Valentine Day Special 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: exams65

Certified Information Systems Auditor Question and Answers

Certified Information Systems Auditor

Last Update Feb 26, 2024
Total Questions : 928

We are offering FREE CISA Isaca exam questions. All you do is to just go and sign up. Give your details, prepare CISA free exam questions and then go for complete pool of Certified Information Systems Auditor test questions that will help you more.

CISA pdf

CISA PDF

$69.65  $199
CISA Engine

CISA Testing Engine

$78.75  $225
CISA PDF + Engine

CISA PDF + Testing Engine

$87.15  $249
Questions 1

An organization is planning an acquisition and has engaged an IS auditor lo evaluate the IT governance framework of the target company. Which of the following would be MOST helpful In determining the effectiveness of the framework?

Options:

A.  

Sell-assessment reports of IT capability and maturity

B.  

IT performance benchmarking reports with competitors

C.  

Recent third-party IS audit reports

D.  

Current and previous internal IS audit reports

Discussion 0
Questions 2

Which of the following provides IS audit professionals with the BEST source of direction for performing audit functions?

Options:

A.  

Audit charter

B.  

IT steering committee

C.  

Information security policy

D.  

Audit best practices

Discussion 0
Questions 3

In an online application which of the following would provide the MOST information about the transaction audit trail?

Options:

A.  

File layouts

B.  

Data architecture

C.  

System/process flowchart

D.  

Source code documentation

Discussion 0
Questions 4

During an audit of a multinational bank's disposal process, an IS auditor notes several findings. Which of the following should be the auditor's GREATEST concern?

Options:

A.  

Backup media are not reviewed before disposal.

B.  

Degaussing is used instead of physical shredding.

C.  

Backup media are disposed before the end of the retention period

D.  

Hardware is not destroyed by a certified vendor.

Discussion 0
Questions 5

An organization recently implemented a cloud document storage solution and removed the ability for end users to save data to their local workstation hard drives. Which of the following findings should be the IS auditor's GREATEST concern?

Options:

A.  

Users are not required to sign updated acceptable use agreements.

B.  

Users have not been trained on the new system.

C.  

The business continuity plan (BCP) was not updated.

D.  

Mobile devices are not encrypted.

Discussion 0
Questions 6

Which of the following business continuity activities prioritizes the recovery of critical functions?

Options:

A.  

Business continuity plan (BCP) testing

B.  

Business impact analysis (BIA)

C.  

Disaster recovery plan (DRP) testing

D.  

Risk assessment

Discussion 0
Questions 7

Which of the following is the BEST audit procedure to determine whether a firewall is configured in compliance with the organization's security policy?

Options:

A.  

Reviewing the parameter settings

B.  

Reviewing the system log

C.  

Interviewing the firewall administrator

D.  

Reviewing the actual procedures

Discussion 0
Questions 8

Which of the following documents should specify roles and responsibilities within an IT audit organization?

Options:

A.  

Organizational chart

B.  

Audit charier

C.  

Engagement letter

D.  

Annual audit plan

Discussion 0
Questions 9

Which of the following weaknesses would have the GREATEST impact on the effective operation of a perimeter firewall?

Options:

A.  

Use of stateful firewalls with default configuration

B.  

Ad hoc monitoring of firewall activity

C.  

Misconfiguration of the firewall rules

D.  

Potential back doors to the firewall software

Discussion 0
Questions 10

Which of the following will MOST likely compromise the control provided By a digital signature created using RSA encryption?

Options:

A.  

Reversing the hash function using the digest

B.  

Altering the plaintext message

C.  

Deciphering the receiver's public key

D.  

Obtaining the sender's private key

Discussion 0
Questions 11

Which of the following is MOST important for an IS auditor to do during an exit meeting with an auditee?

Options:

A.  

Ensure that the facts presented in the report are correct

B.  

Communicate the recommendations lo senior management

C.  

Specify implementation dates for the recommendations.

D.  

Request input in determining corrective action.

Discussion 0
Questions 12

To enable the alignment of IT staff development plans with IT strategy, which of the following should be done FIRST?

Options:

A.  

Review IT staff job descriptions for alignment

B.  

Develop quarterly training for each IT staff member.

C.  

Identify required IT skill sets that support key business processes

D.  

Include strategic objectives m IT staff performance objectives

Discussion 0
Questions 13

A third-party consultant is managing the replacement of an accounting system. Which of the following should be the IS auditor's GREATEST concern?

Options:

A.  

Data migration is not part of the contracted activities.

B.  

The replacement is occurring near year-end reporting

C.  

The user department will manage access rights.

D.  

Testing was performed by the third-party consultant

Discussion 0
Questions 14

An internal audit department recently established a quality assurance (QA) program. Which of the following activities Is MOST important to include as part of the QA program requirements?

Options:

A.  

Long-term Internal audit resource planning

B.  

Ongoing monitoring of the audit activities

C.  

Analysis of user satisfaction reports from business lines

D.  

Feedback from Internal audit staff

Discussion 0
Questions 15

Which of the following would BEST manage the risk of changes in requirements after the analysis phase of a business application development project?

Options:

A.  

Expected deliverables meeting project deadlines

B.  

Sign-off from the IT team

C.  

Ongoing participation by relevant stakeholders

D.  

Quality assurance (OA) review

Discussion 0
Questions 16

Which of the following is MOST important to verify when determining the completeness of the vulnerability scanning process?

Options:

A.  

The organization's systems inventory is kept up to date.

B.  

Vulnerability scanning results are reported to the CISO.

C.  

The organization is using a cloud-hosted scanning tool for Identification of vulnerabilities

D.  

Access to the vulnerability scanning tool is periodically reviewed

Discussion 0
Questions 17

An IS auditor finds that an organization's data loss prevention (DLP) system is configured to use vendor default settings to identify violations. The auditor's MAIN concern should be that:

Options:

A.  

violation reports may not be reviewed in a timely manner.

B.  

a significant number of false positive violations may be reported.

C.  

violations may not be categorized according to the organization's risk profile.

D.  

violation reports may not be retained according to the organization's risk profile.

Discussion 0
Questions 18

Which of the following is the GREATEST risk associated with storing customer data on a web server?

Options:

A.  

Data availability

B.  

Data confidentiality

C.  

Data integrity

D.  

Data redundancy

Discussion 0
Questions 19

While auditing a small organization's data classification processes and procedures, an IS auditor noticed that data is often classified at the incorrect level. What is the MOST effective way for the organization to improve this situation?

Options:

A.  

Use automatic document classification based on content.

B.  

Have IT security staff conduct targeted training for data owners.

C.  

Publish the data classification policy on the corporate web portal.

D.  

Conduct awareness presentations and seminars for information classification policies.

Discussion 0
Questions 20

An employee loses a mobile device resulting in loss of sensitive corporate data. Which o( the following would have BEST prevented data leakage?

Options:

A.  

Data encryption on the mobile device

B.  

Complex password policy for mobile devices

C.  

The triggering of remote data wipe capabilities

D.  

Awareness training for mobile device users

Discussion 0
Questions 21

Which of the following BEST protects an organization's proprietary code during a joint-development activity involving a third party?

Options:

A.  

Statement of work (SOW)

B.  

Nondisclosure agreement (NDA)

C.  

Service level agreement (SLA)

D.  

Privacy agreement

Discussion 0
Questions 22

Upon completion of audit work, an IS auditor should:

Options:

A.  

provide a report to senior management prior to discussion with the auditee.

B.  

distribute a summary of general findings to the members of the auditing team.

C.  

provide a report to the auditee stating the initial findings.

D.  

review the working papers with the auditee.

Discussion 0
Questions 23

Which of the following must be in place before an IS auditor initiates audit follow-up activities?

Options:

A.  

Available resources for the activities included in the action plan

B.  

A management response in the final report with a committed implementation date

C.  

A heal map with the gaps and recommendations displayed in terms of risk

D.  

Supporting evidence for the gaps and recommendations mentioned in the audit report

Discussion 0
Questions 24

Which of the following BEST enables the timely identification of risk exposure?

Options:

A.  

External audit review

B.  

Internal audit review

C.  

Control self-assessment (CSA)

D.  

Stress testing

Discussion 0
Questions 25

Which of the following BEST Indicates that an incident management process is effective?

Options:

A.  

Decreased time for incident resolution

B.  

Increased number of incidents reviewed by IT management

C.  

Decreased number of calls lo the help desk

D.  

Increased number of reported critical incidents

Discussion 0
Questions 26

An organization is considering allowing users to connect personal devices to the corporate network. Which of the following should be done FIRST?

Options:

A.  

Conduct security awareness training.

B.  

Implement an acceptable use policy

C.  

Create inventory records of personal devices

D.  

Configure users on the mobile device management (MDM) solution

Discussion 0
Questions 27

During an exit interview, senior management disagrees with some of me facts presented m the draft audit report and wants them removed from the report. Which of the following would be the auditor's BEST course of action?

Options:

A.  

Revise the assessment based on senior management's objections.

B.  

Escalate the issue to audit management.

C.  

Finalize the draft audit report without changes.

D.  

Gather evidence to analyze senior management's objections

Discussion 0
Questions 28

A new system is being developed by a vendor for a consumer service organization. The vendor will provide its proprietary software once system development is completed Which of the following is the MOST important requirement to include In the vendor contract to ensure continuity?

Options:

A.  

Continuous 24/7 support must be available.

B.  

The vendor must have a documented disaster recovery plan (DRP) in place.

C.  

Source code for the software must be placed in escrow.

D.  

The vendor must train the organization's staff to manage the new software

Discussion 0
Questions 29

Which of the following is the BEST source of information for an IS auditor to use as a baseline to assess the adequacy of an organization's privacy policy?

Options:

A.  

Historical privacy breaches and related root causes

B.  

Globally accepted privacy best practices

C.  

Local privacy standards and regulations

D.  

Benchmark studies of similar organizations

Discussion 0
Questions 30

A new regulation in one country of a global organization has recently prohibited cross-border transfer of personal data. An IS auditor has been asked to determine the organization's level of exposure In the affected country. Which of the following would be MOST helpful in making this assessment?

Options:

A.  

Developing an inventory of all business entities that exchange personal data with the affected jurisdiction

B.  

Identifying data security threats in the affected jurisdiction

C.  

Reviewing data classification procedures associated with the affected jurisdiction

D.  

Identifying business processes associated with personal data exchange with the affected jurisdiction

Discussion 0
Questions 31

When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor's BEST recommendation is to place an intrusion detection system (IDS) between the firewall and:

Options:

A.  

the organization's web server.

B.  

the demilitarized zone (DMZ).

C.  

the organization's network.

D.  

the Internet

Discussion 0
Questions 32

What is the MAIN reason to use incremental backups?

Options:

A.  

To improve key availability metrics

B.  

To reduce costs associates with backups

C.  

To increase backup resiliency and redundancy

D.  

To minimize the backup time and resources

Discussion 0
Questions 33

An IS auditor is conducting a review of a data center. Which of the following observations could indicate an access control Issue?

Options:

A.  

Security cameras deployed outside main entrance

B.  

Antistatic mats deployed at the computer room entrance

C.  

Muddy footprints directly inside the emergency exit

D.  

Fencing around facility is two meters high

Discussion 0
Questions 34

Which of the following is the MAIN purpose of an information security management system?

Options:

A.  

To identify and eliminate the root causes of information security incidents

B.  

To enhance the impact of reports used to monitor information security incidents

C.  

To keep information security policies and procedures up-to-date

D.  

To reduce the frequency and impact of information security incidents

Discussion 0
Questions 35

An organization that has suffered a cyber-attack is performing a forensic analysis of the affected users' computers. Which of the following should be of GREATEST concern for the IS auditor reviewing this process?

Options:

A.  

An imaging process was used to obtain a copy of the data from each computer.

B.  

The legal department has not been engaged.

C.  

The chain of custody has not been documented.

D.  

Audit was only involved during extraction of the Information

Discussion 0
Questions 36

An IS audit learn is evaluating the documentation related to the most recent application user-access review performed by IT and business management It is determined that the user list was not system-generated. Which of the following should be the GREATEST concern?

Options:

A.  

Availability of the user list reviewed

B.  

Confidentiality of the user list reviewed

C.  

Source of the user list reviewed

D.  

Completeness of the user list reviewed

Discussion 0
Questions 37

Which of the following types of firewalls provide the GREATEST degree of control against hacker intrusion?

Options:

A.  

Circuit gateway

B.  

Application level gateway

C.  

Packet filtering router

D.  

Screening router

Discussion 0
Questions 38

An IS auditor is reviewing the release management process for an in-house software development solution. In which environment Is the software version MOST likely to be the same as production?

Options:

A.  

Staging

B.  

Testing

C.  

Integration

D.  

Development

Discussion 0
Questions 39

Which of the following is the BEST indicator of the effectiveness of an organization's incident response program?

Options:

A.  

Number of successful penetration tests

B.  

Percentage of protected business applications

C.  

Financial impact per security event

D.  

Number of security vulnerability patches

Discussion 0
Questions 40

Which of the following metrics would BEST measure the agility of an organization's IT function?

Options:

A.  

Average number of learning and training hours per IT staff member

B.  

Frequency of security assessments against the most recent standards and guidelines

C.  

Average time to turn strategic IT objectives into an agreed upon and approved initiative

D.  

Percentage of staff with sufficient IT-related skills for the competency required of their roles

Discussion 0
Questions 41

The GREATEST benefit of using a polo typing approach in software development is that it helps to:

Options:

A.  

minimize scope changes to the system.

B.  

decrease the time allocated for user testing and review.

C.  

conceptualize and clarify requirements.

D.  

Improve efficiency of quality assurance (QA) testing

Discussion 0
Questions 42

An IS auditor concludes that an organization has a quality security policy. Which of the following is MOST important to determine next? The policy must be:

Options:

A.  

well understood by all employees.

B.  

based on industry standards.

C.  

developed by process owners.

D.  

updated frequently.

Discussion 0
Questions 43

Which of the following should an IS auditor consider the MOST significant risk associated with a new health records system that replaces a legacy system?

Options:

A.  

Staff were not involved in the procurement process, creating user resistance to the new system.

B.  

Data is not converted correctly, resulting in inaccurate patient records.

C.  

The deployment project experienced significant overruns, exceeding budget projections.

D.  

The new system has capacity issues, leading to slow response times for users.

Discussion 0
Questions 44

An organization plans to receive an automated data feed into its enterprise data warehouse from a third-party service provider. Which of the following would be the BEST way to prevent accepting bad data?

Options:

A.  

Obtain error codes indicating failed data feeds.

B.  

Purchase data cleansing tools from a reputable vendor.

C.  

Appoint data quality champions across the organization.

D.  

Implement business rules to reject invalid data.

Discussion 0
Questions 45

Following a security breach in which a hacker exploited a well-known vulnerability in the domain controller, an IS audit has been asked to conduct a control assessment. the auditor's BEST course of action would be to determine if:

Options:

A.  

the patches were updated.

B.  

The logs were monitored.

C.  

The network traffic was being monitored.

D.  

The domain controller was classified for high availability.

Discussion 0
Questions 46

In an environment that automatically reports all program changes, which of the following is the MOST efficient way to detect unauthorized changes to production programs?

Options:

A.  

Reviewing the last compile date of production programs

B.  

Manually comparing code in production programs to controlled copies

C.  

Periodically running and reviewing test data against production programs

D.  

Verifying user management approval of modifications

Discussion 0
Questions 47

Which of the following activities would allow an IS auditor to maintain independence while facilitating a control sell-assessment (CSA)?

Options:

A.  

Implementing the remediation plan

B.  

Partially completing the CSA

C.  

Developing the remediation plan

D.  

Developing the CSA questionnaire

Discussion 0
Questions 48

The IS auditor has recommended that management test a new system before using it in production mode. The BEST approach for management in developing a test plan is to use processing parameters that are:

Options:

A.  

randomly selected by a test generator.

B.  

provided by the vendor of the application.

C.  

randomly selected by the user.

D.  

simulated by production entities and customers.

Discussion 0
Questions 49

An IS auditor is evaluating the risk associated with moving from one database management system (DBMS) to another. Which of the following would be MOST helpful to ensure the integrity of the system throughout the change?

Options:

A.  

Preserving the same data classifications

B.  

Preserving the same data inputs

C.  

Preserving the same data structure

D.  

Preserving the same data interfaces

Discussion 0
Questions 50

The PRIMARY reason for an IS auditor to use data analytics techniques is to reduce which type of audit risk?

Options:

A.  

Technology risk

B.  

Detection risk

C.  

Control risk

D.  

Inherent risk

Discussion 0
Questions 51

Which of the following activities provides an IS auditor with the MOST insight regarding potential single person dependencies that might exist within the organization?

Options:

A.  

Reviewing vacation patterns

B.  

Reviewing user activity logs

C.  

Interviewing senior IT management

D.  

Mapping IT processes to roles

Discussion 0
Questions 52

Which of the following findings should be of GREATEST concern for an IS auditor when auditing the effectiveness of a phishing simu-lation test administered for staff members?

Options:

A.  

Staff members who failed the test did not receive follow-up education

B.  

Test results were not communicated to staff members.

C.  

Staff members were not notified about the test beforehand.

D.  

Security awareness training was not provided prior to the test.

Discussion 0
Questions 53

An IS auditor has been asked to advise on measures to improve IT governance within the organization. Which at the following is the BEST recommendation?

Options:

A.  

Implement key performance indicators (KPIs)

B.  

Implement annual third-party audits.

C.  

Benchmark organizational performance against industry peers.

D.  

Require executive management to draft IT strategy

Discussion 0
Questions 54

What is the PRIMARY benefit of an audit approach which requires reported findings to be issued together with related action plans, owners, and target dates?

Options:

A.  

it facilitates easier audit follow-up

B.  

it enforces action plan consensus between auditors and auditees

C.  

it establishes accountability for the action plans

D.  

it helps to ensure factual accuracy of findings

Discussion 0
Questions 55

In response to an audit finding regarding a payroll application, management implemented a new automated control. Which of the following would be MOST helpful to the IS auditor when evaluating the effectiveness of the new control?

Options:

A.  

Approved test scripts and results prior to implementation

B.  

Written procedures defining processes and controls

C.  

Approved project scope document

D.  

A review of tabletop exercise results

Discussion 0
Questions 56

An IS auditor discovers that an IT organization serving several business units assigns equal priority to all initiatives, creating a risk of delays in securing project funding Which of the following would be MOST helpful in matching demand for projects and services with available resources in a way that supports business objectives?

Options:

A.  

Project management

B.  

Risk assessment results

C.  

IT governance framework

D.  

Portfolio management

Discussion 0
Questions 57

What should an IS auditor do FIRST upon discovering that a service provider did not notify its customers of a security breach?

Options:

A.  

Notify law enforcement of the finding.

B.  

Require the third party to notify customers.

C.  

The audit report with a significant finding.

D.  

Notify audit management of the finding.

Discussion 0
Questions 58

Which of the following is the BEST reason to implement a data retention policy?

Options:

A.  

To limit the liability associated with storing and protecting information

B.  

To document business objectives for processing data within the organization

C.  

To assign responsibility and ownership for data protection outside IT

D.  

To establish a recovery point detective (RPO) for (toaster recovery procedures

Discussion 0
Questions 59

During a security audit, an IS auditor is tasked with reviewing log entries obtained from an enterprise intrusion prevention system (IPS). Which type of risk would be associated with the potential for the auditor to miss a sequence of logged events that could indicate an error in the IPS configuration?

Options:

A.  

Sampling risk

B.  

Detection risk

C.  

Control risk

D.  

Inherent risk

Discussion 0
Questions 60

Which of the following is the BEST way to ensure that business continuity plans (BCPs) will work effectively in the event of a major disaster?

Options:

A.  

Prepare detailed plans for each business function.

B.  

Involve staff at all levels in periodic paper walk-through exercises.

C.  

Regularly update business impact assessments.

D.  

Make senior managers responsible for their plan sections.

Discussion 0
Questions 61

Management receives information indicating a high level of risk associated with potential flooding near the organization's data center within the next few years. As a result, a decision has been made to move data center operations to another facility on higher ground. Which approach has been adopted?

Options:

A.  

Risk avoidance

B.  

Risk transfer

C.  

Risk acceptance

D.  

Risk reduction

Discussion 0
Questions 62

Which of the following issues associated with a data center's closed-circuit television (CCTV) surveillance cameras should be of MOST concern to an IS auditor?

Options:

A.  

CCTV recordings are not regularly reviewed.

B.  

CCTV cameras are not installed in break rooms

C.  

CCTV records are deleted after one year.

D.  

CCTV footage is not recorded 24 x 7.

Discussion 0
Questions 63

Which of the following is the BEST metric to measure the alignment of IT and business strategy?

Options:

A.  

Level of stakeholder satisfaction with the scope of planned IT projects

B.  

Percentage of enterprise risk assessments that include IT-related risk

C.  

Percentage of stat satisfied with their IT-related roles

D.  

Frequency of business process capability maturity assessments

Discussion 0
Questions 64

An organization has outsourced the development of a core application. However, the organization plans to bring the support and future maintenance of the application back in-house. Which of the following findings should be the IS auditor's GREATEST concern?

Options:

A.  

The cost of outsourcing is lower than in-house development.

B.  

The vendor development team is located overseas.

C.  

A training plan for business users has not been developed.

D.  

The data model is not clearly documented.

Discussion 0
Questions 65

Which of the following should be of GREATEST concern to an IS auditor reviewing a network printer disposal process?

Options:

A.  

Disposal policies and procedures are not consistently implemented

B.  

Evidence is not available to verify printer hard drives have been sanitized prior to disposal.

C.  

Business units are allowed to dispose printers directly to

D.  

Inoperable printers are stored in an unsecured area.

Discussion 0
Questions 66

An IS auditor is reviewing processes for importing market price data from external data providers. Which of the following findings should the auditor consider MOST critical?

Options:

A.  

The quality of the data is not monitored.

B.  

Imported data is not disposed frequently.

C.  

The transfer protocol is not encrypted.

D.  

The transfer protocol does not require authentication.

Discussion 0
Questions 67

The PRIMARY benefit of information asset classification is that it:

Options:

A.  

prevents loss of assets.

B.  

helps to align organizational objectives.

C.  

facilitates budgeting accuracy.

D.  

enables risk management decisions.

Discussion 0
Questions 68

Which of the following is the GREATEST risk of using a reciprocal site for disaster recovery?

Options:

A.  

Inability to utilize the site when required

B.  

Inability to test the recovery plans onsite

C.  

Equipment compatibility issues at the site

D.  

Mismatched organizational security policies

Discussion 0
Questions 69

Which of the following would be MOST effective to protect information assets in a data center from theft by a vendor?

Options:

A.  

Monitor and restrict vendor activities

B.  

Issues an access card to the vendor.

C.  

Conceal data devices and information labels

D.  

Restrict use of portable and wireless devices.

Discussion 0
Questions 70

An IS auditor has found that a vendor has gone out of business and the escrow has an older version of the source code. What is the auditor's BEST recommendation for the organization?

Options:

A.  

Analyze a new application that moots the current re

B.  

Perform an analysis to determine the business risk

C.  

Bring the escrow version up to date.

D.  

Develop a maintenance plan to support the application using the existing code

Discussion 0
Questions 71

Which of the following would be MOST useful when analyzing computer performance?

Options:

A.  

Statistical metrics measuring capacity utilization

B.  

Operations report of user dissatisfaction with response time

C.  

Tuning of system software to optimize resource usage

D.  

Report of off-peak utilization and response time

Discussion 0
Questions 72

Which of the following would an IS auditor recommend as the MOST effective preventive control to reduce the risk of data leakage?

Options:

A.  

Ensure that paper documents arc disposed security.

B.  

Implement an intrusion detection system (IDS).

C.  

Verify that application logs capture any changes made.

D.  

Validate that all data files contain digital watermarks

Discussion 0
Questions 73

An IS auditor is reviewing documentation of application systems change control and identifies several patches that were not tested before being put into production. Which of the following is the MOST significant risk from this situation?

Options:

A.  

Loss of application support

B.  

Lack of system integrity

C.  

Outdated system documentation

D.  

Developer access 1o production

Discussion 0
Questions 74

An organization has virtualized its server environment without making any other changes to the network or security infrastructure. Which of the following is the MOST significant risk?

Options:

A.  

Inability of the network intrusion detection system (IDS) to monitor virtual server-lo-server communications

B.  

Vulnerability in the virtualization platform affecting multiple hosts

C.  

Data center environmental controls not aligning with new configuration

D.  

System documentation not being updated to reflect changes in the environment

Discussion 0
Questions 75

Which of the following backup schemes is the BEST option when storage media is limited?

Options:

A.  

Real-time backup

B.  

Virtual backup

C.  

Differential backup

D.  

Full backup

Discussion 0
Questions 76

During an exit meeting, an IS auditor highlights that backup cycles

are being missed due to operator error and that these exceptions

are not being managed. Which of the following is the BEST way to

help management understand the associated risk?

Options:

A.  

Explain the impact to disaster recovery.

B.  

Explain the impact to resource requirements.

C.  

Explain the impact to incident management.

D.  

Explain the impact to backup scheduling.

Discussion 0
Questions 77

Which of the following is the BEST way to mitigate the risk associated with unintentional modifications of complex calculations in end-user computing (EUC)?

Options:

A.  

Have an independent party review the source calculations

B.  

Execute copies of EUC programs out of a secure library

C.  

implement complex password controls

D.  

Verify EUC results through manual calculations

Discussion 0
Questions 78

Which of the following is the BEST control lo mitigate attacks that redirect Internet traffic to an unauthorized website?

Options:

A.  

Utilize a network-based firewall.

B.  

Conduct regular user security awareness training.

C.  

Perform domain name system (DNS) server security hardening.

D.  

Enforce a strong password policy meeting complexity requirement.

Discussion 0
Questions 79

Which of the following BEST facilitates the legal process in the event of an incident?

Options:

A.  

Right to perform e-discovery

B.  

Advice from legal counsel

C.  

Preserving the chain of custody

D.  

Results of a root cause analysis

Discussion 0
Questions 80

A post-implementation review was conducted by issuing a survey to users. Which of the following should be of GREATEST concern to an IS auditor?

Options:

A.  

The survey results were not presented in detail lo management.

B.  

The survey questions did not address the scope of the business case.

C.  

The survey form template did not allow additional feedback to be provided.

D.  

The survey was issued to employees a month after implementation.

Discussion 0
Questions 81

Which of the following should be performed FIRST before key performance indicators (KPIs) can be implemented?

Options:

A.  

Analysis of industry benchmarks

B.  

Identification of organizational goals

C.  

Analysis of quantitative benefits

D.  

Implementation of a balanced scorecard

Discussion 0
Questions 82

An organization allows its employees lo use personal mobile devices for work. Which of the following would BEST maintain information security without compromising employee privacy?

Options:

A.  

Installing security software on the devices

B.  

Partitioning the work environment from personal space on devices

C.  

Preventing users from adding applications

D.  

Restricting the use of devices for personal purposes during working hours

Discussion 0
Questions 83

An IS auditor finds that one employee has unauthorized access to confidential data. The IS auditor's BEST recommendation should be to:

Options:

A.  

reclassify the data to a lower level of confidentiality

B.  

require the business owner to conduct regular access reviews.

C.  

implement a strong password schema for users.

D.  

recommend corrective actions to be taken by the security administrator.

Discussion 0
Questions 84

An audit has identified that business units have purchased cloud-based applications without IPs support. What is the GREATEST risk associated with this situation?

Options:

A.  

The applications are not included in business continuity plans (BCFs)

B.  

The applications may not reasonably protect data.

C.  

The application purchases did not follow procurement policy.

D.  

The applications could be modified without advanced notice.

Discussion 0
Questions 85

An IS auditor finds that capacity management for a key system is being performed by IT with no input from the business The auditor's PRIMARY concern would be:

Options:

A.  

failure to maximize the use of equipment

B.  

unanticipated increase in business s capacity needs.

C.  

cost of excessive data center storage capacity

D.  

impact to future business project funding.

Discussion 0
Questions 86

An IS auditor is reviewing logical access controls for an organization's financial business application Which of the following findings should be of GREATEST concern to the auditor?

Options:

A.  

Users are not required to change their passwords on a regular basis

B.  

Management does not review application user activity logs

C.  

User accounts are shared between users

D.  

Password length is set to eight characters

Discussion 0
Questions 87

Which of the following controls BEST ensures appropriate segregation of duties within an accounts payable department?

Options:

A.  

Restricting program functionality according to user security profiles

B.  

Restricting access to update programs to accounts payable staff only

C.  

Including the creator’s user ID as a field in every transaction record created

D.  

Ensuring that audit trails exist for transactions

Discussion 0
Questions 88

What should an IS auditor do FIRST when management responses

to an in-person internal control questionnaire indicate a key internal

control is no longer effective?

Options:

A.  

Determine the resources required to make the control

effective.

B.  

Validate the overall effectiveness of the internal control.

C.  

Verify the impact of the control no longer being effective.

D.  

Ascertain the existence of other compensating controls.

Discussion 0
Questions 89

During an IT general controls audit of a high-risk area where both internal and external audit teams are reviewing the same approach to optimize resources?

Options:

A.  

Leverage the work performed by external audit for the internal audit testing.

B.  

Ensure both the internal and external auditors perform the work simultaneously.

C.  

Request that the external audit team leverage the internal audit work.

D.  

Roll forward the general controls audit to the subsequent audit year.

Discussion 0
Questions 90

An IS auditor follows up on a recent security incident and finds the incident response was not adequate. Which of the following findings should be considered MOST critical?

Options:

A.  

The security weakness facilitating the attack was not identified.

B.  

The attack was not automatically blocked by the intrusion detection system (IDS).

C.  

The attack could not be traced back to the originating person.

D.  

Appropriate response documentation was not maintained.

Discussion 0
Questions 91

Which of the following is the PRIMARY advantage of using visualization technology for corporate applications?

Options:

A.  

Improved disaster recovery

B.  

Better utilization of resources

C.  

Stronger data security

D.  

Increased application performance

Discussion 0
Questions 92

Which of the following should be of GREATEST concern to an IS auditor reviewing an organization's business continuity plan (BCP)?

Options:

A.  

The BCP's contact information needs to be updated

B.  

The BCP is not version controlled.

C.  

The BCP has not been approved by senior management.

D.  

The BCP has not been tested since it was first issued.

Discussion 0
Questions 93

If enabled within firewall rules, which of the following services would present the GREATEST risk?

Options:

A.  

Simple mail transfer protocol (SMTP)

B.  

Simple object access protocol (SOAP)

C.  

Hypertext transfer protocol (HTTP)

D.  

File transfer protocol (FTP)

Discussion 0
Questions 94

What would be an IS auditor's BEST recommendation upon finding that a third-party IT service provider hosts the organization's human resources (HR) system in a foreign country?

Options:

A.  

Perform background verification checks.

B.  

Review third-party audit reports.

C.  

Implement change management review.

D.  

Conduct a privacy impact analysis.

Discussion 0
Questions 95

Which of the following types of environmental equipment will MOST likely be deployed below the floor tiles of a data center?

Options:

A.  

Temperature sensors

B.  

Humidity sensors

C.  

Water sensors

D.  

Air pressure sensors

Discussion 0
Questions 96

Which of the following would be an appropriate role of internal audit in helping to establish an organization’s privacy program?

Options:

A.  

Analyzing risks posed by new regulations

B.  

Developing procedures to monitor the use of personal data

C.  

Defining roles within the organization related to privacy

D.  

Designing controls to protect personal data

Discussion 0
Questions 97

The PRIMARY objective of value delivery in reference to IT governance is to:

Options:

A.  

promote best practices

B.  

increase efficiency.

C.  

optimize investments.

D.  

ensure compliance.

Discussion 0
Questions 98

An IS auditor has discovered that a software system still in regular use is years out of date and no longer supported the auditee has stated that it will take six months until the software is running on the current version. Which of the following is the BEST way to reduce the immediate risk associated with using an unsupported version of the software?

Options:

A.  

Verify all patches have been applied to the software system's outdated version

B.  

Close all unused ports on the outdated software system.

C.  

Segregate the outdated software system from the main network.

D.  

Monitor network traffic attempting to reach the outdated software system.

Discussion 0
Questions 99

An audit identified that a computer system is not assigning sequential purchase order numbers to order requests. The IS auditor is conducting an audit follow-up to determine if management has reserved this finding. Which of two following is the MOST reliable follow-up procedure?

Options:

A.  

Review the documentation of recant changes to implement sequential order numbering.

B.  

Inquire with management if the system has been configured and tested to generate sequential order numbers.

C.  

Inspect the system settings and transaction logs to determine if sequential order numbers are generated.

D.  

Examine a sample of system generated purchase orders obtained from management

Discussion 0
Questions 100

An IS auditor plans to review all access attempts to a video-monitored and proximity card-controlled communications room. Which of the following would be MOST useful to the auditor?

Options:

A.  

Manual sign-in and sign-out log

B.  

System electronic log

C.  

Alarm system with CCTV

D.  

Security incident log

Discussion 0
Questions 101

A credit card company has decided to outsource the printing of customer statements It Is MOST important for the company to verify whether:

Options:

A.  

the provider has alternate service locations.

B.  

the contract includes compensation for deficient service levels.

C.  

the provider's information security controls are aligned with the company's.

D.  

the provider adheres to the company's data retention policies.

Discussion 0
Questions 102

Which of the following should an IS auditor expect to see in a network vulnerability assessment?

Options:

A.  

Misconfiguration and missing updates

B.  

Malicious software and spyware

C.  

Zero-day vulnerabilities

D.  

Security design flaws

Discussion 0
Questions 103

An IS auditor reviewing the threat assessment tor a data center would be MOST concerned if:

Options:

A.  

some of the identified throats are unlikely to occur.

B.  

all identified throats relate to external entities.

C.  

the exercise was completed by local management.

D.  

neighboring organizations operations have been included.

Discussion 0
Questions 104

Which of the following security measures will reduce the risk of propagation when a cyberattack occurs?

Options:

A.  

Perimeter firewall

B.  

Data loss prevention (DLP) system

C.  

Web application firewall

D.  

Network segmentation

Discussion 0
Questions 105

An IS auditor finds that application servers had inconsistent security settings leading to potential vulnerabilities. Which of the following is the BEST recommendation by the IS auditor?

Options:

A.  

Improve the change management process

B.  

Establish security metrics.

C.  

Perform a penetration test

D.  

Perform a configuration review

Discussion 0
Questions 106

An IS auditor notes that the previous year's disaster recovery test was not completed within the scheduled time frame due to insufficient hardware allocated by a third-party vendor. Which of the following provides the BEST evidence that adequate resources are now allocated to successfully recover the systems?

Options:

A.  

Service level agreement (SLA)

B.  

Hardware change management policy

C.  

Vendor memo indicating problem correction

D.  

An up-to-date RACI chart

Discussion 0
Questions 107

A review of Internet security disclosed that users have individual user accounts with Internet service providers (ISPs) and use these accounts for downloading business data. The organization wants to ensure that only the corporate network is used. The organization should FIRST:

Options:

A.  

use a proxy server to filter out Internet sites that should not be accessed.

B.  

keep a manual log of Internet access.

C.  

monitor remote access activities.

D.  

include a statement in its security policy about Internet use.

Discussion 0
Questions 108

Which of the following is MOST critical for the effective implementation of IT governance?

Options:

A.  

Strong risk management practices

B.  

Internal auditor commitment

C.  

Supportive corporate culture

D.  

Documented policies

Discussion 0
Questions 109

Which of the following is the MOST effective way for an organization to help ensure agreed-upon action plans from an IS audit will be implemented?

Options:

A.  

Ensure sufficient audit resources are allocated,

B.  

Communicate audit results organization-wide.

C.  

Ensure ownership is assigned.

D.  

Test corrective actions upon completion.

Discussion 0
Questions 110

Which of the following IT service management activities is MOST likely to help with identifying the root cause of repeated instances of network latency?

Options:

A.  

Change management

B.  

Problem management

C.  

incident management

D.  

Configuration management

Discussion 0
Questions 111

An IS auditor has completed the fieldwork phase of a network security review and is preparing the initial following findings should be ranked as the HIGHEST risk?

Options:

A.  

Network penetration tests are not performed

B.  

The network firewall policy has not been approved by the information security officer.

C.  

Network firewall rules have not been documented.

D.  

The network device inventory is incomplete.

Discussion 0
Questions 112

What is the GREATEST concern for an IS auditor reviewing contracts for licensed software that executes a critical business process?

Options:

A.  

The contract does not contain a right-to-audit clause.

B.  

An operational level agreement (OLA) was not negotiated.

C.  

Several vendor deliverables missed the commitment date.

D.  

Software escrow was not negotiated.

Discussion 0
Questions 113

Which of the following is MOST important to ensure that electronic evidence collected during a forensic investigation will be admissible in future legal proceedings?

Options:

A.  

Restricting evidence access to professionally certified forensic investigators

B.  

Documenting evidence handling by personnel throughout the forensic investigation

C.  

Performing investigative procedures on the original hard drives rather than images of the hard drives

D.  

Engaging an independent third party to perform the forensic investigation

Discussion 0
Questions 114

A company has implemented an IT segregation of duties policy. In a role-based environment, which of the following roles may be assigned to an application developer?

Options:

A.  

IT operator

B.  

System administration

C.  

Emergency support

D.  

Database administration

Discussion 0
Questions 115

Which of the following is MOST important for an IS auditor to confirm when reviewing an organization's plans to implement robotic process automation (RPA> to automate routine business tasks?

Options:

A.  

The end-to-end process is understood and documented.

B.  

Roles and responsibilities are defined for the business processes in scope.

C.  

A benchmarking exercise of industry peers who use RPA has been completed.

D.  

A request for proposal (RFP) has been issued to qualified vendors.

Discussion 0
Questions 116

Which of the following is the MOST efficient way to identify segregation of duties violations in a new system?

Options:

A.  

Review a report of security rights in the system.

B.  

Observe the performance of business processes.

C.  

Develop a process to identify authorization conflicts.

D.  

Examine recent system access rights violations.

Discussion 0
Questions 117

Which of the following would BEST ensure that a backup copy is available for restoration of mission critical data after a disaster''

Options:

A.  

Use an electronic vault for incremental backups

B.  

Deploy a fully automated backup maintenance system.

C.  

Periodically test backups stored in a remote location

D.  

Use both tape and disk backup systems

Discussion 0
Questions 118

Which of the following is the BEST evidence that an organization's IT strategy is aligned lo its business objectives?

Options:

A.  

The IT strategy is modified in response to organizational change.

B.  

The IT strategy is approved by executive management.

C.  

The IT strategy is based on IT operational best practices.

D.  

The IT strategy has significant impact on the business strategy

Discussion 0
Questions 119

During audit framework. an IS auditor teams that employees are allowed to connect their personal devices to company-owned computers. How can the auditor BEST validate that appropriate security controls are in place to prevent data loss?

Options:

A.  

Conduct a walk-through to view results of an employee plugging in a device to transfer confidential data.

B.  

Review compliance with data loss and applicable mobile device user acceptance policies.

C.  

Verify the data loss prevention (DLP) tool is properly configured by the organization.

D.  

Verify employees have received appropriate mobile device security awareness training.

Discussion 0
Questions 120

Which of the following would be of GREATEST concern when reviewing an organization's security information and event management (SIEM) solution?

Options:

A.  

SIEM reporting is customized.

B.  

SIEM configuration is reviewed annually

C.  

The SIEM is decentralized.

D.  

SIEM reporting is ad hoc.

Discussion 0
Questions 121

Which of the following should be the FIRST step in the incident response process for a suspected breach?

Options:

A.  

Inform potentially affected customers of the security breach

B.  

Notify business management of the security breach.

C.  

Research the validity of the alerted breach

D.  

Engage a third party to independently evaluate the alerted breach.

Discussion 0
Questions 122

Which of the following is MOST important for an IS auditor to look

for in a project feasibility study?

Options:

A.  

An assessment of whether requirements will be fully met

B.  

An assessment indicating security controls will operate

effectively

C.  

An assessment of whether the expected benefits can be

achieved

D.  

An assessment indicating the benefits will exceed the implement

Discussion 0
Questions 123

Which of the following is the BEST method to safeguard data on an organization's laptop computers?

Options:

A.  

Disabled USB ports

B.  

Full disk encryption

C.  

Biometric access control

D.  

Two-factor authentication

Discussion 0
Questions 124

Which of the following is the BEST detective control for a job scheduling process involving data transmission?

Options:

A.  

Metrics denoting the volume of monthly job failures are reported and reviewed by senior management.

B.  

Jobs are scheduled to be completed daily and data is transmitted using a Secure File Transfer Protocol (SFTP).

C.  

Jobs are scheduled and a log of this activity is retained for subsequent review.

D.  

Job failure alerts are automatically generated and routed to support personnel.

Discussion 0
Questions 125

Which of the following is MOST important to ensure when planning a black box penetration test?

Options:

A.  

The management of the client organization is aware of the testing.

B.  

The test results will be documented and communicated to management.

C.  

The environment and penetration test scope have been determined.

D.  

Diagrams of the organization's network architecture are available.

Discussion 0
Questions 126

Documentation of workaround processes to keep a business function operational during recovery of IT systems is a core part of a:

Options:

A.  

business impact analysis (BIA).

B.  

threat and risk assessment.

C.  

business continuity plan (BCP).

D.  

disaster recovery plan (DRP).

Discussion 0
Questions 127

Which of the following is the MOST effective way to maintain network integrity when using mobile devices?

Options:

A.  

Implement network access control.

B.  

Implement outbound firewall rules.

C.  

Perform network reviews.

D.  

Review access control lists.

Discussion 0
Questions 128

During a review of a production schedule, an IS auditor observes that a staff member is not complying with mandatory operational procedures. The auditor's NEXT step should be to:

Options:

A.  

note the noncompliance in the audit working papers.

B.  

issue an audit memorandum identifying the noncompliance.

C.  

include the noncompliance in the audit report.

D.  

determine why the procedures were not followed.

Discussion 0
Questions 129

Which of the following provides the MOST reliable audit evidence on the validity of transactions in a financial application?

Options:

A.  

Walk-through reviews

B.  

Substantive testing

C.  

Compliance testing

D.  

Design documentation reviews

Discussion 0
Questions 130

A data breach has occurred due lo malware. Which of the following should be the FIRST course of action?

Options:

A.  

Notify the cyber insurance company.

B.  

Shut down the affected systems.

C.  

Quarantine the impacted systems.

D.  

Notify customers of the breach.

Discussion 0
Questions 131

Which of the following would MOST likely impair the independence of the IS auditor when performing a post-implementation review of an application system?

Options:

A.  

The IS auditor provided consulting advice concerning application system best practices.

B.  

The IS auditor participated as a member of the application system project team, but did not have operational responsibilities.

C.  

The IS auditor designed an embedded audit module exclusively for auditing the application system.

D.  

The IS auditor implemented a specific control during the development of the application system.

Discussion 0
Questions 132

An organizations audit charier PRIMARILY:

Options:

A.  

describes the auditors' authority to conduct audits.

B.  

defines the auditors' code of conduct.

C.  

formally records the annual and quarterly audit plans.

D.  

documents the audit process and reporting standards.

Discussion 0
Questions 133

An IS auditor finds the log management system is overwhelmed with false positive alerts. The auditor's BEST recommendation would be to:

Options:

A.  

establish criteria for reviewing alerts.

B.  

recruit more monitoring personnel.

C.  

reduce the firewall rules.

D.  

fine tune the intrusion detection system (IDS).

Discussion 0
Questions 134

An organization's security policy mandates that all new employees must receive appropriate security awareness training. Which of the following metrics would BEST assure compliance with this policy?

Options:

A.  

Percentage of new hires that have completed the training.

B.  

Number of new hires who have violated enterprise security policies.

C.  

Number of reported incidents by new hires.

D.  

Percentage of new hires who report incidents

Discussion 0
Questions 135

The decision to accept an IT control risk related to data quality should be the responsibility of the:

Options:

A.  

information security team.

B.  

IS audit manager.

C.  

chief information officer (CIO).

D.  

business owner.

Discussion 0
Questions 136

Secure code reviews as part of a continuous deployment program are which type of control?

Options:

A.  

Detective

B.  

Logical

C.  

Preventive

D.  

Corrective

Discussion 0
Questions 137

An organization has outsourced its data processing function to a service provider. Which of the following would BEST determine whether the service provider continues to meet the organization s objectives?

Options:

A.  

Assessment of the personnel training processes of the provider

B.  

Adequacy of the service provider's insurance

C.  

Review of performance against service level agreements (SLAs)

D.  

Periodic audits of controls by an independent auditor

Discussion 0
Questions 138

Prior to a follow-up engagement, an IS auditor learns that management has decided to accept a level of residual risk related to an audit finding without remediation. The IS auditor is concerned about management's decision. Which of the following should be the IS auditor's NEXT course of action?

Options:

A.  

Accept management's decision and continue the follow-up.

B.  

Report the issue to IS audit management.

C.  

Report the disagreement to the board.

D.  

Present the issue to executive management.

Discussion 0
Questions 139

From an IS auditor's perspective, which of the following would be the GREATEST risk associated with an incomplete inventory of deployed software in an organization?

Options:

A.  

Inability to close unused ports on critical servers

B.  

Inability to identify unused licenses within the organization

C.  

Inability to deploy updated security patches

D.  

Inability to determine the cost of deployed software

Discussion 0
Questions 140

A system administrator recently informed the IS auditor about the occurrence of several unsuccessful intrusion attempts from outside the organization. Which of the following is MOST effective in detecting such an intrusion?

Options:

A.  

Periodically reviewing log files

B.  

Configuring the router as a firewall

C.  

Using smart cards with one-time passwords

D.  

Installing biometrics-based authentication

Discussion 0
Questions 141

Which of the following would BEST demonstrate that an effective disaster recovery plan (DRP) is in place?

Options:

A.  

Frequent testing of backups

B.  

Annual walk-through testing

C.  

Periodic risk assessment

D.  

Full operational test

Discussion 0
Questions 142

During an incident management audit, an IS auditor finds that several similar incidents were logged during the audit period. Which of the following is the auditor's MOST important course of action?

Options:

A.  

Document the finding and present it to management.

B.  

Determine if a root cause analysis was conducted.

C.  

Confirm the resolution time of the incidents.

D.  

Validate whether all incidents have been actioned.

Discussion 0
Questions 143

A system development project is experiencing delays due to ongoing staff shortages. Which of the following strategies would provide the GREATEST assurance of system quality at implementation?

Options:

A.  

Implement overtime pay and bonuses for all development staff.

B.  

Utilize new system development tools to improve productivity.

C.  

Recruit IS staff to expedite system development.

D.  

Deliver only the core functionality on the initial target date.

Discussion 0
Questions 144

An online retailer is receiving customer complaints about receiving different items from what they ordered on the organization's website. The root cause has been traced to poor data quality. Despite efforts to clean erroneous data from the system, multiple data quality issues continue to occur. Which of the following recommendations would be the BEST way to reduce the likelihood of future occurrences?

Options:

A.  

Assign responsibility for improving data quality.

B.  

Invest in additional employee training for data entry.

C.  

Outsource data cleansing activities to reliable third parties.

D.  

Implement business rules to validate employee data entry.

Discussion 0
Questions 145

Which of the following data would be used when performing a business impact analysis (BIA)?

Options:

A.  

Projected impact of current business on future business

B.  

Cost-benefit analysis of running the current business

C.  

Cost of regulatory compliance

D.  

Expected costs for recovering the business

Discussion 0
Questions 146

Which of the following is the BEST method to prevent wire transfer fraud by bank employees?

Options:

A.  

Independent reconciliation

B.  

Re-keying of wire dollar amounts

C.  

Two-factor authentication control

D.  

System-enforced dual control

Discussion 0
Questions 147

Which of the following is the MOST important reason to implement version control for an end-user computing (EUC) application?

Options:

A.  

To ensure that older versions are availability for reference

B.  

To ensure that only the latest approved version of the application is used

C.  

To ensure compatibility different versions of the application

D.  

To ensure that only authorized users can access the application

Discussion 0
Questions 148

During the evaluation of controls over a major application development project, the MOST effective use of an IS auditor's time would be to review and evaluate:

Options:

A.  

application test cases.

B.  

acceptance testing.

C.  

cost-benefit analysis.

D.  

project plans.

Discussion 0
Questions 149

Which of the following is MOST useful for determining whether the goals of IT are aligned with the organization's goals?

Options:

A.  

Balanced scorecard

B.  

Enterprise dashboard

C.  

Enterprise architecture (EA)

D.  

Key performance indicators (KPIs)

Discussion 0
Questions 150

An IS auditor is evaluating an organization's IT strategy and plans. Which of the following would be of GREATEST concern?

Options:

A.  

There is not a defined IT security policy.

B.  

The business strategy meeting minutes are not distributed.

C.  

IT is not engaged in business strategic planning.

D.  

There is inadequate documentation of IT strategic planning.

Discussion 0
Questions 151

During the design phase of a software development project, the PRIMARY responsibility of an IS auditor is to evaluate the:

Options:

A.  

Future compatibility of the application.

B.  

Proposed functionality of the application.

C.  

Controls incorporated into the system specifications.

D.  

Development methodology employed.

Discussion 0
Questions 152

An IS auditor has been asked to assess the security of a recently migrated database system that contains personal and financial data for a bank's customers. Which of the following controls is MOST important for the auditor to confirm is in place?

Options:

A.  

The default configurations have been changed.

B.  

All tables in the database are normalized.

C.  

The service port used by the database server has been changed.

D.  

The default administration account is used after changing the account password.

Discussion 0
Questions 153

Which of the following should be the MOST important consideration when conducting a review of IT portfolio management?

Options:

A.  

Assignment of responsibility for each project to an IT team member

B.  

Adherence to best practice and industry approved methodologies

C.  

Controls to minimize risk and maximize value for the IT portfolio

D.  

Frequency of meetings where the business discusses the IT portfolio

Discussion 0
Questions 154

An IS auditor discovers an option in a database that allows the administrator to directly modify any table. This option is necessary to overcome bugs in the software, but is rarely used. Changes to tables are automatically logged. The IS auditor's FIRST action should be to:

Options:

A.  

recommend that the option to directly modify the database be removed immediately.

B.  

recommend that the system require two persons to be involved in modifying the database.

C.  

determine whether the log of changes to the tables is backed up.

D.  

determine whether the audit trail is secured and reviewed.

Discussion 0
Questions 155

An IS auditor finds that firewalls are outdated and not supported by vendors. Which of the following should be the auditor's NEXT course of action?

Options:

A.  

Report the mitigating controls.

B.  

Report the security posture of the organization.

C.  

Determine the value of the firewall.

D.  

Determine the risk of not replacing the firewall.

Discussion 0
Questions 156

An incorrect version of the source code was amended by a development team. This MOST likely indicates a weakness in:

Options:

A.  

incident management.

B.  

quality assurance (QA).

C.  

change management.

D.  

project management.

Discussion 0
Questions 157

An organization allows employees to retain confidential data on personal mobile devices. Which of the following is the BEST recommendation to mitigate the risk of data leakage from lost or stolen devices?

Options:

A.  

Require employees to attend security awareness training.

B.  

Password protect critical data files.

C.  

Configure to auto-wipe after multiple failed access attempts.

D.  

Enable device auto-lock function.

Discussion 0
Questions 158

Which of the following is the PRIMARY concern when negotiating a contract for a hot site?

Options:

A.  

Availability of the site in the event of multiple disaster declarations

B.  

Coordination with the site staff in the event of multiple disaster declarations

C.  

Reciprocal agreements with other organizations

D.  

Complete testing of the recovery plan

Discussion 0
Questions 159

The PRIMARY benefit lo using a dry-pipe fire-suppression system rather than a wet-pipe system is that a dry-pipe system:

Options:

A.  

is more effective at suppressing flames.

B.  

allows more time to abort release of the suppressant.

C.  

has a decreased risk of leakage.

D.  

disperses dry chemical suppressants exclusively.

Discussion 0
Questions 160

Which of the following BEST ensures the quality and integrity of test procedures used in audit analytics?

Options:

A.  

Developing and communicating test procedure best practices to audit teams

B.  

Developing and implementing an audit data repository

C.  

Decentralizing procedures and Implementing periodic peer review

D.  

Centralizing procedures and implementing change control

Discussion 0
Questions 161

An IS auditor is examining a front-end subledger and a main ledger. Which of the following would be the GREATEST concern if there are flaws in the mapping of accounts between the two systems?

Options:

A.  

Double-posting of a single journal entry

B.  

Inability to support new business transactions

C.  

Unauthorized alteration of account attributes

D.  

Inaccuracy of financial reporting

Discussion 0
Questions 162

Which of the following is the BEST way to mitigate the impact of ransomware attacks?

Options:

A.  

Invoking the disaster recovery plan (DRP)

B.  

Backing up data frequently

C.  

Paying the ransom

D.  

Requiring password changes for administrative accounts

Discussion 0
Questions 163

The PRIMARY advantage of object-oriented technology is enhanced:

Options:

A.  

efficiency due to the re-use of elements of logic.

B.  

management of sequential program execution for data access.

C.  

grouping of objects into methods for data access.

D.  

management of a restricted variety of data types for a data object.

Discussion 0
Questions 164

An IS auditor found that a company executive is encouraging employee use of social networking sites for business purposes. Which of the following recommendations would BEST help to reduce the risk of data leakage?

Options:

A.  

Requiring policy acknowledgment and nondisclosure agreements (NDAs) signed by employees

B.  

Establishing strong access controls on confidential data

C.  

Providing education and guidelines to employees on use of social networking sites

D.  

Monitoring employees' social networking usage

Discussion 0
Questions 165

Which of the following should be an IS auditor's GREATEST consideration when scheduling follow-up activities for agreed-upon management responses to remediate audit observations?

Options:

A.  

Business interruption due to remediation

B.  

IT budgeting constraints

C.  

Availability of responsible IT personnel

D.  

Risk rating of original findings

Discussion 0
Questions 166

The implementation of an IT governance framework requires that the board of directors of an organization:

Options:

A.  

Address technical IT issues.

B.  

Be informed of all IT initiatives.

C.  

Have an IT strategy committee.

D.  

Approve the IT strategy.

Discussion 0
Questions 167

During an ongoing audit, management requests a briefing on the findings to date. Which of the following is the IS auditor's BEST course of action?

Options:

A.  

Review working papers with the auditee.

B.  

Request the auditee provide management responses.

C.  

Request management wait until a final report is ready for discussion.

D.  

Present observations for discussion only.

Discussion 0
Questions 168

To confirm integrity for a hashed message, the receiver should use:

Options:

A.  

the same hashing algorithm as the sender's to create a binary image of the file.

B.  

a different hashing algorithm from the sender's to create a binary image of the file.

C.  

the same hashing algorithm as the sender's to create a numerical representation of the file.

D.  

a different hashing algorithm from the sender's to create a numerical representation of the file.

Discussion 0
Questions 169

A proper audit trail of changes to server start-up procedures would include evidence of:

Options:

A.  

subsystem structure.

B.  

program execution.

C.  

security control options.

D.  

operator overrides.

Discussion 0
Questions 170

What should be the PRIMARY basis for selecting which IS audits to perform in the coming year?

Options:

A.  

Senior management's request

B.  

Prior year's audit findings

C.  

Organizational risk assessment

D.  

Previous audit coverage and scope

Discussion 0
Questions 171

What is BEST for an IS auditor to review when assessing the effectiveness of changes recently made to processes and tools related to an organization's business continuity plan (BCP)?

Options:

A.  

Full test results

B.  

Completed test plans

C.  

Updated inventory of systems

D.  

Change management processes

Discussion 0
Questions 172

Which of the following should be the PRIMARY basis for prioritizing follow-up audits?

Options:

A.  

Audit cycle defined in the audit plan

B.  

Complexity of management's action plans

C.  

Recommendation from executive management

D.  

Residual risk from the findings of previous audits

Discussion 0
Questions 173

Which of the following demonstrates the use of data analytics for a loan origination process?

Options:

A.  

Evaluating whether loan records are included in the batch file and are validated by the servicing system

B.  

Comparing a population of loans input in the origination system to loans booked on the servicing system

C.  

Validating whether reconciliations between the two systems are performed and discrepancies are investigated

D.  

Reviewing error handling controls to notify appropriate personnel in the event of a transmission failure

Discussion 0
Questions 174

An IS auditor wants to determine who has oversight of staff performing a specific task and is referencing the organization's RACI chart. Which of the following roles within the chart would provide this information?

Options:

A.  

Consulted

B.  

Informed

C.  

Responsible

D.  

Accountable

Discussion 0
Questions 175

In a 24/7 processing environment, a database contains several privileged application accounts with passwords set to never expire. Which of the following recommendations would BEST address the risk with minimal disruption to the business?

Options:

A.  

Modify applications to no longer require direct access to the database.

B.  

Introduce database access monitoring into the environment

C.  

Modify the access management policy to make allowances for application accounts.

D.  

Schedule downtime to implement password changes.

Discussion 0
Questions 176

Which of the following should be an IS auditor's PRIMARY focus when developing a risk-based IS audit program?

Options:

A.  

Portfolio management

B.  

Business plans

C.  

Business processes

D.  

IT strategic plans

Discussion 0
Questions 177

Which of the following is the BEST way to address segregation of duties issues in an organization with budget constraints?

Options:

A.  

Rotate job duties periodically.

B.  

Perform an independent audit.

C.  

Hire temporary staff.

D.  

Implement compensating controls.

Discussion 0
Questions 178

An organization's software developers need access to personally identifiable information (Pll) stored in a particular data format. Which of the following is the BEST way to protect this sensitive information while allowing the developers to use it in development and test environments?

Options:

A.  

Data masking

B.  

Data tokenization

C.  

Data encryption

D.  

Data abstraction

Discussion 0
Questions 179

Which of the following is the MOST important benefit of involving IS audit when implementing governance of enterprise IT?

Options:

A.  

Identifying relevant roles for an enterprise IT governance framework

B.  

Making decisions regarding risk response and monitoring of residual risk

C.  

Verifying that legal, regulatory, and contractual requirements are being met

D.  

Providing independent and objective feedback to facilitate improvement of IT processes

Discussion 0
Questions 180

An IS auditor is following up on prior period items and finds management did not address an audit finding. Which of the following should be the IS auditor's NEXT course of action?

Options:

A.  

Note the exception in a new report as the item was not addressed by management.

B.  

Recommend alternative solutions to address the repeat finding.

C.  

Conduct a risk assessment of the repeat finding.

D.  

Interview management to determine why the finding was not addressed.

Discussion 0
Questions 181

Malicious program code was found in an application and corrected prior to release into production. After the release, the same issue was reported. Which of the following is the IS auditor's BEST recommendation?

Options:

A.  

Ensure corrected program code is compiled in a dedicated server.

B.  

Ensure change management reports are independently reviewed.

C.  

Ensure programmers cannot access code after the completion of program edits.

D.  

Ensure the business signs off on end-to-end user acceptance test (UAT) results.

Discussion 0
Questions 182

During a disaster recovery audit, an IS auditor finds that a business impact analysis (BIA) has not been performed. The auditor should FIRST

Options:

A.  

perform a business impact analysis (BIA).

B.  

issue an intermediate report to management.

C.  

evaluate the impact on current disaster recovery capability.

D.  

conduct additional compliance testing.

Discussion 0
Questions 183

During an external review, an IS auditor observes an inconsistent approach in classifying system criticality within the organization. Which of the following should be recommended as the PRIMARY factor to determine system criticality?

Options:

A.  

Key performance indicators (KPIs)

B.  

Maximum allowable downtime (MAD)

C.  

Recovery point objective (RPO)

D.  

Mean time to restore (MTTR)

Discussion 0
Questions 184

Which of the following is a social engineering attack method?

Options:

A.  

An unauthorized person attempts to gam access to secure premises by following an authonzed person through a secure door.

B.  

An employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone.

C.  

A hacker walks around an office building using scanning tools to search for a wireless network to gain access.

D.  

An intruder eavesdrops and collects sensitive information flowing through the network and sells it to third parties.

Discussion 0
Questions 185

An IS auditor discovers that validation controls m a web application have been moved from the server side into the browser to boost performance This would MOST likely increase the risk of a successful attack by.

Options:

A.  

phishing.

B.  

denial of service (DoS)

C.  

structured query language (SQL) injection

D.  

buffer overflow

Discussion 0
Questions 186

When auditing the security architecture of an online application, an IS auditor should FIRST review the:

Options:

A.  

firewall standards.

B.  

configuration of the firewall

C.  

firmware version of the firewall

D.  

location of the firewall within the network

Discussion 0
Questions 187

Management is concerned about sensitive information being intentionally or unintentionally emailed as attachments outside the organization by employees. What is the MOST important task before implementing any associated email controls?

Options:

A.  

Require all employees to sign nondisclosure agreements (NDAs).

B.  

Develop an acceptable use policy for end-user computing (EUC).

C.  

Develop an information classification scheme.

D.  

Provide notification to employees about possible email monitoring.

Discussion 0
Questions 188

Which of the following would be to MOST concern when determine if information assets are adequately safequately safeguarded during transport and disposal?

Options:

A.  

Lack of appropriate labelling

B.  

Lack of recent awareness training.

C.  

Lack of password protection

D.  

Lack of appropriate data classification

Discussion 0
Questions 189

When evaluating the design of controls related to network monitoring, which of the following is MOST important for an IS auditor to review?

Options:

A.  

Incident monitoring togs

B.  

The ISP service level agreement

C.  

Reports of network traffic analysis

D.  

Network topology diagrams

Discussion 0
Questions 190

An organization plans to receive an automated data feed into its enterprise data warehouse from a third-party service provider. Which of the following would be the BEST way to prevent accepting bad data?

Options:

A.  

Obtain error codes indicating failed data feeds.

B.  

Appoint data quality champions across the organization.

C.  

Purchase data cleansing tools from a reputable vendor.

D.  

Implement business rules to reject invalid data.

Discussion 0
Questions 191

During the implementation of an upgraded enterprise resource planning (ERP) system, which of the following is the MOST important consideration for a go-live decision?

Options:

A.  

Rollback strategy

B.  

Test cases

C.  

Post-implementation review objectives

D.  

Business case

Discussion 0
Questions 192

Which of the following will be the MOST effective method to verify that a service vendor keeps control levels as required by the client?

Options:

A.  

Conduct periodic on-site assessments using agreed-upon criteria.

B.  

Periodically review the service level agreement (SLA) with the vendor.

C.  

Conduct an unannounced vulnerability assessment of vendor's IT systems.

D.  

Obtain evidence of the vendor's control self-assessment (CSA).

Discussion 0
Questions 193

Which of the following management decisions presents the GREATEST risk associated with data leakage?

Options:

A.  

There is no requirement for desktops to be encrypted

B.  

Staff are allowed to work remotely

C.  

Security awareness training is not provided to staff

D.  

Security policies have not been updated in the past year

Discussion 0
Questions 194

Which of the following should be the FIRST step in a data migration project?

Options:

A.  

Reviewing decisions on how business processes should be conducted in the new system

B.  

Completing data cleanup in the current database to eliminate inconsistencies

C.  

Understanding the new system's data structure

D.  

Creating data conversion scripts

Discussion 0
Questions 195

An IS auditor is concerned that unauthorized access to a highly sensitive data center might be gained by piggybacking or tailgating. Which of the following is the BEST recommendation? (Choose Correct answer and give explanation from CISA Certification - Information Systems Auditor official book)

Options:

A.  

Biometrics

B.  

Procedures for escorting visitors

C.  

Airlock entrance

D.  

Intruder alarms

Discussion 0
Questions 196

An IS auditor requests direct access to data required to perform audit procedures instead of asking management to provide the data Which of the following is the PRIMARY advantage of this approach?

Options:

A.  

Audit transparency

B.  

Data confidentiality

C.  

Professionalism

D.  

Audit efficiency

Discussion 0
Questions 197

Which of the following presents the GREATEST risk to an organization's ability to manage quality control (QC) processes?

Options:

A.  

Lack of segregation of duties

B.  

Lack of a dedicated QC function

C.  

Lack of policies and procedures

D.  

Lack of formal training and attestation

Discussion 0
Questions 198

An organization is concerned about duplicate vendor payments on a complex system with a high volume of transactions. Which of the following would be MOST helpful to an IS auditor to determine whether duplicate vendor payments exist?

Options:

A.  

Computer-assisted technique

B.  

Stratified sampling

C.  

Statistical sampling

D.  

Process walk-through

Discussion 0
Questions 199

An IS auditor discovers that due to resource constraints a database administrator (DBA) is responsible for developing and executing changes into the production environment Which ot the following should the auditor do FIRSTS

Options:

A.  

Determine whether another DBA could make the changes

B.  

Report a potential segregation of duties violation

C.  

identify whether any compensating controls exist

D.  

Ensure a change management process is followed prior to implementation

Discussion 0
Questions 200

Capacity management tools are PRIMARILY used to ensure that:

Options:

A.  

available resources are used efficiently and effectively

B.  

computer systems are used to their maximum capacity most of the time

C.  

concurrent use by a large number of users is enabled

D.  

proposed hardware acquisitions meet capacity requirements

Discussion 0
Questions 201

Which of the following is MOST important to define within a disaster recovery plan (DRP)?

Options:

A.  

Business continuity plan (BCP)

B.  

Test results for backup data restoration

C.  

A comprehensive list of disaster recovery scenarios and priorities

D.  

Roles and responsibilities for recovery team members

Discussion 0
Questions 202

An IS auditor evaluating the change management process must select a sample from the change log. What is the BEST way to the auditor to confirm the change log is complete?

Options:

A.  

Interview change management personnel about completeness.

B.  

Take an item from the log and trace it back to the system.

C.  

Obtain management attestation of completeness.

D.  

Take the last change from the system and trace it back to the log.

Discussion 0
Questions 203

A new system development project is running late against a critical implementation deadline Which of the following is the MOST important activity?

Options:

A.  

Document last-minute enhancements

B.  

Perform a pre-implementation audit

C.  

Perform user acceptance testing (UAT)

D.  

Ensure that code has been reviewed

Discussion 0
Questions 204

The use of which of the following is an inherent risk in the application container infrastructure?

Options:

A.  

Shared registries

B.  

Host operating system

C.  

Shared data

D.  

Shared kernel

Discussion 0
Questions 205

Which of the following findings from a database security audit presents the GREATEST risk of critical security exposures?

Options:

A.  

Legacy data has not been purged.

B.  

Admin account passwords are not set to expire.

C.  

Default settings have not been changed.

D.  

Database activity logging is not complete.

Discussion 0
Questions 206

Which of the following controls is MOST important for ensuring the integrity of system interfaces?

Options:

A.  

Periodic audits

B.  

File counts

C.  

File checksums

D.  

IT operator monitoring

Discussion 0
Questions 207

Which of the following is the BEST reason for an IS auditor to emphasize to management the importance of using an IT governance framework?

Options:

A.  

Frameworks enable IT benchmarks against competitors

B.  

Frameworks can be tailored and optimized for different organizations

C.  

Frameworks help facilitate control self-assessments (CSAs)

D.  

Frameworks help organizations understand and manage IT risk

Discussion 0
Questions 208

Which of the following is the BEST way to ensure an organization's data classification policies are preserved during the process of data transformation?

Options:

A.  

Map data classification controls to data sets.

B.  

Control access to extract, transform, and load (ETL) tools.

C.  

Conduct a data discovery exercise across all business applications.

D.  

Implement classification labels in metadata during data creation.

Discussion 0
Questions 209

An organization is disposing of removable onsite media which contains sensitive information. Which of the following is the MOST effective method to prevent disclosure of sensitive data?

Options:

A.  

Encrypting and destroying keys

B.  

Machine shredding

C.  

Software formatting

D.  

Wiping and rewriting three times

Discussion 0
Questions 210

What is the PRIMARY reason for an organization to classify the data stored on its internal networks?

Options:

A.  

To determine data retention policy

B.  

To implement data protection requirements

C.  

To comply with the organization's data policies

D.  

To follow industry best practices

Discussion 0
Questions 211

An IT governance body wants to determine whether IT service delivery is based on consistently effective processes. Which of the following is the BEST approach?

Options:

A.  

implement a control self-assessment (CSA)

B.  

Conduct a gap analysis

C.  

Develop a maturity model

D.  

Evaluate key performance indicators (KPIs)

Discussion 0
Questions 212

An IS auditor discovers from patch logs that some in-scope systems are not compliant with the regular patching schedule. What should the auditor do NEXT?

Options:

A.  

Interview IT management to clarify the current procedure.

B.  

Report this finding to senior management.

C.  

Review the organization's patch management policy.

D.  

Request a plan of action to be established as a follow-up item.

Discussion 0
Questions 213

A national tax administration agency with a distributed network experiences service disruptions due to a large influx of traffic to a regional office near the end of each year. Which of the following would BEST enable the agency to improve the performance of its servers during the busy period?

Options:

A.  

Virtual firewall

B.  

Proxy server

C.  

Load balancer

D.  

Virtual private network (VPN)

Discussion 0
Questions 214

The FIRST step in an incident response plan is to:

Options:

A.  

validate the incident.

B.  

notify the head of the IT department.

C.  

isolate systems impacted by the incident.

D.  

initiate root cause analysis.

Discussion 0
Questions 215

When testing the accuracy of transaction data, which of the following situations BEST justifies the use of a smaller sample size?

Options:

A.  

The IS audit staff has a high level of experience.

B.  

It is expected that the population is error-free.

C.  

Proper segregation of duties is in place.

D.  

The data can be directly changed by users.

Discussion 0
Questions 216

Which of following is MOST important to determine when conducting a post-implementation review?

Options:

A.  

Whether the solution architecture compiles with IT standards

B.  

Whether success criteria have been achieved

C.  

Whether the project has been delivered within the approved budget

D.  

Whether lessons teamed have been documented

Discussion 0
Questions 217

Which of the following is the MOST important reason for an IS auditor to examine the results of a post-incident review performed after a security incident?

Options:

A.  

To evaluate the effectiveness of continuous improvement efforts

B.  

To compare incident response metrics with industry benchmarks

C.  

To re-analyze the incident to identify any hidden backdoors planted by the attacker

D.  

To evaluate the effectiveness of the network firewall against future security breaches

Discussion 0
Questions 218

An IS auditor identifies that a legacy application to be decommissioned in three months cannot meet the security requirements established by the current policy. What is the BEST way (or the auditor to address this issue?

Options:

A.  

Recommend the application be patched to meet requirements.

B.  

Inform the IT director of the policy noncompliance.

C.  

Verify management has approved a policy exception to accept the risk.

D.  

Take no action since the application will be decommissioned in three months.

Discussion 0
Questions 219

An internal audit team is deciding whether to use an audit management application hosted by a third party in a different country.

What should be the MOST important consideration related to the uploading of payroll audit documentation in the hosted

application?

Options:

A.  

Financial regulations affecting the organization

B.  

Data center physical access controls whore the application is hosted

C.  

Privacy regulations affecting the organization

D.  

Per-unit cost charged by the hosting services provider for storage

Discussion 0
Questions 220

A security administrator is called in the middle of the night by the on-call programmer A number of programs have failed, and the programmer has asked for access to the live system. What IS the BEST course of action?

Options:

A.  

Require that a change request be completed and approved

B.  

Give the programmer an emergency ID for temporary access and review the activity

C.  

Give the programmer read-only access to investigate the problem

D.  

Review activity logs the following day and investigate any suspicious activity

Discussion 0
Questions 221

To mitigate the risk of exposing data through application programming interface (API) queries. which of the following design considerations is MOST important?

Options:

A.  

Data retention

B.  

Data minimization

C.  

Data quality

D.  

Data integrity

Discussion 0
Questions 222

Which of the following is the BEST indication of effective IT investment management?

Options:

A.  

IT investments are implemented and monitored following a system development life cycle (SDLC)

B.  

IT investments are mapped to specific business objectives

C.  

Key performance indicators (KPIs) are defined for each business requiring IT Investment

D.  

The IT Investment budget is significantly below industry benchmarks

Discussion 0
Questions 223

If a source code is not recompiled when program changes are implemented, which of the following is a compensating control to ensure synchronization of source and object?

Options:

A.  

Comparison of object and executable code

B.  

Review of audit trail of compile dates

C.  

Comparison of date stamping of source and object code

D.  

Review of developer comments in executable code

Discussion 0
Questions 224

An IS audit reveals that an organization operating in business continuity mode during a pandemic situation has not performed a simulation test of the

business continuity plan (BCP). Which of the following is the auditor's BEST course of action?

Options:

A.  

Confirm the BCP has been recently updated.

B.  

Review the effectiveness of the business response.

C.  

Raise an audit issue for the lack of simulated testing.

D.  

Interview staff members to obtain commentary on the BCP's effectiveness.

Discussion 0
Questions 225

Which of the following responses to risk associated with segregation of duties would incur the LOWEST initial cost?

Options:

A.  

Risk acceptance

B.  

Risk mitigation

C.  

Risk transference

D.  

Risk reduction

Discussion 0
Questions 226

Audit frameworks cart assist the IS audit function by:

Options:

A.  

defining the authority and responsibility of the IS audit function.

B.  

providing details on how to execute the audit program.

C.  

providing direction and information regarding the performance of audits.

D.  

outlining the specific steps needed to complete audits

Discussion 0
Questions 227

Which of the following should be given GREATEST consideration when implementing the use of an open-source product?

Options:

A.  

Support

B.  

Performance

C.  

Confidentiality

D.  

Usability

Discussion 0
Questions 228

Which of the following is the MOST effective control over visitor access to highly secured areas?

Options:

A.  

Visitors are required to be escorted by authorized personnel.

B.  

Visitors are required to use biometric authentication.

C.  

Visitors are monitored online by security cameras

D.  

Visitors are required to enter through dead-man doors.

Discussion 0
Questions 229

When planning a follow-up, the IS auditor is informed by operational management that recent organizational changes have addressed the previously identified risk and implementing the action plan is no longer necessary. What should the auditor do NEXT?

Options:

A.  

Report that the changes make it impractical to determine whether the risks have been addressed.

B.  

Accept management's assertion and report that the risks have been addressed.

C.  

Determine whether the changes have introduced new risks that need to be addressed.

D.  

Review the changes and determine whether the risks have been addressed.

Discussion 0
Questions 230

Which of the following should be of GREATEST concern to an |$ auditor reviewing data conversion and migration during the implementation of a new application system?

Options:

A.  

The change management process was not formally documented

B.  

Backups of the old system and data are not available online

C.  

Unauthorized data modifications occurred during conversion,

D.  

Data conversion was performed using manual processes

Discussion 0
Questions 231

Management has learned the implementation of a new IT system will not be completed on time and has requested an audit. Which of the following audit findings should be of GREATEST concern?

Options:

A.  

The actual start times of some activities were later than originally scheduled.

B.  

Tasks defined on the critical path do not have resources allocated.

C.  

The project manager lacks formal certification.

D.  

Milestones have not been defined for all project products.

Discussion 0
Questions 232

Which of the following is the MOST appropriate testing approach when auditing a daily data flow between two systems via an automated interface to confirm that it is complete and accurate?

Options:

A.  

Confirm that the encryption standard applied to the interface is in line with best practice.

B.  

Inspect interface configurations and an example output of the systems.

C.  

Perform data reconciliation between the two systems for a sample of 25 days.

D.  

Conduct code review for both systems and inspect design documentation.

Discussion 0
Questions 233

An IS auditor is performing a follow-up audit for findings identified in an organization's user provisioning process Which of the following is the MOST appropriate population to sample from when testing for remediation?

Options:

A.  

All users provisioned after the finding was originally identified

B.  

All users provisioned after management resolved the audit issue

C.  

All users provisioned after the final audit report was issued

D.  

All users who have followed user provisioning processes provided by management

Discussion 0
Questions 234

Audit observations should be FIRST communicated with the auditee:

Options:

A.  

when drafting the report.

B.  

during fieldwork.

C.  

at the end of fieldwork.

D.  

within the audit report

Discussion 0
Questions 235

An IS auditor is evaluating an enterprise resource planning (ERP) migration from local systems to the cloud. Who should be responsible for the data

classification in this project?

Options:

A.  

Information security officer

B.  

Database administrator (DBA)

C.  

Information owner

D.  

Data architect

Discussion 0
Questions 236

Which of the following is the GREATEST advantage of outsourcing the development of an e-banking solution when in-house technical expertise is not available?

Options:

A.  

Lower start-up costs

B.  

Reduced risk of system downtime

C.  

Direct oversight of risks

D.  

Increased ability to adapt the system

Discussion 0
Questions 237

The PRIMARY responsibility of a project steering committee is to:

Options:

A.  

sign off on the final build document.

B.  

ensure that each project deadline is met.

C.  

ensure that developed systems meet business needs.

D.  

provide regular project updates and oversight.

Discussion 0
Questions 238

An IS audit manager was temporarily tasked with supervising a project manager assigned to the organization's payroll application upgrade. Upon returning to the audit department, the audit manager has been asked to perform an audit to validate the implementation of the payroll application. The audit manager is the only one in the audit department with IT project management

experience. What is the BEST course of action?

Options:

A.  

Transfer the assignment to a different audit manager despite lack of IT project management experience.

B.  

Outsource the audit to independent and qualified resources.

C.  

Manage the audit since there is no one else with the appropriate experience.

D.  

Have a senior IS auditor manage the project with the IS audit manager performing final review.

Discussion 0
Questions 239

During a database management evaluation an IS auditor discovers that some accounts with database administrator (DBA) privileges have been assigned a default password with an unlimited number of failed login attempts Which of the following is the auditor's BEST course of action?

Options:

A.  

Identify accounts that have had excessive failed login attempts and request they be disabled

B.  

Request the IT manager to change administrator security parameters and update the finding

C.  

Document the finding and explain the risk of having administrator accounts with inappropriate security settings

Discussion 0
Questions 240

Which of the following is the MOST effective control to mitigate against the risk of inappropriate activity by employees?

Options:

A.  

User activity monitoring

B.  

Two-factor authentication

C.  

Network segmentation

D.  

Access recertification

Discussion 0
Questions 241

Which of the following should be the GREATEST concern for an IS auditor assessing an organization's disaster recovery plan (DRP)?

Options:

A.  

The DRP was developed by the IT department.

B.  

The DRP has not been tested during the past three years.

C.  

The DRP has not been updated for two years.

D.  

The DRP does not include the recovery the time objective (RTO) for a key system.

Discussion 0
Questions 242

What is the PRIMARY purpose of performing a parallel run of a now system?

Options:

A.  

To train the end users and supporting staff on the new system

B.  

To verify the new system provides required business functionality

C.  

To reduce the need for additional testing

D.  

To validate the new system against its predecessor

Discussion 0
Questions 243

A web proxy server for corporate connections to external resources reduces organizational risk by:

Options:

A.  

anonymizing users through changed IP addresses.

B.  

providing multi-factor authentication for additional security.

C.  

providing faster response than direct access.

D.  

load balancing traffic to optimize data pathways.

Discussion 0
Questions 244

While evaluating the data classification process of an organization, an IS auditor's PRIMARY focus should be on whether:

Options:

A.  

data classifications are automated.

B.  

a data dictionary is maintained.

C.  

data retention requirements are clearly defined.

D.  

data is correctly classified.

Discussion 0
Questions 245

Which of the following observations should be of GREATEST concern to an IS auditor performing an audit of change and release management controls for a new complex system developed by a small in-house IT team?

Options:

A.  

Access to change testing strategy and results is not restricted to staff outside the IT team.

B.  

Some user acceptance testing (IJAT) was completed by members of the IT team.

C.  

IT administrators have access to the production and development environment

D.  

Post-implementation testing is not conducted for all system releases.

Discussion 0
Questions 246

Which of following areas is MOST important for an IS auditor to focus on when reviewing the maturity model for a technology organization?

Options:

A.  

Standard operating procedures

B.  

Service level agreements (SLAs)

C.  

Roles and responsibility matrix

D.  

Business resiliency

Discussion 0
Questions 247

Which type of attack poses the GREATEST risk to an organization's most sensitive data?

Options:

A.  

Password attack

B.  

Eavesdropping attack

C.  

Insider attack

D.  

Spear phishing attack

Discussion 0
Questions 248

Which of the following is MOST important for an IS auditor to confirm when reviewing an organization's incident response management program?

Options:

A.  

All incidents have a severity level assigned.

B.  

All identified incidents are escalated to the CEO and the CISO.

C.  

Incident response is within defined service level agreements (SLAs).

D.  

The alerting tools and incident response team can detect incidents.

Discussion 0
Questions 249

Which of the following can only be provided by asymmetric encryption?

Options:

A.  

Information privacy

B.  

256-brt key length

C.  

Data availability

D.  

Nonrepudiation

Discussion 0
Questions 250

When assessing a proposed project for the two-way replication of a customer database with a remote call center, the IS auditor should ensure that:

Options:

A.  

database conflicts are managed during replication.

B.  

end users are trained in the replication process.

C.  

the source database is backed up on both sites.

D.  

user rights are identical on both databases.

Discussion 0
Questions 251

Which of the following provides the MOST reliable method of preventing unauthonzed logon?

Options:

A.  

issuing authentication tokens

B.  

Reinforcing current security policies

C.  

Limiting after-hours usage

D.  

Installing an automatic password generator

Discussion 0
Questions 252

An IS auditor is reviewing the backup procedures in an organization that has high volumes of data with frequent changes to transactions. Which of the following is the BEST backup scheme to recommend given the need for a shorter restoration time in the event of a disruption?

Options:

A.  

Differential backup

B.  

Full backup

C.  

Incremental backup

D.  

Mirror backup

Discussion 0
Questions 253

The FIRST step in auditing a data communication system is to determine:

Options:

A.  

traffic volumes and response-time criteria

B.  

physical security for network equipment

C.  

the level of redundancy in the various communication paths

D.  

business use and types of messages to be transmitted

Discussion 0
Questions 254

Which of the following is the BEST testing approach to facilitate rapid identification of application interface errors?

Options:

A.  

Integration testing

B.  

Regression testing

C.  

Automated testing

D.  

User acceptance testing (UAT)

Discussion 0
Questions 255

An IS auditor learns that an in-house system development life cycle (SDLC) project has not met user specifications. The auditor should FIRST examine requirements from which of the following phases?

Options:

A.  

Configuration phase

B.  

User training phase

C.  

Quality assurance (QA) phase

D.  

Development phase

Discussion 0
Questions 256

Which of the following metrics is the BEST indicator of the performance of a web application

Options:

A.  

HTTP server error rate

B.  

Server thread count

C.  

Average response time

D.  

Server uptime

Discussion 0
Questions 257

Which of the following is the MOST important responsibility of data owners when implementing a data classification process?

Options:

A.  

Reviewing emergency changes to data

B.  

Authorizing application code changes

C.  

Determining appropriate user access levels

D.  

Implementing access rules over database tables

Discussion 0
Questions 258

Which of the following is MOST critical to the success of an information security program?

Options:

A.  

Alignment of information security with IT objectives

B.  

Management’s commitment to information security

C.  

Integration of business and information security

D.  

User accountability for information security

Discussion 0
Questions 259

An IS auditor has identified deficiencies within the organization's software development life cycle policies. Which of the following should be done NEXT?

Options:

A.  

Document the findings in the audit report.

B.  

Identify who approved the policies.

C.  

Escalate the situation to the lead auditor.

D.  

Communicate the observation to the auditee.

Discussion 0
Questions 260

An IS auditor reviewing a job scheduling tool notices performance and reliability problems. Which of the following is MOST likely affecting the tool?

Options:

A.  

Administrator passwords do not meet organizational security and complexity requirements.

B.  

The number of support staff responsible for job scheduling has been reduced.

C.  

The scheduling tool was not classified as business-critical by the IT department.

D.  

Maintenance patches and the latest enhancement upgrades are missing.

Discussion 0
Questions 261

Which of the following is the BEST indication of effective governance over IT infrastructure?

Options:

A.  

The ability to deliver continuous, reliable performance

B.  

A requirement for annual security awareness programs

C.  

An increase in the number of IT infrastructure servers

D.  

A decrease in the number of information security incidents

Discussion 0
Questions 262

Which of the following would BEST help to ensure that an incident receives attention from appropriate personnel in a timely manner?

Options:

A.  

Completing the incident management log

B.  

Broadcasting an emergency message

C.  

Requiring a dedicated incident response team

D.  

Implementing incident escalation procedures

Discussion 0
Questions 263

Which of the following is the BEST way for an organization to mitigate the risk associated with third-party application performance?

Options:

A.  

Ensure the third party allocates adequate resources to meet requirements.

B.  

Use analytics within the internal audit function

C.  

Conduct a capacity planning exercise

D.  

Utilize performance monitoring tools to verify service level agreements (SLAs)

Discussion 0
Questions 264

An organization has developed mature risk management practices that are followed across all departments What is the MOST effective way for the audit team to leverage this risk management maturity?

Options:

A.  

Implementing risk responses on management's behalf

B.  

Integrating the risk register for audit planning purposes

C.  

Providing assurances to management regarding risk

D.  

Facilitating audit risk identification and evaluation workshops

Discussion 0
Questions 265

Which of the following security risks can be reduced by a property configured network firewall?

Options:

A.  

SQL injection attacks

B.  

Denial of service (DoS) attacks

C.  

Phishing attacks

D.  

Insider attacks

Discussion 0
Questions 266

Which of the following is the PRIMARY reason to follow a configuration management process to maintain application?

Options:

A.  

To optimize system resources

B.  

To follow system hardening standards

C.  

To optimize asset management workflows

D.  

To ensure proper change control

Discussion 0
Questions 267

When testing the adequacy of tape backup procedures, which step BEST verifies that regularly scheduled Backups are timely and run to completion?

Options:

A.  

Observing the execution of a daily backup run

B.  

Evaluating the backup policies and procedures

C.  

Interviewing key personnel evolved In the backup process

D.  

Reviewing a sample of system-generated backup logs

Discussion 0
Questions 268

IT disaster recovery time objectives (RTOs) should be based on the:

Options:

A.  

maximum tolerable loss of data.

B.  

nature of the outage

C.  

maximum tolerable downtime (MTD).

D.  

business-defined criticality of the systems.

Discussion 0
Questions 269

For an organization that has plans to implement web-based trading, it would be MOST important for an IS auditor to verify the organization's information security plan includes:

Options:

A.  

attributes for system passwords.

B.  

security training prior to implementation.

C.  

security requirements for the new application.

D.  

the firewall configuration for the web server.

Discussion 0
Questions 270

An IS auditor is reviewing an industrial control system (ICS) that uses older unsupported technology in the scope of an upcoming audit. What should the auditor consider the MOST significant concern?

Options:

A.  

Attack vectors are evolving for industrial control systems.

B.  

There is a greater risk of system exploitation.

C.  

Disaster recovery plans (DRPs) are not in place.

D.  

Technical specifications are not documented.

Discussion 0
Questions 271

An IS auditor should ensure that an application's audit trail:

Options:

A.  

has adequate security.

B.  

logs ail database records.

C.  

Is accessible online

D.  

does not impact operational efficiency

Discussion 0
Questions 272

After the merger of two organizations, which of the following is the MOST important task for an IS auditor to perform?

Options:

A.  

Verifying that access privileges have been reviewed

B.  

investigating access rights for expiration dates

C.  

Updating the continuity plan for critical resources

D.  

Updating the security policy

Discussion 0
Questions 273

Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system. Which of the following is the IS auditor's BEST recommendation for a compensating control?

Options:

A.  

Require written authorization for all payment transactions

B.  

Restrict payment authorization to senior staff members.

C.  

Reconcile payment transactions with invoices.

D.  

Review payment transaction history

Discussion 0
Questions 274

Which of the following would be an appropriate rote of internal audit in helping to establish an organization's privacy program?

Options:

A.  

Analyzing risks posed by new regulations

B.  

Designing controls to protect personal data

C.  

Defining roles within the organization related to privacy

D.  

Developing procedures to monitor the use of personal data

Discussion 0
Questions 275

Which of the following is the BEST reason for an organization to use clustering?

Options:

A.  

To decrease system response time

B.  

To Improve the recovery lime objective (RTO)

C.  

To facilitate faster backups

D.  

To improve system resiliency

Discussion 0
Questions 276

Which of the following environments is BEST used for copying data and transformation into a compatible data warehouse format?

Options:

A.  

Testing

B.  

Replication

C.  

Staging

D.  

Development

Discussion 0
Questions 277

Which of the following is an example of a preventative control in an accounts payable system?

Options:

A.  

The system only allows payments to vendors who are included In the system's master vendor list.

B.  

Backups of the system and its data are performed on a nightly basis and tested periodically.

C.  

The system produces daily payment summary reports that staff use to compare against invoice totals.

D.  

Policies and procedures are clearly communicated to all members of the accounts payable department

Discussion 0
Questions 278

Which of the following findings from an IT governance review should be of GREATEST concern?

Options:

A.  

The IT budget is not monitored

B.  

All IT services are provided by third parties.

C.  

IT value analysis has not been completed.

D.  

IT supports two different operating systems.

Discussion 0