
Boost Your Performance in the ISACA CISA Exam with Realistic Mock Tests

Certified Information Systems Auditor® (CISA®) is globally recognized as the benchmark of achievement for professionals who audit, control, monitor, and assess IT and business systems within organizations. For mid-career professionals, obtaining CISA certification demonstrates expertise in applying a risk-based approach to audit engagements. SPOTO's ISACA CISA exam questions provide significant advantages for successful certification. These include comprehensive exam questions and answers, covering essential test questions in the exam format. SPOTO's exam preparation materials are designed to enhance understanding and mastery of key concepts, ensuring thorough preparation for the exam. With access to SPOTO's study materials and exam resources, candidates can effectively prepare and pass the CISA exam with confidence. Furthermore, SPOTO offers mock exams to simulate real exam conditions, enabling candidates to assess readiness and improve performance to achieve a successful pass.

Question #1
Which of the following should be of GREATEST concern to an IS auditor reviewing an organization's business continuity plan (BCP)?
A. The BCP's contact information needs to be updated
B. The BCP is not version controlled
C. The BCP has not been approved by senior management
D. The BCP has not been tested since it was first issued
Correct Answer: D
Question #2
Which of the following is the BEST way for an organization to mitigate the risk associated with third-party application performance?
A. Ensure the third party allocates adequate resources to meet requirements
B. Use analytics within the internal audit function
C. Conduct a capacity planning exercise
D. Utilize performance monitoring tools to verify service level agreements (SLAs)
Correct Answer: D
Question #3
During an incident management audit, an IS auditor finds that several similar incidents were logged during the audit period. Which of the following is the auditor's MOST important course of action?
A. Document the finding and present it to management
B. Determine if a root cause analysis was conducted
C. Confirm the resolution time of the incidents
D. Validate whether all incidents have been actioned
Correct Answer: B
Question #4
An IS auditor finds that capacity management for a key system is being performed by IT with no input from the business. The auditor's PRIMARY concern would be:
A. failure to maximize the use of equipment
B. unanticipated increase in the business's capacity needs
C. cost of excessive data center storage capacity
D. impact to future business project funding
Correct Answer: B
Question #5
Which of the following should be the FIRST step when developing a data loss prevention (DLP) solution for a large organization?
A. Identify approved data workflows across the enterprise
B. Conduct a threat analysis against sensitive data usage
C. Create the DLP policy
D. Conduct a data inventory and classification exercise
Correct Answer: D
Question #6
If enabled within firewall rules, which of the following services would present the GREATEST risk?
A. Simple mail transfer protocol (SMTP)
B. Simple object access protocol (SOAP)
C. Hypertext transfer protocol (HTTP)
D. File transfer protocol (FTP)
Correct Answer: D
Question #7
An organization is considering allowing users to connect personal devices to the corporate network. Which of the following should be done FIRST?
A. Conduct security awareness training
B. Implement an acceptable use policy
C. Create inventory records of personal devices
D. Configure users on the mobile device management (MDM) solution
Correct Answer: B
Question #8
Which of the following would MOST likely impair the independence of the IS auditor when performing a post-implementation review of an application system?
A. The IS auditor provided consulting advice concerning application system best practices
B. The IS auditor participated as a member of the application system project team, but did not have operational responsibilities
C. The IS auditor designed an embedded audit module exclusively for auditing the application system
D. The IS auditor implemented a specific control during the development of the application system
Correct Answer: D
Question #9
Which of the following would provide the MOST important input during the planning phase for an audit on the implementation of a bring your own device (BYOD) program?
A. Findings from prior audits
B. Results of a risk assessment
C. An inventory of personal devices to be connected to the corporate network
D. Policies including BYOD acceptable user statements
Correct Answer: D
Question #10
Which of the following should an IS auditor review FIRST when planning a customer data privacy audit?
A. Legal and compliance requirements
B. Customer agreements
C. Data classification
D. Organizational policies and procedures
Correct Answer: D
Question #11
A system administrator recently informed the IS auditor about the occurrence of several unsuccessful intrusion attempts from outside the organization. Which of the following is MOST effective in detecting such an intrusion?
A. Using smart cards with one-time passwords
B. Periodically reviewing log files
C. Configuring the router as a firewall
D. Installing biometrics-based authentication
Correct Answer: C
Question #12
An organization allows its employees to use personal mobile devices for work. Which of the following would BEST maintain information security without compromising employee privacy?
A. Installing security software on the devices
B. Partitioning the work environment from personal space on devices
C. Preventing users from adding applications
D. Restricting the use of devices for personal purposes during working hours
Correct Answer: B
Question #13
The GREATEST benefit of using a prototyping approach in software development is that it helps to:
A. minimize scope changes to the system
B. decrease the time allocated for user testing and review
C. conceptualize and clarify requirements
D. improve efficiency of quality assurance (QA) testing
Correct Answer: C
Question #14
Which of the following is MOST important for an IS auditor to review when evaluating the accuracy of a spreadsheet that contains several macros?
A. Encryption of the spreadsheet
B. Version history
C. Formulas within macros
D. Reconciliation of key calculations
Correct Answer: D
Question #15
An IS auditor has found that an organization is unable to add new servers on demand in a cost-efficient manner. Which of the following is the auditor's BEST recommendation?
A. Increase the capacity of existing systems
B. Upgrade hardware to newer technology
C. Hire temporary contract workers for the IT function
D. Build a virtual environment
Correct Answer: D
Question #16
An organization has outsourced its data processing function to a service provider. Which of the following would BEST determine whether the service provider continues to meet the organization's objectives?
A. Assessment of the personnel training processes of the provider
B. Adequacy of the service provider's insurance
C. Review of performance against service level agreements (SLAs)
D. Periodic audits of controls by an independent auditor
Correct Answer: D
Question #17
Which of the following is the BEST way to enforce the principle of least privilege on a server containing data with different security classifications?
A. Limiting access to the data files based on frequency of use
B. Obtaining formal agreement by users to comply with the data classification policy
C. Applying access controls determined by the data owner
D. Using scripted access control lists to prevent unauthorized access to the server
Correct Answer: C
Question #18
Due to limited storage capacity, an organization has decided to reduce the actual retention period for media containing completed low-value transactions. Which of the following is MOST important for the organization to ensure?
A. The policy includes a strong risk-based approach
B. The retention period allows for review during the year-end audit
C. The retention period complies with data owner responsibilities
D. The total transaction amount has no impact on financial reporting
Correct Answer: C
Question #19
During the implementation of an upgraded enterprise resource planning (ERP) system, which of the following is the MOST important consideration for a go-live decision?
A. Rollback strategy
B. Test cases
C. Post-implementation review objectives
D. Business case
Correct Answer: D
Question #20
An organization is implementing a new system that supports a month-end business process. Which of the following implementation strategies would be MOST efficient to decrease business downtime?
A. Cutover
B. Phased
C. Pilot
D. Parallel
Correct Answer: C
Question #21
Which of the following should be of GREATEST concern to an IS auditor reviewing data conversion and migration during the implementation of a new application system?
A. Data conversion was performed using manual processes
B. Backups of the old system and data are not available online
C. Unauthorized data modifications occurred during conversion
D. The change management process was not formally documented
Correct Answer: C
Question #22
Which of the following provides the MOST assurance over the completeness and accuracy of loan application processing with respect to the implementation of a new system?
A. Comparing code between old and new systems
B. Running historical transactions through the new system
C. Reviewing quality assurance (QA) procedures
D. Loading balance and transaction data to the new system
Correct Answer: B
Question #23
Which of the following is the BEST method to safeguard data on an organization's laptop computers?
A. Disabled USB ports
B. Full disk encryption
C. Biometric access control
D. Two-factor authentication
Correct Answer: C
Question #24
The implementation of an IT governance framework requires that the board of directors of an organization:
A. Address technical IT issues
B. Be informed of all IT initiatives
C. Have an IT strategy committee
D. Approve the IT strategy
Correct Answer: D
Question #25
What is BEST for an IS auditor to review when assessing the effectiveness of changes recently made to processes and tools related to an organization's business continuity plan (BCP)?
A. Full test results
B. Completed test plans
C. Updated inventory of systems
D. Change management processes
Correct Answer: A
Question #26
Which of the following will BEST ensure that a proper cutoff has been established to reinstate transactions and records to their condition just prior to a computer system failure?
A. Rotating backup copies of transaction files offsite
B. Using a database management system (DBMS) to dynamically back-out partially processed transactions
C. Maintaining system console logs in electronic format
D. Ensuring bisynchronous capabilities on all transmission lines
Correct Answer: D
Question #27
Which of the following is the BEST data integrity check?
A. Counting the transactions processed per day
B. Performing a sequence check
C. Tracing data back to the point of origin
D. Preparing and running test data
Correct Answer: C
Question #28
Which of the following is the GREATEST concern associated with a high number of IT policy exceptions approved by management?
A. The exceptions are likely to continue indefinitely
B. The exceptions may result in noncompliance
C. The exceptions may elevate the level of operational risk
D. The exceptions may negatively impact process efficiency
Correct Answer: B
Question #29
Which of the following is MOST important when implementing a data classification program?
A. Understanding the data classification levels
B. Formalizing data ownership
C. Developing a privacy policy
D. Planning for secure storage capacity
Correct Answer: B
Question #30
Which of the following is the BEST control to mitigate the malware risk associated with an instant messaging (IM) system?
A. Blocking attachments in IM
B. Blocking external IM traffic
C. Allowing only corporate IM solutions
D. Encrypting IM traffic
Correct Answer: C
Question #31
Cross-site scripting (XSS) attacks are BEST prevented through:
A. application firewall policy settings
B. a three-tier web architecture
C. secure coding practices
D. use of common industry frameworks
Correct Answer: C
Question #32
Which of the following is the BEST way to address segregation of duties issues in an organization with budget constraints?
A. Rotate job duties periodically
B. Perform an independent audit
C. Hire temporary staff
D. Implement compensating controls
Correct Answer: D
Question #33
What is the BEST control to address SQL injection vulnerabilities?
A. Unicode translation
B. Secure Sockets Layer (SSL) encryption
C. Input validation
D. Digital signatures
Correct Answer: C
Question #34
Which of the following conditions would be of MOST concern to an IS auditor assessing the risk of a successful brute force attack against encrypted data at rest?
A. Short key length
B. Random key generation
C. Use of symmetric encryption
D. Use of asymmetric encryption
Correct Answer: A
Question #35
An IS auditor concludes that an organization has a quality security policy. Which of the following is MOST important to determine next? The policy must be:
A. well understood by all employees
B. based on industry standards
C. developed by process owners
D. updated frequently
Correct Answer: A
Question #36
Which of the following is the GREATEST risk of using a reciprocal site for disaster recovery?
A. Inability to utilize the site when required
B. Inability to test the recovery plans onsite
C. Equipment compatibility issues at the site
D. Mismatched organizational security policies
Correct Answer: B
Question #37
Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization's information security policy?
A. IT steering committee minutes
B. Business objectives
C. Alignment with the IT tactical plan
D. Compliance with industry best practice
Correct Answer: B
Question #38
Which of the following is the BEST way to ensure that business continuity plans (BCPs) will work effectively in the event of a major disaster?
A. Prepare detailed plans for each business function
B. Involve staff at all levels in periodic paper walk-through exercises
C. Regularly update business impact assessments
D. Make senior managers responsible for their plan sections
Correct Answer: B
Question #39
Which of the following is MOST important to ensure when developing an effective security awareness program?
A. Training personnel are information security professionals
B. Phishing exercises are conducted post-training
C. Security threat scenarios are included in the program content
D. Outcome metrics for the program are established
Correct Answer: D
Question #40
An IS auditor has found that a vendor has gone out of business and the escrow has an older version of the source code. What is the auditor's BEST recommendation for the organization?
A. Analyze a new application that meets the current re
B. Perform an analysis to determine the business risk
C. Bring the escrow version up to date
D. Develop a maintenance plan to support the application using the existing code
Correct Answer: C
Question #41
In response to an audit finding regarding a payroll application, management implemented a new automated control. Which of the following would be MOST helpful to the IS auditor when evaluating the effectiveness of the new control?
A. Approved test scripts and results prior to implementation
B. Written procedures defining processes and controls
C. Approved project scope document
D. A review of tabletop exercise results
Correct Answer: B
Question #42
Which of the following will be the MOST effective method to verify that a service vendor keeps control levels as required by the client?
A. Conduct periodic on-site assessments using agreed-upon criteria
B. Periodically review the service level agreement (SLA) with the vendor
C. Conduct an unannounced vulnerability assessment of vendor's IT systems
D. Obtain evidence of the vendor's control self-assessment (CSA)
Correct Answer: C
Question #43
An IS auditor notes that IT and the business have different opinions on the availability of their application servers. Which of the following should the IS auditor review FIRST in order to understand the problem?
A. The exact definition of the service levels and their measurement
B. The alerting and measurement process on the application servers
C. The actual availability of the servers as part of a substantive test
D. The regular performance-reporting documentation
Correct Answer: A
Question #44
Which of the following is the BEST method to prevent wire transfer fraud by bank employees?
A. Independent reconciliation
B. Re-keying of wire dollar amounts
C. Two-factor authentication control
D. System-enforced dual control
Correct Answer: D
Question #45
An organization has recently acquired and implemented intelligent-agent software for granting loans to customers. During the post-implementation review, which of the following is the MOST important procedure for the IS auditor to perform?
A. Review system and error logs to verify transaction accuracy
B. Review input and output control reports to verify the accuracy of the system decisions
C. Review signed approvals to ensure responsibilities for decisions of the system are well defined
D. Review system documentation to ensure completeness
Correct Answer: B
Question #46
During the implementation of a new system, an IS auditor must assess whether certain automated calculations comply with the regulatory requirements. Which of the following is the BEST way to obtain this assurance?
A. Review sign-off documentation
B. Review the source code related to the calculation
C. Re-perform the calculation with audit software
D. Inspect user acceptance test (UAT) results
Correct Answer: C
Question #47
An externally facing system containing sensitive data is configured such that users have either read-only or administrator rights. Most users of the system have administrator access. Which of the following is the GREATEST risk associated with this situation?
A. Users can export application logs
B. Users can view sensitive data
C. Users can make unauthorized changes
D. Users can install open-licensed software
Correct Answer: C
Question #48
When determining whether a project in the design phase will meet organizational objectives, what is BEST to compare against the business case?
A. Implementation plan
B. Project budget provisions
C. Requirements analysis
D. Project plan
Correct Answer: C
Question #49
Which of the following BEST helps to ensure data integrity across system interfaces?
A. Environment segregation
B. Reconciliation
C. System backups
D. Access controls
Correct Answer: D
Question #50
Which of the following is MOST helpful for measuring benefits realization for a new system?
A. Function point analysis
B. Balanced scorecard review
C. Post-implementation review
D. Business impact analysis (BIA)
Correct Answer: A
Question #51
Which of the following MUST be completed as part of the annual audit planning process?
A. Business impact analysis (BIA)
B. Fieldwork
C. Risk assessment
D. Risk control matrix
Correct Answer: C
Question #52
Which of the following should be the MOST important consideration when conducting a review of IT portfolio management?
A. Assignment of responsibility for each project to an IT team member
B. Adherence to best practice and industry approved methodologies
C. Controls to minimize risk and maximize value for the IT portfolio
D. Frequency of meetings where the business discusses the IT portfolio
Correct Answer: D
Question #53
Which of the following would BEST manage the risk of changes in requirements after the analysis phase of a business application development project?
A. Expected deliverables meeting project deadlines
B. Sign-off from the IT team
C. Ongoing participation by relevant stakeholders
D. Quality assurance (QA) review
Correct Answer: B
Question #54
During an audit of an organization's risk management practices, an IS auditor finds several documented IT risk acceptances have not been renewed in a timely manner after the assigned expiration date. When assessing the severity of this finding, which mitigating factor would MOST significantly minimize the associated impact?
A. There are documented compensating controls over the business processes
B. The risk acceptances were previously reviewed and approved by appropriate senior management
C. The business environment has not significantly changed since the risk acceptances were approved
D. The risk acceptances with issues reflect a small percentage of the total population
Correct Answer: B
Question #55
During a new system implementation, an IS auditor has been assigned to review risk management at each milestone. The auditor finds that several risks to project benefits have not been addressed. Who should be accountable for managing these risks?
A. Enterprise risk manager
B. Project sponsor
C. Information security officer
D. Project manager
Correct Answer: D
Question #56
Which of the following would be an appropriate role of internal audit in helping to establish an organization's privacy program?
A. Analyzing risks posed by new regulations
B. Developing procedures to monitor the use of personal data
C. Defining roles within the organization related to privacy
D. Designing controls to protect personal data
Correct Answer: A
Question #57
Which of the following is the BEST detective control for a job scheduling process involving data transmission?
A. Metrics denoting the volume of monthly job failures are reported and reviewed by senior management
B. Jobs are scheduled to be completed daily and data is transmitted using a Secure File Transfer Protocol (SFTP)
C. Jobs are scheduled and a log of this activity is retained for subsequent review
D. Job failure alerts are automatically generated and routed to support personnel
Correct Answer: D
Question #58
Which of the following is a corrective control?
A. Separating equipment development testing and production
B. Verifying duplicate calculations in data processing
C. Reviewing user access rights for segregation
D. Executing emergency response plans
Correct Answer: D
Question #59
What is the PRIMARY purpose of documenting audit objectives when preparing for an engagement?
A. To address the overall risk associated with the activity under review
B. To identify areas with relatively high probability of material problems
C. To help ensure maximum use of audit resources during the engagement
D. To help prioritize and schedule auditee meetings
Correct Answer: B
Question #60
What would be an IS auditor's BEST recommendation upon finding that a third-party IT service provider hosts the organization's human resources (HR) system in a foreign country?
A. Perform background verification checks
B. Review third-party audit reports
C. Implement change management review
D. Conduct a privacy impact analysis
Correct Answer: D
Question #61
During a follow-up audit, an IS auditor learns that some key management personnel have been replaced since the original audit, and current management has decided not to implement some previously accepted recommendations. What is the auditor's BEST course of action?
A. Notify the chair of the audit committee
B. Notify the audit manager
C. Retest the control
D. Close the audit finding
Correct Answer: B
Question #62
Which of the following components of a risk assessment is MOST helpful to management in determining the level of risk mitigation to apply?
A. Risk identification
B. Risk classification
C. Control self-assessment (CSA)
D. Impact assessment
Correct Answer: D
Question #63
During the planning phase of a data loss prevention (DLP) audit, management expresses a concern about mobile computing. Which of the following should the IS auditor identify as the associated risk?
A. The use of the cloud negatively impacting IT availability
B. Increased need for user awareness training
C. Increased vulnerability due to anytime, anywhere accessibility
D. Lack of governance and oversight for IT infrastructure and applications
Correct Answer: C
Question #64
When an intrusion into an organization's network is detected, which of the following should be done FIRST?
A. Block all compromised network nodes
B. Contact law enforcement
C. Notify senior management
D. Identify nodes that have been compromised
Correct Answer: D
Question #65
Which of the following application input controls would MOST likely detect data input errors in the customer account number field during the processing of an accounts receivable transaction?
A. Limit check
B. Parity check
C. Reasonableness check
D. Validity check
Correct Answer: C
Question #66
Which of the following is the MOST important determining factor when establishing appropriate timeframes for follow-up activities related to audit findings?
A. Availability of IS audit resources
B. Remediation dates included in management responses
C. Peak activity periods for the business
D. Complexity of business processes identified in the audit
Correct Answer: C
Question #67
During a follow-up audit, it was found that a complex security vulnerability of low risk was not resolved within the agreed-upon timeframe. IT has stated that the system with the identified vulnerability is being replaced and is expected to be fully functional in two months. Which of the following is the BEST course of action?
A. Require documentation that the finding will be addressed within the new system
B. Schedule a meeting to discuss the issue with senior management
C. Perform an ad hoc audit to determine if the vulnerability has been exploited
D. Recommend the finding be resolved prior to implementing the new system
Correct Answer: C
Question #68
Which of the following is necessary for effective risk management in IT governance?
A. Local managers are solely responsible for risk evaluation
B. IT risk management is separate from corporate risk management
C. Risk management strategy is approved by the audit committee
D. Risk evaluation is embedded in management processes
Correct Answer: D
Question #69
During an IT governance audit, an IS auditor notes that IT policies and procedures are not regularly reviewed and updated. The GREATEST concern to the IS auditor is that policies and procedures might not:
A. reflect current practices
B. include new systems and corresponding process changes
C. incorporate changes to relevant laws
D. be subject to adequate quality assurance (QA)
Correct Answer: D
Question #70
The PRIMARY role of a control self-assessment (CSA) facilitator is to:
A. conduct interviews to gain background information
B. focus the team on internal controls
C. report on the internal control weaknesses
D. provide solutions for control weaknesses
Correct Answer: B
Question #71
Which of the following must be in place before an IS auditor initiates audit follow-up activities?
A. Available resources for the activities included in the action plan
B. A management response in the final report with a committed implementation date
C. A heat map with the gaps and recommendations displayed in terms of risk
D. Supporting evidence for the gaps and recommendations mentioned in the audit report
Correct Answer: B
Question #72
When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor's BEST recommendation is to place an intrusion detection system (IDS) between the firewall and:
A. the Internet
B. the demilitarized zone (DMZ)
C. the organization's web server
D. the organization's network
Correct Answer: D
Question #73
An IS auditor finds that application servers had inconsistent security settings leading to potential vulnerabilities. Which of the following is the BEST recommendation by the IS auditor?
A. Improve the change management process
B. Establish security metrics
C. Perform a penetration test
D. Perform a configuration review
Correct Answer: D
Question #74
An IS auditor discovers that validation controls in a web application have been moved from the server side into the browser to boost performance. This would MOST likely increase the risk of a successful attack by:
A. phishing
B. denial of service (DoS)
C. structured query language (SQL) injection
D. buffer overflow
Correct Answer: D
Question #75
Which of the following should be of GREATEST concern for an IS auditor reviewing an organization's disaster recovery plan (DRP)?
A. The DRP has not been formally approved by senior management
B. The DRP has not been distributed to end users
C. The DRP has not been updated since an IT infrastructure upgrade
D. The DRP contains recovery procedures for critical servers only
Correct Answer: C
Question #76
During a review of a production schedule, an IS auditor observes that a staff member is not complying with mandatory operational procedures. The auditor's NEXT step should be to:
A. note the noncompliance in the audit working papers
B. issue an audit memorandum identifying the noncompliance
C. include the noncompliance in the audit report
D. determine why the procedures were not followed
Correct Answer: D
Question #77
A post-implementation review was conducted by issuing a survey to users. Which of the following should be of GREATEST concern to an IS auditor?
A. The survey results were not presented in detail to management
B. The survey questions did not address the scope of the business case
C. The survey form template did not allow additional feedback to be provided
D. The survey was issued to employees a month after implementation
Correct Answer: B
Question #78
A month after a company purchased and implemented system and performance monitoring software, reports were too large and therefore were not reviewed or acted upon. The MOST effective plan of action would be to:
A. evaluate replacement systems and performance monitoring software
B. restrict functionality of system monitoring software to security-related events
C. re-install the system and performance monitoring software
D. use analytical tools to produce exception reports from the system and performance monitoring software
Correct Answer: B
Question #79
Which of the following access rights presents the GREATEST risk when granted to a new member of the system development staff?
A. Write access to production program libraries
B. Write access to development data libraries
C. Execute access to production program libraries
D. Execute access to development program libraries
Correct Answer: A
Question #80
An IS auditor notes that the previous year's disaster recovery test was not completed within the scheduled time frame due to insufficient hardware allocated by a third-party vendor. Which of the following provides the BEST evidence that adequate resources are now allocated to successfully recover the systems?
A. Service level agreement (SLA)
B. Hardware change management policy
C. Vendor memo indicating problem correction
D. An up-to-date RACI chart
View answer
Correct Answer: A
Question #81
A third-party consultant is managing the replacement of an accounting system. Which of the following should be the IS auditor's GREATEST concern?
A. Data migration is not part of the contracted activities
B. The replacement is occurring near year-end reporting
C. The user department will manage access rights
D. Testing was performed by the third-party consultant
View answer
Correct Answer: C
Question #82
An IS auditor notes the transaction processing times in an order processing system have significantly increased after a major release. Which of the following should the IS auditor review FIRST?
A. Capacity management plan
B. Training plans
C. Database conversion results
D. Stress testing results
View answer
Correct Answer: D
Question #83
An employee loses a mobile device, resulting in loss of sensitive corporate data. Which of the following would have BEST prevented data leakage?
A. Data encryption on the mobile device
B. Complex password policy for mobile devices
C. The triggering of remote data wipe capabilities
D. Awareness training for mobile device users
View answer
Correct Answer: A
Question #84
Which of the following should be an IS auditor's GREATEST concern when an international organization intends to roll out a global data privacy policy?
A. Requirements may become unreasonable
B. The policy may conflict with existing application requirements
C. Local regulations may contradict the policy
D. Local management may not accept the policy
View answer
Correct Answer: C
Question #85
During a follow-up audit, an IS auditor finds that some critical recommendations have not been implemented. Which of the following should be the IS auditor's BEST course of action?
A. Require the auditee to address the recommendations in full
B. Adjust the annual risk assessment accordingly
C. Evaluate senior management's acceptance of the risk
D. Update the audit program based on management's acceptance of risk
View answer
Correct Answer: B
Question #86
Which of the following will MOST likely compromise the control provided by a digital signature created using RSA encryption?
A. Reversing the hash function using the digest
B. Altering the plaintext message
C. Deciphering the receiver's public key
D. Obtaining the sender's private key
View answer
Correct Answer: D
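Worked example for this question, added for this page (it is not part of the question bank and not ISACA's material): a toy RSA signature in Python. The key is fixed from two known Mersenne primes so the block runs offline; that key size is an illustration only and is nowhere near secure. The digest is reduced modulo the toy modulus for the same reason. The demo shows why option D is the answer: altering the message or the signature breaks verification, but whoever holds the private exponent can sign anything at all.

```python
"""Toy RSA signature: verification fails on tampering, but a stolen private key forges."""
import hashlib

# Fixed toy key from two known Mersenne primes (demo only, far too small for real use).
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537                      # public exponent; gcd(E, PHI) == 1 for these primes
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)            # private exponent (modular inverse, Python 3.8+)


def digest_int(message: bytes) -> int:
    """SHA-256 of the message as an integer, reduced mod N to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_exponent: int = D) -> int:
    """Signature = digest^d mod N. Only the holder of d can produce this."""
    return pow(digest_int(message), private_exponent, N)


def verify(message: bytes, signature: int, public_exponent: int = E) -> bool:
    """Verification = signature^e mod N == digest. Needs only the public key."""
    return pow(signature, public_exponent, N) == digest_int(message)


def demo() -> dict:
    """Run the four cases the exam options allude to and return the outcomes."""
    msg = b"Pay ACME Ltd 1,000.00"
    sig = sign(msg)
    tampered = b"Pay ACME Ltd 9,000.00"
    return {
        "genuine_verifies": verify(msg, sig),
        # Option B: altering the plaintext changes the digest, so the signature fails.
        "altered_message_verifies": verify(tampered, sig),
        # Altering the signature itself also fails.
        "modified_signature_verifies": verify(msg, (sig + 1) % N),
        # Option D: with the sender's private key an attacker signs the altered message.
        "forged_with_stolen_private_key": verify(tampered, sign(tampered, D)),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Option A (reversing the hash) is defeated by the one-way property of SHA-256, and option C makes no sense because the receiver's public key is public by design; the only thing that converts the control into nothing is the private key leaving the signer's control.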
Question #87
In data warehouse (DW) management, what is the BEST way to prevent data quality issues caused by changes from a source system?
A. Configure data quality alerts to check variances between the data warehouse and the source system
B. Require approval for changes in the extract/transfer/load (ETL) process between the two systems
C. Include the data warehouse in the impact analysis for any changes in the source system
D. Restrict access to changes in the extract/transfer/load (ETL) process between the two systems
View answer
Correct Answer: C
Question #88
Which of the following BEST facilitates the legal process in the event of an incident?
A. Right to perform e-discovery
B. Advice from legal counsel
C. Preserving the chain of custody
D. Results of a root cause analysis
View answer
Correct Answer: C
Question #89
An organization is planning an acquisition and has engaged an IS auditor to evaluate the IT governance framework of the target company. Which of the following would be MOST helpful in determining the effectiveness of the framework?
A. Self-assessment reports of IT capability and maturity
B. IT performance benchmarking reports with competitors
C. Recent third-party IS audit reports
D. Current and previous internal IS audit reports
View answer
Correct Answer: C
Question #90
An IS auditor suspects an organization's computer may have been used to commit a crime. Which of the following is the auditor's BEST course of action?
A. Examine the computer to search for evidence supporting the suspicions
B. Advise management of the crime after the investigation
C. Contact the incident response team to conduct an investigation
D. Notify local law enforcement of the potential crime before further investigation
View answer
Correct Answer: C
Question #91
Which of the following is MOST important to ensure that electronic evidence collected during a forensic investigation will be admissible in future legal proceedings?
A. Restricting evidence access to professionally certified forensic investigators
B. Documenting evidence handling by personnel throughout the forensic investigation
C. Performing investigative procedures on the original hard drives rather than images of the hard drives
D. Engaging an independent third party to perform the forensic investigation
View answer
Correct Answer: B
Question #92
Which of the following is the PRIMARY reason for an IS auditor to conduct post-implementation reviews?
A. To determine whether project objectives in the business case have been achieved
B. To ensure key stakeholder sign-off has been obtained
C. To align project objectives with business needs
D. To document lessons learned to improve future project delivery
View answer
Correct Answer: A
Question #93
Which of the following would provide an IS auditor with the GREATEST assurance that data disposal controls support business strategic objectives?
A. Media recycling policy
B. Media sanitization policy
C. Media labeling policy
D. Media shredding policy
View answer
Correct Answer: B
Question #94
An organization has developed mature risk management practices that are followed across all departments. What is the MOST effective way for the audit team to leverage this risk management maturity?
A. Implementing risk responses on management's behalf
B. Integrating the risk register for audit planning purposes
C. Providing assurances to management regarding risk
D. Facilitating audit risk identification and evaluation workshops
View answer
Correct Answer: B
Question #95
In a RACI model, which of the following roles must be assigned to only one individual?
A. Responsible
B. Informed
C. Consulted
D. Accountable
View answer
Correct Answer: D
Question #96
Which of the following is the MOST effective way for an organization to help ensure agreed-upon action plans from an IS audit will be implemented?
A. Ensure ownership is assigned
B. Test corrective actions upon completion
C. Ensure sufficient audit resources are allocated
D. Communicate audit results organization-wide
View answer
Correct Answer: A
Question #97
A new system is being developed by a vendor for a consumer service organization. The vendor will provide its proprietary software once system development is completed. Which of the following is the MOST important requirement to include in the vendor contract to ensure continuity?
A. Continuous 24/7 support must be available
B. The vendor must have a documented disaster recovery plan (DRP) in place
C. Source code for the software must be placed in escrow
D. The vendor must train the organization's staff to manage the new software
View answer
Correct Answer: C
Question #98
Which of the following is the GREATEST security risk associated with data migration from a legacy human resources (HR) system to a cloud-based system?
A. Data from the source and target system may be intercepted
B. Data from the source and target system may have different data formats
C. Records past their retention period may not be migrated to the new system
D. System performance may be impacted by the migration
View answer
Correct Answer: A
Question #99
What is the PRIMARY benefit of an audit approach which requires reported findings to be issued together with related action plans, owners, and target dates?
A. It facilitates easier audit follow-up
B. It enforces action plan consensus between auditors and auditees
C. It establishes accountability for the action plans
D. It helps to ensure factual accuracy of findings
View answer
Correct Answer: C
Question #100
Which of the following is MOST important to verify when determining the completeness of the vulnerability scanning process?
A. The organization's systems inventory is kept up to date
B. Vulnerability scanning results are reported to the CISO
C. The organization is using a cloud-hosted scanning tool for identification of vulnerabilities
D. Access to the vulnerability scanning tool is periodically reviewed
View answer
Correct Answer: A
Question #101
During the design phase of a software development project, the PRIMARY responsibility of an IS auditor is to evaluate the:
A. Future compatibility of the application
B. Proposed functionality of the application
C. Controls incorporated into the system specifications
D. Development methodology employed
View answer
Correct Answer: C
Question #102
Which of the following environments is BEST used for copying data and transformation into a compatible data warehouse format?
A. Testing
B. Replication
C. Staging
D. Development
View answer
Correct Answer: C
Question #103
Which of the following would be the MOST useful metric for management to consider when reviewing a project portfolio?
A. Cost of projects divided by total IT cost
B. Expected return divided by total project cost
C. Net present value (NPV) of the portfolio
D. Total cost of each project
View answer
Correct Answer: C
Question #104
Which of the following is MOST important for an IS auditor to confirm when reviewing an organization's plans to implement robotic process automation (RPA) to automate routine business tasks?
A. The end-to-end process is understood and documented
B. Roles and responsibilities are defined for the business processes in scope
C. A benchmarking exercise of industry peers who use RPA has been completed
D. A request for proposal (RFP) has been issued to qualified vendors
View answer
Correct Answer: A
Question #105
An organization's software developers need access to personally identifiable information (PII) stored in a particular data format. Which of the following is the BEST way to protect this sensitive information while allowing the developers to use it in development and test environments?
A. Data masking
B. Data tokenization
C. Data encryption
D. Data abstraction
View answer
Correct Answer: A
Question #106
An organization has made a strategic decision to split into separate operating entities to improve profitability. However, the IT infrastructure remains shared between the entities. Which of the following would BEST help to ensure that IS audit still covers key risk areas within the IT environment as part of its annual plan?
A. Increasing the frequency of risk-based IS audits for each business entity
B. Developing a risk-based plan considering each entity's business processes
C. Conducting an audit of newly introduced IT policies and procedures
D. Revising IS audit plans to focus on IT changes introduced after the split
View answer
Correct Answer: D
Question #107
Which of the following would be a result of utilizing a top-down maturity model process?
A. A means of benchmarking the effectiveness of similar processes with peers
B. A means of comparing the effectiveness of other processes within the enterprise
C. Identification of older, more established processes to ensure timely review
D. Identification of processes with the most improvement opportunities
View answer
Correct Answer: D
Question #108
In order to be useful, a key performance indicator (KPI) MUST
A. be approved by management
B. be measurable in percentages
C. be changed frequently to reflect organizational strategy
D. have a target value
View answer
Correct Answer: D
Question #109
Which of the following documents would be MOST useful in detecting a weakness in segregation of duties?
A. System flowchart
B. Data flow diagram
C. Process flowchart
D. Entity-relationship diagram
View answer
Correct Answer: C
Question #110
Which of the following is the BEST justification for deferring remediation testing until the next audit?
A. The auditor who conducted the audit and agreed with the timeline has left the organization
B. Management's planned actions are sufficient given the relative importance of the observations
C. Auditee management has accepted all observations reported by the auditor
D. The audit environment has changed significantly
View answer
Correct Answer: D
Question #111
When reviewing an organization's information security policies, an IS auditor should verify that the policies have been defined PRIMARILY on the basis of:
A. a risk management process
B. an information security framework
C. past information security incidents
D. industry best practices
View answer
Correct Answer: A
Question #112
Which of the following should an IS auditor be MOST concerned with during a post-implementation review?
A. The system does not have a maintenance plan
B. The system contains several minor defects
C. The system deployment was delayed by three weeks
D. The system was over budget by 15%
View answer
Correct Answer: A
Question #113
An IS audit reveals that an organization is not proactively addressing known vulnerabilities. Which of the following should the IS auditor recommend the organization do FIRST?
A. Verify the disaster recovery plan (DRP) has been tested
B. Ensure the intrusion prevention system (IPS) is effective
C. Assess the security risks to the business
D. Confirm the incident response team understands the issue
View answer
Correct Answer: C
Question #114
Which of the following provides IS audit professionals with the BEST source of direction for performing audit functions?
A. Audit charter
B. IT steering committee
C. Information security policy
D. Audit best practices
View answer
Correct Answer: A
Question #115
An IS auditor is reviewing an organization's information asset management process. Which of the following would be of GREATEST concern to the auditor?
A. The process does not require specifying the physical locations of assets
B. Process ownership has not been established
C. The process does not include asset review
D. Identification of asset value is not included in the process
View answer
Correct Answer: B
Question #116
Spreadsheets are used to calculate project cost estimates. Totals for each cost category are then keyed into the job-costing system. What is the BEST control to ensure that data is accurately entered into the system?
A. Reconciliation of total amounts by project
B. Validity checks, preventing entry of character data
C. Reasonableness checks for each cost type
D. Display back of project detail after entry
View answer
Correct Answer: A
Question #117
Which of the following is the PRIMARY advantage of parallel processing for a new system implementation?
A. Assurance that the new system meets functional requirements
B. More time for users to complete training for the new system
C. Significant cost savings over other system implementation approaches
D. Assurance that the new system meets performance requirements
View answer
Correct Answer: A
Question #118
Which of the following should be of MOST concern to an IS auditor reviewing the public key infrastructure (PKI) for enterprise email?
A. The certificate revocation list has not been updated
B. The PKI policy has not been updated within the last year
C. The private key certificate has not been updated
D. The certificate practice statement has not been published
View answer
Correct Answer: A
Question #119
An organization's audit charter PRIMARILY:
A. describes the auditors' authority to conduct audits
B. defines the auditors' code of conduct
C. formally records the annual and quarterly audit plans
D. documents the audit process and reporting standards
View answer
Correct Answer: A
Question #120
The decision to accept an IT control risk related to data quality should be the responsibility of the:
A. information security team
B. IS audit manager
C. chief information officer (CIO)
D. business owner
View answer
Correct Answer: D
Question #121
The PRIMARY reason for an IS auditor to use data analytics techniques is to reduce which type of audit risk?
A. Technology risk
B. Detection risk
C. Control risk
D. Inherent risk
View answer
Correct Answer: B
Question #122
Which of the following is the BEST control to prevent the transfer of files to external parties through instant messaging (IM) applications?
A. File level encryption
B. File Transfer Protocol (FTP)
C. Instant messaging policy
D. Application level firewalls
View answer
Correct Answer: D
Question #123
To enable the alignment of IT staff development plans with IT strategy, which of the following should be done FIRST?
A. Review IT staff job descriptions for alignment
B. Develop quarterly training for each IT staff member
C. Identify required IT skill sets that support key business processes
D. Include strategic objectives in IT staff performance objectives
View answer
Correct Answer: C
Question #124
A review of an organization's IT portfolio revealed several applications that are not in use. The BEST way to prevent this situation from recurring would be to implement:
A. A formal request for proposal (RFP) process
B. Business case development procedures
C. An information asset acquisition policy
D. Asset life cycle management
View answer
Correct Answer: D
Question #125
Which of the following issues associated with a data center's closed circuit television (CCTV) surveillance cameras should be of MOST concern to an IS auditor?
A. CCTV recordings are not regularly reviewed
B. CCTV cameras are not installed in break rooms
C. CCTV records are deleted after one year
D. CCTV footage is not recorded 24 x 7
View answer
Correct Answer: A
Question #126
Which of the following should be done FIRST when planning a penetration test?
A. Execute nondisclosure agreements (NDAs)
B. Determine reporting requirements for vulnerabilities
C. Define the testing scope
D. Obtain management consent for the testing
View answer
Correct Answer: D
Question #127
An IS auditor is planning an audit of an organization's accounts payable processes.Which of the following controls is MOST important to assess in the audit?
A. Segregation of duties between issuing purchase orders and making payments
B. Segregation of duties between receiving invoices and setting authorization limits
C. Management review and approval of authorization tiers
D. Management review and approval of purchase orders
View answer
Correct Answer: A
Question #128
Which of the following is MOST important to include in forensic data collection and preservation procedures?
A. Assuring the physical security of devices
B. Preserving data integrity
C. Maintaining chain of custody
D. Determining tools to be used
View answer
Correct Answer: B
Question #129
Which of the following BEST ensures the quality and integrity of test procedures used in audit analytics?
A. Developing and communicating test procedure best practices to audit teams
B. Developing and implementing an audit data repository
C. Decentralizing procedures and implementing periodic peer review
D. Centralizing procedures and implementing change control
View answer
Correct Answer: D
Question #130
An organization's enterprise architecture (EA) department decides to change a legacy system's components while maintaining its original functionality. Which of the following is MOST important for an IS auditor to understand when reviewing this decision?
A. The current business capabilities delivered by the legacy system
B. The proposed network topology to be used by the redesigned system
C. The data flows between the components to be used by the redesigned system
D. The database entity relationships within the legacy system
View answer
Correct Answer: A
Question #131
Which of the following is the MOST important reason to implement version control for an end-user computing (EUC) application?
A. To ensure that older versions are available for reference
B. To ensure that only the latest approved version of the application is used
C. To ensure compatibility between different versions of the application
D. To ensure that only authorized users can access the application
View answer
Correct Answer: B
Question #132
An IS auditor is conducting a post-implementation review of an enterprise resource planning (ERP) system. End users indicated concerns with the accuracy of critical automatic calculations made by the system. The auditor's FIRST course of action should be to:
A. review recent changes to the system
B. verify completeness of user acceptance testing (UAT)
C. verify results to determine validity of user concerns
D. review initial business requirements
View answer
Correct Answer: C
Question #133
Which of the following is an executive management concern that could be addressed by the implementation of a security metrics dashboard?
A. Effectiveness of the security program
B. Security incidents vs
C. Total number of hours budgeted to security
D. Total number of false positives
View answer
Correct Answer: A
Question #134
Which of the following is the BEST evidence that an organization's IT strategy is aligned to its business objectives?
A. The IT strategy is modified in response to organizational change
B. The IT strategy is approved by executive management
C. The IT strategy is based on IT operational best practices
D. The IT strategy has significant impact on the business strategy
View answer
Correct Answer: A
Question #135
While executing follow-up activities, an IS auditor is concerned that management has implemented corrective actions that are different from those originally discussed and agreed with the audit function. In order to resolve the situation, the IS auditor's BEST course of action would be to:
A. re-prioritize the original issue as high risk and escalate to senior management
B. schedule a follow-up audit in the next audit cycle
C. postpone follow-up activities and escalate the alternative controls to senior audit management
D. determine whether the alternative controls sufficiently mitigate the risk
View answer
Correct Answer: D
Question #136
An IS auditor has been asked to assess the security of a recently migrated database system that contains personal and financial data for a bank's customers. Which of the following controls is MOST important for the auditor to confirm is in place?
A. The default configurations have been changed
B. All tables in the database are normalized
C. The service port used by the database server has been changed
D. The default administration account is used after changing the account password
View answer
Correct Answer: A
Question #137
Which of the following is the BEST control to mitigate attacks that redirect Internet traffic to an unauthorized website?
A. Utilize a network-based firewall
B. Conduct regular user security awareness training
C. Perform domain name system (DNS) server security hardening
D. Enforce a strong password policy meeting complexity requirements
View answer
Correct Answer: C
Question #138
Malicious program code was found in an application and corrected prior to release into production. After the release, the same issue was reported. Which of the following is the IS auditor's BEST recommendation?
A. Ensure corrected program code is compiled in a dedicated server
B. Ensure change management reports are independently reviewed
C. Ensure programmers cannot access code after the completion of program edits
D. Ensure the business signs off on end-to-end user acceptance test (UAT) results
View answer
Correct Answer: C
Question #139
Which of the following controls BEST ensures appropriate segregation of duties within an accounts payable department?
A. Restricting program functionality according to user security profiles
B. Restricting access to update programs to accounts payable staff only
C. Including the creator's user ID as a field in every transaction record created
D. Ensuring that audit trails exist for transactions
View answer
Correct Answer: A
Question #140
What is MOST important to verify during an external assessment of network vulnerability?
A. Update of security information event management (SIEM) rules
B. Regular review of the network security policy
C. Completeness of network asset inventory
D. Location of intrusion detection systems (IDS)
View answer
Correct Answer: C
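Worked example for this question and for Question #100, added for this page (not part of the question bank, not ISACA's and not SPOTO's material): the check behind both answers is a reconciliation of the asset inventory against what the scanner was pointed at and what it actually reported. The hosts, addresses and scan ranges below are constructed for the example; real inputs would be a CMDB export and the scanner's own target list and host report.

```python
"""Reconcile the asset inventory against vulnerability-scan scope and results."""
import ipaddress

# Constructed sample data (hypothetical hosts, not from the page or any real scan):
# a CMDB export, the ranges the scanner was configured with, and the addresses
# the scanner actually produced results for.
INVENTORY = [
    {"host": "web01",  "ip": "10.0.1.10", "env": "prod"},
    {"host": "web02",  "ip": "10.0.1.11", "env": "prod"},
    {"host": "app01",  "ip": "10.0.1.12", "env": "prod"},
    {"host": "db01",   "ip": "10.0.2.20", "env": "prod"},
    {"host": "jump01", "ip": "10.0.9.5",  "env": "prod"},
    {"host": "dev03",  "ip": "10.0.5.30", "env": "dev"},
]
SCAN_SCOPE = ["10.0.1.0/24", "10.0.2.20"]
SCAN_RESULTS = ["10.0.1.10", "10.0.1.11", "10.0.2.20", "10.0.7.77"]


def in_scope(ip: str, scope) -> bool:
    """True if the address falls inside any configured scan range (CIDR or single host)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(rng, strict=False) for rng in scope)


def reconcile(inventory, scope, results) -> dict:
    """Three-way reconciliation of inventory, scan scope and scan output.

    not_in_scope         - inventoried assets the scanner was never pointed at
    in_scope_no_result   - assets in scope that produced no result (down, filtered, skipped)
    unknown_to_inventory - addresses the scanner saw that the inventory does not list,
                           i.e. the inventory itself is incomplete
    coverage             - share of inventoried assets with an actual scan result
    """
    inv_ips = {a["ip"] for a in inventory}
    seen = set(results)
    not_in_scope = sorted(a["ip"] for a in inventory if not in_scope(a["ip"], scope))
    in_scope_no_result = sorted(
        a["ip"] for a in inventory if in_scope(a["ip"], scope) and a["ip"] not in seen
    )
    unknown_to_inventory = sorted(seen - inv_ips)
    scanned = len(inventory) - len(not_in_scope) - len(in_scope_no_result)
    return {
        "not_in_scope": not_in_scope,
        "in_scope_no_result": in_scope_no_result,
        "unknown_to_inventory": unknown_to_inventory,
        "coverage": scanned / len(inventory),
    }


if __name__ == "__main__":
    for key, value in reconcile(INVENTORY, SCAN_SCOPE, SCAN_RESULTS).items():
        print(f"{key}: {value}")
```

The coverage figure is only as good as the inventory it is divided by, which is why the inventory's currency (option A in Question #100) is the thing to verify first; the unknown_to_inventory bucket is the auditor's evidence that the inventory is stale.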
Question #141
Which of the following is a detective control?
A. Programmed edit checks for data entry
B. Backup procedures
C. Use of pass cards to gain access to physical facilities
D. Verification of hash totals
View answer
Correct Answer: D
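Worked example for this question and for Question #116, added for this page (not part of the question bank, not ISACA's and not SPOTO's material): batch control totals in Python. The spreadsheet batch, the keyed-in batch and the project numbers are constructed for the example. It shows why a hash total is a detective control and why reconciling totals by project catches the keying error in Question #116: a transposed project number leaves the record count and the financial total untouched, but changes the hash total and the per-project totals.

```python
"""Batch control totals: record count, financial total, hash total, per-project totals."""
from collections import defaultdict

# Constructed sample batch (hypothetical projects and amounts, not from the page).
# Amounts are in cents so every total is an exact integer.
# (project_number, cost_category, amount_cents)
SPREADSHEET = [
    ("4712", "labour",    12500000),
    ("4712", "materials",  8050000),
    ("4730", "labour",     9900000),
]
# What the operator keyed into the job-costing system: the first project
# number was transposed (4712 -> 4721). Count and money are unchanged.
KEYED_IN = [
    ("4721", "labour",    12500000),
    ("4712", "materials",  8050000),
    ("4730", "labour",     9900000),
]


def control_totals(batch) -> dict:
    """Record count, financial total and a hash total over the project-number field.

    The hash total is an arithmetic sum of a non-financial key. The number itself
    is meaningless, but any keying error in that field changes it, which is what
    makes comparing it after entry a detective control.
    """
    return {
        "record_count": len(batch),
        "financial_total": sum(amount for _, _, amount in batch),
        "hash_total": sum(int(project) for project, _, _ in batch),
    }


def totals_by_project(batch) -> dict:
    """Financial total per project, the figure reconciled in Question #116."""
    by_project = defaultdict(int)
    for project, _, amount in batch:
        by_project[project] += amount
    return dict(by_project)


def reconcile(source, target) -> dict:
    """Compare batch-level and per-project totals; return only the exceptions."""
    expected, actual = control_totals(source), control_totals(target)
    batch_exceptions = {
        k: (expected[k], actual[k]) for k in expected if expected[k] != actual[k]
    }
    src, tgt = totals_by_project(source), totals_by_project(target)
    project_exceptions = {
        p: (src.get(p, 0), tgt.get(p, 0))
        for p in sorted(set(src) | set(tgt))
        if src.get(p, 0) != tgt.get(p, 0)
    }
    return {"batch": batch_exceptions, "by_project": project_exceptions}


if __name__ == "__main__":
    print(reconcile(SPREADSHEET, KEYED_IN))
```

A financial total alone would have passed this batch; only the hash total and the per-project reconciliation surface the transposition, and the per-project view also tells the operator which record to correct.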
Question #142
An online retailer is receiving customer complaints about receiving different items from what they ordered on the organization's website. The root cause has been traced to poor data quality. Despite efforts to clean erroneous data from the system, multiple data quality issues continue to occur. Which of the following recommendations would be the BEST way to reduce the likelihood of future occurrences?
A. Assign responsibility for improving data quality
B. Invest in additional employee training for data entry
C. Outsource data cleansing activities to reliable third parties
D. Implement business rules to validate employee data entry
View answer
Correct Answer: D
Question #143
When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor's BEST recommendation is to place an intrusion detection system (IDS) between the firewall and:
A. the organization's web server
B. the demilitarized zone (DMZ)
C. the organization's network
D. the Internet
View answer
Correct Answer: C
Question #144
An IS auditor assessing the controls within a newly implemented call center would FIRST:
A. gather information from the customers regarding response times and quality of service
B. review the manual and automated controls in the call center
C. test the technical infrastructure at the call center
D. evaluate the operational risk associated with the call center
View answer
Correct Answer: D
Question #145
Management receives information indicating a high level of risk associated with potential flooding near the organization's data center within the next few years. As a result, a decision has been made to move data center operations to another facility on higher ground. Which approach has been adopted?
A. Risk avoidance
B. Risk transfer
C. Risk acceptance
D. Risk reduction
View answer
Correct Answer: A
Question #146
Which of the following would BEST determine whether a post-implementation review (PIR) performed by the project management office (PMO) was effective?
A. Lessons learned were implemented
B. Management approved the PIR report
C. The review was performed by an external provider
D. Project outcomes have been realized
View answer
Correct Answer: D
Question #147
Which of the following is the BEST indicator of the effectiveness of signature-based intrusion detection systems (IDS)?
A. An increase in the number of identified false positives
B. An increase in the number of detected incidents not previously identified
C. An increase in the number of unfamiliar sources of intruders
D. An increase in the number of internally reported critical incidents
View answer
Correct Answer: B
Question #148
An audit identified that a computer system is not assigning sequential purchase order numbers to order requests. The IS auditor is conducting an audit follow-up to determine if management has resolved this finding. Which of the following is the MOST reliable follow-up procedure?
A. Review the documentation of recent changes to implement sequential order numbering
B. Inquire with management if the system has been configured and tested to generate sequential order numbers
C. Inspect the system settings and transaction logs to determine if sequential order numbers are generated
D. Examine a sample of system generated purchase orders obtained from management
View answer
Correct Answer: C
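Worked example for this question, added for this page (not part of the question bank, not ISACA's and not SPOTO's material): the inspection in option C, carried out over transaction log lines in Python. The log format and the PO numbers are constructed for the example; a real follow-up would pull the creation events from the system's own log or audit table. The check flags gaps, duplicates and numbers issued out of order, which is the evidence an inquiry with management (option B) cannot give.

```python
"""Sequence check on purchase-order numbers pulled from a system transaction log."""
import re

# Constructed sample log (hypothetical format, not from the page): one PO_CREATE
# event per purchase order, plus unrelated events that the check must ignore.
TRANSACTION_LOG = """\
2024-03-01T09:00:12Z PO_CREATE po=100230 user=jdoe
2024-03-01T09:03:40Z PO_CREATE po=100231 user=jdoe
2024-03-01T09:10:05Z PO_CREATE po=100233 user=asmith
2024-03-01T09:11:19Z PO_CANCEL po=100231 user=jdoe
2024-03-01T09:15:00Z PO_CREATE po=100233 user=asmith
2024-03-01T09:18:52Z PO_CREATE po=100229 user=bkim
2024-03-01T09:20:47Z PO_CREATE po=100234 user=bkim
"""
CREATE_EVENT = re.compile(r"\bPO_CREATE\s+po=(\d+)")


def extract_po_numbers(log: str) -> list:
    """Return PO numbers from PO_CREATE events, in the order they were logged."""
    return [int(m.group(1)) for m in CREATE_EVENT.finditer(log)]


def sequence_check(numbers: list) -> dict:
    """Flag duplicates, gaps in the numeric range, and numbers issued out of order.

    duplicates   - a number assigned more than once (second and later occurrences)
    gaps         - numbers inside [min, max] that were never assigned
    out_of_order - a number lower than the one logged immediately before it
    """
    seen, duplicates, out_of_order = set(), [], []
    prev = None
    for n in numbers:
        if n in seen:
            duplicates.append(n)
        seen.add(n)
        if prev is not None and n < prev:
            out_of_order.append(n)
        prev = n
    gaps = sorted(set(range(min(numbers), max(numbers) + 1)) - seen) if numbers else []
    return {
        "duplicates": duplicates,
        "gaps": gaps,
        "out_of_order": out_of_order,
        "sequential": not (duplicates or gaps or out_of_order),
    }


if __name__ == "__main__":
    print(sequence_check(extract_po_numbers(TRANSACTION_LOG)))
```

A gap on its own is not necessarily a defect (a number may have been consumed by a failed or rolled-back transaction), so the output is a list of exceptions to trace back to the log, not a verdict; a duplicate, however, means the numbering control is still not working.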
Question #149
What is the MOST critical finding when reviewing an organization's information security management?
A. No dedicated security officer
B. No official charter for the information security management system
C. No periodic assessments to identify threats and vulnerabilities
D. No employee awareness training and education program
View answer
Correct Answer: C
Question #150
Which of the following is MOST important to ensure when planning a black box penetration test?
A. The management of the client organization is aware of the testing
B. The test results will be documented and communicated to management
C. The environment and penetration test scope have been determined
D. Diagrams of the organization's network architecture are available
View answer
Correct Answer: A
Question #151
Prior to a follow-up engagement, an IS auditor learns that management has decided to accept a level of residual risk related to an audit finding without remediation. The IS auditor is concerned about management's decision. Which of the following should be the IS auditor's NEXT course of action?
A. Accept management's decision and continue the follow-up
B. Report the issue to IS audit management
C. Report the disagreement to the board
D. Present the issue to executive management
View answer
Correct Answer: B
Question #152
Which of the following is the BEST way to mitigate the impact of ransomware attacks?
A. Invoking the disaster recovery plan (DRP)
B. Backing up data frequently
C. Paying the ransom
D. Requiring password changes for administrative accounts
View answer
Correct Answer: B
Question #153
What is the BEST method to determine if IT resource spending is aligned with planned project spending?
A. Earned value analysis (EVA)
B. Return on investment (ROI) analysis
C. Gantt chart
D. Critical path analysis
View answer
Correct Answer: A