Free CISA Practice Test Questions 2026

1020 Questions

Topic 3: Exam Pool C

An organization's data retention policy states that all data will be backed up, retained for 10 years, and then destroyed. When conducting an audit of the long-term offsite backup program, an IS auditor should:

A. verify that business owners review data before it is destroyed.
B. verify that there is a process to ensure readability and restore capability.
C. confirm that business interruption insurance coverage is in place.
D. review data classification schemes for appropriate security levels.

Answer: B. verify that there is a process to ensure readability and restore capability.


An IS auditor is planning to audit an organization's infrastructure for access, patching, and change management. Which of the following is the BEST way to prioritize the systems?

A. Complexity of the environment
B. Criticality of the system
C. System hierarchy within the infrastructure
D. System retirement plan

Answer: B. Criticality of the system


Which of the following are BEST suited for continuous auditing?

A. Manual transactions
B. Irregular transactions
C. Low-value transactions
D. Real-time transactions

Answer: B. Irregular transactions


Which of the following is the FIRST step when conducting a business impact analysis?

A. Identifying critical information resources
B. Identifying events impacting continuity of operations
C. Analyzing past transaction volumes
D. Creating a data classification scheme

Answer: A. Identifying critical information resources


The GREATEST benefit of risk-based auditing is that it:

A. demonstrates compliance with regulatory requirements.
B. enables alignment of resources to significant risk areas.
C. allows an organization to identify and eliminate low-risk areas.
D. identifies problem areas within an organization.

Answer: B. enables alignment of resources to significant risk areas.


A review of Internet security disclosed that users have individual user accounts with Internet service providers (ISPs) and use these accounts for downloading business data. The organization wants to ensure that only the corporate network is used. The organization should FIRST:

A. use a proxy server to filter out Internet sites that should not be accessed.
B. keep a manual log of Internet access.
C. monitor remote access activities.
D. include a statement in its security policy about Internet use.

Answer: A. use a proxy server to filter out Internet sites that should not be accessed.


Which of the following is a directive control?

A. Establishing an information security operations team
B. Updating data loss prevention software
C. Implementing an information security policy
D. Configuring data encryption software

Answer: C. Implementing an information security policy


During business process reengineering (BPR) of a bank's teller activities, an IS auditor should evaluate:

A. the impact of changed business processes.
B. the cost of new controls.
C. BPR project plans.
D. continuous improvement and monitoring plans.

Answer: A. the impact of changed business processes.


To create a digital signature in a message using asymmetric encryption, it is necessary to:

A. first use a symmetric algorithm for the authentication sequence.
B. encrypt the authentication sequence using a public key.
C. transmit the actual digital signature in unencrypted clear text.
D. encrypt the authentication sequence using a private key.

Answer: B. encrypt the authentication sequence using a public key.


Which of the following is the MOST likely cause of a successful firewall penetration?

A. Use of a Trojan to bypass the firewall
B. Loophole in firewall vendor's code
C. Virus infection
D. Firewall misconfiguration by the administrator

Answer: D. Firewall misconfiguration by the administrator


A security administrator should have read-only access for which of the following?

A. Router configuration
B. Password policy
C. Security logs
D. Services/daemons configuration

Answer: C. Security logs


Which of the following is the PRIMARY reason for an IS auditor to use computer-assisted audit techniques (CAATs)?

A. To efficiently test an entire population
B. To perform direct testing of production data
C. To conduct automated sampling for testing
D. To enable quicker access to information

Answer: A. To efficiently test an entire population




What Makes Our Practice Test So Effective?

Real-World Scenario Mastery: Our CISA practice exams don't just test definitions. They present you with the same complex, scenario-based problems you'll encounter on the actual exam.

Strategic Weakness Identification: Each practice session reveals exactly where you stand. Discover which domains need more attention before exam day arrives.

Confidence Through Familiarity: There's no substitute for knowing what to expect. When you've worked through our comprehensive pool of CISA practice exam questions covering all topics, the real exam feels like just another practice session.