NB: there are 3 categories of membership (Professional, Recent Graduate and Student Member). Also note that you can pursue your CISA Certification without being a Member. Membership and Certification are two different things.
NB: The CISA Review Manual is updated to keep pace with rapid changes in the information systems (IS) audit, control, and security professions. As with previous manuals, the 27th edition is the result of contributions from many qualified authorities who have generously volunteered their time and expertise. An international job practice analysis is conducted periodically to maintain the validity of the CISA certification program. A new job practice forms the basis of the CISA. The complete CISA job practice is available at www.isaca.org/cisajobpractice
NB: The CISA Review Questions, Answers & Explanations Manual 12th Edition consists of 1,000 multiple-choice study questions, answers, and explanations arranged in the domains of the current CISA job practice. With this study aid, CISA candidates can quickly identify their strengths and weaknesses by taking random sample exams of varying lengths and breaking the results down by domain. Sample exams also can be chosen by Domain, allowing for concentrated study, one domain at a time, and other sorting features such as the omission of previously correctly answered questions are available.
TIP: When selecting your answers to the questions presented, respond solely based on the information provided in the particular step and assume the mindset of an average auditor in that situation. Try not to reflect on your previous experiences with similar situations.
With the test passed and the experience still very fresh in my mind, I felt I should take the opportunity to share my experience and any advice to aid my fellow aspiring Certified Information Systems Auditors (CISA) out there!
What was most surprising to me upon actually taking the CISA was that none of the questions in the official ISACA test database showed up on the exam. (Christian, the co-author of this blog, said that when he took the exam the test database was very similar to the exam.) Simply running through the test database and memorizing answers will not help you (at least in my experience). It is much more important that you take the test questions and read the explanations ISACA gives you, then follow up in their review manual for more details.
We were asked to empty our pockets and put any personal items at the front of the room when entering. Cell phones were not allowed in the exam space and had to be checked at the front desk before entering.
During the test, only one person was allowed to go to the restroom at a time and a proctor stood outside the door of the restroom while you went. The only thing allowed on the desk during the test were a few #2 pencils and an eraser. I saw some people have their erasers inspected (because they were covered in a paper wrapping). If the leads broke on all your pencils during the test, you were out of luck and warned of that ahead of time.
The test was all Scantron (fill in the bubble), multiple choice and consisted of 200 questions. I finished the exam in about an hour and a half of the four hours allotted. I was among the first to complete the exam. We were warned repeatedly that there was a zero tolerance policy for breaking any rules and the proctors appeared to take the rules very seriously.
It is quite hard to think of a company that does not use any sort of information system as a basis for doing business. In fact, the actual standard for most companies is having several information systems that are business-critical and will probably contain confidential data such as financial information, personally identifiable information or even trade secrets.
As with any top ISACA certification, the CISA exam is not an easy task and requires adequate preparation. The exam itself has 150 questions from five domains and must be completed in less than four hours. Candidates are also required to provide proof of at least five years of experience in IS audit, control, assurance or security.
It is not unusual for candidates to confuse IS auditor with information security auditor. While information security is the central subject of one of the CISA domains (protection of information assets), it represents only 25% of what is covered on the exam. The other domains are: the process of auditing information systems; governance and management of IT; information systems acquisition, development and implementation; and information systems operations, maintenance and service management. So, if you wish to advance your career as an information security professional, the CISM, another top-level ISACA certification focused on information security management, is probably a better choice.
Each year, ISACA updates its candidate guide providing lots of useful information for the exam. The guide can be freely downloaded here. No candidate should take the CISA exam without reading this guide. It reviews topics such as the exam registration process, dates and deadlines, and key candidate details for exam-day administration. It even contains valuable information such as the exam domains, the number of exam questions, its length and the languages available.
As for practice questions, consider using the CISA Review Questions, Answers & Explanations Manual or the CISA Review Questions, Answers & Explanations Database. Both consist of 1,000 multiple-choice study questions that, while not actual exam items, can help CISA candidates to get a better understanding of both the type and structure of what will appear on the actual exam. It also provides a detailed explanation of both the correct answer and incorrect options, and provides a fantastic way of knowing what topics need further attention.
It is important to know that both the manual and the subscription-based service have the same questions, but the latter has an advantage in terms of usability: since it is available via the web, CISA candidates can access questions anywhere. It also allows for the creation of custom sample exams, with randomly selected questions from any of the exam domains, thus allowing for concentrated study in particular areas or a generalist approach. It also keeps track of previous scoring history, making it simple to identify strengths and weaknesses by domain or subject, and lets you focus study efforts accordingly.
The CISA exam will test you on five domains covering a variety of different subject areas. You must make sure you have enough time to review all domains at least once; this includes not only studying, but also completing mock exams, visiting online forums and spending extra time reviewing areas that need improvement.
Without adequate planning, your chance of success will drop. Creating a study plan that fits your personal needs is essential; even a simple to-do list can help a lot. For your custom study plan, you should consider factors such as:
Going through a certification preparation course lets you spend some time with an experienced instructor, with actual knowledge on how to beat the exam. It is an excellent opportunity to get all your questions answered, share experiences and strategies, and even network if it is in-person training. This results in a greater success rate on any certification exam.
As usual, it is important to verify the credibility of any source you are using. For instance, if you are looking for a formal definition of a concept that is covered in the exam, the best approach is using official material, e.g., books, guidelines and other official publications. But, if you are looking for general advice, posting your question to an online forum such as reddit or TechExams can be quite helpful.
In the end, the CISA certification is a great option for advancing your career. In practical terms, it may just be the competitive edge you need to land a promotion or even a senior IS auditor position. However, as expected, such benefits come at a cost: Only the most dedicated candidates will succeed. Plan ahead, use the aforementioned tips as a basis for your study strategy, but also consider enrolling in official training. Your efforts are sure to pay off.
Cláudio Dodt is an Information Security Evangelist, consultant, trainer, speaker and blogger. He has more than ten years' worth of experience working with Information Security, IT Service Management, IT Corporate Governance and Risk Management.
Explanation:
Compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized. Variable sampling is used to estimate numerical values, such as dollar values. Substantive testing substantiates the integrity of actual processing, such as balances on financial statements. The development of substantive tests is often dependent on the outcome of compliance tests. If compliance tests indicate that there are adequate internal controls, then substantive tests can be minimized. Stop-or-go sampling allows a test to be stopped as early as possible and is not appropriate for checking whether procedures have been followed.
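The distinction in the explanation above (a compliance test of the new-account authorization control, whose outcome decides how much substantive testing is needed) is easier to see on data. The following is an added example written for this page, not material from ISACA or from the original post; the record layout, the approval-ticket register and the 5% tolerable deviation rate are assumptions chosen for illustration.

```python
"""Added example (not from the original page): a compliance test over
constructed account-provisioning records, plus the decision rule the
explanation describes (substantive-test scope depends on the outcome of
the compliance test). Record shapes and the tolerable deviation rate
are assumptions for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class NewAccount:
    username: str
    created_by: str
    approval_ticket: Optional[str]  # None = no authorization recorded at all


# Constructed sample data: the change-ticket register that policy says every
# new account must reference, and the accounts actually created in the period.
APPROVED_TICKETS: Set[str] = {"CHG-1001", "CHG-1002", "CHG-1004", "CHG-1005"}
SAMPLE_ACCOUNTS: List[NewAccount] = [
    NewAccount("alice", "helpdesk", "CHG-1001"),
    NewAccount("bob", "helpdesk", "CHG-1002"),
    NewAccount("svc-backup", "root", None),       # created with no ticket
    NewAccount("carol", "helpdesk", "CHG-1004"),
    NewAccount("dave", "helpdesk", "CHG-9999"),   # ticket not in the register
    NewAccount("erin", "helpdesk", "CHG-1005"),
]


def compliance_test(accounts: List[NewAccount],
                    approved: Set[str]) -> Tuple[List[NewAccount], float]:
    """Attribute (compliance) test: was each new account authorized?

    A deviation is an account with no ticket, or a ticket that does not
    appear in the approved register. Returns the deviating records and the
    observed deviation rate; the rate is what the auditor compares against
    the tolerable rate, not the dollar value of anything.
    """
    deviations = [
        a for a in accounts
        if a.approval_ticket is None or a.approval_ticket not in approved
    ]
    return deviations, len(deviations) / len(accounts)


def substantive_scope(deviation_rate: float,
                      tolerable_rate: float = 0.05) -> str:
    """Decision rule from the explanation: if compliance testing shows the
    control operating within tolerance, substantive testing can be
    minimized; otherwise the auditor cannot rely on the control and must
    expand substantive work (e.g. re-performing balances or reviewing
    every account's activity rather than a reduced sample)."""
    return "minimized" if deviation_rate <= tolerable_rate else "expanded"


def run_audit(accounts: List[NewAccount],
              approved: Set[str]) -> Tuple[List[str], float, str]:
    """Convenience wrapper returning the deviating usernames, the rate,
    and the resulting substantive-test scope."""
    deviations, rate = compliance_test(accounts, approved)
    return [d.username for d in deviations], rate, substantive_scope(rate)


if __name__ == "__main__":
    names, rate, scope = run_audit(SAMPLE_ACCOUNTS, APPROVED_TICKETS)
    print(f"unauthorized accounts: {names}")
    print(f"deviation rate: {rate:.1%} -> substantive testing {scope}")
```

In the constructed sample, two of six accounts lack a valid authorization, so the control fails its compliance test and the auditor would expand substantive testing instead of relying on the control. Note what the test does not do: it does not estimate any numerical value (that would be variable sampling) and it does not verify what the accounts were subsequently used for (that is the substantive work that follows).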
A. refuse the assignment since it is not the role of the IS auditor.
B. inform management of his/her inability to conduct future audits.
C. perform the assignment and future audits with due professional care.
D. obtain the approval of user management to perform the implementation and follow-up.
A. a product of the probability and magnitude of the impact if a threat successfully exploits a vulnerability.
B. the magnitude of the impact should a threat source successfully exploit the vulnerability.
C. the likelihood of a given threat source exploiting a given vulnerability.
D. the collective judgment of the risk assessment team.