
Thursday, February 26, 2026

MCQ questions on Domain 1 to 3 – CISA certificate exam


Here are Exam-Level MCQs from CISA Domains 1–3:


Domain 1: Information System Auditing Process

Domain 2: Governance & Management of IT

Domain 3: Information Systems Acquisition, Development & Implementation

(Designed at difficulty level similar to ISACA’s Certified Information Systems Auditor exam style.)

Section A...

🔹 DOMAIN 1 – Information System Auditing Process


Q1.


During an IS audit, the MOST reliable evidence to support a finding related to unauthorized access would be:


A. Written management representation

B. System-generated access logs obtained by the auditor

C. Inquiry with system administrator

D. Internal policy document


Answer: 


Q2.


An IS auditor uses statistical sampling. Which situation MOST justifies using attribute sampling?


A. Estimating average transaction value

B. Testing effectiveness of approval controls

C. Predicting future revenue

D. Performing root cause analysis


Answer: 


Q3.


While planning an audit, the PRIMARY objective of a risk assessment is to:


A. Eliminate audit risk

B. Determine sample size

C. Allocate audit resources to high-risk areas

D. Detect fraud


Answer: 


Q4.


Which of the following would provide the STRONGEST evidence of control effectiveness?


A. Walkthrough of process

B. Observation of one transaction

C. Reperformance of control by auditor

D. Management inquiry


Answer: 


Q5.


An IS auditor discovers a control weakness but determines compensating controls exist. The BEST course of action is to:


A. Ignore the weakness

B. Report weakness without considering compensating control

C. Evaluate effectiveness of compensating control

D. Immediately escalate to board


Answer:


🔹 DOMAIN 2 – Governance & Management of IT


Q6.


The PRIMARY responsibility for IT governance rests with:


A. CIO

B. IT Steering Committee

C. Board of Directors

D. IT Security Manager


Answer:


Q7.


Which metric BEST indicates IT alignment with business strategy?


A. Number of servers deployed

B. Percentage of IT projects meeting business objectives

C. Help desk response time

D. Number of IT staff certified


Answer:


Q8.


An organization adopts COBIT. The PRIMARY benefit is:


A. Detailed configuration standards

B. Alignment between IT goals and business goals

C. Replacement of IT staff

D. Elimination of IT risk


Answer:


Q9.


In enterprise risk management (ERM), risk appetite is BEST defined as:


A. Maximum loss before bankruptcy

B. Level of risk organization is willing to accept

C. Amount of insured risk

D. Risk eliminated via controls


Answer: 


Q10.


The MOST important success factor for implementing IT performance metrics is:


A. Advanced analytics tools

B. Top management support

C. External consultants

D. Complex KPIs


Answer: 


🔹 DOMAIN 3 – IS Acquisition, Development & Implementation


Q11.


During system development, segregation of duties is MOST critical between:


A. Programmer and system analyst

B. Developer and user

C. Developer and production migration authority

D. DBA and network admin


Answer: 


Q12.


In Agile development, the GREATEST audit concern is:


A. Excessive documentation

B. Lack of formal approvals

C. Reduced user involvement

D. Waterfall sequencing


Answer:


Q13.


User Acceptance Testing (UAT) primarily ensures that:


A. Code is optimized

B. Security vulnerabilities are eliminated

C. System meets business requirements

D. Hardware capacity is adequate


Answer: 


Q14.


A post-implementation review should be conducted PRIMARILY to:


A. Approve project budget

B. Evaluate whether expected benefits were realized

C. Replace project manager

D. Restart development


Answer: 


Q15.


Which control BEST ensures integrity of data during system conversion?


A. Parallel run reconciliation

B. Firewall configuration

C. Antivirus software

D. Encryption key rotation


Answer: 


Section B 

Here are Exam-Level MCQs from CISA Domains 1–3 (Audit Process, IT Governance, IS Acquisition/Development).

(Standard aligned with ISACA – Certified Information Systems Auditor)


Q1. (All of the following EXCEPT)

During audit planning, all of the following are PRIMARY objectives of risk assessment EXCEPT:


A. Prioritizing audit areas

B. Determining control reliance strategy

C. Eliminating inherent risk

D. Allocating audit resources


Answer: 


Q2. (MOST correct)

An IS auditor relying on automated controls should FIRST:


A. Test application controls

B. Verify management oversight

C. Evaluate general IT controls

D. Increase sample size


Answer:


Q3. (LEAST relevant)

While auditing IT governance structure, which is LEAST relevant?


A. Board-approved IT strategy

B. IT steering committee charter

C. Network router configuration

D. Defined IT KPIs


Answer: 


Q4. (NEITHER/NOR)

Which scenario indicates NEITHER effective governance NOR proper risk management?


A. IT aligned with business goals but no formal risk register

B. Formal risk register exists but not reviewed by board

C. Documented policies and active monitoring

D. Board approves IT investments based on ROI


Answer: 


Q5. (MOST appropriate action)

An auditor identifies a control deficiency, but its impact is low and compensating controls exist. What is the MOST appropriate action?


A. Issue qualified opinion

B. Ignore deficiency

C. Evaluate compensating controls before reporting

D. Escalate to regulator


Answer: 


Q6. (All EXCEPT)

Effective IT governance ensures all of the following EXCEPT:


A. Strategic alignment

B. Value delivery

C. Complete elimination of IT risk

D. Performance measurement


Answer: 


Q7. (MOST critical)

In Agile implementation, the MOST critical audit risk is:


A. Continuous integration

B. Reduced documentation of approvals

C. Frequent releases

D. Daily stand-up meetings


Answer: 


Q8. (LEAST likely evidence)

Which provides the LEAST persuasive audit evidence?


A. Auditor reperformance

B. System logs extracted by auditor

C. Management oral representation

D. Independent confirmation


Answer: 


Q9. (MOST correct)

When using CAATs, the PRIMARY risk is:


A. Auditor independence loss

B. Data integrity compromise

C. Overreliance on manual testing

D. Excessive documentation


Answer: 


Q10. (All EXCEPT)

During system acquisition, vendor evaluation should include all EXCEPT:


A. Financial stability

B. Source code escrow

C. Developer’s personal social media activity

D. Security compliance certifications


Answer: 


Q11. (MOST effective control)

To prevent unauthorized program migration to production, the MOST effective control is:


A. Periodic management review

B. Access logging

C. Segregation between development and migration authority

D. Post-implementation review


Answer: 


Q12. (NEITHER/NOR)

Which situation reflects NEITHER proper change management NOR effective control?


A. Emergency changes documented after implementation

B. Formal approval but no testing

C. Testing and approval documented

D. Segregated migration access


Answer: 


Q13. (LEAST relevant metric)

Which metric is LEAST relevant to measure IT strategic alignment?


A. % IT projects meeting business objectives

B. ROI on IT investments

C. Server CPU utilization rate

D. Balanced scorecard metrics


Answer: 


Q14. (MOST appropriate sampling)

For testing the presence of approval signatures, the MOST appropriate sampling method is:


A. Discovery sampling

B. Attribute sampling

C. Variable sampling

D. Judgmental projection


Answer: 


Q15. (All EXCEPT)

Post-implementation review evaluates all EXCEPT:


A. Benefit realization

B. Budget variance

C. User satisfaction

D. Future hardware depreciation


Answer: 


Q16. (MOST significant risk)

If GITCs are weak, the MOST significant audit impact is:


A. Increased inherent risk

B. Inability to rely on application controls

C. Reduced sampling requirement

D. Improved compliance


Answer: 


Q17. (LEAST effective compensating control)

Which is LEAST effective as compensating control for lack of segregation?


A. Independent review of logs

B. Mandatory vacation policy

C. Dual authorization

D. Same individual reviewing own work


Answer: 


Q18. (MOST correct)

Risk appetite is BEST approved by:


A. CIO

B. Risk manager

C. Board of Directors

D. Internal audit


Answer: 


Q19. (All EXCEPT)

Effective audit documentation should do all of the following EXCEPT:


A. Support conclusions

B. Be sufficient for re-performance

C. Replace management responsibility

D. Demonstrate scope and methodology


Answer: 


Q20. (MOST appropriate FIRST step)

If an auditor detects potential fraud during an SDLC review, the FIRST step is to:


A. Inform media

B. Expand audit procedures and gather evidence

C. Accuse developer

D. Immediately terminate project


Answer: 


⚠ Difficulty Note

These questions test:


· Control interdependencies

· Governance accountability

· Audit evidence hierarchy

· GITC reliance logic

· SDLC risk layering

· Risk appetite vs tolerance distinction

Section C...

Here are 20 Case-Based Integrated MCQs combining:


· Domain 1: IS Audit Process

· Domain 2: IT Governance & Risk Management

· Domain 3: SDLC / Acquisition / Implementation


(Aligned with exam logic of ISACA – Certified Information Systems Auditor)


Each case integrates governance, audit and SDLC risks in the way real CISA scenarios do.


🔥 20 Integrated Case-Based MCQs

CASE 1 – ERP Implementation Without Board Oversight

A company implements a new ERP system. The CIO approved the project without board review. Post-implementation, cost overruns are 40%.


Q1.

The MOST significant governance weakness is:


A. Poor cost estimation

B. Lack of board-level IT investment oversight

C. Weak user training

D. Ineffective UAT


Answer: 


Q2.

The IS auditor’s FIRST step should be to:


A. Review source code

B. Evaluate IT governance structure

C. Test application controls

D. Increase sample size


Answer: 


CASE 2 – Weak GITCs in Agile Environment

An organization uses Agile. Developers have production access. No formal change approvals exist.


Q3.

The GREATEST audit risk is:


A. Sprint backlog mismanagement

B. Lack of documentation

C. Unauthorized changes in production

D. Delayed releases


Answer: 


Q4.

The MOST effective control improvement would be:


A. Daily stand-up meetings

B. Automated deployment with segregation controls

C. More user stories

D. Increased velocity tracking


Answer: 


CASE 3 – Risk Register Exists but Not Reviewed

A risk register is maintained but is not reviewed by the board or the steering committee.


Q5.

This situation indicates:


A. Strong ERM

B. Operational efficiency

C. Weak governance oversight

D. Effective monitoring


Answer: 


Q6.

The LEAST relevant audit procedure would be:


A. Reviewing board minutes

B. Testing risk mitigation controls

C. Evaluating firewall configuration

D. Assessing risk escalation process


Answer: 


CASE 4 – Vendor-Based Cloud Migration

A cloud vendor was selected without due diligence, and no SLA performance metrics were defined.


Q7.

The MOST critical SDLC weakness is:


A. Lack of parallel testing

B. Inadequate vendor risk assessment

C. Poor password policy

D. Missing antivirus


Answer: 


Q8.

The PRIMARY governance failure is:


A. Weak help desk

B. Absence of formal IT investment evaluation

C. Incomplete user manual

D. Excessive documentation


Answer: 


CASE 5 – Post-Implementation Review Ignored

The system was implemented successfully, but no post-implementation review was conducted.


Q9.

The MOST important objective missed is:


A. Testing controls

B. Benefit realization assessment

C. Budget approval

D. Coding review


Answer: 


Q10.

Which is the LEAST likely impact?


A. Unidentified control gaps

B. Unrealized ROI

C. Increased inherent risk

D. Improved governance transparency


Answer: 


CASE 6 – Segregation Conflict in SDLC

The same developer develops, tests, and migrates code.


Q11.

The BEST compensating control would be:


A. Developer self-review

B. Independent log review of migrations

C. Faster deployment

D. Increased salary


Answer: 


Q12.

If GITCs are ineffective, the auditor should:


A. Rely on application controls

B. Reduce testing

C. Expand substantive testing

D. Issue immediate adverse opinion


Answer: 


CASE 7 – IT Strategy Misaligned

IT projects are approved but are not linked to business strategy.


Q13.

The MOST appropriate audit focus is:


A. Network diagrams

B. Strategic alignment framework

C. Patch management logs

D. Source code review


Answer: 


Q14.

Which metric BEST demonstrates alignment?


A. Number of servers

B. % Projects achieving business objectives

C. Help desk tickets

D. Developer certifications


Answer: 


CASE 8 – Emergency Changes Frequently Occur

Emergency fixes are implemented without testing; documentation is updated later.


Q15.

The GREATEST risk is:


A. Faster service delivery

B. Unauthorized system instability

C. Improved flexibility

D. Reduced cost


Answer: 


Q16.

The MOST appropriate audit recommendation is:


A. Ban emergency changes

B. Implement retrospective approval and independent review

C. Eliminate Agile

D. Increase sprint length


Answer: 


CASE 9 – CAATs Used in Audit

The auditor extracts production data using CAATs but does not verify its completeness.


Q17.

The PRIMARY audit risk is:


A. Sampling error

B. Data integrity compromise

C. Increased audit cost

D. Governance failure


Answer: 


Q18.

The MOST reliable validation method is:


A. Management representation

B. Hash total reconciliation

C. Verbal confirmation

D. Screenshot evidence


Answer: 


CASE 10 – Risk Appetite Not Defined

The company undertakes a high-risk digital transformation but has no defined risk appetite.


Q19.

This reflects a weakness in:


A. SDLC documentation

B. IT governance framework

C. Antivirus control

D. Data backup policy


Answer: 


Q20.

Risk appetite should be approved by:


A. CIO

B. Project manager

C. Board of Directors

D. Internal auditor


Answer: 


🎯 Concepts Integrated in These Cases

✔ Governance oversight failures

✔ Board accountability

✔ Risk appetite vs tolerance

✔ GITC reliance

✔ SDLC segregation

✔ Vendor risk

✔ Post-implementation review

✔ CAAT data validation

✔ Strategic alignment metrics


www.gmsisuccess.in