Uploaded on Sep 23, 2022
CISA is a globally recognized certification meticulously designed for the professionals responsible for monitoring, managing, and protecting an organization’s IT and business environment. https://www.infosectrain.com/courses/cisa-certification-training/
Frequently Asked Questions in CISA Certified Role Interview
The Certified Information Systems Auditor (CISA) certification is a highly sought-after credential for IT risk, IT security, and IT audit professionals. Many positions are open to CISA-certified professionals at reputable firms, such as Internal Auditor, Accountant, Accounts and Audit Assistant, Accounts Executive, Account Assistant, Accounts Manager, Accounts Officer, and Audit Executive. Here we will discuss frequently asked questions in a CISA interview.
www.infosectrain.com | 02
[email protected]
Interview Questions
1 What exactly is a Request for Change (RFC)?
A Request for Change (RFC) is a method that provides authorization for system changes. The CISA Auditor must be able to recognize, and act on, changes that could put the network's security at risk. The RFC keeps track of all current and previous system changes.
2 What is Change Management?
Change Management is typically a group of professionals tasked with identifying the risk and impact of system modifications. The CISA will be in charge of assessing the security concerns associated with those modifications.
3 What happens if a change harms a system or does not go as planned?
Calling a rollback is the responsibility of the CISA and other change management personnel. All modifications should include a rollback plan in case something goes wrong with the deployment.
4 What security systems do you have in place to protect against unauthorized traffic?
At the router or server level, firewalls safeguard the internal network. Penetration testing systems use scripts to discover potential network risks, while antivirus protection prevents malware from installing.
5 What is the role of a CISA Audit Trail?
Audit trails enable you and the firm to keep track of systems that contain sensitive data. Audit trails are primarily used to keep track of which users accessed data and when they did so. These trails can assist businesses in detecting unauthorized access to personal information.
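As an added illustration (not part of the InfosecTrain document), here is a Python script that reads a constructed audit trail and answers the two questions an auditor asks of it: who accessed which sensitive data and when, and which of those accesses were unauthorized or outside business hours. The log line layout, the authorized-user lists and the business-hours window are all assumptions made for this example.

```python
"""Added example: scanning an audit trail for unauthorized data access.

The sample log lines are constructed for this example; the field layout
(timestamp, user, action, resource) is an assumption, not a real product format.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail: who touched which sensitive resource, and when.
SAMPLE_AUDIT_TRAIL = """\
2022-09-20T08:55:12Z alice READ customer_pii.csv
2022-09-20T09:02:47Z bob READ customer_pii.csv
2022-09-20T09:15:03Z mallory READ customer_pii.csv
2022-09-20T23:41:30Z alice EXPORT customer_pii.csv
2022-09-21T10:05:00Z carol READ payroll.xlsx
"""

# Assumed access-control list: which accounts may touch each sensitive resource.
AUTHORIZED = {
    "customer_pii.csv": {"alice", "bob"},
    "payroll.xlsx": {"carol"},
}

# Assumed business-hours window (UTC hours); access outside it is worth a second look.
BUSINESS_HOURS = range(8, 18)


def parse_audit_trail(text):
    """Parse log lines into (timestamp, user, action, resource) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, resource))
    return records


def find_unauthorized_access(records, authorized=AUTHORIZED):
    """Return records where the user is not on the resource's authorized list."""
    return [r for r in records if r[1] not in authorized.get(r[3], set())]


def find_after_hours_access(records, hours=BUSINESS_HOURS):
    """Return records whose timestamp falls outside business hours."""
    return [r for r in records if r[0].hour not in hours]


def access_summary(records):
    """Map each resource to the set of users who accessed it (the 'who' view)."""
    summary = defaultdict(set)
    for _ts, user, _action, resource in records:
        summary[resource].add(user)
    return dict(summary)


if __name__ == "__main__":
    recs = parse_audit_trail(SAMPLE_AUDIT_TRAIL)
    for r in find_unauthorized_access(recs):
        print("UNAUTHORIZED:", r)
    for r in find_after_hours_access(recs):
        print("AFTER HOURS:", r)
    print(access_summary(recs))
```

Run against the constructed trail, the script flags mallory's read of customer_pii.csv (not on the authorized list) and alice's late-night export (authorized user, unusual time); an auditor would follow up on both, but they are different findings and the report should say so.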
6 In performing a risk-based audit, which risk assessment is completed first by an IS Auditor?
Inherent risk assessment. Inherent risk exists independently of an audit and can arise from the nature of the business itself. To conduct an audit successfully, an IS Auditor needs to understand the related business process, and understanding that process gives the auditor a better grasp of the inherent risk.
7 What is the most important reason audit planning should be reviewed at periodic intervals?
Audit planning should be reviewed at periodic intervals to take account of changes to the risk environment. The short- and long-term issues that drive audit planning can be heavily affected by changes to the organization's risk environment, technologies, and business processes.
8 What is the goal of an IT audit?
An IT audit's primary function is to evaluate the existing methods used to maintain and protect an organization's essential information.
9 What exactly are IT General Controls?
IT General Controls (ITGC) are the fundamental controls that apply to IT systems such as databases, applications, operating systems, and other IT infrastructure to ensure the integrity of the systems' processes and data.
10 What is the distinction between an internal and an external audit?
Employees of the company conduct internal audits. External audits are carried out by professionals of a third-party firm. Some sectors necessitate an external audit to ensure compliance with industry regulations.
11 What are the essential skills of an IT Auditor?
The following are essential skills for an IT Auditor:
1 IT risk
2 Security risk management
3 Security testing and auditing
4 Internal auditing standards
5 General computer security
6 Data analysis and visualization tools
7 Analytical and critical thinking skills
8 Communication skills
12 How do you go about conducting a risk assessment?
Depending on the industry, risk assessments may differ. In some industries, an auditor is required to apply pre-written risk assessment procedures. However, the goal of any risk assessment is to use available tools or processes to identify vulnerabilities particular to the company being assessed and develop a strategy to address them.
13 What are the advantages of an IT audit for a company or organization?
IT audits assist in identifying weaknesses and vulnerabilities in system design, giving the company vital information for further hardening its systems.
14 Do you try to resolve a bug in an application yourself?
No. The best approach is to bring it to the attention of both the technical team and the system owners. The problem can be recorded in the final report as well.
15 Why does active FTP (File Transfer Protocol) fail with network firewalls?
Two TCP connections are formed when a user begins a session with an FTP server. In active mode, the FTP server initiates and establishes the second TCP connection (the FTP data connection). When there is a firewall between the FTP client and the server, it will block that connection because it is initiated from outside. Passive FTP can be used to solve this, or the firewall rule can be updated to allow the inbound data connection from the trusted FTP server.
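An added example, not from the original document: a short Python simulation of the control-channel exchange in active and passive FTP, with a client-side stateful firewall that only allows connections the inside host initiated. The StatefulFirewall and ftp_transfer names, and the address and port values, are assumptions for the illustration; the PORT and PASV commands and the 150, 200, 220, 227 and 425 reply codes are standard FTP.

```python
"""Added example: why active FTP fails through a client-side firewall, and why
passive mode does not.

The Firewall and ftp_transfer objects are an illustrative simulation (assumption),
not a real FTP stack; the addresses are RFC 5737 documentation addresses.
"""

CLIENT_IP, SERVER_IP = "192.0.2.10", "198.51.100.20"
FTP_CONTROL_PORT, FTP_DATA_PORT = 21, 20


class StatefulFirewall:
    """Client-side firewall: permits connections the inside host initiated,
    drops unsolicited inbound ones unless explicitly trusted."""

    def __init__(self, inside_ip, trusted_inbound=()):
        self.inside_ip = inside_ip
        self.trusted_inbound = set(trusted_inbound)  # (src_ip, src_port) pairs allowed in
        self.log = []

    def connect(self, src_ip, src_port, dst_ip, dst_port):
        """Return True if the connection attempt is permitted."""
        outbound = src_ip == self.inside_ip
        allowed = outbound or (src_ip, src_port) in self.trusted_inbound
        verdict = "ALLOW" if allowed else "DROP"
        self.log.append(f"{verdict} {src_ip}:{src_port} -> {dst_ip}:{dst_port}")
        return allowed


def ftp_transfer(mode, firewall, client_data_port=50000, server_pasv_port=60000):
    """Simulate the control exchange and the data connection for the given mode.

    Returns (succeeded, list_of_exchange_lines).
    """
    exchange = []
    # 1. Control connection: client -> server:21 is outbound, so always allowed.
    assert firewall.connect(CLIENT_IP, 40000, SERVER_IP, FTP_CONTROL_PORT)
    exchange.append("S: 220 FTP server ready")

    if mode == "active":
        # 2a. Client tells the server where to connect back (PORT h1,h2,h3,h4,p1,p2).
        p1, p2 = divmod(client_data_port, 256)
        exchange.append(f"C: PORT {CLIENT_IP.replace('.', ',')},{p1},{p2}")
        exchange.append("S: 200 PORT command successful")
        exchange.append("C: RETR report.txt")
        # 3a. Server opens the data connection inbound to the client:
        #     unsolicited from the firewall's point of view.
        ok = firewall.connect(SERVER_IP, FTP_DATA_PORT, CLIENT_IP, client_data_port)
    elif mode == "passive":
        # 2b. Client asks the server to listen; server replies with its chosen port.
        exchange.append("C: PASV")
        p1, p2 = divmod(server_pasv_port, 256)
        exchange.append(f"S: 227 Entering Passive Mode ({SERVER_IP.replace('.', ',')},{p1},{p2})")
        exchange.append("C: RETR report.txt")
        # 3b. Client opens the data connection outbound, which the firewall allows.
        ok = firewall.connect(CLIENT_IP, 50001, SERVER_IP, server_pasv_port)
    else:
        raise ValueError("mode must be 'active' or 'passive'")

    exchange.append("S: 150 Opening data connection" if ok else "S: 425 Can't open data connection")
    return ok, exchange


if __name__ == "__main__":
    for mode in ("active", "passive"):
        fw = StatefulFirewall(CLIENT_IP)
        ok, lines = ftp_transfer(mode, fw)
        print(f"--- {mode} FTP: {'OK' if ok else 'FAILED'}")
        print("\n".join(lines + fw.log))
    # The other fix from the text: explicitly trust the server's data-connection source.
    fw = StatefulFirewall(CLIENT_IP, trusted_inbound=[(SERVER_IP, FTP_DATA_PORT)])
    print("--- active FTP with trusted-server rule:", ftp_transfer("active", fw)[0])
```

The firewall log makes the difference visible: in active mode the only dropped packet is the server's connection from port 20 to the client's data port, while in passive mode every connection is outbound from the client. The trusted-server rule is the narrower fix the answer mentions, and an auditor should confirm it is scoped to that one server rather than opening inbound port ranges generally.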
16 How can a Brute Force Attack on a Windows login page be prevented?
Configure an account lockout threshold: after a set number of failed login attempts, the user account is locked automatically.
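An added example, not from the original document: a Python model of the lockout logic using the same three settings a Windows Account Lockout Policy exposes (account lockout threshold, reset account lockout counter after, account lockout duration). The AccountLockoutPolicy class and its method names are assumptions for this illustration, not Windows' own implementation. It also covers the two edge cases an auditor should check: a correct password does not unlock a locked account, and the failure counter resets once the observation window has elapsed.

```python
"""Added example: account lockout logic mirroring the three Windows Account
Lockout Policy settings (threshold, reset-counter window, lockout duration).

The AccountLockoutPolicy class is an illustrative simulation (assumption), not
Windows' actual implementation; time is injected as a number so it can be tested.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class AccountState:
    failed_attempts: int = 0
    first_failure_at: float = 0.0   # start of the current observation window
    locked_until: float = 0.0       # 0.0 means not locked


class AccountLockoutPolicy:
    def __init__(self, threshold=5, reset_window=30 * 60, lockout_duration=30 * 60):
        self.threshold = threshold                # "Account lockout threshold"
        self.reset_window = reset_window          # "Reset account lockout counter after" (s)
        self.lockout_duration = lockout_duration  # "Account lockout duration" (s)
        self._users = {}   # username -> (salt, pbkdf2 hash)
        self._state = {}   # username -> AccountState

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))
        self._state[username] = AccountState()

    def is_locked(self, username, now):
        return self._state[username].locked_until > now

    def attempt_login(self, username, password, now):
        """Return 'OK', 'BAD_PASSWORD' or 'LOCKED'. `now` is seconds since some epoch."""
        state = self._state[username]
        if self.is_locked(username, now):
            return "LOCKED"  # right or wrong password, a locked account stays shut

        # The failure counter falls back to zero once the observation window has elapsed.
        if state.failed_attempts and now - state.first_failure_at > self.reset_window:
            state.failed_attempts = 0

        salt, stored = self._users[username]
        if hmac.compare_digest(stored, self._hash(password, salt)):
            state.failed_attempts = 0
            return "OK"

        if state.failed_attempts == 0:
            state.first_failure_at = now
        state.failed_attempts += 1
        if state.failed_attempts >= self.threshold:
            state.locked_until = now + self.lockout_duration
            state.failed_attempts = 0
            return "LOCKED"
        return "BAD_PASSWORD"


if __name__ == "__main__":
    policy = AccountLockoutPolicy(threshold=3, reset_window=600, lockout_duration=900)
    policy.add_user("jdoe", "correct horse battery staple")
    for t in (0, 1, 2):
        print(t, policy.attempt_login("jdoe", "wrong", now=t))
    print(3, policy.attempt_login("jdoe", "correct horse battery staple", now=3))    # LOCKED
    print(903, policy.attempt_login("jdoe", "correct horse battery staple", now=903))  # OK
```

When reviewing a real deployment, the same three values are what to read back from the domain or local policy: a threshold of zero means lockout is disabled, and a lockout duration of zero means the account stays locked until an administrator releases it. A lockout policy also creates a denial-of-service risk for named accounts, so the duration and window should be chosen with that trade-off in mind.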
17 How can a CISA Auditor gain a better understanding of the system?
A CISA Auditor can talk to management, read documentation, observe other employees' activities, and examine system logs and reports.
18 What are intangible assets?
Intangible assets are those that cannot be seen, such as the company's worth.
19 What exactly is Vouching?
Vouching is the process of verifying the presence of something; for example, verifying from the overall record to the required documents.
20 How frequently does the company update its assessment of the top risks?
The enterprise-wide risk assessment approach should be adaptable to changing business conditions. A solid strategy for identifying and prioritizing essential enterprise risks, such as emerging risks, is critical to maintaining an up-to-date perspective of the top risks.