ISACA · IT-Audit-Fund
Validates foundational IT audit knowledge, covering audit performance, IT environment and components, specific audit subjects, newer technologies, controls and risk, and the audit function, including IT audit terminology, concepts, and general practices.
Questions
627
Duration
120 minutes
Passing Score
65%
Difficulty
FoundationalLast Updated
Feb 2026
Use this IT-Audit-Fund practice exam to prepare for IT Audit Fundamentals Certificate with realistic questions, detailed explanations, and focused study modes. The practice bank includes 627 questions for ISACA IT-Audit-Fund, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to patterns in your missed answers. Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The ISACA IT Audit Fundamentals Certificate is a foundational-level credential that validates knowledge of core IT audit terminology, concepts, and general practices across six functional domains. It covers the full audit lifecycle—from understanding the audit function and organizational controls to performing audits and evaluating specific IT subjects such as networking, operating systems, and IT general controls. The certificate was introduced by ISACA in 2022 to address growing demand for entry-level IT audit professionals and provides a structured foundation for those entering the field.
The program blends knowledge-based and performance-based learning, reflecting real-world audit skills rather than pure theoretical recall. It specifically addresses newer technologies including artificial intelligence (AI), blockchain, and the Internet of Things (IoT), ensuring candidates are equipped to audit modern IT environments. Successful candidates earn a digital badge through ISACA's Credly platform and a recognized certificate, positioning them as credible candidates for IT audit roles.
This certificate is designed for early-career professionals seeking to enter the IT audit field, as well as IT practitioners—such as system administrators, network engineers, and security specialists—who want to transition into audit roles. It is equally relevant for internal and external auditors with limited IT audit exposure, compliance officers who need to understand IT audit processes, and risk management personnel who work alongside audit teams.
Because no prior IT audit experience is required, the certificate also suits recent graduates in information systems, accounting, or cybersecurity programs who want a recognized credential to support job applications. It serves as a clearly defined first step toward the CISA (Certified Information Systems Auditor) certification, ISACA's globally recognized advanced credential for IT auditors.
There are no formal prerequisites for the IT Audit Fundamentals Certificate. Candidates can register at any time without needing to demonstrate prior work experience or hold any other certification. This open eligibility makes it accessible to career changers, students, and early-career professionals alike.
While no prerequisites are required, candidates will benefit from a basic familiarity with IT concepts such as networks, operating systems, and databases, as the exam covers IT environment components at a foundational level. A general understanding of business processes and organizational risk management practices will also help candidates contextualize the audit concepts covered across the six exam domains.
The IT Audit Fundamentals exam is delivered online via remote proctoring and has a time limit of 120 minutes. It combines two question types: traditional multiple-choice (knowledge-based) questions and interactive performance-based questions that simulate real audit scenarios. The exact total number of scored questions is not publicly disclosed by ISACA.
Candidates must achieve a passing score of 65% or higher. Exam eligibility is valid for 12 months from the date of registration, and testing appointments can be scheduled as early as 48 hours after payment. There is no penalty for rescheduling as long as changes are made at least 48 hours before the scheduled appointment. Exam fees are $175 USD for ISACA members and $225 USD for non-members.
The IT Audit Fundamentals Certificate positions holders for entry-level IT audit roles at a time when demand for audit professionals is expanding alongside growth in cyberattacks, cloud adoption, and regulatory compliance requirements. Entry-level IT auditor salaries in the United States range from approximately $57,000 to $78,000 annually, with Glassdoor data placing average entry-level compensation around $74,658. Salaries increase substantially with experience, reaching roughly $88,932 for professionals with 4–6 years of experience and over $119,000 for senior practitioners. Common entry-level roles for certificate holders include IT Auditor, Junior Risk Analyst, Compliance Analyst, and IT Controls Analyst.
Beyond immediate job placement, the certificate serves as a recognized stepping stone to the CISA certification — the global gold standard for IT auditors — giving holders a structured credential pathway. ISACA's digital badge, issued via Credly, allows professionals to display the credential on LinkedIn and resumes for employer recognition. For organizations, the certificate validates that team members have a standardized, vendor-neutral foundation in IT audit practices, making it valuable for upskilling internal audit, risk, and compliance teams.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 627 questions.
Preview — answers shown1. An auditor evaluates the effectiveness of detective controls in an accounts payable system. Management states that daily reconciliation reports identify all payment discrepancies. However, the auditor discovers that reconciliation reports are generated but not reviewed by anyone for the past 6 months. How should the auditor classify this control? (Select one!)
Explanation
Detective controls must not only generate information but also have that information reviewed and acted upon to be effective. A reconciliation report that is generated but never reviewed cannot detect discrepancies, rendering the control ineffective regardless of generation frequency. This is a common audit finding where control design exists but operating effectiveness fails. The control is not effective simply because it runs. It is not compensating since it addresses its intended purpose but fails in execution. The control is correctly classified as detective but is ineffective, not a reclassification issue.
2. During fieldwork, an auditor observes that the incident response team successfully detects and responds to security events, but the team lacks formal documentation of lessons learned and does not update response procedures based on past incidents. Which type of control deficiency does this represent? (Select one!)
Explanation
This represents a monitoring control deficiency. Monitoring controls evaluate the quality and effectiveness of internal controls over time and incorporate improvements based on lessons learned. While the incident response team has effective detective controls (detecting events) and corrective controls (responding to incidents), the failure to document lessons learned and update procedures represents inadequate monitoring of control effectiveness. COSO defines monitoring as a key component of internal control that ensures controls continue to operate effectively. Preventive controls stop incidents before occurrence. Detective controls identify incidents after they happen. Corrective controls fix problems after detection. The missing element is continuous improvement through monitoring and learning from past experiences.
3. An organization implements Control Self-Assessment workshops where process owners evaluate control effectiveness in their departments. The internal audit team plans to rely on these self-assessments to reduce detailed compliance testing. Which statement best describes the relationship between CSA and internal audit? (Select one!)
Explanation
Control Self-Assessment emphasizes management's accountability and promotes continuous improvement, but it does not eliminate the need for independent internal audit verification. CSA provides management's perspective on control effectiveness, which auditors should consider but must verify through independent testing. Management inherently lacks the objectivity that independent auditors provide. CSA complements but does not replace the assurance function. Process owners may have blind spots or conflicts of interest that prevent objective assessment. Audit findings from independent testing typically carry more weight than self-assessments when conflicts arise, precisely because of independence. CSA is applicable to all types of controls including IT, not just financial controls, making it a valuable governance tool across the enterprise.
4. An auditor reviews privileged access management and finds that system administrators have permanent 24/7 access to production databases with full superuser privileges. Privileged access activities are logged but logs are stored on the same servers administrators can access. What should the auditor recommend as the most important improvement? (Select one!)
Explanation
The most critical improvements are implementing just-in-time privileged access with automatic expiration and ensuring audit logs cannot be modified by those being audited. System administrators should not have permanent superuser privileges; they should request elevated access only when needed with automatic time-based expiration. Equally important, logs must be stored where administrators cannot tamper with evidence of their activities. This implements the principle of accountability and prevents administrators from covering their tracks. Requiring business justification is useful but does not limit the duration of excessive privileges. Multi-factor authentication improves authentication strength but does not address permanent superuser access or log integrity. Quarterly reviews detect issues after the fact but do not prevent excessive access. The current configuration violates two fundamental security principles: least privilege (administrators should not have permanent superuser access) and separation of duties (those being audited should not control audit logs). Just-in-time access with automatic expiration and tamper-proof logging address both violations.
5. A manufacturing company implements Industrial IoT sensors to monitor equipment performance. The auditor identifies that 200 IoT devices have default passwords and are on the same network segment as financial systems. Which risk should the auditor prioritize in the report? (Select one!)
Explanation
The combination of default passwords and lack of network segmentation creates critical risk. Attackers can easily compromise IoT devices using default credentials, then use those devices as pivot points to access financial systems on the same network segment. This is a classic IoT security failure with severe consequences. Network performance issues are operational concerns, not security priorities. While firmware updates and physical security are important, they are secondary to the immediate risk of lateral movement from compromised IoT devices to financial systems. The lack of segmentation violates fundamental security architecture principles. IoT devices should be isolated on separate VLANs with strict firewall rules controlling access to critical business systems.
Certified Information Security Manager (CISM)
CISM · 1196 questions
Certified Information Systems Auditor (CISA)
CISA · 895 questions
Certified in Risk and Information Systems Control (CRISC)
CRISC · 761 questions
Certified Data Privacy Solutions Engineer (CDPSE)
CDPSE · 749 questions
IoT Fundamentals Certificate
IoT-Fund · 630 questions
IT Risk Fundamentals Certificate
Risk-Fund · 616 questions
$17.99
One-time access to this exam