Topic 2: Exam Pool B
A post-implementation review of a system implementation has identified that the defined objectives were changed several times without the approval of the project board. What would the IS auditor do NEXT?
A. Determine whether the revised objectives are appropriate
B. Notify the project sponsor and request that the project be reopened.
C. Ask management to obtain retrospective approvals
D. Notify the project management office and raise a finding
Determine whether the revised objectives are appropriate
During the implementation of an upgraded enterprise resource planning (ERP) system, which of the following is the MOST important consideration for a go-live decision?
A. Post-implementation review objectives
B. Test cases
C. Rollback strategy
D. Business case
Rollback strategy
Which of the following should be an IS auditor's PRIMARY consideration when evaluating the development and design of a privacy program?
A. Information security and incident management practices
B. Industry practice and regulatory compliance guidance
C. Data governance and data classification procedures
D. Policies and procedures consistent with privacy guidelines
Policies and procedures consistent with privacy guidelines
While executing follow-up activities, an IS auditor is concerned that management has implemented corrective actions that are different from those originally discussed and agreed with the audit function. In order to resolve the situation, the IS auditor's BEST course of action would be to:
A. postpone follow-up activities and escalate the alternative controls to senior audit management
B. schedule another audit due to the implementation of alternative controls.
C. reject the alternative controls and re-prioritize the original issue as high risk.
D. determine whether the alternative controls sufficiently mitigate the risk and record the results
determine whether the alternative controls sufficiently mitigate the risk and record the results
Which of the following approaches would utilize data analytics to facilitate the testing of a new account creation process?
A. Review new account applications submitted in the past month for invalid dates of birth
B. Evaluate configuration settings for the date of birth field requirements.
C. Review the business requirements document for date of birth field requirements
D. Attempt to submit new account applications with invalid dates of birth
Review the business requirements document for date of birth field requirements
An organization has established three IS processing environments: development, test, and production. The MAJOR reason for separating the development and test environments is to:
A. perform testing in a stable environment
B. obtain segregation of duties between IS staff and end users
C. limit the users' access rights to the test environment
D. protect the programs under development from unauthorized testing
limit the users' access rights to the test environment
When determining the specifications for a server supporting an online application using more than a hundred endpoints, which of the following is the MOST important factor to be considered?
A. Cost-benefit comparison between the available systems
B. High availability of different systems
C. Transaction volume estimate during peak periods
D. Reputation of the vendors and their customer base
Transaction volume estimate during peak periods
Which of the following is the BEST time for an IS auditor to perform a post-implementation review?
A. Before decommissioning the legacy system
B. Immediately after the new system goes into production
C. After the completion of user testing
D. When the system has stabilized
When the system has stabilized
Following a recent internal data breach, an IS auditor was asked to evaluate information security practices within the organization. Which of the following findings would be MOST important to report to senior management?
A. Desktop passwords do not require special characters
B. Employees are not required to sign a non-compete agreement.
C. Users lack technical knowledge related to security and data protection
D. Security education and awareness workshops have not been completed
Security education and awareness workshops have not been completed
What is the MOST important business concern when an organization is about to migrate a mission-critical application to a virtual environment?
A. Adequacy of the fallback procedures
B. Adequacy of the virtual architecture
C. The organization's experience with virtual applications
D. Confidentiality of network traffic
Adequacy of the fallback procedures
An organization implements a data loss prevention tool as a control to mitigate the risk of sensitive data leaving the organization via electronic mail. Which of the following would provide the BEST indication of adequate control design?
A. Management has formally approved the control design
B. Rules enforced by the tool were based on the classification of the data.
C. Management presents evidence that data loss incidents have decreased
D. Security administrators can demonstrate the functions of the tool
Rules enforced by the tool were based on the classification of the data.
Which of the following is the MOST effective control for a utility program?
A. Allowing only authorized personnel to use the program
B. Storing the program in a production library
C. Renaming the versions in the programmers' libraries
D. Installing the program on a separate server
Allowing only authorized personnel to use the program