Prepare Efficiently CISA Exam Questions, Certified Information Systems Auditor | SPOTO

Prepare efficiently for CISA exam questions with SPOTO's dedicated resources for Certified Information Systems Auditors. Incorporating mock tests into your preparation strategy offers several key advantages for mastering certification exams. Mock exams provide a simulated testing environment where you can practice with exam questions, sample questions, and online exam simulations under timed conditions. This experience helps you familiarize yourself with the exam format, improve your speed and accuracy in answering questions, and identify areas that require additional focus. Access SPOTO's comprehensive exam materials, including practice tests, exam dumps, and exam simulators, to enhance your exam readiness. Utilize mock exams to refine your exam strategy, assess your strengths and weaknesses, and optimize your preparation efforts for a successful outcome in the CISA exam.

Question #1
Which of the following ensures the availability of transactions in the event of a disaster?
A. Send tapes hourly containing transactions offsite
B. Send tapes daily containing transactions offsite
C. Capture transactions to multiple storage devices
D. Transmit transactions offsite in real time
Correct Answer: D
Question #2
Who is responsible for implementing cost-effective controls in an automated system?
A. Security policy administrators
B. Business unit management
C. Senior management
D. Board of directors
Correct Answer: B
Question #3
An IS steering committee should:
A. include a mix of members from different departments and staff levels
B. ensure that IS security policies and procedures have been executed properly
C. have formal terms of reference and maintain minutes of its meetings
D. be briefed about new trends and products at each meeting by a vendor
Correct Answer: C
Question #4
When planning an audit of a network setup, an IS auditor should give highest priority to obtaining which of the following network documentation?
A. Wiring and schematic diagram
B. Users' lists and responsibilities
C. Application lists and their details
D. Backup and recovery procedures
Correct Answer: A
Question #5
In planning an audit, the MOST critical step is the identification of the:
A. areas of high risk
B. skill sets of the audit staff
C. test steps in the audit
D. time allotted for the audit
Correct Answer: A
Question #6
Regarding a disaster recovery plan, the role of an IS auditor should include:
A. identifying critical applications
B. determining the external service providers involved in a recovery test
C. observing the tests of the disaster recovery plan
D. establishing a recovery time objective (RTO)
Correct Answer: C
Question #7
Accountability for the maintenance of appropriate security measures over information assets resides with the:
A. security administrator
B. systems administrator
C. data and systems owners
D. systems operations group
Correct Answer: C
Question #8
While reviewing sensitive electronic work papers, the IS auditor noticed that they were not encrypted. This could compromise the:
A. audit trail of the versioning of the work papers
B. approval of the audit phase
C. access rights to the work papers
D. confidentiality of the work papers
Correct Answer: D
Question #9
Management considered two projections for its business continuity plan; plan A with two months to recover and plan B with eight months to recover. The recovery objectives are the same in both plans. It is reasonable to expect that plan B projected higher:
A. downtime costs
B. resumption costs
C. recovery costs
D. walkthrough costs
Correct Answer: A
Question #10
An IS auditor should recommend the use of library control software to provide reasonable assurance that:
A. program changes have been authorized
B. only thoroughly tested programs are released
C. modified programs are automatically moved to production
D. source and executable code integrity is maintained
Correct Answer: A
Question #11
Many organizations require an employee to take a mandatory vacation (holiday) of a week or more to:
A. ensure the employee maintains a good quality of life, which will lead to greater productivity
B. reduce the opportunity for an employee to commit an improper or illegal act
C. provide proper cross-training for another employee
D. eliminate the potential disruption caused when an employee takes vacation one day at a time
Correct Answer: B
Question #12
Which of the following disaster recovery/continuity plan components provides the GREATEST assurance of recovery after a disaster?
A. The alternate facility will be available until the original information processing facility is restored
B. User management is involved in the identification of critical systems and their associated critical recovery times
C. Copies of the plan are kept at the homes of key decision-making personnel
D. Feedback is provided to management assuring them that the business continuity plans are indeed workable and that the procedures are current
Correct Answer: D
Question #13
The use of residual biometric information to gain unauthorized access is an example of which of the following attacks?
A. Replay
B. Brute force
C. Cryptographic
D. Mimic
Correct Answer: A
Question #14
A call-back system requires that a user with an id and password call a remote server through a dial-up line, then the server disconnects and:
A. dials back to the user machine based on the user id and password using a telephone number from its database
B. dials back to the user machine based on the user id and password using a telephone number provided by the user during this connection
C. waits for a redial back from the user machine for reconfirmation and then verifies the user id and password using its database
D. waits for a redial back from the user machine for reconfirmation and then verifies the user id and password using the sender's database
Correct Answer: A
Question #15
Which of the following is the GREATEST concern when an organization's backup facility is at a warm site?
A. Timely availability of hardware
B. Availability of heat, humidity and air conditioning equipment
C. Adequacy of electrical power connections
D. Effectiveness of the telecommunications network
Correct Answer: A
Question #16
A hot site should be implemented as a recovery strategy when the:
A. disaster tolerance is low
B. recovery point objective (RPO) is high
C. recovery time objective (RTO) is high
D. disaster tolerance is high
Correct Answer: A
Question #17
How does the process of systems auditing benefit from using a risk-based approach to audit planning?
A. Controls testing starts earlier
B. Auditing resources are allocated to the areas of highest concern
C. Auditing risk is reduced
D. Controls testing is more thorough
Correct Answer: B
Question #18
Which of the following does a lack of adequate security controls represent?
A. Threat
B. Asset
C. Impact
D. Vulnerability
Correct Answer: D
Question #19
Which of the following backup techniques is the MOST appropriate when an organization requires extremely granular data restore points, as defined in the recovery point objective (RPO)?
A. Virtual tape libraries
B. Disk-based snapshots
C. Continuous data backup
D. Disk-to-tape backup
Correct Answer: C
Question #20
Which of the following would be the BEST method for ensuring that critical fields in a master record have been updated properly?
A. Field checks
B. Control totals
C. Reasonableness checks
D. A before-and-after maintenance report
Correct Answer: D
Question #21
Integer overflow occurs primarily with:
A. string formatting
B. debug operations
C. output formatting
D. input verifications
F. None of the choices
Correct Answer: D
Question #22
Which of the following controls would be the MOST comprehensive in a remote access network with multiple and diverse subsystems?
A. Proxy server
B. Firewall installation
C. Network administrator
D. Password implementation and administration
Correct Answer: D
Question #23
Of the three major types of off-site processing facilities, what type is often an acceptable solution for preparing for recovery of noncritical systems and data?
A. Cold site
B. Hot site
C. Alternate site
D. Warm site
Correct Answer: A
Question #24
Which of the following is the MOST important consideration when defining recovery point objectives (RPOs)?
A. Minimum operating requirements
B. Acceptable data loss
C. Mean time between failures
D. Acceptable time for recovery
Correct Answer: B
Question #25
The purpose of a deadman door controlling access to a computer facility is primarily to:
A. prevent piggybacking
B. prevent toxic gases from entering the data center
C. starve a fire of oxygen
D. prevent an excessively rapid entry to, or exit from, the facility
Correct Answer: A
Question #26
Who is ultimately accountable for the development of an IS security policy?
A. The board of directors
B. Middle management
C. Security administrators
D. Network administrators
Correct Answer: A
Question #27
When should reviewing an audit client's business plan be performed relative to reviewing an organization's IT strategic plan?
A. Reviewing an audit client's business plan should be performed before reviewing an organization's IT strategic plan
B. Reviewing an audit client's business plan should be performed after reviewing an organization's IT strategic plan
C. Reviewing an audit client's business plan should be performed during the review of an organization's IT strategic plan
D. Reviewing an audit client's business plan should be performed without regard to an organization's IT strategic plan
Correct Answer: A
Question #28
Which of the following is a technique that could be used to capture network user passwords?
A. Encryption
B. Sniffing
C. Spoofing
D. Data destruction
Correct Answer: B
Question #29
Company.com has contracted with an external consulting firm to implement a commercial financial system to replace its existing in-house developed system. In reviewing the proposed development approach, which of the following would be of GREATEST concern?
A. Acceptance testing is to be managed by users
B. A quality plan is not part of the contracted deliverables
C. Not all business functions will be available on initial implementation
D. Prototyping is being used to confirm that the system meets business requirements
Correct Answer: B
Question #30
When developing a disaster recovery plan, the criteria for determining the acceptable downtime should be the:
A. annualized loss expectancy (ALE)
B. service delivery objective
C. quantity of orphan data
D. maximum tolerable outage
Correct Answer: D
Question #31
Which of the following systems-based approaches would a financial processing company employ to monitor spending patterns to identify abnormal patterns and report them?
A. A neural network
B. Database management software
C. Management information systems
D. Computer assisted audit techniques
Correct Answer: A
Question #32
Which of the following is a mechanism for mitigating risks?
A. Security and control practices
B. Property and liability insurance
C. Audit and certification
D. Contracts and service level agreements (SLAs)
Correct Answer: A
Question #33
During an audit of a telecommunications system, an IS auditor finds that the risk of intercepting data transmitted to and from remote sites is very high. The MOST effective control for reducing this exposure is:
A. encryption
B. callback modems
C. message authentication
D. dedicated leased lines
Correct Answer: A
Question #34
The GREATEST benefit in implementing an expert system is the:
A. capturing of the knowledge and experience of individuals in an organization
B. sharing of knowledge in a central repository
C. enhancement of personnel productivity and performance
D. reduction of employee turnover in key departments
Correct Answer: A
Question #35
A transaction journal provides the information necessary for detecting unauthorized _____________ (fill in the blank) from a terminal.
A. Deletion
B. Input
C. Access
D. Duplication
Correct Answer: B
Question #36
Which of the following is an example of a passive attack initiated through the Internet?
A. Traffic analysis
B. Masquerading
C. Denial of service
D. E-mail spoofing
Correct Answer: A
Question #37
When is regression testing used to determine whether new application changes have introduced any errors in the remaining unchanged code?
A. In program development and change management
B. In program feasibility studies
C. In program development
D. In change management
Correct Answer: A
Question #38
Which of the following is the MOST robust method for disposing of magnetic media that contains confidential information?
A. Degaussing
B. Defragmenting
C. Erasing
D. Destroying
Correct Answer: D
Question #39
Which of the following should an IS auditor review to determine user permissions that have been granted for a particular resource? Choose the BEST answer.
A. Systems logs
B. Access control lists (ACL)
C. Application logs
D. Error logs
Correct Answer: B
Question #40
Which of the following goals would you expect to find in an organization's strategic plan?
A. Test a new accounting package
B. Perform an evaluation of information technology needs
C. Implement a new project planning system within the next 12 months
D. Become the supplier of choice for the product offered
Correct Answer: D
Question #41
In what way is a common gateway interface (CGI) MOST often used on a webserver?
A. Consistent way for transferring data to the application program and back to the user
B. Computer graphics imaging method for movies and TV
C. Graphic user interface for web design
D. Interface to access the private gateway domain
Correct Answer: A
Question #42
The PRIMARY purpose of an IT forensic audit is:
A. to participate in investigations related to corporate fraud
B. the systematic collection of evidence after a system irregularity
C. to assess the correctness of an organization's financial statements
D. to determine that there has been criminal activity
Correct Answer: B
Question #43
Which of the following can help detect transmission errors by appending specially calculated bits onto the end of each segment of data?
A. Redundancy check
B. Completeness check
C. Accuracy check
D. Parity check
Correct Answer: A
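Added example (not part of the SPOTO page): the redundancy check in Question #43, in Python, using the standard CRC-32 from zlib as the "specially calculated bits" appended to each segment, with a single parity bit alongside for comparison. The sender appends the CRC, the receiver recomputes it over the payload and compares, and a simulated two-bit transmission error shows why a parity bit is not enough while the CRC still catches it. The segment bytes and the flipped bit positions are constructed for illustration.

```python
import zlib


def parity_bit(data: bytes) -> int:
    """Even-parity bit over the whole segment: 1 if the number of set bits is odd."""
    return sum(bin(b).count("1") for b in data) & 1


def append_crc(segment: bytes) -> bytes:
    """Sender side: append a 4-byte CRC-32 (big-endian) to the segment."""
    return segment + zlib.crc32(segment).to_bytes(4, "big")


def check_crc(frame: bytes) -> bool:
    """Receiver side: recompute the CRC over the payload and compare with the trailer."""
    if len(frame) < 4:
        return False
    payload, trailer = frame[:-4], frame[-4:]
    return zlib.crc32(payload) == int.from_bytes(trailer, "big")


def flip_bits(data: bytes, positions) -> bytes:
    """Simulate transmission errors by flipping the given bit positions (0 = LSB of byte 0)."""
    buf = bytearray(data)
    for pos in positions:
        buf[pos // 8] ^= 1 << (pos % 8)
    return bytes(buf)


# Constructed sample segment (not taken from any real capture).
SEGMENT = b"ACCT 0042 DEBIT 1500.00"


def demo() -> dict:
    """Compare CRC-32 and parity on a clean frame, a one-bit error and a two-bit error."""
    frame = append_crc(SEGMENT)
    one_bit = flip_bits(frame, [3])        # one bit in payload byte 0
    two_bits = flip_bits(frame, [3, 12])   # one bit each in payload bytes 0 and 1
    return {
        "clean_ok": check_crc(frame),
        "one_bit_crc_detects": not check_crc(one_bit),
        "two_bit_crc_detects": not check_crc(two_bits),
        "one_bit_parity_detects": parity_bit(SEGMENT) != parity_bit(one_bit[:-4]),
        # Two flips leave the bit count's parity unchanged, so parity misses the error.
        "two_bit_parity_detects": parity_bit(SEGMENT) != parity_bit(two_bits[:-4]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

CRC-32 guarantees detection of all one-, two- and three-bit errors at frame lengths far beyond this segment, which is why link layers append a CRC rather than a parity bit. Neither protects against a deliberate modification, since an attacker can recompute the CRC; that is the job of a message authentication code.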
Question #44
During what process should router access control lists be reviewed?
A. Environmental review
B. Network security review
C. Business continuity review
D. Data integrity review
Correct Answer: B
Question #45
Which of the following is the GREATEST risk when storage growth in a critical file server is not managed properly?
A. Backup time would steadily increase
B. Backup operational cost would significantly increase
C. Storage operational cost would significantly increase
D. Server recovery work may not meet the recovery time objective (RTO)
Correct Answer: D
Question #46
Which of the following provides the best evidence of the adequacy of a security awareness program?
A. The number of stakeholders including employees trained at various levels
B. Coverage of training at all locations across the enterprise
C. The implementation of security devices from different vendors
D. Periodic reviews and comparison with best practices
Correct Answer: D
Question #47
Functional acknowledgements are used:
A. as an audit trail for EDI transactions
B. to functionally describe the IS department
C. to document user roles and responsibilities
D. as a functional description of application software
Correct Answer: A
Question #48
A TCP/IP-based environment is exposed to the Internet. Which of the following BEST ensures that complete encryption and authentication protocols exist for protecting information while transmitted?
A. Work is completed in tunnel mode with IP security using the nested services of authentication header (AH) and encapsulating security payload (ESP)
B. A digital signature with RSA has been implemented
C. Digital certificates with RSA are being used
D. Work is being completed in TCP services
Correct Answer: A
Question #49
Which of the following is used to evaluate biometric access controls?
A. FAR
B. EER
C. ERR
D. FRR
Correct Answer: B
Question #50
An accuracy measure for a biometric system is:
A. system response time
B. registration time
C. input file size
D. false-acceptance rate
Correct Answer: D
Question #51
When auditing a disaster recovery plan for a critical business area, an IS auditor finds that it does not cover all the systems. Which of the following is the MOST appropriate action for the IS auditor?
A. Alert management and evaluate the impact of not covering all systems
B. Cancel the audit
C. Complete the audit of the systems covered by the existing disaster recovery plan
D. Postpone the audit until the systems are added to the disaster recovery plan
Correct Answer: A
Question #52
The responsibilities of a disaster recovery relocation team include:
A. obtaining, packaging and shipping media and records to the recovery facilities, as well as establishing and overseeing an offsite storage schedule
B. locating a recovery site, if one has not been predetermined, and coordinating the transport of company employees to the recovery site
C. managing the relocation project and conducting a more detailed assessment of the damage to the facilities and equipment
D. coordinating the process of moving from the hot site to a new location or to the restored original location
Correct Answer: D
Question #53
Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems?
A. User management coordination does not exist
B. Specific user accountability cannot be established
C. Unauthorized users may have access to originate, modify or delete data
D. Audit recommendations may not be implemented
Correct Answer: C
Question #54
The feature of a digital signature that ensures the sender cannot later deny generating and sending the message is called:
A. data integrity
B. authentication
C. non repudiation
D. replay protection
Correct Answer: C
Question #55
An IS auditor can verify that an organization's business continuity plan (BCP) is effective by reviewing the:
A. alignment of the BCP with industry best practices
B. results of business continuity tests performed by IS and end-user personnel
C. off-site facility, its contents, security and environmental controls
D. annual financial cost of the BCP activities versus the expected benefit of implementation of the plan
Correct Answer: B
Question #56
Ensuring that security and control policies support business and IT objectives is a primary objective of:
A. An IT security policies audit
B. A processing audit
C. A software audit
D. A vulnerability assessment
Correct Answer: A
Question #57
Which of the following intrusion detection systems (IDSs) monitors the general patterns of activity and traffic on a network and creates a database?
A. Signature-based
B. Neural networks-based
Correct Answer: B
Question #58
Which of the following situations would increase the likelihood of fraud?
A. Application programmers are implementing changes to production programs
B. Application programmers are implementing changes to test programs
C. Operations support staff are implementing changes to batch schedules
D. Database administrators are implementing changes to data structures
Correct Answer: A
Question #59
To ensure an organization is complying with privacy requirements, an IS auditor should FIRST review:
A. the IT infrastructure
B. organizational policies, standards and procedures
C. legal and regulatory requirements
D. the adherence to organizational policies, standards and procedures
Correct Answer: C
Question #60
What is often the most difficult part of initial efforts in application development? Choose the BEST answer.
A. Configuring software
B. Planning security
C. Determining time and resource requirements
D. Configuring hardware
Correct Answer: C
Question #61
Due to changes in IT, the disaster recovery plan of a large organization has been changed. What is the PRIMARY risk if the new plan is not tested?
A. Catastrophic service interruption
B. High consumption of resources
C. Total cost of the recovery may not be minimized
D. Users and recovery teams may face severe difficulties when activating the plan
Correct Answer: A
Question #62
In a contract with a hot, warm or cold site, contractual provisions should cover which of the following considerations?
A. Physical security measures
B. Total number of subscribers
C. Number of subscribers permitted to use a site at one time
D. References by other users
Correct Answer: C
Question #63
An IS auditor should review the configuration of which of the following protocols to detect unauthorized mappings between the IP address and the media access control (MAC) address?
A. Simple Object Access Protocol (SOAP)
B. Address Resolution Protocol (ARP)
C. Routing Information Protocol (RIP)
D. Transmission Control Protocol (TCP)
Correct Answer: B
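Added example (not part of the SPOTO page): the review in Question #63 made concrete. The Python below parses two snapshots of a Linux neighbour table in the format printed by `ip neigh show` and flags the symptoms of an unauthorized IP-to-MAC mapping: an address whose MAC changed since the baseline, one MAC claiming several IP addresses (the classic gateway impersonation pattern), and any disagreement with a known-good list such as the static entry an administrator keeps for the default gateway. The snapshot lines, addresses and the known-good mapping are constructed for illustration.

```python
import re
from collections import defaultdict

# One line of `ip neigh show` output (Linux). Entries without an lladdr (FAILED, INCOMPLETE)
# carry no mapping and are skipped. Trailing flags such as "router" are tolerated.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?:\s|$)"
)


def parse_neigh(text: str) -> dict:
    """Return {ip: mac} from `ip neigh` output, MACs normalised to lower case."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip().lower())
        if m:
            table[m["ip"]] = m["mac"]
    return table


def arp_anomalies(baseline: dict, current: dict, authoritative: dict = None) -> list:
    """Flag mappings that changed, MACs claiming several IPs, and known-good mismatches."""
    findings = []
    for ip, mac in current.items():
        if ip in baseline and baseline[ip] != mac:
            findings.append(f"CHANGED {ip}: {baseline[ip]} -> {mac}")
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"SHARED {mac}: {', '.join(sorted(ips))}")
    for ip, mac in (authoritative or {}).items():
        if ip in current and current[ip] != mac:
            findings.append(f"AUTH-MISMATCH {ip}: expected {mac}, saw {current[ip]}")
    return sorted(findings)


# Constructed snapshots: the gateway 192.168.1.1 is legitimately 00:11:22:33:44:01; in the
# second snapshot host .30 has answered ARP for it as well.
BASELINE_SNAPSHOT = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.1.30 dev eth0 lladdr 00:11:22:33:44:30 REACHABLE
"""
CURRENT_SNAPSHOT = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:30 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.1.30 dev eth0 lladdr 00:11:22:33:44:30 REACHABLE
192.168.1.40 dev eth0  FAILED
"""
# Known-good mapping an administrator would keep (constructed).
AUTHORITATIVE = {"192.168.1.1": "00:11:22:33:44:01"}


if __name__ == "__main__":
    before = parse_neigh(BASELINE_SNAPSHOT)
    after = parse_neigh(CURRENT_SNAPSHOT)
    for finding in arp_anomalies(before, after, AUTHORITATIVE):
        print(finding)
```

The control the auditor should look for is static ARP entries or dynamic ARP inspection on the switch for critical hosts such as the gateway; the comparison above is the detective check that shows whether those controls held.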
Question #64
Which of the following presents an inherent risk with no distinct identifiable preventive controls?
A. Piggybacking
B. Viruses
C. Data diddling
D. Unauthorized application shutdown
Correct Answer: C
Question #65
Which of the following is a feature of an intrusion detection system (IDS)?
A. Gathering evidence on attack attempts
B. Identifying weaknesses in the policy definition
C. Blocking access to particular sites on the Internet
D. Preventing certain users from accessing specific servers
Correct Answer: A
Question #66
An IS auditor conducting an access control review in a client-server environment discovers that all printing options are accessible by all users. In this situation, the IS auditor is MOST likely to conclude that:
A. exposure is greater, since information is available to unauthorized users
B. operating efficiency is enhanced, since anyone can print any report at any time
C. operating procedures are more effective, since information is easily available
D. user friendliness and flexibility is facilitated, since there is a smooth flow of information among users
Correct Answer: A
Question #67
Which of the following aspects of symmetric key encryption influenced the development of asymmetric encryption?
A. Processing power
B. Volume of data
C. Key distribution
D. Complexity of the algorithm
Correct Answer: C
Question #68
Which of the following fire-suppression methods is considered to be the most environmentally friendly?
A. Halon gas
B. Deluge sprinklers
C. Dry-pipe sprinklers
D. Wet-pipe sprinklers
Correct Answer: D
Question #69
Which of the following techniques would BEST help an IS auditor gain reasonable assurance that a project can meet its target date?
A. Estimation of the actual end date based on the completion percentages and estimated time to complete, taken from status reports
B. Confirmation of the target date based on interviews with experienced managers and staff involved in the completion of the project deliverables
C. Extrapolation of the overall end date based on completed work packages and current resources
D. Calculation of the expected end date based on current resources and remaining available project budget
Correct Answer: C
Question #70
An IS auditor reviewing an organization's data file control procedures finds that transactions are applied to the most current files, while restart procedures use earlier versions. The IS auditor should recommend the implementation of:
A. source documentation retention
B. data file security
C. version usage control
D. one-for-one checking
Correct Answer: C
Question #71
Which of the following is the MOST secure and economical method for connecting a private network over the Internet in a small- to medium-sized organization?
A. Virtual private network
B. Dedicated line
C. Leased line
D. Integrated services digital network
Correct Answer: A
Question #73
The waterfall life cycle model of software development is most appropriately used when:
A. requirements are well understood and are expected to remain stable, as is the business environment in which the system will operate
B. requirements are well understood and the project is subject to time pressure
C. the project intends to apply an object-oriented design and programming approach
D. the project will involve the use of new technology
Correct Answer: A
Question #74
The majority of software vulnerabilities result from a few known kinds of coding defects, such as (choose all that apply):
A. buffer overflows
B. format string vulnerabilities
C. integer overflow
D. code injection
E. command injection
F. None of the choices
Correct Answer: A, B, C, D, E
Question #75
Which of the following should an IS auditor review to gain an understanding of the effectiveness of controls over the management of multiple projects?
A. Project database
B. Policy documents
C. Project portfolio database
D. Program organization
Correct Answer: C
Question #76
Which of the following antivirus software implementation strategies would be the MOST effective in an interconnected corporate network?
A. Server antivirus software
B. Virus walls
C. Workstation antivirus software
D. Virus signature updating
Correct Answer: B
Question #77
During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that:
A. assessment of the situation may be delayed
B. execution of the disaster recovery plan could be impacted
C. notification of the teams might not occur
D. potential crisis recognition might be ineffective
Correct Answer: B
