CISA Practice Exam Spring 2025
QUESTIONS & ANSWERS
Which of the following would be MOST important for an IS auditor to verify while conducting a
business continuity audit?
A.Data backups are performed on a timely basis.
B.A recovery site is contracted for and available as needed.
C.Human safety procedures are in place.
D.Insurance coverage is adequate and premiums are current. - correct answer ✔✔ C.Human
safety procedures are in place.
Explanation: The most important element in any business continuity process is the protection of
human life. This takes precedence over all other aspects of the plan.
A comprehensive and effective email policy should address the issues of email structure, policy
enforcement, monitoring and:
A.recovery.
B.retention.
C.rebuilding.
D.reuse. - correct answer ✔✔ B.retention.
Explanation:Besides being a good practice, laws and regulations may require an organization to
keep information that has an impact on the financial statements. The prevalence of lawsuits in
which email communication is held in the same regard as the official form of classic paper
makes the retention policy of corporate email a necessity. All email generated on an
organization's hardware is the property of the organization, and an email policy should address
the retention of messages, considering both known and unforeseen litigation. The policy should
,also address the destruction of emails after a specified time to protect the nature and
confidentiality of the messages themselves.
An IS auditor who was involved in designing an organization's business continuity plan (BCP) has
been assigned to audit the plan. The IS auditor should:
A.decline the assignment.
B.inform management of the possible conflict of interest after completing the audit assignment.
C.inform the BCP team of the possible conflict of interest prior to beginning the assignment.
D.communicate the possibility of conflict of interest to audit management prior to starting the
assignment. - correct answer ✔✔ D. communicate the possibility of conflict of interest to audit
management prior to starting the assignment.
Explanation:A possible conflict of interest, likely to affect the IS auditor's independence, should
be brought to the attention of management prior to starting the assignment.
Which of the following is the MOST critical element to effectively execute a disaster recovery
plan?
A.Offsite storage of backup data
B.Up-to-date list of key disaster recovery contacts
C.Availability of a replacement data center
D.Clearly defined recovery time objective (RTO) - correct answer ✔✔ A.Offsite storage of
backup data
Explanation: Remote storage of backups is the most critical disaster recovery plan (DRP)
element of the items listed because access to backup data is required to restore systems.
An IS auditor found that the enterprise architecture (EA) recently adopted by an organization
has an adequate current-state representation. However, the organization has started a separate
project to develop a future-state representation. The IS auditor should:
,A.recommend that this separate project be completed as soon as possible.
B.report this issue as a finding in the audit report.
C.recommend the adoption of the Zachmann framework.
D.re-scope the audit to include the separate project as part of the current audit. - correct
answer ✔✔ B. report this issue as a finding in the audit report.
Explanation: It is critical for the EA to include the future state because the gap between the
current state and the future state will determine IT strategic and tactical plans. If the EA does
not include a future-state representation, it is not complete, and this issue should be reported
as a finding.
What is the PRIMARY consideration for an IS auditor reviewing the prioritization and
coordination of IT projects and program management?
A.Projects are aligned with the organization's strategy.
B.Identified project risk is monitored and mitigated.
C.Controls related to project planning and budgeting are appropriate.
D.IT project metrics are reported accurately. - correct answer ✔✔ A.Projects are aligned with
the organization's strategy.
Explanation: The primary goal of IT projects is to add value to the business, so they must be
aligned with the business strategy to achieve the intended results. Therefore, the IS auditor
should first focus on ensuring this alignment.
When selecting audit procedures, an IS auditor should use professional judgment to ensure
that:
A.sufficient evidence will be collected.
B.significant deficiencies will be corrected within a reasonable period.
C.all material weaknesses will be identified.
, D.audit costs will be kept at a minimum level. - correct answer ✔✔ A.sufficient evidence will be
collected.
Explanation:Procedures are processes that an IS auditor may follow in an audit engagement. In
determining the appropriateness of any specific procedure, an IS auditor should use
professional judgment that is appropriate to the specific circumstances. Professional judgment
involves a subjective and often qualitative evaluation of conditions arising during an audit.
Judgment addresses a grey area where binary (yes/no) decisions are not appropriate, and the IS
auditor's past experience plays a key role in making a judgment. The IS auditor should use
judgment in assessing the sufficiency of evidence to be collected. ISACA's guidelines provide
information on how to meet the standards when performing IS audit work.
Which of the following line media would provide the BEST security for a telecommunication
network?
A.Broadband network digital transmission
B.Baseband network
C.Dial-up
D.Dedicated lines - correct answer ✔✔ D.Dedicated lines
Explanation: These are set apart for a particular user or organization. Because there is no
sharing of lines or intermediate entry points, the risk of interception or disruption of
telecommunications messages is lower.
The PRIMARY purpose of an IT forensic audit is:
A.to participate in investigations related to corporate fraud.
B.the systematic collection and analysis of evidence after a system irregularity.
C.to assess the correctness of an organization's financial statements.
D.to preserve evidence of criminal activity. - correct answer ✔✔ B.the systematic collection and
analysis of evidence after a system irregularity.
QUESTIONS & ANSWERS
Which of the following would be MOST important for an IS auditor to verify while conducting a
business continuity audit?
A.Data backups are performed on a timely basis.
B.A recovery site is contracted for and available as needed.
C.Human safety procedures are in place.
D.Insurance coverage is adequate and premiums are current. - correct answer ✔✔ C.Human
safety procedures are in place.
Explanation: The most important element in any business continuity process is the protection of
human life. This takes precedence over all other aspects of the plan.
A comprehensive and effective email policy should address the issues of email structure, policy
enforcement, monitoring and:
A.recovery.
B.retention.
C.rebuilding.
D.reuse. - correct answer ✔✔ B.retention.
Explanation:Besides being a good practice, laws and regulations may require an organization to
keep information that has an impact on the financial statements. The prevalence of lawsuits in
which email communication is held in the same regard as the official form of classic paper
makes the retention policy of corporate email a necessity. All email generated on an
organization's hardware is the property of the organization, and an email policy should address
the retention of messages, considering both known and unforeseen litigation. The policy should
,also address the destruction of emails after a specified time to protect the nature and
confidentiality of the messages themselves.
An IS auditor who was involved in designing an organization's business continuity plan (BCP) has
been assigned to audit the plan. The IS auditor should:
A.decline the assignment.
B.inform management of the possible conflict of interest after completing the audit assignment.
C.inform the BCP team of the possible conflict of interest prior to beginning the assignment.
D.communicate the possibility of conflict of interest to audit management prior to starting the
assignment. - correct answer ✔✔ D. communicate the possibility of conflict of interest to audit
management prior to starting the assignment.
Explanation:A possible conflict of interest, likely to affect the IS auditor's independence, should
be brought to the attention of management prior to starting the assignment.
Which of the following is the MOST critical element to effectively execute a disaster recovery
plan?
A.Offsite storage of backup data
B.Up-to-date list of key disaster recovery contacts
C.Availability of a replacement data center
D.Clearly defined recovery time objective (RTO) - correct answer ✔✔ A.Offsite storage of
backup data
Explanation: Remote storage of backups is the most critical disaster recovery plan (DRP)
element of the items listed because access to backup data is required to restore systems.
An IS auditor found that the enterprise architecture (EA) recently adopted by an organization
has an adequate current-state representation. However, the organization has started a separate
project to develop a future-state representation. The IS auditor should:
,A.recommend that this separate project be completed as soon as possible.
B.report this issue as a finding in the audit report.
C.recommend the adoption of the Zachmann framework.
D.re-scope the audit to include the separate project as part of the current audit. - correct
answer ✔✔ B. report this issue as a finding in the audit report.
Explanation: It is critical for the EA to include the future state because the gap between the
current state and the future state will determine IT strategic and tactical plans. If the EA does
not include a future-state representation, it is not complete, and this issue should be reported
as a finding.
What is the PRIMARY consideration for an IS auditor reviewing the prioritization and
coordination of IT projects and program management?
A.Projects are aligned with the organization's strategy.
B.Identified project risk is monitored and mitigated.
C.Controls related to project planning and budgeting are appropriate.
D.IT project metrics are reported accurately. - correct answer ✔✔ A.Projects are aligned with
the organization's strategy.
Explanation: The primary goal of IT projects is to add value to the business, so they must be
aligned with the business strategy to achieve the intended results. Therefore, the IS auditor
should first focus on ensuring this alignment.
When selecting audit procedures, an IS auditor should use professional judgment to ensure
that:
A.sufficient evidence will be collected.
B.significant deficiencies will be corrected within a reasonable period.
C.all material weaknesses will be identified.
, D.audit costs will be kept at a minimum level. - correct answer ✔✔ A.sufficient evidence will be
collected.
Explanation:Procedures are processes that an IS auditor may follow in an audit engagement. In
determining the appropriateness of any specific procedure, an IS auditor should use
professional judgment that is appropriate to the specific circumstances. Professional judgment
involves a subjective and often qualitative evaluation of conditions arising during an audit.
Judgment addresses a grey area where binary (yes/no) decisions are not appropriate, and the IS
auditor's past experience plays a key role in making a judgment. The IS auditor should use
judgment in assessing the sufficiency of evidence to be collected. ISACA's guidelines provide
information on how to meet the standards when performing IS audit work.
Which of the following line media would provide the BEST security for a telecommunication
network?
A.Broadband network digital transmission
B.Baseband network
C.Dial-up
D.Dedicated lines - correct answer ✔✔ D.Dedicated lines
Explanation: These are set apart for a particular user or organization. Because there is no
sharing of lines or intermediate entry points, the risk of interception or disruption of
telecommunications messages is lower.
The PRIMARY purpose of an IT forensic audit is:
A.to participate in investigations related to corporate fraud.
B.the systematic collection and analysis of evidence after a system irregularity.
C.to assess the correctness of an organization's financial statements.
D.to preserve evidence of criminal activity. - correct answer ✔✔ B.the systematic collection and
analysis of evidence after a system irregularity.
