Optimize Your CISA Exam Prep, Practice Tests, Certified Information Systems Auditor | SPOTO

To optimize your CISA exam preparation, leveraging mock tests is a strategic approach that can significantly enhance your chances of success. Mock exams provide a simulated testing environment where you can practice answering exam questions under timed conditions, similar to the actual exam scenario. This experience helps you become familiar with the exam format, question types, and overall difficulty level. By engaging in mock tests, you gain insights into your readiness levels, identify areas for improvement, and fine-tune your exam strategy. Accessing a diverse range of exam questions, sample questions, and online exam simulations through SPOTO's resources enables comprehensive preparation. Utilize practice tests, exam dumps, and exam simulators to reinforce your knowledge, refine your exam skills, and boost your confidence for the Certified Information Systems Auditor (CISA) exam.

Question #1
Which of the following terms related to network performance refers to the number of corrupted bits expressed as a percentage or fraction of the total sent?
A. Bandwidth
B. Throughput
C. Latency
D. Error Rate
Correct Answer: D
Question #2
Which of the following is a guiding best practice for implementing logical access controls?
A. Implementing the Biba Integrity Model
B. Access is granted on a least-privilege basis, per the organization's data owners
C. Implementing the Take-Grant access control model
D. Classifying data according to the subject’s requirements
Correct Answer: A
Question #3
Which of the following INCORRECTLY describes the layer function of the Application Layer within the TCP/IP model?
A. Provides user interface
B. Performs data processing such as encryption, encoding, etc.
C. Provides reliable delivery
D. Keeps separate the data of different applications
Correct Answer: D
Question #4
Which of the following would an IS auditor consider the MOST relevant to short-term planning for an IS department?
A. Allocating resources
B. Keeping current with technology advances
C. Conducting control self-assessment
D. Evaluating hardware needs
Correct Answer: B
Question #5
What is a reliable technique for estimating the scope and cost of a software-development project?
A. Function point analysis (FPA)
B. Feature point analysis (FPA)
C. GANTT
D. PERT
Correct Answer: C
Question #6
When auditing a proxy-based firewall, an IS auditor should:
A. verify that the firewall is not dropping any forwarded packets
B. review Address Resolution Protocol (ARP) tables for appropriate mapping between media access control (MAC) and IP addresses
C. verify that the filters applied to services such as HTTP are effective
D. test whether routing information is forwarded by the firewall
Correct Answer: D
Question #7
An IS auditor reviewing an organization's IT strategic plan should FIRST review:
A. the existing IT environment
B. the business plan
C. the present IT budget
D. current technology trends
Correct Answer: C
Question #8
What control detects transmission errors by appending calculated bits onto the end of each segment of data?
A. Reasonableness check
B. Parity check
C. Redundancy check
D. Check digits
Correct Answer: C
Question #9
In order to properly protect against unauthorized disclosure of sensitive data, how should hard disks be sanitized?
A. The data should be deleted and overwritten with binary 0s
B. The data should be demagnetized
C. The data should be low-level formatted
D. The data should be deleted
Correct Answer: A
Question #10
Proper segregation of duties does not prohibit a quality control administrator from also being responsible for change control and problem management. True or false?
A. True
B. False
Correct Answer: A
Question #11
During a post-incident review of a security breach, what type of analysis should an IS auditor expect to be performed by the organization's information security team?
A. Gap analysis
B. Business impact analysis (BIA)
C. Qualitative risk analysis
D. Root cause analysis
Correct Answer: D
Question #12
Which of the following provides the BEST single-factor authentication?
A. Biometrics
B. Password
C. Token
D. PIN
Correct Answer: D
Question #13
An IS auditor is auditing the infrastructure of an organization that hosts critical applications within a virtual environment. Which of the following is MOST important for the auditor to focus on?
A. The ability to copy and move virtual machines in real time
B. The controls in place to prevent compromise of the host
C. Issues arising from system management of a virtual infrastructure
D. Qualifications of employees managing the applications
Correct Answer: A
Question #14
Following an acquisition, it was decided that legacy applications subject to compliance requirements will continue to be used until they can be phased out. The IS auditor needs to determine where there are control redundancies and where gaps may exist. Which of the following activities would be MOST helpful in making this determination?
A. Control self-assessments
B. Risk assessment
C. Control testing
D. Control mapping
Correct Answer: C
Question #15
Which of the following types of transmission media provide the BEST security against unauthorized access?
A. Copper wire
B. Twisted pair
C. Fiber-optic cables
D. Coaxial cables
Correct Answer: C
Question #16
What is an initial step in creating a proper firewall policy?
A. Assigning access to users according to the principle of least privilege
B. Determining appropriate firewall hardware and software
C. Identifying network applications such as mail, web, or FTP servers
D. Configuring firewall access rules
Correct Answer: B
Question #17
Following an IT audit, management has decided to accept the risk highlighted in the audit report. Which of the following would provide the MOST assurance to the IS auditor that management is adequately balancing the needs of the business with the need to manage risk?
A. Established criteria exist for accepting and approving risk
B. Identified risk is reported into the organization’s risk committee
C. Potential impact and likelihood is adequately documented
D. A communication plan exists for informing parties impacted by the risk
Correct Answer: A
Question #18
In an organization where an IT security baseline has been defined, an IS auditor should FIRST ensure:
A. implementation
B. compliance
C. documentation
D. sufficiency
Correct Answer: B
Question #19
What process is used to validate a subject’s identity?
A. Identification
B. Nonrepudiation
C. Authorization
D. Authentication
Correct Answer: A
Question #20
An IS auditor should expect which of the following items to be included in the request for proposal (RFP) when IS is procuring services from an independent service provider (ISP)?
A. References from other customers
B. Service level agreement (SLA) template
C. Maintenance agreement
D. Conversion plan
Correct Answer: D
Question #21
Which of the following is the BEST practice to ensure that access authorizations are still valid?
A. Information owner provides authorization for users to gain access
B. Identity management is integrated with human resource processes
C. Information owners periodically review the access controls
D. An authorization matrix is used to establish validity of access
Correct Answer: D
Question #22
At the completion of a system development project, a post project review should include which of the following?
A. Assessing risks that may lead to downtime after the production release
B. Identifying lessons learned that may be applicable to future projects
C. Verifying the controls in the delivered system are working
D. Ensuring that test data are deleted
Correct Answer: A
Question #23
Which of the following provides the framework for designing and developing logical access controls?
A. Information systems security policy
B. Access control lists
C. Password management
D. System configuration files
Correct Answer: B
Question #24
When identifying an earlier project completion time, which is to be obtained by paying a premium for early completion, the activities that should be selected are those:
A. whose sum of activity time is the shortest
B. that have zero slack time
C. that give the longest possible completion time
D. whose sum of slack time is the shortest
Correct Answer: D
Question #25
When storing data archives off-site, what must be done with the data to ensure data completeness?
A. The data must be normalized
B. The data must be validated
C. The data must be parallel-tested
D. The data must be synchronized
Correct Answer: B
Question #26
In a client-server architecture, a domain name service (DNS) is MOST important because it provides the:
A. address of the domain server
B. resolution service for the name/address
C. IP addresses for the internet
D. domain name system
Correct Answer: A
Question #27
An IS auditor was hired to review e-business security. The IS auditor's first task was to examine each existing e-business application looking for vulnerabilities. What would be the next task?
A. Report the risks to the CIO and CEO immediately
B. Examine e-business application in development
C. Identify threats and likelihood of occurrence
D. Check the budget available for risk management
Correct Answer: C
Question #28
What is often assured through table link verification and reference checks?
A. Database integrity
B. Database synchronization
C. Database normalcy
D. Database accuracy
Correct Answer: C
Question #29
When reviewing the IT strategic planning process, an IS auditor should ensure that the plan:
A. incorporates state of the art technology
B. addresses the required operational controls
C. articulates the IT mission and vision
D. specifies project management practices
Correct Answer: C
Question #30
A top-down approach to the development of operational policies will help ensure:
A. that they are consistent across the organization
B. that they are implemented as a part of risk assessment
C. compliance with all policies
D. that they are reviewed periodically
Correct Answer: B
Question #31
Network environments often add to the complexity of program-to-program communication, making the implementation and maintenance of application systems more difficult. True or false?
A. True
B. False
Correct Answer: D
Question #32
A legacy payroll application is migrated to a new application. Which of the following stakeholders should be PRIMARILY responsible for reviewing and signing off on the accuracy and completeness of the data before going live?
A. IS auditor
B. Database administrator
C. Project manager
D. Data owner
Correct Answer: C
Question #33
Which of the following INCORRECTLY describes the layer functions of the LAN or WAN Layer of the TCP/IP model?
A. Combines packets into bytes and bytes into frames
B. Provides logical addressing, which routers use for path determination
C. Provides addressing to the media using the MAC address
D. Performs only error detection
Correct Answer: C
Question #34
A business application system accesses a corporate database using a single ID and password embedded in a program. Which of the following would provide efficient access control over the organization's data?
A. Introduce a secondary authentication method such as card swipe
B. Apply role-based permissions within the application system
C. Have users input the ID and password for each database transaction
D. Set an expiration period for the database password embedded in the program
Correct Answer: B
Question #35
Above almost all other concerns, what often results in the greatest negative impact on the implementation of new application software?
A. Failing to perform user acceptance testing
B. Lack of user training for the new system
C. Lack of software documentation and run manuals
D. Insufficient unit, module, and systems testing
Correct Answer: B
Question #36
To mitigate the risk of exposing data through application programming interface (API) queries, which of the following design considerations is MOST important?
A. Data minimization
B. Data quality
C. Data retention
D. Data integrity
Correct Answer: A
Question #37
Which of the following is an effective method for controlling downloading of files via FTP?
A. An application-layer gateway, or proxy firewall, but not stateful inspection firewalls
B. An application-layer gateway, or proxy firewall
C. A circuit-level gateway
D. A first-generation packet-filtering firewall
Correct Answer: B
Question #38
What supports data transmission through split cable facilities or duplicate cable facilities?
A. Diverse routing
B. Dual routing
C. Alternate routing
D. Redundant routing
Correct Answer: D
Question #39
When should reviewing an audit client's business plan be performed relative to reviewing an organization's IT strategic plan?
A. Reviewing an audit client's business plan should be performed before reviewing an organization's IT strategic plan
B. Reviewing an audit client's business plan should be performed after reviewing an organization's IT strategic plan
C. Reviewing an audit client's business plan should be performed during the review of an organization's IT strategic plan
D. Reviewing an audit client's business plan should be performed without regard to an organization's IT strategic plan
Correct Answer: A
Question #40
The GREATEST risk when end users have access to a database at its system level, instead of through the application, is that the users can:
A. make unauthorized changes to the database directly, without an audit trail
B. make use of a system query language (SQL) to access information
C. remotely access the database
D. update data without authentication
Correct Answer: C
Question #41
An advantage of a continuous audit approach is that it can improve system security when used in time-sharing environments that process a large number of transactions. True or false?
A. True
B. False
Correct Answer: C
Question #42
Which of the following is the BEST audit procedure to determine if a firewall is configured in compliance with an organization's security policy?
A. Review the parameter settings
B. Interview the firewall administrator
C. Review the actual procedures
D. Review the device's log file for recent attacks
Correct Answer: D
Question #43
An IS auditor invited to a development project meeting notes that no project risks have been documented. When the IS auditor raises this issue, the project manager responds that it is too early to identify risks and that, if risks do start impacting the project, a risk manager will be hired. The appropriate response of the IS auditor would be to:
A. stress the importance of spending time at this point in the project to consider and document risks, and to develop contingency plans
B. accept the project manager's position as the project manager is accountable for the outcome of the project
C. offer to work with the risk manager when one is appointed
D. inform the project manager that the IS auditor will conduct a review of the risks at the completion of the requirements definition phase of the project
Correct Answer: A
Question #44
Failure in which of the following testing stages would have the GREATEST impact on the implementation of new application software?
A. System testing
B. Acceptance testing
C. Integration testing
D. Unit testing
Correct Answer: D
Question #45
During the audit of a database server, which of the following would be considered the GREATEST exposure?
A. The password does not expire on the administrator account
B. Default global security settings for the database remain unchanged
C. Old data have not been purged
D. Database activity is not fully logged
Correct Answer: A
Question #46
In large corporate networks having supply partners across the globe, network traffic may continue to rise. The infrastructure components in such environments should be scalable. Which of the following firewall architectures limits future scalability?
A. Appliances
B. Operating system-based
C. Host-based
D. Demilitarized
Correct Answer: A
Question #47
Which of the following user profiles should be of MOST concern to an IS auditor when performing an audit of an EFT system?
A. Three users with the ability to capture and verify their own messages
B. Five users with the ability to capture and send their own messages
C. Five users with the ability to verify other users and to send their own messages
D. Three users with the ability to capture and verify the messages of other users and to send their own messages
Correct Answer: C
Question #48
What is an edit check to determine whether a field contains valid data?
A. Completeness check
B. Accuracy check
C. Redundancy check
D. Reasonableness check
Correct Answer: C
Question #49
During the audit of an acquired software package, an IS auditor learned that the software purchase was based on information obtained through the Internet, rather than from responses to a request for proposal (RFP). The IS auditor should FIRST:
A. test the software for compatibility with existing hardware
B. perform a gap analysis
C. review the licensing policy
D. ensure that the procedure had been approved
Correct Answer: B
Question #50
To minimize the cost of a software project, quality management techniques should be applied:
A. as close to their writing (i
B. primarily at project start-up to ensure that the project is established in accordance with organizational governance standards
C. continuously throughout the project with an emphasis on finding and fixing defects primarily during testing to maximize the defect detection rate
D. mainly at project close-down to capture lessons learned that can be applied to future projects
Correct Answer: B
Question #51
Which of the following are effective in detecting fraud because they have the capability to consider a large number of variables when trying to resolve a problem?
A. Expert systems
B. Neural networks
C. Integrated synchronized systems
D. Multitasking applications
Correct Answer: B
Question #52
Which of the following is the BEST information source for management to use as an aid in the identification of assets that are subject to laws and regulations?
A. Security incident summaries
B. Vendor best practices
C. CERT coordination center
D. Significant contracts
Correct Answer: A
Question #53
Which of the following is the protocol data unit (PDU) of the network interface layer in the TCP/IP model?
A. Data
B. Segment
C. Packet
D. Frame
Correct Answer: C
Question #54
What determines the strength of a secret key within a symmetric key cryptosystem?
A. A combination of key length, degree of permutation, and the complexity of the data-encryption algorithm that uses the key
B. A combination of key length, initial input vectors, and the complexity of the data-encryption algorithm that uses the key
C. A combination of key length and the complexity of the data-encryption algorithm that uses the key
D. Initial input vectors and the complexity of the data-encryption algorithm that uses the key
Correct Answer: B
Question #55
Documentation of a business case used in an IT development project should be retained until:
A. the end of the system's life cycle
B. the project is approved
C. user acceptance of the system
D. the system is in production
Correct Answer: A
Question #56
Which of the following should be considered FIRST when implementing a risk management program?
A. An understanding of the organization's threat, vulnerability and risk profile
B. An understanding of the risk exposures and the potential consequences of compromise
C. A determination of risk management priorities based on potential consequences
D. A risk mitigation strategy sufficient to keep risk consequences at an acceptable level
Correct Answer: C
Question #57
A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a risk. To evaluate the potential losses, the team should:
A. compute the amortization of the related assets
B. calculate a return on investment (ROI)
C. apply a qualitative approach
D. spend the time needed to define exactly the loss amount
Correct Answer: B
Question #58
The logical exposure associated with the use of a checkpoint restart procedure is:
A. denial of service
B. an asynchronous attack
C. wire tapping
D. computer shutdown
Correct Answer: A
Question #59
A small organization does not have enough employees to implement adequate segregation of duties in accounts payable. Which of the following is the BEST compensating control to mitigate the risk associated with this situation?
A. Regular reconciliation of key transactions approved by a supervisor
B. Supervisory review of logs to detect changes in vendors
C. Review of transactions exceeding a specific threshold
D. Rotation of duties among existing personnel
Correct Answer: C
Question #60
Which of the following is the GREATEST risk to the effectiveness of application system controls?
A. Removal of manual processing steps
B. Inadequate procedure manuals
C. Collusion between employees
D. Unresolved regulatory compliance issues
Correct Answer: C
Question #61
Which of the following database models allows many-to-many relationships in a tree-like structure that permits multiple parents?
A. Hierarchical database model
B. Network database model
C. Relational database model
D. Object-relational database model
Correct Answer: B
Question #62
Which of the following provides the BEST evidence that network filters are functioning?
A. Reviewing network configuration rules
B. Reviewing network filtering policy
C. Performing network port scans
D. Analyzing network performance
Correct Answer: D
Question #63
Which type of major BCP test only requires representatives from each operational area to meet to review the plan?
A. Parallel
B. Preparedness
C. Walk-through
D. Paper
Correct Answer: D
Question #64
Who is ultimately responsible and accountable for reviewing user access to systems?
A. Systems security administrators
B. Data custodians
C. Data owners
D. Information systems auditors
Correct Answer: B
Question #65
To prevent unauthorized entry to the data maintained in a dial-up, fast response system, an IS auditor should recommend:
A. online terminals are placed in restricted areas
B. online terminals are equipped with key locks
C. ID cards are required to gain access to online terminals
D. online access is terminated after a specified number of unsuccessful attempts
Correct Answer: C
Question #66
Receiving an EDI transaction and passing it through the communications interface stage usually requires:
A. translating and unbundling transactions
B. routing verification procedures
C. passing data to the appropriate application system
D. creating a point of receipt audit log
Correct Answer: A
Question #67
There are many known weaknesses within an Intrusion Detection System (IDS). Which of the following is NOT a limitation of an IDS?
A. Weakness in the identification and authentication scheme
B. Application level vulnerability
D. Detects zero-day attacks
Correct Answer: C
Question #68
Which of the following is a feature of Wi-Fi Protected Access (WPA) in wireless networks?
A. Session keys are dynamic
B. Private symmetric keys are used
C. Keys are static and shared
D. Source addresses are not encrypted or authenticated
Correct Answer: A
Question #69
Identify the INCORRECT statement related to network performance below.
A. Bandwidth - Bandwidth commonly measured in bits/second is the maximum rate that information can be transferred
B. Latency - Latency the actual rate that information is transferred
C. Jitter - Jitter variation in the time of arrival at the receiver of the information
D. Error Rate - Error rate the number of corrupted bits expressed as a percentage or fraction of the total sent
Correct Answer: D
Question #70
In a client-server system, which of the following control techniques is used to inspect activity from known or unknown users?
A. Diskless workstations
B. Data encryption techniques
C. Network monitoring devices
D. Authentication systems
Correct Answer: D
Question #71
Accountability for the maintenance of appropriate security measures over information assets resides with the:
A. security administrator
B. systems administrator
C. data and systems owners
D. systems operations group
Correct Answer: A
Question #72
Which of the following is MOST important for an IS auditor to consider when auditing a vulnerability scanning software solution?
A. The scanning software was purchased from an approved vendor
C. The scanning software covers critical systems
D. The scanning software is cost-effective
Correct Answer: C
Question #73
How often should a Business Continuity Plan be reviewed?
A. At least once a month
B. At least every six months
C. At least once a year
D. At least quarterly
Correct Answer: B
Question #74
An IS auditor examining the configuration of an operating system to verify the controls should review the:
A. transaction logs
B. authorization tables
C. parameter settings
D. routing tables
Correct Answer: A
Question #75
An IS auditor has identified the lack of an authorization process for users of an application. The IS auditor's main concern should be that:
A. more than one individual can claim to be a specific user
B. there is no way to limit the functions assigned to users
C. user accounts can be shared
D. users have a need-to-know privilege
Correct Answer: C
Question #76
Which of the following is NOT a disadvantage of Single Sign On (SSO)?
A. Support for all major operating system environments is difficult
B. The cost associated with SSO development can be significant
C. SSO could be a single point of failure and lead to total compromise of an organization's assets
D. SSO improves an administrator's ability to manage user accounts and authorizations across all associated systems
Correct Answer: A
Question #77
Which of the following protocols would be involved in the implementation of a router and an interconnectivity device monitoring system?
A. Simple Network Management Protocol
B. File Transfer Protocol
C. Simple Mail Transfer Protocol
D. Telnet
Correct Answer: D
Question #78
Function Point Analysis (FPA) provides an estimate of the size of an information system based only on the number and complexity of a system's inputs and outputs. True or false?
A. True
B. False
Correct Answer: A
Question #79
The output of the risk management process is an input for making:
A. business plans
B. audit charters
C. security policy decisions
D. software design decisions
Correct Answer: A
Question #80
When reviewing the implementation of a LAN, an IS auditor should FIRST review the:
A. node list
B. acceptance test report
C. network diagram
D. user's list
Correct Answer: A