Latest ISACA CISA Exam Questions for Effective Exam Preparation

Certified Information Systems Auditor® (CISA®) is world-renowned as the standard of achievement for those who audit, control, monitor, and assess an organization’s IT and business systems. If you are a mid-career professional, CISA can showcase your expertise and assert your ability to apply a risk-based approach to planning, executing, and reporting on audit engagements. SPOTO ISACA CISA exam questions offer numerous advantages for successful certification. They include comprehensive exam questions and answers, covering essential test questions in the exam format. The exam preparation materials provided by SPOTO are designed to enhance your understanding and mastery of key concepts. With access to SPOTO's study materials and exam resources, you can effectively prepare and pass the CISA exam. Additionally, SPOTO offers mock exams to simulate real exam conditions, allowing you to assess your readiness and improve your performance to pass successfully.

Question #1
A company has implemented an IT segregation of duties policy. In a role-based environment, which of the following roles may be assigned to an application developer?
A. IT operator
B. System administration
C. Emergency support
D. Database administration
View answer
Correct Answer: B
Question #2
A credit card company has decided to outsource the printing of customer statements. It is MOST important for the company to verify whether:
A. the provider has alternate service locations
B. the contract includes compensation for deficient service levels
C. the provider's information security controls are aligned with the company's
D. the provider adheres to the company's data retention policies
View answer
Correct Answer: C
Question #3
An IS auditor will be testing accounts payable controls by performing data analytics on the entire population of transactions. Which of the following is MOST important for the auditor to confirm when sourcing the population data?
A. The data is taken directly from the system
B. There is no privacy information in the data
C. The data can be obtained in a timely manner
D. The data analysis tools have been recently updated
View answer
Correct Answer: A
Question #4
Which of the following is MOST important when planning a network audit?
A. Determination of IP range in use
B. Analysis of traffic content
C. Isolation of rogue access points
D. Identification of existing nodes
View answer
Correct Answer: D
Question #5
An audit has identified that business units have purchased cloud-based applications without IT's support. What is the GREATEST risk associated with this situation?
A. The applications are not included in business continuity plans (BCPs)
B. The applications may not reasonably protect data
C. The application purchases did not follow procurement policy
D. The applications could be modified without advanced notice
View answer
Correct Answer: B
Question #6
Which of the following BEST demonstrates that IT strategy is aligned with organizational goals and objectives?
A. IT strategies are communicated to all business stakeholders
B. Organizational strategies are communicated to the chief information officer (CIO)
C. Business stakeholders are involved in approving the IT strategy
D. The chief information officer (CIO) is involved in approving the organizational strategies
View answer
Correct Answer: C
Question #7
Which of the following demonstrates the use of data analytics for a loan origination process?
A. Evaluating whether loan records are included in the batch file and are validated by the servicing system
B. Comparing a population of loans input in the origination system to loans booked on the servicing system
C. Validating whether reconciliations between the two systems are performed and discrepancies are investigated
D. Reviewing error handling controls to notify appropriate personnel in the event of a transmission failure
View answer
Correct Answer: B
Question #8
Which of the following is MOST critical for the effective implementation of IT governance?
A. Strong risk management practices
B. Internal auditor commitment
C. Supportive corporate culture
D. Documented policies
View answer
Correct Answer: C
Question #9
Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?
A. Apply single sign-on for access control
B. Implement segregation of duties
C. Enforce an internal data access policy
D. Enforce the use of digital signatures
View answer
Correct Answer: C
Question #10
Which of the following is MOST important to consider when scheduling follow-up audits?
A. The efforts required for independent verification with new auditors
B. The impact if corrective actions are not taken
C. The amount of time the auditee has agreed to spend with auditors
D. Controls and detection risks related to the observations
View answer
Correct Answer: B
Question #11
Which of the following should be performed FIRST before key performance indicators (KPIs) can be implemented?
A. Analysis of industry benchmarks
B. Identification of organizational goals
C. Analysis of quantitative benefits
D. Implementation of a balanced scorecard
View answer
Correct Answer: B
Question #12
An IS auditor has discovered that a software system still in regular use is years out of date and no longer supported. The auditee has stated that it will take six months until the software is running on the current version. Which of the following is the BEST way to reduce the immediate risk associated with using an unsupported version of the software?
A. Verify all patches have been applied to the software system's outdated version
B. Close all unused ports on the outdated software system
C. Segregate the outdated software system from the main network
D. Monitor network traffic attempting to reach the outdated software system
View answer
Correct Answer: D
Question #13
In an online application, which of the following would provide the MOST information about the transaction audit trail?
A. File layouts
B. Data architecture
C. System/process flowchart
D. Source code documentation
View answer
Correct Answer: C
Question #14
A new regulation in one country of a global organization has recently prohibited cross-border transfer of personal data. An IS auditor has been asked to determine the organization's level of exposure in the affected country.
A. Developing an inventory of all business entities that exchange personal data with the affected jurisdiction
B. Identifying data security threats in the affected jurisdiction
C. Reviewing data classification procedures associated with the affected jurisdiction
D. Identifying business processes associated with personal data exchange with the affected jurisdiction
View answer
Correct Answer: D
Question #15
An IS auditor follows up on a recent security incident and finds the incident response was not adequate. Which of the following findings should be considered MOST critical?
A. The security weakness facilitating the attack was not identified
B. The attack was not automatically blocked by the intrusion detection system (IDS)
C. The attack could not be traced back to the originating person
D. Appropriate response documentation was not maintained
View answer
Correct Answer: A
Question #16
During a disaster recovery audit, an IS auditor finds that a business impact analysis (BIA) has not been performed. The auditor should FIRST:
A. perform a business impact analysis (BIA)
B. issue an intermediate report to management
C. evaluate the impact on current disaster recovery capability
D. conduct additional compliance testing
View answer
Correct Answer: C
Question #17
When auditing the alignment of IT to the business strategy, it is MOST important for the IS auditor to:
A. compare the organization's strategic plan against industry best practice
B. interview senior managers for their opinion of the IT function
C. ensure an IT steering committee is appointed to monitor new IT projects
D. evaluate deliverables of new IT initiatives against planned business services
View answer
Correct Answer: D
Question #18
Which of the following would be of MOST concern for an IS auditor evaluating the design of an organization's incident management processes?
A. Service management standards are not followed
B. Expected time to resolve incidents is not specified
C. Metrics are not reported to senior management
D. Prioritization criteria are not defined
View answer
Correct Answer: B
Question #19
Which of the following would BEST help to support an auditor's conclusion about the effectiveness of an implemented data classification program?
A. Purchase of information management tools
B. Business use cases and scenarios
C. Access rights provisioned according to scheme
D. Detailed data classification scheme
View answer
Correct Answer: D
Question #20
Which of the following types of firewalls provide the GREATEST degree of control against hacker intrusion?
A. Circuit gateway
B. Application level gateway
C. Packet filtering router
D. Screening router
View answer
Correct Answer: B
Question #21
Which of the following BEST describes an audit risk?
A. The company is being sued for false accusations
B. The financial report may contain undetected material errors
C. Employees have been misappropriating funds
D. Key employees have not taken vacation for 2 years
View answer
Correct Answer: D
Question #22
Which of the following should an IS auditor expect to see in a network vulnerability assessment?
A. Misconfiguration and missing updates
B. Malicious software and spyware
C. Zero-day vulnerabilities
D. Security design flaws
View answer
Correct Answer: A
Question #23
Which of the following findings from an IT governance review should be of GREATEST concern?
A. The IT budget is not monitored
B. All IT services are provided by third parties
C. IT value analysis has not been completed
D. IT supports two different operating systems
View answer
Correct Answer: C
Question #24
Which of the following is the BEST reason to implement a data retention policy?
A. To limit the liability associated with storing and protecting information
B. To document business objectives for processing data within the organization
C. To assign responsibility and ownership for data protection outside IT
D. To establish a recovery point objective (RPO) for disaster recovery procedures
View answer
Correct Answer: A
Question #25
An IS auditor notes that several employees are spending an excessive amount of time using social media sites for personal reasons. Which of the following should the auditor recommend be performed FIRST?
A. Implement a process to actively monitor postings on social networking sites
B. Adjust budget for network usage to include social media usage
C. Use data loss prevention (DLP) tools on endpoints
D. Implement policies addressing acceptable usage of social media during working hours
View answer
Correct Answer: D
Question #26
Which of the following BEST protects an organization's proprietary code during a joint-development activity involving a third party?
A. Statement of work (SOW)
B. Nondisclosure agreement (NDA)
C. Service level agreement (SLA)
D. Privacy agreement
View answer
Correct Answer: D
Question #27
During an audit of a reciprocal disaster recovery agreement between two companies, the IS auditor would be MOST concerned with the:
A. allocation of resources during an emergency
B. frequency of system testing
C. differences in IS policies and procedures
D. maintenance of hardware and software compatibility
View answer
Correct Answer: D
Question #28
An IS auditor finds that a key Internet-facing system is vulnerable to attack and that patches are not available. What should the auditor recommend be done FIRST?
A. Implement a new system that can be patched
B. Implement additional firewalls to protect the system
C. Decommission the server
D. Evaluate the associated risk
View answer
Correct Answer: D
Question #29
Which of the following is MOST important with regard to an application development acceptance test?
A. The programming team is involved in the testing process
B. All data files are tested for valid information before conversion
C. User management approves the test design before the test is started
D. The quality assurance (QA) team is in charge of the testing process
View answer
Correct Answer: B
Question #30
Which of the following is the BEST audit procedure to determine whether a firewall is configured in compliance with the organization's security policy?
A. Reviewing the parameter settings
B. Reviewing the system log
C. Interviewing the firewall administrator
D. Reviewing the actual procedures
View answer
Correct Answer: D
Question #31
Which of the following is a challenge in developing a service level agreement (SLA) for network services?
A. Establishing a well-designed framework for network services
B. Finding performance metrics that can be measured properly
C. Ensuring that network components are not modified by the client
D. Reducing the number of entry points into the network
View answer
Correct Answer: B
Question #32
Which of the following fire suppression systems needs to be combined with an automatic switch to shut down the electricity supply in the event of activation?
A. Carbon dioxide
B. FM-200
C. Dry pipe
D. Halon
View answer
Correct Answer: C
Question #33
Which of the following security measures will reduce the risk of propagation when a cyberattack occurs?
A. Perimeter firewall
B. Data loss prevention (DLP) system
C. Web application firewall
D. Network segmentation
View answer
Correct Answer: D
Question #34
A data breach has occurred due to malware. Which of the following should be the FIRST course of action?
A. Notify the cyber insurance company
B. Shut down the affected systems
C. Quarantine the impacted systems
D. Notify customers of the breach
View answer
Correct Answer: C
Question #35
Which of the following would lead an IS auditor to conclude that the evidence collected during a digital forensic investigation would not be admissible in court?
A. The person who collected the evidence is not qualified to represent the case
B. The logs failed to identify the person handling the evidence
C. The evidence was collected by the internal forensics team
D. The evidence was not fully backed up using a cloud-based solution prior to the trial
View answer
Correct Answer: B
Question #36
An IS auditor should ensure that an application's audit trail:
A. has adequate security
B. logs all database records
C. is accessible online
D. does not impact operational efficiency
View answer
Correct Answer: D
Question #37
Which of the following is the PRIMARY role of the IS auditor in an organization's information classification process?
A. Securing information assets in accordance with the classification assigned
B. Validating that assets are protected according to assigned classification
C. Ensuring classification levels align with regulatory guidelines
D. Defining classification levels for information assets within the organization
View answer
Correct Answer: B
Question #38
Documentation of workaround processes to keep a business function operational during recovery of IT systems is a core part of a:
A. business impact analysis (BIA)
B. threat and risk assessment
C. business continuity plan (BCP)
D. disaster recovery plan (DRP)
View answer
Correct Answer: C
Question #39
Which of the following should be the FIRST step in managing the impact of a recently discovered zero-day attack?
A. Estimating potential damage
B. Identifying vulnerable assets
C. Evaluating the likelihood of attack
D. Assessing the impact of vulnerabilities
View answer
Correct Answer: B
Question #40
An IS auditor is reviewing an organization's primary router access control list. Which of the following should result in a finding?
A. There are conflicting permit and deny rules for the IT group
B. The network security group can change network address translation (NAT)
C. Individual permissions are overriding group permissions
D. There is only one rule per group with access privileges
View answer
Correct Answer: C
Question #41
Which of the following BEST enables the timely identification of risk exposure?
A. External audit review
B. Internal audit review
C. Control self-assessment (CSA)
D. Stress testing
View answer
Correct Answer: C
Question #42
Which of the following should be an IS auditor's GREATEST consideration when scheduling follow-up activities for agreed-upon management responses to remediate audit observations?
A. Business interruption due to remediation
B. IT budgeting constraints
C. Availability of responsible IT personnel
D. Risk rating of original findings
View answer
Correct Answer: D
Question #43
Which of the following is the MOST effective way for an organization to help ensure agreed-upon action plans from an IS audit will be implemented?
A. Ensure sufficient audit resources are allocated
B. Communicate audit results organization-wide
C. Ensure ownership is assigned
D. Test corrective actions upon completion
View answer
Correct Answer: C
Question #44
Which of the following is the BEST way to ensure that an application is performing according to its specifications?
A. Unit testing
B. Pilot testing
C. System testing
D. Integration testing
View answer
Correct Answer: D
Question #45
Which of the following audit procedures would be MOST conclusive in evaluating the effectiveness of an e-commerce application system's edit routine?
A. Review of program documentation
B. Use of test transactions
C. Interviews with knowledgeable users
D. Review of source code
View answer
Correct Answer: B
Question #46
Which of the following is the MOST significant risk that IS auditors are required to consider for each engagement?
A. Process and resource inefficiencies
B. Irregularities and illegal acts
C. Noncompliance with organizational policies
D. Misalignment with business objectives
View answer
Correct Answer: D
Question #47
After the merger of two organizations, which of the following is the MOST important task for an IS auditor to perform?
A. Verifying that access privileges have been reviewed
B. Investigating access rights for expiration dates
C. Updating the continuity plan for critical resources
D. Updating the security policy
View answer
Correct Answer: A
Question #48
During the planning stage of a compliance audit, an IS auditor discovers that a bank's inventory of compliance requirements does not include recent regulatory changes related to managing data risk. What should the auditor do FIRST?
A. Ask management why the regulatory changes have not been included
B. Discuss potential regulatory issues with the legal department
C. Report the missing regulatory updates to the chief information officer (CIO)
D. Exclude recent regulatory changes from the audit scope
View answer
Correct Answer: A
Question #49
Which of the following backup schemes is the BEST option when storage media is limited?
A. Real-time backup
B. Virtual backup
C. Differential backup
D. Full backup
View answer
Correct Answer: C
Question #50
An organization with many desktop PCs is considering moving to a thin client architecture. Which of the following is the MAJOR advantage?
A. The security of the desktop PC is enhanced
B. Administrative security can be provided for the client
C. Desktop application software will never have to be upgraded
D. System administration can be better managed
View answer
Correct Answer: C
Question #51
Which of the following should an IS auditor consider FIRST when evaluating firewall rules?
A. The organization's security policy
B. The number of remote nodes
C. The firewalls' default settings
D. The physical location of the firewalls
View answer
Correct Answer: A
Question #52
Which of the following findings should be of GREATEST concern to an IS auditor performing a review of IT operations?
A. The job scheduler application has not been designed to display pop-up error messages
B. Access to the job scheduler application has not been restricted to a maximum of two staff members
C. Operations shift turnover logs are not utilized to coordinate and control the processing environment
D. Changes to the job scheduler application's parameters are not approved and reviewed by an operations supervisor
View answer
Correct Answer: D
Question #53
Which of the following would BEST enable an organization to address the security risks associated with a recently implemented bring your own device (BYOD) strategy?
A. Mobile device tracking program
B. Mobile device upgrade program
C. Mobile device testing program
D. Mobile device awareness program
View answer
Correct Answer: D
Question #54
Which of the following should be an IS auditor's PRIMARY focus when developing a risk-based IS audit program?
A. Portfolio management
B. Business plans
C. Business processes
D. IT strategic plans
View answer
Correct Answer: D
Question #55
An organization has virtualized its server environment without making any other changes to the network or security infrastructure. Which of the following is the MOST significant risk?
A. Inability of the network intrusion detection system (IDS) to monitor virtual server-to-server communications
B. Vulnerability in the virtualization platform affecting multiple hosts
C. Data center environmental controls not aligning with new configuration
D. System documentation not being updated to reflect changes in the environment
View answer
Correct Answer: B
Question #56
An IS audit team is evaluating the documentation related to the most recent application user-access review performed by IT and business management. It is determined that the user list was not system-generated. Which of the following should be the GREATEST concern?
A. Availability of the user list reviewed
B. Confidentiality of the user list reviewed
C. Source of the user list reviewed
D. Completeness of the user list reviewed
View answer
Correct Answer: C
Question #57
While auditing a small organization's data classification processes and procedures, an IS auditor noticed that data is often classified at the incorrect level. What is the MOST effective way for the organization to improve this situation?
A. Use automatic document classification based on content
B. Have IT security staff conduct targeted training for data owners
C. Publish the data classification policy on the corporate web portal
D. Conduct awareness presentations and seminars for information classification policies
View answer
Correct Answer: D
Question #58
Which of the following is the BEST source of information for an IS auditor to use as a baseline to assess the adequacy of an organization's privacy policy?
A. Historical privacy breaches and related root causes
B. Globally accepted privacy best practices
C. Local privacy standards and regulations
D. Benchmark studies of similar organizations
View answer
Correct Answer: C
Question #59
An IS auditor finds that one employee has unauthorized access to confidential data. The IS auditor's BEST recommendation should be to:
A. reclassify the data to a lower level of confidentiality
B. require the business owner to conduct regular access reviews
C. implement a strong password schema for users
D. recommend corrective actions to be taken by the security administrator
View answer
Correct Answer: B
Question #60
Which of the following would be MOST useful when analyzing computer performance?
A. Tuning of system software to optimize resource usage
B. Operations report of user dissatisfaction with response time
C. Statistical metrics measuring capacity utilization
D. Report of off-peak utilization and response time
View answer
Correct Answer: B
Question #61
An incorrect version of source code was amended by a development team. This MOST likely indicates a weakness in:
A. incident management
B. quality assurance (QA)
C. change management
D. project management
View answer
Correct Answer: C
Question #62
Which of the following is the BEST way to mitigate the risk associated with unintentional modifications of complex calculations in end-user computing (EUC)?
A. Have an independent party review the source calculations
B. Execute copies of EUC programs out of a secure library
C. Implement complex password controls
D. Verify EUC results through manual calculations
View answer
Correct Answer: B
Question #63
One benefit of return on investment (ROI) analysis in IT decision making is that it provides the:
A. basis for allocating indirect costs
B. cost of replacing equipment
C. estimated cost of ownership
D. basis for allocating financial resources
View answer
Correct Answer: D
Question #64
During an audit of a multinational bank's disposal process, an IS auditor notes several findings. Which of the following should be the auditor's GREATEST concern?
A. Backup media are not reviewed before disposal
B. Degaussing is used instead of physical shredding
C. Backup media are disposed before the end of the retention period
D. Hardware is not destroyed by a certified vendor
View answer
Correct Answer: C
Question #65
Which of the following would BEST help to ensure that potential security issues are considered by the development team as part of incremental changes to agile-developed software?
A. Assign the security risk analysis to a specially trained member of the project management office
B. Deploy changes in a controlled environment and observe for security defects
C. Include a mandatory step to analyze the security impact when making changes
D. Mandate that the change analyses are documented in a standard format
View answer
Correct Answer: C
Question #66
An IT balanced scorecard is the MOST effective means of monitoring:
A. governance of enterprise IT
B. control effectiveness
C. return on investment (ROI)
D. change management effectiveness
View answer
Correct Answer: A
Question #67
Which of the following observations would an IS auditor consider the GREATEST risk when conducting an audit of a virtual server farm for potential software vulnerabilities?
A. Guest operating systems are updated monthly
B. The hypervisor is updated quarterly
C. A variety of guest operating systems operate on one virtual server
D. Antivirus software has been implemented on the guest operating system only
View answer
Correct Answer: D
Question #68
Which of the following documents should specify roles and responsibilities within an IT audit organization?
A. Organizational chart
B. Audit charter
C. Engagement letter
D. Annual audit plan
View answer
Correct Answer: A
Question #69
Which of the following is the BEST way to ensure that an application is performing according to its specifications?
A. Pilot testing
B. System testing
C. Integration testing
D. Unit testing
View answer
Correct Answer: C
Question #70
When evaluating the design of controls related to network monitoring, which of the following is MOST important for an IS auditor to review?
A. Incident monitoring logs
B. The ISP service level agreement
C. Reports of network traffic analysis
D. Network topology diagrams
View answer
Correct Answer: D
Question #71
Which of the following should be the FIRST step in the incident response process for a suspected breach?
A. Inform potentially affected customers of the security breach
B. Notify business management of the security breach
C. Research the validity of the alerted breach
D. Engage a third party to independently evaluate the alerted breach
View answer
Correct Answer: C
Question #72
During an audit of a financial application, it was determined that many terminated users' accounts were not disabled. Which of the following should be the IS auditor's NEXT step?
A. Perform substantive testing of terminated users' access rights
B. Perform a review of terminated users' account activity
C. Communicate risks to the application owner
D. Conclude that IT general controls are ineffective
View answer
Correct Answer: B
Question #73
Which of the following is an audit reviewer's PRIMARY role with regard to evidence?
A. Ensuring unauthorized individuals do not tamper with evidence after it has been captured
B. Ensuring evidence is sufficient to support audit conclusions
C. Ensuring appropriate statistical sampling methods were used
D. Ensuring evidence is labeled to show it was obtained from an approved source
View answer
Correct Answer: B
Question #74
Which of the following would be of MOST concern when determining whether information assets are adequately safeguarded during transport and disposal?
A. Lack of appropriate labelling
B. Lack of recent awareness training
C. Lack of password protection
D. Lack of appropriate data classification
View answer
Correct Answer: D
Question #75
A new regulation requires organizations to report significant security incidents to the regulator within 24 hours of identification. Which of the following is the IS auditor's BEST recommendation to facilitate compliance with the regulation?
A. Establish key performance indicators (KPIs) for timely identification of security incidents
B. Engage an external security incident response expert for incident handling
C. Enhance the alert functionality of the intrusion detection system (IDS)
D. Include the requirement in the incident management response plan
View answer
Correct Answer: C
Question #76
Which of the following metrics would BEST measure the agility of an organization's IT function?
A. Average number of learning and training hours per IT staff member
B. Frequency of security assessments against the most recent standards and guidelines
C. Average time to turn strategic IT objectives into an agreed upon and approved initiative
D. Percentage of staff with sufficient IT-related skills for the competency required of their roles
View answer
Correct Answer: C
Question #77
An IS auditor wants to determine who has oversight of staff performing a specific task and is referencing the organization's RACI chart. Which of the following roles within the chart would provide this information?
A. Consulted
B. Informed
C. Responsible
D. Accountable
View answer
Correct Answer: D
Question #78
Which of the following is the BEST compensating control when segregation of duties is lacking in a small IS department?
A. Background checks
B. User awareness training
C. Transaction log review
D. Mandatory holidays
View answer
Correct Answer: C
Question #79
In which phase of penetration testing would host detection and domain name system (DNS) interrogation be performed?
A. Discovery
B. Attacks
C. Planning
D. Reporting
View answer
Correct Answer: A
Question #80
Which of the following is the PRIMARY reason to follow a configuration management process to maintain applications?
A. To optimize system resources
B. To follow system hardening standards
C. To optimize asset management workflows
D. To ensure proper change control
View answer
Correct Answer: D
Question #81
An IS auditor is reviewing security controls related to collaboration tools for a business unit responsible for intellectual property and patents. Which of the following observations should be of MOST concern to the auditor?
A. Training was not provided to the department that handles intellectual property and patents
B. Logging and monitoring for content filtering is not enabled
C. Employees can share files with users outside the company through collaboration tools
D. The collaboration tool is hosted and can only be accessed via an Internet browser
View answer
Correct Answer: B
Question #82
What is the MAIN reason to use incremental backups?
A. To improve key availability metrics
B. To reduce costs associated with backups
C. To increase backup resiliency and redundancy
D. To minimize the backup time and resources
View answer
Correct Answer: D
Question #83
Which of the following is the BEST source of information for assessing the effectiveness of IT process monitoring?
A. Real-time audit software
B. Performance data
C. Quality assurance (QA) reviews
D. Participative management techniques
View answer
Correct Answer: A
Question #84
What should be the PRIMARY basis for selecting which IS audits to perform in the coming year?
A. Senior management's request
B. Prior year's audit findings
C. Organizational risk assessment
D. Previous audit coverage and scope
View answer
Correct Answer: C
Question #85
Which of the following is the GREATEST risk if two users have concurrent access to the same database record?
A. Entity integrity
B. Availability integrity
C. Referential integrity
D. Data integrity
View answer
Correct Answer: D
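The data-integrity risk in Question #85 is easiest to see as a lost update: two sessions read the same row, each computes a new value, and the second write silently discards the first. The following is an added example (not part of the original exam material) that reproduces the race in an in-memory SQLite table with constructed sample data, then shows the usual application-level fix, optimistic concurrency control with a row version number, so that a stale write is rejected and retried from a fresh read. Table and column names are assumptions chosen for the illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data: one account row with a balance and a version
    counter used for optimistic concurrency control."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE account (id INTEGER PRIMARY KEY, "
        "balance INTEGER NOT NULL, version INTEGER NOT NULL)"
    )
    conn.execute("INSERT INTO account (id, balance, version) VALUES (1, 100, 0)")
    conn.commit()
    return conn


def read_account(conn):
    return conn.execute("SELECT balance, version FROM account WHERE id = 1").fetchone()


def lost_update(conn):
    """Unguarded read-modify-write by two sessions, interleaved so that both
    read before either writes. Session A deposits 50, session B withdraws 30.
    The correct final balance is 120, but B's write overwrites A's."""
    bal_a, _ = read_account(conn)  # session A reads 100
    bal_b, _ = read_account(conn)  # session B reads 100
    conn.execute("UPDATE account SET balance = ? WHERE id = 1", (bal_a + 50,))  # A writes 150
    conn.execute("UPDATE account SET balance = ? WHERE id = 1", (bal_b - 30,))  # B writes 70
    conn.commit()
    return read_account(conn)[0]


def try_update(conn, expected_version, new_balance):
    """Conditional write: succeeds only if nobody changed the row since it was read."""
    cur = conn.execute(
        "UPDATE account SET balance = ?, version = version + 1 "
        "WHERE id = 1 AND version = ?",
        (new_balance, expected_version),
    )
    conn.commit()
    return cur.rowcount == 1


def guarded_updates(conn):
    """Same interleaving as lost_update, but each write carries the version it
    was based on. Returns (A accepted, B's first attempt accepted, final balance)."""
    bal_a, ver_a = read_account(conn)
    bal_b, ver_b = read_account(conn)
    ok_a = try_update(conn, ver_a, bal_a + 50)    # version 0 -> 1, balance 150
    first_b = try_update(conn, ver_b, bal_b - 30)  # still expects version 0: rejected
    if not first_b:
        bal_b, ver_b = read_account(conn)          # re-read: 150, version 1
        try_update(conn, ver_b, bal_b - 30)        # version 1 -> 2, balance 120
    return ok_a, first_b, read_account(conn)[0]


if __name__ == "__main__":
    print("unguarded final balance:", lost_update(make_db()))
    print("guarded (A ok, B first try ok, balance):", guarded_updates(make_db()))
```

The same effect can be obtained with pessimistic locking (SELECT ... FOR UPDATE on databases that support it) or by running each read-modify-write inside a serializable transaction; what matters for the auditor is that the application does not rely on the two users simply never colliding.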
Question #86
Which of the following is the BEST source of information for an IS auditor to use when determining whether an organization's information security policy is adequate?
A. Information security program plans
B. Penetration test results
C. Risk assessment results
D. Industry benchmarks
View answer
Correct Answer: C
Question #87
A system development project is experiencing delays due to ongoing staff shortages. Which of the following strategies would provide the GREATEST assurance of system quality at implementation?
A. Implement overtime pay and bonuses for all development staff
B. Utilize new system development tools to improve productivity
C. Recruit IS staff to expedite system development
D. Deliver only the core functionality on the initial target date
View answer
Correct Answer: C
Question #88
Which of the following data would be used when performing a business impact analysis (BIA)?
A. Projected impact of current business on future business
B. Cost-benefit analysis of running the current business
C. Cost of regulatory compliance
D. Expected costs for recovering the business
View answer
Correct Answer: A
Question #89
Which of the following is the MOST important prerequisite for the protection of physical information assets in a data center?
A. Segregation of duties between staff ordering and staff receiving information assets
B. Complete and accurate list of information assets that have been deployed
C. Availability and testing of onsite backup generators
D. Knowledge of the IT staff regarding data protection requirements
View answer
Correct Answer: B
Question #90
An organization has recently implemented a Voice-over IP (VoIP) communication system. Which of the following should be the IS auditor's PRIMARY concern?
A. A single point of failure for both voice and data communications
B. Inability to use virtual private networks (VPNs) for internal traffic
C. Lack of integration of voice and data communications
D. Voice quality degradation due to packet loss
View answer
Correct Answer: A
Question #91
An IS auditor is examining a front-end subledger and a main ledger. Which of the following would be the GREATEST concern if there are flaws in the mapping of accounts between the two systems?
A. Double-posting of a single journal entry
B. Inability to support new business transactions
C. Unauthorized alteration of account attributes
D. Inaccuracy of financial reporting
View answer
Correct Answer: D
Question #92
Which of the following provides the BEST evidence that outsourced provider services are being properly managed?
A. The service level agreement (SLA) includes penalties for non-performance
B. Adequate action is taken for noncompliance with the service level agreement (SLA)
C. The vendor provides historical data to demonstrate its performance
D. Internal performance standards align with corporate strategy
View answer
Correct Answer: B
Question #93
Which of the following is the MOST effective control to mitigate unintentional misuse of authorized access?
A. Annual sign-off of acceptable use policy
B. Regular monitoring of user access logs
C. Security awareness training
D. Formalized disciplinary action
View answer
Correct Answer: C
Question #94
Which of the following is the BEST way to ensure payment transaction data is restricted to the appropriate users?
A. Implementing two-factor authentication
B. Restricting access to transactions using network security software
C. Implementing role-based access at the application level
D. Using a single menu for sensitive application transactions
View answer
Correct Answer: C
Question #95
The BEST way to determine whether programmers have permission to alter data in the production environment is by reviewing:
A. the access control system's log settings
B. how the latest system changes were implemented
C. the access control system's configuration
D. the access rights that have been granted
View answer
Correct Answer: D
Question #96
A system administrator recently informed the IS auditor about the occurrence of several unsuccessful intrusion attempts from outside the organization.Which of the following is MOST effective in detecting such an intrusion?
A. Periodically reviewing log files
B. Configuring the router as a firewall
C. Using smart cards with one-time passwords
D. Installing biometrics-based authentication
View answer
Correct Answer: A
Question #97
Which of the following is the BEST way to determine whether a test of a disaster recovery plan (DRP) was successful?
A. Analyze whether predetermined test objectives were met
B. Perform testing at the backup data center
C. Evaluate participation by key personnel
D. Test offsite backup files
View answer
Correct Answer: A
Question #98
Which of the following would be an appropriate role of internal audit in helping to establish an organization's privacy program?
A. Analyzing risks posed by new regulations
B. Designing controls to protect personal data
C. Defining roles within the organization related to privacy
D. Developing procedures to monitor the use of personal data
View answer
Correct Answer: A
Question #99
An IS auditor is reviewing an industrial control system (ICS) that uses older unsupported technology in the scope of an upcoming audit. What should the auditor consider the MOST significant concern?
A. Attack vectors are evolving for industrial control systems
B. There is a greater risk of system exploitation
C. Disaster recovery plans (DRPs) are not in place
D. Technical specifications are not documented
View answer
Correct Answer: C
Question #100
Which of the following security risks can be reduced by a properly configured network firewall?
A. SQL injection attacks
B. Denial of service (DoS) attacks
C. Phishing attacks
D. Insider attacks
View answer
Correct Answer: B
Question #101
Which of the following is MOST important for an IS auditor to determine during the detailed design phase of a system development project?
A. Program coding standards have been followed
B. Acceptance test criteria have been developed
C. Data conversion procedures have been established
D. The design has been approved by senior management
View answer
Correct Answer: B
Question #102
For an organization that has plans to implement web-based trading, it would be MOST important for an IS auditor to verify the organization's information security plan includes:
A. attributes for system passwords
B. security training prior to implementation
C. security requirements for the new application
D. the firewall configuration for the web server
View answer
Correct Answer: C
Question #103
An IS auditor learns the organization has experienced several server failures in its distributed environment. Which of the following is the BEST recommendation to limit the potential impact of server failures in the future?
A. Redundant pathways
B. Clustering
C. Failover power
D. Parallel testing
View answer
Correct Answer: B
Question #104
Which of the following activities would allow an IS auditor to maintain independence while facilitating a control self-assessment (CSA)?
A. Implementing the remediation plan
B. Partially completing the CSA
C. Developing the remediation plan
D. Developing the CSA questionnaire
View answer
Correct Answer: D
Question #105
Which of the following is the BEST recommendation to prevent fraudulent electronic funds transfers by accounts payable employees?
A. Periodic vendor reviews
B. Dual control
C. Independent reconciliation
D. Re-keying of monetary amounts
View answer
Correct Answer: B
Question #106
Management is concerned about sensitive information being intentionally or unintentionally emailed as attachments outside the organization by employees. What is the MOST important task before implementing any associated email controls?
A. Require all employees to sign nondisclosure agreements (NDAs)
B. Develop an acceptable use policy for end-user computing (EUC)
C. Develop an information classification scheme
D. Provide notification to employees about possible email monitoring
View answer
Correct Answer: A
Question #107
An organization was recently notified by its regulatory body of significant discrepancies in its reporting data. A preliminary investigation revealed that the discrepancies were caused by problems with the organization's data quality. Management has directed the data quality team to enhance their program.
A. Data with customer personal information
B. Data reported to the regulatory body
C. Data supporting financial statements
D. Data impacting business objectives
View answer
Correct Answer: A
Question #108
During the evaluation of controls over a major application development project, the MOST effective use of an IS auditor's time would be to review and evaluate:
A. application test cases
B. acceptance testing
C. cost-benefit analysis
D. project plans
View answer
Correct Answer: A
Question #109
Which of the following tests would provide the BEST assurance that a health care organization is handling patient data appropriately?
A. Compliance with action plans resulting from recent audits
B. Compliance with local laws and regulations
C. Compliance with industry standards and best practice
D. Compliance with the organization's policies and procedures
View answer
Correct Answer: B
Question #110
An IS auditor who was instrumental in designing an application is called upon to review the application. The auditor should:
A. refuse the assignment to avoid conflict of interest
B. use the knowledge of the application to carry out the audit
C. inform audit management of the earlier involvement
D. modify the scope of the audit
View answer
Correct Answer: C
Question #111
Which of the following BEST indicates that an incident management process is effective?
A. Decreased time for incident resolution
B. Increased number of incidents reviewed by IT management
C. Decreased number of calls to the help desk
D. Increased number of reported critical incidents
View answer
Correct Answer: A
Question #112
Which of the following represents the HIGHEST level of maturity of an information security program?
A. A training program is in place to promote information security awareness
B. A framework is in place to measure risks and track effectiveness
C. Information security policies and procedures are established
D. The program meets regulatory and compliance requirements
View answer
Correct Answer: A
Question #113
An organization allows employees to retain confidential data on personal mobile devices. Which of the following is the BEST recommendation to mitigate the risk of data leakage from lost or stolen devices?
A. Require employees to attend security awareness training
B. Password protect critical data files
C. Configure to auto-wipe after multiple failed access attempts
D. Enable device auto-lock function
View answer
Correct Answer: C
Question #114
Which of the following is the MOST effective control for protecting the confidentiality and integrity of data stored unencrypted on virtual machines?
A. Monitor access to stored images and snapshots of virtual machines
B. Restrict access to images and snapshots of virtual machines
C. Limit creation of virtual machine images and snapshots
D. Review logical access controls on virtual machines regularly
View answer
Correct Answer: A
Question #115
Providing security certification for a new system should include which of the following prior to the system's implementation?
A. End-user authorization to use the system in production
B. External audit sign-off on financial controls
C. Testing of the system within the production environment
D. An evaluation of the configuration management practices
View answer
Correct Answer: A
Question #116
Stress testing should ideally be carried out under a:
A. test environment with production workloads
B. production environment with production workloads
C. production environment with test data
D. test environment with test data
View answer
Correct Answer: A
Question #117
An IS auditor is conducting a review of a data center. Which of the following observations could indicate an access control issue?
A. Security cameras deployed outside main entrance
B. Antistatic mats deployed at the computer room entrance
C. Muddy footprints directly inside the emergency exit
D. Fencing around facility is two meters high
View answer
Correct Answer: C
Question #118
An organization conducted an exercise to test the security awareness level of users by sending an email offering a cash reward to those who click on a link embedded in the body of the email. Which of the following metrics BEST indicates the effectiveness of awareness training?
A. The number of users deleting the email without reporting because it is a phishing email
B. The number of users clicking on the link to learn more about the sender of the email
C. The number of users forwarding the email to their business unit managers
D. The number of users reporting receipt of the email to the information security team
View answer
Correct Answer: D
Question #119
Following a security breach in which a hacker exploited a well-known vulnerability in the domain controller, an IS auditor has been asked to conduct a control assessment. The auditor's BEST course of action would be to determine if:
A. the patches were updated
B. the logs were monitored
C. the network traffic was being monitored
D. the domain controller was classified for high availability
View answer
Correct Answer: A
Question #120
Which of the following is a social engineering attack method?
A. An unauthorized person attempts to gain access to secure premises by following an authorized person through a secure door
B. An employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone
C. A hacker walks around an office building using scanning tools to search for a wireless network to gain access
D. An intruder eavesdrops and collects sensitive information flowing through the network and sells it to third parties
View answer
Correct Answer: B
Question #121
Which of the following is the PRIMARY concern when negotiating a contract for a hot site?
A. Availability of the site in the event of multiple disaster declarations
B. Coordination with the site staff in the event of multiple disaster declarations
C. Reciprocal agreements with other organizations
D. Complete testing of the recovery plan
View answer
Correct Answer: A
Question #122
Which of the following is the BEST metric to measure the alignment of IT and business strategy?
A. Level of stakeholder satisfaction with the scope of planned IT projects
B. Percentage of enterprise risk assessments that include IT-related risk
C. Percentage of staff satisfied with their IT-related roles
D. Frequency of business process capability maturity assessments
View answer
Correct Answer: B
Question #123
An IS auditor discovers an option in a database that allows the administrator to directly modify any table. This option is necessary to overcome bugs in the software, but is rarely used. Changes to tables are automatically logged. The IS auditor's FIRST action should be to:
A. recommend that the option to directly modify the database be removed immediately
B. recommend that the system require two persons to be involved in modifying the database
C. determine whether the log of changes to the tables is backed up
D. determine whether the audit trail is secured and reviewed
View answer
Correct Answer: D
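The answer to Question #123 turns on the audit trail being secured as well as reviewed: a change log the same administrator can edit proves nothing. The following is an added example, not part of the original exam material, of one way to make such a log tamper-evident. Each record's hash covers the previous record's hash, so editing or deleting an entry breaks every link after it; and a keyed seal (HMAC) over the last hash, computed with a key the DBA does not hold, is kept by the reviewer so that an administrator cannot simply rebuild the chain after editing it. The log entries are constructed sample data and the reviewer key is an assumption for the illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64

# Constructed change records of the kind Question #123 describes; not real data.
SAMPLE_CHANGES = [
    {"ts": "2024-03-03T10:00:00Z", "user": "dba01", "table": "payments",
     "row": 4711, "column": "amount", "old": "120.00", "new": "125.00"},
    {"ts": "2024-03-03T10:05:00Z", "user": "dba01", "table": "payments",
     "row": 4712, "column": "status", "old": "HELD", "new": "RELEASED"},
    {"ts": "2024-03-03T11:20:00Z", "user": "dba02", "table": "vendors",
     "row": 88, "column": "iban", "old": "DE00...", "new": "DE11..."},
]

# Assumed to be held by the log reviewer only, never by database administrators.
REVIEWER_KEY = b"reviewer-secret-key-held-outside-dba-control"


def _digest(prev_hash, entry):
    """Hash of the entry together with the previous record's hash (the link)."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_entry(chain, entry):
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"entry": entry, "prev_hash": prev, "hash": _digest(prev, entry)}
    chain.append(record)
    return record


def verify_chain(chain):
    """(True, None) if every link is intact, else (False, index of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev_hash"] != prev or rec["hash"] != _digest(prev, rec["entry"]):
            return False, i
        prev = rec["hash"]
    return True, None


def seal(chain, key):
    """Keyed MAC over the tail hash; the reviewer records this after each review."""
    tail = chain[-1]["hash"] if chain else GENESIS
    return hmac.new(key, tail.encode(), hashlib.sha256).hexdigest()


def verify_seal(chain, key, mac):
    return hmac.compare_digest(seal(chain, key), mac)


def demo():
    """Build the log, seal it, then show two tampering attempts being detected."""
    chain = []
    for change in SAMPLE_CHANGES:
        append_entry(chain, dict(change))
    mac = seal(chain, REVIEWER_KEY)
    intact = verify_chain(chain)                      # (True, None)

    chain[1]["entry"]["new"] = "HELD"                 # DBA edits a record in place
    edited = verify_chain(chain)                      # (False, 1): link broken

    rebuilt = []                                      # DBA rebuilds the hashes to cover tracks
    for rec in chain:
        append_entry(rebuilt, rec["entry"])
    rebuilt_chain_ok = verify_chain(rebuilt)          # (True, None): chain alone is fooled
    seal_ok = verify_seal(rebuilt, REVIEWER_KEY, mac)  # False: reviewer's seal no longer matches
    return intact, edited, rebuilt_chain_ok, seal_ok


if __name__ == "__main__":
    print(demo())
```

The chain makes tampering visible to anyone; the seal makes it visible even when the tamperer can rewrite the whole log. In practice the equivalent is forwarding the change log to a write-once store or a log server the DBA cannot administer, and the reviewer checking it on a schedule, which is exactly what the IS auditor in Question #123 should determine first.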
Question #124
Which of the following features of a library control software package would protect against unauthorized updating of source code?
A. Required approvals at each life cycle step
B. Date and time stamping of source and object code
C. Access controls for source libraries
D. Release-to-release comparison of source code
View answer
Correct Answer: B
Question #125
An organization is disposing of a system containing sensitive data and has deleted all files from the hard disk. An IS auditor should be concerned because:
A. deleted data cannot easily be retrieved
B. deleting the files logically does not overwrite the files' physical data
C. backup copies of files were not deleted as well
D. deleting all files separately is not as efficient as formatting the hard disk
View answer
Correct Answer: B
Question #126
An IS auditor is evaluating the risk associated with moving from one database management system (DBMS) to another. Which of the following would be MOST helpful to ensure the integrity of the system throughout the change?
A. Preserving the same data classifications
B. Preserving the same data inputs
C. Preserving the same data structure
D. Preserving the same data interfaces
View answer
Correct Answer: C
Question #127
During an IT general controls audit of a high-risk area where both internal and external audit teams are reviewing the same controls, which of the following is the BEST approach to optimize resources?
A. Leverage the work performed by external audit for the internal audit testing
B. Ensure both the internal and external auditors perform the work simultaneously
C. Request that the external audit team leverage the internal audit work
D. Roll forward the general controls audit to the subsequent audit year
View answer
Correct Answer: B
Question #128
An organization has outsourced the development of a core application. However, the organization plans to bring the support and future maintenance of the application back in-house. Which of the following findings should be the IS auditor's GREATEST concern?
A. The cost of outsourcing is lower than in-house development
B. The vendor development team is located overseas
C. A training plan for business users has not been developed
D. The data model is not clearly documented
View answer
Correct Answer: D
Question #129
Which of the following would an IS auditor recommend as the MOST effective preventive control to reduce the risk of data leakage?
A. Ensure that paper documents are disposed of securely
B. Implement an intrusion detection system (IDS)
C. Verify that application logs capture any changes made
D. Validate that all data files contain digital watermarks
View answer
Correct Answer: D
Question #130
Which of the following controls BEST ensures appropriate segregation of duties within an accounts payable department?
A. Ensuring that audit trails exist for transactions
B. Restricting access to update programs to accounts payable staff only
C. Including the creator's user ID as a field in every transaction record created
D. Restricting program functionality according to user security profiles
View answer
Correct Answer: D
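Questions #94, #105 and #130 all point at the same mechanism: restricting what a user can do inside the application according to a security profile, and requiring a second person for a sensitive step. The following is an added example, not part of the original exam material, of how that looks in code: roles map to permissions, every transaction function checks the caller's permission, and the approve and release steps enforce dual control by refusing the person who created or approved the payment even when that person holds the role. The roles, permission names and users are assumptions constructed for the illustration.

```python
# Application-level role-based access with dual control over payments.
# Role and permission names are assumptions made for this example.
ROLE_PERMISSIONS = {
    "ap_clerk":      {"payment:create", "payment:view"},
    "ap_supervisor": {"payment:approve", "payment:view"},
    "treasury":      {"payment:release", "payment:view"},
    "auditor":       {"payment:view"},
}


class PaymentApp:
    def __init__(self):
        self.user_roles = {}   # user -> set of roles
        self.payments = {}     # payment id -> record
        self.next_id = 1

    def assign(self, user, *roles):
        unknown = set(roles) - ROLE_PERMISSIONS.keys()
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        self.user_roles.setdefault(user, set()).update(roles)

    def _permissions(self, user):
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.user_roles.get(user, ())))

    def _require(self, user, permission):
        if permission not in self._permissions(user):
            raise PermissionError(f"{user} lacks {permission}")

    def create(self, user, payee, amount):
        self._require(user, "payment:create")
        pid = self.next_id
        self.next_id += 1
        self.payments[pid] = {"payee": payee, "amount": amount, "state": "pending",
                              "created_by": user, "approved_by": None}
        return pid

    def approve(self, user, pid):
        self._require(user, "payment:approve")
        p = self.payments[pid]
        if p["state"] != "pending":
            raise ValueError(f"payment {pid} is {p['state']}, not pending")
        if p["created_by"] == user:  # dual control: creator may not approve own entry
            raise PermissionError(f"{user} cannot approve a payment they created")
        p["state"], p["approved_by"] = "approved", user

    def release(self, user, pid):
        self._require(user, "payment:release")
        p = self.payments[pid]
        if p["state"] != "approved":
            raise ValueError(f"payment {pid} is {p['state']}, not approved")
        if user in (p["created_by"], p["approved_by"]):
            raise PermissionError(f"{user} already acted on payment {pid}")
        p["state"] = "released"

    def view(self, user, pid):
        self._require(user, "payment:view")
        return dict(self.payments[pid])


def attempt(fn, *args):
    """Run one transaction step and report 'ok' or the exception class raised."""
    try:
        fn(*args)
        return "ok"
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__


def demo():
    app = PaymentApp()
    app.assign("alice", "ap_clerk")
    app.assign("bob", "ap_supervisor")
    app.assign("carol", "treasury")
    app.assign("mallory", "ap_clerk", "ap_supervisor")  # holds both roles (a SoD gap)
    pid = app.create("alice", "ACME Ltd", 4800.00)
    own = app.create("mallory", "Shell Co", 9900.00)
    return {
        "clerk_approves":          attempt(app.approve, "alice", pid),   # no approve permission
        "self_approve":            attempt(app.approve, "mallory", own),  # role held, still refused
        "release_before_approval": attempt(app.release, "carol", pid),   # wrong state
        "supervisor_approves":     attempt(app.approve, "bob", pid),
        "treasury_releases":       attempt(app.release, "carol", pid),
        "final_state":             app.view("bob", pid)["state"],
    }


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:24s} {result}")
```

Note the mallory case: giving one person both the clerk and supervisor roles is the segregation-of-duties gap that Question #78 asks about, and the creator-cannot-approve rule is the compensating control inside the application. A reviewer of user security profiles (Question #95) would still want the role combination itself removed.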
Question #131
An IS auditor is reviewing documentation of application systems change control and identifies several patches that were not tested before being put into production. Which of the following is the MOST significant risk from this situation?
A. Loss of application support
B. Lack of system integrity
C. Outdated system documentation
D. Developer access to production
View answer
Correct Answer: B