Topic 3: Exam Pool C
A potential risk of executing a program on an Internet site is that it may:
A.
install executable code on the computer.
B.
lack version control, which may result in the use of an older program.
C.
overwrite system files with older versions
D.
be browser-dependent, and therefore abort.
lack version control, which may result in the use of an older program.
Which of the following occurs during the issues management process for a system development project?
A.
Contingency planning
B.
Impact assessment
C.
Configuration management
D.
Help desk management
Configuration management
An IS auditor has completed a review of an outsourcing agreement and has communicating the issues at a meeting with senior management?
A.
Present a completed report and discuss the details.
B.
Provide a detailed report in advance and open the floor to questions.
C.
Present an overview highlighting the key findings.
D.
Provide a plan of action and milestones
Present an overview highlighting the key findings.
Which type of risk would MOST influence the selection of a sampling methodology?
A.
Control
B.
Inherent
C.
Residual
D.
Detection
Control
Which of the following is MOST important when planning a network audit?
A.
Determination of IP range in use
B.
Isolation of rogue access points
C.
Identification of existing nodes
D.
Analysis of traffic content
Isolation of rogue access points
An IS audit report highlighting inadequate network internal controls is challenged because no serious incident has ever occurred. Which of the following actions performed during the audit would have BEST supported the findings?
A.
Compliance testing
B.
Threat risk assessment
C.
Penetration testing
D.
Vulnerability assessment
Vulnerability assessment
Internal audit reports should be PRIMARILY written for and communicated to:
A.
audit management as they are responsible for the quality of the audit.
B.
external auditors, as they provide an opinion on the financial statements.
C.
auditees, as they will eventually have to implement the recommendations
D.
senior management as they should be informed about the identified risks.
senior management as they should be informed about the identified risks.
Which of the following would provide the MOST reliable evidence to indicate whether employee access has been deactivated in a timely manner following termination?
A.
Comparing termination forms with dates in the HR system
B.
Reviewing hardware return-of-asset forms
C.
Interviewing supervisors to verify employee data is being updated immediately
D.
Comparing termination forms with system transaction log entries
Comparing termination forms with system transaction log entries
To effectively classify data, which of the following MUST be determined?
A.
Data controls
B.
Data ownership
C.
Data users
D.
Data volume
Data ownership
Which of the following control checks would utilize data analytics?
A.
Evaluating configuration settings for the credit card application system
B.
Reviewing credit card applications submitted in the past month for blank data fields
C.
Attempting to submit credit card applications with blank data fields
D.
Reviewing the business requirements document for the credit card application system
Reviewing credit card applications submitted in the past month for blank data fields
Which type of control is being implemented when a biometric access device is installed at the entrance to a facility?
A.
Preventive
B.
Deterrent
C.
Corrective
D.
Detective
Corrective
Which of the following is the BEST way to control scope creep during application system development?
A.
Involve key stakeholders.
B.
Implement project steering committee review.
C.
Implement a quality management system.
D.
Establish key performance indicators (KPIs).
Implement a quality management system.