Free CISA Practice Test Questions 2026

1020 Questions




Topic 2: Exam Pool B

An IS auditor has discovered that unauthorized customer management software was installed on a workstation. The auditor determines the software has been uploading customer data to an external party. Which of the following is the IS auditor's BEST course of action?


A. Determine the number of customer records that were uploaded

B. Notify the incident response team.

C. Review other workstations to determine the extent of the incident

D. Present the issue at the next audit progress meeting


B. Notify the incident response team.



The grants management system is used to calculate grant payments. Once per day, a batch interface extracts grant amounts and payee details from this system for import into the finance system so payments can be made overnight. Which of the following controls provides the GREATEST assurance of the accuracy and completeness of the imported payment


A. Reconciling data from both systems

B. Restricting access to the grants and finance systems

C. Reviewing transaction logs for anomalies

D. Performing monthly bank reconciliations in a timely manner


A. Reconciling data from both systems



What is the BEST population to select from when testing that programs are migrated to production with proper approval?


A. List of changes provided by application programming managers

B. Change advisory board meeting minutes

C. Completed change request forms

D. List of production programs


D. List of production programs



Which of the following should be an IS auditor's FIRST activity when planning an audit?


A. Identify proper resources for audit activities.

B. Gain an understanding of the area to be audited.

C. Create a list of key controls to be reviewed.

D. Document specific questions in the audit program


B. Gain an understanding of the area to be audited.



The MAIN reason an organization’s incident management procedures should include a post-incident review is to:


A. enable better reporting for executives and the audit committee

B. improve processes by learning from identified weaknesses

C. take appropriate action when procedures are not followed

D. ensure evidence is collected for possible post-event litigation.


B. improve processes by learning from identified weaknesses



The IS auditor's PRIMARY role in control self-assessment (CSA) is to:


A. evaluate the controls.

B. facilitate the process.

C. identify weaknesses

D. draw up an action plan.


B. facilitate the process.



Which of the following projects would be MOST important to review in an audit of an organization's financial statements?


A. Automation of operational risk management processes

B. Resource optimization of the enterprise resource planning (ERP) system

C. Security enhancements to the customer relationship database

D. Outsourcing of the payroll system to an external service provider


D. Outsourcing of the payroll system to an external service provider



Both statistical and nonstatistical sampling techniques:


A. permit the auditor to quantify and fix the level of risk

B. permit the auditor to quantify the probability of error

C. provide each item an equal opportunity of being selected

D. require judgment when defining population characteristics


D. require judgment when defining population characteristics



An IS auditor finds that firewalls are outdated and not supported by vendors. Which of the following should be the auditor's NEXT course of action?


A. Report the security posture of the organization.

B. Report the mitigating control

C. Determine the value of the firewall.

D. Determine the risk of not replacing the firewall


B. Report the mitigating control



Which of the following features can be provided only by asymmetric encryption?


A. Data confidentiality

B. Information privacy

C. Nonrepudiation

D. 128-bit key length


A. Data confidentiality



Due to cost restraints, a company defers the replacement of hardware supporting core applications. Which of the following represents the GREATEST risk?


A. Eventual replacement may be more expensive.

B. Future upgrades may not be possible.

C. Maintenance costs may rise

D. Systems availability may suffer.


D. Systems availability may suffer.



The members of an emergency incident response team should be:


A. restricted to IT personnel

B. appointed by the CISO

C. selected from multiple departments

D. assigned at the time of each incident


C. selected from multiple departments





What Makes Our Practice Test So Effective?

Real-World Scenario Mastery: Our CISA practice exams don't just test definitions. They present you with the same complex, scenario-based problems you'll encounter on the actual exam.

Strategic Weakness Identification: Each practice session reveals exactly where you stand. Discover which domains need more attention, before exam day arrives.

Confidence Through Familiarity: There's no substitute for knowing what to expect. When you've worked through our comprehensive CISA practice exam questions pool covering all topics, the real exam feels like just another practice session.