CISA Exam Questions & Study Materials, Certified Information Systems Auditor | SPOTO

Welcome to SPOTO's CISA Exam Questions & Study Materials for 2024! The Certified Information Systems Auditor® (CISA®) certification stands as a beacon of excellence in auditing, IT systems assessment, and risk-based audit methodologies. Our comprehensive study materials, including exam questions and mock tests, are tailored to prepare you effectively for the CISA exam. Utilizing mock tests offers several advantages, such as simulating real exam conditions, identifying areas for improvement, and boosting confidence levels. Join SPOTO to access high-quality exam materials, sample questions, and practice tests, ensuring a successful journey towards achieving your CISA certification. Showcase your expertise and ability to apply a risk-based approach to audit engagements with SPOTO's CISA Exam Preparation.

Question #1
Which of the following would be the MOST cost-effective recommendation for reducing the number of defects encountered during software development projects?
A. increase the time allocated for system testing
B. implement formal software inspections
C. increase the development staff
D. Require the sign-off of all project deliverables
Correct Answer: B (formal inspections find defects during design and coding, before they reach testing, which is where they are cheapest to fix; more testing, more staff or more sign-offs all cost more and catch defects later)
Question #2
A primary benefit derived from an organization employing control self-assessment (CSA) techniques is that it can:
A. Identify high-risk areas that might need a detailed review later
B. Reduce audit costs
C. Reduce audit time
D. Increase audit accuracy
Correct Answer: A (the main value of CSA is early identification of high-risk areas for later detailed review; any reduction in audit cost or time is secondary)
Question #3
Who should be responsible for network security operations?
A. Business unit managers
B. Security administrators
C. Network administrators
D. IS auditors
Correct Answer: B (security administrators run network security operations; network administrators run the network itself, business unit managers own the requirements, and IS auditors must remain independent of operations)
Question #4
An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorized software. Which of the following actions should the IS auditor take?
A. Personally delete all copies of the unauthorized software
B. Inform the auditee of the unauthorized software, and follow up to confirm deletion
C. Report the use of the unauthorized software and the need to prevent recurrence to auditee management
D. Take no action, as it is a commonly accepted practice and operations management is responsible for monitoring such use
Correct Answer: C (the auditor reports the finding and the need for a preventive control; deleting software or policing the clean-up is management's job and would compromise the auditor's independence)
Question #5
A benefit of open system architecture is that it:
A. facilitates interoperability
B. facilitates the integration of proprietary components
C. will be a basis for volume discounts from equipment vendors
D. allows for the achievement of more economies of scale for equipment
Correct Answer: A
Question #6
Which of the following sampling methods is MOST useful when testing for compliance?
A. Attribute sampling
B. Variable sampling
C. Stratified mean per unit
D. Difference estimation
Correct Answer: A
Question #7
Which of the following data validation edits is effective in detecting transposition and transcription errors?
A. Range check
B. Check digit
C. Validity check
D. Duplicate check
Correct Answer: B
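As an added example (not part of the original question bank), the Luhn mod-10 check digit used on payment card and many account numbers, applied to a constructed account number. The last function enumerates every single-digit substitution (transcription error) and every adjacent transposition of a valid number and reports the ones the check digit fails to catch, which shows both why check digits answer this question and their known blind spot: Luhn catches every single-digit substitution and every adjacent transposition except 09 and 90.

```python
def luhn_checksum(digits: str) -> int:
    """Luhn (mod 10) checksum of a digit string that already carries its check digit.
    Starting from the rightmost digit, every second digit is doubled; when the double
    exceeds 9 its two digits are summed (the same as subtracting 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def append_check_digit(payload: str) -> str:
    """Append the Luhn check digit to a payload of digits."""
    # The checksum of payload + "0" says how much the final digit must contribute.
    return payload + str((10 - luhn_checksum(payload + "0")) % 10)


def is_valid(number: str) -> bool:
    """A number with a correct check digit has checksum 0."""
    return number.isdigit() and len(number) > 1 and luhn_checksum(number) == 0


def undetected_single_errors(number: str) -> dict:
    """Enumerate every single-digit substitution and every adjacent transposition
    of a valid number; return the corrupted values that still pass validation."""
    missed = {"substitution": [], "transposition": []}
    for i, original in enumerate(number):
        for d in "0123456789":
            if d != original:
                candidate = number[:i] + d + number[i + 1:]
                if is_valid(candidate):
                    missed["substitution"].append(candidate)
    for i in range(len(number) - 1):
        if number[i] != number[i + 1]:
            candidate = number[:i] + number[i + 1] + number[i] + number[i + 2:]
            if is_valid(candidate):
                missed["transposition"].append(candidate)
    return missed


if __name__ == "__main__":
    # Constructed sample payload; the check digit is computed, not real account data.
    number = append_check_digit("7992739871")
    print(number, is_valid(number))                         # 79927398713 True
    print(is_valid("79927398718"))                          # transcription error: False
    print(is_valid("79972398713"))                          # transposition error: False
    print(undetected_single_errors(number))                 # nothing missed
    print(undetected_single_errors(append_check_digit("90")))  # 09/90 transposition slips through
```

The 09/90 case is why a Luhn digit is a data-entry control and not an integrity control: it is designed to catch keying mistakes, not deliberate manipulation, and a deliberate change can always be made to keep the check digit valid.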
Question #8
A sequence of bits appended to a digital document that is used to secure an e-mail sent through the Internet is called a:
A. digest signature
B. electronic signature
C. digital signature
D. hash signature
Correct Answer: C (a digital signature is the message digest enciphered with the sender's private key; "electronic signature" is the broader legal term and does not by itself imply any cryptographic binding to the document)
Question #9
While conducting an audit, an IS auditor detects the presence of a virus. What should be the IS auditor's next step?
A. Observe the response mechanism
B. Clear the virus from the network
C. Inform appropriate personnel immediately
D. Ensure deletion of the virus
Correct Answer: C (the auditor escalates immediately; containment and removal belong to the incident response and operations staff, and the auditor should not alter the systems under review)
Question #10
The most common reason for the failure of information systems to meet the needs of users is that:
A. user needs are constantly changing
B. the growth of user requirements was forecast inaccurately
C. the hardware system limits the number of concurrent users
D. user participation in defining the system's requirements was inadequate
Correct Answer: D (systems most often fail users because users were not adequately involved when the requirements were defined)
Question #11
To assist an organization in planning for IT investments, an IS auditor should recommend the use of:
A. project management tools
B. an object-oriented architecture
C. tactical planning
D. enterprise architecture (EA)
Correct Answer: D (EA maps IT investments to business processes and to the target technical state; tactical planning and project management tools operate below the investment-planning level)
Question #12
Which of the following is a characteristic of timebox management?
A. Not suitable for prototyping or rapid application development (RAD)
B. Eliminates the need for a quality process
C. Prevents cost overruns and delivery delays
D. Separates system and user acceptance testing
Correct Answer: C
Question #13
When reviewing an organization's strategic IT plan an IS auditor should expect to find:
A. an assessment of the fit of the organization's application portfolio with business objectives
B. actions to reduce hardware procurement costs
C. a listing of approved suppliers of IT contract resources
D. a description of the technical architecture for the organization's network perimeter security
Correct Answer: A
Question #14
An IS auditor has imported data from the client's database. The next step-confirming whether the imported data are complete-is performed by:
A. matching control totals of the imported data to control totals of the original data
B. sorting the data to confirm whether the data are in the same order as the original data
C. reviewing the printout of the first 100 records of original data with the first 100 records of imported data
D. filtering data for different categories and matching them to the original data
Correct Answer: A (record counts, financial totals and hash totals computed over the whole population prove completeness; comparing the first 100 records or the sort order does not)
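As an added example (not from the original page), the three control totals an auditor would compare after importing an extract: a record count, a financial total over the amount field, and an order-independent hash total over the key field. The CSV extracts are constructed for the example; the column names are assumptions.

```python
import csv
import hashlib
import io

# Constructed sample extracts (not real data): the source table, a re-sorted import,
# an import that silently dropped a row, and one where a row was replaced by a
# different account carrying the same amount.
ORIGINAL_CSV = """account_id,amount
10001,250.00
10002,-75.50
10003,1200.25
10004,0.00
"""
REORDERED_CSV = """account_id,amount
10004,0.00
10001,250.00
10003,1200.25
10002,-75.50
"""
TRUNCATED_CSV = """account_id,amount
10001,250.00
10002,-75.50
10004,0.00
"""
SWAPPED_ROW_CSV = """account_id,amount
10001,250.00
10002,-75.50
10005,1200.25
10004,0.00
"""


def control_totals(csv_text: str) -> dict:
    """Record count, financial total of the amount field (in integer cents so
    floating-point drift cannot hide a difference), and a hash total over the sorted
    key field so that a re-sorted import still reconciles."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    amount_cents = sum(round(float(r["amount"]) * 100) for r in rows)
    keys = sorted(r["account_id"] for r in rows)
    hash_total = hashlib.sha256("\n".join(keys).encode()).hexdigest()
    return {"count": len(rows), "amount_cents": amount_cents, "hash_total": hash_total}


def reconcile(original_csv: str, imported_csv: str) -> list:
    """Names of the control totals that differ; an empty list means the import is complete."""
    src, dst = control_totals(original_csv), control_totals(imported_csv)
    return [name for name in src if src[name] != dst[name]]


if __name__ == "__main__":
    print(reconcile(ORIGINAL_CSV, REORDERED_CSV))    # []
    print(reconcile(ORIGINAL_CSV, TRUNCATED_CSV))    # ['count', 'amount_cents', 'hash_total']
    print(reconcile(ORIGINAL_CSV, SWAPPED_ROW_CSV))  # ['hash_total']
```

The swapped-row case is why a count and a financial total are not enough on their own: a substituted record keeps both totals intact and is only caught by a hash total over the key field.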
Question #15
Effective IT governance will ensure that the IT plan is consistent with the organization's:
A. business plan
B. audit plan
C. security plan
D. investment plan
Correct Answer: A
Question #16
A number of system failures are occurring when corrections to previously detected errors are resubmitted for acceptance testing. This would indicate that the maintenance team is probably not adequately performing which of the following types of testing?
A. Unit testing
B. Integration testing
C. Design walk-throughs
D. Configuration management
Correct Answer: B
Question #17
A PRIMARY benefit derived from an organization employing control self-assessment (CSA) techniques is that it:
A. can identify high-risk areas that might need a detailed review later
B. allows IS auditors to independently assess risk
C. can be used as a replacement for traditional audits
D. allows management to relinquish responsibility for control
Correct Answer: A
Question #18
A top-down approach to the development of operational policies will help ensure:
A. that they are consistent across the organization
B. that they are implemented as a part of risk assessment
C. compliance with all policies
D. that they are reviewed periodically
Correct Answer: A (a top-down approach derives every operational policy from one enterprise-level policy, which is what guarantees consistency; periodic review and compliance need separate controls)
Question #19
Which of the following is MOST critical for the successful implementation and maintenance of a security policy?
A. Assimilation of the framework and intent of a written security policy by all appropriate parties
B. Management support and approval for the implementation and maintenance of a security policy
C. Enforcement of security rules by providing punitive actions for any violation of security rules
D. Stringent implementation, monitoring and enforcing of rules by the security officer through access control software
Correct Answer: A
Question #20
What is/are used to measure and ensure proper network capacity management and availability of services? Choose the BEST answer.
A. Network performance-monitoring tools
B. Network component redundancy
C. Syslog reporting
D. IT strategic planning
Correct Answer: A (performance-monitoring tools measure utilization and availability; redundancy improves availability but does not measure it)
Question #21
What are used as a countermeasure for potential database corruption when two processes attempt to simultaneously edit or update the same information? Choose the BEST answer.
A. Referential integrity controls
B. Normalization controls
C. Concurrency controls
D. Run-to-run totals
Correct Answer: C (concurrency controls such as locking or record versioning stop two updates to the same record from overwriting each other; normalization and referential integrity are schema-design controls and run-to-run totals are batch controls)
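As an added example (not from the original page), the lost-update problem this question describes and one concurrency control that fixes it: optimistic locking with a version column, using Python's built-in sqlite3 module. Both "processes" share one in-memory connection so the interleaving is deterministic; the table and balances are constructed for the example.

```python
import sqlite3


def open_db() -> sqlite3.Connection:
    """In-memory account table with a version column used for optimistic concurrency control."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE account (id INTEGER PRIMARY KEY, balance INTEGER NOT NULL, "
        "version INTEGER NOT NULL DEFAULT 0)"
    )
    conn.execute("INSERT INTO account (id, balance) VALUES (1, 1000)")
    conn.commit()
    return conn


def read_account(conn: sqlite3.Connection, acct: int) -> tuple:
    """Return (balance, version) as seen by a process before it computes its update."""
    return conn.execute("SELECT balance, version FROM account WHERE id = ?", (acct,)).fetchone()


def write_uncontrolled(conn: sqlite3.Connection, acct: int, new_balance: int) -> None:
    """No concurrency control: the last writer wins even if its read was stale."""
    conn.execute("UPDATE account SET balance = ? WHERE id = ?", (new_balance, acct))
    conn.commit()


def write_controlled(conn: sqlite3.Connection, acct: int, new_balance: int, expected_version: int) -> bool:
    """Optimistic concurrency control: the row is updated only if its version is still the
    one the caller read. Returns False when the caller must re-read and retry."""
    cur = conn.execute(
        "UPDATE account SET balance = ?, version = version + 1 WHERE id = ? AND version = ?",
        (new_balance, acct, expected_version),
    )
    conn.commit()
    return cur.rowcount == 1


def simulate(use_control: bool) -> dict:
    """Two processes read balance 1000 at the same moment; A deposits 200, B withdraws 300.
    The correct final balance is 900."""
    conn = open_db()
    bal_a, ver_a = read_account(conn, 1)   # process A reads
    bal_b, ver_b = read_account(conn, 1)   # process B reads the same snapshot
    rejected = 0
    if use_control:
        write_controlled(conn, 1, bal_a + 200, ver_a)               # A commits first
        while not write_controlled(conn, 1, bal_b - 300, ver_b):    # B's version is stale
            rejected += 1
            bal_b, ver_b = read_account(conn, 1)                    # re-read and retry
    else:
        write_uncontrolled(conn, 1, bal_a + 200)
        write_uncontrolled(conn, 1, bal_b - 300)                    # silently overwrites A's deposit
    final_balance, _ = read_account(conn, 1)
    conn.close()
    return {"balance": final_balance, "rejected_writes": rejected}


if __name__ == "__main__":
    print(simulate(use_control=False))   # {'balance': 700, 'rejected_writes': 0}
    print(simulate(use_control=True))    # {'balance': 900, 'rejected_writes': 1}
```

The same effect can be had with pessimistic locking (SELECT ... FOR UPDATE in databases that support it); the versioned UPDATE is shown because it works on any SQL engine and makes the rejected stale write visible as a zero row count.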
Question #22
Which of the following is a risk of cross-training?
A. Increases the dependence on one employee
B. Does not assist in succession planning
C. One employee may know all parts of a system
D. Does not help in achieving a continuity of operations
Correct Answer: C (cross-training reduces dependence on one person and supports succession planning and continuity; its risk is that one employee learns enough of the whole system to defeat segregation of duties)
Question #23
An IS auditor was hired to review e-business security. The IS auditor's first task was to examine each existing e-business application looking for vulnerabilities. What would be the next task?
A. Report the risks to the CIO and CEO immediately
B. Examine e-business application in development
C. Identify threats and likelihood of occurrence
D. Check the budget available for risk management
Correct Answer: C (after identifying vulnerabilities, the auditor identifies the threats that could exploit them and their likelihood; that is what turns a vulnerability list into a risk assessment worth reporting)
Question #24
Which of the following is the most fundamental step in preventing virus attacks?
A. Adopting and communicating a comprehensive antivirus policy
B. Implementing antivirus protection software on users' desktop computers
C. Implementing antivirus content checking at all network-to-Internet gateways
D. Inoculating systems with antivirus code
Correct Answer: A (desktop and gateway scanning are implementations of the policy; without a communicated policy there is no basis for deploying, maintaining and funding them)
Question #25
How do modems (modulation/demodulation) function to facilitate analog transmissions to enter a digital network?
A. Modems convert analog transmissions to digital, and digital transmissions to analog
B. Modems encapsulate analog transmissions within digital, and digital transmissions within analog
C. Modems convert digital transmissions to analog, and analog transmissions to digital
D. Modems encapsulate digital transmissions within analog, and analog transmissions within digital
Correct Answer: A (a modem modulates and demodulates, i.e. converts between analog and digital, rather than encapsulating one inside the other; A states the conversion in the order the question asks, analog into a digital network)
Question #26
A comprehensive and effective e-mail policy should address the issues of e-mail structure, policy enforcement, monitoring and:
A. recovery
B. retention
C. rebuilding
D. reuse
Correct Answer: B (how long e-mail is kept and when it is destroyed is the policy issue that affects legal discovery and storage; recovery is a backup matter)
Question #27
An organization's IS audit charter should specify the:
A. short- and long-term plans for IS audit engagements
B. objectives and scope of IS audit engagements
C. detailed training plan for the IS audit staff
D. role of the IS audit function
Correct Answer: D (the charter establishes the function's authority, responsibility and accountability; engagement plans, scopes and training belong in lower-level documents)
Question #28
When auditing the proposed acquisition of a new computer system, an IS auditor should FIRST establish that:
A. a clear business case has been approved by management
B. corporate security standards will be met
C. users will be involved in the implementation plan
D. the new system will meet all required user functionality
Correct Answer: A (without an approved business case there is no basis for evaluating the other items)
Question #29
From a control perspective, the key element in job descriptions is that they:
A. provide instructions on how to do the job and define authority
B. are current, documented and readily available to the employee
C. communicate management's specific job performance expectations
D. establish responsibility and accountability for the employee's actions
Correct Answer: D (from a control perspective a job description fixes who is responsible and accountable for what; being current and available is necessary but not the key element)
Question #30
Before implementing an IT balanced scorecard, an organization must:
A. deliver effective and efficient services
B. define key performance indicators
C. provide business value to IT projects
D. control IT expenses
Correct Answer: B (a scorecard measures performance against KPIs, so they must be defined before it can be implemented)
Question #31
Which of the following is a program evaluation review technique that considers different scenarios for planning and control projects?
A. Function Point Analysis (FPA)
B. GANTT
C. Rapid Application Development (RAD)
D. PERT
Correct Answer: D (PERT models optimistic, most likely and pessimistic durations for each task; Gantt charts show the schedule only, FPA estimates size and RAD is a development method)
Question #32
An advantage of a continuous audit approach is that it can improve system security when used in time-sharing environments that process a large number of transactions. True or false?
A. True
B. False
Correct Answer: A
Question #33
While conducting an audit of a service provider, an IS auditor observes that the service provider has outsourced a part of the work to another provider. Since the work involves confidential information, the IS auditor's PRIMARY concern should be that the:
A. requirement for protecting confidentiality of information could be compromised
B. contract may be terminated because prior permission from the outsourcer was not obtained
C. other service provider to whom work has been outsourced is not subject to audit
D. outsourcer will approach the other service provider directly for further work
Correct Answer: A (the auditor's first concern is the information, not the commercial relationship; the subcontractor's lack of auditability matters because of the confidentiality exposure it creates)
Question #34
During the requirements definition phase of a software development project, the aspects of software testing that should be addressed are developing:
A. test data covering critical applications
B. detailed test plans
C. quality assurance test specifications
D. user acceptance testing specifications
Correct Answer: D (acceptance criteria are written alongside the requirements so the delivered system can be tested against what users asked for; detailed test plans and test data come in later phases)
Question #35
Information for detecting unauthorized input from a terminal would be BEST provided by the:
A. console log printout
B. transaction journal
C. automated suspense file listing
D. user error report
Correct Answer: B (the transaction journal records every input with its originating terminal and user, which is what identifies unauthorized input; the suspense file lists only transactions that were rejected)
Question #36
To ensure compliance with a security policy requiring that passwords be a combination of letters and numbers, an IS auditor should recommend that:
A. the company policy be changed
B. passwords are periodically changed
C. an automated password management tool be used
D. security awareness training is delivered
Correct Answer: C (a tool enforces the composition rule at the moment a password is set; training and periodic changes do not ensure compliance)
Question #37
How is the risk of improper file access affected upon implementing a database system?
A. Risk varies
B. Risk is reduced
C. Risk is not affected
D. Risk is increased
Correct Answer: D (a database concentrates data that previously sat in separate files and exposes it to more users and tools, so access controls must be correspondingly stronger)
Question #38
IS management has decided to rewrite a legacy customer relations system using fourth generation languages (4GLs). Which of the following risks is MOST often associated with system development using 4GLs?
A. Inadequate screen/report design facilities
B. Complex programming language subsets
C. Lack of portability across operating systems
D. Inability to perform data intensive operations
Correct Answer: D
Question #39
Function Point Analysis (FPA) provides an estimate of the size of an information system based only on the number and complexity of a system's inputs and outputs. True or false?
A. True
B. False
Correct Answer: B (False: FPA counts inputs, outputs, inquiries, internal logical files and external interface files, each weighted by complexity, not just inputs and outputs)
Question #40
Which of the following is the initial step in creating a firewall policy?
A. A cost-benefit analysis of methods for securing the applications
B. Identification of network applications to be externally accessed
C. Identification of vulnerabilities associated with network applications to be externally accessed
D. Creation of an applications traffic matrix showing protection methods
Correct Answer: B
Question #41
IT control objectives are useful to IS auditors, as they provide the basis for understanding the:
A. desired result or purpose of implementing specific control procedures
B. best IT security control practices relevant to a specific entity
C. techniques for securing information
D. security policy
Correct Answer: A (a control objective states what a control is meant to achieve; techniques, practices and policies are means toward that objective)
Question #42
A database administrator is responsible for:
A. defining data ownership
B. establishing operational standards for the data dictionary
C. creating the logical and physical database
D. establishing ground rules for ensuring data integrity and security
Correct Answer: C (the DBA builds and maintains the database; ownership, data dictionary standards and integrity ground rules are set by the data owner and the data administrator)
Question #43
What are intrusion-detection systems (IDS) primarily used for?
A. To identify AND prevent intrusion attempts to a network
B. To prevent intrusion attempts to a network
C. Forensic incident response
D. To identify intrusion attempts to a network
Correct Answer: D (an IDS detects and alerts; blocking is the job of an intrusion prevention system or firewall, and forensics is a secondary use of its logs)
Question #44
To gain an understanding of the effectiveness of an organization's planning and management of investments in IT assets, an IS auditor should review the:
A. enterprise data model
B. IT balanced scorecard (BSC)
C. IT organizational structure
D. historical financial statements
Correct Answer: B
Question #45
An offsite information processing facility having electrical wiring, air conditioning and flooring, but no computer or communications equipment is a:
A. cold site
B. warm site
C. dial-up site
D. duplicate processing facility
Correct Answer: A
Question #46
What kind of testing should programmers perform following any changes to an application or system?
A. Unit, module, and full regression testing
B. Module testing
C. Unit testing
D. Regression testing
Correct Answer: A (unit and module tests cover the changed code; regression testing confirms the change did not break anything else)
Question #47
Rather than simply reviewing the adequacy of access control, appropriateness of access policies, and effectiveness of safeguards and procedures, the IS auditor is more concerned with effectiveness and utilization of assets. True or false?
A. True
B. False
Correct Answer: B (False: the IS auditor's concern is the adequacy of access control, the appropriateness of access policies and the effectiveness of safeguards; the effectiveness and utilization of assets is an operational management concern)
Question #48
What can ISPs use to implement inbound traffic filtering as a control to identify IP packets transmitted from unauthorized sources? Choose the BEST answer.
A. OSI Layer 2 switches with packet filtering enabled
B. Virtual Private Networks
C. Access Control Lists (ACL)
D. Point-to-Point Tunneling Protocol
Correct Answer: C (an ingress ACL on the edge router drops packets whose source address cannot legitimately arrive on that interface; VPNs and tunnelling protocols do not filter, and Layer 2 switching works on MAC addresses rather than IP sources)
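As an added example (not from the original page), the logic of an ingress anti-spoofing ACL of the kind an ISP applies on its Internet-facing interface, modelled in Python with the standard ipaddress module. The customer prefix, the abbreviated bogon list and the sample packets are all constructed for the example; a production list would also carry the documentation and other reserved ranges.

```python
import ipaddress

# Constructed topology: this ISP routes 203.0.113.0/24 to its customers, so a packet
# with a source in that prefix can never legitimately arrive from the Internet side.
CUSTOMER_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Sources that are never valid on an Internet-facing interface (RFC 1918 private space,
# shared address space, loopback, link-local, multicast, reserved, "this network").
BOGON_SOURCES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def ingress_decision(src_ip: str) -> tuple:
    """ACL decision for a packet arriving on the Internet-facing interface.
    Entries are evaluated top-down like a router ACL; the first match wins and the
    implicit final entry permits anything else. Returns (action, reason)."""
    src = ipaddress.ip_address(src_ip)
    for net in BOGON_SOURCES:
        if src in net:
            return ("deny", f"bogon source {net}")
    for net in CUSTOMER_PREFIXES:
        if src in net:
            return ("deny", f"spoofed internal source {net}")
    return ("permit", "routable external source")


def filter_packets(packets: list) -> list:
    """Apply the ingress ACL to (src, dst) pairs and return the action taken for each."""
    return [ingress_decision(src)[0] for src, _dst in packets]


# Constructed sample traffic as (source, destination) pairs.
SAMPLE_PACKETS = [
    ("198.51.100.7", "203.0.113.10"),   # ordinary Internet host -> customer
    ("203.0.113.55", "203.0.113.10"),   # claims to be our customer but arrived from outside
    ("10.1.2.3", "203.0.113.10"),       # RFC 1918 source
    ("127.0.0.1", "203.0.113.10"),      # loopback source
    ("192.0.2.44", "203.0.113.10"),     # another routable external host
]

if __name__ == "__main__":
    for (src, dst), action in zip(SAMPLE_PACKETS, filter_packets(SAMPLE_PACKETS)):
        print(f"{src:>14} -> {dst:<14} {action}")
```

The same filter applied on the customer-facing interface in the other direction (permit only sources inside the customer prefix) is the egress half of BCP 38, which stops the ISP's own customers from sourcing spoofed traffic.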
Question #49
The purpose of business continuity planning and disaster-recovery planning is to:
A. Transfer the risk and impact of a business interruption or disaster
B. Mitigate, or reduce, the risk and impact of a business interruption or disaster
C. Accept the risk and impact of a business
D. Eliminate the risk and impact of a business interruption or disaster
Correct Answer: B (continuity and recovery planning cannot eliminate or transfer the risk of an interruption; they reduce its likelihood and, above all, its impact)
Question #50
If a database is restored from information backed up before the last system image, which of the following is recommended?
A. The system should be restarted after the last transaction
B. The system should be restarted before the last transaction
C. The system should be restarted at the first transaction
D. The system should be restarted on the last transaction
Correct Answer: A (after the backup is restored, the transaction log is rolled forward through the last committed transaction and processing resumes after it; restarting earlier would reapply transactions that were already committed)
Question #51
An IS auditor is assigned to audit a software development project which is more than 80 percent complete, but has already overrun time by 10 percent and costs by 25 percent. Which of the following actions should the IS auditor take?
A. Report that the organization does not have effective project managemen
B. Recommend the project manager be change
C. Review the IT governance structur
D. Review the conduct of the project and the business cas
Correct Answer: D
Question #52
To affix a digital signature to a message, the sender must first create a message digest by applying a cryptographic hashing algorithm against:
A. the entire message and thereafter enciphering the message digest using the sender's private key
B. any arbitrary part of the message and thereafter enciphering the message digest using the sender's private key
C. the entire message and thereafter enciphering the message using the sender's private key
D. the entire message and thereafter enciphering the message along with the message digest using the sender's private key
Correct Answer: A (the signature is the digest of the whole message enciphered with the private key; enciphering the message itself would be slow and gives no integrity check, and hashing only part of the message leaves the rest unprotected)
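As an added example (not from the original page) serving both this question and Question #8, hash-then-sign with textbook RSA in plain Python: the digest of the entire message is enciphered with the private key, and the receiver deciphers it with the public key and compares. The key pair is constructed from two Mersenne primes for illustration only; it has no padding scheme and is far too small for real use, where a library implementing RSA-PSS or an elliptic-curve signature would be used. The weak variant from option B is included to show what hashing only part of the message lets through.

```python
import hashlib

# Constructed toy RSA key pair (illustration only). The ~648-bit modulus is large
# enough to hold a SHA-256 digest as an integer but nowhere near a safe key size,
# and textbook RSA without padding must never be used for real signatures.
P = 2 ** 127 - 1
Q = 2 ** 521 - 1
N = P * Q
E = 65537                                 # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))         # private exponent (modular inverse, Python 3.8+)


def message_digest(data: bytes) -> int:
    """Step 1: hash the data with a cryptographic hash and treat the digest as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(message: bytes) -> int:
    """Step 2: encipher the digest of the ENTIRE message with the sender's private key."""
    return pow(message_digest(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """The receiver deciphers the signature with the public key and compares it with a
    freshly computed digest of the message actually received."""
    return pow(signature, E, N) == message_digest(message)


def sign_prefix_only(message: bytes, nbytes: int = 8) -> int:
    """The wrong variant (option B): hash only part of the message before signing."""
    return pow(message_digest(message[:nbytes]), D, N)


def verify_prefix_only(message: bytes, signature: int, nbytes: int = 8) -> bool:
    """Verification for the wrong variant; anything past the hashed prefix is unprotected."""
    return pow(signature, E, N) == message_digest(message[:nbytes])


if __name__ == "__main__":
    msg = b"Pay 100 USD to Alice"            # constructed sample message
    sig = sign(msg)
    print(verify(msg, sig))                               # True
    print(verify(b"Pay 900 USD to Alice", sig))           # False: digest no longer matches
    weak = sign_prefix_only(msg)
    print(verify_prefix_only(b"Pay 100 USD to Mallory", weak))  # True: payee changed, undetected
```

The partial-hash case is the practical reason the exam wants "the entire message": whatever is left out of the digest can be altered without invalidating the signature.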
Question #53
An IS auditor who has discovered unauthorized transactions during a review of EDI transactions is likely to recommend improving the:
A. EDI trading partner agreements
B. physical controls for terminals
C. authentication techniques for sending and receiving messages
D. program change control procedures
Correct Answer: C (unauthorized transactions indicate that message origin is not being verified; agreements, physical controls and change control do not authenticate individual messages)
Question #54
Which of the following is the MOST critical and contributes the greatest to the quality of data in a data warehouse?
A. Accuracy of the source data
B. Credibility of the data source
C. Accuracy of the extraction process
D. Accuracy of the data transformation
Correct Answer: A (extraction and transformation errors can be corrected, but if the source data are wrong every downstream result is wrong)
Question #55
Which of the following is a control over component communication failure/errors?
A. Restricting operator access and maintaining audit trails
B. Monitoring and reviewing system engineering activity
C. Providing network redundancy
D. Establishing physical barriers to the data transmitted over the network
Correct Answer: C (redundant paths and components keep communication available when one fails; the other options address access, engineering oversight and physical protection rather than failure)
Question #56
The PRIMARY objective of an audit of IT security policies is to ensure that:
A. they are distributed and available to all staff
B. security and control policies support business and IT objectives
C. there is a published organizational chart with functional descriptions
D. duties are appropriately segregated
Correct Answer: B
Question #57
An organization has an integrated development environment (IDE) on which the program libraries reside on the server, but modification/development and testing are done from PC workstations. Which of the following would be a strength of an IDE?
A. Controls the proliferation of multiple versions of programs
B. Expands the programming resources and aids available
C. Increases program and processing integrity
D. Prevents valid changes from being overwritten by other changes
Correct Answer: B (an IDE's strength is the shared libraries and tools it makes available to developers; version control and change control are separate functions, and in this setup a change made on one workstation can still overwrite another's)
Question #58
When an organization is outsourcing their information security function, which of the following should be kept in the organization?
A. Accountability for the corporate security policy
B. Defining the corporate security policy
C. Implementing the corporate security policy
D. Defining security procedures and guidelines
Correct Answer: A (accountability for security cannot be outsourced; defining and implementing the policy and writing procedures can be delegated to the provider under that accountability)
Question #59
What should an IS auditor do if he or she observes that project-approval procedures do not exist?
A. Advise senior management to invest in project-management training for the staff
B. Create project-approval procedures for future project implementations
C. Assign project leaders
D. Recommend to management that formal approval procedures be adopted and documented
Correct Answer: D (the auditor recommends; writing the procedures or assigning project leaders is management's job and would compromise independence)
Question #60
An appropriate control for ensuring the authenticity of orders received in an EDI application is to:
A. acknowledge receipt of electronic orders with a confirmation message
B. perform reasonableness checks on quantities ordered before filling orders
C. verify the identity of senders and determine if orders correspond to contract terms
D. encrypt electronic orders
Correct Answer: C (authenticity is about who sent the order; encryption provides confidentiality, reasonableness checks provide accuracy and acknowledgements provide completeness)
Question #61
Which of the following is normally a responsibility of the chief security officer (CSO)?
A. Periodically reviewing and evaluating the security policy
B. Executing user application and software testing and evaluation
C. Granting and revoking user access to IT resources
D. Approving access to data and applications
Correct Answer: A (the CSO owns the security policy; granting access is an administrator task, approving access to data belongs to data owners, and testing applications is not a security function)
Question #62
An IS auditor is performing an audit of a remotely managed server backup. The IS auditor reviews the logs for one day and finds one case where logging on a server has failed with the result that backup restarts cannot be confirmed. What should the auditor do?
A. Issue an audit finding
B. Seek an explanation from IS management
C. Review the classifications of data held on the server
D. Expand the sample of logs reviewed
Correct Answer: D (one exception in one day's log is not enough to conclude anything; the auditor expands the sample before deciding whether a finding is warranted)
Question #63
Which of the following should be included in an organization's IS security policy?
A. A list of key IT resources to be secured
B. The basis for access authorization
C. Identity of sensitive security features
D. Relevant software security features
Correct Answer: B (a policy states principles such as the basis on which access is authorized; lists of resources and software security features belong in standards and procedures)
Question #64
Proper segregation of duties does not prohibit a quality control administrator from also being responsible for change control and problem management. True or false?
A. True
B. False
Correct Answer: A (True: change control and problem management are compatible with a quality control role; what segregation of duties prohibits is combining them with development or production operations roles)
Question #65
Change control for business application systems being developed using prototyping could be complicated by the:
A. iterative nature of prototyping
B. rapid pace of modifications in requirements and design
C. emphasis on reports and screens
D. lack of integrated tools
Correct Answer: B (change control depends on a stable baseline; in prototyping, requirements and design change faster than formal change requests can track)
Question #66
An IS auditor interviewing a payroll clerk finds that the answers do not support job descriptions and documented procedures. Under these circumstances, the IS auditor should:
A. conclude that the controls are inadequate
B. expand the scope to include substantive testing
C. place greater reliance on previous audits
D. suspend the audit
Correct Answer: B (an interview is evidence of what the clerk says, not of what actually happens; the auditor tests transactions before concluding that controls are inadequate)
Question #67
The risks associated with electronic evidence gathering would MOST likely be reduced by an e-mail:
A. destruction policy
B. security policy
C. archive policy
D. audit policy
Correct Answer: C (an archive policy ensures that messages are retained and retrievable in a form that preserves their evidential value)
Question #68
What increases encryption overhead and cost the most?
A. A long symmetric encryption key
B. A long asymmetric encryption key
C. A long Advance Encryption Standard (AES) key
D. A long Data Encryption Standard (DES) key
Correct Answer: B (asymmetric operations are orders of magnitude more expensive than symmetric ones and their cost grows sharply with key length; AES and DES are symmetric ciphers)
Question #69
Which of the following BEST ensures the integrity of a server's operating system?
A. Protecting the server in a secure location
B. Setting a boot password
C. Hardening the server configuration
D. Implementing activity logging
Correct Answer: C (hardening removes unneeded services, accounts and default settings so the OS is not easily altered; logging only detects changes after the fact, and physical protection or a boot password does not stop changes made over the network)
Question #70
Who is ultimately responsible and accountable for reviewing user access to systems?
A. Systems security administrators
B. Data custodians
C. Data owners
D. Information systems auditors
Correct Answer: C (data owners are accountable for who may access their data; administrators and custodians implement the owners' decisions, and auditors review them)
Question #71
Which of the following provides the strongest authentication for physical access control?
A. Sign-in logs
B. Dynamic passwords
C. Key verification
D. Biometrics
Correct Answer: D (biometrics authenticate a characteristic of the person; a sign-in log is a record rather than an authentication, and keys or password tokens can be lent or stolen)
Question #72
What is a callback system?
A. It is a remote-access system whereby the remote-access server immediately calls the user back at a predetermined number if the dial-in connection fails
B. It is a remote-access system whereby the user's application automatically redials the remote-access server if the initial connection attempt fails
C. It is a remote-access control whereby the user initially connects to the network systems via dial-up access, only to have the initial connection terminated by the server, which then subsequently dials the user back at a predetermined number stored in the server's configuration database
D. It is a remote-access control whereby the user initially connects to the network systems via dial-up access, only to have the initial connection terminated by the server, which then subsequently allows the user to call back at an approved number for a limited period of time
Correct Answer: C (the server, not the user, places the return call to a number it already holds, so a stolen credential is useless from an unregistered line; call forwarding on the registered line is the classic bypass)
