
Common CISA Exam Traps and How to Avoid Them

Kamran Iqbal, CIA, CISA, CFE, CRMA | June 2026 | 8 min read
The Certified Information Systems Auditor exam is challenging not primarily because the underlying concepts are technically difficult, but because the questions are deliberately designed to test whether candidates approach problems from the right professional perspective. Candidates who know the material thoroughly but frame questions from the wrong angle consistently miss items they should get right. Understanding the common traps is as important as mastering the content itself.

The IS Auditor Perspective Trap

The most important principle for CISA questions is that they test knowledge from the perspective of an IS auditor — not an IT professional, not a security engineer, not a business analyst or operations manager. When a question asks what you should do in a specific situation, the correct answer is what a competent IS auditor would do, which is often different from what an IT professional or business manager would consider optimal.

The IS auditor perspective involves consistent priorities that appear throughout the examination: independence comes before helpfulness; risk-based thinking comes before procedural compliance; governance accountability comes before technical solution; and verified evidence comes before management representation. Questions that offer options ranging from "help management implement the solution" to "assess the controls and report findings to management" will almost always have the latter as the correct answer — because it reflects the auditor's role rather than the IT professional's role.

The "Best" Answer Trap

CISA questions typically ask for the "best" or "most important" action — not just a correct one. Multiple answer options may be technically accurate; the trap is selecting a correct action that is not the best action in the specific scenario described. Understanding the hierarchy of IS audit priorities helps navigate these questions: prevention is generally preferred over detection, detection over correction; governance oversight is generally more important than procedural compliance; addressing root cause is generally more valuable than addressing symptoms.

When multiple options appear reasonable, identify the option that reflects the highest-level governance priority. If one option involves reporting to the audit committee and another involves reporting to management, the audit committee option is usually preferred for significant findings — because the audit committee represents independent governance oversight. If one option involves implementing a control and another involves assessing whether a control is needed, assessment typically precedes implementation in the IS auditor's professional sequence.

The Risk vs. Control Confusion Trap

A common source of incorrect answers is confusing risk with control. CISA questions frequently present scenarios involving both, and the correct answer depends on correctly identifying whether the question is about a risk (a potential negative outcome, such as unauthorised changes reaching production) or a control (a mechanism to prevent or detect that outcome, such as segregation of duties between development and deployment). A question that asks for the "greatest risk" is not answered by naming a missing control, and a question that asks for the "most effective control" is not answered by restating the risk. Keeping this distinction clear when reading question stems prevents a significant category of errors that candidates make not from lack of knowledge but from imprecise reading.

The Compensating Control Trap

Questions about compensating controls are a consistent CISA examination topic and a frequent source of errors. The key principle is that a compensating control must provide risk mitigation equivalent to that of the primary control it replaces, achieved through a different mechanism (for example, detailed review of privileged-user activity logs where segregation of duties cannot be enforced in a small team). A control that reduces the risk somewhat but not to the level the primary control would provide is not a compensating control; the remaining exposure is residual risk that management must explicitly accept. Evaluate compensating control questions against this equivalence standard: if the described compensating control does not fully mitigate the risk the primary control would have addressed, it is inadequate regardless of how reasonable it sounds in isolation.

CISA exam success comes from internalising the IS auditor perspective so thoroughly that you approach every question from that viewpoint automatically. Candidates who are thinking "what would I do as an IT professional" rather than "what would a competent IS auditor do" will consistently be drawn toward the plausible wrong answer.

The Sequential Steps Trap

Many CISA questions involve scenarios where an auditor has discovered something during fieldwork and must decide what to do next. The trap is selecting an action that would eventually be appropriate but skips a required earlier step in the professional sequence. IS auditors assess before they recommend, verify before they conclude, and communicate informally before they report formally. Questions asking "what should the auditor do first?" or "what is the auditor's most appropriate next step?" require careful attention to the sequence, not just the destination.

Examination Strategy

The CISA exam consists of 150 questions to be completed in four hours, which allows a little over 90 seconds per question on average. Effective time management is essential: aim for roughly 90 seconds per question on the first pass, mark difficult questions for review, and revisit them with the remaining time rather than resolving them through prolonged deliberation during the initial pass. When genuinely uncertain between two options, apply the IS auditor perspective test: which option reflects what a professionally grounded IS auditor with appropriate independence and risk-based orientation would do? That question alone resolves the majority of close calls correctly.
