CISA Cheat Sheet 2026

The 30 highest-yield CISA facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.

150 questions
240 min time limit
75% to pass
  1. When planning an IS audit, an auditor should review the organization's IT policies, standards, and procedures to: understand the control environment and established control objectives.
  2. Which of the following is the PRIMARY purpose of implementing an IT balanced scorecard? To translate IT strategy into measurable objectives and monitor its performance. [5]
  3. When auditing data quality, an IS auditor is PRIMARILY concerned with ensuring data is: Accurate, complete, consistent, and timely for its intended use
  4. The concept of 'due professional care' in IS auditing requires that an auditor: Apply the care and skill expected of a reasonably prudent IS auditor
  5. What does the acronym COBIT stand for? Control Objectives for Business and Related Technology
  6. The COSO Internal Control — Integrated Framework is primarily designed to help organizations with which concern? Internal control and enterprise risk management
  7. Which of the following would BEST guarantee that a wide area network (WAN) is continuously operational throughout the organization? Built-in alternative routing
  8. Which database auditing approach captures all SQL statements executed against a database, providing the most comprehensive audit trail? Full database activity monitoring (DAM)
  9. A CISA auditor finds that database audit logging is disabled. The MOST significant risk this creates is: Inability to detect or investigate unauthorized data access or modification
  10. A CISA auditor reviewing network segmentation should PRIMARILY verify that: Critical systems are isolated in separate network zones
  11. Which technique protects sensitive data in non-production environments by replacing real values with realistic but fictitious data? Data masking
  12. What is the PRIMARY output of the Business Impact Analysis (BIA) phase in the business continuity planning process? A prioritization of critical business processes and their recovery time objectives.
  13. COBIT 2019 organizes governance and management objectives into how many domains? 5
  14. In a risk-based audit approach, the IS auditor's decisions on the nature, timing, and extent of testing should be PRIMARILY based on the: assessment of inherent and control risks.
  15. When auditing a VPN implementation, an IS auditor should FIRST verify that: Strong encryption algorithms and multi-factor authentication are enforced
  16. Which of the following BEST reduces the risk of unauthorized wireless network access? Using WPA3 with strong pre-shared keys and 802.1X authentication
  17. Which ISO standard specifically addresses IT governance for organizations? ISO 38500
  18. Which of the following BEST describes data sovereignty? The legal principle that data is subject to the laws of the country in which it is stored
  19. Within ISACA's framework, which component provides IS auditors with specific step-by-step procedures for conducting an audit? Tools and Techniques
  20. In COBIT 2019, which governance domain is responsible for evaluating stakeholder needs and setting strategic direction for IT? EDM — Evaluate, Direct and Monitor
  21. A software development team is using an Agile methodology. To ensure risk is managed effectively, when should risk management activities be performed? Continuously throughout the project lifecycle, especially during sprint planning.
  22. In IS auditing, 'audit risk' is composed of which three components? Inherent risk, control risk, and detection risk
  23. Within a Public Key Infrastructure (PKI), what is the primary role of a Certificate Authority (CA)? To act as a trusted third party that binds a public key to a verified entity's identity.
  24. Which concept describes the property that committed database transactions are permanently saved even in the event of a system failure? Durability
  25. What is the primary purpose of IT governance frameworks such as COBIT for an organization? To provide a common language and framework for aligning IT with business objectives
  26. Which type of database backup captures only the data that has changed since the last full backup, minimizing backup window time? Incremental backup
  27. A data owner is BEST described as: The business executive accountable for the data and its appropriate use
  28. During a network review, an auditor finds that network administrators share a single privileged account. This PRIMARILY violates the principle of: Non-repudiation and individual accountability
  29. What could happen if an IS auditor breaks the ISACA Code of Professional Ethics when they are members of ISACA and CISA certified? Loss of ISACA certifications
  30. Which statement regarding the ISACA Audit Standards and Audit Guidelines is accurate? ISACA Audit Standards are mandatory
Turn these facts into recall: