CISA Isaca Certified Information Systems Auditor Free Practice Exam Questions (2025 Updated)

SQL injection attacks exploit vulnerabilities in web applications by inserting malicious SQL code into input fields, such as a search box. This can cause the server to execute unintended commands, often revealing restricted information.

Man-in-the-Middle (Option A):This intercepts communication but does not involve code injection.

Denial of Service (DoS) (Option B):This aims to disrupt service, not extract information.

Cross-Site Scripting (Option D):Involves injecting malicious scripts to execute in a user's browser but does not extract server-side data.

Comprehensive and Detailed Step-by-Step Explanation:

Ensuring data integrity iscritical, even when handling publicly available information.

Option A (Incorrect):While tracking system interfaces is useful formonitoring, it is not thegreatest concernif the data being transferred is publicly available.

Option B (Incorrect):Encryption isimportant, but if the data is alreadypublic, therisk impact is lowercompared to data integrity issues.

Option C (Incorrect):Data interception may not be a critical issue forpublicdata unless it leads to modification or exploitation.

Option D (Correct):If thedata from the originating system differsfrom the downloaded data, it indicates adata integrity failure. This could result from system errors, transmission faults, or tampering, making it thehighest riskfor an IS auditor to address.

Quarterly steering committee meetings best demonstrate alignment of the IT department with the corporate mission because they provide a regular forum for strategic planning, decision making, and communication between IT leaders and business stakeholders12. Steering committee meetings help to ensure that IT goals and initiatives are aligned with the business vision, mission, and objectives, and that IT performance and value are monitored and evaluated34.

References

1: IT Governance and the Balanced Scorecard - ISACA Journal

2: IT Steering Committee Best Practices: A Recipe for Success

3: What is IT Governance? - Definition from Techopedia

4: CISA Cybersecurity Strategic Plan | CISA

High employee turnover (A) poses the greatest risk because it leads to knowledge loss, operational disruptions, and potential security risks from departing employees. A constantly changing workforce can also impact compliance, training, and overall IT stability.

Other options:

Lack of customer satisfaction surveys (B) is a business issue but not a critical IT risk.

Aging staff (C) may be a long-term risk but does not have an immediate impact.

Frequent software upgrades (D) can be beneficial if managed correctly.

The greatest risk to an organization’s ability to manage QC processes is the lack of policies and procedures that define the QC objectives, standards, methods, roles, and responsibilities. Without policies and procedures, the QC processes may be inconsistent, ineffective, inefficient, or noncompliant with the relevant regulations and best practices. Policies and procedures provide the foundation and guidance for the QC processes and help to ensure their quality, reliability, and accountability.

References

ISACA CISA Review Manual, 27th Edition, page 253

Quality Control - an overview | ScienceDirect Topics

Quality Control: Meaning, Importance, Definition and Objectives

A digital signature is a mathematical algorithm that validates the authenticity and integrity of a message or document by generating a unique hash of the message or document and encrypting it using the sender’s private key1. The primary reason for using a digital signature is to authenticate the sender of a message, as only the sender has access to their private key and can produce a valid signature2. A digital signature also verifies the integrity of the data, as any modification to the message or document will result in a different hash value and invalidate the signature1. However, a digital signature does not provide availability or confidentiality to the transmission, as it does not prevent denial-of-service attacks or encrypt the entire message or document3.

References

1: Understanding Digital Signatures | CISA

2: Signature Verification | CISA

3: SECFND: Digital Signatures from Skillsoft | NICCS

Comprehensive and Detailed Step-by-Step Explanation:

To ensure that aservice vendor maintains required control levels, direct verification throughonsite assessmentsis the most effective approach.

Option A (Correct):Onsite assessmentsallow auditors todirectly reviewcontrols, procedures, and evidence of compliancein real time, ensuring that service levels are being met.

Option B (Incorrect):Unannounced vulnerability assessments may violatecontractual agreementsand ethical considerations.

Option C (Incorrect):Reviewing theSLAensures agreement terms are clear but doesnot verify actual compliance.

Option D (Incorrect):AControl Self-Assessment (CSA)is useful but relies onvendor-provided information, which may be biased or incomplete.

Comprehensive and Detailed Step-by-Step Explanation:

When outsourcingIS functions,independent audit provisionsensure thatcontractors meet security, compliance, and operational standards.

Option A (Incorrect):Security procedures should be included but are subject tochangeandmay not be detailedin the contract.

Option B (Correct):Independent audit rightsallow the organization toverifythat the vendor complies with security, operational, and regulatory requirements.

Option C (Incorrect):Naming specific staff isimpracticaland not acore contractual requirement.

Option D (Incorrect):Data transfer protocols are important, but they are atechnical detailrather than aprimary contract requirement.

Comprehensive and Detailed Step-by-Step Explanation:

A key aspect ofbackup managementis ensuring backups are performed on time and without manual intervention to avoid human error.

Option A (Incorrect):While separation of duties is important, the concern here is not aconflict of interestbut rather the reliability of backup execution.

Option B (Incorrect):Load balancer configuration relates tonetwork traffic management, which is not directly relevant to backup reliability.

Option C (Incorrect):Cloud-based backups can be a good option, but the immediate priority is toverify if backups are consistently executedbefore suggesting alternative solutions.

Option D (Correct):Reviewing backup logs provides concreteevidenceof whether backups are performed on schedule and if they weremisseddue to peak usage periods. If issues are found, automation or scheduling adjustments may be recommended.

Disabling operational logging compromises critical functions such as security monitoring, troubleshooting, and compliance reporting. Logs are essential for tracking system activities, identifying anomalies, and conducting forensic investigations in case of incidents. Enhancing processing speed and saving storage should not come at the cost of reducing logging, as this increases security risks and weakens the organization's ability to detect and respond to threats.

Adopting a Peer-Inspired Service Delivery Model (Option B):This might pose risks if not customized for the organization's context, but it is not as critical as the loss of operational logging.

Delegating Business Decisions to the CRO (Option C):While unconventional, this does not inherently introduce risks to IT service delivery unless operational control issues arise.

Eliminating Reports and KPIs (Option D):This could hinder performance tracking but does not compromise operational security as severely as disabling logging.

Operational logging is foundational to maintaining security, reliability, and accountability in IT environments.

The business impact analysis (BIA) is a critical component of an organization's business continuity planning (BCP) process. The most concerning issue is when system criticality information is provided only by the IT manager (Option B). This presents a risk of bias or incomplete analysis, as business units must also provide input to ensure a comprehensive assessment.

ISACA CISA Reference: According to ISACA’s BCP and DRP guidelines, BIA should involve input from multiple business functions, including finance, operations, and risk management, rather than relying solely on IT.

Risk Implication: Without broader business input, the criticality of systems may be misclassified, leading to incorrect recovery priorities and potential business disruption.

Alternative Choices:

Option A: While a risk assessment is important, a BIA can still be completed without it and later validated.

Option C: The use of questionnaires is a valid method if responses are verified.

Option D: Lack of executive sign-off is concerning but does not directly impact the accuracy of system criticality assessment.

The best way to determine whether IT investments are meeting business objectives is to compare the realized return on investment (ROI) versus the projected ROI (Option B). This approach measures actual performance against planned expectations.

ISACA CISA Reference: The ISACA IT Governance framework emphasizes performance measurement through ROI analysis, ensuring IT investments align with strategic objectives.

Risk Implication: If actual ROI is lower than projected, this may indicate ineffective investment decisions, poor execution, or misalignment with business goals.

Alternative Choices:

Option A: Break-even analysis only determines when an investment recoups its costs but does not measure performance against business objectives.

Option C: Budgeted versus actual spend assesses financial discipline but does not indicate business impact.

Option D: Industry average ROI provides benchmarking but does not assess internal goal achievement.

User requirements are the foundation of any successful application. Properly defining what the application needs to do and how it should serve users is critical before moving into design or development.

Comprehensive and Detailed Step-by-Step Explanation:

Thebest protectionfor a stolen laptop isfull disk encryption, which prevents unauthorized accesseven if the device is lost.

Option A (Incorrect):Remote wipe capabilitiesare useful, but theyrequire an internet connectionto function, which is not always available when a device is stolen.

Option B (Correct):Full disk encryption (FDE)ensures that data remainsunreadablewithout the correct decryption key,even if the hard drive is removed.

Option C (Incorrect):User awarenessis helpful, but itdoes not physically securedata on a lost device.

Option D (Incorrect):Password-protected filescan be bypassed by copying them to another system, making them an inadequate security measure.

The best approach from a risk management perspective when implementing a large and complex data center IT infrastructure is to use a deployment plan based on sequenced phases, as this will allow the organization to break down the project into manageable and measurable stages, and to monitor and control the progress, quality, and outcomes of each phase12. A phased deployment plan can also help to reduce the risks of errors, failures, or disruptions that could affect the entire infrastructure, and to implement corrective actions or contingency plans as needed34.

References

1: Data Center Project Planning: A Guide to Success2 2: Data Center Project Planning: A Guide to Success4 3: Data Center Migration: A Step-by-Step Guide3 4: Data Center Migration: A Step-by-Step Guide1

Imaging the affected system is the best way to protect evidence in a forensic investigation, because it creates a bit-by-bit copy of the original data that can be analyzed without altering or compromising the original source. Imaging preserves the integrity and authenticity of the evidence and allows for verification and validation of the results34. Powering down or rebooting the affected system can cause data loss or corruption, while protecting the hardware does not prevent unauthorized access or tampering with the software or data. References: 3: CISA Review Manual (Digital Version), Chapter 6, Section 6.4.1 4: CISA Online Review Course, Module 6, Lesson 4

A test plan for the BCP is essential to ensure that the plan is effective, updated and aligned with the current business needs and objectives. A change in organizational structure with significant impact to business processes may require a revision of the BCP and a new test plan to validate its adequacy. The lack of a test plan for the BCP for two years indicates a high risk of failure in the event ofa disaster or disruption. Therefore, this should be the auditor’s greatest concern among the given options. References:

ISACA, IT Control Objectives for Sarbanes-Oxley, 4th Edition, section 5.3.21

ISACA, CISA Review Manual, 27th Edition, chapter 5, section 5.42

The best way to track organizational data in a BYOD environment is to enroll the personal devices in the organization’s mobile device management (MDM) program. This will allow the organization to monitor, control, and secure the data on the devices remotely. Employees must also report lost or stolen devices and sign the acceptable use policy, but these are not sufficient to enable tracking of data. References: Info Technology & Systems Resources |COBIT, Risk, Governance … - ISACA, section “Book IT Control Objectives for Sarbanes-Oxley, 4th Edition | Digital | English”

 The best process for continuous auditing for a large financial institution is validating access controls for real-time data systems. This is because access controls are critical for ensuring the confidentiality, integrity, and availability of the financial data that is processed and transmitted by the real-time data systems. Real-time data systems are systems that provide timely and accurate information to support decision-making and transactions in a dynamic and complex environment. Examples of real-time data systems in the financial sector include payment systems, trading platforms, risk management systems, and fraud detection systems. Continuous auditing of access controls can help detect and prevent unauthorized access, data leakage, data manipulation, or data loss that could compromise the security, reliability, or compliance of the real-time data systems.

Testing encryption standards on the disaster recovery system is not the best process for continuous auditing for a large financial institution. Encryption standards are important for protecting the data stored or transmitted by the disaster recovery system, which is a system that provides backup and recovery capabilities in case of a disruption or disaster. However, testing encryption standards is not a continuous process, but rather a periodic or event-driven process that can be performed as part of the disaster recovery plan testing or validation.

Performing parallel testing between systems is not the best process for continuous auditing for a large financial institution. Parallel testing is a process of comparing the results of two or more systems that perform the same function or task, such as a new system and an old system, or a primary system and a backup system. Parallel testing can help verify the accuracy, consistency, and compatibility of the systems. However, parallel testing is not a continuous process, but rather a temporary or transitional process that can be performed as part of the system implementation or migration.

Validating performance of help desk metrics is not the best process for continuous auditing for a large financial institution. Help desk metrics are indicators that measure the efficiency, effectiveness, and quality of the help desk service, which is a service that provides technical support and assistance to the users of information systems and technology. Help desk metrics can include metrics such as response time, resolution time, customer satisfaction, and service level agreement (SLA) compliance. Validating performance of help desk metrics can help evaluate and improve the help desk service. However, validating performance of help desk metrics is not a continuous auditing process, but rather a continuous monitoring process that can be performed by the help desk management or quality assurance team.

 An organization outsourced its IS functions. To meet its responsibility for disaster recovery, the organization should coordinate disaster recovery administration with the outsourcing vendor. This is because the organization remains accountable for ensuring the continuity and availability of its IS functions, even if they are outsourced to a third party. The organization should establish clear roles and responsibilities, communication channels, testing procedures, and escalation processes with the outsourcing vendor for disaster recovery purposes. The organization should not discontinue maintenance of the disaster recovery plan (DRP), as it still needs to have a documented and updated plan for restoring its IS functions in case of a disaster. The organization should not delegate evaluation of disaster recovery to a third party or internal audit, as it still needs to monitor and review the performance and compliance of the outsourcing vendor with respect to disaster recovery objectives and standards. References: CISA Review Manual (Digital Version), [ISACA Auditing Standards]

The greatest concern for an IS auditor when auditing an organization’s IT strategy development process is that information security was not included as a key objective in the IT strategic plan. Information security is a vital component of IT strategy, as it ensures the confidentiality, integrity and availability of information assets, and supports the business objectives and regulatory compliance. The other options are not as significant as the lack of information security in the IT strategic plan. References: CISA Review Manual (Digital Version), Chapter 1, Section 1.31

 Recounting the transaction records to ensure no records are missing provides assurance that the best transactions were recovered successfully from a snapshot copy. This is because recounting the transaction records can verify that the number of records in the restored database matches the number of records in the snapshot copy, which represents the state of the database before the deletion occurred. Recounting the transaction records can also detect any data corruption or inconsistency that may have occurred during the restore process1.

Reviewing transaction recovery logs to ensure no errors were recorded is not the best answer, because transaction recovery logs may not capture all the details or issues that may affect the data quality or integrity. Transaction recovery logs are mainly used to monitor and troubleshoot the restore process, but they may not reflect the actual content or accuracy of the restored data2.

Rerunning the process on a backup machine to verify the results are the same is not the best answer, because rerunning the process may introduce additional errors or inconsistencies that may affect the data quality or integrity. Rerunning theprocess may also consume more time and resources than necessary, and it may not guarantee that the results are identical to the original data3.

Comparing transaction values against external statements to verify accuracy is not the best answer, because external statements may not be available or reliable for all transactions. External statements are documents or reports that provide information about transactions from a third-party source, such as a bank, a vendor, or a customer. However, external statements may not cover all transactions, or they may have differentformats, standards, or timeliness than the internal data

 A computer forensic audit is a process of collecting, preserving, analyzing, and presenting digital evidence from electronic devices in a legally admissible manner. It is most relevant in situations where data loss due to hacking of servers occurs, as it can help to identify the source, method, and extent of the attack, as well as recover the lost or damaged data. The other options are not as suitable for a computer forensic audit, as they relate to internal control issues, data quality issues, orsystem maintenance issues, which can be addressed by other types of audits or reviews. References: CISA Review Manual (Digital Version), Domain 4: Information Systems Operations and Business Resilience, Section 4.5 Computer Forensics1

The best recommendation to prevent unauthorized access to cloud-based applications and data is to implement multi-factor authentication (MFA). MFA is a method of verifying the identity of a user by requiring two or more pieces of evidence, such as a password, a code sent to a phone, or a biometric factor. MFA adds an extra layer of security to prevent unauthorized access, even if the user’s password is compromised or stolen. MFA can also help comply with data privacy and security regulations, such as the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA).

The other options are not as effective as MFA in preventing unauthorized access. An intrusion detection system (IDS) is a tool that monitors network traffic and alerts administrators of suspicious or malicious activity, but it does not prevent access by itself. Updating security policies and procedures is a good practice, but it does not ensure that users follow them or that they are enforced. Utilizing strong anti-malware controls on all computing devices can help protect against malware infections, but it does not prevent users from accessing cloud-based applications and data from any Internet-connected web browser.

The most importantoutcome of an information security program is to improve the organizational awareness of security responsibilities, as this will foster a culture of security and ensure that all stakeholders are aware of their roles and obligations in protecting the information assets of the organization. An information security program should also aimto achieve other outcomes, such as identifying operating system weaknesses, understanding and accepting emerging security technologies, and reducing the cost to mitigate information security risk, but these are not as important as improving the awareness of security responsibilities, which is the foundation of any effective information security program. *References: According to the ISACA IT Audit and Assurance Standards, Guidelines and Tools and Techniques for IS Audit and Assurance Professionals, section 2402 Planning, “The IS audit and assurance professional should identify and assess risk relevant to the area under review.” 1 One of the risk factors to consider is “the level of awareness of management and staff regarding IT risk management” 1. According to the ISACAIT Audit and Assurance Guideline G13 Information Security Management, “The objective of an information security management audit/assurancereview is to provide management with an independent assessment relating to the effectiveness of information security management within the enterprise.” The guideline also states that “the audit/assurance professional should evaluate whether there is an appropriate level of awareness throughout the enterprise regarding information security policies, standards, procedures and guidelines.” According to a web search result from Microsoft Security, “Information security programs need to: … Support the execution of decisions.” 2 One of the ways to support the execution of decisions is to ensure that everyone in the organization understands their security responsibilities and follows the security policies and procedures.

The management decision that presents the greatest risk associated with data leakage is not providing security awareness training to staff. This is because staff are often the weakest link in the information security chain, and they may unintentionally or maliciously leak sensitive data through various channels, such as email, social media, cloud storage, or removable media. Security awareness training is essential to educate staff on the importance of protecting data, the policies and procedures for handling data, and the best practices for preventing and reporting data leakage incidents. Not requiring desktops to be encrypted, allowing staff to work remotely, and not updating security policies in the past year are also management decisions that may increase the risk of data leakage, but they are not as significant as not providing security awareness training to staff. Encryption, remote work, and security policies are technical or administrative controls that can be implemented or enforced by management, but they cannot fully prevent or mitigate human errors or malicious actions by staff. References: CISA Review Manual (Digital Version), [ISACA Privacy Principles and Program Management Guide]

Comprehensive and Detailed in-Depth Explanation:

The primary role of KPIs is to provide measurable insights into the performance of business processes and identify variances that may require corrective actions. KPIs help organizations understand whether their processes are achieving desired outcomes and where improvements are needed.

While Option A discusses workflow optimization, it is a secondary benefit rather than the primary purpose. Options B and C do not accurately describe the core purpose of KPIs.

ISACA CISA Reference: Domain 1 - Information System Auditing Process

The main purpose of an IDS is to detect and report malicious or suspicious activity on a network or a host. If an IDS fails to identify actual attacks, it means that the IDS is not functioning properly or effectively, and it exposes the organization to serious security risks and potential damage. This is the most concerning scenario for an IS auditor, as it indicates a major deficiency in the IDS performance and configuration.

ReferencesWhat is an intrusion detection system (IDS)?What is Intrusion Detection Systems (IDS)?How does it Work?When reviewing an intrusion detection system (IDS), an IS auditor …Intrusion Detection Systems (IDS)—An Overview with a Generalized …An overview of issues in testing intrusion detection systems - NISTA Review of Intrusion Detection Systems and Their …

A firewall between internal network segments improves security and reduces risk by inspecting all traffic flowing between network segments and applying security policies. This will prevent unauthorized or malicious access, data leakage, or network attacks from compromising the network resources or data. Logging all packets passing through network segments may provide audit trails and evidence, but not prevent or mitigate security incidents. Monitoring and reporting on sessions between network participants may help to identify anomalous or suspicious activities, but not block or filter them. Ensuring all connecting systems have appropriate security controls enabled may enhance the overall network security posture, but not isolate or segregate different network segments. References: Info Technology & Systems Resources | COBIT, Risk, Governance … - ISACA, section “Book COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution | Digital | English”

 The answer C is correct because preventive maintenance is outsourced to multiple vendors without requiring nondisclosure agreements (NDAs) would be of greatest concern to an IS auditor reviewing on-site preventive maintenance for an organization’s business-critical server hardware. This is because outsourcing preventive maintenance to multiple vendors without NDAs exposes the organization to the risk of unauthorized access, disclosure, or modification of sensitive data and information stored on the servers. NDAs are legal contracts that bind the vendors to protect the confidentiality and security of the data and information they access or handle during the preventive maintenance. Without NDAs, the vendors may not have any obligation or incentive to safeguard the data and information, and they may misuse, leak, or compromise them for malicious or commercial purposes. This could result in financial losses, reputational damage, legal liabilities, or regulatory penalties for the organization.

The other options are not as concerning as option C. Preventive maintenance costs exceed the business allocated budget (option A) is a financial issue that may affect the profitability or efficiency of the organization, but it does not directly impact the security or availability of the server hardware. Preventive maintenance has not been approved by the information system (option B) is a procedural issue that may indicate a lack of coordination or communication between the IT department and the business units, but it does not necessarily affect the quality or effectiveness of the preventive maintenance. The preventive maintenance schedule is based on mean time between failures (MTBF) parameters (option D) is a technical issue that may influence the frequency or timing of the preventive maintenance, but it does not imply any risk or deficiency in the preventive maintenance itself.

The best indication to an IS auditor that management’s post-implementation review was effective is that lessons learned were documented and applied, as this shows that the management has identified and addressed the issues and gaps that arose during the implementation, and has improved the processes and practices for future projects. Business and IT stakeholders participating in the post-implementation review is a good practice, but it does not guarantee that the review was effective or that the outcomes were implemented. Post-implementation review being a formal phase in the system development life cycle (SDLC) is a requirement, but it does not ensure that the review was effective or that the outcomes were implemented. Internal audit follow-up being completed without any findings is a desirable result, but it does not indicate that the management’s post-implementation review was effectiveorthat the outcomes were implemented. References: CISA Review Manual (Digital Version), Chapter 3: Information Systems Acquisition, Development andImplementation, Section 3.2: Project Management Practices1

 An IT balanced scorecard is primarily used for measuring IT strategic performance. An IT balanced scorecard is a framework that translates the IT strategy into measurable objectives, indicators, targets, and initiatives across four perspectives: financial, customer, internal process, and learning and growth. An IT balanced scorecard helps to monitor and evaluate how well the IT function is delivering value to the organization, achieving its strategic goals, and improving its capabilities and competencies. The otheroptions are not the primary uses of an IT balanced scorecard, because they either focus on specific aspects of IT rather than the overall performance, or they are not directly related to the IT strategy. References: CISA Review Manual (Digital Version)1, Chapter 1, Section 1.2.3

A balanced scorecard is a framework that translates the IT strategy into measurable objectives, indicators, targets, and initiatives across four perspectives: financial, customer, internal process, and learning and growth. A balanced scorecard helps to monitor and evaluate how well the IT function is delivering value to the organization, achieving its strategic goals, and improving its capabilities and competencies. The other options are not the primary uses of a balanced scorecard, because they either focus on specific aspects of IT rather than the overall performance, or they are not directly related to the IT strategy.

The programmer having access to the production programs is a control weakness that would have contributed most to the problem of unauthorized changes to key fields in a payroll system report. This is because it violates the principle of segregation of duties, which requires that different individuals or groups perform different functions related to system development, testing, implementation, and operation. Allowing programmers to access production programs increases the risk of errors, fraud, or malicious actions that may compromise the integrity, availability, or confidentiality of the system or its data. The other options are not as significant as having access to production programs, as they relate to other aspects of system development or maintenance, such as user involvement in testing (which affects user satisfaction and acceptance), user requirements documentation (which affects system functionalityand quality), and payroll files control (which affects data security and accuracy). References: CISA Review Manual (Digital Version), Domain 3: Information Systems Acquisition, Development and Implementation, Section 3.2 Project Management Practices

 The primary reason to perform a risk assessment is to determine the current risk profile of the organization, which is the level of risk exposure and the likelihood and impact of potential threats. This will help the organization to identify and prioritize the risks that need to be addressed and to align the risk management strategy with the business objectives. A risk assessment may also help to achieve compliance, support the BIA, and allocate budget, but these are not the primary reasons. References: ISACA Glossary of Terms, section “risk assessment”

Due professional care is the obligation of an IS auditor to exercise the appropriate level of skill, competence, and diligence in performing an audit. It also requires the IS auditor to comply with the relevant standards, guidelines, and ethical principles of the profession. Completing an engagement by email only may compromise due professional care, as it may limit the IS auditor’s ability to obtain sufficient and appropriate evidence, to communicate effectively with the auditee and other stakeholders, and to perform adequate quality assurance and review procedures. The other options are not as relevant as due professional care, as they relate to specific aspects of an audit, such as proficiency (the knowledge and skills of the IS auditor), sufficient evidence (the quantity and quality of the audit evidence), and reporting (the presentation and communication of the audit results). References: CISA Review Manual (Digital Version), Domain 1: The Process of Auditing Information Systems, Section 1.2 ISACA IT Audit and Assurance Standards