The document outlines common interview questions and topics related to the Certified Information Systems Auditor (CISA) certification, which is valued in IT risk and security roles. Key areas covered include change management, security systems, risk assessments, audit planning, and the distinction between internal and external audits. Additionally, it highlights essential skills for IT auditors and the significance of IT audits for organizations, emphasizing the need for constant adaptability to changing risk environments.

1. FREQUENTLY ASKED QUESTIONS IN
CISA CERTIFIED ROLE
INTERVIEW

2. www.infosectrain.com | sales@infosectrain.com 02
CISA
The Certified Information Systems Auditor (CISA) certification is highly desired after
credential for IT risk, IT security, and IT Auditors. Many CISA (Certified Information
Systems Auditor) certified positions are available in reputable firms such as Internal
Auditor, Accountant, Accounts and Audit Assistant, Accounts Executive, Account
Assistant, Accounts Manager, Accounts Officer, and Audit Executive. Here we will
discuss frequently asked questions in a CISA interview.

3. www.infosectrain.com | sales@infosectrain.com 03
1 What exactly is a Request for Change (RFC)?
A Request for Change (RFC) is a method that provides
authorization for system changes. The CISA Auditor must
be able to recognize and act on developments that
could risk the network’s security. The RFC keeps track of all
current and previous system changes.
Interview Questions
2 What is Change Management?
Change Management is typically a group of
professionals tasked with identifying the risk and impact
of system modifications. The CISA will be in charge of
assessing security concerns associated with
modifications.
3 What happens if a change harms a system or
does not go as planned?
Calling a rollback is the responsibility of the CISA and
other change management personnel. If something goes
wrong with the deployment, all modifications should
include a rollback plan.

4. www.infosectrain.com | sales@infosectrain.com 04
4 What security systems do you have in place
to protect against unauthorized traffic?
At the router or server level, firewalls safeguard the
internal network. Penetration testing systems use scripts
to discover potential network risks, while antivirus
protection prevents virus software from installing.
5 What is the role of a CISA Audit Trail?
Audit trails enable you and the firm to keep track of
systems that contain sensitive data. Audit trails are
primarily used to keep track of which users accessed
data and when they did so. These trails can assist
businesses in detecting unauthorized access to personal
information.
6 In performing a risk-based audit, which risk
assessment is completed first by an IS Auditor?
Inherent risk assessment. Inherent risk exists
independently of an audit and can occur because of the
nature of the business. It is necessary to be aware of the
related business process to conduct an audit
successfully. To perform an audit, an IS Auditor needs to
understand the business process. By understanding the
business process, an IS Auditor better understands the
inherent risk.

5. www.infosectrain.com | sales@infosectrain.com 05
7 What is the most important reason an audit
planning should be reviewed at periodic intervals?
To consider changes to the risk environment, it is
important to review audit planning at periodic intervals.
Short and long-term issues that drive audit planning can
be heavily impacted by the changes to the organization’s
risk environment, technologies, and business processes.
8 What is the goal of an IT audit?
An IT audit’s primary function is to evaluate existing
methods to maintain an organization’s essential
information.
9 What exactly are IT General Controls?
IT General Controls (ITGC) are the fundamental controls
that apply to IT systems such as databases, applications,
operating systems, and other IT infrastructure to ensure
the integrity of the systems’ processes and data.
10 What is the distinction between an internal and
an external audit?
Employees of the company conduct internal audits.
External audits are carried out by professionals of a
third-party firm. Some sectors necessitate an external
audit to ensure compliance with industry regulations.

6. www.infosectrain.com | sales@infosectrain.com 06
11What are the essential skills of an IT Auditor?
The following are essential skills for an IT Auditor:
IT risk
1
Security risk management
2
Security testing and auditing
3
Data analysis and visualization tools
6
Analytical and critical thinking skills
7
Communication skills
8
Internal auditing standards
4
General computer security
5

7. www.infosectrain.com | sales@infosectrain.com 07
12 How do you go about conducting a risk
assessment?
Depending on the industry, risk assessments may differ. In
some industries, an auditor is required to apply pre-writ-
ten risk assessment procedures. However, the goal of any
risk assessment is to use available tools or processes to
identify vulnerabilities particular to the company being
assessed and develop a strategy to address them.
13 What are the advantages of an IT audit for a
company or organization?
IT audits assist in identifying weaknesses and
vulnerabilities in system design, giving the company vital
information for further hardening their systems.
14Do you try to resolve a bug in an application
yourself?
No. The best approach is to bring it to the attention of
both the technical team and the system owners. The
problem can be recorded in the final report as well.

8. www.infosectrain.com | sales@infosectrain.com 08
15 Why does active FTP (File Transfer Protocol) fail
with network firewalls?
Two TCP connections are formed when a user begins a
connection with the FTP server. The FTP server initiates
and establishes the second TCP connection (FTP data
connection). When there is a firewall between the FTP
client and the server, it will prohibit the connection
initiated from the FTP server because it is an outside
connection. Passive FTP can be used to solve this, or the
firewall rule can be updated to add the FTP server as
trustworthy.
16 How can a Brute Force Attack on a windows login
page be prevented?
Set up an account lockout for a certain number of failed
login attempts, and the user account will be automatically
locked after that amount.
17 How can a CISA Auditor gain a better
understanding of the system?
CISA Auditor can talk to management, read documentation,
observe other employees’ activities, and examine system
logs and reports.

9. www.infosectrain.com | sales@infosectrain.com 09
18 What are intangible assets?
Intangible assets are those that cannot be seen, such as
the company’s worth.
19 What exactly is Vouching?
Vouching is the process of verifying the presence of
something; for example, verifying from the overall
record to the required documents.
20How frequently does the company update its
assessment of the top risks?
The enterprise-wide risk assessment approach should be
adaptable to changing business conditions. A solid
strategy for identifying and prioritizing essential
enterprise risks, such as emerging risks, is critical to
maintaining an up-to-date perspective of the top risks.