CISA Exam Essentials: Exam Questions & Practice Tests, Certified Information Systems Auditor | SPOTO

Welcome to SPOTO's CISA Exam Essentials: Exam Questions & Practice Tests for 2024! The Certified Information Systems Auditor® (CISA®) certification is globally recognized for its standards in auditing, IT systems assessment, and risk-based audit methodologies. Our practice tests are designed to simulate real exam scenarios, providing you with a valuable advantage in your certification journey. Benefit from our extensive range of exam materials, including sample questions, mock exams, and online exam questions, meticulously crafted for accuracy. Prepare effectively with our exam dumps, exam answers, and exam simulator to enhance your exam practice and preparation. Join SPOTO today and showcase your expertise with confidence!

Question #1
Who assumes ownership of a systems-development project and the resulting system?
A. User management
B. Project steering committee
C. IT management
D. Systems developers
View answer
Correct Answer: C
Question #2
A poor choice of passwords and transmission over unprotected communications lines are examples of:
A. vulnerabilities
B. threats
C. probabilities
D. impacts
View answer
Correct Answer: D
Question #3
Which of the following is a benefit of using callback devices?
A. Provide an audit trail
B. Can be used in a switchboard environment
C. Permit unlimited user mobility
D. Allow call forwarding
View answer
Correct Answer: A
Question #4
After identifying potential security vulnerabilities, what should be the IS auditor's next step?
A. To evaluate potential countermeasures and compensatory controls
B. To implement effective countermeasures and compensatory controls
C. To perform a business impact analysis of the threats that would exploit the vulnerabilities
D. To immediately advise senior management of the findings
View answer
Correct Answer: B
Question #5
What is a primary high-level goal for an auditor who is reviewing a system development project?
A. To ensure that programming and processing environments are segregated
B. To ensure that proper approval for the project has been obtained
C. To ensure that business objectives are achieved
D. To ensure that projects are monitored and administrated effectively
View answer
Correct Answer: B
Question #6
The PRIMARY purpose of audit trails is to:
A. improve response time for users
B. establish accountability and responsibility for processed transactions
C. improve the operational efficiency of the system
D. provide useful information to auditors who may wish to track transactions
View answer
Correct Answer: B
Question #7
Is it appropriate for an IS auditor from a company that is considering outsourcing its IS processing to request and review a copy of each vendor's business continuity plan?
A. Yes, because an IS auditor will evaluate the adequacy of the service bureau's plan and assist their company in implementing a complementary plan
B. Yes, because based on the plan, an IS auditor will evaluate the financial stability of the service bureau and its ability to fulfill the contract
C. No, because the backup to be provided should be specified adequately in the contract
D. No, because the service bureau's business continuity plan is proprietary information
View answer
Correct Answer: B
Question #8
What is an effective countermeasure for the vulnerability of data entry operators potentially leaving their computers without logging off? Choose the BEST answer.
A. Employee security awareness training
B. Administrator alerts
C. Screensaver passwords
D. Close supervision
View answer
Correct Answer: C
Question #9
The PRIMARY objective of implementing corporate governance by an organization's management is to:
A. provide strategic direction
B. control business operations
C. align IT with business
D. implement best practices
View answer
Correct Answer: B
Question #10
Which of the following uses a prototype that can be updated continually to meet changing user or business requirements?
A. PERT
B. Rapid application development (RAD)
C. Function point analysis (FPA)
D. GANTT
View answer
Correct Answer: B
Question #11
Establishing the level of acceptable risk is the responsibility of:
A. quality assurance management
B. senior business management
C. the chief information officer
D. the chief security officer
View answer
Correct Answer: C
Question #12
An organization has contracted with a vendor for a turnkey solution for their electronic toll collection system (ETCS). The vendor has provided its proprietary application software as part of the solution. The contract should require that:
A. a backup server be available to run ETCS operations with up-to-date data
B. a backup server be loaded with all the relevant software and data
C. the systems staff of the organization be trained to handle any event
D. source code of the ETCS application be placed in escrow
View answer
Correct Answer: A
Question #13
Though management has stated otherwise, an IS auditor has reasons to believe that the organization is using software that is not licensed. In this situation, the IS auditor should:
A. include the statement of management in the audit report
B. identify whether such software is, indeed, being used by the organization
C. reconfirm with management the usage of the software
D. discuss the issue with senior management since reporting this could have a negative impact on the organization
View answer
Correct Answer: D
Question #14
Which of the following provide(s) near-immediate recoverability for time-sensitive systems and transaction processing?
A. Automated electronic journaling and parallel processing
B. Data mirroring and parallel processing
C. Data mirroring
D. Parallel processing
View answer
Correct Answer: A
Question #15
Organizations should use off-site storage facilities to maintain _________________ (fill in the blank) of current and critical information within backup files. Choose the BEST answer.
A. Confidentiality
B. Integrity
C. Redundancy
D. Concurrency
View answer
Correct Answer: C
Question #16
Data flow diagrams are used by IS auditors to:
A. order data hierarchically
B. highlight high-level data definitions
C. graphically summarize data paths and storage
D. portray step-by-step details of data generation
View answer
Correct Answer: D
Question #17
An IS auditor is reviewing a project to implement a payment system between a parent bank and a subsidiary. The IS auditor should FIRST verify that the:
A. technical platforms between the two companies are interoperable
B. parent bank is authorized to serve as a service provider
C. security features are in place to segregate subsidiary trades
D. subsidiary can join as a co-owner of this payment system
View answer
Correct Answer: A
Question #18
Which of the following reduces the potential impact of social engineering attacks?
A. Compliance with regulatory requirements
B. Promoting ethical understanding
C. Security awareness programs
D. Effective performance incentives
View answer
Correct Answer: A
Question #19
An IS auditor finds that a system under development has 12 linked modules and each item of data can carry up to 10 definable attribute fields. The system handles several million transactions a year. Which of these techniques could an IS auditor use to estimate the size of the development effort?
A. Program evaluation review technique (PERT)
B. Counting source lines of code (SLOC)
C. Function point analysis
D. White box testing
View answer
Correct Answer: A
Question #20
An IS auditor is performing an audit of a network operating system. Which of the following is a user feature the IS auditor should review?
A. Availability of online network documentation
B. Support of terminal access to remote hosts
C. Handling file transfer between hosts and interuser communications
D. Performance management, audit and control
View answer
Correct Answer: A
Question #21
Of the three major types of off-site processing facilities, what type is characterized by at least providing for electricity and HVAC?
A. Cold site
B. Alternate site
C. Hot site
D. Warm site
View answer
Correct Answer: C
Question #22
The extent to which data will be collected during an IS audit should be determined based on the:
A. availability of critical and required information
B. auditor's familiarity with the circumstances
C. auditee's ability to find relevant evidence
D. purpose and scope of the audit being done
View answer
Correct Answer: B
Question #23
If a programmer has update access to a live system, IS auditors are more concerned with the programmer's ability to initiate or modify transactions and the ability to access production than with the programmer's ability to authorize transactions. True or false?
A. True
B. False
View answer
Correct Answer: A
Question #24
What is essential for the IS auditor to obtain a clear understanding of network management?
A. Security administrator access to systems
B. Systems logs of all hosts providing application services
C. A graphical map of the network topology
D. Administrator access to systems
View answer
Correct Answer: A
Question #25
In the course of performing a risk analysis, an IS auditor has identified threats and potential impacts. Next, the IS auditor should:
A. identify and assess the risk assessment process used by management
B. identify information assets and the underlying systems
C. disclose the threats and impacts to management
D. identify and evaluate the existing controls
View answer
Correct Answer: B
Question #26
When reviewing print systems spooling, an IS auditor is MOST concerned with which of the following vulnerabilities?
A. The potential for unauthorized deletion of report copies
B. The potential for unauthorized modification of report copies
C. The potential for unauthorized printing of report copies
D. The potential for unauthorized editing of report copies
View answer
Correct Answer: C
Question #27
Which of the following is the MOST important element for the successful implementation of IT governance?
A. Implementing an IT scorecard
B. Identifying organizational strategies
C. Performing a risk assessment
D. Creating a formal security policy
View answer
Correct Answer: D
Question #28
Which of the following would BEST provide assurance of the integrity of new staff?
A. Background screening
B. References
C. Bonding
D. Qualifications listed on a resume
View answer
Correct Answer: A
Question #29
What often results in project scope creep when functional requirements are not defined as well as they could be?
A. Inadequate software baselining
B. Insufficient strategic planning
C. Inaccurate resource allocation
D. Project delays
View answer
Correct Answer: C
Question #30
Which of the following should be the MOST important consideration when deciding areas of priority for IT governance implementation?
A. Process maturity
B. Performance indicators
C. Business risk
D. Assurance reports
View answer
Correct Answer: A
Question #31
Why does the IS auditor often review the system logs?
A. To get evidence of password spoofing
B. To get evidence of data copy activities
C. To determine the existence of unauthorized access to data by a user or program
D. To get evidence of password sharing
View answer
Correct Answer: D
Question #32
Involvement of senior management is MOST important in the development of:
A. strategic plans
B. IS policies
C. IS procedures
D. standards and guidelines
View answer
Correct Answer: C
Question #33
Allowing application programmers to directly patch or change code in production programs increases risk of fraud. True or false?
A. True
B. False
View answer
Correct Answer: A
Question #34
Which of the following is a continuity plan test that uses actual resources to simulate a system crash to cost-effectively obtain evidence about the plan's effectiveness?
A. Paper test
B. Post test
C. Preparedness test
D. Walk-through
View answer
Correct Answer: C
Question #35
The success of control self-assessment (CSA) highly depends on:
A. having line managers assume a portion of the responsibility for control monitoring
B. assigning staff managers the responsibility for building, but not monitoring, controls
C. the implementation of a stringent control policy and rule-driven controls
D. the implementation of supervision and the monitoring of controls of assigned duties
View answer
Correct Answer: D
Question #36
An IS auditor reviewing an organization's IT strategic plan should FIRST review:
A. the existing IT environment
B. the business plan
C. the present IT budget
D. current technology trends
View answer
Correct Answer: C
Question #37
If an IS auditor observes that an IS department fails to use formal documented methodologies, policies, and standards, what should the auditor do? Choose the BEST answer.
A. Lack of IT documentation is not usually material to the controls tested in an IT audit
B. The auditor should at least document the informal standards and policies
C. Furthermore, the IS auditor should create formal documented policies to be implemented
D. The auditor should at least document the informal standards and policies, and test for compliance
E. Furthermore, the IS auditor should recommend to management that formal documented policies be developed and implemented
F. The auditor should at least document the informal standards and policies, and test for compliance
View answer
Correct Answer: A
Question #38
To reduce the possibility of losing data during processing, the FIRST point at which control totals should be implemented is:
A. during data preparation
B. in transit to the computer
C. between related computer runs
D. during the return of the data to the user department
View answer
Correct Answer: C
Question #39
When should plans for testing for user acceptance be prepared? Choose the BEST answer.
A. In the requirements definition phase of the systems-development project
B. In the feasibility phase of the systems-development project
C. In the design phase of the systems-development project
D. In the development phase of the systems-development project
View answer
Correct Answer: A
Question #40
Which of the following is the GREATEST risk to the effectiveness of application system controls?
A. Removal of manual processing steps
B. Inadequate procedure manuals
C. Collusion between employees
D. Unresolved regulatory compliance issues
View answer
Correct Answer: C
Question #41
Which of the following could lead to an unintentional loss of confidentiality? Choose the BEST answer.
A. Lack of employee awareness of a company's information security policy
B. Failure to comply with a company's information security policy
C. A momentary lapse of reason
D. Lack of security policy enforcement procedures
View answer
Correct Answer: C
Question #42
Which of the following is an effective method for controlling downloading of files via FTP? Choose the BEST answer.
A. An application-layer gateway, or proxy firewall, but not stateful inspection firewalls
B. An application-layer gateway, or proxy firewall
C. A circuit-level gateway
D. A first-generation packet-filtering firewall
View answer
Correct Answer: A
Question #43
Although BCP and DRP are often implemented and tested by middle management and end users, the ultimate responsibility and accountability for the plans remain with executive management, such as the _______________. (fill-in-the-blank)
A. Security administrator
B. Systems auditor
C. Board of directors
D. Financial auditor
View answer
Correct Answer: C
Question #44
What can be used to help identify and investigate unauthorized transactions? Choose the BEST answer.
A. Postmortem review
B. Reasonableness checks
C. Data-mining techniques
D. Expert systems
View answer
Correct Answer: B
Question #45
Which of the following should be considered FIRST when implementing a risk management program?
A. An understanding of the organization's threat, vulnerability and risk profile
B. An understanding of the risk exposures and the potential consequences of compromise
C. A determination of risk management priorities based on potential consequences
D. A risk mitigation strategy sufficient to keep risk consequences at an acceptable level
View answer
Correct Answer: C
Question #46
An IS auditor is using a statistical sample to inventory the tape library. What type of test would this be considered?
A. Substantive
B. Compliance
C. Integrated
D. Continuous audit
View answer
Correct Answer: D
Question #47
A hub is a device that connects:
A. two LANs using different protocols
B. a LAN with a WAN
C. a LAN with a metropolitan area network (MAN)
D. two segments of a single LAN
View answer
Correct Answer: D
Question #48
An IS auditor who is reviewing incident reports discovers that, in one instance, an important document left on an employee's desk was removed and put in the garbage by the outsourced cleaning staff. Which of the following should the IS auditor recommend to management?
A. Stricter controls should be implemented by both the organization and the cleaning agency
B. No action is required since such incidents have not occurred in the past
C. A clear desk policy should be implemented and strictly enforced in the organization
D. A sound backup policy for all important office documents should be implemented
View answer
Correct Answer: B
Question #49
Many IT projects experience problems because the development time and/or resource requirements are underestimated. Which of the following techniques would provide the GREATEST assistance in developing an estimate of project duration?
A. Function point analysis
B. PERT chart
C. Rapid application development
D. Object-oriented system development
View answer
Correct Answer: B
Question #50
In order to properly protect against unauthorized disclosure of sensitive data, how should hard disks be sanitized?
A. The data should be deleted and overwritten with binary 0s
B. The data should be demagnetized
C. The data should be low-level formatted
D. The data should be deleted
View answer
Correct Answer: C
Question #51
Off-site data backup and storage should be geographically separated so as to ________________ (fill in the blank) the risk of a widespread physical disaster such as a hurricane or earthquake.
A. Accept
B. Eliminate
C. Transfer
D. Mitigate
View answer
Correct Answer: B
Question #52
Using the OSI reference model, what layer(s) is/are used to encrypt data?
A. Transport layer
B. Session layer
C. Session and transport layers
D. Data link layer
View answer
Correct Answer: A
Question #53
A data administrator is responsible for:
A. maintaining database system software
B. defining data elements, data names and their relationships
C. developing physical database structures
D. developing data dictionary system software
View answer
Correct Answer: C
Question #54
When two or more systems are integrated, input/output controls must be reviewed by an IS auditor in the:
A. systems receiving the output of other systems
B. systems sending output to other systems
C. systems sending and receiving data
D. interfaces between the two systems
View answer
Correct Answer: C
Question #55
Which of the following programs would a sound information security policy MOST likely include to handle suspected intrusions?
A. Response
B. Correction
C. Detection
D. Monitoring
View answer
Correct Answer: B
Question #56
When identifying an earlier project completion time, which is to be obtained by paying a premium for early completion, the activities that should be selected are those:
A. whose sum of activity time is the shortest
B. that have zero slack time
C. that give the longest possible completion time
D. whose sum of slack time is the shortest
View answer
Correct Answer: C
Question #57
What is the most common purpose of a virtual private network implementation?
A. A virtual private network (VPN) helps to secure access between an enterprise and its partners when communicating over an otherwise unsecured channel such as the Internet
B. A virtual private network (VPN) helps to secure access between an enterprise and its partners when communicating over a dedicated T1 connection
C. A virtual private network (VPN) helps to secure access within an enterprise when communicating over a dedicated T1 connection between network segments within the same facility
D. A virtual private network (VPN) helps to secure access between an enterprise and its partners when communicating over a wireless connection
View answer
Correct Answer: C
Question #58
Which of the following will BEST ensure the successful offshore development of business applications?
A. Stringent contract management practices
B. Detailed and correctly applied specifications
C. Awareness of cultural and political differences
D. Postimplementation reviews
View answer
Correct Answer: A
Question #59
At the completion of a system development project, a postproject review should include which of the following?
A. Assessing risks that may lead to downtime after the production release
B. Identifying lessons learned that may be applicable to future projects
C. Verifying the controls in the delivered system are working
D. Ensuring that test data are deleted
View answer
Correct Answer: D
Question #60
Ideally, stress testing should be carried out in a:
A. test environment using test data
B. production environment using live workloads
C. test environment using live workloads
D. production environment using test data
View answer
Correct Answer: A
Question #61
______________ risk analysis is not always possible because the IS auditor is attempting to calculate risk using nonquantifiable threats and potential losses. In this event, a ______________ risk assessment is more appropriate. Fill in the blanks.
A. Quantitative; qualitative
B. Qualitative; quantitative
C. Residual; subjective
D. Quantitative; subjective
View answer
Correct Answer: B
Question #62
Which of the following is the BEST audit procedure to determine if a firewall is configured in compliance with an organization's security policy?
A. Review the parameter settings
B. Interview the firewall administrator
C. Review the actual procedures
D. Review the device's log file for recent attacks
View answer
Correct Answer: A
Question #63
What does PKI use to provide some of the strongest overall control over data confidentiality, reliability, and integrity for Internet transactions?
A. A combination of public-key cryptography and digital certificates and two-factor authentication
B. A combination of public-key cryptography and two-factor authentication
C. A combination of public-key cryptography and digital certificates
D. A combination of digital certificates and two-factor authentication
View answer
Correct Answer: C
Question #64
Which of the following activities performed by a database administrator (DBA) should be performed by a different person?
A. Deleting database activity logs
B. Implementing database optimization tools
C. Monitoring database usage
D. Defining backup and recovery procedures
View answer
Correct Answer: A
Question #65
The PRIMARY purpose for meeting with auditees prior to formally closing a review is to:
A. confirm that the auditors did not overlook any important issues
B. gain agreement on the findings
C. receive feedback on the adequacy of the audit procedures
D. test the structure of the final presentation
View answer
Correct Answer: D
Question #66
The BEST method of proving the accuracy of a system tax calculation is by:
A. detailed visual review and analysis of the source code of the calculation programs
B. recreating program logic using generalized audit software to calculate monthly totals
C. preparing simulated transactions for processing and comparing the results to predetermined results
D. automatic flowcharting and analysis of the source code of the calculation programs
View answer
Correct Answer: B
Question #67
If an IS auditor observes that individual modules of a system perform correctly in development project tests, the auditor should inform management of the positive results and recommend further:
A. Documentation development
B. Comprehensive integration testing
C. Full unit testing
D. Full regression testing
View answer
Correct Answer: D
Question #68
To minimize costs and improve service levels an outsourcer should seek which of the following contract clauses?
A. O/S and hardware refresh frequencies
B. Gain-sharing performance bonuses
C. Penalties for noncompliance
D. Charges tied to variable cost metrics
View answer
Correct Answer: C
Question #69
An IS auditor identifies that reports on product profitability produced by an organization's finance and marketing departments give different results. Further investigation reveals that the product definition being used by the two departments is different. What should the IS auditor recommend?
A. User acceptance testing (UAT) occur for all reports before release into production
B. Organizational data governance practices be put in place
C. Standard software tools be used for report development
D. Management sign-off on requirements for new reports
View answer
Correct Answer: D
Question #70
Which of the following is a data validation edit and control?
A. Hash totals
B. Reasonableness checks
C. Online access controls
D. Before and after image reporting
View answer
Correct Answer: C
Question #71
An IS auditor is evaluating management's risk assessment of information systems. The IS auditor should FIRST review:
A. the controls already in place
B. the effectiveness of the controls in place
C. the mechanism for monitoring the risks related to the assets
D. the threats/vulnerabilities affecting the assets
View answer
Correct Answer: D
Question #72
During an exit interview, in cases where there is disagreement regarding the impact of a finding, an IS auditor should:
A. ask the auditee to sign a release form accepting full legal responsibility
B. elaborate on the significance of the finding and the risks of not correcting it
C. report the disagreement to the audit committee for resolution
D. accept the auditee's position since they are the process owners
View answer
Correct Answer: D
Question #73
Which of the following is the BEST information source for management to use as an aid in the identification of assets that are subject to laws and regulations?
A. Security incident summaries
B. Vendor best practices
C. CERT coordination center
D. Significant contracts
View answer
Correct Answer: A
Question #74
What type(s) of firewalls provide(s) the greatest degree of protection and control because both firewall technologies inspect all seven OSI layers of network traffic?
A. A first-generation packet-filtering firewall
B. A circuit-level gateway
C. An application-layer gateway, or proxy firewall, and stateful-inspection firewalls
D. An application-layer gateway, or proxy firewall, but not stateful-inspection firewalls
View answer
Correct Answer: B
Question #75
Which of the following are effective in detecting fraud because they have the capability to consider a large number of variables when trying to resolve a problem? Choose the BEST answer.
A. Expert systems
B. Neural networks
C. Integrated synchronized systems
D. Multitasking applications
View answer
Correct Answer: C
Question #76
What is an acceptable recovery mechanism for extremely time-sensitive transaction processing?
A. Off-site remote journaling
B. Electronic vaulting
C. Shadow file processing
D. Storage area network
View answer
Correct Answer: D
Question #77
Which of the following is a function of an IS steering committee?
A. Monitoring vendor-controlled change control and testing
B. Ensuring a separation of duties within the information's processing environment
C. Approving and monitoring major projects, the status of IS plans and budgets
D. Liaising between the IS department and the end users
View answer
Correct Answer: C
Question #78
A control that detects transmission errors by appending calculated bits onto the end of each segment of data is known as a:
A. reasonableness check
B. parity check
C. redundancy check
D. check digits
View answer
Correct Answer: D
Question #79
What should regression testing use to obtain accurate conclusions regarding the effects of changes or corrections to a program, and ensuring that those changes and corrections have not introduced new errors?
A. Contrived data
B. Independently created data
C. Live data
D. Data from previous tests
View answer
Correct Answer: A
Question #80
Which of the following forms of evidence for the auditor would be considered the MOST reliable?
A. An oral statement from the auditee
B. The results of a test performed by an IS auditor
C. An internally generated computer accounting report
D. A confirmation letter received from an outside source
View answer
Correct Answer: A
Question #81
In an EDI process, the device which transmits and receives electronic documents is the:
A. communications handler
B. EDI translator
C. application interface
D. EDI interface
View answer
Correct Answer: A