Free CISA Practice Test Questions 2026

1020 Questions




Topic 1: Exam Pool A

During an audit of a reciprocal disaster recovery agreement between two companies, the IS auditor would be MOST concerned with the:

A. differences in IS policies and procedures
B. maintenance of hardware and software compatibility
C. frequency of system testing
D. allocation of resources during an emergency

A. differences in IS policies and procedures



Which of the following is the BEST source of information when assessing the amount of time a project will take?

A. Critical path analysis
B. Workforce estimate
C. Gantt chart
D. Scheduling budget

C. Gantt chart



An advantage of installing a thin client architecture in a local area network (LAN) is that this would:

A. stabilize network bandwidth requirements
B. reduce the risk of a single point of failure
C. facilitate the updating of software versions.
D. ensure application availability when the server is down.

A. stabilize network bandwidth requirements



Which of the following is an IS auditor's GREATEST concern when an organization does not regularly update software on individual workstations in the internal environment?

A. The organization may be more susceptible to cyber-attacks.
B. The organization may not be in compliance with licensing agreement.
C. System functionality may not meet business requirements.
D. The system may have version control issues.

A. The organization may be more susceptible to cyber-attacks.



The information security function in a large organization is MOST effective when:

A. partnered with the IS development team to determine access rights
B. decentralized as close to the user as possible
C. established at a corporate-wide level.
D. the function reports directly to the IS operations manager.

C. established at a corporate-wide level.



Which of the following is the MOST important determining factor when establishing appropriate timeframes for follow-up activities related to audit findings?

A. Complexity of business processes identified in the audit
B. Peak activity periods for the business
C. Remediation dates included in management responses
D. Availability of IS audit resources

C. Remediation dates included in management responses



Which of the following would be the MOST likely reason for an intrusion prevention system (IPS) being unable to block an ongoing web attack?

A. Monitoring personnel are not proactive
B. The network design contains flaws.
C. Signatures are outdated
D. The firewall is not configured properly

C. Signatures are outdated



Documentation of workaround processes to keep a business function operational during recovery of IT systems is a core part of a:

A. business continuity plan.
B. business impact analysis.
C. threat and risk assessment
D. disaster recovery plan

A. business continuity plan.



A security review reveals an organization is struggling with a large number of findings from vulnerability scans. What should the IS auditor recommend be done FIRST?

A. Remediate vulnerabilities for the most critical systems B. Conduct penetration tests to confirm critical findings.
B. Remediate issues that are rated as most critical
C. Address gaps for all internally developed applications

C. Address gaps for all internally developed applications



When migrating critical systems to a cloud provider, the GREATEST data security concern for an organization would be that data from different clients may be:

A. subject to different service level agreements (SLAs) for disaster recovery.
B. subject to varying government compliance regulations.
C. requested during a legal discovery process.
D. improperly separated from each other.

D. improperly separated from each other.



Which of the following would be the MOST efficient audit approach, given that a compliance-based approach was adopted in the previous year?

A. Perform a review of significant transactions posted within the system
B. Interview systems personnel to evaluate all automated controls
C. Evaluate the controls surrounding changes to programs.
D. Validate all applications using test data

C. Evaluate the controls surrounding changes to programs.



An IS auditor auditing the effectiveness of utilizing a hot site will MOST likely:

A. review reciprocal agreements
B. review logical access controls
C. evaluate physical access control
D. analyze system restoration procedures

D. analyze system restoration procedures





What Makes Our Practice Test So Effective?

Real-World Scenario Mastery: Our CISA practice exams don't just test definitions. They present you with the same complex, scenario-based problems you'll encounter on the actual exam.

Strategic Weakness Identification: Each practice session reveals exactly where you stand. Discover which domains need more attention, before exam day arrives.

Confidence Through Familiarity: There's no substitute for knowing what to expect. When you've worked through our comprehensive pool of CISA practice exam questions covering all topics, the real exam feels like just another practice session.