CISA Certifications Practice Tests 2024 Updated, Certified Information Systems Auditor | SPOTO

Prepare for your Certified Information Systems Auditor® (CISA®) certification with SPOTO's updated practice tests for 2024! As the gold standard for auditing, monitoring, and assessing IT and business systems, CISA certification validates your expertise in applying a risk-based approach to audit engagements. Our practice tests cover a wide range of exam questions, sample questions, online exam questions, and mock exams, ensuring you are fully prepared for the certification exam. Leverage our exam materials, exam answers, and exam simulator to enhance your exam practice and preparation. Achieve success and showcase your expertise with SPOTO's professional and comprehensive CISA certification exam prep resources. Start your journey to becoming a Certified Information Systems Auditor® today!

Question #1
Who is responsible for the overall direction, costs, and timetables for systems-development projects?
A. The project sponsor
B. The project steering committee
C. Senior management
D. The project team leader
View answer
Correct Answer: A

Question #2
An IS auditor has completed a service level management audit related to order management services provided by a third party. Which of the following is the MOST significant finding?
A. The third party has offshore support arrangements
B. Penalties for missing service levels are limited
C. The service level agreement does not define how availability is measured
D. Service desk support is not available outside the company’s business hours
View answer
Correct Answer: C
Question #3
Which of the following is a detective control?
A. Procedures for authorizing transactions
B. Echo checks in telecommunications
C. A router rule restricting a service
D. Programmed edit checks
View answer
Correct Answer: B
Question #4
A substantive test to verify that tape library inventory records are accurate is:
A. determining whether bar code readers are installed
B. determining whether the movement of tapes is authorized
C. conducting a physical count of the tape inventory
D. checking if receipts and issues of tapes are accurately recorded
View answer
Correct Answer: A
Question #5
Which of the following is a mechanism for mitigating risks?
A. Security and control practices
B. Property and liability insurance
C. Audit and certification
D. Contracts and service level agreements (SLAs)
View answer
Correct Answer: B
Question #6
John has been hired to fill a new position as IS auditor at a well-known financial institution. He has been assigned to complete an IS audit of a critical financial system. Which of the following should be the first step John performs during IS audit planning?
A. Perform risk assessment
B. Determine the objective of the audit
C. Gain an understanding of the business process
D. Assign the personnel resource to audit
View answer
Correct Answer: D
Question #7
Which of the following BEST reduces the likelihood of leakage of private information via email?
A. Strong user authentication protocols
B. Email encryption
C. Prohibition on the personal use of email
D. User awareness training
View answer
Correct Answer: B
Question #8
An information security team has discovered that users are sharing a login account to an application with sensitive information, in violation of the access policy. Business management indicates that the practice creates operational efficiencies. The information security manager’s BEST course of action should be to:
A. modify the policy
B. present the risk to senior management
C. enforce the policy
D. create an exception for the deviation
View answer
Correct Answer: C
Question #9
Following the discovery of inaccuracies in a data warehouse, an organization has implemented data profiling, cleansing, and handling filters to enhance the quality of data obtained from connected sources. Which type of control has been applied?
A. Preventive control
B. Corrective control
C. Compensating control
D. Detective control
View answer
Correct Answer: B
Question #10
When auditing the IT governance of an organization planning to outsource a critical financial application to a cloud vendor, the MOST important consideration for the auditor should be:
A. the cost of the outsourced system
B. the inclusion of a service termination clause
C. alignment with industry standards
D. alignment with business requirements
View answer
Correct Answer: B
Question #11
Which of the following is the GREATEST concern associated with control self-assessments?
A. Employees may have insufficient awareness of controls
B. Controls may not be assessed objectively
C. Communication between operational management and senior management may not be effective
D. The assessment may not provide sufficient assurance to stakeholders
View answer
Correct Answer: B
Question #12
Which of the following IS audit findings should be of GREATEST concern when preparing to migrate to a new core system using a direct cut-over?
A. Incomplete test cases for some critical reports
B. Informal management approval to go live
C. Lack of a rollback strategy for the system go-live
D. Plans to use some workarounds for an extended period after go-live
View answer
Correct Answer: A
Question #13
Which of the following is the MOST likely reason an organization would use Platform as a Service (PaaS)?
A. To operate third-party hosted applications
B. To install and manage operating systems
C. To establish a network and security architecture
D. To develop and integrate its applications
View answer
Correct Answer: B
Question #14
An IS auditor is reviewing access to an application to determine whether the 10 most recent “new user” forms were correctly authorized. This is an example of:
A. variable sampling
B. substantive testing
D. stop-or-go sampling
View answer
Correct Answer: D
Question #15
What type of risk is associated with authorized program exits (trap doors)?
A. Business risk
B. Audit risk
C. Detective risk
D. Inherent risk
View answer
Correct Answer: A
Question #16
Which of the following is the MOST important function to be performed by IS management when a service has been outsourced?
A. Ensuring that invoices are paid to the provider
B. Participating in systems design with the provider
C. Renegotiating the provider's fees
D. Monitoring the outsourcing provider's performance
View answer
Correct Answer: B
Question #17
Which of the following is a management technique that enables organizations to develop strategically important systems faster, while reducing development costs and maintaining quality?
A. Function point analysis
B. Critical path methodology
C. Rapid application development
D. Program evaluation review technique
View answer
Correct Answer: C
Question #18
Which of the following should be performed immediately after a computer security incident has been detected and analyzed by an incident response team?
A. Assess the impact of the incident on critical systems
B. Categorize the incident
C. Eradicate the component that caused the incident
D. Contain the incident before it spreads
View answer
Correct Answer: B
Question #19
Which of the following BEST limits the impact of server failures in a distributed environment?
A. Redundant pathways
B. Clustering
C. Dial backup lines
D. Standby power
View answer
Correct Answer: D
Question #20
What should be a security manager’s PRIMARY objective in the event of a security incident?
A. Identify the source of the breach and how it was perpetrated
B. Contain the threat and restore operations in a timely manner
C. Ensure that normal operations are not disrupted
D. Identify lapses in operational control effectiveness
View answer
Correct Answer: D
Question #21
Which of the following is MOST likely to be included in an enterprise information security policy?
A. Password composition requirements
B. Consequences of noncompliance
C. Audit trail review requirements
D. Security monitoring strategy
View answer
Correct Answer: D
Question #22
Risk analysis is not always possible because the IS auditor is attempting to calculate risk using nonquantifiable threats and potential losses. In this event, a _________________ risk assessment is more appropriate. Fill in the blanks.
A. Quantitative; qualitative
B. Qualitative; quantitative
C.
D. Quantitative; subjective
View answer
Correct Answer: A
Question #23
Change control for business application systems being developed using prototyping could be complicated by the:
A. iterative nature of prototyping
B. rapid pace of modifications in requirements and design
C. emphasis on reports and screens
D. lack of integrated tools
View answer
Correct Answer: A
Question #24
Which of the following weaknesses would have the GREATEST impact on the effective operation of a perimeter firewall?
A. Ad-hoc monitoring of firewall activity
B. Potential back doors to the firewall software
C. Misconfiguration on the firewall rules
D. Use of stateful firewalls with default configuration
View answer
Correct Answer: C
Question #25
The phases and deliverables of a system development life cycle (SDLC) project should be determined:
A. during the initial planning stages of the project
B. after early planning has been completed, but before work has begun
C. throughout the work stages, based on risks and exposures
D. only after all risks and exposures have been identified and the IS auditor has recommended appropriate controls
View answer
Correct Answer: B
Question #26
The PRIMARY purpose for meeting with auditees prior to formally closing a review is to:
A. confirm that the auditors did not overlook any important issues
B. gain agreement on the findings
C. receive feedback on the adequacy of the audit procedures
D. test the structure of the final presentation
View answer
Correct Answer: D
Question #27
What is the primary security concern for EDI environments?
A. Transaction authentication
B. Transaction completeness
C. Transaction accuracy
D. Transaction authorization
View answer
Correct Answer: D
Question #28
An organization has made a strategic decision to split into separate operating entities to improve profitability. However, the IT infrastructure remains shared between the entities. Which of the following would BEST help to ensure that IS audit still covers key risk areas within the IT environment as part of its annual plan?
A. Increasing the frequency of risk-based IS audits for each business entity
B. Revising IS audit plans to focus on IT changes introduced after the split
C. Conducting an audit of newly introduced IT policies and procedures
D. Developing a risk-based plan considering each entity’s business processes
View answer
Correct Answer: D
Question #29
Which of the following cloud computing service models provides a way to rent operating systems, storage and network capacity over the Internet?
A. Software as a service
B. Data as a service
C. Platform as a service
D. Infrastructure as a service
View answer
Correct Answer: D
Question #30
Which of the following is the GREATEST concern with conducting penetration testing on an internally developed application in the production environment?
A. The testing could create application availability issues
B. The testing may identify only known operating system vulnerabilities
C. The issues identified during the testing may require significant remediation efforts
View answer
Correct Answer: B
Question #31
Which of the following would be the MOST important information to include in a business case for an information security project in a highly regulated industry?
A. Industry comparison analysis
B. Critical audit findings
C. Compliance risk assessment
D. Number of reported security incidents
View answer
Correct Answer: A
Question #32
An IS steering committee should:
A. include a mix of members from different departments and staff levels
B. ensure that IS security policies and procedures have been executed properly
C. have formal terms of reference and maintain minutes of its meetings
D. be briefed about new trends and products at each meeting by a vendor
View answer
Correct Answer: B
Question #33
Which of the following is the MOST important driver when developing an effective information security strategy?
A. Security audit reports
B. Benchmarking reports
C. Information security standards
D. Compliance requirements
View answer
Correct Answer: B
Question #34
The editing/validation of data entered at a remote site would be performed MOST effectively at the:
A. central processing site after running the application system
B. central processing site during the running of the application system
C. remote processing site after transmission of the data to the central processing site
D. remote processing site prior to transmission of the data to the central processing site
View answer
Correct Answer: A
Question #35
Which of the following could an IS auditor recommend to improve the estimated resources required in system development?
A. Business areas involvement
B. Prototyping
C. Function point analysis
D. CASE tools
View answer
Correct Answer: B
Question #36
Following a recent acquisition, an information security manager has been requested to address the outstanding risk reported early in the acquisition process. Which of the following would be the manager’s BEST course of action?
A. Perform a vulnerability assessment of the acquired company’s infrastructure
B. Re-evaluate the risk treatment plan for the outstanding risk
C. Re-assess the outstanding risk of the acquired company
D. Add the outstanding risk to the acquiring organization’s risk registry
View answer
Correct Answer: C
Question #37
The information in the knowledge base can be expressed in several ways. Which of the following ways uses questionnaires to lead the user through a series of choices until a conclusion is reached?
A. Decision tree
B. Rules
C. Semantic nets
D. Knowledge interface
View answer
Correct Answer: A
Question #38
Which of the following would BEST assist an information security manager in gaining strategic support from executive management?
A. Research on trends in global information security breaches
B. Risk analysis specific to the organization
C. Annual report of security incidents within the organization
D. Rating of the organization’s security based on international standards
View answer
Correct Answer: A
Question #39
An organization has developed mature risk management practices that are followed across all departments. What is the MOST effective way for the audit team to leverage this risk management maturity?
A. Facilitating audit risk identification and evaluation workshops
B. Implementing risk responses on management’s behalf
C. Providing assurances to management regarding risk
D. Integrating the risk register for audit planning purposes
View answer
Correct Answer: C
Question #40
Effective IT governance will ensure that the IT plan is consistent with the organization's:
A. business plan
B. audit plan
C. security plan
D. investment plan
View answer
Correct Answer: D
Question #41
The objective of concurrency control in a database system is to:
A. restrict updating of the database to authorized users
B. prevent integrity problems when two processes attempt to update the same data at the same time
C. prevent inadvertent or unauthorized disclosure of data in the database
View answer
Correct Answer: D
Question #42
Which of the following would be an INAPPROPRIATE activity for a network administrator?
A. Analyzing network security incidents
B. Prioritizing traffic between subnets
C. Modifying a router configuration
D. Modifying router log files
View answer
Correct Answer: B
Question #43
A validated patch to address a new vulnerability that may affect a mission-critical server has been released. What should be done immediately?
A. Add mitigating controls
B. Check the server’s security and install the patch
C. Conduct an impact analysis
D. Take the server off-line and install the patch
View answer
Correct Answer: D
Question #44
Which of the following should an IS auditor review to understand project progress in terms of time, budget and deliverables for early detection of possible overruns and for projecting estimates at completion (EACs)?
A. Function point analysis
B. Earned value analysis
C. Cost budget
D. Program Evaluation and Review Technique
View answer
Correct Answer: C
Question #45
Normally, it would be essential to involve which of the following stakeholders in the initiation stage of a project?
A. System owners
B. System users
C. System designers
D. System builders
View answer
Correct Answer: C
Question #46
The MOST important reason why an IT risk assessment should be updated on a regular basis is to:
A. utilize IT resources in a cost-effective manner
B. comply with data classification changes
C. comply with risk management policies
D. react to changes in the IT environment
View answer
Correct Answer: C
Question #47
Within a security governance framework, which of the following is the MOST important characteristic of the information security committee? The committee:
A. conducts frequent reviews of the security policy
B. includes a mix of members from all levels of management
C. has a clearly defined charter and meeting protocols
D. has established relationships with external professionals
View answer
Correct Answer: B
Question #48
When reviewing a hardware maintenance program, an IS auditor should assess whether:
A. the schedule of all unplanned maintenance is maintained
B. it is in line with historical trends
C. it has been approved by the IS steering committee
D. the program is validated against vendor specifications
View answer
Correct Answer: B
Question #49
When reviewing IS strategies, an IS auditor can BEST assess whether the IS strategy supports the organization’s business objectives by determining if IS:
A. has all the personnel and equipment it needs
B. plans are consistent with management strategy
C. uses its equipment and personnel efficiently and effectively
D. has sufficient excess capacity to respond to changing directions
View answer
Correct Answer: D
Question #50
The directory system of a database-management system describes:
A. The access method to the data
B. The location of data AND the access method
C. The location of data
D. Neither the location of data NOR the access method
View answer
Correct Answer: B
Question #51
Which of the following will BEST ensure that a proper cutoff has been established to reinstate transactions and records to their condition just prior to a computer system failure?
A. Maintaining system console logs in electronic format
B. Ensuring bisynchronous capabilities on all transmission lines
C. Using a database management system (DBMS) to dynamically back-out partially processed transactions
D. Rotating backup copies of transaction files offsite
View answer
Correct Answer: C
Question #52
An organization has performance metrics to track how well IT resources are being used, but there has been little progress on meeting the organization’s goals. Which of the following would be MOST helpful to determine the underlying reason?
A. Conducting a root cause analysis
B. Re-evaluating organizational goals
C. Re-evaluating key performance indicators (KPIs)
D. Conducting a business impact analysis (BIA)
View answer
Correct Answer: C
Question #53
The decision to accept an IT control risk related to data quality should be the responsibility of the:
A. information security team
B. chief information officer
C. business owner
D. IS audit manager
View answer
Correct Answer: B
Question #54
Which of the following is the dominating objective of BCP and DRP?
A. To protect human life
B. To mitigate the risk and impact of a business interruption
C. To eliminate the risk and impact of a business interruption
D. To transfer the risk and impact of a business interruption
View answer
Correct Answer: B
Question #55
Which of the following represents the GREATEST potential risk in an EDI environment?
A. Transaction authorization
B. Loss or duplication of EDI transmissions
C. Transmission delay
D. Deletion or manipulation of transactions prior to or after establishment of application controls
View answer
Correct Answer: A
Question #56
An organization is using a single account shared by personnel for its social networking marketing page. Which of the following is the BEST method to maintain accountability over the account?
A. Reviewing access rights on a periodic basis
B. Integrating the account with a single sign-on
C. Regular monitoring of proxy server logs
D. Implementing an account password check-out process
View answer
Correct Answer: B
Question #57
A small organization is experiencing rapid growth and plans to create a new information security policy. Which of the following is MOST relevant to creating the policy?
A. Industry standards
B. The business impact analysis
C. The business objectives
D. Previous audit recommendations
View answer
Correct Answer: C
Question #58
To create a digital signature in a message using asymmetric encryption, it is necessary to:
A. first use a symmetric algorithm for the authentication sequence
B. encrypt the authentication sequence using a public key
C. transmit the actual digital signature in unencrypted clear text
D. encrypt the authentication sequence using a private key
View answer
Correct Answer: C
Question #59
Which of the following exposures associated with the spooling of sensitive reports for offline printing should an IS auditor consider to be the MOST serious?
A. Sensitive data can be read by operators
B. Data can be amended without authorization
C. Unauthorized report copies can be printed
D. Output can be lost in the event of system failure
View answer
Correct Answer: C
Question #60
Which of the following INCORRECTLY describes the layer functions of the LAN or WAN Layer of the TCP/IP model?
A. Combines packets into bytes and bytes into frames
B. Provides logical addressing which routers use for path determination
C. Provides addressing to media using MAC addresses
D. Performs only error detection
View answer
Correct Answer: B
Question #61
To help ensure the accuracy and completeness of end-user computing output, it is MOST important to include strong:
A. reconciliation controls
B. change management controls
C. access management controls
D. documentation controls
View answer
Correct Answer: A
Question #62
Which of the following is the BEST way to detect software license violations?
A. Implementing a corporate policy on copyright infringements and software use
B. Requiring that all PCs be diskless workstations
C. Installing metering software on the LAN so applications can be accessed through the metered software
D. Regularly scanning PCs in use to ensure that unauthorized copies of software have not been loaded on the PC
View answer
Correct Answer: S
Question #63
When planning to add personnel to tasks imposing time constraints on the duration of a project, which of the following should be revalidated FIRST?
A. The project budget
B. The critical path for the project
C. The length of the remaining tasks
D. The personnel assigned to other tasks
View answer
Correct Answer: B
Question #64
A company is planning to implement a new administrative system at many sites. The new system contains four integrated modules. Which of the following implementation approaches would be MOST appropriate?
A. Parallel implementation module by module
B. Pilot run of the new system
C. Full implementation of the new system
D. Parallel run at all locations
View answer
Correct Answer: C
Question #65
An IS auditor has completed a review of an outsourcing agreement and has identified IT governance issues. Which of the following is the MOST effective and efficient way of communicating the issues at a meeting with senior management?
A. Present a completed report and discuss the details
B. Provide a detailed report in advance and open the floor to questions
C. Present an overview highlighting the key findings
D. Provide a plan of action and milestones
View answer
Correct Answer: B
Question #66
Which of the following is MOST important for an organization to complete when planning a new marketing platform that targets advertising based on customer behavior?
A. Data privacy impact assessment
B. Data quality assessment
C. Cross-border data transfer assessment
D. Security vulnerability assessment
View answer
Correct Answer: D
Question #67
To ensure that audit resources deliver the best value to the organization, the FIRST step would be to:
A. schedule the audits and monitor the time spent on each audit
B. train the IS audit staff on current technology used in the company
C. develop the audit plan on the basis of a detailed risk assessment
D. monitor progress of audits and initiate cost control measures
View answer
Correct Answer: B
Question #68
An information security manager has observed multiple exceptions for a number of different security controls. Which of the following should be the information security manager’s FIRST course of action?
A. Design mitigating controls for the exceptions
B. Prioritize the risk and implement treatment options
C. Inform respective risk owners of the impact of exceptions
D. Report the noncompliance to the board of directors
View answer
Correct Answer: A
Question #69
A CEO requests access to corporate documents from a mobile device that does not comply with organizational policy. The information security manager should FIRST:
A. evaluate the business risk
B. evaluate a third-party solution
C. initiate an exception approval process
D. deploy additional security controls
View answer
Correct Answer: B
Question #70
A company converted its payroll system from an external service to an internal package. Payroll processing in April was run in parallel. To validate the completeness of data after the conversion, which of the following comparisons from the old to the new system would be MOST effective?
A. Turnaround time for payroll processing
B. Employee counts and year-to-date payroll totals
C. Master file employee data to payroll journals
D. Cut-off dates and overwrites for a sample of employees
View answer
Correct Answer: D
Question #71
Which of the following is an example of a preventive control in an accounts payable system?
A. The system only allows payments to vendors who are included in the system’s master vendor list
B. Policies and procedures are clearly communicated to all members of the accounts payable department
C. The system produces daily payment summary reports that staff use to compare against invoice totals
D. Backups of the system and its data are performed on a nightly basis and tested periodically
View answer
Correct Answer: B
Question #72
The PRIMARY reason an IS auditor performs a functional walkthrough during the preliminary phase of an audit assignment is to:
A. understand the business process
B. comply with auditing standards
C. identify control weakness
D. plan substantive testing
View answer
Correct Answer: C
Question #73
In which of the following database models is the data organized into a tree-like structure, implying a single parent for each record?
A. Hierarchical database model
B. Network database model
C. Relational database model
D. Object-relational database model
View answer
Correct Answer: D
Question #74
What is the most effective means of determining that controls are functioning properly within an operating system?
A. Interview with computer operator
B. Review of software control features and/or parameters
C. Review of operating system manual
D. Interview with product vendor
View answer
Correct Answer: C
Question #75
Which of the following provides the best evidence of the adequacy of a security awareness program?
A. The number of stakeholders including employees trained at various levels
B. Coverage of training at all locations across the enterprise
C. The implementation of security devices from different vendors
D. Periodic reviews and comparison with best practices
View answer
Correct Answer: B
Question #76
Which of the following would be the GREATEST risk associated with a new chat feature on a retailer’s website?
A. Productivity loss
B. Reputational damage
C. Data loss
D. System downtime
View answer
Correct Answer: A
Question #77
In attribute sampling, what is the relationship between expected error rate and sample size?
A. The expected error rate does not affect the sample size
B. The greater the expected error rate, the smaller the sample size
C. The greater the expected error rate, the greater the sample size
D. The greater the sample size, the lower the expected error rate
View answer
Correct Answer: B
Question #78
Which of the following would be the MOST effective control to mitigate unintentional misuse of authorized access?
A. Regular monitoring of user access logs
B. Annual sign-off of acceptable use policy
C. Security awareness training
D. Formalized disciplinary action
View answer
Correct Answer: D
Question #79
Which of the following is MOST important to consider when developing a bring your own device (BYOD) policy?
A. Supported operating systems
B. Procedure for accessing the network
C. Application download restrictions
D. Remote wipe procedures
View answer
Correct Answer: A
Question #80
When developing a security architecture, which of the following steps should be executed FIRST?
A. Developing security procedures
B. Defining a security policy
C. Specifying an access control methodology
D. Defining roles and responsibilities
View answer
Correct Answer: C
Question #81
What process uses test data as part of a comprehensive test of program controls in a continuous online manner?
A. Test data/deck
B. Base-case system evaluation
C. Integrated test facility (ITF)
D. Parallel simulation
View answer
Correct Answer: D
Question #82
Which of the following is MOST important to consider when assessing the scope of privacy concerns for an IT project?
A. Applicable laws and regulations
B. End user access rights
C. Business requirements
D. Classification of data
View answer
Correct Answer: C
Question #83
When performing a computer forensic investigation, in regard to the evidence gathered, an IS auditor should be MOST concerned with:
A. analysis
B. evaluation
C. preservation
D. disclosure
View answer
Correct Answer: A
Question #84
Which of the following should be the PRIMARY reason to establish a social media policy for all employees?
A. To publish acceptable messages to be used by employees when posting
B. To raise awareness and provide guidance about social media risks
C. To restrict access to social media during business hours to maintain productivity
D. To prevent negative public social media postings and comments
View answer
Correct Answer: B
Question #85
Which of the following is the BEST way for management to ensure the effectiveness of the cybersecurity incident response process?
A. Periodic update of incident response process documentation
B. Periodic reporting of cybersecurity incidents to key stakeholders
C. Periodic tabletop exercises involving key stakeholders
D. Periodic cybersecurity training for staff involved in incident response
View answer
Correct Answer: A
Question #86
When information security management is receiving an increased number of false positive incident reports, which of the following is MOST important to review?
A. The security awareness programs
B. Post-incident analysis results
C. The risk management processes
D. Firewall logs
View answer
Correct Answer: C
Question #87
During an internal audit review of an HR recruitment system implementation, the IS auditor notes a number of defects were unresolved at the time the system went live. Which of the following is the auditor’s MOST important task prior to formulating an audit opinion?
A. Identify the root cause of the defects to confirm severity
B. Review the user acceptance test results
C. Verify risk acceptance by the project steering committee
D. Confirm the timeline for migration of the defects
View answer
Correct Answer: B
Question #88
Following best practices, formal plans for implementation of new information systems are developed during the:
A. development phase
B. design phase
D. deployment phase
View answer
Correct Answer: D
Question #89
Which of the following is the PRIMARY reason for database optimization in an environment with a high volume of transactions?
A. Improving availability
B. Maintaining integrity
C. Preventing data leakage
D. Improving performance
View answer
Correct Answer: A
Question #90
Which of the following software development methodologies uses minimal planning in favor of rapid prototyping?
A. Agile Developments
B. Software prototyping
C. Rapid application development
D. Component based development
View answer
Correct Answer: C
Question #91
When determining whether a project in the design phase will meet organizational objectives, what is BEST to compare against the business case?
A. Project plan
B. Requirements analysis
C. Implementation plan
D. Project budget provisions
View answer
Correct Answer: C
Question #92
A large organization is considering a policy that would allow employees to bring their own smartphones into the organizational environment. The MOST important concern to the information security manager should be the:
A. lack of a device management solution
B. decrease in end user productivity
C. impact on network capacity
D. higher costs in supporting end users
View answer
Correct Answer: A
Question #93
Which of the following is the PRIMARY responsibility of an organization’s information security function?
A. Reviewing unauthorized attempts to access sensitive files
B. Managing the organization’s security procedures
C. Approving access to data files
D. Installing network security programs
View answer
Correct Answer: D
Question #94
By evaluating application development projects against the capability maturity model (CMM), an IS auditor should be able to verify that:
A. reliable products are guaranteed
B. programmers' efficiency is improved
C. security requirements are designed
D. predictable software processes are followed
View answer
Correct Answer: B
Question #95
Which of the following processes is the FIRST step in establishing an information security policy?
A. Security controls evaluation
B. Business risk assessment
C. Review of current global standards
D. Information security audit
View answer
Correct Answer: D
Question #96
When should an application-level edit check to verify the availability of funds be completed at the electronic funds transfer (EFT) interface?
A. Before transaction completion
B. Immediately after an EFT is initiated
C. During run-to-run total testing
D. Before an EFT is initiated
View answer
Correct Answer: B
Question #97
Which of the following terms related to network performance refers to the maximum rate at which information can be transferred over a network?
A. Bandwidth
B. Throughput
C. Latency
D. Jitter
View answer
Correct Answer: B
Question #98
Which of the following layers of an enterprise data flow architecture is concerned with transporting information between the various layers?
A. Data preparation layer
B. Desktop Access Layer
C. Application messaging layer
D. Data access layer
View answer
Correct Answer: D
Question #99
An organization is choosing key performance indicators (KPIs) for its information security management. Which of the following KPIs would provide stakeholders with the MOST useful information about whether information security risk is being managed?
A. Time from initial reporting of an incident to appropriate escalation
B. Time from identifying a security threat to implementing a solution
C. The number of security controls implemented
D. The number of security incidents during the past quarter
View answer
Correct Answer: C
Question #100
Which of the following would provide the STRONGEST indication that senior management commitment to information security is lacking within an organization?
A. Inconsistent enforcement of information security policies
B. A reduction in information security investment
C. A high level of information security risk acceptance
D. The information security manager reports to the chief risk officer
View answer
Correct Answer: D
Question #101
When an organization is having new software implemented under contract, which of the following is key to controlling escalating costs due to scope creep?
A. Problem management
B. Quality management
C. Change management
D. Risk management
View answer
Correct Answer: C
Question #102
What is the purpose of a hypervisor?
A. Monitoring the performance of virtual machines
B. Cloning virtual machines
C. Deploying settings to multiple machines simultaneously
D. Running the virtual machine environment
View answer
Correct Answer: D
Question #103
The PRIMARY purpose of asset valuation for the management of information security is to:
A. eliminate the least significant assets
B. provide a basis for asset classification
C. determine the value of each asset
D. prioritize risk management activities
View answer
Correct Answer: B
Question #104
An IS auditor reviewing the acquisition of new equipment would consider which of the following to be a significant weakness?
A. Staff involved in the evaluation were aware of the vendors being evaluated
B. Independent consultants prepared the request for proposal (RFP) documents
C. Evaluation criteria were finalized after the initial assessment of responses
D. The closing date for responses was extended after a request from potential vendors
View answer
Correct Answer: A
Question #105
Which of the following is the process of feeding test data into two systems, the modified system and an alternative system, and comparing the results?
A. Parallel Test
B. Black box testing
C. Regression Testing
D. Pilot Testing
View answer
Correct Answer: B
Question #106
Which of the following terms in business continuity determines the maximum tolerable amount of time that is needed to verify the system and/or data integrity?
A. RPO
B. RTO
C. WRT
D. MTD
View answer
Correct Answer: A
Question #107
Which of the following is MOST useful to include in a report to senior management on a regular basis to demonstrate the effectiveness of the information security program?
A. Critical success factors (CSFs)
B. Key risk indicators (KRIs)
C. Capability maturity models
D. Key performance indicators (KPIs)
View answer
Correct Answer: B
Question #108
Which of the following is the BEST way to achieve high availability and fault tolerance for an e-business system?
A. Network diversity
B. Storage area network
C. Robust systems architecture
D. Secure offsite backup storage
View answer
Correct Answer: A
Question #109
An audit committee is reviewing an annual IT risk assessment. Which of the following is the BEST justification for the audits selected?
A. Likelihood of an IT process failure
B. Key IT general process controls
C. Applications impacted
D. Underlying business risks
Which of the following access control situations represents the MOST serious control weakness?
A. Computer operators have access to system level flowcharts
B. Programmers have access to development hardware
C. End users have access to program development tools
D. System developers have access to production data
View answer
Correct Answer: C
Question #110
An organization’s marketing department has requested access to cloud-based collaboration sites for exchanging media files with external marketing companies. As a result, the information security manager has been asked to perform a risk assessment. Which of the following should be the MOST important consideration?
A. The information to be exchanged
B. Methods for transferring the information
C. Reputations of the external marketing companies
D. The security of the third-party cloud provider
View answer
Correct Answer: D
Question #111
An organization has detected sensitive data leakage caused by an employee of a third-party contractor. What is the BEST course of action to address this issue?
A. Include security requirements in outsourcing contracts
B. Activate the organization’s incident response plan
C. Limit access to the third-party contractor
D. Terminate the agreement with the third-party contractor
View answer
Correct Answer: D
Question #112
What is the PRIMARY objective of performing a vulnerability assessment following a business system update?
A. Update the threat landscape
B. Review the effectiveness of controls
C. Determine operational losses
D. Improve the change control process
View answer
Correct Answer: D
Question #113
The operations team of an organization has reported an IS security attack. Which of the following should be the NEXT step for the security incident response team?
A. Document lessons learned
B. Prioritize resources for corrective action
C. Perform a damage assessment
D. Report results to management
View answer
Correct Answer: A
Question #114
Which of the following activities should occur after a business impact analysis (BIA)?
A. Identify threats to the IT environment
B. Identify critical applications
C. Analyze recovery options
D. Review the computing and user environment
View answer
Correct Answer: C
Question #115
An intruder accesses an application server and makes changes to the system log. Which of the following would enable the identification of the changes?
A. Mirroring the system log on another server
B. Simultaneously duplicating the system log on a write-once disk
C. Write-protecting the directory containing the system log
D. Storing the backup of the system log offsite
View answer
Correct Answer: A
Question #116
Which of the following is the protocol data unit (PDU) of the network interface layer in the TCP/IP model?
A. Data
B. Segment
C. Packet
D. Frame
View answer
Correct Answer: A
Question #117
Which of the following is a detective control that can be used to uncover unauthorized access to information systems?
A. Requiring long and complex passwords for system access
B. Implementing a security information and event management (SIEM) system
C. Requiring internal audit to perform periodic reviews of system access logs
D. Protecting access to the data center with multifactor authentication
View answer
Correct Answer: B
Question #118
A company undertakes a business process reengineering (BPR) project in support of a new and direct marketing approach to its customers. Which of the following would be an IS auditor's main concern about the new process?
A. Whether key controls are in place to protect assets and information resources
B. If the system addresses corporate customer requirements
C. Whether the system can meet the performance goals (time and resources)
D. Whether owners have been identified who will be responsible for the process
View answer
Correct Answer: C
Question #119
Which of the following services is a distributed database that translates host names to IP addresses and IP addresses to host names?
A. DNS
B. FTP
C. SSH
D. SMTP
View answer
Correct Answer: B
Question #120
An organization is migrating from a legacy system to an enterprise resource planning (ERP) system. While reviewing the data migration activity, the MOST important concern for the IS auditor is to determine that there is a:
A. correlation of semantic characteristics of the data migrated between the two systems
B. correlation of arithmetic characteristics of the data migrated between the two systems
C. correlation of functional characteristics of the processes between the two systems
D. relative efficiency of the processes between the two systems
View answer
Correct Answer: D
Question #121
When implementing an upgraded ERP system, which of the following is the MOST important consideration for a go-live decision?
A. Test cases
B. Rollback strategy
C. Business case
D. Post-implementation review objectives
View answer
Correct Answer: A
Question #122
Which of the following is the BEST approach for determining the maturity level of an information security program?
A. Review internal audit results
B. Engage a third-party review
C. Perform a self-assessment
D. Evaluate key performance indicators (KPIs)
View answer
Correct Answer: B
Question #123
Which of the following BEST enables effective closure of noncompliance issues?
A. Insuring against the risk
B. Performing control self-assessments
C. Capturing issues in a risk register
D. Executing an approved mitigation plan
View answer
Correct Answer: D
Question #124
An organization is MOST at risk from a new worm being introduced through the intranet when:
A. executable code is run from inside the firewall
B. system software does not undergo integrity checks
C. hosts have static IP addresses
D. desktop virus definition files are not up to date
View answer
Correct Answer: D