New Year Special 60% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: bestdeal

Free Isaca CISA Practice Exam with Questions & Answers

Questions 1

Which of the following would BEST demonstrate that an effective disaster recovery plan (DRP) is in place?

Options:
A.

Frequent testing of backups

B.

Annual walk-through testing

C.

Periodic risk assessment

D.

Full operational test

Isaca CISA Premium Access
Questions 2

Which of the following is MOST important to ensure when planning a black box penetration test?

Options:
A.

The management of the client organization is aware of the testing.

B.

The test results will be documented and communicated to management.

C.

The environment and penetration test scope have been determined.

D.

Diagrams of the organization's network architecture are available.

Questions 3

When implementing Internet Protocol security (IPsec) architecture, the servers involved in application delivery:

Options:
A.

communicate via Transport Layer Security (TLS),

B.

block authorized users from unauthorized activities.

C.

channel access only through the public-facing firewall.

D.

channel access through authentication.

Questions 4

Which of the following should be the PRIMARY basis for prioritizing follow-up audits?

Options:
A.

Audit cycle defined in the audit plan

B.

Complexity of management's action plans

C.

Recommendation from executive management

D.

Residual risk from the findings of previous audits

Questions 5

Which of the following should be an IS auditor's GREATEST consideration when scheduling follow-up activities for agreed-upon management responses to remediate audit observations?

Options:
A.

Business interruption due to remediation

B.

IT budgeting constraints

C.

Availability of responsible IT personnel

D.

Risk rating of original findings

Questions 6

During the discussion of a draft audit report. IT management provided suitable evidence fiat a process has been implemented for a control that had been concluded by the IS auditor as Ineffective. Which of the following is the auditor's BEST action?

Options:
A.

Explain to IT management that the new control will be evaluated during follow-up

B.

Re-perform the audit before changing the conclusion.

C.

Change the conclusion based on evidence provided by IT management.

D.

Add comments about the action taken by IT management in the report.

Questions 7

Which of the following provides the MOST reliable audit evidence on the validity of transactions in a financial application?

Options:
A.

Walk-through reviews

B.

Substantive testing

C.

Compliance testing

D.

Design documentation reviews

Questions 8

Which of the following is the MOST effective control for protecting the confidentiality and integrity of data stored unencrypted on virtual machines?

Options:
A.

Monitor access to stored images and snapshots of virtual machines.

B.

Restrict access to images and snapshots of virtual machines.

C.

Limit creation of virtual machine images and snapshots.

D.

Review logical access controls on virtual machines regularly.

Questions 9

The decision to accept an IT control risk related to data quality should be the responsibility of the:

Options:
A.

information security team.

B.

IS audit manager.

C.

chief information officer (CIO).

D.

business owner.

Questions 10

Which of the following would be an IS auditor's GREATEST concern when reviewing the early stages of a software development project?

Options:
A.

The lack of technical documentation to support the program code

B.

The lack of completion of all requirements at the end of each sprint

C.

The lack of acceptance criteria behind user requirements.

D.

The lack of a detailed unit and system test plan

Questions 11

Which of the following is the BEST compensating control when segregation of duties is lacking in a small IS department?

Options:
A.

Background checks

B.

User awareness training

C.

Transaction log review

D.

Mandatory holidays

Questions 12

What is the BEST control to address SQL injection vulnerabilities?

Options:
A.

Unicode translation

B.

Secure Sockets Layer (SSL) encryption

C.

Input validation

D.

Digital signatures

Questions 13

Which of the following should be GREATEST concern to an IS auditor reviewing data conversion and migration during the implementation of a new application system?

Options:
A.

Data conversion was performed using manual processes.

B.

Backups of the old system and data are not available online.

C.

Unauthorized data modifications occurred during conversion.

D.

The change management process was not formally documented

Questions 14

Which of the following should be the MOST important consideration when conducting a review of IT portfolio management?

Options:
A.

Assignment of responsibility for each project to an IT team member

B.

Adherence to best practice and industry approved methodologies

C.

Controls to minimize risk and maximize value for the IT portfolio

D.

Frequency of meetings where the business discusses the IT portfolio

Questions 15

An IT balanced scorecard is the MOST effective means of monitoring:

Options:
A.

governance of enterprise IT.

B.

control effectiveness.

C.

return on investment (ROI).

D.

change management effectiveness.

Questions 16

Which of the following is a social engineering attack method?

Options:
A.

An unauthorized person attempts to gam access to secure premises by following an authonzed person through a secure door.

B.

An employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone.

C.

A hacker walks around an office building using scanning tools to search for a wireless network to gain access.

D.

An intruder eavesdrops and collects sensitive information flowing through the network and sells it to third parties.

Questions 17

An IS auditor is reviewing an organization's information asset management process. Which of the following would be of GREATEST concern to the auditor?

Options:
A.

The process does not require specifying the physical locations of assets.

B.

Process ownership has not been established.

C.

The process does not include asset review.

D.

Identification of asset value is not included in the process.

Questions 18

During the design phase of a software development project, the PRIMARY responsibility of an IS auditor is to evaluate the:

Options:
A.

Future compatibility of the application.

B.

Proposed functionality of the application.

C.

Controls incorporated into the system specifications.

D.

Development methodology employed.

Questions 19

An IS auditor suspects an organization's computer may have been used to commit a crime. Which of the following is the auditor's BEST course of action?

Options:
A.

Examine the computer to search for evidence supporting the suspicions.

B.

Advise management of the crime after the investigation.

C.

Contact the incident response team to conduct an investigation.

D.

Notify local law enforcement of the potential crime before further investigation.

Questions 20

Which of the following strategies BEST optimizes data storage without compromising data retention practices?

Options:
A.

Limiting the size of file attachments being sent via email

B.

Automatically deleting emails older than one year

C.

Moving emails to a virtual email vault after 30 days

D.

Allowing employees to store large emails on flash drives

Questions 21

An organization's enterprise architecture (EA) department decides to change a legacy system's components while maintaining its original functionality. Which of the following is MOST important for an IS auditor to understand when reviewing this decision?

Options:
A.

The current business capabilities delivered by the legacy system

B.

The proposed network topology to be used by the redesigned system

C.

The data flows between the components to be used by the redesigned system

D.

The database entity relationships within the legacy system

Questions 22

Which of the following is the GREATEST concern associated with a high number of IT policy exceptions approved by management?

Options:
A.

The exceptions are likely to continue indefinitely.

B.

The exceptions may result in noncompliance.

C.

The exceptions may elevate the level of operational risk.

D.

The exceptions may negatively impact process efficiency.

Questions 23

An IS auditor is following up on prior period items and finds management did not address an audit finding. Which of the following should be the IS auditor's NEXT course of action?

Options:
A.

Note the exception in a new report as the item was not addressed by management.

B.

Recommend alternative solutions to address the repeat finding.

C.

Conduct a risk assessment of the repeat finding.

D.

Interview management to determine why the finding was not addressed.

Questions 24

Which of the following fire suppression systems needs to be combined with an automatic switch to shut down the electricity supply in the event of activation?

Options:
A.

Carbon dioxide

B.

FM-200

C.

Dry pipe

D.

Halon

Questions 25

An IS auditor finds the log management system is overwhelmed with false positive alerts. The auditor's BEST recommendation would be to:

Options:
A.

establish criteria for reviewing alerts.

B.

recruit more monitoring personnel.

C.

reduce the firewall rules.

D.

fine tune the intrusion detection system (IDS).

Questions 26

Which of the following components of a risk assessment is MOST helpful to management in determining the level of risk mitigation to apply?

Options:
A.

Risk identification

B.

Risk classification

C.

Control self-assessment (CSA)

D.

Impact assessment

Questions 27

Which of the following MOST effectively minimizes downtime during system conversions?

Options:
A.

Phased approach

B.

Direct cutover

C.

Pilot study

D.

Parallel run

Questions 28

Secure code reviews as part of a continuous deployment program are which type of control?

Options:
A.

Detective

B.

Logical

C.

Preventive

D.

Corrective

Questions 29

An organization's software developers need access to personally identifiable information (Pll) stored in a particular data format. Which of the following is the BEST way to protect this sensitive information while allowing the developers to use it in development and test environments?

Options:
A.

Data masking

B.

Data tokenization

C.

Data encryption

D.

Data abstraction

Questions 30

The PRIMARY advantage of object-oriented technology is enhanced:

Options:
A.

efficiency due to the re-use of elements of logic.

B.

management of sequential program execution for data access.

C.

grouping of objects into methods for data access.

D.

management of a restricted variety of data types for a data object.

Questions 31

The PRIMARY benefit lo using a dry-pipe fire-suppression system rather than a wet-pipe system is that a dry-pipe system:

Options:
A.

is more effective at suppressing flames.

B.

allows more time to abort release of the suppressant.

C.

has a decreased risk of leakage.

D.

disperses dry chemical suppressants exclusively.

Questions 32

An IS auditor has been asked to assess the security of a recently migrated database system that contains personal and financial data for a bank's customers. Which of the following controls is MOST important for the auditor to confirm is in place?

Options:
A.

The default configurations have been changed.

B.

All tables in the database are normalized.

C.

The service port used by the database server has been changed.

D.

The default administration account is used after changing the account password.

Questions 33

An IS auditor is evaluating an organization's IT strategy and plans. Which of the following would be of GREATEST concern?

Options:
A.

There is not a defined IT security policy.

B.

The business strategy meeting minutes are not distributed.

C.

IT is not engaged in business strategic planning.

D.

There is inadequate documentation of IT strategic planning.

Questions 34

When an intrusion into an organization network is deleted, which of the following should be done FIRST?

Options:
A.

Block all compromised network nodes.

B.

Contact law enforcement.

C.

Notify senior management.

D.

Identity nodes that have been compromised.

Questions 35

Which of the following is the BEST detective control for a job scheduling process involving data transmission?

Options:
A.

Metrics denoting the volume of monthly job failures are reported and reviewed by senior management.

B.

Jobs are scheduled to be completed daily and data is transmitted using a Secure File Transfer Protocol (SFTP).

C.

Jobs are scheduled and a log of this activity is retained for subsequent review.

D.

Job failure alerts are automatically generated and routed to support personnel.

Questions 36

During a disaster recovery audit, an IS auditor finds that a business impact analysis (BIA) has not been performed. The auditor should FIRST

Options:
A.

perform a business impact analysis (BIA).

B.

issue an intermediate report to management.

C.

evaluate the impact on current disaster recovery capability.

D.

conduct additional compliance testing.

Questions 37

An organizations audit charier PRIMARILY:

Options:
A.

describes the auditors' authority to conduct audits.

B.

defines the auditors' code of conduct.

C.

formally records the annual and quarterly audit plans.

D.

documents the audit process and reporting standards.

Questions 38

Which of the following is the BEST control to mitigate the malware risk associated with an instant messaging (IM) system?

Options:
A.

Blocking attachments in IM

B.

Blocking external IM traffic

C.

Allowing only corporate IM solutions

D.

Encrypting IM traffic

Questions 39

An incorrect version of the source code was amended by a development team. This MOST likely indicates a weakness in:

Options:
A.

incident management.

B.

quality assurance (QA).

C.

change management.

D.

project management.

Questions 40

Which of the following should be an IS auditor's PRIMARY focus when developing a risk-based IS audit program?

Options:
A.

Portfolio management

B.

Business plans

C.

Business processes

D.

IT strategic plans

Questions 41

During an incident management audit, an IS auditor finds that several similar incidents were logged during the audit period. Which of the following is the auditor's MOST important course of action?

Options:
A.

Document the finding and present it to management.

B.

Determine if a root cause analysis was conducted.

C.

Confirm the resolution time of the incidents.

D.

Validate whether all incidents have been actioned.

Questions 42

Coding standards provide which of the following?

Options:
A.

Program documentation

B.

Access control tables

C.

Data flow diagrams

D.

Field naming conventions

Questions 43

Which of the following is MOST important to include in forensic data collection and preservation procedures?

Options:
A.

Assuring the physical security of devices

B.

Preserving data integrity

C.

Maintaining chain of custody

D.

Determining tools to be used

Questions 44

An IS auditor finds that a key Internet-facing system is vulnerable to attack and that patches are not available. What should the auditor recommend be done FIRST?

Options:
A.

Implement a new system that can be patched.

B.

Implement additional firewalls to protect the system.

C.

Decommission the server.

D.

Evaluate the associated risk.

Questions 45

Which of the following is the PRIMARY reason for an IS auditor to conduct post-implementation reviews?

Options:
A.

To determine whether project objectives in the business case have been achieved

B.

To ensure key stakeholder sign-off has been obtained

C.

To align project objectives with business needs

D.

To document lessons learned to improve future project delivery

Questions 46

During the implementation of an upgraded enterprise resource planning (ERP) system, which of the following is the MOST important consideration for a go-live decision?

Options:
A.

Rollback strategy

B.

Test cases

C.

Post-implementation review objectives

D.

Business case

Questions 47

In a small IT web development company where developers must have write access to production, the BEST recommendation of an IS auditor would be to:

Options:
A.

hire another person to perform migration to production.

B.

implement continuous monitoring controls.

C.

remove production access from the developers.

D.

perform a user access review for the development team

Questions 48

Which of the following is the BEST source of information for assessing the effectiveness of IT process monitoring?

Options:
A.

Real-time audit software

B.

Performance data

C.

Quality assurance (QA) reviews

D.

Participative management techniques

Questions 49

Which of the following is an audit reviewer's PRIMARY role with regard to evidence?

Options:
A.

Ensuring unauthorized individuals do not tamper with evidence after it has been captured

B.

Ensuring evidence is sufficient to support audit conclusions

C.

Ensuring appropriate statistical sampling methods were used

D.

Ensuring evidence is labeled to show it was obtained from an approved source

Questions 50

An IS auditor is conducting a post-implementation review of an enterprise resource planning (ERP) system. End users indicated concerns with the accuracy of critical automatic calculations made by the system. The auditor's FIRST course of action should be to:

Options:
A.

review recent changes to the system.

B.

verify completeness of user acceptance testing (UAT).

C.

verify results to determine validity of user concerns.

D.

review initial business requirements.

Exam Code: CISA
Certification Provider: Isaca
Exam Name: Certified Information Systems Auditor
Last Update: Feb 11, 2025
Questions: 1338

Isaca Related Exams

How to pass Isaca CISM - Certified Information Security Manager Exam
How to pass Isaca CRISC - Certified in Risk and Information Systems Control Exam
How to pass Isaca CGEIT - Certified in the Governance of Enterprise IT Exam Exam
How to pass Isaca COBIT5 - COBIT 5 Foundation Exam Exam
How to pass Isaca CDPSE - Certified Data Privacy Solutions Engineer Exam
How to pass Isaca COBIT-2019 - COBIT 2019 Foundation Exam
How to pass Isaca NIST-COBIT-2019 - ISACA Implementing the NIST Cybersecurity Framework using COBIT 2019 Exam

Isaca Free Exams

Isaca Free Exams
Examstrack offers comprehensive free resources and practice tests for Isaca exams.