ISACA / CISA
CISA Certified Information Systems Auditor Study Guide
2026/2027 | IS Audit, Governance, Risk, Incident Response & Business Continuity Review | ISACA
2026/2027 Edition - Official Exam 2026/2027
Questions: 75 | Passing score: 75% | Recertification: N/A
TABLE OF CONTENTS
Section 1 Information System Auditing Process Q1-15
Section 2 Governance and Management of IT Q16-30
Section 3 Information Systems Acquisition, Development, and Implementation Q31-45
Section 4 Information Systems Operations and Business Resilience Q46-60
Section 5 Protection of Information Assets Q61-75
Instructions: Select the single best answer for each question. This exam is designed for CISA Certified Information Systems
Auditor certification preparation. Passing score: 75% (56 questions correct).
CISA Information Systems Auditor -- 2026/2027 | Passing Score: 75% | Page 1 of 42
SECTION 1 | Information System Auditing Process | Q1-Q15
Q1 Question 1 of 75
A 42-year-old IT auditor is reviewing the annual audit plan for a multinational financial institution and
discovers that risk assessments have not been updated in 18 months. The auditor needs to determine
the most appropriate immediate action to address this gap. What should the auditor recommend as the
priority corrective step?
A. Conduct a comprehensive risk reassessment to update the audit plan with current risk
profiles and exposures
B. Proceed with the existing audit plan since risk profiles in financial institutions remain relatively
stable over 18 months
C. Escalate the issue to the board of directors without performing any preliminary analysis of the
changed risk landscape
D. Reduce the scope of planned audits to compensate for the outdated risk information
Correct Answer: A
Rationale:
The most appropriate action is to conduct a comprehensive risk reassessment because audit plans must be
based on current risk profiles to ensure audit resources target the highest-risk areas. Proceeding with an
outdated plan fails to address the fundamental gap and may miss emerging risks, while escalation without
analysis and scope reduction both fail to resolve the core deficiency.
Q2 Question 2 of 75
During a compliance audit of a healthcare organization, a senior auditor observes that the internal audit
team has been using the same audit program for three consecutive years without modification. The
organization has since adopted cloud-based electronic health records and telehealth services. Which
action best addresses the auditor's concern about the audit program's adequacy?
A. Continue using the existing program but add supplemental testing procedures for the new cloud
and telehealth systems
B. Document the observation and recommend that the audit committee review the program in the next
fiscal year
C. Redesign the audit program from scratch to incorporate the current technology
environment and associated risk factors
D. Rely on external audit firms to cover the technology-specific areas while maintaining the existing
internal program
Correct Answer: C
Rationale:
Redesigning the audit program from scratch is necessary because the organization's technology landscape has
fundamentally changed, requiring audit objectives and procedures aligned with current risks. Simply
supplementing the old program leaves gaps in audit coverage, deferring the review delays critical updates, and
relying on external auditors does not address internal audit capability deficiencies.
Q3 Question 3 of 75
An IS auditor is evaluating the adequacy of audit evidence collected during a review of a company's
change management process. The auditor found that only management sign-offs were obtained as
evidence of testing, with no independent verification records. How should the auditor classify the
sufficiency of this evidence?
A. Sufficient because management sign-offs represent authoritative confirmation that testing was
completed satisfactorily
B. Adequate provided the sign-offs are from senior management with direct oversight of the change
management process
C. Insufficient because audit evidence should include independent verification and objective
test results rather than relying solely on management assertions
D. Conditionally sufficient if the auditor can obtain additional oral confirmations from the testing team
members
Correct Answer: C
Rationale:
The evidence is insufficient because audit standards require objective, verifiable evidence rather than reliance
solely on management assertions, which may be biased. Management sign-offs alone do not demonstrate that
testing was actually performed or that results were accurate, whereas independent verification records provide
the corroborative evidence needed to support audit conclusions.
Q4 Question 4 of 75
A newly appointed chief audit executive at a mid-size manufacturing company is developing the annual
audit plan and needs to prioritize audit engagements. The organization has recently experienced a data
breach, is implementing a new ERP system, and faces increasing regulatory requirements. Which
factor should receive the highest weight in prioritization?
A. The implementation of the new ERP system because it represents the largest capital expenditure
and affects the most business processes
B. The increasing regulatory requirements because non-compliance penalties could threaten the
organization's operating license and financial viability
C. The recent data breach because it indicates actualized risk and potential control
weaknesses that require immediate assessment and remediation verification
D. A balanced approach distributing audit resources equally across all three areas to ensure
comprehensive coverage
Correct Answer: C
Rationale:
The recent data breach should receive the highest weight because it represents actualized risk with known
control failures that require immediate attention to prevent recurrence. While ERP implementation and regulatory
compliance are important, an actualized risk event signals immediate vulnerabilities that must be assessed
before the organization suffers further harm, making it the most critical priority for audit resources.
Q5 Question 5 of 75
An IS auditor has completed fieldwork for a network security audit and is preparing the audit report.
Several findings indicate that firewall rules have not been reviewed in over two years, and the network
team disputes these findings, claiming that an automated tool manages rule updates. The auditor
verified that the automated tool was implemented but found no evidence of periodic rule reviews. How
should the auditor handle this disagreement in the final report?
A. Omit the findings from the report since the network team has provided an alternative explanation
that could be valid
B. Delay issuing the report until the auditor and network team can reach full consensus on the severity
of the findings
C. Revise the findings to reflect a lower risk rating to accommodate the network team's concerns
about the automated tool implementation
D. Include the findings with objective evidence supporting the conclusion and document the
network team's response as a management comment in the report
Correct Answer: D
Rationale:
The auditor must include the findings with supporting evidence because audit reports must present factual,
objective conclusions regardless of auditee disagreement. Documenting management's response as a comment
preserves both the integrity of the audit conclusion and management's perspective, while omitting findings,
downgrading severity without evidence, or delaying for consensus would compromise audit independence and
objectivity.
Q6 Question 6 of 75
A regional bank's internal audit department is conducting a follow-up audit to verify that previously
reported findings from a business continuity audit have been remediated. The auditor discovers that
management accepted the risk of one critical finding instead of implementing the recommended
controls. What is the auditor's most appropriate course of action?
A. Close the finding because management has formally accepted the risk, which is within their
authority
B. Reopen the audit and conduct additional testing to force management to implement the original
recommendations
C. Override management's risk acceptance and insist on implementation of the recommended
controls to protect the organization
D. Verify that the risk acceptance was properly documented and approved by appropriate
authority, then report the current status to the audit committee
Correct Answer: D
Rationale:
The auditor should verify proper documentation and escalation of the risk acceptance because while
management can accept risk, critical findings typically require senior management or board-level approval.
Reporting the status to the audit committee ensures appropriate governance oversight of the risk acceptance
decision, whereas closing without verification, overriding management authority, or forcing implementation all
exceed or neglect the auditor's proper role.