CISA Certified Information Systems Auditor Practice Tests - Peter H. Gregory - E-Book

Description

Improve your understanding of every CISA exam domain and objective to further your career in information systems auditing

CISA Certified Information Systems Auditor Practice Tests provides essential and practical exam prep for the popular CISA certification. Hundreds of domain-by-domain practice questions cover all of the tested Certified Information Systems Auditor exam objectives, helping you prepare for the test and for the real-world demands of a career in systems audit, security, and control.

Just like the real exam, the practice questions, written by veteran information security experts Peter Gregory and Mike Chapple, cover the information systems auditing process; the governance and management of IT; information systems acquisition, development, and implementation; information systems operations and business resilience; and the protection of information assets. These rigorous and realistic practice questions will get you ready whether you are new to the industry or experienced and ready to advance your career. By studying the domain-by-domain questions as well as taking the full-length practice exams, you'll identify your subject-matter strengths and weaknesses and be ready to shift from topic to topic in an exam-like setting. In the book, you'll get:

  • Challenging questions designed to advance your understanding and comprehension of all covered exam domains
  • Questions as similar as possible to the real CISA exam questions
  • Complimentary access to online version of the same questions to practice your online test-taking skills

Perfect for everyone studying for the CISA Certified Information Systems Auditor certification exam, this book will also benefit IT security professionals seeking to test and improve their skillset.


Page count: 452

Year of publication: 2025




Table of Contents

Cover
Table of Contents
Title Page
Copyright
Dedication
Acknowledgments
About the Authors
About the Technical Editors
Introduction
   The CISA Exam
   CISA Exam Objectives
Chapter 1: The Audit Process
   Questions
Chapter 2: Governance and Management of IT
   Questions
Chapter 3: IT Life Cycle Management
   Questions
Chapter 4: IT Service Management and Continuity
   Questions
Chapter 5: Information Asset Protection
   Questions
Practice Test 1
Practice Test 2
Appendix
   Chapter 1
   Chapter 2
   Chapter 3
   Chapter 4
   Chapter 5
   Practice Test 1
   Practice Test 2
Index
End User License Agreement


CISA® Certified Information Systems Auditor Practice Tests

Covers 2024–2029 Exam Objectives

Peter H. Gregory, CISA, CISSP

Mike Chapple, Ph.D., CISA, CISSP

Copyright © 2025 by John Wiley & Sons, Inc. All rights, including for text and data mining, AI training, and similar technologies, are reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada and the United Kingdom.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permission.

The manufacturer’s authorized representative according to the EU General Product Safety Regulation is Wiley-VCH GmbH, Boschstr. 12, 69469 Weinheim, Germany, e-mail: [email protected].

Trademarks: WILEY, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CISA is a trademark or registered trademark of Information Systems Audit and Control Association, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Limit of Liability/Disclaimer of Warranty: While the publisher and authors have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993. For product technical support, you can find answers to frequently asked questions or reach us via live chat at sybexsupport.wiley.com.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our website at www.wiley.com.

Library of Congress Control Number: 2025908051

Print ISBN: 9781394290109

ePdf ISBN: 9781394290123

ePub ISBN: 9781394290116

oBook ISBN: 9781394324460

Cover Design: Wiley

Cover Image: © Jeremy Woodhouse/Getty Images

To my grandchildren – may they grow up in a safer world.

—Peter

To my wife, Renee. We are a quarter century into this adventure together and yet we still find ourselves standing on the precipice of change. Here’s to what’s next!

—Mike

Acknowledgments

Books like this involve work by many people, and as authors, we truly appreciate the hard work and dedication that the team at Wiley shows. We would especially like to thank our acquisitions editor, Jim Minatel, who jumped through some incredible hoops to make this project possible.

We also greatly appreciated the editing and production team for the book, including Christine O’Connor, the managing editor, who brought years of experience and great talent to the project; Archana Pragash, the project manager, who kept the train on the tracks; Bobby Rogers and Jessica Chang, the technical editors, who provided insightful advice and gave wonderful feedback throughout the book; and Liz Britten, the production editor, who guided us through layouts, formatting, and final cleanup to produce a great book. We would also like to thank the many behind-the-scenes contributors, including the graphics, production, and technical teams who made the book and companion materials into a finished product.

Shahla Pirnia, Elastos Chimwanda, Craig Sheffield, and Laurence Urbano, members of Mike’s team at CertMike.com, were instrumental in helping us get all the details straightened out as we prepared the manuscript.

Our agent, Carole Jelen of Waterside Productions, continues to provide us with wonderful opportunities, advice, and assistance throughout our writing careers.

Finally, we would like to thank our families, who supported us through the late evenings, busy weekends, and long hours that a book like this requires to write, edit, and get to press.

About the Authors

Peter H. Gregory, CISSP, CISM, CISA, CRISC, CIPM, CDPSE, CCSK, A/CCRF, A/CCRP, A/CRMP, is the author of more than 60 books on security and technology, including Solaris Security (Prentice Hall, 2000), The Art of Writing Technical Books (Waterside, 2022), CISA Certified Information Systems Auditor Study Guide (John Wiley, 2025), Chromebook For Dummies (Wiley, 2023), and Elementary Information Security (Jones & Bartlett Learning, 2024).

Peter is a semi-retired career technologist and security executive. Earlier, he held security leadership positions at GCI (www.gci.com), Optiv Security (www.optiv.com), and Concur Technologies (www.concur.com). Peter is an advisory board member for the University of Washington and Seattle University for education programs in cybersecurity. He is a 2008 graduate of the FBI Citizens’ Academy.

Peter resides in Central Washington State and can be found at www.peterhgregory.com.

Mike Chapple, PhD, CISA, CISSP, CISM, CIPP/US, CIPM, CCSP, CySA+, is the author of more than 50 books, including the best-selling CISSP ISC2 Certified Information Systems Security Professional Official Study Guide (Sybex, 2024), the CISA Certified Information Systems Auditor Study Guide (John Wiley, 2025), and the CISSP ISC2 Official Practice Tests (Sybex 2024). He is a cybersecurity professional with 25 years of experience in higher education, the private sector, and government.

Mike currently serves as teaching professor in the IT, Analytics, and Operations department at the University of Notre Dame’s Mendoza College of Business, where he teaches undergraduate and graduate courses on cybersecurity, data management, and business analytics.

Mike previously served as executive vice president and chief information officer of the Brand Institute, a Miami-based marketing consultancy. He also spent four years in the information security research group at the National Security Agency and served as an active-duty intelligence officer in the US Air Force.

Mike earned both his BS and PhD degrees in computer science and engineering from Notre Dame. He also holds an MS in computer science from the University of Idaho and an MBA from Auburn University.

Learn more about Mike and his other security certification materials at his website, https://CertMike.com.

About the Technical Editors

Bobby Rogers is a senior cybersecurity professional with more than 30 years in the field. He serves as a cybersecurity auditor and virtual chief information security officer (vCISO) for a variety of clients. He works with a major engineering company in Huntsville, Alabama, helping to secure networks and manage cyber risk for its customers. In addition to numerous educational institutions, Bobby’s customers have included the US Army, NASA, the State of Tennessee, and private/commercial companies and organizations. Bobby’s specialties are cybersecurity engineering, security compliance, and cyber risk management, but he has worked in almost every area of cybersecurity, including network defense, computer forensics and incident response, and penetration testing.

He has narrated and produced more than 30 computer training videos for several training companies. He is the author of McGraw-Hill Education’s CompTIA CySA+ Cybersecurity Analyst Certification Passport (Exam CS0-002), 1st Edition and CISSP Certification Passport, 1st Edition; coauthor of Certified in Risk and Information Systems Control (CRISC) All-in-One Certification Guide, 1st and 2nd editions; and contributing author/technical editor for the popular CISSP All-in-One Exam Guide (7th, 8th, and 9th editions).

Jessica Chang is a licensed CPA in the state of Colorado with more than 15 years of public accounting and general accounting experience in multiple leadership roles. She has worked in various industries, including telecommunications, hospitality, real estate, and e-commerce, and has served as the chief audit executive for multiple companies.

Introduction

Congratulations on choosing to become a Certified Information Systems Auditor (CISA). Whether you have worked for several years in information systems auditing or have just recently been introduced to the world of controls, assurance, and security, don’t underestimate the hard work and dedication required to obtain and maintain CISA certification. Although ambition and motivation are essential, the rewards of being CISA certified can far exceed the effort.

You probably never imagined yourself working in auditing or looking to obtain a professional auditing certification. Perhaps the increase in legislative or regulatory requirements for information system security led to your introduction to this field. Or, possibly, you noticed that CISA-related career options are growing rapidly, and you have decided to get ahead of the curve. You aren’t alone; since the inception of the CISA certification in 1978, more than 200,000 professionals worldwide have reached the same conclusion and earned this well-respected certification. Welcome to the journey and the opportunities that await you.

How to Use This Book

This book is a companion to the CISA Certified Information Systems Auditor Study Guide: Covers 2024 Exam Objectives (Sybex, 2025, Gregory/Chapple). If you’re looking to test your knowledge before you take the CISA exam, this book will help you by providing a combination of 700 questions that cover the CISA domains with easily understood explanations for correct answers.

Since this is a companion to the CISA Certified Information Systems Auditor Study Guide, this book is designed to approximate the experience of taking the CISA exam. It contains standard multiple-choice questions similar to those you may encounter in the certification exam itself. The book is divided into five chapters, each corresponding to one of the five domains in the CISA Job Practice.

We have compiled this information in both books to help you understand the commitment needed, prepare for the exam, and maintain your certification. Not only do we wish you to prepare for and pass the exam with flying colors, but we also provide you with the information and resources to maintain your certification and represent yourself and the professional world of information system (IS) auditing proudly with your new credentials.

If you’re preparing for the CISA exam, you’ll undoubtedly want to find as much information as possible about information systems and auditing. The more information you have, the better off you’ll be when attempting the exam. The companion study guide was written with that in mind. The goal was to provide enough information to prepare you for the test, but not so much that you’ll be overloaded with information outside the exam’s scope.

Together, these books present the material at an intermediate technical level. Experience with and knowledge of security and auditing concepts will help you fully understand the challenges you’ll face as an information systems auditor.

If you can answer 80% or more of the review questions correctly for a given domain, you can feel safe moving on to the next domain. If you’re unable to answer that many correctly, reread the companion book chapter and try the questions again. Your score should improve.

Don’t just study the questions and answers! The questions on the actual exam will be different from the practice questions included in this book. The exam is designed to test your knowledge of a concept or objective, so use this book to learn the objectives behind the questions.

About ISACA

ISACA (formerly known as the Information Systems Audit and Control Association) is a recognized leader in control, assurance, and IT governance. Formed in 1967, this nonprofit organization represents more than 180,000 professionals in more than 188 countries. ISACA administers several exam certifications, including:

Certified Information Systems Auditor (CISA)

Certified Information Security Manager (CISM)

Certified in Risk and Information Systems Control (CRISC)

Certified Data Privacy Solutions Engineer (CDPSE)

Certified in Governance of Enterprise IT (CGEIT)

Certified Cybersecurity Operations Analyst (CCOA)

The certification program has been accredited under ISO/IEC 17024:2012, which means that ISACA’s certification procedures meet international requirements for quality, continuous improvement, and accountability.

If you’re new to ISACA, we recommend you tour the organization’s website (www.isaca.org) and familiarize yourself with the available guides and resources. In addition, if you’re near one of the 225 local ISACA chapters in 99 countries worldwide, consider contacting the chapter board for information on local meetings, training days, conferences, or study sessions. You may be able to meet other IS auditors who can give you additional insight into the CISA certification and the audit profession.

Established in 1978, the CISA certification primarily focuses on audit, controls, assurance, and security. It certifies the individual’s knowledge of testing and documenting IS controls and their ability to conduct formal IS audits. Organizations seek qualified personnel for assistance with developing and maintaining robust control environments. A CISA-certified individual is a great candidate for these positions.

The CISA Exam

The CISA exam is designed to be a vendor-neutral certification for information systems auditors. ISACA recommends this certification for those who already have experience in auditing and want to demonstrate that experience to current and future employers.

The exam covers five major domains:

Information Systems Auditing Process

Governance and Management of IT

Information Systems Acquisition, Development, and Implementation

Information Systems Operations and Business Resilience

Protection of Information Assets

These five areas include a range of topics, from enterprise risk management to evaluating cybersecurity controls. They focus heavily on scenario-based learning and the role of the information systems auditor in various scenarios. You’ll need to learn a lot of information, but you’ll be well rewarded for possessing this credential. ISACA reports that the average salary of CISA credential holders is more than $145,000. And according to Certification Magazine’s 2023 salary survey, ISACA credentials, including CISA, are among the top 10 highest paying in IT.

The CISA exam includes only standard multiple-choice questions. Each question has four possible answer choices, and only one of those answers is correct. When taking the test, you’ll likely find some questions where you think multiple answers might be correct. In those cases, remember that you’re looking for the best possible answer to the question!

The exam costs $575 for ISACA members and $760 for non-members. More details about the CISA exam and how to take it can be found at www.isaca.org/credentialing/cisa.

You’ll have four hours to take the exam and be asked to answer 150 questions during that time. Your exam will be scored on a scale ranging from 200 to 800, with a passing score of 450.

ISACA frequently does what is called item seeding, which is the practice of including unscored questions on exams. It does so to gather psychometric data, which is then used when developing new versions of the exam. Before you take the exam, you will be told that your exam may include these unscored questions. So, if you come across a question that does not appear to map to any of the exam objectives—or, for that matter, does not appear to belong in the exam—it is likely a seeded question. However, you never really know whether a question is seeded, so always try to answer every question.

Taking the Exam

Once fully prepared to take the exam, you can visit the ISACA website to register. Currently, ISACA offers two options for taking the exam: an in-person exam at a testing center and an at-home exam on your own computer through a remote proctoring service.

In-Person Exams

ISACA partners with PSI Exams testing centers, so your next step will be to locate a testing center near you. In the US, you can do this based on your address or your ZIP code, whereas non-US test takers may find it easier to enter their city and country. You can search for a test center near you on the PSI Exams website: https://www.psiexams.com

Now that you know where you’d like to take the exam, simply set up a PSI testing account and schedule an exam on the site.

On the day of the test, bring a government-issued identification card or passport that contains your full name (exactly matching the name on your exam registration), your signature, and your photograph. Be sure to show up with plenty of time before the exam starts. Remember that you cannot take your notes, electronic devices (including smartphones and watches), or other materials into the testing center with you.

At-Home Exams

ISACA also offers online exam proctoring. Candidates using this approach will take the exam at their home or office and be proctored over a webcam by a remote proctor.

Due to the rapidly changing nature of the at-home testing experience, candidates wishing to pursue this option should check the ISACA website for the latest details.

One critical fact worth noting is that you must have a computer with a webcam and full administrative control over the computer. You’ll likely have some difficulty using an employer-based computer that restricts your control. We recommend that you use a personally owned computer instead.

After the CISA Exam

Once you have taken the exam, you will be notified of your score immediately, so you’ll know right away whether you passed. Keep your score report with your exam registration records and the email address you used to register for the exam. You’re now ready to begin the certification application process, described next.

Meeting the Experience Requirement

The CISA program is designed to demonstrate that an individual is a qualified information systems auditor. That requires more than just passing a test – it also requires real hands-on work experience.

The basic CISA work experience requirement is that you must have five years of work experience in information systems audit, controls, assurance, or security. If your work aligns with any job practice statements found later in this introduction, that experience likely qualifies.

You will be required to get your work experience verified by your supervisor or manager for each organization where you claim experience.

If you’re a current information systems auditor or cybersecurity professional, you may find it easy to meet these requirements. If you don’t yet meet the experience requirement, you may still take the exam, and then you’ll have five years to gain the experience and become fully certified after passing the test.

Some waivers are available that can knock one, two, or three years off your experience requirement:

If you hold an associate’s degree in any field, you qualify for a one-year waiver.

If you hold a bachelor’s, master’s, or doctoral degree in any field, you qualify for a two-year waiver.

If you hold a master’s degree in information systems or a related field, you qualify for a three-year waiver.

If you hold full certification from the Chartered Institute of Management Accountants (CIMA), you qualify for a two-year waiver.

If you are a member of the Association of Chartered Certified Accountants (ACCA), you qualify for a two-year waiver.

These waivers may not be combined. You may only use one of these waiver options against your certification requirements.

You must have earned all of the experience used toward your requirement within the 10 years preceding your application or within five years of the date you pass the exam.

Once you complete your application, you must acknowledge the ISACA Terms and Conditions Agreement and pay a US $50 application processing fee. When you have received final approval from ISACA, you can use the CISA designation in your professional materials, including your email signature, resume, social media, and other materials.

Maintaining Your Certification

Information systems auditing is constantly evolving, with new threats and controls arising regularly. All CISA holders must complete continuing professional education annually to keep their knowledge current and their skills sharp. The guidelines around continuing professional education are somewhat complicated, but they boil down to two main requirements:

You must complete 120 hours of credit every three years to remain certified.

You must have at least 20 credit hours every year during that cycle.

You must meet both of these requirements. For example, if you earn 120 credit hours during the first year of your certification cycle, you still must earn 20 additional credits in each of the next two years.

Continuing education requirements follow calendar years, and your clock will begin ticking on January 1 of the year after you earn your certification. You are allowed to start earning credits immediately after you’re certified. They’ll just count for the following year.

There are many acceptable ways to earn CPE credits, many of which do not require travel or attending a training seminar. The important requirement is that you generally do not earn CPEs for work that you perform as part of your regular job. CPEs are intended to cover professional development opportunities outside of your day-to-day work. You can earn CPEs in several ways:

Attending conferences

Attending training programs

Attending professional meetings and activities

Taking self-study courses

Participating in vendor marketing presentations

Teaching, lecturing, or presenting

Publishing articles, monographs, or books

Participating in the exam development process

Volunteering with ISACA

Earning other professional credentials

Contributing to the profession

Mentoring

For more information on the activities that qualify for CPE credits, visit this site: www.isaca.org/credentialing/how-to-earn-cpe.

Additional Study Tools

This book has additional study tools to help you prepare for the exam. They include the following.

Go to www.wiley.com/go/Sybextestprep to register and gain access to this interactive online learning environment and test bank with study tools.

Sybex Test Preparation Software

Sybex’s test preparation software lets you prepare with electronic test versions of the review questions from each chapter, the practice exam, and the bonus exam included in this book. You can build and take tests on specific domains or by chapter, or cover the entire set of CISA exam objectives using randomized tests.

Bonus Practice Exams

In addition to the practice questions for each chapter, this book includes two full 150-question practice exams. We recommend using them both to test your preparedness for the certification exam.

CISA Exam Objectives

ISACA publishes relative weightings for each of the exam’s objectives. The following table lists the five CISA domains and the extent to which they are represented on the exam.

Domain                                                               % of Exam
1. Information Systems Auditing Process                                 18%
2. Governance and Management of IT                                      18%
3. Information Systems Acquisition, Development, and Implementation     12%
4. Information Systems Operations and Business Resilience               26%
5. Protection of Information Assets                                     26%

Chapter 1: The Audit Process

THIS CHAPTER COVERS CISA DOMAIN 1, “INFORMATION SYSTEMS AUDITING PROCESS,” AND INCLUDES QUESTIONS FROM THE FOLLOWING TOPICS:

Audit management

ISACA auditing standards and guidelines

Audit and risk analysis

Internal controls

Performing an audit

Control self-assessments

Audit recommendations

The topics in this chapter represent 18% of the CISA examination.

This topic is fully covered in the companion guide, “CISA Certified Information Systems Auditor Study Guide,” in Chapter 2.

Questions

You can find the answers to the questions in Appendix A.

1. The IT Assurance Framework consists of all of the following except:
   A. ISACA Code of Professional Ethics
   B. IS audit and assurance standards
   C. ISACA Audit Job Practice
   D. IS audit and assurance guidelines

2. An auditor is examining an IT organization’s change control process. The auditor has determined that Change Advisory Board (CAB) meetings take place on Tuesdays and Fridays, where planned changes are discussed and approved. The CAB does not discuss emergency changes that are not approved in advance. What opinion should the auditor reach concerning emergency changes?
   A. The CAB should not be discussing changes made in the past.
   B. The CAB should be discussing recent emergency changes.
   C. Personnel should not be making emergency changes without CAB permission.
   D. Change control is concerned only with planned changes, not emergency changes.

3. A conspicuous video surveillance system would be characterized as what type(s) of control?
   A. Detective and deterrent
   B. Detective only
   C. Deterrent only
   D. Preventive and deterrent

4. Michael is developing an audit plan for an organization’s data center operations. Which of the following will help Michael determine which controls require potentially more scrutiny than others?
   A. Security incident log
   B. Last year’s data center audit results
   C. Risk assessment of the data center
   D. Data center performance metrics

5. An organization processes payroll and expense reports for thousands of corporate customers in a SaaS-based environment. Those customers want assurance that the organization’s processes are effective. What kind of audit should the organization undertake?
   A. Compliance audit
   B. Operational audit
   C. Service provider audit
   D. IS audit

6. An audit project has been taking far too long, and management is beginning to ask questions about its schedule and completion. This audit may be lacking:
   A. Effective project management
   B. Cooperation from individual auditees
   C. Enough skilled auditors
   D. Clearly stated scope and objectives

7. An auditor is auditing the user account request and fulfillment process. The event population consists of hundreds of transactions, so the auditor cannot view them all. The auditor wants to view a random selection of transactions. This type of sampling is known as:
   A. Judgmental sampling
   B. Random sampling
   C. Stratified sampling
   D. Statistical sampling

8. An auditor is auditing an organization’s user account request and fulfillment process. What is the first type of evidence collection the auditor will likely want to examine?
   A. Observation
   B. Document review
   C. Walkthrough
   D. Corroborative inquiry

9. A lead auditor is building an audit plan for a client’s financial accounting system. The plan calls for periodic testing of a large number of transactions throughout the audit project. What is the best approach for accomplishing this?
   A. Reperform randomly selected transactions.
   B. Periodically submit test transactions to the audit client.
   C. Develop one or more CAATs.
   D. Request a list of all transactions to analyze.

10. A lead auditor is building an audit plan for a client’s financial transaction processing system. The audit will take approximately three months. Which of the following is the best approach for reporting audit exceptions to the audit client?
   A. Report the exceptions to the audit committee.
   B. List the exceptions in the final audit report.
   C. Include the exceptions in a weekly status report.
   D. Advise the client of exceptions as they are discovered and confirmed.

11. Which of the following is true about the ISACA Audit Standards and Audit Guidelines?
   A. ISACA Audit Standards are mandatory.
   B. ISACA Audit Standards are optional.
   C. ISACA Audit Guidelines are mandatory.
   D. ISACA Audit Standards are only mandatory for SOX audits.

12. An auditor is auditing an organization’s identity and access management program. The auditor has found that automated workflows are used to receive and track access requests and approvals. However, the auditor has identified a number of exceptions where subjects were granted access without the necessary requests and approvals. What remedy should the auditor recommend?
   A. Monthly review of access approvers
   B. Annual review of access approvers
   C. Annual user access reviews
   D. Monthly user access reviews

13. Why are preventive controls preferred over detective controls?

Preventive controls are easier to justify and implement than detective controls.

Preventive controls are less expensive to implement than detective controls.

Preventive controls stop unwanted events from occurring, whereas detective controls only record them.

Detective controls stop unwanted events from occurring, whereas preventive controls only record them.

For the purposes of audit planning, can an auditor rely on the audit client’s risk assessment?

Yes, in all cases.

Yes, if the risk assessment was performed by a qualified external entity.

No. The auditor must perform a risk assessment themselves.

No. The auditor does not require a risk assessment to develop an audit plan.

An organization processes payroll and expense reports in a SaaS-based environment for thousands of corporate customers. Those customers want assurance that the organization’s processes are effective. What kind of an audit should the organization undertake?

AUP

PA DSS

PCI DSS

SSAE18

An auditor is auditing an organization’s system-hardening policy within its vulnerability management process. The auditor has examined the organization’s system-hardening standards and wants to examine the configuration of some of the production servers. What is the best method for the auditor to obtain evidence?

Capture screenshots from servers selected by the systems engineer during a walkthrough.

Request screenshots from servers selected by the systems engineer.

Request screenshots of randomly selected servers from the systems engineer.

Capture screenshots from randomly selected servers during a walkthrough with the systems engineer.

An auditor is auditing the user account request and fulfillment process. The event population consists of hundreds of transactions, so the auditor cannot view them all. The auditor wants to view a random selection of transactions, as well as some of the transactions for privileged access requests. This type of sampling is known as:

Judgmental sampling

Random sampling

Stratified sampling

Statistical sampling

An auditor is auditing an organization’s user account request and fulfillment process. The auditor has requested that the control owner describe the process to the auditor. What type of auditing is taking place?

Observation

Document review

Walkthrough

Corroborative inquiry

An external audit firm is performing an audit of a customer’s financial accounting processes and IT systems. While examining a data storage system’s user access permissions, the staff auditor discovered the presence of illegal content. What should the staff auditor do next?

Notify law enforcement.

Inform their supervisor.

Notify the auditee.

Notify the auditee’s audit committee.

A QSA auditor in an audit firm has completed a PCI DSS audit of a client and found the client noncompliant with one or more PCI DSS controls. Management in the audit firm has asked the QSA auditor to sign off the audit as compliant, arguing that the client’s level of compliance has improved from prior years. What should the QSA auditor do?

Refuse to sign the audit report as compliant.

Sign the audit report as compliant, under duress.

Sign the audit report as compliant.

Notify the audit client of the matter.

An organization wants to drive accountability for the performance of security controls to their respective control owners. Which activity is the best to undertake to accomplish this objective?

Direct control owners to sign a document of accountability.

Have the internal audit department audit the controls.

Have an external audit firm audit the controls.

Undergo control self-assessments (CSAs).

An auditor is evaluating a control related to a key card mechanism protecting a data center from unauthorized visitors. The auditor has determined that the key card control is ineffective because visitors often “piggyback” their way into the data center. What detective control should be implemented to compensate for this control deficiency?

A video surveillance system with 90-day content retention that records all entrances into and exits from the data center

A visitor’s log inside the data center that all visitors would be required to sign

A man trap

A policy requiring all visitors to be escorted

A US-based organization processes payroll and expense reports in a SaaS-based environment for thousands of corporate customers. Customers outside the US want assurance that the organization’s processes are effective. What kind of an audit should the organization undertake?

ISO/IEC 27001

SOC2

ISAE3402

SSAE18

A large merchant organization has commissioned a QSA (PCI) audit firm to perform a PCI DSS Report on Compliance (ROC). The audit firm has noted that the merchant’s compliance deadline is less than one month away. What should the audit firm do next?

File a compliance extension with the PCI Standards Council on behalf of the merchant.

Inform the merchant that the ROC can be completed on time.

Inform the merchant that the ROC cannot be completed on time and that an extension should be requested.

File a compliance extension with the merchant’s acquiring bank.

An auditor is developing an audit plan for an accounts payable function. Rather than randomly selecting transactions to examine, the auditor wants to select transactions from low, medium, and large payment amounts. Which sample methodology is appropriate for this approach?

Judgmental sampling

Stratified sampling

Nonrandom sampling

Statistical sampling

A cybersecurity audit firm has completed a penetration test of an organization’s web application. The final report contains two findings that indicate the presence of two critical vulnerabilities. The organization disputes the findings because of compensating controls outside the web application interface. How should the audit proceed?

The audit firm should remove the findings from the final report.

The organization should select another firm to conduct the penetration test.

The organization’s management should protest the findings and include a letter accompanying the pen test report.

The audit firm should permit the customer to include some management comments in the final report.

What is the objective of the ISACA audit standard on organizational independence?

The auditor’s placement in the organization should ensure that the auditor can act independently.

The auditor should not work in the same organization as the auditee.

To ensure that the auditor has the appearance of independence.

To ensure that the auditor has a separate operating budget.

An auditor is auditing an organization’s risk management process. During the walkthrough, the auditor asked the auditee to list all of the information sources contributing to the process. The auditee cited penetration tests, vendor advisories, nonvendor advisories, and security incidents as inputs. What conclusion should the auditor draw from this?

The process is effective because risks are obtained from several disparate sources.

The process is ineffective as risk assessments do not occur or contribute to the process.

The process is effective because both internal and external sources are used.

The process is ineffective because an anonymous tip line was not among the sources.

The capability wherein a server is reconstituted from backup media is known as which type of control?

Primary control

Manual control

Compensating control

Recovery control

Prior to planning an audit, an auditor would need to conduct a risk assessment to identify high-risk areas in all of the following situations except:

When a client’s most recent risk assessment is two years old

When a client’s risk assessment does not appear to be adequately rigorous

A PCI “Report on Compliance” audit

A SOC2 audit

Which of the following audit types is appropriate for a financial services provider such as a payroll service?

SOC 1

SAS70

AUP

Sarbanes-Oxley

Which of the following is the best method for ensuring that an audit project can be completed on time?

Distribute a “provided by client” evidence request list at the start of the audit.

Prepopulate the issues list with findings likely to occur.

Increase the number of auditors on the audit team.

Reduce the frequency of status meetings from weekly to monthly.

An auditor is about to start an audit of a user account access request and fulfillment process. The audit covers six months, from January through June. The population contains 1,800 transactions. Which of the following sampling methodologies is best suited for this audit?

Examine the results of the client’s control self-assessment (CSA).

Submit some user account access requests and observe how they are performed.

Request the first 30 transactions from the auditee.

Request the first five transactions from each month in the audit period.

An auditor is auditing an organization’s personnel onboarding process and examining the background check process. The auditor is mainly interested in whether background checks are performed for all personnel and whether background checks result in no-hire decisions. Which of the following evidence-collection techniques will support this audit objective?

Request the full contents of background checks along with hire/no-hire decisions.

Request the background check ledger that includes the candidates’ names, results of background checks, and hire/no-hire decisions.

Request the hire/no-hire decisions from the auditee.

Examine the background check process, and note which characteristics of each candidate are included.

An auditor wants to audit the changes made to the DBMS configuration of a financial accounting system. What should the auditor use as the transaction population?

All of the transactions in the database

All of the requested changes in the change management process

All of the changes made to the database

All of the approved changes in the change management business process

A credit card payment processor undergoes an annual PCI DSS Report on Compliance (ROC) audit. What evidence of a passing audit should the payment processor provide to merchant organizations and others?

The signed Report on Compliance (ROC)

The signed attestation of compliance (AOC)

The signed report of validation (ROV)

The signed self-assessment questionnaire (SAQ)

Which of the following statements about the ISACA Audit Guidelines is correct?

ISACA Audit Guidelines apply only to audit firms and not to internal audit departments.

ISACA Audit Guidelines are required. Violations may result in fines for violators.

ISACA Audit Guidelines are required. Violations may result in loss of certifications.

ISACA Audit Guidelines are not required.

An external auditor is auditing an organization’s third-party risk management (TPRM) process. The auditor has observed that the organization has developed an ISO 27001-based questionnaire sent to all third-party service providers annually. What value-added remarks can the auditor provide?

The process can be more efficient if the organization develops risk-based tiers to save time auditing low-risk vendors.

The organization should not be sending questionnaires to vendors every year.

The organization should structure its questionnaires based on CSA Star.

The organization should outsource its third-party management process.

What is the difference between SSAE18 Type I and SSAE18 Type II audits?

A Type I audit is an audit of process effectiveness, whereas a Type II audit is an audit of process effectiveness and design.

A Type I audit is an audit of process design and effectiveness, whereas a Type II audit is an audit of process design.

A Type I audit is an audit of process design, whereas a Type II audit is an audit of process design and effectiveness.

A Type I audit is an audit of process design and effectiveness, whereas a Type II audit is an audit of process effectiveness.

An auditor is auditing the payment systems for a retail store chain that has 80 stores in the region. The auditor needs to observe and take samples from some of the stores’ systems. The audit client has selected two stores in the same city as the store chain headquarters and two stores in a nearby town. How should the audit of the store locations proceed?

The auditor should learn more about the stores’ systems and practices before deciding what to do.

The auditor should audit the selected stores and proceed accordingly.

The auditor should accept the sampling but select additional stores.

The auditor should select which stores to examine and proceed accordingly.

As part of an audit of a business process, the auditor has discussed the process with the control owner and the control operators and has collected procedure documents and records related to the process. The auditor is asking internal customers of the business process to describe in their own words how the business process is operated. What kind of evidence collection are these discussions with internal customers?

Reconciliation

Reperformance

Walkthrough

Corroborative inquiry

Three months after the completion of an audit, the auditor contacted the auditee to inquire about the auditee’s activities since the audit and whether the auditee has made any progress related to audit findings. What sort of communication is this outreach from the auditor?

The auditor is a good audit partner and wants to ensure that the auditee is successful.

The auditor is acting improperly by contacting the auditee outside of an audit and should be censured for unethical behavior.

The auditee should assume that the auditor’s outreach is personal in nature because this kind of communication is forbidden.

The auditor clearly ensures that the auditee is happy with the auditor’s work so that the auditor gets next year’s audit assignment.

According to ISACA Audit Standard 1202, which types of risks should be considered when planning an audit?

Fraud risk

Business risk

Cybersecurity risk

Financial risk

An IT service desk department that provisions user accounts performs a monthly activity whereby all user account changes in the prior month are checked against the list of corresponding requests in the ticketing system. This activity is known as:

An audit

A monthly provisioning review

A control threat assessment (CTA)

A risk assessment

An organization that uses video surveillance at a work center has placed visible notices on building entrances that inform people that video surveillance systems are in use. The notices are an example of:

Administrative controls

Preventive controls

Detective controls

Deterrent controls

An auditor is planning an audit of a financial planning application. Can the auditor rely on a recent application penetration test as a risk-based audit?

No, because a penetration test does not reveal risks.

No, because a penetration test is not a risk assessment.

No: the auditor can make use of the pen test, but a risk assessment is still needed.

Yes, because the penetration test serves as a risk assessment in this case.

Which of the following is the best example of a control self-assessment of a user account provisioning process?

An examination of Active Directory to ensure that only domain administrators can make user account permission changes

Checks to see that only authorized personnel made user account changes

Confirmation that all user account changes were approved by appropriate personnel

Reconciliation of all user account changes against approved requests in the ticketing system

The proper sequence of an audit of an accounts payable process is:

Identify control owners, make evidence requests, perform walkthroughs, and perform corroborative interviews.

Make evidence requests, identify control owners, and perform corroborative interviews.

Identify control owners, perform corroborative interviews, make evidence requests, and perform walkthroughs.

Perform corroborative interviews, identify control owners, make evidence requests, and perform walkthroughs.

An auditor is auditing an accounts payable process and has found no exceptions. The auditor has decided to select additional samples to see whether any exceptions may be found. Which type of sampling is the auditor performing?

Stop-or-go sampling

Discovery sampling

Judgmental sampling

Exception sampling

Which of the following methods is best suited for an auditee to deliver evidence to an auditor during the audit of a background check process?

FTP server

Secure file transfer portal

Email with SMTP over TLS

Courier

An auditor has completed an audit, and the deliverable is ready to give to the audit client. What is the best method for delivering the audit report to the client?

Courier

Secure file transfer portal

Email with SMTP over TLS

In person, in a close-out meeting

What are the potential consequences if an IS auditor is a member of ISACA and CISA certified and violates the ISACA Code of Professional Ethics?

Fines

Imprisonment

Termination of employment

Loss of ISACA certifications

An auditor is auditing an accounts payable process and has discovered that a single individual has requested and also approved several payments to vendors. What kind of an issue has the auditor found?

A separation-of-duties issue

A split-custody issue

A dual-custodian issue

No issue has been identified

An organization uses an automated workflow process for request, review, approval, and provisioning of user accounts. Anyone in the organization can request access. Specific individuals are assigned to the review and approval steps. Provisioning is automated. What kind of control is the separation of duties between the review and approval steps?

Compensating control

Manual control

Preventive control

Administrative control

An auditor is planning an audit of a monthly terminated-users review procedure. The auditor is planning to ask the auditee for a list of current user accounts in Active Directory, as well as a list of current employees and a list of terminated employees from Human Resources so that the auditor can compare the lists. What kind of an audit is the auditor planning to perform?

Reperformance

Observation

Corroboration

Walk-back

An IT service desk manager is the control owner for the IT department change control process. In an audit of the change control process, the auditor has asked the IT service desk manager to provide all change control tickets whose request numbers end with the digit 6. What sampling methodology has the auditor used?

Judgmental sampling

Statistical sampling

Stratified sampling

Stop-or-go sampling

An audit firm is planning an audit of an organization’s asset management records. For what reason would the auditor request a copy of the entire asset database from the third-party DBA versus a report of assets from the owner of the asset process?

Honesty of the evidence provider

Objectivity of the evidence provider

Independence of the evidence provider

Qualification of the evidence provider

An auditor has delivered a Sarbanes–Oxley audit report containing 12 exceptions to the audit client, who disagrees with the findings. The audit client is upset and is asking the auditor to remove six findings from the report. A review of the audit findings confirmed that all 12 findings are valid. How should the auditor proceed?

Remove the three lowest-risk findings from the report.

Remove the six lowest-risk findings from the report.

Report the auditee to the Securities and Exchange Commission.

Explain to the auditee that the audit report cannot be changed.

An auditor has delivered a Sarbanes–Oxley audit report containing 12 exceptions to the audit client, who disagrees with the findings. The audit client is upset and is asking the auditor to remove six findings from the report in exchange for a payment of $25,000. A review of the audit findings confirmed that all 12 findings are valid. How should the auditor proceed?

The auditor should report the matter to their manager.

The auditor should reject the payment and meet the auditee halfway by removing three of the findings.

The auditor should reject the payment and remove six of the findings.

The auditor should report the incident to the audit client’s audit committee.

An auditor is auditing a change control process. During a walkthrough, the control owner described the process as follows: “Engineers plan their changes and send an email about their changes to the IT manager before 5 p.m. on Wednesday. The engineers then proceed with their changes during the change window on Friday evening.” What, if any, findings should the auditor identify?

The change control process is fine as is but could be improved by creating a ledger of changes.

The change control process is fine as is.

The change control process lacks a review step.

The change control process lacks review and approval steps.

An organization utilizes a video surveillance system on all ingress and egress points in its work facility; surveillance cameras are concealed from view, and there are no visible notices. What type of control is this?

Administrative control

Secret control

Detective control

Deterrent control

An auditor is selecting samples from records in the user access request process. Although privileged access requests account for approximately 5% of all access requests, the auditor wants 20% of the samples to be requests for administrative access. What sampling technique has the auditor selected?

Judgmental sampling

Stratified sampling

Statistical sampling

Variable sampling

An auditor is auditing a change control process by examining change logs in a database management system and requesting change control records to show that those changes were approved. The auditor plans to proceed until the first exception is found. What sampling technique is being used here?

Discovery sampling

Stop-or-go sampling

Attribute sampling

Exception sampling

Which of the following is the best description of stop-or-go sampling?

The auditor wants to select samples based on arbitrary criteria.

The auditor wants to know how many transactions contain a certain range of values.

The auditor wants to know the total value of the transaction population.

The auditor believes the risk is low and wants to sample as few records as possible.

While auditing a payroll process, an auditor intends to keep selecting samples until an error is found. What type of sampling is being performed?

Discovery sampling

Stop-or-go sampling

Attribute sampling

Exception sampling

A staff auditor is auditing a process, which involves examining the contents of some employee laptop computers. The auditor has detected the presence of child pornography on one laptop computer. What should the auditor do next?

Confront the user of the laptop computer.

Delete the content from the laptop computer.

Notify their supervisor.

Notify law enforcement.

An audit firm has completed an audit of several auditee business processes. The audit firm is in the process of archiving information for the audit. Which of the following information can be excluded from the archiving process?

Field notes

Draft audit report

Sampled transactions

None of these

In an external audit of a client organization, one of the staff auditors realizes that their business partner in a side business is one of the auditee managers in the client organization. What should the staff auditor do about this?

Maintain professional and ethical behavior during the audit.

Refrain from discussing the side business with their business partner during the audit.

Notify their supervisor about a potential conflict of interest.

Request reassignment to another audit project.

An auditor is auditing a release management process by examining policies, procedures, and records and interviewing personnel. The auditor has determined that the personnel who initiate individual software releases are also the approvers. What might the auditor conclude from this?

The process appears to have a segregation-of-duties issue.

The process appears to have a race condition.

The design of the process is appropriate and sound.

Nothing can be concluded from this information.

An auditor is auditing an organization’s vendor risk practices. The information security manager described the process to the auditor, which consists of the security manager performing a security scan of a new vendor’s website to measure the level of risk and reaching a conclusion about the vendor’s suitability solely based on the scan results. What might the auditor conclude from this?

The organization’s vendor management risk process is adequate because security scanning is the primary means for identifying risk.

The organization’s vendor management risk process is inadequate because an objective party should perform the scan.

The organization’s vendor management risk process is inadequate because the organization should also issue a questionnaire to the vendor.

The organization’s vendor management risk process is inadequate because it should be performed by an outside party instead of internally.

An auditor has completed fieldwork on a customer’s SOC 2 audit and has briefed the customer on findings that will appear in the report. What should the customer do next?

Challenge the auditor and ask them to prove their findings.

Agree with the auditor.

Ask for a second opinion from a different partner in the audit firm.

Produce management comments that will appear in the published report.