Free CISA Practice Test Questions 2026

1020 Questions




Topic 6: Exam Pool (Jul-Aug)

An IS auditor concludes that a local area network's (LAN's) access security is satisfactory. In reviewing the work, the audit manager should:

A. re-perform some steps of the audit to verify the quality of the work
B. verify user management's agreement with the findings
C. assess whether the auditor had the appropriate skills to perform the work
D. verify that the elements of an agreed-upon audit plan have been addressed.

D. verify that the elements of an agreed-upon audit plan have been addressed.



When an organization is having new software implemented under contract, which of the following is key to controlling escalating costs due to scope creep?

A. Change management
B. Problem management
C. Quality management
D. Risk management

A. Change management



Which of the following would BEST detect that a distributed denial-of-service (DDoS) attack is occurring?

A. Server crashes
B. Penetration testing
C. Automated monitoring of logs
D. Customer service complaints

D. Customer service complaints



Which of the following is the MOST effective control to restrict the use of instant messaging (IM) within an organization?

A. Application-based firewall
B. Antivirus software
C. Intrusion detection system (IDS)
D. Packet filtering firewall

D. Packet filtering firewall



Which of the following is the PRIMARY reason for an IS auditor to map out the narrative of a business process?

A. To verify the business process is as described in the engagement letter
B. To identify the resources required to perform the audit
C. To ensure alignment with organizational objectives
D. To gain insight into potential risks

D. To gain insight into potential risks



A web application is developed in-house by an organization. Which of the following would provide the BEST evidence to an IS auditor that the application is secure from external attack?

A. Code review by a third party
B. Web application firewall implementation
C. Penetration test results
D. Database application monitoring logs

B. Web application firewall implementation



Which of the following is the MOST important control to help minimize the risk of data leakage from calls made to a business-to-business application programming interface (API)?

A. Deploying content inspection at the API gateway
B. Implementing API server clusters
C. Providing API security awareness training to developers
D. Implementing an API versioning system

A. Deploying content inspection at the API gateway



Which of the following controls would BEST decrease the exposure if a password is compromised?

A. Password changes are forced periodically
B. Passwords are encrypted.
C. Passwords are masked
D. Passwords have format restrictions

B. Passwords are encrypted.



Which of the following audit procedures would BEST assist an IS auditor in determining the effectiveness of a business continuity plan (BCP)?

A. Performing an assessment of BCP test documentation
B. Participating in BCP meetings held with user department managers
C. Performing a maturity assessment of BCP methodology against industry standards
D. Observing tests of the BCP performed at the alternate processing site

D. Observing tests of the BCP performed at the alternate processing site



During an audit, it is discovered that several suppliers with standing orders have been deleted from the supplier master file. Which of the following controls would have BEST prevented such an occurrence?

A. Logical relationship check
B. Table look-ups
C. Existence check
D. Referential integrity

D. Referential integrity



A database administrator (DBA) extracts a user listing for an auditor as testing evidence. Which of the following will provide the GREATEST assurance that the user listing is reliable?

A. Obtaining sign-off from the DBA to attest that the list is complete
B. Obtaining sign-off from the DBA to attest that the list is complete
C. Requesting a copy of the query that generated the user listing
D. Requesting a query that returns the count of the users
E. Witnessing the DBA running the query in-person

D. Requesting a query that returns the count of the users



Which of the following would help to ensure the completeness of batch file transfers?

A. Hash totals
B. Input controls
C. Self-checking digits
D. Parity check

A. Hash totals





What Makes Our Practice Test So Effective?

Real-World Scenario Mastery: Our CISA practice exams don't just test definitions. They present you with the same complex, scenario-based problems you'll encounter on the actual exam.

Strategic Weakness Identification: Each practice session reveals exactly where you stand. Discover which domains need more attention, before exam day arrives.

Confidence Through Familiarity: There's no substitute for knowing what to expect. When you've worked through our comprehensive CISA practice exam question pool covering all topics, the real exam feels like just another practice session.