Questions for the CISA were updated on: Dec 26, 2025
Which of the following would provide the BEST evidence that a cloud provider's change management
process is effective?
C
Explanation:
The results of a third-party review provided by the vendor would provide the best evidence that a
cloud provider’s change management process is effective, because it would be an independent and
objective assessment of the vendor’s compliance with best practices and standards for managing
changes in the cloud environment. A third-party review would also include testing of the vendor’s
change management controls and procedures, and provide recommendations for improvement if
needed.
Minutes from regular change management meetings with the vendor would not provide sufficient
evidence, because they would only reflect the vendor’s self-reported information and may not
capture all the changes that occurred or their impact on the cloud services. Written assurances from
the vendor’s CEO and CIO would also not provide sufficient evidence, because they would be based
on the vendor’s own opinion and may not be verified by external sources. A copy of change
management policies provided by the vendor would not provide sufficient evidence, because it
would only show the vendor’s intended approach to change management, but not how it is
implemented or monitored in practice.
Reference (ISACA): ISACA Cloud Computing Audit Program, Section 4.5: Change Management; Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives, Section 4.3: Change Management.
When determining the quality of evidence collected during an audit, it is MOST important to ensure
the evidence is:
D
Explanation:
ISACA defines sufficient and appropriate evidence as the standard for audit conclusions.
Appropriateness relates to relevance (applicability) and reliability (persuasiveness). Evidence that is
persuasive and directly applicable to the audit objective provides stronger assurance than evidence
that is merely timely, complete, or reasonable. While the other options describe desirable qualities,
they do not encompass the full ISACA standard. Thus, the most complete characterization of quality
evidence is that it must be persuasive and applicable to the audit’s purpose.
Reference (ISACA): ISACA Audit & Assurance Standards; ISACA ITAF Guidelines on Evidence.
Which of the following is the PRIMARY objective of data loss prevention (DLP) mechanisms?
C
Explanation:
The central goal of DLP is to prevent sensitive data—such as PII, PHI, or intellectual property—from
leaving the organization through unauthorized channels. DLP solutions monitor, detect, and block
potential data exfiltration via email, endpoints, cloud applications, or removable media. While
compliance (D) is often a driver, it is a secondary outcome of implementing DLP. Enhancing
performance (A) and recovery automation (B) are not objectives of DLP. ISACA positions DLP as a
critical control for confidentiality under DSS05 (Managed Security Services).
Reference (ISACA): COBIT® 2019, DSS05 Managed Security Services.
When evaluating whether the expected benefits of a project have been achieved, it is MOST
important for an IS auditor to review:
A
Explanation:
The business case defines the project’s expected benefits, success criteria, and performance metrics.
Reviewing the business case allows the auditor to assess whether the benefits identified at initiation
have been realized post-implementation. The schedule (B) only tracks timeliness, not value.
Proposed enhancements (C) address future improvements, not whether benefits have been
delivered. QA results (D) reflect product quality but not business value. ISACA emphasizes that value
delivery and benefits realization are key elements of enterprise governance of IT, aligning with
COBIT’s EDM02 (Ensure Benefits Delivery).
Reference (ISACA): COBIT® 2019, EDM02 Ensure Benefits Delivery.
How does the emergence of quantum computing impact traditional data encryption methods?
A
Explanation:
Quantum algorithms such as Shor’s algorithm can factor large numbers into their prime factors (and solve the discrete logarithm problem) exponentially faster than the best known classical methods, threatening the security of RSA and elliptic-curve cryptography. Similarly, Grover’s algorithm halves the effective strength of symmetric key algorithms, requiring larger key sizes. While post-quantum cryptography is being developed, current public-key algorithms may become obsolete once practical quantum computers exist. Options B, C, and D are incorrect because quantum computing does not inherently improve encryption, nor is training the key issue; the key issue is the fundamental breakage of the mathematical assumptions underlying today’s public-key cryptography.
Reference (ISACA): ISACA Journal – Cryptographic Risks and Quantum Computing; CISA Review
Manual, Cryptography.
Which of the following is the MOST effective way for an IS auditor to ensure information is preserved
when conducting a forensic investigation?
B
Explanation:
The forensic principle is to preserve evidence in its original state. Imaging—including capturing
residual and deleted data—ensures that the full contents of a storage device are preserved for
analysis while maintaining the chain of custody. Hardening (A) may alter system state. Encoding logs
(C) is not preservation but transformation. Documenting APIs (D) helps investigation scope but does
not preserve evidence. ISACA guidance on digital forensics stresses the importance of bit-level
imaging and ensuring evidence integrity through hashing and proper custody documentation.
Reference (ISACA): ISACA Incident Response & Forensics Guidance; ISACA Journal – Forensic
Readiness.
An IS auditor is auditing the operating effectiveness of weekly user access reviews. Of the five weekly
reviews sampled, one has not been signed or dated. What is the MAIN reason to note this
observation as a finding?
D
Explanation:
Evidence of a control’s performance must be verifiable. A missing signature or date means there is no confirmation that the review was actually performed. This undermines the completeness and
reliability of the control. Accuracy (A) and content (B) relate to quality but do not address the missing
attestation. Industry standards (C) may be relevant, but the auditor’s main concern is that the
absence of sign-off creates doubt about whether the control occurred at all. ISACA audit guidance
highlights that sufficient and appropriate evidence is required to support the conclusion that a
control is operating as designed.
Reference (ISACA): ISACA Standards – Evidence Collection; ISACA ITAF Guidelines.
Which of the following BEST indicates an effective internal audit quality assurance and improvement
program?
D
Explanation:
The goal of a quality assurance and improvement program (QAIP) is to drive continuous
enhancement in audit practices and deliver increasing value to stakeholders. Identification and
implementation of opportunities for improvement demonstrate that the program is working
effectively. Oversight (A) and charter updates (B) are important governance aspects, while focusing
on high-risk audits (C) is a prioritization strategy. However, the hallmark of a successful QAIP is the
ability to continuously identify and address gaps, streamline practices, and enhance audit value.
ISACA emphasizes agility, adaptability, and ongoing improvement as key success indicators for
internal audit functions.
Reference (ISACA): ISACA Audit Standards; ISACA Journal – Agile and Continuous Improvement in
Audit.
When planning an audit to assess controls for an application in the cloud environment, it is MOST
important for an IS auditor to understand:
C
Explanation:
In cloud environments, responsibility for controls is split between the provider and the customer. The
division depends on the service model (IaaS, PaaS, SaaS). Misunderstanding the shared responsibility
model can create gaps in control coverage, where critical risks may not be managed by either party.
SLA penalties (A) are contractual issues, not audit priorities. Availability reports (B) and business
process redesign (D) are relevant but not as fundamental as defining control ownership. ISACA’s
cloud audit guidelines stress that proper scoping begins with understanding shared responsibilities to
avoid assurance gaps.
Reference (ISACA): ISACA Cloud Computing Audit Program; ISACA Journal – Shared Responsibility in
Cloud.
During a review of an organization's IT capacity management process, an IS auditor should be MOST
concerned if capacity planning:
B
Explanation:
Capacity management must consider business changes to ensure IT resources can meet future
demand. If changes to critical systems are omitted from planning, capacity forecasts will be inaccurate, leading to risks of downtime, bottlenecks, and unplanned outages. A six-month review
(A) might be acceptable depending on system dynamics. Lack of administrator input (C) and reliance
on service management (D) reduce planning quality but are less critical than missing major business
drivers. COBIT DSS01 (Managed Operations) and APO02 (Managed Strategy) emphasize alignment
between IT capacity and business requirements.
Reference (ISACA): COBIT® 2019, DSS01 Managed Operations; APO02 Managed Strategy.
Which of the following BEST describes the process of creating a digital envelope?
B
Explanation:
A digital envelope combines the strengths of symmetric and asymmetric cryptography. The message
itself is encrypted using a fast symmetric algorithm. The session key used for symmetric encryption is
then encrypted using the recipient’s public key. This ensures efficiency (large data encrypted quickly
with symmetric keys) and security (session key securely transmitted using asymmetric encryption).
Options A, C, and D describe other cryptographic processes (compression, hashing, or digital
signatures) but do not correctly represent a digital envelope. ISACA training materials and CISA
manuals highlight this hybrid approach as the standard method for secure data transmission.
Reference (ISACA): CISA Review Manual – Cryptography Concepts; ISACA Glossary.
An IS auditor is assigned to perform a post-implementation review of an application system. Which
of the following would impair the auditor’s independence?
A
Explanation:
If an auditor implemented a control, they would later be reviewing their own work, which creates a
self-review threat and compromises independence. Participating in the project without operational
responsibilities (B) or providing advice (C) is acceptable as long as the auditor does not take
ownership of decisions. Designing audit modules (D) is also permissible since they are for audit use
and do not affect operational processes. ISACA’s Code of Professional Ethics and IS Audit Standards
emphasize independence and objectivity as fundamental requirements to maintain credibility and
avoid conflicts of interest.
Reference (ISACA): ISACA Standards for IS Audit and Assurance; ISACA Code of Professional Ethics.
Job scheduling impacts system availability and reliability by:
C
Explanation:
Job scheduling is a core operational control that ensures workloads are executed in an orderly and efficient manner, balancing demands across processing resources. Its primary benefit is optimization
of system resources—CPU, memory, I/O, and network bandwidth—leading to improved throughput
and consistent service levels. While scheduling may indirectly reduce downtime (A) or support
scalability (B), its direct impact is ensuring resources are allocated efficiently. Decreasing complexity
(D) is not the key purpose of scheduling. ISACA’s DSS01 (Managed Operations) recognizes workload
and job scheduling as crucial practices for sustaining reliable, high-performance IT services.
Reference (ISACA): COBIT® 2019, DSS01 Managed Operations.
Which of the following is MOST important to ensure successful implementation when an
organization decides to purchase software from available products on the market?
A
Explanation:
Defining clear, comprehensive, and testable requirements is critical before selecting and
implementing a software product. Without well-documented requirements, the risk of choosing a
solution that does not align with business needs increases significantly. A support contract (C) is
important for long-term use, and escrow (D) may protect against vendor insolvency, but neither
ensures that the product fits the organization’s objectives. A post-implementation review (B) only
evaluates success after implementation, which may be too late to correct fundamental
misalignment. ISACA’s COBIT framework (BAI03 and BAI05) stresses the importance of requirements
gathering as the foundation for effective solution acquisition and development.
Reference (ISACA): COBIT® 2019, BAI03 Managed Solutions Identification and Build; BAI05 Managed
Organizational Change.
An organization uses an automated continuous integration/continuous deployment (CI/CD) tool to
deploy changes to production. Which of the following would be an IS auditor's GREATEST concern in
this situation?
C
Explanation:
The greatest concern in a CI/CD environment is the accuracy of automated testing. Since code is
deployed rapidly and often without manual intervention, weak or inaccurate test cases can allow
vulnerabilities and defects to be pushed directly into production. Release frequency (A) and changing
user requirements (D) are expected characteristics of agile/DevOps models and can be managed with
governance. Delayed post-implementation reviews (B) may reduce oversight but do not directly
undermine the core pipeline integrity. ISACA’s DevOps guidance emphasizes that automated testing
and validation of requirements must be thorough and reliable to ensure continuous deployment
does not compromise quality or security.
Reference (ISACA): COBIT® Focus Area for DevOps; BAI06 Managed IT Changes.