(CISA) EXAM 2 QUESTIONS AND CORRECT ANSWERS (VERIFIED ANSWERS) PLUS RATIONALES 2025
Domain 1: Information Systems Auditing Process (21 Questions)
1. What is the primary objective of an IS audit?
A) To develop new information systems
B) To evaluate the adequacy and effectiveness of controls
C) To install security software
D) To perform system backups
Correct answer: B
Rationale: The main goal of an IS audit is to assess whether controls are adequate (properly designed) and effective (operating as intended) in mitigating risks to the organization's information systems.
2. Which of the following is the MOST important consideration when planning
an IS audit?
A) Available audit tools
B) Auditor's personal skills
C) Risk assessment and materiality
D) Number of auditors available
Correct answer: C
Rationale: Risk assessment and materiality determine which areas matter most to the organization, so they drive the scope and priority of the audit and ensure audit resources are spent where the potential impact is greatest.
3. What is the primary purpose of a risk-based audit approach?
A) To check compliance with all policies
B) To reduce audit duration
C) To focus audit efforts on areas with the highest risk
D) To test all system transactions
Correct answer: C
Rationale: A risk-based approach directs audit effort to the areas with the greatest potential impact on business objectives, rather than attempting to test every policy or transaction.
4. During an IS audit, the auditor finds that user accounts are not regularly
reviewed. This is an example of:
A) Logical access control failure
B) Physical security lapse
C) Control deficiency
D) Network vulnerability
Correct answer: C
Rationale: Periodic review of user accounts is a control; when it is not performed, that control is not operating, which is a control deficiency. The deficiency concerns logical access, but the finding itself is that the control is missing or ineffective.
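The finding above concerns a periodic access review that is not being performed. The following is an added example, not part of the original question set, of the kind of test an auditor would run over an exported account list to show what such a review should catch. The policy thresholds (90-day review cycle, 60-day dormancy) and the account records are constructed for illustration and are not from the page.

```python
from datetime import date

# Assumed policy values for this example (not taken from the page).
REVIEW_PERIOD_DAYS = 90   # every active account must be re-certified at least this often
DORMANT_DAYS = 60         # an active account unused for longer than this is suspect

# Constructed sample export of accounts joined with HR status (not real data).
ACCOUNTS = [
    {"user": "alice",      "status": "active",   "owner_status": "employed",
     "last_login": "2025-02-20", "last_reviewed": "2025-01-10"},
    {"user": "bob",        "status": "active",   "owner_status": "terminated",
     "last_login": "2024-11-02", "last_reviewed": "2024-09-01"},
    {"user": "svc_backup", "status": "active",   "owner_status": "employed",
     "last_login": "2025-02-28", "last_reviewed": None},
    {"user": "carol",      "status": "disabled", "owner_status": "terminated",
     "last_login": "2024-08-01", "last_reviewed": "2024-12-15"},
    {"user": "dave",       "status": "active",   "owner_status": "employed",
     "last_login": "2024-12-01", "last_reviewed": "2025-02-01"},
]

# Fixed "as of" date so the results are reproducible.
AS_OF = date(2025, 3, 1)


def review_accounts(accounts, as_of=AS_OF):
    """Return the exceptions a periodic user-account review should surface.

    Only active accounts are tested; disabled accounts cannot be used to gain access
    and are out of scope for this particular control test.
    """
    findings = {
        "never_reviewed": [],            # no certification on record at all
        "review_overdue": [],            # last certification older than the policy period
        "terminated_owner_active": [],   # owner has left but the account is still enabled
        "dormant_active": [],            # enabled but unused beyond the dormancy threshold
    }
    for acct in accounts:
        if acct["status"] != "active":
            continue
        user = acct["user"]
        if acct["last_reviewed"] is None:
            findings["never_reviewed"].append(user)
        elif (as_of - date.fromisoformat(acct["last_reviewed"])).days > REVIEW_PERIOD_DAYS:
            findings["review_overdue"].append(user)
        if acct["owner_status"] == "terminated":
            findings["terminated_owner_active"].append(user)
        if (as_of - date.fromisoformat(acct["last_login"])).days > DORMANT_DAYS:
            findings["dormant_active"].append(user)
    return findings


if __name__ == "__main__":
    for category, users in review_accounts(ACCOUNTS).items():
        print(f"{category}: {users}")
```

Each non-empty list is evidence for the audit file: the terminated-owner and never-reviewed cases show the control is not operating, while the dormant and overdue cases show it is not operating often enough.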
5. Which of the following best describes a "walkthrough"?
A) Performing detailed transaction testing
B) Executing penetration tests
C) Tracing a transaction through the system to understand controls
D) Reviewing audit logs
Correct answer: C
Rationale: A walkthrough follows a single transaction from initiation to completion so the auditor can understand the process and confirm that the controls along its path are designed as documented. It is not detailed substantive testing.
6. Which of these is NOT a characteristic used to evaluate audit evidence?
A) Sufficiency
B) Reliability
C) Timeliness
D) Confidentiality
Correct answer: D
Rationale: Audit evidence is evaluated for sufficiency, reliability, relevance, and timeliness. Confidentiality matters for how the auditor protects the evidence once collected, but it is not a criterion for judging the evidence itself.
7. What is the best method to confirm that system changes are authorized?
A) Reviewing system configuration files
B) Checking the system logs
C) Reviewing the change management documentation
D) Interviewing the system administrators
Correct answer: C
Rationale: Approved change requests in the change management records are the direct evidence that a change was authorized. Configuration files and system logs show what changed and when, and administrators can describe what they did, but none of these proves that approval was obtained beforehand.
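In practice the auditor does not stop at reading the change documentation; the test is to reconcile what the change records say was approved against what the system logs show was actually applied. The following is an added example, not part of the original question set, of that reconciliation. The ticket records, the log entries, and the field names are constructed for illustration and are not from the page or from any particular ticketing product.

```python
from datetime import datetime

# Constructed sample export of approved change records (not real data).
APPROVED_CHANGES = [
    {"ticket": "CHG-1001", "target": "db01",  "approved_by": "cab",
     "window_start": "2025-03-01T20:00", "window_end": "2025-03-01T23:00"},
    {"ticket": "CHG-1002", "target": "web02", "approved_by": "cab",
     "window_start": "2025-03-02T01:00", "window_end": "2025-03-02T03:00"},
    {"ticket": "CHG-1003", "target": "fw01",  "approved_by": "cab",
     "window_start": "2025-03-05T22:00", "window_end": "2025-03-05T23:59"},
]

# Constructed sample of changes actually applied, as recovered from system logs
# or configuration history. The ticket reference is whatever the operator recorded.
IMPLEMENTED_CHANGES = [
    {"target": "db01",  "applied_at": "2025-03-01T21:15", "by": "dba1", "ticket": "CHG-1001"},
    {"target": "web02", "applied_at": "2025-03-02T05:30", "by": "ops2", "ticket": "CHG-1002"},
    {"target": "app03", "applied_at": "2025-03-03T14:00", "by": "dev9", "ticket": None},
    {"target": "db01",  "applied_at": "2025-03-04T10:00", "by": "dba1", "ticket": "CHG-9999"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def reconcile(approved, implemented):
    """Match implemented changes to approved tickets and return the exceptions.

    unauthorized:     applied with no ticket, or a ticket that is not in the approved set
    wrong_target:     ticket exists but approves a different system
    outside_window:   ticket exists for this system but the change ran outside the approved window
    not_implemented:  approved ticket with no corresponding change in the logs
    """
    by_ticket = {a["ticket"]: a for a in approved}
    findings = {"unauthorized": [], "wrong_target": [], "outside_window": [], "not_implemented": []}
    implemented_tickets = set()

    for change in implemented:
        approval = by_ticket.get(change.get("ticket"))
        if approval is None:
            findings["unauthorized"].append(change)
            continue
        implemented_tickets.add(approval["ticket"])
        if approval["target"] != change["target"]:
            findings["wrong_target"].append(change)
            continue
        applied = _ts(change["applied_at"])
        if not (_ts(approval["window_start"]) <= applied <= _ts(approval["window_end"])):
            findings["outside_window"].append(change)

    # Approved but never applied is also an exception: either the log source is
    # incomplete or the change was approved and abandoned without being closed.
    findings["not_implemented"] = [a for a in approved if a["ticket"] not in implemented_tickets]
    return findings


if __name__ == "__main__":
    for category, items in reconcile(APPROVED_CHANGES, IMPLEMENTED_CHANGES).items():
        print(f"{category}: {len(items)}")
        for item in items:
            print("   ", item)
```

The two-directional match is the point: testing only from the logs finds changes without approval, while testing only from the tickets finds approvals without an implementation record, and an auditor needs both to conclude that the authorization control is operating.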