Practice CISA Information System Auditing Process questions with full explanations on every answer.
Information System Auditing Process — choose a session length
Click any question to see the full explanation and answer options, or start a focused practice session above.
1. An IS auditor is reviewing a change management process. A developer made an emergency change directly to production without following the standard change approval process. The change was later documented as a normal change. Which control weakness is MOST indicated by this scenario?
2. Based on the exhibit, what should the IS auditor MOST likely recommend?
3. An IS auditor is evaluating the effectiveness of an organization's business continuity plan (BCP). Which of the following findings would be of GREATEST concern?
4. During an audit of a financial application, the IS auditor discovers that user access reviews are performed quarterly instead of monthly as required by policy. Which of the following is the BEST initial action for the auditor?
5. Based on the exhibit, the IS auditor is reviewing access to the payroll folder. Which of the following is the MOST significant finding?
6. Which TWO of the following are the MOST effective controls to prevent unauthorized changes to production data?
7. Which THREE of the following are key elements that should be included in a risk assessment report for information systems?
8. An IS auditor is reviewing the logical access controls of a system. Which of the following is the BEST evidence that access rights are appropriately assigned?
9. The exhibit shows a log entry from a domain controller. The IS auditor is investigating account lockout issues. What is the MOST likely cause of this event?
10. An organization uses a cloud-based ERP system to manage financial transactions. The system is accessed by employees in finance, procurement, and sales departments. The IS auditor is reviewing the user access review process. The access review is performed quarterly by the IT manager using a report generated by the ERP system. The report lists all users and their roles. The IT manager manually checks off users who are still employed and approves the report. The auditor notes that the IT manager does not have detailed knowledge of job functions in each department. Additionally, the ERP system allows role combinations that may create segregation of duties conflicts, such as a user having both 'create purchase order' and 'approve purchase order' roles. The company's policy requires segregation of duties reviews to be performed by business process owners. Which of the following is the BEST recommendation?
11. Arrange the steps to configure a firewall rule in the correct order.
12. Order the steps for performing a disaster recovery test in the correct sequence.
13. Match each audit risk component to its definition.
14. Match each CISA domain to its focus.
15. An IS auditor is planning an audit of a newly implemented financial system. Which of the following is the PRIMARY consideration when determining the audit scope?
16. During an audit of a cloud service provider, the IS auditor discovers that the provider's data center access logs show an employee accessing the production environment outside of normal business hours without a change request. What should the auditor do FIRST?
17. An IS auditor is reviewing an organization's change management process. The auditor notes that all emergency changes are approved post-implementation by the change advisory board (CAB) within 48 hours. Which of the following is the auditor's BEST course of action?
18. An IS auditor is using statistical sampling to test a population of 10,000 transactions. The desired confidence level is 95%, and the tolerable error rate is 5%. Which of the following factors would MOST likely increase the required sample size?
19. During an audit of an organization's disaster recovery plan (DRP), the IS auditor finds that the plan was last tested 18 months ago and no test results were documented. What should the auditor recommend?
20. An IS auditor is evaluating the effectiveness of an organization's information security awareness program. Which of the following is the BEST indicator of program effectiveness?
21. An IS auditor is reviewing the logical access controls of an enterprise resource planning (ERP) system. The auditor finds that terminated employees' accounts are disabled but not deleted. What is the PRIMARY risk associated with this practice?
22. An organization uses continuous auditing techniques to monitor transactions. The IS auditor is evaluating the effectiveness of these techniques. Which of the following is the PRIMARY benefit of continuous auditing over traditional periodic auditing?
23. An IS auditor is performing a review of an organization's IT governance framework. Which of the following findings would be of MOST concern?
24. Which TWO of the following are primary objectives of the audit planning phase? (Select TWO.)
25. Which THREE of the following are acceptable methods for gathering audit evidence? (Select THREE.)
26. Which TWO of the following are indicators that an IS auditor may need to adjust the audit approach during fieldwork? (Select TWO.)
27. Refer to the exhibit. An IS auditor is reviewing firewall logs and notices repeated denied SSH attempts from an internal host (10.0.1.50) to a server (172.16.0.1). After the denied attempts, the host initiates permitted HTTPS connections to another server (172.16.0.5). Which of the following is the BEST interpretation of this pattern?
28. Refer to the exhibit. An IS auditor is reviewing an IAM policy for a cloud data platform. The auditor notices that user jdoe has READ_ONLY access to all tables matching 'sales_', but asmith has READ_WRITE access to the same set of tables. Which of the following is the MOST critical control issue?
29. Refer to the exhibit. An IS auditor is reviewing backup error logs. The error indicates a failed backup due to a missing file. What is the MOST likely cause?
30. An IS auditor is planning an audit of a newly implemented ERP system. The auditor wants to ensure that the audit covers critical controls. Which of the following is the most appropriate first step in the audit planning process?
31. During an audit of an organization's change management process, the IS auditor selects a sample of 50 change requests from a population of 500. The auditor finds that 3 of the 50 did not have proper approval. What is the estimated error rate in the population?
32. An IS auditor is evaluating the use of continuous auditing techniques. Which of the following is the most significant benefit of implementing continuous monitoring over traditional periodic audits?
33. An organization has outsourced its IT operations to a third-party provider. The IS auditor is planning an audit of the outsourced services. What is the most appropriate source of audit evidence?
34. During an audit, the IS auditor discovers that the audit log for a critical server is overwritten every 24 hours. The auditor wants to ensure logs are preserved for a longer period. Which of the following recommendations is most appropriate?
35. An IS auditor is testing the effectiveness of a preventive control that rejects invalid transactions. The auditor uses a computer-assisted audit technique (CAAT) to create a set of test transactions. What is the primary risk associated with this approach?
36. Which of the following is the most important factor to consider when determining sample size for a compliance test?
37. An IS auditor is reviewing the audit follow-up process. The auditor notes that management has implemented corrective actions for 80% of previous audit findings. What should the auditor conclude?
38. An organization uses a risk-based audit approach. For a high-risk area, the auditor decides to perform 100% testing instead of sampling. Which of the following is a valid reason for this decision?
39. An IS auditor is evaluating the reliability of audit evidence. Which TWO of the following are characteristics of reliable audit evidence?
40. An IS auditor is selecting an appropriate audit sample. Which THREE of the following are factors that affect the sample size?
41. An IS auditor is assessing the effectiveness of an organization's IT governance framework. Which THREE of the following are key indicators of a mature governance process?
42. An IS auditor reviews the exhibit. Which of the following is the most likely cause of the denied traffic?
43. An IS auditor reviews the exhibit during an audit of database controls. What is the most appropriate recommendation?
44. An IS auditor reviews the exhibit from a cloud access policy. Which of the following is a potential security concern?
45. An IS auditor is evaluating the effectiveness of an organization's change management process. Which of the following is the most important control to verify during the audit?
46. During an audit of a cloud service provider, the IS auditor finds that the provider's data center access logs show multiple successful logins by an employee during non-business hours over several weeks. The employee works in the sales department. What should the auditor do first?
47. An organization uses a COTS (commercial off-the-shelf) ERP system with significant customizations. The IS auditor is reviewing the system's configuration management. Which of the following findings would MOST indicate a weakness?
48. An IS auditor is reviewing the logical access controls of a financial application. Which of the following is the BEST way to verify that user access rights are appropriate?
49. An IS auditor is assessing the backup and recovery procedures for a critical database. Which TWO of the following are the MOST important controls to ensure recoverability?
50. An organization is implementing a new identity management system. Which THREE of the following are essential requirements for the system?
51. An IS auditor is conducting an audit of a small manufacturing company's IT operations. The company has 50 employees and uses a single server running Windows Server 2019 for file sharing and print services. There is no formal change management process. The IT manager, who also doubles as the system administrator, has full administrative rights and is the only person who can make changes to the server. During the audit, the auditor notices that the server's local security policy is configured to allow unlimited password attempts and no account lockout. The IT manager states that this is to avoid locking out users who forget their passwords. The auditor also finds that the guest account is enabled on the server. What should the auditor recommend as the HIGHEST priority action?
52. A financial institution recently experienced a data breach where an attacker exfiltrated customer data through an SQL injection vulnerability in a web application. The IS auditor has been asked to review the application security controls. The web application is developed in-house and runs on an application server behind a web application firewall (WAF). The auditor reviews the WAF logs and finds that no SQL injection attacks were detected before the breach, but the logs show many blocked XSS attempts. The developer states that all input validation is performed on the client side using JavaScript. During the audit, the auditor also finds that the application uses a shared database account with DBA privileges for all connections. What is the MOST significant weakness that directly contributed to the breach?
53. An IS auditor is reviewing the disaster recovery plan (DRP) for an e-commerce company that generates 90% of its revenue online. The DRP states that the recovery time objective (RTO) for the transactional database is 4 hours, and the recovery point objective (RPO) is 1 hour. The current backup strategy includes nightly full backups and hourly transaction log backups stored on a local disk array. The backups are then copied to a remote data center via a WAN link with an average transfer speed of 10 Mbps. The database size is 500 GB. The auditor calculates that the time to transfer the full backup over the WAN is approximately 12 hours. The organization's management is confident that the DRP is adequate because they have never had to invoke it. What is the auditor's MOST critical finding?
54. An IS auditor is auditing the user access management process for a large healthcare organization that uses an electronic health records (EHR) system. The organization has 5,000 users including doctors, nurses, and administrative staff. The auditor reviews a sample of access requests and finds that 20% of the requests were approved by the user's manager but the approval was not documented in the system. The auditor also finds that there is no periodic review of user access rights. The IT security manager states that users are automatically provisioned based on their role in the HR system, and that access reviews are performed manually by managers but not documented. What is the auditor's BEST recommendation to address the most significant risk?
55. Which TWO of the following are primary objectives of an information system audit?
56. Based on the exhibit, what is the most likely control weakness that allowed this condition?
57. You are the lead IT auditor for a multinational corporation that recently completed a merger with another company. During the post-merger integration audit, you discover that the acquired company's legacy HR system contains sensitive personal data of 20,000 employees and has been directly accessible from the internet for the last 18 months. The system runs on an unsupported operating system (Windows Server 2008) and uses a custom-built application with no logging enabled. The acquired company's IT manager argues that the server is isolated behind a firewall and has never been compromised. However, your review of firewall logs shows numerous connection attempts from unknown IP addresses. The integration team plans to decommission this system in three months. You need to determine the appropriate audit response. Which of the following should you do NEXT?
The Information System Auditing Process domain covers the key concepts tested in this area of the CISA exam blueprint published by ISACA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CISA domains — no account required.
The Courseiva CISA question bank contains 57 questions in the Information System Auditing Process domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Information System Auditing Process domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.