Examworthy (examworthy.com)

Certified Information Systems Auditor (CISA) cheat sheet

ISACA

Exam version: 2024. Reviewed: 2026-06-03

Free to share. Examworthy is not affiliated with or endorsed by ISACA; CISA and related marks belong to their respective owners.

At a glance

  • Questions: 150
  • Time allowed: 240 min
  • Pass mark: 450 / 800
  • Cost (USD): $575

Format: Multiple choice, computer-based at PSI testing centres or remote proctored

Domain weight map

Heaviest first - spend your time here

  • Information Systems Operations and Business Resilience: 26% · 76 Q
  • Protection of Information Assets: 26% · 77 Q
  • Information Systems Auditing Process: 18% · 51 Q
  • Governance and Management of IT: 18% · 54 Q
  • Information Systems Acquisition, Development and Implementation: 12% · 35 Q

How this exam thinks

CISA rewards thinking like an independent auditor, not an engineer: pick the BEST answer for someone who evaluates and reports on controls rather than the one who builds or fixes them.

Spot the trap

Tempting wrong answers, and why they fail

Tempting but wrong

The CMDB can replace the software asset register because configuration items already include installed software components and version data.

Why it fails

Although the CMDB does record installed software as configuration items, it tracks operational state for service management, not licence entitlements or contractual rights. A CMDB cannot satisfy software asset management obligations on its own; a separate software asset register is required to capture rights granted by licences, and the two records must be reconciled to evidence compliance.

Information Systems Operations and Business Resilience

Tempting but wrong

A committed future remediation date downgrades a current policy breach from a finding to an observation.

Why it fails

Acknowledgement and a future fix do not change the present state. Audit findings reflect the control's condition during the audit period, so a current breach exposing personal data remains a finding with risk rated on present exposure.

Protection of Information Assets

Tempting but wrong

Fixed three-year rotation of auditable units is the defensible basis for the annual plan because it guarantees coverage.

Why it fails

Fixed-rotation cycles are tempting because they look fair and predictable, but ISACA standards require selection driven by current inherent and control risk, not calendar rotation that ignores threat changes. Predictable coverage is not the same as risk-relevant coverage.

Information Systems Auditing Process

Tempting but wrong

IT governance is the daily oversight of IT operations exercised by the chief information officer, while IT management is the strategic stewardship exercised by the audit committee.

Why it fails

This inverts the recognised roles. The board and its committees govern by evaluating, directing and monitoring the use of IT, while the chief information officer manages day-to-day delivery within governance constraints. Treating the chief information officer as the governance actor and the audit committee as a management actor undermines the segregation of decision rights established by COBIT 2019 and ISO/IEC 38500.

Governance and Management of IT

Tempting but wrong

A business case exists to document the detailed functional and non-functional requirements that the chosen vendor must satisfy before contract award.

Why it fails

This is tempting because requirements and business cases are both early artefacts, but detailed functional and non-functional requirements belong in the requirements specification produced AFTER the business case is approved. The case provides the justification for spending; the specification defines what the vendor must build, and confusing the two collapses two separate deliverables and governance gates.

Information Systems Acquisition, Development and Implementation

Tempting but wrong

The software asset register and CMDB should remain independent to preserve segregation of duties between operations and procurement staff.

Why it fails

Segregation of duties governs who can authorise and record asset changes, not whether two registers may be reconciled. Keeping the records permanently disconnected defeats the purpose of asset management and prevents the entitlement-to-deployment reconciliation that identifies licensing and unsupported software exposures.

Information Systems Operations and Business Resilience

Tempting but wrong

A documented management rationale and a temporary basis are enough to accept a segregation of duties conflict.

Why it fails

Documented rationale alone does not retire the residual risk. Without compensating monitoring the conflict remains exploitable for fictitious vendor fraud, so the auditor must evaluate whether a compensating detective control operates effectively.

Protection of Information Assets

Tempting but wrong

Re-auditing every area with a prior-year high-rated finding before considering new units is the correct primary basis for the plan.

Why it fails

Following up prior findings is necessary but partial; it anchors the plan on history rather than the current risk profile and leaves emerging high-risk areas uncovered. Prior findings inform the plan but cannot replace a current risk assessment.

Information Systems Auditing Process

Key terms

IT components, IT asset management, shadow IT, end-user computing, job scheduling, production process automation, system interfaces, batch processing, availability management, capacity management, incident management, change management, patch management, operational log management, service level management, SLA

Exam-day rules

  • Answer as an auditor, not an engineer. The auditor evaluates, gathers evidence, and reports; any option that has you operating or fixing the control yourself is usually the wrong answer, however sensible the fix.
  • Read the qualifier in capitals. ISACA asks for the BEST, MOST important, FIRST, PRIMARY, or GREATEST, not merely a correct answer; the qualifier tells you which axis the single right option is judged on.
  • When the question asks what to do FIRST, choose the step that establishes scope, objective, or risk. In audit you understand the risk and the objective before you test or recommend anything.
  • Protect independence and objectivity. An auditor cannot assess their own work or own a control they review, so any option that breaks that separation is wrong by definition.
  • Prefer evidence over assurance. A conclusion rests on sufficient, reliable evidence (ideally from an independent source or re-performance), not on what management says or what the policy claims.

Revision schedule

  1. Day 1
    Map the blueprint and book a date
  2. Week 1
    Adopt the auditor's mindset
  3. Weeks 1 to 2
    Lock the audit process (Domain 1)
  4. Weeks 2 to 4
    Go deep on the two heavy domains (Domains 4 and 5)
  5. Weeks 4 to 5
    Cover governance and the build lifecycle (Domains 2 and 3)

Practise CISA free

Every question has a worked explanation and a per-distractor rationale. No sign-up.

720 audited flashcards in this deck.
