CISA Cheat Sheet 2026
The 30 highest-yield CISA facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
150 questions
240 min time limit
75% to pass
- When planning an IS audit, an auditor should review the organization's IT policies, standards, and procedures to: → understand the control environment and established control objectives.
- Which of the following is the PRIMARY purpose of implementing an IT balanced scorecard? → To translate IT strategy into measurable objectives and monitor its performance. [5]
- When auditing data quality, an IS auditor is PRIMARILY concerned with ensuring data is: → Accurate, complete, consistent, and timely for its intended use
- The concept of 'due professional care' in IS auditing requires that an auditor: → Apply the care and skill expected of a reasonably prudent IS auditor
- What does the acronym COBIT stand for? → Control Objectives for Business and Related Technology
- The COSO Internal Control — Integrated Framework is primarily designed to help organizations with which concern? → Internal control and enterprise risk management
- Which of the following would BEST guarantee that a wide area network (WAN) is continuously operational throughout the organization? → Built-in alternative routing
- Which database auditing approach captures all SQL statements executed against a database, providing the most comprehensive audit trail? → Full database activity monitoring (DAM)
- A CISA auditor finds that database audit logging is disabled. The MOST significant risk this creates is: → Inability to detect or investigate unauthorized data access or modification
- A CISA auditor reviewing network segmentation should PRIMARILY verify that: → Critical systems are isolated in separate network zones
- Which technique protects sensitive data in non-production environments by replacing real values with realistic but fictitious data? → Data masking
- What is the PRIMARY output of the Business Impact Analysis (BIA) phase in the business continuity planning process? → A prioritization of critical business processes and their recovery time objectives.
- COBIT 2019 organizes governance and management objectives into how many domains? → 5
- In a risk-based audit approach, the IS auditor's decisions on the nature, timing, and extent of testing should be PRIMARILY based on the: → assessment of inherent and control risks.
- When auditing a VPN implementation, an IS auditor should FIRST verify that: → Strong encryption algorithms and multi-factor authentication are enforced
- Which of the following BEST reduces the risk of unauthorized wireless network access? → Using WPA3 with strong pre-shared keys and 802.1X authentication
- Which ISO standard specifically addresses IT governance for organizations? → ISO 38500
- Which of the following BEST describes data sovereignty? → The legal principle that data is subject to the laws of the country in which it is stored
- Within ISACA's framework, which component provides IS auditors with specific step-by-step procedures for conducting an audit? → Tools and Techniques
- In COBIT 2019, which governance domain is responsible for evaluating stakeholder needs and setting strategic direction for IT? → EDM — Evaluate, Direct and Monitor
- A software development team is using an Agile methodology. To ensure risk is managed effectively, when should risk management activities be performed? → Continuously throughout the project lifecycle, especially during sprint planning.
- In IS auditing, 'audit risk' is composed of which three components? → Inherent risk, control risk, and detection risk
- Within a Public Key Infrastructure (PKI), what is the primary role of a Certificate Authority (CA)? → To act as a trusted third party that binds a public key to a verified entity's identity.
- Which concept describes the property that committed database transactions are permanently saved even in the event of a system failure? → Durability
- What is the primary purpose of IT governance frameworks such as COBIT for an organization? → To provide a common language and framework for aligning IT with business objectives
- Which type of database backup captures only the data that has changed since the last full backup, minimizing backup window time? → Incremental backup
- A data owner is BEST described as: → The business executive accountable for the data and its appropriate use
- During a network review, an auditor finds that network administrators share a single privileged account. This PRIMARILY violates the principle of: → Non-repudiation and individual accountability
- What could happen if an IS auditor breaks the ISACA Code of Professional Ethics when they are members of ISACA and CISA certified? → Loss of ISACA certifications
- Which statement regarding the ISACA Audit Standards and Audit Guidelines is accurate? → ISACA Audit Standards are mandatory
Turn these facts into recall: