2024 CISA Exam Prep: Practice Tests & Study Materials, Certified Information Systems Auditor | SPOTO

Prepare for success in the Certified Information Systems Auditor® (CISA®) exam with SPOTO's comprehensive exam prep resources! As the gold standard for auditing, monitoring, and assessing IT and business systems, CISA certification validates your expertise in applying a risk-based approach to audit engagements. Our practice tests and study materials are meticulously designed to enhance your exam readiness. Dive into our collection of exam questions, sample questions, exam materials, and exam answers. Leverage our exam simulator and practice tests to refine your skills and boost your confidence for the exam. At SPOTO, we understand the importance of staying updated with emerging technologies. Our resources are tailored to equip you with the knowledge and skills needed to navigate complex audit scenarios in today's dynamic IT landscape. Prepare effectively and achieve success in your CISA exam with SPOTO's trusted exam prep resources!

Question #1
Function Point Analysis (FPA) provides an estimate of the size of an information system based only on the number and complexity of a system's inputs and outputs. True or false?
A. True
B. False
View answer
Correct Answer: C
Question #2
When reviewing an organization's strategic IT plan an IS auditor should expect to find:
A. an assessment of the fit of the organization's application portfolio with business objectives
B. actions to reduce hardware procurement cost
C. a listing of approved suppliers of IT contract resources
D. a description of the technical architecture for the organization's network perimeter security
View answer
Correct Answer: C
Question #3
To support an organization's goals, an IS department should have:
A. a low-cost philosophy
B. long- and short-range plans
C. leading-edge technology
D. plans to acquire new hardware and software
View answer
Correct Answer: B
Question #4
A technical lead who was working on a major project has left the organization. The project manager reports suspicious system activities on one of the servers that is accessible to the whole team. What would be of GREATEST concern if discovered during a forensic investigation?
A. Audit logs are not enabled for the system
B. A logon ID for the technical lead still exists
C. Spyware is installed on the system
D. A Trojan is installed on the system
View answer
Correct Answer: D
Question #5
Which of the following is the BEST method for determining the criticality of each application system in the production environment?
A. Interview the application programmers
B. Perform a gap analysis
C. Review the most recent application audits
D. Perform a business impact analysis
View answer
Correct Answer: A
Question #6
What is the BEST backup strategy for a large database with data supporting online sales?
A. Weekly full backup with daily incremental backup
B. Daily full backup
C. Clustered servers
D. Mirrored hard disks
View answer
Correct Answer: D
Question #7
Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?
A. Overlapping controls
B. Boundary controls
C. Access controls
D. Compensating controls
View answer
Correct Answer: A
Question #8
When auditing a proxy-based firewall, an IS auditor should:
A. verify that the firewall is not dropping any forwarded packets
B. review Address Resolution Protocol (ARP) tables for appropriate mapping between media access control (MAC) and IP addresses
C. verify that the filters applied to services such as HTTP are effective
D. test whether routing information is forwarded by the firewall
View answer
Correct Answer: C
Question #9
To ensure an organization is complying with privacy requirements, an IS auditor should FIRST review:
A. the IT infrastructure
B. organizational policies, standards and procedures
C. legal and regulatory requirements
D. the adherence to organizational policies, standards and procedures
View answer
Correct Answer: A
Question #10
An IS auditor finds out-of-range data in some tables of a database. Which of the following controls should the IS auditor recommend to avoid this situation?
A. Log all table update transactions
B. Implement before-and-after image reporting
C. Use tracing and tagging
D. Implement integrity constraints in the database
View answer
Correct Answer: A
Question #11
Which of the following recovery strategies is MOST appropriate for a business having multiple offices within a region and a limited recovery budget?
A. A hot site maintained by the business
B. A commercial cold site
C. A reciprocal arrangement between its offices
D. A third-party hot site
View answer
Correct Answer: B
Question #12
Which of the following is the BEST performance criterion for evaluating the adequacy of an organization's security awareness training?
A. Senior management is aware of critical information assets and demonstrates an adequate concern for their protection
B. Job descriptions contain clear statements of accountability for information security
C. In accordance with the degree of risk and business impact, there is adequate funding for security efforts
D. No actual incidents have occurred that have caused a loss or a public embarrassment
View answer
Correct Answer: C
Question #13
Which of the following would an IS auditor consider to be the MOST important to review when conducting a business continuity audit?
A. A hot site contracted and available as needed
B. A business continuity manual is available and current
C. Insurance coverage is adequate and premiums are current
D. Media backups are performed on a timely basis and stored offsite
View answer
Correct Answer: D
Question #14
The success of control self-assessment (CSA) highly depends on:
A. having line managers assume a portion of the responsibility for control monitoring
B. assigning staff managers the responsibility for building, but not monitoring, controls
C. the implementation of a stringent control policy and rule-driven controls
D. the implementation of supervision and the monitoring of controls of assigned duties
View answer
Correct Answer: B
Question #15
A financial institution that processes millions of transactions each day has a central communications processor (switch) for connecting to automated teller machines (ATMs). Which of the following would be the BEST contingency plan for the communications processor?
A. Reciprocal agreement with another organization
B. Alternate processor in the same location
C. Alternate processor at another network node
D. Installation of duplex communication links
View answer
Correct Answer: A
Question #16
The responsibility for authorizing access to application data should be with the:
A. data custodian
B. database administrator (DBA)
C. data owner
D. security administrator
View answer
Correct Answer: B
Question #17
In what way is a common gateway interface (CGI) MOST often used on a webserver?
A. Consistent way for transferring data to the application program and back to the user
B. Computer graphics imaging method for movies and TV
C. Graphic user interface for web design
D. Interface to access the private gateway domain
View answer
Correct Answer: B
Question #18
Which of the following fire suppression systems is MOST appropriate to use in a data center environment?
A. Wet-pipe sprinkler system
B. Dry-pipe sprinkler system
C. FM-200 system
D. Carbon dioxide-based fire extinguishers
View answer
Correct Answer: A
Question #19
Which of the following is the BEST method for preventing the leakage of confidential information in a laptop computer?
A. Encrypt the hard disk with the owner's public key
B. Enable the boot password (hardware-based password)
C. Use a biometric authentication device
D. Use two-factor authentication to logon to the notebook
View answer
Correct Answer: D
Question #20
Which of the following results in a denial-of-service attack?
A. Brute force attack
B. Ping of death
C. Leapfrog attack
D. Negative acknowledgement (NAK) attack
View answer
Correct Answer: C
Question #21
Establishing the level of acceptable risk is the responsibility of:
A. quality assurance management
B. senior business management
C. the chief information officer
D. the chief security officer
View answer
Correct Answer: C
Question #22
Which of the following is widely accepted as one of the critical components in networking management?
A. Configuration management
B. Topological mappings
C. Application of monitoring tools
D. Proxy server troubleshooting
View answer
Correct Answer: C
Question #23
The PRIMARY objective of implementing corporate governance by an organization's management is to:
A. provide strategic direction
B. control business operations
C. align IT with business
D. implement best practices
View answer
Correct Answer: B
Question #24
The MOST important success factor in planning a penetration test is:
A. the documentation of the planned testing procedure
B. scheduling and deciding on the timed length of the test
C. the involvement of the management of the client organization
D. the qualifications and experience of staff involved in the test
View answer
Correct Answer: B
Question #25
Which of the following refers to the collection of policies and procedures for implementing controls capable of restricting access to computer software and data files?
A. Binary access control
B. System-level access control
C. Logical access control
D. Physical access control
E.
F. None of the choices
View answer
Correct Answer: B
Question #26
In an online transaction processing system, data integrity is maintained by ensuring that a transaction is either completed in its entirety or not at all. This principle of data integrity is known as:
A. isolation
B. consistency
C. atomicity
View answer
Correct Answer: A
Question #27
Which of the following would be the BEST performance indicator for the effectiveness of an incident management program?
A. Incident alert meantime
B. Average time between incidents
C. Number of incidents reported
D. Incident resolution meantime
View answer
Correct Answer: A
Question #28
If the recovery time objective (RTO) increases:
A. the disaster tolerance increases
B. the cost of recovery increases
C. a cold site cannot be used
D. the data backup frequency increases
View answer
Correct Answer: D
Question #29
What would be the major purpose of a rootkit?
A. to hide evidence from system administrators
B. to encrypt files for system administrators
C. to corrupt files for system administrators
D. to hijack system sessions
E. None of the choices
View answer
Correct Answer: A
Question #30
Following best practices, formal plans for implementation of new information systems are developed during the:
A. development phase
B. design phase
D. deployment phase
View answer
Correct Answer: A
Question #31
The use of symmetric key encryption controls to protect sensitive data transmitted over a communications network requires that:
A. primary keys for encrypting the data be stored in encrypted form
B. encryption keys be changed only when a compromise is detected at both ends
C. encryption keys at one end be changed on a regular basis
D. public keys be stored in encrypted form
View answer
Correct Answer: C
Question #32
The Federal Information Processing Standards (FIPS) were developed by:
A. the United States Federal government
B. ANSI
C. ISO
D. IEEE
E. IANA
F. None of the choices
View answer
Correct Answer: A
Question #33
The cost of ongoing operations when a disaster recovery plan is in place, compared to not having a disaster recovery plan, will MOST likely:
A. increase
B. decrease
C. remain the same
D. be unpredictable
View answer
Correct Answer: A
Question #34
An IS auditor reviewing an organization's data file control procedures finds that transactions are applied to the most current files, while restart procedures use earlier versions. The IS auditor should recommend the implementation of:
A. source documentation retention
B. data file security
C. version usage control
D. one-for-one checking
View answer
Correct Answer: B
Question #35
When performing a database review, an IS auditor notices that some tables in the database are not normalized. The IS auditor should next:
A. recommend that the database be normalized
C. review the stored procedures
D. review the justification
View answer
Correct Answer: D
Question #36
The Federal Information Processing Standards (FIPS) are primarily for use by (Choose two.):
A. all non-military government agencies
B. US government contractors
C. all military government agencies
D.
E. None of the choices
View answer
Correct Answer: B
Question #37
Which of the following satisfies a two-factor user authentication?
A. Iris scanning plus fingerprint scanning
B. Terminal ID plus global positioning system (GPS)
C. A smart card requiring the user's PIN
D. User ID along with password
View answer
Correct Answer: B
Question #38
Which of the following is a practice that should be incorporated into the plan for testing disaster recovery procedures?
A. Invite client participation
B. Involve all technical staff
C. Rotate recovery managers
D. Install locally-stored backup
View answer
Correct Answer: D
Question #39
Which of the following typically consists of a computer, some real looking data and/or a network site that appears to be part of a production network but which is in fact isolated and well prepared?
A. honeypot
B. superpot
C. IDS
D. IPS
E. firewall
F. None of the choices
View answer
Correct Answer: A
Question #40
In the context of effective information security governance, the primary objective of value delivery is to:
A. optimize security investments in support of business objectives
B. implement a standard set of security practices
C. institute a standards-based solution
D. implement a continuous improvement culture
View answer
Correct Answer: D
Question #41
The BEST method of proving the accuracy of a system tax calculation is by:
A. detailed visual review and analysis of the source code of the calculation programs
B. recreating program logic using generalized audit software to calculate monthly totals
C. preparing simulated transactions for processing and comparing the results to predetermined results
D. automatic flowcharting and analysis of the source code of the calculation programs
View answer
Correct Answer: B
Question #42
An organization has been recently downsized. In light of this, an IS auditor decides to test logical access controls. The IS auditor's PRIMARY concern should be that:
A. all system access is authorized and appropriate for an individual's role and responsibilities
B. management has authorized appropriate access for all newly-hired individuals
C. only the system administrator has authority to grant or modify access to individuals
D. access authorization forms are used to grant or modify access to individuals
View answer
Correct Answer: A
Question #43
In an organization, the responsibilities for IT security are clearly assigned and enforced and an IT security risk and impact analysis is consistently performed. This represents which level of ranking in the information security governance maturity model?
A. Optimized
B. Managed
C. Defined
D. Repeatable
View answer
Correct Answer: D
Question #44
From a risk management point of view, the BEST approach when implementing a large and complex IT infrastructure is:
A. a big bang deployment after proof of concept
B. prototyping and a one-phase deployment
C. a deployment plan based on sequenced phases
D. to simulate the new infrastructure before deployment
View answer
Correct Answer: C
Question #45
Which of the following reduces the potential impact of social engineering attacks?
A. Compliance with regulatory requirements
B. Promoting ethical understanding
C. Security awareness programs
D. Effective performance incentives
View answer
Correct Answer: B
Question #46
An organization has a number of branches across a wide geographical area. To ensure that all aspects of the disaster recovery plan are evaluated in a cost effective manner, an IS auditor should recommend the use of a:
A. data recovery test
B. full operational test
C. posttest
D. preparedness test
View answer
Correct Answer: A
Question #47
Depending on the complexity of an organization's business continuity plan (BCP), the plan may be developed as a set of more than one plan to address various aspects of business continuity and disaster recovery. In such an environment, it is essential that:
A. each plan is consistent with one another
B. all plans are integrated into a single plan
C. each plan is dependent on one another
D. the sequence for implementation of all plans is defined
View answer
Correct Answer: D
Question #48
A live test of a mutual agreement for IT system recovery has been carried out, including a four-hour test of intensive usage by the business units. The test has been successful, but gives only partial assurance that the:
A. system and the IT operations team can sustain operations in the emergency environment
B. resources and the environment could sustain the transaction load
C. connectivity to the applications at the remote site meets response time requirements
D. workflow of actual business operations can use the emergency system in case of a disaster
View answer
Correct Answer: A
Question #49
Which of the following controls will MOST effectively detect the presence of bursts of errors in network transmissions?
A. Parity check
B. Echo check
C. Block sum check
D. Cyclic redundancy check
View answer
Correct Answer: D
Question #50
Which of the following intrusion detection systems (IDSs) will MOST likely generate false alarms resulting from normal network activity?
A. Statistical-based
B. Signature-based
C. Neural network
D. Host-based
View answer
Correct Answer: C
Question #51
Which of the following would be the MOST secure firewall system?
A. Screened-host firewall
B. Screened-subnet firewall
C. Dual-homed firewall
D. Stateful-inspection firewall
View answer
Correct Answer: A
Question #52
The PRIMARY purpose of reviewing the IT strategic plan is to identify risks that may:
A. limit the ability to deliver customer requirements
B. limit the organization’s ability to achieve its objectives
C. impact operational efficiency of the IT department
View answer
Correct Answer: C
Question #53
An IS auditor examining the configuration of an operating system to verify the controls should review the:
A. transaction logs
B. authorization tables
C. parameter settings
D. routing tables
View answer
Correct Answer: A
Question #54
Which of the following could be determined by entity-relationship diagram?
A. Links between data objects
B. How the system behaves as a consequence of external events
View answer
Correct Answer: C
Question #55
During the review of a business process reengineering project, the PRIMARY concern of an IS auditor is to determine whether the new business model:
A. is aligned with industry best practices
B. is aligned with organizational goals
C. leverages benchmarking results
D. meets its key performance measures
View answer
Correct Answer: A
Question #56
A structured walk-through test of a disaster recovery plan involves:
A. representatives from each of the functional areas coming together to go over the plan
B. all employees who participate in the day-to-day operations coming together to practice executing the plan
C. moving the systems to the alternate processing site and performing processing operations
D. distributing copies of the plan to the various functional areas for review
View answer
Correct Answer: A
Question #57
Sophisticated database systems provide many layers and types of security, including (Choose three.):
A. Access control
B. Auditing
C. Encryption
D. Integrity controls
E. Compression controls
View answer
Correct Answer: B
Question #58
Talking about biometric measurement, which of the following measures the percent of invalid users who are incorrectly accepted in?
A. failure to reject rate
B. false accept rate
C. false reject rate
D. failure to enroll rate
E. None of the choices
View answer
Correct Answer: ABCD
Question #59
Gimmes often work through:
A. SMS
B. IRC chat
C. email attachment
D. news
E. file download
F. None of the choices
View answer
Correct Answer: C
Question #60
Which of the following should be an IS auditor’s BEST recommendation to prevent installation of unlicensed software on employees’ company-provided devices?
A. Enforce audit logging of software installation activities
B. Restrict software installation authority to administrative users only
C. Implement software blacklisting
D. Remove unlicensed software from end-user devices
View answer
Correct Answer: A
Question #61
When conducting a penetration test of an IT system, an organization should be MOST concerned with:
A. the confidentiality of the report
B. finding all possible weaknesses on the system
C. restoring all systems to the original state
D. logging all changes made to the production system
View answer
Correct Answer: B
Question #62
The BEST overall quantitative measure of the performance of biometric control devices is:
A. false-rejection rate
B. false-acceptance rate
C. equal-error rate
D. estimated-error rate
View answer
Correct Answer: A
Question #63
When removing a financial application system from production, which of the following is MOST important?
A. Media used by the retired system has been sanitized
B. Data retained for regulatory purposes can be retrieved
C. End-user requests for changes are recorded and tracked
D. Software license agreements are retained
A. policies and procedures of the business area being audited
B. business process supported by the system
C. availability reports associated with the cloud-based system
D. architecture and cloud environment of the system
View answer
Correct Answer: A
Question #64
During maintenance of a relational database, several values of the foreign key in a transaction table of a relational database have been corrupted. The consequence is that:
A. the detail of involved transactions may no longer be associated with master data, causing errors when these transactions are processed
C. the database will immediately stop execution and lose more information
D. the database will no longer accept input data
View answer
Correct Answer: B
Question #65
Adopting a service-oriented architecture would MOST likely:
A. inhibit integration with legacy systems
B. compromise application software security
C. facilitate connectivity between partners
D. streamline all internal processes
View answer
Correct Answer: A
Question #66
An organization is planning to replace its wired networks with wireless networks. Which of the following would BEST secure the wireless network from unauthorized access?
A. Implement Wired Equivalent Privacy (WEP)
B. Permit access to only authorized Media Access Control (MAC) addresses
C. Disable open broadcast of service set identifiers (SSID)
D. Implement Wi-Fi Protected Access (WPA) 2
View answer
Correct Answer: D
Question #67
An IS auditor is reviewing the performance outcomes of controls in an agile development project. Which of the following would provide the MOST relevant evidence for the auditor to consider?
A. Progress report of outstanding work
B. Product backlog
C. Number of failed builds
D. Composition of the scrum team
View answer
Correct Answer: A
An IS auditor performing an audit of backup procedures observes that backup tapes are picked up weekly and stored offsite at a third-party hosting facility
A. Ensure that data is encrypted before leaving the facility
B. Ensure that the transport company obtains signatures for all shipments
C. Confirm that data is transported in locked tamper-evident containers
D. Confirm that data transfers are logged and recorded
View answer
Correct Answer: C
Question #68
An IS auditor finds that client requests were processed multiple times when received from different independent departmental databases, which are synchronized weekly. What would be the BEST recommendation?
A. Increase the frequency for data replication between the different department systems to ensure timely updates
B.
C. Change the application architecture so that common data is held in just one shared database for all departments
D. Implement reconciliation controls to detect duplicates before orders are processed in the systems
View answer
Correct Answer: A