ISACA · CISA
Validates expertise in auditing, controlling, monitoring, and assessing an organization's information technology and business systems. The gold standard for IT audit professionals.
Questions
895
Duration
240 minutes
Passing Score
450/800
Difficulty
ProfessionalLast Updated
Jan 2026
Use this CISA practice exam to prepare for Certified Information Systems Auditor (CISA) with realistic questions, detailed explanations, and focused study modes. The practice bank includes 895 questions for ISACA CISA, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to recurring topics such as Information Systems Auditing Process, Governance and Management of IT, Information Systems Acquisition, Development and Implementation, Information Systems Operations and Business Resilience, and Protection of Information Assets. Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The Certified Information Systems Auditor (CISA) is ISACA's flagship certification and the globally recognized standard for IT audit, control, assurance, and security professionals. First introduced in 1978, the credential validates a professional's ability to assess vulnerabilities, report on compliance, and institute controls within an enterprise — covering the full scope of information systems auditing, governance, acquisition, operations, and asset protection. More than 151,000 professionals worldwide currently hold the CISA designation, and it has been shortlisted for Best Professional Certification Program by SC Awards Europe and SC Awards North America in 2025.
The certification is specifically designed to demonstrate competency across five critical job practice domains: the IS auditing process, IT governance and management, IS acquisition and development, IS operations and business resilience, and protection of information assets. It has evolved to address emerging technologies including artificial intelligence, cloud computing, blockchain, and IoT security, ensuring holders remain relevant in a rapidly changing threat landscape.
CISA is designed for mid-career to senior IT and information security professionals who perform or manage audit, control, assurance, or security functions. Typical roles include IT auditors, internal auditors, IS audit managers, IT risk and compliance managers, security consultants, and IT governance officers. The certification is particularly valuable for professionals at organizations subject to regulatory oversight — such as financial services, healthcare, and government — where IT audit and compliance functions are critical.
Candidates are not required to meet experience requirements before sitting the exam, making it accessible to professionals who are transitioning into IS audit roles. However, full certification requires five or more years of professional experience in IS auditing, control, or security, making it most appropriate for those with a solid foundation in IT operations, security, or internal audit.
ISACA has no formal educational prerequisites for sitting the CISA exam itself — any candidate may register and attempt the exam regardless of background. However, to achieve full CISA certification after passing, candidates must demonstrate a minimum of five years of professional work experience in information systems auditing, control, assurance, or security. This experience must be verified and submitted within five years of passing the exam.
ISACA offers experience waivers of up to three years for candidates who hold a relevant university degree (two-year or four-year), a graduate degree in IS or IT, or other recognized certifications such as CISM, CISSP, or CRISC. Recommended knowledge before attempting the exam includes a solid understanding of IT infrastructure, information security fundamentals, risk management frameworks (such as COBIT or NIST), and basic business auditing principles. Most successful candidates have at least two to three years of hands-on IT or audit experience prior to sitting the exam.
The CISA exam consists of 150 multiple-choice questions, all with four answer options (A, B, C, D), to be completed in 240 minutes (4 hours). Questions are a mix of knowledge-based items testing recall of frameworks and standards, and scenario-based questions — which typically comprise 60–70% of the exam — requiring candidates to apply audit principles to realistic workplace situations. A small number of questions are unscored research items used for future exam development and do not affect a candidate's score.
The exam is delivered via computer-based testing (CBT) at authorized PSI testing centers worldwide, or as a remotely proctored online exam. Scores are reported on a scale of 200 to 800, with a passing score of 450. The scaled scoring model accounts for question difficulty, so harder questions carry more weight. There is no penalty for incorrect answers. Preliminary pass/fail results are available immediately upon exam completion, with official scores typically posted to a candidate's ISACA account within 5–7 business days. Candidates who do not pass must wait 30 days before retaking and may sit the exam up to four times within a rolling 12-month period.
CISA consistently ranks among the highest-paying IT certifications globally. ISACA reports that CISA holders earn an average annual salary of US$149,000, and 22% of certified professionals report receiving a pay increase following certification. The credential opens doors to senior roles including IT Audit Manager, IS Audit Director, Chief Information Security Officer (CISO), IT Risk Manager, and Compliance Officer across industries with heavy regulatory requirements such as financial services, healthcare, government, and critical infrastructure.
The CISA's international recognition — backed by ISACA's global presence and more than four decades of credentialing history — makes it particularly valuable for professionals working in multinational organizations or seeking roles across different regulatory jurisdictions. Compared to alternatives such as the Certified Internal Auditor (CIA) or CRISC, CISA's specific focus on IS audit and control gives it a distinct advantage in technology-forward audit functions. Seventy percent of CISA holders report measurable on-the-job improvement after certification, reflecting the credential's direct applicability to daily audit and governance responsibilities.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 895 questions.
Preview — answers shown1. Contoso Healthcare's IS auditor is reviewing SOC reports from a third-party claims processing vendor. The organization needs assurance that the vendor's controls were not only properly designed but also operated effectively over the past twelve months. Which SOC report type should the auditor request? (Select one!)
Explanation
SOC 1 Type II reports examine controls relevant to Internal Control over Financial Reporting (ICFR) and assess both design adequacy and operating effectiveness over a period of time, typically three to twelve months. Claims processing directly affects financial reporting, making SOC 1 appropriate. Type II reports verify that controls worked consistently over time, which meets the twelve-month operating effectiveness requirement. Type I reports only provide point-in-time assessment of control design. SOC 2 reports focus on Trust Services Criteria rather than financial reporting controls. SOC 3 reports are general-use summary reports intended for public distribution.
2. Woodgrove Financial's IS auditor is assessing the organization's data governance program. The auditor discovers that business managers classify data as confidential but IT administrators determine access permissions without consulting data owners. Database administrators have full access to all production databases. Which governance principle is MOST significantly violated? (Select one!)
Explanation
The scenario describes a violation of segregation of duties between data owners and data custodians. Data owners are business executives responsible for data classification and determining who should have access based on business need. Data custodians (IT roles) are responsible for technical implementation of access controls as determined by data owners. When IT administrators determine access permissions without data owner input, the governance model breaks down. While least privilege is also violated by DBAs having full access, the fundamental issue is the improper allocation of responsibilities between business ownership and technical custodianship roles.
3. Titan Aerospace is conducting earned value analysis on a software development project. The project has a Budget at Completion of $500,000. Current status shows Planned Value of $200,000, Earned Value of $180,000, and Actual Cost of $220,000. What do the schedule and cost performance indices indicate? (Select one!)
Explanation
Schedule Performance Index (SPI) equals EV/PV, which is $180,000/$200,000 = 0.9. An SPI less than 1.0 indicates the project is behind schedule. Cost Performance Index (CPI) equals EV/AC, which is $180,000/$220,000 = 0.82. A CPI less than 1.0 indicates the project is over budget. Both indices below 1.0 confirm the project is both behind schedule and over budget, requiring corrective action to recover performance.
4. European Digital Marketing Agency's IS auditor is reviewing GDPR compliance for customer data processing. A data breach affecting 5,000 customer records was discovered on Monday at 2:00 PM. The incident response team completed its initial assessment by Tuesday at 10:00 AM and notified the supervisory authority on Thursday at 3:00 PM. What compliance issue should the IS auditor identify? (Select one!)
Explanation
GDPR Article 33 requires notification to the supervisory authority without undue delay and, where feasible, within 72 hours after becoming aware of a personal data breach. The 72-hour period begins when the organization has reasonable awareness that a breach has occurred. From Monday at 2:00 PM to Thursday at 3:00 PM represents approximately 97 hours, exceeding the 72-hour requirement by approximately 25 hours. When notification cannot occur within 72 hours, the organization must provide reasons for the delay. The breach affected personal data of natural persons, triggering notification requirements regardless of the specific number of records involved.
5. Sterling Manufacturing's IS auditor is assessing threats to auditor objectivity. The lead auditor has been assigned to audit the same manufacturing systems for eight consecutive years and has developed close working relationships with the plant managers. The auditor frequently accepts lunch invitations and regularly socializes with the audit subjects. Which threat to objectivity is MOST relevant in this situation? (Select one!)
Explanation
The familiarity threat is most relevant when an auditor becomes too sympathetic to audit subjects due to long or close relationships. Eight years of auditing the same systems, developing close working relationships, accepting lunch invitations, and socializing creates conditions where the auditor may be reluctant to identify issues or may unconsciously overlook deficiencies. Self-interest involves financial or other personal interests. Self-review involves evaluating one's own previous work. Advocacy involves actively promoting the auditee's position beyond objectivity. Best practice requires rotation of audit assignments to mitigate familiarity threats.
Certified Information Security Manager (CISM)
CISM · 1196 questions
Certified in Risk and Information Systems Control (CRISC)
CRISC · 761 questions
Certified Data Privacy Solutions Engineer (CDPSE)
CDPSE · 749 questions
IoT Fundamentals Certificate
IoT-Fund · 630 questions
IT Audit Fundamentals Certificate
IT-Audit-Fund · 627 questions
IT Risk Fundamentals Certificate
Risk-Fund · 616 questions
$17.99
One-time access to this exam