Topic 1: Exam Pool A
Which of the following BEST describes a common risk in implementing a new application software package?
A.
Sensitivity of transactions is high
B.
Transaction volume is excessive
C.
The application lacks audit trails.
D.
Parameter settings are incorrect
Parameter settings are incorrect
Packaged software is tailored to the organization through its parameters, so mis-set parameters are the characteristic implementation risk; a package that lacks audit trails is a selection problem, not an implementation one.
Which of the following BEST describes the relationship between vulnerability scanning and penetration testing?
A.
For entities with regulatory drivers, the two tests must be the same
B.
Both are labor-intensive in preparation, planning and execution.
C.
Both utilize a risk-based analysis that considers threat scenarios.
D.
The scope of both is determined primarily by the likelihood of exploitation
Both utilize a risk-based analysis that considers threat scenarios.
Which of the following would provide the BEST evidence of successfully completed batch uploads?
A.
Reviewing process logs
B.
Enforcing batch cut-off times
C.
Using sequence controls
D.
Sign-off on the batch journal
Reviewing process logs
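As an added example for the batch-upload question above (this is illustration code, not part of the practice test), the script below does what an auditor reviewing process logs actually does: it pairs START/END records per batch, flags failed and unfinished batches, checks the batch sequence numbers for gaps, and reconciles logged record counts against control totals from the batch journal. The log line format, the batch IDs and the journal totals are all constructed for this example.

```python
"""Reconcile batch-upload process logs against batch control totals.

Added example for the practice question above; not part of the practice
test. The log line format, batch IDs and control totals are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumed (constructed) log format:
# <timestamp> <level> batch=<id> seq=<n> event=START|END [records=<n>] [status=OK|FAIL]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<level>\w+) batch=(?P<batch>\w+) seq=(?P<seq>\d+) "
    r"event=(?P<event>START|END)(?: records=(?P<records>\d+))?"
    r"(?: status=(?P<status>OK|FAIL))?$"
)

# Constructed sample: B1002 failed, seq 3 never appears, B1005 never finished.
SAMPLE_LOG = """\
2024-05-01T00:10:01Z INFO batch=B1001 seq=1 event=START
2024-05-01T00:12:40Z INFO batch=B1001 seq=1 event=END records=5000 status=OK
2024-05-01T00:15:02Z INFO batch=B1002 seq=2 event=START
2024-05-01T00:18:11Z INFO batch=B1002 seq=2 event=END records=4800 status=FAIL
2024-05-01T00:30:00Z INFO batch=B1004 seq=4 event=START
2024-05-01T00:33:20Z INFO batch=B1004 seq=4 event=END records=5100 status=OK
2024-05-01T00:40:00Z INFO batch=B1005 seq=5 event=START
"""

# Constructed control totals as recorded on the signed-off batch journal.
JOURNAL_TOTALS = {"B1001": 5000, "B1004": 5000}


@dataclass
class BatchReview:
    completed: list = field(default_factory=list)       # END with status=OK
    failed: list = field(default_factory=list)          # END without status=OK
    incomplete: list = field(default_factory=list)      # START with no END
    orphan_end: list = field(default_factory=list)      # END with no START
    missing_seq: list = field(default_factory=list)     # gaps in seq numbers
    total_mismatch: list = field(default_factory=list)  # (batch, journal, logged)
    unparsed: int = 0                                   # lines not matching LINE_RE


def review_batch_log(text: str, journal_totals: Optional[dict] = None) -> BatchReview:
    """Walk the log once; pair START/END, check status, sequence and totals."""
    journal_totals = journal_totals or {}
    review = BatchReview()
    open_batches = {}   # batch id -> seq, for batches started but not ended
    seen_seqs = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            review.unparsed += 1  # an auditor should ask why a line is unreadable
            continue
        batch, seq, event = m["batch"], int(m["seq"]), m["event"]
        seen_seqs.add(seq)
        if event == "START":
            open_batches[batch] = seq
            continue
        # event == "END"
        if open_batches.pop(batch, None) is None:
            review.orphan_end.append(batch)
        if m["status"] != "OK":
            review.failed.append(batch)
            continue
        review.completed.append(batch)
        logged = int(m["records"] or 0)
        expected = journal_totals.get(batch)
        if expected is not None and logged != expected:
            review.total_mismatch.append((batch, expected, logged))
    review.incomplete = sorted(open_batches)
    if seen_seqs:
        full = set(range(min(seen_seqs), max(seen_seqs) + 1))
        review.missing_seq = sorted(full - seen_seqs)
    return review


if __name__ == "__main__":
    print(review_batch_log(SAMPLE_LOG, JOURNAL_TOTALS))
```

Run against the sample, the review reports B1001 and B1004 as completed, B1002 as failed, B1005 as incomplete, sequence number 3 as missing, and a control-total mismatch for B1004 (journal 5000, log 5100). The point for the exam question is that the process log is the evidence of what actually ran; the sequence check and the journal totals are the controls you reconcile that evidence against.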
When conducting a requirements analysis for a project, the BEST approach would be to:
A.
prototype the requirements
B.
test operational deliverable
C.
consult key stakeholders
D.
conduct a control self-assessment
consult key stakeholders
Requirements analysis is about establishing what the business needs, which comes from the stakeholders; prototyping is a later technique for validating requirements that have already been gathered.
Which of the following should the IS auditor do FIRST to ensure data transfer integrity for Internet of Things (IoT) devices?
A.
Verify access control lists to the database where collected data is stored.
B.
Determine how devices are connected to the local network.
C.
Confirm that acceptable limits of data bandwidth are defined for each device.
D.
Ensure that message queue telemetry transport (MQTT) is used.
Determine how devices are connected to the local network.
Which of the following is MOST important for the improvement of an organization's incident response processes?
A.
Regular upgrades to incident management software
B.
Ongoing incident response training for users
C.
Post-event reviews by the incident response team
D.
Periodic walk-through of incident response procedures
Post-event reviews by the incident response team
For mission-critical applications with a low recovery time objective (RTO), which of the following is the BEST backup strategy?
A.
Archiving to conventional disk
B.
Use of virtual tape libraries
C.
Mirroring
D.
Frequent back-ups to tape
Mirroring
Which of the following would be MOST important for an IS auditor to review during an audit of an automated continuous monitoring process being used by the finance department?
A.
Resiliency of the monitoring service
B.
Configuration of the monitoring tool
C.
Management sign-off of test documentation
D.
Dual control and approvals embedded in processes
Configuration of the monitoring tool
Continuous monitoring is only as good as its configuration: the tool must be checking the right transactions against the right rules and thresholds. Resiliency of the service matters only once the monitoring itself is correct.
An airline's online booking system uses an automated script that checks whether fares are within the defined threshold of what is reasonable before the fares are displayed on the website. Which type of control is in place?
A.
Preventive control
B.
Corrective control
C.
Detective control
D.
Compensating control
Preventive control
An IS auditor is conducting a review of an organization's information systems and discovers data that is no longer needed by business applications. Which of the following would be the IS auditor's BEST recommendation?
A.
Ask the data custodian to remove it after confirmation from the business user
B.
Keep the data and protect it using a data classification policy
C.
Assess the data according to the retention policy.
D.
Back up the data to removable media and store in a secure area.
Assess the data according to the retention policy.
Data that applications no longer use must still be evaluated against the organization's retention policy (and any legal or regulatory hold) before it is removed or archived; copying it to removable media just creates an unmanaged copy.
An IS auditor should ensure that an application's audit trail:
A.
has adequate security.
B.
is accessible online.
C.
does not impact operational efficiency
D.
logs all database records.
has adequate security.
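As an added example for the audit-trail question above (illustration code, not part of the practice test), here is what "adequate security" for an audit trail can look like in practice: an HMAC hash chain that makes editing or deleting a record detectable. The key, the record layout and the sample entries are constructed for this example.

```python
"""Tamper-evident application audit trail using an HMAC hash chain.

Added example for the practice question above; not part of the practice
test. The key, sample entries and record layout are constructed.
"""
import hashlib
import hmac
import json
from typing import List, Optional

GENESIS = "0" * 64  # prev-hash of the first record


def _canonical(entry: dict) -> str:
    """Deterministic JSON so the same entry always hashes the same way."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":"))


def _link(key: bytes, prev_hash: str, entry: dict) -> str:
    """HMAC over (previous hash || canonical entry).

    A keyed MAC rather than a bare SHA-256 means someone with write access
    to the log store but without the key cannot re-link the chain after
    editing a record.
    """
    msg = prev_hash.encode() + b"\n" + _canonical(entry).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_entry(chain: List[dict], key: bytes, entry: dict) -> dict:
    """Append one audit record, linked to the previous one, and return it."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    record = {"entry": entry, "prev": prev_hash, "hash": _link(key, prev_hash, entry)}
    chain.append(record)
    return record


def verify_chain(chain: List[dict], key: bytes) -> Optional[int]:
    """Return the index of the first bad record, or None if the chain is intact."""
    prev_hash = GENESIS
    for i, record in enumerate(chain):
        if record["prev"] != prev_hash:
            return i  # a record was removed or reordered before this one
        expected = _link(key, prev_hash, record["entry"])
        if not hmac.compare_digest(record["hash"], expected):
            return i  # the entry was edited, or the wrong key is in use
        prev_hash = record["hash"]
    return None


def build_sample_chain(key: bytes) -> List[dict]:
    """Constructed sample: three application events by one user."""
    chain: List[dict] = []
    append_entry(chain, key, {"ts": "2024-05-01T09:00:00Z", "user": "alice",
                              "action": "login", "result": "ok"})
    append_entry(chain, key, {"ts": "2024-05-01T09:02:10Z", "user": "alice",
                              "action": "approve_payment", "id": 4711, "amount": 1250.00})
    append_entry(chain, key, {"ts": "2024-05-01T09:05:00Z", "user": "alice",
                              "action": "logout", "result": "ok"})
    return chain


if __name__ == "__main__":
    # Constructed key; in practice it is held by the logging service, not by
    # the application's database account, so application users cannot re-sign.
    key = b"constructed-demo-key"
    chain = build_sample_chain(key)
    print("intact:", verify_chain(chain, key))            # None
    chain[1]["entry"]["amount"] = 125000.00
    print("after editing record 1:", verify_chain(chain, key))  # 1
```

The chain detects edits, deletions and reordering of records already written. It does not by itself detect truncation of the most recent records, so the latest hash has to be anchored somewhere the log writer cannot reach (a separate log server, periodic sign-off, or a write-once store). Note that none of this requires logging every database record (option D); it requires that whatever is logged cannot be silently altered.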
Which of the following is MOST important to consider when creating audit follow-up procedures?
A.
Whether follow-up procedures would determine if identified risks have been mitigated
B.
Whether the auditee has allotted sufficient time for the follow-up
C.
Whether management has determined if risk is within the organization's risk appetite
D.
Whether the organization has sufficient funds to address the issue
Whether follow-up procedures would determine if identified risks have been mitigated
Real-World Scenario Mastery: Our CISA practice exams don't just test definitions. They present you with the same complex, scenario-based problems you'll encounter on the actual exam.
Strategic Weakness Identification: Each practice session reveals exactly where you stand. Discover which domains need more attention before exam day arrives.
Confidence Through Familiarity: There's no substitute for knowing what to expect. When you've worked through our comprehensive CISA practice exam question pool covering all topics, the real exam feels like just another practice session.