CISA Exam Practice Made Easy: Latest Mock Exams, Certified Information Systems Auditor | SPOTO

Welcome to SPOTO's CISA Exam Practice Made Easy: Latest Mock Exams for 2024! The Certified Information Systems Auditor® (CISA®) certification sets the benchmark for excellence in auditing, IT systems assessment, and risk-based audit methodologies. Our latest mock exams are designed to simplify your exam preparation, offering a realistic test environment to sharpen your skills. With SPOTO's practice tests, you gain a competitive advantage by honing your exam techniques and familiarity with exam questions. Prepare confidently with our professionally curated content, tailored to the latest exam trends and requirements. Join SPOTO today and streamline your path to CISA certification success!

Question #1
An organization has shifted from a bottom-up approach to a top-down approach in the development of IT policies. This should result in:
A. a synthesis of existing operational policies
B. greater consistency across the organization
C. greater adherence to best practices
D. a more comprehensive risk assessment plan
View answer
Correct Answer: B

Question #2
Which of the following is the BEST source for describing the objectives of an organization’s information systems?
A. Business process owners
B. End users
C. IT management
D. Information security management
View answer
Correct Answer: D
Question #3
In a follow-up audit, an IS auditor notes that management has addressed the original findings in a different way than originally agreed upon. The auditor should FIRST:
A. mark the recommendation as satisfied and close the finding
B. verify if management’s action mitigates the identified risk
C. re-perform the audit to assess the changed control environment
D. escalate the deviation to the audit committee
View answer
Correct Answer: D
Question #4
An organization uses two data centers. Which of the following would BEST address the organization’s need for high resiliency?
A. The data centers act as mirrored sites
B. Each data center is recoverable via tape backups
C. A hot site is used for the second site
View answer
Correct Answer: D
Question #5
An IS auditor is assessing risk associated with peer-to-peer file sharing within an organization. Which of the following should be of GREATEST concern?
A. File-sharing policies have not been reviewed since last year
B. Only some employees are required to attend security awareness training
C. Not all devices are running antivirus programs
D. The organization does not have an efficient patch management process
View answer
Correct Answer: C
Question #6
Which of the following exploit vulnerabilities to cause loss or damage to the organization and its assets?
A. Exposures
B. Threats
C. Hazards
D. Insufficient controls
View answer
Correct Answer: C
Question #7
Which of the following is the BEST way to facilitate proper follow-up for audit findings?
A. Schedule a follow-up audit for two weeks after the initial audit was completed
B. Conduct a surprise audit to determine whether remediation is in progress
C. Conduct a follow-up audit when findings escalate to incidents
D. Schedule a follow-up audit based on remediation due dates
View answer
Correct Answer: D
Question #8
The MOST important reason for documenting all aspects of a digital forensic investigation is that documentation:
A. provides traceability for independent investigation by third parties
B. ensures compliance with corporate incident response policies
C. ensures the process will be repeatable in future investigations
D. meets IT audit documentation standards
View answer
Correct Answer: C
Question #9
What is the BEST approach to mitigate the risk of a phishing attack?
A. implement an intrusion detection system (IDS)
B. Assess web site security
C. Strong authentication
D. User education
View answer
Correct Answer: D
Question #10
An IS auditor has obtained a large data set containing multiple fields and non-numeric data for analysis. Which of the following activities will MOST improve the quality of conclusions derived from the use of a data analytics tool for this audit?
A. Data anonymization
B. Data classification
C. Data stratification
D. Data preparation
View answer
Correct Answer: C
Question #11
The MOST important reason to use a centralized mechanism to identify information security incidents is to:
A. prevent unauthorized changes to networks
B. comply with corporate policies
C. detect potential fraud
D. detect threats across environments
View answer
Correct Answer: C
Question #12
When consolidating several applications from two outdated servers onto one new server, which of the following is the GREATEST concern?
A. Increased software licensing cost
B. Maintenance requires more coordination
C. Decreased utilization of capacity
D. Increased network traffic
View answer
Correct Answer: C
Question #13
What is a risk associated with attempting to control physical access to sensitive areas such as computer rooms using card keys or locks?
A. Unauthorized individuals wait for controlled doors to open and walk in behind those authorized
B. The contingency plan for the organization cannot effectively test controlled access practices
C. Access cards, keys and pads can be easily duplicated allowing easy compromise of the control
D. Removing access for those who are no longer authorized is complex
View answer
Correct Answer: D
Question #14
Business process re-engineering often results in ___________________ automation, which results in ____________ number of people using technology. Fill in the blanks.
A. Increased; a greater
B. Increased; a fewer
C. Less; a fewer
D. Increased; the same
View answer
Correct Answer: D
Question #15
Which of the following is the BEST approach to make strategic information security decisions?
A. Establish regular information security status reporting
B. Establish business unit security working groups
C. Establish periodic senior management meetings
D. Establish an information security steering committee

An organization which uses external cloud services extensively is concerned with risk monitoring and timely response
A. the availability of continuous technical support
B. internal security standards are in place
D.
View answer
Correct Answer: B
Question #16
What is the recommended initial step for an IS auditor to implement continuous-monitoring systems?
A. Document existing internal controls
B. Perform compliance testing on internal controls
C. Establish a controls-monitoring steering committee
D. Identify high-risk areas within the organization
View answer
Correct Answer: A
Question #17
What protects an application purchaser's ability to fix or change an application in case the application vendor goes out of business?
A. Assigning copyright to the organization
B. Program back doors
C. Source code escrow
D. Internal programming expertise
View answer
Correct Answer: B
Question #18
What is the GREATEST concern for an IS auditor reviewing contracts for licensed software that executes a critical business process?
A. Software escrow was not negotiated
B. An operational level agreement (OLA) was not negotiated
C. The contract does not contain a right-to-audit clause
D. Several vendor deliverables missed the commitment date
View answer
Correct Answer: C
Question #19
Which of the following ensures confidentiality of information sent over the internet?
A. Digital signature
B. Digital certificate
C. Online Certificate Status Protocol
D. Private key cryptosystem
View answer
Correct Answer: B
Question #20
When reviewing print systems spooling, an IS auditor is MOST concerned with which of the following vulnerabilities?
A. The potential for unauthorized deletion of report copies
B. The potential for unauthorized modification of report copies
C. The potential for unauthorized printing of report copies
D. The potential for unauthorized editing of report copies
View answer
Correct Answer: B
Question #21
An IS auditor inspected a windowless room containing phone switching and networking equipment and documentation binders. The room was equipped with two handheld fire extinguishers, one filled with CO2 and the other filled with halon. Which of the following should be given the HIGHEST priority in the auditor's report?
A. The halon extinguisher should be removed because halon has a negative impact on the atmospheric ozone layer
B. Both fire suppression systems present a risk of suffocation when used in a closed room
C. The CO2 extinguisher should be removed, because CO2 is ineffective for suppressing fires involving solid combustibles (paper)
D. The documentation binders should be removed from the equipment room to reduce potential risks
View answer
Correct Answer: A
Question #22
Which of the following would BEST enable effective decision-making?
A. Annualized loss estimates determined from past security events
B. A universally applied list of generic threats, impacts, and vulnerabilities
C. Formalized acceptance of risk analysis by business management
D. A consistent process to analyze new and historical information risk
View answer
Correct Answer: B
Question #23
Which of the following security controls is intended to keep an incident from occurring?
A. Deterrent
B. Preventive
C. Corrective
D. Recovery
View answer
Correct Answer: B
Question #24
An existing system is being replaced with a new application package. User acceptance testing should ensure that:
A. data from the old system has been converted correctly
B. the new system functions as expected
C. the new system is better than the old system
D. there is a business need for the new system
View answer
Correct Answer: D
Question #25
John implemented a validation check on the marital status field of a payroll record. A payroll record contains a field for marital status, and the acceptable status codes are M for Married or S for Single. If any other code is entered, the record should be rejected. Which of the following data validation controls was implemented by John?
A. Range Check
B. Validity Check
C. Existence check
D. Reasonableness check
View answer
Correct Answer: D
Question #26
Which of the following are the PRIMARY considerations when determining the timing of remediation testing?
A. The level of management and business commitment to implementing agreed action plans
B. The difficulty of scheduling resources and availability of management for a follow-up engagement
C. The availability and competencies of control owners for implementing the agreed action
D. The significance of the reported findings and the impact if corrective actions are not taken
View answer
Correct Answer: A
Question #27
Which of the following is MOST important to the successful implementation of an information security governance framework across the organization?
A. The existing organizational security culture
B. Security management processes aligned with security objectives
C. Organizational security controls deployed in line with regulations
D. Security policies that adhere to industry best practices
View answer
Correct Answer: D
Question #28
The IS auditor has identified a potential fraud perpetrated by the network administrator. The IS auditor should:
A. issue a report to ensure a timely resolution
B. review the audit finding with the audit committee prior to any other discussions
C. perform more detailed tests prior to disclosing the audit results
D. share the potential audit finding with the security administrator
View answer
Correct Answer: B
Question #29
The BEST way to obtain funding from senior management for a security awareness program is to:
A. meet regulatory requirements
B. produce an impact analysis report of potential breaches
C. demonstrate that the program will adequately reduce risk
D. produce a report of organizational risks
View answer
Correct Answer: A
Question #30
When the inherent risk of a business activity is lower than the acceptable risk level, the BEST course of action would be to:
A. implement controls to mitigate the risk
B. report compliance to management
C. review the residual risk level
D. monitor for business changes
View answer
Correct Answer: D
Question #31
An IS auditor reviewed the business case for a proposed investment to virtualize an organization’s server infrastructure. Which of the following is MOST likely to be included among the benefits in the project proposal?
A. Fewer operating system licenses
B. Better efficiency of logical resources
C. Reduced hardware footprint
D. Less memory and storage space
View answer
Correct Answer: C
Question #32
Which of the following should be an information security manager’s MOST important consideration when conducting a physical security review of a potential outsourced data center?
A. Environmental factors of the surrounding location
B. Proximity to law enforcement
C. Availability of network circuit connections
D. Distance of the data center from the corporate office
View answer
Correct Answer: A
Question #33
An IS auditor reviewing the threat assessment for a data center would be MOST concerned if:
A. all identified threats relate to external entities
B. some of the identified threats are unlikely to occur
C. neighboring organizations’ operations have been included
D. the exercise was completed by local management
View answer
Correct Answer: D
Question #34
An IS auditor selects a server for a penetration test that will be carried out by a technical specialist. Which of the following is MOST important?
A. The tools used to conduct the test
B. Certifications held by the IS auditor
C. Permission from the data owner of the server
D. An intrusion detection system (IDS) is enabled
View answer
Correct Answer: B
Question #35
Which of the following is the INCORRECT “layer - protocol" mapping within the TCP/IP model?
A. Application layer – NFS
B. Transport layer – TCP
C. Network layer – UDP
D. LAN or WAN interface layer – point-to-point protocol
View answer
Correct Answer: C
Question #36
An organization with extremely high security requirements is evaluating the effectiveness of biometric systems. Which of the following performance indicators is MOST important?
A. False-acceptance rate (FAR)
B. Equal-error rate (EER)
C. False-rejection rate (FRR)
D. False-identification rate (FIR)
View answer
Correct Answer: B
Question #37
Which of the following would prevent accountability for an action performed, thus allowing nonrepudiation?
A. Proper authentication
B. Proper identification AND authentication
C. Proper identification
D. Proper identification, authentication, AND authorization
View answer
Correct Answer: A
Question #38
What is the MOST prevalent security risk when an organization implements remote virtual private network (VPN) access to its network?
A. Malicious code could be spread across the network
B. VPN logon could be spoofed
C. Traffic could be sniffed and decrypted
D. VPN gateway could be compromised
View answer
Correct Answer: D
Question #39
Which of the following would be of GREATEST concern to an IS auditor evaluating governance over open source development components?
A. The development project has gone over budget and time
B. The open source development components do not meet industry best practices
C. The software is not analyzed for compliance with organizational requirements
D. Existing open source policies have not been approved in over a year
View answer
Correct Answer: A
Question #40
An organization is considering whether to allow employees to use personal computing devices for business purposes. To BEST facilitate senior management’s decision, the information security manager should:
A. perform a cost-benefit analysis
B. map the strategy to business objectives
C. conduct a risk assessment
D. develop a business case
View answer
Correct Answer: C
Question #41
An internal IS auditor discovers that a service organization did not notify its customers following a data breach. Which of the following should the auditor do FIRST?
A. Notify audit management of the finding
B. Report the finding to regulatory authorities
C. Notify the service organization’s customers
D. Require the service organization to notify its customers
View answer
Correct Answer: D
Question #42
After an external IS audit, which of the following should be IT management’s MAIN consideration when determining the prioritization of follow-up activities?
A. The amount of time since the initial audit was completed
B. The materiality of the reported findings
C. The availability of the external auditors
D. The scheduling of major changes in the control environment
View answer
Correct Answer: B
Question #43
What determines the strength of a secret key within a symmetric key cryptosystem?
A. A combination of key length, degree of permutation, and the complexity of the data-encryption algorithm that uses the key
B. A combination of key length, initial input vectors, and the complexity of the data-encryption algorithm that uses the key
C. A combination of key length and the complexity of the data-encryption algorithm that uses the key
D. Initial input vectors and the complexity of the data-encryption algorithm that uses the key
View answer
Correct Answer: C
Question #44
An IS auditor finds that confidential company data has been inadvertently leaked through social engineering. The MOST effective way to help prevent a recurrence of this issue is to implement:
A. penalties to staff for security policy breaches
B. a third-party intrusion prevention solution
C. a security awareness program
D. data loss prevention (DLP) software
View answer
Correct Answer: C
Question #45
Identify the payment model from the description presented below: A user writes an electronic check, which is digitally signed with instructions to pay. This is transferred to another user, who then deposits the electronic check with the issuer. The issuer verifies the payer's signature on the payment and transfers the funds from the payer's account to the payee's account.
A. Electronic Money Model
B. Electronic Checks model
C. Electronic transfer model
D. Electronic withdraw model
View answer
Correct Answer: A
Question #46
Which of the following steps of PDCA requests corrective actions on significant differences between the actual and the planned result?
A. Plan
B. Do
C. Check
D. Act
View answer
Correct Answer: B
Question #47
Which of the following is the MOST important reason to use statistical sampling?
A. The results are more defensible
B. It ensures that all relevant cases are covered
C. It reduces time required for testing
D. The results can reduce error rates
View answer
Correct Answer: A
Question #48
A hard disk containing confidential data was damaged beyond repair. What should be done to the hard disk to prevent access to the data residing on it?
A. Rewrite the hard disk with random 0s and 1s
B. Low-level format the hard disk
C. Demagnetize the hard disk
D. Physically destroy the hard disk
View answer
Correct Answer: B
Question #49
Which of the following should be the MOST important consideration when implementing an information security framework?
A. Compliance requirements
B. Audit findings
C. Technical capabilities
D. Risk appetite
View answer
Correct Answer: A
Question #50
Which of the following risk handling techniques involves the practice of being proactive so that the risk in question is not realized?
A. Risk Mitigation
B. Risk Acceptance
C. Risk Avoidance
D. Risk transfer
View answer
Correct Answer: C
Question #51
Which of the following should be of GREATEST concern to an IS auditor reviewing actions taken during a forensic investigation?
A. The investigation report does not indicate a conclusion
B. An image copy of the attacked system was not taken
C. The proper authorities were not notified
D. The handling procedures of the attacked system are not documented
View answer
Correct Answer: C
Question #52
A firm is considering using biometric fingerprint identification on all PCs that access critical data. This requires:
A. that a registration process is executed for all accredited PC users
B. the full elimination of the risk of a false acceptance
C. the usage of the fingerprint reader be accessed by a separate password
D. assurance that it will be impossible to gain unauthorized access to critical data
View answer
Correct Answer: D
Question #53
A manufacturing company is implementing application software for its sales and distribution system. Which of the following is the MOST important reason for the company to choose a centralized online database?
A. Enhanced data redundancy
B. Elimination of multiple points of failure
C. Elimination of the need for data normalization
D. Enhanced integrity controls
View answer
Correct Answer: A
Question #54
Intrusion detection systems (IDSs) can:
A. substitute for a firewall
B. compensate for weak authentication mechanisms
C. conduct investigations of attacks from within the network
D. provide information to enhance the security infrastructure
View answer
Correct Answer: B
Question #55
Which of the following should be the PRIMARY objective of the information security incident response process?
A. Minimizing negative impact to critical operations
B. Communicating with internal and external parties
C. Classifying incidents
D. Conducting incident triage
View answer
Correct Answer: B
Question #56
Which of the following should the IS auditor use to BEST determine whether a project has met its business objectives?
A. Earned-value analysis
B. Completed project plan
C. Issues log with resolutions
D. Benefits realization document
View answer
Correct Answer: D
Question #57
Which of the following is the MOST important consideration when investigating a security breach of an e-commerce application?
A. Chain of custody
B. Skill set of the response team
C. Notifications to law enforcement
D. Procedures to analyze evidence
View answer
Correct Answer: B
Question #58
Which of the following terms in business continuity determines the maximum acceptable amount of data loss measured in time?
A. RPO
B. RTO
C. WRT
D. MTD
View answer
Correct Answer: B
Question #59
Which of the following is a benefit of a risk-based approach to audit planning? Audit:
A. scheduling may be performed months in advance
B. budgets are more likely to be met by the IS audit staff
C. staff will be exposed to a variety of technologies
D. resources are allocated to the areas of highest concern
View answer
Correct Answer: A
Question #60
Which of the following layers of an enterprise data flow architecture is concerned with the assembly and preparation of data for loading into data marts?
A. Data preparation layer
B. Desktop Access Layer
C. Data Mart layer
D. Data access layer
View answer
Correct Answer: D
Question #61
Which of the following presents the GREATEST concern when implementing data flow across borders?
A. Software piracy laws
B. National privacy laws
C. Political unrest
D. Equipment incompatibilities
View answer
Correct Answer: A
Question #62
The MOST important objective of security awareness training for business staff is to:
A. understand intrusion methods
B. reduce negative audit findings
C. increase compliance
View answer
Correct Answer: C
Question #63
Which of the following cloud deployment models is provisioned for open use by the general public?
A. Private Cloud
B. Community Cloud
C. Public Cloud
D. Hybrid Cloud
View answer
Correct Answer: C
Question #64
Which of the following is MOST likely to result from compliance testing?
A. Comparison of data with physical counts
B. Confirmation of data with outside sources
C. Identification of errors due to processing mistakes
D. Discovery of controls that have not been applied
View answer
Correct Answer: C
Question #65
Which of the following would be the GREATEST cause for concern when data are sent over the Internet using the HTTPS protocol?
A. Presence of spyware in one of the ends
B. The use of a traffic sniffing tool
C. The implementation of an RSA-compliant solution
D. A symmetric cryptography is used for transmitting data
View answer
Correct Answer: B
Question #66
An IS auditor is evaluating the completeness of privacy procedures involving personally identifiable information (PII). Which of the following is MOST important for the auditor to verify is included in the procedures?
A. Regulatory requirements for protecting PII
B. The organization’s definition of PII
C. Encryption requirements for transmitting PII externally
D. A description of how PII is masked within key systems
View answer
Correct Answer: A
Question #67
Which of the following is the BEST reason to certify an organization to an international security standard?
A. The certification covers enterprise security end-to-end
B. The certification reduces information security risk
C. The certification ensures that optimal controls are in place
D. The certification delivers value to stakeholders
View answer
Correct Answer: D
Question #68
Which of the following steps of PDCA implements the plan, executes the process, and makes the product?
A. Plan
B. Do
C. Check
D. Act
View answer
Correct Answer: D
Question #69
Which of the following is the MOST critical characteristic of a biometric system?
A. Registration time
B. Throughput rate
C. Accuracy
D. Ease of use
View answer
Correct Answer: B
Question #70
The MAJOR advantage of the risk assessment approach over the baseline approach to information security management is that it ensures:
A. information assets are overprotected
B. a basic level of protection is applied regardless of asset value
C. appropriate levels of protection are applied to information assets
D. an equal proportion of resources are devoted to protecting all information assets
View answer
Correct Answer: A
Question #71
What is the MOST effective way to ensure security policies and procedures are up-to-date?
A. Verify security requirements are being identified and consistently applied
B. Align the organization’s security practices with industry standards and best practice
C. Define and document senior management’s vision for the direction of the security
D. Prevent security documentation audit issues from being raised
View answer
Correct Answer: B
Question #72
The effectiveness of an information security governance framework will BEST be enhanced if:
A. consultants review the information security governance framework
B. a culture of legal and regulatory compliance is promoted by management
C. IS auditors are empowered to evaluate governance activities
D. risk management is built into operational and strategic activities
View answer
Correct Answer: D
Question #73
An IS auditor reviewing the implementation of an intrusion detection system (IDS) should be MOST concerned if:
A. IDS sensors are placed outside of the firewall
B. a behavior-based IDS is causing many false alarms
C. a signature-based IDS is weak against new types of attacks
D. the IDS is used to detect encrypted traffic
View answer
Correct Answer: A
Question #74
Which of the following is NOT an example of a corrective control?
A. OS Upgrade
B. Backup and restore
C. Contingency planning
D. System Monitoring
View answer
Correct Answer: D
Question #75
In reviewing the IT strategic plan, the IS auditor should consider whether it identifies the:
A. major IT initiatives
B. links to operational tactical plans
C. allocation of IT staff
D. project management methodologies used
View answer
Correct Answer: A
Question #76
An organization is in the process of deciding whether to allow a bring your own device (BYOD) program. If approved, which of the following should be the FIRST control required before implementation?
A. Device baseline configurations
B. Device registration
C. An acceptable use policy
D. An awareness program
View answer
Correct Answer: S
Question #77
An organization was severely impacted after an advanced persistent threat (APT) attack. Afterwards, it was found that the initial breach happened a month prior to the attack. Management’s GREATEST concern should be:
A. results of the past internal penetration test
B. the effectiveness of monitoring processes
C. the installation of critical security patches
D. external firewall policies
View answer
Correct Answer: B
Question #78
Which of the following is the MOST important consideration for an organization when strategizing to comply with privacy regulations?
A. Ensuring there are staff members with in-depth knowledge of the privacy regulations
B. Ensuring up-to-date knowledge of where customer data is saved
C. Ensuring regularly updated contracts with third parties that process customer data
D. Ensuring appropriate access to information systems containing privacy information
View answer
Correct Answer: B
Question #79
A review of an organization’s IT portfolio revealed several applications that are not in use. The BEST way to prevent this situation from recurring would be to implement:
A. a formal request for proposal (RFP) process
B. an information asset acquisition policy
C. asset life cycle management
D. business development procedures
View answer
Correct Answer: C
Question #80
Which of the following is the MOST important criterion when selecting a location for an offsite storage facility for IS backup files? The offsite facility must be:
A. physically separated from the data center and not subject to the same risks
B. given the same level of protection as that of the computer data center
C. outsourced to a reliable third party
D. equipped with surveillance capabilities
View answer
Correct Answer: C
Question #81
A multinational organization is integrating its existing payroll system with a human resource information system. Which of the following should be of GREATEST concern to the IS auditor?
A. System documentation
B. Currency conversion
C. Application interfaces
D. Scope creep
View answer
Correct Answer: A
Question #82
Which of the following is the MOST effective way to ensure security policies are relevant to organizational business practices?
A. Leverage security steering committee contribution
B. Obtain senior management sign-off
C. Integrate industry best practices
D. Conduct an organization-wide security audit
View answer
Correct Answer: D
Question #83
Which of the following controls provides an alternative measure of control?
A. Deterrent
B. Preventive
C. Detective
D. Compensating
View answer
Correct Answer: D
Question #84
An information security manager learns that a departmental system is out of compliance with the information security policy’s authentication requirements. Which of the following should be the information security manager’s FIRST course of action?
A. Isolate the noncompliant system from the rest of the network
B. Submit the issue to the steering committee for escalation
C. Request risk acceptance from senior management
D. Conduct an impact analysis to quantify the associated risk
View answer
Correct Answer: B
Question #85
The network of an organization has been the victim of several intruders' attacks. Which of the following measures would allow for the early detection of such incidents?
A. Antivirus software
B. Hardening the servers
C. Screening routers
D. Honeypots
View answer
Correct Answer: D
Question #86
Which of the following should be the FIRST step when drafting an incident response plan for a new cyber-attack scenario?
A. Schedule response testing
B. Create a new incident response team
C. Create a reporting template
D. Identify relevant stakeholders
View answer
Correct Answer: C
Question #87
Which of the following is the PRIMARY objective of implementing privacy-related controls within an organization?
A. To identify data at rest and data in transit for encryption
B. To prevent confidential data loss
C. To comply with legal and regulatory requirements
D. To provide options to individuals regarding use of their data
View answer
Correct Answer: C
Question #88
Which of the following is the GREATEST risk of cloud computing?
A. Reduced performance
B. Disclosure of data
C. Lack of scalability
D. Inflexibility
View answer
Correct Answer: D
Question #89
Which of the following testing procedures is used by an auditor to check whether a firm is following the rules and regulations applicable to an activity or practice?
A. Compliance testing
B. Sanity testing
C. Recovery testing
D. Substantive testing
View answer
Correct Answer: A
Question #90
Following a risk assessment, new countermeasures have been approved by management. Which of the following should be performed NEXT?
A. Schedule the target end date for implementation activities
B. Budget the total cost of implementation activities
C. Develop an implementation strategy
D. Calculate the residual risk for each countermeasure
View answer
Correct Answer: B
Question #91
A design company has multiple name and address files for its customers in several of its independent systems. Which of the following is the BEST control to ensure that the customer name and address agree across all files?
A. Use of hash totals on customer records
B. Periodic review of each master file by management
C. Matching of records and review of exception reports
D. Use of authorized master file change forms
View answer
Correct Answer: B
Question #92
Which of the following layers of an enterprise data flow architecture is concerned with basic data communication?
A. Data preparation layer
B. Desktop Access Layer
C. Internet/Intranet layer
D. Data access layer
View answer
Correct Answer: B
Question #93
An IS auditor is planning on utilizing attribute sampling to determine the error rate for health care claims processed. Which of the following factors will cause the sample size to decrease?
A. Population size increase
B. Expected error rate increase
C. Acceptable risk level decrease
D. Tolerable error rate increase
View answer
Correct Answer: A
Question #94
An IT governance framework provides an organization with:
A. a basis for directing and controlling IT
B. assurance that there will be IT cost reductions
C. organizational structures to enlarge the market share through IT
D. assurance that there are surplus IT investments
View answer
Correct Answer: A
Question #95
An organization’s disposal policy emphasizes obtaining maximum value for surplus IT media. The IS auditor should obtain assurance that:
A. the media is returned to the vendor for credit
B. any existing data is removed before disposal
C. identification labels are removed
D. the media is recycled to other groups within the organization
View answer
Correct Answer: D
Question #96
What should the information security manager do FIRST when end users express that new security controls are too restrictive?
A. Perform a risk assessment on modifying the control environment
B. Perform a cost-benefit analysis on modifying the control environment
C. Conduct a business impact analysis (BIA)
D. Obtain process owner buy-in to remove the controls
View answer
Correct Answer: B
Question #97
During a follow-up audit, an IS auditor concludes that a previously identified issue has not been adequately remediated. The auditee insists the risk has been addressed. The auditor should:
A. recommend an independent assessment by a third party
B. report the disagreement according to established procedures
C. follow-up on the finding next year
D. accept the auditee’s position and close the finding
View answer
Correct Answer: A
Question #98
An organization’s HR department would like to outsource its employee management system to a cloud-hosted solution due to features and cost savings offered. Management has identified this solution as a business need and wants to move forward. What should be the PRIMARY role of information security in this effort?
A. Ensure a security audit is performed of the service provider
B. Ensure the service provider has the appropriate certifications
C. Determine how to securely implement the solution
D. Explain security issues associated with the solution to management
View answer
Correct Answer: D
Question #99
During a business process re-engineering (BPR) program, IT can assist with:
A. total cost of ownership
B. focusing on value-added tasks
C. segregation of duties
D. streamlining of tasks
View answer
Correct Answer: A
Question #100
After observing suspicious activities in a server, a manager requests a forensic analysis. Which of the following findings should be of MOST concern to the investigator?
A. Server is a member of a workgroup and not part of the server domain
B. Guest account is enabled on the server
C. Recently, 100 users were created in the server
D. Audit logs are not enabled for the server
View answer
Correct Answer: B
Question #101
An organization is deciding whether to outsource its customer relationship management systems to a provider located in another country. Which of the following should be the PRIMARY influence in the outsourcing decision?
A. Time zone differences
B. The service provider’s disaster recovery plan
C. Cross-border privacy laws
D. Current geopolitical conditions
View answer
Correct Answer: B
Question #102
The BEST test to determine whether an application’s internal security controls are configured in compliance with the organization’s security standards is an evaluation of the:
A. availability and frequency of security reports
B. intrusion detection system (IDS) logs
C. application’s user accounts and passwords
D. business application’s security parameter settings
View answer
Correct Answer: D
Question #103
Which of the following is the BEST approach for performing a business impact analysis (BIA) of a supply-chain management application?
A. Circulating questionnaires to key internal stakeholders
B. Interviewing groups of key stakeholders
C. Accepting IT personnel’s view of business issues
D. Reviewing the organization’s policies and procedures
View answer
Correct Answer: C
Question #104
A sender of an e-mail message applies a digital signature to the digest of the message. This action provides assurance of the:
A. date and time stamp of the message
B. identity of the originating computer
C. confidentiality of the message's content
D. authenticity of the sender
View answer
Correct Answer: C
Question #105
Which of the following human resources management practices BEST leads to the detection of fraudulent activity?
A. Background checks
B. Time reporting
C. Employee code of ethics
D. Mandatory time off
View answer
Correct Answer: C
Question #106
To effectively classify data, which of the following MUST be determined?
A. Data controls
B. Data ownership
C. Data users
D. Data volume
View answer
Correct Answer: D
Question #107
During a review of system access, an IS auditor notes that an employee who has recently changed roles within the organization still has previous access rights. The auditor’s NEXT step should be to:
A. determine the reason why access rights have not been revoked
B. recommend a control to automatically update access rights
C. direct management to revoke current access rights
D. determine if access rights are in violation of software licenses
View answer
Correct Answer: A
Question #108
Which of the following will identify a deviation in the information security management process from generally accepted standards of good practices?
A. Gap analysis
B. Risk assessment
C. Business impact analysis (BIA)
D. Penetration testing
View answer
Correct Answer: A
Question #109
Which of the following is MOST important for an effective control self-assessment program?
A. Determining the scope of the assessment
B. Evaluating changes to the risk environment
C. Understanding the business process
D. Performing detailed test procedures
View answer
Correct Answer: S
Question #110
Which of the following is the MOST important control to implement when senior managers use smartphones to access sensitive company information?
A. Mandatory virtual private network (VPN) connectivity
B. Centralized device administration
C. Strong passwords
D. Anti-malware on the devices
View answer
Correct Answer: C
Question #111
Which of the following is an ITU-T standard protocol suite for packet-switched wide area network communication?
A. Point-to-point protocol
B. X
C. Frame Relay
D. ISDN
View answer
Correct Answer: D
Question #112
Which of the following is the PRIMARY advantage of having an established information security governance framework in place when an organization is adopting emerging technologies?
A. An emerging technologies strategy would be in place
B. A cost-benefit analysis process would be easier to perform
C. An effective security risk management process is established
D. End-user acceptance of emerging technologies has been established
View answer
Correct Answer: A
Question #113
The PRIMARY reason for an IS auditor to use data analytics techniques is to reduce which type of audit risk?
A. Technology risk
B. Inherent risk
C. Detection risk
D. Control risk
View answer
Correct Answer: C
Question #114
An IS auditor discovers that, due to resource constraints, a database administrator (DBA) is responsible for developing and executing changes into the production environment. Which of the following should the auditor do FIRST?
A. Identify whether any compensating controls exist
B. Report a potential segregation of duties (SoD) violation
C. Determine whether another database administrator could make the changes
D. Ensure a change management process is followed prior to implementation
View answer
Correct Answer: B
Question #115
Which of the following is the GREATEST threat to Voice-over Internet Protocol (VoIP) related to privacy release?
A. Incorrect routing
B. Eavesdropping
C. Call recording
D. Denial of service
View answer
Correct Answer: B
Question #116
The information security function in a large organization is MOST effective when:
A. decentralized as close to the user as possible
B. the function reports directly to the IS operations manager
C. partnered with the IS development team to determine access rights
D. established at a corporate-wide level
View answer
Correct Answer: B
Question #117
Which of the following should be of GREATEST concern to an IS auditor conducting an audit of incident response procedures?
A. End users have not completed security awareness training
B. Senior management is not involved in the incident response process
C. There is no procedure in place to learn from previous security incidents
D. Critical incident response events are not recorded in a centralized repository
View answer
Correct Answer: B
Question #118
Which of the following is the BEST IS audit strategy?
A. Perform audits based on impact and probability of error and failure
B. Cycle general control and application audits over a two-year period
C. Conduct general control audits annually and application audits in alternating years
D. Limit audits to new application system developments
View answer
Correct Answer: A
Question #119
Which of the following is the BEST type of backup to minimize the associated time and media?
A. Differential
B. Incremental
C. Mirror
D. Compressed full
View answer
Correct Answer: B
Question #120
The PRIMARY purpose of a security information and event management (SIEM) system is to:
A. identify potential incidents
B. provide status of incidents
C. resolve incidents
D. track ongoing incidents
View answer
Correct Answer: D
Question #121
Internal audit reports should be PRIMARILY written for and communicated to:
A. audit management, as they are responsible for the quality of the audit
B. external auditors, as they provide an opinion on the financial statements
C. auditees, as they will eventually have to implement the recommendations
D. senior management, as they should be informed about the identified risks
View answer
Correct Answer: A
Question #122
Which of the following would create the GREATEST risk when migrating a critical legacy system to a new system?
A. Using agile development methodology
B. Following a phased approach
C. Following a direct cut-over approach
D. Maintaining parallel systems
View answer
Correct Answer: B
Question #123
The risk of communication failure in an e-commerce environment is BEST minimized through the use of:
A. alternative or diverse routing
B. compression software to minimize transmission duration
C. a packet filtering firewall to reroute messages
D. functional or message acknowledgments
View answer
Correct Answer: B
Question #124
Which of the following would BEST support 24/7 availability?
A. Daily backup
B. Offsite storage
C. Mirroring
D. Periodic testing
View answer
Correct Answer: D
Question #125
Which of the following is the BEST approach to identify noncompliance issues with legal, regulatory, and contractual requirements?
A. Vulnerability assessment
B. Risk assessment
C. Business impact analysis (BIA)
D. Gap analysis
View answer
Correct Answer: B
Question #126
Which of the following practices associated with capacity planning provides the GREATEST assurance that future incidents related to server performance will be prevented?
A. Anticipating current service level agreements (SLAs) will remain unchanged
B. Prorating the current processing workloads
C. Negotiating agreements to acquire required cloud services
D. Duplicating existing disk drive systems to improve redundancy and data storage
View answer
Correct Answer: B
In a typical SDLC, which group is PRIMARILY responsible for confirming compliance with requirements?
A. Steering committee
B. Risk management
C. Quality assurance
D. Internal audit
View answer
Correct Answer: C
Question #127
Spreadsheets are used to calculate project cost estimates. Totals for each cost category are then keyed into the job-costing system. What is the BEST control to ensure that data are accurately entered into the system?
A. Reasonableness checks for each cost type
B. Validity checks, preventing entry of character data
C. Display back of project detail after entry
D. Reconciliation of total amounts by project
View answer
Correct Answer: C
Question #128
An IS auditor discovers instances where software with the same license key is deployed to multiple workstations, in breach of the licensing agreement. Which of the following is the auditor’s BEST recommendation?
A. Evaluate the business case for funding of additional licenses
B. Require business owner approval before granting software access
C. Remove embedded keys from offending packages
D. Implement software licensing monitoring to manage duplications
View answer
Correct Answer: D
Question #129
Which of the following is the PRIMARY role of a data custodian?
A. Processing information
B. Securing information
C. Classifying information
D. Validating information
View answer
Correct Answer: C
Question #130
After identifying potential security vulnerabilities, what should be the IS auditor's next step?
A. To evaluate potential countermeasures and compensatory controls
B. To implement effective countermeasures and compensatory controls
C. To perform a business impact analysis of the threats that would exploit the vulnerabilities
D. To immediately advise senior management of the findings
View answer
Correct Answer: D
Question #131
A multinational organization is introducing a security governance framework. The information security manager’s concern is that regional security practices differ. Which of the following should be evaluated FIRST?
A. Local regulatory requirements
B. Local IT requirements
C. Cross-border data mobility
D. Corporate security objectives
View answer
Correct Answer: A
Question #132
Which of the following should be the PRIMARY consideration for IT management when selecting a new information security tool that monitors suspicious file access patterns?
A. Integration with existing architecture
B. Ease of support and troubleshooting
C. Data correlation and visualization capabilities
D. Ability to contribute to key performance indicator data
View answer
Correct Answer: B
Question #133
After implementing an information security governance framework, which of the following would provide the BEST information to develop an information security project plan?
A. Balanced scorecard
B. Recent audit results
C. Risk heat map
D. Gap analysis
View answer
Correct Answer: D
Question #134
What is an effective control for granting temporary access to vendors and external support personnel?
A. Creating user accounts that automatically expire by a predetermined date
B. Creating permanent guest accounts for temporary use
C. Creating user accounts that restrict logon access to certain hours of the day
D. Creating a single shared vendor administrator account on the basis of least-privileged access
View answer
Correct Answer: A
Question #135
A previously agreed-upon recommendation was not implemented because the auditee no longer agrees with the original findings. The IS auditor’s FIRST course of action should be to:
A. exclude the finding in the follow-up audit report
B. escalate the disagreement to the audit committee
C. assess the reason for the disagreement
D. require implementation of the original recommendation
View answer
Correct Answer: C
Question #136
As part of an international expansion plan, an organization has acquired a company located in another jurisdiction. Which of the following would be the BEST way to maintain an effective information security program?
A. Determine new factors that could influence the information security strategy
B. Implement the current information security program in the acquired company
C. Merge the two information security programs to establish continuity
D. Ensure information security is included in any change control efforts
View answer
Correct Answer: A
Question #137
When installing an intrusion detection system (IDS), which of the following is MOST important?
A. Properly locating it in the network architecture
B. Preventing denial-of-service (DoS) attacks
C. Identifying messages that need to be quarantined
D. Minimizing the rejection errors
View answer
Correct Answer: C
Question #138
Which of the following could be used to evaluate the effectiveness of IT operations?
A. Total cost of ownership
B. Net present value
C. Balanced scorecard
D. Internal rate of return
View answer
Correct Answer: B
Question #139
What is the first step in a business process re-engineering project?
A. Identifying current business processes
B. Forming a BPR steering committee
C. Defining the scope of areas to be reviewed
D.
View answer
Correct Answer: B
Question #140
An IS auditor has discovered that a cloud-based application was not included in an application inventory that was used to confirm the scope of an audit. The business process owner explained that the application will be audited by a third party in the next year. The auditor’s NEXT step should be to:
A. evaluate the impact of the cloud application on the audit scope
B. revise the audit scope to include the cloud-based application
C. review the audit report when performed by the third party
D. report the control deficiency to senior management
View answer
Correct Answer: D
Question #141
What is the MOST important business concern when an organization is about to migrate a mission-critical application to a virtual environment?
A. The organization’s experience with virtual applications
B. Adequacy of the fallback procedures
C. Confidentiality of network traffic
D. Adequacy of the virtual architecture
View answer
Correct Answer: D
Question #142
Which of the following is not a common method of multiplexing data?
A. Analytical multiplexing
B. Time-division multiplexing
C. Asynchronous time-division multiplexing
D. Frequency division multiplexing
View answer
Correct Answer: A
Question #143
Which type of control is being implemented when a biometric access device is installed at the entrance to a facility?
A. Preventive
B. Deterrent
C. Corrective
D. Detective
View answer
Correct Answer: A
Question #144
Who should be responsible for network security operations?
A. Business unit managers
B. Security administrators
C. Network administrators
D. IS auditors
View answer
Correct Answer: A
Question #145
Which of the following would BEST enable alignment of IT with business objectives?
A. Leveraging an IT framework
B. Completing an IT risk assessment
C. Adopting industry best practices
D. Monitoring key performance indicators (KPIs)
View answer
Correct Answer: D
Question #146
Management decided to accept the residual risk of an audit finding and not take the recommended actions. The internal audit team believes the acceptance is inappropriate and has discussed the situation with executive management. After this discussion, there is still disagreement regarding the decision. Which of the following is the BEST course of action by internal audit?
A. Report this matter to the audit committee without notifying executive management
B. Document in the audit report that management has accepted the residual risk and take no further actions
C. Report the issue to the audit committee in a joint meeting with executive management for resolution
D. Schedule another meeting with executive management to convince them of taking action as recommended
View answer
Correct Answer: D
Question #147
Which of the following components of an expert system allows the expert to enter knowledge into the system without the traditional mediation of a software engineer?
A. Decision tree
B. Rules
C. Semantic nets
D. Knowledge interface
View answer
Correct Answer: B
Question #148
Why is a clause for requiring source code escrow in an application vendor agreement important?
A. To segregate systems development and live environments
B. To protect the organization from copyright disputes
C. To ensure that sufficient code is available when needed
D. To ensure that the source code remains available even if the application vendor goes out of business
View answer
Correct Answer: D
Question #149
An IS auditor observes that routine backups of operational databases are taking longer than before. Which of the following would MOST effectively help to reduce backup and recovery times for operational databases?
A. Utilizing database technologies to achieve efficiencies
B. Using solid-state drive (SSD) media
C. Requiring a combination of weekly full backups and daily differential backups
D. Archiving historical data in accordance with the data retention policy
View answer
Correct Answer: B
Question #150
Which of the following procedures would BEST contribute to the reliability of information in a data warehouse?
A. Retaining only current data
B. Storing only a single type of data
C. Maintaining archive data
D. Maintaining current metadata
View answer
Correct Answer: D
Question #151
Which of the following provides the BEST single-factor authentication?
A. Biometrics
B. Password
C. Token
D. PIN
View answer
Correct Answer: A
Question #152
Which of the following properties of the core data warehouse layer of an enterprise data flow architecture uses common attributes to access a cross section of the information in the warehouse?
A. Drill up
B. Drill down
C. Drill across
D. Historical Analysis
View answer
Correct Answer: A
Question #153
An organization is implementing the use of mobile devices that will connect to sensitive corporate applications. Which of the following is the BEST recommendation to mitigate risk of data leakage?
A. Remote data wipe
B. GPS tracking software
C. Encrypted RFID tags
D. Data encryption
View answer
Correct Answer: B
Question #154
An IS auditor finds that application servers had inconsistent security settings leading to potential vulnerabilities. Which of the following is the BEST recommendation by the IS auditor?
A. Improve the change management process
B. Perform a configuration review
C. Establish security metrics
D. Perform a penetration test
View answer
Correct Answer: B
Question #155
A start-up company acquiring servers for its order-taking system is unable to predict the volume of transactions. Which of the following is MOST important for the company to consider?
A. Scalability
B. Configuration
C. Optimization
D. Compatibility
View answer
Correct Answer: C
Question #156
An advantage of installing a thin client architecture in a local area network (LAN) is that this would:
A. stabilize network bandwidth requirements
B. facilitate the updating of software versions
C. ensure application availability when the server is down
D. reduce the risk of a single point of failure
View answer
Correct Answer: D