Certified Information Systems Auditor
Last Update Jan 26, 2025
Total Questions : 1277
When reviewing a business case for a proposed implementation of a third-party system, which of the following should be an IS auditor's GREATEST concern?
During audit planning, the IS audit manager is considering whether to budget for audits of entities regarded by the business as having low risk. Which of the following is the BEST course of action in this situation?
Which of the following is the BEST indication of effective governance over IT infrastructure?
An IS auditor discovers that validation controls in a web application have been moved from the server side into the browser to boost performance. This would MOST likely increase the risk of a successful attack by:
An IS auditor has been asked to advise on measures to improve IT governance within the organization. Which of the following IS the BEST recommendation?
Which of the following is the MOST important prerequisite for implementing a data loss prevention (DLP) tool?
Aligning IT strategy with business strategy PRIMARILY helps an organization to:
During an external review, an IS auditor observes an inconsistent approach in classifying system criticality within the organization. Which of the following should be recommended as the PRIMARY factor to determine system criticality?
An IS auditor is reviewing a client's outsourced payroll system to assess whether the financial audit team can rely on the application. Which of the following findings would be the auditor's GREATEST concern?
What is the PRIMARY reason for an organization to classify the data stored on its internal networks?
Which of the following is the PRIMARY reason for an IS auditor to perform a risk assessment?
Which of the following is the MOST significant impact to an organization that does not use an IT governance framework?
Compared to developing a system in-house, acquiring a software package means that the need for testing by end users is:
Which of the following is the PRIMARY basis on which audit objectives are established?
Which of the following biometric access controls has the HIGHEST rate of false negatives?
Which of the following provides the BEST method for maintaining the security of corporate applications pushed to employee-owned mobile devices?
Which of the following would provide management with the MOST reasonable assurance that a new data warehouse will meet the needs of the organization?
If a source code is not recompiled when program changes are implemented, which of the following is a compensating control to ensure synchronization of source and object?
An IT strategic plan that BEST leverages IT in achieving organizational goals will include:
Which of the following is MOST important to ensure when developing an effective security awareness program?
Which of the following findings from a database security audit presents the GREATEST risk of critical security exposures?
Which of the following provides the GREATEST assurance that a middleware application compiling data from multiple sales transaction databases for forecasting is operating effectively?
To ensure confidentiality through the use of asymmetric encryption, a message is encrypted with which of the following?
Which of the following should be the FIRST step in a data migration project?
An IS auditor found that a company executive is encouraging employee use of social networking sites for business purposes. Which of the following recommendations would BEST help to reduce the risk of data leakage?
Which of the following is MOST critical to the success of an information security program?
An IS auditor is providing input to an RFP to acquire a financial application system. Which of the following is MOST important for the auditor to recommend?
An IS auditor should look for which of the following to ensure the risk associated with scope creep has been mitigated during software development?
Which of the following is the MOST effective control over visitor access to highly secured areas?
In an environment where data virtualization is used, which of the following provides the BEST disaster recovery solution?
Which of the following should be done FIRST when planning to conduct internal and external penetration testing for a client?
An organization plans to replace its nightly batch processing backup to magnetic tape with real-time replication to a second data center. Which of the following is the GREATEST risk associated with this change?
Which of the following statements appearing in an organization's acceptable use policy BEST demonstrates alignment with data classification standards related to the protection of information assets?
In a high-volume, real-time system, the MOST effective technique by which to continuously monitor and analyze transaction processing is:
An IS auditor is conducting a physical security audit of a healthcare facility and finds closed-circuit television (CCTV) systems located in a patient care area. Which of the following is the GREATEST concern?
Which of the following is the BEST sampling method to use when relatively few errors are expected to be found in a population?
An IS auditor is reviewing a contract for the outsourcing of IT facilities. If missing, which of the following should present the GREATEST concern to the auditor?
A global organization's policy states that all workstations must be scanned for malware each day. Which of the following would provide an IS auditor with the BEST evidence of continuous compliance with this policy?
Which of the following is the MAIN risk associated with adding a new system functionality during the development phase without following a project change management process?
Which of the following is BEST used for detailed testing of a business application's data and configuration files?
Which of the following is MOST likely to be a project deliverable of an agile software development methodology?
When planning an internal penetration test, which of the following is the MOST important step prior to finalizing the scope of testing?
Which of the following should an IS auditor be MOST concerned with when a system uses RFID?
Which of the following demonstrates the use of data analytics for a loan origination process?
An incorrect version of the source code was amended by a development team. This MOST likely indicates a weakness in:
During an ongoing audit, management requests a briefing on the findings to date. Which of the following is the IS auditor's BEST course of action?
Which of the following should be an IS auditor's PRIMARY focus when developing a risk-based IS audit program?
Which of the following access rights presents the GREATEST risk when granted to a new member of the system development staff?
Which of the following should an IS auditor recommend as a PRIMARY area of focus when an organization decides to outsource technical support for its external customers?
Which of the following data would be used when performing a business impact analysis (BIA)?
When reviewing an organization's information security policies, an IS auditor should verify that the policies have been defined PRIMARILY on the basis of:
During the evaluation of controls over a major application development project, the MOST effective use of an IS auditor's time would be to review and evaluate:
Malicious program code was found in an application and corrected prior to release into production. After the release, the same issue was reported. Which of the following is the IS auditor's BEST recommendation?
Which of the following documents would be MOST useful in detecting a weakness in segregation of duties?
An IS auditor is planning an audit of an organization's accounts payable processes. Which of the following controls is MOST important to assess in the audit?
Which of the following is MOST important for an IS auditor to review when evaluating the accuracy of a spreadsheet that contains several macros?
Which of the following is the BEST detective control for a job scheduling process involving data transmission?
When implementing Internet Protocol security (IPsec) architecture, the servers involved in application delivery:
The PRIMARY benefit to using a dry-pipe fire-suppression system rather than a wet-pipe system is that a dry-pipe system:
Which of the following is the BEST method to safeguard data on an organization's laptop computers?
An IS auditor is examining a front-end subledger and a main ledger. Which of the following would be the GREATEST concern if there are flaws in the mapping of accounts between the two systems?
Which of the following is the PRIMARY concern when negotiating a contract for a hot site?
Spreadsheets are used to calculate project cost estimates. Totals for each cost category are then keyed into the job-costing system. What is the BEST control to ensure that data is accurately entered into the system?
Prior to a follow-up engagement, an IS auditor learns that management has decided to accept a level of residual risk related to an audit finding without remediation. The IS auditor is concerned about management's decision. Which of the following should be the IS auditor's NEXT course of action?
Secure code reviews as part of a continuous deployment program are which type of control?
Which of the following attack techniques will succeed because of an inherent security weakness in an Internet firewall?
Which of the following is an audit reviewer's PRIMARY role with regard to evidence?
An organization allows employees to retain confidential data on personal mobile devices. Which of the following is the BEST recommendation to mitigate the risk of data leakage from lost or stolen devices?
Which of the following would BEST demonstrate that an effective disaster recovery plan (DRP) is in place?
An IS auditor is conducting a post-implementation review of an enterprise resource planning (ERP) system. End users indicated concerns with the accuracy of critical automatic calculations made by the system. The auditor's FIRST course of action should be to:
Which of the following is the BEST compensating control when segregation of duties is lacking in a small IS department?
Which of the following is the MOST effective control to mitigate unintentional misuse of authorized access?
Which of the following is the PRIMARY advantage of parallel processing for a new system implementation?
Which of the following is the BEST method to prevent wire transfer fraud by bank employees?
What is BEST for an IS auditor to review when assessing the effectiveness of changes recently made to processes and tools related to an organization's business continuity plan (BCP)?
Which of the following should be the MOST important consideration when conducting a review of IT portfolio management?
From an IS auditor's perspective, which of the following would be the GREATEST risk associated with an incomplete inventory of deployed software in an organization?
Which of the following is the BEST source of information for assessing the effectiveness of IT process monitoring?
Which of the following should an IS auditor be MOST concerned with during a post-implementation review?
Which of the following is the BEST justification for deferring remediation testing until the next audit?
Which of the following would be an IS auditor's GREATEST concern when reviewing the early stages of a software development project?
An IS auditor is following up on prior period items and finds management did not address an audit finding. Which of the following should be the IS auditor's NEXT course of action?
Which of the following is the BEST way to determine whether a test of a disaster recovery plan (DRP) was successful?
Which of the following MOST effectively minimizes downtime during system conversions?
Which of the following is the MOST important reason to implement version control for an end-user computing (EUC) application?
An IS auditor suspects an organization's computer may have been used to commit a crime. Which of the following is the auditor's BEST course of action?
Which of the following is MOST important for an effective control self-assessment (CSA) program?
When determining whether a project in the design phase will meet organizational objectives, what is BEST to compare against the business case?
Which of the following is the MOST effective control for protecting the confidentiality and integrity of data stored unencrypted on virtual machines?
Which of the following would BEST determine whether a post-implementation review (PIR) performed by the project management office (PMO) was effective?
A system administrator recently informed the IS auditor about the occurrence of several unsuccessful intrusion attempts from outside the organization. Which of the following is MOST effective in detecting such an intrusion?
Which of the following BEST indicates the effectiveness of an organization's risk management program?
Which of the following fire suppression systems needs to be combined with an automatic switch to shut down the electricity supply in the event of activation?
Which of the following is the MOST important benefit of involving IS audit when implementing governance of enterprise IT?
Which of the following is an executive management concern that could be addressed by the implementation of a security metrics dashboard?
An online retailer is receiving customer complaints about receiving different items from what they ordered on the organization's website. The root cause has been traced to poor data quality. Despite efforts to clean erroneous data from the system, multiple data quality issues continue to occur. Which of the following recommendations would be the BEST way to reduce the likelihood of future occurrences?
An IS auditor is reviewing an organization's information asset management process. Which of the following would be of GREATEST concern to the auditor?
Which of the following is the GREATEST concern associated with a high number of IT policy exceptions approved by management?
Which of the following strategies BEST optimizes data storage without compromising data retention practices?
The business case for an information system investment should be available for review until the:
A new regulation requires organizations to report significant security incidents to the regulator within 24 hours of identification. Which of the following is the IS auditor's BEST recommendation to facilitate compliance with the regulation?
Which of the following is the GREATEST benefit of adopting an Agile audit methodology?
Which of the following should be the PRIMARY focus when communicating an IS audit issue to management?
A security review focused on data loss prevention (DLP) revealed the organization has no visibility to data stored in the cloud. What is the IS auditor's BEST recommendation to address this issue?
Which of the following findings related to segregation of duties should be of GREATEST concern to an IS auditor?
Which of the following staff should an IS auditor interview FIRST to obtain a general overview of the various technologies used across different programs?
Which of the following presents the GREATEST risk to an organization's ability to manage quality control (QC) processes?
An organization is establishing a steering committee for the implementation of a new enterprise resource planning (ERP) system that uses Agile project management methodology. What is the MOST important criterion for the makeup of this committee?
An organization's information security policies should be developed PRIMARILY on the basis of:
When an intrusion into an organization's network is detected, which of the following should be done FIRST?
What should be an IS auditor's PRIMARY focus when reviewing a patch management procedure in an environment where availability is a top priority?
During an IS audit of a data center, it was found that programmers are allowed to make emergency fixes to operational programs. Which of the following should be the IS auditor's PRIMARY recommendation?
An IS auditor is reviewing a data conversion project. Which of the following is the auditor's BEST recommendation prior to go-live?
During an audit of payment services of a branch based in a foreign country, a large global bank's audit team identifies an opportunity to use data analytics techniques to identify abnormal payments. Which of the following is the team's MOST important course of action?
An IS auditor is reviewing a machine learning model that predicts the likelihood that a user will watch a certain movie. Which of the following would be of GREATEST concern to the auditor?
Which of the following practices associated with capacity planning provides the GREATEST assurance that future incidents related to existing server performance will be prevented?
Which of the following is the PRIMARY purpose of a rollback plan for a system change?
An IS auditor observes that a business-critical application does not currently have any level of fault tolerance. Which of the following is the GREATEST concern with this situation?
An IS auditor has been asked to review an event log aggregation system to ensure risk management practices have been applied. Which of the following should be of MOST concern to the auditor?
A sample for testing must include the 80 largest client balances and a random sample of the rest. What should the IS auditor recommend?
An IS auditor reviewing the system development life cycle (SDLC) finds there is no requirement for business cases. Which of the following should be of GREATEST concern to the organization?
Which type of review is MOST important to conduct when an IS auditor is informed that a recent internal exploitation of a bug has been discovered in a business application?
Which of the following is an IS auditor's BEST recommendation to mitigate the risk of eavesdropping associated with an application programming interface (API) integration implementation?
Which of the following technology trends can lead to more robust data loss prevention (DLP) tools?
Which of the following is the MOST appropriate responsibility of an IS auditor involved in a data center renovation project?
Following a merger, a review of an international organization determines the IT steering committee's decisions do not extend to regional offices as required in the consolidated IT operating model. Which of the following is the IS auditor's BEST recommendation?
An IS auditor is reviewing database fields updated in real-time and displayed through other applications in multiple organizational functions. When validating business approval for these various use cases, which of the following sources of information would be the BEST starting point?
Which of the following is a PRIMARY function of an intrusion detection system (IDS)?
Which of the following BEST enables an IS auditor to confirm the batch processing to post transactions from an input source is successful?
An IS auditor is supporting a forensic investigation. An image of affected storage media has been captured while collecting digital forensic evidence. Which of the following techniques would BEST enable an IS auditor to verify that the captured image is an exact, unchanged replica of the original media?
Which of the following is MOST important to the effectiveness of smoke detectors installed in a data processing facility?
External audits have identified recurring exceptions in the user termination process, despite similar internal audits having reported no exceptions in the past. Which of the following is the IS auditor's BEST course of action to improve the internal audit process in the future?
Which of the following tasks would cause the GREATEST segregation of duties (SoD) concern if performed by the person who reconciles the organization's device inventory?
Data from a system of sensors located outside of a network is received by the open ports on a server. Which of the following is the BEST way to ensure the integrity of the data being collected from the sensor system?
A steering committee established to oversee an organization's digital transformation program is MOST likely to be involved with which of the following activities?
Which of the following controls helps to ensure that data extraction queries run by the database administrator (DBA) are monitored?
The waterfall life cycle model of software development is BEST suited for which of the following situations?
The PRIMARY reason to assign data ownership for protection of data is to establish:
Which of the following non-audit activities may impair an IS auditor's independence and objectivity?
An IS audit team is evaluating documentation of the most recent application user access review. It is determined that the user list was not system generated. Which of the following should be of MOST concern?
Which of the following roles is PRIMARILY responsible for mitigating the risk of benefits not being realized in an IT project?
Which of the following should be done FIRST when creating a data protection program?
During a follow-up engagement, an IS auditor confirms evidence of a problem that was not an issue in the original audit. Which of the following is the auditor's BEST course of action?
Which of the following should be an IS auditor's PRIMARY consideration when determining which issues to include in an audit report?
An IS auditor learns that a business owner violated the organization's security policy by creating a web page with access to production data. The auditor's NEXT step should be to:
The process of applying a hash function to a message and obtaining and ciphering a digest refers to:
Which of the following is MOST important when defining the IS audit scope?
When building or upgrading enterprise cryptographic infrastructure, which of the following is the MOST critical requirement for growing business environments?
Which type of control has been established when an organization implements a security information and event management (SIEM) system?
Which of the following is the PRIMARY reason for using a digital signature?
An incident response team has been notified of a virus outbreak in a network subnet. Which of the following should be the NEXT step?
Which of the following is the PRIMARY benefit of monitoring IT operational logs?
Which of the following is the GREATEST impact as a result of the ongoing deterioration of a detective control?
Which of the following should be the GREATEST concern to an IS auditor reviewing an organization's job scheduling practices?
Which of the following BEST indicates to an IS auditor that an organization handles emergency changes appropriately and transparently?
A senior IS auditor suspects that a PC may have been used to perpetrate fraud in a finance department. The auditor should FIRST report this suspicion to:
Which of the following is the BEST disposal method for flash drives that previously stored confidential data?
Which of the following will provide the GREATEST assurance to IT management that a quality management system (QMS) is effective?
Which of the following is the BEST indicator that a third-party vendor adheres to the controls required by the organization?
Which of the following features of a library control software package would protect against unauthorized updating of source code?
Which of the following would be of GREATEST concern when reviewing an organization's security information and event management (SIEM) solution?
Which of the following is necessary for effective risk management in IT governance?
An IS auditor assessing the controls within a newly implemented call center would FIRST
An IS auditor discovers that an IT organization serving several business units assigns equal priority to all initiatives, creating a risk of delays in securing project funding. Which of the following would be MOST helpful in matching demand for projects and services with available resources in a way that supports business objectives?
Which of the following would be MOST effective to protect information assets in a data center from theft by a vendor?
A post-implementation review was conducted by issuing a survey to users. Which of the following should be of GREATEST concern to an IS auditor?
A review of Internet security disclosed that users have individual user accounts with Internet service providers (ISPs) and use these accounts for downloading business data. The organization wants to ensure that only the corporate network is used. The organization should FIRST:
Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization's information security policy?
An organization allows its employees to use personal mobile devices for work. Which of the following would BEST maintain information security without compromising employee privacy?
Which of the following should be the FIRST step in the incident response process for a suspected breach?
Which of the following is MOST important to determine during the planning phase of a cloud-based messaging and collaboration platform acquisition?
What should an IS auditor do FIRST when management responses to an in-person internal control questionnaire indicate a key internal control is no longer effective?
Which of the following is MOST important to ensure that electronic evidence collected during a forensic investigation will be admissible in future legal proceedings?
A credit card company has decided to outsource the printing of customer statements. It is MOST important for the company to verify whether:
What should an IS auditor do FIRST upon discovering that a service provider did not notify its customers of a security breach?
When reviewing a data classification scheme, it is MOST important for an IS auditor to determine if:
What would be an IS auditor's BEST recommendation upon finding that a third-party IT service provider hosts the organization's human resources (HR) system in a foreign country?
During a follow-up audit, an IS auditor finds that some critical recommendations have the IS auditor's BEST course of action?
Which of the following is the MOST effective way for an organization to help ensure agreed-upon action plans from an IS audit will be implemented?
An IS auditor finds that one employee has unauthorized access to confidential data. The IS auditor's BEST recommendation should be to:
Which of the following would BEST ensure that a backup copy is available for restoration of mission-critical data after a disaster?
Which of the following should an IS auditor expect to see in a network vulnerability assessment?
A review of an organization's IT portfolio revealed several applications that are not in use. The BEST way to prevent this situation from recurring would be to implement:
What is the GREATEST concern for an IS auditor reviewing contracts for licensed software that executes a critical business process?
Which of the following is the GREATEST risk of using a reciprocal site for disaster recovery?
Which of the following is the BEST way to ensure that business continuity plans (BCPs) will work effectively in the event of a major disaster?
Which task should an IS auditor complete FIRST during the preliminary planning phase of a database security review?
In response to an audit finding regarding a payroll application, management implemented a new automated control. Which of the following would be MOST helpful to the IS auditor when evaluating the effectiveness of the new control?
When verifying the accuracy and completeness of migrated data for a new application system replacing a legacy system, it is MOST effective for an IS auditor to review:
Which of the following will BEST ensure that a proper cutoff has been established to reinstate transactions and records to their condition just prior to a computer system failure?
Which of the following would BEST enable an organization to address the security risks associated with a recently implemented bring your own device (BYOD) strategy?
Which of the following is the PRIMARY advantage of using virtualization technology for corporate applications?
Which of the following BEST facilitates the legal process in the event of an incident?
Which of the following should be of GREATEST concern for an IS auditor reviewing an organization's disaster recovery plan (DRP)?
An IS auditor is reviewing the installation of a new server. The IS auditor's PRIMARY objective is to ensure that:
Which of the following should be the IS auditor's PRIMARY focus when evaluating an organization's offsite storage facility?
An IS auditor plans to review all access attempts to a video-monitored and proximity card-controlled communications room. Which of the following would be MOST useful to the auditor?
Which of the following is the BEST way to enforce the principle of least privilege on a server containing data with different security classifications?
During an audit of an organization's risk management practices, an IS auditor finds several documented IT risk acceptances have not been renewed in a timely manner after the assigned expiration date. When assessing the severity of this finding, which mitigating factor would MOST significantly minimize the associated impact?
Which of the following would MOST effectively help to reduce the number of repeated incidents in an organization?
Which of the following is MOST important for an IS auditor to look for in a project feasibility study?
Management receives information indicating a high level of risk associated with potential flooding near the organization's data center within the next few years. As a result, a decision has been made to move data center operations to another facility on higher ground. Which approach has been adopted?
An audit identified that a computer system is not assigning sequential purchase order numbers to order requests. The IS auditor is conducting an audit follow-up to determine if management has resolved this finding. Which of the following is the MOST reliable follow-up procedure?
An IS auditor reviewing the threat assessment for a data center would be MOST concerned if:
What is the PRIMARY purpose of documenting audit objectives when preparing for an engagement?
Which of the following types of environmental equipment will MOST likely be deployed below the floor tiles of a data center?
An IS auditor has completed the fieldwork phase of a network security review and is preparing the initial following findings should be ranked as the HIGHEST risk?
A warehouse employee of a retail company has been able to conceal the theft of inventory items by entering adjustments of either damaged or lost stock items to the inventory system. Which control would have BEST prevented this type of fraud in a retail environment?
During the planning phase of a data loss prevention (DLP) audit, management expresses a concern about mobile computing. Which of the following should the IS auditor identify as the associated risk?
Which of the following should be of GREATEST concern to an IS auditor reviewing a network printer disposal process?
Which of the following BEST helps to ensure data integrity across system interfaces?
The PRIMARY objective of value delivery in reference to IT governance is to:
Which of the following controls BEST ensures appropriate segregation of duties within an accounts payable department?
An IS auditor reviewing security incident processes realizes incidents are resolved and closed, but root causes are not investigated. Which of the following should be the MAJOR concern with this situation?
A company has implemented an IT segregation of duties policy. In a role-based environment, which of the following roles may be assigned to an application developer?
An IS auditor has discovered that a software system still in regular use is years out of date and no longer supported. The auditee has stated that it will take six months until the software is running on the current version. Which of the following is the BEST way to reduce the immediate risk associated with using an unsupported version of the software?
When planning an audit, it is acceptable for an IS auditor to rely on a third-party provider’s external audit report on service level management when the
Which of the following is MOST important for an IS auditor to review when determining whether IT investments are providing value to the business?
Which of the following would be the BEST criteria for monitoring an IT vendor's service levels?
As part of the architecture of virtualized environments, in a bare metal or native virtualization the hypervisor runs without:
Which of the following should be of GREATEST concern to an IS auditor conducting an audit of an organization that recently experienced a ransomware attack?
Which of the following would BEST help to ensure that an incident receives attention from appropriate personnel in a timely manner?
Which of the following is the BEST indicator for measuring performance of IT help desk function?
A new system development project is running late against a critical implementation deadline. Which of the following is the MOST important activity?
Which of the following is the MOST important factor when an organization is developing information security policies and procedures?
An IS auditor notes that not all security tests were completed for an online sales system recently promoted to production. Which of the following is the auditor's BEST course of action?
Which of the following should be an IS auditor's PRIMARY focus when evaluating the response process for cybercrimes?
Which of the following should be of GREATEST concern to an IS auditor reviewing data conversion and migration during the implementation of a new application system?
During a database management evaluation, an IS auditor discovers that some accounts with database administrator (DBA) privileges have been assigned a default password with an unlimited number of failed login attempts. Which of the following is the auditor's BEST course of action?
Which of the following is the BEST recommendation to include in an organization's bring your own device (BYOD) policy to help prevent data leakage?
Which of the following is the MOST efficient solution for a multi-location healthcare organization that wants to be able to access patient data wherever patients present themselves for care?
Following a breach, what is the BEST source to determine the maximum amount of time before customers must be notified that their personal information may have been compromised?
During a review, an IS auditor discovers that corporate users are able to access cloud-based applications and data from any Internet-connected web browser. Which of the following is the auditor's BEST recommendation to prevent unauthorized access?
Which of the following is the BEST control to minimize the risk of unauthorized access to lost company-owned mobile devices?
A programmer has made unauthorized changes to key fields in a payroll system report. Which of the following control weaknesses would have contributed MOST to this problem?
Which of the following is the BEST way to detect unauthorized copies of licensed software on systems?
In which of the following system development life cycle (SDLC) phases would an IS auditor expect to find that controls have been incorporated into system specifications?
Which of the following should be an IS auditor's GREATEST concern when a data owner assigns an incorrect classification level to data?
Which of the following is an advantage of using agile software development methodology over the waterfall methodology?
Which of the following should be the FIRST consideration when deciding whether data should be moved to a cloud provider for storage?
Which of the following is MOST important for an IS auditor to verify when reviewing the use of an outsourcer for disposal of storage media?
During which phase of the software development life cycle is it BEST to initiate the discussion of application controls?
Which of the following is the BEST source of information for examining the classification of new data?
Which of the following is the MAJOR advantage of automating internal controls?
Which of the following should be the FIRST step when planning an IS audit of a third-party service provider that monitors network activities?
Email required for business purposes is being stored on employees' personal devices. Which of the following is an IS auditor's BEST recommendation?
Which of the following are used in a firewall to protect the entity's internal resources?
With regard to resilience, which of the following is the GREATEST risk to an organization that has implemented a new critical system?
An organization has recently moved to an agile model for deploying custom code to its in-house accounting software system. When reviewing the procedures in place for production code deployment, which of the following is the MOST significant security concern to address?
During a routine internal software licensing review, an IS auditor discovers instances where employees shared license keys to critical pieces of business software. Which of the following would be the auditor's BEST course of action?
After delivering an audit report, the audit manager discovers that evidence was overlooked during the audit. This evidence indicates that a procedural control may have failed and could contradict a conclusion of the audit. Which of the following risks is MOST affected by this oversight?
Which of the following is the GREATEST risk if two users have concurrent access to the same database record?
Which of the following is a method to prevent disclosure of classified documents printed on a shared printer?
A finance department has a multi-year project to upgrade the enterprise resource planning (ERP) system hosting the general ledger, and in year one, the system version upgrade will be applied. Which of the following should be the PRIMARY focus of the IS auditor reviewing the first year of the project?
Which of the following is the MOST appropriate indicator of change management effectiveness?
Which of the following is the BEST methodology to use for estimating the complexity of developing a large business application?
Which of the following findings should be of GREATEST concern to an IS auditor reviewing an organization's newly implemented online security awareness program?
Which of the following should be of MOST concern to an IS auditor reviewing the information systems acquisition, development, and implementation process?
Which of following is MOST important to determine when conducting a post-implementation review?
The use of which of the following is an inherent risk in the application container infrastructure?
Which of the following would be the BEST process for continuous auditing to a large financial Institution?
A database administrator (DBA) should be prevented from having end user responsibilities:
An IS auditor discovers that due to resource constraints, a database administrator (DBA) is responsible for developing and executing changes into the production environment. Which of the following should the auditor do FIRST?
What is the PRIMARY purpose of performing a parallel run of a new system?
Which of the following is the MOST appropriate control to ensure integrity of online orders?
During a project assessment, an IS auditor finds that business owners have been removed from the project initiation phase. Which of the following should be the auditor's GREATEST concern with this situation?
An IS auditor is evaluating the access controls for a shared customer relationship management (CRM) system. Which of the following would be the GREATEST concern?
Which of the following methods will BEST reduce the risk associated with the transition to a new system using technologies that are not compatible with the old system?
A fire alarm system has been installed in the computer room. The MOST effective location for the fire alarm control panel would be inside the:
During the discussion of a draft audit report, IT management provided suitable evidence that a process has been implemented for a control that had been concluded by the IS auditor as ineffective. Which of the following is the auditor's BEST action?
Which of the following should be of GREATEST concern to an IS auditor who is assessing an organization's configuration and release management process?
An organization implemented a cybersecurity policy last year. Which of the following is the GREATEST indicator that the policy may need to be revised?
A web proxy server for corporate connections to external resources reduces organizational risk by:
An IS auditor is reviewing the release management process for an in-house software development solution. In which environment is the software version MOST likely to be the same as production?
Which of the following is the BEST source of information for an IS auditor to use when determining whether an organization's information security policy is adequate?
An organization is planning an acquisition and has engaged an IS auditor to evaluate the IT governance framework of the target company. Which of the following would be MOST helpful in determining the effectiveness of the framework?
An organization has recently implemented a Voice-over IP (VoIP) communication system. Which of the following should be the IS auditor's PRIMARY concern?
When auditing the alignment of IT to the business strategy, it is MOST important for the IS auditor to:
An organization has developed mature risk management practices that are followed across all departments. What is the MOST effective way for the audit team to leverage this risk management maturity?
Which of the following is the MOST important activity in the data classification process?
During the planning stage of a compliance audit, an IS auditor discovers that a bank's inventory of compliance requirements does not include recent regulatory changes related to managing data risk. What should the auditor do FIRST?
Which of the following represents the HIGHEST level of maturity of an information security program?
An IS auditor is reviewing an industrial control system (ICS) that uses older unsupported technology in the scope of an upcoming audit. What should the auditor consider the MOST significant concern?
An information systems security officer's PRIMARY responsibility for business process applications is to:
Which of the following is MOST important for an IS auditor to consider when performing the risk assessment prior to an audit engagement?
An IS auditor learns the organization has experienced several server failures in its distributed environment. Which of the following is the BEST recommendation to limit the potential impact of server failures in the future?
Which of the following findings should be of GREATEST concern for an IS auditor when auditing the effectiveness of a phishing simulation test administered for staff members?
Which of the following would be an appropriate role of internal audit in helping to establish an organization's privacy program?
Which of the following would BEST manage the risk of changes in requirements after the analysis phase of a business application development project?
An IS auditor has been asked to audit the proposed acquisition of new computer hardware. The auditor's PRIMARY concern is that:
An IS auditor finds that an organization's data loss prevention (DLP) system is configured to use vendor default settings to identify violations. The auditor's MAIN concern should be that:
A new regulation requires organizations to report significant security incidents to the regulator within 24 hours of identification. Which of the following is the IS auditor's BEST recommendation to facilitate compliance with the regulation?
The IS auditor has recommended that management test a new system before using it in production mode. The BEST approach for management in developing a test plan is to use processing parameters that are:
When planning an audit to assess application controls of a cloud-based system, it is MOST important for the IS auditor to understand the:
Which of the following would MOST effectively ensure the integrity of data transmitted over a network?
During a project audit, an IS auditor notes that project reporting does not accurately reflect current progress. Which of the following is the GREATEST resulting impact?
Which of the following is an example of a preventive control for physical access?
Which of the following is the MOST important reason to classify a disaster recovery plan (DRP) as confidential?
Which of the following MUST be completed as part of the annual audit planning process?
To enable the alignment of IT staff development plans with IT strategy, which of the following should be done FIRST?
Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system. Which of the following is the IS auditor's BEST recommendation for a compensating control?
Which of the following concerns is BEST addressed by securing production source libraries?
Which of the following is the PRIMARY reason to follow a configuration management process to maintain application?
Which of the following findings should be of GREATEST concern to an IS auditor performing a review of IT operations?
The performance, risks, and capabilities of an IT infrastructure are BEST measured using a:
An IS auditor finds a high-risk vulnerability in a public-facing web server used to process online customer payments. The IS auditor should FIRST:
Which of the following must be in place before an IS auditor initiates audit follow-up activities?
An IS auditor performs a follow-up audit and learns the approach taken by the auditee to fix the findings differs from the agreed-upon approach confirmed during the last audit. Which of the following should be the auditor's NEXT course of action?
The PRIMARY reason for an IS auditor to use data analytics techniques is to reduce which type of audit risk?
An accounting department uses a spreadsheet to calculate sensitive financial transactions. Which of the following is the MOST important control for maintaining the security of data in the spreadsheet?
An organization was recently notified by its regulatory body of significant discrepancies in its reporting data. A preliminary investigation revealed that the discrepancies were caused by problems with the organization's data quality Management has directed the data quality team to enhance their program. The audit committee has asked internal audit to be advisors to the process. To ensure that management concerns are addressed, which data set should internal audit recommend be reviewed FIRST?
Which of the following BEST protects an organization's proprietary code during a joint-development activity involving a third party?
Which of the following will MOST likely compromise the control provided by a digital signature created using RSA encryption?
Which of the following is the GREATEST risk associated with storing customer data on a web server?
The BEST way to determine whether programmers have permission to alter data in the production environment is by reviewing:
During an audit of a multinational bank's disposal process, an IS auditor notes several findings. Which of the following should be the auditor's GREATEST concern?
Which of the following conditions would be of MOST concern to an IS auditor assessing the risk of a successful brute force attack against encrypted data at rest?
Which of the following documents should specify roles and responsibilities within an IT audit organization?
Which of the following is MOST important for an IS auditor to do during an exit meeting with an auditee?
Which of the following is the GREATEST security risk associated with data migration from a legacy human resources (HR) system to a cloud-based system?
Which of the following is an example of a preventative control in an accounts payable system?
Which of the following findings from an IT governance review should be of GREATEST concern?
The GREATEST benefit of using a prototyping approach in software development is that it helps to:
Which of the following is the BEST reason for an organization to use clustering?
An IS auditor is evaluating the risk associated with moving from one database management system (DBMS) to another. Which of the following would be MOST helpful to ensure the integrity of the system throughout the change?
In an online application, which of the following would provide the MOST information about the transaction audit trail?
Which of the following BEST enables the timely identification of risk exposure?
Due to limited storage capacity, an organization has decided to reduce the actual retention period for media containing completed low-value transactions. Which of the following is MOST important for the organization to ensure?
Which of the following activities provides an IS auditor with the MOST insight regarding potential single person dependencies that might exist within the organization?
An IS auditor is reviewing security controls related to collaboration tools for a business unit responsible for intellectual property and patents. Which of the following observations should be of MOST concern to the auditor?
An organization has assigned two new IS auditors to audit a new system implementation. One of the auditors has an IT-related degree, and one has a business degree. Which of the following is MOST important to meet the IS audit standard for proficiency?
Which of the following is the BEST compensating control against segregation of duties conflicts in new code development?
Which of the following would present the GREATEST concern during a review of internal audit quality assurance (QA) and continuous improvement processes?
An IS auditor has learned that access privileges are not periodically reviewed or updated. Which of the following would provide the BEST evidence to determine whether transactions have been executed by authorized employees?
An IS auditor is assigned to perform a post-implementation review of an application system. Which of the following would impair the auditor's independence?
Which of the following is the MOST important responsibility of data owners when implementing a data classification process?
Which of the following is MOST helpful for an IS auditor to review when evaluating an organization's business processes that are supported by applications and IT systems?
A secure server room has a badge reader system that records name, date, and time information whenever a staff member uses a badge to enter or exit. When reviewing the system logs, an IS auditor notices records for some employees entering, but not exiting, the room. Which of the following would be the MOST effective compensating control to recommend?
An IS audit reveals that an organization operating in business continuity mode during a pandemic situation has not performed a simulation test of the business continuity plan (BCP). Which of the following is the auditor's BEST course of action?