CISA explanation and practice questions

Sieuwert van Otterloo | Security

CISA (Certified Information Systems Auditor) is a professional certificate for IT auditors. To become a CISA you have to pass the exam and become an ISACA member. To help you understand what CISA is about, we made a small test with exam-level questions.

CISA background

CISA was introduced in 1978. Around this time, IT auditing was mostly an extension of financial auditing. Auditing was mostly done at large companies that were required to have financial controls to prevent financial fraud. These companies had many policies, mainframe computers, their own data centers and many formal roles such as project steering committees. Like ISO 27001, CISA is based on risk and controls: it emphasises effective risk management by identifying business objectives and risks and selecting the right controls. Unlike ISO 27001, there is more focus on financial controls: segregation of duties, securing transactions, checksums and reconciliation.
Since 1978, companies have evolved and are now much more aware of the value of information, of the dependence of business services on IT, and of security and privacy risks. As a result, CISA is now an interesting mix of financial auditing best practices and information security knowledge. This makes it a challenging exam: to pass it you need both auditing experience and an IT background.

CISA is managed by ISACA, a professional organisation that manages many certifications. According to ISACA, you can only use the letters C, I, S and A if you become an ISACA member. To stay a member, you must keep sending them money. ISACA also has a code of professional ethics that emphasises that audits must be conducted professionally and independently.

The CISA domains

The CISA book and exam consist of five chapters, called domains:

  1. Domain 1: Auditing. This chapter explains how internal audit programs are set up and how audits should be planned and executed.
  2. Domain 2: Governance and management of IT. It explains that IT strategy must be aligned with the business strategy. In order to do this, the different decision makers (board of directors, CEO, executive management, strategy committee, steering committees) should be involved in the right way.
  3. Domain 3: IT systems development, acquisition and implementation. This chapter explains how IT projects should be governed so that they deliver the business objectives.
  4. Domain 4: IT operations and business continuity. This chapter explains how IT systems are operated, with a focus on mainframes and other enterprise-level systems. It also explains business continuity planning: backups, redundancy and disaster recovery.
  5. Domain 5: Protection of information assets. This is the most technical chapter and discusses many technical aspects of information security, such as malware, firewalls, security testing and encryption.

Who should do CISA

CISA certification is not legally required for any role, but it is a good way to prove that you have the knowledge required to conduct audits. Many companies have internal audit roles where CISA or a similar qualification is needed. CISA is also useful for security officers and perhaps data protection officers. It should be noted, however, that CISA does not teach you any specific standard. To audit ISO 27001, you should probably also do ISO 27001 lead auditor training. To become a privacy officer or data protection officer, you should study the GDPR and perhaps do CIPP/E.
CISA is a good way to extend your knowledge as a professional, but it is not a good way to start in any specific role. The exam is designed for people with 2-3 years of professional experience. If you are a recent graduate without relevant working experience, it is a difficult exam. The success rate for first-time exam takers is said to be about 50%.

How to pass the CISA Exam

The CISA exam consists of 150 multiple-choice questions that must be completed in 3 hours. It is a closed-book exam: you must learn many ISACA-specific terms, either from the official book or from a course. Learning the book will bring you only halfway: the questions often refer to practical terms not in the book that you should know from your practical experience. The questions also ask you to apply judgement and choose which of four good options is the best or most important. It is highly recommended to practice the specific question style of CISA. Our practice exam is a good first exercise to see how you would do in the CISA exam. ISACA offers an even larger database of test questions.

CISA practice questions

The questions below are ordered according to the five domains. You can download a file with answers from the link below.

1 Which of the following is true?
– The audit committee gets its authority from the audit charter
– An audit charter defines the scope and objectives of an external audit
– The audit charter describes the frequency of internal and external audits
– The audit charter must be approved by top management or the audit committee

2 Which of the following policy documents regulates the creation and use of complicated financial models with custom macros in Excel by business users?
– The information security policy
– The access control policy
– The end user computing policy
– The acceptable use policy

3 You discover that multiple marketing employees all use the same account name and password for the corporate Twitter account. This leads to a lack of:
– confidentiality
– data integrity
– accountability
– access control

4 What is a good control to compensate for lack of segregation of duties?
– transaction logs
– database encryption
– independent security testing
– privacy by design

5 Which document contains a detailed estimate of the project benefits over time?
– The feasibility study
– The business impact analysis
– The business case
– The post implementation review

6 What is the most important role of an IS auditor in an application development project?
– monitor project progress and report exceptions
– review and test application controls
– review and approve the business requirements
– test project deliverables against quality standards

7 What is the purpose of a disaster recovery plan?
– provide procedures for sustaining business operations while recovering from a disruption
– provide procedures to recover from a cyberattack
– provide procedures for relocating information system operations at an alternative location
– provide procedures to recover an information system

8 Which of the following would be of the MOST concern to an information systems auditor?
– Backups are made every other day instead of daily
– The organisation has not established a recovery point objective
– Backups are encrypted with a 128-bit key
– Backups are stored at an alternative location only two miles from the main location

9 Which of the following describes the relation between RTO and RPO?
– The RTO can be smaller, larger or equal to the RPO
– The RTO should always be less than the RPO
– The RPO should always be less than the RTO
– The RPO and RTO are most likely to be equal

10 Which of the following devices has the primary function of blocking unwanted network traffic?
– Bridge
– Firewall
– Load balancer
– Router

11 What is the most efficient way to add a digital signature to a large document?
– To sign the document with the sender’s private key and compute a message digest of the signature
– To sign the document with the receiver’s public key and compute a message digest of the signature
– To compute a message digest and sign the digest with the sender’s private key
– To compute a message digest and sign the digest with the receiver’s public key

12 What is the best preventive control against cross-site scripting attacks?
– access control
– encoding of untrusted data
– logging
– penetration testing

You should choose exactly one answer for each question. You can check your answers here.
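Question 4 asks about compensating for a lack of segregation of duties. The following is an added example, not part of the original article, of what a transaction-log review as a compensating control actually looks like: it parses a constructed log (the CSV layout, user names and amounts are made up for this illustration) and flags payments that the same person both created and approved, payments that were never approved, and payments above a review threshold.

```python
"""Transaction-log review as a compensating control where duties are not segregated.
Added example: the log format and all entries below are constructed, not from the article."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed transaction log: one row per action taken on a payment.
SAMPLE_LOG = """\
timestamp,txn_id,action,user,amount
2024-03-01T09:00:00Z,T1001,create,alice,1200.00
2024-03-01T09:05:00Z,T1001,approve,bob,1200.00
2024-03-01T10:00:00Z,T1002,create,carol,48000.00
2024-03-01T10:02:00Z,T1002,approve,carol,48000.00
2024-03-01T11:00:00Z,T1003,create,dave,300.00
2024-03-01T11:30:00Z,T1004,create,erin,9500.00
2024-03-01T11:45:00Z,T1004,approve,frank,9500.00
"""


def group_by_transaction(log_text: str) -> dict:
    """Map txn_id -> {"actions": {action: user}, "amount": float}."""
    txns = defaultdict(lambda: {"actions": {}, "amount": 0.0})
    for row in csv.DictReader(StringIO(log_text)):
        txn = txns[row["txn_id"]]
        txn["actions"][row["action"]] = row["user"]
        txn["amount"] = float(row["amount"])
    return dict(txns)


def self_approved(log_text: str) -> list:
    """Transactions created and approved by the same user: the conflict the review exists to expose."""
    txns = group_by_transaction(log_text)
    return sorted(
        txn_id for txn_id, txn in txns.items()
        if {"create", "approve"} <= txn["actions"].keys()
        and txn["actions"]["create"] == txn["actions"]["approve"]
    )


def unapproved(log_text: str) -> list:
    """Transactions created but never approved: the four-eyes step did not happen at all."""
    txns = group_by_transaction(log_text)
    return sorted(
        txn_id for txn_id, txn in txns.items()
        if "create" in txn["actions"] and "approve" not in txn["actions"]
    )


def above_threshold(log_text: str, limit: float) -> list:
    """Transactions above a review threshold, which an auditor would sample regardless of approver."""
    txns = group_by_transaction(log_text)
    return sorted(txn_id for txn_id, txn in txns.items() if txn["amount"] > limit)


if __name__ == "__main__":
    print("created and approved by the same user:", self_approved(SAMPLE_LOG))
    print("created but never approved:", unapproved(SAMPLE_LOG))
    print("above 10 000:", above_threshold(SAMPLE_LOG, 10_000.0))
```

The point for the auditor is that the log only compensates for missing segregation if someone independent actually reviews it; the script is the review, and its output (here T1002 on two counts and T1003 as unapproved) is what would go into the working papers.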
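Question 11 concerns the hash-then-sign construction used by every practical digital signature scheme. The block below is an added example written for this page, not code from the article: it implements a deliberately minimal RSA (no PKCS#1 padding, toy 512-bit key, both constructed for the demonstration; real deployments use 2048-bit keys with RSASSA-PSS or PKCS#1 v1.5 padding) so that you can see why the private-key operation is applied to a SHA-256 digest rather than to the document. The sample document is constructed as well.

```python
"""Hash-then-sign: the signature covers a fixed-size digest of the document, not the document.
Added example with a minimal, unpadded RSA; key size and sample document are constructed."""
import hashlib
import secrets

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random odd probable prime with the top bit set, so the product has the expected size."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 512):
    """Return ((e, n), (d, n)). Toy size for the demo: real RSA keys are 2048 bits or more."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this guarantees the inverse exists
            return (e, p * q), (pow(e, -1, phi), p * q)


def digest_as_int(document: bytes) -> int:
    """SHA-256 of the whole document as a 256-bit integer; always below a 512-bit modulus."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, private_key) -> int:
    """Hash the document once (cheap, streaming), then apply the private key to the digest only."""
    d, n = private_key
    return pow(digest_as_int(document), d, n)


def verify(document: bytes, signature: int, public_key) -> bool:
    """Recompute the digest and compare with the signature raised to the public exponent."""
    e, n = public_key
    return pow(signature, e, n) == digest_as_int(document)


def fits_in_modulus(document: bytes, n: int) -> bool:
    """RSA operates on integers below n: a document longer than n cannot be signed directly at all."""
    return int.from_bytes(document, "big") < n


if __name__ == "__main__":
    public, private = generate_keypair()
    document = b"Quarterly ledger export, constructed sample data.\n" * 20_000  # about 1 MB
    signature = sign(document, private)
    print("document bytes:", len(document), "signature bits:", signature.bit_length())
    print("RSA directly on the document possible:", fits_in_modulus(document, public[1]))
    print("verifies:", verify(document, signature, public))
    print("verifies after a one-byte change:", verify(document[:-1] + b"?", signature, public))
```

Two things the run makes visible: the signature is the size of the modulus no matter how large the document is, and a document larger than the modulus could not even be fed to the private-key operation, so hashing first is not just an efficiency choice. Signing with the receiver's public key, two of the distractors in question 11, would let anyone holding that public key produce the "signature", which is why only the sender's private key proves origin.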
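Question 12 is about the preventive control for cross-site scripting. As an added example that is not part of the original article, the block below places a vulnerable renderer, which interpolates untrusted input straight into HTML, beside two hardened renderers that encode the input for the context it lands in (HTML body and quoted attribute). The template strings and the untrusted sample inputs are constructed for the illustration; `html.escape` is the Python standard-library encoder.

```python
"""Output encoding of untrusted data as the preventive control against cross-site scripting.
Added example; templates and sample inputs are constructed, not taken from the article."""
import html

# Constructed untrusted input, as it might arrive in a comment form field.
UNTRUSTED_COMMENT = "<script>alert(1)</script> nice post"


def render_comment_vulnerable(comment: str) -> str:
    """Raw interpolation: any markup in the input becomes live markup in the page."""
    return f'<p class="comment">{comment}</p>'


def render_comment_hardened(comment: str) -> str:
    """HTML body context: <, >, &, " and ' become entities, so the browser shows them as text."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def render_search_box_hardened(query: str) -> str:
    """Quoted attribute context: quote=True is what stops a stray quote from closing the attribute."""
    return f'<input type="text" name="q" value="{html.escape(query, quote=True)}">'


def has_live_tag(rendered_html: str, tag: str = "script") -> bool:
    """Crude comparison aid for the two renderers: does an unencoded <tag survive in the output?"""
    return f"<{tag}" in rendered_html.lower()


if __name__ == "__main__":
    print(render_comment_vulnerable(UNTRUSTED_COMMENT))
    print(render_comment_hardened(UNTRUSTED_COMMENT))
    print(render_search_box_hardened('12" monitor'))
```

Encoding is preventive because it neutralises the input before it reaches the browser, whereas logging and penetration testing only find out afterwards. Note that `html.escape` is right for HTML body and attribute contexts only; data placed inside a JavaScript block or a URL needs that context's own encoder, which is the usual reason templating engines offer auto-escaping per context.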

Image credit: Kimberly Farmer via Unsplash

Author: Sieuwert van Otterloo
Dr. Sieuwert van Otterloo is a court-certified IT expert with interests in agile, security, software research and IT-contracts.