CISA practice questions to prep for the exam

Ready to take the Certified Information Systems Auditor exam? Use these CISA practice questions to test your knowledge of the audit process job practice domain.

The Certified Information Systems Auditor certification covers five job practice domains, ranging from Governance and Management of IT to Protection of Information Assets. Performing an audit is, of course, one of an auditor's main tasks, so it's no wonder it ranks as the second most highly weighted domain of the CISA exam.

The Information Systems Auditing Process domain covers how an auditor plans and conducts audits of an organization's information systems, and how the results are reported, in accordance with ISACA's standards and guidelines.

There's a lot more to the audit process than just performing an audit and gathering evidence. Auditors must not only plan the audit and communicate its results clearly, but also follow the Information Technology Assurance Framework (ITAF) and adhere to ISACA's Code of Professional Ethics. Both will guide auditors and ensure a consistent, trustworthy audit methodology is used.

The Information Systems Auditing Process job practice domain covers the ITAF, the Code of Professional Ethics, audit management, audit risk and analysis, control self-assessment and more.


The following questions, excerpted from Chapter 3 of CISA: Certified Information Systems Auditor Practice Exams written by Peter Gregory and published by McGraw-Hill, will quiz your knowledge of this job practice domain to help you prep for the CISA exam.

For additional questions and answers, download a PDF of Chapter 3, "The Audit Process." For more insights into what you can expect from the exam and pointers for success, check out this Q&A with Gregory.

About the author

Peter Gregory

Peter H. Gregory, CISM, CISA, CRISC, CISSP, CIPM, CCISO, CCSK, PCI-QSA, is a 30-year career technologist and an executive director at Optiv Security. He has been developing and managing information security management programs since 2002 and has been leading the development and testing of secure IT environments since 1990. In addition, he spent many years as a software engineer and architect, systems engineer, network engineer and security engineer. Throughout his career, he has written many articles, white papers, user manuals, processes and procedures and has conducted numerous lectures, training classes, seminars and university courses.

Gregory is the author of more than 40 books about information security and technology. He is an advisory board member at the University of Washington's certificate program in information security and risk management and the lead instructor (emeritus) and advisory board member for the University of Washington certificate program in cybersecurity. He is an advisory board member and instructor at the University of South Florida's Cybersecurity for Executives program, a former board member of the Washington State chapter of InfraGard and a founding member of the Pacific CISO Forum. He is a 2008 graduate of the FBI Citizens' Academy and a member of the FBI Citizens' Academy Alumni Association.

Gregory resides with his family in the Seattle area and can be contacted at
