Comprehensive CISA Practice Tests and Exam Resources, Certified Information Systems Auditor | SPOTO

Mock tests play a pivotal role in preparing for the CISA certification exam, offering several key advantages. These comprehensive practice tests simulate the actual exam environment, allowing candidates to familiarize themselves with the format, timing, and difficulty level of real exam questions. By practicing with mock tests, candidates can identify their strengths and weaknesses, enabling them to focus their study efforts more effectively. Mock tests also help improve time management skills as candidates learn to allocate the right amount of time to each question. Additionally, mock tests provide immediate feedback on performance, highlighting areas that need improvement and guiding ongoing study efforts. With access to SPOTO's comprehensive CISA practice tests and exam resources, candidates can enhance their exam readiness and boost their confidence to excel in the certification exam.
Question #1
To properly evaluate the collective effect of preventative, detective, or corrective controls within a process, an IS auditor should be aware of which of the following?
A. The business objectives of the organization
B. The effect of segregation of duties on internal controls
C. The point at which controls are exercised as data flows through the system
D. Organizational control policies
Correct Answer: B
Question #2
Authentication techniques for sending and receiving data between EDI systems are crucial to prevent which of the following?
A. Unsynchronized transactions
B. Unauthorized transactions
C. Inaccurate transactions
D. Incomplete transactions
Correct Answer: A
Question #3
An organization has created a policy that defines the types of web sites that users are forbidden to access. What is the MOST effective technology to enforce this policy?
A. Stateful inspection firewall
B. Web content filter
C. Web cache server
D. Proxy server
Correct Answer: B
Question #4
What can be implemented to provide the highest level of protection from external attack?
A. Layering perimeter network protection by configuring the firewall as a screened host in a screened subnet behind the bastion host
B. Configuring the firewall as a screened host behind a router
C. Configuring the firewall as the protecting bastion host
D. Configuring two load-sharing firewalls facilitating VPN access from external hosts to internal hosts
Correct Answer: D
Question #5
What must an IS auditor understand before performing an application audit?
A. The potential business impact of application risks
B. Application risks must first be identified
C. Relative business processes
D. Relevant application risks
Correct Answer: A
Question #6
What should be the GREATEST concern to an IS auditor when employees use portable media (MP3 players, flash drives)?
A. The copying of sensitive data on them
B. The copying of songs and videos on them
C. The cost of these devices multiplied by all the employees could be high
D. They facilitate the spread of malicious code through the corporate network
Correct Answer: C
Question #7
An IS auditor who is reviewing incident reports discovers that, in one instance, an important document left on an employee's desk was removed and put in the garbage by the outsourced cleaning staff. Which of the following should the IS auditor recommend to management?
A. Stricter controls should be implemented by both the organization and the cleaning agency
B. No action is required since such incidents have not occurred in the past
C. A clear desk policy should be implemented and strictly enforced in the organization
D. A sound backup policy for all important office documents should be implemented
Correct Answer: C
Question #8
A manager of a project was not able to implement all audit recommendations by the target date. The IS auditor should:
A. recommend that the project be halted until the issues are resolved
B. recommend that compensating controls be implemented
C. evaluate risks associated with the unresolved issues
D. recommend that the project manager reallocate test resources to resolve the issues
Correct Answer: C
Question #9
Which of the following is the GREATEST advantage of elliptic curve encryption over RSA encryption?
A. Computation speed
B. Ability to support digital signatures
C. Simpler key distribution
D. Greater strength for a given key length
Correct Answer: A
Question #10
An off-site processing facility should be easily identifiable externally because easy identification helps ensure smoother recovery. True or false?
A. True
B. False
Correct Answer: A
Question #11
Off-site data storage should be kept synchronized when preparing for recovery of time-sensitive data such as that resulting from which of the following?
A. Financial reporting
B. Sales reporting
C. Inventory reporting
D. Transaction processing
Correct Answer: B
Question #12
An installed Ethernet cable run in an unshielded twisted pair (UTP) network is more than 100 meters long. Which of the following could be caused by the length of the cable?
A. Electromagnetic interference (EMI)
B. Cross-talk
C. Dispersion
D. Attenuation
Correct Answer: B
Question #13
Input/output controls should be implemented for which applications in an integrated systems environment?
A. The receiving application
B. The sending application
C. Both the sending and receiving applications
D. Output on the sending application and input on the receiving application
Correct Answer: D
Question #14
Before implementing an IT balanced scorecard, an organization must:
A. deliver effective and efficient services
B. define key performance indicators
C. provide business value to IT projects
D. control IT expenses
Correct Answer: A
Question #15
Which of the following BEST describes the concept of "defense in depth"?
A. more than one subsystem needs to be compromised to compromise the security of the system and the information it holds
B. multiple firewalls are implemented
C. multiple firewalls and multiple network OS are implemented
D. intrusion detection and firewall filtering are required
E. None of the choices
Correct Answer: D
Question #16
At a hospital, medical personnel carry handheld computers which contain patient health data. These handheld computers are synchronized with PCs which transfer data from a hospital database. Which of the following would be of the MOST importance?
A. The handheld computers are properly protected to prevent loss of data confidentiality, in case of theft or loss
B. The employee who deletes temporary files from the local PC, after usage, is authorized to maintain PCs
C. Timely synchronization is ensured by policies and procedures
D. The usage of the handheld computers is allowed by the hospital policy
Correct Answer: B
Question #17
What is the most common reason for information systems to fail to meet the needs of users?
A. Lack of funding
B. Inadequate user participation during system requirements definition
C. Inadequate senior management participation during system requirements definition
D. Poor IT strategic planning
Correct Answer: A
Question #18
Reverse proxy technology for web servers should be deployed if:
A. http servers' addresses must be hidden
B. accelerated access to all published pages is required
C. caching is needed for fault tolerance
D. bandwidth to the user is limited
Correct Answer: B
Question #19
Which of the following should be the MOST important consideration when deciding areas of priority for IT governance implementation?
A. Process maturity
B. Performance indicators
C. Business risk
D. Assurance reports
Correct Answer: C
Question #20
An IS auditor reviewing the risk assessment process of an organization should FIRST:
A. identify the reasonable threats to the information assets
B. analyze the technical and organizational vulnerabilities
C. identify and rank the information assets
D. evaluate the effect of a potential security breach
Correct Answer: B
Question #21
To address the risk of operations staff's failure to perform the daily backup, management requires that the systems administrator sign off on the daily backup. This is an example of risk:
A. avoidance
B. transference
C. mitigation
D. acceptance
Correct Answer: A
Question #22
Which of the following network components is PRIMARILY set up to serve as a security measure by preventing unauthorized traffic between different segments of the network?
A. Firewalls
B. Routers
C. Layer 2 switches
D. VLANs
Correct Answer: C
Question #23
An integrated test facility is not considered a useful audit tool because it cannot compare processing output with independently calculated data. True or false?
A. True
B. False
Correct Answer: B
Question #24
During the review of a biometrics system operation, an IS auditor should FIRST review the stage of:
A. enrollment
B. identification
C. verification
D. storage
Correct Answer: A
Question #25
Which of the following procedures would BEST determine whether adequate recovery/restart procedures exist?
A. Reviewing program code
B. Reviewing operations documentation
C. Turning off the UPS, then the power
D. Reviewing program documentation
Correct Answer: A
Question #26
Which of the following provides the BEST evidence of an organization's disaster recovery readiness?
A. A disaster recovery plan
B. Customer references for the alternate site provider
C. Processes for maintaining the disaster recovery plan
D. Results of tests and drills
Correct Answer: D
Question #27
A comprehensive and effective e-mail policy should address the issues of e-mail structure, policy enforcement, monitoring and:
A. recovery
B. retention
C. rebuilding
D. reuse
Correct Answer: A
Question #28
The reason for establishing a stop or freezing point on the design of a new system is to:
A. prevent further changes to a project in process
B. indicate the point at which the design is to be completed
C. require that changes after that point be evaluated for cost-effectiveness
D. provide the project management team with more control over the project design
Correct Answer: A
Question #29
When planning to add personnel to tasks imposing time constraints on the duration of a project, which of the following should be revalidated FIRST?
A. The project budget
B. The critical path for the project
C. The length of the remaining tasks
D. The personnel assigned to other tasks
Correct Answer: A
Question #30
To aid management in achieving IT and business alignment, an IS auditor should recommend the use of:
A. control self-assessments
B. a business impact analysis
C. an IT balanced scorecard
D. business process reengineering
Correct Answer: B
Question #31
Which of the following issues should be the GREATEST concern to the IS auditor when reviewing an IT disaster recovery test?
A. Due to the limited test time window, only the most essential systems were tested
B. During the test it was noticed that some of the backup systems were defective or not working, causing the test of these systems to fail
C. The procedures to shut down and secure the original production site before starting the backup site required far more time than planned
D. Every year, the same employees perform the test
Correct Answer: A
Question #32
Which of the following is by far the most common prevention system from a network security perspective?
A. Firewall
B. IDS
C. IPS
D. Hardened OS
E. Tripwire
F. None of the choices
Correct Answer: A
Question #33
To determine who has been given permission to use a particular system resource, an IS auditor should review:
A. activity lists
B. access control lists
C. logon ID lists
D. password lists
Correct Answer: A
Question #34
Which of the following should be of MOST concern to an IS auditor reviewing the BCP?
A. The disaster levels are based on scopes of damaged functions, but not on duration
B. The difference between low-level disaster and software incidents is not clear
C. The overall BCP is documented, but detailed recovery steps are not specified
D. The responsibility for declaring a disaster is not identified
Correct Answer: D
Question #35
Which significant risk is introduced by running the file transfer protocol (FTP) service on a server in a demilitarized zone (DMZ)?
A. A user from within could send a file to an unauthorized person
B. FTP services could allow a user to download files from unauthorized sources
C. A hacker may be able to use the FTP service to bypass the firewall
D. FTP could significantly reduce the performance of a DMZ server
Correct Answer: C
Question #36
The responsibility for authorizing access to a business application system belongs to the:
A. data owner
B. security administrator
C. IT security manager
D. requestor's immediate supervisor
Correct Answer: A
Question #37
What is the first step in a business process re-engineering project?
A. Identifying current business processes
B. Forming a BPR steering committee
C. Defining the scope of areas to be reviewed
D.
Correct Answer: A
Question #38
Which of the following would be MOST important for an IS auditor to verify when conducting a business continuity audit?
A. Data backups are performed on a timely basis
B. A recovery site is contracted for and available as needed
C. Human safety procedures are in place
D. Insurance coverage is adequate and premiums are current
Correct Answer: C
Question #39
Ensuring that security and control policies support business and IT objectives is a primary objective of:
A. An IT security policies audit
B. A processing audit
C. A software audit
D. A vulnerability assessment
Correct Answer: B
Question #40
Which of the following is a characteristic of timebox management?
A. Not suitable for prototyping or rapid application development (RAD)
B. Eliminates the need for a quality process
C. Prevents cost overruns and delivery delays
D. Separates system and user acceptance testing
Correct Answer: D
Question #41
How do modems (modulation/demodulation) function to facilitate analog transmissions to enter a digital network?
A. Modems convert analog transmissions to digital, and digital transmission to analog
B. Modems encapsulate analog transmissions within digital, and digital transmissions within analog
C. Modems convert digital transmissions to analog, and analog transmissions to digital
D. Modems encapsulate digital transmissions within analog, and analog transmissions within digital
Correct Answer: A
Question #42
Which of the following would be the BEST access control procedure?
A. The data owner formally authorizes access and an administrator implements the user authorization tables
B. Authorized staff implements the user authorization tables and the data owner sanctions them
C. The data owner and an IS manager jointly create and update the user authorization tables
D. The data owner creates and updates the user authorization tables
Correct Answer: A
Question #43
Of the following alternatives, the FIRST approach to developing a disaster recovery strategy would be to assess whether:
A. all threats can be completely removed
B. a cost-effective, built-in resilience can be implemented
C. the recovery time objective can be optimized
D. the cost of recovery can be minimized
Correct Answer: D
Question #44
What is used to develop strategically important systems faster, reduce development costs, and still maintain high quality?
A. Rapid application development (RAD)
B. GANTT
C. PERT
D. Decision trees
Correct Answer: D
Question #45
When segregation of duties concerns exist between IT support staff and end users, what would be a suitable compensating control?
A. Restricting physical access to computing equipment
B. Reviewing transaction and application logs
C. Performing background checks prior to hiring IT staff
D. Locking user sessions after a specified period of inactivity
Correct Answer: B
Question #46
To assist an organization in planning for IT investments, an IS auditor should recommend the use of:
A. project management tools
B. an object-oriented architecture
C. tactical planning
D. enterprise architecture (EA)
Correct Answer: D
Question #47
As a driver of IT governance, transparency of IT's cost, value and risks is primarily achieved through:
A. performance measurement
B. strategic alignment
C. value delivery
D. resource management
Correct Answer: C
Question #48
Which of the following refers to the proving of mathematical theorems by a computer program?
A. Analytical theorem proving
B. Automated technology proving
C. Automated theorem processing
D. Automated theorem proving
E. None of the choices
Correct Answer: A
Question #49
While observing a full simulation of the business continuity plan, an IS auditor notices that the notification systems within the organizational facilities could be severely impacted by infrastructural damage. The BEST recommendation the IS auditor can provide to the organization is to ensure:
A. the salvage team is trained to use the notification system
B. the notification system provides for the recovery of the backup
C. redundancies are built into the notification system
D. the notification systems are stored in a vault
Correct Answer: A
Question #50
Which of the following acts as a decoy to detect active internet attacks?
A. Honeypots
B. Firewalls
C. Trapdoors
D. Traffic analysis
Correct Answer: A
Question #51
An IS auditor reviewing an organization that uses cross-training practices should assess the risk of:
A. dependency on a single person
B. inadequate succession planning
C. one person knowing all parts of a system
D. a disruption of operations
Correct Answer: A
Question #52
What should IS auditors always check when auditing password files?
A. That deleting password files is protected
B. That password files are encrypted
C. That password files are not accessible over the network
D. That password files are archived
Correct Answer: A
Question #53
Which of the following kinds of functions are particularly vulnerable to format string attacks?
A. C functions that perform output formatting
B. C functions that perform integer computation
C. C functions that perform real number subtraction
D. VB functions that perform integer conversion
E. SQL functions that perform string conversion
F. SQL functions that perform text conversion
Correct Answer: A
Question #54
Which of the following concerns associated with the World Wide Web would be addressed by a firewall?
A. Unauthorized access from outside the organization
B. Unauthorized access from within the organization
C. A delay in Internet connectivity
D. A delay in downloading using File Transfer Protocol (FTP)
Correct Answer: D
Question #55
Using the OSI reference model, what layer(s) is/are used to encrypt data?
A. Transport layer
B. Session layer
C. Session and transport layers
D. Data link layer
Correct Answer: B
Question #56
Mitigating the risk and impact of a disaster or business interruption usually takes priority over transference of risk to a third party such as an insurer. True or false?
A. True
B. False
Correct Answer: D
Question #57
Which of the following are designed to detect network attacks in progress and assist in post-attack forensics?
A. Intrusion Detection Systems
B. Audit trails
C. System logs
D. Tripwire
E. None of the choices
Correct Answer: A
Question #58
Which of the following situations would increase the likelihood of fraud?
A. Application programmers are implementing changes to production programs
B. Application programmers are implementing changes to test programs
C. Operations support staff are implementing changes to batch schedules
D. Database administrators are implementing changes to data structures
Correct Answer: B
Question #59
An organization has an integrated development environment (IDE) on which the program libraries reside on the server, but modification/development and testing are done from PC workstations. Which of the following would be a strength of an IDE?
A. Controls the proliferation of multiple versions of programs
B. Expands the programming resources and aids available
C. Increases program and processing integrity
D. Prevents valid changes from being overwritten by other changes
Correct Answer: A
Question #60
Which of the following types of attack makes use of unfiltered user input as the format string parameter in the printf() function of the C language?
A. buffer overflows
B. format string vulnerabilities
C. integer overflow
D. code injection
E. command injection
F. None of the choices
Correct Answer: D
Question #61
An intentional or unintentional disclosure of a password is likely to be evident within control logs. True or false?
A. True
B. False
Correct Answer: A
Question #62
When reviewing an organization's logical access security, which of the following should be of MOST concern to an IS auditor?
A. Passwords are not shared
B. Password files are not encrypted
C. Redundant logon IDs are deleted
D. The allocation of logon IDs is controlled
Correct Answer: A
Question #63
Which of the following would prevent unauthorized changes to information stored in a server's log?
A. Write-protecting the directory containing the system log
B. Writing a duplicate log to another server
C. Daily printing of the system log
D. Storing the system log in write-once media
Correct Answer: D
Question #64
After the merger of two organizations, multiple self-developed legacy applications from both companies are to be replaced by a new common platform. Which of the following would be the GREATEST risk?
A. Project management and progress reporting is combined in a project management office which is driven by external consultants
B. The replacement effort consists of several independent projects without integrating the resource allocation in a portfolio management approach
C. The resources of each of the organizations are inefficiently allocated while they are being familiarized with the other company's legacy systems
D. The new platform will force the business areas of both organizations to change their work processes, which will result in extensive training needs
Correct Answer: A
Question #65
The PRIMARY reason for using digital signatures is to ensure data:
A. confidentiality
B. integrity
C. availability
D. timeliness
Correct Answer: B
Question #66
The information security policy that states 'each individual must have their badge read at every controlled door' addresses which of the following attack methods?
A. Piggybacking
B. Shoulder surfing
C. Dumpster diving
D. Impersonation
Correct Answer: B
Question #67
An organization has implemented a disaster recovery plan. Which of the following steps should be carried out next?
A. Obtain senior management sponsorship
B. Identify business needs
C. Conduct a paper test
D. Perform a system restore test
Correct Answer: B
Question #68
When should systems administrators first assess the impact of applications or systems patches?
A. Within five business days following installation
B. Prior to installation
C. No sooner than five business days following installation
D. Immediately following installation
Correct Answer: A
Question #69
Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?
A. Overlapping controls
B. Boundary controls
C. Access controls
D. Compensating controls
Correct Answer: D
Question #70
For a discretionary access control to be effective, it must:
A. operate within the context of mandatory access controls
B. operate independently of mandatory access controls
C. enable users to override mandatory access controls when necessary
D. be specifically permitted by the security policy
Correct Answer: D
Question #71
Which of the following measures can protect systems files and data, respectively?
A. User account access controls and cryptography
B. User account access controls and firewall
C. User account access controls and IPS
D. IDS and cryptography
E. Firewall and cryptography
F. None of the choices
Correct Answer: D
Question #72
Which of the following would BEST provide assurance of the integrity of new staff?
A. Background screening
B. References
C. Bonding
D. Qualifications listed on a resume
Correct Answer: A
Question #73
Which of the following refers to an anomalous condition where a process attempts to store data beyond the boundaries of a fixed length buffer?
A. buffer overflow
B. format string vulnerabilities
C. integer misappropriation
D. code injection
E. None of the choices
Correct Answer: D
Question #74
Which of the following is a general operating system access control function?
A. Creating database profiles
B. Verifying user authorization at a field level
C. Creating individual accountability
D. Logging database access activities for monitoring access violation
Correct Answer: B
Question #75
During an audit of an enterprise that is dedicated to e-commerce, the IS manager states that digital signatures are used when receiving communications from customers. To substantiate this, an IS auditor must prove that which of the following is used?
A. A biometric, digitalized and encrypted parameter with the customer's public key
B. A hash of the data that is transmitted and encrypted with the customer's private key
C. A hash of the data that is transmitted and encrypted with the customer's public key
D. The customer's scanned signature encrypted with the customer's public key
Correct Answer: A
Question #76
Which of the following is a risk of cross-training?
A. Increases the dependence on one employee
B. Does not assist in succession planning
C. One employee may know all parts of a system
D. Does not help in achieving a continuity of operations
Correct Answer: C
Question #77
From a control perspective, the PRIMARY objective of classifying information assets is to:
A. establish guidelines for the level of access controls that should be assigned
B. ensure access controls are assigned to all information assets
C. assist management and auditors in risk assessment
D. identify which assets need to be insured against losses
Correct Answer: A
Question #78
The technique used to ensure security in virtual private networks (VPNs) is:
A. encapsulation
B. wrapping
C. transform
D. encryption
Correct Answer: A
Question #79
Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems?
A. User management coordination does not exist
B. Specific user accountability cannot be established
C. Unauthorized users may have access to originate, modify or delete data
D. Audit recommendations may not be implemented
Correct Answer: A
Question #80
A hacker could obtain passwords without the use of computer tools or programs through the technique of:
A. social engineering
B. sniffers
C. back doors
D. Trojan horses
Correct Answer: B
Question #81
During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management function, and the organization's operational risk documentation only contains a few broadly described IT risks. What is the MOST appropriate recommendation in this situation?
A. Create an IT risk management department and establish an IT risk framework with the aid of external risk management experts
B. Use common industry standard aids to divide the existing risk documentation into several individual risks which will be easier to handle
C. No recommendation is necessary since the current approach is appropriate for a medium-sized organization
D. Establish regular IT risk management meetings to identify and assess risks, and create a mitigation plan as input to the organization's risk management
Correct Answer: C
Question #82
When developing a risk management program, what is the FIRST activity to be performed?
A. Threat assessment
B. Classification of data
C. Inventory of assets
D. Criticality analysis
Correct Answer: A
Question #83
The reliability of an application system's audit trail may be questionable if:
A. user IDs are recorded in the audit trail
B. the security administrator has read-only rights to the audit file
C. date and time stamps are recorded when an action occurs
D. users can amend audit trail records when correcting system errors
Correct Answer: D
Question #84
An information security policy stating that 'the display of passwords must be masked or suppressed' addresses which of the following attack methods?
A. Piggybacking
B. Dumpster diving
C. Shoulder surfing
D. Impersonation
Correct Answer: D
Question #85
In an online banking application, which of the following would BEST protect against identity theft?
A. Encryption of personal password
B. Restricting the user to a specific terminal
C. Two-factor authentication
D. Periodic review of access logs
Correct Answer: C
Question #86
Sign-on procedures include the creation of a unique user ID and password. However, an IS auditor discovers that in many cases the username and password are the same. The BEST control to mitigate this risk is to:
A. change the company's security policy
B. educate users about the risk of weak passwords
C. build in validations to prevent this during user creation and password change
D. require a periodic review of matching user ID and passwords for detection and correction
Correct Answer: A
Question #87
Which of the following would be the MOST significant audit finding when reviewing a point-of-sale (POS) system?
A. Invoices recorded on the POS system are manually entered into an accounting application
B. An optical scanner is not used to read bar codes for the generation of sales invoices
C. Frequent power outages occur, resulting in the manual preparation of invoices
D. Customer credit card information is stored unencrypted on the local POS system
Correct Answer: D
Question #88
Which of the following does a lack of adequate security controls represent?
A. Threat
B. Asset
C. Impact
D. Vulnerability
Correct Answer: A
Question #89
When auditing the proposed acquisition of a new computer system, an IS auditor should FIRST establish that:
A. a clear business case has been approved by management
B. corporate security standards will be met
C. users will be involved in the implementation plan
D. the new system will meet all required user functionality
Correct Answer: C