DON'T WANT TO MISS A THING?

Certification Exam Passing Tips

Latest exam news and discount info

Curated and up-to-date by our experts

Yes, send me the newsletter

Dominate CISA Mock Tests & Study Materials, Certified Information Systems Auditor | SPOTO

Dominate Your CISA Exam with SPOTO's Premium Mock Tests & Study Materials! Becoming a Certified Information Systems Auditor demands extensive preparation using high-quality resources. SPOTO Club offers comprehensive exam materials containing thousands of realistic exam questions and answers, helping you identify knowledge gaps.Practice with their online exam questions, sample questions, and full-length mock exams to simulate the real test experience. Unlike outdated exam dumps, SPOTO's practice tests contain the latest exam content updated regularly. Their exam simulator replicates the actual exam environment, allowing you to master time management skills.Gain confidence for the CISA certification by accessing detailed explanations for every exam answer. Start your free test today and experience why IT professionals worldwide trust SPOTO for superior exam preparation and practice tests!

Take other online exams

Question #1
Which of the following is the BEST evidence of the maturity of an organization’s information security program?
A. The number of reported incidents has increased
B. The information security department actively monitors security operations
C. The number of reported incidents has decreased
D. IT security staff implements strict technical security controls
View answer
Correct Answer: B

View The Updated CISA Exam Questions

SPOTO Provides 100% Real CISA Exam Questions for You to Pass Your CISA Exam!

Question #2
A hub is a device that connects:
A. two LANs using different protocols
B. a LAN with a WAN
C. a LAN with a metropolitan area network (MAN)
D. two segments of a single LAN
View answer
Correct Answer: A
Question #3
Which of the following applet intrusion issues poses the GREATEST risk of disruption to an organization?
A. A program that deposits a virus on a client machine
B. Applets recording keystrokes and, therefore, passwords
C. Downloaded code that reads files on a client's hard drive
D. Applets opening connections from the client machine
View answer
Correct Answer: B
Question #4
Functional acknowledgements are used:
A. as an audit trail for EDI transactions
B. to functionally describe the IS department
C. to document user roles and responsibilities
D. as a functional description of application software
View answer
Correct Answer: C
Question #5
Which of the following uses a prototype that can be updated continually to meet changing user or business requirements?
A. PERT
B. Rapid application development (RAD)
C. Function point analysis (FPA)
D. GANTT
View answer
Correct Answer: D
Question #6
Which of the following term in business continuity defines the total amount of time that a business process can be disrupted without causing any unacceptable consequences?
A. RPO
B. RTO
C. WRT
D. MTD
View answer
Correct Answer: B
Question #7
During which of the following phases in system development would user acceptance test plans normally be prepared?
A. Feasibility study
B. Requirements definition
C. implementation planning
D. Postimplementation review
View answer
Correct Answer: B
Question #8
An IS auditor has identified the lack of an authorization process for users of an application. The IS auditor's main concern should be that:
A. more than one individual can claim to be a specific user
B. there is no way to limit the functions assigned to users
C. user accounts can be shared
D. users have a need-to-know privilege
View answer
Correct Answer: B
Question #9
An IS auditor is told by IS management that the organization has recently reached the highest level of the software capability maturity model (CMM). The software quality process MOST recently added by the organization is:
A. continuous improvement
B. quantitative quality goals
C. a documented process
D. a process tailored to specific projects
View answer
Correct Answer: C
Question #10
A. An IS auditor observes that routine backups of operational databases are taking longer than before. Which of the following would MOST effectively help to reduce backup and recovery times for operational databases? Utilizing database technologies to achieve efficiencies
B. Using solid storage device (SSD) media
C. Requiring a combination of weekly full backups and daily differential backups
D. Archiving historical data in accordance with the data retention policy
View answer
Correct Answer: A
Question #11
When responding to an ongoing denial of service (DoS) attack, an organization’s FIRST course of action should be to:
A. restore service
B. minimize impact
C. analyze the attack path
D. investigate damage
View answer
Correct Answer: D
Question #12
The MAJOR advantage of a component-based development approach is the:
A. ability to manage an unrestricted variety of data types
B. provision for modeling complex relationships
C. capacity to meet the demands of a changing environment
D. support of multiple development environments
View answer
Correct Answer: A
Question #13
During the audit of a database server, which of the following would be considered the GREATEST exposure?
A. The password does not expire on the administrator account
B. Default global security settings for the database remain unchanged
C. Old data have not been purged
D. Database activity is not fully logged
View answer
Correct Answer: C
Question #14
A decision support system (DSS):
A. is aimed at solving highly structured problems
B. combines the use of models with nontraditional data access and retrieval functions
C. emphasizes flexibility in the decision making approach of users
D. supports only structured decision making tasks
View answer
Correct Answer: A
Question #15
What type of risk results when an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when errors actually exist?
A. Business risk
B. Detection risk
C. Residual risk
D. Inherent risk
View answer
Correct Answer: A
Question #16
An IS auditor finds that, at certain times of the day, the data warehouse query performance decreases significantly. Which of the following controls would it be relevant for the IS auditor to review?
A. Permanent table-space allocation
B. Commitment and rollback controls
C. User spool and database limit controls
D. Read/write access log controls
View answer
Correct Answer: B
Question #17
The GREATEST advantage of rapid application development (RAD) over the traditional system development life cycle (SDLC) is that it:
A. facilitates user involvement
B. allows early testing of technical features
C. facilitates conversion to the new system
D. shortens the development time frame
View answer
Correct Answer: A
Question #18
An IS auditor invited to a development project meeting notes that no project risks have been documented. When the IS auditor raises this issue, the project manager responds that it is too early to identify risks and that, if risks do start impacting the project, a risk manager will be hired. The appropriate response of the IS auditor would be to: stress the importance of spending time at this point in the project to consider and document risks, and to develop contingency plans.
B. accept the project manager's position as the project manager is accountable for the outcome of the project
C. offer to work with the risk manager when one is appointed
D. inform the project manager that the IS auditor will conduct a review of the risks at the completion of the requirements definition phase of the project
View answer
Correct Answer: B
Question #19
What can be used to gather evidence of network attacks?
A. Access control lists (ACL)
B. Intrusion-detection systems (IDS)
C. Syslog reporting
D. Antivirus programs
View answer
Correct Answer: D
Question #20
A business unit cannot achieve desired segregation of duties between operations and programming due to size constraints. Which of the following is MOST important for the IS auditor to identify?
A. Unauthorized user controls
B. Compensating controls
C. Controls over operational effectiveness
D. Additional control weaknesses
View answer
Correct Answer: A
Question #21
When auditing third-party service providers, an IS auditor should be concerned with which of the following?
A. Ownership of the programs and files
B. A statement of due care and confidentiality, and the capability for continued service of the service provider in the event of a disaster
C. A statement of due care
D. Ownership of programs and files, a statement of due care and confidentiality, and the capability for continued service of the service provider in the event of a disaster
View answer
Correct Answer: A
Question #22
Which of the following database controls would ensure that the integrity of transactions is maintained in an online transaction processing system's database?
A. Authentication controls
B. Data normalization controls
C. Read/write access log controls
D. Commitment and rollback controls
View answer
Correct Answer: B
Question #23
A check digit is an effective edit check to:
A. Detect data-transcription errors
B. Detect data-transposition and transcription errors
C. Detect data-transposition, transcription, and substitution errors
D. Detect data-transposition errors
View answer
Correct Answer: C
Question #24
Which of the following BEST limits the impact of server failures in a distributed environment?
A. Redundant pathways
B. Clustering
C. Dial backup lines
D. Standby power
View answer
Correct Answer: B
Question #25
isk analysis is not always possible because the IS auditor is attempting to calculate risk using nonquantifiable threats and potential losses. In this event, a _________________ risk assessment is more appropriate. Fill in the blanks.
A. Quantitative; qualitative
B. Qualitative; quantitative
C. Residual; subjective
D. Quantitative; subjective
View answer
Correct Answer: C
Question #26
Several remote users have been unable to communicate with a secured network news transfer protocol (NNTP) server. Of the following, the MOST likely cause is:
A. the use of a password cracker
B. a hacker impersonating the server
C. a hacker using a sniffer
D. a replay attack by an eavesdropper
View answer
Correct Answer: C
Question #27
Which of the following will BEST ensure the successful offshore development of business applications?
A. Stringent contract management practices
B. Detailed and correctly applied specifications
C. Awareness of cultural and political differences
D. Post implementation reviews
View answer
Correct Answer: D
Question #28
An advantage of installing a thin client architecture in a local area network (LAN) is that this would:
A. stabilize network bandwidth requirements
B. facilitate the updating of software versions
C. ensure application availability when the server s down
D. reduce the risk of a single point of failure
View answer
Correct Answer: A
Question #29
To minimize the cost of a software project, quality management techniques should be applied: as close to their writing (i.e., point of origination) as possible.
B. primarily at project start-up to ensure that the project is established in accordance with organizational governance standards
C. continuously throughout the project with an emphasis on finding and fixing defects primarily during testing to maximize the defect detection rate
D. mainly at project close-down to capture lessons learned that can be applied to future projects
View answer
Correct Answer: B
Question #30
When should application controls be considered within the system-development process?
A. After application unit testing
B. After application module testing
C. After applications systems testing
D. As early as possible, even in the development of the project's functional specifications
View answer
Correct Answer: D
Question #31
The traditional role of an IS auditor in a control self-assessment (CSA) should be that of a(n):
A. Implementor
B. Facilitator
C. Developer
D. Sponsor
View answer
Correct Answer: A
Question #32
Which of the following system and data conversion strategies provides the GREATEST redundancy?
A. Direct cutover
B. Pilot study
C. Phased approach
D. Parallel run
View answer
Correct Answer: C
Question #33
An off-site processing facility should be easily identifiable externally because easy identification helps ensure smoother recovery. True or false?
A. True
B. False
View answer
Correct Answer: A
Question #34
Which of the following cryptography options would increase overhead/cost?
A. The encryption is symmetric rather than asymmetric
B. A long asymmetric encryption key is used
C. The hash is encrypted rather than the message
View answer
Correct Answer: A
Question #35
Which of the following systems-based approaches would a financial processing company employ to monitor spending patterns to identify abnormal patterns and report them?
A. A neural network
B. Database management software
C. Management information systems
D. Computer assisted audit techniques
View answer
Correct Answer: B
Question #36
In a client-server system, which of the following control techniques is used to inspect activity from known or unknown users?
A. Diskless workstations
B. Data encryption techniques
C. Network monitoring devices
D. Authentication systems
View answer
Correct Answer: A
Question #37
Allowing application programmers to directly patch or change code in production programs increases risk of fraud. True or false?
A. True
B. False
View answer
Correct Answer: B
Question #38
What are intrusion-detection systems (IDS) primarily used for?
A. To identify AND prevent intrusion attempts to a network
B. To prevent intrusion attempts to a network
C. Forensic incident response
D. To identify intrusion attempts to a network
View answer
Correct Answer: A
Question #39
What can be used to help identify and investigate unauthorized transactions?
A. Postmortem review
B. Reasonableness checks
C. Data-mining techniques
D. Expert systems
View answer
Correct Answer: A
Question #40
Which of the following should an IS auditor review to determine user permissions that have been granted for a particular resource?
A. Systems logs
B. Access control lists (ACL)
C. Application logs
D. Error logs
View answer
Correct Answer: A
Question #41
The MAIN reason for requiring that all computer clocks across an organization be synchronized is to:
A. prevent omission or duplication of transactions
B. ensure smooth data transition from client machines to servers
C. ensure that e-mail messages have accurate time stamps
D. support the incident investigation process
View answer
Correct Answer: A
Question #42
An IS auditor finds that client requests were processed multiple times when received from different independent departmental databases, which are synchronized weekly. What would be the BEST recommendation?
A. increase the frequency for data replication between the different department systems to ensure timely updates
B. Centralize all request processing in one department to avoid parallel processing of the same request
C. Change the application architecture so that common data is held in just one shared database for all departments
D. implement reconciliation controls to detect duplicates before orders are processed in the systems
View answer
Correct Answer: D
Question #43
Which of the following is the GREATEST security threat when an organization allows remote access to a virtual private network (VPN)?
A. Client logins are subject to replay attack
B. VPN traffic could be sniffed and captured
C. Compromised VPN clients could impact the network
D. Attackers could compromise the VPN gateway
View answer
Correct Answer: D
Question #44
An IS auditor is assigned to audit a software development project which is more than 80 percent complete, but has already overrun time by 10 percent and costs by 25 percent. Which of the following actions should the IS auditor take?
A. Report that the organization does not have effective project management
B. Recommend the project manager be changed
C. Review the IT governance structure
D. Review the conduct of the project and the business case
View answer
Correct Answer: C
Question #45
A sequence of bits appended to a digital document that is used to secure an e-mail sent through the Internet is called a:
A. digest signature
B. electronic signature
C. digital signature
D. hash signature
View answer
Correct Answer: D
Question #46
Electromagnetic emissions from a terminal represent an exposure because they:
A. affect noise pollution
B. disrupt processor functions
C. produce dangerous levels of electric current
D. can be detected and displayed
View answer
Correct Answer: A
Question #47
Run-to-run totals can verify data through which stage(s) of application processing?
A. Initial
B. Various
C. Final
D. Output
View answer
Correct Answer: B
Question #48
Which of the following is a detective control?
A. Procedures for authorizing transactions
B. Echo checks in telecommunications
C. A router rule restricting a service
D. Programmed edit checks
View answer
Correct Answer: D
Question #49
An IS auditor reviewing a database application discovers that the current configuration does not match the originally designed structure. Which of the following should be the IS auditor's next action?
A. Analyze the need for the structural change
B. Recommend restoration to the originally designed structure
C. Recommend the implementation of a change control process
D. Determine if the modifications were properly approved
View answer
Correct Answer: D
Question #50
Which of the following MOST effectively provides assurance of ongoing service delivery by a vendor?
A. Regular status reporting provided by the vendor
B. Short incident response time by the vendor
C. Pre-defined service and operational level agreements
D. Regular monitoring by service management team
View answer
Correct Answer: B
Question #51
A project manager of a project that is scheduled to take 18 months to complete announces that the project is in a healthy financial position because, after 6 months, only one-sixth of the budget has been spent. The IS auditor should FIRST determine:
A. what amount of progress against schedule has been achieved
B. if the project budget can be reduced
C. if the project could be brought in ahead of schedule
D. if the budget savings can be applied to increase the project scope
View answer
Correct Answer: A
Question #52
An employee uses a personal mobile device to access corporate data and email, but also allows friends to use it as a mobile hotspot for Internet access when not at work. The information security manager is concerned this situation may expose confidential data. The manager’s FIRST step should be to:
A. update the mobile device usage standards to address the issue and communicate to all employees
B. activate the incident response plan to mitigate the impact and stop the compromise
C. review the associated risks to determine if additional controls are needed
D. implement additional security controls that will mitigate the situation and then reassess risks
View answer
Correct Answer: C
Question #53
During an external assessment of network vulnerability, which of the following activities should be performed FIRST?
A. Collect network information
B. Implement an intrusion detection system (IDS)
C. Monitor the network
D. Review policies
View answer
Correct Answer: A
Question #54
A data breach has occurred at a third-party vendor used by an organization to outsource the processing of its customer data. What should be management’s FIRST course of action?
A. Activate the disaster recovery plan
B. Notify the insurance company of the potential claim
C. Activate the incident management process
D. Take legal action against the service provider for reputation damage
View answer
Correct Answer: D
Question #55
Which of the following should an IS auditor review to understand project progress in terms of time, budget and deliverables for early detection of possible overruns and for projecting estimates at completion (EACs)? Function point analysis
B. Earned value analysis
C. Cost budget
D. Program Evaluation and Review Technique
View answer
Correct Answer: B
Question #56
Which of the following intrusion detection systems (IDSs) monitors the general patterns of activity and traffic on a network and creates a database?
A. Signature-based
B. Neural networks-based
C. Statistical-based Host-based
View answer
Correct Answer: B
Question #57
Which of the following is the GREATEST risk of single sign-on?
A. Password carelessness by one user may render the entire infrastructure vulnerable
B. Integration of single sign-on with the rest of the infrastructure is complicated
C. It is a single point of failure for an enterprise access control process
D. One administrator maintains the single sign-on solution without segregation of duty
View answer
Correct Answer: D
Question #58
Reconciliations have identified data discrepancies between an enterprise data warehouse and a revenue system for key financial reports. What is the GREATEST risk to the organization in this situation?
A. The key financial reports may no longer be produced
B. Financial reports may be delayed
C. Undetected fraud may occur
D. Decisions may be made based on incorrect information
View answer
Correct Answer: B
Question #59
Which of the following is the GREATEST security risk associated with data migration from a legacy HR system to a cloud-based system?
A. System performance may be impacted by the migration
B. Records past their retention period may not be migrated to the new system
C. Data from the source and target system may have different data formats
D. Data from the source and target system may be intercepted
View answer
Correct Answer: C

View The Updated ISACA Exam Questions

SPOTO Provides 100% Real ISACA Exam Questions for You to Pass Your ISACA Exam!

View Answers after Submission

Please submit your email and WhatsApp to get the answers of questions.

Note: Please make sure your email ID and Whatsapp are valid so that you can get the correct exam results.

Email:
Whatsapp/phone number: