Saturday, June 13, 2026

MCQ questions: CISA certification, Domains 1 to 4



MCQ QUESTIONS... CISA certification 

### **1. Which of the following BEST demonstrates effective IT governance?**


A. IT budget approval by CIO


B. Alignment of IT strategy with business goals


C. Detailed IT procedures


D. Strong incident management process


**Answer:**


### **2. The PRIMARY objective of an IT governance framework is to:**


A. Reduce IT risk


B. Ensure regulatory compliance


C. Enable value delivery through IT


D. Improve project management


**Answer:**


### **3. Who is primarily responsible for ensuring IT supports business objectives?**


A. CIO


B. IT Steering Committee


C. Internal Audit


D. System Owner


**Answer:**



### **4. A key responsibility of the CIO is:**


A. Approving audit reports


B. Aligning IT strategy with corporate strategy


C. Managing business operations


D. Monitoring financial statements


**Answer:**


### **5. Which of the following BEST describes "Value Delivery"?**

A. Measuring IT ROI


B. Ensuring IT investments provide expected benefits


C. Ensuring compliance with IT policies


D. Optimizing hardware usage


**Answer:**


### **6. COBIT’s “Plan and Organize” (PO) domain focuses on:**

A. Project management


B. Continuous improvement


C. Strategic alignment of IT


D. Incident response


**Answer:**


### **7. The MOST important factor for successful IT governance implementation is:**


A. Detailed IT documentation


B. Strong executive support


C. Updated IT policies


D. Skilled IT staff


**Answer:**


### **8. Which risk response strategy involves transferring risk to another entity?**

A. Mitigation


B. Avoidance


C. Acceptance


D. Outsourcing


**Answer:**


### **9. The PRIMARY role of an IT policy is to:**

A. Provide detailed steps for IT operations


B. Define high-level IT principles


C. Describe system configurations


D. Outline audit procedures


**Answer:**


### **10. An IT balanced scorecard is MOST useful for:**


A. Tracking patch management


B. Monitoring operational logs


C. Linking IT performance to business goals


D. Scheduling IT resources


**Answer:**


### **11. Which practice BEST supports IT-business alignment?**


A. Quarterly IT risk assessments


B. Joint development of IT strategy with business leaders


C. Detailed SLAs


D. Increased IT security controls


**Answer:**


### **12. Which of the following is MOST important in IT portfolio management?**


A. Availability of project resources


B. Categorization of IT investments


C. Approval from CIO


D. Status reporting


**Answer:**


### **13. An IT metric that measures uptime of critical systems relates to:**


A. Efficiency


B. Effectiveness


C. Confidentiality


D. Integrity


**Answer:**


### **14. Who owns data in an organization?**


A. CIO


B. Data Owner


C. DBA


D. Security Manager


**Answer:**


### **15. Who is responsible for enforcing data access controls?**

A. Data Owner


B. Data Custodian


C. IT Auditor


D. Senior Management


**Answer:**


### **16. A maturity model helps management:**


A. Reduce costs


B. Benchmark IT processes


C. Monitor daily operations


D. Train IT staff


**Answer:**


### **17. The PRIMARY purpose of enterprise architecture (EA) is to:**

A. Reduce system downtime


B. Provide a blueprint for business-IT alignment


C. Support hardware upgrades


D. Monitor security threats


**Answer:**


### **18. Separation of duties (SoD) in IT is designed to reduce:**


A. Service downtime


B. Unauthorized access


C. Fraud risks


D. Audit workload


**Answer:**

### **19. Which is the MOST important element of IT strategy?**


A. Detailed procedures


B. Alignment with corporate objectives


C. Vendor contracts


D. IT asset management


**Answer:**


### **20. The MOST critical success factor for a change management program is:**


A. Updated documentation


B. Stakeholder involvement


C. Automated tools


D. Training IT staff


**Answer:**


### **21. Which document defines roles and responsibilities for IT controls?**


A. RACI matrix


B. Risk register


C. SLA


D. Policy


**Answer:**

### **22. The PRIMARY objective of IT resource management is to:**


A. Reduce incidents


B. Optimize use of people, processes, and technology


C. Improve vendor contracts


D. Reduce audit findings


**Answer:**

### **23. What is the PRIMARY purpose of the IS Steering Committee?**


A. Approve audit reports


B. Oversee major IT projects and priorities


C. Approve IT hiring


D. Monitor help desk performance


**Answer:**


### **24. When an organization outsources IT operations, who retains accountability?**


A. Vendor


B. CIO


C. Internal Auditor


D. Project Manager


**Answer:**


### **25. KPI stands for:**

A. Key Planning Indicator


B. Key Performance Indicator


C. Key Process Improvement


D. Key Priority Item


**Answer:**


# **🔷 Domain 2 – Information Systems Auditing (25 MCQs)**


### **26. The PRIMARY objective of an IS audit is to:**

A. Detect fraud


B. Evaluate adequacy of controls


C. Improve IT efficiency


D. Reduce costs


**Answer:**


### **27. The FIRST step in the IS audit process is:**


A. Testing controls


B. Preparing audit report


C. Audit planning


D. Risk assessment


**Answer:**


### **28. The MOST important factor in audit planning is:**


A. Auditor experience


B. Availability of staff


C. Risk assessment results


D. Past audit results


**Answer:**


### **29. Which of the following should be included in the audit charter?**


A. Audit budget


B. Audit methodology


C. Authority and responsibility of internal audit


D. Detailed audit procedures


**Answer:**


### **30. Independence of the IS auditor is MOST threatened when:**


A. Auditor evaluates unfamiliar systems


B. Auditor reports to IT manager


C. Auditor requests documentation


D. Auditor interviews staff


**Answer:**

### **31. During an audit, evidence must be:**


A. Complete, accurate, reliable


B. Technical in nature


C. Verified by management


D. Financial


**Answer:**


### **32. The MOST reliable form of audit evidence is:**


A. Inquiry


B. Analytical procedures


C. Observation


D. Reperformance


**Answer:**


### **33. Which sampling method gives every item an equal chance of selection?**

A. Haphazard


B. Attribute


C. Random


D. Stratified


**Answer:**


### **34. A control deficiency should be reported when it:**

A. Results in financial loss


B. Increases risk above acceptable level


C. Is minor


D. Is expected by management


**Answer:**


### **35. The PRIMARY purpose of walkthroughs is to:**


A. Evaluate training


B. Understand process flow and identify key controls


C. Detect fraud


D. Reduce sampling size


**Answer:**


### **36. Which tool helps identify bottlenecks in a process?**


A. Gantt chart


B. Flowchart


C. Checklist


D. RACI


**Answer:**

### **37. Materiality in IS audit refers to:**


A. Technical details


B. Significance of errors or control weaknesses


C. Auditor skills


D. Time spent


**Answer:**


### **38. An IS auditor discovers conflicts of interest. The BEST action is to:**


A. Ignore


B. Report to audit management


C. Escalate to board directly


D. Discuss with IT staff


**Answer:**


### **39. The MOST appropriate technique to test access control is:**


A. Observation


B. Password cracking


C. Review of access logs


D. Reperformance


**Answer:**

### **40. A major risk in auditing a new system implementation is:**


A. Low user training


B. Lack of change control


C. Old documentation


D. Lack of antivirus software


**Answer:**


### **41. The PRIMARY objective of audit documentation is to:**


A. Support audit conclusions


B. Reduce audit time


C. Train new auditors


D. Provide system details


**Answer:**


### **42. The MOST appropriate control for data integrity testing is:**


A. Reconciliation


B. Encryption


C. Segregation of duties


D. Penetration testing


**Answer:**

### **43. Dual control requires:**


A. Two people authorize the same transaction


B. Two passwords


C. Two systems verifying input


D. Two-factor authentication


**Answer:**


### **44. When an auditor identifies fraud indicators, the FIRST step is to:**


A. Report to police


B. Collect additional evidence


C. Notify audit committee


D. Close the audit


**Answer:**


### **45. Which is a detective control?**


A. Encryption


B. Audit trails


C. Access restrictions


D. Firewalls


**Answer:**


### **46. A limitation of CAATs is:**


A. Faster testing


B. Large data access


C. Lack of technical skills by auditors


D. Reduced cost


**Answer:**


### **47. The MOST important reason to review system logs:**


A. Lower operating costs


B. Detect unauthorized activities


C. Train users


D. Update documentation


**Answer:**


### **48. A risk-based audit approach helps auditors:**


A. Reduce audit staff


B. Focus on high-risk areas


C. Increase scope


D. Complete faster


**Answer:**


### **49. An IS auditor reviewing cloud environments should FIRST examine:**


A. SLA agreements


B. Network diagrams


C. Vendor financials


D. User complaints


**Answer:**


### **50. Which is the BEST technique to verify completeness of transaction processing?**


 


A. Hash totals


B. Differential analysis


C. Data encryption


D. Exception testing


**Answer:**



Below are 50 CISA-style MCQs (Domains 1 & 2: Information Systems Auditing Process and Governance & Management of IT). Since 100 questions with explanations would be extremely long, 


CISA Domain 1 & 2 MCQs

1.

The PRIMARY purpose of an IS audit charter is to:

A. Define audit procedures

B. Establish audit authority and responsibility

C. Identify audit findings

D. Approve audit reports


Answer: 


2.

An IS auditor should FIRST review:

A. Previous audit reports

B. Audit charter

C. Organizational chart

D. Risk register


Answer: 


3.

Which audit evidence is MOST reliable?

A. Oral confirmation from management

B. Internal reports

C. Auditor's direct observation

D. User statements


Answer: 


4.

The MOST important factor when planning an audit is:

A. Available budget

B. Auditor experience

C. Risk assessment results

D. Number of employees


Answer: 


5.

Sampling risk refers to:

A. Auditor incompetence

B. Wrong conclusion based on sample testing

C. Lack of evidence

D. Fraud risk


Answer: 


6.

An auditor discovers a material weakness. The FIRST action should be:

A. Report immediately to regulators

B. Gather sufficient evidence

C. Inform employees

D. Stop audit work


Answer: 


7.

Which is a preventive control?

A. Exception report

B. Reconciliation

C. Segregation of duties

D. Audit trail review


Answer: 


8.

Independence of IS auditors is BEST achieved by reporting to:

A. CIO

B. IT Manager

C. Audit Committee

D. Security Manager


Answer: 


9.

The PRIMARY objective of audit evidence is to:

A. Support audit conclusions

B. Increase audit costs

C. Satisfy management

D. Reduce testing


Answer: 


10.

An auditor using CAATs can MOST effectively:

A. Eliminate audit risk

B. Analyze large volumes of data

C. Replace audit judgment

D. Prevent fraud


Answer: 


11.

Risk-based auditing focuses primarily on:

A. High-cost areas

B. High-risk areas

C. Large departments

D. Recent projects


Answer: 


12.

Which control is detective?

A. Password policy

B. Fire suppression system

C. Log review

D. Segregation of duties


Answer: 


13.

The BEST source of evidence regarding system configuration is:

A. Interviews

B. Observation

C. System-generated reports

D. User questionnaires


Answer: 


14.

Audit scope should be determined during:

A. Reporting

B. Planning

C. Follow-up

D. Fieldwork completion


Answer: 


15.

Which is MOST likely to impair auditor independence?

A. Prior audit experience

B. Reporting to audit committee

C. Designing controls being audited

D. Continuous training


Answer: 


16.

The MAIN purpose of audit documentation is:

A. Reduce findings

B. Support audit conclusions

C. Eliminate risks

D. Increase efficiency


Answer: 


17.

An auditor identifies excessive privileged accounts. This indicates weakness in:

A. Change management

B. Access management

C. Capacity planning

D. Backup procedures


Answer: 


18.

The MOST effective way to verify disaster recovery readiness is:

A. Interview management

B. Review policy

C. Conduct recovery testing

D. Review budgets


Answer: 


19.

A control objective describes:

A. How controls operate

B. Desired result of controls

C. Audit procedures

D. Audit evidence


Answer: 


20.

Which type of evidence provides the HIGHEST assurance?

A. Inquiry

B. Observation

C. Recalculation

D. Written representation


Answer: 


Domain 2 – Governance and Management of IT

21.

The PRIMARY responsibility for IT governance belongs to:

A. Internal audit

B. IT department

C. Board of directors

D. Security team


Answer: 


22.

The main objective of IT governance is:

A. Increase technology spending

B. Align IT with business objectives

C. Reduce employee count

D. Eliminate all risks


Answer: 


23.

Which framework is MOST associated with IT governance?

A. COBIT

B. ITIL

C. Agile

D. Six Sigma


Answer: 


24.

A steering committee primarily ensures:

A. Network availability

B. Strategic alignment of IT initiatives

C. Software coding quality

D. Security monitoring


Answer: 


25.

The BEST indicator of effective IT governance is:

A. Large IT budget

B. Business objectives achieved through IT

C. More employees

D. Increased audit findings


Answer: 


26.

Who is ultimately accountable for enterprise risk management?

A. IT Manager

B. Security Officer

C. Board and senior management

D. Auditors


Answer: 


27.

The purpose of an IT strategy is to:

A. Replace business strategy

B. Support business goals

C. Increase IT staff

D. Reduce governance activities


Answer: 


28.

A balanced scorecard is used to:

A. Conduct penetration testing

B. Measure organizational performance

C. Create backups

D. Manage passwords


Answer: 


29.

Which COBIT domain focuses on governance?

A. APO

B. BAI

C. DSS

D. EDM


Answer: 


30.

The MOST important characteristic of IT governance metrics is:

A. Complexity

B. Relevance to objectives

C. Length

D. Costliness


Answer: 


31.

Enterprise architecture primarily helps:

A. Align business and IT processes

B. Detect fraud

C. Conduct audits

D. Reduce backups


Answer: 


32.

An IT steering committee should include:

A. Only IT staff

B. Only auditors

C. Business and IT representatives

D. Vendors only


Answer: 


33.

The PRIMARY objective of portfolio management is:

A. Maximize project quantity

B. Optimize investment value and risk

C. Reduce documentation

D. Increase staffing


Answer: 


34.

The MOST effective governance structure provides:

A. Clear accountability

B. More technology

C. Larger budgets

D. More reports


Answer: 


35.

Which role should approve risk appetite?

A. Help Desk Manager

B. Project Manager

C. Board of Directors

D. Developer


Answer: 


36.

The BEST measure of project success is:

A. Budget spent

B. Business benefits realized

C. Staff assigned

D. Number of reports


Answer: 


37.

Which is MOST important for vendor governance?

A. Vendor size

B. Contract monitoring

C. Vendor location

D. Number of employees


Answer: 


38.

The purpose of IT policies is to:

A. Provide strategic direction and control requirements

B. Replace procedures

C. Eliminate risks

D. Reduce accountability


Answer:


39.

Which governance practice BEST supports accountability?

A. Informal communication

B. Defined roles and responsibilities

C. Verbal agreements

D. Ad hoc reviews


Answer: 


40.

A key objective of benefits realization is:

A. Increase project costs

B. Ensure expected value is achieved

C. Increase staffing

D. Reduce governance


Answer: 


41.

The MOST important output of risk assessment is:

A. Risk ranking

B. Audit budget

C. Headcount report

D. Project schedule


Answer: 


42.

An organization with mature governance will MOST likely have:

A. Undefined responsibilities

B. Ad hoc processes

C. Formalized decision-making structures

D. Minimal reporting


Answer: 


43.

The PRIMARY reason for establishing KPIs is to:

A. Measure performance achievement

B. Increase spending

C. Replace audits

D. Reduce controls


Answer: 


44.

Which is MOST critical when outsourcing IT services?

A. Vendor advertising

B. Service level agreements (SLAs)

C. Vendor office size

D. Vendor profits


Answer: 


45.

IT governance maturity is BEST assessed through:

A. Staff interviews only

B. Governance framework assessment

C. Financial statement review only

D. Source code review


Answer: 


46.

The PRIMARY objective of enterprise risk management is:

A. Eliminate risks

B. Manage risks within risk appetite

C. Avoid all technology projects

D. Reduce controls


Answer: 


47.

Which governance activity ensures management follows board direction?

A. Monitoring and reporting

B. Programming

C. System testing

D. Coding standards


Answer: 


48.

A business case should be approved BEFORE:

A. Benefits review

B. Project initiation

C. Project closure

D. Audit reporting


Answer: 


49.

The MOST effective method to ensure IT supports business goals is:

A. Strong governance processes

B. More technology spending

C. Frequent audits only

D. Larger IT staff


Answer: 


50.

Which stakeholder is MOST interested in strategic alignment of IT?

A. Data entry operator

B. Board of Directors

C. Help desk analyst

D. Network technician


Answer: 


These questions follow the ISACA CISA exam style and focus on the first two domains:


1. Information Systems Auditing Process
2. Governance and Management of IT


For the CISA Certification Exam, the most heavily tested and high-scoring topics are:


1. Information Systems Auditing Process

Sample Question

An IS auditor discovers that audit evidence collected from interviews is inconsistent with system-generated reports. What should the auditor do FIRST?


A. Accept the system reports as accurate

B. Report the discrepancy immediately

C. Obtain additional evidence to resolve the inconsistency

D. Rely on management representations


Answer: 


Explanation: Auditors must gather sufficient and appropriate evidence before reaching conclusions. Contradictory evidence requires further investigation.


2. IT Governance and Management

Sample Question

Who has the PRIMARY responsibility for ensuring that IT supports business objectives?


A. CIO

B. Internal Audit

C. Board of Directors and Senior Management

D. IT Steering Committee


Answer: 


Explanation: The board and senior management are ultimately accountable for IT governance and strategic alignment.


3. Risk Management

Sample Question

Which of the following should be performed FIRST in a risk assessment process?


A. Select controls

B. Identify assets and risks

C. Conduct penetration testing

D. Develop recovery plans


Answer: 


Explanation: Risks must be identified before they can be analyzed and treated.


4. Internal Controls

Sample Question

Which of the following is a preventive control?


A. Audit log review

B. Exception report

C. Segregation of duties

D. Reconciliation


Answer: 


Explanation: Segregation of duties prevents unauthorized actions before they occur.


5. Business Continuity & Disaster Recovery

Sample Question

What provides the GREATEST assurance that a disaster recovery plan will work?


A. Management approval

B. Documentation review

C. Successful testing of the plan

D. Annual updates


Answer: 


Explanation: Only testing demonstrates that recovery procedures can actually be executed successfully.


6. Access Controls

Sample Question

An employee transferred to another department but retained access to previous applications. This is a failure in:


A. Change management

B. Incident management

C. User access administration

D. Capacity management


Answer: 


Explanation: User access rights should be reviewed and updated whenever job responsibilities change.


7. Change Management

Sample Question

What is the MOST important control over emergency program changes?


A. Developer approval

B. User approval

C. Post-implementation review and authorization

D. Source code documentation


Answer: 


Explanation: Emergency changes may bypass normal controls but must undergo subsequent review and approval.


8. System Development Life Cycle (SDLC)

Sample Question

User involvement is MOST critical during which SDLC phase?


A. Programming

B. Requirements definition

C. Testing only

D. Maintenance


Answer: 


Explanation: Incorrect requirements can cause project failure regardless of technical quality.


9. Outsourcing and Vendor Management

Sample Question

The MOST important element of an outsourcing agreement is:


A. Vendor size

B. Service Level Agreement (SLA)

C. Vendor profitability

D. Vendor location


Answer: 


Explanation: SLAs define measurable performance expectations and responsibilities.


10. COBIT

Sample Question

Which COBIT domain is responsible for governance activities?


A. APO

B. BAI

C. DSS

D. EDM


Answer: 


Explanation: Evaluate, Direct and Monitor (EDM) is the governance domain in COBIT.


11. Cybersecurity

Sample Question

Which security principle ensures information is not altered without authorization?


A. Confidentiality

B. Integrity

C. Availability

D. Nonrepudiation


Answer: 


Explanation: Integrity protects data from unauthorized modification.


12. Incident Management

Sample Question

After a security breach is detected, the FIRST action should be to:


A. Notify the media

B. Preserve evidence and follow incident response procedures

C. Shut down all systems

D. Terminate employees


Answer: 


Explanation: Evidence preservation is critical for investigation and legal purposes.


Top CISA Exam Topics by Importance

| Priority | Topic | Exam Importance |
|---|---|---|
| 1 | Risk-Based Auditing | ★★★★★ |
| 2 | Internal Controls | ★★★★★ |
| 3 | IT Governance | ★★★★★ |
| 4 | Access Management | ★★★★★ |
| 5 | Change Management | ★★★★★ |
| 6 | Business Continuity & DRP | ★★★★☆ |
| 7 | SDLC & Project Management | ★★★★☆ |
| 8 | COBIT Framework | ★★★★☆ |
| 9 | Vendor Management | ★★★★☆ |
| 10 | Cybersecurity & Incident Response | ★★★★☆ |


CISA Exam Tip

For many CISA questions:


- Board = Governance
- Management = Implementation
- Auditor = Independent Assessment
- Risk Assessment comes before Controls
- Preventive Controls are preferred over Detective Controls
- Business Objectives come before Technology Decisions


Mastering these concepts will help answer a large percentage of CISA exam questions correctly.


CISA Exam Style MCQs on System Development Life Cycle (SDLC)

1.

During which SDLC phase should user requirements be formally documented?


A. Testing

B. Design

C. Requirements Definition

D. Implementation


Answer: 


Explanation: Business and user requirements must be clearly defined before design begins.


2.

The PRIMARY reason for user involvement during system development is to:


A. Reduce programming effort

B. Ensure business requirements are met

C. Increase system complexity

D. Reduce testing costs


Answer: 


3.

An IS auditor reviewing a system development project should be MOST concerned if:


A. Project meetings are documented

B. User requirements have not been approved

C. Test plans exist

D. Project milestones are defined


Answer: 


4.

Which document serves as the basis for system design?


A. Test Plan

B. Change Request

C. Requirements Specification

D. User Manual


Answer: 


5.

The MOST important objective of feasibility analysis is to determine:


A. Programming standards

B. Project viability

C. User training needs

D. Audit scope


Answer: 


6.

Which SDLC phase includes creation of program specifications?


A. Requirements Analysis

B. Design

C. Testing

D. Maintenance


Answer: 


7.

The PRIMARY purpose of a system test is to verify:


A. Individual modules function properly

B. Entire system meets requirements

C. Source code quality

D. User documentation


Answer: 


8.

User Acceptance Testing (UAT) is intended to confirm that:


A. Programmers approve the system

B. Auditors approve the system

C. Business requirements have been satisfied

D. Hardware specifications are adequate


Answer: 


9.

An IS auditor finds that developers have unrestricted access to production programs. The GREATEST risk is:


A. Increased maintenance costs

B. Unauthorized changes to production systems

C. Delayed implementation

D. User dissatisfaction


Answer: 


10.

Which testing phase is generally performed by end users?


A. Unit Testing

B. Integration Testing

C. User Acceptance Testing

D. Regression Testing


Answer: 


11.

The PRIMARY objective of post-implementation review is to determine whether:


A. Programmers followed standards

B. The project met business objectives

C. Testing was completed

D. Hardware is functioning


Answer: 


12.

Which SDLC methodology delivers software in small, incremental releases?


A. Waterfall

B. Agile

C. Spiral

D. V-Model


Answer: 


13.

In Agile development, requirements are typically:


A. Fixed throughout the project

B. Defined only after implementation

C. Refined continuously during iterations

D. Ignored


Answer: 


14.

The MOST significant risk of inadequate requirements gathering is:


A. Increased training costs

B. System fails to meet business needs

C. More hardware purchases

D. Audit findings


Answer: 


15.

A project sponsor is responsible for:


A. Coding the application

B. Conducting penetration tests

C. Providing project oversight and support

D. Approving source code


Answer: 


16.

Which control BEST ensures completeness of program changes?


A. Emergency changes

B. Version control procedures

C. User training

D. Network monitoring


Answer: 


17.

An IS auditor reviewing project management should FIRST verify:


A. Programmer qualifications

B. Approved business case exists

C. Number of test cases

D. Training schedule


Answer: 


18.

The MOST effective method to ensure application controls work correctly is:


A. Review policies

B. Conduct testing

C. Interview users

D. Observe operations


Answer: 


19.

Which testing method verifies changes have not adversely affected existing functionality?


A. Unit Testing

B. Stress Testing

C. Regression Testing

D. Parallel Testing


Answer: 


20.

The PRIMARY purpose of configuration management is to:


A. Increase development speed

B. Control changes to system components

C. Eliminate testing requirements

D. Reduce user involvement


Answer: 


21.

A successful project should be measured primarily by:


A. Budget compliance only

B. Number of programmers assigned

C. Achievement of business objectives

D. Project duration


Answer: 


22.

The BEST evidence that a system satisfies user requirements is:


A. Signed user acceptance documentation

B. Management representation

C. Project status reports

D. Training records


Answer: 


23.

An auditor discovers that testing was performed using production data without masking sensitive information. The GREATEST concern is:


A. Increased storage costs

B. Privacy and confidentiality risk

C. Reduced performance

D. User dissatisfaction


Answer: 


24.

Which SDLC model has the HIGHEST risk of discovering requirements errors late in the project?


A. Agile

B. Incremental

C. Waterfall

D. Scrum


Answer: 


25.

The PRIMARY benefit of prototyping is:


A. Reduced documentation

B. Improved understanding of user requirements

C. Faster coding

D. Reduced audit effort


Answer: 


Difficult CISA Case-Based Questions

26.

A company is developing a payroll application. During testing, users identify several calculation errors. What should the IS auditor recommend FIRST?


A. Implement the system immediately

B. Correct defects and retest the application

C. Conduct staff training

D. Update documentation only


Answer: 


27.

Management wants to skip user acceptance testing because the project is behind schedule. The auditor should conclude that:


A. This is acceptable if system testing is completed

B. Risk increases that business requirements will not be met

C. Audit approval can replace UAT

D. Project costs will decrease


Answer: 


28.

An organization allows developers to migrate code directly into production during emergencies. Which control is MOST important?


A. Developer training

B. Post-implementation review and management approval

C. Increased budget

D. Additional programmers


Answer: 


29.

An auditor reviewing an Agile project should focus MOST on:


A. Extensive upfront documentation

B. Sprint reviews and product backlog management

C. Fixed requirements documents

D. Sequential phase approvals


Answer: 


30.

A project was completed on time and within budget but failed to improve business operations. The project should be considered:


A. Successful

B. Technically successful but business unsuccessful

C. Failed only from an audit perspective

D. Fully compliant


Answer: 


High-Yield SDLC Areas Frequently Tested in CISA

1. Requirements Definition
2. Feasibility Study
3. Project Governance
4. User Acceptance Testing (UAT)
5. Change Management
6. Segregation of Duties in Development
7. Agile vs Waterfall
8. Post-Implementation Review
9. Configuration Management
10. Migration to Production Controls


These topics appear regularly in CISA questions because they directly affect whether systems meet business

Tuesday, June 9, 2026

Question Answers on basic concepts on financial accounting, Cost Accounting, economics etc

100 Q&A covering the topic based on US CMA Part 1 Section A + ACCA MA/FMA. Short, exam-focused


*A. Basic Financial Accounting Concepts - Q1 to Q15*

1. *Q*: What is the accounting equation? *A*: Assets = Liabilities + Equity. Foundation of double entry.

2. *Q*: What is accrual basis vs cash basis? *A*: Accrual records revenue/expense when earned/incurred. Cash when cash moves.

3. *Q*: What is matching principle? *A*: Expenses matched to revenues of same period.

4. *Q*: What is conservatism principle? *A*: Recognize losses early, gains only when realized.

5. *Q*: What are 4 financial statements? *A*: Income Statement, Balance Sheet, Cash Flow, Statement of Equity.

6. *Q*: Debit vs Credit rule for assets? *A*: Assets increase with Debit, decrease with Credit.

7. *Q*: What is contra account? *A*: Account with opposite normal balance. E.g. Accumulated Depreciation.

8. *Q*: What is revenue recognition 5-step model? *A*: Identify contract → performance obligations → price → allocate → recognize.

9. *Q*: What is materiality concept? *A*: Ignore immaterial items if it won’t affect decisions.

10. *Q*: What is going concern assumption? *A*: Business will continue operations, not liquidate soon.

11. *Q*: What is consistency principle? *A*: Use same accounting methods period to period.

12. *Q*: What is entity concept? *A*: Business separate from owner.

13. *Q*: What is historical cost principle? *A*: Record assets at original cost, not market value.

14. *Q*: What is trial balance purpose? *A*: Check arithmetic accuracy of ledger postings.

15. *Q*: What is adjusting entry for prepaid rent? *A*: Dr Rent Expense, Cr Prepaid Rent.


*B. Basic Cost Concepts - Q16 to Q30*

16. *Q*: Direct vs Indirect cost? *A*: Direct traceable to product. Indirect needs allocation.

17. *Q*: Variable vs Fixed cost behavior? *A*: VC total changes with output. FC total constant.

18. *Q*: What is semi-variable cost? *A*: Has fixed + variable component. E.g. electricity.

19. *Q*: Prime cost formula? *A*: Direct Material + Direct Labor.

20. *Q*: Conversion cost formula? *A*: Direct Labor + Factory Overhead.

21. *Q*: Product vs Period cost? *A*: Product cost goes to inventory. Period cost expensed now.

22. *Q*: What is sunk cost? *A*: Already incurred, irrelevant for decisions.

23. *Q*: Engineered vs Discretionary cost? *A*: Engineered has cause-effect, e.g. DM. Discretionary set by budget, e.g. ads.

24. *Q*: What is step cost? *A*: Fixed over range, jumps at new level. E.g. supervisor salary.

25. *Q*: What is relevant range? *A*: Output range where cost behavior assumptions hold true.

26. *Q*: What is opportunity cost? *A*: Benefit lost by choosing one option over next best.

27. *Q*: Inventoriable cost? *A*: All manufacturing costs: DM + DL + FOH.

28. *Q*: COGS formula? *A*: Opening FG + COGM - Closing FG.

29. *Q*: COGM formula? *A*: Opening WIP + Total mfg cost - Closing WIP.

30. *Q*: What is cost object? *A*: Anything for which cost is measured: product, dept, customer.


*C. Basic Business Acumen - Q31 to Q40*

31. *Q*: What are 4 Ps of marketing? *A*: Product, Price, Place, Promotion.

32. *Q*: What is SWOT? *A*: Strengths, Weaknesses, Opportunities, Threats for strategy.

33. *Q*: What is value chain? *A*: Activities that add value from supplier to customer.

34. *Q*: What is competitive advantage? *A*: Ability to outperform rivals via cost or differentiation.

35. *Q*: What is economies of scale? *A*: Cost per unit falls as output increases.

36. *Q*: What are diseconomies of scale? *A*: Cost per unit rises after optimal size due to inefficiency.

37. *Q*: What is break-even point? *A*: Sales where total revenue = total cost. Profit = 0.

38. *Q*: BEP in units formula? *A*: Fixed Cost / Contribution per unit.

39. *Q*: What is margin of safety? *A*: Sales above BEP. MOS = Actual sales - BEP sales.

40. *Q*: What is operating leverage? *A*: % change in profit / % change in sales. Higher FC = higher leverage.


*D. Accounting Information System - Q41 to Q50*

41. *Q*: 3 components of AIS? *A*: People, Procedures + instructions, Data + software.

42. *Q*: What is audit trail? *A*: Record of all transactions + changes for tracking.

43. *Q*: Input control example? *A*: Range check, limit check to prevent wrong data entry.

44. *Q*: Processing control example? *A*: Run-to-run totals to check all data processed.

45. *Q*: Output control example? *A*: Review output for reasonableness before distribution.

46. *Q*: What is ERP? *A*: Integrated system for all business functions: finance, HR, inventory.

47. *Q*: Source document in purchase cycle? *A*: Purchase Order, Goods Received Note, Vendor Invoice.

48. *Q*: What is segregation of duties in AIS? *A*: Different person for authorization, recording, custody.

49. *Q*: Cloud vs On-premise AIS risk? *A*: Cloud = data security risk. On-premise = maintenance cost risk.

50. *Q*: What is master file? *A*: Permanent data file like customer/vendor master in AIS.


*E. Basic Economics - Q51 to Q60*

51. *Q*: Law of demand? *A*: Price ↑, Quantity demanded ↓, other things equal.

52. *Q*: Law of supply? *A*: Price ↑, Quantity supplied ↑, other things equal.

53. *Q*: What is elasticity? *A*: % change in Q demanded / % change in price.

54. *Q*: What are factors of production? *A*: Land, Labor, Capital, Entrepreneurship.

55. *Q*: Short run vs Long run? *A*: Short run: at least 1 factor fixed. Long run: all factors variable.

56. *Q*: What is diminishing marginal returns? *A*: Adding more of variable input yields smaller output increase.

57. *Q*: GDP vs GNP? *A*: GDP = output in country. GNP = output by country’s citizens.

58. *Q*: Inflation effect on accounting? *A*: Historical cost understates asset value, overstates profit.

59. *Q*: What is opportunity cost in economics? *A*: Value of next best alternative foregone.

60. *Q*: Perfect competition feature? *A*: Many buyers/sellers, identical product, price taker.


*F. Corporate Governance - Q61 to Q70*

61. *Q*: 3 main parties in governance? *A*: Board of Directors, Management, Shareholders.

62. *Q*: Role of Audit Committee? *A*: Oversee financial reporting, IA, external audit, risk.

63. *Q*: What is agency problem? *A*: Conflict between owners and managers due to different interests.

64. *Q*: Board independence importance? *A*: Prevents management override, protects shareholders.

65. *Q*: What is tone at top? *A*: Ethical culture set by senior management/board.

66. *Q*: What is whistleblower policy? *A*: Channel for employees to report misconduct without retaliation.

67. *Q*: CEO/Chair duality risk? *A*: Reduces board independence, weakens oversight.

68. *Q*: Sarbanes-Oxley Section 404? *A*: Management must assess internal controls over financial reporting.

69. *Q*: Stakeholder theory vs Shareholder theory? *A*: Stakeholder: serve all groups. Shareholder: maximize owner wealth.

70. *Q*: What is fiduciary duty of directors? *A*: Duty of care + duty of loyalty to company.


*G. Basic Data Analytics - Q71 to Q80*

71. *Q*: 4 types of data analytics? *A*: Descriptive, Diagnostic, Predictive, Prescriptive.

72. *Q*: Descriptive analytics example? *A*: Sales report, dashboard showing past performance.

73. *Q*: Predictive analytics example? *A*: Forecast next month sales using past data.

74. *Q*: What is data mining? *A*: Finding patterns in large data sets.

75. *Q*: Big Data 3 Vs? *A*: Volume, Velocity, Variety.

76. *Q*: Benford’s Law use in audit? *A*: Detect fraud by checking digit frequency in data.

77. *Q*: What is visualization in analytics? *A*: Charts/graphs to make data insights clear.

78. *Q*: Structured vs Unstructured data? *A*: Structured = rows/columns. Unstructured = emails, images.

79. *Q*: What is KPI? *A*: Key Performance Indicator to measure success.

80. *Q*: Data analytics benefit for MA? *A*: Better budgeting, variance analysis, fraud detection.


*H. Stakeholders + Production + Costing Methods - Q81 to Q100*

81. *Q*: Who are internal stakeholders? *A*: Employees, managers, owners.

82. *Q*: Who are external stakeholders? *A*: Customers, suppliers, govt, creditors, community.

83. *Q*: Customer interest from company? *A*: Quality product at fair price, timely delivery.

84. *Q*: Govt interest from company? *A*: Taxes, legal compliance, employment.

85. *Q*: Creditor interest? *A*: Timely repayment + interest, financial stability.

86. *Q*: High-Low method purpose? *A*: Separate fixed + variable part of mixed cost.

87. *Q*: High-Low VC rate formula? *A*: (Cost at high - Cost at low) / (Activity at high - Activity at low).

88. *Q*: What is overcosting? *A*: Product charged more OH than actual resources used.

89. *Q*: What is undercosting? *A*: Product charged less OH than actual resources used.

90. *Q*: Overapplied overhead meaning? *A*: Applied OH > Actual OH. Dr OH Control, Cr COGS.

91. *Q*: Underapplied overhead meaning? *A*: Actual OH > Applied OH. Dr COGS, Cr OH Control.

92. *Q*: How to dispose underapplied OH? *A*: Write off to COGS, or prorate to WIP, FG, COGS.

93. *Q*: Diseconomies of scale cause? *A*: Bureaucracy, communication gap, coordination loss in large firm.

94. *Q*: Short run production decision? *A*: Can change variable input only. FC remains.

95. *Q*: Long run production decision? *A*: Can change all inputs including plant size.

96. *Q*: What is joint cost? *A*: Common cost before split-off point for multiple products.

97. *Q*: Joint cost allocation method? *A*: Physical units method or Net Realizable Value method.

98. *Q*: What is cost tracing? *A*: Direct assignment of cost to cost object.

99. *Q*: What is cost allocation? *A*: Assign indirect cost using allocation base.

100. *Q*: What is reapportionment? *A*: Secondary allocation of service dept cost to production depts.


*Exam Tip*: For CMA + ACCA MA, focus on definitions + formulas + “why it matters”. They test application, not theory essays.

Questions on basic concepts of financial accounting, cost accounting, economics, business acumen, organisation structure, etc.

 Here are *100 Q&A* covering the topics you listed – based on *US CMA Part 1 Section A + ACCA MA/FMA*. Short, exam-focused, no fluff.

Mock test: Basic concepts of financial accounting, cost accounting, economics, accounting information system, etc.

*A. Basic Financial Accounting Concepts - Q1 to Q15*

1. *Q*: What is the accounting equation? *A*: 

2. *Q*: What is accrual basis vs cash basis? *A*: 

3. *Q*: What is matching principle? *A*

4. *Q*: What is conservatism principle? *A*

5. *Q*: What are 4 financial statements? *A*: 

6. *Q*: Debit vs Credit rule for assets? *A*:

7. *Q*: What is contra account? *A*: 

8. *Q*: What is revenue recognition 5-step model? *A*: 

9. *Q*: What is materiality concept? *A*: 

10. *Q*: What is going concern assumption? *A*:

11. *Q*: What is consistency principle? *A*: 

12. *Q*: What is entity concept? *A*: 

13. *Q*: What is historical cost principle? *A*: 

14. *Q*: What is trial balance purpose? *A*

15. *Q*: What is adjusting entry for prepaid rent? *A*: 


*B. Basic Cost Concepts - Q16 to Q30*

16. *Q*: Direct vs Indirect cost? *A*: 

17. *Q*: Variable vs Fixed cost behavior? *A*:

18. *Q*: What is semi-variable cost? *A*:

19. *Q*: Prime cost formula? *A*: 

20. *Q*: Conversion cost formula? *A*:

21. *Q*: Product vs Period cost? *A*:

22. *Q*: What is sunk cost? *A*: 

23. *Q*: Engineered vs Discretionary cost? *A*:

24. *Q*: What is step cost? *A*: 

25. *Q*: What is relevant range? *A*:

26. *Q*: What is opportunity cost? *A*:

27. *Q*: Inventoriable cost? *A*: 

28. *Q*: COGS formula? *A*:

29. *Q*: COGM formula? *A*:

30. *Q*: What is cost object? *A*:


*C. Basic Business Acumen - Q31 to Q40*

31. *Q*: What are 4 Ps of marketing? *A*: 

32. *Q*: What is SWOT? *A*: 

33. *Q*: What is value chain? *A*: 

34. *Q*: What is competitive advantage? *A*: 

35. *Q*: What is economies of scale? *A*:

36. *Q*: What are diseconomies of scale? *A*:

37. *Q*: What is break-even point? *A*

38. *Q*: BEP in units formula? *A*:

39. *Q*: What is margin of safety? *A*: 

40. *Q*: What is operating leverage? *A*:


*D. Accounting Information System - Q41 to Q50*

41. *Q*: 3 components of AIS? *A*:

42. *Q*: What is audit trail? *A*: 

43. *Q*: Input control example? *A*

44. *Q*: Processing control example? *A*:

45. *Q*: Output control example? *A*: 

46. *Q*: What is ERP? *A*: 

47. *Q*: Source document in purchase cycle? *A*

48. *Q*: What is segregation of duties in AIS? *A*: 

49. *Q*: Cloud vs On-premise AIS risk? *A*: 

50. *Q*: What is master file? *A*: 


*E. Basic Economics - Q51 to Q60*

51. *Q*: Law of demand? *A*:

52. *Q*: Law of supply? *A*

53. *Q*: What is elasticity? *A*:

54. *Q*: What are factors of production? *A*: 

55. *Q*: Short run vs Long run? *A*:

56. *Q*: What is diminishing marginal returns? *A*: 

57. *Q*: GDP vs GNP? *A*:

58. *Q*: Inflation effect on accounting? *A*: 

59. *Q*: What is opportunity cost in economics? *A*: 

60. *Q*: Perfect competition feature? *A*:


*F. Corporate Governance - Q61 to Q70*

61. *Q*: 3 main parties in governance? *A*: 

62. *Q*: Role of Audit Committee? *A*: 

63. *Q*: What is agency problem? *A*: 

64. *Q*: Board independence importance? *A*: 

65. *Q*: What is tone at top? *A*:

66. *Q*: What is whistleblower policy? *A*:

67. *Q*: CEO/Chair duality risk? *A*: 

68. *Q*: Sarbanes-Oxley Section 404? *A*: 

69. *Q*: Stakeholder theory vs Shareholder theory? *A*: 

70. *Q*: What is fiduciary duty of directors? *A*:


*G. Basic Data Analytics - Q71 to Q80*

71. *Q*: 4 types of data analytics? *A*:

72. *Q*: Descriptive analytics example? *A*: 

73. *Q*: Predictive analytics example? *A*:

74. *Q*: What is data mining? *A*:

75. *Q*: Big Data 3 Vs? *A*: 

76. *Q*: Benford’s Law use in audit? *A*: Detect fraud by checking digit frequency in data.

77. *Q*: What is visualization in analytics? *A*: 

78. *Q*: Structured vs Unstructured data? *A*: 

79. *Q*: What is KPI? *A*:

80. *Q*: Data analytics benefit for MA? *A*: 


*H. Stakeholders + Production + Costing Methods - Q81 to Q100*

81. *Q*: Who are internal stakeholders? *A*: 

82. *Q*: Who are external stakeholders? *A*

83. *Q*: Customer interest from company? *A*: 

84. *Q*: Govt interest from company? *A*:

85. *Q*: Creditor interest? *A*:

86. *Q*: High-Low method purpose? *A*: 

87. *Q*: High-Low VC rate formula? *A*:

88. *Q*: What is overcosting? *A*: 

89. *Q*: What is undercosting? *A*:

90. *Q*: Overapplied overhead meaning? *A*:

91. *Q*: Underapplied overhead meaning? *A*: 

92. *Q*: How to dispose underapplied OH? *A*:

93. *Q*: Diseconomies of scale cause? *A*:

94. *Q*: Short run production decision? *A*:

95. *Q*: Long run production decision? *A*: 

96. *Q*: What is joint cost? *A*: 

97. *Q*: Joint cost allocation method? *A*:

98. *Q*: What is cost tracing? *A*: 

99. *Q*: What is cost allocation? *A*:

100. *Q*: What is reapportionment? *A*: 



*Exam Tip*: For CMA + ACCA MA, focus on definitions + formulas + “why it matters”. They test application, not theory essays.




Monday, June 1, 2026

Case-Based MCQs – Revenue, Payroll & Procurement Cycles

  



*Exam Style*: CIA Part 1/2, US CMA Part 1, ACCA F8/FIA  


*Focus*: Documents, Responsible Person, Risk Owner, Deliverables, Key Controls


*CASE 1: REVENUE CYCLE – “TechSell Ltd”*


*Scenario:*  


TechSell Ltd sells software licenses. Process flow:  

1. *Sales Rep* prepares Quote → approved by Sales Manager.  

2. *Customer Service* creates Sales Order in ERP using approved quote.  

3. *Warehouse* ships activation key via email; Delivery Note generated.  

4. *Billing Clerk* prepares Invoice from Sales Order + Delivery Note.  

5. *AR Clerk* records payment; *Treasury* deposits cash.  

6. *Credit Manager* sets credit limits and approves new customers.


*Risk Identified*: Sales orders created without credit approval for new customers. Last month $200k shipped to customer who later defaulted.


*Q1. Which document should be mandatory before creating a Sales Order for a new customer?*  


A. Delivery Note  


B. Purchase Order from customer  


C. Approved Credit Application Form  


D. Invoice  


*Answer: 


*Q2. Who is the PRIMARY risk owner for “revenue loss due to uncollectible sales”?*  


A. Sales Rep  


B. Billing Clerk  


C. Credit Manager  


D. CFO  


*Answer:


*Q3. Which deliverable evidences that goods were transferred to customer under ASC 606?*  


A. Quote  


B. Sales Order  


C. Delivery Note/Proof of Delivery  


D. Invoice  


*Answer: 


*Q4. Segregation of Duties violation in TechSell would be:*  


A. Sales Rep prepares quote + approves quote  


B. Billing Clerk prepares invoice + AR Clerk records payment  


C. Credit Manager approves credit + collects cash  


D. Warehouse ships + Billing invoices  


*Answer:



*CASE 2: PAYROLL CYCLE – “ManuCorp”*

*Scenario:*  


ManuCorp has 500 employees. Process:  

1. *Supervisors* approve timesheets in system.  

2. *HR Manager* adds new hires/terminations and updates salary master file.  

3. *Payroll Clerk* processes payroll using approved timesheets + HR master data.  

4. *Treasury Manager* releases EFT payments after reviewing payroll register.  

5. *HR Manager* also reconciles payroll bank account.  


*Risk*: Ghost employee detected last audit – salary paid to terminated employee for 3 months.


*Q5. Which key control failed that allowed payment to terminated employee?*  


A. Supervisor approval of timesheets  


B. Independent reconciliation of payroll bank account  


C. Timely HR update of master file + restricted access  


D. Treasury review of payroll register  


*Answer:


*Q6. Who should be the risk owner for “unauthorized changes to payroll master file”?*  


A. Payroll Clerk  


B. HR Manager  


C. IT Manager  


D. Treasury Manager  


*Answer: 


*Q7. Key deliverable from payroll processing that Treasury uses to authorize payment:*  


A. Timesheets  


B. Payroll Register/Report  


C. HR Appointment Letter  


D. Bank Statement  


*Answer: 


*Q8. SOD conflict in ManuCorp is:*  


A. Supervisor approves timesheet + Payroll Clerk processes  


B. HR Manager updates master file + reconciles payroll bank account  


C. Treasury releases payment + CFO reviews  


D. Payroll Clerk processes + Treasury pays  


*Answer:



*CASE 3: PROCUREMENT CYCLE – “BuildCo”*


*Scenario:*  


BuildCo construction company. Process:  

1. *Site Engineer* raises Purchase Requisition when stock low.  

2. *Purchase Manager* selects vendor, creates Purchase Order. Approved by *Procurement Head* if >$50k.  

3. *Receiving Dept* checks goods vs PO, prepares Goods Received Note.  

4. *AP Clerk* 3-way matches: PO + GRN + Invoice, then records payable.  

5. *Treasury* makes payment after *Finance Manager* approval.  

6. *Vendor Master* maintained by *Purchase Manager*.


*Risk*: Duplicate payments made to vendor due to duplicate invoices. AP Clerk paid same invoice twice.


*Q9. Which document is missing in 3-way match if duplicate payment occurred?*  


A. Purchase Order  


B. Goods Received Note  


C. Vendor Invoice  


D. None – all present but control failed  


*Answer:


*Q10. Who should be risk owner for “unauthorized changes to Vendor Master File”?*  


A. AP Clerk  


B. Purchase Manager  


C. IT Manager  


D. Finance Manager  


*Answer: 


*Q11. Key preventive control to avoid ordering unneeded goods:*  


A. 3-way match  


B. Approved Purchase Requisition by Dept Head  


C. Invoice approval  


D. Bank reconciliation  


*Answer: 


*Q12. Deliverable evidencing that goods were actually received in good condition:*  


A. Purchase Order  


B. Purchase Requisition  


C. Goods Received Note signed by Receiving Dept  


D. Vendor Invoice  


*Answer: 


SUMMARY TABLE – KEY ROLES BY CYCLE. Gmsisuccess students, please refer to this.

| **Cycle** | **Key Document** | **Responsible Person** | **Risk Owner** | **Key Deliverable** |
|---|---|---|---|---|
| **Revenue** | Sales Order, Invoice, Delivery Note | Sales Rep, Billing Clerk | Credit Manager | Aged AR Report, Credit Approval |
| **Payroll** | Timesheet, Payroll Register | Supervisor, Payroll Clerk | HR Manager | Payroll Register, Bank Rec |
| **Procurement** | PR, PO, GRN, Invoice | Site Engineer, Purchase Mgr | Purchase Mgr, Receiving Head | 3-way Match Report, PO Register |



*EXAM TIPS – CIA/CMA/ACCA*  


1. *Risk Owner* = Manager with authority to manage/mitigate risk, not auditor.  


2. *SOD*: Never combine Authorization + Custody + Recording + Reconciliation.  


3. *Documents*: PR→PO→GRN→Invoice→Payment. Missing any link = control gap.  


4. *Deliverable* = tangible output used for next step: PO, GRN, Payroll Register.  


5. *Integration*: IA must understand these cycles to test controls, but never perform them.