CISA EXAM SOLVED
QUESTIONS AND ANSWERS 2025
Chapter 1 - Answer -
Source code - Answer - uncompiled, archive code
Object code - Answer - compiled code that is distributed and put into production; not able to be read by
humans
Inherent risk - Answer - the risk that an error could occur assuming no compensating control exist
Control risk - Answer - the risk that an error exists that would not be prevented by internal controls
Detection risk - Answer - the risk that an error exists, but is not detected. The risk that an IS auditor may
use an inadequate test procedure and conclude that no material error exists when in fact errors do exist.
Audit risk - Answer - the overall level of risk; the level of risk the auditor is prepared to accept.
Compliance testing - Answer - determines if controls are being applied in a manner that complies with
mgmt's policies and procedures
Substantive testing - Answer - evaluates the integrity of individual transactions, data, and other
information.
Regression testing - Answer - used to retest earlier program abends that occurred during the initial
testing phase.
,Sociability testing - Answer - to ensure the application works as expected in the specified environment
where other applications run concurrently. Includes testing of interfaces with other systems.
Parallel testing - Answer - Feeding test data into two systems and comparing the results.
White box testing - Answer - test the software's program logic.
Black box testing - Answer - Testing the functional operating effectiveness without regard to internal
program structure.
Redundancy check - Answer - detects transmission errors by appending calculated bits onto the end of
each segment of data.
Variable sampling - Answer - used to estimate the average or total value of a population.
Discovery sampling - Answer - used to determine the probability of finding an attribute in a population.
Attribute sampling - Answer - selecting items from a population based on a common attribute. Used for
compliance testing.
Chapter 2 - Answer -
Steering Committee - Answer - Appointed by senior management. Serves as a general review board for
projects and acquisitions... not involved in routine operations. The committee should include
representatives from senior management, user management, and the IS department. Escalates issues to
senior management.
Request for Proposal (RFP) - Answer - A document distributed to software vendors requesting their
submission of a proposal to develop or provide a software product. RFP should include: Project
Overview, Key Requirements and Constraints, Scope Limitations, Vendor questionnaire, customer
references, demonstrations, etc.
, Quality Assurance - Answer - Check to verify policies are followed.
Quality Control - Answer - Check to verify free from defects.
Bottom-up approach for policy development - Answer - begins by defining operational-level
requirements and policies which are derived and implemented as a result of a risk assessment.
Chapter 3 - Answer -
OSI Model - Answer - All People Seem To Need Dominos Pizza
Layer 7 - Application layer - Answer - The application layer interfaces directly to and performs common
application services for the application processes.
Layer 6 - Presentation layer - Answer - The presentation layer relieves the Application layer of concern
regarding syntactical differences in data representation within the end-user systems. MIME encoding,
data compression, encryption, and similar manipulation of the presentation of data is done at this layer.
Layer 5 - Session layer - Answer - The session layer provides the mechanism for managing the dialogue
between end-user application processes (By dialog we mean that whose turn is it to transmit). It
provides for either duplex or half-duplex operation. This layer is responsible for setting up and tearing
down TCP/IP sessions.
Layer 4 - Transport layer - Answer - The transport layer is responsible for reliable data delivery. The
transport layer provides transparent transfer of data between end users, thus relieving the upper layers
from any concern with providing reliable and cost-effective data transfer. The transport layer controls the
reliability of a given link. The transport layer can keep track of packets and retransmit those that fail. Also
addresses packet sequencing. The best known example of a layer 4 protocol is TCP.
Layer 3 - Network layer - Answer - The network layer provides the functional and procedural means of
transferring variable length data sequences from a source to a destination via one or more networks
while maintaining the quality of service requested by the Transport layer. The Network layer performs
network routing, flow control, segmentation/desegmentation, and error control functions. Routers
operate at this layer -- sending data throughout the extended network
QUESTIONS AND ANSWERS 2025
Chapter 1 - Answer -
Source code - Answer - uncompiled, archive code
Object code - Answer - compiled code that is distributed and put into production; not able to be read by
humans
Inherent risk - Answer - the risk that an error could occur assuming no compensating control exist
Control risk - Answer - the risk that an error exists that would not be prevented by internal controls
Detection risk - Answer - the risk that an error exists, but is not detected. The risk that an IS auditor may
use an inadequate test procedure and conclude that no material error exists when in fact errors do exist.
Audit risk - Answer - the overall level of risk; the level of risk the auditor is prepared to accept.
Compliance testing - Answer - determines if controls are being applied in a manner that complies with
mgmt's policies and procedures
Substantive testing - Answer - evaluates the integrity of individual transactions, data, and other
information.
Regression testing - Answer - used to retest earlier program abends that occurred during the initial
testing phase.
,Sociability testing - Answer - to ensure the application works as expected in the specified environment
where other applications run concurrently. Includes testing of interfaces with other systems.
Parallel testing - Answer - Feeding test data into two systems and comparing the results.
White box testing - Answer - test the software's program logic.
Black box testing - Answer - Testing the functional operating effectiveness without regard to internal
program structure.
Redundancy check - Answer - detects transmission errors by appending calculated bits onto the end of
each segment of data.
Variable sampling - Answer - used to estimate the average or total value of a population.
Discovery sampling - Answer - used to determine the probability of finding an attribute in a population.
Attribute sampling - Answer - selecting items from a population based on a common attribute. Used for
compliance testing.
Chapter 2 - Answer -
Steering Committee - Answer - Appointed by senior management. Serves as a general review board for
projects and acquisitions... not involved in routine operations. The committee should include
representatives from senior management, user management, and the IS department. Escalates issues to
senior management.
Request for Proposal (RFP) - Answer - A document distributed to software vendors requesting their
submission of a proposal to develop or provide a software product. RFP should include: Project
Overview, Key Requirements and Constraints, Scope Limitations, Vendor questionnaire, customer
references, demonstrations, etc.
, Quality Assurance - Answer - Check to verify policies are followed.
Quality Control - Answer - Check to verify free from defects.
Bottom-up approach for policy development - Answer - begins by defining operational-level
requirements and policies which are derived and implemented as a result of a risk assessment.
Chapter 3 - Answer -
OSI Model - Answer - All People Seem To Need Dominos Pizza
Layer 7 - Application layer - Answer - The application layer interfaces directly to and performs common
application services for the application processes.
Layer 6 - Presentation layer - Answer - The presentation layer relieves the Application layer of concern
regarding syntactical differences in data representation within the end-user systems. MIME encoding,
data compression, encryption, and similar manipulation of the presentation of data is done at this layer.
Layer 5 - Session layer - Answer - The session layer provides the mechanism for managing the dialogue
between end-user application processes (By dialog we mean that whose turn is it to transmit). It
provides for either duplex or half-duplex operation. This layer is responsible for setting up and tearing
down TCP/IP sessions.
Layer 4 - Transport layer - Answer - The transport layer is responsible for reliable data delivery. The
transport layer provides transparent transfer of data between end users, thus relieving the upper layers
from any concern with providing reliable and cost-effective data transfer. The transport layer controls the
reliability of a given link. The transport layer can keep track of packets and retransmit those that fail. Also
addresses packet sequencing. The best known example of a layer 4 protocol is TCP.
Layer 3 - Network layer - Answer - The network layer provides the functional and procedural means of
transferring variable length data sequences from a source to a destination via one or more networks
while maintaining the quality of service requested by the Transport layer. The Network layer performs
network routing, flow control, segmentation/desegmentation, and error control functions. Routers
operate at this layer -- sending data throughout the extended network
