Commonly Asked CISA Exam Questions with Answers
Table of Contents
Introduction 1-2
CISA Practice Exam Questions and Answers 3-17
Domain 1: Information System Auditing Process (18%) 3-5
Domain 2: Governance and Management of IT (18%) 6-8
Domain 3: Information Systems Acquisition, Development, and Implementation (12%) 9-11
Domain 4: Information Systems Operations and Business Resilience (26%) 12-14
Domain 5: Protection of Information Assets (26%) 15-17
Summary 18
Introduction
Are you ready to take your IT auditing career to the next level with the CISA
certification? The Certified Information Systems Auditor (CISA) certification is the
leading credential for experts responsible for auditing, controlling, monitoring, and
evaluating an organization's IT and business systems.
As you prepare for the CISA exam, you might find yourself wondering, "What kind
of questions will I encounter? How can I best prepare for this challenging test?" We
understand your concerns and are here to help you navigate this critical step in
your professional journey.
www.infosectrain.com
The CISA exam evaluates your proficiency across five critical domains:
Domain 1: Information System Auditing Process (18%)
Domain 2: Governance and Management of IT (18%)
Domain 3: Information Systems Acquisition, Development, and Implementation (12%)
Domain 4: Information Systems Operations and Business Resilience (26%)
Domain 5: Protection of Information Assets (26%)
Each domain plays a crucial role in the world of IT auditing, and mastering them is
key to your success. Let's embark on this CISA exam practice journey together,
transforming complex concepts into your stepping stones to success. Dive into
commonly asked CISA questions and answers and unlock the door to new
opportunities in information systems auditing!
CISA Practice Exam Questions and Answers
Domain 1: Information System Auditing Process (18%)
Q.1. During which phase of the audit process does an auditor gain an
understanding of the entity's environment and internal controls?
A. Reporting
B. Planning
C. Fieldwork
D. Follow-up
Answer: B. Planning
Explanation: In the planning phase, auditors gather information about the
entity's environment and internal controls to identify areas of risk and develop
an appropriate audit approach.
Q.2. What technique involves the auditor watching a process or activity as it is
performed?
A. Inquiry
B. Inspection
C. Observation
D. Reperformance
Answer: C. Observation
Explanation: Observation involves the auditor directly watching processes or
activities to understand how they are performed and to identify potential
control issues.
Q.3. Which scenario best describes an auditor using the inquiry technique?
A. The auditor watches an employee process transactions.
B. The auditor reviews financial statements for accuracy.
C. The auditor interviews employees about their job functions.
D. The auditor examines security logs for unauthorized access attempts.
Answer: C. The auditor interviews employees about their job functions.
Explanation: Inquiry involves asking questions to gather information, usually
through interviews with employees to understand processes and controls.
Q.4. An auditor is reviewing the access control mechanisms in a company's IT
system. During the review, they discovered that terminated employees still have
active user accounts. What should the auditor do next?
A. Report the issue to management immediately.
B. Ignore the issue since it is not significant.
C. Verify if the accounts have been used after termination.
D. Recommend a complete overhaul of the access control system.
Answer: C. Verify if the accounts have been used after termination
Explanation: Before taking further steps, the auditor should determine if the
accounts have been used improperly, which would indicate a serious control
lapse and guide the next actions.
Q.5. An auditor finds that a company's disaster recovery plan (DRP) has not been
tested in over two years. What is the best course of action for the auditor to
recommend?
A. Immediately create a new DRP.
B. Test the existing DRP as soon as possible.
C. Ignore the issue and proceed with the audit.
D. Conduct a training session on the importance of DRP.
Answer: B. Test the existing DRP as soon as possible
Explanation: Regular testing of the DRP is essential to ensure it will work
effectively in an actual disaster. Testing the current plan will help identify any
deficiencies or areas for improvement.
Domain 2: Governance and Management of IT (18%)
Q.1. Which of the following frameworks is commonly used for IT governance and
management?
A. ISO 9001
B. COBIT
C. Six Sigma
D. ITIL
Answer: B. COBIT
Explanation: COBIT (Control Objectives for Information and Related
Technology) is a widely recognized framework for IT governance and
management, providing guidelines and best practices.
Q.2. An organization wants to implement a new cloud-based CRM system. Which
risk management strategy should be applied to address data privacy concerns?
A. Data encryption
B. Hiring additional IT staff
C. Increasing the IT budget
D. Conducting social engineering tests
Answer: A. Data encryption
Explanation: Encrypting data ensures that it remains secure and private when
stored in the cloud, addressing data privacy concerns.
Q.3. An IT manager is tasked with developing a governance framework for a new
IT initiative. What is the first step they should take?
A. Allocate the budget for the initiative.
B. Identify the stakeholders and their requirements.
C. Train the IT staff on governance principles.
D. Purchase the necessary IT infrastructure.
Answer: B. Identify the stakeholders and their requirements
Explanation: Identifying stakeholders and understanding their requirements is
crucial for developing a governance framework that addresses their needs and
aligns with organizational goals.
Q.4. Which of the following is an example of a performance metric in IT governance?
A. Number of IT staff
B. IT budget allocation
C. System uptime percentage
D. Number of IT policies
Answer: C. System uptime percentage
Explanation: System uptime percentage is a performance metric that
measures the availability and reliability of IT systems, which is crucial for
assessing the effectiveness of IT governance.
Q.5. Which of the following tools is commonly used for project management in IT
governance?
A. CMDB
B. Gantt Chart
C. SLA
D. ITIL
Answer: B. Gantt Chart
Explanation: A Gantt chart is a project management tool essential for
planning, scheduling, and tracking project progress, making it particularly
valuable in IT governance.
Domain 3: Information Systems Acquisition, Development, and Implementation (12%)
Q.1. Which of the following is a primary benefit of using prototyping in system
development?
A. Reducing documentation
B. Increasing project costs
C. Enhancing user involvement and feedback
D. Extending project timelines
Answer: C. Enhancing user involvement and feedback
Explanation: Prototyping involves users early and often in the development
process, allowing for feedback and adjustments to ensure the final system
meets user needs.
Q.2. An organization is selecting a new software vendor. What is the first step in
the vendor selection process?
A. Negotiating the contract
B. Evaluating vendor proposals
C. Defining system requirements
D. Conducting a security audit
Answer: C. Defining system requirements
Explanation: Defining system requirements is crucial as it forms the basis for
evaluating vendor proposals and selecting the appropriate software solution.
Q.3. What is the main purpose of user acceptance testing (UAT)?
A. To verify that the system is secure
B. To ensure the system meets user requirements
C. To test the system's performance
D. To identify programming errors
Answer: B. To ensure the system meets user requirements
Explanation: User Acceptance Testing (UAT) is performed to ensure the
system operates as expected and fulfills the end user's needs and
requirements.
Q.4. An IT project is behind schedule and over budget. What should be the
immediate focus to address these issues?
A. Cutting project resources
B. Reassessing project scope and timeline
C. Increasing project staff
D. Reducing the quality of deliverables
Answer: B. Reassessing project scope and timeline
Explanation: Reassessing the project scope and timeline helps identify the
causes of delays and cost overruns, allowing for adjustments to bring the
project back on track.
Q.5. During the implementation of a new ERP system, a critical business process
is not functioning as expected. What should the project team do first?
A. Ignore the issue and continue with the implementation.
B. Revert to the old system immediately.
C. Conduct a root cause analysis to identify the issue.
D. Terminate the project.
Answer: C. Conduct a root cause analysis to identify the issue
Explanation: Conducting a root cause analysis helps to understand the
underlying problem, allowing the project team to address it effectively and
ensure the ERP system functions correctly.
Domain 4: Information Systems Operations and Business Resilience (26%)
Q.1. Which of the following is an example of preventive maintenance in IT
operations?
A. Installing software updates
B. Restoring data from backups
C. Monitoring system performance
D. Conducting security audits
Answer: A. Installing software updates
Explanation: Preventive maintenance involves proactive measures such as
installing software updates to prevent potential issues and ensure system
reliability.
Q.2. Which type of backup involves copying only the data that has changed since
the last full backup?
A. Full backup
B. Incremental backup
C. Differential backup
D. Snapshot backup
Answer: B. Incremental backup
Explanation: Incremental backups copy only the data that has changed since
the last backup, reducing backup time and storage requirements.
Q.3. What is the objective of a business impact analysis (BIA)?
A. To identify potential threats to IT systems.
B. To assess the impact of disruptions on business operations.
C. To develop security policies.
D. To perform regular system maintenance.
Answer: B. To assess the impact of disruptions on business operations.
Explanation: A BIA identifies and evaluates the effects of disruptions on
business operations, helping to prioritize recovery efforts and develop effective
continuity plans.
Q.4. Which of the following best describes a hot site in disaster recovery planning?
A. An alternate site with basic infrastructure.
B. An alternate site with fully operational systems and data.
C. An alternate site with only data storage capabilities.
D. An alternate site with no pre-installed systems.
Answer: B. An alternate site with fully operational systems and data.
Explanation: A hot site is a fully equipped backup location where an
organization can swiftly resume essential business operations in case of a
disaster.
Q.5. An organization wants to ensure that its critical systems can recover quickly
from a hardware failure. Which of the following strategies should they implement?
A. Full data backup every month
B. Redundant Array of Independent Disks (RAID)
C. Manual system monitoring
D. Monthly system maintenance
Answer: B. Redundant Array of Independent Disks (RAID)
Explanation: RAID provides redundancy by storing data across multiple disks,
allowing the system to continue operating even if one disk fails, thereby
enhancing fault tolerance and recovery speed.
Domain 5: Protection of Information Assets (26%)
Q.1. Which of the following is a common method for verifying the integrity of data?
A. Encryption
B. Hashing
C. Compression
D. Tokenization
Answer: B. Hashing
Explanation: Hashing generates a unique fixed-size string (hash) from data,
which can be used to verify that the data has not been altered by comparing
the hash values.
Q.2. An employee needs access to sensitive data for a project. What principle
should the IT department apply to grant access?
A. Least privilege
B. Full access
C. Default allow
D. Maximum privilege
Answer: A. Least privilege
Explanation: The principle of least privilege mandates that users be given only
the minimal access needed to carry out their tasks, thereby minimizing the risk
of unauthorized access to sensitive information.
Q.3. A company wants to implement multi-factor authentication (MFA) for its
remote employees. Which of the following combinations would provide MFA?
A. Username and password
B. Password and security token
C. Password and email address
D. Username and email address
Answer: B. Password and security token
Explanation: Multi-factor authentication (MFA) requires two or more
verification factors. Combining a password (something you know) with a
security token (something you have) provides MFA.
Q.4. Which of the following techniques is used to verify the authenticity and
integrity of a digital message?
A. Digital signature
B. Symmetric key encryption
C. Data compression
D. Firewall
Answer: A. Digital signature
Explanation: A digital signature employs cryptographic methods to verify a
message's authenticity and integrity, ensuring it has not been altered and
confirming the sender's identity.
Q.5. An organization intends to implement a Bring Your Own Device (BYOD) policy.
What is a crucial security measure that should be included in the policy?
A. Allowing unrestricted access to corporate networks.
B. Requiring employees to use personal devices without any restrictions.
C. Implementing mobile device management (MDM) solutions.
D. Providing employees with unrestricted internet access.
Answer: C. Implementing mobile device management (MDM) solutions.
Explanation: MDM solutions enable the organization to manage and secure
personal devices used for work, enforcing security policies, and protecting
corporate data.
Summary
This guide provides a concise yet comprehensive overview of the key domains
covered in the Certified Information Systems Auditor (CISA) exam, crucial for
professionals in IT auditing. It spans five critical areas: the Information System
Auditing Process, focusing on audit planning and essential techniques; Governance
and Management of IT, addressing governance frameworks, risk management, and
performance metrics; Information Systems Acquisition, Development, and
Implementation, emphasizing prototyping, vendor selection, and user acceptance
testing; Information Systems Operations and Business Resilience, covering
preventive maintenance, backup strategies, and disaster recovery; and Protection of
Information Assets, highlighting data integrity, access control principles,
multi-factor authentication, and BYOD security. Each domain is explored through
practical questions and detailed explanations, providing valuable insights to help
candidates effectively prepare for the CISA exam and advance their IT auditing
careers.
www.infosectrain.com
www.infosectrain.com

More Related Content

PDF
Cisa domain 3
PDF
CISA DOMAIN 2 Governance & Management of IT
PDF
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
DOCX
ICS Part 2 Computer Science Short Notes
PDF
Cisa domain 4
PDF
ุงู„ุชุญุถูŠุฑ ู„ุงุฎุชุจุงุฑ ุงู„ู‚ุฏุฑุงุช ุงู„ุนุงู…ุฉ
PDF
Governance Risk Management and Compliance (GRC)
PPTX
Common Errors in Writing a Research Paper
Cisa domain 3
CISA DOMAIN 2 Governance & Management of IT
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
ICS Part 2 Computer Science Short Notes
Cisa domain 4
ุงู„ุชุญุถูŠุฑ ู„ุงุฎุชุจุงุฑ ุงู„ู‚ุฏุฑุงุช ุงู„ุนุงู…ุฉ
Governance Risk Management and Compliance (GRC)
Common Errors in Writing a Research Paper

What's hot (20)

PDF
Cisa domain 1
PPTX
CISA Training - Chapter 5 - 2016
PDF
Basics in IT Audit and Application Control Testing
PDF
A to Z of Information Security Management
PDF
CISA Domain 1 - IS Auditing (day 1)
PDF
CISA Domain- 1 - InfosecTrain
PPT
Information Security Policies and Standards
PPT
Understanding IT Governance and Risk Management
PDF
CISA Domain 3 - Information Systems Acquisition, Development and Implementation
PPTX
Information System Audit and Control
PPTX
Cobit 2019 framework by ISACA
PPTX
IT Audit For Non-IT Auditors
PDF
Information security management system (isms) overview
PPTX
IT Governance Made Easy
PDF
ISO 27001 - IMPLEMENTATION CONSULTING
PPS
ISO 27001 2013 isms final overview
PDF
13 information system audit of banks
PPT
Chap2 2007 Cisa Review Course
PPTX
CISA Training - Chapter 1 - 2016
PDF
ICION 2016 - Cyber Security Governance
Cisa domain 1
CISA Training - Chapter 5 - 2016
Basics in IT Audit and Application Control Testing
A to Z of Information Security Management
CISA Domain 1 - IS Auditing (day 1)
CISA Domain- 1 - InfosecTrain
Information Security Policies and Standards
Understanding IT Governance and Risk Management
CISA Domain 3 - Information Systems Acquisition, Development and Implementation
Information System Audit and Control
Cobit 2019 framework by ISACA
IT Audit For Non-IT Auditors
Information security management system (isms) overview
IT Governance Made Easy
ISO 27001 - IMPLEMENTATION CONSULTING
ISO 27001 2013 isms final overview
13 information system audit of banks
Chap2 2007 Cisa Review Course
CISA Training - Chapter 1 - 2016
ICION 2016 - Cyber Security Governance
Ad

Similar to Commonly Asked CISA Exam Questions with Answers.pdf (20)

PDF
CISSP Exam Practice Domai 1 to 6 ๐Œ๐š๐ฌ๐ญ๐ž๐ซ ๐ญ๐ก๐ž ๐ญ๐จ๐ฉ ๐ฉ๐ซ๐š๐œ๐ญ๐ข๐œ๐ž ๐ช๐ฎ๐ž๐ฌ๐ญ๐ข๐จ๐ง๐ฌ ๐Ÿ๐จ๐ซ ๐ƒ๐จ๐ฆ๐š๐ข๐ง๐ฌ
PDF
Master the top practice questions for CISSP.pdf
PDF
CISSP Exam Practice Questions & Answers.pdf
PDF
CISSP Exam Practice Questions & Answers.pdf
PDF
CISSP Exam Practice Questions and Answers Domains 5-8
PDF
CISA Chapter 2 Excercise.pdf
PPTX
08-Applications-of-Data-Analytics-in-Auditing.pptx
PDF
Solution Manual for Systems Analysis and Design, 7th Edition, Alan Dennis
PPT
Cisa Certification Overview
PDF
Solution Manual for Systems Analysis and Design, 7th Edition, Alan Dennis
PDF
Solution Manual for Systems Analysis and Design, 7th Edition, Alan Dennis
PDF
Solution Manual for Systems Analysis and Design, 7th Edition, Alan Dennis
PDF
Download full Solution Manual for Systems Analysis and Design, 7th Edition, A...
PPTX
2010 07 BSidesLV Mobilizing The PCI Resistance 1c
PPTX
2010 07 BSidesLV Mobilizing The PCI Resistance 1c
DOCX
Chapter 09 security_management_practices
PDF
Solution Manual for Systems Analysis and Design, 7th Edition, Alan Dennis
PPTX
CISA exam 100 practice question
PDF
Enjoy immediate access to the full Solution Manual for Systems Analysis and D...
PDF
Solution Manual for Systems Analysis and Design, 7th Edition, Alan Dennis
CISSP Exam Practice Domai 1 to 6 ๐Œ๐š๐ฌ๐ญ๐ž๐ซ ๐ญ๐ก๐ž ๐ญ๐จ๐ฉ ๐ฉ๐ซ๐š๐œ๐ญ๐ข๐œ๐ž ๐ช๐ฎ๐ž๐ฌ๐ญ๐ข๐จ๐ง๐ฌ ๐Ÿ๐จ๐ซ ๐ƒ๐จ๐ฆ๐š๐ข๐ง๐ฌ
Master the top practice questions for CISSP.pdf
CISSP Exam Practice Questions & Answers.pdf
CISSP Exam Practice Questions & Answers.pdf
CISSP Exam Practice Questions and Answers Domains 5-8
CISA Chapter 2 Excercise.pdf
08-Applications-of-Data-Analytics-in-Auditing.pptx
Solution Manual for Systems Analysis and Design, 7th Edition, Alan Dennis
Cisa Certification Overview
Solution Manual for Systems Analysis and Design, 7th Edition, Alan Dennis
Solution Manual for Systems Analysis and Design, 7th Edition, Alan Dennis
Solution Manual for Systems Analysis and Design, 7th Edition, Alan Dennis
Download full Solution Manual for Systems Analysis and Design, 7th Edition, A...
2010 07 BSidesLV Mobilizing The PCI Resistance 1c
2010 07 BSidesLV Mobilizing The PCI Resistance 1c
Chapter 09 security_management_practices
Solution Manual for Systems Analysis and Design, 7th Edition, Alan Dennis
CISA exam 100 practice question
Enjoy immediate access to the full Solution Manual for Systems Analysis and D...
Solution Manual for Systems Analysis and Design, 7th Edition, Alan Dennis
Ad

More from infosec train (20)

PDF
CRISC 100 Days Study Plan InfosecTrain0.pdf
PDF
Red Team Expert_Interview Questions and Answers.pdf
PDF
Vulnerability Scanning with Nessus-A Practical Guide.pdf
PDF
CISA Revision material InfosecTrain .pdf
PDF
Black Widow s Stealth Mastering Ethical Hacking Techniques.pdf
PDF
GRC Analyst Interview Questions Infosec.pdf
PDF
OSI Model vs. TCPIP by InfosecTrain .pdf
PDF
Top 10 Network Security Solutions.pdf
PDF
Upcoming Free Webinar InfosecTrain.pdf
PDF
Advanced Cloud Security Governance.pdf
PDF
Top 25 ISO 27001 Lead Auditor Interview Questions.pdf
PDF
Internal Audit Interview Questions.pdf
PDF
ISO 22301 2019 Checklist InfosecTrain.pdf
PDF
Skill Switch Then vs Now InfosecTrain.pdf
PDF
Understanding CEH Module 3 Scanning Networks.pdf
PDF
CISA 100 Days Study Plan InfosecTrain.pdf
PDF
Achievers of the Month InfosecTrain .pdf
PDF
Jurassic World Rebirth Cybersecurity.pdf
PDF
CCSP Exam Practice Questions and Answers.pdf
PDF
Digital Forensics Analyst vs. Incident Responder.pdf
CRISC 100 Days Study Plan InfosecTrain0.pdf
Red Team Expert_Interview Questions and Answers.pdf
Vulnerability Scanning with Nessus-A Practical Guide.pdf
CISA Revision material InfosecTrain .pdf
Black Widow s Stealth Mastering Ethical Hacking Techniques.pdf
GRC Analyst Interview Questions Infosec.pdf
OSI Model vs. TCPIP by InfosecTrain .pdf
Top 10 Network Security Solutions.pdf
Upcoming Free Webinar InfosecTrain.pdf
Advanced Cloud Security Governance.pdf
Top 25 ISO 27001 Lead Auditor Interview Questions.pdf
Internal Audit Interview Questions.pdf
ISO 22301 2019 Checklist InfosecTrain.pdf
Skill Switch Then vs Now InfosecTrain.pdf
Understanding CEH Module 3 Scanning Networks.pdf
CISA 100 Days Study Plan InfosecTrain.pdf
Achievers of the Month InfosecTrain .pdf
Jurassic World Rebirth Cybersecurity.pdf
CCSP Exam Practice Questions and Answers.pdf
Digital Forensics Analyst vs. Incident Responder.pdf

Recently uploaded (20)

PPTX
human mycosis Human fungal infections are called human mycosis..pptx
PDF
FourierSeries-QuestionsWithAnswers(Part-A).pdf
PPTX
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
PDF
3rd Neelam Sanjeevareddy Memorial Lecture.pdf
PPTX
The Healthy Child โ€“ Unit II | Child Health Nursing I | B.Sc Nursing 5th Semester
PPTX
Final Presentation General Medicine 03-08-2024.pptx
PDF
Classroom Observation Tools for Teachers
PDF
Abdominal Access Techniques with Prof. Dr. R K Mishra
PDF
RMMM.pdf make it easy to upload and study
PPTX
Cell Structure & Organelles in detailed.
PDF
TR - Agricultural Crops Production NC III.pdf
PPTX
Pharma ospi slides which help in ospi learning
PDF
O5-L3 Freight Transport Ops (International) V1.pdf
PDF
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
PDF
Pre independence Education in Inndia.pdf
PDF
Complications of Minimal Access Surgery at WLH
PDF
Module 4: Burden of Disease Tutorial Slides S2 2025
PDF
Mark Klimek Lecture Notes_240423 revision books _173037.pdf
PDF
Origin of periodic table-Mendeleevโ€™s Periodic-Modern Periodic table
PDF
Supply Chain Operations Speaking Notes -ICLT Program
human mycosis Human fungal infections are called human mycosis..pptx
FourierSeries-QuestionsWithAnswers(Part-A).pdf
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
3rd Neelam Sanjeevareddy Memorial Lecture.pdf
The Healthy Child โ€“ Unit II | Child Health Nursing I | B.Sc Nursing 5th Semester
Final Presentation General Medicine 03-08-2024.pptx
Classroom Observation Tools for Teachers
Abdominal Access Techniques with Prof. Dr. R K Mishra
RMMM.pdf make it easy to upload and study
Cell Structure & Organelles in detailed.
TR - Agricultural Crops Production NC III.pdf
Pharma ospi slides which help in ospi learning
O5-L3 Freight Transport Ops (International) V1.pdf
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
Pre independence Education in Inndia.pdf
Complications of Minimal Access Surgery at WLH
Module 4: Burden of Disease Tutorial Slides S2 2025
Mark Klimek Lecture Notes_240423 revision books _173037.pdf
Origin of periodic table-Mendeleevโ€™s Periodic-Modern Periodic table
Supply Chain Operations Speaking Notes -ICLT Program

Commonly Asked CISA Exam Questions with Answers.pdf

  • 1. CISA Exam Questions with Answers Commonly Asked
  • 2. Table of Content Introduction 1-2 CISA Practice Exam Questions and Answers Domain 1: Information System Auditing Process (18%) Domain 2: Governance and Management of IT (18%) Domain 3: Information Systems Acquisition, Development, and Implementation (12%) Domain 4: Information Systems Operations and Business Resilience (26%) Domain 5: Protection of Information Assets (26%) 3-17 3-5 6-8 9-11 12-14 15-17 Summary 18
  • 3. Introduction Are you ready to take your IT auditing career to the next level with the CISA certi๏ฌcation? The Certi๏ฌed Information Systems Auditor (CISA) certi๏ฌcation is the leading credential for experts responsible for auditing, controlling, monitoring, and evaluating an organization's IT and business systems. As you prepare for the CISA exam, you might ๏ฌnd yourself wondering,"What kind of questions will I encounter? How can I best prepare for this challenging test?" We understand your concerns and are here to help you navigate this critical step in your professional journey. www.infosectrain.com www.infosectrain.com 1 1
  • 4. 2 The CISA exam evaluates your pro๏ฌciency across ๏ฌve critical domains: Domain 1: Information System Auditing Process (18%) Domain 2: Governance and Management of IT (18%) Domain 3: Information Systems Acquisition, Development, and Implementation (12%) Domain 4: Information Systems Operations and Business Resilience (26%) Domain 5: Protection of Information Assets (26%) Each domain plays a crucial role in the world of IT auditing, and mastering them is key to your success. Let's embark on this CISA exam practice journey together, transforming complex concepts into your stepping stones to success. Dive into commonly asked CISA questions and answers and unlock the door to new opportunities in information systems auditing! www.infosectrain.com www.infosectrain.com
  • 5. 3 CISA Practice Exam Questions and Answers Domain 1: Information System Auditing Process (18%) Q.1. During which phase of the audit process does an auditor gain an understanding of the entity's environment and internal controls? www.infosectrain.com Reporting Planning Fieldwork Follow-up Answer: B. Planning Explanation: In the planning phase, auditors gather information about the entity's environment and internal controls to identify areas of risk and develop an appropriate audit approach. Answer: B. Planning Explanation: In the planning phase, auditors gather information about the entity's environment and internal controls to identify areas of risk and develop an appropriate audit approach. Answer: C. Observation Explanation: Observation involves the auditor directly watching processes or activities to understand how they are performed and to identify potential control issues. Answer: C. Observation Explanation: Observation involves the auditor directly watching processes or activities to understand how they are performed and to identify potential control issues. Q.2. What technique involves the auditor watching a process or activity as it is performed? Inquiry Inspection Observation Reperformance
Q.3. Which scenario best describes an auditor using the inquiry technique?
A. The auditor watches an employee process transactions.
B. The auditor reviews financial statements for accuracy.
C. The auditor interviews employees about their job functions.
D. The auditor examines security logs for unauthorized access attempts.
Answer: C. The auditor interviews employees about their job functions.
Explanation: Inquiry involves asking questions to gather information, usually through interviews with employees to understand processes and controls.

Q.4. An auditor is reviewing the access control mechanisms in a company's IT system. During the review, they discovered that terminated employees still have active user accounts. What should the auditor do next?
A. Report the issue to management immediately.
B. Ignore the issue since it is not significant.
C. Verify if the accounts have been used after termination.
D. Recommend a complete overhaul of the access control system.
Answer: C. Verify if the accounts have been used after termination.
Explanation: Before taking further steps, the auditor should determine if the accounts have been used improperly, which would indicate a serious control lapse and guide the next actions.
Q.5. An auditor finds that a company's disaster recovery plan (DRP) has not been tested in over two years. What is the best course of action for the auditor to recommend?
A. Immediately create a new DRP.
B. Test the existing DRP as soon as possible.
C. Ignore the issue and proceed with the audit.
D. Conduct a training session on the importance of DRP.
Answer: B. Test the existing DRP as soon as possible.
Explanation: Regular testing of the DRP is essential to ensure it will work effectively in an actual disaster. Testing the current plan will help identify any deficiencies or areas for improvement.
Domain 2: Governance and Management of IT (18%)

Q.1. Which of the following frameworks is commonly used for IT governance and management?
A. ISO 9001
B. COBIT
C. Six Sigma
D. ITIL
Answer: B. COBIT
Explanation: COBIT (Control Objectives for Information and Related Technology) is a widely recognized framework for IT governance and management, providing guidelines and best practices.

Q.2. An organization wants to implement a new cloud-based CRM system. Which risk management strategy should be applied to address data privacy concerns?
A. Data encryption
B. Hiring additional IT staff
C. Increasing the IT budget
D. Conducting social engineering tests
Answer: A. Data encryption
Explanation: Encrypting data ensures that it remains secure and private when stored in the cloud, addressing data privacy concerns.
Q.3. An IT manager is tasked with developing a governance framework for a new IT initiative. What is the first step they should take?
A. Allocate the budget for the initiative.
B. Identify the stakeholders and their requirements.
C. Train the IT staff on governance principles.
D. Purchase the necessary IT infrastructure.
Answer: B. Identify the stakeholders and their requirements.
Explanation: Identifying stakeholders and understanding their requirements is crucial for developing a governance framework that addresses their needs and aligns with organizational goals.

Q.4. Which of the following is an example of a performance metric in IT governance?
A. Number of IT staff
B. IT budget allocation
C. System uptime percentage
D. Number of IT policies
Answer: C. System uptime percentage
Explanation: System uptime percentage is a performance metric that measures the availability and reliability of IT systems, which is crucial for assessing the effectiveness of IT governance.
Q.5. Which of the following tools is commonly used for project management in IT governance?
A. CMDB
B. Gantt Chart
C. SLA
D. ITIL
Answer: B. Gantt Chart
Explanation: A Gantt chart is a project management tool essential for planning, scheduling, and tracking project progress, making it particularly valuable in IT governance.
Domain 3: Information Systems Acquisition, Development, and Implementation (12%)

Q.1. Which of the following is a primary benefit of using prototyping in system development?
A. Reducing documentation
B. Increasing project costs
C. Enhancing user involvement and feedback
D. Extending project timelines
Answer: C. Enhancing user involvement and feedback
Explanation: Prototyping involves users early and often in the development process, allowing for feedback and adjustments to ensure the final system meets user needs.

Q.2. An organization is selecting a new software vendor. What is the first step in the vendor selection process?
A. Negotiating the contract
B. Evaluating vendor proposals
C. Defining system requirements
D. Conducting a security audit
Answer: C. Defining system requirements
Explanation: Defining system requirements is crucial as it forms the basis for evaluating vendor proposals and selecting the appropriate software solution.
Q.3. What is the main purpose of user acceptance testing (UAT)?
A. To verify that the system is secure
B. To ensure the system meets user requirements
C. To test the system's performance
D. To identify programming errors
Answer: B. To ensure the system meets user requirements
Explanation: User Acceptance Testing (UAT) is performed to ensure the system operates as expected and fulfills the end user's needs and requirements.

Q.4. An IT project is behind schedule and over budget. What should be the immediate focus to address these issues?
A. Cutting project resources
B. Reassessing project scope and timeline
C. Increasing project staff
D. Reducing the quality of deliverables
Answer: B. Reassessing project scope and timeline
Explanation: Reassessing the project scope and timeline helps identify the causes of delays and cost overruns, allowing for adjustments to bring the project back on track.
Q.5. During the implementation of a new ERP system, a critical business process is not functioning as expected. What should the project team do first?
A. Ignore the issue and continue with the implementation.
B. Revert to the old system immediately.
C. Conduct a root cause analysis to identify the issue.
D. Terminate the project.
Answer: C. Conduct a root cause analysis to identify the issue.
Explanation: Conducting a root cause analysis helps to understand the underlying problem, allowing the project team to address it effectively and ensure the ERP system functions correctly.
Domain 4: Information Systems Operations and Business Resilience (26%)

Q.1. Which of the following is an example of preventive maintenance in IT operations?
A. Installing software updates
B. Restoring data from backups
C. Monitoring system performance
D. Conducting security audits
Answer: A. Installing software updates
Explanation: Preventive maintenance involves proactive measures such as installing software updates to prevent potential issues and ensure system reliability.

Q.2. Which type of backup involves copying only the data that has changed since the last full backup?
A. Full backup
B. Incremental backup
C. Differential backup
D. Snapshot backup
Answer: B. Incremental backup
Explanation: Incremental backups copy only the data that has changed since the last backup, reducing backup time and storage requirements.
Q.3. What is the objective of a business impact analysis (BIA)?
A. To identify potential threats to IT systems.
B. To assess the impact of disruptions on business operations.
C. To develop security policies.
D. To perform regular system maintenance.
Answer: B. To assess the impact of disruptions on business operations.
Explanation: A BIA identifies and evaluates the effects of disruptions on business operations, helping to prioritize recovery efforts and develop effective continuity plans.

Q.4. Which of the following best describes a hot site in disaster recovery planning?
A. An alternate site with basic infrastructure.
B. An alternate site with fully operational systems and data.
C. An alternate site with only data storage capabilities.
D. An alternate site with no pre-installed systems.
Answer: B. An alternate site with fully operational systems and data.
Explanation: A hot site is a fully equipped backup location where an organization can swiftly resume essential business operations in case of a disaster.
Q.5. An organization wants to ensure that its critical systems can recover quickly from a hardware failure. Which of the following strategies should they implement?
A. Full data backup every month
B. Redundant Array of Independent Disks (RAID)
C. Manual system monitoring
D. Monthly system maintenance
Answer: B. Redundant Array of Independent Disks (RAID)
Explanation: RAID provides redundancy by storing data across multiple disks, allowing the system to continue operating even if one disk fails, thereby enhancing fault tolerance and recovery speed.
Domain 5: Protection of Information Assets (26%)

Q.1. Which of the following is a common method for verifying the integrity of data?
A. Encryption
B. Hashing
C. Compression
D. Tokenization
Answer: B. Hashing
Explanation: Hashing generates a unique fixed-size string (hash) from data, which can be used to verify that the data has not been altered by comparing the hash values.

Q.2. An employee needs access to sensitive data for a project. What principle should the IT department apply to grant access?
A. Least privilege
B. Full access
C. Default allow
D. Maximum privilege
Answer: A. Least privilege
Explanation: The principle of least privilege mandates that users be given only the minimal access needed to carry out their tasks, thereby minimizing the risk of unauthorized access to sensitive information.
Q.3. A company wants to implement multi-factor authentication (MFA) for its remote employees. Which of the following combinations would provide MFA?
A. Username and password
B. Password and security token
C. Password and email address
D. Username and email address
Answer: B. Password and security token
Explanation: Multi-factor authentication (MFA) requires two or more verification factors. Combining a password (something you know) with a security token (something you have) provides MFA.

Q.4. Which of the following techniques is used to verify the authenticity and integrity of a digital message?
A. Digital signature
B. Symmetric key encryption
C. Data compression
D. Firewall
Answer: A. Digital signature
Explanation: A digital signature employs cryptographic methods to verify a message's authenticity and integrity, ensuring it has not been altered and confirming the sender's identity.
Q.5. An organization intends to implement a Bring Your Own Device (BYOD) policy. What is a crucial security measure that should be included in the policy?
A. Allowing unrestricted access to corporate networks.
B. Requiring employees to use personal devices without any restrictions.
C. Implementing mobile device management (MDM) solutions.
D. Providing employees with unrestricted internet access.
Answer: C. Implementing mobile device management (MDM) solutions.
Explanation: MDM solutions enable the organization to manage and secure personal devices used for work, enforcing security policies and protecting corporate data.
Summary

This guide provides a concise yet comprehensive overview of the key domains covered in the Certified Information Systems Auditor (CISA) exam, crucial for professionals in IT auditing. It spans five critical areas: the Information System Auditing Process, focusing on audit planning and essential techniques; Governance and Management of IT, addressing governance frameworks, risk management, and performance metrics; Information Systems Acquisition, Development, and Implementation, emphasizing prototyping, vendor selection, and user acceptance testing; Information Systems Operations and Business Resilience, covering preventive maintenance, backup strategies, and disaster recovery; and Protection of Information Assets, highlighting data integrity, access control principles, multi-factor authentication, and BYOD security. Each domain is explored through practical questions and detailed explanations, providing valuable insights to help candidates effectively prepare for the CISA exam and advance their IT auditing careers.