CISA Certification Practice Questions & Mock Tests, Certified Information Systems Auditor | SPOTO

Elevate your CISA certification readiness with SPOTO's comprehensive practice questions and mock tests. Our meticulously crafted materials cover a wide range of topics, including sample questions, online exam questions, and full-length mock exams, ensuring you're thoroughly prepared for the real test. Identify knowledge gaps and reinforce key concepts through detailed explanations and performance analysis. Access regularly updated exam materials, including free test dumps and exam questions and answers, to stay aligned with the latest objectives. Simulate the actual testing environment with our realistic exam simulator, featuring timed practice tests. Unlock your auditing potential and achieve certification success with SPOTO's proven CISA practice resources.
Question #1
A local area network (LAN) administrator normally would be restricted from:
A. having end-user responsibilities
B. reporting to the end-user manager
C. having programming responsibilities
D. being responsible for LAN security administration
View answer
Correct Answer: C

Question #2
What is an initial step in creating a proper firewall policy?
A. Assigning access to users according to the principle of least privilege
B. Determining appropriate firewall hardware and software
C. Identifying network applications such as mail, web, or FTP servers
D. Configuring firewall access rules
View answer
Correct Answer: C
Question #3
An IS auditor should expect the responsibility for authorizing access rights to production data and systems to be entrusted to the:
A. process owners
B. system administrators
C. security administrator
D. data owners
View answer
Correct Answer: D
Question #4
Which of the following should be included in an organization's IS security policy?
A. A list of key IT resources to be secured
B. The basis for access authorization
C. Identity of sensitive security features
D. Relevant software security features
View answer
Correct Answer: B
Question #5
What would an IS auditor expect to find in the console log?
A. Evidence of password spoofing
B. System errors
C. Evidence of data copy activities
D. Evidence of password sharing
View answer
Correct Answer: B
Question #6
An IS auditor reviewing a new application for compliance with information privacy principles should be the MOST concerned with:
A. nonrepudiation
B. collection limitation
C. availability
D. awareness
View answer
Correct Answer: B
Question #7
In the process of evaluating program change controls, an IS auditor would use source code comparison software to:
A. examine source program changes without information from IS personnel
B. detect a source program change made between acquiring a copy of the source and the comparison run
C. confirm that the control copy is the current version of the production program
D. ensure that all changes made in the current source copy are detected
View answer
Correct Answer: A
Question #8
Which of the following BEST restricts users to those functions needed to perform their duties?
A. Application level access control
B. Data encryption
C. Disabling floppy disk drives
D. Network monitoring device
View answer
Correct Answer: A
Question #9
A company uses a bank to process its weekly payroll. Time sheets and payroll adjustment forms (e.g., hourly rate changes, terminations) are completed and delivered to the bank, which prepares checks (cheques) and reports for distribution. To BEST ensure payroll data accuracy:
A. payroll reports should be compared to input forms
B. gross payroll should be recalculated manually
C. checks (cheques) should be compared to input forms
D. checks (cheques) should be reconciled with output reports
View answer
Correct Answer: A
Question #10
Which of the following reduces the potential impact of social engineering attacks?
A. Compliance with regulatory requirements
B. Promoting ethical understanding
C. Security awareness programs
D. Effective performance incentives
View answer
Correct Answer: C
Question #11
An IS auditor is conducting a pre-implementation review to determine a new system’s production readiness. The auditor’s PRIMARY concern should be whether:
A. the project adhered to the budget and target date
B. users were involved in the quality assurance (QA) testing
C. there are unresolved high-risk items
D. benefits realization has been evidenced
View answer
Correct Answer: C
Question #12
During a security audit, an IS auditor is tasked with reviewing log entries obtained from an enterprise intrusion prevention system (IPS). Which type of risk would be associated with the potential for the auditor to miss a sequence of logged events that could indicate an error in the IPS configuration?
A. Inherent risk
B. Sampling risk
C. Control risk
D. Detection risk
View answer
Correct Answer: D
Question #13
The human resources (HR) department has developed a system to allow employees to enroll in benefits via a web site on the corporate Intranet. Which of the following would protect the confidentiality of the data?
A. SSL encryption
B. Two-factor authentication
C. Encrypted session cookies
D. IP address verification
View answer
Correct Answer: A
Question #14
The MOST likely explanation for a successful social engineering attack is:
A. that computers make logic errors
B. that people make judgment errors
C. the computer knowledge of the attackers
D. the technological sophistication of the attack method
View answer
Correct Answer: B
Question #15
Which of the following would MOST effectively reduce social engineering incidents?
A. Security awareness training
B. increased physical security measures
C. E-mail monitoring policy
D. intrusion detection systems
View answer
Correct Answer: A
Question #16
An IS auditor examining the configuration of an operating system to verify the controls should review the:
A. transaction logs
B. authorization tables
C. parameter settings
D. routing tables
View answer
Correct Answer: C
Question #17
The IS management of a multinational company is considering upgrading its existing virtual private network (VPN) to support voice-over IP (VoIP) communications via tunneling. Which of the following considerations should be PRIMARILY addressed?
A. Reliability and quality of service (QoS)
B. Means of authentication
C. Privacy of voice transmissions
D. Confidentiality of data transmissions
View answer
Correct Answer: A
Question #18
A database administrator has detected a performance problem with some tables which could be solved through denormalization. This situation will increase the risk of:
A. concurrent access
B. deadlocks
C. unauthorized access to data
D. a loss of data integrity
View answer
Correct Answer: D
Question #19
An IS auditor issues an audit report pointing out the lack of firewall protection features at the perimeter network gateway and recommends a vendor product to address this vulnerability. The IS auditor has failed to exercise:
A. professional independence
B. organizational independence
C. technical competence
D. professional competence
View answer
Correct Answer: A
Question #20
Which of the following would provide the BEST evidence of successfully completed batch uploads?
A. Sign-off on the batch journal
B. Using sequence controls
C. Enforcing batch cut-off times
D. Reviewing process logs
View answer
Correct Answer: A
Question #21
An IS auditor is performing a network security review of a telecom company that provides Internet connection services to shopping malls for their wireless customers. The company uses Wireless Transport Layer Security (WTLS) and Secure Sockets Layer (SSL) technology for protecting their customer's payment information. The IS auditor should be MOST concerned if a hacker:
A. compromises the Wireless Application Protocol (WAP) gateway
B. installs a sniffing program in front of the server
C. steals a customer's PDA
D. listens to the wireless transmission
View answer
Correct Answer: A
Question #22
When an employee is terminated from service, the MOST important action is to:
A. hand over all of the employee's files to another designated employee
B. complete a backup of the employee's work
C. notify other employees of the termination
D. disable the employee's logical access
View answer
Correct Answer: D
Question #23
When reviewing an organization's approved software product list, which of the following is the MOST important thing to verify?
A. The risks associated with the use of the products are periodically assessed
B. The latest version of software is listed for each product
C. Due to licensing issues the list does not contain open source software
D. After hours’ support is offered
View answer
Correct Answer: A
Question #24
Which of the following BEST describes the role of a directory server in a public key infrastructure (PKI)?
A. Encrypts the information transmitted over the network
B. Makes other users' certificates available to applications
C. Facilitates the implementation of a password policy
D. Stores certificate revocation lists (CRLs)
View answer
Correct Answer: B
Question #25
A company requires that all program change requests (PCRs) be approved and all modifications be automatically logged. Which of the following IS audit procedures will BEST determine whether unauthorized changes have been made to production programs?
A. Review a sample of PCRs for proper approval throughout the program change process
B. Trace a sample of program changes from the log to completed PCR forms
C. Use source code comparison software to determine whether any changes have been made to a sample of programs since the last audit date
D. Trace a sample of complete PCR forms to the log of all program changes
View answer
Correct Answer: B
Question #26
During the requirements definition phase for a database application, performance is listed as a top priority. To access the DBMS files, which of the following technologies should be recommended for optimal I/O performance?
A. Storage area network (SAN)
B. Network Attached Storage (NAS)
C. Network file system (NFS v2)
D. Common Internet File System (CIFS)
View answer
Correct Answer: A
Question #27
Which of the following presents an inherent risk with no distinct identifiable preventive controls?
A. Piggybacking
B. Viruses
C. Data diddling
D. Unauthorized application shutdown
View answer
Correct Answer: C
Question #28
When reviewing procedures for emergency changes to programs, the IS auditor should verify that the procedures:
A. allow changes, which will be completed using after-the-fact follow-up
B. allow undocumented changes directly to the production library
C. do not allow any emergency changes
D. allow programmers permanent access to production programs
View answer
Correct Answer: A
Question #29
To ensure compliance with a security policy requiring that passwords be a combination of letters and numbers, an IS auditor should recommend that:
A. the company policy be changed
B. passwords are periodically changed
C. an automated password management tool be used
D. security awareness training is delivered
View answer
Correct Answer: C
Question #30
An IS auditor is performing a post-implementation review of a system deployed two years ago. Which of the following findings should be of MOST concern to the auditor?
A. Maintenance costs were not included in the project lifecycle costs
B. Benefits as stated in the business case have not been realized
C. Workarounds due to remaining defects had to be used longer than anticipated
D. The system has undergone several change requests to further extend functionality
View answer
Correct Answer: B
Question #31
During a postimplementation review of an enterprise resource management system, an IS auditor would MOST likely:
A. review access control configuration
B. evaluate interface testing
C. review detailed design documentation
D. evaluate system testing
View answer
Correct Answer: A
Question #33
Sam is the security manager of a financial institution. Senior management has requested that he perform a risk analysis on all critical vulnerabilities reported by an IS auditor. After completing the risk analysis, Sam has observed that for a few of the risks, the cost-benefit analysis shows that the risk mitigation cost (countermeasures, controls, or safeguards) is more than the potential loss that could be incurred. What kind of strategy should Sam recommend to senior management to treat these risks?
A. Risk Mitigation
B. Risk Acceptance
C. Risk Avoidance
D. Risk transfer
View answer
Correct Answer: B
Question #34
An information security policy stating that 'the display of passwords must be masked or suppressed' addresses which of the following attack methods?
A. Piggybacking
B. Dumpster diving
C. Shoulder surfing
D. Impersonation
View answer
Correct Answer: C
Question #35
Which of the following is MOST important for an IS auditor to review when evaluating the effectiveness of an organization’s incident response process?
A. Past incident response actions
B. Incident response staff experience and qualifications
C. Results from management testing of incident response procedures
D. Incident response roles and responsibilities
View answer
Correct Answer: C
Question #36
A virtual private network (VPN) provides data confidentiality by using:
A. Secure Sockets Layer (SSL)
B. Tunneling
C. Digital signatures
D. Phishing
View answer
Correct Answer: B
Question #37
Which of the following would MOST effectively control the usage of universal storage bus (USB) storage devices?
A. Policies that require instant dismissal if such devices are found
B. Software for tracking and managing USB storage devices
C. Administratively disabling the USB port
D. Searching personnel for USB storage devices at the facility's entrance
View answer
Correct Answer: C
Question #38
The PRIMARY objective of service-level management (SLM) is to:
A. define, agree, record and manage the required levels of service
B. ensure that services are managed to deliver the highest achievable level of availability
C. keep the costs associated with any service at a minimum
D. monitor and report any legal noncompliance to business management
View answer
Correct Answer: A
Question #39
Which of the following procedures would MOST effectively detect the loading of illegal software packages onto a network?
A. The use of diskless workstations
B. Periodic checking of hard drives
C. The use of current antivirus software
D. policies that result in instant dismissal if violated
View answer
Correct Answer: B
Question #40
When conducting a review of security incident management, an IS auditor found there are no defined escalation processes. All incidents are managed by the service desk. Which of the following should be the auditor’s PRIMARY concern?
A. Inefficient use of service desk resources
B. Management’s lack of awareness of high-impact incidents
C. Delays in resolving low priority trouble tickets
D. Management’s inability to follow up on incident resolution
View answer
Correct Answer: B
Question #41
Which of the following controls will MOST effectively detect the presence of bursts of errors in network transmissions?
A. Parity check
B. Echo check
C. Block sum check
D. Cyclic redundancy check
View answer
Correct Answer: D
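The question above turns on why a cyclic redundancy check beats a parity check for burst errors. The following Python script is an added illustration, not part of the SPOTO material: it computes a per-byte even-parity check and a CRC-32 (the standard library's zlib.crc32) over a constructed payload, injects bursts of flipped bits, and reports which check notices the damage. The sample payload and burst positions are made up for the demonstration.

```python
import zlib


def byte_parities(data: bytes) -> list:
    """Even-parity bit per byte: 1 when the byte has an odd number of set bits."""
    return [bin(b).count("1") & 1 for b in data]


def flip_burst(data: bytes, start_bit: int, length: int) -> bytes:
    """Return a copy of `data` with `length` consecutive bits flipped, starting at
    `start_bit` (bit 0 is the most significant bit of byte 0)."""
    buf = bytearray(data)
    for bit in range(start_bit, start_bit + length):
        byte_index, bit_in_byte = divmod(bit, 8)
        buf[byte_index] ^= 0x80 >> bit_in_byte
    return bytes(buf)


def parity_detects(original: bytes, corrupted: bytes) -> bool:
    """Parity only changes when a byte has an odd number of flipped bits,
    so a 2-bit burst inside one byte slips through."""
    return byte_parities(original) != byte_parities(corrupted)


def crc_detects(original: bytes, corrupted: bytes) -> bool:
    """CRC-32 detects every burst of up to 32 bits regardless of alignment."""
    return zlib.crc32(original) != zlib.crc32(corrupted)


def compare_checks(data: bytes, start_bit: int, length: int) -> dict:
    """Inject one burst and report which check notices it."""
    corrupted = flip_burst(data, start_bit, length)
    return {
        "parity": parity_detects(data, corrupted),
        "crc": crc_detects(data, corrupted),
    }


# Constructed sample payload; its content is irrelevant to the checks.
SAMPLE = b"PAYROLL BATCH 0042: 1500.00"

if __name__ == "__main__":
    for start, length in ((3, 1), (8, 2), (14, 4)):
        print(f"burst at bit {start}, length {length}: "
              f"{compare_checks(SAMPLE, start, length)}")
```

A single flipped bit is caught by both checks; a two-bit burst inside one byte, or a four-bit burst straddling two bytes with two flips in each, leaves every parity bit unchanged while the CRC still differs.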
Question #42
An organization is implementing a new system to replace a legacy system. Which of the following conversion practices creates the GREATEST risk?
A. Pilot
B. Parallel
C. Direct cutover
D. Phased
View answer
Correct Answer: C
Question #43
Which of the following would prevent unauthorized changes to information stored in a server's log?
A. Write-protecting the directory containing the system log
B. Writing a duplicate log to another server
C. Daily printing of the system log
D. Storing the system log in write-once media
View answer
Correct Answer: D
Question #44
The PRIMARY objective of a logical access control review is to:
A. review access controls provided through software
B. ensure access is granted per the organization's authorities
C. walk through and assess the access provided in the IT environment
D. provide assurance that computer hardware is adequately protected against abuse
View answer
Correct Answer: B
Question #45
Which of the following are BEST suited for continuous auditing?
A. Manual transactions
B. Irregular transactions
C. Low-value transactions
D. Real-time transactions
View answer
Correct Answer: D
Question #46
Which of the following is the BEST way to satisfy a two-factor user authentication?
A. A smart card requiring the user's PIN
B. User ID along with password
C. Iris scanning plus fingerprint scanning
D. A magnetic card requiring the user's PIN
View answer
Correct Answer: A
Question #47
During an audit of an organization’s incident management process, an IS auditor learns that the security operations team includes detailed reports of recent attacks in its communications to employees. Which of the following is the GREATEST concern with this situation?
A. Employees may fail to understand the severity of the threats
B. The reports may be too complex for a nontechnical audience
C. Employees may misuse the information in the reports
D. There is not a documented procedure to communicate the reports
View answer
Correct Answer: C
Question #48
To ensure authentication, confidentiality and integrity of a message, the sender should encrypt the hash of the message with the sender's:
A. public key and then encrypt the message with the receiver's private key
B. private key and then encrypt the message with the receiver's public key
C. public key and then encrypt the message with the receiver's public key
D. private key and then encrypt the message with the receiver's private key
View answer
Correct Answer: B
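To make the key roles in the question above concrete, here is an added Python example (not from the SPOTO material) that walks through option B end to end: the sender signs the SHA-256 hash with the sender's private key, then encrypts both message and signature with the receiver's public key; the receiver decrypts with its own private key and checks the signature with the sender's public key. It uses textbook RSA built from Mersenne primes purely so that it runs with the standard library; the key sizes, the message "Approve PCR-0042 ..." and the forged variant are all constructed for the demonstration, and real systems use padded RSA (PSS/OAEP) or hybrid encryption rather than raw exponentiation.

```python
import hashlib

E = 65537  # public exponent shared by both keypairs


def keypair(p: int, q: int):
    """Textbook RSA key generation from two primes (illustration only)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # private exponent (modular inverse, Python 3.8+)
    return (n, E), (n, d)  # (public, private)


# Mersenne primes (2^k - 1 for k = 107, 127, 521, 607), chosen so each modulus
# can hold a SHA-256 digest and a short message as an integer. The receiver's
# modulus is deliberately larger than the sender's so a signature value always
# fits under it. Toy keys: no padding, no hybrid encryption, not for real use.
SENDER_PUB, SENDER_PRIV = keypair((1 << 127) - 1, (1 << 521) - 1)
RECEIVER_PUB, RECEIVER_PRIV = keypair((1 << 107) - 1, (1 << 607) - 1)


def digest(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Encrypt the hash with the sender's PRIVATE key: only its holder can do this."""
    n, d = private_key
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone with the sender's PUBLIC key can confirm the hash matches."""
    n, e = public_key
    return pow(signature, e, n) == digest(message)


def rsa_encrypt(value: int, public_key) -> int:
    n, e = public_key
    assert 0 <= value < n, "value must be smaller than the modulus"
    return pow(value, e, n)


def rsa_decrypt(ciphertext: int, private_key) -> int:
    n, d = private_key
    return pow(ciphertext, d, n)


def send(message: bytes, sender_priv, receiver_pub) -> tuple:
    """Option B: sign with the sender's private key, then encrypt message and
    signature with the receiver's public key (confidentiality)."""
    signature = sign(message, sender_priv)
    m = int.from_bytes(message, "big")
    return rsa_encrypt(m, receiver_pub), rsa_encrypt(signature, receiver_pub), len(message)


def receive(envelope, receiver_priv, sender_pub) -> tuple:
    """Decrypt with the receiver's private key, then check authenticity and
    integrity with the sender's public key. Returns (message, signature_valid)."""
    c_msg, c_sig, length = envelope
    message = rsa_decrypt(c_msg, receiver_priv).to_bytes(length, "big")
    signature = rsa_decrypt(c_sig, receiver_priv)
    return message, verify(message, signature, sender_pub)


MESSAGE = b"Approve PCR-0042 for production release"  # constructed sample


def demo() -> dict:
    envelope = send(MESSAGE, SENDER_PRIV, RECEIVER_PUB)
    genuine = receive(envelope, RECEIVER_PRIV, SENDER_PUB)
    # An attacker also holds RECEIVER_PUB, so they can encrypt a substitute
    # message, but without SENDER_PRIV they cannot produce a matching signature.
    forged_text = b"Approve PCR-0666 for production release"
    forged = (rsa_encrypt(int.from_bytes(forged_text, "big"), RECEIVER_PUB),
              envelope[1], len(forged_text))
    return {"genuine": genuine, "forged": receive(forged, RECEIVER_PRIV, SENDER_PUB)}


if __name__ == "__main__":
    for label, (text, ok) in demo().items():
        print(f"{label}: {text!r} signature_valid={ok}")
```

The forged envelope decrypts cleanly (the attacker used the correct public key) but fails verification, which is exactly why the hash must be signed with the sender's private key rather than its public key.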
Question #49
When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected on the network?
A. Use the IP address of an existing file server or domain controller
B. Pause the scanning every few minutes to allow thresholds to reset
C. Conduct the scans during evening hours when no one is logged-in
D. Use multiple scanning tools since each tool has different characteristics
View answer
Correct Answer: B
Question #50
Which of the following BEST ensures the integrity of a server's operating system?
A. Protecting the server in a secure location
B. Setting a boot password
C. Hardening the server configuration
D. Implementing activity logging
View answer
Correct Answer: C
Question #51
Which of the following reports should an IS auditor use to check compliance with a service level agreements (SLA) requirement for uptime?
A. Utilization reports
B. Hardware error reports
C. System logs
D. Availability reports
View answer
Correct Answer: D
Question #52
When developing a formal enterprise security program, the MOST critical success factor (CSF) would be the:
A. establishment of a review board
B. creation of a security unit
C. effective support of an executive sponsor
D. selection of a security process owner
View answer
Correct Answer: C
Question #53
What topology provides the greatest redundancy of routes and the greatest network fault tolerance?
A. A star network topology
B. A mesh network topology with packet forwarding enabled at each host
C. A bus network topology
D. A ring network topology
View answer
Correct Answer: B
Question #54
An IS auditor is conducting a review of a healthcare organization’s IT policies for handling medical records. Which of the following is MOST important to verify?
A. A documented policy approval process is in place
B. Policy writing standards are consistent
C. The policies comply with regulatory requirements
D. IT personnel receive ongoing policy training
View answer
Correct Answer: C
Question #55
When using an integrated test facility (ITF), an IS auditor should ensure that:
A. production data are used for testing
B. test data are isolated from production data
C. a test data generator is used
D. master files are updated with the test data
View answer
Correct Answer: B
Question #56
A benefit of quality of service (QoS) is that the:
A. entire network's availability and performance will be significantly improved
B. telecom carrier will provide the company with accurate service-level compliance reports
C. participating applications will have guaranteed service levels
D. communications link will be supported by security controls to perform secure online transactions
View answer
Correct Answer: C
Question #57
When segregation of duties concerns exist between IT support staff and end users, what would be a suitable compensating control?
A. Restricting physical access to computing equipment
B. Reviewing transaction and application logs
C. Performing background checks prior to hiring IT staff
D. Locking user sessions after a specified period of inactivity
View answer
Correct Answer: B
Question #58
An IS auditor finds that client requests were processed multiple times when received from different independent departmental databases, which are synchronized weekly. What would be the BEST recommendation?
A. increase the frequency for data replication between the different department systems to ensure timely updates
B. Centralize all request processing in one department to avoid parallel processing of the same request
C. Change the application architecture so that common data are held in just one shared database for all departments
D. implement reconciliation controls to detect duplicates before orders are processed in the systems
View answer
Correct Answer: C
Question #59
Which of the following should an IS auditor determine FIRST when evaluating additional hardware required to support the acquisition of a new accounting system?
A. A training program has been developed to support the new accounting system
B. The supplier has experience supporting accounting systems
C. The hardware specified will be compliant with the current IT strategy
D. The hardware will be installed in a secure and environmentally controlled area
View answer
Correct Answer: C
Question #60
Which of the following is the MOST important determining factor when establishing appropriate timeframes for follow-up activities related to audit findings?
A. Peak activity periods for the business
B. Remediation dates included in management responses
C. Availability of IS audit resources
D. Complexity of business processes identified in the audit
View answer
Correct Answer: B
Question #61
A company has decided to implement an electronic signature scheme based on public key infrastructure. The user's private key will be stored on the computer's hard drive and protected by a password. The MOST significant risk of this approach is:
A. use of the user's electronic signature by another person if the password is compromised
B. forgery by using another user's private key to sign a message with an electronic signature
C. impersonation of a user by substitution of the user's public key with another person's public key
D. forgery by substitution of another person's private key on the computer
View answer
Correct Answer: A
Question #62
The purpose of code signing is to provide assurance that:
A. the software has not been subsequently modified
B. the application can safely interface with another signed application
C. the signer of the application is trusted
D. the private key of the signer has not been compromised
View answer
Correct Answer: A
Question #63
Which of the following is an analytical review procedure for a payroll system?
A. Performing penetration attempts on the payroll system
B. Evaluating the performance of the payroll system, using benchmarking software
C. Performing reasonableness tests by multiplying the number of employees by the average wage rate
D. Testing hours reported on time sheets
View answer
Correct Answer: C
Question #64
Which of the following is NOT an example of preventive control?
A. Physical access control like locks and door
B. User login screen which allows only authorize user to access website
C. Encrypt the data so that only authorize user can view the same
D. Duplicate checking of a calculations
View answer
Correct Answer: D
Question #65
An organization developed a comprehensive three-year IT strategic plan. Halfway into the plan, a major legislative change impacting the organization is enacted. Which of the following should be management’s NEXT course of action?
A. Develop specific procedural documentation related to the changed legislation
B. Assess the legislation to determine whether changes are required to the strategic IT plan
C. Perform a risk management of the legislative changes
D. Develop a new IT strategic plan that encompasses the new legislation
View answer
Correct Answer: B
Question #66
Which of the following aspects of symmetric key encryption influenced the development of asymmetric encryption?
A. Processing power
B. Volume of data
C. Key distribution
D. Complexity of the algorithm
View answer
Correct Answer: C
Question #67
The BEST filter rule for protecting a network from being used as an amplifier in a denial of service (DoS) attack is to deny all:
A. outgoing traffic with IP source addresses external to the network
B. incoming traffic with discernible spoofed IP source addresses
C. incoming traffic with IP options set
D. incoming traffic to critical hosts
View answer
Correct Answer: A
Question #68
An IS audit manager has been asked to perform a quality review on an audit that the same manager also supervised. Which of the following is the manager’s BEST response to this situation?
A. Notify the audit committee of the situation
B. Escalate the situation to senior audit leadership
C. Determine whether audit evidence supports audit conclusions
D. Discuss with the audit team to understand how conclusions were reached
View answer
Correct Answer: B
Question #69
An organization has outsourced its help desk. Which of the following indicators would be the best to include in the SLA?
A. Overall number of users supported
B. Percentage of incidents solved in the first call
C. Number of incidents reported to the help desk
D. Number of agents answering the phones
View answer
Correct Answer: B
Question #70
Minimum password length and password complexity verification are examples of:
A. detection controls
B. control objectives
C. audit objectives
D. control procedures
View answer
Correct Answer: D
Question #71
During a change control audit of a production system, an IS auditor finds that the change management process is not formally documented and that some migration procedures failed. What should the IS auditor do next?
A. Recommend redesigning the change management process
B. Gain more assurance on the findings through root cause analysis
C. Recommend that program migration be stopped until the change process is documented
D. Document the finding and present it to management
View answer
Correct Answer: B
Question #72
When evaluating the controls of an EDI application, an IS auditor should PRIMARILY be concerned with the risk of:
A. excessive transaction turnaround time
B. application interface failure
C. improper transaction authorization
D. no validated batch totals
View answer
Correct Answer: C
Question #73
Which of the following will help detect changes made by an intruder to the system log of a server?
A. Mirroring the system log on another server
B. Simultaneously duplicating the system log on a write-once disk
C. Write-protecting the directory containing the system log
D. Storing the backup of the system log offsite
View answer
Correct Answer: B
Question #74
Which of the following observations would an IS auditor consider the GREATEST risk when conducting an audit of a virtual server farm for potential software vulnerabilities?
A. The hypervisor is updated quarterly
B. Guest operating systems are updated monthly
C. Antivirus software has been implemented on the guest operating system only
D. A variety of guest operating systems operate on one virtual server
View answer
Correct Answer: A
Question #75
An IS auditor is reviewing the physical security measures of an organization. Regarding the access card system, the IS auditor should be MOST concerned that:
A. nonpersonalized access cards are given to the cleaning staff, who use a sign-in sheet but show no proof of identity
B. access cards are not labeled with the organization's name and address to facilitate easy return of a lost card
C. card issuance and rights administration for the cards are done by different departments, causing unnecessary lead time for new cards
D. the computer system used for programming the cards can only be replaced after three weeks in the event of a system failure
View answer
Correct Answer: A
Question #76
A firewall is being deployed at a new location. Which of the following is the MOST important factor in ensuring a successful deployment?
A. Reviewing logs frequently
B. Testing and validating the rules
C. Training a local administrator at the new location
D. Sharing firewall administrative duties
View answer
Correct Answer: B
Question #77
An IS auditor examining a biometric user authentication system establishes the existence of a control weakness that would allow an unauthorized individual to update the centralized database on the server that is used to store biometric templates. Of the following, which is the BEST control against this risk?
A. Kerberos
B. Vitality detection
C. Multimodal biometrics
D. Before-image/after-image logging
View answer
Correct Answer: D
Question #78
Audit management has just completed the annual audit plan for the upcoming year, which consists entirely of high-risk processes. However, it is determined that there are insufficient resources to execute the plan. What should be done NEXT?
A. Remove audits from the annual plan to better match the number of resources available
B. Reduce the scope of the audits to better match the number of resources available
C. Present the annual plan to the audit committee and ask for more resources
D. Review the audit plan and defer some audits to the subsequent year
View answer
Correct Answer: C
Question #79
What is the PRIMARY benefit to executive management when audit, risk, and security functions are aligned?
A. More efficient incident handling
B. Reduced number of assurance reports
C. More effective decision making
D. More timely risk reporting
View answer
Correct Answer: C
Question #80
Sign-on procedures include the creation of a unique user ID and password. However, an IS auditor discovers that in many cases the username and password are the same. The BEST control to mitigate this risk is to:
A. change the company's security policy
B. educate users about the risk of weak passwords
C. build in validations to prevent this during user creation and password change
D. require a periodic review of matching user ID and passwords for detection and correction
View answer
Correct Answer: C
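Questions #29, #70 and #80 all describe the same preventive control: validation built into account creation and password change so that a weak password never gets stored. The Python function below is an added example, not from the SPOTO material, of such a validation routine. It enforces the letters-plus-numbers rule from #29, a minimum length as in #70, and rejects passwords equal to or containing the user ID as in #80; the minimum length of 12, the sample user "jsmith" and the small denylist are assumptions made for the demonstration.

```python
import re

# Constructed denylist standing in for a real breached-password feed.
COMMON_PASSWORDS = {"password1", "welcome1", "letmein123", "qwerty123"}


def check_password(user_id: str, password: str, min_length: int = 12) -> list:
    """Return the list of policy violations; an empty list means accept.
    Meant to run at user creation and at every password change."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("must contain both letters and numbers")

    # Compare case-insensitively so "JSmith" is not accepted for user "jsmith".
    uid, pw = user_id.casefold(), password.casefold()
    if pw == uid:
        problems.append("password equals user ID")
    elif uid and uid in pw:
        problems.append("password contains the user ID")
    if pw in COMMON_PASSWORDS:
        problems.append("password is on the common-password denylist")
    return problems


def is_acceptable(user_id: str, password: str) -> bool:
    return not check_password(user_id, password)


if __name__ == "__main__":
    for candidate in ("jsmith", "JSmith2024!!x", "welcome1", "correct-horse-42-battery"):
        print(f"{candidate!r}: {check_password('jsmith', candidate) or 'OK'}")
```

The function returns every violation rather than stopping at the first, so the user (or the audit trail) sees the full reason a value was rejected; the detective alternative in option D would only find such passwords after they had already been in use.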
Question #81
An organization provides information to its supply chain partners and customers through an extranet infrastructure. Which of the following should be the GREATEST concern to an IS auditor reviewing the firewall security architecture?
A. A Secure Sockets Layer (SSL) has been implemented for user authentication and remote administration of the firewall
B. Firewall policies are updated on the basis of changing requirements
C. inbound traffic is blocked unless the traffic type and connections have been specifically permitted
D. The firewall is placed on top of the commercial operating system with all installation options
View answer
Correct Answer: D
Question #82
Which of the following is a general operating system access control function?
A. Creating database profiles
B. Verifying user authorization at a field level
C. Creating individual accountability
D. Logging database access activities for monitoring access violation
View answer
Correct Answer: B
Question #83
Reevaluation of risk is MOST critical when there is:
A. resistance to the implementation of mitigating controls
B. a change in security policy
C. a management request for updated security reports
D. a change in the threat landscape
View answer
Correct Answer: A
Question #84
When auditing a quality assurance plan, an IS auditor should be MOST concerned if the:
A. quality assurance function is separate from the programming function
B. SDLC is coupled with the quality assurance plan
C. quality assurance function is periodically reviewed by internal audit
D. scope of quality assurance activities is undefined
View answer
Correct Answer: D
Question #85
To assist an organization in planning for IT investments, an IS auditor should recommend the use of:
A. project management tools
B. an object-oriented architecture
C. tactical planning
D. enterprise architecture (EA)
View answer
Correct Answer: B
Question #86
During a human resources (HR) audit, an IS auditor is informed that there is a verbal agreement between the IT and HR departments as to the level of IT services expected. In this situation, what should the IS auditor do FIRST?
A. Postpone the audit until the agreement is documented
B. Report the existence of the undocumented agreement to senior management
C. Confirm the content of the agreement with both departments
D. Draft a service level agreement (SLA) for the two departments
View answer
Correct Answer: B
Question #87
In a small organization, developers may release emergency changes directly to production. Which of the following will BEST control the risk in this situation?
A. Approve and document the change the next business day
B. Limit developer access to production to a specific timeframe
C. Obtain secondary approval before releasing to production
D. Disable the compiler option in the production machine
View answer
Correct Answer: B
Question #88
Which of the following is a control over component communication failure/errors?
A. Restricting operator access and maintaining audit trails
B. Monitoring and reviewing system engineering activity
C. Providing network redundancy
D. Establishing physical barriers to the data transmitted over the network
View answer
Correct Answer: A
Question #89
An IS auditor is involved with a project and finds an IT project stakeholder wants to make a change that could affect both the project scope and schedule. Which of the following would be the MOST appropriate action for the project manager with respect to the change request?
A. Recommend to the project sponsor whether to approve the change
B. Modify the project plan as a result of the change
C. Evaluate the impact of the change
D. Ignore out-of-scope requests
View answer
Correct Answer: C
Question #90
An IS auditor notes that IDS log entries related to port scanning are not being analyzed. This lack of analysis will MOST likely increase the risk of success of which of the following attacks?
A. Denial-of-service
B. Replay
C. Social engineering
D. Buffer overflow
View answer
Correct Answer: C
Question #91
A large insurance company is about to replace a major financial application. Which of the following is the IS auditor's PRIMARY focus when conducting the pre-implementation review?
A. Procedure updates
B. Migration of data
C.
A. Monitor and notify IT staff of critical patches
B. Evaluate patch management training
C. Perform regular audits on the implementation of critical patches
D. Assess the patch management process
View answer
Correct Answer: C
Question #92
When evaluating whether the expected benefits of a project have been achieved, it is MOST important for an IS auditor to review:
A. post-implementation issues
B. quality assurance results
C. the project schedule
D. the business case
View answer
Correct Answer: D
Question #93
Which of the following would an IS auditor consider to be the MOST helpful when evaluating the effectiveness and adequacy of a computer preventive maintenance program?
A. A system downtime log
B. Vendors' reliability figures
C. Regularly scheduled maintenance log
D. A written preventive maintenance schedule
View answer
Correct Answer: C