Topic 2: Exam Pool B
Which of the following should be the PRIMARY consideration when developing an IT strategy?
A. Alignment with the IT investment portfolio
B. IT key performance indicators based on business objectives
C. Short and long-term plans for the enterprise IT architecture
D. Alignment with overall business objectives
Alignment with the IT investment portfolio
..risk that the IS auditor will not find an error that has occurred is identified by which of the following terms?
A. Control
B. Prevention
C. Inherent
D. Detection
Detection
Which of the following is the BEST reason for an organization to develop a business continuity plan?
A. To avoid the costs resulting from the failure of key systems and processes
B. To establish business unit prioritization of systems projects, and strategies
C. To develop a detailed description of information systems and processes
D. To identify the users of information systems and processes
To establish business unit prioritization of systems projects, and strategies
Which of the following should be reviewed FIRST when planning an IS audit?
A. IS audit standards
B. Annual business unit budget
C. Recent financial information
D. The business environment
The business environment
A maturity model is useful in the assessment of IT service management because it:
A. defines the level of control required to meet business needs
B. provides a benchmark for process improvement
C. specifies the mechanism needed to achieve defined service levels
D. indicates the service levels required for the business area
provides a benchmark for process improvement
The MOST critical security weakness of a packet level firewall is that it can be circumvented by:
A. using a dictionary attack of encrypted passwords
B. deciphering the signature information of the packets
C. intercepting packets and viewing passwords sent in clear text
D. changing the source address on incoming packets
deciphering the signature information of the packets
Which of the following is a detective control?
A. Echo checks in telecommunications
B. Programmed edit checks
C. A router rule restricting a service
D. Procedures for authorizing transactions
Programmed edit checks
An organization uses electronic funds transfer (EFT) to pay its vendors. Which of the following should be an IS auditor's MAIN focus while reviewing controls in the accounts payable application?
A. Amount of disbursements
B. Volume of transactions
C. Changes to the vendor master file
D. Frequency of transactions
Changes to the vendor master file
Which of the following would BEST facilitate the detection of internal fraud perpetrated by an individual?
A. Mandatory leave
B. Flexible time
C. Corporate fraud hotline
D. Segregation of duties
Mandatory leave
When evaluating the recent implementation of an intrusion detection system (IDS), an IS auditor should be MOST concerned with inappropriate:
A. training
B. encryption
C. tuning
D. patching
tuning
The PRIMARY advantage of object-oriented technology is enhanced:
A. management of sequential program execution for data access
B. management of a restricted variety of data types for a data object
C. grouping of objects into methods for data access
D. efficiency due to the re-use of elements of logic
grouping of objects into methods for data access
When reviewing backup policies, an IS auditor MUST verify that backup intervals of critical systems do not exceed which of the following?
A. Service level objective (SLO)
B. Recovery time objective (RTO)
C. Maximum acceptable outage (MAO)
D. Recovery point objective (RPO)
Recovery point objective (RPO)