← All Certifications ISACA

ISACA Certification Prep

Domain guides, practice questions, and exam strategies for ISACA credentials — CISM, CISA, CRISC, CDPSE, and CGEIT. Built for IT governance, audit, and risk management professionals.

150 questions · 4 hours

CISM — Certified Information Security Manager

The management-level credential for information security leaders. CISM is widely required for CISO, security director, and security manager roles. It focuses on governance, risk management, and programme management — not hands-on technical skills. Requires five years of information security work experience, including three years in information security management in at least three of the four domains.

Domain 1 · 17%

Information Security Governance

Establishing and maintaining an information security governance framework aligned to organisational objectives. Covers: security strategy development, security programme charter, organisational structure and roles, integration with enterprise governance (board and executive engagement), legal and regulatory compliance landscape, and security policy hierarchy (policy, standards, procedures, guidelines). Key concept: security governance vs. security management.

Domain 2 · 20%

Information Risk Management

Identifying and managing information risk in alignment with business objectives. Covers: risk identification and assessment methodologies (qualitative and quantitative), risk register maintenance, threat and vulnerability analysis, risk treatment options (accept, mitigate, transfer, avoid), residual risk management, risk appetite and tolerance definition, and third-party risk management integration.

Domain 3 · 33%

Information Security Program

Developing and managing an information security programme that supports business objectives. Covers: programme objectives and roadmap development, security controls framework (NIST CSF, ISO 27001, CIS Controls), security awareness and training programme design, security metrics and reporting (KPIs, KRIs), security architecture integration, third-party security management, and security programme budget management. Highest-weight domain — study thoroughly.

Domain 4 · 30%

Incident Management

Developing an incident management capability and responding to information security incidents. Covers: incident management plan development, incident classification and escalation criteria, crisis communication planning, evidence preservation and chain of custody, business continuity and disaster recovery integration, post-incident review and lessons learned, and regulatory notification obligations (GDPR 72-hour rule, SEC disclosure requirements, state breach notification laws).

CISM exam mindset

Like CISSP, CISM questions require a management perspective. When multiple answers look correct, select the one that:

  • Prioritises risk-based decision making over technical fixes
  • Aligns security decisions to business objectives first
  • Involves senior management or board engagement for strategic decisions
  • Chooses policy/governance responses before technical controls
  • Considers cost-effectiveness and proportionality (not "maximum security")
150 questions · 4 hours

CISA — Certified Information Systems Auditor

The leading credential for IT auditors, audit managers, and IT governance professionals. CISA validates the skills to audit, control, monitor, and assess information systems. Requires five years of professional experience in IS audit, control, or security. Three years of verified experience can be substituted with education or other certifications.

Domain 1 · 21%

Information System Auditing Process

ISACA IS audit standards and guidelines, audit planning and risk assessment, audit execution methodology (sampling, evidence gathering, testing), control evaluation, audit reporting and follow-up. Key: understanding the difference between compliance, substantive, and analytical audit procedures. CISA auditors follow ISACA's IS Audit Standards — ensure you know these.

Domain 2 · 17%

Governance & Management of IT

IT governance frameworks (COBIT, ISO 38500), IT strategy alignment with business goals, IT organisational structure and roles, IT policies and procedures audit, IT investment management, IT human resources management, IT performance monitoring, and IT-related laws and regulations relevant to audit.

Domain 3 · 12%

Information Systems Acquisition, Development & Implementation

Project management and governance audit, SDLC auditing (requirements, design, testing, UAT, go-live controls), change management controls, post-implementation review, and acquisition and vendor management audit (RFP process, contract controls, SLA monitoring).

Domain 4 · 23%

Information System Operations & Business Resilience

IT operations audit (job scheduling, incident management, problem management, capacity management), IT infrastructure audit (hardware, networks, databases), business continuity planning audit, disaster recovery audit (RTO/RPO validation, testing results), and environmental controls audit (physical security, power, HVAC).

Domain 5 · 27%

Protection of Information Assets

Information security governance audit, logical access controls audit (IAM, privileged access, authentication), network security audit (firewall rules, DMZ, encryption), data classification and handling audit, vulnerability management programme audit, and incident response capability audit. Highest-weight domain — prioritise in study plan.

150 questions · 4 hours

CRISC — Certified in Risk and Information Systems Control

The specialist credential for IT risk and control professionals. CRISC validates the skills to identify, assess, evaluate, and manage IT risk and implement appropriate controls. Requires three years of cumulative work experience in at least two CRISC domains, with at least one year in Domain 1 or Domain 2.

Domain 1 · 26%

Governance

Organisational governance and risk culture, risk appetite and tolerance definition, enterprise risk management (ERM) framework alignment (COSO ERM, ISO 31000), IT risk strategy development, risk ownership and accountability structures, and the role of the IT risk function within the three lines of defence model.

Domain 2 · 20%

IT Risk Assessment

Risk identification and scenario analysis, risk assessment methodologies (qualitative: likelihood/impact matrices; quantitative: ALE, ARO, SLE), threat modelling, vulnerability assessment integration with risk process, inherent risk vs residual risk calculation, and IT risk register development and maintenance.

Domain 3 · 32%

Risk Response and Reporting

Risk treatment selection and implementation, control design and evaluation (preventive, detective, corrective, compensating), control testing and assurance, risk reporting to senior management and boards (KRIs, heat maps, dashboards), management of risk exceptions, and emerging risk monitoring. Highest-weight domain.

Domain 4 · 22%

Information Technology and Security

IT concepts relevant to risk and control (infrastructure, applications, data, cloud), IT architecture and design risk considerations, cybersecurity risk (threat intelligence, vulnerability management, incident response from a risk perspective), and technology risk in the context of digital transformation and third-party systems.

120 questions · 3.5 hours

CDPSE — Certified Data Privacy Solutions Engineer

ISACA's technical privacy certification, distinct from legal/compliance privacy credentials. CDPSE focuses on implementing privacy by design, building privacy-enhancing technologies, and engineering privacy controls into systems and data pipelines. Requires two years of experience in privacy governance, privacy architecture, or data lifecycle management.

Domain 1 · 34%

Privacy Governance

Privacy frameworks and regulations (GDPR, CCPA/CPRA, LGPD, PIPL, APPI), privacy programme structure, privacy impact assessments (PIA/DPIA), records of processing activities (ROPA), data classification for privacy, privacy roles (DPO, Privacy Engineer, Data Steward), and privacy-by-design and privacy-by-default principles.

Domain 2 · 36%

Privacy Architecture

Privacy-enhancing technologies (PETs): differential privacy, homomorphic encryption, secure multi-party computation, federated learning, k-anonymity, and data masking/pseudonymisation. Identity and access management from a privacy perspective, consent management platform architecture, data minimisation design patterns, and privacy-preserving analytics. Highest-weight domain — highly technical.

Domain 3 · 30%

Data Lifecycle

Data inventory and mapping, data flow diagrams (DFD), data retention and destruction policies and technical implementation, cross-border data transfer mechanisms (Standard Contractual Clauses, Adequacy Decisions, Binding Corporate Rules), data subject rights implementation (right to access, right to erasure, right to portability), and data breach response engineering.

150 questions · 4 hours

CGEIT — Certified in the Governance of Enterprise IT

The senior governance credential for IT executives, CIOs, and governance professionals. CGEIT validates the skills to govern the use of IT to create value for the organisation. Requires five years of management, advisory, or assurance experience in IT governance. Less common than CISM or CISA but increasingly valued in board and executive governance contexts.

Domain 1 · 40%

Governance of Enterprise IT

IT governance frameworks (COBIT 2019, ISO/IEC 38500, ITIL), IT governance structures (board IT committees, IT steering committees), governance culture and behaviour, IT governance assurance, and integrating IT governance with enterprise governance. Largest domain — two of every five questions.

Domain 2 · 15%

IT Resources

IT resource management (people, processes, information, technology, infrastructure), IT human capital management, IT sourcing strategy (make/buy/outsource decisions), vendor management governance, IT financial management (budgeting, chargeback, TCO), and IT asset management.

Domain 3 · 26%

Benefits Realisation

IT investment portfolio management, business case development and approval, IT programme and project governance, value measurement and benefits tracking, IT performance management (balanced scorecard, KPIs), and post-implementation review processes.

Domain 4 · 19%

Risk Optimisation

Enterprise risk management integration with IT governance, risk appetite governance, IT risk culture, cybersecurity governance oversight (not operational), compliance governance, and resilience governance (BCM programme oversight).

CISM and CISA sample questions

Practice Questions — ISACA

ISACA questions are scenario-based and require prioritising governance and risk management decisions. Always choose the most risk-aligned, business-justified, and governance-appropriate answer.

1. (CISM) A new CISO has been hired at an organisation that has no formal information security programme. Which is the MOST important first step?

  • A) Deploy a SIEM solution to gain immediate visibility into threats
  • B) Perform a risk assessment to understand the organisation's risk posture
  • C) Implement ISO 27001 controls across all systems
  • D) Hire additional security staff to build the team
Answer: B A risk assessment is always the first step when establishing a security programme. It identifies what the organisation's actual risks are, which informs every subsequent decision — which controls to implement (C), what tools to deploy (A), and how to staff the function (D). Deploying tools or implementing frameworks without understanding organisational risk leads to misaligned investment. ISACA and CISM both emphasise risk-based decision making as the foundation of good governance.

2. (CISA) An IS auditor discovers that a company has implemented compensating controls for a control that failed. What should the auditor do FIRST?

  • A) Issue an immediate audit finding for the failed control
  • B) Evaluate whether the compensating controls adequately address the risk posed by the failed control
  • C) Recommend that the original control be reinstated immediately
  • D) Escalate to the audit committee without further investigation
Answer: B The auditor's first responsibility is to evaluate whether the compensating controls adequately mitigate the risk that the failed control was designed to address. If compensating controls are effective, the overall control objective may still be met. Issuing a finding (A) before evaluating compensating controls would be premature and potentially incorrect. ISACA's IS Audit Standards require evaluating the overall control environment, not just individual control failures in isolation.

3. (CRISC) An organisation is considering accepting a risk because the cost of mitigation exceeds the potential financial impact. Which action should the risk manager take NEXT?

  • A) Implement the cheapest available mitigation control regardless of effectiveness
  • B) Document the risk acceptance decision with business owner and senior management approval, and schedule periodic review
  • C) Transfer the risk to an insurance policy immediately
  • D) Ignore the risk as it has been assessed as too costly to address
Answer: B Risk acceptance is a valid and formal risk treatment option — but it must be documented, approved by the appropriate authority (business owner, senior management), and scheduled for periodic review since the risk environment changes. CRISC emphasises that "ignoring" risk (D) is never acceptable — formal acceptance with accountability is required. Risk transfer (C) may be appropriate but isn't the next action following an acceptance decision.
12-week programme

CISM Study Plan for Working Professionals

CISM requires management-level thinking more than technical knowledge. Most candidates need 150–250 study hours. This 12-week plan targets ~15 hours/week.

Weeks 1–3: Governance and Strategy

  • Domain 1 — Information Security Governance (2 weeks)
  • Review key frameworks: NIST CSF, ISO 27001, COBIT
  • Week 3: Domain 2 — Information Risk Management

Weeks 4–7: Programme and Incident Management

  • Week 4–5: Domain 3 — Information Security Programme (highest weight)
  • Week 6–7: Domain 4 — Incident Management
  • Study regulatory breach notification timelines (GDPR 72h, SEC, state laws)

Weeks 8–10: Practice and gaps

  • Week 8: First full-length practice exam (150 questions, 4 hours timed)
  • Week 9: Deep-dive on weakest two domains
  • Week 10: Management mindset drills — practise choosing the "most governance-aligned" answer

Weeks 11–12: Final preparation

  • Week 11: Two additional full-length practice exams; target ≥ 75%
  • Week 12: Review ISACA terminology (controls, KPIs, KRIs, risk appetite vs tolerance)
  • Exam day: Read all answer choices before selecting; think "what would a CISO advise?"

Free & reputable ISACA study resources

Study tools · Active recall · CISA / CISM / CRISC

Flashcards & Term-Matching Game

Active recall beats passive reading for long-term retention. Use the flashcards to drill definitions and the matching game to reinforce connections between concepts. Shuffle to mix domains and reset to start fresh. Keyboard navigation supported on flashcards.

Flashcard Deck — Key Terms

Loading flashcards… ensure JavaScript is enabled.

Term-Matching Game

Click a term on the left, then click its matching definition on the right. Correct pairs lock in green; wrong pairs flash red. Complete all pairs to advance to the next round.

Loading matching game… ensure JavaScript is enabled.

Speed Round — True or False

You have 10 seconds per statement. Answer TRUE or FALSE before the timer runs out. Build a combo multiplier for consecutive correct answers and beat your session high score.

Loading speed round… ensure JavaScript is enabled.

Fill in the Blank

Read the clue and type the missing term. One typo is forgiven for longer answers. Use the hint button if you're stuck — but it costs half the question's points.

Loading fill-in-the-blank… ensure JavaScript is enabled.

Domain Sprint — Categorise the Term

A term appears — click the correct exam domain it belongs to. Correct selections score 100 pts; wrong selections deduct 25 pts. Master domain knowledge before exam day.

Loading domain sprint… ensure JavaScript is enabled.

Explore other certification tracks

← All Certifications ISC2 Prep → Offensive Security →
CISM sample questions

Practice Questions — CISM & CISA

ISACA questions require a management and governance mindset. When faced with multiple plausible answers, select the one that demonstrates the most comprehensive risk management approach — not the most technically specific answer.

1. (CISM) The information security manager discovers that a business unit has deployed a cloud application without security review. What should be the FIRST course of action?

  • A) Immediately shut down the application
  • B) Conduct a risk assessment of the application and present findings to the business unit management
  • C) Report the business unit to executive leadership for policy violation
  • D) Perform a penetration test of the application
Answer: B The information security manager's first action should be to understand the risk by assessing the application, then engage the business unit through a collaborative approach. Immediately shutting it down (A) is disproportionate without knowing the risk level and disrupts business operations. Reporting to executive leadership (C) may be appropriate later, but first escalation is premature without a risk assessment. A penetration test (D) may be part of the assessment but is not the first action.

2. (CISM) Which metric BEST measures the effectiveness of an organisation's information security programme?

  • A) The number of security incidents detected
  • B) The percentage of systems patched within the SLA
  • C) The reduction in residual risk to an acceptable level aligned with risk appetite
  • D) The number of security policies approved by the board
Answer: C The ultimate measure of a security programme's effectiveness is whether it reduces and maintains residual risk within the organisation's defined risk appetite. The other options are activity metrics or output metrics — they measure effort, not outcome. Detecting more incidents (A) might indicate better detection capability or worse security posture — context is required. The CISM exam consistently rewards outcome-oriented, risk-based answers over activity-based ones.

3. (CISA) During an IS audit, an auditor discovers that developers have production database access. The IS manager argues this has always been the case and has never caused an issue. What should the auditor do?

  • A) Accept management's explanation and close the finding
  • B) Flag it as a finding — developer production access violates segregation of duties regardless of incident history
  • C) Recommend a penetration test to verify whether the access has been exploited
  • D) Escalate to the CISO without informing the IS manager
Answer: B Segregation of duties (SoD) is a fundamental control principle. Developers with production database access can modify data to conceal fraud or errors without detection — this is a control weakness regardless of whether an incident has occurred. The absence of detected incidents does not mean the risk has not materialised — it may mean fraud or errors were not detected. CISA auditors evaluate controls against standards, not outcomes.

4. (CRISC) An organisation's risk register shows 47 open risks. Leadership wants to know which risks to prioritise for immediate treatment. Which approach should be used?

  • A) Prioritise all risks rated "high" by likelihood
  • B) Prioritise risks whose residual risk exceeds the organisation's defined risk appetite
  • C) Treat all 47 risks simultaneously with equal resource allocation
  • D) Close risks that have existed in the register for more than 12 months without treatment
Answer: B Risks are prioritised based on how their residual risk (inherent risk minus control effectiveness) compares to the organisation's risk appetite. Risks exceeding appetite require immediate treatment. Risks within appetite may be accepted without additional investment. Using only likelihood (A) ignores impact magnitude. Treating all risks equally (C) misallocates scarce resources. Closing unaddressed risks (D) is inappropriate — they remain risks regardless of time in the register.

5. (CISM) A ransomware attack has encrypted data on 200 production servers. The incident response team has contained the attack. What is the NEXT step?

  • A) Pay the ransom to recover data as quickly as possible
  • B) Notify law enforcement immediately
  • C) Eradicate the malware and restore systems from verified clean backups following the incident response plan
  • D) Conduct a root cause analysis before restoring any systems
Answer: C After containment, the IR lifecycle proceeds to eradication (removing the malware and its persistence mechanisms) and recovery (restoring from clean backups). Paying the ransom (A) is a last resort that doesn't guarantee decryption and funds criminal activity. Law enforcement notification (B) may be required but is not the immediate operational priority after containment. Root cause analysis (D) is the lessons-learned phase — conducting it before recovery extends business disruption unnecessarily.

6. (CISM) An information security manager wants to ensure the security strategy remains aligned with business objectives. What is the MOST effective way to achieve this?

  • A) Require all departments to submit quarterly security risk reports
  • B) Integrate the information security programme into the enterprise risk management (ERM) framework and participate in strategic planning sessions
  • C) Implement a security framework such as NIST CSF and benchmark against industry peers
  • D) Conduct annual penetration tests and present results to the board
Answer: B True strategic alignment requires security to be embedded in business planning — not just reactive reporting. Participating in strategic planning ensures security requirements are considered when new initiatives are proposed, rather than bolted on afterwards. The ERM framework ensures security risk is evaluated on the same scale as operational, financial, and strategic risks, enabling consistent executive prioritisation. The other answers represent valuable activities but do not embed security into the strategic decision-making process.

7. (CISA) An IS auditor is reviewing an organisation's change management process. Which finding represents the GREATEST risk?

  • A) Emergency changes are documented retrospectively within 48 hours
  • B) Developers can move their own code into production without a separate approval and test cycle
  • C) Change records do not include the name of the approving manager for minor changes
  • D) Automated deployment scripts do not include rollback capability
Answer: B A developer who can promote their own code to production bypasses the segregation-of-duties control at the highest-risk point in the SDLC. This creates the opportunity for unauthorised or malicious code to be deployed without independent review, testing, or approval — the exact scenario that enabled fraud in numerous real-world cases (SolarWinds supply-chain attack, Knight Capital's fatal trading error). The other findings are documentation and procedure gaps — serious, but not as fundamentally compromising as missing SoD at the code promotion gate.

8. (CGEIT) The board of directors asks the IT governance committee what percentage of the IT budget should be allocated to cybersecurity. What is the BEST response?

  • A) 10% — the widely cited industry benchmark
  • B) Whatever amount matches the leading peer organisations in the sector
  • C) The amount necessary to reduce risk to within the board-approved risk appetite, as determined by risk assessment
  • D) As much as the CISO requests, since they are the security expert
Answer: C Security investment should be driven by risk, not arbitrary percentages. The appropriate investment is whatever is needed to bring residual risk within the board's approved risk appetite — determined by quantitative risk assessment. Benchmarks (A, B) provide context but cannot replace risk-based budgeting; an organisation facing sophisticated nation-state threats needs different investment from one facing commodity phishing. Option D cedes governance to the CISO — boards are accountable for risk oversight. This is a core CGEIT and CISM governance concept.
CDPSE sample questions

Practice Questions — CDPSE

CDPSE (Certified Data Privacy Solutions Engineer) is ISACA's only technical privacy credential — combining privacy governance with implementation engineering. Heavily tested topics: privacy by design, data lifecycle management, consent management, and cross-border data transfer mechanisms.

1. An organisation is designing a new customer data platform. Which Privacy by Design principle BEST ensures user data is collected only when strictly necessary?

  • A) End-to-End Security
  • B) Data Minimisation (Privacy Embedded into Design)
  • C) Visibility and Transparency
  • D) Respect for User Privacy
Answer: B Data minimisation — collecting only the data necessary for the specified purpose — is a Privacy by Design (PbD) principle and a GDPR Article 5 requirement (purpose limitation and data minimisation). Engineering implementations: optional vs required form fields, JIT collection (collect when needed, not in advance), automatic deletion when no longer needed, and pseudonymisation/anonymisation where the actual identity is not required. PbD's seven principles are heavily tested on CDPSE.

2. A multinational organisation transfers personal data from the EU to a subsidiary in a country without an adequacy decision. Which mechanism is MOST appropriate to establish a lawful basis for the transfer under GDPR?

  • A) Implicit consent through use of the service
  • B) Standard Contractual Clauses (SCCs) supplemented by a Transfer Impact Assessment (TIA)
  • C) Privacy notice on the company website
  • D) Encrypting data in transit
Answer: B GDPR Chapter V governs international transfers. Without an adequacy decision (Schrems II invalidated Privacy Shield; the EU-US Data Privacy Framework restored it for the US in July 2023), organisations rely on appropriate safeguards. The 2021 revised SCCs are the most common mechanism, combined with a documented Transfer Impact Assessment evaluating local surveillance laws and supplementary measures (encryption with customer-held keys, pseudonymisation, contractual protections). Binding Corporate Rules (BCRs) are an alternative for intra-group transfers.

3. An organisation processes user health data and wants to perform analytics while protecting individual identity. Which technique provides the STRONGEST irreversibility?

  • A) Tokenisation — replace identifiers with surrogate values stored in a vault
  • B) Pseudonymisation — replace identifiers with consistent random values
  • C) Anonymisation — irreversibly remove all identifying information so re-identification is not reasonably possible
  • D) Encryption with a strong key
Answer: C Anonymisation (GDPR Recital 26) removes data from the scope of data protection law because the individual is no longer identifiable. It is irreversible by design — no key, vault, or mapping table exists. Achieving true anonymisation is technically difficult; the EU's WP29 opinion 05/2014 identifies three risk vectors: singling out, linkability, and inference. Pseudonymisation (B) and tokenisation (A) remain personal data because they can be reversed with the key/mapping. Encryption (D) is reversible by definition.

4. A user submits a Data Subject Access Request (DSAR) under GDPR. The organisation must respond within what timeframe?

  • A) 72 hours
  • B) 14 days
  • C) 30 days from receipt (one calendar month), extendable by two additional months for complex requests with notification
  • D) 90 days
Answer: C GDPR Article 12(3): controllers must respond to data subject requests without undue delay and within one month of receipt. The period may be extended by two further months when necessary (complex or numerous requests), but the controller must inform the subject within the first month including reasons for delay. The 72-hour rule (A) applies to breach notification to supervisory authorities under Article 33 — different obligation. CDPSE candidates must distinguish DSAR timelines from breach timelines.

5. An organisation deploys a machine learning model that uses customer personal data. Which control is MOST important to satisfy GDPR Article 22 (automated decision-making)?

  • A) Inform users that ML is used and provide meaningful information about the logic; provide human review on request for significant decisions
  • B) Encrypt the model artifact
  • C) Use only synthetic training data
  • D) Limit the model to predictions about new customers
Answer: A GDPR Article 22 grants individuals the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Where such processing is permitted, controllers must implement safeguards: the right to obtain human intervention, to express their view, to contest the decision, and to receive meaningful information about the logic. The EU AI Act layers additional transparency, risk classification, and assessment requirements. CDPSE tests both the legal requirement and engineering implementation of explainable AI mechanisms.
Interactive · Timed · Fully explained

Interactive Practice Exam — CISA

Eighteen scenario-style items across the five CISA job-practice domains. The CISA exam is famous for testing JUDGEMENT — choosing between four plausibly correct answers based on the auditor's perspective. Every question walks through that reasoning explicitly, with citations to ISACA ITAF, COBIT, PCI DSS, ISO, and NIST.

Loading the interactive practice exam… If it does not load, ensure JavaScript is enabled.

Case study · Apply what you study

Real-World Walkthrough: The 2020 Wirecard Collapse & Audit Failure

Wirecard AG was a German DAX-30 payments processor that collapsed in June 2020 after admitting €1.9 billion of supposed trust-account cash did not exist. Auditor Ernst & Young had signed off for over a decade. The case is a textbook illustration of nearly every CISA domain — independence, evidence reliability, third-party assurance, segregation of duties, and governance.

Timeline

  • 2008–2018: Wirecard reports rapid growth in 'third-party acquiring' (TPA) operations in the Philippines, Singapore, and Dubai. Cash balances are allegedly held with trustee banks in escrow. EY confirms balances by reviewing audit-confirmation letters supplied via the trustee — never independently from the bank.
  • January 2019: Financial Times reports document forgery allegations from a Singapore whistleblower. Wirecard sues the FT. BaFin (the German regulator) opens an investigation — into the FT journalists for market manipulation, not Wirecard.
  • October 2019: Wirecard commissions a 'special audit' from KPMG. KPMG cannot verify the existence of €1 billion in TPA cash because the trustees refused to provide bank statements directly.
  • April 28, 2020: KPMG publishes a damning report — many transactions had 'no documentary evidence' that they were real. Wirecard's stock falls 26%.
  • June 18, 2020: EY refuses to sign the 2019 accounts. Wirecard admits €1.9 billion in trustee cash 'probably does not exist.' CEO Markus Braun is arrested. Stock falls 99%. Company files insolvency.
  • 2021–2024: EY Germany faces multiple lawsuits and a €500k+ professional sanction. Germany's audit oversight (APAS) finds EY breached due-care obligations. Braun's criminal trial concludes with a 2024 conviction.

Map to CISA domains

  • Domain 1 — IS Auditing Process: EY accepted audit confirmations RELAYED THROUGH the auditee instead of independently confirming with the trustee banks. CISA evidence hierarchy mandates direct independent confirmation as more reliable than auditee-supplied documents — exactly the standard that was breached.
  • Domain 1 — Professional Scepticism: Multiple red flags (whistleblowers, FT investigations, refusal to provide raw bank statements) over years should have triggered enhanced procedures. CISA Code of Professional Ethics requires due care and scepticism — not the trust the engagement team extended.
  • Domain 2 — Governance & IT Oversight: Wirecard's supervisory board had no audit-committee member with significant cybersecurity or payments-industry expertise. COBIT 2019 requires the board to have sufficient competence to oversee material risk.
  • Domain 3 — Acquisition & Development: Wirecard expanded by acquiring TPA partners with poor systems-integration controls. Acquisition due diligence (a CISA topic) should test the data-quality and reconciliation controls of the target — not just the financials.
  • Domain 4 — Operations: Cash reconciliation should be a daily automated control, not an annual audit confirmation. CISA expects auditors to TEST the reconciliation control, not just the year-end balance.
  • Domain 5 — Protection of Information Assets: SOX/equivalent ICFR controls require segregation between transaction initiation and approval. Wirecard reportedly had a small number of executives who could both originate and approve TPA payouts — a classic SoD violation hidden by lack of supporting evidence.

Five lessons CISA candidates must internalise

  1. Independent direct confirmation outranks auditee-relayed evidence — every time. If a trustee won't confirm directly, that is the audit finding.
  2. Whistleblower allegations + analyst short reports = expand procedures, not contract them. The CISA exam will frame this as a 'change in audit risk' scenario.
  3. Three-line model — operational management (1st), risk & compliance (2nd), internal audit (3rd) — must be independent in fact AND appearance. Reporting lines to the CFO are a known impairment.
  4. SOC 2 / ISAE 3402 reports on outsourced service providers are not optional for material processes. Wirecard's TPA partners had no Type II reports — that alone is a finding.
  5. Substantive AND compliance testing are required — Wirecard demonstrates the danger of relying solely on control testing without verifying the transactions themselves.

BaFin official Wirecard page → · German Bundestag Wirecard Inquiry Report →

Free & reputable only · Verified links

Helpful Materials — ISACA CISA / CISM / CRISC

Treat the ISACA Review Manual as the ground truth — the exam is written from it. Every other resource below is free and designed to drill, contextualise, or simplify what the Manual already covers.

Official & primary sources (all free)

Free practice questions

Free video & community

Adjacent free reference reading

Quick reference · Memorise before exam day

CISA Cheatsheet

High-frequency frameworks, formulas, and answer-pattern heuristics. The CISA exam rewards candidates who instantly recognise these labels.

Evidence reliability hierarchy (most → least)

  1. Auditor's direct observation & re-performance
  2. External independent confirmation (e.g., bank confirmation)
  3. Internal documents prepared/processed outside the audited function
  4. Auditor-prepared analysis from auditee data
  5. Auditee oral or written representations

Risk formulas

  • Risk = Threat × Vulnerability × Impact (or Asset Value)
  • ALE = SLE × ARO; SLE = Asset Value × Exposure Factor
  • Residual Risk = Inherent Risk − Control Effectiveness
  • Audit Risk = Inherent × Control × Detection Risk

DR test hierarchy (assurance ↑, risk ↑)

  1. Checklist (paperwork only)
  2. Walk-through / tabletop (discussion)
  3. Simulation (off-line role-play)
  4. Parallel (recovery site runs alongside primary)
  5. Full interruption (primary shut down — highest risk)

RPO vs RTO

  • RPO = max acceptable DATA LOSS (drives backup/replication frequency)
  • RTO = max acceptable DOWNTIME (drives recovery infrastructure choice)
  • MTD = Maximum Tolerable Downtime (RTO + WRT)
  • WRT = Work Recovery Time (re-keying / validation after restore)

SOC reports — pick the right one

  • SOC 1 — controls relevant to FINANCIAL reporting (SOX scope)
  • SOC 2 — controls over Security, Availability, Confidentiality, Processing Integrity, Privacy (Trust Service Criteria)
  • SOC 3 — public summary version of SOC 2
  • Type I — design of controls at a point in time
  • Type II — operating effectiveness over a period (6–12 months) — stronger

Sampling vocabulary

  • Attribute sampling — tests YES/NO compliance with a control
  • Variable sampling — tests dollar amounts / quantitative properties
  • Tolerable rate — maximum deviation the auditor will accept
  • Upper precision limit — observed rate + allowance for sampling risk; compare to tolerable rate
  • Sampling risk — risk that the sample mis-represents the population

CISA answer-pattern heuristics

  • When asked 'BEST', pick the answer that is INDEPENDENT, PROACTIVE, and RISK-BASED.
  • 'PRIMARY purpose' = the strategic, mission-aligned reason — not technical.
  • 'GREATEST concern' = the answer with the largest business impact + likelihood.
  • Process > person. Policy > ad-hoc. Preventive > detective > corrective.
  • Segregation of duties almost always trumps monitoring.

Three-line model

  • 1st line — Operational management owns risk & controls
  • 2nd line — Risk & compliance functions oversee
  • 3rd line — Internal audit provides independent assurance
  • External audit and regulators sit OUTSIDE the model.
Common questions

ISACA Certification FAQ

How hard is the CISM exam?

CISM is one of the harder management-level certifications. The exam has 150 questions in 4 hours. Questions are scenario-based and require thinking as a security manager — not a technical practitioner. The global pass rate is approximately 50–55%. Five years of work experience in information security management is required (with domain-specific waivers available for up to 2 years).

CISM vs CISSP — which should I get?

CISM (ISACA) is narrowly focused on security management, governance, and risk — preferred for CISOs and security programme managers. CISSP (ISC2) is broader, spanning both technical and managerial domains. Many senior professionals hold both. If your role is purely management/governance, start with CISM. If you want a credential spanning technical and management roles, CISSP is more versatile.

What is the CISA passing score?

CISA requires a scaled score of 450 or higher on a 200–800 scale. The exam covers five domains: IS Auditing Process (21%), Governance and Management of IT (17%), IS Acquisition, Development and Implementation (12%), IS Operations and Business Resilience (23%), and Protection of Information Assets (27%). CISA requires 5 years of IS audit, control, or security experience.

Who should pursue CRISC?

CRISC (Certified in Risk and Information Systems Control) is designed for IT and security professionals who identify, assess, and manage enterprise IT risk. It is particularly valued in GRC, internal audit, and enterprise risk management roles. CRISC requires 3 years of cumulative work experience in IT risk management and IS control across at least two CRISC domains.