CISA Exam (Information Systems Auditing Process)
2026-2027 COMPLETE QUESTIONS AND VERIFIED
SOLUTIONS LATEST UPDATE THIS YEAR
QUESTION: Several portable computers containing customer-sensitive data were stolen from
the staff's office because they were unattended.
Which of the following is the best advice for an information systems auditor to give to protect
the data and prevent similar incidents from happening again?
A. Enhance physical security
B. Encrypt the disk drive
C. Request for dual certification
D. Require the use of a cable lock - ANSWER-A. Enhance physical security
QUESTION: During the physical security audit, the information systems auditor received a
contactless proximity card that allowed access to three specific floors of the corporate office
building.
Which of the following issues should be the biggest concern?
A. During the first two days of audit fieldwork, the proximity card did not work.
B. No follow-up was made on unsuccessful access attempts (access violations).
C. The proximity card incorrectly grants access to the restricted zone
D. No escort required during field work. - ANSWER-C. The proximity card incorrectly grants
access to the restricted zone
QUESTION: The company's operational procedures require urgent changes to be approved for
business within 7 days of the occurrence. The information systems auditor notes that the
manager verifies process compliance by performing a monthly review of uncompleted urgent
changes.
In this case, which of the following is the biggest risk?
A. Audit risk
B. Detection risk
C. Inherent risk
D. Control risk - ANSWER-C. Inherent risk
QUESTION: An information system auditor who is conducting an application development
review is attending a meeting of the development team.
Which of the following actions by the auditor may impair the auditor's independence?
A. Assist in the development of integrated test equipment on the system.
B. Re-execute the test program used by the development team
C. Design and implement the user's acceptance test plan.
D. Review the results of the system tests performed by the development team. - ANSWER-C.
Design and implement the user's acceptance test plan.
QUESTION: The information system auditor found that the accounts payable clerk had direct
access to the file after the payment file was generated.
The most significant risk to the business is that the money may be:
A. Changed.
B. Rejected.
C. Very late to the customer.
D. Copied. - ANSWER-A. Changed.
QUESTION: Which of the following attacks is an intrusion detection system (IDS) best suited
to detect?
A. Spoofing
B. System scanning
C. Logic bomb
D. Spamming - ANSWER-B. System scanning
QUESTION: A company plans to have automated data feeds from third-party service providers
into the enterprise data warehouse.
Which of the following is the best way to prevent receiving bad data?
A. Implement business rules to reject invalid data
B. Purchase data cleanup tools from reputable suppliers
C. Appoint data quality representatives within the company
D. Get the error code for the data feed indicating the failure - ANSWER-A. Implement business
rules to reject invalid data