ISACA · CISA
Validates expertise in auditing, controlling, monitoring, and assessing an organization's information technology and business systems. The gold standard for IT audit professionals.
Questions
895
Duration
240 minutes
Passing Score
450/800
Difficulty
ProfessionalLast Updated
Jan 2026
Use this CISA practice exam to prepare for Certified Information Systems Auditor (CISA) with realistic questions, detailed explanations, and focused study modes. The practice bank includes 895 questions for ISACA CISA, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to recurring topics such as Information Systems Auditing Process, Governance and Management of IT, Information Systems Acquisition, Development and Implementation, Information Systems Operations and Business Resilience, and Protection of Information Assets. Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The Certified Information Systems Auditor (CISA) is ISACA's flagship certification and the globally recognized standard for IT audit, control, assurance, and security professionals. First introduced in 1978, the credential validates a professional's ability to assess vulnerabilities, report on compliance, and institute controls within an enterprise — covering the full scope of information systems auditing, governance, acquisition, operations, and asset protection. More than 151,000 professionals worldwide currently hold the CISA designation, and it has been shortlisted for Best Professional Certification Program by SC Awards Europe and SC Awards North America in 2025.
The certification is specifically designed to demonstrate competency across five critical job practice domains: the IS auditing process, IT governance and management, IS acquisition and development, IS operations and business resilience, and protection of information assets. It has evolved to address emerging technologies including artificial intelligence, cloud computing, blockchain, and IoT security, ensuring holders remain relevant in a rapidly changing threat landscape.
CISA is designed for mid-career to senior IT and information security professionals who perform or manage audit, control, assurance, or security functions. Typical roles include IT auditors, internal auditors, IS audit managers, IT risk and compliance managers, security consultants, and IT governance officers. The certification is particularly valuable for professionals at organizations subject to regulatory oversight — such as financial services, healthcare, and government — where IT audit and compliance functions are critical.
Candidates are not required to meet experience requirements before sitting the exam, making it accessible to professionals who are transitioning into IS audit roles. However, full certification requires five or more years of professional experience in IS auditing, control, or security, making it most appropriate for those with a solid foundation in IT operations, security, or internal audit.
ISACA has no formal educational prerequisites for sitting the CISA exam itself — any candidate may register and attempt the exam regardless of background. However, to achieve full CISA certification after passing, candidates must demonstrate a minimum of five years of professional work experience in information systems auditing, control, assurance, or security. This experience must be verified and submitted within five years of passing the exam.
ISACA offers experience waivers of up to three years for candidates who hold a relevant university degree (two-year or four-year), a graduate degree in IS or IT, or other recognized certifications such as CISM, CISSP, or CRISC. Recommended knowledge before attempting the exam includes a solid understanding of IT infrastructure, information security fundamentals, risk management frameworks (such as COBIT or NIST), and basic business auditing principles. Most successful candidates have at least two to three years of hands-on IT or audit experience prior to sitting the exam.
The CISA exam consists of 150 multiple-choice questions, all with four answer options (A, B, C, D), to be completed in 240 minutes (4 hours). Questions are a mix of knowledge-based items testing recall of frameworks and standards, and scenario-based questions — which typically comprise 60–70% of the exam — requiring candidates to apply audit principles to realistic workplace situations. A small number of questions are unscored research items used for future exam development and do not affect a candidate's score.
The exam is delivered via computer-based testing (CBT) at authorized PSI testing centers worldwide, or as a remotely proctored online exam. Scores are reported on a scale of 200 to 800, with a passing score of 450. The scaled scoring model accounts for question difficulty, so harder questions carry more weight. There is no penalty for incorrect answers. Preliminary pass/fail results are available immediately upon exam completion, with official scores typically posted to a candidate's ISACA account within 5–7 business days. Candidates who do not pass must wait 30 days before retaking and may sit the exam up to four times within a rolling 12-month period.
CISA consistently ranks among the highest-paying IT certifications globally. ISACA reports that CISA holders earn an average annual salary of US$149,000, and 22% of certified professionals report receiving a pay increase following certification. The credential opens doors to senior roles including IT Audit Manager, IS Audit Director, Chief Information Security Officer (CISO), IT Risk Manager, and Compliance Officer across industries with heavy regulatory requirements such as financial services, healthcare, government, and critical infrastructure.
The CISA's international recognition — backed by ISACA's global presence and more than four decades of credentialing history — makes it particularly valuable for professionals working in multinational organizations or seeking roles across different regulatory jurisdictions. Compared to alternatives such as the Certified Internal Auditor (CIA) or CRISC, CISA's specific focus on IS audit and control gives it a distinct advantage in technology-forward audit functions. Seventy percent of CISA holders report measurable on-the-job improvement after certification, reflecting the credential's direct applicability to daily audit and governance responsibilities.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 895 questions.
Preview — answers shown1. A global manufacturing company is implementing COBIT 2019 and has established an IT governance structure. During the audit, the IS auditor finds that the board of directors is actively involved in reviewing IT project status reports, approving vendor contracts, and managing daily help desk operations. Which governance principle is being violated? (Select one!)
Explanation
COBIT 2019 establishes a clear distinction between governance and management. Governance responsibilities include evaluating strategic options, directing through policy setting, and monitoring outcomes, which belong to the board level. Management responsibilities include day-to-day operations like help desk management and tactical decisions. The board involving itself in operational activities like daily help desk operations violates this fundamental separation. While EDM01 addresses governance framework setting and APO01 addresses management framework, the core issue is the inappropriate mixing of governance and management functions by having the board perform operational tasks.
2. Litware Technologies' IS auditor is reviewing the organization's PKI implementation. During the audit, the auditor discovers that when users need to verify whether a digital certificate has been revoked, the system downloads a complete list of revoked certificates from the Certificate Authority once daily. What is the PRIMARY security concern with this approach? (Select one!)
Explanation
The primary concern with using Certificate Revocation Lists (CRLs) that are downloaded periodically is the latency between certificate revocation and when that revocation is recognized. With daily downloads, a certificate that is revoked could continue to be trusted for up to 24 hours until the next CRL update, creating a significant security window. Online Certificate Status Protocol (OCSP) provides real-time certificate status queries to address this limitation. While CRLs do consume bandwidth, this is an operational concern rather than a security concern. The scenario describes normal CRL operation, not a capacity issue.
3. Oakwood Technologies is performing project earned value analysis at month four of a six-month project. The planned value is $400,000, earned value is $320,000, and actual cost is $380,000. The project sponsor asks the IS auditor to assess project performance. What should the auditor report? (Select two!)
Multiple correct answersExplanation
Schedule Variance equals EV minus PV, which is $320,000 minus $400,000 equals negative $80,000, indicating the project is behind schedule. Schedule Performance Index equals EV divided by PV, which is $320,000 divided by $400,000 equals 0.80, confirming the project has only completed 80% of planned work. Cost Variance equals EV minus AC, which is $320,000 minus $380,000 equals negative $60,000, indicating the project is over budget. Cost Performance Index equals EV divided by AC, which is $320,000 divided by $380,000 equals approximately 0.84, meaning the project is getting only 84 cents of value for every dollar spent. Both indicators show the project is performing poorly in terms of schedule and cost efficiency.
4. An IS auditor is evaluating an organization's implementation of the NIST Cybersecurity Framework 2.0. The auditor notes that the organization has documented cybersecurity policies but has not defined roles and responsibilities for cybersecurity risk management decisions, nor established mechanisms for board oversight of cybersecurity performance. Which function of the framework is the organization PRIMARILY deficient in? (Select one!)
Explanation
NIST CSF 2.0, released in February 2024, added GOVERN as a sixth core function that is foundational to all other functions. The GOVERN function establishes and monitors the organization's cybersecurity risk management strategy, expectations, and policy. It includes defining roles and responsibilities, establishing governance structures, and ensuring board-level oversight of cybersecurity performance. The deficiencies described—lack of defined roles for risk management decisions and absence of board oversight mechanisms—are specifically addressed by the GOVERN function. While policies exist (which could relate to Protect), the governance structure to implement and oversee those policies is missing.
5. Tailspin Manufacturing's IS auditor is evaluating earned value management for a critical ERP implementation project. At the midpoint review, the project shows: Planned Value (PV) = $2,000,000, Earned Value (EV) = $1,600,000, and Actual Cost (AC) = $1,800,000. What should the auditor conclude about project status? (Select one!)
Explanation
The earned value metrics indicate the project is both behind schedule and over budget. Schedule Performance Index (SPI) = EV/PV = $1,600,000/$2,000,000 = 0.80, indicating the project has completed only 80% of planned work, meaning it is behind schedule. Cost Performance Index (CPI) = EV/AC = $1,600,000/$1,800,000 = 0.89, indicating the project is getting only 89 cents of value for each dollar spent, meaning it is over budget. Schedule Variance (SV) = EV - PV = -$400,000 (negative indicates behind schedule). Cost Variance (CV) = EV - AC = -$200,000 (negative indicates over budget). Both indices below 1.0 and negative variances confirm unfavorable project performance in both schedule and cost dimensions.
Certified Information Security Manager (CISM)
CISM · 1196 questions
Certified in Risk and Information Systems Control (CRISC)
CRISC · 761 questions
Certified Data Privacy Solutions Engineer (CDPSE)
CDPSE · 749 questions
IoT Fundamentals Certificate
IoT-Fund · 630 questions
IT Audit Fundamentals Certificate
IT-Audit-Fund · 627 questions
IT Risk Fundamentals Certificate
Risk-Fund · 616 questions
$17.99
One-time access to this exam