ISACA · IT-Audit-Fund
Validates foundational IT audit knowledge, covering audit performance, IT environment and components, specific audit subjects, newer technologies, controls and risk, and the audit function, including IT audit terminology, concepts, and general practices.
Questions
627
Duration
120 minutes
Passing Score
65%
Difficulty
FoundationalLast Updated
Feb 2026
Use this IT-Audit-Fund practice exam to prepare for IT Audit Fundamentals Certificate with realistic questions, detailed explanations, and focused study modes. The practice bank includes 627 questions for ISACA IT-Audit-Fund, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to patterns in your missed answers. Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The ISACA IT Audit Fundamentals Certificate is a foundational-level credential that validates knowledge of core IT audit terminology, concepts, and general practices across six functional domains. It covers the full audit lifecycle—from understanding the audit function and organizational controls to performing audits and evaluating specific IT subjects such as networking, operating systems, and IT general controls. The certificate was introduced by ISACA in 2022 to address growing demand for entry-level IT audit professionals and provides a structured foundation for those entering the field.
The program blends knowledge-based and performance-based learning, reflecting real-world audit skills rather than pure theoretical recall. It specifically addresses newer technologies including artificial intelligence (AI), blockchain, and the Internet of Things (IoT), ensuring candidates are equipped to audit modern IT environments. Successful candidates earn a digital badge through ISACA's Credly platform and a recognized certificate, positioning them as credible candidates for IT audit roles.
This certificate is designed for early-career professionals seeking to enter the IT audit field, as well as IT practitioners—such as system administrators, network engineers, and security specialists—who want to transition into audit roles. It is equally relevant for internal and external auditors with limited IT audit exposure, compliance officers who need to understand IT audit processes, and risk management personnel who work alongside audit teams.
Because no prior IT audit experience is required, the certificate also suits recent graduates in information systems, accounting, or cybersecurity programs who want a recognized credential to support job applications. It serves as a clearly defined first step toward the CISA (Certified Information Systems Auditor) certification, ISACA's globally recognized advanced credential for IT auditors.
There are no formal prerequisites for the IT Audit Fundamentals Certificate. Candidates can register at any time without needing to demonstrate prior work experience or hold any other certification. This open eligibility makes it accessible to career changers, students, and early-career professionals alike.
While no prerequisites are required, candidates will benefit from a basic familiarity with IT concepts such as networks, operating systems, and databases, as the exam covers IT environment components at a foundational level. A general understanding of business processes and organizational risk management practices will also help candidates contextualize the audit concepts covered across the six exam domains.
The IT Audit Fundamentals exam is delivered online via remote proctoring and has a time limit of 120 minutes. It combines two question types: traditional multiple-choice (knowledge-based) questions and interactive performance-based questions that simulate real audit scenarios. The exact total number of scored questions is not publicly disclosed by ISACA.
Candidates must achieve a passing score of 65% or higher. Exam eligibility is valid for 12 months from the date of registration, and testing appointments can be scheduled as early as 48 hours after payment. There is no penalty for rescheduling as long as changes are made at least 48 hours before the scheduled appointment. Exam fees are $175 USD for ISACA members and $225 USD for non-members.
The IT Audit Fundamentals Certificate positions holders for entry-level IT audit roles at a time when demand for audit professionals is expanding alongside growth in cyberattacks, cloud adoption, and regulatory compliance requirements. Entry-level IT auditor salaries in the United States range from approximately $57,000 to $78,000 annually, with Glassdoor data placing average entry-level compensation around $74,658. Salaries increase substantially with experience, reaching roughly $88,932 for professionals with 4–6 years of experience and over $119,000 for senior practitioners. Common entry-level roles for certificate holders include IT Auditor, Junior Risk Analyst, Compliance Analyst, and IT Controls Analyst.
Beyond immediate job placement, the certificate serves as a recognized stepping stone to the CISA certification — the global gold standard for IT auditors — giving holders a structured credential pathway. ISACA's digital badge, issued via Credly, allows professionals to display the credential on LinkedIn and resumes for employer recognition. For organizations, the certificate validates that team members have a standardized, vendor-neutral foundation in IT audit practices, making it valuable for upskilling internal audit, risk, and compliance teams.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 627 questions.
Preview — answers shown1. During an audit of change management, the auditor finds that emergency changes are implemented immediately with CAB approval obtained within 24 hours. The organization has experienced no failed changes in two years. What should the auditor conclude? (Select one!)
Explanation
Emergency change procedures require pre-implementation approval even in urgent situations, with after-the-fact ratification occurring within defined timeframes. The absence of failures does not validate a control deficiency. Implementing changes before approval violates segregation of duties and change management principles regardless of positive outcomes. This represents a control design deficiency because proper authorization must occur before implementation. Compensating controls must be intentionally designed to address specific control gaps and meet the same control objective, not justified by favorable results. The 24-hour approval timeframe is for post-implementation ratification, but does not replace the need for documented emergency procedures with appropriate pre-approval from designated emergency change authorities.
2. An organization outsources payroll processing to a third-party service provider. The audit team receives the service provider's SOC 2 Type II report covering the period January 1 to December 31 of the prior year. The current audit is being conducted in November of the following year. What should the auditor do? (Select one!)
Explanation
Requesting a bridge letter or performing additional procedures to cover the gap period is correct because the SOC 2 report has a significant time gap. The report covers January through December of the prior year, but the audit is conducted in November of the following year, creating a gap of 10-11 months. Auditors cannot assume controls remained effective during the unexamined period. A bridge letter from the service provider's auditor or the user auditor's own complementary user entity controls testing can address this gap. ITAF Standard 1206 on using work of other experts requires considering timing and sufficiency of evidence. Simply relying on outdated reports violates audit standards requiring current evidence. Declining to provide assurance is premature without attempting to obtain current information. Requiring in-house processing is not practical or necessary when appropriate service auditor reports are available. Organizations should request reports covering their fiscal year or obtain reports at least twice annually for continuous coverage.
3. During fieldwork, an auditor traces a purchase order through the entire procurement process from requisition to payment. This technique helps the auditor understand control flow, identify gaps, and verify documentation. Which audit procedure is being performed? (Select one!)
Explanation
Walk-through involves tracing a single transaction through an entire process from initiation to completion to understand control operation, identify gaps, and verify documentation. This procedure provides insight into process flow and control points. Re-performance involves the auditor independently executing control procedures to verify effectiveness, which is more intensive than observation. Analytical procedures evaluate relationships and trends in data through ratio analysis or comparisons. Confirmation obtains direct responses from external parties to verify information. Walk-throughs are particularly valuable during audit planning to understand processes before designing detailed testing procedures.
4. An organization implements a privacy program to comply with GDPR requirements. During the privacy audit, the auditor discovers that data subjects who submit erasure requests receive responses within 45 days. The privacy officer explains this timeline allows thorough verification of requester identity and coordination across multiple systems. What should the auditor conclude? (Select one!)
Explanation
GDPR Article 12 explicitly requires organizations to respond to data subject rights requests, including erasure requests, within one month (30 days) of receipt. This is a specific regulatory requirement, not a best practice guideline. Complexity of systems and identity verification needs do not extend this deadline - organizations must design their processes to meet the 30-day requirement. GDPR does allow a 2-month extension in complex cases, but this requires informing the data subject within the first month and explaining reasons for the delay. The organization's default 45-day timeline with no communication violates GDPR requirements. Privacy officers cannot establish arbitrary timelines - they must comply with regulatory timeframes regardless of organizational complexity.
5. An organization implements a privileged access management solution that stores administrator passwords in an encrypted vault, automatically rotates passwords every 24 hours, requires multi-factor authentication for vault access, and records all privileged sessions. However, during the audit, the auditor discovers that session recordings are stored for only 15 days due to storage limitations, while the audit log retention policy requires 90 days. How does this impact the overall PAM control effectiveness? (Select one!)
Explanation
Privileged Access Management relies on the IAAA model where Accountability through comprehensive audit trails is essential. While the identification, authentication, and authorization components function properly through the vault, password rotation, and MFA, the accountability component has a design deficiency. The 15-day retention fails to meet the 90-day policy requirement, limiting the ability to investigate security incidents and maintain proper accountability. This represents a design deficiency rather than complete ineffectiveness since other PAM components operate correctly. The finding is significant but not necessarily critical since some accountability exists. Storage limitations do not justify policy violations; management must either allocate resources to meet requirements or formally accept the residual risk through documented risk acceptance.
Certified Information Security Manager (CISM)
CISM · 1196 questions
Certified Information Systems Auditor (CISA)
CISA · 895 questions
Certified in Risk and Information Systems Control (CRISC)
CRISC · 761 questions
Certified Data Privacy Solutions Engineer (CDPSE)
CDPSE · 749 questions
IoT Fundamentals Certificate
IoT-Fund · 630 questions
IT Risk Fundamentals Certificate
Risk-Fund · 616 questions
$17.99
One-time access to this exam