Free CISA Practice Test Questions 2026

1020 Questions




Topic 6: Exam Pool (Jul-Aug)

Which of the following is the BEST key performance indicator (KPI) for determining how well the IT policy is aligned to the business requirements?


A. Number of inquiries regarding the policy
B. Total cost to support the policy
C. Number of approved exceptions to the policy
D. Total cost of policy breaches

Answer: C. Number of approved exceptions to the policy



An organization has outsourced the development of a core application. However, the organization plans to bring the support and future maintenance of the application back in-house. Which of the following findings should be the IS auditor's GREATEST concern?

A. A training plan for business users has not been developed.
B. The vendor development team is located overseas.
C. The cost of outsourcing is lower than in-house development.
D. The data model is not clearly documented.

Answer: D. The data model is not clearly documented.



A database audit reveals an issue with the way data ownership for client data is defined. Which of the following roles should be accountable for this finding?

A. Business management
B. Database administrator
C. Information security management
D. Privacy manager

Answer: A. Business management



Which of the following would be the PRIMARY benefit of replacing physical keys with an electronic badge system for access to a data center?

A. Tracking employee work hours
B. Increasing reliability
C. Increasing accountability
D. Maintaining compliance

Answer: C. Increasing accountability



Which of the following is the BEST way to increase the effectiveness of security incident detection?


A. Determining containment activities based on the type of incident
B. Documenting root cause analysis procedures
C. Educating end users on identifying suspicious activity
D. Establishing service level agreements (SLAs) with appropriate forensic service providers

Answer: C. Educating end users on identifying suspicious activity



An IS auditor notes that several of a client’s servers are vulnerable to attack due to open unused ports and protocols. The auditor recommends management implement minimum security requirements. Which type of control has been recommended?

A. Preventive
B. Corrective
C. Directive
D. Compensating

Answer: A. Preventive



An IS auditor notes that a number of application plug-ins currently in use are no longer supported. Which of the following is the auditor's BEST recommendation to management?

A. Implement role-based access controls
B. Review content backup and archiving procedures
C. Review on-boarding and off-boarding processes
D. Conduct a vulnerability assessment to determine exposure

Answer: D. Conduct a vulnerability assessment to determine exposure



When creating a new risk management program, it is CRITICAL to consider


A. the risk appetite
B. risk mitigation techniques.
C. compliance measures
D. resource utilization

Answer: A. the risk appetite



Which of the following is a benefit of requiring management to issue a report to stakeholders regarding the internal controls over IT?


A. Transparency of IT costs
B. Improved cost management
C. Improved portfolio management
D. Focus on IT governance

Answer: D. Focus on IT governance



Which of the following is the BEST way to help ensure new IT implementations align with enterprise architecture principles and requirements?

A. Consider stakeholder concerns when defining the enterprise architecture.
B. Conduct enterprise architecture reviews as part of the change advisory board.
C. Perform mandatory post-implementation reviews of IT implementations.
D. Document the security view as part of the enterprise architecture.

Answer: C. Perform mandatory post-implementation reviews of IT implementations.



An IS auditor is auditing the infrastructure of an organization that hosts critical applications within a virtual environment. Which of the following is MOST important for the auditor to focus on?

A. The ability to copy and move virtual machines in real time
B. The controls in place to prevent compromise of the host
C. Issues arising from system management of a virtual infrastructure
D. Qualifications of employees managing the applications

Answer: B. The controls in place to prevent compromise of the host



Which of the following is an advantage of decentralized security administration?


A. Greater integrity
B. Faster turnaround
C. More uniformity
D. Better-trained administrators

Answer: B. Faster turnaround





What Makes Our Practice Test So Effective?

Real-World Scenario Mastery: Our CISA practice exams don't just test definitions. They present you with the same complex, scenario-based problems you'll encounter on the actual exam.

Strategic Weakness Identification: Each practice session reveals exactly where you stand. Discover which domains need more attention, before exam day arrives.

Confidence Through Familiarity: There's no substitute for knowing what to expect. When you've worked through our comprehensive CISA practice exam question pool covering all topics, the real exam feels like just another practice session.