
FREE CISA PRACTICE QUIZ

Test your knowledge of IT auditing, control and information security with these 10 questions.

Good work, you scored 7 correct!

Your knowledge of IS/IT auditing, control and information security is off to a good start.


Remember: these questions are a small preview of what you can expect on exam day. The official CISA exam has 150 questions.

You're just a few steps away from obtaining your CISA certification:

  1. Prep for your exam.
  2. Register and pay for your exam.
  3. Schedule your exam.
  4. Ace the CISA exam.

To set yourself up for success on your CISA certification exam, take a look at ISACA's suite of test prep solutions. There's something for every learning style and schedule. Our team of CISA-certified IS/IT audit and control experts has combined cutting-edge industry practices with proven training formats that maximize learning.

Choose the Exam Prep that Best Fits Your Needs.


Ready for your CISA? Take the exam now.


Answers

  1. An audit charter should:

    You chose: outline the overall authority, scope and responsibilities of the audit function.

    Correct! An audit charter should state management's objectives for and delegation of authority to IS auditors.

  2. An IS auditor finds a small number of user access requests that had not been authorized by managers through the normal predefined workflow steps and escalation rules. The IS auditor should:

    You chose: recommend that the owner of the identity management (IDM) system fix the workflow issues.

    This is incorrect. The IS auditor must first determine the root cause and impact of the findings and does not have enough information to recommend fixing the workflow issues.

  3. An IS auditor observes that an enterprise has outsourced software development to a third party that is a startup company. To ensure that the enterprise's investment in software is protected, which of the following should be recommended by the IS auditor?

    You chose: There should be a source code escrow agreement in place.

    Correct! A source code escrow agreement is primarily recommended to help protect the enterprise's investment in software because the source code will be held by a trusted third party and can be retrieved if the startup vendor goes out of business.

  4. An enterprise's risk appetite is BEST established by:

    You chose: the steering committee.

    Correct! The steering committee is best suited to determine the enterprise's risk appetite because the committee draws its representation from senior management.

  5. When identifying an earlier project completion time, which is to be obtained by paying a premium for early completion, the activities that should be selected are those:

    You chose: that have zero slack time.

    Correct! A critical path's activity time is longer than that for any other path through the network. This path is important because if everything goes as scheduled, its length gives the shortest possible completion time for the overall project. Activities on the critical path become candidates for crashing (i.e., for reduction in their time by payment of a premium for early completion). Activities on the critical path have zero slack time and conversely, activities with zero slack time are on a critical path. By successively relaxing activities on a critical path, a curve showing total project costs versus time can be obtained.

  6. An IS auditor is assigned to audit a software development project, which is more than 80 percent complete, but has already overrun time by 10 percent and costs by 25 percent. Which of the following actions should the IS auditor take?

    You chose: Review the conduct of the project and the business case.

    Correct! Before making any recommendations, an IS auditor needs to understand the project and the factors that have contributed to bringing the project over budget and over schedule.

  7. A programmer maliciously modified a production program to change data and then restored the original code. Which of the following would MOST effectively detect the malicious activity?

    You chose: Reviewing executable and source code integrity

    This is incorrect. Reviewing executable and source code integrity is an ineffective control because the source code was changed back to the original and will agree with the current executable.

  8. Which of the following would BEST ensure continuity of a wide area network (WAN) across the organization?

    You chose: Built-in alternative routing

    Correct! Alternative routing would ensure that the network would continue if a communication device fails or if a link is severed because message rerouting could be automatic.

  9. An IS auditor is reviewing the physical security controls of a data center and notices several areas for concern. Which of the following areas is the MOST important?

    You chose: There are no security cameras inside the data center.

    This is incorrect. The lack of security cameras inside the data center may be a significant concern; however, the more significant issue is the emergency exit door being blocked.

  10. Which of the following choices BEST helps information owners to properly classify data?

    You chose: Training on organizational policies and standards

    Correct! While implementing data classification, it is most essential that organizational policies and standards, including the data classification schema, are understood by the owner or custodian of the data so that the data can be properly classified.