CISA (Certified Information Systems Auditor) Exam
ACTUAL QUESTIONS AND ANSWERS LATEST
UPDATE THIS YEAR
CISA (Certified Information Systems Auditor) Exam coverage in summarized point form, followed
by 250 MCQs with rationales in random order, based on the ISACA CISA Job Practice (domains 1–
5), CISA Review Manual 27th Edition, and official CISA exam content outlines.
EXAM COVERAGE (SUMMARIZED POINTS)
• Domain 1 – Information Systems Auditing Process (21%): Risk-based audit planning, internal
controls, audit evidence collection, audit sampling, data analytics, CAATs, audit reporting,
follow-up activities.
• Domain 2 – Governance & Management of IT (17%): IT strategy and governance framework, IT
policies and procedures, IT organizational structure, IT risk management, IT resource
management (HR), IT performance measurement (KPIs/KRIs), IT portfolio management.
• Domain 3 – Information Systems Acquisition, Development & Implementation (12%): Business
case evaluation, project management framework (PMO, SDLC), requirements analysis, risk
assessment for new systems, benefits realization, post-implementation review, configuration
management.
• Domain 4 – Information Systems Operations, Maintenance & Service Management (23%): IT
service management (ITIL), incident management, problem management, change and
configuration management, capacity management, disaster recovery and business continuity
planning (DRP/BCP), database management, IT operations (jobs, backup, patch management).
• Domain 5 – Protection of Information Assets (27%): Information security framework (CIA triad),
access control (RBAC, MAC, DAC, ABAC), logical access management (IAM, SSO, MFA, privileged
accounts), network security (firewalls, IDS/IPS, VPN, zero trust), encryption (PKI,
symmetric/asymmetric), physical and environmental security, data classification, privacy
regulations (GDPR, CCPA), incident response, cybersecurity threats (social engineering, malware,
APT).
• Cross-cutting Concepts: Risk management (inherent, residual, control risk, detection risk, audit
risk equation), COBIT 2019, NIST, ISO 27001, business continuity metrics (RTO, RPO), evidence
sufficiency/competence/relevance.
1. Which of the following is the PRIMARY objective of an information systems audit?
A) To ensure financial statements are accurate
B) To evaluate and provide assurance on the effectiveness of internal controls
C) To replace the IT security team
D) To design new IT systems
Rationale: The primary objective of an IS audit is to evaluate and provide assurance on the effectiveness
of internal controls, not to replace existing functions or design systems.
2. An IS auditor finds that a critical server's security patch installation has not been documented. What
should the auditor do FIRST?
A) Report a finding immediately
B) Test whether the patches are actually installed
C) Assume the patches are missing and issue a high-risk finding
D) Recommend termination of the system administrator
Rationale: The auditor should gather evidence before reporting. Testing whether patches are installed
provides objective evidence to support a finding.
3. Which of the following is the MOST important factor in determining the reliability of audit evidence?
A) The volume of evidence collected
B) The independence of the source of evidence
C) The cost of obtaining the evidence
D) The format of the evidence (paper vs. electronic)
Rationale: Evidence from an independent third party (e.g., an external service auditor's report) is more
reliable than evidence generated internally by the auditee.
4. During a risk assessment for an IT audit, the auditor should FIRST:
A) Identify threats and vulnerabilities
B) Determine the audit universe
C) Define the audit frequency
D) Select audit tests
Rationale: The audit universe is the list of all auditable entities within the organization. Identifying it is
the first step in risk-based planning.
5. Which IT governance framework is most closely aligned with COBIT 2019?
A) ITIL
B) ISO 27001
C) TOGAF
D) COSO
Rationale: COBIT 2019 provides an integrated framework for enterprise governance and management
of information and technology, aligning with COSO for internal control.
6. Which of the following is a preventive control?
A) Intrusion detection system (IDS)
B) Security awareness training
C) Fire suppression system
D) Audit log review
Rationale: Security awareness training is preventive because it deters users from unsafe behaviors. An IDS
is detective; fire suppression is corrective; log review is detective.
7. The PRIMARY purpose of a post-implementation review is to:
A) Verify that the system meets user requirements and business objectives
B) Reject the system if any defects remain