CISA Domain 4A Practice Test 001

This practice test covers Domain 4 (Information Systems Operations & Business Resilience) Subdomain A (Information Systems Operations) from the CISA exam content outline.

These questions are inspired by the ISACA CISA exam and are designed to help you test your knowledge of information systems auditing, governance, risk management, IT operations, business resilience, and information asset protection.

These are not official exam questions or brain dumps. They are original scenario-based questions created to reflect the audit judgment, control evaluation, and risk-based decision-making skills tested in the CISA exam.

Note: CISA and Certified Information Systems Auditor are registered trademarks of ISACA. This content is not affiliated with or endorsed by ISACA.

To choose CISA practice tests based on specific domains and subdomains, click that link.

CISA Practice Test — 4A (Information Systems Operations)
10 questions • Single best answer
Question 1
An IS auditor is reviewing the automated batch job scheduling environment at a large retail company's data center. The auditor observes that operators can manually modify production job schedules directly in the scheduler without any documented approval or activity logging. Which of the following should be the auditor's MOST significant concern?
    Question 2
    During an audit of a commercial bank's IT operations, the IS auditor notes that individual incidents are resolved quickly and within the agreed service targets, but the same incidents recur frequently across the environment because their underlying causes are rarely investigated or documented. Which recommendation is MOST appropriate to address this condition?
      Question 3
      During a review of a manufacturing company's IT change management process, an IS auditor finds that emergency changes are applied directly to the production environment and documented afterward, but many of the required retroactive approvals and impact assessments are never completed. What is the auditor's BEST course of action?
        Question 4
        An IS auditor is evaluating the capacity management practices of an e-commerce platform that suffered repeated outages during seasonal sales peaks. The auditor learns that current utilization thresholds are monitored, but no forecasting is performed against projected business growth or planned marketing campaigns. Which finding is MOST significant?
          Question 5
          During an audit of a government agency's IT operations, the IS auditor finds that system and application logs are generated but are automatically overwritten after seven days and are never reviewed by operations staff. Which of the following represents the GREATEST risk associated with this condition?
            Question 6
            An IS auditor reviewing end-user computing controls at an insurance company discovers that critical premium calculations are performed in a complex spreadsheet maintained by a single business analyst, with no version control, supporting documentation, or independent validation of the results. Which control weakness should the auditor consider MOST significant?
              Question 7
              An IS auditor is reviewing the service level agreements between an organization and its outsourced IT service provider. The SLAs define availability targets, but there is no independent verification of the provider's reported performance and no defined reporting obligations. What should the auditor recommend FIRST?
                Question 8
                During an audit of a financial services company's database management practices, the IS auditor finds that several database administrators share a single privileged account for maintenance, and activity performed under that account cannot be traced to any individual. Which of the following is the auditor's GREATEST concern?
                  Question 9
                  An IS auditor reviewing IT asset management at a utility company finds that the asset inventory has not been reconciled to physical devices in over two years, and several decommissioned servers still appear as active in the register. Which finding is MOST significant from a control perspective?
                    Question 10
                    During an audit of an organization's system interfaces, the IS auditor observes that data transferred between the order-entry system and the billing system has no automated reconciliation or exception reporting. Which control provides the BEST assurance that data is transferred completely and accurately between the two systems?

                      Leave a Comment

                      Your email address will not be published. Required fields are marked *

                      Scroll to Top