Comprehensive CISA Exam Test Questions & Answers, Certified Information Systems Auditor | SPOTO

Mock tests are an indispensable tool for preparing for the CISA certification exam, offering numerous advantages. These tests provide a simulated exam environment, allowing candidates to familiarize themselves with the format, timing, and difficulty level of real exam questions. By practicing with mock tests, candidates can identify their strengths and weaknesses, enabling them to tailor their study approach accordingly. Mock tests also help improve time management skills as candidates learn to allocate the appropriate amount of time to each question. Furthermore, mock tests offer immediate feedback on performance, highlighting areas that require further attention and guiding ongoing study efforts. With access to a comprehensive range of CISA exam test questions and answers through SPOTO, candidates can enhance their exam readiness and increase their chances of success.

Question #1
What uses questionnaires to lead the user through a series of choices to reach a conclusion?
A. Logic trees
B. Decision trees
C. Decision algorithms
D. Logic algorithms
Correct Answer: B
Question #2
Which of the following is often used as a detection and deterrent control against Internet attacks?
A. Honeypots
B. CCTV
C. VPN
D. VLAN
Correct Answer: B
Question #3
What is a callback system?
A. It is a remote-access system whereby the remote-access server immediately calls the user back at a predetermined number if the dial-in connection fails
B. It is a remote-access system whereby the user's application automatically redials the remote access server if the initial connection attempt fails
C. It is a remote-access control whereby the user initially connects to the network systems via dial-up access, only to have the initial connection terminated by the server, which then subsequently dials the user back at a predetermined number stored in the server's configuration database
D. It is a remote-access control whereby the user initially connects to the network systems via dial-up access, only to have the initial connection terminated by the server, which then subsequently allows the user to call back at an approved number for a limited period of time
Correct Answer: B
Question #4
While planning an audit, an assessment of risk should be made to provide:
A. reasonable assurance that the audit will cover material items
B. definite assurance that material items will be covered during the audit work
C. reasonable assurance that all items will be covered by the audit
D. sufficient assurance that all items will be covered during the audit work
Correct Answer: B
Question #5
A database administrator is responsible for:
A. defining data ownership
B. establishing operational standards for the data dictionary
C. creating the logical and physical database
D. establishing ground rules for ensuring data integrity and security
Correct Answer: A
Question #6
Which of the following is the INCORRECT “layer – protocol” mapping within the TCP/IP model?
A. Application layer – NFS
B. Transport layer – TCP
C. Network layer – UDP
D. LAN or WAN interface layer – point-to-point protocol
Correct Answer: B
Question #7
Which of the following is the initial step in creating a firewall policy?
A. A cost-benefit analysis of methods for securing the applications
B. Identification of network applications to be externally accessed
C. Identification of vulnerabilities associated with network applications to be externally accessed
D. Creation of an applications traffic matrix showing protection methods
Correct Answer: D
Question #8
Which of the following terms in business continuity denotes the maximum tolerable amount of time needed to bring all critical systems back online after a disaster occurs?
A. RPO
B. RTO
C. WRT
D. MTD
Correct Answer: A
Question #9
Responsibility for the governance of IT should rest with the:
A. IT strategy committee
B. chief information officer (CIO)
C. audit committee
D. board of directors
Correct Answer: A
Question #10
Which of the following types of cryptography is based on the practical application of the characteristics of the smallest “grains” of light, the photon, and the physical laws governing their generation, propagation and detection?
A. Quantum Cryptography
B. Elliptical Curve Cryptography (ECC)
C. Symmetric Key Cryptography
D. Asymmetric Key Cryptography
Correct Answer: A
Question #11
When performing a review of the structure of an electronic funds transfer (EFT) system, an IS auditor observes that the technological infrastructure is based on a centralized processing scheme that has been outsourced to a provider in another country. Based on this information, which of the following conclusions should be the main concern of the IS auditor?
A. There could be a question regarding the legal jurisdiction
B. Having a provider abroad will cause excessive costs in future audits
C. The auditing process will be difficult because of the distance
D. There could be different auditing norms
Correct Answer: D
Question #12
The quality of the metadata produced from a data warehouse is ________________ in the warehouse’s design.
A. Often hard to determine because the data is derived from a heterogeneous data environment
B. The most important consideration
C. Independent of the quality of the warehoused databases
D. Of secondary importance to data warehouse content
Correct Answer: D
Question #13
Which of the following best characterizes “worms”?
A. Malicious programs that can run independently and can propagate without the aid of a carrier program such as email
B. Programming code errors that cause a program to repeatedly dump data
C. Malicious programs that require the aid of a carrier program such as email
D. Malicious programs that masquerade as common applications such as screensavers or macro-enabled Word documents
Correct Answer: A
Question #14
An IS auditor finds that, in accordance with IS policy, IDs of terminated users are deactivated within 90 days of termination. The IS auditor should:
A. report that the control is operating effectively since deactivation happens within the time frame stated in the IS policy
B. verify that user access rights have been granted on a need-to-have basis
C. recommend changes to the IS policy to ensure deactivation of user IDs upon termination
D. recommend that activity logs of terminated users be reviewed on a regular basis
Correct Answer: A
Question #15
Whenever business processes have been re-engineered, the IS auditor attempts to identify and quantify the impact of any controls that might have been removed, or controls that might not work as effectively after business process changes. True or false?
A. True
B. False
Correct Answer: C
Question #16
After initial investigation, an IS auditor has reasons to believe that fraud may be present. The IS auditor should:
A. expand activities to determine whether an investigation is warranted
B. report the matter to the audit committee
C. report the possibility of fraud to top management and ask how they would like to proceed
D. consult with external legal counsel to determine the course of action to be taken
Correct Answer: C
Question #17
Which of the following is an attribute of the control self-assessment (CSA) approach?
A. Broad stakeholder involvement
B. Auditors are the primary control analysts
C. Limited employee participation
D. Policy driven
Correct Answer: B
Question #18
Library control software restricts source code to:
A. Read-only access
B. Write-only access
C. Full access
D. Read-write access
Correct Answer: C
Question #19
What kind of protocols does the OSI Transport Layer of the TCP/IP protocol suite provide to ensure reliable communication?
A. Nonconnection-oriented protocols
B. Connection-oriented protocols
C. Session-oriented protocols
D. Nonsession-oriented protocols
Correct Answer: A
Question #20
Which of the following PBX features supports shared extensions among several devices, ensuring that only one device at a time can use an extension?
A. Call forwarding
B. Privacy release
C. Tenanting
D. Voice mail
Correct Answer: B
Question #21
Who is ultimately responsible for providing requirement specifications to the software-development team?
A. The project sponsor
B. The project members
C. The project leader
D. The project steering committee
Correct Answer: C
Question #22
Which of the following statements correctly describes the difference between tunnel mode and transport mode of the IPSec protocol?
A. In transport mode the ESP is encrypted, whereas in tunnel mode the ESP and its headers are encrypted
B. In tunnel mode the ESP is encrypted, whereas in transport mode the ESP and its headers are encrypted
C. In both modes (tunnel and transport mode) the ESP and its headers are encrypted
D. There is no encryption provided when using ESP or AH
Correct Answer: A
Question #23
Why is a clause for requiring source code escrow in an application vendor agreement important?
A. To segregate systems development and live environments
B. To protect the organization from copyright disputes
C. To ensure that sufficient code is available when needed
D. To ensure that the source code remains available even if the application vendor goes out of business
Correct Answer: A
Question #24
Why is the WAP gateway a component warranting critical concern and review for the IS auditor when auditing and testing controls enforcing message confidentiality?
A. WAP is often configured by default settings and is thus insecure
B. WAP provides weak encryption for wireless traffic
C. WAP functions as a protocol-conversion gateway for wireless TLS to Internet SSL
D. WAP often interfaces critical IT systems
Correct Answer: A
Question #25
What is an acceptable mechanism for extremely time-sensitive transaction processing?
A. Off-site remote journaling
B. Electronic vaulting
C. Shadow file processing
D. Storage area network
Correct Answer: B
Question #26
An IS auditor usually places more reliance on evidence directly collected. What is an example of such evidence?
A. Evidence collected through personal observation
B. Evidence collected through systems logs provided by the organization's security administration
C. Evidence collected through surveys collected from internal staff
D. Evidence collected through transaction reports provided by the organization's IT administration
Correct Answer: B
Question #27
Why does an IS auditor review an organization chart?
A. To optimize the responsibilities and authority of individuals
B. To control the responsibilities and authority of individuals
C. To better understand the responsibilities and authority of individuals
D. To identify project sponsors
Correct Answer: A
Question #28
The management of an organization has decided to establish a security awareness program. Which of the following would MOST likely be a part of the program?
A. Utilization of an intrusion detection system to report incidents
B. Mandating the use of passwords to access all software
C. Installing an efficient user log system to track the actions of each user
D. Training provided on a regular basis to all current and new employees
Correct Answer: C
Question #29
Proper segregation of duties prohibits a system analyst from performing quality-assurance functions. True or false?
A. True
B. False
Correct Answer: A
Question #30
A transaction journal provides the information necessary for detecting unauthorized ___________ (fill in the blank) from a terminal.
A. Deletion
B. Input
C. Access
D. Duplication
Correct Answer: A
Question #31
What benefit does using capacity-monitoring software to monitor usage patterns and trends provide to management?
A. The software can dynamically readjust network traffic capabilities based upon current usage
B. The software produces nice reports that really impress management
C. It allows users to properly allocate resources and ensure continuous efficiency of operations
D. It allows management to properly allocate resources and ensure continuous efficiency of operations
Correct Answer: D
Question #32
An IS auditor evaluates the test results of a modification to a system that deals with payment computation. The auditor finds that 50 percent of the calculations do not match predetermined totals. Which of the following would MOST likely be the next step in the audit?
A. Design further tests of the calculations that are in error
B. Identify variables that may have caused the test results to be inaccurate
C. Examine some of the test cases to confirm the results
D. Document the results and prepare a report of findings, conclusions and recommendations
Correct Answer: B
Question #33
Which of the following is a sophisticated computer-based switch that can be thought of as essentially a small in-house phone company for the organization?
A. Private Branch Exchange
B. Virtual Local Area Network
C. Voice over IP
D. Dial-up connection
Correct Answer: B
Question #34
Which of the following can help detect transmission errors by appending specially calculated bits onto the end of each segment of data?
A. Redundancy check
B. Completeness check
C. Accuracy check
D. Parity check
Correct Answer: B
Question #35
An IS auditor should carefully review the functional requirements in a system-development project to ensure that the project is designed to:
A. Meet business objectives
B. Enforce data security
C. Be culturally feasible
D. Be financially feasible
Correct Answer: A
Question #36
Which of the following PBX features allows a PBX to be configured so that incoming calls are distributed to the next available agent or placed on hold until one becomes available?
A. Automatic Call distribution
B. Call forwarding
C. Tenanting
D. Voice mail
Correct Answer: C
Question #37
Who is responsible for providing adequate physical and logical security for IS programs, data and equipment?
A. Data Owner
B. Data User
C. Data Custodian
D. Security Administrator
Correct Answer: A
Question #38
Who is responsible for restricting and monitoring access of a data user?
A. Data Owner
B. Data User
C. Data Custodian
D. Security Administrator
Correct Answer: D
Question #39
With the objective of mitigating the risk and impact of a major business interruption, a disaster recovery plan should endeavor to reduce the length of recovery time necessary, as well as the costs associated with recovery. Although a DRP results in an increase of pre- and post-incident operational costs, the extra costs are more than offset by reduced recovery and business impact costs. True or false?
A. True
B. False
Correct Answer: A
Question #40
Which of the following is normally a responsibility of the chief security officer (CSO)?
A. Periodically reviewing and evaluating the security policy
B. Executing user application and software testing and evaluation
C. Granting and revoking user access to IT resources
D. Approving access to data and applications
Correct Answer: A
Question #41
Which of the following is BEST characterized by unauthorized modification of data before or during systems data entry?
A. Data diddling
B. Skimming
C. Data corruption
D. Salami attack
Correct Answer: A
Question #42
An IS auditor is performing an audit of a network operating system. Which of the following is a user feature the IS auditor should review?
A. Availability of online network documentation
B. Support of terminal access to remote hosts
C. Handling file transfer between hosts and interuser communications
D. Performance management, audit and control
Correct Answer: A
Question #43
An IS auditor performing a review of an application's controls would evaluate the:
A. efficiency of the application in meeting the business processes
B. impact of any exposures discovered
C. business processes served by the application
D. application's optimization
Correct Answer: D
Question #44
Which of the following terms related to network performance refers to the variation in the arrival time of packets at the receiver of the information?
A. Bandwidth
B. Throughput
C. Latency
D. Jitter
Correct Answer: C
Question #45
Data edits are implemented before processing and are considered which of the following?
A. Deterrent integrity controls
B. Detective integrity controls
C. Corrective integrity controls
D. Preventative integrity controls
Correct Answer: B
Question #46
Why does the IS auditor often review the system logs?
A. To get evidence of password spoofing
B. To get evidence of data copy activities
C. To determine the existence of unauthorized access to data by a user or program
D. To get evidence of password sharing
Correct Answer: D
Question #47
An IS auditor identifies that reports on product profitability produced by an organization's finance and marketing departments give different results. Further investigation reveals that the product definition being used by the two departments is different. What should the IS auditor recommend?
A. User acceptance testing (UAT) occur for all reports before release into production
B. Organizational data governance practices be put in place
C. Standard software tools be used for report development
D. Management sign-off on requirements for new reports
Correct Answer: C
Question #48
When developing a risk-based audit strategy, an IS auditor conducts a risk assessment to ensure that:
A. controls needed to mitigate risks are in place
B. vulnerabilities and threats are identified
C. audit risks are considered
D. a gap analysis is appropriate
Correct Answer: A
Question #49
Who assumes ownership of a systems-development project and the resulting system?
A. User management
B. Project steering committee
C. IT management
D. Systems developers
Correct Answer: B
Question #50
The MAJOR consideration for an IS auditor reviewing an organization's IT project portfolio is the:
A. IT budget
B. existing IT environment
C. business plan
D. investment plan
Correct Answer: B
Question #51
Which of the following are effective in detecting fraud because they have the capability to consider a large number of variables when trying to resolve a problem?
A. Expert systems
B. Neural networks
C. Integrated synchronized systems
D. Multitasking applications
Correct Answer: A
Question #52
What increases encryption overhead and cost the most?
A. A long symmetric encryption key
B. A long asymmetric encryption key
C. A long Advanced Encryption Standard (AES) key
D. A long Data Encryption Standard (DES) key
Correct Answer: C
Question #53
Which of the following is of greatest concern to the IS auditor?
A. Failure to report a successful attack on the network
B. Failure to prevent a successful attack on the network
C. Failure to recover from a successful attack on the network
D. Failure to detect a successful attack on the network
Correct Answer: A
Question #54
When should plans for testing for user acceptance be prepared?
A. In the requirements definition phase of the systems-development project
B. In the feasibility phase of the systems-development project
C. In the design phase of the systems-development project
D. In the development phase of the systems-development project
Correct Answer: A
Question #55
Who is responsible for implementing cost-effective controls in an automated system?
A. Security policy administrators
B. Business unit management
C. Senior management
D. Board of directors
Correct Answer: A
Question #56
In the course of performing a risk analysis, an IS auditor has identified threats and potential impacts. Next, the IS auditor should:
A. identify and assess the risk assessment process used by management
B. identify information assets and the underlying systems
C. disclose the threats and impacts to management
D. identify and evaluate the existing controls
Correct Answer: A
Question #57
Which of the following anti-malware techniques fools malware by appending sections of itself to files, somewhat in the same way that file malware appends itself?
A. Scanners
B. Active Monitors
C. Immunizer
D. Behavior blocker
Correct Answer: B
Question #58
What type of fire-suppression system suppresses fire via water that is released from a main valve to be delivered via a system of dry pipes installed throughout the facilities?
A. A dry-pipe sprinkler system
B. A deluge sprinkler system
C. A wet-pipe system
D. A halon sprinkler system
Correct Answer: D
Question #59
How can minimizing single points of failure or vulnerabilities of a common disaster best be controlled?
A. By implementing redundant systems and applications onsite
B. By geographically dispersing resources
C. By retaining onsite data backup in fireproof vaults
D. By preparing BCP and DRP documents for commonly identified disasters
Correct Answer: B
Question #60
An IS auditor should use statistical sampling and not judgment (nonstatistical) sampling, when:
A. the probability of error must be objectively quantified
B. the auditor wishes to avoid sampling risk
C. generalized audit software is unavailable
D. the tolerable error rate cannot be determined
Correct Answer: C
Question #61
During a security audit of IT processes, an IS auditor found that there were no documented security procedures. The IS auditor should:
A. create the procedures document
B. terminate the audit
C. conduct compliance testing
D. identify and evaluate existing practices
Correct Answer: A
Question #62
Which of the following protocols is used for electronic mail service?
A. DNS
B. FTP
C. SSH
D. SMTP
Correct Answer: D
Question #63
Which of the following would an IS auditor consider the MOST relevant to short-term planning for an IS department?
A. Allocating resources
B. Keeping current with technology advances
C. Conducting control self-assessment
D. Evaluating hardware needs
Correct Answer: B
Question #64
An IS auditor is reviewing access to an application to determine whether the 10 most recent “new user” forms were correctly authorized. This is an example of:
A. variable sampling
B. substantive testing
C. compliance testing
D. stop-or-go sampling
Correct Answer: B
Question #65
Which of the following types of lock uses a magnetic or embedded-chip plastic card key or token entered into a sensor/reader to gain access?
A. Bolting door locks
B. Combination door lock
C. Electronic door lock
D. Biometric door lock
Correct Answer: A
Question #66
Who is accountable for maintaining appropriate security measures over information assets?
A. Data and systems owners
B. Data and systems users
C. Data and systems custodians
D. Data and systems auditors
Correct Answer: B
Question #67
The decisions and actions of an IS auditor are MOST likely to affect which of the following risks?
A. Inherent
B. Detection
C. Control
D. Business
Correct Answer: B
Question #68
In an IS audit of several critical servers, the IS auditor wants to analyze audit trails to discover potential anomalies in user or system behavior. Which of the following tools are MOST suitable for performing that task?
A. CASE tools
B. Embedded data collection tools
C. Heuristic scanning tools
D. Trend/variance detection tools
Correct Answer: C
Question #69
An IS auditor is evaluating a corporate network for a possible penetration by employees. Which of the following findings should give the IS auditor the GREATEST concern?
A. There are a number of external modems connected to the network
B. Users can install software on their desktops
C. Network monitoring is very limited
D. Many user IDs have identical passwords
Correct Answer: D
Question #70
________ (fill in the blank) is/are ultimately accountable for the functionality, reliability, and security within IT governance.
A. Data custodians
B. The board of directors and executive officers
C. IT security administration
D. Business unit managers
Correct Answer: A
Question #71
The PRIMARY purpose of an IT forensic audit is:
A. to participate in investigations related to corporate fraud
B. the systematic collection of evidence after a system irregularity
C. to assess the correctness of an organization's financial statements
D. to determine that there has been criminal activity
Correct Answer: B
Question #72
Which of the following statements INCORRECTLY describes anti-malware?
A. 2
B. 3
C. 2 and 3
D. None of the choices listed
Correct Answer: A
Question #73
Which of the following sampling methods is MOST useful when testing for compliance?
A. Attribute sampling
B. Variable sampling
C. Stratified mean per unit
D. Difference estimation
Correct Answer: C