
Tuesday, November 25, 2025

CISA Exam Mocktest 1



CISA Exam Mocktest. Answers are at the end.


Below are 50 multiple-choice questions, with answers, based on the CISA certification exam domains (IS audit process; governance and management of IT; IS acquisition, development and implementation; IS operations and business resilience; protection of information assets) and the topics they cover (BCP/DR, cybersecurity, risk, controls and audit techniques).

(All are written in the style of the exam.)


50 CISA Exam-Style MCQs with Answers


IT Governance & Management


1. The primary purpose of IT governance is to:
A. Optimize IT cost
B. Align IT with business objectives
C. Reduce audit issues
D. Improve employee productivity

Answer:

2. Who is primarily responsible for managing IT risk?
A. Internal auditor
B. Risk owner / business process owner
C. CIO
D. IT security officer

Answer:

3. The key factor for successful IT strategy implementation is:
A. Strong password policy
B. Executive sponsorship
C. Frequent audits
D. Outsourcing

Answer:

Information Systems Audit


4. The first step of an IS audit plan is:
A. Risk assessment
B. Reporting results
C. Testing controls
D. Determining sample size

Answer:

5. The best evidence of the effectiveness of password controls is:
A. Review of the password policy
B. Interviews with IT staff
C. Review of system access logs
D. Discussion with users

Answer:

Risk Management


6. Risk is commonly expressed as:
A. Impact + Control
B. Threat × Vulnerability × Impact
C. Incident / Probability
D. Exposure – Mitigation

Answer:

7. The greatest risk of outsourcing IT processing is:
A. High cost
B. Loss of control over operations
C. Technology incompatibility
D. Increased staffing needs

Answer:

BCP / DRP


8. The most important factor in BCP development is:
A. Backup systems are tested
B. Business impact analysis (BIA)
C. IT recovery procedures
D. Insurance

Answer:

9. Recovery Time Objective (RTO) means:
A. Maximum tolerable data loss
B. Time to restore operations
C. Time data must be backed up
D. Time of system crash

Answer:

Cybersecurity / Access Control


10. The best control to prevent unauthorized system access is:
A. Audit trail review
B. Multi-factor authentication
C. Network diagram
D. Proxy server

Answer:

11. Role-based access control is based on:
A. Job responsibility
B. User preference
C. Seniority
D. Number of users

Answer:

12. A session timeout control primarily protects against:
A. Worms
B. Shoulder surfing
C. Unauthorized use of an unattended device
D. Denial of service

Answer:

Change & Configuration Management


13. The primary risk of bypassing change control procedures is:
A. Increased cost
B. System instability
C. Poor employee morale
D. License violation

Answer:

14. The best control over emergency changes is:
A. Approval before implementation
B. Review and authorization after implementation
C. User testing
D. Training sessions

Answer:

Software Development & SDLC


15. User acceptance testing ensures:
A. Technical requirements are met
B. System meets business requirements
C. System is stable
D. System is secure

Answer:

16. Which development method is best for rapidly changing requirements?
A. Waterfall
B. Agile
C. Prototyping
D. Object-oriented

Answer:

IT Operations


17. The best evidence of job scheduling effectiveness is:
A. Backup logs
B. System downtime
C. Review of job run logs
D. Change logs

Answer:

18. The primary objective of segregation of duties is to:
A. Increase productivity
B. Speed up operations
C. Prevent fraud and errors
D. Reduce staff workload

Answer:

Physical Security


19. The greatest risk if a data center fire suppression system fails is:
A. Loss of confidentiality
B. Loss of availability
C. Loss of accountability
D. Increased cyberattacks

Answer:

20. The best protection for servers against power failure is:
A. Generator only
B. UPS + generator
C. Surge protector
D. Auto restart

Answer:

Network & Communication Security


21. Firewalls are primarily used to:
A. Encrypt data
B. Block unauthorized access
C. Detect intrusions
D. Block viruses

Answer:

22. An IPS (Intrusion Prevention System) differs from an IDS because it:
A. Monitors the network only
B. Blocks attacks in real time
C. Works only offline
D. Requires manual action

Answer:

Database & Application Controls


23. Referential integrity ensures:
A. Database backup
B. Consistency between tables
C. Faster response time
D. Accurate audit trails

Answer:

24. Preventing duplicate entries is an example of:
A. Output control
B. Input validation control
C. Processing control
D. Accounting control

Answer:

Audit Evidence & Techniques


25. The most reliable audit evidence is:
A. Inquiry
B. Observation
C. Reperformance
D. Interview

Answer:

26. CAATs are most useful when:
A. Manual controls dominate
B. Systems process large volumes of transactions
C. Staff is not cooperative
D. Audit time is unlimited

Answer:

Encryption & Data Protection


27. Encryption primarily protects:
A. Authorization
B. Data confidentiality
C. Data retention
D. Data backup

Answer:

28. Digital signatures ensure:
A. Encryption only
B. Non-repudiation and authentication
C. System backup
D. Access logs

Answer:

Malware & Threats


29. Malware that demands payment for file recovery is called:
A. Virus
B. Ransomware
C. Worm
D. Rootkit

Answer:

30. Social engineering attacks target:
A. Firewalls
B. Human weaknesses
C. Network routers
D. Encryption

Answer:

Logging & Monitoring


31. Log review helps primarily in:
A. Backup recovery
B. Detecting unauthorized activities
C. Asset management
D. SDLC enhancement

Answer:

Third-Party and Cloud


32. A key audit concern with cloud computing is:
A. Reduced hardware costs
B. Data ownership and control
C. Faster deployment
D. Reduced staffing

Answer:


Incident Management


33. The first step after a security breach is to:
A. Disconnect servers
B. Notify regulators
C. Contain the incident
D. Fire the administrator

Answer:

Data Backup


34. The best method to protect offsite backup tapes is:
A. Compression
B. Encryption
C. Replication
D. Labeling

Answer:

Access Control Testing


35. The best way to test user access rights is to:
A. Confirm with managers
B. Review HR documents
C. Review the access control list (ACL)
D. Review firewall policies

Answer:

COBIT and Frameworks


36. COBIT focuses on:
A. Network security
B. IT governance & control
C. Software testing
D. SDLC

Answer:


Patch Management


37. The risk of missing security patches is:
A. Poor system performance
B. Vulnerability exploitation threat
C. Software redesign
D. Extra training required

Answer:

Identity & Access


38. The least privilege principle means:
A. Full access to everyone
B. Only minimal required access
C. Access based on friendship
D. Access reviewed annually only

Answer:

Types of Testing


39. Penetration testing evaluates:
A. Backup reliability
B. System security vulnerabilities
C. System functionality
D. Business process flow

Answer:

Controls


40. An example of a detective control is:
A. Encryption
B. Firewalls
C. Log monitoring
D. Password policy

Answer:


Sampling


41. Statistical sampling is preferred when:
A. Small data volume
B. Large population size
C. Full audit possible
D. Data unavailable

Answer:

Data Integrity


42. Hash totals ensure:
A. Accuracy of processing
B. Confidentiality
C. Recovery ability
D. Faster processing

Answer:

Segregation of Duties


43. In payroll, incompatible duties include:
A. Preparing & distributing checks
B. Hiring & training staff
C. Processing & reporting
D. Review & approval

Answer:

Asset Management


44. The best control to track mobile devices is:
A. Insurance
B. Asset register
C. Firewall
D. User agreement

Answer:

Network


45. The primary risk of unmanaged switches is:
A. Noise interference
B. Unauthorized network access
C. High power usage
D. Slow response time

Answer:

Audit Reporting


46. The most important part of an audit report is:
A. Audit procedures
B. Findings and recommendations
C. Management biographies
D. Auditor background

Answer:

Digital Forensics


47. The first step in evidence handling is:
A. Analyze
B. Report
C. Chain of custody
D. Photograph

Answer:

Authentication


48. Biometric control verifies:
A. What the user has
B. What the user knows
C. Who the user is
D. Where the user logs in

Answer:

Availability Risk


49. The most important element of a high-availability system is:
A. Encryption
B. Redundancy
C. Antivirus
D. Policies

Answer:

Audit Follow-up


50. The primary purpose of audit follow-up is to:
A. Schedule the next audit
B. Verify corrective actions
C. Add new controls
D. Create new risk

Answer:

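Worked example for questions 24, 26 and 42, added here and not part of the original mock test: a small Python CAAT that computes the three classic batch controls (record count, control total, hash total) over a constructed payroll batch, flags duplicate transaction ids at input, and reconciles the totals after processing. The batch layout, field names and values are constructed for this example and come from no real system; the point it shows is that a record count and a control total both agree even though one payment was redirected, and only the hash total over the employee id field catches it.

```python
"""Added example (not from the original post): a CAAT-style batch control
check for payroll transactions, for questions 24, 26 and 42.

The transactions, the field names and the batch layout are constructed for
this example and are not from any real system.
"""
from collections import Counter


def batch_totals(records):
    """Return the three classic batch controls for a list of records.

    record count  - number of transactions in the batch
    control total - sum of a financial field (amount)
    hash total    - sum of a non-financial numeric field (employee id);
                    the sum has no business meaning, it only detects change
    """
    return {
        "record_count": len(records),
        "control_total": round(sum(r["amount"] for r in records), 2),
        "hash_total": sum(r["emp_id"] for r in records),
    }


def find_duplicates(records):
    """Input validation control: transaction ids entered more than once."""
    counts = Counter(r["txn_id"] for r in records)
    return sorted(t for t, n in counts.items() if n > 1)


def reconcile(input_batch, output_batch):
    """Compare totals taken at input with totals taken after processing.

    Returns {control: (before, after)} for every control that does NOT
    agree. An empty dict means the batch processed completely and accurately.
    """
    before = batch_totals(input_batch)
    after = batch_totals(output_batch)
    return {k: (before[k], after[k]) for k in before if before[k] != after[k]}


# Constructed sample batch: what the payroll clerk submitted.
INPUT_BATCH = [
    {"txn_id": 1001, "emp_id": 4312, "amount": 2500.00},
    {"txn_id": 1002, "emp_id": 4378, "amount": 3100.50},
    {"txn_id": 1003, "emp_id": 4401, "amount": 2750.00},
    {"txn_id": 1003, "emp_id": 4401, "amount": 2750.00},  # keyed twice
]

# Constructed output: what came out of processing. Same number of records,
# same amount of money, but one payment now goes to a different employee id.
OUTPUT_BATCH = [
    {"txn_id": 1001, "emp_id": 4312, "amount": 2500.00},
    {"txn_id": 1002, "emp_id": 4378, "amount": 3100.50},
    {"txn_id": 1003, "emp_id": 4401, "amount": 2750.00},
    {"txn_id": 1003, "emp_id": 4410, "amount": 2750.00},  # emp_id altered
]

if __name__ == "__main__":
    print("duplicate transaction ids at input:", find_duplicates(INPUT_BATCH))
    print("input batch totals:", batch_totals(INPUT_BATCH))
    print("controls that disagree after processing:",
          reconcile(INPUT_BATCH, OUTPUT_BATCH))
```

Running it reports the duplicate id 1003 at input and, after processing, a disagreement only on the hash total (17492 before, 17501 after); record count and control total are identical in both batches, which is why an auditor asks for a hash total on a field that carries no monetary value.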

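Worked example for questions 35, 38 and 43, added here and not from the original post: an access-rights review in Python that compares an exported access control list against the HR roster and a job-role entitlement matrix, reporting accounts with no owner in HR, accounts of terminated staff that were never revoked, rights beyond what the job role needs (least privilege), and incompatible payroll duties held by one person (segregation of duties). The user ids, job titles, entitlement names and conflict pairs are all constructed for this example and are not taken from any standard or real system.

```python
"""Added example (not from the original post): an access-rights review of
the kind an IS auditor runs, for questions 35, 38 and 43.

All names, roles, entitlements and the separation-of-duties rules below are
constructed for this example.
"""

# Constructed HR roster: user id -> (job title, employment status)
HR_ROSTER = {
    "asmith": ("payroll_clerk", "active"),
    "bjones": ("payroll_supervisor", "active"),
    "cwu": ("developer", "terminated"),
    "dlee": ("payroll_clerk", "active"),
}

# Constructed role-to-entitlement matrix: what each job legitimately needs
ROLE_ENTITLEMENTS = {
    "payroll_clerk": {"PAYROLL_PREPARE"},
    "payroll_supervisor": {"PAYROLL_APPROVE", "PAYROLL_REPORT"},
    "developer": {"DEV_REPO"},
}

# Constructed separation-of-duties rules: pairs one person must never hold
SOD_CONFLICTS = [
    {"PAYROLL_PREPARE", "PAYROLL_DISTRIBUTE"},  # create and hand out checks
    {"PAYROLL_PREPARE", "PAYROLL_APPROVE"},     # approve one's own work
]

# Constructed ACL as exported from the payroll system: user -> entitlements
ACL = {
    "asmith": {"PAYROLL_PREPARE", "PAYROLL_DISTRIBUTE"},
    "bjones": {"PAYROLL_APPROVE", "PAYROLL_REPORT"},
    "cwu": {"DEV_REPO"},
    "dlee": {"PAYROLL_PREPARE", "PAYROLL_REPORT"},
    "svc_old": {"PAYROLL_REPORT"},
}


def review_access(acl, roster, entitlements, sod_rules):
    """Return audit findings as {finding type: sorted list of items}."""
    findings = {"orphaned": [], "terminated": [], "excess": [], "sod": []}
    for user, rights in acl.items():
        if user not in roster:
            findings["orphaned"].append(user)      # nobody in HR owns it
            continue
        title, status = roster[user]
        if status != "active":
            findings["terminated"].append(user)    # leaver still has access
        # Least privilege: anything beyond what the job role requires
        for right in sorted(rights - entitlements.get(title, set())):
            findings["excess"].append((user, right))
        # Segregation of duties: an incompatible pair held by one person
        for pair in sod_rules:
            if pair <= rights:
                findings["sod"].append((user, tuple(sorted(pair))))
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for kind, items in review_access(ACL, HR_ROSTER,
                                     ROLE_ENTITLEMENTS, SOD_CONFLICTS).items():
        print(f"{kind}: {items}")
```

On the constructed data the review flags svc_old as orphaned, cwu as a terminated user still holding access, PAYROLL_DISTRIBUTE for asmith and PAYROLL_REPORT for dlee as excess rights, and asmith as holding the prepare-and-distribute combination. Reviewing the ACL this way is direct evidence of who can actually do what; a manager's confirmation or an HR file alone only says who is supposed to.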

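Worked example for questions 5, 31 and 40, added here and not from the original post: a Python log review that parses authentication log lines, counts failed logons per account inside a sliding window and checks whether the lockout the password policy promises actually appears in the log. It is a detective control, and it gives the auditor evidence of the control operating rather than of its written policy. The log format, the LOGIN_OK / LOGIN_FAIL / LOCKOUT event names, the threshold and the sample lines are constructed assumptions; the regular expression has to be adapted to the real system's format.

```python
"""Added example (not from the original post): a log review for questions
5, 31 and 40. Parses constructed authentication log lines and reports
accounts where the lockout policy did not take effect.

The log format, event names and sample lines are constructed for this
example and do not correspond to any specific product.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<date> <time> <event> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<event>LOGIN_OK|LOGIN_FAIL|LOCKOUT) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: six failures for svc_backup from one source in
# under a minute with no LOCKOUT, then a success; jdoe locks out as policy says.
SAMPLE_LOG = """\
2025-11-25 08:00:01 LOGIN_FAIL user=svc_backup src=10.0.5.23
2025-11-25 08:00:04 LOGIN_FAIL user=svc_backup src=10.0.5.23
2025-11-25 08:00:07 LOGIN_FAIL user=svc_backup src=10.0.5.23
2025-11-25 08:00:10 LOGIN_FAIL user=svc_backup src=10.0.5.23
2025-11-25 08:00:13 LOGIN_FAIL user=svc_backup src=10.0.5.23
2025-11-25 08:00:16 LOGIN_FAIL user=svc_backup src=10.0.5.23
2025-11-25 08:00:19 LOGIN_OK user=svc_backup src=10.0.5.23
2025-11-25 09:15:00 LOGIN_FAIL user=jdoe src=10.0.7.8
2025-11-25 09:15:20 LOGIN_FAIL user=jdoe src=10.0.7.8
2025-11-25 09:15:41 LOGIN_FAIL user=jdoe src=10.0.7.8
2025-11-25 09:15:41 LOCKOUT user=jdoe src=10.0.7.8
2025-11-25 10:02:11 LOGIN_OK user=asmith src=10.0.7.9
"""


def parse(log_text):
    """Yield (timestamp, event, user, src) for every well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["event"], m["user"], m["src"])


def review_logons(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return two findings, each a sorted list of account names:

    policy_not_enforced - accounts that reached `threshold` failures inside
                          `window` without a LOCKOUT event following
    success_after_burst - accounts that then logged in successfully anyway
    """
    findings = {"policy_not_enforced": set(), "success_after_burst": set()}
    recent = defaultdict(list)   # user -> timestamps of failures in window
    locked = set()
    for ts, event, user, _src in parse(log_text):
        if event == "LOGIN_FAIL":
            recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
            if len(recent[user]) >= threshold and user not in locked:
                findings["policy_not_enforced"].add(user)
        elif event == "LOCKOUT":
            locked.add(user)                       # the control did fire
            findings["policy_not_enforced"].discard(user)
        elif event == "LOGIN_OK":
            if len(recent[user]) >= threshold and user not in locked:
                findings["success_after_burst"].add(user)
            recent[user] = []                      # burst is over
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    print(review_logons(SAMPLE_LOG))
```

On the sample log the review returns svc_backup under both findings and nothing for jdoe, whose third failure was followed by the expected LOCKOUT. A burst of failures that ends in a successful logon with no lockout in between is exactly the pattern a policy document cannot reveal and a log can.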

ANSWERS

1. B. Align IT with business objectives.
2. B. Risk owner / business process owner (the auditor assesses risk; the owner manages it).
3. B. Executive sponsorship.
4. A. Risk assessment (audit planning is risk-based; control testing, sampling and reporting come later).
5. C. Review of system access logs (evidence of the control operating, not only of its design).
6. B. Threat × Vulnerability × Impact.
7. B. Loss of control over operations.
8. B. Business impact analysis (BIA).
9. B. Time to restore operations (maximum tolerable data loss is the RPO, not the RTO).
10. B. Multi-factor authentication.
11. A. Job responsibility.
12. C. Unauthorized use of an unattended device.
13. B. System instability.
14. B. Review and authorization after implementation (emergency changes are applied first and formally approved afterwards).
15. B. System meets business requirements.
16. B. Agile.
17. C. Review of job run logs.
18. C. Prevent fraud and errors.
19. B. Loss of availability.
20. B. UPS + generator.
21. B. Block unauthorized access.
22. B. Blocks attacks in real time.
23. B. Consistency between tables.
24. B. Input validation control.
25. C. Reperformance (evidence the auditor produces directly is more reliable than inquiry, observation or interview).
26. B. Systems process large volumes of transactions.
27. B. Data confidentiality.
28. B. Non-repudiation and authentication (a signature also provides integrity, since the signed hash changes if the message does).
29. B. Ransomware.
30. B. Human weaknesses.
31. B. Detecting unauthorized activities.
32. B. Data ownership and control.
33. C. Contain the incident.
34. B. Encryption.
35. C. Review the access control list (ACL).
36. B. IT governance & control.
37. B. Vulnerability exploitation threat.
38. B. Only minimal required access.
39. B. System security vulnerabilities.
40. C. Log monitoring.
41. B. Large population size.
42. A. Accuracy of processing (a hash total is the sum of a non-financial numeric field, such as account numbers, compared before and after processing).
43. A. Preparing & distributing checks (one person would both create the payment and have custody of it).
44. B. Asset register.
45. B. Unauthorized network access.
46. B. Findings and recommendations.
47. C. Chain of custody.
48. C. Who the user is.
49. B. Redundancy.
50. B. Verify corrective actions.

www.gmsisuccess.in