
ExamsBrite Dumps

Certified Information Systems Auditor Question and Answers


Last Update Jan 26, 2025
Total Questions : 1277

Questions 1

When reviewing a business case for a proposed implementation of a third-party system, which of the following should be an IS auditor's GREATEST concern?

Options:

A.  

Lack of ongoing maintenance costs

B.  

Lack of training materials

C.  

Lack of plan for pilot implementation

D.  

Lack of detailed work breakdown structure

Questions 2

During audit planning, the IS audit manager is considering whether to budget for audits of entities regarded by the business as having low risk. Which of the following is the BEST course of action in this situation?

Options:

A.  

Outsource low-risk audits to external audit service providers.

B.  

Conduct limited-scope audits of low-risk business entities.

C.  

Validate the low-risk entity ratings and apply professional judgment.

D.  

Challenge the risk rating and include the low-risk entities in the plan.

Questions 3

Which of the following is the BEST indication of effective governance over IT infrastructure?

Options:

A.  

The ability to deliver continuous, reliable performance

B.  

A requirement for annual security awareness programs

C.  

An increase in the number of IT infrastructure servers

D.  

A decrease in the number of information security incidents

Questions 4

The PRIMARY objective of a control self-assessment (CSA) is to:

Options:

A.  

educate functional areas on risks and controls.

B.  

ensure appropriate access controls are implemented.

C.  

eliminate the audit risk by leveraging management's analysis.

D.  

gain assurance for business functions that cannot be audited.

Questions 5

The PRIMARY responsibility of a project steering committee is to:

Options:

A.  

sign off on the final build document.

B.  

ensure that each project deadline is met.

C.  

ensure that developed systems meet business needs.

D.  

provide regular project updates and oversight.

Questions 6

An IS auditor discovers that validation controls in a web application have been moved from the server side into the browser to boost performance. This would MOST likely increase the risk of a successful attack by:

Options:

A.  

structured query language (SQL) injection

B.  

buffer overflow.

C.  

denial of service (DoS).

D.  

phishing.

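The risk behind question 6, shown as an added illustration that is not part of this question bank: once input validation lives only in the browser, an attacker simply does not use the browser, so the server must treat every request value as untrusted. The table, its rows, the payload and the `lookup_*` functions below are constructed for the example (Python with the standard-library `sqlite3` module); they are not from any real application.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory table with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Server side after validation was moved to the browser: the request value
    is trusted and spliced into the SQL text. Anything the JavaScript check would
    have rejected can be sent directly with curl or an intercepting proxy."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Same query with a bound parameter: the driver passes the value separately
    from the SQL text, so it can never change the statement's structure."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Defense in depth: re-validate on the server (the browser check is only a
    usability aid), then run the parameterized query."""
    if not (1 <= len(username) <= 32 and username.isalnum()):
        raise ValueError("invalid username")
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"  # would fail a browser check, but the browser is not in the path
    print("vulnerable:    ", lookup_vulnerable(db, payload))     # every user in the table
    print("parameterized: ", lookup_parameterized(db, payload))  # []
```

Run it as a script: the concatenated query turns the payload into `WHERE username = '' OR '1'='1'` and returns every row, while the bound parameter is compared literally and matches nothing. Server-side re-validation plus parameterization is the control an auditor should expect to find after such a performance change.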
Questions 7

An IS auditor has been asked to advise on measures to improve IT governance within the organization. Which of the following is the BEST recommendation?

Options:

A.  

Benchmark organizational performance against industry peers

B.  

Implement key performance indicators (KPIs).

C.  

Require executive management to draft IT strategy

D.  

Implement annual third-party audits.

Questions 8

Which of the following is the MOST important prerequisite for implementing a data loss prevention (DLP) tool?

Options:

A.  

Requiring users to save files in secured folders instead of a company-wide shared drive

B.  

Reviewing data transfer logs to determine historical patterns of data flow

C.  

Developing a DLP policy and requiring signed acknowledgment by users

D.  

Identifying where existing data resides and establishing a data classification matrix

Questions 9

Aligning IT strategy with business strategy PRIMARILY helps an organization to:

Options:

A.  

optimize investments in IT.

B.  

create risk awareness across business units.

C.  

increase involvement of senior management in IT.

D.  

monitor the effectiveness of IT.

Questions 10

During an external review, an IS auditor observes an inconsistent approach in classifying system criticality within the organization. Which of the following should be recommended as the PRIMARY factor to determine system criticality?

Options:

A.  

Recovery point objective (RPO)

B.  

Maximum allowable downtime (MAD)

C.  

Mean time to restore (MTTR)

D.  

Key performance indicators (KPIs)

Questions 11

An IS auditor is reviewing a client's outsourced payroll system to assess whether the financial audit team can rely on the application. Which of the following findings would be the auditor's GREATEST concern?

Options:

A.  

User access rights have not been periodically reviewed by the client.

B.  

Payroll processing costs have not been included in the IT budget.

C.  

The third-party contract has not been reviewed by the legal department.

D.  

The third-party contract does not comply with the vendor management policy.

Questions 12

What is the PRIMARY reason for an organization to classify the data stored on its internal networks?

Options:

A.  

To determine data retention policy

B.  

To implement data protection requirements

C.  

To comply with the organization's data policies

D.  

To follow industry best practices

Questions 13

Which of the following is the PRIMARY reason for an IS auditor to perform a risk assessment?

Options:

A.  

It helps to identify areas with a relatively high probability of material problems.

B.  

It provides a basis for the formulation of corrective action plans.

C.  

It increases awareness of the types of management actions that may be inappropriate

D.  

It helps to identify areas that are most sensitive to fraudulent or inaccurate practices

Questions 14

Which of the following is the MOST significant impact to an organization that does not use an IT governance framework?

Options:

A.  

Inadequate measurement of key risk indicators (KRIs)

B.  

Inadequate alignment of IT plans and business objectives

C.  

Inadequate business impact analysis (BIA) results and predictions

D.  

Inadequate measurement of key performance indicators (KPIs)

Questions 15

Compared to developing a system in-house, acquiring a software package means that the need for testing by end users is:

Options:

A.  

eliminated

B.  

unchanged

C.  

increased

D.  

reduced

Questions 16

Which of the following is the PRIMARY basis on which audit objectives are established?

Options:

A.  

Audit risk

B.  

Consideration of risks

C.  

Assessment of prior audits

D.  

Business strategy

Questions 17

The FIRST step in an incident response plan is to:

Options:

A.  

validate the incident.

B.  

notify the head of the IT department.

C.  

isolate systems impacted by the incident.

D.  

initiate root cause analysis.

Questions 18

Which of the following biometric access controls has the HIGHEST rate of false negatives?

Options:

A.  

Iris recognition

B.  

Fingerprint scanning

C.  

Face recognition

D.  

Retina scanning

Questions 19

Which of the following provides the BEST method for maintaining the security of corporate applications pushed to employee-owned mobile devices?

Options:

A.  

Enabling remote data destruction capabilities

B.  

Implementing mobile device management (MDM)

C.  

Disabling unnecessary network connectivity options

D.  

Requiring security awareness training for mobile users

Questions 20

Which of the following would provide management with the MOST reasonable assurance that a new data warehouse will meet the needs of the organization?

Options:

A.  

Integrating data requirements into the system development life cycle (SDLC)

B.  

Appointing data stewards to provide effective data governance

C.  

Classifying data quality issues by the severity of their impact to the organization

D.  

Facilitating effective communication between management and developers

Questions 21

If a source code is not recompiled when program changes are implemented, which of the following is a compensating control to ensure synchronization of source and object?

Options:

A.  

Comparison of object and executable code

B.  

Review of audit trail of compile dates

C.  

Comparison of date stamping of source and object code

D.  

Review of developer comments in executable code

Questions 22

An IT strategic plan that BEST leverages IT in achieving organizational goals will include:

Options:

A.  

a comparison of future needs against current capabilities.

B.  

a risk-based ranking of projects.

C.  

enterprise architecture (EA) impacts.

D.  

IT budgets linked to the organization's budget.

Questions 23

Which of the following is MOST important to ensure when developing an effective security awareness program?

Options:

A.  

Training personnel are information security professionals.

B.  

Outcome metrics for the program are established.

C.  

Security threat scenarios are included in the program content.

D.  

Phishing exercises are conducted post-training.

Questions 24

Which of the following findings from a database security audit presents the GREATEST risk of critical security exposures?

Options:

A.  

Legacy data has not been purged.

B.  

Admin account passwords are not set to expire.

C.  

Default settings have not been changed.

D.  

Database activity logging is not complete.

Questions 25

Which of the following provides the GREATEST assurance that a middleware application compiling data from multiple sales transaction databases for forecasting is operating effectively?

Options:

A.  

Continuous auditing

B.  

Manual checks

C.  

Exception reporting

D.  

Automated reconciliations

Questions 26

To ensure confidentiality through the use of asymmetric encryption, a message is encrypted with which of the following?

Options:

A.  

Recipient's public key

B.  

Sender's private key

C.  

Sender's public key

D.  

Recipient's private key

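The key roles asked about in question 26, worked through as an added example that is not part of this question bank. It uses textbook RSA with toy-sized constructed keys (the classic 61 x 53 pair for the recipient, 67 x 71 for the sender) and no padding, purely to make the point observable: ciphertext produced with the recipient's public key is only reversible with the recipient's private key, whereas output produced with the sender's private key is reversible by anyone, since the sender's public key is public. Function names and key values are the example's own assumptions; nothing here is suitable for real use.

```python
def make_keypair(p: int, q: int, e: int = 17) -> tuple:
    """Textbook RSA key pair from two primes: public (e, n), private (d, n).
    Toy sizes, no padding; for the key-role demonstration only."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def rsa_apply(m: int, key: tuple) -> int:
    """Raise m to the key's exponent modulo n. The same operation is encrypt,
    decrypt, sign or verify depending only on which key is supplied."""
    exp, n = key
    if not 0 <= m < n:
        raise ValueError("message out of range for this modulus")
    return pow(m, exp, n)


# Constructed toy keys (assumed for the example): recipient n = 3233, sender n = 4757.
RECIPIENT_PUB, RECIPIENT_PRIV = make_keypair(61, 53)
SENDER_PUB, SENDER_PRIV = make_keypair(67, 71)


def confidential_send(m: int) -> int:
    """Option A: encrypt with the recipient's public key. Only the holder of the
    recipient's private key can reverse it, so the message stays confidential."""
    return rsa_apply(m, RECIPIENT_PUB)


def sign_with_sender_key(m: int) -> int:
    """Option B: transform with the sender's private key. Everyone holds the
    sender's public key, so everyone can recover m; this gives origin
    authentication (a signature), not confidentiality."""
    return rsa_apply(m, SENDER_PRIV)


if __name__ == "__main__":
    m = 1234
    c = confidential_send(m)
    print("ciphertext", c, "-> recipient decrypts to", rsa_apply(c, RECIPIENT_PRIV))
    print("sender's private key on the ciphertext gives", rsa_apply(c, SENDER_PRIV), "(garbage)")
    s = sign_with_sender_key(m)
    print("sender-private output", s, "-> anyone with the public key recovers", rsa_apply(s, SENDER_PUB))
```

With these keys the ciphertext for 1234 is 2183; the recipient's private key returns 1234, the sender's private key returns something else, and the "encrypt with sender's private key" variant is undone by the sender's public key, which is exactly why it provides no confidentiality.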
Questions 27

Which of the following should be the FIRST step in a data migration project?

Options:

A.  

Reviewing decisions on how business processes should be conducted in the new system

B.  

Completing data cleanup in the current database to eliminate inconsistencies

C.  

Understanding the new system's data structure

D.  

Creating data conversion scripts

Questions 28

An IS auditor found that a company executive is encouraging employee use of social networking sites for business purposes. Which of the following recommendations would BEST help to reduce the risk of data leakage?

Options:

A.  

Requiring policy acknowledgment and nondisclosure agreements signed by employees

B.  

Providing education and guidelines to employees on use of social networking sites

C.  

Establishing strong access controls on confidential data

D.  

Monitoring employees' social networking usage

Questions 29

Which of the following is MOST critical to the success of an information security program?

Options:

A.  

User accountability for information security

B.  

Management's commitment to information security

C.  

Integration of business and information security

D.  

Alignment of information security with IT objectives

Questions 30

An IS auditor is providing input to an RFP to acquire a financial application system. Which of the following is MOST important for the auditor to recommend?

Options:

A.  

The application should meet the organization's requirements.

B.  

Audit trails should be included in the design.

C.  

Potential suppliers should have experience in the relevant area.

D.  

Vendor employee background checks should be conducted regularly.

Questions 31

An IS auditor should look for which of the following to ensure the risk associated with scope creep has been mitigated during software development?

Options:

A.  

Source code version control

B.  

Project change management controls

C.  

Existence of an architecture review board

D.  

Configuration management

Questions 32

Which of the following is the MOST effective control over visitor access to highly secured areas?

Options:

A.  

Visitors are required to be escorted by authorized personnel.

B.  

Visitors are required to use biometric authentication.

C.  

Visitors are monitored online by security cameras.

D.  

Visitors are required to enter through dead-man doors.

Questions 33

In an environment where data virtualization is used, which of the following provides the BEST disaster recovery solution?

Options:

A.  

Onsite disk-based backup systems

B.  

Tape-based backup systems

C.  

Virtual tape library

D.  

Redundant array of independent disks (RAID)

Questions 34

Which of the following should be done FIRST when planning to conduct internal and external penetration testing for a client?

Options:

A.  

Establish the timing of testing.

B.  

Identify milestones.

C.  

Determine the test reporting.

D.  

Establish the rules of engagement.

Questions 35

The PRIMARY purpose of an incident response plan is to:

Options:

A.  

reduce the impact of an adverse event on information assets.

B.  

increase the effectiveness of preventive controls.

C.  

reduce the maximum tolerable downtime (MTD) of impacted systems.

D.  

increase awareness of impacts from adverse events to IT systems.

Questions 36

An organization plans to replace its nightly batch processing backup to magnetic tape with real-time replication to a second data center. Which of the following is the GREATEST risk associated with this change?

Options:

A.  

Version control issues

B.  

Reduced system performance

C.  

Inability to recover from cybersecurity attacks

D.  

Increase in IT investment cost

Questions 37

Which of the following statements appearing in an organization's acceptable use policy BEST demonstrates alignment with data classification standards related to the protection of information assets?

Options:

A.  

Any information assets transmitted over a public network must be approved by executive management.

B.  

All information assets must be encrypted when stored on the organization's systems.

C.  

Information assets should only be accessed by persons with a justified need.

D.  

All information assets will be assigned a clearly defined level to facilitate proper employee handling.

Questions 38

In a high-volume, real-time system, the MOST effective technique by which to continuously monitor and analyze transaction processing is:

Options:

A.  

integrated test facility (ITF).

B.  

parallel simulation.

C.  

transaction tagging.

D.  

embedded audit modules.

Questions 39

An IS auditor is conducting a physical security audit of a healthcare facility and finds closed-circuit television (CCTV) systems located in a patient care area. Which of the following is the GREATEST concern?

Options:

A.  

Cameras are not monitored 24/7.

B.  

There are no notices indicating recording is in progress.

C.  

The retention period for video recordings is undefined

D.  

There are no backups of the videos.

Questions 40

Which of the following is the BEST sampling method to use when relatively few errors are expected to be found in a population?

Options:

A.  

Variable sampling

B.  

Judgmental sampling

C.  

Stop-or-go sampling

D.  

Discovery sampling

Questions 41

An IS auditor is reviewing a contract for the outsourcing of IT facilities. If missing, which of the following should present the GREATEST concern to the auditor?

Options:

A.  

Hardware configurations

B.  

Access control requirements

C.  

Help desk availability

D.  

Perimeter network security diagram

Questions 42

A global organization's policy states that all workstations must be scanned for malware each day. Which of the following would provide an IS auditor with the BEST evidence of continuous compliance with this policy?

Options:

A.  

Penetration testing results

B.  

Management attestation

C.  

Anti-malware tool audit logs

D.  

Recent malware scan reports

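What "evidence of continuous compliance" from anti-malware audit logs (question 42) looks like when an auditor actually tests it, as an added example that is not part of this question bank: the log is parsed, every inventoried workstation is checked for a completed scan on every day of the window, and gaps are listed per host. The log lines, the `key=value` format, the host names and the inventory are all constructed for the example (no real product writes exactly this); the point that survives is that the log must be joined to an independent asset inventory, otherwise a workstation whose agent never ran produces no lines and looks compliant by omission (the same concern as question 84).

```python
from datetime import date, timedelta

# Constructed sample of an anti-malware tool's audit log (not from any real product).
# One line per event; a compliant workstation has a scan_completed line every day.
SAMPLE_LOG = """\
2025-01-20T02:00:11Z host=WS-0001 event=scan_completed result=clean
2025-01-20T02:03:40Z host=WS-0002 event=scan_completed result=clean
2025-01-21T02:00:09Z host=WS-0001 event=scan_completed result=clean
2025-01-21T02:01:15Z host=WS-0002 event=scan_started
2025-01-22T02:00:12Z host=WS-0001 event=scan_completed result=clean
2025-01-22T02:02:50Z host=WS-0002 event=scan_completed result=infected
"""

# Constructed asset inventory: the population the policy applies to.
# WS-0003 never appears in the log at all.
INVENTORY = ["WS-0001", "WS-0002", "WS-0003"]


def parse_log(text: str) -> list:
    """Parse timestamped key=value lines into dicts, adding each event's calendar date."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        record = dict(field.split("=", 1) for field in fields)
        record["date"] = date.fromisoformat(stamp[:10])
        events.append(record)
    return events


def scan_gaps(events: list, inventory: list, start: str, end: str) -> dict:
    """Map each inventoried host to the ISO dates in [start, end] with no completed scan.
    A scan that only started (WS-0002 on the 21st) does not count."""
    first, last = date.fromisoformat(start), date.fromisoformat(end)
    completed = {(e["host"], e["date"]) for e in events if e.get("event") == "scan_completed"}
    days = [first + timedelta(days=i) for i in range((last - first).days + 1)]
    return {
        host: [d.isoformat() for d in days if (host, d) not in completed]
        for host in inventory
    }


def is_compliant(gaps: dict) -> bool:
    """True only when every inventoried host completed a scan on every day of the window."""
    return all(not missing for missing in gaps.values())


if __name__ == "__main__":
    gaps = scan_gaps(parse_log(SAMPLE_LOG), INVENTORY, "2025-01-20", "2025-01-22")
    for host, missing in gaps.items():
        print(host, "missing scans on:", missing or "none")
    print("continuous compliance:", is_compliant(gaps))
```

On the sample data WS-0001 is clean, WS-0002 has a gap on the 21st (scan started but never completed), and WS-0003 has a gap on every day because it is in the inventory but never reported. A point-in-time scan report (option D) would show none of this.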
Questions 43

Which of the following is the MAIN risk associated with adding a new system functionality during the development phase without following a project change management process?

Options:

A.  

The added functionality has not been documented.

B.  

The new functionality may not meet requirements.

C.  

The project may fail to meet the established deadline.

D.  

The project may go over budget.

Questions 44

Which of the following is BEST used for detailed testing of a business application's data and configuration files?

Options:

A.  

Version control software

B.  

Audit hooks

C.  

Utility software

D.  

Audit analytics tool

Questions 45

Which of the following is MOST likely to be a project deliverable of an agile software development methodology?

Options:

A.  

Strictly managed software requirements baselines

B.  

Extensive project documentation

C.  

Automated software programming routines

D.  

Rapidly created working prototypes

Questions 46

When planning an internal penetration test, which of the following is the MOST important step prior to finalizing the scope of testing?

Options:

A.  

Ensuring the scope of penetration testing is restricted to the test environment

B.  

Obtaining management's consent to the testing scope in writing

C.  

Notifying the IT security department regarding the testing scope

D.  

Agreeing on systems to be excluded from the testing scope with the IT department

Questions 47

Which of the following should an IS auditor be MOST concerned with when a system uses RFID?

Options:

A.  

Privacy

B.  

Maintainability

C.  

Scalability

D.  

Nonrepudiation

Questions 48

Which of the following is MOST critical to the success of an information security program?

Options:

A.  

Alignment of information security with IT objectives

B.  

Management’s commitment to information security

C.  

Integration of business and information security

D.  

User accountability for information security

Questions 49

Which of the following demonstrates the use of data analytics for a loan origination process?

Options:

A.  

Evaluating whether loan records are included in the batch file and are validated by the servicing system

B.  

Comparing a population of loans input in the origination system to loans booked on the servicing system

C.  

Validating whether reconciliations between the two systems are performed and discrepancies are investigated

D.  

Reviewing error handling controls to notify appropriate personnel in the event of a transmission failure

Questions 50

An incorrect version of the source code was amended by a development team. This MOST likely indicates a weakness in:

Options:

A.  

incident management.

B.  

quality assurance (QA).

C.  

change management.

D.  

project management.

Questions 51

During an ongoing audit, management requests a briefing on the findings to date. Which of the following is the IS auditor's BEST course of action?

Options:

A.  

Review working papers with the auditee.

B.  

Request the auditee provide management responses.

C.  

Request management wait until a final report is ready for discussion.

D.  

Present observations for discussion only.

Questions 52

Which of the following should be an IS auditor's PRIMARY focus when developing a risk-based IS audit program?

Options:

A.  

Portfolio management

B.  

Business plans

C.  

Business processes

D.  

IT strategic plans

Questions 53

Which of the following access rights presents the GREATEST risk when granted to a new member of the system development staff?

Options:

A.  

Write access to production program libraries

B.  

Write access to development data libraries

C.  

Execute access to production program libraries

D.  

Execute access to development program libraries

Questions 54

Which of the following should an IS auditor recommend as a PRIMARY area of focus when an organization decides to outsource technical support for its external customers?

Options:

A.  

Align service level agreements (SLAs) with current needs.

B.  

Monitor customer satisfaction with the change.

C.  

Minimize costs related to the third-party agreement.

D.  

Ensure right to audit is included within the contract.

Questions 55

Which of the following data would be used when performing a business impact analysis (BIA)?

Options:

A.  

Projected impact of current business on future business

B.  

Cost-benefit analysis of running the current business

C.  

Cost of regulatory compliance

D.  

Expected costs for recovering the business

Questions 56

When reviewing an organization's information security policies, an IS auditor should verify that the policies have been defined PRIMARILY on the basis of:

Options:

A.  

a risk management process.

B.  

an information security framework.

C.  

past information security incidents.

D.  

industry best practices.

Questions 57

During the evaluation of controls over a major application development project, the MOST effective use of an IS auditor's time would be to review and evaluate:

Options:

A.  

application test cases.

B.  

acceptance testing.

C.  

cost-benefit analysis.

D.  

project plans.

Questions 58

Malicious program code was found in an application and corrected prior to release into production. After the release, the same issue was reported. Which of the following is the IS auditor's BEST recommendation?

Options:

A.  

Ensure corrected program code is compiled in a dedicated server.

B.  

Ensure change management reports are independently reviewed.

C.  

Ensure programmers cannot access code after the completion of program edits.

D.  

Ensure the business signs off on end-to-end user acceptance test (UAT) results.

Questions 59

Which of the following documents would be MOST useful in detecting a weakness in segregation of duties?

Options:

A.  

System flowchart

B.  

Data flow diagram

C.  

Process flowchart

D.  

Entity-relationship diagram

Questions 60

An IS auditor is planning an audit of an organization's accounts payable processes. Which of the following controls is MOST important to assess in the audit?

Options:

A.  

Segregation of duties between issuing purchase orders and making payments

B.  

Segregation of duties between receiving invoices and setting authorization limits

C.  

Management review and approval of authorization tiers

D.  

Management review and approval of purchase orders

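How the segregation-of-duties control in question 60 is actually tested in an audit, as an added example that is not part of this question bank: instead of reading a flowchart (question 59), the auditor extracts the application's role definitions and user assignments and checks every user's combined duties against a list of incompatible pairs. The rules, roles, users and function names below are constructed for the example and are not from any real accounts payable system.

```python
# Constructed segregation-of-duties rules: pairs of duties one person must not hold.
SOD_RULES = [
    ("issue_purchase_order", "approve_payment"),
    ("create_vendor", "approve_payment"),
    ("receive_invoice", "set_authorization_limit"),
]

# Constructed role definitions and user assignments, as they would be extracted
# from the AP application's role table and user list.
ROLE_DUTIES = {
    "ap_clerk": {"receive_invoice", "issue_purchase_order"},
    "ap_manager": {"approve_payment"},
    "vendor_admin": {"create_vendor"},
    "finance_admin": {"set_authorization_limit"},
}
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_clerk", "ap_manager"},      # promoted; old role never removed
    "carol": {"vendor_admin", "ap_manager"},
    "dave": {"finance_admin"},
}


def effective_duties(roles: set, role_duties: dict) -> set:
    """Union of the duties granted by every role a user holds. Conflicts usually
    arise across roles, so testing each role in isolation misses them."""
    duties = set()
    for role in roles:
        duties |= role_duties.get(role, set())
    return duties


def sod_conflicts(user_roles: dict, role_duties: dict, rules: list) -> dict:
    """Return {user: [(duty_a, duty_b), ...]} for every user whose combined
    roles grant both duties of at least one rule. Clean users are omitted."""
    findings = {}
    for user, roles in user_roles.items():
        held = effective_duties(roles, role_duties)
        hits = [rule for rule in rules if set(rule) <= held]
        if hits:
            findings[user] = sorted(hits)
    return findings


if __name__ == "__main__":
    for user, hits in sod_conflicts(USER_ROLES, ROLE_DUTIES, SOD_RULES).items():
        for duty_a, duty_b in hits:
            print(f"{user}: holds both '{duty_a}' and '{duty_b}'")
```

On the sample data bob can both issue purchase orders and approve payments, and carol can both create vendors and approve payments; alice and dave are clean. Where a small department cannot remove such conflicts, the compensating control of question 78 (independent transaction log review) is what the auditor looks for next.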
Questions 61

Which of the following is MOST important for an IS auditor to review when evaluating the accuracy of a spreadsheet that contains several macros?

Options:

A.  

Encryption of the spreadsheet

B.  

Version history

C.  

Formulas within macros

D.  

Reconciliation of key calculations

Questions 62

Which of the following is the BEST detective control for a job scheduling process involving data transmission?

Options:

A.  

Metrics denoting the volume of monthly job failures are reported and reviewed by senior management.

B.  

Jobs are scheduled to be completed daily and data is transmitted using a Secure File Transfer Protocol (SFTP).

C.  

Jobs are scheduled and a log of this activity is retained for subsequent review.

D.  

Job failure alerts are automatically generated and routed to support personnel.

Questions 63

When implementing Internet Protocol security (IPsec) architecture, the servers involved in application delivery:

Options:

A.  

communicate via Transport Layer Security (TLS).

B.  

block authorized users from unauthorized activities.

C.  

channel access only through the public-facing firewall.

D.  

channel access through authentication.

Questions 64

The PRIMARY benefit to using a dry-pipe fire-suppression system rather than a wet-pipe system is that a dry-pipe system:

Options:

A.  

is more effective at suppressing flames.

B.  

allows more time to abort release of the suppressant.

C.  

has a decreased risk of leakage.

D.  

disperses dry chemical suppressants exclusively.

Questions 65

Which of the following is the BEST method to safeguard data on an organization's laptop computers?

Options:

A.  

Disabled USB ports

B.  

Full disk encryption

C.  

Biometric access control

D.  

Two-factor authentication

Questions 66

An IS auditor is examining a front-end subledger and a main ledger. Which of the following would be the GREATEST concern if there are flaws in the mapping of accounts between the two systems?

Options:

A.  

Double-posting of a single journal entry

B.  

Inability to support new business transactions

C.  

Unauthorized alteration of account attributes

D.  

Inaccuracy of financial reporting

Questions 67

Which of the following is the PRIMARY concern when negotiating a contract for a hot site?

Options:

A.  

Availability of the site in the event of multiple disaster declarations

B.  

Coordination with the site staff in the event of multiple disaster declarations

C.  

Reciprocal agreements with other organizations

D.  

Complete testing of the recovery plan

Questions 68

Spreadsheets are used to calculate project cost estimates. Totals for each cost category are then keyed into the job-costing system. What is the BEST control to ensure that data is accurately entered into the system?

Options:

A.  

Reconciliation of total amounts by project

B.  

Validity checks, preventing entry of character data

C.  

Reasonableness checks for each cost type

D.  

Display the project detail back to the user after entry

Questions 69

Prior to a follow-up engagement, an IS auditor learns that management has decided to accept a level of residual risk related to an audit finding without remediation. The IS auditor is concerned about management's decision. Which of the following should be the IS auditor's NEXT course of action?

Options:

A.  

Accept management's decision and continue the follow-up.

B.  

Report the issue to IS audit management.

C.  

Report the disagreement to the board.

D.  

Present the issue to executive management.

Questions 70

Secure code reviews as part of a continuous deployment program are which type of control?

Options:

A.  

Detective

B.  

Logical

C.  

Preventive

D.  

Corrective

Questions 71

Which of the following attack techniques will succeed because of an inherent security weakness in an Internet firewall?

Options:

A.  

Phishing

B.  

Using a dictionary attack of encrypted passwords

C.  

Intercepting packets and viewing passwords

D.  

Flooding the site with an excessive number of packets

Questions 72

Coding standards provide which of the following?

Options:

A.  

Program documentation

B.  

Access control tables

C.  

Data flow diagrams

D.  

Field naming conventions

Questions 73

Which of the following is an audit reviewer's PRIMARY role with regard to evidence?

Options:

A.  

Ensuring unauthorized individuals do not tamper with evidence after it has been captured

B.  

Ensuring evidence is sufficient to support audit conclusions

C.  

Ensuring appropriate statistical sampling methods were used

D.  

Ensuring evidence is labeled to show it was obtained from an approved source

Questions 74

An IT balanced scorecard is the MOST effective means of monitoring:

Options:

A.  

governance of enterprise IT.

B.  

control effectiveness.

C.  

return on investment (ROI).

D.  

change management effectiveness.

Questions 75

An organization allows employees to retain confidential data on personal mobile devices. Which of the following is the BEST recommendation to mitigate the risk of data leakage from lost or stolen devices?

Options:

A.  

Require employees to attend security awareness training.

B.  

Password protect critical data files.

C.  

Configure to auto-wipe after multiple failed access attempts.

D.  

Enable device auto-lock function.

Questions 76

Which of the following would BEST demonstrate that an effective disaster recovery plan (DRP) is in place?

Options:

A.  

Frequent testing of backups

B.  

Annual walk-through testing

C.  

Periodic risk assessment

D.  

Full operational test

Questions 77

An IS auditor is conducting a post-implementation review of an enterprise resource planning (ERP) system. End users indicated concerns with the accuracy of critical automatic calculations made by the system. The auditor's FIRST course of action should be to:

Options:

A.  

review recent changes to the system.

B.  

verify completeness of user acceptance testing (UAT).

C.  

verify results to determine validity of user concerns.

D.  

review initial business requirements.

Questions 78

Which of the following is the BEST compensating control when segregation of duties is lacking in a small IS department?

Options:

A.  

Background checks

B.  

User awareness training

C.  

Transaction log review

D.  

Mandatory holidays

Questions 79

Which of the following is the MOST effective control to mitigate unintentional misuse of authorized access?

Options:

A.  

Annual sign-off of acceptable use policy

B.  

Regular monitoring of user access logs

C.  

Security awareness training

D.  

Formalized disciplinary action

Questions 80

Which of the following is the PRIMARY advantage of parallel processing for a new system implementation?

Options:

A.  

Assurance that the new system meets functional requirements

B.  

More time for users to complete training for the new system

C.  

Significant cost savings over other system implementation approaches

D.  

Assurance that the new system meets performance requirements

Questions 81

Which of the following is the BEST method to prevent wire transfer fraud by bank employees?

Options:

A.  

Independent reconciliation

B.  

Re-keying of wire dollar amounts

C.  

Two-factor authentication control

D.  

System-enforced dual control

Questions 82

What is BEST for an IS auditor to review when assessing the effectiveness of changes recently made to processes and tools related to an organization's business continuity plan (BCP)?

Options:

A.  

Full test results

B.  

Completed test plans

C.  

Updated inventory of systems

D.  

Change management processes

Questions 83

Which of the following should be the MOST important consideration when conducting a review of IT portfolio management?

Options:

A.  

Assignment of responsibility for each project to an IT team member

B.  

Adherence to best practice and industry approved methodologies

C.  

Controls to minimize risk and maximize value for the IT portfolio

D.  

Frequency of meetings where the business discusses the IT portfolio

Questions 84

From an IS auditor's perspective, which of the following would be the GREATEST risk associated with an incomplete inventory of deployed software in an organization?

Options:

A.  

Inability to close unused ports on critical servers

B.  

Inability to identify unused licenses within the organization

C.  

Inability to deploy updated security patches

D.  

Inability to determine the cost of deployed software

Questions 85

Which of the following is the BEST source of information for assessing the effectiveness of IT process monitoring?

Options:

A.  

Real-time audit software

B.  

Performance data

C.  

Quality assurance (QA) reviews

D.  

Participative management techniques

Questions 86

Which of the following should an IS auditor be MOST concerned with during a post-implementation review?

Options:

A.  

The system does not have a maintenance plan.

B.  

The system contains several minor defects.

C.  

The system deployment was delayed by three weeks.

D.  

The system was over budget by 15%.

Questions 87

Which of the following is the BEST justification for deferring remediation testing until the next audit?

Options:

A.  

The auditor who conducted the audit and agreed with the timeline has left the organization.

B.  

Management's planned actions are sufficient given the relative importance of the observations.

C.  

Auditee management has accepted all observations reported by the auditor.

D.  

The audit environment has changed significantly.

Questions 88

Which of the following would be an IS auditor's GREATEST concern when reviewing the early stages of a software development project?

Options:

A.  

The lack of technical documentation to support the program code

B.  

The lack of completion of all requirements at the end of each sprint

C.  

The lack of acceptance criteria behind user requirements.

D.  

The lack of a detailed unit and system test plan

Questions 89

An IS auditor is following up on prior period items and finds management did not address an audit finding. Which of the following should be the IS auditor's NEXT course of action?

Options:

A.  

Note the exception in a new report as the item was not addressed by management.

B.  

Recommend alternative solutions to address the repeat finding.

C.  

Conduct a risk assessment of the repeat finding.

D.  

Interview management to determine why the finding was not addressed.

Questions 90

Which of the following is the BEST way to determine whether a test of a disaster recovery plan (DRP) was successful?

Options:

A.  

Analyze whether predetermined test objectives were met.

B.  

Perform testing at the backup data center.

C.  

Evaluate participation by key personnel.

D.  

Test offsite backup files.

Questions 91

Which of the following MOST effectively minimizes downtime during system conversions?

Options:

A.  

Phased approach

B.  

Direct cutover

C.  

Pilot study

D.  

Parallel run

Questions 92

Which of the following is the MOST important reason to implement version control for an end-user computing (EUC) application?

Options:

A.  

To ensure that older versions are available for reference

B.  

To ensure that only the latest approved version of the application is used

C.  

To ensure compatibility between different versions of the application

D.  

To ensure that only authorized users can access the application

Questions 93

An IS auditor suspects an organization's computer may have been used to commit a crime. Which of the following is the auditor's BEST course of action?

Options:

A.  

Examine the computer to search for evidence supporting the suspicions.

B.  

Advise management of the crime after the investigation.

C.  

Contact the incident response team to conduct an investigation.

D.  

Notify local law enforcement of the potential crime before further investigation.

Questions 94

Which of the following is MOST important for an effective control self-assessment (CSA) program?

Options:

A.  

Determining the scope of the assessment

B.  

Performing detailed test procedures

C.  

Evaluating changes to the risk environment

D.  

Understanding the business process

Questions 95

When determining whether a project in the design phase will meet organizational objectives, what is BEST to compare against the business case?

Options:

A.  

Implementation plan

B.  

Project budget provisions

C.  

Requirements analysis

D.  

Project plan

Questions 96

Which of the following is the MOST effective control for protecting the confidentiality and integrity of data stored unencrypted on virtual machines?

Options:

A.  

Monitor access to stored images and snapshots of virtual machines.

B.  

Restrict access to images and snapshots of virtual machines.

C.  

Limit creation of virtual machine images and snapshots.

D.  

Review logical access controls on virtual machines regularly.

Questions 97

Which of the following would BEST determine whether a post-implementation review (PIR) performed by the project management office (PMO) was effective?

Options:

A.  

Lessons learned were implemented.

B.  

Management approved the PIR report.

C.  

The review was performed by an external provider.

D.  

Project outcomes have been realized.

Questions 98

A system administrator recently informed the IS auditor about the occurrence of several unsuccessful intrusion attempts from outside the organization. Which of the following is MOST effective in detecting such an intrusion?

Options:

A.  

Periodically reviewing log files

B.  

Configuring the router as a firewall

C.  

Using smart cards with one-time passwords

D.  

Installing biometrics-based authentication

Questions 99

Which of the following BEST indicates the effectiveness of an organization's risk management program?

Options:

A.  

Inherent risk is eliminated.

B.  

Residual risk is minimized.

C.  

Control risk is minimized.

D.  

Overall risk is quantified.

Questions 100

Which of the following fire suppression systems needs to be combined with an automatic switch to shut down the electricity supply in the event of activation?

Options:

A.  

Carbon dioxide

B.  

FM-200

C.  

Dry pipe

D.  

Halon

Questions 101

Which of the following is the MOST important benefit of involving IS audit when implementing governance of enterprise IT?

Options:

A.  

Identifying relevant roles for an enterprise IT governance framework

B.  

Making decisions regarding risk response and monitoring of residual risk

C.  

Verifying that legal, regulatory, and contractual requirements are being met

D.  

Providing independent and objective feedback to facilitate improvement of IT processes

Questions 102

Which of the following is an executive management concern that could be addressed by the implementation of a security metrics dashboard?

Options:

A.  

Effectiveness of the security program

B.  

Security incidents vs. industry benchmarks

C.  

Total number of hours budgeted to security

D.  

Total number of false positives

Questions 103

An online retailer is receiving customer complaints about receiving different items from what they ordered on the organization's website. The root cause has been traced to poor data quality. Despite efforts to clean erroneous data from the system, multiple data quality issues continue to occur. Which of the following recommendations would be the BEST way to reduce the likelihood of future occurrences?

Options:

A.  

Assign responsibility for improving data quality.

B.  

Invest in additional employee training for data entry.

C.  

Outsource data cleansing activities to reliable third parties.

D.  

Implement business rules to validate employee data entry.

Questions 104

An IS auditor is reviewing an organization's information asset management process. Which of the following would be of GREATEST concern to the auditor?

Options:

A.  

The process does not require specifying the physical locations of assets.

B.  

Process ownership has not been established.

C.  

The process does not include asset review.

D.  

Identification of asset value is not included in the process.

Questions 105

Which of the following is the BEST data integrity check?

Options:

A.  

Counting the transactions processed per day

B.  

Performing a sequence check

C.  

Tracing data back to the point of origin

D.  

Preparing and running test data

Questions 106

Which of the following is the GREATEST concern associated with a high number of IT policy exceptions approved by management?

Options:

A.  

The exceptions are likely to continue indefinitely.

B.  

The exceptions may result in noncompliance.

C.  

The exceptions may elevate the level of operational risk.

D.  

The exceptions may negatively impact process efficiency.

Questions 107

Which of the following strategies BEST optimizes data storage without compromising data retention practices?

Options:

A.  

Limiting the size of file attachments being sent via email

B.  

Automatically deleting emails older than one year

C.  

Moving emails to a virtual email vault after 30 days

D.  

Allowing employees to store large emails on flash drives

Questions 108

The business case for an information system investment should be available for review until the:

Options:

A.  

information system investment is retired.

B.  

information system has reached end of life.

C.  

formal investment decision is approved.

D.  

benefits have been fully realized.

Questions 109

A new regulation requires organizations to report significant security incidents to the regulator within 24 hours of identification. Which of the following is the IS auditor's BEST recommendation to facilitate compliance with the regulation?

Options:

A.  

Include the requirement in the incident management response plan.

B.  

Establish key performance indicators (KPIs) for timely identification of security incidents.

C.  

Enhance the alert functionality of the intrusion detection system (IDS).

D.  

Engage an external security incident response expert for incident handling.

Questions 110

Which of the following is the GREATEST benefit of adopting an Agile audit methodology?

Options:

A.  

Better ability to address key risks

B.  

Less frequent client interaction

C.  

Annual cost savings

D.  

Reduced documentation requirements

Questions 111

Which of the following should be the PRIMARY focus when communicating an IS audit issue to management?

Options:

A.  

The risk to which the organization is exposed due to the issue

B.  

The nature, extent, and timing of subsequent audit follow-up

C.  

How the issue was found and who bears responsibility

D.  

A detailed solution for resolving the issue

Questions 112

A security review focused on data loss prevention (DLP) revealed the organization has no visibility into data stored in the cloud. What is the IS auditor's BEST recommendation to address this issue?

Options:

A.  

Enhance the firewall at the network perimeter.

B.  

Implement a file system scanner to discover data stored in the cloud.

C.  

Employ a cloud access security broker (CASB).

D.  

Utilize a DLP tool on desktops to monitor user activities.

Questions 113

Which of the following findings related to segregation of duties should be of GREATEST concern to an IS auditor?

Options:

A.  

The person who tests source code also approves changes.

B.  

The person who administers servers is also part of the infrastructure management team.

C.  

The person who creates new user accounts also modifies user access levels.

D.  

The person who edits source code also has write access to production.

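In practice the combinations listed above are found by running an access extract against a conflict matrix. The following Python is an added example, not from the original page: the entitlement names, the conflict matrix, its severity ranking and the access extract are all constructed. The extract deliberately includes a server administrator who is also on the infrastructure team (option B), which is the same function and not a segregation conflict, to show that such a user is not flagged.

```python
"""Segregation-of-duties check: a conflict matrix run over an access extract.

Added example; entitlement names, the matrix and the extract are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Entitlement pairs one person must not hold together, ranked by what the
# combination lets a single person do without anyone else looking.
CONFLICT_MATRIX: Dict[Tuple[str, str], str] = {
    ("src:edit", "prod:write"): "critical",   # change code and put it in production
    ("src:test", "chg:approve"): "high",      # test a change and approve it
    ("iam:create_user", "iam:modify_access"): "medium",
}

# Constructed access extract as an IAM export would give it: (user, entitlement)
ACCESS_EXTRACT: List[Tuple[str, str]] = [
    ("dev01", "src:edit"), ("dev01", "prod:write"),
    ("qa02", "src:test"), ("qa02", "chg:approve"),
    ("ops03", "srv:admin"), ("ops03", "infra:team"),   # same function, no conflict
    ("iam04", "iam:create_user"), ("iam04", "iam:modify_access"),
    ("dev05", "src:edit"),                               # one half of a pair only
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


def entitlements_by_user(extract):
    """Collapse the row-per-entitlement extract into one set per user."""
    users: Dict[str, Set[str]] = defaultdict(set)
    for user, entitlement in extract:
        users[user].add(entitlement)
    return users


def find_sod_violations(extract=ACCESS_EXTRACT, matrix=CONFLICT_MATRIX):
    """Return [(user, conflicting_pair, severity)], worst first."""
    hits = []
    for user, held in entitlements_by_user(extract).items():
        for pair, severity in matrix.items():
            if set(pair) <= held:          # the user holds both sides of the pair
                hits.append((user, pair, severity))
    return sorted(hits, key=lambda h: (SEVERITY_RANK[h[2]], h[0]))


if __name__ == "__main__":
    for user, pair, severity in find_sod_violations():
        print(f"{severity:8} {user}: {pair[0]} + {pair[1]}")
```

The ranking is the part worth arguing about with the auditee: a developer with write access to production can change what runs without any review at all, whereas the account-creation plus access-modification pair still leaves a trail in the IAM system that a periodic review can catch.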
Questions 114

Which of the following staff should an IS auditor interview FIRST to obtain a general overview of the various technologies used across different programs?

Options:

A.  

Technical architect

B.  

Enterprise architect

C.  

Program manager

D.  

Solution architect

Questions 115

Which of the following presents the GREATEST risk to an organization's ability to manage quality control (QC) processes?

Options:

A.  

Lack of segregation of duties

B.  

Lack of a dedicated QC function

C.  

Lack of policies and procedures

D.  

Lack of formal training and attestation

Questions 116

An organization is establishing a steering committee for the implementation of a new enterprise resource planning (ERP) system that uses Agile project management methodology. What is the MOST important criterion for the makeup of this committee?

Options:

A.  

Senior management representation

B.  

Ability to meet the time commitment required

C.  

Agile project management experience

D.  

ERP implementation experience

Questions 117

An organization's information security policies should be developed PRIMARILY on the basis of:

Options:

A.  

enterprise architecture (EA).

B.  

industry best practices.

C.  

a risk management process.

D.  

past information security incidents.

Questions 118

When an intrusion into an organization's network is detected, which of the following should be done FIRST?

Options:

A.  

Notify senior management.

B.  

Block all compromised network nodes.

C.  

Identify nodes that have been compromised.

D.  

Contact law enforcement.

Questions 119

What should be an IS auditor's PRIMARY focus when reviewing a patch management procedure in an environment where availability is a top priority?

Options:

A.  

Deployment automation to all servers

B.  

Technical skills of the deployment team

C.  

Comprehensive testing prior to deployment

D.  

Validity certification prior to deployment

Questions 120

During an IS audit of a data center, it was found that programmers are allowed to make emergency fixes to operational programs. Which of the following should be the IS auditor's PRIMARY recommendation?

Options:

A.  

Programmers should be allowed to implement emergency fixes only after obtaining verbal agreement from the application owner.

B.  

Emergency program changes should be subject to program migration and testing procedures before they are applied to operational systems.

C.  

Bypass user ID procedures should be put in place to ensure that the changes are subject to after-the-event approval and testing.

Questions 121

An IS auditor is reviewing a data conversion project. Which of the following is the auditor's BEST recommendation prior to go-live?

Options:

A.  

Conduct a mock conversion test.

B.  

Review test procedures and scenarios.

C.  

Automate the test scripts.

D.  

Establish a configuration baseline.

Questions 122

During an audit of payment services of a branch based in a foreign country, a large global bank's audit team identifies an opportunity to use data analytics techniques to identify abnormal payments. Which of the following is the team's MOST important course of action?

Options:

A.  

Consult the legal department to understand the procedure for requesting data from a different jurisdiction.

B.  

Conduct a walk-through of the analytical strategy with stakeholders of the audited branch to obtain their buy-in.

C.  

Request the data from the branch as the team audit charter covers the country where it is based.

D.  

Agree on a data extraction and sharing strategy with the IT team of the audited branch.

Questions 123

An IS auditor is reviewing a machine learning model that predicts the likelihood that a user will watch a certain movie. Which of the following would be of GREATEST concern to the auditor?

Options:

A.  

When the model was tested with data drawn from a different population, the accuracy decreased.

B.  

The data set for training the model was obtained from an unreliable source.

C.  

An open-source programming language was used to develop the model.

D.  

The model was tested with data drawn from the same population as the training data.

Questions 124

Which of the following practices associated with capacity planning provides the GREATEST assurance that future incidents related to existing server performance will be prevented?

Options:

A.  

Reviewing results from simulated high-demand stress test scenarios

B.  

Performing a root cause analysis for past performance incidents

C.  

Anticipating current service level agreements (SLAs) will remain unchanged

D.  

Duplicating existing disk drive systems to improve redundancy and data storage

Questions 125

Which of the following is the PRIMARY purpose of a rollback plan for a system change?

Options:

A.  

To ensure steps exist to remove the change if necessary

B.  

To ensure testing can be re-performed if required

C.  

To ensure a backup exists before implementing a change

D.  

To ensure the system change is effective

Questions 126

An IS auditor observes that a business-critical application does not currently have any level of fault tolerance. Which of the following is the GREATEST concern with this situation?

Options:

A.  

Decreased mean time between failures (MTBF)

B.  

Degradation of services

C.  

Limited tolerance for damage

D.  

Single point of failure

Questions 127

An IS auditor has been asked to review an event log aggregation system to ensure risk management practices have been applied. Which of the following should be of MOST concern to the auditor?

Options:

A.  

Log feeds are uploaded via batch process.

B.  

Completeness testing has not been performed on the log data.

C.  

The log data is not normalized.

D.  

Data encryption standards have not been considered.

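The sequence check of Questions 105 and the completeness testing of Questions 127 are one technique applied to a log feed: each forwarder numbers its events, so after aggregation the collector can see what never arrived and what arrived twice. The following Python is an added example, not from the original page; the log line format, host names and lines themselves are constructed. One caveat a practitioner would add: a per-host sequence check shows losses inside a stream that did report, not a host that never reported at all, and that second case needs a comparison against the inventory of expected sources.

```python
"""Completeness testing of an aggregated log feed with per-source sequence checks.

Added example; log format, host names and lines are constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed feed: each forwarder stamps its events with a monotonically
# increasing sequence number, so loss or duplication after aggregation is visible.
SAMPLE_FEED = """\
2025-01-10T08:00:01Z host=fw01 seq=1001 msg="policy accept"
2025-01-10T08:00:02Z host=fw01 seq=1002 msg="policy drop"
2025-01-10T08:00:02Z host=app02 seq=17 msg="login ok user=jdoe"
2025-01-10T08:00:04Z host=fw01 seq=1005 msg="policy drop"
2025-01-10T08:00:05Z host=app02 seq=18 msg="login fail user=root"
2025-01-10T08:00:05Z host=app02 seq=18 msg="login fail user=root"
this line lost its fields somewhere in the pipeline
2025-01-10T08:00:06Z host=app02 seq=19 msg="logout user=jdoe"
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) seq=(?P<seq>\d+) ")


def parse_feed(text):
    """Return ([(host, seq), ...], malformed_line_count)."""
    records, malformed = [], 0
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            malformed += 1          # unparseable lines are a completeness finding too
            continue
        records.append((match.group("host"), int(match.group("seq"))))
    return records, malformed


def sequence_check(records):
    """Per host: how many events arrived, which sequence numbers are missing
    between the first and last seen, and which arrived more than once."""
    per_host = defaultdict(list)
    for host, seq in records:
        per_host[host].append(seq)
    report = {}
    for host, seqs in per_host.items():
        counts = Counter(seqs)
        expected = range(min(seqs), max(seqs) + 1)
        report[host] = {
            "received": len(seqs),
            "missing": [s for s in expected if s not in counts],
            "duplicates": sorted(s for s, c in counts.items() if c > 1),
        }
    return report


def completeness_report(text=SAMPLE_FEED):
    """Sequence check plus the count of lines that could not be parsed."""
    records, malformed = parse_feed(text)
    report = sequence_check(records)
    report["_malformed_lines"] = malformed
    return report


if __name__ == "__main__":
    for source, detail in completeness_report().items():
        print(source, detail)
```

On the constructed feed the firewall stream is missing two events and the application stream carries one duplicate, neither of which is visible from an event count alone; the batch-versus-streaming question in option A of Questions 127 does not matter to this test, only whether the numbering survives the hop.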
Questions 128

A sample for testing must include the 80 largest client balances and a random sample of the rest. What should the IS auditor recommend?

Options:

A.  

Query the database.

B.  

Develop an integrated test facility (ITF).

C.  

Use generalized audit software.

D.  

Leverage a random number generator.

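The selection described above is a two-stratum sample: every one of the largest balances, then a random draw from what remains. The following Python is an added example, not from the original page; the population of client balances is constructed. It fixes the random seed so that a reviewer can regenerate exactly the same sample from the same extract, which is what a generalized audit tool records in the working papers.

```python
"""Two-stratum audit sample: the N largest balances plus a random sample of the rest.

Added example; the client population is constructed.
"""
import random

# Constructed population of (client_id, balance). The multiplier is coprime with
# the modulus, so every client gets a distinct balance and there are no ties.
POPULATION = [(f"C{i:04d}", (i * 7919) % 100000 + 100) for i in range(1, 501)]


def select_sample(population, top_n=80, random_n=40, seed=20250126):
    """Return (top_stratum, random_stratum) as lists of (client_id, balance).

    The top stratum is all of the top_n largest balances (full coverage of the
    high-value items); the random stratum is drawn only from what is left, so
    no item can be selected twice. The seed is written to the working papers
    so the exact sample can be regenerated by a reviewer.
    """
    if top_n + random_n > len(population):
        raise ValueError("sample is larger than the population")
    ranked = sorted(population, key=lambda row: row[1], reverse=True)
    top = ranked[:top_n]
    remainder = ranked[top_n:]
    rng = random.Random(seed)       # seeded: reproducible, not a security RNG
    rest = rng.sample(remainder, random_n)
    return top, rest


def coverage(population, top, rest):
    """Share of total balance value covered by the sample."""
    total = sum(b for _, b in population)
    sampled = sum(b for _, b in top) + sum(b for _, b in rest)
    return sampled / total


if __name__ == "__main__":
    top, rest = select_sample(POPULATION)
    print(f"top stratum: {len(top)} items, smallest balance {top[-1][1]}")
    print(f"random stratum: {len(rest)} items, "
          f"value coverage {coverage(POPULATION, top, rest):.1%}")
```

Two things to document with the sample: the cut-off balance at the boundary of the top stratum (if the real data has ties there, the rule for which tied items are included must be stated), and the seed. A query or a random number generator on its own gives one of the two strata; the value of doing both in one script is that the random draw is provably taken from the population minus the judgmental stratum.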
Questions 129

An IS auditor reviewing the system development life cycle (SDLC) finds there is no requirement for business cases. Which of the following should be of GREATEST concern to the organization?

Options:

A.  

Vendor selection criteria are not sufficiently evaluated.

B.  

Business resources have not been optimally assigned.

C.  

Business impacts of projects are not adequately analyzed.

D.  

Project costs exceed established budgets.

Questions 130

A source code repository should be designed to:

Options:

A.  

prevent changes from being incorporated into existing code.

B.  

prevent developers from accessing secure source code.

C.  

provide secure versioning and backup capabilities for existing code.

D.  

provide automatic incorporation and distribution of modified code.

Questions 131

Which type of review is MOST important to conduct when an IS auditor is informed that a recent internal exploitation of a bug has been discovered in a business application?

Options:

A.  

Penetration testing

B.  

Application security testing

C.  

Forensic audit

D.  

Server security audit

Questions 132

Which of the following is an IS auditor's BEST recommendation to mitigate the risk of eavesdropping associated with an application programming interface (API) integration implementation?

Options:

A.  

Encrypt the extensible markup language (XML) file.

B.  

Implement Transport Layer Security (TLS).

C.  

Mask the API endpoints.

D.  

Implement Simple Object Access Protocol (SOAP).

Questions 133

Which of the following technology trends can lead to more robust data loss prevention (DLP) tools?

Options:

A.  

Cloud computing

B.  

Robotic process automation (RPA)

C.  

Internet of Things (IoT)

D.  

Machine learning algorithms

Questions 134

Which of the following is the MOST appropriate responsibility of an IS auditor involved in a data center renovation project?

Options:

A.  

Performing independent reviews of responsible parties engaged in the project

B.  

Shortlisting vendors to perform renovations

C.  

Ensuring the project progresses as scheduled and milestones are achieved

D.  

Implementing data center operational controls

Questions 135

Following a merger, a review of an international organization determines the IT steering committee's decisions do not extend to regional offices as required in the consolidated IT operating model. Which of the following is the IS auditor's BEST recommendation?

Options:

A.  

Create regional centers of excellence.

B.  

Engage an IT governance consultant.

C.  

Create regional IT steering committees.

D.  

Update the IT steering committee's formal charter.

Questions 136

An IS auditor is reviewing database fields updated in real-time and displayed through other applications in multiple organizational functions. When validating business approval for these various use cases, which of the following sources of information would be the BEST starting point?

Options:

A.  

Network map from the network administrator

B.  

Historical database change log records

C.  

List of integrations from the database administrator (DBA)

D.  

Business process flow from management

Questions 137

Which of the following is a PRIMARY function of an intrusion detection system (IDS)?

Options:

A.  

Predicting an attack before it occurs

B.  

Alerting when a scheduled backup job fails

C.  

Blocking malicious network traffic

D.  

Warning when executable programs are modified

Questions 138

Which of the following BEST enables an IS auditor to confirm the batch processing to post transactions from an input source is successful?

Options:

A.  

Error log review

B.  

Total number of items

C.  

Hash totals

D.  

Aggregate monetary amount

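Options B, C and D above are the three classic batch control totals. The following Python is an added example, not from the original page, computing all three over a constructed input batch and comparing them with the batch as posted. It shows why a hash total (here the sum of account numbers, a field with no monetary meaning) catches a posting error that the record count and the monetary total both miss: an account number transposed during posting, which also writes nothing to an error log.

```python
"""Batch balancing: record count, monetary total and hash total, input vs posted.

Added example; the account numbers and amounts are constructed.
"""
from decimal import Decimal

# Constructed input batch: (account_number, amount)
INPUT_BATCH = [
    ("1000234", Decimal("125.00")),
    ("1000981", Decimal("-40.25")),
    ("1002210", Decimal("900.00")),
    ("1000455", Decimal("15.10")),
]


def control_totals(batch):
    """Three independent totals over a batch.

    The hash total sums a non-financial field (the account number). The sum
    means nothing to the business, which is the point: it changes whenever a
    key field is mis-keyed, a record is dropped, or one is posted twice.
    """
    return {
        "count": len(batch),
        "amount": sum((amt for _, amt in batch), Decimal("0")),
        "hash_total": sum(int(acct) for acct, _ in batch),
    }


def reconcile(input_batch, posted_batch):
    """Names of the totals that disagree between input and posted output."""
    before, after = control_totals(input_batch), control_totals(posted_batch)
    return [name for name in before if before[name] != after[name]]


def posted_with_transposed_account(batch=INPUT_BATCH):
    """Failure mode: one record posted to account 1000918 instead of 1000981.
    Count and monetary total still balance; no error is logged."""
    posted = list(batch)
    _, amount = posted[1]
    posted[1] = ("1000918", amount)
    return posted


def posted_with_dropped_record(batch=INPUT_BATCH):
    """Failure mode: the last record never posted."""
    return list(batch[:-1])


if __name__ == "__main__":
    print(control_totals(INPUT_BATCH))
    print("transposed account ->", reconcile(INPUT_BATCH, posted_with_transposed_account()))
    print("dropped record     ->", reconcile(INPUT_BATCH, posted_with_dropped_record()))
```

The dropped-record case trips all three totals, so any of them would do for that error; the transposed account trips only the hash total, which is why it is the one an auditor asks to see reconciled end to end.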
Questions 139

An IS auditor is supporting a forensic investigation. An image of affected storage media has been captured while collecting digital forensic evidence. Which of the following techniques would BEST enable an IS auditor to verify that the captured image is an exact, unchanged replica of the original media?

Options:

A.  

Hash value

B.  

Access control list

C.  

File allocation table

D.  

Size of the file

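For the verification described above, the check is a cryptographic hash taken at acquisition and recomputed over the image. The following Python is an added example, not from the original page; the "media" is a constructed byte string standing in for a block device read behind a write blocker. It also shows why file size (option D) is not a control: one flipped byte leaves the size unchanged and the hash different.

```python
"""Verifying a forensic image against its source with a cryptographic hash.

Added example; ORIGINAL_MEDIA is a constructed byte string standing in for a
block device imaged behind a write blocker.
"""
import hashlib

ORIGINAL_MEDIA = bytes(range(256)) * 64      # 16 KiB of constructed "disk"


def sha256_of(data, chunk_size=4096):
    """Chunked hashing: a real image is gigabytes and is streamed, not loaded."""
    digest = hashlib.sha256()
    for offset in range(0, len(data), chunk_size):
        digest.update(data[offset:offset + chunk_size])
    return digest.hexdigest()


def acquire_image(media):
    """Bit-for-bit copy plus the acquisition hash that goes into the
    chain-of-custody record at the moment of imaging."""
    return bytes(media), sha256_of(media)


def verify_image(image, acquisition_hash):
    """True only if the image hashes to exactly the value recorded at acquisition."""
    return sha256_of(image) == acquisition_hash


def flip_one_byte(image, offset=777):
    """Simulated alteration: same length, one bit different."""
    altered = bytearray(image)
    altered[offset] ^= 0x01
    return bytes(altered)


def compare(original, candidate):
    """What each candidate check can and cannot see."""
    return {
        "same_size": len(original) == len(candidate),
        "same_hash": sha256_of(original) == sha256_of(candidate),
    }


if __name__ == "__main__":
    image, recorded = acquire_image(ORIGINAL_MEDIA)
    print("verified:", verify_image(image, recorded))
    print("after one flipped byte:", compare(ORIGINAL_MEDIA, flip_one_byte(image)))
```

The value the auditor wants to see is the hash written down at acquisition, independently of the image file, and then recomputed in front of them; a hash stored only inside the same evidence container proves nothing about the container.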
Questions 140

Which of the following is MOST important to the effectiveness of smoke detectors installed in a data processing facility?

Options:

A.  

Detectors trigger audible alarms when activated.

B.  

Detectors have the correct industry certification.

C.  

Detectors are linked to dry pipe fire suppression systems.

D.  

Detectors are linked to wet pipe fire suppression systems.

Questions 141

External audits have identified recurring exceptions in the user termination process, despite similar internal audits having reported no exceptions in the past. Which of the following is the IS auditor's BEST course of action to improve the internal audit process in the future?

Options:

A.  

Include the user termination process in all upcoming audits.

B.  

Review user termination process changes.

C.  

Review the internal audit sampling methodology.

D.  

Review control self-assessment (CSA) results.

Questions 142

Which of the following tasks would cause the GREATEST segregation of duties (SoD) concern if performed by the person who reconciles the organization's device inventory?

Options:

A.  

Tracking devices used for spare parts

B.  

Creating the device policy

C.  

Issuing devices to employees

D.  

Approving the issuing of devices

Questions 143

Data from a system of sensors located outside of a network is received by the open ports on a server. Which of the following is the BEST way to ensure the integrity of the data being collected from the sensor system?

Options:

A.  

Route the traffic from the sensor system through a proxy server.

B.  

Hash the data that is transmitted from the sensor system.

C.  

Implement network address translation on the sensor system.

D.  

Transmit the sensor data via a virtual private network (VPN) to the server.

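The sensor question above deserves a caveat: a plain hash sent alongside the data (option B) does not protect against an attacker on the path, who alters the reading and simply recomputes the hash. What gives integrity is a keyed MAC under a secret provisioned on both ends, plus a sequence number so a captured message cannot be replayed. The following Python is an added example, not from the original page; the key, sensor names and readings are constructed.

```python
"""Integrity of sensor telemetry: an unkeyed hash versus a keyed MAC.

Added example; the key, sensor names and readings are constructed.
"""
import hashlib
import hmac
import json

# Constructed shared secret provisioned on the sensor and on the collector.
# A real deployment uses a per-device key from a CSPRNG, not a literal.
SENSOR_KEY = b"constructed-demo-key-do-not-use-in-production"


def canonical(reading):
    """Deterministic encoding so both ends authenticate the same bytes."""
    return json.dumps(reading, sort_keys=True, separators=(",", ":")).encode()


def send_with_hash(reading):
    """Option B style: the reading plus a plain SHA-256 of it."""
    body = canonical(reading)
    return {"body": body, "tag": hashlib.sha256(body).hexdigest()}


def verify_hash_only(msg):
    return hashlib.sha256(msg["body"]).hexdigest() == msg["tag"]


def send_with_mac(reading, key=SENSOR_KEY):
    """The reading plus an HMAC-SHA256 under the shared key."""
    body = canonical(reading)
    return {"body": body, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_mac(msg, key=SENSOR_KEY):
    expected = hmac.new(key, msg["body"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["tag"])   # constant-time compare


def tamper_in_transit(msg, new_value):
    """An attacker between sensor and server rewrites the value and, having no
    key, does the only thing available: recomputes a plain hash."""
    reading = json.loads(msg["body"])
    reading["value"] = new_value
    body = canonical(reading)
    return {"body": body, "tag": hashlib.sha256(body).hexdigest()}


class Collector:
    """Server side: accepts a message only if the MAC verifies and its sequence
    number is newer than the last one seen from that sensor (replay defence)."""

    def __init__(self, key=SENSOR_KEY):
        self.key = key
        self.last_seq = {}

    def accept(self, msg):
        if not verify_mac(msg, self.key):
            return False
        reading = json.loads(msg["body"])
        sensor, seq = reading["sensor"], reading["seq"]
        if seq <= self.last_seq.get(sensor, -1):
            return False
        self.last_seq[sensor] = seq
        return True


if __name__ == "__main__":
    reading = {"sensor": "temp-07", "seq": 41, "value": 21.5}
    print("hash-only, tampered, still verifies:",
          verify_hash_only(tamper_in_transit(send_with_hash(reading), 99.0)))
    print("MAC, tampered, verifies:",
          verify_mac(tamper_in_transit(send_with_mac(reading), 99.0)))
```

A VPN (option D) achieves the same end by putting the MAC, and encryption, in the tunnel rather than in the application message; the choice between the two is about where the keys live and whether the sensors can run the tunnel, not about whether a bare hash would have been enough.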
Questions 144

A steering committee established to oversee an organization's digital transformation program is MOST likely to be involved with which of the following activities?

Options:

A.  

Preparing project status reports

B.  

Designing interface controls

C.  

Reviewing escalated project issues

D.  

Documenting requirements

Questions 145

Which of the following controls helps to ensure that data extraction queries run by the database administrator (DBA) are monitored?

Options:

A.  

Restricting access to DBA activities

B.  

Performing periodic access reviews

C.  

Storing logs of database access

D.  

Reviewing activity logs of the DBA

Questions 146

The waterfall life cycle model of software development is BEST suited for which of the following situations?

Options:

A.  

The project will involve the use of new technology.

B.  

The project intends to apply an object-oriented design approach.

C.  

The project requirements are well understood.

D.  

The project is subject to time pressures.

Questions 147

The PRIMARY reason to assign data ownership for protection of data is to establish:

Options:

A.  

reliability.

B.  

traceability.

C.  

authority.

D.  

accountability.

Questions 148

Which of the following non-audit activities may impair an IS auditor's independence and objectivity?

Options:

A.  

Evaluating a third-party customer satisfaction survey

B.  

Providing advice on an IT project management framework

C.  

Designing security controls for a new cloud-based workforce management system

D.  

Reviewing secure software development guidelines adopted by an organization

Questions 149

An IS audit team is evaluating documentation of the most recent application user access review. It is determined that the user list was not system-generated. Which of the following should be of MOST concern?

Options:

A.  

Confidentiality of the user list

B.  

Timeliness of the user list review

C.  

Completeness of the user list

D.  

Availability of the user list

Questions 150

Which of the following roles is PRIMARILY responsible for mitigating the risk of benefits not being realized in an IT project?

Options:

A.  

Project sponsor

B.  

Project manager

C.  

Quality assurance (QA) manager

D.  

Chief risk officer (CRO)

Questions 151

Which of the following should be done FIRST when creating a data protection program?

Options:

A.  

Implement data loss prevention (DLP) controls.

B.  

Perform classification based on standards.

C.  

Deploy intrusion detection systems (IDS).

D.  

Test logical access controls for effectiveness.

Questions 152

During a follow-up engagement, an IS auditor confirms evidence of a problem that was not an issue in the original audit. Which of the following is the auditor's BEST course of action?

Options:

A.  

Include the evidence as part of a future audit.

B.  

Report only on the areas within the scope of the follow-up.

C.  

Report the risk to management in the follow-up report.

D.  

Expand the follow-up scope to include examining the evidence.

Questions 153

Which of the following should be an IS auditor's PRIMARY consideration when determining which issues to include in an audit report?

Options:

A.  

Professional skepticism

B.  

Management's agreement

C.  

Materiality

D.  

Inherent risk

Questions 154

An IS auditor learns that a business owner violated the organization's security policy by creating a web page with access to production data. The auditor's NEXT step should be to:

Options:

A.  

determine if sufficient access controls exist.

B.  

assess the sensitivity of the production data.

C.  

shut down the web page.

D.  

escalate to senior management.

Questions 155

The process of applying a hash function to a message and obtaining and ciphering a digest refers to:

Options:

A.  

digital certificates.

B.  

digital signatures.

C.  

public key infrastructure (PKI).

D.  

authentication.

Questions 156

Which of the following is MOST important when defining the IS audit scope?

Options:

A.  

Minimizing the time and cost to the organization of IS audit procedures

B.  

Involving business in the formulation of the scope statement

C.  

Aligning the IS audit procedures with IT management priorities

D.  

Understanding the relationship between IT and business risks

Questions 157

When building or upgrading enterprise cryptographic infrastructure, which of the following is the MOST critical requirement for growing business environments?

Options:

A.  

Service discovery

B.  

Backup and restoration capabilities

C.  

Network throttling

D.  

Scalable architectures and systems

Questions 158

Which type of control has been established when an organization implements a security information and event management (SIEM) system?

Options:

A.  

Preventive

B.  

Detective

C.  

Directive

D.  

Corrective

Questions 159

Which of the following is the PRIMARY reason for using a digital signature?

Options:

A.  

Provide availability to the transmission

B.  

Authenticate the sender of a message

C.  

Provide confidentiality to the transmission

D.  

Verify the integrity of the data and the identity of the recipient

Questions 160

An incident response team has been notified of a virus outbreak in a network subnet. Which of the following should be the NEXT step?

Options:

A.  

Focus on limiting the damage.

B.  

Remove and restore the affected systems.

C.  

Verify that the compromised systems are fully functional.

D.  

Document the incident.

Questions 161

Which of the following is the PRIMARY benefit of monitoring IT operational logs?

Options:

A.  

Detecting processing errors in a timely manner

B.  

Identifying configuration flaws in operating systems

C.  

Managing the usability and capacity of IT resources

D.  

Generating exception reports to assess security compliance

Questions 162

Which of the following is the GREATEST impact as a result of the ongoing deterioration of a detective control?

Options:

A.  

Decreased effectiveness of root cause analysis

B.  

Decreased overall recovery time

C.  

Increased number of false negatives in security logs

D.  

Increased demand for storage space for logs

Questions 163

Which of the following should be the GREATEST concern to an IS auditor reviewing an organization's job scheduling practices?

Options:

A.  

Most jobs are run manually.

B.  

Jobs are executed during working hours.

C.  

Job dependencies are undefined.

D.  

Job processing procedures are missing.

Questions 164

Which of the following BEST indicates to an IS auditor that an organization handles emergency changes appropriately and transparently?

Options:

A.  

The application operations manual contains procedures to ensure emergency fixes do not compromise system integrity.

B.  

Special logon IDs are used to grant programmers permanent access to the production environment.

C.  

Change management controls are retroactively applied.

D.  

Emergency changes are applied to production libraries immediately.

Questions 165

A senior IS auditor suspects that a PC may have been used to perpetrate fraud in a finance department. The auditor should FIRST report this suspicion to:

Options:

A.  

the audit committee.

B.  

audit management.

C.  

auditee line management.

D.  

the police.

Questions 166

Which of the following is the BEST disposal method for flash drives that previously stored confidential data?

Options:

A.  

Destruction

B.  

Degaussing

C.  

Cryptographic erasure

D.  

Overwriting

Questions 167

Which of the following will provide the GREATEST assurance to IT management that a quality management system (QMS) is effective?

Options:

A.  

A high percentage of stakeholders satisfied with the quality of IT

B.  

A high percentage of incidents being quickly resolved

C.  

A high percentage of IT processes reviewed by quality assurance (QA)

D.  

A high percentage of IT employees attending quality training

Questions 168

Which of the following is the BEST indicator that a third-party vendor adheres to the controls required by the organization?

Options:

A.  

Review of monthly performance reports submitted by the vendor

B.  

Certifications maintained by the vendor

C.  

Regular independent assessment of the vendor

D.  

Substantive log file review of the vendor's system

Questions 169

Which of the following features of a library control software package would protect against unauthorized updating of source code?

Options:

A.  

Required approvals at each life cycle step

B.  

Date and time stamping of source and object code

C.  

Access controls for source libraries

D.  

Release-to-release comparison of source code

Questions 170

Which of the following would be of GREATEST concern when reviewing an organization's security information and event management (SIEM) solution?

Options:

A.  

SIEM reporting is customized.

B.  

SIEM configuration is reviewed annually

C.  

The SIEM is decentralized.

D.  

SIEM reporting is ad hoc.

Questions 171

Which of the following is necessary for effective risk management in IT governance?

Options:

A.  

Local managers are solely responsible for risk evaluation.

B.  

IT risk management is separate from corporate risk management.

C.  

Risk management strategy is approved by the audit committee.

D.  

Risk evaluation is embedded in management processes.

Questions 172

An IS auditor assessing the controls within a newly implemented call center would FIRST:

Options:

A.  

gather information from the customers regarding response times and quality of service.

B.  

review the manual and automated controls in the call center.

C.  

test the technical infrastructure at the call center.

D.  

evaluate the operational risk associated with the call center.

Questions 173

An IS auditor discovers that an IT organization serving several business units assigns equal priority to all initiatives, creating a risk of delays in securing project funding. Which of the following would be MOST helpful in matching demand for projects and services with available resources in a way that supports business objectives?

Options:

A.  

Project management

B.  

Risk assessment results

C.  

IT governance framework

D.  

Portfolio management

Questions 174

Which of the following would be MOST effective to protect information assets in a data center from theft by a vendor?

Options:

A.  

Monitor and restrict vendor activities

B.  

Issue an access card to the vendor.

C.  

Conceal data devices and information labels

D.  

Restrict use of portable and wireless devices.

Questions 175

A post-implementation review was conducted by issuing a survey to users. Which of the following should be of GREATEST concern to an IS auditor?

Options:

A.  

The survey results were not presented in detail to management.

B.  

The survey questions did not address the scope of the business case.

C.  

The survey form template did not allow additional feedback to be provided.

D.  

The survey was issued to employees a month after implementation.

Questions 176

A review of Internet security disclosed that users have individual user accounts with Internet service providers (ISPs) and use these accounts for downloading business data. The organization wants to ensure that only the corporate network is used. The organization should FIRST:

Options:

A.  

use a proxy server to filter out Internet sites that should not be accessed.

B.  

keep a manual log of Internet access.

C.  

monitor remote access activities.

D.  

include a statement in its security policy about Internet use.

Questions 177

Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization's information security policy?

Options:

A.  

IT steering committee minutes

B.  

Business objectives

C.  

Alignment with the IT tactical plan

D.  

Compliance with industry best practice

Questions 178

An organization allows its employees to use personal mobile devices for work. Which of the following would BEST maintain information security without compromising employee privacy?

Options:

A.  

Installing security software on the devices

B.  

Partitioning the work environment from personal space on devices

C.  

Preventing users from adding applications

D.  

Restricting the use of devices for personal purposes during working hours

Questions 179

Which of the following should be the FIRST step in the incident response process for a suspected breach?

Options:

A.  

Inform potentially affected customers of the security breach

B.  

Notify business management of the security breach.

C.  

Research the validity of the alerted breach

D.  

Engage a third party to independently evaluate the alerted breach.

Questions 180

Which of the following is MOST important to determine during the planning phase of a cloud-based messaging and collaboration platform acquisition?

Options:

A.  

Role-based access control policies

B.  

Types of data that can be uploaded to the platform

C.  

Processes for on-boarding and off-boarding users to the platform

D.  

Processes for reviewing administrator activity

Questions 181

What should an IS auditor do FIRST when management responses to an in-person internal control questionnaire indicate a key internal control is no longer effective?

Options:

A.  

Determine the resources required to make the control effective.

B.  

Validate the overall effectiveness of the internal control.

C.  

Verify the impact of the control no longer being effective.

D.  

Ascertain the existence of other compensating controls.

Questions 182

Which of the following is MOST important to ensure that electronic evidence collected during a forensic investigation will be admissible in future legal proceedings?

Options:

A.  

Restricting evidence access to professionally certified forensic investigators

B.  

Documenting evidence handling by personnel throughout the forensic investigation

C.  

Performing investigative procedures on the original hard drives rather than images of the hard drives

D.  

Engaging an independent third party to perform the forensic investigation

Questions 183

A credit card company has decided to outsource the printing of customer statements. It is MOST important for the company to verify whether:

Options:

A.  

the provider has alternate service locations.

B.  

the contract includes compensation for deficient service levels.

C.  

the provider's information security controls are aligned with the company's.

D.  

the provider adheres to the company's data retention policies.

Questions 184

What should an IS auditor do FIRST upon discovering that a service provider did not notify its customers of a security breach?

Options:

A.  

Notify law enforcement of the finding.

B.  

Require the third party to notify customers.

C.  

The audit report with a significant finding.

D.  

Notify audit management of the finding.

Questions 185

When reviewing a data classification scheme, it is MOST important for an IS auditor to determine if:

Options:

A.  

each information asset is assigned to a different classification.

B.  

the security criteria are clearly documented for each classification.

C.  

senior IT managers are identified as information owners.

D.  

the information owner is required to approve access to the asset.

Questions 186

What would be an IS auditor's BEST recommendation upon finding that a third-party IT service provider hosts the organization's human resources (HR) system in a foreign country?

Options:

A.  

Perform background verification checks.

B.  

Review third-party audit reports.

C.  

Implement change management review.

D.  

Conduct a privacy impact analysis.

Questions 187

During a follow-up audit, an IS auditor finds that some critical recommendations have the IS auditor's BEST course of action?

Options:

A.  

Require the auditee to address the recommendations in full.

B.  

Adjust the annual risk assessment accordingly.

C.  

Evaluate senior management's acceptance of the risk.

D.  

Update the audit program based on management's acceptance of risk.

Questions 188

Which of the following is the MOST effective way for an organization to help ensure agreed-upon action plans from an IS audit will be implemented?

Options:

A.  

Ensure sufficient audit resources are allocated.

B.  

Communicate audit results organization-wide.

C.  

Ensure ownership is assigned.

D.  

Test corrective actions upon completion.

Questions 189

An IS auditor finds that one employee has unauthorized access to confidential data. The IS auditor's BEST recommendation should be to:

Options:

A.  

reclassify the data to a lower level of confidentiality.

B.  

require the business owner to conduct regular access reviews.

C.  

implement a strong password schema for users.

D.  

recommend corrective actions to be taken by the security administrator.

Questions 190

Which of the following would BEST ensure that a backup copy is available for restoration of mission-critical data after a disaster?

Options:

A.  

Use an electronic vault for incremental backups

B.  

Deploy a fully automated backup maintenance system.

C.  

Periodically test backups stored in a remote location

D.  

Use both tape and disk backup systems

Questions 191

Which of the following should an IS auditor expect to see in a network vulnerability assessment?

Options:

A.  

Misconfiguration and missing updates

B.  

Malicious software and spyware

C.  

Zero-day vulnerabilities

D.  

Security design flaws

Questions 192

A review of an organization's IT portfolio revealed several applications that are not in use. The BEST way to prevent this situation from recurring would be to implement:

Options:

A.  

A formal request for proposal (RFP) process

B.  

Business case development procedures

C.  

An information asset acquisition policy

D.  

Asset life cycle management

Questions 193

What is the GREATEST concern for an IS auditor reviewing contracts for licensed software that executes a critical business process?

Options:

A.  

The contract does not contain a right-to-audit clause.

B.  

An operational level agreement (OLA) was not negotiated.

C.  

Several vendor deliverables missed the commitment date.

D.  

Software escrow was not negotiated.

Questions 194

Which of the following is the GREATEST risk of using a reciprocal site for disaster recovery?

Options:

A.  

Inability to utilize the site when required

B.  

Inability to test the recovery plans onsite

C.  

Equipment compatibility issues at the site

D.  

Mismatched organizational security policies

Questions 195

Which of the following is the BEST way to ensure that business continuity plans (BCPs) will work effectively in the event of a major disaster?

Options:

A.  

Prepare detailed plans for each business function.

B.  

Involve staff at all levels in periodic paper walk-through exercises.

C.  

Regularly update business impact assessments.

D.  

Make senior managers responsible for their plan sections.

Questions 196

Which task should an IS auditor complete FIRST during the preliminary planning phase of a database security review?

Options:

A.  

Perform a business impact analysis (BIA).

B.  

Determine which databases will be in scope.

C.  

Identify the most critical database controls.

D.  

Evaluate the types of databases being used.

Questions 197

In response to an audit finding regarding a payroll application, management implemented a new automated control. Which of the following would be MOST helpful to the IS auditor when evaluating the effectiveness of the new control?

Options:

A.  

Approved test scripts and results prior to implementation

B.  

Written procedures defining processes and controls

C.  

Approved project scope document

D.  

A review of tabletop exercise results

Questions 198

When verifying the accuracy and completeness of migrated data for a new application system replacing a legacy system, it is MOST effective for an IS auditor to review:

Options:

A.  

data analytics findings.

B.  

audit trails.

C.  

acceptance testing results.

D.  

rollback plans.

Questions 199

Which of the following will BEST ensure that a proper cutoff has been established to reinstate transactions and records to their condition just prior to a computer system failure?

Options:

A.  

Rotating backup copies of transaction files offsite

B.  

Using a database management system (DBMS) to dynamically back-out partially processed transactions

C.  

Maintaining system console logs in electronic format

D.  

Ensuring bisynchronous capabilities on all transmission lines

Questions 200

Which of the following would BEST enable an organization to address the security risks associated with a recently implemented bring your own device (BYOD) strategy?

Options:

A.  

Mobile device tracking program

B.  

Mobile device upgrade program

C.  

Mobile device testing program

D.  

Mobile device awareness program

Questions 201

Which of the following is the PRIMARY advantage of using virtualization technology for corporate applications?

Options:

A.  

Improved disaster recovery

B.  

Better utilization of resources

C.  

Stronger data security

D.  

Increased application performance

Questions 202

The PRIMARY role of a control self-assessment (CSA) facilitator is to:

Options:

A.  

conduct interviews to gain background information.

B.  

focus the team on internal controls.

C.  

report on the internal control weaknesses.

D.  

provide solutions for control weaknesses.

Questions 203

Which of the following BEST facilitates the legal process in the event of an incident?

Options:

A.  

Right to perform e-discovery

B.  

Advice from legal counsel

C.  

Preserving the chain of custody

D.  

Results of a root cause analysis

Questions 204

Which of the following should be of GREATEST concern for an IS auditor reviewing an organization's disaster recovery plan (DRP)?

Options:

A.  

The DRP has not been formally approved by senior management.

B.  

The DRP has not been distributed to end users.

C.  

The DRP has not been updated since an IT infrastructure upgrade.

D.  

The DRP contains recovery procedures for critical servers only.

Questions 205

An IS auditor is reviewing the installation of a new server. The IS auditor's PRIMARY objective is to ensure that:

Options:

A.  

security parameters are set in accordance with the manufacturer's standards.

B.  

a detailed business case was formally approved prior to the purchase.

C.  

security parameters are set in accordance with the organization's policies.

D.  

the procurement project invited tenders from at least three different suppliers.

Questions 206

Which of the following should be the IS auditor's PRIMARY focus when evaluating an organization's offsite storage facility?

Options:

A.  

Shared facilities

B.  

Adequacy of physical and environmental controls

C.  

Results of business continuity plan (BCP) test

D.  

Retention policy and period

Questions 207

An IS auditor plans to review all access attempts to a video-monitored and proximity card-controlled communications room. Which of the following would be MOST useful to the auditor?

Options:

A.  

Alarm system with CCTV

B.  

Access control log

C.  

Security incident log

D.  

Access card allocation records

Questions 208

Which of the following is a corrective control?

Options:

A.  

Separating equipment for development, testing, and production

B.  

Verifying duplicate calculations in data processing

C.  

Reviewing user access rights for segregation

D.  

Executing emergency response plans

Questions 209

Which of the following is the BEST way to enforce the principle of least privilege on a server containing data with different security classifications?

Options:

A.  

Limiting access to the data files based on frequency of use

B.  

Obtaining formal agreement by users to comply with the data classification policy

C.  

Applying access controls determined by the data owner

D.  

Using scripted access control lists to prevent unauthorized access to the server

Questions 210

During an audit of an organization's risk management practices, an IS auditor finds several documented IT risk acceptances have not been renewed in a timely manner after the assigned expiration date. When assessing the severity of this finding, which mitigating factor would MOST significantly minimize the associated impact?

Options:

A.  

There are documented compensating controls over the business processes.

B.  

The risk acceptances were previously reviewed and approved by appropriate senior management.

C.  

The business environment has not significantly changed since the risk acceptances were approved.

D.  

The risk acceptances with issues reflect a small percentage of the total population.

Questions 211

Which of the following would MOST effectively help to reduce the number of repeated incidents in an organization?

Options:

A.  

Testing incident response plans with a wide range of scenarios

B.  

Prioritizing incidents after impact assessment.

C.  

Linking incidents to problem management activities

D.  

Training incident management teams on current incident trends

Questions 212

Which of the following is MOST important for an IS auditor to look for in a project feasibility study?

Options:

A.  

An assessment of whether requirements will be fully met

B.  

An assessment indicating security controls will operate effectively

C.  

An assessment of whether the expected benefits can be achieved

D.  

An assessment indicating the benefits will exceed the implement

Questions 213

Management receives information indicating a high level of risk associated with potential flooding near the organization's data center within the next few years. As a result, a decision has been made to move data center operations to another facility on higher ground. Which approach has been adopted?

Options:

A.  

Risk avoidance

B.  

Risk transfer

C.  

Risk acceptance

D.  

Risk reduction

Questions 214

An audit identified that a computer system is not assigning sequential purchase order numbers to order requests. The IS auditor is conducting an audit follow-up to determine if management has resolved this finding. Which of the following is the MOST reliable follow-up procedure?

Options:

A.  

Review the documentation of recent changes to implement sequential order numbering.

B.  

Inquire with management if the system has been configured and tested to generate sequential order numbers.

C.  

Inspect the system settings and transaction logs to determine if sequential order numbers are generated.

D.  

Examine a sample of system-generated purchase orders obtained from management.

Questions 215

An IS auditor reviewing the threat assessment for a data center would be MOST concerned if:

Options:

A.  

some of the identified threats are unlikely to occur.

B.  

all identified threats relate to external entities.

C.  

the exercise was completed by local management.

D.  

neighboring organizations' operations have been included.

Questions 216

An IS auditor has been asked to advise on measures to improve IT governance within the organization. Which of the following is the BEST recommendation?

Options:

A.  

Implement key performance indicators (KPIs).

B.  

Implement annual third-party audits.

C.  

Benchmark organizational performance against industry peers.

D.  

Require executive management to draft IT strategy.

Questions 217

What is the PRIMARY purpose of documenting audit objectives when preparing for an engagement?

Options:

A.  

To address the overall risk associated with the activity under review

B.  

To identify areas with relatively high probability of material problems

C.  

To help ensure maximum use of audit resources during the engagement

D.  

To help prioritize and schedule auditee meetings

Questions 218

Which of the following types of environmental equipment will MOST likely be deployed below the floor tiles of a data center?

Options:

A.  

Temperature sensors

B.  

Humidity sensors

C.  

Water sensors

D.  

Air pressure sensors

Questions 219

An IS auditor has completed the fieldwork phase of a network security review and is preparing the initial following findings should be ranked as the HIGHEST risk?

Options:

A.  

Network penetration tests are not performed.

B.  

The network firewall policy has not been approved by the information security officer.

C.  

Network firewall rules have not been documented.

D.  

The network device inventory is incomplete.

Questions 220

A warehouse employee of a retail company has been able to conceal the theft of inventory items by entering adjustments of either damaged or lost stock items to the inventory system. Which control would have BEST prevented this type of fraud in a retail environment?

Options:

A.  

Separate authorization for input of transactions

B.  

Statistical sampling of adjustment transactions

C.  

Unscheduled audits of lost stock lines

D.  

An edit check for the validity of the inventory transaction

Questions 221

During the planning phase of a data loss prevention (DLP) audit, management expresses a concern about mobile computing. Which of the following should the IS auditor identify as the associated risk?

Options:

A.  

The use of the cloud negatively impacting IT availability

B.  

Increased need for user awareness training

C.  

Increased vulnerability due to anytime, anywhere accessibility

D.  

Lack of governance and oversight for IT infrastructure and applications

Questions 222

Which of the following should be of GREATEST concern to an IS auditor reviewing a network printer disposal process?

Options:

A.  

Disposal policies and procedures are not consistently implemented.

B.  

Evidence is not available to verify printer hard drives have been sanitized prior to disposal.

C.  

Business units are allowed to dispose printers directly to

D.  

Inoperable printers are stored in an unsecured area.

Questions 223

Which of the following BEST helps to ensure data integrity across system interfaces?

Options:

A.  

Environment segregation

B.  

Reconciliation

C.  

System backups

D.  

Access controls

Questions 224

The PRIMARY objective of value delivery in reference to IT governance is to:

Options:

A.  

promote best practices.

B.  

increase efficiency.

C.  

optimize investments.

D.  

ensure compliance.

Questions 225

Which of the following controls BEST ensures appropriate segregation of duties within an accounts payable department?

Options:

A.  

Restricting program functionality according to user security profiles

B.  

Restricting access to update programs to accounts payable staff only

C.  

Including the creator’s user ID as a field in every transaction record created

D.  

Ensuring that audit trails exist for transactions

Questions 226

An IS auditor reviewing security incident processes realizes incidents are resolved and closed, but root causes are not investigated. Which of the following should be the MAJOR concern with this situation?

Options:

A.  

Abuses by employees have not been reported.

B.  

Lessons learned have not been properly documented.

C.  

Vulnerabilities have not been properly addressed.

D.  

Security incident policies are out of date.

Questions 227

A company has implemented an IT segregation of duties policy. In a role-based environment, which of the following roles may be assigned to an application developer?

Options:

A.  

IT operator

B.  

System administration

C.  

Emergency support

D.  

Database administration

Questions 228

An IS auditor has discovered that a software system still in regular use is years out of date and no longer supported. The auditee has stated that it will take six months until the software is running on the current version. Which of the following is the BEST way to reduce the immediate risk associated with using an unsupported version of the software?

Options:

A.  

Verify all patches have been applied to the software system's outdated version.

B.  

Close all unused ports on the outdated software system.

C.  

Segregate the outdated software system from the main network.

D.  

Monitor network traffic attempting to reach the outdated software system.

Questions 229

When planning an audit, it is acceptable for an IS auditor to rely on a third-party provider's external audit report on service level management when the:

Options:

A.  

scope and methodology meet audit requirements

B.  

service provider is independently certified and accredited

C.  

report confirms that service levels were not violated

D.  

report was released within the last 12 months

Questions 230

Which of the following is MOST important for an IS auditor to review when determining whether IT investments are providing value to the business?

Options:

A.  

Return on investment (ROI)

B.  

Business strategy

C.  

Business cases

D.  

Total cost of ownership (TCO)

Questions 231

Which of the following would be the BEST criteria for monitoring an IT vendor's service levels?

Options:

A.  

Service auditor's report

B.  

Performance metrics

C.  

Surprise visit to vendor

D.  

Interview with vendor

Questions 232

As part of the architecture of virtualized environments, in a bare metal or native virtualization the hypervisor runs without:

Options:

A.  

a host operating system.

B.  

a guest operating system.

C.  

any applications on the guest operating system.

D.  

any applications on the host operating system.

Questions 233

Which of the following should be of GREATEST concern to an IS auditor conducting an audit of an organization that recently experienced a ransomware attack?

Options:

A.  

Antivirus software was unable to prevent the attack even though it was properly updated

B.  

The most recent security patches were not tested prior to implementation

C.  

Backups were only performed within the local network

D.  

Employees were not trained on cybersecurity policies and procedures

Questions 234

Which of the following would BEST help to ensure that an incident receives attention from appropriate personnel in a timely manner?

Options:

A.  

Completing the incident management log

B.  

Broadcasting an emergency message

C.  

Requiring a dedicated incident response team

D.  

Implementing incident escalation procedures

Questions 235

Which of the following is the BEST indicator for measuring performance of the IT help desk function?

Options:

A.  

Percentage of problems raised from incidents

B.  

Mean time to categorize tickets

C.  

Number of incidents reported

D.  

Number of reopened tickets

Questions 236

A new system development project is running late against a critical implementation deadline. Which of the following is the MOST important activity?

Options:

A.  

Document last-minute enhancements

B.  

Perform a pre-implementation audit

C.  

Perform user acceptance testing (UAT)

D.  

Ensure that code has been reviewed

Questions 237

Which of the following is the MOST important factor when an organization is developing information security policies and procedures?

Options:

A.  

Consultation with security staff

B.  

Inclusion of mission and objectives

C.  

Compliance with relevant regulations

D.  

Alignment with an information security framework

Questions 238

An IS auditor notes that not all security tests were completed for an online sales system recently promoted to production. Which of the following is the auditor's BEST course of action?

Options:

A.  

Determine exposure to the business

B.  

Adjust future testing activities accordingly

C.  

Increase monitoring for security incidents

D.  

Hire a third party to perform security testing

Questions 239

Which of the following should be an IS auditor's PRIMARY focus when evaluating the response process for cybercrimes?

Options:

A.  

Communication with law enforcement

B.  

Notification to regulators

C.  

Root cause analysis

D.  

Evidence collection

Questions 240

Which of the following should be of GREATEST concern to an IS auditor reviewing data conversion and migration during the implementation of a new application system?

Options:

A.  

The change management process was not formally documented

B.  

Backups of the old system and data are not available online

C.  

Unauthorized data modifications occurred during conversion.

D.  

Data conversion was performed using manual processes

Questions 241

During a database management evaluation, an IS auditor discovers that some accounts with database administrator (DBA) privileges have been assigned a default password with an unlimited number of failed login attempts. Which of the following is the auditor's BEST course of action?

Options:

A.  

Identify accounts that have had excessive failed login attempts and request they be disabled

B.  

Request the IT manager to change administrator security parameters and update the finding

C.  

Document the finding and explain the risk of having administrator accounts with inappropriate security settings

Questions 242

Which of the following is the BEST recommendation to include in an organization's bring your own device (BYOD) policy to help prevent data leakage?

Options:

A.  

Require employees to waive privacy rights related to data on BYOD devices.

B.  

Require multi-factor authentication on BYOD devices.

C.  

Specify employee responsibilities for reporting lost or stolen BYOD devices.

D.  

Allow only registered BYOD devices to access the network.

Questions 243

Which of the following is the MOST efficient solution for a multi-location healthcare organization that wants to be able to access patient data wherever patients present themselves for care?

Options:

A.  

Infrastructure as a Service (IaaS) provider

B.  

Software as a Service (SaaS) provider

C.  

Network segmentation

D.  

Dynamic localization

Questions 244

The FIRST step in auditing a data communication system is to determine:

Options:

A.  

traffic volumes and response-time criteria

B.  

physical security for network equipment

C.  

the level of redundancy in the various communication paths

D.  

business use and types of messages to be transmitted

Discussion 0
Questions 245

Following a breach, what is the BEST source to determine the maximum amount of time before customers must be notified that their personal information may have been compromised?

Options:

A.  

Industry regulations

B.  

Industry standards

C.  

Incident response plan

D.  

Information security policy

Discussion 0
Questions 246

During a review, an IS auditor discovers that corporate users are able to access cloud-based applications and data from any Internet-connected web browser. Which of the following is the auditor's BEST recommendation to prevent unauthorized access?

Options:

A.  

Implement an intrusion detection system (IDS).

B.  

Update security policies and procedures.

C.  

Implement multi-factor authentication.

D.  

Utilize strong anti-malware controls on all computing devices.

Discussion 0
Questions 247

Which of the following is the BEST control to minimize the risk of unauthorized access to lost company-owned mobile devices?

Options:

A.  

Password/PIN protection

B.  

Device tracking software

C.  

Device encryption

D.  

Periodic backup

Discussion 0
Questions 248

A programmer has made unauthorized changes to key fields in a payroll system report. Which of the following control weaknesses would have contributed MOST to this problem?

Options:

A.  

The programmer did not involve the user in testing

B.  

The user requirements were not documented

C.  

The programmer has access to the production programs

D.  

Payroll files were not under the control of a librarian

Discussion 0
Questions 249

The PRIMARY benefit of automating application testing is to:

Options:

A.  

provide test consistency.

B.  

provide more flexibility.

C.  

replace all manual test processes.

D.  

reduce the time to review code.

Discussion 0
Questions 250

Which of the following is the BEST way to detect unauthorized copies of licensed software on systems?

Options:

A.  

Implement controls to prohibit downloads of unauthorized software.

B.  

Conduct periodic software scanning.

C.  

Perform periodic counting of licenses.

D.  

Require senior management approval when installing licenses.

Discussion 0
Questions 251

In which of the following system development life cycle (SDLC) phases would an IS auditor expect to find that controls have been incorporated into system specifications?

Options:

A.  

Implementation

B.  

Development

C.  

Feasibility

D.  

Design

Discussion 0
Questions 252

Which of the following should be an IS auditor's GREATEST concern when a data owner assigns an incorrect classification level to data?

Options:

A.  

Controls to adequately safeguard the data may not be applied.

B.  

Data may not be encrypted by the system administrator.

C.  

Competitors may be able to view the data.

D.  

Control costs may exceed the intrinsic value of the IT asset.

Discussion 0
Questions 253

Which of the following is an advantage of using agile software development methodology over the waterfall methodology?

Options:

A.  

Less funding required overall

B.  

Quicker deliverables

C.  

Quicker end user acceptance

D.  

Clearly defined business expectations

Discussion 0
Questions 254

Which of the following should be the FIRST consideration when deciding whether data should be moved to a cloud provider for storage?

Options:

A.  

Data storage costs

B.  

Data classification

C.  

Vendor cloud certification

D.  

Service level agreements (SLAs)

Discussion 0
Questions 255

Which of the following is MOST important for an IS auditor to verify when reviewing the use of an outsourcer for disposal of storage media?

Options:

A.  

The vendor's process appropriately sanitizes the media before disposal

B.  

The contract includes issuance of a certificate of destruction by the vendor

C.  

The vendor has not experienced security incidents in the past.

D.  

The disposal transportation vehicle is fully secure

Discussion 0
Questions 256

During which phase of the software development life cycle is it BEST to initiate the discussion of application controls?

Options:

A.  

Business case development phase when stakeholders are identified

B.  

Application design phase when process functionalities are finalized

C.  

User acceptance testing (UAT) phase when test scenarios are designed

D.  

Application coding phase when algorithms are developed to solve business problems

Discussion 0
Questions 257

Which of the following is the BEST source of information for examining the classification of new data?

Options:

A.  

Input by data custodians

B.  

Security policy requirements

C.  

Risk assessment results

D.  

Current level of protection

Discussion 0
Questions 258

Which of the following is the MAJOR advantage of automating internal controls?

Options:

A.  

To enable the review of large value transactions

B.  

To efficiently test large volumes of data

C.  

To help identify transactions with no segregation of duties

D.  

To assist in performing analytical reviews

Discussion 0
Questions 259

Which of the following should be the FIRST step when planning an IS audit of a third-party service provider that monitors network activities?

Options:

A.  

Review the third party's monitoring logs and incident handling

B.  

Review the roles and responsibilities of the third-party provider

C.  

Evaluate the organization's third-party monitoring process

D.  

Determine if the organization has a secure connection to the provider

Discussion 0
Questions 260

Email required for business purposes is being stored on employees' personal devices.

Which of the following is an IS auditor's BEST recommendation?

Options:

A.  

Require employees to utilize passwords on personal devices

B.  

Prohibit employees from storing company email on personal devices

C.  

Ensure antivirus protection is installed on personal devices

D.  

Implement an email containerization solution on personal devices

Discussion 0
Questions 261

What is the PRIMARY benefit of using one-time passwords?

Options:

A.  

An intercepted password cannot be reused

B.  

Security for applications can be automated

C.  

Users do not have to memorize complex passwords

D.  

Users cannot be locked out of an account

Discussion 0
Questions 262

Which of the following are used in a firewall to protect the entity's internal resources?

Options:

A.  

Remote access servers

B.  

Secure Sockets Layer (SSL)

C.  

Internet Protocol (IP) address restrictions

D.  

Failover services

Discussion 0
Questions 263

With regard to resilience, which of the following is the GREATEST risk to an organization that has implemented a new critical system?

Options:

A.  

A business impact analysis (BIA) has not been performed

B.  

Business data is not sanitized in the development environment

C.  

There is no plan for monitoring system downtime

D.  

The process owner has not signed off on user acceptance testing (UAT)

Discussion 0
Questions 264

An organization has recently moved to an agile model for deploying custom code to its in-house accounting software system. When reviewing the procedures in place for production code deployment, which of the following is the MOST significant security concern to address?

Options:

A.  

Software vulnerability scanning is done on an ad hoc basis.

B.  

Change control does not include testing and approval from quality assurance (QA).

C.  

Production code deployment is not automated.

D.  

Current DevSecOps processes have not been independently verified.

Discussion 0
Questions 265

During a routine internal software licensing review, an IS auditor discovers instances where employees shared license keys to critical pieces of business software. Which of the following would be the auditor's BEST course of action?

Options:

A.  

Recommend the utilization of software licensing monitoring tools

B.  

Recommend the purchase of additional software license keys

C.  

Validate user need for shared software licenses

D.  

Verify whether the licensing agreement allows shared use

Discussion 0
Questions 266

After delivering an audit report, the audit manager discovers that evidence was overlooked during the audit. This evidence indicates that a procedural control may have failed and could contradict a conclusion of the audit. Which of the following risks is MOST affected by this oversight?

Options:

A.  

Inherent

B.  

Operational

C.  

Audit

D.  

Financial

Discussion 0
Questions 267

Which of the following is the GREATEST risk if two users have concurrent access to the same database record?

Options:

A.  

Availability integrity

B.  

Data integrity

C.  

Entity integrity

D.  

Referential integrity

Discussion 0
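The risk the question above points at is the lost update: two sessions read the same record, each computes a new value from what it read, and the second write silently overwrites the first. The following added example (not from the original question bank) reproduces that interleaving against an in-memory SQLite table, then shows the usual fix, optimistic locking with a version column, where a stale write affects zero rows and the session must re-read and retry. The table, balances and session order are constructed for the demo.

```python
import sqlite3


def new_db() -> sqlite3.Connection:
    """Constructed sample table: one account row with a version counter."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE account (id INTEGER PRIMARY KEY, balance INTEGER, version INTEGER)"
    )
    conn.execute("INSERT INTO account VALUES (1, 100, 0)")
    conn.commit()
    return conn


def read(conn: sqlite3.Connection):
    return conn.execute("SELECT balance, version FROM account WHERE id = 1").fetchone()


def unsafe_update(conn: sqlite3.Connection, balance_seen: int, delta: int) -> bool:
    # Last writer wins: no check that the row is unchanged since it was read.
    conn.execute("UPDATE account SET balance = ? WHERE id = 1", (balance_seen + delta,))
    conn.commit()
    return True


def safe_update(conn: sqlite3.Connection, balance_seen: int, version_seen: int, delta: int) -> bool:
    # Optimistic locking: the write only succeeds if the version is still the
    # one this session read. A stale session matches zero rows and must retry.
    cur = conn.execute(
        "UPDATE account SET balance = ?, version = version + 1 "
        "WHERE id = 1 AND version = ?",
        (balance_seen + delta, version_seen),
    )
    conn.commit()
    return cur.rowcount == 1


def lost_update_demo() -> int:
    """Two sessions interleave without any concurrency control."""
    conn = new_db()
    b1, _ = read(conn)            # session 1 reads 100
    b2, _ = read(conn)            # session 2 reads 100 before session 1 writes
    unsafe_update(conn, b1, +50)  # session 1 writes 150
    unsafe_update(conn, b2, -30)  # session 2 writes 70: the +50 is lost
    return read(conn)[0]          # 70, although 120 is the correct balance


def optimistic_lock_demo():
    """Same interleaving with a version check; returns (balance, first_ok, second_ok)."""
    conn = new_db()
    b1, v1 = read(conn)
    b2, v2 = read(conn)
    first = safe_update(conn, b1, v1, +50)    # succeeds, version becomes 1
    second = safe_update(conn, b2, v2, -30)   # rejected: version is no longer 0
    if not second:
        b, v = read(conn)                     # re-read the current row and retry
        second = safe_update(conn, b, v, -30)
    return read(conn)[0], first, second


if __name__ == "__main__":
    print("without locking:", lost_update_demo())
    print("with optimistic locking:", optimistic_lock_demo())
```

Pessimistic row locks (SELECT ... FOR UPDATE on databases that support it) address the same problem by blocking the second reader until the first transaction commits; the version-column approach is shown here because it works on any engine and makes the conflict visible to the application.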
Questions 268

Which of the following is a method to prevent disclosure of classified documents printed on a shared printer?

Options:

A.  

Using passwords to allow authorized users to send documents to the printer

B.  

Requiring a key code to be entered on the printer to produce hard copy

C.  

Encrypting the data stream between the user's computer and the printer

D.  

Producing a header page with classification level for printed documents

Discussion 0
Questions 269

A finance department has a multi-year project to upgrade the enterprise resource planning (ERP) system hosting the general ledger, and in year one, the system version upgrade will be applied. Which of the following should be the PRIMARY focus of the IS auditor reviewing the first year of the project?

Options:

A.  

Unit testing

B.  

Network performance

C.  

User acceptance testing (UAT)

D.  

Regression testing

Discussion 0
Questions 270

Which of the following is the MOST appropriate indicator of change management effectiveness?

Options:

A.  

Time lag between changes to the configuration and the update of records

B.  

Number of system software changes

C.  

Time lag between changes and updates of documentation materials

D.  

Number of incidents resulting from changes

Discussion 0
Questions 271

Which of the following is the BEST methodology to use for estimating the complexity of developing a large business application?

Options:

A.  

Function point analysis

B.  

Work breakdown structure

C.  

Critical path analysis

D.  

Software cost estimation

Discussion 0
Questions 272

Which of the following findings should be of GREATEST concern to an IS auditor reviewing an organization's newly implemented online security awareness program?

Options:

A.  

Only new employees are required to attend the program

B.  

Metrics have not been established to assess training results

C.  

Employees do not receive immediate notification of results

D.  

The timing for program updates has not been determined

Discussion 0
Questions 273

Which of the following should be of MOST concern to an IS auditor reviewing the information systems acquisition, development, and implementation process?

Options:

A.  

Data owners are not trained on the use of data conversion tools.

B.  

A post-implementation lessons-learned exercise was not conducted.

C.  

There is no system documentation available for review.

D.  

System deployment is routinely performed by contractors.

Discussion 0
Questions 274

Which of following is MOST important to determine when conducting a post-implementation review?

Options:

A.  

Whether the solution architecture complies with IT standards

B.  

Whether success criteria have been achieved

C.  

Whether the project has been delivered within the approved budget

D.  

Whether lessons learned have been documented

Discussion 0
Questions 275

The use of which of the following is an inherent risk in the application container infrastructure?

Options:

A.  

Shared registries

B.  

Host operating system

C.  

Shared data

D.  

Shared kernel

Discussion 0
Questions 276

Which of the following would be the BEST process for continuous auditing to a large financial Institution?

Options:

A.  

Testing encryption standards on the disaster recovery system

B.  

Validating access controls for real-time data systems

C.  

Performing parallel testing between systems

D.  

Validating performance of help desk metrics

Discussion 0
Questions 277

A database administrator (DBA) should be prevented from:

Options:

A.  

having end user responsibilities

B.  

accessing sensitive information

C.  

having access to production files

D.  

using an emergency user ID

Discussion 0
Questions 278

An IS auditor discovers that, due to resource constraints, a database administrator (DBA) is responsible for developing and executing changes into the production environment. Which of the following should the auditor do FIRST?

Options:

A.  

Determine whether another DBA could make the changes

B.  

Report a potential segregation of duties violation

C.  

Identify whether any compensating controls exist

D.  

Ensure a change management process is followed prior to implementation

Discussion 0
Questions 279

What is the PRIMARY purpose of performing a parallel run of a new system?

Options:

A.  

To train the end users and supporting staff on the new system

B.  

To verify the new system provides required business functionality

C.  

To reduce the need for additional testing

D.  

To validate the new system against its predecessor

Discussion 0
Questions 280

Which of the following is the MOST appropriate control to ensure integrity of online orders?

Options:

A.  

Data Encryption Standard (DES)

B.  

Digital signature

C.  

Public key encryption

D.  

Multi-factor authentication

Discussion 0
Questions 281

During a project assessment, an IS auditor finds that business owners have been removed from the project initiation phase. Which of the following should be the auditor's GREATEST concern with this situation?

Options:

A.  

Unrealistic milestones

B.  

Inadequate deliverables

C.  

Unclear benefits

D.  

Incomplete requirements

Discussion 0
Questions 282

An IS auditor is evaluating the access controls for a shared customer relationship management (CRM) system. Which of the following would be the GREATEST concern?

Options:

A.  

Single sign-on is not enabled

B.  

Audit logging is not enabled

C.  

Security baseline is not consistently applied

D.  

Complex passwords are not required

Discussion 0
Questions 283

Which of the following methods will BEST reduce the risk associated with the transition to a new system using

technologies that are not compatible with the old system?

Options:

A.  

Parallel changeover

B.  

Modular changeover

C.  

Phased operation

D.  

Pilot operation

Discussion 0
Questions 284

A fire alarm system has been installed in the computer room. The MOST effective location for the fire alarm control panel would be inside the:

Options:

A.  

computer room closest to the uninterruptible power supply (UPS) module

B.  

computer room closest to the server computers

C.  

system administrators’ office

D.  

booth used by the building security personnel

Discussion 0
Questions 285

During the discussion of a draft audit report, IT management provided suitable evidence that a process has been implemented for a control that the IS auditor had concluded was ineffective. Which of the following is the auditor's BEST action?

Options:

A.  

Explain to IT management that the new control will be evaluated during follow-up

B.  

Add comments about the action taken by IT management in the report

C.  

Change the conclusion based on evidence provided by IT management

D.  

Re-perform the audit before changing the conclusion

Discussion 0
Questions 286

Which of the following should be of GREATEST concern to an IS auditor who is assessing an organization's configuration and release management process?

Options:

A.  

The organization does not use an industry-recognized methodology

B.  

Changes and change approvals are not documented

C.  

All changes require middle and senior management approval

D.  

There is no centralized configuration management database (CMDB)

Discussion 0
Questions 287

An organization implemented a cybersecurity policy last year. Which of the following is the GREATEST indicator that the policy may need to be revised?

Options:

A.  

A significant increase in authorized connections to third parties

B.  

A significant increase in cybersecurity audit findings

C.  

A significant increase in approved exceptions

D.  

A significant increase in external attack attempts

Discussion 0
Questions 288

A web proxy server for corporate connections to external resources reduces organizational risk by:

Options:

A.  

anonymizing users through changed IP addresses.

B.  

providing multi-factor authentication for additional security.

C.  

providing faster response than direct access.

D.  

load balancing traffic to optimize data pathways.

Discussion 0
Questions 289

An IS auditor is reviewing the release management process for an in-house software development solution. In which environment is the software version MOST likely to be the same as production?

Options:

A.  

Staging

B.  

Testing

C.  

Integration

D.  

Development

Discussion 0
Questions 290

Which of the following is the BEST source of information for an IS auditor to use when determining whether an organization's information security policy is adequate?

Options:

A.  

Information security program plans

B.  

Penetration test results

C.  

Risk assessment results

D.  

Industry benchmarks

Discussion 0
Questions 291

An organization is planning an acquisition and has engaged an IS auditor to evaluate the IT governance framework of the target company. Which of the following would be MOST helpful in determining the effectiveness of the framework?

Options:

A.  

Self-assessment reports of IT capability and maturity

B.  

IT performance benchmarking reports with competitors

C.  

Recent third-party IS audit reports

D.  

Current and previous internal IS audit reports

Discussion 0
Questions 292

An organization has recently implemented a Voice-over IP (VoIP) communication system. Which of the following should be the IS auditor's PRIMARY concern?

Options:

A.  

A single point of failure for both voice and data communications

B.  

Inability to use virtual private networks (VPNs) for internal traffic

C.  

Lack of integration of voice and data communications

D.  

Voice quality degradation due to packet loss

Discussion 0
Questions 293

When auditing the alignment of IT to the business strategy, it is MOST important for the IS auditor to:

Options:

A.  

compare the organization's strategic plan against industry best practice.

B.  

interview senior managers for their opinion of the IT function.

C.  

ensure an IT steering committee is appointed to monitor new IT projects.

D.  

evaluate deliverables of new IT initiatives against planned business services.

Discussion 0
Questions 294

An organization has developed mature risk management practices that are followed across all departments. What is the MOST effective way for the audit team to leverage this risk management maturity?

Options:

A.  

Implementing risk responses on management's behalf

B.  

Integrating the risk register for audit planning purposes

C.  

Providing assurances to management regarding risk

D.  

Facilitating audit risk identification and evaluation workshops

Discussion 0
Questions 295

Which of the following is the MOST important activity in the data classification process?

Options:

A.  

Labeling the data appropriately

B.  

Identifying risk associated with the data

C.  

Determining accountability of data owners

D.  

Determining the adequacy of privacy controls

Discussion 0
Questions 296

During the planning stage of a compliance audit, an IS auditor discovers that a bank's inventory of compliance requirements does not include recent regulatory changes related to managing data risk. What should the auditor do FIRST?

Options:

A.  

Ask management why the regulatory changes have not been included.

B.  

Discuss potential regulatory issues with the legal department

C.  

Report the missing regulatory updates to the chief information officer (CIO).

D.  

Exclude recent regulatory changes from the audit scope.

Discussion 0
Questions 297

Which of the following represents the HIGHEST level of maturity of an information security program?

Options:

A.  

A training program is in place to promote information security awareness.

B.  

A framework is in place to measure risks and track effectiveness.

C.  

Information security policies and procedures are established.

D.  

The program meets regulatory and compliance requirements.

Discussion 0
Questions 298

An IS auditor is reviewing an industrial control system (ICS) that uses older unsupported technology in the scope of an upcoming audit. What should the auditor consider the MOST significant concern?

Options:

A.  

Attack vectors are evolving for industrial control systems.

B.  

There is a greater risk of system exploitation.

C.  

Disaster recovery plans (DRPs) are not in place.

D.  

Technical specifications are not documented.

Discussion 0
Questions 299

An information systems security officer's PRIMARY responsibility for business process applications is to:

Options:

A.  

authorize secured emergency access

B.  

approve the organization's security policy

C.  

ensure access rules agree with policies

D.  

create role-based rules for each business process

Discussion 0
Questions 300

Which of the following is MOST important for an IS auditor to consider when performing the risk assessment prior to an audit engagement?

Options:

A.  

The design of controls

B.  

Industry standards and best practices

C.  

The results of the previous audit

D.  

The amount of time since the previous audit

Discussion 0
Questions 301

An IS auditor learns the organization has experienced several server failures in its distributed environment. Which of the following is the BEST recommendation to limit the potential impact of server failures in the future?

Options:

A.  

Redundant pathways

B.  

Clustering

C.  

Failover power

D.  

Parallel testing

Discussion 0
Questions 302

Which of the following findings should be of GREATEST concern for an IS auditor when auditing the effectiveness of a phishing simulation test administered for staff members?

Options:

A.  

Staff members who failed the test did not receive follow-up education

B.  

Test results were not communicated to staff members.

C.  

Staff members were not notified about the test beforehand.

D.  

Security awareness training was not provided prior to the test.

Discussion 0
Questions 303

Which of the following would be an appropriate role of internal audit in helping to establish an organization's privacy program?

Options:

A.  

Analyzing risks posed by new regulations

B.  

Designing controls to protect personal data

C.  

Defining roles within the organization related to privacy

D.  

Developing procedures to monitor the use of personal data

Discussion 0
Questions 304

An IS auditor should ensure that an application's audit trail:

Options:

A.  

has adequate security.

B.  

logs all database records.

C.  

is accessible online.

D.  

does not impact operational efficiency.

Discussion 0
Questions 305

Which of the following would BEST manage the risk of changes in requirements after the analysis phase of a business application development project?

Options:

A.  

Expected deliverables meeting project deadlines

B.  

Sign-off from the IT team

C.  

Ongoing participation by relevant stakeholders

D.  

Quality assurance (QA) review

Discussion 0
Questions 306

An IS auditor has been asked to audit the proposed acquisition of new computer hardware. The auditor's PRIMARY concern is that:

Options:

A.  

the implementation plan meets user requirements.

B.  

a full, visible audit trail will be included.

C.  

a clear business case has been established.

D.  

the new hardware meets established security standards.

Discussion 0
Questions 307

An IS auditor finds that an organization's data loss prevention (DLP) system is configured to use vendor default settings to identify violations. The auditor's MAIN concern should be that:

Options:

A.  

violation reports may not be reviewed in a timely manner.

B.  

a significant number of false positive violations may be reported.

C.  

violations may not be categorized according to the organization's risk profile.

D.  

violation reports may not be retained according to the organization's risk profile.

Discussion 0
Questions 308

A new regulation requires organizations to report significant security incidents to the regulator within 24 hours of identification. Which of the following is the IS auditor's BEST recommendation to facilitate compliance with the regulation?

Options:

A.  

Establish key performance indicators (KPIs) for timely identification of security incidents.

B.  

Engage an external security incident response expert for incident handling.

C.  

Enhance the alert functionality of the intrusion detection system (IDS).

D.  

Include the requirement in the incident management response plan.

Discussion 0
Questions 309

The IS auditor has recommended that management test a new system before using it in production mode. The BEST approach for management in developing a test plan is to use processing parameters that are:

Options:

A.  

randomly selected by a test generator.

B.  

provided by the vendor of the application.

C.  

randomly selected by the user.

D.  

simulated by production entities and customers.

Discussion 0
Questions 310

When planning an audit to assess application controls of a cloud-based system, it is MOST important for the IS auditor to understand the:

Options:

A.  

architecture and cloud environment of the system.

B.  

business process supported by the system.

C.  

policies and procedures of the business area being audited.

D.  

availability reports associated with the cloud-based system.

Discussion 0
Questions 311

Which of the following would MOST effectively ensure the integrity of data transmitted over a network?

Options:

A.  

Message encryption

B.  

Certificate authority (CA)

C.  

Steganography

D.  

Message digest

Discussion 0
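The two integrity questions above (online orders in question 280, data transmitted over a network in question 311) rest on a distinction worth seeing in code: a plain message digest catches accidental corruption, but anyone who can change the message can also recompute the digest, so stopping a deliberate modification needs a key the attacker does not hold. The following is an added example, not part of the original question bank. It uses SHA-256 for the digest and HMAC-SHA256 as the keyed variant; the order string and the shared key are constructed for the demo. A digital signature provides the same tamper evidence with a private key, plus non-repudiation, and would replace the HMAC in a real order-processing flow.

```python
import hashlib
import hmac

# Constructed sample: an online order as it would be sent over the network.
ORDER = b"order_id=1001&item=SKU-42&qty=1&amount=19.99"

# Assumed shared secret known to client and server only (constructed for the demo).
SECRET_KEY = b"shared-secret-between-client-and-server"


def digest(message: bytes) -> str:
    """Unkeyed message digest: any change to the bytes changes the value."""
    return hashlib.sha256(message).hexdigest()


def verify_digest(message: bytes, received_digest: str) -> bool:
    return hmac.compare_digest(digest(message), received_digest)


def mac(message: bytes, key: bytes) -> str:
    """Keyed digest (HMAC-SHA256): only a holder of the key can produce a valid tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(message: bytes, key: bytes, received_tag: str) -> bool:
    return hmac.compare_digest(mac(message, key), received_tag)


def tamper(message: bytes) -> bytes:
    """An in-transit modification: the quantity is changed from 1 to 100."""
    return message.replace(b"qty=1&", b"qty=100&")


def digest_catches_corruption():
    """Digest sent with the original order: (intact verifies, modified fails)."""
    d = digest(ORDER)
    return verify_digest(ORDER, d), verify_digest(tamper(ORDER), d)


def digest_does_not_stop_attacker() -> bool:
    """The attacker modifies the order and recomputes the unkeyed digest: it verifies."""
    forged = tamper(ORDER)
    return verify_digest(forged, digest(forged))


def mac_stops_attacker():
    """Without SECRET_KEY the attacker can only attach an unkeyed digest, which the
    keyed check rejects; the genuine order with its real tag still verifies."""
    forged = tamper(ORDER)
    forged_ok = verify_mac(forged, SECRET_KEY, digest(forged))
    genuine_ok = verify_mac(ORDER, SECRET_KEY, mac(ORDER, SECRET_KEY))
    return forged_ok, genuine_ok


if __name__ == "__main__":
    print("digest vs corruption:", digest_catches_corruption())
    print("digest vs attacker:  ", digest_does_not_stop_attacker())
    print("HMAC vs attacker:    ", mac_stops_attacker())
```

Encryption alone does not give this guarantee either: a ciphertext can be altered without the key, and the recipient only notices if a digest, MAC or signature covers the message.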
Questions 312

During a project audit, an IS auditor notes that project reporting does not accurately reflect current progress. Which of the following is the GREATEST resulting impact?

Options:

A.  

The project manager will have to be replaced.

B.  

The project reporting to the board of directors will be incomplete.

C.  

The project steering committee cannot provide effective governance.

D.  

The project will not withstand a quality assurance (QA) review.

Discussion 0
Questions 313

Which of the following is an example of a preventive control for physical access?

Options:

A.  

Keeping log entries for all visitors to the building

B.  

Implementing a fingerprint-based access control system for the building

C.  

Installing closed-circuit television (CCTV) cameras for all ingress and egress points

D.  

Implementing a centralized logging server to record instances of staff logging into workstations

Discussion 0
Questions 314

Which of the following is the MOST important reason to classify a disaster recovery plan (DRP) as confidential?

Options:

A.  

Ensure compliance with the data classification policy.

B.  

Protect the plan from unauthorized alteration.

C.  

Comply with business continuity best practice.

D.  

Reduce the risk of data leakage that could lead to an attack.

Discussion 0
Questions 315

Which of the following MUST be completed as part of the annual audit planning process?

Options:

A.  

Business impact analysis (BIA)

B.  

Fieldwork

C.  

Risk assessment

D.  

Risk control matrix

Discussion 0
Questions 316

What is the MAIN reason to use incremental backups?

Options:

A.  

To improve key availability metrics

B.  

To reduce costs associated with backups

C.  

To increase backup resiliency and redundancy

D.  

To minimize the backup time and resources

Discussion 0
Questions 317

To enable the alignment of IT staff development plans with IT strategy, which of the following should be done FIRST?

Options:

A.  

Review IT staff job descriptions for alignment

B.  

Develop quarterly training for each IT staff member.

C.  

Identify required IT skill sets that support key business processes

D.  

Include strategic objectives in IT staff performance objectives

Discussion 0
Questions 318

Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system. Which of the following is the IS auditor's BEST recommendation for a compensating control?

Options:

A.  

Require written authorization for all payment transactions.

B.  

Restrict payment authorization to senior staff members.

C.  

Reconcile payment transactions with invoices.

D.  

Review payment transaction history.

Discussion 0
Questions 319

Which of the following concerns is BEST addressed by securing production source libraries?

Options:

A.  

Programs are not approved before production source libraries are updated.

B.  

Production source and object libraries may not be synchronized.

C.  

Changes are applied to the wrong version of production source libraries.

D.  

Unauthorized changes can be moved into production.

Discussion 0
Questions 320

Which of the following is the PRIMARY reason to follow a configuration management process to maintain an application?

Options:

A.  

To optimize system resources

B.  

To follow system hardening standards

C.  

To optimize asset management workflows

D.  

To ensure proper change control

Discussion 0
Questions 321

Which of the following findings should be of GREATEST concern to an IS auditor performing a review of IT operations?

Options:

A.  

The job scheduler application has not been designed to display pop-up error messages.

B.  

Access to the job scheduler application has not been restricted to a maximum of two staff members

C.  

Operations shift turnover logs are not utilized to coordinate and control the processing environment

D.  

Changes to the job scheduler application's parameters are not approved and reviewed by an operations supervisor

Discussion 0
Questions 322

The performance, risks, and capabilities of an IT infrastructure are BEST measured using a:

Options:

A.  

risk management review.

B.  

control self-assessment (CSA).

C.  

service level agreement (SLA).

D.  

balanced scorecard.

Discussion 0
Questions 323

An IS auditor finds a high-risk vulnerability in a public-facing web server used to process online customer payments. The IS auditor should FIRST

Options:

A.  

document the exception in an audit report.

B.  

review security incident reports.

C.  

identify compensating controls.

D.  

notify the audit committee.

Discussion 0
Questions 324

Which of the following must be in place before an IS auditor initiates audit follow-up activities?

Options:

A.  

Available resources for the activities included in the action plan

B.  

A management response in the final report with a committed implementation date

C.  

A heat map with the gaps and recommendations displayed in terms of risk

D.  

Supporting evidence for the gaps and recommendations mentioned in the audit report

Discussion 0
Questions 325

An IS auditor performs a follow-up audit and learns the approach taken by the auditee to fix the findings differs from the agreed-upon approach confirmed during the last audit. Which of the following should be the auditor's NEXT course of action?

Options:

A.  

Evaluate the appropriateness of the remedial action taken.

B.  

Conduct a risk analysis incorporating the change.

C.  

Report results of the follow-up to the audit committee.

D.  

Inform senior management of the change in approach.

Discussion 0
Questions 326

The PRIMARY reason for an IS auditor to use data analytics techniques is to reduce which type of audit risk?

Options:

A.  

Technology risk

B.  

Detection risk

C.  

Control risk

D.  

Inherent risk

Discussion 0
Questions 327

An accounting department uses a spreadsheet to calculate sensitive financial transactions. Which of the following is the MOST important control for maintaining the security of data in the spreadsheet?

Options:

A.  

There is a reconciliation process between the spreadsheet and the finance system

B.  

A separate copy of the spreadsheet is routinely backed up

C.  

The spreadsheet is locked down to avoid inadvertent changes

D.  

Access to the spreadsheet is given only to those who require access

Discussion 0
Questions 328

An organization was recently notified by its regulatory body of significant discrepancies in its reporting data. A preliminary investigation revealed that the discrepancies were caused by problems with the organization's data quality. Management has directed the data quality team to enhance their program. The audit committee has asked internal audit to be advisors to the process. To ensure that management concerns are addressed, which data set should internal audit recommend be reviewed FIRST?

Options:

A.  

Data with customer personal information

B.  

Data reported to the regulatory body

C.  

Data supporting financial statements

D.  

Data impacting business objectives

Discussion 0
Questions 329

Capacity management enables organizations to:

Options:

A.  

forecast technology trends.

B.  

establish the capacity of network communication links.

C.  

identify the extent to which components need to be upgraded.

D.  

determine business transaction volumes.

Discussion 0
Questions 330

The IS quality assurance (QA) group is responsible for:

Options:

A.  

ensuring that program changes adhere to established standards.

B.  

designing procedures to protect data against accidental disclosure.

C.  

ensuring that the output received from system processing is complete.

D.  

monitoring the execution of computer processing tasks.

Discussion 0
Questions 331

Which of the following BEST protects an organization's proprietary code during a joint-development activity involving a third party?

Options:

A.  

Statement of work (SOW)

B.  

Nondisclosure agreement (NDA)

C.  

Service level agreement (SLA)

D.  

Privacy agreement

Discussion 0
Questions 332

Which of the following will MOST likely compromise the control provided by a digital signature created using RSA encryption?

Options:

A.  

Reversing the hash function using the digest

B.  

Altering the plaintext message

C.  

Deciphering the receiver's public key

D.  

Obtaining the sender's private key

Discussion 0
Questions 333

Which of the following is the GREATEST risk associated with storing customer data on a web server?

Options:

A.  

Data availability

B.  

Data confidentiality

C.  

Data integrity

D.  

Data redundancy

Discussion 0
Questions 334

The BEST way to determine whether programmers have permission to alter data in the production environment is by reviewing:

Options:

A.  

the access control system's log settings.

B.  

how the latest system changes were implemented.

C.  

the access control system's configuration.

D.  

the access rights that have been granted.

Discussion 0
Questions 335

During an audit of a multinational bank's disposal process, an IS auditor notes several findings. Which of the following should be the auditor's GREATEST concern?

Options:

A.  

Backup media are not reviewed before disposal.

B.  

Degaussing is used instead of physical shredding.

C.  

Backup media are disposed of before the end of the retention period.

D.  

Hardware is not destroyed by a certified vendor.

Discussion 0
Questions 336

Which of the following conditions would be of MOST concern to an IS auditor assessing the risk of a successful brute force attack against encrypted data at rest?

Options:

A.  

Short key length

B.  

Random key generation

C.  

Use of symmetric encryption

D.  

Use of asymmetric encryption

Discussion 0
Questions 337

Which of the following documents should specify roles and responsibilities within an IT audit organization?

Options:

A.  

Organizational chart

B.  

Audit charter

C.  

Engagement letter

D.  

Annual audit plan

Discussion 0
Questions 338

Which of the following is MOST important for an IS auditor to do during an exit meeting with an auditee?

Options:

A.  

Ensure that the facts presented in the report are correct.

B.  

Communicate the recommendations to senior management.

C.  

Specify implementation dates for the recommendations.

D.  

Request input in determining corrective action.

Discussion 0
Questions 339

Which of the following is the GREATEST security risk associated with data migration from a legacy human resources (HR) system to a cloud-based system?

Options:

A.  

Data from the source and target system may be intercepted.

B.  

Data from the source and target system may have different data formats.

C.  

Records past their retention period may not be migrated to the new system.

D.  

System performance may be impacted by the migration.

Discussion 0
Questions 340

Which of the following is an example of a preventative control in an accounts payable system?

Options:

A.  

The system only allows payments to vendors who are included in the system's master vendor list.

B.  

Backups of the system and its data are performed on a nightly basis and tested periodically.

C.  

The system produces daily payment summary reports that staff use to compare against invoice totals.

D.  

Policies and procedures are clearly communicated to all members of the accounts payable department.

Discussion 0
Questions 341

Which of the following findings from an IT governance review should be of GREATEST concern?

Options:

A.  

The IT budget is not monitored.

B.  

All IT services are provided by third parties.

C.  

IT value analysis has not been completed.

D.  

IT supports two different operating systems.

Discussion 0
Questions 342

The GREATEST benefit of using a prototyping approach in software development is that it helps to:

Options:

A.  

minimize scope changes to the system.

B.  

decrease the time allocated for user testing and review.

C.  

conceptualize and clarify requirements.

D.  

improve efficiency of quality assurance (QA) testing.

Discussion 0
Questions 343

Which of the following is the BEST reason for an organization to use clustering?

Options:

A.  

To decrease system response time

B.  

To improve the recovery time objective (RTO)

C.  

To facilitate faster backups

D.  

To improve system resiliency

Discussion 0
Questions 344

An IS auditor is evaluating the risk associated with moving from one database management system (DBMS) to another. Which of the following would be MOST helpful to ensure the integrity of the system throughout the change?

Options:

A.  

Preserving the same data classifications

B.  

Preserving the same data inputs

C.  

Preserving the same data structure

D.  

Preserving the same data interfaces

Discussion 0
Questions 345

In an online application, which of the following would provide the MOST information about the transaction audit trail?

Options:

A.  

File layouts

B.  

Data architecture

C.  

System/process flowchart

D.  

Source code documentation

Discussion 0
Questions 346

Which of the following BEST enables the timely identification of risk exposure?

Options:

A.  

External audit review

B.  

Internal audit review

C.  

Control self-assessment (CSA)

D.  

Stress testing

Discussion 0
Questions 347

Due to limited storage capacity, an organization has decided to reduce the actual retention period for media containing completed low-value transactions. Which of the following is MOST important for the organization to ensure?

Options:

A.  

The policy includes a strong risk-based approach.

B.  

The retention period allows for review during the year-end audit.

C.  

The retention period complies with data owner responsibilities.

D.  

The total transaction amount has no impact on financial reporting.

Discussion 0
Questions 348

Which of the following activities provides an IS auditor with the MOST insight regarding potential single person dependencies that might exist within the organization?

Options:

A.  

Reviewing vacation patterns

B.  

Reviewing user activity logs

C.  

Interviewing senior IT management

D.  

Mapping IT processes to roles

Discussion 0
Questions 349

An IS auditor is reviewing security controls related to collaboration tools for a business unit responsible for intellectual property and patents. Which of the following observations should be of MOST concern to the auditor?

Options:

A.  

Training was not provided to the department that handles intellectual property and patents.

B.  

Logging and monitoring for content filtering is not enabled.

C.  

Employees can share files with users outside the company through collaboration tools.

D.  

The collaboration tool is hosted and can only be accessed via an Internet browser.

Discussion 0
Questions 350

An organization has assigned two new IS auditors to audit a new system implementation. One of the auditors has an IT-related degree, and one has a business degree. Which of the following is MOST important to meet the IS audit standard for proficiency?

Options:

A.  

The standard is met as long as one member has a globally recognized audit certification.

B.  

Technical co-sourcing must be used to help the new staff.

C.  

Team member assignments must be based on individual competencies.

D.  

The standard is met as long as a supervisor reviews the new auditors' work.

Discussion 0
Questions 351

Which of the following is the BEST compensating control against segregation of duties conflicts in new code development?

Options:

A.  

Adding the developers to the change approval board

B.  

A small number of people have access to deploy code

C.  

Post-implementation change review

D.  

Creation of staging environments

Discussion 0
Questions 352

Which of the following would present the GREATEST concern during a review of internal audit quality assurance (QA) and continuous improvement processes?

Options:

A.  

The audit program does not involve periodic engagement with external assessors.

B.  

Quarterly reports are not distributed to the audit committee.

C.  

Results of corrective actions are not tracked consistently.

D.  

Substantive testing is not performed during the assessment phase of some audits.

Discussion 0
Questions 353

An IS auditor has learned that access privileges are not periodically reviewed or updated. Which of the following would provide the BEST evidence to determine whether transactions have been executed by authorized employees?

Options:

A.  

Audit trails

B.  

Control totals

C.  

Reconciliations

D.  

Change logs

Discussion 0
Questions 354

An IS auditor is assigned to perform a post-implementation review of an application system. Which of the following would impair the auditor's independence?

Options:

A.  

The auditor implemented a specific control during the development of the system.

B.  

The auditor provided advice concerning best practices.

C.  

The auditor participated as a member of the project team without operational responsibilities.

D.  

The auditor designed an embedded audit module exclusively for audit.

Discussion 0
Questions 355

Which of the following is the MOST important responsibility of data owners when implementing a data classification process?

Options:

A.  

Reviewing emergency changes to data

B.  

Authorizing application code changes

C.  

Determining appropriate user access levels

D.  

Implementing access rules over database tables

Discussion 0
Questions 356

Which of the following is MOST helpful for an IS auditor to review when evaluating an organization's business processes that are supported by applications and IT systems?

Options:

A.  

Configuration management database (CMDB)

B.  

Enterprise architecture (EA)

C.  

IT portfolio management

D.  

IT service management

Discussion 0
Questions 357

A secure server room has a badge reader system that records name, date, and time information whenever a staff member uses a badge to enter or exit. When reviewing the system logs, an IS auditor notices records for some employees entering, but not exiting, the room. Which of the following would be the MOST effective compensating control to recommend?

Options:

A.  

Installing security cameras at the doors

B.  

Changing to a biometric access control system

C.  

Implementing a monitored mantrap at entrance and exit points

D.  

Requiring two-factor authentication at entrance and exit points

Discussion 0
Questions 358

An IS audit reveals that an organization operating in business continuity mode during a pandemic situation has not performed a simulation test of the business continuity plan (BCP). Which of the following is the auditor's BEST course of action?

Options:

A.  

Confirm the BCP has been recently updated.

B.  

Review the effectiveness of the business response.

C.  

Raise an audit issue for the lack of simulated testing.

D.  

Interview staff members to obtain commentary on the BCP's effectiveness.

Discussion 0