Topic 1: Exam Pool A
An audit committee is reviewing an annual IT risk assessment. Which of the following is the BEST justification for the audits selected?
A. Underlying business risks
B. Applications impacted
C. Likelihood of an IT process failure
D. Key IT general process controls
Answer: Underlying business risks
Which of the following BEST provides continuous availability of network bandwidth for critical application services?
A. Configuration management
B. Quality of service (QoS)
C. Cloud computing
D. Problem management
Answer: Quality of service (QoS)
Which of the following is MOST likely to enable a hacker to successfully penetrate a system?
A. Unpatched software
B. Decentralized dialup access
C. Lack of DoS protection
D. Lack of virus protection
Answer: Unpatched software
The operations team of an organization has reported an IS security attack. Which of the following should be the NEXT step for the security incident response team?
A. Perform a damage assessment
B. Report results to management
C. Document lessons learned
D. Prioritize resources for corrective action
Answer: Prioritize resources for corrective action
Which of the following should be done FIRST when planning a penetration test?
A. Execute nondisclosure agreements (NDAs)
B. Define the testing scope
C. Determine reporting requirements for vulnerabilities
D. Obtain management consent for the testing
Answer: Execute nondisclosure agreements (NDAs)
To help ensure the accuracy and completeness of end-user computing output, it is MOST important to include strong:
A. documentation controls.
B. change management controls.
C. access management controls.
D. reconciliation controls.
Answer: reconciliation controls.
When developing a risk-based IS audit plan, the PRIMARY focus should be on functions:
A. with the most ineffective controls.
B. with the greatest number of threats.
C. considered critical to business operations.
D. considered important by IT management.
Answer: considered critical to business operations.
Which of the following would be MOST helpful when assessing how applications exchange data with other applications?
A. Results of a risk assessment on the applications
B. List of servers and their applications
C. Entity relationship diagram
D. Configuration management database
Answer: Entity relationship diagram
An IS auditor has completed a service level management audit related to order management services provided by a third party. Which of the following is the MOST significant finding?
A. The service level agreement does not define how availability is measured
B. Service desk support is not available outside the company's business hours
C. Penalties for missing service levels are limited
D. The third party has offshore support arrangements
Answer: The service level agreement does not define how availability is measured
On a daily basis, an in-house development team moves duplicate copies of production data containing personally identifiable information (PII) to the test environment. Which of the following is the BEST way to mitigate the privacy risk involved?
A. Require data owners to sign off on production data
B. Sanitize the data in the test environment
C. Encrypt the data file
D. Obtain customer opt-in acceptances
Answer: Sanitize the data in the test environment
Which of the following is the BEST IS audit strategy?
A. Limit audits to new application system developments
B. Conduct general control audits annually and application audits in alternating years
C. Perform audits based on impact and probability of error and failure
D. Cycle general control and application audits over a two-year period
Answer: Perform audits based on impact and probability of error and failure
During an external assessment of network vulnerability, which of the following activities should be performed FIRST?
A. Implement an intrusion detection system (IDS)
B. Review policies
C. Monitor the network
D. Collect network information
Answer: Review policies