QUESTIONS AND CORRECT SOLUTIONS
◉ Source code. Answer: uncompiled, archive code
◉ Object code. Answer: compiled code that is distributed and put into
production; not able to be read by humans
◉ Inherent risk. Answer: the risk that an error could occur assuming no
compensating controls exist
◉ Control risk. Answer: the risk that an error exists that would not be
prevented by internal controls
◉ Detection risk. Answer: the risk that an error exists, but is not
detected. The risk that an IS auditor may use an inadequate test
procedure and conclude that no material error exists when in fact errors
do exist.
◉ Audit risk. Answer: the overall level of risk; the level of risk the
auditor is prepared to accept.
◉ Compliance testing. Answer: determines if controls are being applied
in a manner that complies with mgmt's policies and procedures
◉ Substantive testing. Answer: evaluates the integrity of individual
transactions, data, and other information.
◉ Regression testing. Answer: used to retest earlier program abends that
occurred during the initial testing phase.
◉ Sociability testing. Answer: to ensure the application works as
expected in the specified environment where other applications run
concurrently. Includes testing of interfaces with other systems.
◉ Parallel testing. Answer: Feeding test data into two systems and
comparing the results.
◉ White box testing. Answer: test the software's program logic.
◉ Black box testing. Answer: Testing the functional operating
effectiveness without regard to internal program structure.
◉ Redundancy check. Answer: detects transmission errors by appending
calculated bits onto the end of each segment of data.
◉ Variable sampling. Answer: used to estimate the average or total
value of a population.
◉ Discovery sampling. Answer: used to determine the probability of
finding an attribute in a population.
◉ Attribute sampling. Answer: selecting items from a population based
on a common attribute. Used for compliance testing.
◉ Chapter 2. Answer:
◉ Steering Committee. Answer: Appointed by senior management.
Serves as a general review board for projects and acquisitions... not
involved in routine operations. The committee should include
representatives from senior management, user management, and the IS
department. Escalates issues to senior management.
◉ Request for Proposal (RFP). Answer: A document distributed to
software vendors requesting their submission of a proposal to develop or
provide a software product. RFP should include: Project Overview, Key
Requirements and Constraints, Scope Limitations, Vendor questionnaire,
customer references, demonstrations, etc.
◉ Quality Assurance. Answer: Check to verify policies are followed.
◉ Quality Control. Answer: Check to verify free from defects.
◉ Bottom-up approach for policy development. Answer: begins by
defining operational-level requirements and policies which are derived
and implemented as a result of a risk assessment.
◉ Chapter 3. Answer:
◉ OSI Model. Answer: All People Seem To Need Dominos Pizza
◉ Layer 7 - Application layer. Answer: The application layer interfaces
directly to and performs common application services for the application
processes.
◉ Layer 6 - Presentation layer. Answer: The presentation layer relieves
the Application layer of concern regarding syntactical differences in data
representation within the end-user systems. MIME encoding, data
compression, encryption, and similar manipulation of the presentation of
data is done at this layer.
◉ Layer 5 - Session layer. Answer: The session layer provides the
mechanism for managing the dialogue between end-user application
processes (by dialogue we mean whose turn it is to transmit). It
provides for either duplex or half-duplex operation. This layer is
responsible for setting up and tearing down TCP/IP sessions.
◉ Layer 4 - Transport layer. Answer: The transport layer is responsible
for reliable data delivery. The transport layer provides transparent
transfer of data between end users, thus relieving the upper layers from