Free ISACA CISA Actual Exam Questions
Dumps Box (DumpsBox) offers up-to-date practice exam questions for the CISA certification exam, developed and validated by ISACA subject domain experts certified in ISACA CISA. These practice questions are updated regularly as we keep an eye on any recent changes in the CISA syllabus, and when there is an update our team quickly adjusts the questions. This commitment to providing the best quality exam prep material to certification aspirants is what makes DumpsBox.com the best certification exam prep website. On top of that, our strong, yet strictly moderated, community-based feedback keeps the content clean and current. Each question has helpful community discussion that provides extra perspective and introduces helpful resources for better exam preparation. This also saves students from outdated practice questions or illicit exam dumps that can have adverse effects on a career. Browse through our ISACA CISA exam questions and pass your exam on the first try.
A/B? Imaging (A) definitely preserves the data, but powering down (B) can sometimes be necessary to prevent ongoing damage or changes. Still, B risks losing volatile data, so A feels safer overall.
Option A makes the most sense here since imaging creates an exact copy of the data right away, preventing loss or modification. Powering down (B) or rebooting (D) can change or erase volatile info, so they’re risky. While protecting hardware (C) is important to stop physical tampering, it doesn’t preserve the actual digital evidence like imaging does. So imaging is the best way to safeguard the data exactly as it was when found.
omission of which of the following would be of MOST concern?
Not B, the financial stability of vendors matters but isn't as critical as knowing if the hardware is worth buying in the first place, so D still seems more crucial.
D imo, because without cost-benefit, you can’t justify the purchase itself.
program. Which of the following BEST represents the scope of the auditor’s role in the program?
Maybe D could be ruled out quickly since an auditor can’t just replace other team members’ audit duties—that’d break independence and oversight. C also seems too deep for CSA support; detailed audit work usually happens separately. Between A and B, B seems less relevant because the CSA’s about controls and risks, not directly improving productivity. So, A still feels like the best fit since facilitating means guiding the team through identifying issues without taking over.
Option B feels off since improving process productivity isn’t really the auditor’s main job in CSA. They’re there more to support controls, not boost efficiency directly. So A still looks stronger.
A imo, parallel runs also give users hands-on time without risking live data, which helps catch real-world issues early. So training and familiarization are pretty crucial here, not just output matching.
B/D? I get why D makes sense since you’re comparing outputs directly to catch any mismatches early. But the main reason for running both systems simultaneously is to make sure the new system actually meets all business needs without causing disruption. So it’s not just about matching old results, but confirming the new system works correctly in real scenarios, which feels more like B. Training (A) and reducing testing (C) seem secondary or unrelated here.
either read-only or administrator rights. Most users of the system have administrator access. Which of the following is the GREATEST risk associated with this situation?
B/C? While unauthorized changes (C) are a big concern, the fact that most users have admin rights means lots of people can see sensitive data (B) they might not normally access. That could lead to data leaks or misuse. Exporting logs or installing software seem less risky compared to just having too many people able to see or alter sensitive info. But I get why C is popular since admins have broad control.
If most users have admin rights, the big risk is that someone could accidentally or intentionally mess with system settings or data, which points to C. Exporting logs (A) or installing open software (D) seems less critical because logs don't change data and open software might not be allowed anyway. Viewing sensitive data (B) is a concern, but if users already have access, the risk isn't increased by their admin status. So, does having widespread admin rights mainly increase the chance of unauthorized changes, or is there something else we should consider?
emailed as attachments outside the organization by employees. What is the MOST important task before implementing any associated email controls?
It’s C because you can’t control what you don’t define. Without clear classification, any policy or agreement won’t target the right info, making controls ineffective from the start.
B/C? I’m thinking the first step would be to classify the info (C) to know what’s sensitive before controlling emails, but without an acceptable use policy (B), employees might not understand what’s expected. Maybe classification comes just a bit before though? Seen something similar where classification was key to start.
the organization should:
It’s B because outsourcing doesn’t mean the organization loses control; they still must work with the vendor to ensure disaster recovery efforts are aligned and effective, not just rely on internal audit or a third party.
B/D? I agree B makes sense because the organization can’t just outsource and ignore DRP. But D could also fit since internal audit might need to check if the vendor’s disaster recovery measures meet company standards. Still, coordination with the vendor seems more immediate and essential.
management system (DBMS) software to provide users increased query performance. Which of the following controls will MOST effectively compensate for the lack of referential integrity?
B imo. Without built-in integrity checks, running regular table link audits is the only way to find and fix broken references before they cause bigger problems. Other options don’t really address relationship consistency.
B imo. Since referential integrity is about ensuring relationships between tables stay consistent, disabling those controls means the DBMS won’t automatically prevent or catch violations. Periodic table link checks are the only way to actively identify any broken references before they cause bigger problems. The others don’t directly address the missing integrity enforcement. Backups help recover after issues, but don’t prevent or detect them. Concurrent access controls focus on transaction handling, not relationship consistency. Performance tools just monitor speed, not data correctness.
the following would provide the MOST useful information about risk appetite?
Good point on D, but I think A is stronger since risk policies formally document the organization's risk appetite, making them the primary source. Management views can be subjective or change often. So A.
B imo, risk assessments reveal how risk appetite is applied, showing practical limits.
conversion and migration during the implementation of a new application system?
A/C? Not having a formal change management process (A) means any fixes or tweaks during conversion might not be properly tracked or approved, which could cause bigger issues down the line. Unauthorized data changes (C) are obviously bad, but if there’s no documented process, it’s hard to know how those errors got in or how they’ll be fixed. So the lack of formal change control feels like a more systemic problem that impacts everything else.
Option D seems like the biggest risk to me because manual conversions are super error-prone and can mess up data on a large scale, especially if there’s no solid backup or audit trail to catch mistakes early.
C imo doesn’t fit since EA is not about executing projects but about guiding overall IT and business alignment. That leaves B and D, but enforcing policies feels more like a governance step after planning investments.
A imo, maintaining detailed system documentation is more of a byproduct of enterprise architecture rather than its primary goal. EA is about big-picture alignment and planning, not just keeping records. That rules out A and also C, since project execution is more tactical. D’s about enforcement but that’s also a narrower function within governance. So between the choices, B still makes the most sense as the primary objective because managing and planning IT investments is how EA ensures resources support overall business strategy.
An organization's audit charter PRIMARILY:
Option A, since the charter mainly grants auditors their official authority to act.
It’s A. The audit charter gives auditors the formal green light to access records and perform audits, which is crucial. The other options relate more to policies or detailed procedures, not the main purpose.
identifies several patches that were not tested before being put into production. Which of the following is the MOST significant risk from this situation?
Not A, since losing application support is more about vendor issues, not untested patches. The real problem here is B—untested patches can break the system or open security holes.
B. Untested patches directly threaten system integrity by introducing unknown errors or vulnerabilities. The other options are less immediate risks compared to the potential damage from faulty updates.
engagement?
Option C makes sense too since documenting objectives helps plan how to best use resources throughout the audit, not just flag risks. It’s about efficiency as much as risk focus.
A/D? Documenting objectives also helps assess overall risk (A) and might influence scheduling meetings (D), though scheduling seems less primary. Definitely more than just resource use or material problem spotting.
of critical security exposures?
It’s B—non-expiring admin passwords are a clear, ongoing attack vector.
B stands out to me because if admin passwords never expire, it’s easier for attackers to gain ongoing access once compromised. Does anyone think not expiring passwords pose a bigger immediate danger than legacy data or default settings?