Sample Questions for ISACA's CISA Exam

ISACA CISA Certification Badge & Logo

All questions come from my CISA Udemy course and certificationexams.pro

Free ISACA (CISA) Exam Topics Test

The ISACA Certified Information Systems Auditor (CISA) exam validates your ability to audit, control, and assure the integrity of information systems that support business operations and regulatory compliance. It focuses on the five core domains of IS auditing, IT governance, systems acquisition, operations, and protection of information assets.

To prepare effectively, start with the CISA Practice Questions. These questions mirror the tone, logic, and depth of the real certification exam and help you become familiar with ISACA’s question structure and reasoning style.

You can also review Real CISA Exam Questions to experience authentic, scenario-based challenges that simulate real audit and compliance situations. Complement your study with CISA Sample Questions focused on IT governance, control testing, and risk-based auditing methods.

ISACA CISA Exam Simulator

Each section of the CISA Questions and Answers collection is designed to teach as well as test. These practice items reinforce key audit principles and provide explanations that help you understand why certain responses are correct, preparing you to think critically like a professional auditor.

For complete readiness, use the CISA Exam Simulator and attempt full-length CISA Practice Tests. These simulations reproduce the timing and structure of the real ISACA exam so you can manage your pace and build confidence under realistic testing conditions.

If you prefer targeted study sessions, the CISA Exam Dump, CISA Braindump, and CISA Questions and Answers collections group items by topic such as governance, audit evidence, risk response, and control evaluation. These resources allow you to concentrate on specific domains where additional study is beneficial.

Working through these CISA Exam Questions will help you gain the analytical and professional skills needed to evaluate information systems effectively and make sound recommendations. By mastering these exercises, you will be ready to perform IT audits, assess internal controls, and contribute to compliance initiatives in any enterprise environment.

Begin your preparation today with the CISA Practice Questions. Train using the CISA Exam Simulator and measure your readiness with comprehensive CISA Practice Tests. Prepare to earn your certification and advance your career as a trusted information systems auditor.


ISACA Exam Simulator Questions

Question 1

You are the information systems auditor at NovaTech Solutions and you are evaluating the effects of an auditor participating in the deployment of recommended security controls. Which of the following would be most affected by such participation?

  • ❏ A. Data integrity

  • ❏ B. Data confidentiality

  • ❏ C. Auditor independence

  • ❏ D. System availability

Question 2

Which development approach uses iterative prototyping and active user involvement to accelerate delivery, reduce costs, and maintain quality?

  • ❏ A. Continuous integration and delivery

  • ❏ B. Rapid application development

  • ❏ C. Function point analysis

Question 3

You are an information systems auditor at Crestwave Technologies. While reviewing the company’s IT strategy and planning documents, what concern would you judge to be the most significant?

  • ❏ A. Insufficient budget for IT initiatives

  • ❏ B. Inadequate cybersecurity controls

  • ❏ C. IT is not engaged in enterprise strategic planning

  • ❏ D. Absence of a formal cloud governance framework

Question 4

Which action most undermines the assurance provided by an RSA digital signature on a file?

  • ❏ A. Modifying the signed file after signing

  • ❏ B. Compromise of the sender’s private signing key

  • ❏ C. Capturing the signature while in transit

Question 5

An information systems auditor inspects a random statistical sample of tapes from an offsite archive at Meridian Financial Services to confirm inventory records. Which classification of audit test does this action represent?

  • ❏ A. Analytical procedures

  • ❏ B. Compliance testing

  • ❏ C. Continuous auditing

  • ❏ D. Substantive testing

Question 6

What is the primary objective of incident management within IT support?

  • ❏ A. Problem management

  • ❏ B. Coordinating incident response to restore services

  • ❏ C. Preventing incidents through proactive measures

Question 7

Which encryption approach will most effectively defend a small office wireless LAN against a man in the middle attack?

  • ❏ A. 128 bit Wired Equivalent Privacy WEP

  • ❏ B. A pre shared key that is derived from device MAC addresses

  • ❏ C. A randomly generated pre shared key for WPA3 Personal

  • ❏ D. A long alphanumeric service set identifier SSID

Question 8

Which control is most effective at detecting accidental bit corruption that occurs during network transmission?

  • ❏ A. Packet sequence numbering

  • ❏ B. Cyclic redundancy check

  • ❏ C. Cryptographic hash

  • ❏ D. Parity bit checking

Question 9

While evaluating a third-party provider that hosts critical IT functions for a regional credit union called NorthPoint Trust, what matters should an information systems auditor prioritize when reviewing agreements and operational controls?

  • ❏ A. Defined service level agreements and independent audit rights

  • ❏ B. Verified ownership of application code and stored data together with a statement of confidentiality and due care and a tested continuity plan

  • ❏ C. Evidence of a written confidentiality and due care declaration and contingency arrangements for service continuation

  • ❏ D. Proof of ownership for programs and files only

Question 10

Which artifact explicitly records the permissions granted to a cloud asset?

  • ❏ A. Service account keys

  • ❏ B. Cloud IAM policies

  • ❏ C. Access control lists

  • ❏ D. Infrastructure audit logs


Question 11

Which role in an organization is chiefly responsible for implementing and maintaining both physical and logical protections for information systems, applications, data sets, and hardware?

  • ❏ A. Data Custodian

  • ❏ B. Data User

  • ❏ C. Data Owner

  • ❏ D. Security Administrator

Question 12

Which database control ensures that a multi step update either entirely applies or the database remains unchanged?

  • ❏ A. Cloud Audit Logs

  • ❏ B. Transaction commit and rollback

  • ❏ C. Cloud IAM

Question 13

What is the main role of a project scope statement within a project plan?

  • ❏ A. To list the project stakeholders and define their responsibilities

  • ❏ B. To document the project objectives, the deliverables to be produced, and the boundaries of the project scope

  • ❏ C. To assign personnel, allocate budget, and schedule resource usage

  • ❏ D. To define the project start date, the end date, and major milestones

Question 14

Which control would be most effective at preventing file transfers through instant messaging applications?

  • ❏ A. Cloud Data Loss Prevention

  • ❏ B. Application layer firewall

  • ❏ C. Security awareness training

Question 15

You are a systems auditor at NovaTech Solutions and you are examining the problem management procedures used during a software development engagement. Which activity best summarizes what is performed in this process?

  • ❏ A. Analyzing and ranking threats and system weaknesses

  • ❏ B. Assessing the effect of issues on project scope, schedule, and costs

  • ❏ C. Recording detailed functional and technical requirements for the solution

  • ❏ D. Verifying schedule estimates and allocation of team resources

Question 16

Developers have passed unit tests for all components. What should the auditor recommend next?

  • ❏ A. Automated regression testing

  • ❏ B. Comprehensive integration testing

  • ❏ C. User acceptance testing

Question 17

You are an IT auditor at Valence Tech and during an examination of the incident log you observe a number of similar incidents recorded across the audit timeframe. What is the most important action you should take in response to this observation?

  • ❏ A. Perform a targeted vulnerability scan of critical systems

  • ❏ B. Evaluate the effectiveness of user security awareness training

  • ❏ C. Confirm whether a root cause analysis was performed

  • ❏ D. Review the organization’s incident response plan and procedures

Question 18

Which analytical method is most suitable for detecting fraud when there are many input variables to evaluate?

  • ❏ A. BigQuery ML

  • ❏ B. Random forests

  • ❏ C. Neural networks

  • ❏ D. Expert systems

Question 19

You are leading an audit at Lakeshore Solutions which maintains a mature enterprise risk program that each division follows. What is the most effective way for the audit team to leverage this risk management maturity?

  • ❏ A. Deploy Google Cloud Security Command Center to add additional controls

  • ❏ B. Recommend enhancements to the risk program after completing the audit

  • ❏ C. Plan audit activities using the enterprise risk register to focus on the highest risk areas

  • ❏ D. Conduct a detailed review of the organization wide risk policies and procedures

Question 20

What must an IT auditor confirm provides support for the audit conclusions?

  • ❏ A. Cloud Audit Logs

  • ❏ B. Adequate and appropriate audit evidence

  • ❏ C. Management representations

Question 1

You are the information systems auditor at NovaTech Solutions and you are evaluating the effects of an auditor participating in the deployment of recommended security controls. Which of the following would be most affected by such participation?

  • ✓ C. Auditor independence

The correct answer is Auditor independence.

An auditor who participates in the deployment of recommended security controls creates a self-review threat and directly undermines Auditor independence, because they would later be required to evaluate the effectiveness of work in which they were involved. Independence and objectivity are core to auditing, and taking an operational role prevents an auditor from remaining impartial.

Data integrity is not the best choice because integrity concerns the accuracy and consistency of data and the question is focused on the auditor’s role conflict rather than the technical state of the data.

Data confidentiality is incorrect because confidentiality deals with protecting information from unauthorized disclosure and the scenario describes a conflict of interest instead of a confidentiality breach.

System availability is wrong because availability concerns uptime and continuity and the primary impact of an auditor participating in deployment is on the auditor’s independence rather than on system uptime.

When an auditor is described as performing operational tasks, look for threats to independence and self-review rather than thinking first about technical properties like confidentiality, integrity, or availability.

Question 2

Which development approach uses iterative prototyping and active user involvement to accelerate delivery, reduce costs, and maintain quality?

  • ✓ B. Rapid application development

The correct option is Rapid application development.

This approach emphasizes iterative prototyping and active user involvement to refine requirements quickly and to deliver working components faster while keeping costs down and preserving quality through frequent feedback and early validation.

Continuous integration and delivery is focused on the automated building, testing, and deployment of code. It helps speed release cycles, but it is not a development methodology based on iterative prototyping or heavy end user involvement.

Function point analysis is a sizing and estimation technique used to measure the functional size of an application for estimating effort and cost and it does not describe an iterative prototyping development approach.

Pay attention to keywords like iterative prototyping and active user involvement to distinguish a development methodology from estimation methods or deployment practices.

Question 3

You are an information systems auditor at Crestwave Technologies. While reviewing the company’s IT strategy and planning documents, what concern would you judge to be the most significant?

  • ✓ C. IT is not engaged in enterprise strategic planning

IT is not engaged in enterprise strategic planning is the most significant concern because it shows that IT is not aligned with business goals and priorities and it creates a governance gap that can lead to many other problems.

When IT is not part of enterprise strategic planning, the organization cannot properly prioritize investments or manage risk, and the result can be misallocated budgets, inadequate controls, and missed opportunities for innovation.

Insufficient budget for IT initiatives is an important operational problem but it is often a symptom of poor strategic alignment rather than the root cause of IT failures.

Inadequate cybersecurity controls present immediate risk to the organization but weak controls are frequently a consequence of IT not being integrated into strategic planning and governance processes that would allocate resources for security.

Absence of a formal cloud governance framework is a specific governance gap for cloud adoption but it is less fundamental than the broader failure to involve IT in enterprise strategic planning which would drive the need and design for cloud governance.

For strategic governance questions focus on the root cause that affects multiple areas rather than on symptoms. Think about whether the issue blocks alignment, prioritization, and decision making across the enterprise.

Question 4

Which action most undermines the assurance provided by an RSA digital signature on a file?

  • ✓ B. Compromise of the sender’s private signing key

Compromise of the sender’s private signing key is the correct answer.

RSA digital signatures rely on the secrecy of the signer’s private key. If the sender’s private signing key is compromised, an attacker can create valid signatures on any file and impersonate the sender, so integrity and non-repudiation are destroyed.

Modifying the signed file after signing is not the best answer because altering the file causes signature verification to fail and the tampering is detected rather than allowing forged signatures.

Capturing the signature while in transit is not the best answer because capturing the signature alone does not let an attacker produce new valid signatures for modified content and verification will still detect tampering unless the private key itself is compromised.

When deciding between options ask what lets an attacker create new signatures. The private key is the root of trust so its compromise is the most damaging outcome.

Question 5

An information systems auditor inspects a random statistical sample of tapes from an offsite archive at Meridian Financial Services to confirm inventory records. Which classification of audit test does this action represent?

  • ✓ D. Substantive testing

The correct answer is Substantive testing.

Inspecting a random statistical sample of tapes from an offsite archive to confirm inventory records is a direct verification of recorded balances and items, and it is therefore a substantive procedure. Substantive testing gathers audit evidence about the existence, completeness, and valuation of assets and records, and physical inspection or confirmation of items is a classic way to obtain that evidence.

Analytical procedures are not correct because they rely on comparisons, trend analysis, and ratio analysis to identify unusual relationships, and they do not typically involve physically inspecting archived tapes.

Compliance testing is not correct because it focuses on whether controls or policies were followed rather than directly verifying the amounts or existence of inventory items.

Continuous auditing is not correct because it describes ongoing automated monitoring or frequent audit processes and it does not describe a one time physical inspection of a sampled set of tapes.

When the auditor physically inspects or confirms items to check balances, think substantive testing rather than analytical or compliance procedures.

Question 6

What is the primary objective of incident management within IT support?

  • ✓ B. Coordinating incident response to restore services

Coordinating incident response to restore services is the correct option.

Incident management is focused on quickly restoring normal service operation and minimizing business impact when an interruption happens. The process emphasizes rapid detection, prioritized response, coordination of technical and support teams, timely communication with stakeholders, and actions that return services to expected levels.

Problem management is not correct because that discipline concentrates on diagnosing root causes and implementing long term fixes to prevent recurrence rather than on the immediate coordination needed to restore service.

Preventing incidents through proactive measures is also not correct because prevention is a proactive activity often addressed by problem management or continual improvement efforts and it does not describe the primary, reactive objective of incident management.

When you answer questions about incident management, look for wording that emphasizes the immediate goal to restore service rather than wording that focuses on long term fixes or prevention.

Question 7

Which encryption approach will most effectively defend a small office wireless LAN against a man in the middle attack?

  • ✓ C. A randomly generated pre shared key for WPA3 Personal

The correct option is A randomly generated pre shared key for WPA3 Personal.

This option is correct because WPA3 Personal uses the SAE handshake which resists offline dictionary attacks and provides forward secrecy. A randomly generated pre shared key that is long and unique makes brute force and guessing attacks impractical and prevents an attacker from easily impersonating the access point or a client. The improved key exchange and authentication in WPA3 Personal therefore offers much stronger protection against man in the middle attacks than older personal mode approaches.

The option 128 bit Wired Equivalent Privacy WEP is wrong because WEP is fundamentally broken and trivial to crack. WEP uses weak initialization vectors and static keys and it is deprecated so it cannot reliably defend against man in the middle attacks.

The option A pre shared key that is derived from device MAC addresses is wrong because MAC addresses are publicly observable and easily spoofed. Deriving a shared key from a predictable and non secret value produces a weak key and it does not prevent an active attacker from intercepting or impersonating devices.

The option A long alphanumeric service set identifier SSID is wrong because the SSID only names the network and does not provide encryption or authentication. A longer SSID does not stop a man in the middle attack and it can still be broadcast or faked by an attacker.

When you see protocol names on the exam prefer modern standards and look for key management features. A specific mention of WPA3 or SAE plus a long randomly generated passphrase is usually the most secure choice for small office wireless networks.

Question 8

Which control is most effective at detecting accidental bit corruption that occurs during network transmission?

  • ✓ B. Cyclic redundancy check

The correct option is Cyclic redundancy check.

Cyclic redundancy check computes a compact checksum by treating the data as a polynomial and using polynomial division so receivers can recompute the value and compare it with the transmitted checksum. This approach catches common transmission errors including burst errors and random bit flips and it is efficient enough to be implemented in hardware for real time link layer and frame integrity checks.

Packet sequence numbering can reveal lost or out of order packets but it does not detect whether the bits inside a received packet were altered during transfer.

Cryptographic hash will detect changes and it provides strong tamper evidence, but it is computationally heavier and it is not the standard, efficient mechanism used by network links to detect accidental bit corruption.

Parity bit checking is a very simple method that only detects an odd number of bit errors and it misses many multi bit error patterns, so it is far less effective than a CRC for network error detection.

For questions about detecting accidental transmission errors, choose CRC when the context is link or frame integrity, because it is the standard and efficient method used in networking equipment.
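As an added illustration that is not part of the course material, the following Python script simulates a sender attaching a parity bit and a CRC-32 to a constructed frame, a channel that flips chosen bits, and a receiver that recomputes both checks. It shows concretely why parity misses an even number of flipped bits and a 16-bit burst, while the CRC still reports them.

```python
import zlib

# Constructed sample frame payload; any byte string works.
FRAME = b"constructed sample frame for the CISA CRC example"


def parity_bit(data: bytes) -> int:
    """Single even-parity bit: 1 if the message holds an odd number of 1 bits."""
    return bin(int.from_bytes(data, "big")).count("1") & 1


def crc32_checksum(data: bytes) -> int:
    """CRC-32 (IEEE 802.3 polynomial), the frame check sequence used by Ethernet."""
    return zlib.crc32(data) & 0xFFFFFFFF


def flip_bits(data: bytes, positions) -> bytes:
    """Return a copy of data with the given bit positions (0 = MSB of byte 0) inverted."""
    buf = bytearray(data)
    for pos in positions:
        buf[pos // 8] ^= 1 << (7 - pos % 8)
    return bytes(buf)


def transmit(data: bytes, corrupted_positions) -> dict:
    """Sender computes parity and CRC; the channel flips bits; the receiver
    recomputes both checks and reports whether each one noticed the corruption."""
    sent_parity = parity_bit(data)
    sent_crc = crc32_checksum(data)
    received = flip_bits(data, corrupted_positions)
    return {
        "parity_detects": parity_bit(received) != sent_parity,
        "crc_detects": crc32_checksum(received) != sent_crc,
    }


def error_scenarios(data: bytes = FRAME) -> dict:
    """The cases discussed above: one flipped bit, two flipped bits, and a
    16-bit burst. A CRC-32 detects every single burst up to 32 bits long;
    a parity bit only detects an odd number of flips."""
    burst = list(range(40, 56))  # 16 consecutive bit positions inside the frame
    return {
        "single_bit": transmit(data, [3]),
        "two_bits": transmit(data, [3, 11]),
        "burst_16": transmit(data, burst),
    }


if __name__ == "__main__":
    for name, result in error_scenarios().items():
        print(f"{name:10s} parity detects: {str(result['parity_detects']):5s} "
              f"CRC detects: {result['crc_detects']}")
```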

Question 9

While evaluating a third-party provider that hosts critical IT functions for a regional credit union called NorthPoint Trust, what matters should an information systems auditor prioritize when reviewing agreements and operational controls?

  • ✓ B. Verified ownership of application code and stored data together with a statement of confidentiality and due care and a tested continuity plan

Verified ownership of application code and stored data together with a statement of confidentiality and due care and a tested continuity plan is the correct choice.

This option is correct because verified ownership of application code and stored data gives the credit union legal rights to access, modify, and retrieve critical assets, and it reduces the risk of vendor lock in. A formal statement of confidentiality and due care establishes clear responsibilities for protecting sensitive member data and supports regulatory compliance for a financial institution. A tested continuity plan ensures the provider can restore services and meet recovery objectives for critical IT functions, which is essential for operational resilience.

Defined service level agreements and independent audit rights is incorrect because while SLAs and audit rights are important controls they do not by themselves guarantee legal ownership of code or data or that confidentiality obligations and continuity plans are in place. Those rights help oversight but they are incomplete without ownership and tested continuity.

Evidence of a written confidentiality and due care declaration and contingency arrangements for service continuation is incorrect because it omits verified ownership of the application code and stored data. Confidentiality and contingency arrangements are necessary but they do not address legal control or access to the code and data which are critical when a provider hosts core systems.

Proof of ownership for programs and files only is incorrect because ownership alone does not ensure the provider has committed to confidentiality and due care or that they have a tested continuity plan. All three elements are needed to protect data, meet regulatory expectations, and ensure service continuity for a credit union.

When you evaluate similar questions, prioritize options that combine legal ownership with data protection and tested continuity, because those elements together address control, confidentiality, and resilience.

Question 10

Which artifact explicitly records the permissions granted to a cloud asset?

  • ✓ C. Access control lists

The correct answer is Access control lists.

Access control lists are the resource-level artifact that explicitly lists which principals have which permissions on a specific cloud asset. They are stored with or attached to the asset and serve as the recorded source of truth for who can read, write, or manage that particular object.

Service account keys are credentials that authenticate a service account and do not themselves document what permissions are granted to a resource. Keys prove identity and enable actions but they do not list granted permissions.

Cloud IAM policies define role bindings and manage permissions at project, folder, or organization scope in many clouds. The question, however, asks which artifact confirms permissions on a specific asset, and per-asset ACLs are the direct artifact used to show that information for resources that use ACLs.

Infrastructure audit logs record who performed actions and when and they are useful for forensic and compliance purposes. Logs show historical activity and outcomes but they do not by themselves state the current permissions granted to an asset.

When asked what confirms access for a particular resource, check the resource’s access control lists first and use audit logs to validate past changes or access events.


Question 11

Which role in an organization is chiefly responsible for implementing and maintaining both physical and logical protections for information systems, applications, data sets, and hardware?

  • ✓ D. Security Administrator

Security Administrator is correct because this role is chiefly responsible for implementing and maintaining both physical and logical protections for information systems, applications, data sets, and hardware.

Security Administrator implements technical controls such as access management, system hardening, patching, network protections, encryption, monitoring, and incident response tooling. They also coordinate with facilities and operations teams to ensure physical controls and hardware protections are maintained alongside logical defenses.

Data Custodian is focused on the operational handling and safekeeping of data and on applying the policies set by owners and administrators. That role does not typically own the overall security program or set organization wide protections.

Data User merely accesses and uses data according to established policies and does not have responsibility for implementing or maintaining system wide physical or logical protections.

Data Owner is accountable for classification, acceptable use, and protection requirements for specific data sets and for approving access. The owner defines policy and requirements but usually does not perform the technical implementation and day to day maintenance of protections.

When a question asks who implements and maintains protections, look for operational roles such as Security Administrator rather than owners or users.

Question 12

Which database control ensures that a multi step update either entirely applies or the database remains unchanged?

  • ✓ B. Transaction commit and rollback

The correct answer is Transaction commit and rollback.

Transaction commit and rollback provide atomicity for multi step database updates so that either all steps are applied or the database remains unchanged. A commit makes all changes permanent when every operation in the transaction succeeds and a rollback undoes all changes if any operation fails, which is the behavior described in the question.

Cloud Audit Logs captures and stores audit and access events for GCP services but it does not enforce transactional behavior or perform commits and rollbacks. It is useful for logging and auditing rather than controlling data consistency.

Cloud IAM controls who can access resources and what actions they can perform, but it does not provide database transaction semantics and cannot ensure multi step updates are applied atomically.

When a question asks that several operations either all succeed or none do, look for the words transaction or commit and rollback, and rule out options that relate only to logging or access control.
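The commit-and-rollback behaviour described above, as an added Python example that is not part of the course: a constructed in-memory SQLite ledger in which a transfer is a two-step update (credit the destination, then debit the source). When the debit violates the non-negative balance constraint, or the destination account does not exist, the rollback undoes the credit that was already applied, so the ledger is unchanged.

```python
import sqlite3


def new_ledger() -> sqlite3.Connection:
    """Constructed in-memory ledger. isolation_level=None puts the connection in
    autocommit mode, so BEGIN / COMMIT / ROLLBACK are issued explicitly below."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute(
        "CREATE TABLE accounts ("
        " id TEXT PRIMARY KEY,"
        " balance INTEGER NOT NULL CHECK (balance >= 0))"  # overdrafts are rejected
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 100), ("bob", 50)])
    return conn


def balances(conn: sqlite3.Connection) -> dict:
    """Current balances as {account id: balance}."""
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id"))


def transfer(conn: sqlite3.Connection, src: str, dst: str, amount: int) -> bool:
    """Multi-step update: credit dst first, then debit src. Returns True when both
    steps were committed and False when the transaction was rolled back, in which
    case the ledger is exactly as it was before the call."""
    try:
        conn.execute("BEGIN")
        credited = conn.execute(
            "UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst)
        ).rowcount
        if credited != 1:
            raise ValueError(f"unknown destination account {dst!r}")
        # If src cannot cover the amount, the CHECK constraint raises IntegrityError
        # here, after the credit above has already been applied inside the transaction.
        conn.execute(
            "UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src)
        )
        conn.execute("COMMIT")  # both steps become permanent together
        return True
    except (sqlite3.Error, ValueError):
        if conn.in_transaction:
            conn.execute("ROLLBACK")  # undo the credit along with everything else
        return False


if __name__ == "__main__":
    ledger = new_ledger()
    print(transfer(ledger, "alice", "bob", 30), balances(ledger))      # True {'alice': 70, 'bob': 80}
    print(transfer(ledger, "alice", "bob", 500), balances(ledger))     # False, unchanged
    print(transfer(ledger, "alice", "nobody", 10), balances(ledger))   # False, unchanged
```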

Question 13

What is the main role of a project scope statement within a project plan?

  • ✓ B. To document the project objectives, the deliverables to be produced, and the boundaries of the project scope

To document the project objectives, the deliverables to be produced, and the boundaries of the project scope is the correct answer.

The project scope statement defines what the project will deliver and what is out of scope and it sets measurable objectives and acceptance criteria. It provides a baseline for controlling scope and for evaluating change requests so the team and stakeholders share a common understanding of the expected deliverables.

To list the project stakeholders and define their responsibilities is incorrect because stakeholder identities and responsibilities belong in a stakeholder register or a RACI matrix rather than in the scope statement. The scope statement may reference stakeholders but it does not replace those role focused documents.

To assign personnel, allocate budget, and schedule resource usage is incorrect because assigning people, allocating budgets, and scheduling resources are tasks for resource management, budgeting, and the project schedule. The scope statement informs those processes but it does not perform them.

To define the project start date, the end date, and major milestones is incorrect because dates and milestone sequencing are captured in the project schedule and milestone list. The scope statement focuses on what will be produced rather than the detailed timing.

Look for keywords in the choices. If an option emphasizes objectives deliverables and boundaries it usually describes the scope statement. If an option emphasizes stakeholders dates or resource assignments it points to different plan components.

Question 14

Which control would be most effective at preventing file transfers through instant messaging applications?

  • ✓ B. Application layer firewall

The correct option is Application layer firewall.

An application layer firewall inspects traffic at the application protocol level and can identify and block file transfer operations used by instant messaging clients. It applies protocol specific rules and content based filters in real time so it can stop transfers as they occur rather than only detecting them after the fact.

Cloud Data Loss Prevention is incorrect because DLP is primarily focused on discovering, classifying, and redacting sensitive data and it often operates on stored data or through scanning APIs. It can help detect risky transfers but it does not by itself provide real time enforcement to block file transfers without additional gateway or blocking tools.

Security awareness training is incorrect because training changes user behavior over time and reduces risk but it does not provide a technical, real time control that can immediately prevent file transfers through instant messaging applications. Training is a valuable complement but not the most effective single control for immediate prevention.

When a question asks which control will most effectively prevent an action, look for a technical, real time enforcement control such as an application layer firewall rather than detection or training.

Question 15

You are a systems auditor at NovaTech Solutions and you are examining the problem management procedures used during a software development engagement. Which activity best summarizes what is performed in this process?

  • ✓ B. Assessing the effect of issues on project scope, schedule, and costs

Assessing the effect of issues on project scope, schedule, and costs is the correct activity that best summarizes what is performed in problem management during a software development engagement.

Problem management focuses on diagnosing incidents and underlying causes and on evaluating the consequences so teams can decide on workarounds and permanent fixes to reduce impact. That emphasis on evaluating impacts and guiding corrective actions is why Assessing the effect of issues on project scope, schedule, and costs aligns with the process goals.

Analyzing and ranking threats and system weaknesses is primarily a risk assessment and security activity and it addresses potential vulnerabilities rather than resolving problems that are already affecting project work.

Recording detailed functional and technical requirements for the solution describes requirements engineering and specification work that usually happens earlier in the lifecycle and not the reactive impact analysis and remediation central to problem management.

Verifying schedule estimates and allocation of team resources is a project planning and control task and it does not capture the diagnostic and corrective nature of problem management which focuses on root causes and mitigation.

Focus on the purpose of the process and the verbs used in the options. Problem management is about assessing and resolving impacts, so favor choices that mention assessing effects rather than choices about planning or requirements.

Question 16

Developers have passed unit tests for all components. What should the auditor recommend next?

  • ✓ B. Comprehensive integration testing

Comprehensive integration testing is the correct recommendation.

Unit tests confirm that individual components behave as expected in isolation. Comprehensive integration testing is the next logical step because it verifies that those components work together correctly and it exercises interfaces, configuration, data flow, and external dependencies that unit tests do not cover. Running integration tests before system level and acceptance tests reduces the risk of integration defects appearing later in the development lifecycle.

Automated regression testing is important for catching reintroduced defects and for validating that existing functionality still works after changes. It is usually executed after integration and system tests or continuously as part of a CI pipeline, and it is not the immediate next activity when unit tests have only shown component correctness.

User acceptance testing is performed by end users or stakeholders to validate that the system meets business requirements. It should occur after successful integration and system testing so that users are evaluating a stable and integrated application, and therefore it is not the step immediately following unit tests.

When unit tests pass, run integration tests next to validate interfaces and interactions before proceeding to system and acceptance testing.

Question 17

You are an IT auditor at Valence Tech and during an examination of the incident log you observe a number of similar incidents recorded across the audit timeframe. What is the most important action you should take in response to this observation?

  • ✓ C. Confirm whether a root cause analysis was performed

Confirm whether a root cause analysis was performed is the most important action to take when you observe a number of similar incidents across the audit timeframe.

An auditor must determine whether the organization investigated the repeated incidents to find the underlying cause. Verify that the root cause analysis identified systemic issues, documented corrective actions, included timelines, and had evidence of validation so you can be confident the problem will not recur.

Only after confirming that a root cause analysis was performed and that remediation was effective should you prioritize other responses such as scanning, training, or plan updates because those actions may not address the true underlying issue.

Perform a targeted vulnerability scan of critical systems is not the most important immediate action because scanning can find technical issues but it does not prove that the organization identified or fixed the root cause of repeated incidents.

Evaluate the effectiveness of user security awareness training is useful when incidents point to user behavior but it may miss technical or process failures that a proper root cause analysis would reveal.

Review the organization's incident response plan and procedures is a valid audit step but it does not substitute for confirming that a specific investigation was done and that corrective actions were implemented for the incidents you observed.

When multiple similar incidents appear, first ask whether a root cause analysis was completed and validated before recommending broader actions.
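The check this question describes, turned into a small analytic an auditor could run over an exported incident log, as an added example that is not part of the original page. The incident records, the RCA register and their field names (`category`, `system`, `rca_id`, `validated`) are constructed sample data and assumptions; a real ticketing export will use different fields.

```python
"""Flag clusters of similar incidents and check each cluster for a validated root cause analysis.

Added example for the discussion of repeated incidents above; not part of the original page.
All data below is constructed, and the record layout is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed incident log export. Note the inconsistent spelling and casing in
# the "Failed logon" rows, which is typical of manually entered tickets.
INCIDENTS: List[Dict[str, Optional[str]]] = [
    {"id": "INC-101", "date": "2024-01-04", "category": "Failed logon", "system": "erp", "rca_id": "RCA-7"},
    {"id": "INC-108", "date": "2024-01-19", "category": "failed logon", "system": "ERP", "rca_id": "RCA-7"},
    {"id": "INC-115", "date": "2024-02-02", "category": "Failed Logon ", "system": "ERP", "rca_id": "RCA-7"},
    {"id": "INC-103", "date": "2024-01-06", "category": "Backup job failure", "system": "FILESRV", "rca_id": None},
    {"id": "INC-110", "date": "2024-01-22", "category": "Backup job failure", "system": "FILESRV", "rca_id": None},
    {"id": "INC-117", "date": "2024-02-05", "category": "Backup job failure", "system": "FILESRV", "rca_id": None},
    {"id": "INC-121", "date": "2024-02-20", "category": "Backup job failure", "system": "FILESRV", "rca_id": None},
    {"id": "INC-105", "date": "2024-01-10", "category": "Phishing email reported", "system": "MAIL", "rca_id": "RCA-9"},
    {"id": "INC-112", "date": "2024-01-25", "category": "Phishing email reported", "system": "MAIL", "rca_id": "RCA-9"},
    {"id": "INC-119", "date": "2024-02-11", "category": "Phishing email reported", "system": "MAIL", "rca_id": None},
    {"id": "INC-107", "date": "2024-01-15", "category": "Disk full", "system": "DB01", "rca_id": None},
    {"id": "INC-123", "date": "2024-02-27", "category": "Disk full", "system": "DB01", "rca_id": None},
]

# Constructed RCA register keyed by the rca_id referenced from incident tickets.
RCA_REGISTER: Dict[str, Dict[str, object]] = {
    "RCA-7": {"root_cause": "Service account password expiry was not monitored",
              "corrective_action": "Expiry alerting added to the IAM platform", "validated": True},
    "RCA-9": {"root_cause": "Mail gateway rule gap", "corrective_action": "", "validated": False},
}


@dataclass
class Finding:
    category: str
    system: str
    count: int
    incident_ids: List[str]
    status: str  # NO_RCA, RCA_MISSING_FROM_REGISTER, RCA_INCOMPLETE, RCA_NOT_VALIDATED or OK


def cluster_incidents(incidents: List[Dict[str, Optional[str]]],
                      min_count: int = 3) -> Dict[Tuple[str, str], List[Dict[str, Optional[str]]]]:
    """Group incidents by normalized (category, system) and keep groups that repeat at least min_count times."""
    groups: Dict[Tuple[str, str], List[Dict[str, Optional[str]]]] = defaultdict(list)
    for inc in incidents:
        key = ((inc["category"] or "").strip().lower(), (inc["system"] or "").strip().upper())
        groups[key].append(inc)
    return {key: members for key, members in groups.items() if len(members) >= min_count}


def assess_rca(group: List[Dict[str, Optional[str]]], register: Dict[str, Dict[str, object]]) -> str:
    """Classify the evidence that a root cause analysis was done and validated for a repeating cluster."""
    rca_ids = sorted({inc["rca_id"] for inc in group if inc.get("rca_id")})
    if not rca_ids:
        return "NO_RCA"  # repeated incidents with no investigation referenced at all
    for rca_id in rca_ids:
        rca = register.get(rca_id)
        if rca is None:
            return "RCA_MISSING_FROM_REGISTER"  # ticket cites an RCA that cannot be produced
        if not rca.get("root_cause") or not rca.get("corrective_action"):
            return "RCA_INCOMPLETE"  # systemic cause or corrective action not documented
        if not rca.get("validated"):
            return "RCA_NOT_VALIDATED"  # no evidence the fix was verified effective
    return "OK"


def audit_repeat_incidents(incidents: List[Dict[str, Optional[str]]],
                           register: Dict[str, Dict[str, object]],
                           min_count: int = 3) -> List[Finding]:
    """Return one finding per repeating cluster, sorted by category and system for a stable report."""
    findings: List[Finding] = []
    for (category, system), group in sorted(cluster_incidents(incidents, min_count).items()):
        findings.append(Finding(category=category, system=system, count=len(group),
                                incident_ids=[str(inc["id"]) for inc in group],
                                status=assess_rca(group, register)))
    return findings


if __name__ == "__main__":
    for f in audit_repeat_incidents(INCIDENTS, RCA_REGISTER):
        print(f"{f.status:<24} {f.category} on {f.system}: {f.count} incidents {f.incident_ids}")
```

The two "Disk full" tickets fall below the repeat threshold and are not reported, the "Failed logon" cluster is matched despite inconsistent ticket text because the key is normalized, and each flagged cluster carries a status that tells the auditor exactly which piece of evidence to request next: the RCA itself, the missing corrective action, or proof that the fix was validated.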

Question 18

Which analytical method is most suitable for detecting fraud when there are many input variables to evaluate?

  • ✓ C. Neural networks

The correct answer is Neural networks.

Neural networks are well suited to fraud detection when many input variables must be evaluated because they can learn complex, nonlinear relationships and interactions among large numbers of features. They can automatically discover hierarchical patterns in the data and scale to high dimensional inputs and large datasets, which helps reveal subtle and combined signals of fraud that simpler methods may miss.

BigQuery ML is a platform for training models inside BigQuery and not an analytical method by itself. It can be used to build models, including neural networks, but the option names a tool rather than the underlying analytical approach that best handles many input variables.

Random forests are a strong ensemble method and they handle many variables and noisy features well. They are often a good baseline, but they may not capture very deep, high dimensional feature interactions as effectively as Neural networks for certain complex fraud detection problems.

Expert systems rely on human defined rules and are not designed to automatically discover complex patterns when many inputs interact. They are not well suited to large scale, data driven fraud detection that requires learning from examples.

When a question emphasizes many input variables and complex patterns, choose methods that learn feature interactions automatically, such as neural networks, rather than rule based systems or options that merely name a platform.

Question 19

You are leading an audit at Lakeshore Solutions which maintains a mature enterprise risk program that each division follows. What is the most effective way for the audit team to leverage this risk management maturity?

  • ✓ C. Plan audit activities using the enterprise risk register to focus on the highest risk areas

The correct option is Plan audit activities using the enterprise risk register to focus on the highest risk areas.

Using the enterprise risk register lets the audit team concentrate effort where the organization already identifies the greatest risks. This approach leverages the mature risk program and aligns audit scope with business priorities so work is efficient and impactful.

Planning from the enterprise risk register also helps the auditors validate that controls and mitigations are operating for the highest rated risks. It reduces redundant reviews and supports consistent, risk based coverage across divisions that follow the enterprise program.

Deploy Google Cloud Security Command Center to add additional controls is incorrect because deploying a specific security product is a remediation or implementation action and not a way to plan an audit. The audit should use existing risk artifacts to focus testing rather than proposing tool deployments as the primary planning method.

Recommend enhancements to the risk program after completing the audit is incorrect because it is reactive and it does not leverage the program’s existing maturity for planning. The question asks how to most effectively leverage that maturity during audit planning and recommending later changes misses the opportunity to focus the audit on known high risks now.

Conduct a detailed review of the organization wide risk policies and procedures is incorrect because a mature program means policies are already established and followed across divisions. A detailed policy review is often lower value than testing risks and controls tied to the highest rated items in the register, so it is less effective for targeting audit effort.

When an organization has a mature risk program, look for answers that use the risk register or other existing artifacts to prioritize audit scope and focus on the highest impact areas.

Question 20

What must an IT auditor confirm provides support for the audit conclusions?

  • ✓ B. Adequate and appropriate audit evidence

Adequate and appropriate audit evidence is the correct option because auditors must obtain sufficient and reliable evidence to support their audit conclusions.

Audit evidence must be sufficient in quantity and appropriate in quality which means it must be relevant to the audit objectives and reliable for the assertions being tested. Auditors combine procedures such as inspection, observation, confirmation, recalculation, and inquiry to gather a body of evidence that provides a reasonable basis for their conclusions.

Cloud Audit Logs can be a valuable source of evidence because they record activities and changes in cloud environments. However they are only a single type of evidence and by themselves they may not be sufficient or fully appropriate to support all audit conclusions.

Management representations are statements from management that are useful as part of the evidence mix and they can address matters that are difficult to verify. Auditing standards indicate that representations alone are not adequate and they require corroboration from other evidence.

When a question asks what must support audit conclusions, focus on terms about sufficiency and reliability. Adequate and appropriate points to both the quantity and quality of evidence, so choose options that reflect that.


Cameron McKenzie is an AWS Certified AI Practitioner, Machine Learning Engineer, Copilot Expert, Solutions Architect and author of many popular books in the software development and Cloud Computing space. His growing YouTube channel training devs in Java, Spring, AI and ML has well over 30,000 subscribers.