from an exception report, the auditor must verify that the report includes all relevant transactions (completeness) and that the logic used to generate it is correct and has not been altered (accuracy). This is commonly accomplished by reviewing IT general controls over the application, specifically change management and access controls that govern the report-generation module, and by independently re-running or tracing the report parameters. Without this verification, the auditor cannot rule out that the report was filtered, truncated, or manipulated.

    Why the other options are wrong
    • A. That the report is printed in color is incorrect because the print format has no bearing on the completeness or accuracy of the data the report contains.
    • C. That the report is stored offsite is incorrect because offsite storage is a continuity control unrelated to whether the report accurately reflects all in-scope transactions.
    • D. That the report was reviewed by marketing is incorrect because review by a non-accountable department with no systems expertise provides no assurance about the technical completeness or accuracy of a system-generated report.
  7. Question 7: Protection of Information Assets

    What is the PRIMARY reason to synchronize clocks across systems that forward logs to a central collector?

    • A. To encrypt the log files automatically
    • B. To increase available disk space on log servers
    • C. To reduce the number of log entries generated
    • D. To enable accurate correlation and sequencing of events across systems (correct)
    ✓ Correct answer: D

    When investigating a security incident or auditing control effectiveness over a period, the sequence in which events occurred across different systems is often critical evidence. If servers, firewalls, applications, and endpoints each maintain their own local clocks without synchronization, timestamps in their respective logs may differ by seconds, minutes, or hours. This makes it impossible to accurately reconstruct the timeline of an attack, determine whether a login on system A preceded or followed an action on system B, or match related events across different log sources. Network Time Protocol (NTP) synchronization ensures all systems reference a common authoritative time source, making cross-system event correlation reliable and legally defensible.

    Why the other options are wrong
    • A. To encrypt the log files automatically is incorrect because time synchronization and encryption are entirely separate functions; NTP provides clock accuracy, not data protection, and encrypting logs requires a separate cryptographic solution.
    • B. To increase available disk space on log servers is incorrect because NTP synchronization has no effect on storage capacity; log retention policies and tiered storage address disk space requirements.
    • C. To reduce the number of log entries generated is incorrect because clock synchronization does not affect logging frequency or volume; the number of log entries is determined by system activity and logging configuration settings.
  8. Question 8: Acquisition, Development and Implementation

    During a data migration project, which control BEST ensures that all source records were transferred to the target system without loss?

    • A. Documenting the migration runbook
    • B. Scheduling the migration during a maintenance window
    • C. Encrypting the migration data in transit
    • D. Reconciliation of record counts and control totals between source and target (correct)
    ✓ Correct answer: D

    Data migration integrity depends on being able to mathematically prove that the set of records in the target system is identical to the set in the source system. Reconciliation involves comparing the total count of records in each data entity or table, as well as key financial totals (such as the sum of all account balances) and hash totals (such as the sum of all account numbers), between source and target after the migration completes. Any discrepancy signals that records were dropped, duplicated, or incorrectly transformed during the migration process. This technique provides complete population coverage for integrity verification and is far more reliable than spot-checks or UI-level validation.

    Why the other options are wrong
    • A. Documenting the migration runbook is incorrect because runbook documentation describes the process steps for executing the migration; it establishes a procedure but does not verify that the data actually transferred correctly; documentation and execution are distinct.
    • B. Scheduling the migration during a maintenance window is incorrect because timing is an operational consideration that minimizes the risk of data changes during migration; it does not verify that the data which was migrated is complete and accurate.
    • C. Encrypting the migration data in transit is incorrect because in-transit encryption is a confidentiality control that prevents unauthorized interception of the data during transfer; it does not validate that all source records arrived at the target without loss or corruption.
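    As an added example (not CertGrid's code), the reconciliation described above carried out on a constructed account table: record count, a financial control total over balances, and a hash total over account numbers are computed on each side, and when they disagree the check goes one step further than the explanation and names the dropped and duplicated records. The sample rows are invented; the target deliberately drops one account and duplicates another, so the record count alone still matches.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    number: int      # account number, feeds the hash total
    balance: float   # balance, feeds the financial control total

def totals(rows):
    """The three reconciliation figures for one side of the migration."""
    return {
        "count": len(rows),
        "balance_total": round(sum(r.balance for r in rows), 2),
        # A hash total has no business meaning; it only exists to detect change.
        "hash_total": sum(r.number for r in rows),
    }

def reconcile(source, target):
    """Compare source and target totals and explain any mismatch.

    Returns whether all figures match, which figures differ (source, target),
    and the account numbers missing from or unexpectedly present in the target."""
    s, t = totals(source), totals(target)
    diffs = {k: (s[k], t[k]) for k in s if s[k] != t[k]}
    src_ids = Counter(r.number for r in source)
    tgt_ids = Counter(r.number for r in target)
    return {
        "matched": not diffs,
        "differences": diffs,
        "missing_in_target": sorted((src_ids - tgt_ids).elements()),
        "unexpected_in_target": sorted((tgt_ids - src_ids).elements()),
    }

# Constructed sample data. TARGET_BAD dropped account 1003 and duplicated 1001,
# so its record count still equals the source's: only the totals reveal the loss.
SOURCE = [Account(1001, 250.00), Account(1002, 99.50),
          Account(1003, 1200.25), Account(1004, 0.75)]
TARGET_OK = list(SOURCE)
TARGET_BAD = [Account(1001, 250.00), Account(1001, 250.00),
              Account(1002, 99.50), Account(1004, 0.75)]

if __name__ == "__main__":
    print(reconcile(SOURCE, TARGET_OK))    # matched: True
    print(reconcile(SOURCE, TARGET_BAD))   # count agrees, both totals differ
```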
  9. Question 9: Information Systems Auditing Process

    During fieldwork an auditee tells you a critical reconciliation control 'always runs,' but you find no evidence it executed last quarter. What should the auditor do NEXT?

    • A. Remove the control from scope to save time
    • B. Accept the verbal statement and mark the control effective
    • C. Gather corroborating evidence (logs, output reports) before concluding on the control (correct)
    • D. Immediately report fraud to the board
    ✓ Correct answer: C

    Inquiry and verbal statements from auditees are the weakest form of audit evidence; they reflect the respondent's understanding or assertion but cannot independently confirm what actually occurred. When a control owner asserts that a reconciliation control 'always runs' but no evidence of execution exists for the prior quarter, the discrepancy between the claim and the available evidence creates a significant unresolved question. Professional auditing standards require the auditor to obtain sufficient appropriate evidence before drawing conclusions. In this case, the auditor should request system logs, job execution records, reconciliation output files, or exception reports from the period in question. Only if such evidence is found and reviewed can the auditor conclude on whether the control operated.

    Why the other options are wrong
    • A. Remove the control from scope to save time is incorrect because removing a control from scope when evidence of its operation is absent is contrary to the auditor's objective; this is precisely the situation that warrants investigation, not avoidance.
    • B. Accept the verbal statement and mark the control effective is incorrect because accepting an unsubstantiated verbal claim in the face of contradicting evidence would result in an unsupported audit conclusion and potentially mislead report readers about the actual control environment.
    • D. Immediately report fraud to the board is incorrect because the absence of execution evidence establishes a control gap but does not establish intent to deceive or fraudulent conduct; escalating to a fraud allegation without additional investigation would be premature and professionally inappropriate.
  10. Question 10: Protection of Information Assets

    Which encryption approach allows two parties to securely establish a shared secret over an untrusted network without transmitting the secret itself?

    • A. A hash of the message
    • B. A static WEP key
    • C. Diffie-Hellman key exchange (correct)
    • D. A symmetric key emailed in plaintext
    ✓ Correct answer: C

    Diffie-Hellman is a cryptographic protocol that enables two parties to establish a shared secret key over an insecure communication channel without ever transmitting the secret itself. Each party generates a private value, computes a public value from it using modular arithmetic, and exchanges only the public values. Each party then combines their own private value with the received public value to independently derive the same shared secret. An eavesdropper observing the exchanged public values cannot feasibly compute the shared secret due to the computational difficulty of the discrete logarithm problem.

    Why the other options are wrong
    • A. A hash of the message is incorrect because hashing is a one-way function that produces a fixed-length digest for integrity verification, not a key exchange mechanism that establishes a shared secret between parties.
    • B. A static WEP key is incorrect because WEP uses a pre-shared static key that must be configured on both parties in advance, meaning the key itself must be transmitted or communicated through some other channel, directly violating the requirement of not transmitting the secret.
    • D. A symmetric key emailed in plaintext is incorrect because sending a key in plaintext over email exposes it to interception by anyone who can access the email in transit or at rest, completely defeating the purpose of secure key establishment.
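    As an added example (not CertGrid's code), the exchange described above run end to end with both parties' messages, using the textbook toy parameters p = 23 and g = 5 so every step can be checked by hand. The toy prime is for illustration only; the transcript returned is exactly what an observer on the untrusted network sees, and neither private value nor the derived secret appears in it.

```python
import secrets

# Toy parameters constructed for the walkthrough. Real deployments use vetted
# groups of 2048 bits or more, or elliptic-curve variants, never a 5-bit prime.
P = 23  # prime modulus
G = 5   # generator

def public_value(private, p=P, g=G):
    """The only thing a party sends over the network: g^private mod p."""
    return pow(g, private, p)

def shared_secret(private, peer_public, p=P):
    """Combine our private value with the peer's public value: peer_public^private mod p."""
    return pow(peer_public, private, p)

def exchange(alice_private, bob_private, p=P, g=G):
    """Run both sides of the protocol.

    Returns the transcript an eavesdropper can see (p, g and the two public
    values) and the secret each side derives on its own. The private values
    and the shared secret are never transmitted."""
    a_pub = public_value(alice_private, p, g)   # Alice -> Bob
    b_pub = public_value(bob_private, p, g)     # Bob -> Alice
    return {
        "transcript": (p, g, a_pub, b_pub),
        "alice_key": shared_secret(alice_private, b_pub, p),
        "bob_key": shared_secret(bob_private, a_pub, p),
    }

def random_private(p=P):
    """Pick a private exponent in [1, p-2] with a CSPRNG, as a real implementation must."""
    return 1 + secrets.randbelow(p - 2)

if __name__ == "__main__":
    # Textbook values a=6, b=15: Alice sends 8, Bob sends 19, both derive 2.
    print(exchange(6, 15))
    # Fresh random private values on every run; the two keys still agree.
    result = exchange(random_private(), random_private())
    print(result["alice_key"] == result["bob_key"])
```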

ISACA CISA practice exam FAQ

How many questions are in the ISACA CISA practice exam on CertGrid?

CertGrid has 300 practice questions for ISACA CISA, covering 5 exam domains. The real ISACA CISA exam has about 100 questions.

What is the passing score for ISACA CISA?

The ISACA CISA exam passing score is 700, and you have about 240 minutes to complete it. CertGrid scores your practice attempts the same way so you know when you are ready.

Are these official ISACA CISA exam questions?

No. CertGrid is an independent practice platform. Questions are written to mirror the style and concepts of ISACA CISA, with full explanations, but they are not official or copied vendor exam items. They are original practice questions designed to help you genuinely learn the material.

Can I practice ISACA CISA for free?

Yes. You can start practicing ISACA CISA for free with daily practice and sample questions. Paid plans unlock full timed exams, complete explanations, and domain analytics.