
CISA Practice Tests, Mock Tests & Study Resources, Certified Information Systems Auditor | SPOTO

Mock tests are invaluable tools for CISA certification exam preparation, offering several key advantages. These tests simulate the real exam environment, providing candidates with a chance to experience the format, timing, and difficulty level of actual exam questions. By practicing with mock tests, candidates can identify their strengths and weaknesses, allowing them to focus their study efforts more effectively. Mock tests also help improve time management skills, as candidates learn to allocate the right amount of time to each question. Additionally, mock tests offer immediate feedback on performance, highlighting areas that need improvement and guiding further study. With access to a wide range of mock tests covering various topics, candidates can build confidence and readiness to ace the CISA exam. SPOTO's CISA Practice Tests, Mock Tests & Study Resources are designed to support candidates in their exam preparation journey.

Question #1
The PRIMARY benefit of implementing a security program as part of a security governance framework is the:
A. alignment of the IT activities with IS audit recommendations
B. enforcement of the management of security risks
C. implementation of the chief information security officer's (CISO) recommendations
D. reduction of the cost for IT security
Correct Answer: B
Question #2
What is often the most difficult part of initial efforts in application development?
A. Configuring software
B. Planning security
C. Determining time and resource requirements
D. Configuring hardware
Correct Answer: C
Question #3
When reviewing an active project, an IS auditor observed that, because of a reduction in anticipated benefits and increased costs, the business case was no longer valid. The IS auditor should recommend that the:
A. project be discontinued
B. business case be updated and possible corrective actions be identified
C. project be returned to the project sponsor for reapproval
D. project be completed and the business case be updated later
Correct Answer: B
Question #4
Which of the following controls ensures that input data comply with predefined criteria maintained in a computerized table of possible values?
A. Range Check
B. Table lookups
C. Existence check
D. Reasonableness check
Correct Answer: B
Question #5
Processing controls ensure that data are accurate and complete, and are processed only through which of the following?
A. Documented routines
B. Authorized routines
C. Accepted routines
D. Approved routines
Correct Answer: B
Question #6
Which of the following BEST characterizes a mantrap or deadman door, which is used as a deterrent control for the vulnerability of piggybacking?
A. A monitored double-doorway entry system
B. A monitored turnstile entry system
C. A monitored doorway entry system
D. A one-way door that does not allow exit after entry
Correct Answer: A
Question #7
What is a data validation edit control that matches input data to an occurrence rate? Choose the BEST answer.
A. Accuracy check
B. Completeness check
C. Reasonableness check
D. Redundancy check
Correct Answer: C
Question #8
An IS auditor's PRIMARY concern when application developers wish to use a copy of yesterday's production transaction file for volume tests is that:
A. users may prefer to use contrived data for testing
B. unauthorized access to sensitive data may result
C. error handling and credibility checks may not be fully proven
D. the full functionality of the new process may not necessarily be tested
Correct Answer: B
Question #9
Which of the following terms in business continuity denotes the maximum tolerable amount of time needed to verify the system and/or data integrity?
A. RPO
B. RTO
C. WRT
D. MTD
Correct Answer: C
Question #10
A retail outlet has introduced radio frequency identification (RFID) tags to create unique serial numbers for all products. Which of the following is the PRIMARY concern associated with this initiative?
A. Issues of privacy
B. Wavelength can be absorbed by the human body
C. RFID tags may not be removable
D. RFID eliminates line-of-sight reading
Correct Answer: A
Question #11
As an IS auditor, it is very important to understand the importance of job scheduling. Which of the following statements is NOT true about job schedulers or job scheduling software?
A. Job information is set up only once, which increases the probability of an error
B. Records are maintained of all job success and failures
C. Reliance on operator is reduced
D. Job dependencies are defined so that if a job fails, subsequent jobs relying on its output will not be processed
Correct Answer: A
Question #12
Which of the following software development methods is based on iterative and incremental development, where requirements and solutions evolve through collaboration between self-organizing, cross-functional teams?
A. Agile Development
B. Software prototyping
C. Rapid application development
D. Component based development
Correct Answer: A
Question #13
Which of the following would MOST likely indicate that a customer data warehouse should remain in-house rather than be outsourced to an offshore operation?
A. Time zone differences could impede communications between IT teams
B. Telecommunications cost could be much higher in the first year
C. Privacy laws could prevent cross-border flow of information
D. Software development may require more detailed specifications
Correct Answer: C
Question #14
In computer forensics, which of the following describes the process that converts the information extracted into a format that can be understood by the investigator?
A. Investigation
B. Interrogation
C. Reporting
D. Extraction
Correct Answer: D
Question #15
Which of the following data validation controls validates input data against predefined range values?
A. Range Check
B. Table lookups
C. Existence check
D. Reasonableness check
Correct Answer: A
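The data validation edits asked about in Questions #4, #7 and #15 (table lookup, reasonableness check, range check, plus the existence check that appears as a distractor) are easiest to tell apart when you see them applied to the same record. The following is an added example, not code from SPOTO or ISACA; the timesheet fields, the department table, the employee master list and the 40-hour expected figure are all constructed for illustration.

```python
"""Data validation edit controls applied to constructed timesheet records.

Added example for the CISA practice questions above; not part of the
original page. Field names, reference tables and limits are assumptions.
"""

# Constructed reference table used by the table-lookup edit: allowed department codes.
VALID_DEPARTMENTS = {"FIN", "HR", "IT", "OPS"}

# Constructed master file used by the existence edit: employee IDs already on file.
EMPLOYEE_MASTER = {"E1001", "E1002", "E1003"}


def range_check(value, low, high):
    """Range check: the value must fall inside a predefined numeric range."""
    return low <= value <= high


def table_lookup(value, table):
    """Table lookup: the value must appear in a computerized table of allowed values."""
    return value in table


def existence_check(value, master):
    """Existence check: a referenced key must already exist in the master file."""
    return value in master


def reasonableness_check(value, expected, tolerance):
    """Reasonableness check: the value must be plausible against a predetermined
    occurrence rate, here within +/- tolerance (a fraction) of the expected figure.
    A value can pass the range check and still fail this one."""
    return abs(value - expected) <= tolerance * expected


def validate_timesheet(rec, expected_hours=40.0, tolerance=0.5):
    """Run the four edits over one timesheet record; return the names of failed edits.

    The range check runs before the reasonableness check so an impossible value
    (more hours than exist in a week) is reported as a range failure, not a
    reasonableness failure.
    """
    failures = []
    if not existence_check(rec["employee_id"], EMPLOYEE_MASTER):
        failures.append("existence")
    if not table_lookup(rec["department"], VALID_DEPARTMENTS):
        failures.append("table_lookup")
    if not range_check(rec["hours"], 0, 168):
        failures.append("range")
    elif not reasonableness_check(rec["hours"], expected_hours, tolerance):
        failures.append("reasonableness")
    return failures


# Constructed sample input: one clean record and one failure per edit type.
SAMPLE_RECORDS = [
    {"employee_id": "E1001", "department": "IT", "hours": 40},   # passes every edit
    {"employee_id": "E9999", "department": "IT", "hours": 40},   # employee not on master file
    {"employee_id": "E1002", "department": "XYZ", "hours": 40},  # department not in lookup table
    {"employee_id": "E1003", "department": "HR", "hours": 200},  # outside 0..168 range
    {"employee_id": "E1003", "department": "HR", "hours": 100},  # in range, but implausible
]


def run_edits(records=SAMPLE_RECORDS):
    """Map each record index to the list of edits it failed."""
    return {i: validate_timesheet(r) for i, r in enumerate(records)}


if __name__ == "__main__":
    for idx, failed in run_edits().items():
        print(idx, failed or "ok")
```

The last two records are the ones worth studying for the exam: 200 hours is rejected by the range check because it is impossible, while 100 hours is inside the permitted range and is only caught by the reasonableness check, which compares it to an expected occurrence rate.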
Question #16
Following best practices, formal plans for implementation of new information systems are developed during the:
A. development phase
B. design phase
C. testing phase
D. deployment phase
Correct Answer: B
Question #17
Which of the following methods should a security professional recommend to erase the data on magnetic media that will be reused by another employee?
A. Degaussing
B. Overwrite every sector of magnetic media with pattern of 1's and 0's
C. Format magnetic media
D. Delete File allocation table
Correct Answer: B
Question #18
Which of the following provides the strongest authentication for physical access control?
A. Sign-in logs
B. Dynamic passwords
C. Key verification
D. Biometrics
Correct Answer: D
Question #19
Which of the following ACID properties in a DBMS requires that each transaction be "all or nothing"?
A. Atomicity
B. Consistency
C. Isolation
D. Durability
Correct Answer: A
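Atomicity (Question #19) is easiest to appreciate by watching a multi-step update fail halfway through with and without a transaction. The following is an added example, not code from SPOTO or ISACA; it uses Python's standard sqlite3 module with an in-memory database, and the account table, balances and the CHECK constraint are constructed for illustration.

```python
"""Atomicity demonstrated with sqlite3: a two-step transfer that fails on step two.

Added example for the CISA ACID question above; not part of the original page.
The schema and starting balances are assumptions made up for the demo.
"""
import sqlite3


def setup_bank():
    """Create an in-memory bank with two constructed accounts.

    isolation_level=None puts the connection in autocommit mode, so we issue
    BEGIN/COMMIT/ROLLBACK ourselves and every statement outside a transaction
    commits on its own. The CHECK constraint is what makes the debit step fail.
    """
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute(
        "CREATE TABLE accounts ("
        "id TEXT PRIMARY KEY, "
        "balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 100), ("bob", 50)])
    return conn


def balances(conn):
    """Current balances as a dict, for checking the outcome of each transfer."""
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id"))


def transfer(conn, src, dst, amount):
    """Atomic transfer: credit first, then debit, inside one transaction.

    If the debit violates the CHECK constraint (or the destination does not
    exist) the whole transaction is rolled back, so the credit never becomes
    visible. Returns True on commit, False on rollback.
    """
    conn.execute("BEGIN")
    try:
        cur = conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))
        if cur.rowcount != 1:
            raise LookupError(f"unknown account {dst!r}")
        conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src))
        conn.execute("COMMIT")
        return True
    except (sqlite3.IntegrityError, LookupError):
        conn.execute("ROLLBACK")
        return False


def transfer_without_transaction(conn, src, dst, amount):
    """The same two steps with no transaction: each UPDATE commits on its own.

    When the debit fails, the credit has already been committed, so money is
    created out of nothing. This is the failure mode atomicity prevents.
    """
    try:
        conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))
        conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src))
        return True
    except sqlite3.IntegrityError:
        return False


if __name__ == "__main__":
    bank = setup_bank()
    print(transfer(bank, "alice", "bob", 30), balances(bank))   # committed
    print(transfer(bank, "alice", "bob", 500), balances(bank))  # rolled back, unchanged
    bank2 = setup_bank()
    print(transfer_without_transaction(bank2, "alice", "bob", 500), balances(bank2))  # bob gains 500
```

The crediting step is deliberately placed first so that the failure happens after a row has already been modified; with BEGIN/ROLLBACK that modification disappears, without it the books no longer balance.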
Question #20
Library control software restricts source code to:
A. Read-only access
B. Write-only access
C. Full access
D. Read-write access
Correct Answer: A
Question #21
Which of the following attacks is MOST often performed by an attacker to steal a user's identity information, such as credit card numbers, passwords, etc.?
A. Smurf attack
B. Traffic analysis
C.
D. Interrupt attack
Correct Answer: C
Question #22
Within IPsec, which of the following defines the security parameters to be applied between communicating parties, such as encryption algorithms, key initialization vectors, life span of keys, etc.?
A. Security Parameter Index (SPI)
B. Security Association (SA)
C. Encapsulation Security Payload (ESP)
D. Authentication Header (AH)
Correct Answer: B
Question #23
The vice president of human resources has requested an audit to identify payroll overpayments for the previous year. Which would be the BEST audit technique to use in this situation?
A. Test data
B. Generalized audit software
C. Integrated test facility
D. Embedded audit module
Correct Answer: B
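Generalized audit software (Question #23) is the right tool here because the auditor needs to re-perform the payroll calculation over a whole year of transactions and look for duplicates, not just test a few items. The following is an added example of that kind of test written in plain Python, not code from SPOTO or ISACA; the payroll extract is constructed inline, and the assumption that gross pay equals hours times rate (no overtime or deductions) is a simplification for the demo.

```python
"""Re-performance and duplicate-payment tests over a constructed payroll extract.

Added example for the CISA generalized-audit-software question above; not part
of the original page. The CSV content and the pay formula are assumptions.
"""
import csv
import io
from decimal import Decimal

# Constructed payroll extract: one overpayment (E1002 in 2023-01) and one
# duplicate payment (E1001 paid twice in 2023-02).
PAYROLL_CSV = """period,employee_id,hours,rate,gross_paid
2023-01,E1001,160,25.00,4000.00
2023-01,E1002,160,30.00,5100.00
2023-01,E1003,150,20.00,3000.00
2023-02,E1001,160,25.00,4000.00
2023-02,E1001,160,25.00,4000.00
2023-02,E1002,160,30.00,4800.00
"""


def load_payroll(text=PAYROLL_CSV):
    """Parse the extract; Decimal keeps the money arithmetic exact."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "period": r["period"],
            "employee_id": r["employee_id"],
            "hours": Decimal(r["hours"]),
            "rate": Decimal(r["rate"]),
            "gross_paid": Decimal(r["gross_paid"]),
        })
    return rows


def recompute_overpayments(rows, tolerance=Decimal("0.01")):
    """Re-performance test: recompute expected gross pay and flag payments above it.

    Returns (period, employee_id, amount_overpaid) for each exception. Rounding
    differences up to `tolerance` are ignored so only real overpayments surface.
    """
    findings = []
    for r in rows:
        expected = r["hours"] * r["rate"]
        excess = r["gross_paid"] - expected
        if excess > tolerance:
            findings.append((r["period"], r["employee_id"], excess))
    return findings


def duplicate_payments(rows):
    """Duplicate test: the same employee paid more than once in one period."""
    counts = {}
    for r in rows:
        key = (r["period"], r["employee_id"])
        counts[key] = counts.get(key, 0) + 1
    return [key for key, n in counts.items() if n > 1]


def total_overpaid(rows):
    """Sum of all excess amounts, the figure the VP will ask for first."""
    return sum((f[2] for f in recompute_overpayments(rows)), Decimal("0"))


if __name__ == "__main__":
    data = load_payroll()
    print(recompute_overpayments(data))
    print(duplicate_payments(data))
    print(total_overpaid(data))
```

Both tests run over every row rather than a sample, which is the point of using GAS for this request: the objective is to find every overpayment in the year, not to form an opinion on control effectiveness.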
Question #24
An IS auditor is performing an audit of a remotely managed server backup. The IS auditor reviews the logs for one day and finds one case where logging on a server has failed with the result that backup restarts cannot be confirmed. What should the auditor do?
A. Issue an audit finding
B. Seek an explanation from IS management
C. Review the classifications of data held on the server
D. Expand the sample of logs reviewed
Correct Answer: D
Question #25
An organization has outsourced its help desk activities. An IS auditor's GREATEST concern when reviewing the contract and associated service level agreement (SLA) between the organization and vendor should be the provisions for:
A. documentation of staff background checks
B. independent audit reports or full audit access
C. reporting the year-to-year incremental cost reductions
D. reporting staff turnover, development or training
Correct Answer: B
Question #26
A hardware control that helps to detect errors when data are communicated from one computer to another is known as a:
A. duplicate check
B. table lookup
C. validity check
D. parity check
Correct Answer: D
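A parity check (Question #26) is a detective control, and the exam point that is easy to miss is its limit: it catches any single-bit error in a byte but misses any even number of flipped bits. The following is an added example, not code from SPOTO or ISACA; the frames are built in software from a constructed byte string rather than read from real hardware.

```python
"""Even parity generation and checking, with a single- and a double-bit error.

Added example for the CISA parity-check question above; not part of the
original page. The payload bytes and the corrupted bit positions are assumptions.
"""


def even_parity_bit(byte):
    """Parity bit for even parity: 1 if the byte has an odd number of 1 bits."""
    return bin(byte).count("1") % 2


def add_parity(data):
    """Frame each byte as (byte, parity) the way a sender would put it on the wire."""
    return [(b, even_parity_bit(b)) for b in data]


def check_parity(frames):
    """Receiver side: return the indexes of frames whose parity no longer matches."""
    return [i for i, (b, p) in enumerate(frames) if even_parity_bit(b) != p]


def flip_bits(byte, *positions):
    """Simulate transmission errors by flipping the given bit positions."""
    for pos in positions:
        byte ^= 1 << pos
    return byte


def demo():
    """Corrupt two frames of a constructed message and report what parity detects.

    Frame 1 gets a single-bit error and is detected. Frame 3 gets two flipped
    bits, which leaves the 1-count parity unchanged, so it passes the check.
    """
    frames = add_parity(b"AUDIT")
    corrupted = list(frames)
    b, p = corrupted[1]
    corrupted[1] = (flip_bits(b, 0), p)
    b, p = corrupted[3]
    corrupted[3] = (flip_bits(b, 0, 5), p)
    return check_parity(corrupted)


if __name__ == "__main__":
    print(check_parity(add_parity(b"AUDIT")))  # clean transmission
    print(demo())                              # only the single-bit error is reported
```

If the control objective is to detect bursts or multiple-bit errors, a CRC or a cryptographic integrity check is needed; parity only answers the narrow question the exam asks.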
Question #27
The PRIMARY purpose of audit trails is to:
A. improve response time for users
B. establish accountability and responsibility for processed transactions
C. improve the operational efficiency of the system
D. provide useful information to auditors who may wish to track transactions
Correct Answer: B
Question #28
Which of the following techniques would BEST help an IS auditor gain reasonable assurance that a project can meet its target date?
A. Estimation of the actual end date based on the completion percentages and estimated time to complete, taken from status reports
B. Confirmation of the target date based on interviews with experienced managers and staff involved in the completion of the project deliverables
C. Extrapolation of the overall end date based on completed work packages and current resources
D. Calculation of the expected end date based on current resources and remaining available project budget
Correct Answer: C
Question #29
An IS auditor attempting to determine whether access to program documentation is restricted to authorized persons would MOST likely:
A. evaluate the record retention plans for off-premises storage
B. interview programmers about the procedures currently being followed
C. compare utilization records to operations schedules
D. review data file access records to test the librarian function
Correct Answer: B
Question #30
Which of the following is BEST characterized by unauthorized modification of data before or during systems data entry?
A. Data diddling
B. Skimming
C. Data corruption
D. Salami attack
Correct Answer: A
Question #31
Which of the following does a lack of adequate security controls represent?
A. Threat
B. Asset
C. Impact
D. Vulnerability
Correct Answer: D
Question #32
While conducting an audit of a service provider, an IS auditor observes that the service provider has outsourced a part of the work to another provider. Since the work involves confidential information, the IS auditor's PRIMARY concern should be that the:
A. requirement for protecting confidentiality of information could be compromised
B. contract may be terminated because prior permission from the outsourcer was not obtained
C. other service provider to whom work has been outsourced is not subject to audit
D. outsourcer will approach the other service provider directly for further work
Correct Answer: A
Question #33
With respect to the outsourcing of IT services, which of the following conditions should be of GREATEST concern to an IS auditor?
A. Outsourced activities are core and provide a differentiated advantage to the organization
B. Periodic renegotiation is specified in the outsourcing contract
C. The outsourcing contract fails to cover every action required by the arrangement
D. Similar activities are outsourced to more than one vendor
Correct Answer: A
Question #34
Company.com has contracted with an external consulting firm to implement a commercial financial system to replace its existing in-house developed system. In reviewing the proposed development approach, which of the following would be of GREATEST concern?
A. Acceptance testing is to be managed by users
B. A quality plan is not part of the contracted deliverables
C. Not all business functions will be available on initial implementation
D. Prototyping is being used to confirm that the system meets business requirements
Correct Answer: B
Question #35
Which of the following statements pertaining to IPSec is incorrect?
A. A security association has to be defined between two IPSec systems in order for bi-directional communication to be established
B. Integrity and authentication for IP datagrams are provided by AH
C. ESP provides integrity, authentication and encryption for IP datagrams
D. In transport mode, ESP only encrypts the data payload of each packet
Correct Answer: A
Question #36
An organization is implementing an enterprise resource planning (ERP) application to meet its business objectives. Of the following, who is PRIMARILY responsible for overseeing the project in order to ensure that it is progressing in accordance with the project plan and that it will deliver the expected results?
A. Project sponsor
B. System development project team (SPDT)
C. Project steering committee
D. User project team (UPT)
Correct Answer: C
Question #37
Which of the following layers of an enterprise data flow architecture schedules the tasks necessary to build and maintain the data warehouse (DW) and also populates data marts?
A. Data preparation layer
B. Desktop Access Layer
C. Warehouse management layer
D. Data access layer
Correct Answer: C
Question #38
Before implementing controls, management should FIRST ensure that the controls:
A. satisfy a requirement in addressing a risk issue
B. do not reduce productivity
C. are based on a cost-benefit analysis
D. are detective or corrective
Correct Answer: A
Question #39
Which of the following systems or tools can recognize that a credit card transaction is more likely to have resulted from a stolen credit card than from the holder of the credit card?
A. Intrusion detection systems
B. Data mining techniques
C. Firewalls
D. Packet filtering routers
Correct Answer: B
Question #40
Which of the following testing methods examines the internal structure or workings of an application?
A. White-box testing
B. Parallel Test
C. Regression Testing
D. Pilot Testing
Correct Answer: A
Question #41
Which of the following is the INCORRECT “layer - protocol data unit (PDU)" mapping within the TCP/IP model?
A. Application layer – Data
B. Transport layer – Segment
C. Network layer – Frame
D. Physical layer – bits
Correct Answer: C
Question #42
Which of the following statements correctly describes the difference between black box testing and white box testing?
A. Black box testing focuses on functional operative effectiveness, whereas white box testing assesses the effectiveness of software program logic
B. White box testing focuses on functional operative effectiveness, whereas black box testing assesses the effectiveness of software program logic
C. White box and black box testing both focus on the functional operative effectiveness of an information system without regard to any internal program structure
D. White box and black box testing both focus on the effectiveness of the software program logic
Correct Answer: A
Question #43
An organization is implementing a new system to replace a legacy system. Which of the following conversion practices creates the GREATEST risk?
A. Pilot
B. Parallel
C. Direct cutover
D. Phased
Correct Answer: C
Question #44
During the development of an application, the quality assurance testing and user acceptance testing were combined. The MAJOR concern for an IS auditor reviewing the project is that there will be:
A. increased maintenance
B. improper documentation of testing
C. inadequate functional testing
D. delays in problem resolution
Correct Answer: C
Question #45
Which of the following is a standard secure email protection protocol?
A. S/MIME
B. SSH
C. SET
D. S/HTTP
Correct Answer: A
Question #46
An IS auditor is reviewing an IT security risk management program. Measures of security risk should:
A. address all of the network risks
B. be tracked over time against the IT strategic plan
C. take into account the entire IT environment
D. result in the identification of vulnerability tolerances
Correct Answer: C
Question #47
An IS auditor is evaluating management’s risk assessment of information systems. The IS auditor should FIRST review:
A. the controls already in place
B. the effectiveness of the controls in place
C. the mechanism for monitoring the risks related to the assets
D. the threats/vulnerabilities affecting the assets
Correct Answer: D
Question #48
An appropriate control for ensuring the authenticity of orders received in an EDI application is to:
A. acknowledge receipt of electronic orders with a confirmation message
B. perform reasonableness checks on quantities ordered before filling orders
C. verify the identity of senders and determine if orders correspond to contract terms
D. encrypt electronic orders
Correct Answer: C
Question #49
The quality of the metadata produced from a data warehouse is ________________ in the warehouse’s design.
A. Often hard to determine because the data is derived from a heterogeneous data environment
B. The most important consideration
C. Independent of the quality of the warehoused databases
D. Of secondary importance to data warehouse content
Correct Answer: B
Question #50
Which of the following is the INCORRECT Layer to Protocol mapping used in the DOD TCP/IP model?
A. Application layer – Telnet
B. Transport layer – ICMP
C. Internet layer – IP
D. Network Access layer – Ethernet
Correct Answer: B
Question #51
Which of the following layers of an enterprise data flow architecture captures all data of interest to an organization and organizes it to assist in reporting and analysis?
A. Desktop access layer
B. Data preparation layer
C. Core data warehouse
D. Data access layer
Correct Answer: C
Question #52
Which of the following is the PRIMARY advantage of using computer forensic software for investigations?
A. The preservation of the chain of custody for electronic evidence
B. Time and cost savings
C. Efficiency and effectiveness
D. Ability to search for violations of intellectual property rights
Correct Answer: A
Question #53
In planning an audit, the MOST critical step is the identification of the:
A. areas of high risk
B. skill sets of the audit staff
C. test steps in the audit
D. time allotted for the audit
Correct Answer: A
Question #54
An IS auditor is using a statistical sample to inventory the tape library. What type of test would this be considered?
A. Substantive
B. Compliance
C. Integrated
D. Continuous audit
Correct Answer: A
Question #55
An IS auditor evaluating logical access controls should FIRST:
A. document the controls applied to the potential access paths to the system
B. test controls over the access paths to determine if they are functional
C. evaluate the security environment in relation to written policies and practices
D. obtain an understanding of the security risks to information processing
Correct Answer: D
Question #56
Which of the following protocols was developed jointly by Visa and MasterCard to secure payment transactions among all parties involved in credit card transactions on behalf of cardholders and merchants?
A. S/MIME
B. SSH
C. SET
D. S/HTTP
Correct Answer: C
