QUESTIONS AND VERIFIED ANSWERS
◉ IS Audit Strategy - Domains. Answer: -Define IS/IT audit universe
-Governance
-Operations
-Mobile
-IoT
-Data Management
-Projects
-Ranking by Criticality
-Business by Impact
◉ IS Audit Strategy - Deliverables. Answer: -Audit Deliverables
-Standards
-Tools
-Staff Requirements
-Numbers/profiles/training/certification
-Annual audit plan
-Metrics
◉ IS Audit Strategy - Audience. Answer: -Senior Management
-Audit Committee
-External Audit
-CIO
◉ IS Audit Strategy - Participants. Answer: -CAE
-Members of audit committee
-IS/IT Internal Auditors
-Consultants if/as required
◉ IS Audit Strategy - Suppliers. Answer: -CIO
-ERM Function
-System Owners
-Business Process Owners
-External Providers
-Legal and Procurement
◉ Role of IS internal audit. Answer: Should be established by an audit
charter or approved by the board of directors and the audit committee (or
senior management if these entities do not exist)
◉ Audit Charter. Answer: Provides a clear mandate to perform the IS
audit and includes management responsibilities and objectives, as well as
delegation of authority to the audit function. It establishes the authority
and accountability of the IS audit function.
◉ Controls. Answer: Measures implemented to treat risks within an
organization.
Controls should be designed, developed, implemented and monitored
through policies, procedures, practices and organization structures to
address risk.
◉ Control Objective. Answer: An objective of one or more operational
areas or roles to be achieved in order to contribute to the fulfillment of
the strategic goals of the company.
◉ Administrative Control. Answer: -Development of policies, standards
and procedures
-Screening personnel, security awareness training, monitoring system
and network activity, and change control
◉ Technical Control. Answer: -Logical mechanisms that provide
password and resource management, identification and authentication,
and software configurations
◉ Physical Control. Answer: -Protecting individual systems, the
network, employees, and the facility from physical damage
◉ Preventative Control (Function). Answer: Controls used to STOP the
undesirable events from taking place
Ex: Role-Based Access Controls; in SAP, preventing users from having
both create-vendor and approve-payment access.
◉ Detective Control (Function). Answer: Controls used to identify
undesirable events that have occurred
Ex: Security event monitoring (SIEM) that generates alerts when there
are multiple failed login attempts.
◉ Corrective Control (Function). Answer: Controls used to correct the
effects of undesirable events
Ex: Incident response process that disables a compromised user account
after a suspicious login is identified.
Ex: Malware is found on a system; the malware is removed.
◉ Deterrent Control (Function). Answer: Controls used to
DISCOURAGE security violations
Ex: Login banners stating that system activity is monitored and
violations may result in disciplinary action.