View CISA Exam Questions

Q: 1

Which of the following would present the GREATEST concern during a review of internal audit quality assurance (QA) and continuous improvement processes?

Options

Discussion

Chris A. Jan 29, 2026 3:35 am

A , not having periodic external assessments is a direct violation of mandatory QA standards, bigger flag than just missing some testing (D). Seen similar in CISA guides.

Sean Feb 12, 2026 12:34 am

A , saw this in a similar practice set and official CISA guide says missing external QA violates standards, which is a huge problem for audit credibility.

IvyU Feb 13, 2026 4:48 pm

D . If you don't do substantive testing during some assessments, you could totally miss key control failures. That feels like a bigger risk to audit quality, even if A is more about compliance.

Riley Jan 27, 2026 6:02 am

Missing external QA reviews (A) is a direct standards violation, so it's the biggest problem here. Consistency in tracking (C) matters, but not meeting IIA requirements for external review is the real deal-breaker. Pretty sure about this, but happy to hear any counterpoints.

FriendlyOps1732 Jan 31, 2026 2:17 am

A, No external reviews (A) is a mandatory QAIP failure, bigger concern than D missing testing, at least for CISA. Open to other views if I missed something.

Cameron C. Jan 27, 2026 8:55 am

If the org is already required by policy or regulation to do external QA reviews (which is standard in most places), not having that makes A a bigger red flag. In rare cases where it's not required, D could technically impact results more directly, but for CISA purposes I think A is right. Disagree?

Jack N. Feb 3, 2026 9:27 am

Why isn't B considered more serious? Wouldn't lack of audit committee updates be a huge QA issue too?

Avery Feb 3, 2026 9:14 am

A tbh. D trips people up since it sounds like a big risk, but similar exam questions point to A because external assessments are actually required by standards. Missing those is a huge red flag even if D feels riskier in practice.

Ajay Feb 12, 2026 9:30 pm

D . Had something like this in a mock and picked D since not doing substantive testing could lead to missed audit issues, and that's a real problem for the quality of findings. External reviews (A) are key but feel more about compliance than immediate QA failures. Anyone else think D is riskier in practice? Not 100% sure though.

Robin U. Jan 30, 2026 4:49 am

D imo. Skipping substantive testing during assessments means the audit might miss major findings, so that seems like a bigger concern to me. A is important but feels more like a process deficiency than a direct risk.

Be respectful. No spam.

Correct Answer:

Explanation

The absence of periodic external assessments is a direct violation of mandatory professional standards, such as The Institute of Internal Auditors (IIA) Standard 1312, which requires an external quality assessment at least once every five years. This is a fundamental component of a Quality Assurance and Improvement Program (QAIP). Failure to perform this independent review presents the greatest concern because it undermines the credibility, objectivity, and perceived value of the entire internal audit function. It deprives the audit committee and senior management of independent assurance that the audit activity conforms with globally recognized standards and operates effectively.

Why Incorrect

B. While reporting to the audit committee is critical, the specific frequency (e.g., quarterly) is a procedural detail; a lack of reporting altogether would be the core issue.

C. Inconsistent tracking of corrective actions is a significant internal process weakness, but the lack of an external assessment is a more fundamental governance failure that would likely identify such issues.

D. The use of substantive testing depends on the specific audit's objectives and risk assessment; its absence is not inherently a quality assurance failure for all audits.

---

References

1. The Institute of Internal Auditors (IIA)

International Standards for the Professional Practice of Internal Auditing (Standards)

July 2023. Standard 1312: External Assessments states

"External assessments must be conducted at least once every five years by a qualified

independent assessor or assessment team from outside the organization." The standard's interpretation notes that this assessment provides an independent opinion on the internal audit activity's conformance with the Standards and Code of Ethics.

2. ISACA

CISA Review Manual

27th Edition

2019. Domain 1: Information System Auditing Process

Section 1.5.4 Quality Assurance of the Audit Function. This section discusses the need for a quality assurance and improvement program that includes both internal and external reviews to ensure the audit function's compliance with standards and its overall effectiveness. The manual emphasizes that external reviews provide independent assurance to stakeholders.

3. Anderson

U. L.

Head

M. J.

Ramamoorti

Riddle

Salamasick

& Sobel

P. J. Internal Auditing: Assurance & Advisory Services

4th Edition. The IIA Research Foundation

2017. Chapter 2

"The International Professional Practices Framework: Authoritative Guidance for the Internal Audit Profession

" details the components of a QAIP

explicitly citing Standard 1312 and explaining that external assessments are crucial for validating the internal audit function's conformance with professional standards and identifying opportunities for improvement.

Q: 2

During a follow-up audit, an IS auditor learns that some key management personnel have been replaced since the original audit, and current management has decided not to implement some previously accepted recommendations. What is the auditor's BEST course of action?

Options

Discussion

Kevin O. Feb 12, 2026 1:53 am

Don't think it's A since that's skipping protocol, and C/D miss the reporting piece. B is the best call here.

Sara H. Feb 2, 2026 1:44 pm

Don't think it's A-standard process is to inform the audit manager first. B is what I've seen in similar questions.

Layla H. Jan 28, 2026 2:57 am

B vs A. If "best" means stick to process, then B is right since you always report up the audit chain before escalating. But if it was an urgent risk or management was actively creating exposure, some exam questions flip to A. Here, pretty sure ISACA wants B due to standard escalation. Agree?

Morgan Y. Feb 5, 2026 4:43 am

I don't think you'd go straight to the audit committee for this. Option A is tempting since it's a serious change, but chain of command matters. B

Karan V. Feb 2, 2026 4:31 pm

Its B here because the auditor has to respect the reporting line and let the audit manager decide on next steps. Jumping straight to A would skip proper protocol unless it's an immediate/critical issue, which isn't stated. Pretty sure that's what ISACA expects, but open if anyone's seen this handled differently.

Amelia E. Feb 2, 2026 9:33 pm

Makes sense why it's B, audit manager is always the first escalation point in the process for stuff like this.

Quinn W. Feb 10, 2026 10:13 am

Would official ISACA review materials or practice exams cover nuances like this management change scenario in audit follow-up?

DirectArchitect5571 Feb 8, 2026 12:34 pm

Seriously, ISACA loves the reporting line stuff. B

Piya T. Feb 11, 2026 12:54 am

Guessing A here. Escalating straight to the audit committee seems right if management ignores agreed recommendations, since it's a governance issue. Almost picked B but I think bypassing that step is justified in this scenario. Could be wrong though.

Be respectful. No spam.

Correct Answer:

Explanation

The IS auditor's immediate responsibility is to report findings and significant developments within the audit's chain of command. The decision by new management to not implement previously accepted recommendations represents a change in risk acceptance and is a material finding for the follow-up audit. The auditor must report this to the audit manager, who is responsible for overseeing the audit engagement. The audit manager will then determine the appropriate next steps, which may include discussing the issue with senior management and deciding whether escalation to the audit committee is warranted. This ensures that the audit function's internal procedures and reporting lines are respected.

Why Incorrect

A. Notifying the chair of the audit committee is a significant escalation. This step should be determined by audit management, not undertaken unilaterally by the auditor as a first action.

C. Retesting the control is irrelevant. The issue is not the control's operational effectiveness but management's conscious decision not to implement the agreed-upon remediation.

D. Closing the audit finding is incorrect. The finding cannot be closed because the risk has not been mitigated as planned. Management's decision to accept the risk must be documented and reported.

---

References

1. ISACA

CISA Review Manual

27th Edition. Chapter 1

The Process of Auditing Information Systems

p. 59. The manual states

"The IS auditor should report to the audit manager/director... The audit manager/director is responsible for ensuring that the communication is directed to the appropriate parties." This establishes the correct internal reporting line that the auditor must follow.

2. ISACA

ITAF: A Professional Practices Framework for IS Audit/Assurance

4th Edition. Guideline 2401 Reporting

Section 2401.7 Supervisory Review. This guideline emphasizes that "IS audit and assurance work papers should be reviewed by a senior member of the IS audit and assurance function before the audit reports are finalized and issued." This reinforces the principle that findings

especially significant ones like a change in management's risk posture

must be reviewed internally by management (i.e.

the audit manager) first.

3. ISACA

CISA Review Manual

27th Edition. Chapter 1

The Process of Auditing Information Systems

p. 61. Regarding follow-up

it notes

"If management has assumed the risk of not correcting the reported condition

this should be documented by the IS auditor and communicated to senior management and the audit committee." While this communication is necessary

the process begins with reporting the situation to the audit manager

who then directs these subsequent communications.

Q: 3

An externally facing system containing sensitive data is configured such that users have either read-only or administrator rights. Most users of the system have administrator access. Which of the following is the GREATEST risk associated with this situation?

Options

Discussion

Piya S. Feb 5, 2026 9:34 am

Nah, B is tempting because of the sensitive data, but it's C. Admin rights let users make unauthorized changes, way riskier on an external system.

MiaO Feb 1, 2026 1:56 pm

C or D. Both are risky but I'm leaning to C since unauthorized changes can break stuff or cause breaches. Not totally sure though, could see an argument for D.

Jason E. Jan 28, 2026 6:28 pm

I don’t think it’s B. C is the bigger issue here because admin rights let users make unauthorized changes, which messes with both integrity and availability. B just covers viewing data, but C can lead to way worse breaches. Some might pick D for open-licensed software but that risk usually isn’t greater than allowing anyone to change configs. Open to other takes though.

Taylor Feb 10, 2026 4:35 pm

Anyone else find the official guide hammers home least privilege for these? Similar practice questions almost always put C as the biggest risk.

QuietDev6564 Feb 7, 2026 10:18 pm

Would C still be right if most users only had read-only access instead of admin?

Reese M. Feb 12, 2026 11:19 pm

Its C since admin access means users can change configs or data, intentionally or accidentally. That risk outweighs just seeing data (B) or installing stuff (D). Least privilege is totally ignored here. I saw a similar question in practice exams, and unauthorized changes were always flagged as highest risk when admin rights are overused. Anyone disagree?

Be respectful. No spam.

Correct Answer:

Explanation

The principle of least privilege is a fundamental security concept requiring that users be granted only the access and permissions necessary to perform their job duties. In this scenario, providing administrator rights to most users on an externally facing system containing sensitive data is a severe violation of this principle. Administrator privileges inherently grant the ability to alter system configurations, modify or delete data, and change security settings. This creates the greatest risk of unauthorized changes, whether malicious or accidental, which directly compromises the integrity, availability, and confidentiality of the system and its data.

Why Incorrect

A. While administrators can export logs, this is a specific action. The ability to make any unauthorized change is a much broader and more significant risk.

B. Viewing sensitive data is a function of the system for both user types. The core issue highlighted is the risk from excessive privileges, not authorized access.

D. Installing software is a subset of the actions an administrator can perform. The overarching risk is the general capability to make unauthorized changes, which includes more than just software installation.

---

References

1. ISACA

CISA Review Manual

27th Edition. Domain 4: Information Systems Operations

Maintenance and Service Management

Section 4.4 Logical Access. The manual emphasizes that access rights should be granted based on the "need-to-know" and "need-to-do" principles

and that powerful privileges (such as administrator rights) must be strictly controlled to prevent unauthorized activities that could compromise the system.

2. National Institute of Standards and Technology (NIST) Special Publication 800-53

Revision 5. Security and Privacy Controls for Information Systems and Organizations

Control AC-6 "Least Privilege." This control states: "The organization employs the principle of least privilege

allowing only authorized accesses for users...that are necessary to accomplish assigned tasks." The discussion section notes that this prevents users from making unauthorized changes or performing functions outside their roles.

3. Saltzer

J. H.

& Schroeder

M. D. (1975). The Protection of Information in Computer Systems. Proceedings of the IEEE

63(9)

1278-1308. This foundational academic paper introduces the principle of least privilege

stating

"Every program and every user of the system should operate using the least set of privileges necessary to complete the job." The rationale is to limit the damage that can result from an accident or error. (DOI: https://doi.org/10.1109/PROC.1975.9939

Section I.A.3).

Q: 4

Which of the following is MOST important for an IS auditor to verify when evaluating an organization's firewall?

Options

Correct Answer:

Explanation

The integrity of the audit trail is paramount for an IS auditor. If a firewall is compromised, an attacker's first action is often to alter or delete local logs to cover their tracks. Storing logs on a separate, protected host (e.g., a SIEM or a hardened log server) ensures that a reliable and tamper-evident record of all network activity and potential security incidents is preserved. This preserved evidence is essential for forensic investigation, incident response, and for the auditor to verify the firewall's operational effectiveness over time.

Why Incorrect

B. Automated alerts are being sent when a risk is detected: Alerts are generated from log data. If the underlying logs are not protected and can be tampered with (as addressed in A), the alerts become unreliable or may not be generated at all.

C. Insider attacks are being controlled: This is a broad security objective, not a specific firewall control. A firewall is only one component in a defense-in-depth strategy to mitigate insider threats.

D. Access to configuration files Is restricted: While this is a critical preventive control, a system can still be compromised via other means (e.g., a zero-day vulnerability). In such a case, secure, external logs are the only way to detect and investigate the breach. The integrity of evidence (logs) is fundamental to the audit function.

---

References

1. ISACA

CISA Review Manual

27th Edition

2019.

Page 213

Section 4.4.4 Security Event Logging and Monitoring: "The IS auditor should verify that security events are logged and that the logs are secured to prevent tampering... Log data should be sent to a dedicated log server to prevent the logs from being destroyed by an attacker." This directly supports the critical need to secure logs on a separate host to prevent tampering

which is a primary concern for an auditor.

2. ISACA

"Auditing Network Perimeters

" Audit Program

2016.

Section 3.2.4: The audit program directs the auditor to "Verify that firewall logs are enabled to log all inbound and outbound traffic

and sent to a dedicated and secured log server." This step is crucial for ensuring a complete and reliable audit trail

which underpins the entire audit of the control's operation.

3. NIST Special Publication 800-92

"Guide to Computer Security Log Management

" 2006.

Section 3.4.1

Page 3-10: "Organizations should store logs on dedicated log servers

not on the hosts that generate the logs... Storing logs on a different system from the one that generates them makes it more difficult for attackers to tamper with the logs." This official guideline establishes the practice as a fundamental security principle for maintaining log integrity.

Q: 5

Which of the following would be of GREATEST concern to an IS auditor reviewing an IT strategy document?

Options

Discussion

LiamM Jan 25, 2026 11:27 pm

Option C

Rowan Q. Jan 30, 2026 4:09 pm

Option C makes sense. If IT strategy is only following trends and not aligning with actual business objectives, that's a huge risk. The point is to support the organization's needs, not just chase what’s new in the market. Pretty sure that's the biggest red flag here. Agree?

Ishaan B. Feb 5, 2026 1:58 am

It's gotta be C here. If IT goals only come from market trends, that's a big red flag since there's no guarantee they're helping with what the business actually needs. That misalignment is what IS auditors worry about most, I think. Anyone disagree?

Drew I. Feb 11, 2026 6:45 pm

C is the real issue since IT strategy needs to fit business goals, not just follow trends. If strategic direction comes only from the market, you risk major misalignment. Pretty confident in C but open if anyone sees it differently.

Owen Y. Jan 31, 2026 12:06 am

I don't think B is as critical as some think-strategic alignment is a bigger deal. C looks right here, since just chasing market trends without mapping to business objectives is a classic trap for auditors. C.

PracticalAnalyst3727 Jan 28, 2026 5:20 am

Honestly, I'd say B here. Not hitting last year's IT strategic goals signals ongoing issues that might impact future strategies. I know C is risky too, but missing objectives feels like a big red flag to me. Anyone else see it that way?

Avery Z. Jan 30, 2026 8:25 am

Maybe C. If the IT goals only track market trends, they're probably missing what the business actually needs. Misalignment with business strategy tends to be a big deal for IS auditors. Not totally sure, but that's my take.

Sanjay I. Jan 30, 2026 12:55 pm

B for me

Riley Feb 6, 2026 2:51 pm

Its C. Saw a similar question on my mock and C was flagged as biggest concern.

Olivia G. Feb 14, 2026 12:38 am

C , that's the biggest audit concern. An IT strategy just chasing market trends usually means no real tie-in to business objectives, which is a classic misalignment. From what I've seen, that's always called out on CISA practice reviews.

Be respectful. No spam.

Correct Answer:

Explanation

The primary objective of an IT strategy is to ensure that IT plans and activities support and enable the overall business strategy. An IT strategy derived solely from market trends is fundamentally misaligned with the organization's specific goals and needs. This represents the greatest strategic risk because it can lead to the misallocation of resources, investment in inappropriate technologies, and a failure to deliver value to the business. The IS auditor's main concern in a strategic review is this alignment between business objectives and IT initiatives.

Why Incorrect

A. Defining target architecture at a technical level within a strategy document can indicate thorough planning and is not inherently a concern.

B. While not achieving prior goals is a concern about execution, a flawed basis for the current strategy is a more fundamental and critical issue.

D. Including financial estimates is a best practice for effective planning, budgeting, and demonstrating due diligence, not a point of concern.

References

1. ISACA. (2019). CISA Review Manual

27th Edition. Domain 2: Governance and Management of IT

Section 2.3.1 IT Strategic Plan. The manual states

"The IT strategic plan must be an integral part of the overall business strategic plan... The focus should be on strategic alignment..." This highlights that the business plan

not external trends alone

must be the primary driver.

2. ISACA. (2018). COBIT 2019 Framework: Introduction and Methodology. Chapter 3

The COBIT Core Model

p. 21. The COBIT goals cascade model explicitly shows that enterprise goals are derived from stakeholder needs

and alignment goals (IT-related goals) are derived from enterprise goals. This framework establishes a clear top-down linkage from business needs to IT strategy.

3. Luftman

J. N. (2000). Assessing business-IT alignment maturity. Communications of the Association for Information Systems

4(1)

Article 14. This foundational academic paper on strategic alignment maturity notes that lower levels of maturity are characterized by a lack of a clear

business-driven IT strategy. Relying on trends instead of business goals is indicative of low alignment maturity. (DOI: https://doi.org/10.17705/1CAIS.00414)

Q: 6

Which of the following should be an IS auditor's PRIMARY consideration when determining which issues to include in an audit report?

Options

Discussion

Mia Feb 3, 2026 4:21 pm

C , that's how audit reporting works per most CISA books.

Morgan Feb 15, 2026 3:57 am

Nah, I don’t think it’s D. C is the main filter here since materiality drives what gets reported.

RaviW Jan 29, 2026 10:16 am

Its C, but if the audit covers low criticality areas sometimes D gets reported too, weird edge cases.

Priya V. Feb 4, 2026 7:18 am

Option D

Quinn U. Feb 7, 2026 2:19 pm

Ajay R. Feb 2, 2026 2:24 pm

I agree with C here since materiality is always the main filter for audit findings in the report. Inherent risk (D) matters for planning but not really for deciding what ends up in the final report. Pretty sure this is what ISACA expects but happy if someone disagrees.

Chris O. Feb 5, 2026 8:03 pm

C vs D? D looks relevant too since inherent risk is important but I think a lot of people get tripped up by that one. Pretty sure it's actually C per most ISACA materials.

Arjun F. Jan 31, 2026 12:09 pm

C is right since materiality basically determines if an audit issue is significant enough for management to care. I saw something like this in other practice tests too, so pretty sure C is what ISACA wants here. Disagree?

Grace N. Feb 12, 2026 5:48 pm

Honestly, ISACA loves asking this. Probably C, it's always about materiality with audit reports.

Daniel Jan 27, 2026 8:25 pm

Makes sense that C is the pick here.

Be respectful. No spam.

Correct Answer:

Explanation

The primary consideration for an IS auditor when determining which issues to include in an audit report is materiality. Materiality refers to the significance of a finding in the context of the audit objectives. An audit finding is material if its omission or misstatement could influence the decisions of management or other stakeholders. The purpose of the audit report is to communicate significant findings that require management's attention and potential action. Focusing on material issues ensures that the report is relevant, impactful, and drives improvements in governance, risk management, and control, rather than overwhelming stakeholders with trivial details.

Why Incorrect

A. Professional skepticism is a critical professional attitude and mindset that must be applied throughout the entire audit process, not a specific criterion for selecting which findings to report.

B. Requiring management's agreement on findings before inclusion would fundamentally compromise the auditor's independence and objectivity, which are cornerstones of the audit profession.

D. Inherent risk is assessed during the audit planning phase to determine the nature and extent of audit procedures, not to decide which identified findings are significant enough for the final report.

---

References

1. ISACA. (2019). CISA Review Manual

27th Edition. Section 1.3.2

"Materiality

" states

"Materiality is a key concept that will be used when planning the audit and when evaluating the identified errors and irregularities... The IS auditor should consider materiality when determining the reportable findings."

2. ISACA. (2014). ITAF: A Professional Practices Framework for IS Audit/Assurance

4th Edition. Guideline 2204

"Materiality

" Section 3.1

notes that "IS audit and assurance professionals should consider materiality and its relationship to audit risk when... evaluating the effect of identified control weaknesses and/or lack of compliance with established processes." This evaluation directly informs what is reported.

3. Singleton

T. (2011). The Core of the CISA Exam. ISACA Journal

Volume 2. This article emphasizes that a CISA candidate must understand core concepts

stating

"Materiality is a concept that relates to the importance or significance of an amount

transaction or discrepancy... The IS auditor must consider materiality in determining the appropriate reportable conditions."

Q: 7

A review of an organization’s IT portfolio revealed several applications that are not in use. The BEST way to prevent this situation from recurring would be to implement.

Options

Discussion

Ben V. Feb 3, 2026 12:32 pm

D . Asset life cycle management isn't just about what gets bought, it's about reviewing, maintaining, and retiring applications too. That covers unused apps hanging around. Pretty sure that's what the question targets.

SharpAnalyst4424 Jan 27, 2026 4:45 pm

I don’t think it’s D. I picked B since business case development should stop people from buying stuff they don’t really need in the first place. Seems like if you have that up front, you avoid shelfware entirely. Maybe I’m missing how ongoing life cycle steps would catch it later, but B seems closer to root cause for me. Agree?

Casey Feb 12, 2026 3:21 am

D imo. Had something like this in a mock exam and asset life cycle management was the expected pick for unused apps.

Maya Feb 10, 2026 1:48 pm

C vs D here-if it's about ongoing review and retiring unused apps, D (Asset life cycle management) is probably the way to go since it covers the whole process. C only handles what gets acquired, not after. Pretty sure D is best but I see why folks get stuck.

FriendlyOps3521 Feb 12, 2026 10:00 pm

I think D, not C. Asset life cycle management covers retirement, not just acquisition. C is a common trap here.

Maya J. Feb 2, 2026 8:49 pm

Sick of how ISACA always makes these sound trickier than they are. D imo.

Morgan K. Feb 10, 2026 2:27 pm

Why not C for acquisition policy if the main concern is just preventing excess apps upfront, not managing them through retirement?

ArjunX Feb 15, 2026 3:57 am

D tbh, asset life cycle management handles removal and review so unused apps don't keep piling up.

Layla L. Feb 7, 2026 12:51 pm

B Saw a similar question on a mock exam and picked business case development for this kind of issue.

Priya B. Feb 2, 2026 3:31 am

C vs D here. I went with C because having an acquisition policy should filter out unnecessary apps upfront, right? But now I'm wondering if that's enough for ongoing management. Maybe I'm missing something, but a clear approval process feels pretty key. Anyone disagree?

Be respectful. No spam.

Correct Answer:

Explanation

The presence of unused applications indicates a failure in managing the entire lifespan of IT assets. Asset life cycle management is a comprehensive process that governs an asset from planning and acquisition through deployment, utilization, maintenance, and eventual retirement. Implementing this framework ensures that applications are periodically reviewed for their continued business value and are properly decommissioned when no longer needed. This proactive management directly prevents the accumulation of unused software ("shelfware") by embedding review and retirement phases into standard procedure, addressing the root cause of the problem.

Why Incorrect

A. A formal request for proposal (RFP) process only addresses the procurement phase, not the ongoing management or retirement of the asset.

B. Business case development justifies the initial acquisition but does not ensure the asset is used or retired appropriately later in its life cycle.

C. An information asset acquisition policy governs how assets are purchased but does not cover their management throughout their useful life and disposal.

---

References

1. ISACA

CISA Review Manual

27th Edition (2019). Domain 2: IT Governance and Management

Section 2.5

"IT Resource Management." This section details the importance of managing IT assets throughout their life cycle

including acquisition

deployment

maintenance

and retirement

to ensure they continue to provide value to the business.

2. ISACA

COBIT 2019 Framework: Governance and Management Objectives (2018). Management Objective BAI09

Managed Assets. This objective explicitly covers the need to "Manage IT assets through their life cycle to make sure that their use is optimized for value

and they are disposed of in a timely and proper manner." (p. 153).

3. ISACA

COBIT 2019 Framework: Governance and Management Objectives (2018). Management Objective APO05

Managed Portfolio. This objective includes practices for managing the portfolio of IT-enabled investments

which involves evaluating and retiring obsolete or low-value applications and services to optimize overall portfolio value. (p. 85).

Q: 8

When classifying information, it is MOST important to align the classification to:

Options

Discussion

Ethan H. Jan 30, 2026 12:03 pm

Option A, business risk. Info classification really needs to map directly to what could impact the business most.

Layla C. Feb 10, 2026 3:37 am

A . Classification always comes back to business risk, since that's what determines the level of control or protection you need. Policy is important but it's built from risk assessments anyway.

Jordan Feb 9, 2026 10:20 am

A, Practice exams and the ISACA official review manual both say business risk is the top factor here. Someone disagree?

CalmEngineer1454 Feb 14, 2026 4:32 am

CuriousAnalyst9909 Jan 31, 2026 6:12 am

I don’t think it’s A. B makes more sense since aligning with the security policy ensures everyone classifies data the same way across the org. Business risk is important too but policies are what everyone actually follows day to day. Could be wrong here but that’s my take, especially thinking about real-life processes. Anyone disagree?

Hannah U. Feb 7, 2026 4:26 pm

I don’t think B makes sense here. A (business risk) is what I saw on similar exam reports.

Ajay O. Jan 27, 2026 2:33 pm

C/D? I can see why retention (C) and industry standards (D) might factor in, but real world classification always circles back to the impact on the business. Still, curious if there are any orgs out there that treat industry requirements as primary drivers. Most I've seen use risk at the core.

Sofia A. Jan 31, 2026 5:04 pm

Why not C? Retention matters but classification really drives controls based on business risk, not just legal timelines.

Be respectful. No spam.

Correct Answer:

Explanation

Information classification is a fundamental process in information security governance and risk management. Its primary purpose is to ensure that security controls are applied in a manner that is proportionate to the value of the information and the potential impact of its compromise. This potential impact—covering confidentiality, integrity, and availability—is the definition of business risk. Therefore, aligning the classification scheme directly with business risk ensures that the most critical assets receive the highest level of protection, optimizing security investments and effectively mitigating threats to the organization's objectives.

Why Incorrect

B. The security policy mandates and defines the classification process, but the classification levels within the policy must be based on business risk.

C. Data retention requirements are an important part of the information lifecycle but are a consequence of classification and legal/regulatory needs, not the primary driver for it.

D. Industry standards provide valuable frameworks and best practices, but they must be adapted to the specific business context and risk appetite of the organization.

References

1. ISACA

CISA Review Manual

27th Edition. Domain 3: Information Systems Acquisition

Development

and Implementation

Section 3.4.2

"Information Asset Classification." The manual states

"The objective of classification is to ensure that information assets receive an appropriate level of protection... The classification is based on the value of the asset to the organization

its sensitivity and its criticality." This concept of value

sensitivity

and criticality is a direct measure of business risk.

2. ISACA

COBIT® 2019 Framework: Governance and Management Objectives. Management Objective APO14

"Managed Data." The description for this objective emphasizes the need to "Classify data in accordance with its business criticality." This directly links the classification process to the data's importance to business operations

which is a core component of business risk assessment.

3. National Institute of Standards and Technology (NIST)

Special Publication 800-53 Revision 5

Security and Privacy Controls for Information Systems and Organizations. Control Family: Program Management (PM)

Control: PM-11

"Mission/Business Process Definition." The guidance notes that understanding mission/business processes is essential for determining information protection needs. This establishes a direct link between business context (and its associated risks) and the application of security controls

which is governed by classification.

Q: 9

Which of the following should be of MOST concern to an IS auditor reviewing an organization's operational log management?

Options

Discussion

ParkerZ Feb 3, 2026 3:23 am

D. Not B, since logging to immutable files is usually best practice for integrity. Lack of standard formats (D) just breaks correlation and makes audits a nightmare. Seen similar stuff in exam reports.

Casey Y. Feb 11, 2026 11:54 am

Standardizing log formats is key or analysis becomes a nightmare. D is much more of a blocker than A or C.

Quinn Jan 26, 2026 8:44 pm

C . Dealing with multiple log files per app seems like it could cause more issues for an auditor trying to follow a complete event trail, even if formats are mostly ok. Not 100% though, happy to hear other takes.

SeasonedReviewer6471 Feb 4, 2026 11:23 am

B. not D. I get why lack of standardization (D) is a pain, but if critical events are logged to immutable files (B) and something isn't right with their integrity or access, that could actually be worse. I'm iffy here so maybe missing something obvious.

Ava L. Feb 7, 2026 9:02 am

A is wrong, D. Official guide really stresses standardization for log review, so without it, audit and correlation basically break down.

Leo Feb 2, 2026 6:52 am

D , saw something like this on a practice test. Without standardized log formats, correlating events and running any kind of automated analysis is almost impossible. The other issues slow you down but format chaos kills auditing. Pretty sure this is what ISACA looks for, but open to pushback.

Taylor M. Jan 30, 2026 8:44 am

C/D? Both are issues, but I remember seeing something like this before and D was flagged as the bigger problem. Without standardized formats, you can't do effective correlation or automated analysis. C is annoying for auditors, but with standard formats you can still parse everything. Not 100% though, open to other views.

Ishaan Feb 14, 2026 1:57 am

I don’t think D is as urgent here-C actually stands out more to me. If apps are logging to multiple files, it really complicates centralized monitoring and makes it a hassle for auditors, even more so if you’re already dealing with decent format consistency. Maybe I’m missing something but C feels like the real headache.

Olivia F. Jan 28, 2026 4:17 pm

C tbh. Multiple files makes aggregation a pain, more so than just inconsistent formats imo.

Jason Y. Feb 10, 2026 6:59 am

Maybe C, since having events in multiple log files can make monitoring trickier and harder to correlate. Not totally sure though.

Be respectful. No spam.

Correct Answer:

Explanation

The lack of standardized data formats across logs is the most significant concern for an IS auditor. Non-standardized logs severely hinder the ability to aggregate, correlate, and analyze security events across different systems and applications. This makes it extremely difficult, if not impossible, to perform effective automated monitoring, trace the sequence of events during a security incident, or conduct meaningful forensic analysis. This fundamental flaw undermines the primary purpose of log management, which is to provide a coherent and actionable view of operational and security-related activities throughout the IT environment.

Why Incorrect

A. Growing log file size is an expected operational trend, primarily representing a capacity and retention policy issue, not a fundamental control weakness.

B. Logging critical events to immutable files is a security best practice that ensures log integrity and is considered a control strength, not a concern.

C. It is common and often necessary for complex applications to generate multiple log files for different functions; this is manageable with proper log aggregation tools.

References

1. ISACA. (2019). CISA Review Manual

27th Edition. Page 238. The manual states that for logs to be useful for analysis and to create a proper audit trail

they should be "in a consistent format." A lack of standardization directly violates this principle.

2. National Institute of Standards and Technology (NIST). (2006). Special Publication 800-92: Guide to Computer Security Log Management. Section 3.1.2

"Log Generation." This guide explicitly states

"Organizations should also establish standardized log formats

such as the same timestamp format

for all logs. Standardization makes it much easier to perform automated log analysis."

3. Kent

& Souppaya

M. (2006). The challenges of log analysis. CrossTalk

The Journal of Defense Software Engineering

19(5)

21-25. The article highlights that a major challenge in log analysis is the "lack of a standard logging format

" which complicates the correlation of events from diverse sources.

Q: 10

Which of the following provides the MOST assurance of the integrity of a firewall log?

Options

Discussion

VikramM Feb 9, 2026 5:46 pm

Had something like this in a mock. C makes sense since log can't be altered, which is the main thing for integrity. Rest are good but not enough to guarantee original data.

Liam C. Jan 26, 2026 7:58 am

Its C, not B. Being read-only prevents tampering, initial or ongoing review isn't enough here.

Neha W. Jan 26, 2026 10:58 pm

My vote is C since logs that can't be modified provide the most direct assurance of integrity. Reviewing or restricting access helps, but only immutability really stops tampering. I think that's what the question is looking for, agree?

Neha M. Feb 2, 2026 6:59 am

C imo, because if the log can't be modified, its integrity is preserved regardless of who accesses it or how often it's reviewed. The others are good practices but they don't actually prevent tampering. Pretty sure that's the main point.

Piya U. Feb 3, 2026 1:58 am

Why assume monthly reviews (A) would guarantee integrity if someone could still alter the log?

Jordan P. Feb 2, 2026 11:19 am

Honestly, I'm between C and B here. Not sure since authorized access (B) helps, but if the log can't be modified at all (C), that's better for pure integrity. Monthly reviews or retention don't actually stop tampering. C feels right for MOST assurance, but open to counterpoints.

Ava O. Feb 6, 2026 9:20 am

Option C. but only if the logs are truly immutable. If write-once isn't enforced, A could matter more.

Ava Jan 27, 2026 11:24 pm

C imo, review official guide and practice questions for log integrity scenarios.

SteadyNeteng2352 Feb 9, 2026 1:05 am

Probably C, similar question in the official guide. For integrity, immutability is key so I'd use that as the answer.

Be respectful. No spam.

Correct Answer:

Explanation

The principle of integrity in information security ensures that data has not been altered in an unauthorized manner. A log that cannot be modified (i.e., is immutable or write-once) provides the highest level of assurance that its contents are original, accurate, and trustworthy. This is a fundamental preventive control for maintaining the evidentiary value of logs. While other options are good security practices, they do not directly guarantee that the log data itself has not been tampered with. Immutability is the most direct and effective control for assuring log integrity.

Why Incorrect

A. Reviewing logs is a detective control used to identify anomalies after they occur; it does not prevent the log from being altered beforehand.

B. Authorized access is a control primarily for confidentiality. An authorized user with modification privileges could still alter the log, compromising its integrity.

D. Retaining logs according to policy ensures their availability for future analysis and meets compliance requirements, but it does not protect the content from modification.

---

References

1. ISACA

CISA Review Manual

27th Edition. Domain 4: Information Systems Operations and Business Resilience

Task Statement 4.5. The manual emphasizes that for logs to be effective for forensic analysis

their integrity must be maintained. It discusses techniques such as writing logs to write-once

read-many (WORM) devices or a separate

secured log server to prevent modification.

2. National Institute of Standards and Technology (NIST) Special Publication 800-92

"Guide to Computer Security Log Management." Section 3.3

"Log Storage and Disposal

" states

"Protecting log information from unauthorized modification and destruction is critical for preserving its integrity." It recommends storing logs on a separate

dedicated log server with restricted access and using append-only mechanisms to prevent alteration of existing log data.

3. ISACA

IT Audit

Control

and Security

by Robert R. Moeller (2009). Chapter 16

"Auditing Firewalls

Extranets

and Other Network Security Systems." The text discusses the importance of firewall logs as an audit trail and highlights that their value is contingent on controls that prevent tampering

such as remote logging to a secure

write-protected server. This directly supports the concept that immutability is the key to integrity.

Question 1 of 20 · Page 1 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE