View CISA Exam Questions

Q: 1

Which of the following would present the GREATEST concern during a review of internal audit quality assurance (QA) and continuous improvement processes?

Options

Discussion

Chris A. Mar 15, 2026 11:00 am

A , not having periodic external assessments is a direct violation of mandatory QA standards, bigger flag than just missing some testing (D). Seen similar in CISA guides.

Zoe W. Mar 19, 2026 1:11 pm

No external assessment is a dealbreaker for standards so A.

Sean Mar 29, 2026 7:59 am

A , saw this in a similar practice set and official CISA guide says missing external QA violates standards, which is a huge problem for audit credibility.

IvyU Mar 31, 2026 12:13 am

D . If you don't do substantive testing during some assessments, you could totally miss key control failures. That feels like a bigger risk to audit quality, even if A is more about compliance.

Rowan W. Mar 22, 2026 3:17 am

Pretty sure it's D. If you skip substantive testing during assessment, huge audit findings could slip through. Open to being convinced otherwise.

FocusedMentor9952 Mar 30, 2026 10:17 am

Similar question was in the official guide and practice test, both point to A as the main concern.

Jamie Mar 13, 2026 10:30 am

A , not having periodic external assessments is a clear breach of professional audit standards (IIA 1312). D trips people up since missing substantive testing matters, but A is a straight standards violation. Could be wrong, but that's what I saw on similar questions.

Adam Mar 22, 2026 9:34 am

I don’t think it’s A. D is a bigger deal in practice, since missing substantive testing during assessments could lead to undetected issues. Pretty sure about this, but if we're talking strict standards, maybe I'm off.

Riley Mar 13, 2026 1:27 pm

Missing external QA reviews (A) is a direct standards violation, so it's the biggest problem here. Consistency in tracking (C) matters, but not meeting IIA requirements for external review is the real deal-breaker. Pretty sure about this, but happy to hear any counterpoints.

FriendlyOps1732 Mar 17, 2026 9:41 am

A, No external reviews (A) is a mandatory QAIP failure, bigger concern than D missing testing, at least for CISA. Open to other views if I missed something.

Be respectful. No spam.

Correct Answer:

Explanation

The absence of periodic external assessments is a direct violation of mandatory professional standards, such as The Institute of Internal Auditors (IIA) Standard 1312, which requires an external quality assessment at least once every five years. This is a fundamental component of a Quality Assurance and Improvement Program (QAIP). Failure to perform this independent review presents the greatest concern because it undermines the credibility, objectivity, and perceived value of the entire internal audit function. It deprives the audit committee and senior management of independent assurance that the audit activity conforms with globally recognized standards and operates effectively.

Why Incorrect

B. While reporting to the audit committee is critical, the specific frequency (e.g., quarterly) is a procedural detail; a lack of reporting altogether would be the core issue.

C. Inconsistent tracking of corrective actions is a significant internal process weakness, but the lack of an external assessment is a more fundamental governance failure that would likely identify such issues.

D. The use of substantive testing depends on the specific audit's objectives and risk assessment; its absence is not inherently a quality assurance failure for all audits.

---

References

1. The Institute of Internal Auditors (IIA)

International Standards for the Professional Practice of Internal Auditing (Standards)

July 2023. Standard 1312: External Assessments states

"External assessments must be conducted at least once every five years by a qualified

independent assessor or assessment team from outside the organization." The standard's interpretation notes that this assessment provides an independent opinion on the internal audit activity's conformance with the Standards and Code of Ethics.

2. ISACA

CISA Review Manual

27th Edition

2019. Domain 1: Information System Auditing Process

Section 1.5.4 Quality Assurance of the Audit Function. This section discusses the need for a quality assurance and improvement program that includes both internal and external reviews to ensure the audit function's compliance with standards and its overall effectiveness. The manual emphasizes that external reviews provide independent assurance to stakeholders.

3. Anderson

U. L.

Head

M. J.

Ramamoorti

Riddle

Salamasick

& Sobel

P. J. Internal Auditing: Assurance & Advisory Services

4th Edition. The IIA Research Foundation

2017. Chapter 2

"The International Professional Practices Framework: Authoritative Guidance for the Internal Audit Profession

" details the components of a QAIP

explicitly citing Standard 1312 and explaining that external assessments are crucial for validating the internal audit function's conformance with professional standards and identifying opportunities for improvement.

Q: 2

During a follow-up audit, an IS auditor learns that some key management personnel have been replaced since the original audit, and current management has decided not to implement some previously accepted recommendations. What is the auditor's BEST course of action?

Options

Discussion

SteadyCandidate5911 Mar 14, 2026 4:57 am

Option B, That's the normal escalation, audit manager before going higher. ISACA wants the chain followed. Agree?

ChrisM Mar 28, 2026 7:50 am

Hard to say, B. Reporting up to the audit manager matches the escalation path you see in the official ISACA guide and practice tests. Other options skip steps or don't address change in risk acceptance. Check official resources to drill this process, but I'm pretty sure that's what they want here. Agree?

Kevin O. Mar 29, 2026 9:18 am

Don't think it's A since that's skipping protocol, and C/D miss the reporting piece. B is the best call here.

Sara H. Mar 19, 2026 9:09 pm

Don't think it's A-standard process is to inform the audit manager first. B is what I've seen in similar questions.

Layla H. Mar 14, 2026 10:22 am

B vs A. If "best" means stick to process, then B is right since you always report up the audit chain before escalating. But if it was an urgent risk or management was actively creating exposure, some exam questions flip to A. Here, pretty sure ISACA wants B due to standard escalation. Agree?

Morgan Y. Mar 22, 2026 12:08 pm

I don't think you'd go straight to the audit committee for this. Option A is tempting since it's a serious change, but chain of command matters. B

Casey B. Mar 27, 2026 10:18 am

If management changed and isn't implementing old recommendations, is there any hint the risk level changed too? I'm not sure if that's enough to go to A or if B is just the usual reporting chain. What's the typical ISACA expectation here?

Ryan Mar 28, 2026 9:32 am

B , audit manager is the proper escalation. A is tempting but that's skipping protocol.

Adam Mar 15, 2026 7:13 am

Guessing A here-feels like if management isn't following through, you tell the audit committee chair directly. Retesting or closing seems off for unaddressed recs. Not totally sure, but that's what I'd pick.

RobinI Mar 17, 2026 6:01 am

A is wrong, B. Reporting to the audit manager keeps it in the right escalation path per ISACA.

Be respectful. No spam.

Correct Answer:

Explanation

The IS auditor's immediate responsibility is to report findings and significant developments within the audit's chain of command. The decision by new management to not implement previously accepted recommendations represents a change in risk acceptance and is a material finding for the follow-up audit. The auditor must report this to the audit manager, who is responsible for overseeing the audit engagement. The audit manager will then determine the appropriate next steps, which may include discussing the issue with senior management and deciding whether escalation to the audit committee is warranted. This ensures that the audit function's internal procedures and reporting lines are respected.

Why Incorrect

A. Notifying the chair of the audit committee is a significant escalation. This step should be determined by audit management, not undertaken unilaterally by the auditor as a first action.

C. Retesting the control is irrelevant. The issue is not the control's operational effectiveness but management's conscious decision not to implement the agreed-upon remediation.

D. Closing the audit finding is incorrect. The finding cannot be closed because the risk has not been mitigated as planned. Management's decision to accept the risk must be documented and reported.

---

References

1. ISACA

CISA Review Manual

27th Edition. Chapter 1

The Process of Auditing Information Systems

p. 59. The manual states

"The IS auditor should report to the audit manager/director... The audit manager/director is responsible for ensuring that the communication is directed to the appropriate parties." This establishes the correct internal reporting line that the auditor must follow.

2. ISACA

ITAF: A Professional Practices Framework for IS Audit/Assurance

4th Edition. Guideline 2401 Reporting

Section 2401.7 Supervisory Review. This guideline emphasizes that "IS audit and assurance work papers should be reviewed by a senior member of the IS audit and assurance function before the audit reports are finalized and issued." This reinforces the principle that findings

especially significant ones like a change in management's risk posture

must be reviewed internally by management (i.e.

the audit manager) first.

3. ISACA

CISA Review Manual

27th Edition. Chapter 1

The Process of Auditing Information Systems

p. 61. Regarding follow-up

it notes

"If management has assumed the risk of not correcting the reported condition

this should be documented by the IS auditor and communicated to senior management and the audit committee." While this communication is necessary

the process begins with reporting the situation to the audit manager

who then directs these subsequent communications.

Q: 3

An externally facing system containing sensitive data is configured such that users have either read-only or administrator rights. Most users of the system have administrator access. Which of the following is the GREATEST risk associated with this situation?

Options

Discussion

Luke E. Mar 22, 2026 9:52 am

Getting tired of ISACA questions focused on least privilege but yeah, probably C. This is classic admin rights risk.

Piya S. Mar 22, 2026 4:59 pm

Nah, B is tempting because of the sensitive data, but it's C. Admin rights let users make unauthorized changes, way riskier on an external system.

Anita C. Mar 27, 2026 12:02 am

C or D? After reading the scenario again, I still feel C stands out since admin rights mean users can directly change system configs and data, not just view or install things. That risk is usually more critical than open-source installs (D). I'm mostly sold on C, but if anyone has a solid reason for D, let me know.

Kevin V. Mar 27, 2026 10:33 pm

B for me. If most users have admin access, they obviously can see sensitive data, so exposure is the biggest risk in my view. Maybe I'm missing a bigger process thing but B sticks out.

MiaO Mar 18, 2026 9:20 pm

C or D. Both are risky but I'm leaning to C since unauthorized changes can break stuff or cause breaches. Not totally sure though, could see an argument for D.

Jason E. Mar 15, 2026 1:53 am

I don’t think it’s B. C is the bigger issue here because admin rights let users make unauthorized changes, which messes with both integrity and availability. B just covers viewing data, but C can lead to way worse breaches. Some might pick D for open-licensed software but that risk usually isn’t greater than allowing anyone to change configs. Open to other takes though.

Taylor Mar 27, 2026 11:59 pm

Anyone else find the official guide hammers home least privilege for these? Similar practice questions almost always put C as the biggest risk.

QuietDev6564 Mar 25, 2026 5:43 am

Would C still be right if most users only had read-only access instead of admin?

Reese M. Mar 30, 2026 6:44 am

Its C since admin access means users can change configs or data, intentionally or accidentally. That risk outweighs just seeing data (B) or installing stuff (D). Least privilege is totally ignored here. I saw a similar question in practice exams, and unauthorized changes were always flagged as highest risk when admin rights are overused. Anyone disagree?

Be respectful. No spam.

Correct Answer:

Explanation

The principle of least privilege is a fundamental security concept requiring that users be granted only the access and permissions necessary to perform their job duties. In this scenario, providing administrator rights to most users on an externally facing system containing sensitive data is a severe violation of this principle. Administrator privileges inherently grant the ability to alter system configurations, modify or delete data, and change security settings. This creates the greatest risk of unauthorized changes, whether malicious or accidental, which directly compromises the integrity, availability, and confidentiality of the system and its data.

Why Incorrect

A. While administrators can export logs, this is a specific action. The ability to make any unauthorized change is a much broader and more significant risk.

B. Viewing sensitive data is a function of the system for both user types. The core issue highlighted is the risk from excessive privileges, not authorized access.

D. Installing software is a subset of the actions an administrator can perform. The overarching risk is the general capability to make unauthorized changes, which includes more than just software installation.

---

References

1. ISACA

CISA Review Manual

27th Edition. Domain 4: Information Systems Operations

Maintenance and Service Management

Section 4.4 Logical Access. The manual emphasizes that access rights should be granted based on the "need-to-know" and "need-to-do" principles

and that powerful privileges (such as administrator rights) must be strictly controlled to prevent unauthorized activities that could compromise the system.

2. National Institute of Standards and Technology (NIST) Special Publication 800-53

Revision 5. Security and Privacy Controls for Information Systems and Organizations

Control AC-6 "Least Privilege." This control states: "The organization employs the principle of least privilege

allowing only authorized accesses for users...that are necessary to accomplish assigned tasks." The discussion section notes that this prevents users from making unauthorized changes or performing functions outside their roles.

3. Saltzer

J. H.

& Schroeder

M. D. (1975). The Protection of Information in Computer Systems. Proceedings of the IEEE

63(9)

1278-1308. This foundational academic paper introduces the principle of least privilege

stating

"Every program and every user of the system should operate using the least set of privileges necessary to complete the job." The rationale is to limit the damage that can result from an accident or error. (DOI: https://doi.org/10.1109/PROC.1975.9939

Section I.A.3).

Q: 4

Which of the following is MOST important for an IS auditor to verify when evaluating an organization's firewall?

Options

Discussion

PracticalNeteng649 Mar 26, 2026 4:05 am

Always see A flagged for this in official guide and practice questions. For auditor roles, preserving logs on a separate host is crucial since attackers often wipe local logs first. Without that, you can’t reliably trace incidents after a breach. Pretty sure about A here, but if anyone finds newer ISACA guidance that swaps priorities let me know.

Jamie J. Mar 19, 2026 9:54 pm

If the logs are already sent off-device, why wouldn't config file access (D) be just as important for audit trust?

Karan F. Mar 15, 2026 7:51 pm

A here, since log integrity is the main thing an IS auditor checks. If logs aren't on a separate protected host, audit trail can be compromised. Pretty sure that's the CISA perspective, but let me know if you see it differently.

Casey N. Mar 28, 2026 12:40 am

Audit focus so that's A.

PiyaB Mar 14, 2026 12:37 pm

C/D? CISA stuff always flips my brain, but I'm thinking maybe A is too textbooky this time.

Adam C. Mar 28, 2026 5:31 pm

Its D, restricting config file access prevents unauthorized changes so I think that's what matters most. Saw similar in exam reports and config control is always a trap option.

Ava S. Apr 1, 2026 11:22 am

A tbh, audit is all about making sure the logs can't be tampered with, so storing them separately matters most. If attackers get in, local logs might get wiped. Pretty sure that's what ISACA wants here but willing to hear other takes.

Morgan A. Mar 21, 2026 12:55 pm

Its D, had something like this in a mock. Config file access seems most critical for control.

SharpSec6388 Mar 12, 2026 9:54 am

A . Audit needs logs kept safe from tampering, so separate protected host is key here.

Olivia B. Mar 15, 2026 5:14 am

A , saw similar wording before. For auditors, having logs on a separate protected host means reliable evidence even if the firewall is compromised. Config access (D) is key for ops, but audit integrity relies more on untouched logs. Disagree?

Be respectful. No spam.

Correct Answer:

Explanation

The integrity of the audit trail is paramount for an IS auditor. If a firewall is compromised, an attacker's first action is often to alter or delete local logs to cover their tracks. Storing logs on a separate, protected host (e.g., a SIEM or a hardened log server) ensures that a reliable and tamper-evident record of all network activity and potential security incidents is preserved. This preserved evidence is essential for forensic investigation, incident response, and for the auditor to verify the firewall's operational effectiveness over time.

Why Incorrect

B. Automated alerts are being sent when a risk is detected: Alerts are generated from log data. If the underlying logs are not protected and can be tampered with (as addressed in A), the alerts become unreliable or may not be generated at all.

C. Insider attacks are being controlled: This is a broad security objective, not a specific firewall control. A firewall is only one component in a defense-in-depth strategy to mitigate insider threats.

D. Access to configuration files Is restricted: While this is a critical preventive control, a system can still be compromised via other means (e.g., a zero-day vulnerability). In such a case, secure, external logs are the only way to detect and investigate the breach. The integrity of evidence (logs) is fundamental to the audit function.

---

References

1. ISACA

CISA Review Manual

27th Edition

2019.

Page 213

Section 4.4.4 Security Event Logging and Monitoring: "The IS auditor should verify that security events are logged and that the logs are secured to prevent tampering... Log data should be sent to a dedicated log server to prevent the logs from being destroyed by an attacker." This directly supports the critical need to secure logs on a separate host to prevent tampering

which is a primary concern for an auditor.

2. ISACA

"Auditing Network Perimeters

" Audit Program

2016.

Section 3.2.4: The audit program directs the auditor to "Verify that firewall logs are enabled to log all inbound and outbound traffic

and sent to a dedicated and secured log server." This step is crucial for ensuring a complete and reliable audit trail

which underpins the entire audit of the control's operation.

3. NIST Special Publication 800-92

"Guide to Computer Security Log Management

" 2006.

Section 3.4.1

Page 3-10: "Organizations should store logs on dedicated log servers

not on the hosts that generate the logs... Storing logs on a different system from the one that generates them makes it more difficult for attackers to tamper with the logs." This official guideline establishes the practice as a fundamental security principle for maintaining log integrity.

Q: 5

Which of the following would be of GREATEST concern to an IS auditor reviewing an IT strategy document?

Options

Discussion

LiamM Mar 12, 2026 6:52 am

Option C

Rowan Q. Mar 16, 2026 11:34 pm

Option C makes sense. If IT strategy is only following trends and not aligning with actual business objectives, that's a huge risk. The point is to support the organization's needs, not just chase what’s new in the market. Pretty sure that's the biggest red flag here. Agree?

Luke P. Mar 13, 2026 12:24 pm

Would anyone actually rank B over C for biggest risk to long-term business alignment? Curious how you’d justify that.

Rowan Mar 23, 2026 7:46 pm

Nah, B isn't the biggest concern here. It's C since goals based only on market trends ignore business alignment.

Rowan W. Mar 20, 2026 5:23 pm

C , because if IT goals are just based on market trends and not tied to the actual business strategy, there's a huge risk of misalignment. Option B is tempting but not hitting old goals isn’t as critical as losing focus on business needs. Anyone disagree?

Ishaan B. Mar 22, 2026 9:22 am

It's gotta be C here. If IT goals only come from market trends, that's a big red flag since there's no guarantee they're helping with what the business actually needs. That misalignment is what IS auditors worry about most, I think. Anyone disagree?

Drew I. Mar 29, 2026 2:10 am

C is the real issue since IT strategy needs to fit business goals, not just follow trends. If strategic direction comes only from the market, you risk major misalignment. Pretty confident in C but open if anyone sees it differently.

Owen Y. Mar 17, 2026 7:31 am

I don't think B is as critical as some think-strategic alignment is a bigger deal. C looks right here, since just chasing market trends without mapping to business objectives is a classic trap for auditors. C.

PracticalAnalyst3727 Mar 14, 2026 12:45 pm

Honestly, I'd say B here. Not hitting last year's IT strategic goals signals ongoing issues that might impact future strategies. I know C is risky too, but missing objectives feels like a big red flag to me. Anyone else see it that way?

Avery Z. Mar 16, 2026 3:49 pm

Maybe C. If the IT goals only track market trends, they're probably missing what the business actually needs. Misalignment with business strategy tends to be a big deal for IS auditors. Not totally sure, but that's my take.

Be respectful. No spam.

Correct Answer:

Explanation

The primary objective of an IT strategy is to ensure that IT plans and activities support and enable the overall business strategy. An IT strategy derived solely from market trends is fundamentally misaligned with the organization's specific goals and needs. This represents the greatest strategic risk because it can lead to the misallocation of resources, investment in inappropriate technologies, and a failure to deliver value to the business. The IS auditor's main concern in a strategic review is this alignment between business objectives and IT initiatives.

Why Incorrect

A. Defining target architecture at a technical level within a strategy document can indicate thorough planning and is not inherently a concern.

B. While not achieving prior goals is a concern about execution, a flawed basis for the current strategy is a more fundamental and critical issue.

D. Including financial estimates is a best practice for effective planning, budgeting, and demonstrating due diligence, not a point of concern.

References

1. ISACA. (2019). CISA Review Manual

27th Edition. Domain 2: Governance and Management of IT

Section 2.3.1 IT Strategic Plan. The manual states

"The IT strategic plan must be an integral part of the overall business strategic plan... The focus should be on strategic alignment..." This highlights that the business plan

not external trends alone

must be the primary driver.

2. ISACA. (2018). COBIT 2019 Framework: Introduction and Methodology. Chapter 3

The COBIT Core Model

p. 21. The COBIT goals cascade model explicitly shows that enterprise goals are derived from stakeholder needs

and alignment goals (IT-related goals) are derived from enterprise goals. This framework establishes a clear top-down linkage from business needs to IT strategy.

3. Luftman

J. N. (2000). Assessing business-IT alignment maturity. Communications of the Association for Information Systems

4(1)

Article 14. This foundational academic paper on strategic alignment maturity notes that lower levels of maturity are characterized by a lack of a clear

business-driven IT strategy. Relying on trends instead of business goals is indicative of low alignment maturity. (DOI: https://doi.org/10.17705/1CAIS.00414)

Q: 6

Which of the following should be an IS auditor's PRIMARY consideration when determining which issues to include in an audit report?

Options

Discussion

Olivia W. Mar 15, 2026 3:07 am

Makes sense to pick C. Practice questions and the official guide both point to materiality as the main factor for what goes into audit reports. I think that's what ISACA focuses on, but open if anyone has a different take.

Mia Mar 20, 2026 11:46 pm

C , that's how audit reporting works per most CISA books.

Sara F. Mar 14, 2026 6:05 pm

Pretty clear for me, it's C. Materiality is that key filter for audit report inclusions.

Morgan Apr 1, 2026 11:22 am

Nah, I don’t think it’s D. C is the main filter here since materiality drives what gets reported.

RaviW Mar 15, 2026 5:41 pm

Its C, but if the audit covers low criticality areas sometimes D gets reported too, weird edge cases.

Priya V. Mar 21, 2026 2:43 pm

Option D

Rowan T. Mar 29, 2026 4:07 am

C vs D for me. C (materiality) is usually the main criterion for what gets reported, but sometimes inherent risk feels close especially in different frameworks. I still think it's probably C though, unless I'm missing a nuance here.

Jack H. Mar 13, 2026 6:07 am

Wouldn't materiality always take precedence over inherent risk for what actually goes in the final audit report? D is important in planning, but C feels more like the reporting filter. Curious if anyone's seen an exception.

Vikram Mar 17, 2026 12:02 pm

C, seen similar in practice exams-materiality is always top when picking what goes in the audit report.

Quinn O. Mar 21, 2026 5:24 pm

C beats D for primary consideration. Materiality is always the core reason findings make it into the report, not just inherent risk. Some folks get tripped up thinking it's about what management agrees on, but that's not the IS auditor focus. Anyone disagree?

Be respectful. No spam.

Correct Answer:

Explanation

The primary consideration for an IS auditor when determining which issues to include in an audit report is materiality. Materiality refers to the significance of a finding in the context of the audit objectives. An audit finding is material if its omission or misstatement could influence the decisions of management or other stakeholders. The purpose of the audit report is to communicate significant findings that require management's attention and potential action. Focusing on material issues ensures that the report is relevant, impactful, and drives improvements in governance, risk management, and control, rather than overwhelming stakeholders with trivial details.

Why Incorrect

A. Professional skepticism is a critical professional attitude and mindset that must be applied throughout the entire audit process, not a specific criterion for selecting which findings to report.

B. Requiring management's agreement on findings before inclusion would fundamentally compromise the auditor's independence and objectivity, which are cornerstones of the audit profession.

D. Inherent risk is assessed during the audit planning phase to determine the nature and extent of audit procedures, not to decide which identified findings are significant enough for the final report.

---

References

1. ISACA. (2019). CISA Review Manual

27th Edition. Section 1.3.2

"Materiality

" states

"Materiality is a key concept that will be used when planning the audit and when evaluating the identified errors and irregularities... The IS auditor should consider materiality when determining the reportable findings."

2. ISACA. (2014). ITAF: A Professional Practices Framework for IS Audit/Assurance

4th Edition. Guideline 2204

"Materiality

" Section 3.1

notes that "IS audit and assurance professionals should consider materiality and its relationship to audit risk when... evaluating the effect of identified control weaknesses and/or lack of compliance with established processes." This evaluation directly informs what is reported.

3. Singleton

T. (2011). The Core of the CISA Exam. ISACA Journal

Volume 2. This article emphasizes that a CISA candidate must understand core concepts

stating

"Materiality is a concept that relates to the importance or significance of an amount

transaction or discrepancy... The IS auditor must consider materiality in determining the appropriate reportable conditions."

Q: 7

A review of an organization’s IT portfolio revealed several applications that are not in use. The BEST way to prevent this situation from recurring would be to implement.

Options

Discussion

Ben V. Mar 20, 2026 7:57 pm

D . Asset life cycle management isn't just about what gets bought, it's about reviewing, maintaining, and retiring applications too. That covers unused apps hanging around. Pretty sure that's what the question targets.

SharpAnalyst4424 Mar 14, 2026 12:10 am

I don’t think it’s D. I picked B since business case development should stop people from buying stuff they don’t really need in the first place. Seems like if you have that up front, you avoid shelfware entirely. Maybe I’m missing how ongoing life cycle steps would catch it later, but B seems closer to root cause for me. Agree?

Sanjay U. Mar 13, 2026 9:43 pm

D imo, only asset life cycle management handles retiring unused applications so that's the best fit here.

Ethan G. Mar 18, 2026 5:39 am

D , asset life cycle management is what actually covers the whole process from acquisition to retirement, so it helps avoid accumulating unused applications. Just managing acquisition (like C) doesn't catch stuff falling out of use later. Pretty sure D’s the standard governance control here. Open to other takes if I missed something practical.

Ajay Mar 21, 2026 7:10 pm

B , business case procedures should catch if apps aren't needed in the first place. D is tempting though.

QuickSec5015 Mar 17, 2026 9:54 pm

D tbh, that's what covers ongoing review and retiring unused assets. Nothing else here really deals with the whole application lifespan.

Casey Mar 29, 2026 10:46 am

D imo. Had something like this in a mock exam and asset life cycle management was the expected pick for unused apps.

Maya Mar 27, 2026 9:13 pm

C vs D here-if it's about ongoing review and retiring unused apps, D (Asset life cycle management) is probably the way to go since it covers the whole process. C only handles what gets acquired, not after. Pretty sure D is best but I see why folks get stuck.

FriendlyOps3521 Mar 30, 2026 5:25 am

I think D, not C. Asset life cycle management covers retirement, not just acquisition. C is a common trap here.

Maya J. Mar 20, 2026 4:14 am

Sick of how ISACA always makes these sound trickier than they are. D imo.

Be respectful. No spam.

Correct Answer:

Explanation

The presence of unused applications indicates a failure in managing the entire lifespan of IT assets. Asset life cycle management is a comprehensive process that governs an asset from planning and acquisition through deployment, utilization, maintenance, and eventual retirement. Implementing this framework ensures that applications are periodically reviewed for their continued business value and are properly decommissioned when no longer needed. This proactive management directly prevents the accumulation of unused software ("shelfware") by embedding review and retirement phases into standard procedure, addressing the root cause of the problem.

Why Incorrect

A. A formal request for proposal (RFP) process only addresses the procurement phase, not the ongoing management or retirement of the asset.

B. Business case development justifies the initial acquisition but does not ensure the asset is used or retired appropriately later in its life cycle.

C. An information asset acquisition policy governs how assets are purchased but does not cover their management throughout their useful life and disposal.

---

References

1. ISACA

CISA Review Manual

27th Edition (2019). Domain 2: IT Governance and Management

Section 2.5

"IT Resource Management." This section details the importance of managing IT assets throughout their life cycle

including acquisition

deployment

maintenance

and retirement

to ensure they continue to provide value to the business.

2. ISACA

COBIT 2019 Framework: Governance and Management Objectives (2018). Management Objective BAI09

Managed Assets. This objective explicitly covers the need to "Manage IT assets through their life cycle to make sure that their use is optimized for value

and they are disposed of in a timely and proper manner." (p. 153).

3. ISACA

COBIT 2019 Framework: Governance and Management Objectives (2018). Management Objective APO05

Managed Portfolio. This objective includes practices for managing the portfolio of IT-enabled investments

which involves evaluating and retiring obsolete or low-value applications and services to optimize overall portfolio value. (p. 85).

Q: 8

When classifying information, it is MOST important to align the classification to:

Options

Discussion

Ethan H. Mar 16, 2026 7:28 pm

Option A, business risk. Info classification really needs to map directly to what could impact the business most.

Layla C. Mar 27, 2026 11:02 am

A . Classification always comes back to business risk, since that's what determines the level of control or protection you need. Policy is important but it's built from risk assessments anyway.

Jordan Mar 26, 2026 5:45 pm

A, Practice exams and the ISACA official review manual both say business risk is the top factor here. Someone disagree?

CalmEngineer1454 Mar 31, 2026 11:57 am

CuriousAnalyst9909 Mar 17, 2026 1:37 pm

I don’t think it’s A. B makes more sense since aligning with the security policy ensures everyone classifies data the same way across the org. Business risk is important too but policies are what everyone actually follows day to day. Could be wrong here but that’s my take, especially thinking about real-life processes. Anyone disagree?

Ajay U. Mar 24, 2026 9:49 am

Yeah, it's A here. Risk is the driver for classification priorities in ISACA's framework.

Noah B. Mar 30, 2026 5:34 pm

Official guide points to A, business risk is what drives classification level decisions. Aligning to it ensures the right controls for confidentiality and impact. Pretty sure on this, but always worth double-checking with official ISACA material if in doubt.

Owen I. Mar 17, 2026 7:08 pm

Not B, A. Security policy matters but business risk is the trap-breaker here.

Olivia G. Mar 20, 2026 3:53 am

Guessing A, but if data retention was the key requirement instead of risk, maybe C could fit. Depends on what they want you to prioritize in the scenario.

Hannah U. Mar 24, 2026 11:51 pm

I don’t think B makes sense here. A (business risk) is what I saw on similar exam reports.

Be respectful. No spam.

Correct Answer:

Explanation

Information classification is a fundamental process in information security governance and risk management. Its primary purpose is to ensure that security controls are applied in a manner that is proportionate to the value of the information and the potential impact of its compromise. This potential impact—covering confidentiality, integrity, and availability—is the definition of business risk. Therefore, aligning the classification scheme directly with business risk ensures that the most critical assets receive the highest level of protection, optimizing security investments and effectively mitigating threats to the organization's objectives.

Why Incorrect

B. The security policy mandates and defines the classification process, but the classification levels within the policy must be based on business risk.

C. Data retention requirements are an important part of the information lifecycle but are a consequence of classification and legal/regulatory needs, not the primary driver for it.

D. Industry standards provide valuable frameworks and best practices, but they must be adapted to the specific business context and risk appetite of the organization.

References

1. ISACA

CISA Review Manual

27th Edition. Domain 3: Information Systems Acquisition

Development

and Implementation

Section 3.4.2

"Information Asset Classification." The manual states

"The objective of classification is to ensure that information assets receive an appropriate level of protection... The classification is based on the value of the asset to the organization

its sensitivity and its criticality." This concept of value

sensitivity

and criticality is a direct measure of business risk.

2. ISACA

COBIT® 2019 Framework: Governance and Management Objectives. Management Objective APO14

"Managed Data." The description for this objective emphasizes the need to "Classify data in accordance with its business criticality." This directly links the classification process to the data's importance to business operations

which is a core component of business risk assessment.

3. National Institute of Standards and Technology (NIST)

Special Publication 800-53 Revision 5

Security and Privacy Controls for Information Systems and Organizations. Control Family: Program Management (PM)

Control: PM-11

"Mission/Business Process Definition." The guidance notes that understanding mission/business processes is essential for determining information protection needs. This establishes a direct link between business context (and its associated risks) and the application of security controls

which is governed by classification.

Q: 9

Which of the following should be of MOST concern to an IS auditor reviewing an organization's operational log management?

Options

Discussion

ParkerZ Mar 20, 2026 10:48 am

D. Not B, since logging to immutable files is usually best practice for integrity. Lack of standard formats (D) just breaks correlation and makes audits a nightmare. Seen similar stuff in exam reports.

Casey Y. Mar 28, 2026 7:19 pm

Standardizing log formats is key or analysis becomes a nightmare. D is much more of a blocker than A or C.

Logan U. Mar 17, 2026 11:46 am

Maybe D. Most of the official materials and practice tests stress that non-standard log formats make correlation and automated analysis really hard. If you can't easily correlate logs, incident response gets messy fast. Could be wrong if the focus was storage.

Neha J. Mar 31, 2026 12:17 pm

Why does ISACA always slip in questions about log format standardization, like it isn't the most obvious audit headache. D tbh.

Drew X. Mar 20, 2026 1:04 pm

B is a bit of a distractor here. Standardization (D) really trips up correlation across environments, so that's more concerning imo.

Quinn Mar 13, 2026 4:08 am

C . Dealing with multiple log files per app seems like it could cause more issues for an auditor trying to follow a complete event trail, even if formats are mostly ok. Not 100% though, happy to hear other takes.

ChrisB Mar 14, 2026 7:46 am

Wouldn't inconsistent log formats (D) make it almost impossible to correlate events during a security incident investigation?

SkepticalEngineer3381 Mar 24, 2026 5:39 am

D imo. If logs aren't standardized, things like event correlation or root cause analysis get messy or nearly impossible. That's a bigger audit risk than file size or logs being split up. Pretty sure exam reports flag D as the highest concern unless the scenario pushes storage/admin angles.

ThoughtfulSec285 Mar 24, 2026 11:38 am

I don’t think D is the biggest deal here, I'd say C. Having events logged in multiple log files makes tracking an incident pretty painful. Maybe not the top risk, but that's what jumps out to me first-correct me if I'm off.

QuietDev8190 Mar 24, 2026 1:20 pm

C or D. If "MOST concern" means investigation and auditability, then D, but if they're looking from a practical storage/admin angle, C could cause issues too. Not fully sure without more context.

Be respectful. No spam.

Correct Answer:

Explanation

The lack of standardized data formats across logs is the most significant concern for an IS auditor. Non-standardized logs severely hinder the ability to aggregate, correlate, and analyze security events across different systems and applications. This makes it extremely difficult, if not impossible, to perform effective automated monitoring, trace the sequence of events during a security incident, or conduct meaningful forensic analysis. This fundamental flaw undermines the primary purpose of log management, which is to provide a coherent and actionable view of operational and security-related activities throughout the IT environment.

Why Incorrect

A. Growing log file size is an expected operational trend, primarily representing a capacity and retention policy issue, not a fundamental control weakness.

B. Logging critical events to immutable files is a security best practice that ensures log integrity and is considered a control strength, not a concern.

C. It is common and often necessary for complex applications to generate multiple log files for different functions; this is manageable with proper log aggregation tools.

References

1. ISACA. (2019). CISA Review Manual

27th Edition. Page 238. The manual states that for logs to be useful for analysis and to create a proper audit trail

they should be "in a consistent format." A lack of standardization directly violates this principle.

2. National Institute of Standards and Technology (NIST). (2006). Special Publication 800-92: Guide to Computer Security Log Management. Section 3.1.2

"Log Generation." This guide explicitly states

"Organizations should also establish standardized log formats

such as the same timestamp format

for all logs. Standardization makes it much easier to perform automated log analysis."

3. Kent

& Souppaya

M. (2006). The challenges of log analysis. CrossTalk

The Journal of Defense Software Engineering

19(5)

21-25. The article highlights that a major challenge in log analysis is the "lack of a standard logging format

" which complicates the correlation of events from diverse sources.

Q: 10

Which of the following provides the MOST assurance of the integrity of a firewall log?

Options

Discussion

Drew O. Mar 28, 2026 1:26 pm

Nah, I don’t think it's B-just restricting access isn't enough for log integrity. Option C makes more sense because if the log can’t be modified, that directly prevents tampering. Monthly reviews (A) help but don't stop changes from happening in between. Pretty sure C is right here but open if someone sees a gotcha.

Parker Mar 12, 2026 12:30 pm

Option B-require authorized access. I remember similar questions in the official guide focusing on controlled access, not immutability.

Ajay Mar 16, 2026 8:30 am

Monthly reviews show active oversight, so A.

Emma L. Mar 16, 2026 9:28 am

Totally C here. Nothing beats a log that can't be modified when it comes to ensuring integrity.

VikramM Mar 27, 2026 1:11 am

Had something like this in a mock. C makes sense since log can't be altered, which is the main thing for integrity. Rest are good but not enough to guarantee original data.

Liam C. Mar 12, 2026 3:23 pm

Its C, not B. Being read-only prevents tampering, initial or ongoing review isn't enough here.

Ajay J. Mar 17, 2026 5:46 am

Its B, not C. Controlling access stops unauthorized people from viewing or changing logs, which gives strong assurance too.

Leo Mar 26, 2026 4:04 pm

Looks like C

Neha W. Mar 13, 2026 6:23 am

My vote is C since logs that can't be modified provide the most direct assurance of integrity. Reviewing or restricting access helps, but only immutability really stops tampering. I think that's what the question is looking for, agree?

Neha M. Mar 19, 2026 2:24 pm

C imo, because if the log can't be modified, its integrity is preserved regardless of who accesses it or how often it's reviewed. The others are good practices but they don't actually prevent tampering. Pretty sure that's the main point.

Be respectful. No spam.

Correct Answer:

Explanation

The principle of integrity in information security ensures that data has not been altered in an unauthorized manner. A log that cannot be modified (i.e., is immutable or write-once) provides the highest level of assurance that its contents are original, accurate, and trustworthy. This is a fundamental preventive control for maintaining the evidentiary value of logs. While other options are good security practices, they do not directly guarantee that the log data itself has not been tampered with. Immutability is the most direct and effective control for assuring log integrity.

Why Incorrect

A. Reviewing logs is a detective control used to identify anomalies after they occur; it does not prevent the log from being altered beforehand.

B. Authorized access is a control primarily for confidentiality. An authorized user with modification privileges could still alter the log, compromising its integrity.

D. Retaining logs according to policy ensures their availability for future analysis and meets compliance requirements, but it does not protect the content from modification.

---

References

1. ISACA

CISA Review Manual

27th Edition. Domain 4: Information Systems Operations and Business Resilience

Task Statement 4.5. The manual emphasizes that for logs to be effective for forensic analysis

their integrity must be maintained. It discusses techniques such as writing logs to write-once

read-many (WORM) devices or a separate

secured log server to prevent modification.

2. National Institute of Standards and Technology (NIST) Special Publication 800-92

"Guide to Computer Security Log Management." Section 3.3

"Log Storage and Disposal

" states

"Protecting log information from unauthorized modification and destruction is critical for preserving its integrity." It recommends storing logs on a separate

dedicated log server with restricted access and using append-only mechanisms to prevent alteration of existing log data.

3. ISACA

IT Audit

Control

and Security

by Robert R. Moeller (2009). Chapter 16

"Auditing Firewalls

Extranets

and Other Network Security Systems." The text discusses the importance of firewall logs as an audit trail and highlights that their value is contingent on controls that prevent tampering

such as remote logging to a secure

write-protected server. This directly supports the concept that immutability is the key to integrity.

Question 1 of 20 · Page 1 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE