March Special Sale - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: mxmas70

Home > Isaca > Isaca Certification > CISA

CISA Certified Information Systems Auditor Question and Answers

Question # 4

Which of the following provides the MOST protection against emerging threats?

A.

Demilitarized zone (DMZ)

B.

Heuristic intrusion detection system (IDS)

C.

Real-time updating of antivirus software

D.

Signature-based intrusion detection system (IDS)

Full Access
Question # 5

Which of the following is the MOST appropriate indicator of change management effectiveness?

A.

Time lag between changes to the configuration and the update of records

B.

Number of system software changes

C.

Time lag between changes and updates of documentation materials

D.

Number of incidents resulting from changes

Full Access
Question # 6

Which of the following provides the MOST reliable method of preventing unauthonzed logon?

A.

issuing authentication tokens

B.

Reinforcing current security policies

C.

Limiting after-hours usage

D.

Installing an automatic password generator

Full Access
Question # 7

Which of the following is the BEST compensating control against segregation of duties conflicts in new code development?

A.

Adding the developers to the change approval board

B.

A small number of people have access to deploy code

C.

Post-implementation change review

D.

Creation of staging environments

Full Access
Question # 8

Which of the following should be the FIRST step m managing the impact of a recently discovered zero-day attack?

A.

Evaluating the likelihood of attack

B.

Estimating potential damage

C.

Identifying vulnerable assets

D.

Assessing the Impact of vulnerabilities

Full Access
Question # 9

An organization's IT department and internal IS audit function all report to the chief information officer (CIO). Which of the following is the GREATEST concern associated with this reporting structure?

A.

Potential for inaccurate audit findings

B.

Compromise of IS audit independence

C.

IS audit resources being shared with other IT functions

D.

IS audit being isolated from other audit functions

Full Access
Question # 10

An organization has partnered with a third party to transport backup drives to an offsite storage facility. Which of the following is MOST important before sending the drives?

A.

Creating a chain of custody to accompany the drive in transit

B.

Ensuring data protection is aligned with the data classification policy

C.

Encrypting the drive with strong protection standards

D.

Ensuring the drive is placed in a tamper-evident mechanism

Full Access
Question # 11

An IS auditor is reviewing the security of a web-based customer relationship management (CRM) system that is directly accessed by customers via the Internet, which of the following should be a concern for the auditor?

A.

The system is hosted on an external third-party service provider’s server.

B.

The system is hosted in a hybrid-cloud platform managed by a service provider.

C.

The system is hosted within a demilitarized zone (DMZ) of a corporate network.

D.

The system is hosted within an internal segment of a corporate network.

Full Access
Question # 12

Which of the following should be of GREATEST concern to an IS auditor conducting an audit of an organization that recently experienced a ransomware attack?

A.

Antivirus software was unable to prevent the attack even though it was properly updated

B.

The most recent security patches were not tested prior to implementation

C.

Backups were only performed within the local network

D.

Employees were not trained on cybersecurity policies and procedures

Full Access
Question # 13

Which of the following should be of GREATEST concern to an IS auditor who is assessing an organization's configuration and release management process?

A.

The organization does not use an industry-recognized methodology

B.

Changes and change approvals are not documented

C.

All changes require middle and senior management approval

D.

There is no centralized configuration management database (CMDB)

Full Access
Question # 14

Users are complaining that a newly released enterprise resource planning (ERP) system is functioning too slowly. Which of the following tests during the quality assurance (QA) phase would have identified this concern?

A.

Stress

B.

Regression

C.

Interface

D.

Integration

Full Access
Question # 15

A financial group recently implemented new technologies and processes, Which type of IS audit would provide the GREATEST level of assurance that the department's objectives have been met?

A.

Performance audit

B.

Integrated audit

C.

Cyber audit

D.

Financial audit

Full Access
Question # 16

To reduce operational costs, IT management plans to reduce the number of servers currently used to run business applications. Which of the following is MOST helpful to review when identifying which servers are no longer required?

A.

Performance feedback from the user community

B.

Contract with the server vendor

C.

Server CPU usage trends

D.

Mean time between failure (MTBF) of each server

Full Access
Question # 17

Which of the following provides the BE ST method for maintaining the security of corporate applications pushed to employee-owned mobile devices?

A.

Enabling remote data destruction capabilities

B.

Implementing mobile device management (MDM)

C.

Disabling unnecessary network connectivity options

D.

Requiring security awareness training for mobile users

Full Access
Question # 18

Which of the following is the BEST way for management to ensure the effectiveness of the cybersecurity incident response process?

A.

Periodic reporting of cybersecurity incidents to key stakeholders

B.

Periodic update of incident response process documentation

C.

Periodic cybersecurity training for staff involved in incident response

D.

Periodic tabletop exercises involving key stakeholders

Full Access
Question # 19

Which of the following can only be provided by asymmetric encryption?

A.

Information privacy

B.

256-brt key length

C.

Data availability

D.

Nonrepudiation

Full Access
Question # 20

An organization has assigned two new IS auditors to audit a new system implementation. One of the auditors has an IT-related degree, and one has a business degree. Which of the following is MOST important to meet the IS audit standard for proficiency?

A.

Team member assignments must be based on individual competencies

B.

Technical co-sourcing must be used to help the new staff

C.

The standard is met as long as one member has a globally recognized audit certification.

D.

The standard is met as long as a supervisor reviews the new auditors' work

Full Access
Question # 21

Effective separation of duties in an online environment can BEST be achieved by utilizing:

A.

appropriate supervision.

B.

transaction logging.

C.

written procedure manuals.

D.

access authorization tables.

Full Access
Question # 22

In an IT organization where many responsibilities are shared which of the following is the BEST control for detecting unauthorized data changes?

A.

Users are required to periodically rotate responsibilities

B.

Segregation of duties conflicts are periodically reviewed

C.

Data changes are independently reviewed by another group

D.

Data changes are logged in an outside application

Full Access
Question # 23

Which of the following management decisions presents the GREATEST risk associated with data leakage?

A.

There is no requirement for desktops to be encrypted

B.

Staff are allowed to work remotely

C.

Security awareness training is not provided to staff

D.

Security policies have not been updated in the past year

Full Access
Question # 24

Which of the following would BEST guide an IS auditor when determining an appropriate time to schedule the follow-up of agreed corrective actions for reported audit issues?

A.

Progress updates indicate that the implementation of agreed actions is on track.

B.

Sufficient time has elapsed since implementation to provide evidence of control operation.

C.

Business management has completed the implementation of agreed actions on schedule.

D.

Regulators have announced a timeline for an inspection visit.

Full Access
Question # 25

Which of the following is the MOST important consideration for a contingency facility?

A.

The contingency facility has the same badge access controls as the primary site.

B.

Both the contingency facility and the primary site have the same number of business assets in their inventory.

C.

The contingency facility is located a sufficient distance away from the primary site.

D.

Both the contingency facility and the primary site are easily identifiable.

Full Access
Question # 26

Which of the following is the BEST way to detect unauthorized copies of licensed software on systems?

A.

Implement controls to prohibit downloads of unauthorized software.

B.

Conduct periodic software scanning.

C.

Perform periodic counting of licenses.

D.

Require senior management approval when installing licenses.

Full Access
Question # 27

During audit planning, the IS audit manager is considering whether to budget for audits of entities regarded by the business as having low risk. Which of the following is the BEST course of action in this situation?

A.

Outsource low-risk audits to external audit service providers.

B.

Conduct limited-scope audits of low-risk business entities.

C.

Validate the low-risk entity ratings and apply professional judgment.

D.

Challenge the risk rating and include the low-risk entities in the plan.

Full Access
Question # 28

Which of the following is an IS auditor's BEST recommendation to protect an organization from attacks when its file server needs to be accessible to external users?

A.

Enforce a secure tunnel connection.

B.

Enhance internal firewalls.

C.

Set up a demilitarized zone (DMZ).

D.

Implement a secure protocol.

Full Access
Question # 29

Which of the following is the MOST important factor when an organization is developing information security policies and procedures?

A.

Consultation with security staff

B.

Inclusion of mission and objectives

C.

Compliance with relevant regulations

D.

Alignment with an information security framework

Full Access
Question # 30

An IS auditor finds that periodic reviews of read-only users for a reporting system are not being performed. Which of the following should be the IS auditor's NEXT course of action?

A.

Review the list of end users and evaluate for authorization.

B.

Report this control process weakness to senior management.

C.

Verify managements approval for this exemption

D.

Obtain a verbal confirmation from IT for this exemption.

Full Access
Question # 31

When auditing the feasibility study of a system development project, the IS auditor should:

A.

review qualifications of key members of the project team.

B.

review the request for proposal (RFP) to ensure that it covers the scope of work.

C.

review cost-benefit documentation for reasonableness.

D.

ensure that vendor contracts are reviewed by legal counsel.

Full Access
Question # 32

Which of the following should an IS auditor recommend be done FIRST when an organization is made aware of a new regulation that is likely to impact IT security requirements?

A.

Update security policies based on the new regulation.

B.

Determine which systems and IT-related processes may be impacted.

C.

Evaluate how security awareness and training content may be impacted.

D.

Review the design and effectiveness of existing IT controls.

Full Access
Question # 33

When developing customer-facing IT applications, in which stage of the system development life cycle (SDLC) is it MOST beneficial to consider data privacy principles?

A.

Systems design and architecture

B.

Software selection and acquisition

C.

User acceptance testing (UAT)

D.

Requirements definition

Full Access
Question # 34

An IS auditor is assigned to review the IS department s quality procedures. Upon contacting the IS manager, the auditor finds that there is an informal unwritten set of standards Which of the following should be the auditor's NEXT action1?

A.

Make recommendations to IS management as to appropriate quality standards

B.

Postpone the audit until IS management implements written standards

C.

Document and lest compliance with the informal standards

D.

Finalize the audit and report the finding

Full Access
Question # 35

An IS auditor observes that a business-critical application does not currently have any level of fault tolerance. Which of the following is the GREATEST concern with this situation?

A.

Degradation of services

B.

Limited tolerance for damage

C.

Decreased mean time between failures (MTBF)

D.

Single point of failure

Full Access
Question # 36

An IS auditor is reviewing an organization's business intelligence infrastructure. The BEST recommendation to help the organization achieve a reasonable level of data quality would be to:

A.

review data against data classification standards.

B.

outsource data cleansing to skilled service providers.

C.

consolidate data stored across separate databases into a warehouse.

D.

analyze the data against predefined specifications.

Full Access
Question # 37

Which of the following should be the FIRST step when conducting an IT risk assessment?

A.

Identify potential threats.

B.

Assess vulnerabilities.

C.

Identify assets to be protected.

D.

Evaluate controls in place.

Full Access
Question # 38

Which of the following BEST protects evidence in a forensic investigation?

A.

imaging the affected system

B.

Powering down the affected system

C.

Protecting the hardware of the affected system

D.

Rebooting the affected system

Full Access
Question # 39

Due to advancements in technology and electronic records, an IS auditor has completed an engagement by email only. Which of the following did the IS auditor potentially compromise?

A.

Proficiency

B.

Due professional care

C.

Sufficient evidence

D.

Reporting

Full Access
Question # 40

Which of the following is the MOST effective method of destroying sensitive data stored on electronic media?

A.

Degaussing

B.

Random character overwrite

C.

Physical destruction

D.

Low-level formatting

Full Access
Question # 41

An organization considering the outsourcing of a business application should FIRST:

A.

define service level requirements.

B.

perform a vulnerability assessment.

C.

conduct a cost-benefit analysis.

D.

issue a request for proposal (RFP).

Full Access
Question # 42

Which of the following findings would be of GREATEST concern to an IS auditor assessing an organization's patch management process?

A.

The organization's software inventory is not complete.

B.

Applications frequently need to be rebooted for patches to take effect.

C.

Software vendors are bundling patches.

D.

Testing patches takes significant time.

Full Access
Question # 43

An IS auditor finds a segregation of duties issue in an enterprise resource planning (ERP) system. Which of the following is the BEST way to prevent the misconfiguration from recurring?

A.

Monitoring access rights on a regular basis

B.

Referencing a standard user-access matrix

C.

Granting user access using a role-based model

D.

Correcting the segregation of duties conflicts

Full Access
Question # 44

Which of the following provides a new IS auditor with the MOST useful information to evaluate overall IT performance?

A.

IT value analysis

B.

Prior audit reports

C.

IT balanced scorecard

D.

Vulnerability assessment report

Full Access
Question # 45

Which of the following is the BEST indication to an IS auditor that management's post-implementation review was effective?

A.

Lessons learned were documented and applied.

B.

Business and IT stakeholders participated in the post-implementation review.

C.

Post-implementation review is a formal phase in the system development life cycle (SDLC).

D.

Internal audit follow-up was completed without any findings.

Full Access
Question # 46

Which of the following is the MOST significant impact to an organization that does not use an IT governance framework?

A.

adequate measurement of key risk indicators (KRIS)

B.

Inadequate alignment of IT plans and business objectives

C.

Inadequate business impact analysis (BIA) results and predictions

D.

Inadequate measurement of key performance indicators (KPls)

Full Access
Question # 47

Which of the following is a PRIMARY benefit of using risk assessments to determine areas to be included in an audit plan?

A.

Timely audit execution

B.

Effective allocation of audit resources

C.

Reduced travel and expense costs

D.

Effective risk mitigation

Full Access
Question # 48

The PRIMARY purpose of an incident response plan is to:

A.

reduce the impact of an adverse event on information assets.

B.

increase the effectiveness of preventive controls.

C.

reduce the maximum tolerable downtime (MTD) of impacted systems.

D.

increase awareness of impacts from adverse events to IT systems.

Full Access
Question # 49

Which of the following would be an IS auditor's GREATEST concern when reviewing the organization's business continuity plan (BCP)?

A.

The recovery plan does not contain the process and application dependencies.

B.

The duration of tabletop exercises is longer than the recovery point objective (RPO).

C.

The duration of tabletop exercises is longer than the recovery time objective (RTO).

D.

The recovery point objective (RPO) and recovery time objective (R TO) are not the same.

Full Access
Question # 50

An IS auditor is reviewing an organization's business continuity plan (BCP) following a change in organizational structure with significant impact to business processes. Which of the following findings should be the auditor's GREATEST concern?

A.

Key business process end users did not participate in the business impact " analysis (BIA)

B.

Copies of the BCP have not been distributed to new business unit end users sjnce the reorganization

C.

A test plan for the BCP has not been completed during the last two years

Full Access
Question # 51

Which of the following areas is MOST likely to be overlooked when implementing a new data classification process?

A.

End-user computing (EUC) systems

B.

Email attachments

C.

Data sent to vendors

D.

New system applications

Full Access
Question # 52

As part of business continuity planning, which of the following is MOST important to assess when conducting a business impact analysis (B1A)?

A.

Risk appetite

B.

Critical applications m the cloud

C.

Completeness of critical asset inventory

D.

Recovery scenarios

Full Access
Question # 53

Which of the following is the PRIMARY benefit of a tabletop exercise for an incident response plan?

A.

It demonstrates the maturity of the incident response program.

B.

It reduces the likelihood of an incident occurring.

C.

It identifies deficiencies in the operating environment.

D.

It increases confidence in the team's response readiness.

Full Access
Question # 54

An IS auditor is reviewing the backup procedures in an organization that has high volumes of data with frequent changes to transactions. Which of the following is the BEST backup scheme to recommend given the need for a shorter restoration time in the event of a disruption?

A.

Differential backup

B.

Full backup

C.

Incremental backup

D.

Mirror backup

Full Access
Question # 55

Which of the following is the BEST way to ensure an organization's data classification policies are preserved during the process of data transformation?

A.

Map data classification controls to data sets.

B.

Control access to extract, transform, and load (ETL) tools.

C.

Conduct a data discovery exercise across all business applications.

D.

Implement classification labels in metadata during data creation.

Full Access
Question # 56

An IS auditor is conducting an IT governance audit and notices many initiatives are managed informally by isolated project managers. Which of the following recommendations would have the GREATEST impact on improving the maturity of the IT team?

A.

Schedule a follow-up audit in the next year to confirm whether IT processes have matured.

B.

Create an interdisciplinary IT steering committee to oversee IT prioritization and spending.

C.

Document and track all IT decisions in a project management tool.

D.

Discontinue all current IT projects until formal approval is obtained and documented.

Full Access
Question # 57

An IS auditor is verifying the adequacy of an organization's internal controls and is concerned about potential circumvention of regulations. Which of the following is the BEST sampling method to use?

A.

Variable sampling

B.

Random sampling

C.

Cluster sampling

D.

Attribute sampling

Full Access
Question # 58

During an external review, an IS auditor observes an inconsistent approach in classifying system criticality

within the organization. Which of the following should be recommended as the PRIMARY factor to

determine system criticality?

A.

Recovery point objective (RPO)

B.

Maximum allowable downtime (MAD)

C.

Mean time to restore (MTTR)

D.

Key performance indicators (KPls)

Full Access
Question # 59

The use of which of the following is an inherent risk in the application container infrastructure?

A.

Shared registries

B.

Host operating system

C.

Shared data

D.

Shared kernel

Full Access
Question # 60

Recovery facilities providing a redundant combination of Internet connections to the local communications loop is an example of which type of telecommunications continuity?

A.

Voice recovery

B.

Alternative routing

C.

Long-haul network diversity

D.

Last-mile circuit protection

Full Access
Question # 61

Which type of risk would MOST influence the selection of a sampling methodology?

A.

Inherent

B.

Residual

C.

Control

D.

Detection

Full Access
Question # 62

Which of the following should be an IS auditor's PRIMARY consideration when determining which issues to include in an audit report?

A.

Professional skepticism

B.

Management's agreement

C.

Materiality

D.

Inherent risk

Full Access
Question # 63

After delivering an audit report, the audit manager discovers that evidence was overlooked during the audit This evidence indicates that a procedural control may have failed and could contradict a conclusion of the audit Which of the following risks is MOST affected by this oversight?

A.

Inherent

B.

Operational

C.

Audit

D.

Financial

Full Access
Question # 64

An organization has established hiring policies and procedures designed specifically to ensure network administrators are well qualified Which type of control is in place?

A.

Detective

B.

Compensating

C.

Corrective

D.

Directive

Full Access
Question # 65

Which of the following is an example of a preventive control for physical access?

A.

Keeping log entries for all visitors to the building

B.

Implementing a fingerprint-based access control system for the building

C.

Installing closed-circuit television (CCTV) cameras for all ingress and egress points

D.

Implementing a centralized logging server to record instances of staff logging into workstations

Full Access
Question # 66

During an audit which of the following would be MOST helpful in establishing a baseline for measuring data quality?

A.

Input from customers

B.

Industry standard business definitions

C.

Validation of rules by the business

D.

Built-in data error prevention application controls

Full Access
Question # 67

Which of the following is the BEST way to verify the effectiveness of a data restoration process?

A.

Performing periodic reviews of physical access to backup media

B.

Performing periodic complete data restorations

C.

Validating off ne backups using software utilities

D.

Reviewing and updating data restoration policies annually

Full Access
Question # 68

Which of the following would the IS auditor MOST likely review to determine whether modifications to the operating system parameters were authorized?

A.

Documentation of exit routines

B.

System initialization logs

C.

Change control log

D.

Security system parameters

Full Access
Question # 69

An internal audit team is deciding whether to use an audit management application hosted by a third party in a different country.

What should be the MOST important consideration related to the uploading of payroll audit documentation in the hosted

application?

A.

Financial regulations affecting the organization

B.

Data center physical access controls whore the application is hosted

C.

Privacy regulations affecting the organization

D.

Per-unit cost charged by the hosting services provider for storage

Full Access
Question # 70

An organization relies on an external vendor that uses a cloud-based Software as a Service (SaaS) model to back up its data. Which of the following is the GREATEST risk to the organization related to data backup and retrieval?

A.

The organization may be locked into an unfavorable contract with the vendor.

B.

The vendor may be unable to restore critical data.

C.

The vendor may be unable to restore data by recovery time objective (RTO) requirements.

D.

The organization may not be allowed to inspect the vendor's data center.

Full Access
Question # 71

An IS auditor is evaluating the risk associated with moving from one database management system (DBMS) to another. Which of the following would be MOST helpful to ensure the integrity of the system throughout the change?

A.

Preserving the same data classifications

B.

Preserving the same data inputs

C.

Preserving the same data structure

D.

Preserving the same data interfaces

Full Access
Question # 72

During the implementation of a new system, an IS auditor must assess whether certain automated calculations comply with the regulatory requirements Which of the following is the BEST way to obtain this assurance?

A.

Review sign-off documentation

B.

Review the source code related to the calculation

C.

Re-perform the calculation with audit software

D.

Inspect user acceptance lest (UAT) results

Full Access
Question # 73

An IS auditor has been asked to audit the proposed acquisition of new computer hardware. The auditor’s PRIMARY concern Is that:

A.

the implementation plan meets user requirements.

B.

a full, visible audit trail will be Included.

C.

a dear business case has been established.

D.

the new hardware meets established security standards

Full Access
Question # 74

Which of the following business continuity activities prioritizes the recovery of critical functions?

A.

Business continuity plan (BCP) testing

B.

Business impact analysis (BIA)

C.

Disaster recovery plan (DRP) testing

D.

Risk assessment

Full Access
Question # 75

Providing security certification for a new system should include which of the following prior to the system's implementation?

A.

End-user authorization to use the system in production

B.

External audit sign-off on financial controls

C.

Testing of the system within the production environment

D.

An evaluation of the configuration management practices

Full Access
Question # 76

Which of the following BEST enables the timely identification of risk exposure?

A.

External audit review

B.

Internal audit review

C.

Control self-assessment (CSA)

D.

Stress testing

Full Access
Question # 77

An organization has assigned two now IS auditors to audit a now system implementation. One of the auditors has an IT-related degree, and one has a business degree. Which ol the following is MOST important to meet the IS audit standard for proficiency?

A.

The standard is met as long as one member has a globally recognized audit certification.

B.

Technical co-sourcing must be used to help the new staff.

C.

Team member assignments must be based on individual competencies.

D.

The standard is met as long as a supervisor reviews the new auditors' work.

Full Access
Question # 78

Which of the following is the BEST indicator of the effectiveness of an organization's incident response program?

A.

Number of successful penetration tests

B.

Percentage of protected business applications

C.

Financial impact per security event

D.

Number of security vulnerability patches

Full Access
Question # 79

Which of the following occurs during the issues management process for a system development project?

A.

Contingency planning

B.

Configuration management

C.

Help desk management

D.

Impact assessment

Full Access
Question # 80

The waterfall life cycle model of software development is BEST suited for which of the following situations?

A.

The protect requirements are wall understood.

B.

The project is subject to time pressures.

C.

The project intends to apply an object-oriented design approach.

D.

The project will involve the use of new technology.

Full Access
Question # 81

In an online application, which of the following would provide the MOST information about the transaction audit trail?

A.

System/process flowchart

B.

File layouts

C.

Data architecture

D.

Source code documentation

Full Access
Question # 82

Which of the following represents the HIGHEST level of maturity of an information security program?

A.

A training program is in place to promote information security awareness.

B.

A framework is in place to measure risks and track effectiveness.

C.

Information security policies and procedures are established.

D.

The program meets regulatory and compliance requirements.

Full Access
Question # 83

The performance, risks, and capabilities of an IT infrastructure are BEST measured using a:

A.

risk management review

B.

control self-assessment (CSA).

C.

service level agreement (SLA).

D.

balanced scorecard.

Full Access
Question # 84

An organization plans to receive an automated data feed into its enterprise data warehouse from a third-party service provider. Which of the following would be the BEST way to prevent accepting bad data?

A.

Obtain error codes indicating failed data feeds.

B.

Purchase data cleansing tools from a reputable vendor.

C.

Appoint data quality champions across the organization.

D.

Implement business rules to reject invalid data.

Full Access
Question # 85

Which of the following should an IS auditor review FIRST when planning a customer data privacy audit?

A.

Legal and compliance requirements

B.

Customer agreements

C.

Data classification

D.

Organizational policies and procedures

Full Access
Question # 86

Due to a recent business divestiture, an organization has limited IT resources to deliver critical projects Reviewing the IT staffing plan against which of the following would BEST guide IT management when estimating resource requirements for future projects?

A.

Human resources (HR) sourcing strategy

B.

Records of actual time spent on projects

C.

Peer organization staffing benchmarks

D.

Budgeted forecast for the next financial year

Full Access
Question # 87

Which of the following provides the MOST assurance over the completeness and accuracy ol loan application processing with respect to the implementation of a new system?

A.

Comparing code between old and new systems

B.

Running historical transactions through the new system

C.

Reviewing quality assurance (QA) procedures

D.

Loading balance and transaction data to the new system

Full Access
Question # 88

When auditing the alignment of IT to the business strategy, it is MOST Important for the IS auditor to:

A.

compare the organization's strategic plan against industry best practice.

B.

interview senior managers for their opinion of the IT function.

C.

ensure an IT steering committee is appointed to monitor new IT projects.

D.

evaluate deliverables of new IT initiatives against planned business services.

Full Access
Question # 89

Which of the following findings should be of GREATEST concern for an IS auditor when auditing the effectiveness of a phishing simu-lation test administered for staff members?

A.

Staff members who failed the test did not receive follow-up education

B.

Test results were not communicated to staff members.

C.

Staff members were not notified about the test beforehand.

D.

Security awareness training was not provided prior to the test.

Full Access
Question # 90

Which of the following controls BEST ensures appropriate segregation of dudes within an accounts payable department?

A.

Ensuring that audit trails exist for transactions

B.

Restricting access to update programs to accounts payable staff only

C.

Including the creator's user ID as a field in every transaction record created

D.

Restricting program functionality according to user security profiles

Full Access
Question # 91

In order to be useful, a key performance indicator (KPI) MUST

A.

be approved by management.

B.

be measurable in percentages.

C.

be changed frequently to reflect organizational strategy.

D.

have a target value.

Full Access
Question # 92

Capacity management enables organizations to:

A.

forecast technology trends

B.

establish the capacity of network communication links

C.

identify the extent to which components need to be upgraded

D.

determine business transaction volumes.

Full Access
Question # 93

A third-party consultant is managing the replacement of an accounting system. Which of the following should be the IS auditor's GREATEST concern?

A.

Data migration is not part of the contracted activities.

B.

The replacement is occurring near year-end reporting

C.

The user department will manage access rights.

D.

Testing was performed by the third-party consultant

Full Access
Question # 94

Which of the following MUST be completed as part of the annual audit planning process?

A.

Business impact analysis (BIA)

B.

Fieldwork

C.

Risk assessment

D.

Risk control matrix

Full Access
Question # 95

Which of the following Is the BEST way to ensure payment transaction data is restricted to the appropriate users?

A.

Implementing two-factor authentication

B.

Restricting access to transactions using network security software

C.

implementing role-based access at the application level

D.

Using a single menu tor sensitive application transactions

Full Access
Question # 96

An IS auditor finds a high-risk vulnerability in a public-facing web server used to process online customer payments. The IS auditor should FIRST

A.

document the exception in an audit report.

B.

review security incident reports.

C.

identify compensating controls.

D.

notify the audit committee.

Full Access
Question # 97

Which of the following concerns is BEST addressed by securing production source libraries?

A.

Programs are not approved before production source libraries are updated.

B.

Production source and object libraries may not be synchronized.

C.

Changes are applied to the wrong version of production source libraries.

D.

Unauthorized changes can be moved into production.

Full Access
Question # 98

An IS auditor performs a follow-up audit and learns the approach taken by the auditee to fix the findings differs from the agreed-upon approach confirmed during the last audit. Which of the following should be the auditor's NEXT course of action?

A.

Evaluate the appropriateness of the remedial action taken.

B.

Conduct a risk analysis incorporating the change.

C.

Report results of the follow-up to the audit committee.

D.

Inform senior management of the change in approach.

Full Access
Question # 99

Which of the following is the BEST indicator of the effectiveness of signature-based intrusion detection systems (lDS)?

A.

An increase in the number of identified false positives

B.

An increase in the number of detected Incidents not previously identified

C.

An increase in the number of unfamiliar sources of intruders

D.

An increase in the number of internally reported critical incidents

Full Access
Question # 100

Which of the following is an example of a preventative control in an accounts payable system?

A.

The system only allows payments to vendors who are included In the system's master vendor list.

B.

Backups of the system and its data are performed on a nightly basis and tested periodically.

C.

The system produces daily payment summary reports that staff use to compare against invoice totals.

D.

Policies and procedures are clearly communicated to all members of the accounts payable department

Full Access
Question # 101

In data warehouse (DW) management, what is the BEST way to prevent data quality issues caused by changes from a source system?

A.

Configure data quality alerts to check variances between the data warehouse and the source system

B.

Require approval for changes in the extract/Transfer/load (ETL) process between the two systems

C.

Include the data warehouse in the impact analysis (or any changes m the source system

D.

Restrict access to changes in the extract/transfer/load (ETL) process between the two systems

Full Access
Question # 102

Which of the following would lead an IS auditor to conclude that the evidence collected during a digital forensic investigation would not be admissible in court?

A.

The person who collected the evidence is not qualified to represent the case.

B.

The logs failed to identify the person handling the evidence.

C.

The evidence was collected by the internal forensics team.

D.

The evidence was not fully backed up using a cloud-based solution prior to the trial.

Full Access
Question # 103

Which of the following observations would an IS auditor consider the GREATEST risk when conducting an audit of a virtual server farm tor potential software vulnerabilities?

A.

Guest operating systems are updated monthly

B.

The hypervisor is updated quarterly.

C.

A variety of guest operating systems operate on one virtual server

D.

Antivirus software has been implemented on the guest operating system only.

Full Access
Question # 104

Which of the following is the BEST reason for an organization to use clustering?

A.

To decrease system response time

B.

To Improve the recovery lime objective (RTO)

C.

To facilitate faster backups

D.

To improve system resiliency

Full Access
Question # 105

In a RAO model, which of the following roles must be assigned to only one individual?

A.

Responsible

B.

Informed

C.

Consulted

D.

Accountable

Full Access
Question # 106

Which of the following is the GREATEST security risk associated with data migration from a legacy human resources (HR) system to a cloud-based system?

A.

Data from the source and target system may be intercepted.

B.

Data from the source and target system may have different data formats.

C.

Records past their retention period may not be migrated to the new system.

D.

System performance may be impacted by the migration

Full Access
Question # 107

Which of the following activities provides an IS auditor with the MOST insight regarding potential single person dependencies that might exist within the organization?

A.

Reviewing vacation patterns

B.

Reviewing user activity logs

C.

Interviewing senior IT management

D.

Mapping IT processes to roles

Full Access
Question # 108

Which of the following is MOST helpful for measuring benefits realization for a new system?

A.

Function point analysis

B.

Balanced scorecard review

C.

Post-implementation review

D.

Business impact analysis (BIA)

Full Access
Question # 109

An IS auditor notes that IT and the business have different opinions on the availability of their application servers. Which of the following should the IS auditor review FIRST in order to understand the problem?

A.

The exact definition of the service levels and their measurement

B.

The alerting and measurement process on the application servers

C.

The actual availability of the servers as part of a substantive test

D.

The regular performance-reporting documentation

Full Access
Question # 110

Which of the following BEST demonstrates that IT strategy Is aligned with organizational goals and objectives?

A.

IT strategies are communicated to all Business stakeholders

B.

Organizational strategies are communicated to the chief information officer (CIO).

C.

Business stakeholders are Involved In approving the IT strategy.

D.

The chief information officer (CIO) is involved In approving the organizational strategies

Full Access
Question # 111

Which of the following findings should be of GREATEST concern to an IS auditor performing a review of IT operations?

A.

The job scheduler application has not been designed to display pop-up error messages.

B.

Access to the job scheduler application has not been restricted to a maximum of two staff members

C.

Operations shift turnover logs are not utilized to coordinate and control the processing environment

D.

Changes to the job scheduler application's parameters are not approved and reviewed by an operations supervisor

Full Access
Question # 112

Which of the following will MOST likely compromise the control provided By a digital signature created using RSA encryption?

A.

Reversing the hash function using the digest

B.

Altering the plaintext message

C.

Deciphering the receiver's public key

D.

Obtaining the sender's private key

Full Access
Question # 113

Which of the following is the BEST source of information for an IS auditor to use as a baseline to assess the adequacy of an organization's privacy policy?

A.

Historical privacy breaches and related root causes

B.

Globally accepted privacy best practices

C.

Local privacy standards and regulations

D.

Benchmark studies of similar organizations

Full Access
Question # 114

During a follow-up audit, it was found that a complex security vulnerability of low risk was not resolved within the agreed-upon timeframe. IT has stated that the system with the identified vulnerability is being replaced and is expected to be fully functional in two months Which of the following is the BEST course of action?

A.

Require documentation that the finding will be addressed within the new system

B.

Schedule a meeting to discuss the issue with senior management

C.

Perform an ad hoc audit to determine if the vulnerability has been exploited

D.

Recommend the finding be resolved prior to implementing the new system

Full Access
Question # 115

Which of the following would be of MOST concern for an IS auditor evaluating the design of an organization's incident management processes?

A.

Service management standards are not followed.

B.

Expected time to resolve incidents is not specified.

C.

Metrics are not reported to senior management.

D.

Prioritization criteria are not defined.

Full Access
Question # 116

For an organization that has plans to implement web-based trading, it would be MOST important for an IS auditor to verify the organization's information security plan includes:

A.

attributes for system passwords.

B.

security training prior to implementation.

C.

security requirements for the new application.

D.

the firewall configuration for the web server.

Full Access
Question # 117

UESTION NO: 210

An accounting department uses a spreadsheet to calculate sensitive financial transactions. Which of the following is the MOST important control for maintaining the security of data in the spreadsheet?

A.

There Is a reconciliation process between the spreadsheet and the finance system

B.

A separate copy of the spreadsheet is routinely backed up

C.

The spreadsheet is locked down to avoid inadvertent changes

D.

Access to the spreadsheet is given only to those who require access

Full Access
Question # 118

Which of the following is the MOST important activity in the data classification process?

A.

Labeling the data appropriately

B.

Identifying risk associated with the data

C.

Determining accountability of data owners

D.

Determining the adequacy of privacy controls

Full Access
Question # 119

Which of the following is MOST important for an IS auditor to consider when performing the risk assessment poor to an audit engagement?

A.

The design of controls

B.

Industry standards and best practices

C.

The results of the previous audit

D.

The amount of time since the previous audit

Full Access
Question # 120

The BEST way to determine whether programmers have permission to alter data in the production environment is by reviewing:

A.

the access control system's log settings.

B.

how the latest system changes were implemented.

C.

the access control system's configuration.

D.

the access rights that have been granted.

Full Access
Question # 121

Which of the following is MOST important for an IS auditor to verify when evaluating an organization's firewall?

A.

Logs are being collected in a separate protected host

B.

Automated alerts are being sent when a risk is detected

C.

Insider attacks are being controlled

D.

Access to configuration files Is restricted.

Full Access
Question # 122

What is the MAIN reason to use incremental backups?

A.

To improve key availability metrics

B.

To reduce costs associates with backups

C.

To increase backup resiliency and redundancy

D.

To minimize the backup time and resources

Full Access
Question # 123

An IS audit learn is evaluating the documentation related to the most recent application user-access review performed by IT and business management It is determined that the user list was not system-generated. Which of the following should be the GREATEST concern?

A.

Availability of the user list reviewed

B.

Confidentiality of the user list reviewed

C.

Source of the user list reviewed

D.

Completeness of the user list reviewed

Full Access
Question # 124

An IS auditor learns the organization has experienced several server failures in its distributed environment. Which of the following is the BEST recommendation to limit the potential impact of server failures in the future?

A.

Redundant pathways

B.

Clustering

C.

Failover power

D.

Parallel testing

Full Access
Question # 125

An IS auditor is reviewing an industrial control system (ICS) that uses older unsupported technology in the scope of an upcoming audit. What should the auditor consider the MOST significant concern?

A.

Attack vectors are evolving for industrial control systems.

B.

There is a greater risk of system exploitation.

C.

Disaster recovery plans (DRPs) are not in place.

D.

Technical specifications are not documented.

Full Access
Question # 126

Which of the following is the PRIMARY reason to follow a configuration management process to maintain application?

A.

To optimize system resources

B.

To follow system hardening standards

C.

To optimize asset management workflows

D.

To ensure proper change control

Full Access
Question # 127

Stress testing should ideally be earned out under a:

A.

test environment with production workloads.

B.

production environment with production workloads.

C.

production environment with test data.

D.

test environment with test data.

Full Access
Question # 128

Which of the following is the PRIMARY role of the IS auditor m an organization's information classification process?

A.

Securing information assets in accordance with the classification assigned

B.

Validating that assets are protected according to assigned classification

C.

Ensuring classification levels align with regulatory guidelines

D.

Defining classification levels for information assets within the organization

Full Access
Question # 129

During the planning stage of a compliance audit, an IS auditor discovers that a bank's inventory of compliance requirements does not include recent regulatory changes related to managing data risk. What should the auditor do FIRST?

A.

Ask management why the regulatory changes have not been Included.

B.

Discuss potential regulatory issues with the legal department

C.

Report the missing regulatory updates to the chief information officer (CIO).

D.

Exclude recent regulatory changes from the audit scope.

Full Access
Question # 130

An organization recently implemented a cloud document storage solution and removed the ability for end users to save data to their local workstation hard drives. Which of the following findings should be the IS auditor's GREATEST concern?

A.

Users are not required to sign updated acceptable use agreements.

B.

Users have not been trained on the new system.

C.

The business continuity plan (BCP) was not updated.

D.

Mobile devices are not encrypted.

Full Access
Question # 131

Which of the following weaknesses would have the GREATEST impact on the effective operation of a perimeter firewall?

A.

Use of stateful firewalls with default configuration

B.

Ad hoc monitoring of firewall activity

C.

Misconfiguration of the firewall rules

D.

Potential back doors to the firewall software

Full Access
Question # 132

A project team has decided to switch to an agile approach to develop a replacement for an existing business application. Which of the following should an IS auditor do FIRST to ensure the effectiveness of the protect audit?

A.

Compare the agile process with previous methodology.

B.

Identify and assess existing agile process control

C.

Understand the specific agile methodology that will be followed.

D.

Interview business process owners to compile a list of business requirements

Full Access
Question # 133

When testing the adequacy of tape backup procedures, which step BEST verifies that regularly scheduled Backups are timely and run to completion?

A.

Observing the execution of a daily backup run

B.

Evaluating the backup policies and procedures

C.

Interviewing key personnel evolved In the backup process

D.

Reviewing a sample of system-generated backup logs

Full Access
Question # 134

An IS auditor is analyzing a sample of accesses recorded on the system log of an application. The auditor intends to launch an intensive investigation if one exception is found Which sampling method would be appropriate?

A.

Discovery sampling

B.

Judgmental sampling

C.

Variable sampling

D.

Stratified sampling

Full Access
Question # 135

In an environment that automatically reports all program changes, which of the following is the MOST efficient way to detect unauthorized changes to production programs?

A.

Reviewing the last compile date of production programs

B.

Manually comparing code in production programs to controlled copies

C.

Periodically running and reviewing test data against production programs

D.

Verifying user management approval of modifications

Full Access
Question # 136

Which of the following metrics would BEST measure the agility of an organization's IT function?

A.

Average number of learning and training hours per IT staff member

B.

Frequency of security assessments against the most recent standards and guidelines

C.

Average time to turn strategic IT objectives into an agreed upon and approved initiative

D.

Percentage of staff with sufficient IT-related skills for the competency required of their roles

Full Access
Question # 137

A new system is being developed by a vendor for a consumer service organization. The vendor will provide its proprietary software once system development is completed Which of the following is the MOST important requirement to include In the vendor contract to ensure continuity?

A.

Continuous 24/7 support must be available.

B.

The vendor must have a documented disaster recovery plan (DRP) in place.

C.

Source code for the software must be placed in escrow.

D.

The vendor must train the organization's staff to manage the new software

Full Access
Question # 138

Which of the following is the MOST important reason to classify a disaster recovery plan (DRP) as confidential?

A.

Ensure compliance with the data classification policy.

B.

Protect the plan from unauthorized alteration.

C.

Comply with business continuity best practice.

D.

Reduce the risk of data leakage that could lead to an attack.

Full Access
Question # 139

Which of the following is MOST important to consider when scheduling follow-up audits?

A.

The efforts required for independent verification with new auditors

B.

The impact if corrective actions are not taken

C.

The amount of time the auditee has agreed to spend with auditors

D.

Controls and detection risks related to the observations

Full Access
Question # 140

Following a security breach in which a hacker exploited a well-known vulnerability in the domain controller, an IS audit has been asked to conduct a control assessment. the auditor's BEST course of action would be to determine if:

A.

the patches were updated.

B.

The logs were monitored.

C.

The network traffic was being monitored.

D.

The domain controller was classified for high availability.

Full Access
Question # 141

The PRIMARY benefit of information asset classification is that it:

A.

prevents loss of assets.

B.

helps to align organizational objectives.

C.

facilitates budgeting accuracy.

D.

enables risk management decisions.

Full Access
Question # 142

Which of the following is the BEST control lo mitigate attacks that redirect Internet traffic to an unauthorized website?

A.

Utilize a network-based firewall.

B.

Conduct regular user security awareness training.

C.

Perform domain name system (DNS) server security hardening.

D.

Enforce a strong password policy meeting complexity requirement.

Full Access
Question # 143

An IS auditor has completed the fieldwork phase of a network security review and is preparing the initial following findings should be ranked as the HIGHEST risk?

A.

Network penetration tests are not performed

B.

The network firewall policy has not been approved by the information security officer.

C.

Network firewall rules have not been documented.

D.

The network device inventory is incomplete.

Full Access
Question # 144

Which of the following would be the MOST useful metric for management to consider when reviewing a project portfolio?

A.

Cost of projects divided by total IT cost

B.

Expected return divided by total project cost

C.

Net present value (NPV) of the portfolio

D.

Total cost of each project

Full Access
Question # 145

Which of the following is MOST important to ensure that electronic evidence collected during a forensic investigation will be admissible in future legal proceedings?

A.

Restricting evidence access to professionally certified forensic investigators

B.

Documenting evidence handling by personnel throughout the forensic investigation

C.

Performing investigative procedures on the original hard drives rather than images of the hard drives

D.

Engaging an independent third party to perform the forensic investigation

Full Access
Question # 146

Which of the following is the BEST evidence that an organization's IT strategy is aligned lo its business objectives?

A.

The IT strategy is modified in response to organizational change.

B.

The IT strategy is approved by executive management.

C.

The IT strategy is based on IT operational best practices.

D.

The IT strategy has significant impact on the business strategy

Full Access
Question # 147

Management receives information indicating a high level of risk associated with potential flooding near the organization's data center within the next few years. As a result, a decision has been made to move data center operations to another facility on higher ground. Which approach has been adopted?

A.

Risk avoidance

B.

Risk transfer

C.

Risk acceptance

D.

Risk reduction

Full Access
Question # 148

A system administrator recently informed the IS auditor about the occurrence of several unsuccessful intrusion attempts from outside the organization. Which of the following is MOST effective in detecting such an intrusion?

A.

Using smart cards with one-time passwords

B.

Periodically reviewing log files

C.

Configuring the router as a firewall

D.

Installing biometrics-based authentication

Full Access
Question # 149

Which of the following would be an appropriate role of internal audit in helping to establish an organization’s privacy program?

A.

Analyzing risks posed by new regulations

B.

Developing procedures to monitor the use of personal data

C.

Defining roles within the organization related to privacy

D.

Designing controls to protect personal data

Full Access
Question # 150

What should an IS auditor do FIRST upon discovering that a service provider did not notify its customers of a security breach?

A.

Notify law enforcement of the finding.

B.

Require the third party to notify customers.

C.

The audit report with a significant finding.

D.

Notify audit management of the finding.

Full Access
Question # 151

Which of the following presents the GREATEST challenge to the alignment of business and IT?

A.

Lack of chief information officer (CIO) involvement in board meetings

B.

Insufficient IT budget to execute new business projects

C.

Lack of information security involvement in business strategy development

D.

An IT steering committee chaired by the chief information officer (CIO)

Full Access
Question # 152

Which of the following is the BEST reason to implement a data retention policy?

A.

To limit the liability associated with storing and protecting information

B.

To document business objectives for processing data within the organization

C.

To assign responsibility and ownership for data protection outside IT

D.

To establish a recovery point detective (RPO) for (toaster recovery procedures

Full Access
Question # 153

An IS auditor discovers that an IT organization serving several business units assigns equal priority to all initiatives, creating a risk of delays in securing project funding Which of the following would be MOST helpful in matching demand for projects and services with available resources in a way that supports business objectives?

A.

Project management

B.

Risk assessment results

C.

IT governance framework

D.

Portfolio management

Full Access
Question # 154

Which of the following issues associated with a data center's closed-circuit television (CCTV) surveillance cameras should be of MOST concern to an IS auditor?

A.

CCTV recordings are not regularly reviewed.

B.

CCTV cameras are not installed in break rooms

C.

CCTV records are deleted after one year.

D.

CCTV footage is not recorded 24 x 7.

Full Access
Question # 155

Which of the following backup schemes is the BEST option when storage media is limited?

A.

Real-time backup

B.

Virtual backup

C.

Differential backup

D.

Full backup

Full Access
Question # 156

Which of the following BEST facilitates the legal process in the event of an incident?

A.

Right to perform e-discovery

B.

Advice from legal counsel

C.

Preserving the chain of custody

D.

Results of a root cause analysis

Full Access
Question # 157

Which of the following is MOST important for an IS auditor to determine during the detailed design phase of a system development project?

A.

Program coding standards have been followed

B.

Acceptance test criteria have been developed

C.

Data conversion procedures have been established.

D.

The design has been approved by senior management.

Full Access
Question # 158

Which of the following BEST enables the effectiveness of an agile project for the rapid development of a new software application?

A.

Project segments are established.

B.

The work is separated into phases.

C.

The work is separated into sprints.

D.

Project milestones are created.

Full Access
Question # 159

Which of the following should be the IS auditor's PRIMARY focus, when evaluating an organization's offsite storage facility?

A.

Shared facilities

B.

Adequacy of physical and environmental controls

C.

Results of business continuity plan (BCP) test

D.

Retention policy and period

Full Access
Question # 160

What is the GREATEST concern for an IS auditor reviewing contracts for licensed software that executes a critical business process?

A.

The contract does not contain a right-to-audit clause.

B.

An operational level agreement (OLA) was not negotiated.

C.

Several vendor deliverables missed the commitment date.

D.

Software escrow was not negotiated.

Full Access
Question # 161

During audit framework. an IS auditor teams that employees are allowed to connect their personal devices to company-owned computers. How can the auditor BEST validate that appropriate security controls are in place to prevent data loss?

A.

Conduct a walk-through to view results of an employee plugging in a device to transfer confidential data.

B.

Review compliance with data loss and applicable mobile device user acceptance policies.

C.

Verify the data loss prevention (DLP) tool is properly configured by the organization.

D.

Verify employees have received appropriate mobile device security awareness training.

Full Access
Question # 162

An IS auditor is reviewing processes for importing market price data from external data providers. Which of the following findings should the auditor consider MOST critical?

A.

The quality of the data is not monitored.

B.

Imported data is not disposed frequently.

C.

The transfer protocol is not encrypted.

D.

The transfer protocol does not require authentication.

Full Access
Question # 163

Which of the following features of a library control software package would protect against unauthorized updating of source code?

A.

Required approvals at each life cycle step

B.

Date and time stamping of source and object code

C.

Access controls for source libraries

D.

Release-to-release comparison of source code

Full Access
Question # 164

Which of the following is MOST important when implementing a data classification program?

A.

Understanding the data classification levels

B.

Formalizing data ownership

C.

Developing a privacy policy

D.

Planning for secure storage capacity

Full Access
Question # 165

An IS auditor notes that the previous year's disaster recovery test was not completed within the scheduled time frame due to insufficient hardware allocated by a third-party vendor. Which of the following provides the BEST evidence that adequate resources are now allocated to successfully recover the systems?

A.

Service level agreement (SLA)

B.

Hardware change management policy

C.

Vendor memo indicating problem correction

D.

An up-to-date RACI chart

Full Access
Question # 166

Which of the following would BEST help to ensure that potential security issues are considered by the development team as part of incremental changes to agile-developed software?

A.

Assign the security risk analysis to a specially trained member of the project management office.

B.

Deploy changes in a controlled environment and observe for security defects.

C.

Include a mandatory step to analyze the security impact when making changes.

D.

Mandate that the change analyses are documented in a standard format.

Full Access
Question # 167

An IS auditor assessing the controls within a newly implemented call center would First

A.

gather information from the customers regarding response times and quality of service.

B.

review the manual and automated controls in the call center.

C.

test the technical infrastructure at the call center.

D.

evaluate the operational risk associated with the call center.

Full Access
Question # 168

An organization allows its employees lo use personal mobile devices for work. Which of the following would BEST maintain information security without compromising employee privacy?

A.

Installing security software on the devices

B.

Partitioning the work environment from personal space on devices

C.

Preventing users from adding applications

D.

Restricting the use of devices for personal purposes during working hours

Full Access
Question # 169

Which of the following is the BEST metric to measure the alignment of IT and business strategy?

A.

Level of stakeholder satisfaction with the scope of planned IT projects

B.

Percentage of enterprise risk assessments that include IT-related risk

C.

Percentage of stat satisfied with their IT-related roles

D.

Frequency of business process capability maturity assessments

Full Access
Question # 170

Which of the following is the MOST effective way for an organization to help ensure agreed-upon action plans from an IS audit will be implemented?

A.

Ensure sufficient audit resources are allocated,

B.

Communicate audit results organization-wide.

C.

Ensure ownership is assigned.

D.

Test corrective actions upon completion.

Full Access
Question # 171

Which of the following should be the FIRST step in the incident response process for a suspected breach?

A.

Inform potentially affected customers of the security breach

B.

Notify business management of the security breach.

C.

Research the validity of the alerted breach

D.

Engage a third party to independently evaluate the alerted breach.

Full Access
Question # 172

An IS auditor follows up on a recent security incident and finds the incident response was not adequate. Which of the following findings should be considered MOST critical?

A.

The security weakness facilitating the attack was not identified.

B.

The attack was not automatically blocked by the intrusion detection system (IDS).

C.

The attack could not be traced back to the originating person.

D.

Appropriate response documentation was not maintained.

Full Access
Question # 173

Which of the following is the BEST way to ensure that business continuity plans (BCPs) will work effectively in the event of a major disaster?

A.

Prepare detailed plans for each business function.

B.

Involve staff at all levels in periodic paper walk-through exercises.

C.

Regularly update business impact assessments.

D.

Make senior managers responsible for their plan sections.

Full Access
Question # 174

Which of the following is the MOST efficient way to identify segregation of duties violations in a new system?

A.

Review a report of security rights in the system.

B.

Observe the performance of business processes.

C.

Develop a process to identify authorization conflicts.

D.

Examine recent system access rights violations.

Full Access
Question # 175

Which of the following would be MOST effective to protect information assets in a data center from theft by a vendor?

A.

Monitor and restrict vendor activities

B.

Issues an access card to the vendor.

C.

Conceal data devices and information labels

D.

Restrict use of portable and wireless devices.

Full Access
Question # 176

Which of the following is the GREATEST risk of using a reciprocal site for disaster recovery?

A.

Inability to utilize the site when required

B.

Inability to test the recovery plans onsite

C.

Equipment compatibility issues at the site

D.

Mismatched organizational security policies

Full Access
Question # 177

An externally facing system containing sensitive data is configured such that users have either read-only or administrator rights. Most users of the system have administrator access. Which of the following is the GREATEST risk associated with this situation?

A.

Users can export application logs.

B.

Users can view sensitive data.

C.

Users can make unauthorized changes.

D.

Users can install open-licensed software.

Full Access
Question # 178

Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?

A.

Apply single sign-on for access control

B.

Implement segregation of duties.

C.

Enforce an internal data access policy.

D.

Enforce the use of digital signatures.

Full Access
Question # 179

Which of the following would MOST effectively help to reduce the number of repealed incidents in an organization?

A.

Testing incident response plans with a wide range of scenarios

B.

Prioritizing incidents after impact assessment.

C.

Linking incidents to problem management activities

D.

Training incident management teams on current incident trends

Full Access
Question # 180

A review of Internet security disclosed that users have individual user accounts with Internet service providers (ISPs) and use these accounts for downloading business data. The organization wants to ensure that only the corporate network is used. The organization should FIRST:

A.

use a proxy server to filter out Internet sites that should not be accessed.

B.

keep a manual log of Internet access.

C.

monitor remote access activities.

D.

include a statement in its security policy about Internet use.

Full Access
Question # 181

An IS auditor has found that a vendor has gone out of business and the escrow has an older version of the source code. What is the auditor's BEST recommendation for the organization?

A.

Analyze a new application that moots the current re

B.

Perform an analysis to determine the business risk

C.

Bring the escrow version up to date.

D.

Develop a maintenance plan to support the application using the existing code

Full Access
Question # 182

An IS auditor is reviewing logical access controls for an organization's financial business application Which of the following findings should be of GREATEST concern to the auditor?

A.

Users are not required to change their passwords on a regular basis

B.

Management does not review application user activity logs

C.

User accounts are shared between users

D.

Password length is set to eight characters

Full Access
Question # 183

An IS auditor is reviewing the installation of a new server. The IS auditor's PRIMARY objective is to ensure that

A.

security parameters are set in accordance with the manufacturer s standards.

B.

a detailed business case was formally approved prior to the purchase.

C.

security parameters are set in accordance with the organization's policies.

D.

the procurement project invited lenders from at least three different suppliers.

Full Access
Question # 184

An organization has made a strategic decision to split into separate operating entities to improve profitability. However, the IT infrastructure remains shared between the entities. Which of the following would BEST help to ensure that IS audit still covers key risk areas within the IT environment as part of its annual plan?

A.

Increasing the frequency of risk-based IS audits for each business entity

B.

Developing a risk-based plan considering each entity's business processes

C.

Conducting an audit of newly introduced IT policies and procedures

D.

Revising IS audit plans to focus on IT changes introduced after the split

Full Access
Question # 185

Which of the following security measures will reduce the risk of propagation when a cyberattack occurs?

A.

Perimeter firewall

B.

Data loss prevention (DLP) system

C.

Web application firewall

D.

Network segmentation

Full Access
Question # 186

Which of the following BEST helps to ensure data integrity across system interfaces?

A.

Environment segregation

B.

Reconciliation

C.

System backups

D.

Access controls

Full Access
Question # 187

Which of the following is the BEST way to enforce the principle of least privilege on a server containing data with different security classifications?

A.

Limiting access to the data files based on frequency of use

B.

Obtaining formal agreement by users to comply with the data classification policy

C.

Applying access controls determined by the data owner

D.

Using scripted access control lists to prevent unauthorized access to the server

Full Access
Question # 188

Which of the following would provide an IS auditor with the GREATEST assurance that data disposal controls support business strategic objectives?

A.

Media recycling policy

B.

Media sanitization policy

C.

Media labeling policy

D.

Media shredding policy

Full Access
Question # 189

Which of the following is the BEST way to mitigate the risk associated with unintentional modifications of complex calculations in end-user computing (EUC)?

A.

Have an independent party review the source calculations

B.

Execute copies of EUC programs out of a secure library

C.

implement complex password controls

D.

Verify EUC results through manual calculations

Full Access
Question # 190

An IS auditor has discovered that a software system still in regular use is years out of date and no longer supported the auditee has stated that it will take six months until the software is running on the current version. Which of the following is the BEST way to reduce the immediate risk associated with using an unsupported version of the software?

A.

Verify all patches have been applied to the software system's outdated version

B.

Close all unused ports on the outdated software system.

C.

Segregate the outdated software system from the main network.

D.

Monitor network traffic attempting to reach the outdated software system.

Full Access
Question # 191

During a security audit, an IS auditor is tasked with reviewing log entries obtained from an enterprise intrusion prevention system (IPS). Which type of risk would be associated with the potential for the auditor to miss a sequence of logged events that could indicate an error in the IPS configuration?

A.

Sampling risk

B.

Detection risk

C.

Control risk

D.

Inherent risk

Full Access
Question # 192

A review of an organization’s IT portfolio revealed several applications that are not in use. The BEST way to prevent this situation from recurring would be to implement.

A.

A formal request for proposal (RFP) process

B.

Business case development procedures

C.

An information asset acquisition policy

D.

Asset life cycle management.

Full Access
Question # 193

If enabled within firewall rules, which of the following services would present the GREATEST risk?

A.

Simple mail transfer protocol (SMTP)

B.

Simple object access protocol (SOAP)

C.

Hypertext transfer protocol (HTTP)

D.

File transfer protocol (FTP)

Full Access
Question # 194

Which of the following would be MOST useful when analyzing computer performance?

A.

Statistical metrics measuring capacity utilization

B.

Operations report of user dissatisfaction with response time

C.

Tuning of system software to optimize resource usage

D.

Report of off-peak utilization and response time

Full Access
Question # 195

Which of the following is MOST important for an IS auditor to confirm when reviewing an organization's plans to implement robotic process automation (RPA> to automate routine business tasks?

A.

The end-to-end process is understood and documented.

B.

Roles and responsibilities are defined for the business processes in scope.

C.

A benchmarking exercise of industry peers who use RPA has been completed.

D.

A request for proposal (RFP) has been issued to qualified vendors.

Full Access
Question # 196

Which of the following is the MOST significant risk that IS auditors are required to consider for each engagement?

A.

Process and resource inefficiencies

B.

Irregularities and illegal acts

C.

Noncompliance with organizational policies

D.

Misalignment with business objectives

Full Access
Question # 197

Which of the following should be of GREATEST concern for an IS auditor reviewing an organization's disaster recovery plan (DRP)?

A.

The DRP has not been formally approved by senior management.

B.

The DRP has not been distributed to end users.

C.

The DRP has not been updated since an IT infrastructure upgrade.

D.

The DRP contains recovery procedures for critical servers only.

Full Access
Question # 198

Which of the following should be performed FIRST before key performance indicators (KPIs) can be implemented?

A.

Analysis of industry benchmarks

B.

Identification of organizational goals

C.

Analysis of quantitative benefits

D.

Implementation of a balanced scorecard

Full Access
Question # 199

Which of the following application input controls would MOST likely detect data input errors in the customer account number field during the processing of an accounts receivable transaction?

A.

Limit check

B.

Parity check

C.

Reasonableness check

D.

Validity check

Full Access
Question # 200

Which of the following is a challenge in developing a service level agreement (SLA) for network services?

A.

Establishing a well-designed framework for network servirces.

B.

Finding performance metrics that can be measured properly

C.

Ensuring that network components are not modified by the client

D.

Reducing the number of entry points into the network

Full Access
Question # 201

Which task should an IS auditor complete FIRST during the preliminary planning phase of a database security review?

A.

Perform a business impact analysis (BIA).

B.

Determine which databases will be in scope.

C.

Identify the most critical database controls.

D.

Evaluate the types of databases being used

Full Access
Question # 202

Which of the following will BEST ensure that a proper cutoff has been established to reinstate transactions and records to their condition just prior to a computer system failure?

A.

Rotating backup copies of transaction files offsite

B.

Using a database management system (DBMS) to dynamically back-out partially processed transactions

C.

Maintaining system console logs in electronic formal

D.

Ensuring bisynchronous capabilities on all transmission lines

Full Access
Question # 203

Which of the following should an IS auditor ensure is classified at the HIGHEST level of sensitivity?

A.

Server room access history

B.

Emergency change records

C.

IT security incidents

D.

Penetration test results

Full Access
Question # 204

Which of the following audit procedures would be MOST conclusive in evaluating the effectiveness of an e-commerce application system's edit routine?

A.

Review of program documentation

B.

Use of test transactions

C.

Interviews with knowledgeable users

D.

Review of source code

Full Access
Question # 205

What would be an IS auditor's BEST recommendation upon finding that a third-party IT service provider hosts the organization's human resources (HR) system in a foreign country?

A.

Perform background verification checks.

B.

Review third-party audit reports.

C.

Implement change management review.

D.

Conduct a privacy impact analysis.

Full Access
Question # 206

An IS auditor finds that the process for removing access for terminated employees is not documented What is the MOST significant risk from this observation?

A.

Procedures may not align with best practices

B.

Human resources (HR) records may not match system access.

C.

Unauthorized access cannot he identified.

D.

Access rights may not be removed in a timely manner.

Full Access
Question # 207

The PRIMARY role of a control self-assessment (CSA) facilitator is to:

A.

conduct interviews to gain background information.

B.

focus the team on internal controls.

C.

report on the internal control weaknesses.

D.

provide solutions for control weaknesses.

Full Access
Question # 208

Which of the following is necessary for effective risk management in IT governance?

A.

Local managers are solely responsible for risk evaluation.

B.

IT risk management is separate from corporate risk management.

C.

Risk management strategy is approved by the audit committee.

D.

Risk evaluation is embedded in management processes.

Full Access
Question # 209

Which of the following types of environmental equipment will MOST likely be deployed below the floor tiles of a data center?

A.

Temperature sensors

B.

Humidity sensors

C.

Water sensors

D.

Air pressure sensors

Full Access
Question # 210

During a follow-up audit, an IS auditor finds that some critical recommendations have the IS auditor's BEST course of action?

A.

Require the auditee to address the recommendations in full.

B.

Adjust the annual risk assessment accordingly.

C.

Evaluate senior management's acceptance of the risk.

D.

Update the audit program based on management's acceptance of risk.

Full Access
Question # 211

Which of the following documents would be MOST useful in detecting a weakness in segregation of duties?

A.

System flowchart

B.

Data flow diagram

C.

Process flowchart

D.

Entity-relationship diagram

Full Access
Question # 212

Secure code reviews as part of a continuous deployment program are which type of control?

A.

Detective

B.

Logical

C.

Preventive

D.

Corrective

Full Access
Question # 213

During an ongoing audit, management requests a briefing on the findings to date. Which of the following is the IS auditor's BEST course of action?

A.

Review working papers with the auditee.

B.

Request the auditee provide management responses.

C.

Request management wait until a final report is ready for discussion.

D.

Present observations for discussion only.

Full Access
Question # 214

When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor's BEST recommendation is to place an intrusion detection system (IDS) between the firewall and:

A.

the Internet.

B.

the demilitarized zone (DMZ).

C.

the organization's web server.

D.

the organization's network.

Full Access
Question # 215

An IS auditor has found that an organization is unable to add new servers on demand in a cost-efficient manner. Which of the following is the auditor's BEST recommendation?

A.

Increase the capacity of existing systems.

B.

Upgrade hardware to newer technology.

C.

Hire temporary contract workers for the IT function.

D.

Build a virtual environment.

Full Access
Question # 216

Which audit approach is MOST helpful in optimizing the use of IS audit resources?

A.

Agile auditing

B.

Continuous auditing

C.

Outsourced auditing

D.

Risk-based auditing

Full Access
Question # 217

Which of the following is the MOST effective control for protecting the confidentiality and integrity of data stored unencrypted on virtual machines?

A.

Monitor access to stored images and snapshots of virtual machines.

B.

Restrict access to images and snapshots of virtual machines.

C.

Limit creation of virtual machine images and snapshots.

D.

Review logical access controls on virtual machines regularly.

Full Access
Question # 218

Coding standards provide which of the following?

A.

Program documentation

B.

Access control tables

C.

Data flow diagrams

D.

Field naming conventions

Full Access
Question # 219

Which of the following is the BEST detective control for a job scheduling process involving data transmission?

A.

Metrics denoting the volume of monthly job failures are reported and reviewed by senior management.

B.

Jobs are scheduled to be completed daily and data is transmitted using a Secure File Transfer Protocol (SFTP).

C.

Jobs are scheduled and a log of this activity is retained for subsequent review.

D.

Job failure alerts are automatically generated and routed to support personnel.

Full Access
Question # 220

An IS auditor is following up on prior period items and finds management did not address an audit finding. Which of the following should be the IS auditor's NEXT course of action?

A.

Note the exception in a new report as the item was not addressed by management.

B.

Recommend alternative solutions to address the repeat finding.

C.

Conduct a risk assessment of the repeat finding.

D.

Interview management to determine why the finding was not addressed.

Full Access
Question # 221

Which of the following is an executive management concern that could be addressed by the implementation of a security metrics dashboard?

A.

Effectiveness of the security program

B.

Security incidents vs. industry benchmarks

C.

Total number of hours budgeted to security

D.

Total number of false positives

Full Access
Question # 222

Which of the following is the BEST control to prevent the transfer of files to external parties through instant messaging (IM) applications?

A.

File level encryption

B.

File Transfer Protocol (FTP)

C.

Instant messaging policy

D.

Application-level firewalls

Full Access
Question # 223

A system development project is experiencing delays due to ongoing staff shortages. Which of the following strategies would provide the GREATEST assurance of system quality at implementation?

A.

Implement overtime pay and bonuses for all development staff.

B.

Utilize new system development tools to improve productivity.

C.

Recruit IS staff to expedite system development.

D.

Deliver only the core functionality on the initial target date.

Full Access
Question # 224

Which of the following is MOST important for an IS auditor to review when evaluating the accuracy of a spreadsheet that contains several macros?

A.

Encryption of the spreadsheet

B.

Version history

C.

Formulas within macros

D.

Reconciliation of key calculations

Full Access
Question # 225

Which of the following will be the MOST effective method to verify that a service vendor keeps control levels as required by the client?

A.

Conduct periodic on-site assessments using agreed-upon criteria.

B.

Periodically review the service level agreement (SLA) with the vendor.

C.

Conduct an unannounced vulnerability assessment of vendor's IT systems.

D.

Obtain evidence of the vendor's control self-assessment (CSA).

Full Access
Question # 226

When determining whether a project in the design phase will meet organizational objectives, what is BEST to compare against the business case?

A.

Implementation plan

B.

Project budget provisions

C.

Requirements analysis

D.

Project plan

Full Access
Question # 227

An IS auditor notes the transaction processing times in an order processing system have significantly increased after a major release. Which of the following should the IS auditor review FIRST?

A.

Capacity management plan

B.

Training plans

C.

Database conversion results

D.

Stress testing results

Full Access
Question # 228

Which of the following is a social engineering attack method?

A.

An unauthorized person attempts to gam access to secure premises by following an authonzed person through a secure door.

B.

An employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone.

C.

A hacker walks around an office building using scanning tools to search for a wireless network to gain access.

D.

An intruder eavesdrops and collects sensitive information flowing through the network and sells it to third parties.

Full Access
Question # 229

Which of the following is the GREATEST concern associated with a high number of IT policy exceptions approved by management?

A.

The exceptions are likely to continue indefinitely.

B.

The exceptions may result in noncompliance.

C.

The exceptions may elevate the level of operational risk.

D.

The exceptions may negatively impact process efficiency.

Full Access
Question # 230

Which of the following BEST indicates the effectiveness of an organization's risk management program?

A.

Inherent risk is eliminated.

B.

Residual risk is minimized.

C.

Control risk is minimized.

D.

Overall risk is quantified.

Full Access
Question # 231

What should be the PRIMARY basis for selecting which IS audits to perform in the coming year?

A.

Senior management's request

B.

Prior year's audit findings

C.

Organizational risk assessment

D.

Previous audit coverage and scope

Full Access
Question # 232

During an incident management audit, an IS auditor finds that several similar incidents were logged during the audit period. Which of the following is the auditor's MOST important course of action?

A.

Document the finding and present it to management.

B.

Determine if a root cause analysis was conducted.

C.

Confirm the resolution time of the incidents.

D.

Validate whether all incidents have been actioned.

Full Access
Question # 233

An IS auditor has been asked to assess the security of a recently migrated database system that contains personal and financial data for a bank's customers. Which of the following controls is MOST important for the auditor to confirm is in place?

A.

The default configurations have been changed.

B.

All tables in the database are normalized.

C.

The service port used by the database server has been changed.

D.

The default administration account is used after changing the account password.

Full Access
Question # 234

An IT balanced scorecard is the MOST effective means of monitoring:

A.

governance of enterprise IT.

B.

control effectiveness.

C.

return on investment (ROI).

D.

change management effectiveness.

Full Access
Question # 235

Which of the following should be the MOST important consideration when conducting a review of IT portfolio management?

A.

Assignment of responsibility for each project to an IT team member

B.

Adherence to best practice and industry approved methodologies

C.

Controls to minimize risk and maximize value for the IT portfolio

D.

Frequency of meetings where the business discusses the IT portfolio

Full Access
Question # 236

During an external review, an IS auditor observes an inconsistent approach in classifying system criticality within the organization. Which of the following should be recommended as the PRIMARY factor to determine system criticality?

A.

Key performance indicators (KPIs)

B.

Maximum allowable downtime (MAD)

C.

Recovery point objective (RPO)

D.

Mean time to restore (MTTR)

Full Access
Question # 237

An IS auditor who was instrumental in designing an application is called upon to review the application. The auditor should:

A.

refuse the assignment to avoid conflict of interest.

B.

use the knowledge of the application to carry out the audit.

C.

inform audit management of the earlier involvement.

D.

modify the scope of the audit.

Full Access
Question # 238

Which of the following is the PRIMARY advantage of parallel processing for a new system implementation?

A.

Assurance that the new system meets functional requirements

B.

More time for users to complete training for the new system

C.

Significant cost savings over other system implemental or approaches

D.

Assurance that the new system meets performance requirements

Full Access
Question # 239

Which of the following is the BEST compensating control when segregation of duties is lacking in a small IS department?

A.

Background checks

B.

User awareness training

C.

Transaction log review

D.

Mandatory holidays

Full Access
Question # 240

An organization has recently acquired and implemented intelligent-agent software for granting loans to customers. During the post-implementation review, which of the following is the MOST important procedure for the IS auditor to perform?

A.

Review system and error logs to verify transaction accuracy.

B.

Review input and output control reports to verify the accuracy of the system decisions.

C.

Review signed approvals to ensure responsibilities for decisions of the system are well defined.

D.

Review system documentation to ensure completeness.

Full Access
Question # 241

While executing follow-up activities, an IS auditor is concerned that management has implemented corrective actions that are different from those originally discussed and agreed with the audit function. In order to resolve the situation, the IS auditor's BEST course of action would be to:

A.

re-prioritize the original issue as high risk and escalate to senior management.

B.

schedule a follow-up audit in the next audit cycle.

C.

postpone follow-up activities and escalate the alternative controls to senior audit management.

D.

determine whether the alternative controls sufficiently mitigate the risk.

Full Access
Question # 242

Prior to a follow-up engagement, an IS auditor learns that management has decided to accept a level of residual risk related to an audit finding without remediation. The IS auditor is concerned about management's decision. Which of the following should be the IS auditor's NEXT course of action?

A.

Accept management's decision and continue the follow-up.

B.

Report the issue to IS audit management.

C.

Report the disagreement to the board.

D.

Present the issue to executive management.

Full Access
Question # 243

Which of the following is the BEST justification for deferring remediation testing until the next audit?

A.

The auditor who conducted the audit and agreed with the timeline has left the organization.

B.

Management's planned actions are sufficient given the relative importance of the observations.

C.

Auditee management has accepted all observations reported by the auditor.

D.

The audit environment has changed significantly.

Full Access
Question # 244

An IS auditor wants to determine who has oversight of staff performing a specific task and is referencing the organization's RACI chart. Which of the following roles within the chart would provide this information?

A.

Consulted

B.

Informed

C.

Responsible

D.

Accountable

Full Access
Question # 245

Which of the following demonstrates the use of data analytics for a loan origination process?

A.

Evaluating whether loan records are included in the batch file and are validated by the servicing system

B.

Comparing a population of loans input in the origination system to loans booked on the servicing system

C.

Validating whether reconciliations between the two systems are performed and discrepancies are investigated

D.

Reviewing error handling controls to notify appropriate personnel in the event of a transmission failure

Full Access
Question # 246

Which of the following is the BEST way to determine whether a test of a disaster recovery plan (DRP) was successful?

A.

Analyze whether predetermined test objectives were met.

B.

Perform testing at the backup data center.

C.

Evaluate participation by key personnel.

D.

Test offsite backup files.

Full Access
Question # 247

Which of the following would be to MOST concern when determine if information assets are adequately safequately safeguarded during transport and disposal?

A.

Lack of appropriate labelling

B.

Lack of recent awareness training.

C.

Lack of password protection

D.

Lack of appropriate data classification

Full Access
Question # 248

Which of the following is MOST important to include in forensic data collection and preservation procedures?

A.

Assuring the physical security of devices

B.

Preserving data integrity

C.

Maintaining chain of custody

D.

Determining tools to be used

Full Access
Question # 249

An organization's enterprise architecture (EA) department decides to change a legacy system's components while maintaining its original functionality. Which of the following is MOST important for an IS auditor to understand when reviewing this decision?

A.

The current business capabilities delivered by the legacy system

B.

The proposed network topology to be used by the redesigned system

C.

The data flows between the components to be used by the redesigned system

D.

The database entity relationships within the legacy system

Full Access
Question # 250

The PRIMARY benefit lo using a dry-pipe fire-suppression system rather than a wet-pipe system is that a dry-pipe system:

A.

is more effective at suppressing flames.

B.

allows more time to abort release of the suppressant.

C.

has a decreased risk of leakage.

D.

disperses dry chemical suppressants exclusively.

Full Access
Question # 251

Due to limited storage capacity, an organization has decided to reduce the actual retention period for media containing completed low-value transactions. Which of the following is MOST important for the organization to ensure?

A.

The policy includes a strong risk-based approach.

B.

The retention period allows for review during the year-end audit.

C.

The total transaction amount has no impact on financial reporting.

D.

The retention period complies with data owner responsibilities.

Full Access
Question # 252

During a new system implementation, an IS auditor has been assigned to review risk management at each milestone. The auditor finds that several risks to project benefits have not been addressed. Who should be accountable for managing these risks?

A.

Enterprise risk manager

B.

Project sponsor

C.

Information security officer

D.

Project manager

Full Access
Question # 253

Which of the following is MOST useful for determining whether the goals of IT are aligned with the organization's goals?

A.

Balanced scorecard

B.

Enterprise dashboard

C.

Enterprise architecture (EA)

D.

Key performance indicators (KPIs)

Full Access
Question # 254

Which of the following should be an IS auditor's GREATEST consideration when scheduling follow-up activities for agreed-upon management responses to remediate audit observations?

A.

Business interruption due to remediation

B.

IT budgeting constraints

C.

Availability of responsible IT personnel

D.

Risk rating of original findings

Full Access
Question # 255

What is MOST important to verify during an external assessment of network vulnerability?

A.

Update of security information event management (SIEM) rules

B.

Regular review of the network security policy

C.

Completeness of network asset inventory

D.

Location of intrusion detection systems (IDS)

Full Access
Question # 256

Which of the following is MOST important for an IS auditor to examine when reviewing an organization's privacy policy?

A.

Whether there is explicit permission from regulators to collect personal data

B.

The organization's legitimate purpose for collecting personal data

C.

Whether sharing of personal information with third-party service providers is prohibited

D.

The encryption mechanism selected by the organization for protecting personal data

Full Access
Question # 257

An organization's software developers need access to personally identifiable information (Pll) stored in a particular data format. Which of the following is the BEST way to protect this sensitive information while allowing the developers to use it in development and test environments?

A.

Data masking

B.

Data tokenization

C.

Data encryption

D.

Data abstraction

Full Access
Question # 258

Which of the following is the MOST effective way for an organization to project against data loss?

A.

Limit employee internet access.

B.

Implement data classification procedures.

C.

Review firewall logs for anomalies.

D.

Conduct periodic security awareness training.

Full Access
Question # 259

Which of the following is the MOST important prerequisite for the protection of physical information assets in a data center?

A.

Segregation of duties between staff ordering and staff receiving information assets

B.

Complete and accurate list of information assets that have been deployed

C.

Availability and testing of onsite backup generators

D.

Knowledge of the IT staff regarding data protection requirements

Full Access
Question # 260

An IS auditor discovers that validation controls m a web application have been moved from the server side into the browser to boost performance This would MOST likely increase the risk of a successful attack by.

A.

phishing.

B.

denial of service (DoS)

C.

structured query language (SQL) injection

D.

buffer overflow

Full Access
Question # 261

The PRIMARY advantage of object-oriented technology is enhanced:

A.

efficiency due to the re-use of elements of logic.

B.

management of sequential program execution for data access.

C.

grouping of objects into methods for data access.

D.

management of a restricted variety of data types for a data object.

Full Access
Question # 262

During a review of a production schedule, an IS auditor observes that a staff member is not complying with mandatory operational procedures. The auditor's NEXT step should be to:

A.

note the noncompliance in the audit working papers.

B.

issue an audit memorandum identifying the noncompliance.

C.

include the noncompliance in the audit report.

D.

determine why the procedures were not followed.

Full Access
Question # 263

In a small IT web development company where developers must have write access to production, the BEST recommendation of an IS auditor would be to:

A.

hire another person to perform migration to production.

B.

implement continuous monitoring controls.

C.

remove production access from the developers.

D.

perform a user access review for the development team

Full Access
Question # 264

An organization plans to receive an automated data feed into its enterprise data warehouse from a third-party service provider. Which of the following would be the BEST way to prevent accepting bad data?

A.

Obtain error codes indicating failed data feeds.

B.

Appoint data quality champions across the organization.

C.

Purchase data cleansing tools from a reputable vendor.

D.

Implement business rules to reject invalid data.

Full Access
Question # 265

Which of the following BEST minimizes performance degradation of servers used to authenticate users of an e-commerce website?

A.

Configure a single server as a primary authentication server and a second server as a secondary authentication server.

B.

Configure each authentication server as belonging to a cluster of authentication servers.

C.

Configure each authentication server and ensure that each disk of its RAID is attached to the primary controller.

D.

Configure each authentication server and ensure that the disks of each server form part of a duplex.

Full Access
Question # 266

When implementing Internet Protocol security (IPsec) architecture, the servers involved in application delivery:

A.

communicate via Transport Layer Security (TLS),

B.

block authorized users from unauthorized activities.

C.

channel access only through the public-facing firewall.

D.

channel access through authentication.

Full Access
Question # 267

An IS auditor is conducting a post-implementation review of an enterprise resource planning (ERP) system. End users indicated concerns with the accuracy of critical automatic calculations made by the system. The auditor's FIRST course of action should be to:

A.

review recent changes to the system.

B.

verify completeness of user acceptance testing (UAT).

C.

verify results to determine validity of user concerns.

D.

review initial business requirements.

Full Access
Question # 268

Which of the following BEST guards against the risk of attack by hackers?

A.

Tunneling

B.

Encryption

C.

Message validation

D.

Firewalls

Full Access
Question # 269

Which of the following strategies BEST optimizes data storage without compromising data retention practices?

A.

Limiting the size of file attachments being sent via email

B.

Automatically deleting emails older than one year

C.

Moving emails to a virtual email vault after 30 days

D.

Allowing employees to store large emails on flash drives

Full Access
Question # 270

Which of the following is the MOST important reason to implement version control for an end-user computing (EUC) application?

A.

To ensure that older versions are availability for reference

B.

To ensure that only the latest approved version of the application is used

C.

To ensure compatibility different versions of the application

D.

To ensure that only authorized users can access the application

Full Access
Question # 271

During a follow-up audit, an IS auditor learns that some key management personnel have been replaced since the original audit, and current management has decided not to implement some previously accepted recommendations. What is the auditor's BEST course of action?

A.

Notify the chair of the audit committee.

B.

Notify the audit manager.

C.

Retest the control.

D.

Close the audit finding.

Full Access
Question # 272

An incorrect version of the source code was amended by a development team. This MOST likely indicates a weakness in:

A.

incident management.

B.

quality assurance (QA).

C.

change management.

D.

project management.

Full Access
Question # 273

Which of the following would MOST likely impair the independence of the IS auditor when performing a post-implementation review of an application system?

A.

The IS auditor provided consulting advice concerning application system best practices.

B.

The IS auditor participated as a member of the application system project team, but did not have operational responsibilities.

C.

The IS auditor designed an embedded audit module exclusively for auditing the application system.

D.

The IS auditor implemented a specific control during the development of the application system.

Full Access
Question # 274

Which of the following fire suppression systems needs to be combined with an automatic switch to shut down the electricity supply in the event of activation?

A.

Carbon dioxide

B.

FM-200

C.

Dry pipe

D.

Halon

Full Access
Question # 275

Which of the following is the PRIMARY concern when negotiating a contract for a hot site?

A.

Availability of the site in the event of multiple disaster declarations

B.

Coordination with the site staff in the event of multiple disaster declarations

C.

Reciprocal agreements with other organizations

D.

Complete testing of the recovery plan

Full Access
Question # 276

What is the BEST control to address SQL injection vulnerabilities?

A.

Unicode translation

B.

Secure Sockets Layer (SSL) encryption

C.

Input validation

D.

Digital signatures

Full Access
Question # 277

Which of the following is the PRIMARY reason for an IS auditor to conduct post-implementation reviews?

A.

To determine whether project objectives in the business case have been achieved

B.

To ensure key stakeholder sign-off has been obtained

C.

To align project objectives with business needs

D.

To document lessons learned to improve future project delivery

Full Access
Question # 278

During a disaster recovery audit, an IS auditor finds that a business impact analysis (BIA) has not been performed. The auditor should FIRST

A.

perform a business impact analysis (BIA).

B.

issue an intermediate report to management.

C.

evaluate the impact on current disaster recovery capability.

D.

conduct additional compliance testing.

Full Access