1 | P a g e | © copyright 2024/2025 | Grade A+
Certified Information Systems Auditor
(CISA) Cert Guide Questions & 100%
Correct Answers
Which of the following best describes a baseline document?
a. A PCI industry standard requiring a 15-minute session timeout
b. Installation step recommendations from the vendor for an Active Directory
server
c. A network topography diagram of the Active Directory forest
d. Security configuration settings for an Active Directory server
✓ :~~ D. A baseline is correct because it is a platform-specific rule related to
the security configuration for an Active Directory server. Answers A, B, and
C are not platform specific.
Which of the following best describes integrated auditing?
a. Integrated auditing places internal control in the hands of management and
reduces the time between the audit and the time of reporting.
b. Integrated auditing combines the operational audit function, the financial audit
function, and the IS audit function.
c. Integrated auditing combines the operational audit function and the IS audit
function.
Master01 | September, 2024/2025 | Latest update
, 2 | P a g e | © copyright 2024/2025 | Grade A+
d. Integrated auditing combines the financial audit function and the IS audit
function
✓ :~~ B. Integrated auditing is a methodology that combines the operational
audit function, the financial audit function, and the IS audit function.
Therefore, Answers C and D are incorrect because they do not list all three
types of functions to be integrated. Answer A is incorrect because it
describes control self-assessment (CSA), which is used to verify the
reliability of internal controls and places internal controls in the hands of
management
Which storage of evidence would best preserve the chain of custody of evidence
obtained during an audit?
a. Locked department safe behind card access doors
b. Offsite location, such as home, out of reach by anyone at work
c. Archival at a third-party offsite facility
d. Locked cabinet on the department floor with only one key, in the possession of
the auditor
Master01 | September, 2024/2025 | Latest update
, 3 | P a g e | © copyright 2024/2025 | Grade A+
✓ :~~ D. The best choice would be a locked cabinet on the department floor
with only one key, in the possession of the auditor. With only one key in the
auditor's possession, there is clear accountability, and access is limited to
one person. Answer A is incorrect because multiple individuals may still
have access to the safe. Answer B is incorrect because it would call into
question the security of the home and the ability to restrict access to family
members. Answer C is incorrect because third-party access cannot be
verified in a third-party site, given the way the facts were presented.
Which of the following best describes risk that can be caused by the failure of
internal controls and can result in a material error?
a. Residual risk
b. Inherent risk
c. Detection risk
d. Control risk
✓ :~~ D. A control risk is risk caused by failure of internal controls; it can
result in a material error. Answer A is incorrect because residual risk is the
amount of risk the organization is willing to accept. Answer B is incorrect
because inherent risk is the risk that can occur because of the lack of
compensating controls. Combined, inherent risks can create a material risk.
Answer C is incorrect because detection risk is the risk if an auditor does not
design tests in such a way as to detect a material risk
Master01 | September, 2024/2025 | Latest update
, 4 | P a g e | © copyright 2024/2025 | Grade A+
Which of the following is not one of the best techniques for gathering evidence
during an audit?
a. Attend board meetings
b. Examine and review actual procedures and processes
c. Verify employee security awareness training and knowledge
d. Examine reporting relationships to verify segregation of duties
✓ :~~ A. Attending board meetings is not one of the best ways to gather
evidence during an audit. The best ways to gather evidence include
observing employee activity, examining and reviewing procedures and
processes, verifying employee security awareness training and knowledge,
and examining reporting relationships to verify segregation of duties.
Which of the following is not an advantage of control self-assessment (CSA)?
a. CSA helps provide early detection of risks.
b. CSA is an audit function replacement.
c. CSA reduces control costs.
d. CSA provides increased levels of assurance.
✓ :~~ B. CSA is not an audit function replacement. Answers A, C, and D are
all advantages of CSA.
If an auditor cannot obtain the material needed to complete an audit, what type
of opinion should the auditor issue?
Master01 | September, 2024/2025 | Latest update
Certified Information Systems Auditor
(CISA) Cert Guide Questions & 100%
Correct Answers
Which of the following best describes a baseline document?
a. A PCI industry standard requiring a 15-minute session timeout
b. Installation step recommendations from the vendor for an Active Directory
server
c. A network topography diagram of the Active Directory forest
d. Security configuration settings for an Active Directory server
✓ :~~ D. A baseline is correct because it is a platform-specific rule related to
the security configuration for an Active Directory server. Answers A, B, and
C are not platform specific.
Which of the following best describes integrated auditing?
a. Integrated auditing places internal control in the hands of management and
reduces the time between the audit and the time of reporting.
b. Integrated auditing combines the operational audit function, the financial audit
function, and the IS audit function.
c. Integrated auditing combines the operational audit function and the IS audit
function.
Master01 | September, 2024/2025 | Latest update
, 2 | P a g e | © copyright 2024/2025 | Grade A+
d. Integrated auditing combines the financial audit function and the IS audit
function
✓ :~~ B. Integrated auditing is a methodology that combines the operational
audit function, the financial audit function, and the IS audit function.
Therefore, Answers C and D are incorrect because they do not list all three
types of functions to be integrated. Answer A is incorrect because it
describes control self-assessment (CSA), which is used to verify the
reliability of internal controls and places internal controls in the hands of
management
Which storage of evidence would best preserve the chain of custody of evidence
obtained during an audit?
a. Locked department safe behind card access doors
b. Offsite location, such as home, out of reach by anyone at work
c. Archival at a third-party offsite facility
d. Locked cabinet on the department floor with only one key, in the possession of
the auditor
Master01 | September, 2024/2025 | Latest update
, 3 | P a g e | © copyright 2024/2025 | Grade A+
✓ :~~ D. The best choice would be a locked cabinet on the department floor
with only one key, in the possession of the auditor. With only one key in the
auditor's possession, there is clear accountability, and access is limited to
one person. Answer A is incorrect because multiple individuals may still
have access to the safe. Answer B is incorrect because it would call into
question the security of the home and the ability to restrict access to family
members. Answer C is incorrect because third-party access cannot be
verified in a third-party site, given the way the facts were presented.
Which of the following best describes risk that can be caused by the failure of
internal controls and can result in a material error?
a. Residual risk
b. Inherent risk
c. Detection risk
d. Control risk
✓ :~~ D. A control risk is risk caused by failure of internal controls; it can
result in a material error. Answer A is incorrect because residual risk is the
amount of risk the organization is willing to accept. Answer B is incorrect
because inherent risk is the risk that can occur because of the lack of
compensating controls. Combined, inherent risks can create a material risk.
Answer C is incorrect because detection risk is the risk if an auditor does not
design tests in such a way as to detect a material risk
Master01 | September, 2024/2025 | Latest update
, 4 | P a g e | © copyright 2024/2025 | Grade A+
Which of the following is not one of the best techniques for gathering evidence
during an audit?
a. Attend board meetings
b. Examine and review actual procedures and processes
c. Verify employee security awareness training and knowledge
d. Examine reporting relationships to verify segregation of duties
✓ :~~ A. Attending board meetings is not one of the best ways to gather
evidence during an audit. The best ways to gather evidence include
observing employee activity, examining and reviewing procedures and
processes, verifying employee security awareness training and knowledge,
and examining reporting relationships to verify segregation of duties.
Which of the following is not an advantage of control self-assessment (CSA)?
a. CSA helps provide early detection of risks.
b. CSA is an audit function replacement.
c. CSA reduces control costs.
d. CSA provides increased levels of assurance.
✓ :~~ B. CSA is not an audit function replacement. Answers A, C, and D are
all advantages of CSA.
If an auditor cannot obtain the material needed to complete an audit, what type
of opinion should the auditor issue?
Master01 | September, 2024/2025 | Latest update
