ISACA CISA: Free Certified Information Systems Auditor practice test
10 real ISACA CISA practice questions with instant answers and explanations. No account, no credit card, no email. Score yourself, then unlock the full bank of 1,123 questions whenever you’re ready. The ISACA CISA passing score is 450 / 800.
Answer key
All 10 ISACA CISA questions & answers
Prefer to just read the answers and explanations? Here’s the full key for this free ISACA CISA test.
Q1. An online retailer has just started processing credit card transactions and wants to verify that their payment controls align with the relevant industry standard. Which compliance framework should guide their audit?
Correct answer: A. PCI-DSS
PCI-DSS (Payment Card Industry Data Security Standard) applies to organizations that handle cardholder data. HIPAA governs health information privacy, GLBA applies to financial services firms, and GDPR addresses personal data protection in the European Union.
Q2. An organization is worried about potential future liability lawsuits and decides to purchase liability coverage from an insurer. Which risk treatment strategy does this represent?
Correct answer: D. Risk transfer
Purchasing insurance shifts the financial burden of a risk to a third party, which is the defining characteristic of risk transfer. Risk acceptance means tolerating the risk without action, risk reduction means applying controls to lower it, and risk avoidance means ceasing the activity that creates the risk.
Q3. A company wants to engage one auditor to simultaneously evaluate specific business processes and check readiness for an upcoming Sarbanes-Oxley audit. Which audit type encompasses both goals?
Correct answer: D. Integrated audit
An integrated audit merges financial and operational audit components into a single engagement, making it useful for organizations preparing for regulatory audits while also wanting process-level scrutiny. A compliance audit focuses solely on regulatory adherence, an operational audit targets specific process controls, and a financial audit covers only accounts and financial statements.
Q4. A cloud provider needs an in-depth review of the logical access controls governing its internal workforce. Which audit type is best suited for this purpose?
Correct answer: D. Operational audit
An operational audit examines the controls within a specific organizational process, including both the design and effectiveness of those controls. A compliance audit checks adherence to regulations, a financial audit addresses accounting systems, and an integrated audit combines financial and operational elements.
Q5. An organization wants to give control operators direct responsibility for monitoring and assessing their own controls rather than depending entirely on outside auditors. Which methodology supports this approach?
Correct answer: B. CSA
Control Self-Assessment (CSA) empowers business unit staff and management to evaluate the adequacy of controls internally, reducing reliance on external review. BIA identifies business impact from disruptions, SDLC guides secure software development, and DRP outlines recovery steps after a disaster.
Q6. During strategic planning, leadership enumerates the desired outcomes of key business functions and then establishes policies, procedures, and safeguards to ensure each outcome is achieved. What term describes these desired outcomes?
Correct answer: D. Control objectives
Control objectives define what must be accomplished within a process or role to support the organization's strategic goals; specific controls are then designed to achieve them. Assets are items of value, threats are potential dangers, and sampling methodologies are techniques for selecting data subsets during audit testing.
Q7. A newly appointed audit manager is asked to produce a formal document that establishes the purpose, authority, and responsibilities of the internal audit function. What document should be created?
Correct answer: C. Audit charter
An audit charter formally defines the mandate, authority, and accountability of the audit function and requires approval from the highest level of the audit committee. An audit program outlines the scope, resources, and procedures for a specific engagement, an audit report presents findings, and an audit trail is a chronological record of events.
Q8. A computer hardware manufacturer conducts a voluntary internal control review. Which of the following represents a key benefit of this self-assessment?
Correct answer: C. It raises employee awareness of the controls in place
A control self-assessment (CSA) increases employees' understanding of established controls, which can lead to stronger ownership and earlier detection of weaknesses. A CSA does not replace external audits, typically adds temporary workload for participants, and cannot reliably expose fraud if the perpetrators are conducting the assessment.
Q9. A technology services firm wants to move beyond annual audits and implement continuous monitoring of its network in real time. Which technology best supports this continuous monitoring requirement?
Correct answer: A. IDS
An Intrusion Detection System (IDS) monitors network traffic in real time and generates alerts when anomalous or malicious activity is detected. ERP integrates business processes, EFT handles electronic money movement, and DSS supports managerial decision-making.
Q10. A server room at a financial firm has a keyed door lock but no mechanism to record who enters or exits. An auditor recommends installing cameras at the entry and exit points. What category of control does this recommendation represent?
Correct answer: D. Detective
Detective controls identify and log the occurrence of events, with video surveillance being a classic example. Preventive controls actively block unauthorized actions, compensating controls substitute for a control that cannot be applied directly, and corrective controls restore normal operations after an incident.
Exam facts and objectives sourced from the official ISACA certification page. Last reviewed June 2026.