ISACA CISA Practice Test

Try 12 Certified Information Systems Auditor (CISA) sample questions and practice-test preview prompts on audit planning, evidence, governance, IT operations, systems acquisition, and information-asset protection.

Certified Information Systems Auditor (CISA) is ISACA’s IT audit and assurance credential. It is a strong candidate for scenario-based practice because questions often require choosing the best audit step, evidence source, control implication, or governance response.

Use these 12 original sample questions for initial self-assessment. The full IT Mastery route for CISA is not available yet; try the preview and use the Notify me form if this is your target route.

What this route should test

  • audit planning, scope, risk, evidence, and reporting decisions
  • governance and management of information systems
  • systems acquisition, development, implementation, operations, resilience, and information-asset protection
  • recognizing the difference between an auditor’s role and management’s role

Common candidate trap

CISA questions often ask for the best audit response, not the best technical fix. Practice should train role discipline: identify the evidence, report the finding, or evaluate the control without taking over management’s job.

Sample Exam Questions

These questions are original IT Mastery preview items for CISA audit and assurance judgment. They are not official ISACA exam questions.

Question 1

Topic: audit role

During an audit, the auditor finds that privileged access reviews are not performed for a critical finance system. What is the best auditor response?

  • A. Remove the privileged accounts immediately
  • B. Document the condition, obtain evidence, assess risk, and report the control weakness through the audit process
  • C. Rewrite the access policy
  • D. Approve all existing privileged accounts

Best answer: B

Explanation: The auditor should evaluate and report the control issue, not take over management’s responsibility for remediation. Evidence, risk impact, and clear reporting are central to CISA-style reasoning.


Question 2

Topic: evidence quality

Which evidence is generally strongest when testing whether production changes were approved before deployment?

  • A. A developer’s verbal statement that approvals usually happen
  • B. A screenshot of the login page
  • C. A project plan with no approval detail
  • D. System-generated workflow records showing approval timestamps before implementation

Best answer: D

Explanation: System-generated records tied to the actual change workflow are stronger than verbal statements or unrelated documents because they are produced independently of the person being audited and can be re-performed. CISA questions often test evidence reliability and relevance. The practical caveat: such records are only as reliable as the system that produced them, so the auditor should also confirm that approval timestamps are set by the workflow tool rather than typed in, and that the requester cannot edit or backdate the record.


Question 3

Topic: audit planning

An audit begins with low-risk scope assumptions, but recent incidents show repeated unauthorized changes in the same environment. What should the auditor do?

  • A. Reassess risk and adjust audit scope or procedures as needed
  • B. Ignore the incidents because the plan is already approved
  • C. Cancel all audit testing
  • D. Test only the lowest-risk controls

Best answer: A

Explanation: Audit planning is risk-based. New information that changes risk should affect scope, testing depth, or audit procedures.


Question 4

Topic: remediation ownership

An auditor recommends stronger segregation of duties. Management asks the auditor to design the new access matrix. What is the best response?

  • A. Design the matrix and approve it
  • B. Assign all access personally
  • C. Preserve independence by explaining the control objective while management designs and owns remediation
  • D. Stop the audit

Best answer: C

Explanation: Auditors can clarify criteria and risk, but management owns control design and implementation. Taking over remediation can impair independence.


Question 5

Topic: change management

An application team migrates emergency changes to production before formal approval, then documents approval after the fact. What is the key audit concern?

  • A. Emergency changes are always prohibited
  • B. Documentation style is the only issue
  • C. Developers used the wrong font in the ticket
  • D. Emergency-change authorization, review, testing, and post-implementation control may be weak

Best answer: D

Explanation: Emergency changes may be legitimate, but they still need authorization by a designated approver (even if given verbally under time pressure), testing appropriate to the risk, documentation within a defined period, and post-implementation review. Documentation created only after the fact does not by itself show that an authorized person approved the change before it reached production, and a high volume of emergency changes can indicate that the normal change process is being bypassed.
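Questions 2 and 5 both turn on the same test: does the system-generated workflow record show authorization before deployment, and, for emergency changes, was the retrospective approval and post-implementation review actually completed? The script below is an added illustration of that test as an auditor might run it over an exported change log; it is not part of the original page and not an ISACA artifact. The change records, the 24-hour emergency-approval window and the field names are constructed assumptions.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample of change-workflow records (assumed export format, not real data).
# A real extract would come from the ticketing tool's database or API, and the
# auditor would first confirm that approved_at is set by the tool, not typed in.
SAMPLE_CHANGES: List[dict] = [
    {"id": "CHG-1001", "type": "standard",  "approved_at": "2026-05-04T09:12:00", "deployed_at": "2026-05-04T18:00:00", "pir_done": True},
    {"id": "CHG-1002", "type": "standard",  "approved_at": "2026-05-05T20:30:00", "deployed_at": "2026-05-05T17:45:00", "pir_done": True},   # approved after deployment
    {"id": "CHG-1003", "type": "emergency", "approved_at": "2026-05-06T03:10:00", "deployed_at": "2026-05-06T02:05:00", "pir_done": True},   # retro approval within window, PIR done
    {"id": "CHG-1004", "type": "emergency", "approved_at": "2026-05-09T10:00:00", "deployed_at": "2026-05-07T01:00:00", "pir_done": False},  # late approval, no PIR
    {"id": "CHG-1005", "type": "standard",  "approved_at": None,                  "deployed_at": "2026-05-08T11:00:00", "pir_done": False},  # no approval at all
]

# Assumed policy value: an emergency change must be formally approved within 24 hours.
EMERGENCY_APPROVAL_WINDOW = timedelta(hours=24)


def _parse(ts: Optional[str]) -> Optional[datetime]:
    """Parse an ISO 8601 timestamp; None stays None (missing approval)."""
    return datetime.fromisoformat(ts) if ts else None


def evaluate_changes(records: List[dict], window: timedelta = EMERGENCY_APPROVAL_WINDOW) -> Dict[str, List[str]]:
    """Return change IDs grouped by the control exception they represent.

    Standard changes: approval must precede deployment.
    Emergency changes: approval may follow deployment, but only within the policy
    window, and a post-implementation review (PIR) must be recorded.
    """
    findings: Dict[str, List[str]] = {
        "no_approval": [],
        "approved_after_deploy": [],
        "late_emergency_approval": [],
        "emergency_without_pir": [],
    }
    for r in records:
        deployed = _parse(r["deployed_at"])
        approved = _parse(r["approved_at"])
        if approved is None:
            findings["no_approval"].append(r["id"])
            continue
        if r["type"] == "emergency":
            if approved > deployed + window:
                findings["late_emergency_approval"].append(r["id"])
            if not r["pir_done"]:
                findings["emergency_without_pir"].append(r["id"])
        elif approved > deployed:
            findings["approved_after_deploy"].append(r["id"])
    return findings


def exception_rate(records: List[dict], findings: Dict[str, List[str]]) -> float:
    """Share of changes with at least one exception, useful for sizing the finding."""
    flagged = {cid for ids in findings.values() for cid in ids}
    return len(flagged) / len(records) if records else 0.0


if __name__ == "__main__":
    result = evaluate_changes(SAMPLE_CHANGES)
    for kind, ids in result.items():
        print(f"{kind}: {ids}")
    print(f"exception rate: {exception_rate(SAMPLE_CHANGES, result):.0%}")
```

The output is audit evidence of the control's operation, not a remediation: the auditor reports the exceptions with the population and sample size, and management decides how to fix the process.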


Question 6

Topic: resilience

Management states that backups are performed nightly. What evidence best supports recoverability?

  • A. A backup policy title
  • B. Successful restore-test results and evidence that recovery objectives can be met
  • C. A list of server names only
  • D. A screenshot of the storage dashboard without test results

Best answer: B

Explanation: Backup existence is not the same as recoverability. Evidence that restores have actually been performed, and that the restored systems met the agreed recovery time and recovery point objectives, is more relevant to business resilience than a policy or a dashboard showing that jobs ran.


Question 7

Topic: third-party risk

A business-critical process is outsourced to a service provider. What should the auditor assess first?

  • A. Contractual control responsibilities, service commitments, audit rights, and assurance evidence
  • B. The provider’s logo
  • C. Whether the provider has a larger office
  • D. The colour of the vendor dashboard

Best answer: A

Explanation: Outsourcing does not remove accountability. The auditor should evaluate governance, control responsibilities, monitoring, and evidence that provider controls support business requirements.


Question 8

Topic: access review

An access review asks managers to approve lists of users, but managers do not know what the system roles allow. What is the main control weakness?

  • A. The review list is too short
  • B. The system has too many screens
  • C. Reviewers lack enough role and privilege context to make a meaningful certification
  • D. The review is performed by email

Best answer: C

Explanation: Access reviews need informed reviewers. If managers cannot understand privileges, the review may become a rubber-stamp control.
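Questions 4 and 8 describe two related audit tests on the same data: whether reviewers are shown what the roles actually grant, and whether role combinations violate management's segregation-of-duties rules. The script below is an added example of how an auditor can enrich a user-role export with that context and surface the exceptions; it is not part of the original page. The role definitions, conflict pairs, high-risk privilege list and user assignments are all constructed assumptions.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample (not real data): role-to-privilege definitions as exported
# from the application's security configuration.
ROLE_PRIVILEGES: Dict[str, Set[str]] = {
    "AP_CLERK":    {"vendor.create", "invoice.enter"},
    "AP_APPROVER": {"invoice.approve"},
    "PAYMENTS":    {"payment.release"},
    "SYS_ADMIN":   {"user.admin", "config.edit"},
    "READ_ONLY":   {"report.view"},
}

# Management's segregation-of-duties rules (assumed), stated as privilege pairs
# that one person must not hold together. The auditor tests against these;
# designing them remains management's job.
SOD_CONFLICTS: List[Tuple[str, str]] = [
    ("vendor.create", "payment.release"),
    ("invoice.enter", "invoice.approve"),
]

# Privileges that warrant explicit reviewer attention (assumed list).
HIGH_RISK: Set[str] = {"user.admin", "config.edit", "payment.release"}

# Constructed user-role export for the quarterly review.
USER_ROLES: List[dict] = [
    {"user": "alice", "roles": ["AP_CLERK", "PAYMENTS"]},
    {"user": "bob",   "roles": ["AP_APPROVER"]},
    {"user": "carol", "roles": ["SYS_ADMIN", "READ_ONLY"]},
    {"user": "dave",  "roles": ["AP_CLERK", "AP_APPROVER"]},
    {"user": "erin",  "roles": ["LEGACY_ROLE"]},   # role no longer defined in the system
]


def effective_privileges(roles: List[str]) -> Set[str]:
    """Expand a user's roles into the concrete privileges they grant."""
    return set().union(*(ROLE_PRIVILEGES.get(r, set()) for r in roles))


def build_review_sheet(assignments: List[dict]) -> List[dict]:
    """One line per user, enriched so the reviewer certifies something concrete:
    the privileges granted, any SoD conflict, high-risk rights, and roles that
    no longer exist in the role definitions."""
    sheet = []
    for a in assignments:
        privs = effective_privileges(a["roles"])
        sheet.append({
            "user": a["user"],
            "roles": a["roles"],
            "privileges": sorted(privs),
            "high_risk": sorted(privs & HIGH_RISK),
            "sod_conflicts": [p for p in SOD_CONFLICTS if p[0] in privs and p[1] in privs],
            "undefined_roles": [r for r in a["roles"] if r not in ROLE_PRIVILEGES],
        })
    return sheet


def exceptions(sheet: List[dict]) -> Dict[str, List[str]]:
    """Users the auditor would sample or report, grouped by exception type."""
    return {
        "sod": [row["user"] for row in sheet if row["sod_conflicts"]],
        "high_risk": [row["user"] for row in sheet if row["high_risk"]],
        "undefined_role": [row["user"] for row in sheet if row["undefined_roles"]],
    }


if __name__ == "__main__":
    sheet = build_review_sheet(USER_ROLES)
    for row in sheet:
        print(row)
    print(exceptions(sheet))
```

A review list that shows only user names and role codes leaves the manager nothing to judge; the enriched sheet is what turns the certification from a rubber stamp into a control, and the exception lists are the auditor's evidence that the SoD rules are, or are not, being enforced.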


Question 9

Topic: incident response audit

After a security incident, what audit evidence is most useful for assessing whether the response process operated effectively?

  • A. A marketing announcement
  • B. The incident team’s office location
  • C. A password reset screen
  • D. Incident timeline, escalation records, containment actions, communications, lessons learned, and closure evidence

Best answer: D

Explanation: Effective incident response is demonstrated by process evidence: detection, escalation, containment, communication, review, and improvement.


Question 10

Topic: data integrity

An interface transfers customer records from one system to another nightly. What audit test best addresses completeness and accuracy?

  • A. Ask whether users like the interface
  • B. Reconcile source and target counts, exceptions, transformations, and error handling
  • C. Review only the interface name
  • D. Confirm that both systems have dashboards

Best answer: B

Explanation: Data-interface assurance requires reconciling what was sent, transformed, rejected, and received: record counts and control totals on both sides, the exception log, and a re-performance of the documented transformation rules on a sample. Records that vanish without appearing in the reject log, or that appear in the target without a source, are the classic findings. Counts and exception handling are stronger than surface-level review.
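The reconciliation described in Question 10, carried through as an added example (not from the original page): the source extract, the target extract and the interface's reject log are compared for completeness (every source record is either loaded or rejected, nothing extra appears), accuracy (the documented transformation is re-performed), and control totals. The three data sets and the transformation rule (amount to integer cents, country code upper-cased) are constructed assumptions.

```python
from decimal import Decimal
from typing import Dict, List, Set

# Constructed sample extracts (not real data) from a nightly customer interface.
SOURCE: List[dict] = [
    {"cust_id": "C001", "balance": "100.50", "country": "gb"},
    {"cust_id": "C002", "balance": "20.00",  "country": "de"},
    {"cust_id": "C003", "balance": "-5.25",  "country": "fr"},   # interface should reject negatives
    {"cust_id": "C004", "balance": "75.00",  "country": "us"},
    {"cust_id": "C005", "balance": "10.00",  "country": "nl"},
]
TARGET: List[dict] = [
    {"cust_id": "C001", "balance_cents": 10050, "country": "GB"},
    {"cust_id": "C002", "balance_cents": 2000,  "country": "DE"},
    {"cust_id": "C004", "balance_cents": 7500,  "country": "us"},   # transformation not applied
    {"cust_id": "C999", "balance_cents": 1,     "country": "XX"},   # no corresponding source record
]
# Interface error log: every rejected record should appear here with a reason.
REJECTS: List[dict] = [
    {"cust_id": "C003", "reason": "negative balance"},
]


def to_cents(amount: str) -> int:
    """Exact decimal-to-cents conversion; float would introduce rounding noise."""
    return int((Decimal(amount) * 100).to_integral_value())


def expected_target(row: dict) -> dict:
    """Re-perform the documented transformation rule (assumed) on a source row."""
    return {"cust_id": row["cust_id"], "balance_cents": to_cents(row["balance"]), "country": row["country"].upper()}


def reconcile(source: List[dict], target: List[dict], rejects: List[dict]) -> Dict[str, object]:
    """Completeness, accuracy and control-total checks across the interface."""
    src = {r["cust_id"]: r for r in source}
    tgt = {r["cust_id"]: r for r in target}
    rej: Set[str] = {r["cust_id"] for r in rejects}

    missing = sorted(k for k in src if k not in tgt and k not in rej)          # dropped silently
    orphans = sorted(k for k in tgt if k not in src)                          # appeared from nowhere
    rejected_but_loaded = sorted(k for k in rej if k in tgt)                  # error handling failed
    transform_errors = sorted(k for k in src if k in tgt and expected_target(src[k]) != tgt[k])

    src_total = sum(to_cents(r["balance"]) for r in source)
    rej_total = sum(to_cents(src[k]["balance"]) for k in rej if k in src)
    tgt_total = sum(r["balance_cents"] for r in target)

    return {
        "records_sent": len(source),
        "records_loaded": len(target),
        "records_rejected": len(rejects),
        "missing_from_target": missing,
        "orphans_in_target": orphans,
        "rejected_but_loaded": rejected_but_loaded,
        "transformation_errors": transform_errors,
        "source_total_cents": src_total,
        "rejected_total_cents": rej_total,
        "target_total_cents": tgt_total,
        # The control total only agrees when sent minus rejected equals loaded.
        "totals_agree": src_total - rej_total == tgt_total,
        "complete_and_accurate": not (missing or orphans or rejected_but_loaded or transform_errors)
                                 and src_total - rej_total == tgt_total,
    }


if __name__ == "__main__":
    for key, value in reconcile(SOURCE, TARGET, REJECTS).items():
        print(f"{key}: {value}")
```

On this constructed data the test surfaces one record dropped without a reject entry (C005), one orphan in the target (C999), and one record where the documented transformation was not applied (C004); the control totals disagree accordingly. Each is a reportable exception, and the counts give the finding its population and magnitude.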


Question 11

Topic: audit reporting

Which audit finding is most useful to management?

  • A. A finding that states criteria, condition, cause, risk/effect, and a practical recommendation
  • B. A vague statement that “security is bad”
  • C. A list of opinions without evidence
  • D. A finding with no risk impact

Best answer: A

Explanation: Useful findings connect evidence to criteria, impact, cause, and action. This helps management prioritize remediation.


Question 12

Topic: independence

An auditor previously helped implement the control being audited. What should happen?

  • A. The auditor should ignore the prior involvement
  • B. The auditor should certify the control as effective
  • C. The potential impairment should be disclosed and the audit assignment adjusted if independence is affected
  • D. The control should be removed

Best answer: C

Explanation: Prior implementation involvement can impair objectivity. The issue should be disclosed and managed through reassignment or other safeguards.

CISA quick checklist

Area and what to check:

  • Role discipline: choose audit evaluation and reporting steps, not management remediation work.
  • Evidence: prefer reliable, relevant, independently verifiable evidence.
  • Risk focus: adjust scope and testing when new risk information appears.
  • Findings: connect condition, criteria, cause, risk, and recommendation clearly.
Revised on Monday, May 18, 2026