Master CISA Certification Questions & Study Resources, Certified Information Systems Auditor | SPOTO

Mock tests are a crucial component of preparing for the latest CISA certification exam, offering several key advantages. These practice tests simulate the real exam environment, allowing candidates to become familiar with the format, timing, and difficulty level of actual exam questions. By practicing with mock tests, candidates can identify their strengths and weaknesses, enabling them to focus their study efforts more effectively. Mock tests also help improve time management skills, as candidates learn to allocate the appropriate amount of time to each question. Additionally, mock tests provide immediate feedback on performance, highlighting areas that require further attention and guiding ongoing study efforts. With access to SPOTO's latest CISA practice tests and exam dumps for 2024, candidates can enhance their exam preparation and increase their chances of success.

Question #1
Which of the following type of network service maps Domain Names to network IP addresses or network IP addresses to Domain Names?
A. DHCP
B. DNS
C. Directory Service
D. Network Management
View answer
Correct Answer: B
Question #2
Which of the following would be BEST prevented by a raised floor in the computer machine room?
A. Damage of wires around computers and servers
B. A power failure from static electricity
C. Shocks from earthquakes
D. Water flood damage
View answer
Correct Answer: D
Question #3
When reviewing an implementation of a VoIP system over a corporate WAN, an IS auditor should expect to find:
A. an integrated services digital network (ISDN) data link
B. traffic engineering
C. wired equivalent privacy (WEP) encryption of data
D. analog phone terminals
View answer
Correct Answer: B
Question #4
Which of the following penetration tests would MOST effectively evaluate incident handling and response capabilities of an organization?
A. Targeted testing
B. External testing
C. Internal testing
D. Double-blind testing
View answer
Correct Answer: D
Question #5
When using a universal serial bus (USB) flash drive to transport confidential corporate data to an offsite location, an effective control would be to:
A. carry the flash drive in a portable safe
B. assure management that you will not lose the flash drive
C. request that management deliver the flash drive by courier
D. encrypt the folder containing the data with a strong key
View answer
Correct Answer: D
Question #6
Which of the following types of firewalls provide the GREATEST degree and granularity of control?
A. Screening router
B. Packet filter
C. Application gateway
D. Circuit gateway
View answer
Correct Answer: C
Question #7
Which of the following cloud deployment models operates solely for one organization?
A. Private Cloud
B. Community Cloud
C. Public Cloud
D. Hybrid Cloud
View answer
Correct Answer: A
Question #8
The MAIN purpose for periodically testing offsite facilities is to:
A. protect the integrity of the data in the database
B. eliminate the need to develop detailed contingency plans
C. ensure the continued compatibility of the contingency facilities
D. ensure that program and system documentation remains current
View answer
Correct Answer: C
Question #9
What would be the MOST effective control for enforcing accountability among database users accessing sensitive information?
A. Implement a log management process
B. Implement two-factor authentication
C. Use table views to access sensitive data
D. Separate database and application servers
View answer
Correct Answer: A
Question #10
An IS auditor conducting a review of disaster recovery planning (DRP) at a financial processing organization has discovered the following: -The existing disaster recovery plan was compiled two years earlier by a systems analyst in the organization's IT department using transaction flow projections from the operations department. -The plan was presented to the deputy CEO for approval and formal issue, but it is still awaiting their attention. - the plan has never been updated, tested or circulated to key man
A. the deputy CEO be censured for their failure to approve the plan
B. a board of senior managers is set up to review the existing plan
C. the existing plan is approved and circulated to all key management and staff
D. a manager coordinates the creation of a new or revised plan within a defined time limit
View answer
Correct Answer: D
Question #11
Which of the following is a telecommunication device that translates data from digital to analog form and back to digital?
A. Multiplexer
B. Modem
C. Protocol converter
D. Concentrator
View answer
Correct Answer: B
Question #12
Which of the following functions in the traditional EDI process manipulates and routes data between the application system and the communication handler?
A. Communication handler
B. EDI Interface
C. Application System
D. EDI Translator
View answer
Correct Answer: B
Question #13
Which of the following tests performed by an IS auditor would be the MOST effective in determining compliance with an organization's change control procedures?
A. Review software migration records and verify approvals
B. Identify changes that have occurred and verify approvals
C. Review change control documentation and verify approvals
D. Ensure that only appropriate staff can migrate changes into production
View answer
Correct Answer: B
Question #14
Which of the following methods of expressing a knowledge base consists of a graph in which nodes represent physical or conceptual objects and the arcs describe the relationships between nodes?
A. Decision tree
B. Rules
C. Semantic nets
D. Knowledge interface
View answer
Correct Answer: C
Question #15
In which of the following payment modes does an issuer attempt to emulate physical cash by creating digital certificates, which are purchased by users who redeem them with the issuer at a later date?
A. Electronic Money Model
B. Electronics Checks model
C. Electronic transfer model
D. Electronic withdraw model
View answer
Correct Answer: A
Question #16
In the 2c area of the diagram, there are three hubs connected to each other. What potential risk might this indicate?
A. Virus attack
B. Performance degradation
C. Poor management controls
D. Vulnerability to external hackers
View answer
Correct Answer: B
Question #17
Which of the following BEST ensures that effective change management is in place in an IS environment?
A. User authorization procedures for application access are well established
B. User-prepared detailed test criteria for acceptance testing of the software
C. Adequate testing was carried out by the development team
D. Access to production source and object programs is well controlled
View answer
Correct Answer: D
Question #18
John is the product manager for an information system. His product has undergone a security review by an IS auditor. John has decided to apply appropriate security controls to reduce the security risks identified by the IS auditor. Which of the following techniques is John using to treat the identified risk?
A. Risk Mitigation
B. Risk Acceptance
C. Risk Avoidance
D. Risk transfer
View answer
Correct Answer: A
Question #19
During a disaster recovery test, an IS auditor observes that the performance of the disaster recovery site's server is slow. To find the root cause of this, the IS auditor should FIRST review the:
A. event error log generated at the disaster recovery site
B. disaster recovery test plan
C. disaster recovery plan (DRP)
D. configurations and alignment of the primary and disaster recovery sites
View answer
Correct Answer: A
Question #20
An IS auditor is reviewing a contract for the outsourcing of IT facilities. If missing, which of the following should present the GREATEST concern to the auditor?
A. Access control requirements
B. Hardware configurations
C. Perimeter network security diagram
D. Help desk availability
View answer
Correct Answer: A
Question #21
The MOST effective control for reducing the risk related to phishing is:
A. centralized monitoring of systems
B. including signatures for phishing in antivirus software
C. publishing the policy on antiphishing on the intranet
D. security training for all users
View answer
Correct Answer: D
Question #22
To prevent unauthorized entry to the data maintained in a dial-up, fast response system, an IS auditor should recommend:
A. online terminals are placed in restricted areas
B. online terminals are equipped with key locks
C. ID cards are required to gain access to online terminals
D. online access is terminated after a specified number of unsuccessful attempts
View answer
Correct Answer: D
Question #23
IS management has decided to install a level 1 Redundant Array of Inexpensive Disks (RAID) system in all servers to compensate for the elimination of offsite backups. The IS auditor should recommend:
A. upgrading to a level 5 RAID
B. increasing the frequency of onsite backups
C. reinstating the offsite backups
D. establishing a cold site in a secure location
View answer
Correct Answer: C
Question #24
An IS auditor analyzing the audit log of a database management system (DBMS) finds that some transactions were partially executed as a result of an error, and are not rolled back. Which of the following transaction processing features has been violated?
A. Consistency
B. Isolation
C. Durability
D. Atomicity
View answer
Correct Answer: D
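Atomicity is the property the auditor found violated in Question #24: a transaction either runs to completion or leaves no trace. The following added example (not part of the original question bank) reproduces the finding with sqlite3 from the Python standard library on a constructed two-account ledger. A transfer is a debit followed by a credit; when the credit fails, the version without an explicit transaction leaves the debit committed, while the version wrapped in BEGIN/COMMIT/ROLLBACK restores the original balances. The account names, amounts and the conservation-of-money check are assumptions made for the example.

```python
import sqlite3


def new_ledger():
    """Constructed sample data: two accounts in an in-memory database.
    isolation_level=None puts the connection in autocommit mode, so every statement
    becomes durable on its own unless a transaction is opened explicitly with BEGIN."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, "
                 "balance INTEGER NOT NULL CHECK (balance >= 0))")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 100), ("bob", 50)])
    return conn


def balances(conn):
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id"))


def _debit_then_credit(cur, src, dst, amount):
    cur.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src))
    if cur.rowcount != 1:
        raise LookupError(f"no such account: {src}")
    cur.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))
    if cur.rowcount != 1:
        raise LookupError(f"no such account: {dst}")


def transfer_non_atomic(conn, src, dst, amount):
    """The defect from the question: the statements run outside a transaction, so a
    failure on the credit leaves the debit in place and nothing rolls it back."""
    try:
        _debit_then_credit(conn.cursor(), src, dst, amount)
        return True
    except (sqlite3.Error, LookupError):
        return False


def transfer_atomic(conn, src, dst, amount):
    """Correct handling: both updates succeed and COMMIT, or ROLLBACK undoes the debit."""
    cur = conn.cursor()
    cur.execute("BEGIN")
    try:
        _debit_then_credit(cur, src, dst, amount)
        cur.execute("COMMIT")
        return True
    except (sqlite3.Error, LookupError):
        cur.execute("ROLLBACK")
        return False


def money_is_conserved(conn, expected_total=150):
    """Audit check (assumed invariant): a partial transfer shows up as money
    created or destroyed, which is what a reviewer of the DBMS audit log looks for."""
    return sum(balances(conn).values()) == expected_total
```

The same invariant check works as a detective control on a real ledger: totals that drift between two points in time are the signature of partially executed transactions, whether the cause is missing rollback logic or an application that commits after every statement.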
Question #25
In which of the following payment modes does the payer create payment transfer instructions, sign them digitally and send them to the issuer?
A. Electronic Money Model
B. Electronics Checks model
C. Electronic transfer model
D. Electronic withdraw model
View answer
Correct Answer: B
Question #26
One major improvement in WPA over WEP is the use of a protocol which dynamically changes keys as the system is used. What protocol is this?
A. SKIP
B. RKIP
C. OKIP
D. EKIPE
E. None of the choices
View answer
Correct Answer: E
Question #27
An IS auditor finds that, at certain times of the day, the data warehouse query performance decreases significantly. Which of the following controls would it be relevant for the IS auditor to review?
A. Permanent table-space allocation
B. Commitment and rollback controls
C. User spool and database limit controls
D. Read/write access log controls
View answer
Correct Answer: C
Question #28
In large corporate networks having supply partners across the globe, network traffic may continue to rise. The infrastructure components in such environments should be scalable. Which of the following firewall architectures limits future scalability?
A. Appliances
B. Operating system-based
C. Host-based
D. Demilitarized
View answer
Correct Answer: A
Question #29
A lower recovery time objective (RTO) results in:
A. higher disaster tolerance
B. higher cost
C. wider interruption windows
D. more permissive data loss
View answer
Correct Answer: B
Question #30
An IS auditor has completed a network audit. Which of the following is the MOST significant logical security finding?
A. Network workstations are not disabled automatically after a period of inactivity
B. Wiring closets are left unlocked
C. Network operating manuals and documentation are not properly secured
D. Network components are not equipped with an uninterruptible power supply
View answer
Correct Answer: A
Question #31
Identify the INCORRECT statement among the testing types listed below.
A. Recovery Testing – Making sure the modified/new system includes provisions for appropriate access control and does not introduce any security holes that might compromise other systems
B. Load Testing – Testing an application with large quantities of data to evaluate its performance during peak hour
C. Volume testing – Studying the impact on the application by testing with an incremental volume of records to determine the maximum volume of records that application can process
D. Stress Testing – Studying the impact on the application by testing with an incremental number of concurrent users/services on the application to determine the maximum number of concurrent users/services the application can process
View answer
Correct Answer: A
Question #32
Who is responsible for reviewing the result and deliverables within and at the end of each phase, as well as confirming compliance with requirements?
A. Project Sponsor
B. Quality Assurance
C. User Management
D. Senior Management
View answer
Correct Answer: B
Question #33
Which of the following would be considered an essential feature of a network management system?
A. A graphical interface to map the network topology
B. Capacity to interact with the Internet to solve the problems
C. Connectivity to a help desk for advice on difficult issues
D. An export facility for piping data to spreadsheets
View answer
Correct Answer: A
Question #34
When reviewing the configuration of network devices, an IS auditor should FIRST identify:
A. the best practices for the type of network devices deployed
B. whether components of the network are missing
C. the importance of the network device in the topology
D. whether subcomponents of the network are being used appropriately
View answer
Correct Answer: C
Question #35
Vendors have released patches fixing security flaws in their software. Which of the following should an IS auditor recommend in this situation?
A. Assess the impact of patches prior to installation
B. Ask the vendors for a new software version with all fixes included
C. Install the security patch immediately
D. Decline to deal with these vendors in the future
View answer
Correct Answer: A
Question #36
During the design of a business continuity plan, the business impact analysis (BIA) identifies critical processes and supporting applications. This will PRIMARILY influence the:
A. responsibility for maintaining the business continuity plan
B. criteria for selecting a recovery site provider
C. recovery strategy
D. responsibilities of key personnel
View answer
Correct Answer: C
Question #37
Which of the following layers of the OSI model ensures that messages are delivered error-free, in sequence, and with no losses or duplications?
A. Application layer
B. Presentation layer
C. Session layer
D. Transport layer
View answer
Correct Answer: D
Question #38
An organization transmits large amounts of data from one internal system to another. The IS auditor is reviewing the quality of the data at the originating point. Which of the following should the auditor verify FIRST?
A. The data has been encrypted
B. The data transformation is accurate
C. The data extraction process is completed
D. The source data is accurate
View answer
Correct Answer: D
Question #39
Performance of a biometric measure is usually referred to in terms of (Choose three.):
A. failure to reject rate
B. false accept rate
C. false reject rate
D. failure to enroll rate
E. None of the choices
View answer
Correct Answer: BCD
Question #40
Talking about biometric authentication, which of the following is often considered as a mix of both physical and behavioral characteristics?
A. Voice
B. Finger measurement
C. Body measurement
D. Signature
E. None of the choices
View answer
Correct Answer: D
Question #41
Which of the following audit risks relates to a material error that would not be prevented or detected on a timely basis by the system of internal controls?
A. Inherent Risk
B. Control Risk
C. Detection Risk
D. Overall Audit Risk
View answer
Correct Answer: B
Question #42
Which of the following controls helps to identify an incident's activities and potentially an intruder?
A. Deterrent
B. Preventive
C. Detective
D. Compensating
View answer
Correct Answer: C
Question #43
Which of the following components of an expert system enables it to collect data from nonhuman sources, such as measurement instruments in a power plant?
A. Decision tree
B. Rules
C. Semantic nets
D. Data interface
View answer
Correct Answer: D
Question #44
In which of the following WAN message transmission techniques do two network nodes establish a dedicated communications channel through the network before they may communicate?
A. Message Switching
B. Packet switching
C. Circuit switching
D. Virtual Circuits
View answer
Correct Answer: C
Question #45
One advantage of managing an entire collection of projects as a portfolio is that it highlights the need to:
A. identify dependencies between projects
B. inform users about all ongoing projects
C. manage the risk of each individual project
D. manage the quality of each project
View answer
Correct Answer: A
Question #46
In wireless communication, which of the following controls allows the device receiving the communications to verify that the received communications have not been altered in transit?
A. Device authentication and data origin authentication
B. Wireless intrusion detection (IDS) and prevention systems (IPS)
C. The use of cryptographic hashes
D. Packet headers and trailers
View answer
Correct Answer: C
Question #47
Which of the following cloud deployment models can be shared by several organizations?
A. Private Cloud
B. Community Cloud
C. Public Cloud
D. Hybrid Cloud
View answer
Correct Answer: B
Question #48
Hamid needs to shift users from the existing (old) system to the replacement (new) system. His manager Lily has suggested he use an approach in which the new system is changed over from the old system on a cutoff date and time, and the old system is discontinued once the changeover to the new system takes place. Which of the following changeover approaches is Lily suggesting?
A. Parallel changeover
B. Phased changeover
C. Abrupt changeover
D. Pilot changeover
View answer
Correct Answer: C
Question #49
Which of the following activities should the business continuity manager perform FIRST after the replacement of hardware at the primary information processing facility?
A. Verify compatibility with the hot site
B. Review the implementation report
C. Perform a walk-through of the disaster recovery plan
D. Update the IS assets inventory
View answer
Correct Answer: A
Question #50
Which of the following testing procedures is used by the auditor during an accounting audit to check for errors in the balance sheet and other financial documentation?
A. Compliance testing
B. Sanity testing
C. Recovery testing
D. Substantive testing
View answer
Correct Answer: D
Question #51
When reviewing system parameters, an IS auditor's PRIMARY concern should be that:
A. they are set to meet security and performance requirements
B. changes are recorded in an audit trail and periodically reviewed
C. changes are authorized and supported by appropriate documents
D. access to parameters in the system is restricted
View answer
Correct Answer: A
Question #52
Which of the following is the MOST reasonable option for recovering a noncritical system?
A. Warm site
B. Mobile site
C. Hot site
D. Cold site
View answer
Correct Answer: D
Question #53
Inadequate programming and coding practices introduce the risk of:
A. phishing
B. buffer overflow exploitation
C. SYN flood
D. brute force attacks
View answer
Correct Answer: B
Question #54
An organization has established three IS processing environments: development, test, and production. The MAJOR reason for separating the development and test environments is to:
A. obtain segregation of duties between IS staff and end users
B. limit the user’s access rights to the test environment
C. perform testing in a stable environment
D. protect the programs under development from unauthorized testing
View answer
Correct Answer: C
Question #55
Email required for business purposes is being stored on employees’ personal devices. Which of the following is an IS auditor’s BEST recommendation?
A. Implement an email containerization solution on personal devices
B. Prohibit employees from storing company email on personal devices
C. Ensure antivirus to utilize passwords on personal devices
D. Require employees to utilize passwords on personal devices
View answer
Correct Answer: A
Question #56
An advantage of the use of hot sites as a backup alternative is that:
A. the costs associated with hot sites are low
B. hot sites can be used for an extended amount of time
C. hot sites can be made ready for operation within a short period of time
D. they do not require that equipment and systems software be compatible with the primary site
View answer
Correct Answer: C
Question #57
Which of the following correctly describes a potential problem of deploying Wi-Fi Protected Access (WPA) to secure your wireless network?
A. potential compatibility problems with wireless network interface cards
B. potential compatibility problems with wireless access points
C. potential performance problems with wireless network interface cards
D. potential performance problems with wireless access points
E. None of the choices
View answer
Correct Answer: A
Question #58
Which of the following intrusion detection systems (IDSs) monitors the general patterns of activity and traffic on a network and creates a database?
A. Signature-based
B. Neural networks-based
C. Statistical-based
D. Host-based
View answer
Correct Answer: C
Question #59
Which of the following would effectively verify the originator of a transaction?
A. Using a secret password between the originator and the receiver
B. Encrypting the transaction with the receiver's public key
C. Using a portable document format (PDF) to encapsulate transaction content
D. Digitally signing the transaction with the source's private key
View answer
Correct Answer: D
Question #60
Which of the following functions in the traditional EDI process is used for transmitting and receiving electronic documents between trading partners via dial-up lines, a public switched network or a VAN?
A. Communication handler
B. EDI Interface
C. Application System
D. EDI Translator
View answer
Correct Answer: A
Question #61
Which of the following audits combines financial and operational audit steps?
A. Compliance Audit
B. Financial Audit
C. Integrated Audit
D. Forensic audit
View answer
Correct Answer: C
Question #62
When providing a vendor with data containing personally identifiable information (PII) for offsite testing, the data should be:
A. current
B. encrypted
C. sanitized
D. backed up
View answer
Correct Answer: C
Question #63
Which of the following statements INCORRECTLY describes the control self-assessment (CSA) approach?
A. CSA is policy or rule driven
B. CSA empowers employees and holds them accountable
C. CSA focuses on continuous improvement and the learning curve
D. In CSA, staff at all levels, in all functions, are the primary control analysts
View answer
Correct Answer: A
Question #64
As part of the IEEE 802.11 standard ratified in September 1999, WEP uses which stream cipher for confidentiality?
A. CRC-32
B. CRC-64
C. DES
D. 3DES
E. RC4
F. RC5
G. None of the choices
View answer
Correct Answer: E
Question #65
To ensure message integrity, confidentiality and non-repudiation between two parties, the MOST effective method would be to create a message digest by applying a cryptographic hashing algorithm against:
A. the entire message, enciphering the message digest using the sender's private key, enciphering the message with a symmetric key and enciphering the key by using the receiver's public key
B. B
C. the entire message, enciphering the message digest using the sender's private key, enciphering the message with a symmetric key and enciphering both the encrypted message and digest using the receiver's public key
D. the entire message, enciphering the message digest using the sender's private key and enciphering the message using the receiver's public key
View answer
Correct Answer: A
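The structure in option A of Question #65 (hash the entire message, sign the digest with the sender's private key, encrypt the message with a symmetric key, wrap that key with the receiver's public key) is the one a practitioner should be able to recognise, and it also answers Question #46 (a hash detects alteration) and Question #59 (a signature made with the sender's private key identifies the originator). The following added example is not part of the original question bank. So that it runs offline with only the Python standard library it uses two deliberately labelled stand-ins: textbook, unpadded RSA generated from a seeded random number generator, and an HMAC-SHA256 counter keystream in place of a real symmetric cipher. Real deployments use padded RSA (PSS/OAEP) or elliptic-curve schemes, a CSPRNG for key generation, and an authenticated cipher such as AES-GCM; the key sizes, the message and the tampering step are constructed for the example.

```python
import hashlib
import hmac
import os
import random


# ---- Toy primitives (stand-ins so the example runs offline; not for production) ----

def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # odd, full bit length
        if _is_probable_prime(candidate, rng):
            return candidate


def rsa_keygen(bits=512, seed=None):
    """Return (public, private) as (n, exponent) tuples. `seed` makes the toy keys
    reproducible; a real key generator must draw from a CSPRNG (the secrets module)."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:          # e is prime, so this guarantees gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_apply(value, key):
    """Textbook RSA: value ** exponent mod n (signing, verifying, wrapping, unwrapping)."""
    n, exponent = key
    return pow(value, exponent, n)


def _keystream_xor(key, data):
    """Toy stream cipher: XOR with an HMAC-SHA256 counter keystream (stand-in for AES)."""
    stream = b"".join(hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


# ---- The envelope from option A ----

def seal(message, sender_priv, receiver_pub, sym_key=None):
    digest = hashlib.sha256(message).digest()                               # over the ENTIRE message
    signature = rsa_apply(int.from_bytes(digest, "big"), sender_priv)       # integrity + non-repudiation
    sym_key = sym_key if sym_key is not None else os.urandom(16)
    ciphertext = _keystream_xor(sym_key, message)                           # confidentiality of bulk data
    wrapped_key = rsa_apply(int.from_bytes(sym_key, "big"), receiver_pub)   # only the receiver can unwrap
    return {"ciphertext": ciphertext, "signature": signature, "wrapped_key": wrapped_key}


def open_envelope(envelope, receiver_priv, sender_pub):
    """Reverse the steps; return the plaintext, or None when the signature does not match
    the digest of the recovered message (tampering, or a sender other than the claimed one)."""
    try:
        sym_key = rsa_apply(envelope["wrapped_key"], receiver_priv).to_bytes(16, "big")
        message = _keystream_xor(sym_key, envelope["ciphertext"])
        recovered_digest = rsa_apply(envelope["signature"], sender_pub).to_bytes(32, "big")
    except OverflowError:                    # wrong key: the value is not a 128-bit key / 256-bit digest
        return None
    if not hmac.compare_digest(recovered_digest, hashlib.sha256(message).digest()):
        return None
    return message


def tamper(envelope):
    """Constructed attack: flip one bit of the ciphertext in transit."""
    ct = bytearray(envelope["ciphertext"])
    ct[0] ^= 0x01
    return {**envelope, "ciphertext": bytes(ct)}
```

Two details carry the exam point. The digest is computed over the whole message, so flipping any bit of the ciphertext changes the recovered plaintext and the check fails; a digest over only part of the message would leave the rest unprotected. And verification uses the sender's public key, so an envelope that opens cleanly could only have been signed by the holder of the matching private key, which is what "verifying the originator" in Question #59 means.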
Question #66
Statistical sampling is NOT based on which of the following audit sample techniques?
A. Haphazard Sampling
B. Random Sampling
C. Cell Sampling
D. Fixed interval sampling
View answer
Correct Answer: A
Question #67
An IS auditor reviewing database controls discovered that changes to the database during normal working hours were handled through a standard set of procedures. However, changes made after normal hours required only an abbreviated number of steps. In this situation, which of the following would be considered an adequate set of compensating controls?
A. Allow changes to be made only with the DBA user account
B. Make changes to the database after granting access to a normal user account
C. Use the DBA user account to make changes, log the changes and review the change log the following day
D. Use the normal user account to make changes, log the changes and review the change log the following day
View answer
Correct Answer: C
Question #68
Which of the following fourth-generation language (4GL) types is a development tool that generates lower-level programming language code?
A. Query and report generator
B. Embedded database 4GLs
C. Relational database 4GL
D. Application generators
View answer
Correct Answer: D
Question #69
An organization wants to reuse company-provided smartphones collected from staff leaving the organization. Which of the following would be the BEST recommendation?
A. The memory cards of the smartphones should be replaced
B. Smartphones should not be reused, but physically destroyed
C. Data should be securely deleted from the smartphones
D. The SIM card and telephone number should be changed
View answer
Correct Answer: C
Question #70
Who is responsible for ensuring that system controls and supporting processes provide an effective level of protection, based on the data classification set in accordance with corporate security policies and procedures?
A. Project Sponsor
B. Security Officer
C. User Management
D. Senior Management
View answer
Correct Answer: B
Question #71
Which of the following is the GREATEST advantage of elliptic curve encryption over RSA encryption?
A. Computation speed
B. Ability to support digital signatures
C. Simpler key distribution
D. Greater strength for a given key length
View answer
Correct Answer: D
Question #72
Which of the following audits includes specific tests of controls to demonstrate adherence to a specific regulatory or industry standard?
A. Compliance Audit
B. Financial Audit
C. Operational Audit
D. Forensic audit
View answer
Correct Answer: A
Question #73
For an auditor, it is very important to understand the different forms of project organization and their implication in the control of project management activities. In which of the following project organization form is management authority shared between the project manager and the department head?
A. Influence project organization
B. Pure project organization
C. Matrix project organization
D. Forward project organization
View answer
Correct Answer: C
Question #74
Which of the following audit risks relates to material errors or misstatements that have occurred and will not be detected by an IS auditor?
A. Inherent Risk
B. Control Risk
C. Detection Risk
D. Overall Audit Risk
View answer
Correct Answer: C
Question #75
Which of the following is not a common method of multiplexing data?
A. Analytical multiplexing
B. Time-division multiplexing
C. Asynchronous time-division multiplexing
D. Frequency division multiplexing
View answer
Correct Answer: A
Question #76
Which of the following is MOST directly affected by network performance monitoring tools?
A. Integrity
B. Availability
C. Completeness
D. Confidentiality
View answer
Correct Answer: B
Question #77
To verify that the correct version of a data file was used for a production run, an IS auditor should review:
A. operator problem reports
B. operator work schedules
C. system logs
D. output distribution reports
View answer
Correct Answer: C
Question #78
Which of the following layers of the OSI model encapsulates packets into frames?
A. Transport Layer
B. Network Layer
C. Data Link Layer
D. Physical Layer
View answer
Correct Answer: C
Question #79
What are the different types of Audits?
A. Compliance, financial, operational, forensic and integrated
B. Compliance, financial, operational, G9 and integrated
C. Compliance, financial, SA1, forensic and integrated
D. Compliance, financial, operational, forensic and capability
View answer
Correct Answer: A
Question #80
Who provides the funding to the project and works closely with the project manager to define critical success factor (CSF)?
A. Project Sponsor
B. Security Officer
C. User Management
D. Senior Management
View answer
Correct Answer: A
Question #81
Which of the following layers of an enterprise data flow architecture is concerned with the assembly and preparation of data for loading into data marts?
A. Data preparation layer
B. Desktop Access Layer
C. Data Mart layer
D. Data access layer
View answer
Correct Answer: A
Question #82
Which of the following is the MOST reliable way for an IS auditor to evaluate the operational effectiveness of an organization’s data loss prevention (DLP) controls?
A. Verify that confidential files cannot be transmitted to a personal USB device
View answer
Correct Answer: D
Question #83
The MAIN criterion for determining the severity level of a service disruption incident is:
A. cost of recovery
B. negative public opinion
C. geographic location
D. downtime
View answer
Correct Answer: D
Question #84
Which device acting as a translator is used to connect two networks or applications from layer 4 up to layer 7 of the ISO/OSI Model?
A. Bridge
B. Repeater
C. Router
D. Gateway
View answer
Correct Answer: D
Question #85
Which of the following would be of MOST concern to an IS auditor reviewing a virtual private network (VPN) implementation? Computers on the network that are located:
A. on the enterprise's internal network
C. in employees’ homes
D. at the enterprise’s remote offices
View answer
Correct Answer: C
