
Expert-Designed CISA Practice Tests 2024, Certified Information Systems Auditor | SPOTO

Mock tests play a pivotal role in preparing for the CISA certification exam, offering several key advantages. These comprehensive practice tests simulate the actual exam environment, allowing candidates to familiarize themselves with the format, timing, and difficulty level of real exam questions. By practicing with mock tests, candidates can identify their strengths and weaknesses, enabling them to focus their study efforts more effectively. Mock tests also help improve time management skills as candidates learn to allocate the right amount of time to each question. Additionally, mock tests provide immediate feedback on performance, highlighting areas that need improvement and guiding ongoing study efforts. With access to SPOTO's comprehensive CISA practice tests and exam resources, candidates can enhance their exam readiness and boost their confidence to excel in the certification exam.

Question #1
Many organizations require an employee to take a mandatory vacation (holiday) of a week or more to:
A. ensure the employee maintains a good quality of life, which will lead to greater productivity
B. reduce the opportunity for an employee to commit an improper or illegal act
C. provide proper cross-training for another employee
D. eliminate the potential disruption caused when an employee takes vacation one day at a time
View answer
Correct Answer: C
Question #2
Which of the following biometrics methods provides the HIGHEST accuracy and is LEAST accepted by users?
A. Palm Scan
B. Hand Geometry
C. Fingerprint
D. Retina scan
View answer
Correct Answer: D
Question #3
How is the risk of improper file access affected upon implementing a database system?
A. Risk varies
B. Risk is reduced
C. Risk is not affected
D. Risk is increased
View answer
Correct Answer: A
Question #4
Which of the following is an object-oriented technology characteristic that permits an enhanced degree of security over data?
A. Inheritance
B. Dynamic warehousing
C. Encapsulation
D. Polymorphism
View answer
Correct Answer: A
Question #5
Assessing IT risks is BEST achieved by:
A. evaluating threats associated with existing IT assets and IT projects
B. using the firm's past actual loss experience to determine current exposure
C. reviewing published loss statistics from comparable organizations
D. reviewing IT control weaknesses identified in audit reports
View answer
Correct Answer: A
Question #6
Which of the following is an estimation technique where the results can be measured by the functional size of an information system, based on the number and complexity of inputs, outputs, interfaces and queries?
A. Functional Point analysis
B. Gantt Chart
C. Time box management
D. Critical path methodology
View answer
Correct Answer: C
Question #7
When participating in a systems-development project, an IS auditor should focus on system controls rather than ensuring that adequate and complete documentation exists for all projects. True or false?
A. True
B. False
View answer
Correct Answer: A
Question #8
Which of the following levels in the CMMI model focuses on process innovation and continuous optimization?
A. Level 4
B. Level 5
C. Level 3
D. Level 2
View answer
Correct Answer: C
Question #9
An IS auditor has been asked to participate in project initiation meetings for a critical project. The IS auditor's MAIN concern should be that the:
A. complexity and risks associated with the project have been analyzed
B. resources needed throughout the project have been determined
C. project deliverables have been identified
D. contract for external parties involved in the project has been completed
View answer
Correct Answer: C
Question #10
An IS auditor reviews an organizational chart PRIMARILY for:
A. an understanding of workflows
B. investigating various communication channels
C. understanding the responsibilities and authority of individuals
D. investigating the network connected to different employees
View answer
Correct Answer: A
Question #11
Which of the following methods is recommended by security professionals to PERMANENTLY erase sensitive data on magnetic media?
A. Degaussing
B. Overwrite every sector of the magnetic media with a pattern of 1's and 0's
C. Format magnetic media
D. Delete File allocation table
View answer
Correct Answer: A
Question #12
Effective IT governance will ensure that the IT plan is consistent with the organization's:
A. business plan
B. audit plan
C. security plan
D. investment plan
View answer
Correct Answer: C
Question #13
Which of the following techniques is NOT used by a phreaker against a Private Branch Exchange (PBX)?
A. Eavesdropping
B. Illegal call forwarding
C. Forwarding a user's to an unused or disabled number
D. SYN Flood
View answer
Correct Answer: A
Question #14
William has been assigned a changeover task. He has to break the older system into deliverable modules. Initially, the first module of the older system is phased out using the first module of the new system. Then, the second module of the old system is phased out using the second module of the newer system, and so forth until reaching the last module. Which of the following changeover approaches does William need to implement?
A. Parallel changeover
B. Phased changeover
C. Abrupt changeover
D. Pilot changeover
View answer
Correct Answer: B
Question #15
What are trojan horse programs?
A. A common form of internal attack
B. Malicious programs that require the aid of a carrier program such as email
C. Malicious programs that can run independently and can propagate without the aid of a carrier program such as email
D. A common form of Internet attack
View answer
Correct Answer: D
Question #16
Which of the following layers of an enterprise data flow architecture represents a subset of information from the core data warehouse, selected and organized to meet the needs of a particular business unit or business line?
A. Data preparation layer
B. Desktop Access Layer
C. Data Mart layer
D. Data access layer
View answer
Correct Answer: C
Question #17
Which of the following statements correctly describes the difference between SSL and S/HTTP?
A. Both work at the application layer of the OSI model
B. SSL works at the transport layer, whereas S/HTTP works at the application layer of the OSI model
C. Both work at the transport layer
D. S/HTTP works at the transport layer, whereas SSL works at the application layer of the OSI model
View answer
Correct Answer: A
Question #18
Which of the following devices in a Frame Relay WAN is generally a customer-owned device that provides connectivity between the company's own network and the Frame Relay network?
A. DTE
B. DCE
C. DME
D. DLE
View answer
Correct Answer: B
Question #19
Which of the following would normally be the MOST reliable evidence for an auditor?
A. A confirmation letter received from a third party verifying an account balance
B. Assurance from line management that an application is working as designed
C. Trend data obtained from World Wide Web (Internet) sources
D. Ratio analyses developed by the IS auditor from reports supplied by line management
View answer
Correct Answer: D
Question #20
The phases and deliverables of a system development life cycle (SDLC) project should be determined:
A. during the initial planning stages of the project
B. after early planning has been completed, but before work has begun
C. throughout the work stages, based on risks and exposures
D. only after all risks and exposures have been identified and the IS auditor has recommended appropriate controls
View answer
Correct Answer: D
Question #21
Which of the following is an advantage of prototyping?
A. The finished system normally has strong internal controls
B. Prototype systems can provide significant time and cost savings
C. Change control is often less complicated with prototype systems
D. It ensures that functions or extras are not added to the intended system
View answer
Correct Answer: C
Question #22
When reviewing a project where quality is a major concern, an IS auditor should use the project management triangle to explain that:
A. increases in quality can be achieved, even if resource allocation is decreased
B. increases in quality are only achieved if resource allocation is increased
C. decreases in delivery time can be achieved, even if resource allocation is decreased
D. decreases in delivery time can only be achieved if quality is decreased
View answer
Correct Answer: A
Question #23
View answer
Correct Answer: A
Question #24
A poor choice of passwords and transmission over unprotected communications lines are examples of:
A. vulnerabilities
B. threats
C. probabilities
D. impacts
View answer
Correct Answer: C
Question #25
An IS auditor has been assigned to review IT structures and activities recently outsourced to various providers. Which of the following should the IS auditor determine FIRST?
A. That an audit clause is present in all contracts
B. That the SLA of each contract is substantiated by appropriate KPIs
C. That the contractual warranties of the providers support the business needs of the organization
D. That at contract termination, support is guaranteed by each outsourcer for new outsourcers
View answer
Correct Answer: D
Question #26
What influences decisions regarding criticality of assets?
A. The business criticality of the data to be protected
B. Internal corporate politics
C. The business criticality of the data to be protected, and the scope of the impact upon the organization as a whole
D. The business impact analysis
View answer
Correct Answer: A
Question #27
Which of the following is an advantage of an integrated test facility (ITF)?
A. It uses actual master files or dummies and the IS auditor does not have to review the source of the transaction
B. Periodic testing does not require separate test processes
C. It validates application systems and tests the ongoing operation of the system
D. The need to prepare test data is eliminated
View answer
Correct Answer: D
Question #28
Which of the following tests is an IS auditor performing when a sample of programs is selected to determine if the source and object versions are the same?
A. A substantive test of program library controls
B. A compliance test of program library controls
C. A compliance test of the program compiler controls
D. A substantive test of the program compiler controls
View answer
Correct Answer: A
Question #29
For which of the following applications would rapid recovery be MOST crucial?
A. Point-of-sale system
B. Corporate planning
C. Regulatory reporting
D. Departmental chargeback
View answer
Correct Answer: A
Question #30
Which of the following types of testing validates the functioning of the application under test with other systems, where a set of data is transferred from one system to another?
A. Interface testing
B. Unit Testing
C. System Testing
D. Final acceptance testing
View answer
Correct Answer: A
Question #31
Most access violations are:
A. Accidental
B. Caused by internal hackers
C. Caused by external hackers
D. Related to Internet
View answer
Correct Answer: B
Question #32
During the collection of forensic evidence, which of the following actions would MOST likely result in the destruction or corruption of evidence on a compromised system?
A. Dumping the memory content to a file
B. Generating disk images of the compromised system
C. Rebooting the system
D. Removing the system from the network
View answer
Correct Answer: B
Question #33
Any changes in systems assets, such as replacement of hardware, should be immediately recorded within the assets inventory of which of the following?
A. IT strategic plan
B. Business continuity plan
C. Business impact analysis
D. Incident response plan
View answer
Correct Answer: D
Question #34
What is a common vulnerability, allowing denial-of-service attacks?
A. Assigning access to users according to the principle of least privilege
B. Lack of employee awareness of organizational security policies
C. Improperly configured routers and router access lists
D. Configuring firewall access rules
View answer
Correct Answer: B
Question #35
To reduce the possibility of losing data during processing, the FIRST point at which control totals should be implemented is:
A. during data preparation
B. in transit to the computer
C. between related computer runs
D. during the return of the data to the user department
View answer
Correct Answer: A
Question #36
Which of the following is the MOST important element for the successful implementation of IT governance?
A. Implementing an IT scorecard
B. Identifying organizational strategies
C. Performing a risk assessment
D. Creating a formal security policy
View answer
Correct Answer: A
Question #37
The knowledge base of an expert system that uses questionnaires to lead the user through a series of choices before a conclusion is reached is known as:
A. rules
B. decision trees
C. semantic nets
D. dataflow diagrams
View answer
Correct Answer: A
Question #38
Which of the following risks could result from inadequate software baselining?
A. Scope creep
B. Sign-off delays
C. Software integrity violations
D. Inadequate controls
View answer
Correct Answer: A
Question #39
Structured programming is BEST described as a technique that:
A. provides knowledge of program functions to other programmers via peer reviews
B. reduces the maintenance time of programs by the use of small-scale program modules
C. makes the readable coding reflect as closely as possible the dynamic execution of the program
D. controls the coding and testing of the high-level functions of the program in the development process
View answer
Correct Answer: A
Question #40
Which of the following statements INCORRECTLY describes anti-malware?
View answer
Correct Answer: B
Question #41
Establishing data ownership is an important first step for which of the following processes?
A. Assigning user access privileges
B. Developing organizational security policies
C. Creating roles and responsibilities
D. Classifying data
View answer
Correct Answer: B
Question #42
Which of the following help(s) prevent an organization's systems from participating in a distributed denial-of-service (DDoS) attack?
A. Inbound traffic filtering
B. Using access control lists (ACLs) to restrict inbound connection attempts
C. Outbound traffic filtering
D. Recentralizing distributed systems
View answer
Correct Answer: A
Question #43
Which of the following is a characteristic of timebox management?
A. Not suitable for prototyping or rapid application development (RAD)
B. Eliminates the need for a quality process
C. Prevents cost overruns and delivery delays
D. Separates system and user acceptance testing
View answer
Correct Answer: C
Question #44
Which of the following is the most important element in the design of a data warehouse?
A. Quality of the metadata
B. Speed of the transactions
C. Volatility of the data
D. Vulnerability of the system
View answer
Correct Answer: A
Question #45
Which of the following types of computer has the highest processing speed?
A. Supercomputers
B. Midrange servers
C. Personal computers
D. Thin client computers
View answer
Correct Answer: D
Question #46
Which of the following is the protocol data unit (PDU) of the network interface layer in the TCP/IP model?
A. Data
B. Segment
C. Packet
D. Frame
View answer
Correct Answer: A
Question #47
Which of the following should be of MOST concern to an IS auditor?
A. Lack of reporting of a successful attack on the network
B. Failure to notify police of an attempted intrusion
C. Lack of periodic examination of access rights
D. Lack of notification to the public of an intrusion
View answer
Correct Answer: C
Question #48
Which of the following is an advantage of the top-down approach to software testing?
A. Interface errors are identified early
B. Testing can be started before all programs are complete
C. It is more effective than other testing approaches
D. Errors in critical modules are detected sooner
View answer
Correct Answer: B
Question #49
Which of the following is the correct sequence of events to be followed for evidence handling in computer forensics?
A. Identify, Analyze, Preserve and Present
B. Analyze, Identify, Preserve and Present
C. Preserve, Identify, Analyze and Present
D. Identify, Preserve, Analyze and Present
View answer
Correct Answer: A
Question #50
Which of the following types of lock uses a magnetic or embedded-chip plastic card key or token, entered into a sensor/reader, to gain access?
A. Bolting door locks
B. Combination door lock
C. Electronic door lock
D. Biometric door lock
View answer
Correct Answer: D
Question #51
Which of the following software development methodologies uses minimal planning in favor of rapid prototyping?
A. Agile Developments
B. Software prototyping
C. Rapid application development
D. Component based development
View answer
Correct Answer: D
Question #52
An IS auditor is reviewing a project that is using an Agile software development approach. Which of the following should the IS auditor expect to find?
A. Use a process-based maturity model such as the capability maturity model (CMM)
B. Regular monitoring of task-level progress against schedule
C. Extensive use of software development tools to maximize team productivity
D. Post-iteration reviews that identify lessons learned for future use in the project
View answer
Correct Answer: B
Question #53
Which of the following is the PRIMARY purpose for conducting parallel testing?
A. To determine if the system is cost-effective
B. To enable comprehensive unit and system testing
C. To highlight errors in the program interfaces with files
D. To ensure the new system meets user requirements
View answer
Correct Answer: C
Question #54
The initial step in establishing an information security program is the:
A. development and implementation of an information security standards manual
B. performance of a comprehensive security control review by the IS auditor
C. adoption of a corporate information security policy statement
D. purchase of security access control software
View answer
Correct Answer: C
Question #55
An organization having a number of offices across a wide geographical area has developed a disaster recovery plan (DRP). Using actual resources, which of the following is the MOST cost-effective test of the DRP?
A. Full operational test
B. Preparedness test
C. Paper test
D. Regression test
View answer
Correct Answer: A
Question #56
In which of the following payment models does the payer create payment transfer instructions, sign them digitally and send them to the issuer?
A. Electronic Money model
B. Electronic Checks model
C. Electronic Transfer model
D. Electronic Withdrawal model
View answer
Correct Answer: C
Question #57
Hamid needs to shift users from the existing (old) system to the replacing (new) system. His manager Lily has suggested he use an approach in which the newer system is changed over from the older system on a cutoff date and time, and the older system is discontinued once the changeover to the new system takes place. Which of the following changeover approaches is suggested by Lily?
A. Parallel changeover
B. Phased changeover
C. Abrupt changeover
D. Pilot changeover
View answer
Correct Answer: C
Question #58
Proper segregation of duties prevents a computer operator (user) from performing security administration duties. True or false?
A. True
B. False
View answer
Correct Answer: D
Question #59
What type of risk is associated with authorized program exits (trap doors)?
A. Business risk
B. Audit risk
C. Detective risk
D. Inherent risk
View answer
Correct Answer: A
Question #60
Overall business risk for a particular threat can be expressed as:
A. a product of the probability and magnitude of the impact if a threat successfully exploits a vulnerability
B. the magnitude of the impact should a threat source successfully exploit the vulnerability
C. the likelihood of a given threat source exploiting a given vulnerability
D. the collective judgment of the risk assessment team
View answer
Correct Answer: B
Question #61
An IS auditor finds that a system under development has 12 linked modules and each item of data can carry up to 10 definable attribute fields. The system handles several million transactions a year. Which of these techniques could an IS auditor use to estimate the size of the development effort?
A. Program evaluation review technique (PERT)
B. Counting source lines of code (SLOC)
C. Function point analysis
D. White box testing
View answer
Correct Answer: B
Question #62
Whenever an application is modified, what should be tested to determine the full impact of the change?
A. Interface systems with other applications or systems
B. The entire program, including any interface systems with other applications or systems
C. All programs, including interface systems with other applications or systems
D. Mission-critical functions and any interface systems with other applications or systems
View answer
Correct Answer: A
Question #63
Which of the following attacks could be avoided by creating more security awareness in the organization and providing adequate security knowledge to all employees?
A. Smurf attack
B. Traffic analysis
C.
D. Interrupt attack
View answer
Correct Answer: C
Question #64
When assessing the design of network monitoring controls, an IS auditor should FIRST review network:
A. topology diagrams
B. bandwidth usage
C. traffic analysis reports
D. bottleneck locations
View answer
Correct Answer: A
Question #65
The purpose of a checksum on an amount field in an electronic data interchange (EDI) communication of financial transactions is to ensure:
A. integrity
B. authenticity
C. authorization
D. nonrepudiation
View answer
Correct Answer: D
Question #66
A proposed transaction processing application will have many data capture sources and outputs in paper and electronic form. To ensure that transactions are not lost during processing, an IS auditor should recommend the inclusion of:
A. validation controls
B. internal credibility checks
C. clerical control procedures
D. automated systems balancing
View answer
Correct Answer: A
Question #67
Which of the following statements is NOT true about Voice over IP (VoIP)?
A. VoIP uses circuit switching technology
B. Lower cost per call or even free calls, especially for long distance calls
C. Lower infrastructure cost
D. VoIP is a technology where voice traffic is carried on top of existing data infrastructure
View answer
Correct Answer: A
Question #68
Which of the following is the GREATEST risk to the effectiveness of application system controls?
A. Removal of manual processing steps
B. Inadequate procedure manuals
C. Collusion between employees
D. Unresolved regulatory compliance issues
View answer
Correct Answer: C
Question #69
Normally, it would be essential to involve which of the following stakeholders in the initiation stage of a project?
A. System owners
B. System users
C. System designers
D. System builders
View answer
Correct Answer: C
Question #70
The PRIMARY purpose of an IT forensic audit is:
A. to participate in investigations related to corporate fraud
View answer
Correct Answer: C
Question #71
Which of the following network configuration options contains a direct link between any two host machines?
A. Bus
B. Ring
C. Star
D. Completely connected (mesh)
View answer
Correct Answer: B
Question #72
Which of the following is MOST likely to result from a business process reengineering (BPR) Project?
A. An increased number of people using technology
B. Significant cost savings, through a reduction in the complexity of information technology
C. Weaker organizational structures and less accountability
D. Increased information protection (IP) risk
View answer
Correct Answer: A
Question #73
What type of cryptosystem is characterized by data being encrypted by the sender using the recipient's public key, and the data then being decrypted using the recipient's private key?
A. With public-key encryption, or symmetric encryption
B. With public-key encryption, or asymmetric encryption
C. With shared-key encryption, or symmetric encryption
D. With shared-key encryption, or asymmetric encryption
View answer
Correct Answer: B
Question #74
Which of the following is the PRIMARY objective of an IT performance measurement process?
A. Minimize errors
B. Gather performance data
C. Establish performance baselines
D. Optimize performance
View answer
Correct Answer: A
Question #75
While implementing an invoice system, Lily has implemented a database control which checks that new transactions are matched against those previously input, to ensure that they have not already been entered. Which of the following controls is implemented by Lily?
A. Range Check
B. Duplicate Check
C. Existence check
D. Reasonableness check
View answer
Correct Answer: B
Question #76
During the system testing phase of an application development project the IS auditor should review the:
A. conceptual design specifications
B. vendor contract
C. error reports
D. program change requests
View answer
Correct Answer: B
Question #77
Which of the following is the process of repeating a portion of a test scenario or test plan to ensure that changes in the information system have not introduced any errors?
A. Parallel Test
B. Black box testing
C. Regression Testing
D. Pilot Testing
View answer
Correct Answer: C
Question #78
From a control perspective, the key element in job descriptions is that they:
A. provide instructions on how to do the job and define authority
B. are current, documented and readily available to the employee
C. communicate management's specific job performance expectations
D. establish responsibility and accountability for the employee's actions
View answer
Correct Answer: C
Question #79
How does the SSL network protocol provide confidentiality?
A. Through symmetric encryption such as RSA
B. Through asymmetric encryption such as Data Encryption Standard, or DES
C. Through asymmetric encryption such as Advanced Encryption Standard, or AES
D. Through symmetric encryption such as Data Encryption Standard, or DES
View answer
Correct Answer: C
Question #80
The vice president of human resources has requested an audit to identify payroll overpayments for the previous year. Which would be the BEST audit technique to use in this situation?
A. Test data
B. Generalized audit software
C. Integrated test facility
D. Embedded audit module
View answer
Correct Answer: A
Question #81
Which of the following can help detect transmission errors by appending specially calculated bits onto the end of each segment of data?
A. Redundancy check
B. Completeness check
C. Accuracy check
D. Parity check
View answer
Correct Answer: A
Question #82
The IT balanced scorecard is a business governance tool intended to monitor IT performance evaluation indicators other than:
A. financial results
B. customer satisfaction
C. internal process efficiency
D. innovation capacity
View answer
Correct Answer: C
Question #83
Which of the following is used to evaluate biometric access controls?
A. FAR
B. EER
C. ERR
D. FRR
View answer
Correct Answer: A