Pre-Summer Sale Special - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: mxmas70

Home > Isaca > Isaca Certification > CISA

CISA Certified Information Systems Auditor Question and Answers

Question # 4

Which of the following BEST demonstrates to senior management and the board that an audit function is compliant with standards and the code of ethics?

A.

Audit staff interviews

B.

Quality control reviews

C.

Control self-assessments (CSAs)

D.

Corrective action plans

Full Access
Question # 5

Which of the following should be an IS auditor ' s GREATEST consideration when scheduling follow-up activities for agreed-upon management responses to remediate audit observations?

A.

Business interruption due to remediation

B.

IT budgeting constraints

C.

Availability of responsible IT personnel

D.

Risk rating of original findings

Full Access
Question # 6

During the implementation of an upgraded enterprise resource planning (ERP) system, which of the following is the MOST important consideration for a go-live decision?

A.

Rollback strategy

B.

Test cases

C.

Post-implementation review objectives

D.

Business case

Full Access
Question # 7

An IS auditor is asked to provide feedback on the systems options analysis for a new project. The BEST course of action for the IS auditor would be to:

A.

Identify the best alternative.

B.

Retain comments as findings for the audit report.

C.

Comment on the criteria used to assess the alternatives.

D.

Request at least one other alternative.

Full Access
Question # 8

During an organization ' s implementation of a data loss prevention (DLP) solution, which of the following activities should be completed FIRST?

A.

Configuring reports

B.

Configuring rule sets

C.

Enabling detection points

D.

Establishing exceptions workflow

Full Access
Question # 9

When reviewing a project to replace multiple manual data entry systems with an artificial intelligence (Al) system, the IS auditor should be MOST concerned with the impact Al will have on

A.

employee retention

B.

enterprise architecture (EA)

C.

future task updates

D.

task capacity output

Full Access
Question # 10

The use of which of the following would BEST enhance a process improvement program?

A.

Model-based design notations

B.

Balanced scorecard

C.

Capability maturity models

D.

Project management methodologies

Full Access
Question # 11

Which of the following provides the GREATEST assurance that a middleware application compiling data from multiple sales transaction databases for forecasting is operating effectively?

A.

Continuous auditing

B.

Manual checks

C.

Exception reporting

D.

Automated reconciliations

Full Access
Question # 12

An IS auditor is reviewing the disaster recovery plan (DRP) of an organization with offices across multiple regions. Which of the following should be the auditor ' s PRIMARY focus?

A.

Recovery point objective (RPO) monitoring

B.

Processes and system dependencies

C.

Disaster recovery training

D.

Data backup and storage changes

Full Access
Question # 13

Which of the following is the BEST data integrity check?

A.

Counting the transactions processed per day

B.

Performing a sequence check

C.

Tracing data back to the point of origin

D.

Preparing and running test data

Full Access
Question # 14

Which of the following is the MOST important consideration for patching mission critical business application servers against known vulnerabilities?

A.

Patches are implemented in a test environment prior to rollout into production.

B.

Network vulnerability scans are conducted after patches are implemented.

C.

Vulnerability assessments are periodically conducted according to defined schedules.

D.

Roles and responsibilities for implementing patches are defined

Full Access
Question # 15

Some control activities have been found to be only partially compliant with the design of the control. Which of the following is an IS auditor’s PRIMARY course of action?

A.

Recommend redesigning control activities to ensure acceptance by users.

B.

Evaluate the impact of the partial compliance.

C.

Discuss partial compliance with control owners.

D.

Include each instance of partial compliance as a finding in the final audit report.

Full Access
Question # 16

Which of the following is the MOST effective way for an IS auditor to ensure information is preserved when conducting a forensic investigation?

A.

Harden computer hardware and software.

B.

Image residual data and deleted files.

C.

Encode system logs and intrusion detection system (IDS) logs.

D.

Document all application programming interface (API) connections with third parties.

Full Access
Question # 17

An organization is permanently transitioning from onsite to fully remote business operations. When should the existing business impact analysis (BIA) be reviewed?

A.

During the next scheduled review

B.

At least one year after the transition

C.

As soon as the decision about the transition is announced

D.

As soon as the new operating model is in place

Full Access
Question # 18

A senior IS auditor suspects that a PC may have been used to perpetrate fraud in a finance department. The auditor should FIRST report this suspicion to:

A.

audit management.

B.

the police.

C.

the audit committee.

D.

auditee line management.

Full Access
Question # 19

Which of the following is MOST important to determine during the planning phase of a cloud-based messaging and collaboration platform acquisition?

A.

Role-based access control policies

B.

Types of data that can be uploaded to the platform

C.

Processes for on-boarding and off-boarding users to the platform

D.

Processes for reviewing administrator activity

Full Access
Question # 20

Which of the following is the GREATEST benefit of adopting an international IT governance framework rather than establishing a new framework based on the actual situation of a specific organization1?

A.

Readily available resources such as domains and risk and control methodologies

B.

Comprehensive coverage of fundamental and critical risk and control areas for IT governance

C.

Fewer resources expended on trial-and-error attempts to fine-tune implementation methodologies

D.

Wide acceptance by different business and support units with IT governance objectives

Full Access
Question # 21

When auditing the alignment of IT to the business strategy, it is MOST Important for the IS auditor to:

A.

compare the organization ' s strategic plan against industry best practice.

B.

interview senior managers for their opinion of the IT function.

C.

ensure an IT steering committee is appointed to monitor new IT projects.

D.

evaluate deliverables of new IT initiatives against planned business services.

Full Access
Question # 22

Which of the following is the MOST efficient way to identify segregation of duties violations in a new system?

A.

Review a report of security rights in the system.

B.

Observe the performance of business processes.

C.

Develop a process to identify authorization conflicts.

D.

Examine recent system access rights violations.

Full Access
Question # 23

Which of the following performance management tools BEST helps an IS auditor evaluate the success of an organization’s IT strategy implementation and execution?

A.

IT benchmarking

B.

Capability maturity model

C.

Six Sigma

D.

IT metrics dashboard

Full Access
Question # 24

Which of the following is a corrective control?

A.

Separating equipment development testing and production

B.

Verifying duplicate calculations in data processing

C.

Reviewing user access rights for segregation

D.

Executing emergency response plans

Full Access
Question # 25

Which of the following is the BEST control to mitigate the malware risk associated with an instant messaging (IM) system?

A.

Blocking attachments in IM

B.

Blocking external IM traffic

C.

Allowing only corporate IM solutions

D.

Encrypting IM traffic

Full Access
Question # 26

At the end of each business day, a business-critical application generates a report of financial transac-tions greater than a certain value, and an employee

then checks these transactions for errors. What type of control is in place?

A.

Detective

B.

Preventive

C.

Corrective

D.

Deterrent

Full Access
Question # 27

An IS audit manager is preparing the staffing plan for an audit engagement of a cloud service provider. What should be the manager ' s PRIMARY concern when being made aware that a new

auditor in the department previously worked for this provider?

A.

Independence

B.

Professional conduct

C.

Subject matter expertise

D.

Resource availability

Full Access
Question # 28

Which of the following is the BEST way to detect unauthorized copies of licensed software on systems?

A.

Implement controls to prohibit downloads of unauthorized software.

B.

Conduct periodic software scanning.

C.

Perform periodic counting of licenses.

D.

Require senior management approval when installing licenses.

Full Access
Question # 29

A review of Internet security disclosed that users have individual user accounts with Internet service providers (ISPs) and use these accounts for downloading business data. The organization wants to ensure that only the corporate network is used. The organization should FIRST:

A.

use a proxy server to filter out Internet sites that should not be accessed.

B.

keep a manual log of Internet access.

C.

monitor remote access activities.

D.

include a statement in its security policy about Internet use.

Full Access
Question # 30

Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system. Which of the following is the IS auditor ' s BEST recommendation for a compensating control?

A.

Require written authorization for all payment transactions

B.

Restrict payment authorization to senior staff members.

C.

Reconcile payment transactions with invoices.

D.

Review payment transaction history

Full Access
Question # 31

An IS auditor wants to inspect recent events in a system to observe failed authentications and password changes. Which of the following is the MOST appropriate method to use for this purpose?

A.

Penetration testing

B.

Authenticated scanning

C.

Change management records

D.

System log review

Full Access
Question # 32

When information processing has been outsourced to another organization, an IS auditor reviewing the contract should expect it to specify:

A.

Backup and recovery processes.

B.

Audit objectives.

C.

Compliance with legal requirements.

D.

Security administration processes.

Full Access
Question # 33

An IT balanced scorecard is the MOST effective means of monitoring:

A.

governance of enterprise IT.

B.

control effectiveness.

C.

return on investment (ROI).

D.

change management effectiveness.

Full Access
Question # 34

A PRIMARY objective of risk management is to keep the total cost of risks below the:

A.

amount of losses that would materially damage the firm.

B.

average cost of physical security measures.

C.

administrative cost of risk management.

D.

estimated amount of losses included in the firm ' s budget

Full Access
Question # 35

Which of the following is the PRIMARY reason that asset classification is vital to an information security program?

A.

To ensure the appropriate level of protection to assets

B.

To ensure asset protection efforts are in line with industry standards

C.

To ensure risk mitigation efforts are adequate

D.

To ensure sufficient resources are allocated for information security

Full Access
Question # 36

What is the MOST effective way to detect installation of unauthorized software packages by employees?

A.

Regular scanning of hard drives

B.

Communicating the policy to employees

C.

Logging of activity on the network

D.

Maintaining current antivirus software

Full Access
Question # 37

Which of the following MOST effectively reduces the risk of emails containing personally identifiable information (PII) being sent to unauthorized recipients?

A.

Multi-factor authentication (MFA)

B.

Intrusion detection system (IDS)

C.

Email audit trails

D.

Regular security awareness training

Full Access
Question # 38

During a project audit, an IS auditor notes that project reporting does not accurately reflect current progress. Which of the following is the GREATEST resulting impact?

A.

The project manager will have to be replaced.

B.

The project reporting to the board of directors will be incomplete.

C.

The project steering committee cannot provide effective governance.

D.

The project will not withstand a quality assurance (QA) review.

Full Access
Question # 39

An IS auditor should look for which of the following to ensure the risk associated with scope creep has been mitigated during software development?

A.

Source code version control

B.

Project change management controls

C.

Existence of an architecture review board

D.

Configuration management

Full Access
Question # 40

Which of the following approaches BEST enables an IS auditor to detect security vulnerabilities within an application?

A.

Threat modeling

B.

Concept mapping

C.

Prototyping

D.

Threat intelligence

Full Access
Question # 41

An IS audit manager is reviewing workpapers for a recently completed audit of the corporate disaster recovery test. Which of the following should the IS audit manager specifically review to substantiate the conclusions?

A.

Overviews of interviews between data center personnel and the auditor

B.

Prior audit reports involving other corporate disaster recovery audits

C.

Summary memos reflecting audit opinions regarding noted weaknesses

D.

Detailed evidence of the successes and weaknesses of all contingency testing

Full Access
Question # 42

Which of the following would BEST enable an organization to address the security risks associated with a recently implemented bring your own device (BYOD) strategy?

A.

Mobile device tracking program

B.

Mobile device upgrade program

C.

Mobile device testing program

D.

Mobile device awareness program

Full Access
Question # 43

Which of the following is the MOST significant risk that IS auditors are required to consider for each engagement?

A.

Process and resource inefficiencies

B.

Irregularities and illegal acts

C.

Noncompliance with organizational policies

D.

Misalignment with business objectives

Full Access
Question # 44

An organization ' s information security policies should be developed PRIMARILY on the basis of:

A.

enterprise architecture (EA).

B.

industry best practices.

C.

a risk management process.

D.

past information security incidents.

Full Access
Question # 45

Which of the following BEST indicates that the effectiveness of an organization ' s security awareness program has improved?

A.

A decrease in the number of information security audit findings

B.

An increase in the number of staff who complete awareness training

C.

An increase in the number of phishing emails reported by employees

D.

A decrease in the number of malware outbreaks

Full Access
Question # 46

An IS auditor performs a follow-up audit and learns the approach taken by the auditee to fix the findings differs from the agreed-upon approach confirmed during the last audit. Which of the following should be the auditor ' s NEXT course of action?

A.

Evaluate the appropriateness of the remedial action taken.

B.

Conduct a risk analysis incorporating the change.

C.

Report results of the follow-up to the audit committee.

D.

Inform senior management of the change in approach.

Full Access
Question # 47

Which of the following occurs during the issues management process for a system development project?

A.

Contingency planning

B.

Configuration management

C.

Help desk management

D.

Impact assessment

Full Access
Question # 48

Which of the following findings from a database security audit presents the GREATEST risk of critical security exposures?

A.

Legacy data has not been purged.

B.

Admin account passwords are not set to expire.

C.

Default settings have not been changed.

D.

Database activity logging is not complete.

Full Access
Question # 49

Which of the following BEST Indicates that an incident management process is effective?

A.

Decreased time for incident resolution

B.

Increased number of incidents reviewed by IT management

C.

Decreased number of calls lo the help desk

D.

Increased number of reported critical incidents

Full Access
Question # 50

Which of the following should be of GREATEST concern to an IS auditor for work-from-anywhere scenarios as compared to work from home or work from office?

A.

Inadequate physical security practices in public places

B.

Susceptibility to targeted phishing attacks

C.

Use of insecurely configured wireless networks

D.

Use of weak passwords and authentication methods

Full Access
Question # 51

The PRIMARY benefit lo using a dry-pipe fire-suppression system rather than a wet-pipe system is that a dry-pipe system:

A.

is more effective at suppressing flames.

B.

allows more time to abort release of the suppressant.

C.

has a decreased risk of leakage.

D.

disperses dry chemical suppressants exclusively.

Full Access
Question # 52

A small business unit is implementing a control self-assessment (CSA) program and leveraging the internal

audit function to test its internal controls annually. Which of the following is the MOST significant benefit of

this approach?

A.

Compliance costs are reduced.

B.

Risks are detected earlier.

C.

Business owners can focus more on their core roles.

D.

Line management is more motivated to avoid control exceptions.

Full Access
Question # 53

Which of the following BEST indicates to an IS auditor that an organization handles emergency changes appropriately and transparently?

A.

The application operations manual contains procedures to ensure emergency fixes do not compromise system integrity.

B.

Special logon IDs are used to grant programmers permanent access to the production environment.

C.

Change management controls are retroactively applied.

D.

Emergency changes are applied to production libraries immediately.

Full Access
Question # 54

An organization ' s strategy to source certain IT functions from a Software as a Service (SaaS) provider should be approved by the:

A.

chief financial officer (CFO).

B.

chief risk officer (CRO).

C.

IT steering committee.

D.

IT operations manager.

Full Access
Question # 55

Which of the following must be in place before an IS auditor initiates audit follow-up activities?

A.

Available resources for the activities included in the action plan

B.

A management response in the final report with a committed implementation date

C.

A heal map with the gaps and recommendations displayed in terms of risk

D.

Supporting evidence for the gaps and recommendations mentioned in the audit report

Full Access
Question # 56

Which of the following is MOST helpful for an IS auditor to review when evaluating an organizations business process that are supported by applications and IT systems?

A.

Configuration management database (CMDB)

B.

Enterprise architecture (EA)

C.

IT portfolio management

D.

IT service management

Full Access
Question # 57

Which of the following responses to risk associated with separation of duties would incur the LOWEST initial cost?

A.

Risk mitigation

B.

Risk acceptance

C.

Risk transference

D.

Risk reduction

Full Access
Question # 58

Which of the following should be of MOST concern to an IS auditor reviewing an organization’s business impact analysis (BIA)?

A.

A risk assessment was not conducted prior to completing the BIA.

B.

System criticality information was only provided by the IT manager.

C.

A questionnaire was used to gather information as opposed to in-person interviews.

D.

The BIA was not signed off by executive management.

Full Access
Question # 59

Which of the following is the MOST important privacy consideration for an organization that uses a cloud service provider to process customer data?

A.

Data privacy must be managed in accordance with the regulations applicable to the organization.

B.

Data privacy must be monitored in accordance with industry standards and best practices.

C.

No personal information may be transferred to the service provider without notifying the customer.

D.

Customer data transferred to the service provider must be reported to the regulatory authority.

Full Access
Question # 60

When assessing whether an organization ' s IT performance measures are comparable to other organizations in the same industry, which of the following would be MOST helpful to review?

A.

IT governance frameworks

B.

Benchmarking surveys

C.

Utilization reports

D.

Balanced scorecard

Full Access
Question # 61

Which of the following observations regarding change management should be considered the MOST serious risk by an IS auditor?

A.

There is no software used to track change management.

B.

The change is not approved by the business owners.

C.

The change is deployed two weeks after approval.

D.

The development of the change is not cost-effective.

Full Access
Question # 62

An IS auditor has completed the fieldwork phase of a network security review and is preparing the initial following findings should be ranked as the HIGHEST risk?

A.

Network penetration tests are not performed

B.

The network firewall policy has not been approved by the information security officer.

C.

Network firewall rules have not been documented.

D.

The network device inventory is incomplete.

Full Access
Question # 63

Which of the following is the PRIMARY role of the IT steering committee?

A.

Granting authorization for periodic IT audits

B.

Periodically reporting to business units about IT performance

C.

Facilitating collaboration between business and IT

D.

Ensuring business units are supporting IT objectives

Full Access
Question # 64

Which of the following conditions would be of MOST concern to an IS auditor assessing the risk of a successful brute force attack against encrypted data at test?

A.

Short key length

B.

Random key generation

C.

Use of symmetric encryption

D.

Use of asymmetric encryption

Full Access
Question # 65

Which of the following is the BEST recommendation to include in an organization ' s bring your own device (BYOD)

policy to help prevent data leakage?

A.

Require employees to waive privacy rights related to data on BYOD devices.

B.

Require multi-factor authentication on BYOD devices,

C.

Specify employee responsibilities for reporting lost or stolen BYOD devices.

D.

Allow only registered BYOD devices to access the network.

Full Access
Question # 66

Which of the following would be the GREATEST concern during a financial statement audit?

A.

A backup has not been identified for key approvers.

B.

System capacity has not been tested.

C.

The procedures for generating key reports have not been approved.

D.

The financial management system is cloud based.

Full Access
Question # 67

An IS auditor has traced the source of a transaction fraud to the desktop system of an e-business staff member who is on leave. Which of the following is the BEST way for the auditor to ensure the success of the investigation?

A.

Create an image of the attacked system and dump the memory to a file for review.

B.

Immediately seal off the attacked system and block all access until after the investigation.

C.

Reboot the attacked system and promptly review log files and file timestamps.

D.

Interview the business staff and ask them to provide details of recent system activities.

Full Access
Question # 68

Which of the following technologies BEST assists in protection of digital evidence as part of forensic investigation acquisition?

A.

Hardware-based media write blocker

B.

Data encryption

C.

Differential backups

D.

Source media sanitization

Full Access
Question # 69

Which of the following should be of GREATEST concern to an IS auditor when auditing an organization ' s IT strategy development process?

A.

The IT strategy was developed before the business plan

B.

A business impact analysis (BIA) was not performed to support the IT strategy

C.

The IT strategy was developed based on the current IT capability

D.

Information security was not included as a key objective m the IT strategic plan.

Full Access
Question # 70

What should an IS auditor evaluate FIRST when reviewing an organization ' s response to new privacy legislation?

A.

Implementation plan for restricting the collection of personal information

B.

Privacy legislation in other countries that may contain similar requirements

C.

Operational plan for achieving compliance with the legislation

D.

Analysis of systems that contain privacy components

Full Access
Question # 71

Which of the following types of environmental equipment will MOST likely be deployed below the floor tiles of a data center?

A.

Temperature sensors

B.

Humidity sensors

C.

Water sensors

D.

Air pressure sensors

Full Access
Question # 72

An organization ' s IT risk assessment should include the identification of:

A.

vulnerabilities

B.

compensating controls

C.

business needs

D.

business process owners

Full Access
Question # 73

Which of the following will MOST likely compromise the control provided By a digital signature created using RSA encryption?

A.

Reversing the hash function using the digest

B.

Altering the plaintext message

C.

Deciphering the receiver ' s public key

D.

Obtaining the sender ' s private key

Full Access
Question # 74

Which of the following is the MOST effective accuracy control for entry of a valid numeric part number?

A.

Hash totals

B.

Online review of description

C.

Comparison to historical order pattern

D.

Self-checking digit

Full Access
Question # 75

Which of the following MOST effectively enables consistency across high-volume software changes ' ?

A.

The use of continuous integration and deployment pipelines

B.

Management reviews of detailed exception reports for released code

C.

Publication of a refreshed policy on development and release management

D.

An ongoing awareness campaign for software deployment best practices

Full Access
Question # 76

Which of the following should be given GREATEST consideration when implementing the use of an open-source product?

A.

Support

B.

Performance

C.

Confidentiality

D.

Usability

Full Access
Question # 77

An IS auditor learns that an organization ' s business continuity plan (BCP) has not been updated in the last 18 months and that the organization recently closed a production plant. Which of the following is the auditor ' s BEST course of action?

A.

Determine whether the business impact analysis (BIA) is current with the organization ' s structure and context.

B.

Determine the types of technologies used at the plant and how they may affect the BCP.

C.

Perform testing to determine the impact to the recovery time objective (R TO).

D.

Assess the risk to operations from the closing of the plant.

Full Access
Question # 78

An IS auditor has validated that an organization ' s IT department runs several low-priority automated tasks Which of the following is the BEST recommendation for an automated job schedule?

A.

Low-priority jobs should be avoided.

B.

Low-priority jobs should include the major functions.

C.

Low-priority jobs should be provided with optimal resources.

D.

Low-priority jobs should be scheduled subject to resource availability.

Full Access
Question # 79

Which of the following is the PRIMARY purpose of enterprise architecture (EA) within an organization?

A.

To structure IT projects to achieve desired business results.

B.

To design and implement individual IT systems.

C.

To design and manage day-to-day IT operations.

D.

To oversee network security protocols.

Full Access
Question # 80

An organization ' s IT department and internal IS audit function all report to the chief information officer (CIO). Which of the following is the GREATEST concern associated with this reporting structure?

A.

Potential for inaccurate audit findings

B.

Compromise of IS audit independence

C.

IS audit resources being shared with other IT functions

D.

IS audit being isolated from other audit functions

Full Access
Question # 81

During an internal audit of project governance, which of the following is the MOST important to review to verify that IT investments align with organizational objectives?

A.

Project risk register.

B.

Project steering committee charter.

C.

Business case.

D.

Return on investment (ROI) forecast.

Full Access
Question # 82

Which of the following would BEST help to ensure that potential security issues are considered by the development team as part of incremental changes to agile-developed software?

A.

Assign the security risk analysis to a specially trained member of the project management office.

B.

Deploy changes in a controlled environment and observe for security defects.

C.

Include a mandatory step to analyze the security impact when making changes.

D.

Mandate that the change analyses are documented in a standard format.

Full Access
Question # 83

The PRIMARY objective of a control self-assessment (CSA) is to:

A.

educate functional areas on risks and controls.

B.

ensure appropriate access controls are implemented.

C.

eliminate the audit risk by leveraging management ' s analysis.

D.

gain assurance for business functions that cannot be audited.

Full Access
Question # 84

Which of the following is the MOST important consideration to facilitate prosecution of a perpetrator after a cybercrime?

A.

An active intrusion detection system (IDS)

B.

Professional collection of unaltered evidence

C.

Reporting to the internal legal department

D.

Immediate law enforcement involvement

Full Access
Question # 85

Which of the following should be the IS auditor ' s PRIMARY focus when evaluating an organizations offsite storage facility?

A.

Adequacy of physical and environmental controls

B.

Results of business continuity plan (BCP) tests

C.

Shared facilities

D.

Retention policy and period

Full Access
Question # 86

An organization plans to centrally decommission end-of-life databases and migrate the data to the latest model of hardware. Which of the following BEST ensures data integrity is preserved during the migration?

A.

Reconciling sample data to most recent backups

B.

Obfuscating confidential data

C.

Encrypting the data

D.

Comparing checksums

Full Access
Question # 87

An organization ' s software developers need access to personally identifiable information (Pll) stored in a particular data format. Which of the following is the BEST way to protect this sensitive information while allowing the developers to use it in development and test environments?

A.

Data masking

B.

Data tokenization

C.

Data encryption

D.

Data abstraction

Full Access
Question # 88

The PRIMARY purpose of an incident response plan is to:

A.

reduce the impact of an adverse event on information assets.

B.

increase the effectiveness of preventive controls.

C.

reduce the maximum tolerable downtime (MTD) of impacted systems.

D.

increase awareness of impacts from adverse events to IT systems.

Full Access
Question # 89

In which phase of the internal audit process is contact established with the individuals responsible for the business processes in scope for review?

A.

Planning phase

B.

Execution phase

C.

Follow-up phase

D.

Selection phase

Full Access
Question # 90

A new system is being developed by a vendor for a consumer service organization. The vendor will provide its proprietary software once system development is completed Which of the following is the MOST important requirement to include In the vendor contract to ensure continuity?

A.

Continuous 24/7 support must be available.

B.

The vendor must have a documented disaster recovery plan (DRP) in place.

C.

Source code for the software must be placed in escrow.

D.

The vendor must train the organization ' s staff to manage the new software

Full Access
Question # 91

Which of the following findings should be of GREATEST concern to an IS auditor assessing the risk associated with end-user computing (EUC) in an organization?

A.

Insufficient processes to track ownership of each EUC application?

B.

Insufficient processes to lest for version control

C.

Lack of awareness training for EUC users

D.

Lack of defined criteria for EUC applications

Full Access
Question # 92

To mitigate the risk of exposing data through application programming interface (API) queries. which of the following design considerations is MOST important?

A.

Data retention

B.

Data minimization

C.

Data quality

D.

Data integrity

Full Access
Question # 93

Which of the following is the MOST important reason for an IS auditor to examine the results of a post-incident review performed after a security incident?

A.

To evaluate the effectiveness of continuous improvement efforts

B.

To compare incident response metrics with industry benchmarks

C.

To re-analyze the incident to identify any hidden backdoors planted by the attacker

D.

To evaluate the effectiveness of the network firewall against future security breaches

Full Access
Question # 94

Which of the following is the PRIMARY objective of cyber resiliency?

A.

To resume normal operations after service disruptions

B.

To prevent potential attacks or disruptions in operations

C.

To efficiently and effectively recover from an incident with limited operational impact

D.

To limit the severity of security breaches and maintain continuous operations

Full Access
Question # 95

An organization has recently implemented a Voice-over IP (VoIP) communication system. Which ot the following should be the IS auditor ' s PRIMARY concern?

A.

A single point of failure for both voice and data communications

B.

Inability to use virtual private networks (VPNs) for internal traffic

C.

Lack of integration of voice and data communications

D.

Voice quality degradation due to packet toss

Full Access
Question # 96

An IS auditor has been asked to provide support to the control self-assessment (CSA) program. Which of the following BEST represents the scope of the auditor’s role in the program?

A.

The auditor should act as a program facilitator.

B.

The auditor should focus on improving process productivity

C.

The auditor should perform detailed audit procedures

D.

The auditor ' s presence replaces the audit responsibilities of other team members.

Full Access
Question # 97

During a routine internal software licensing review, an IS auditor discovers instances where employees shared license keys to critical pieces of business software. Which of the following would be the auditor ' s BEST course of action?

A.

Recommend the utilization of software licensing monitoring tools

B.

Recommend the purchase of additional software license keys

C.

Validate user need for shared software licenses

D.

Verify whether the licensing agreement allows shared use

Full Access
Question # 98

Which of the following would be of GREATEST concern to an IS auditor reviewing the feasibility study for a new application system?

A.

Security requirements have not been defined.

B.

Conditions under which the system will operate are unclear.

C.

The business case does not include well-defined strategic benefits.

D.

System requirements and expectations have not been clarified.

Full Access
Question # 99

Which of the following should be of GREATEST concern to an IS auditor reviewing a terminated employee’s network access?

A.

The user account password is set to never expire.

B.

The last login to the user account was days after the last working date.

C.

The user account password was last changed more than 90 days ago.

D.

There is not a documented approval process to disable user accounts.

Full Access
Question # 100

An IS auditor is reviewing a machine learning model that predicts the likelihood that a user will watch a certain movie. Which of the following would be of GREATEST concern to the auditor?

A.

When the model was tested with data drawn from a different population, the accuracy decreased.

B.

The data set for training the model was obtained from an unreliable source.

C.

An open-source programming language was used to develop the model.

D.

The model was tested with data drawn from the same population as the training data.

Full Access
Question # 101

Which of the following is the GREATEST impact as a result of the ongoing deterioration of a detective control?

A.

Decreased effectiveness of root cause analysis

B.

Decreased overall recovery time

C.

Increased number of false negatives in security logs

D.

Increased demand for storage space for logs

Full Access
Question # 102

Which of the following is the PRIMARY reason to perform a risk assessment?

A.

To determine the current risk profile

B.

To ensure alignment with the business impact analysis (BIA)

C.

To achieve compliance with regulatory requirements

D.

To help allocate budget for risk mitigation controls

Full Access
Question # 103

Which of the following backup methods is MOST appropriate when storage space is limited?

A.

Incremental backups

B.

Mirror backups

C.

Full backups

D.

Annual backups

Full Access
Question # 104

To ensure confidentiality through the use of asymmetric encryption, a message is encrypted with which of the following?

A.

Recipient ' s public key

B.

Sender ' s private key

C.

Sender ' s public key

D.

Recipient ' s private key

Full Access
Question # 105

Which of the following should be the FIRST step in the incident response process for a suspected breach?

A.

Inform potentially affected customers of the security breach

B.

Notify business management of the security breach.

C.

Research the validity of the alerted breach

D.

Engage a third party to independently evaluate the alerted breach.

Full Access
Question # 106

Which of the following should an IS auditor recommend as a PRIMARY area of focus when an organization decides to outsource technical support for its external customers?

A.

Align service level agreements (SLAs) with current needs.

B.

Monitor customer satisfaction with the change.

C.

Minimize costs related to the third-party agreement.

D.

Ensure right to audit is included within the contract.

Full Access
Question # 107

Which of the following is the BEST way to ensure an organization ' s data classification policies are preserved during the process of data transformation?

A.

Map data classification controls to data sets.

B.

Control access to extract, transform, and load (ETL) tools.

C.

Conduct a data discovery exercise across all business applications.

D.

Implement classification labels in metadata during data creation.

Full Access
Question # 108

An IS auditor finds that periodic reviews of read-only users for a reporting system are not being performed. Which of the following should be the IS auditor ' s NEXT course of action?

A.

Review the list of end users and evaluate for authorization.

B.

Report this control process weakness to senior management.

C.

Verify managements approval for this exemption

D.

Obtain a verbal confirmation from IT for this exemption.

Full Access
Question # 109

Which of the following should be of MOST concern to an IS auditor reviewing the public key infrastructure (PKI) for enterprise email?

A.

The certificate revocation list has not been updated.

B.

The PKI policy has not been updated within the last year.

C.

The private key certificate has not been updated.

D.

The certificate practice statement has not been published

Full Access
Question # 110

An IS auditor is reviewing an industrial control system (ICS) that uses older unsupported technology in the scope of an upcoming audit. What should the auditor consider the MOST significant concern?

A.

Attack vectors are evolving for industrial control systems.

B.

There is a greater risk of system exploitation.

C.

Disaster recovery plans (DRPs) are not in place.

D.

Technical specifications are not documented.

Full Access
Question # 111

An IS auditor would MOST likely recommend that IT management use a balanced scorecard to:

A.

indicate whether the organization meets quality standards.

B.

ensure that IT staff meet performance requirements.

C.

train and educate IT staff.

D.

assess IT functions and processes.

Full Access
Question # 112

An IS auditor is reviewing the release management process for an in-house software development solution. In which environment Is the software version MOST likely to be the same as production?

A.

Staging

B.

Testing

C.

Integration

D.

Development

Full Access
Question # 113

Job scheduling impacts system availability and reliability by:

A.

Reducing system downtime.

B.

Ensuring flexibility and scalability.

C.

Optimizing resource utilization.

D.

Decreasing system complexity.

Full Access
Question # 114

Which of the following is the BEST way to mitigate the risk associated with unintentional modifications of complex calculations in end-user computing (EUC)?

A.

Have an independent party review the source calculations

B.

Execute copies of EUC programs out of a secure library

C.

implement complex password controls

D.

Verify EUC results through manual calculations

Full Access
Question # 115

Which of the following fire suppression systems needs to be combined with an automatic switch to shut down the electricity supply in the event of activation?

A.

Carbon dioxide

B.

FM-200

C.

Dry pipe

D.

Halon

Full Access
Question # 116

An IS auditor is reviewing a machine learning (ML) model that predicts the likelihood that a user will watch a certain movie. Which of the following would be of GREATEST concern to the auditor?

A.

An open source programming language was used to develop the model.

B.

The model was tested with data drawn from the same population as the training data.

C.

When the model was tested with data drawn from a different population, the accuracy decreased.

D.

The dataset for training the model was obtained from an unreliable source.

Full Access
Question # 117

Which of the following is the BEST method to delete sensitive information from storage media that will be reused?

A.

Crypto-shredding

B.

Multiple overwriting

C.

Reformatting

D.

Re-partitioning

Full Access
Question # 118

An IS auditor is conducting an IT governance audit and notices many initiatives are managed informally by isolated project managers. Which of the following recommendations would have the GREATEST impact on improving the maturity of the IT team?

A.

Schedule a follow-up audit in the next year to confirm whether IT processes have matured.

B.

Create an interdisciplinary IT steering committee to oversee IT prioritization and spending.

C.

Document and track all IT decisions in a project management tool.

D.

Discontinue all current IT projects until formal approval is obtained and documented.

Full Access
Question # 119

A KEY benefit of integrated auditing is that it:

A.

Facilitates the business in reviewing its control environment.

B.

Enables continuous auditing and monitoring.

C.

Improves the review of audit work by team leaders.

D.

Combines skill sets from operational, functional, and IS auditors.

Full Access
Question # 120

During the planning stage of a compliance audit, an IS auditor discovers that a bank ' s inventory of compliance requirements does not include recent regulatory changes related to managing data risk. What should the auditor do FIRST?

A.

Ask management why the regulatory changes have not been Included.

B.

Discuss potential regulatory issues with the legal department

C.

Report the missing regulatory updates to the chief information officer (CIO).

D.

Exclude recent regulatory changes from the audit scope.

Full Access
Question # 121

Which of the following would be the GREATEST concern for an IS auditor conducting a pre-implementation review of a data loss prevention (DLP > tool?

A.

The tool is implemented in monitor mode rather than block mode.

B.

Crawlers are used to discover sensitive data.

C.

Deep packet inspection opens data packets in transit.

D.

Encryption keys are not centrally managed.

Full Access
Question # 122

An IS auditor concludes that an organization has a quality security policy. Which of the following is MOST important to determine next? The policy must be:

A.

well understood by all employees.

B.

based on industry standards.

C.

developed by process owners.

D.

updated frequently.

Full Access
Question # 123

Users are complaining that a newly released enterprise resource planning (ERP) system is functioning too slowly. Which of the following tests during the quality assurance (QA) phase would have identified this concern?

A.

Stress

B.

Regression

C.

Interface

D.

Integration

Full Access
Question # 124

As part of an audit response, an auditee has concerns with the recommendations and is hesitant to implement them. Which of the following is the BEST course of action for the IS auditor?

A.

Accept the auditee ' s response and perform additional testing.

B.

Suggest hiring a third-party consultant to perform a current state assessment.

C.

Conduct further discussions with the auditee to develop a mitigation plan.

D.

Issue a final report without including the opinion of the auditee.

Full Access
Question # 125

An IS auditor is reviewing an organization ' s business continuity plan (BCP) following a change in organizational structure with significant impact to business processes. Which of the following findings should be the auditor ' s GREATEST concern?

A.

Key business process end users did not participate in the business impact " analysis (BIA)

B.

Copies of the BCP have not been distributed to new business unit end users sjnce the reorganization

C.

A test plan for the BCP has not been completed during the last two years

Full Access
Question # 126

An organization outsourced its IS functions to meet its responsibility for disaster recovery, the organization should:

A.

discontinue maintenance of the disaster recovery plan (DRP >

B.

coordinate disaster recovery administration with the outsourcing vendor

C.

delegate evaluation of disaster recovery to a third party

D.

delegate evaluation of disaster recovery to internal audit

Full Access
Question # 127

A senior auditor is reviewing work papers prepared by a junior auditor indicating that a finding was removed after the auditee said they corrected the problem. Which of the following is the senior auditor s MOST appropriate course of action?

A.

Ask the auditee to retest

B.

Approve the work papers as written

C.

Have the finding reinstated

D.

Refer the issue to the audit director

Full Access
Question # 128

An IS auditor is performing a follow-up audit and notes that some critical deficiencies have not been addressed. The auditor ' s BEST course of action is to:

A.

document management ' s reasons for not addressing deficiencies.

B.

postpone the audit until the deficiencies are addressed.

C.

assess the impact of not addressing deficiencies.

D.

provide new recommendations.

Full Access
Question # 129

Which of the following controls is BEST implemented through system configuration?

Network user accounts for temporary workers expire after 90 days.

Application user access is reviewed every 180 days for appropriateness.

Financial data in key reports is traced to source systems for completeness and accuracy.

A.

Computer operations personnel initiate batch processing jobs daily.

Full Access
Question # 130

Following the sale of a business division, employees will be transferred to a new organization, but they will retain access to IT equipment from the previous employer. An IS auditor has recommended that both organizations agree to and document an acceptable use policy for the equipment. What type of control has been recommended?

A.

Detective control

B.

Preventive control

C.

Directive control

D.

Corrective control

Full Access
Question # 131

Which of the following is a principle of the Agile software development process?

A.

Clear documentation should be seen as the primary measure of progress.

B.

Development phases should be isolated from each other.

C.

A linear approach should be used that requires phase completion before continuing.

D.

Changing requirements should be welcomed, even late in the development process.

Full Access
Question # 132

Which of the following strategies BEST optimizes data storage without compromising data retention practices?

A.

Limiting the size of file attachments being sent via email

B.

Automatically deleting emails older than one year

C.

Moving emails to a virtual email vault after 30 days

D.

Allowing employees to store large emails on flash drives

Full Access
Question # 133

Which of the following approaches will ensure recovery time objectives (RTOs) are met for an organization ' s disaster recovery plan (DRP)?

A.

Performing a cyber resilience test

B.

Performing a full interruption test

C.

Performing a tabletop test

D.

Performing a parallel test

Full Access
Question # 134

A national tax administration agency with a distributed network experiences service disruptions due to a large influx of traffic to a regional office near the end of each year. Which of the following would BEST enable the agency to improve the performance of its servers during the busy period?

A.

Virtual firewall

B.

Proxy server

C.

Load balancer

D.

Virtual private network (VPN)

Full Access
Question # 135

Which of the following methods would BEST help detect unauthorized disclosure of confidential documents sent over corporate email?

A.

Requiring all users to encrypt documents before sending

B.

Installing firewalls on the corporate network

C.

Reporting all outgoing emails that are marked as confidential

D.

Monitoring all emails based on pre-defined criteria

Full Access
Question # 136

An IS auditor has identified deficiencies within the organization ' s software development life cycle policies. Which of the following should be done NEXT?

A.

Document the findings in the audit report.

B.

Identify who approved the policies.

C.

Escalate the situation to the lead auditor.

D.

Communicate the observation to the auditee.

Full Access
Question # 137

Which of the following is the BEST security control to validate the integrity of data communicated between production databases and a big data analytics

system?

A.

Hashing in-scope data sets

B.

Encrypting in-scope data sets

C.

Running and comparing the count function within the in-scope data sets

D.

Hosting a digital certificate for in-scope data sets

Full Access
Question # 138

Which of the following is the BEST source of information to determine the required level of data protection on a file server?

A.

Data classification policy and procedures

B.

Access rights of similar file servers

C.

Previous data breach incident reports

D.

Acceptable use policy and privacy statements

Full Access
Question # 139

A proper audit trail of changes to server start-up procedures would include evidence of:

A.

subsystem structure.

B.

program execution.

C.

security control options.

D.

operator overrides.

Full Access
Question # 140

An IS auditor wants to determine who has oversight of staff performing a specific task and is referencing the organization ' s RACI chart. Which of the following roles within the chart would provide this information?

A.

Consulted

B.

Informed

C.

Responsible

D.

Accountable

Full Access
Question # 141

When processing speed is the highest priority, which cryptographic algorithm should be used to verify the integrity of a bit-for-bit copy from digital evidence?

A.

MD5

B.

SHA-1

C.

AES

D.

SHA-2

Full Access
Question # 142

An IS auditor finds that firewalls are outdated and not supported by vendors. Which of the following should be the auditor ' s NEXT course of action?

A.

Report the mitigating controls.

B.

Report the security posture of the organization.

C.

Determine the value of the firewall.

D.

Determine the risk of not replacing the firewall.

Full Access
Question # 143

What is the PRIMARY benefit of using one-time passwords?

A.

An intercepted password cannot be reused

B.

Security for applications can be automated

C.

Users do not have to memorize complex passwords

D.

Users cannot be locked out of an account

Full Access
Question # 144

Which of the following should an IS auditor be MOST concerned with when a system uses RFID?

A.

privacy

B.

Maintainability

C.

Scalability

D.

Nonrepudiation

Full Access
Question # 145

Which of the following is BEST supported by enforcing data definition standards within a database?

A.

Data disposal

B.

Data retention

C.

Data formatting

D.

Data confidentiality

Full Access
Question # 146

Which of the following would be of MOST concern to an IS auditor reviewing a data loss prevention (DLP) solution implementation for endpoints?

A.

The DLP solution does not support all types of servers.

B.

The solution has been implemented in blocking mode prior to performing tuning.

C.

The organization has never finished tuning the solution.

D.

The solution does not prevent data leakage because it is still in the monitoring phase.

Full Access
Question # 147

When verifying the accuracy and completeness of migrated data for a new application system replacing a legacy system. It is MOST effective for an IS auditor to review;

A.

data analytics findings.

B.

audit trails

C.

acceptance lasting results

D.

rollback plans

Full Access
Question # 148

Which of the following MOST effectively manages frequent program file changes where simultaneous code edits are used?

A.

Mandatory architecture reviews.

B.

Source code composition scanning.

C.

Source code version control.

D.

Change control self-assessments (CSAs).

Full Access
Question # 149

A project team has decided to switch to an agile approach to develop a replacement for an existing business application. Which of the following should an IS auditor do FIRST to ensure the effectiveness of the protect audit?

A.

Compare the agile process with previous methodology.

B.

Identify and assess existing agile process control

C.

Understand the specific agile methodology that will be followed.

D.

Interview business process owners to compile a list of business requirements

Full Access
Question # 150

Which of the following audit procedures would provide the BEST assurance that an application program is functioning as designed?

A.

Using a continuous auditing module

B.

Interviewing business management

C.

Confirming accounts

D.

Reviewing program documentation

Full Access
Question # 151

Which of the following techniques BEST mitigates the risk of pervasive network attacks?

A.

Segmentation

B.

Configuration assessment

C.

Encryption

D.

Demilitarized zone (DMZ)

Full Access
Question # 152

Which of the following application input controls would MOST likely detect data input errors in the customer account number field during the processing of an accounts receivable transaction?

A.

Limit check

B.

Parity check

C.

Reasonableness check

D.

Validity check

Full Access
Question # 153

Which of the following BEST helps monitor and manage operational logs to create value for an organization?

A.

Using automated tools to collect logs and raise alerts based on use cases

B.

Reporting results of log analyses to senior management for review

C.

Selecting logs only from critical operational systems and devices for monitoring

D.

Encrypting logs processed before archiving for defined retention periods

Full Access
Question # 154

A programmer has made unauthorized changes lo key fields in a payroll system report. Which of the following control weaknesses would have contributed MOST to this problem?

A.

The programmer did not involve the user in testing

B.

The user requirements were not documented

C.

The programmer has access to the production programs

D.

Payroll files were not under the control of a librarian

Full Access
Question # 155

An IS auditor discovers that a developer has used the same key to grant access to multiple applications making calls to an application programming interface (API). Which of the following is the BEST recommendation to address this situation?

A.

Replace the API key with time-limited tokens that grant least privilege access.

B.

Authorize the API key to allow read-only access by all applications.

C.

Implement a process to expire the API key after a previously agreed-upon period of time.

D.

Coordinate an API key rotation exercise with all impacted application owners.

Full Access
Question # 156

Which of the following is an IS auditor ' s BEST course of action when the auditee indicates that a corrective action plan for a high-risk finding will take longer than expected?

A.

Accept the longer target date and document it in the audit system.

B.

Determine if an interim compensating control has been implemented.

C.

Escalate the overdue finding to the audit committee.

D.

Require that remediation is completed in the agreed timeframe.

Full Access
Question # 157

Based on best practices, which types of accounts should be disabled for interactive login?

A.

Local accounts

B.

Administrator accounts

C.

Console accounts

D.

Service accounts

Full Access
Question # 158

Which of the following is the GREATEST concern associated with IS risk-based auditing when audit resources are limited?

A.

The audit schedule may become too predictable.

B.

Some business processes may not be audited.

C.

There may be significant delays in responding to management audit requests.

D.

Conducting risk assessments may reduce the time available for auditing.

Full Access
Question # 159

Which of the following is the BEST way to ensure email confidentiality in transit?

A.

Encryption of corporate network traffic

B.

Complex user passwords

C.

End-to-end encryption

D.

Digital signatures

Full Access
Question # 160

Which of the following is an example of a preventative control in an accounts payable system?

A.

The system only allows payments to vendors who are included In the system ' s master vendor list.

B.

Backups of the system and its data are performed on a nightly basis and tested periodically.

C.

The system produces daily payment summary reports that staff use to compare against invoice totals.

D.

Policies and procedures are clearly communicated to all members of the accounts payable department

Full Access
Question # 161

Which of the following is MOST important for an IS auditor to verify when reviewing the use of an outsourcer for disposal of storage media?

A.

The vendor ' s process appropriately sanitizes the media before disposal

B.

The contract includes issuance of a certificate of destruction by the vendor

C.

The vendor has not experienced security incidents in the past.

D.

The disposal transportation vehicle is fully secure

Full Access
Question # 162

An IS auditor is reviewing an organization ' s information asset management process. Which of the following would be of GREATEST concern to the auditor?

A.

The process does not require specifying the physical locations of assets.

B.

Process ownership has not been established.

C.

The process does not include asset review.

D.

Identification of asset value is not included in the process.

Full Access
Question # 163

An incident response team has been notified of a virus outbreak in a network subnet. Which of the following should be the NEXT step?

A.

Focus on limiting the damage.

B.

Remove and restore the affected systems.

C.

Verify that the compromised systems are fully functional.

D.

Document the incident.

Full Access
Question # 164

Which of the following should be an IS auditor ' s GREATEST concern when reviewing an organization ' s security controls for policy compliance?

A.

The security policy has not been reviewed within the past year.

B.

Security policy documents are available on a public domain website.

C.

Security policies are not applicable across all business units.

D.

End users are not required to acknowledge security policy training.

Full Access
Question # 165

Which of the following is MOST critical to the success of an information security program?

A.

Alignment of information security with IT objectives

B.

Management’s commitment to information security

C.

Integration of business and information security

D.

User accountability for information security

Full Access
Question # 166

Controls related to authorized modifications to production programs are BEST tested by:

A.

tracing modifications from the original request for change forward to the executable program.

B.

tracing modifications from the executable program back to the original request for change.

C.

testing only the authorizations to implement the new program.

D.

reviewing only the actual lines of source code changed in the program.

Full Access
Question # 167

Which of the following would be MOST effective in detecting the presence of an unauthorized wireless access point on an internal network?

A.

Continuous network monitoring

B.

Periodic network vulnerability assessments

C.

Review of electronic access logs

D.

Physical security reviews

Full Access
Question # 168

Which of the following is an advantage of using agile software development methodology over the waterfall methodology?

A.

Less funding required overall

B.

Quicker deliverables

C.

Quicker end user acceptance

D.

Clearly defined business expectations

Full Access
Question # 169

Aligning IT strategy with business strategy PRIMARILY helps an organization to:

A.

Increase involvement of senior management in IT.

B.

Optimize investments in IT.

C.

Create risk awareness across business units.

D.

Monitor the effectiveness of IT.

Full Access
Question # 170

A small IT department has embraced DevOps, which allows members of this group to deploy code to production and maintain some development access to automate releases. Which of the following is the MOST effective control?

A.

Enforce approval prior to deployment by a member of the team who has not taken part in the development.

B.

The DevOps team provides an annual policy acknowledgment that they did not develop and deploy the same code.

C.

Annual training reinforces the need to maintain segregation between developers and deployers of code

D.

The IT compliance manager performs weekly reviews to ensure the same person did not develop and deploy code.

Full Access
Question # 171

An organization using a cloud provider for its online billing system requires the website to be accessible to customers at all times. What is the BEST way to verify the organization ' s business requirements are met?

A.

Invoke the right-to-audit clause.

B.

Require the vendor to report any outages longer than five minutes

C.

Monitor the service level agreement (SLA) with the vendor.

D.

Agree on periodic performance discussions with the vendor

Full Access
Question # 172

Which of the following is MOST important to define within a disaster recovery plan (DRP)?

A.

Business continuity plan (BCP)

B.

Test results for backup data restoration

C.

A comprehensive list of disaster recovery scenarios and priorities

D.

Roles and responsibilities for recovery team members

Full Access
Question # 173

An IS auditor is assigned to perform a post-implementation review of an application system. Which of the following would impair the auditor ' s independence?

A.

The auditor implemented a specific control during the development of the system.

B.

The auditor provided advice concerning best practices.

C.

The auditor participated as a member of the project team without operational responsibilities

D.

The auditor designed an embedded audit module exclusively for audit

Full Access
Question # 174

Which of the following is the PRIMARY role of key performance indicators (KPIs) in supporting business process effectiveness?

A.

To analyze workflows in order to optimize business processes and eliminate tasks that do not provide value

B.

To evaluate the cost-benefit of tools implemented to monitor control performance

C.

To assess the functionality of a software deliverable based on business processes

D.

To enable conclusions about the performance of the processes and target variances for follow-up analysis

Full Access
Question # 175

Which of following is MOST important to determine when conducting a post-implementation review?

A.

Whether the solution architecture compiles with IT standards

B.

Whether success criteria have been achieved

C.

Whether the project has been delivered within the approved budget

D.

Whether lessons teamed have been documented

Full Access
Question # 176

Which of the following observations should be of GREATEST concern to an IS auditor reviewing an organization’s enterprise architecture (EA) program?

A.

The architecture review board is chaired by the CIO

B.

IT application owners have sole responsibility for architecture approval

C.

The EA program governs projects that are not IT-related

D.

Information security requirements are reviewed by the EA program

Full Access
Question # 177

Which of the following should be the FIRST step in a data migration project?

A.

Reviewing decisions on how business processes should be conducted in the new system

B.

Completing data cleanup in the current database to eliminate inconsistencies

C.

Understanding the new system ' s data structure

D.

Creating data conversion scripts

Full Access
Question # 178

An incorrect version of the source code was amended by a development team. This MOST likely indicates a weakness in:

A.

incident management.

B.

quality assurance (QA).

C.

change management.

D.

project management.

Full Access
Question # 179

A steering committee established to oversee an organization’s digital transformation program is MOST likely to be involved with which of the following activities?

A.

Designing interface controls.

B.

Documenting requirements.

C.

Reviewing escalated project issues.

D.

Preparing project status reports.

Full Access
Question # 180

An IS auditor found that a company executive is encouraging employee use of social networking sites for business purposes. Which of the following recommendations would BEST help to reduce the risk of data leakage?

A.

Requiring policy acknowledgment and nondisclosure agreements (NDAs) signed by employees

B.

Establishing strong access controls on confidential data

C.

Providing education and guidelines to employees on use of social networking sites

D.

Monitoring employees ' social networking usage

Full Access
Question # 181

Which of the following data would be used when performing a business impact analysis (BIA)?

A.

Projected impact of current business on future business

B.

Cost-benefit analysis of running the current business

C.

Cost of regulatory compliance

D.

Expected costs for recovering the business

Full Access
Question # 182

An IS auditor has been asked to review the integrity of data transfer between two business-critical systems that have not been tested since implementation. Which of the following would provide the MOST useful information to plan an audit?

A.

Quality assurance (QA) testing

B.

System change logs

C.

IT testing policies and procedures

D.

Previous system interface testing records

Full Access
Question # 183

An external attacker spoofing an internal Internet Protocol (IP) address can BEST be detected by which of the following?

A.

Comparing the source address to the domain name server (DNS) entry

B.

Using static IP addresses for identification

C.

Comparing the source address to the interface used as the entry point

D.

Using a state table to compare the message states of each packet as it enters the system

Full Access
Question # 184

Which of the following groups is PRIMARILY accountable for establishing a culture that facilitates an effective and efficient internal control system?

A.

HR

B.

Senior management

C.

Line management

D.

Internal audit

Full Access
Question # 185

An organization is planning an acquisition and has engaged an IS auditor lo evaluate the IT governance framework of the target company. Which of the following would be MOST helpful In determining the effectiveness of the framework?

A.

Sell-assessment reports of IT capability and maturity

B.

IT performance benchmarking reports with competitors

C.

Recent third-party IS audit reports

D.

Current and previous internal IS audit reports

Full Access
Question # 186

Which of the following BEST indicates an effective internal audit quality assurance and improvement program?

A.

Oversight of the improvement program by senior management

B.

An improved internal audit charter

C.

A scope that focuses on high-risk audit engagements

D.

Identification of opportunities for continuous improvement

Full Access
Question # 187

Which of the following should be of MOST concern to an IS auditor when reviewing an intrusion detection system (IDS)?

A.

High false-positive rate

B.

Delay in signature updates

C.

High false-negative rate

D.

Decrease in processing speed

Full Access
Question # 188

Which of the following is MOST useful for determining the strategy for IT portfolio management?

A.

IT metrics dashboards

B.

IT roadmap

C.

Capability maturity model

D.

Life cycle cost-benefit analysis

Full Access
Question # 189

Which of the following is the MOST important activity in the data classification process?

A.

Labeling the data appropriately

B.

Identifying risk associated with the data

C.

Determining accountability of data owners

D.

Determining the adequacy of privacy controls

Full Access
Question # 190

Which of the following is the MOST important consideration when implementing a Zero Trust strategy for mobile, wireless, and Internet of Things (IoT) devices?

A.

Ensuring the latest firmware updates are applied regularly to all devices

B.

Validating the identity of all devices and users before granting access to resources

C.

Focusing on user training and awareness to prevent phishing attacks

D.

Implementing strong encryption protocols for data in transit and at rest

Full Access
Question # 191

When protecting the confidentiality of information assets, the MOST effective control practice is the:

A.

Awareness training of personnel on regulatory requirements

B.

Utilization of a dual-factor authentication mechanism

C.

Configuration of read-only access to all users

D.

Enforcement of a need-to-know access control philosophy

Full Access
Question # 192

Which of the following is MOST important for an IS auditor to validate when reviewing the controls for an organization ' s quality management system (QMS)?

A.

Whether root cause analysis is performed on all failed and rejected changes

B.

Whether critical services are delivered in a timely and sustainable manner

C.

Whether there is a process to monitor continuous improvement areas and necessary targets

D.

Whether the organization follows an industry-recognized service management framework

Full Access
Question # 193

A contract for outsourcing IS functions should always include:

A.

Full details of security procedures to be observed by the contractor.

B.

A provision for an independent audit of the contractor’s operations.

C.

The names and roles of staff to be employed in the operation.

D.

Data transfer protocols.

Full Access
Question # 194

Which of the following is the PRIMARY benefit of benchmarking an organization ' s software development lifecycle practices against a capability maturity model?

A.

Reliable products are guaranteed.

B.

Repeatable software development procedures are established.

C.

Programmers ' efficiency is improved.

D.

Security requirements are added to software development processes.

Full Access
Question # 195

An IS auditor finds a high-risk vulnerability in a public-facing web server used to process online customer payments. The IS auditor should FIRST

A.

document the exception in an audit report.

B.

review security incident reports.

C.

identify compensating controls.

D.

notify the audit committee.

Full Access
Question # 196

Which of the following would be of GREATEST concern to an IS auditor reviewing an IT-related customer service project?

A.

The project risk exceeds the organization ' s risk appetite.

B.

Executing the project will require additional investments.

C.

Expected business value is expressed in qualitative terms.

D.

The organization will be the first to offer the proposed services.

Full Access
Question # 197

An IS auditor finds that one employee has unauthorized access to confidential data. The IS auditor ' s BEST recommendation should be to:

A.

reclassify the data to a lower level of confidentiality

B.

require the business owner to conduct regular access reviews.

C.

implement a strong password schema for users.

D.

recommend corrective actions to be taken by the security administrator.

Full Access
Question # 198

Which of the following is MOST important to determine when conducting an audit Of an organization ' s data privacy practices?

A.

Whether a disciplinary process is established for data privacy violations

B.

Whether strong encryption algorithms are deployed for personal data protection

C.

Whether privacy technologies are implemented for personal data protection

D.

Whether the systems inventory containing personal data is maintained

Full Access
Question # 199

An employee approaches an IS auditor and expresses concern about a critical security issue in a newly installed application. Which of the following should the auditor do FIRST?

A.

Recommend reverting to the previous application.

B.

Discuss the concern with audit management.

C.

Conduct a review of the application.

D.

Disclose the concern to legal counsel.

Full Access
Question # 200

A manager Identifies active privileged accounts belonging to staff who have left the organization. Which of the following is the threat actor In this scenario?

A.

Terminated staff

B.

Unauthorized access

C.

Deleted log data

D.

Hacktivists

Full Access
Question # 201

During an incident management audit, an IS auditor finds that several similar incidents were logged during the audit period. Which of the following is the auditor ' s MOST important course of action?

A.

Document the finding and present it to management.

B.

Determine if a root cause analysis was conducted.

C.

Confirm the resolution time of the incidents.

D.

Validate whether all incidents have been actioned.

Full Access
Question # 202

When evaluating the design of controls related to network monitoring, which of the following is MOST important for an IS auditor to review?

A.

Incident monitoring togs

B.

The ISP service level agreement

C.

Reports of network traffic analysis

D.

Network topology diagrams

Full Access
Question # 203

What should an IS auditor ensure when a financial organization intends to utilize production data in the testing environment?

A.

The data utilized is de-identified.

B.

The data utilized is accurate.

C.

The data utilized is complete.

D.

The data utilized is current.

Full Access
Question # 204

During a review of an organization ' s IT capacity management process, an IS auditor should be MOST concerned if capacity planning:

A.

Was reviewed once during the previous six months.

B.

Omitted changes to key business systems.

C.

Lacked input from system administrators.

D.

Was based on input from IT service management only.

Full Access
Question # 205

Which of the following activities would allow an IS auditor to maintain independence while facilitating a control sell-assessment (CSA)?

A.

Implementing the remediation plan

B.

Partially completing the CSA

C.

Developing the remediation plan

D.

Developing the CSA questionnaire

Full Access
Question # 206

During an audit of a reciprocal disaster recovery agreement between two companies, the IS auditor would be MOST concerned with the:

A.

allocation of resources during an emergency.

B.

frequency of system testing.

C.

differences in IS policies and procedures.

D.

maintenance of hardware and software compatibility.

Full Access
Question # 207

Reviewing which of the following would provide the BEST indication that a project is progressing as planned?

A.

Identification of the critical path

B.

Earned value analysis (EVA) results

C.

Work breakdown structure

D.

Traceability matrix

Full Access
Question # 208

A system development project is experiencing delays due to ongoing staff shortages. Which of the following strategies would provide the GREATEST assurance of system quality at implementation?

A.

Implement overtime pay and bonuses for all development staff.

B.

Utilize new system development tools to improve productivity.

C.

Recruit IS staff to expedite system development.

D.

Deliver only the core functionality on the initial target date.

Full Access
Question # 209

The GREATEST concern for an IS auditor reviewing vulnerability assessments by the auditee would be if the assessments are:

A.

Conducted once per year just before system audits are scheduled.

B.

Conducted by the internal technical team instead of external experts.

C.

Performed for critical systems, not for the entire infrastructure.

D.

Performed using open-source testing tools.

Full Access
Question # 210

A white box testing method is applicable with which of the following testing processes?

A.

Integration testing

B.

Parallel testing

C.

Sociability testing

D.

User acceptance testing (UAT)

Full Access
Question # 211

Which of the following is the MOST effective method for ensuring the integrity of log data?

A.

Implementing a timestamping mechanism

B.

Implementing cryptographic hash functions

C.

Limiting access to log data

D.

Regularly archiving log data

Full Access
Question # 212

Which of the following should be used to evaluate an IT development project before an investment is committed?

A.

Earned value analysis (EVA)

B.

Rapid application development

C.

Function point analysis

D.

Feasibility study

Full Access
Question # 213

An IS auditor finds that the process for removing access for terminated employees is not documented What is the MOST significant risk from this observation?

A.

Procedures may not align with best practices

B.

Human resources (HR) records may not match system access.

C.

Unauthorized access cannot he identified.

D.

Access rights may not be removed in a timely manner.

Full Access
Question # 214

Which of the following is MOST important for an IS auditor to verify when evaluating an organization ' s data conversion andinfrastructure migration plan?

A.

Strategic: goals have been considered.

B.

A rollback plan is included.

C.

A code check review is included.

D.

A migration steering committee has been formed.

Full Access
Question # 215

Which of the following network topologies will provide the GREATEST fault tolerance?

A.

Star configuration

B.

Ring configuration

C.

Bus configuration

D.

Mesh configuration

Full Access
Question # 216

During an audit of a financial application, it was determined that many terminated users ' accounts were not disabled. Which of the following should be the IS auditor ' s NEXT step?

A.

Perform substantive testing of terminated users ' access rights.

B.

Perform a review of terminated users ' account activity

C.

Communicate risks to the application owner.

D.

Conclude that IT general controls ate ineffective.

Full Access
Question # 217

Which of the following is the MOST important reason to implement version control for an end-user computing (EUC) application?

A.

To ensure that older versions are availability for reference

B.

To ensure that only the latest approved version of the application is used

C.

To ensure compatibility different versions of the application

D.

To ensure that only authorized users can access the application

Full Access
Question # 218

Which of the following should an IS auditor recommend be done FIRST when an organization is planning to implement an IT compliance program?

A.

Identify staff training needs related to compliance requirements.

B.

Analyze historical compliance-related audit findings.

C.

Research and purchase an industry-recognized IT compliance tool

D.

Identify applicable laws, regulations, and standards.

Full Access
Question # 219

Which of the following is the PRIMARY objective of performing quality assurance (QA) in a system development process?

A.

To ensure that expected benefits have been realized

B.

To ensure the developed system meets business requirements

C.

To ensure the developed system integrates well with another system

D.

To help determine high-level requirements for the new system

Full Access
Question # 220

Which of the following should be done FIRST when planning to conduct internal and external penetration testing for a client?

A.

Establish the timing of testing.

B.

Identify milestones.

C.

Determine the test reporting

D.

Establish the rules of engagement.

Full Access
Question # 221

A checksum is classified as which type of control?

A.

Detective control

B.

Preventive control

C.

Corrective control

D.

Administrative control

Full Access
Question # 222

A data breach has occurred due lo malware. Which of the following should be the FIRST course of action?

A.

Notify the cyber insurance company.

B.

Shut down the affected systems.

C.

Quarantine the impacted systems.

D.

Notify customers of the breach.

Full Access
Question # 223

in a controlled application development environment, the MOST important segregation of duties should be between the person who implements changes into the production environment and the:

A.

application programmer

B.

systems programmer

C.

computer operator

D.

quality assurance (QA) personnel

Full Access
Question # 224

Which of the following is the BEST control lo mitigate attacks that redirect Internet traffic to an unauthorized website?

A.

Utilize a network-based firewall.

B.

Conduct regular user security awareness training.

C.

Perform domain name system (DNS) server security hardening.

D.

Enforce a strong password policy meeting complexity requirement.

Full Access
Question # 225

Which of the following Is the BEST way to ensure payment transaction data is restricted to the appropriate users?

A.

Implementing two-factor authentication

B.

Restricting access to transactions using network security software

C.

implementing role-based access at the application level

D.

Using a single menu tor sensitive application transactions

Full Access
Question # 226

Which of the following is the MOST important prerequisite for implementing a data loss prevention (DLP) tool?

A.

Requiring users to save files in secured folders instead of a company-wide shared drive

B.

Reviewing data transfer logs to determine historical patterns of data flow

C.

Developing a DLP policy and requiring signed acknowledgment by users

D.

Identifying where existing data resides and establishing a data classification matrix

Full Access
Question # 227

Which of the following is the PRIMARY benefit of operational log management?

A.

It enhances user experience via predictive analysis.

B.

It improves security with real-time monitoring of network data.

C.

It organizes data to identify performance issues.

D.

It supports data aggregation using unified storage.

Full Access
Question # 228

Which of the following would be to MOST concern when determine if information assets are adequately safequately safeguarded during transport and disposal?

A.

Lack of appropriate labelling

B.

Lack of recent awareness training.

C.

Lack of password protection

D.

Lack of appropriate data classification

Full Access
Question # 229

Which of the following is the MAIN responsibility of the IT steering committee?

A.

Reviewing and assisting with IT strategy integration efforts

B.

Developing and assessing the IT security strategy

C.

Implementing processes to integrate security with business objectives

D.

Developing and implementing the secure system development framework

Full Access
Question # 230

Which of the following should be an IS auditor ' s PRIMARY consideration when determining which issues to include in an audit report?

A.

Professional skepticism

B.

Management ' s agreement

C.

Materiality

D.

Inherent risk

Full Access
Question # 231

What is the Most critical finding when reviewing an organization’s information security management?

A.

No dedicated security officer

B.

No official charier for the information security management system

C.

No periodic assessments to identify threats and vulnerabilities

D.

No employee awareness training and education program

Full Access
Question # 232

Which of the following should be of GREATEST concern to an IS auditor reviewing an organization ' s IT process performance reports over the last quarter?

A.

Metrics are not aligned with industry benchmarks

B.

Performance reporting includes too many technical terms

C.

Key performance indicators (KPIs) were met in only one month

D.

Metrics were defined without stakeholder review

Full Access
Question # 233

An IS auditor is reviewing processes for importing market price data from external data providers. Which of the following findings should the auditor consider MOST critical?

A.

The quality of the data is not monitored.

B.

Imported data is not disposed frequently.

C.

The transfer protocol is not encrypted.

D.

The transfer protocol does not require authentication.

Full Access
Question # 234

Which of the following represents the GREATEST risk to virtualized environments?

A.

Virtual servers may not have the latest security updates.

B.

Servers may only be accessed remotely.

C.

Hypervisors may be a single point of failure.

D.

Account reviews may not be performed for guest operating systems.

Full Access
Question # 235

Which type of control is being implemented when a biometric access device is installed at the entrance to a facility?

A.

Preventive

B.

Deterrent

C.

Corrective

D.

Detective

Full Access
Question # 236

Which of the following provides the MOST useful information regarding an organization ' s risk appetite and tolerance?

A.

Gap analysis

B.

Audit reports

C.

Risk profile

D.

Risk register

Full Access
Question # 237

An IS auditor wants to gain a better understanding of an organization’s selected IT operating system software. Which of the following would be MOST helpful to review?

A.

Service level agreements (SLAs)

B.

Project steering committee charter

C.

IT audit reports

D.

Enterprise architecture (EA)

Full Access
Question # 238

An organization has outsourced the development of a core application. However, the organization plans to bring the support and future maintenance of the application back in-house. Which of the following findings should be the IS auditor ' s GREATEST concern?

A.

The cost of outsourcing is lower than in-house development.

B.

The vendor development team is located overseas.

C.

A training plan for business users has not been developed.

D.

The data model is not clearly documented.

Full Access
Question # 239

Which of the following user actions poses the GREATEST risk for inadvertently introducing malware into a local network?

A.

Uploading a file onto an internal server

B.

Viewing a hypertext markup language (HTML) document

C.

Downloading a file from an enterprise file share

D.

Opening an email attachment from an external account

Full Access
Question # 240

Which of the following should be the PRIMARY objective of a disaster recovery plan (DRP)?

A.

Minimizing loss of information

B.

Assessing the risk of key applications

C.

Identifying key business processes

D.

Documenting all IT assets

Full Access
Question # 241

When planning a review of IT governance, an IS auditor is MOST likely to:

A.

assess whether business process owner responsibilities are consistent.

B.

obtain information about the control framework adopted by management.

C.

examine audit committee minutes for IT-related controls.

D.

define key performance indicators (KPIs).

Full Access
Question # 242

Backup procedures for an organization ' s critical data are considered to be which type of control?

A.

Directive

B.

Corrective

C.

Detective

D.

Compensating

Full Access
Question # 243

What should an IS auditor do FIRST upon discovering that a service provider did not notify its customers of a security breach?

A.

Notify law enforcement of the finding.

B.

Require the third party to notify customers.

C.

The audit report with a significant finding.

D.

Notify audit management of the finding.

Full Access
Question # 244

Which of the following is the PRIMARY objective of implementing privacy-related controls within an organization?

A.

To prevent confidential data loss

B.

To comply with legal and regulatory requirements

C.

To identify data at rest and data in transit for encryption

D.

To provide options to individuals regarding use of their data

Full Access
Question # 245

During an audit which of the following would be MOST helpful in establishing a baseline for measuring data quality?

A.

Input from customers

B.

Industry standard business definitions

C.

Validation of rules by the business

D.

Built-in data error prevention application controls

Full Access
Question # 246

Which of the following is the MOST effective control when granting access to a service provider for a ctoud-6ased application?

A.

Administrator access is provided for a limited period with an expiration date.

B.

Access has been provided on a need-to-know basis.

C.

User IDs are deleted when work is completed.

D.

Access is provided to correspond with the service level agreement (SLA).

Full Access
Question # 247

Which of the following BEST guards against the risk of attack by hackers?

A.

Tunneling

B.

Encryption

C.

Message validation

D.

Firewalls

Full Access
Question # 248

The operations team of an organization has reported an IS security attack Which of the following should be the FIRST step for the security incident response team?

A.

Report results to management

B.

Document lessons learned

C.

Perform a damage assessment

D.

Prioritize resources for corrective action

Full Access
Question # 249

Which of the following provides the MOST reliable method of preventing unauthonzed logon?

A.

issuing authentication tokens

B.

Reinforcing current security policies

C.

Limiting after-hours usage

D.

Installing an automatic password generator

Full Access
Question # 250

Which of the following is an organization ' s BEST defense against malware?

A.

Documented security procedures

B.

Intrusion prevention system (IPS)

C.

Security awareness training

D.

Intrusion detection system (IDS)

Full Access
Question # 251

Audit frameworks cart assist the IS audit function by:

A.

defining the authority and responsibility of the IS audit function.

B.

providing details on how to execute the audit program.

C.

providing direction and information regarding the performance of audits.

D.

outlining the specific steps needed to complete audits

Full Access
Question # 252

Which of the following controls is MOST effective at preventing system failures when implementing a new web application?

A.

System recovery plan

B.

System testing

C.

Business continuity plan (BCP)

D.

Transaction monitoring

Full Access
Question # 253

What should an IS auditor do FIRST when a follow-up audit reveals some management action plans have not been initiated?

A.

Confirm whether the identified risks are still valid.

B.

Provide a report to the audit committee.

C.

Escalate the lack of plan completion to executive management.

D.

Request an additional action plan review to confirm the findings.

Full Access
Question # 254

An organization is concerned with meeting new regulations for protecting data confidentiality and asks an IS auditor to evaluate their procedures for transporting data. Which of the

following would BEST support the organization ' s objectives?

A.

Cryptographic hashes

B.

Virtual local area network (VLAN)

C.

Encryption

D.

Dedicated lines

Full Access
Question # 255

Which of the following should be of GREATEST concern to an IS auditor reviewing controls around an AI system in an organization?

A.

Development of the knowledge base was outsourced to vendors.

B.

The policy and procedure guide and its decision logic were reviewed once annually.

C.

Contracted developers have access to the knowledge base for maintenance purposes.

D.

Basic assumptions and formulas used to develop the decision logic were not documented.

Full Access
Question # 256

Which of the following should be the GREATEST concern for an IS auditor performing a post-implementation review for a major system upgrade?

A.

Changes are promoted to production by the development group.

B.

Object code can be accessed by the development group.

C.

Developers have access to the testing environment.

D.

Change approvals are not formally documented.

Full Access
Question # 257

Which of the following is the MOST important determining factor when establishing appropriate timeframes for follow-up activities related to audit findings?

A.

Availability of IS audit resources

B.

Remediation dates included in management responses

C.

Peak activity periods for the business

D.

Complexity of business processes identified in the audit

Full Access
Question # 258

An IS auditor has been asked to review an event log aggregation system to ensure risk management practices have been applied. Which of the following should be of MOST concern to the auditor?

A.

Log feeds are uploaded via batch process.

B.

Completeness testing has not been performed on the log data.

C.

The log data is not normalized.

D.

Data encryption standards have not been considered.

Full Access
Question # 259

From an IS auditor ' s perspective, which of the following would be the GREATEST risk associated with an incomplete inventory of deployed software in an organization?

A.

Inability to close unused ports on critical servers

B.

Inability to identify unused licenses within the organization

C.

Inability to deploy updated security patches

D.

Inability to determine the cost of deployed software

Full Access
Question # 260

What would be the PRIMARY reason an IS auditor would recommend replacing universal PIN codes with an RFID access card system at a data center?

A.

To improve traceability

B.

To prevent piggybacking

C.

To implement multi-factor authentication

D.

To reduce maintenance costs

Full Access
Question # 261

Which of the following responses to risk associated with segregation of duties would incur the LOWEST initial cost?

A.

Risk acceptance

B.

Risk mitigation

C.

Risk transference

D.

Risk reduction

Full Access
Question # 262

Which of the following is MOST helpful for evaluating benefits realized by IT projects?

A.

Benchmarking IT project management practices with industry peers

B.

Evaluating compliance with key security controls

C.

Comparing planned versus actual return on investment (ROI)

D.

Reviewing system development life cycle (SDLC) processes

Full Access
Question # 263

Which of the following is the BEST method to prevent wire transfer fraud by bank employees?

A.

Independent reconciliation

B.

Re-keying of wire dollar amounts

C.

Two-factor authentication control

D.

System-enforced dual control

Full Access
Question # 264

When assessing the overall effectiveness of an organization ' s disaster recovery planning process, which of the following is MOST important for the IS auditor to verify?

A.

Management contracts with a third party for warm site services.

B.

Management schedules an annual tabletop exercise.

C.

Management documents and distributes a copy of the plan to all personnel.

D.

Management reviews and updates the plan annually or as changes occur.

Full Access
Question # 265

Which of the following will be the MOST effective method to verify that a service vendor keeps control levels as required by the client?

A.

Conduct periodic onsite assessments using agreed-upon criteria.

B.

Conduct an unannounced vulnerability assessment of the vendor’s IT systems.

C.

Periodically review the service level agreement (SLA) with the vendor.

D.

Obtain evidence of the vendor ' s control self-assessment (CSA).

Full Access
Question # 266

An IS auditor requests direct access to data required to perform audit procedures instead of asking management to provide the data Which of the following is the PRIMARY advantage of this approach?

A.

Audit transparency

B.

Data confidentiality

C.

Professionalism

D.

Audit efficiency

Full Access
Question # 267

Which of the following should be the FIRST consideration when deciding whether data should be moved to a cloud provider for storage?

A.

Data storage costs

B.

Data classification

C.

Vendor cloud certification

D.

Service level agreements (SLAs)

Full Access
Question # 268

Which of the following is the BEST way to identify whether the IT help desk is meeting service level agreements (SLAS)?

A.

Review exception reports

B.

Review IT staffing schedules.

C.

Analyze help desk ticket logs

D.

Conduct IT management interviews

Full Access
Question # 269

Which of the following provides the BEST assurance that vendor-supported software remains up to date?

A.

Release and patch management

B.

Licensing agreement and escrow

C.

Software asset management

D.

Version management

Full Access
Question # 270

Which of the following BEST describes the process of creating a digital envelope?

A.

The encryption key is compressed within a folder after a message is encoded using symmetric encryption.

B.

A message is encoded using symmetric encryption, and then the encryption key is secured using public key encryption.

C.

The message is hashed, and the hash total is sent using symmetric encryption.

D.

A message digest is encrypted using asymmetric encryption, and the encryption key is sent using asymmetric encryption.

Full Access
Question # 271

Which of the following is MOST important when implementing a data classification program?

A.

Understanding the data classification levels

B.

Formalizing data ownership

C.

Developing a privacy policy

D.

Planning for secure storage capacity

Full Access
Question # 272

Which type of device sits on the perimeter of a corporate of home network, where it obtains a public IP address and then generates private IP addresses internally?

A.

Switch

B.

Intrusion prevention system (IPS)

C.

Gateway

D.

Router

Full Access
Question # 273

Which of the following is the BEST justification for deferring remediation testing until the next audit?

A.

The auditor who conducted the audit and agreed with the timeline has left the organization.

B.

Management ' s planned actions are sufficient given the relative importance of the observations.

C.

Auditee management has accepted all observations reported by the auditor.

D.

The audit environment has changed significantly.

Full Access
Question # 274

An organization recently implemented a cloud document storage solution and removed the ability for end users to save data to their local workstation hard drives. Which of the following findings should be the IS auditor ' s GREATEST concern?

A.

Users are not required to sign updated acceptable use agreements.

B.

Users have not been trained on the new system.

C.

The business continuity plan (BCP) was not updated.

D.

Mobile devices are not encrypted.

Full Access
Question # 275

What is the PRIMARY purpose of documenting audit objectives when preparing for an engagement?

A.

To address the overall risk associated with the activity under review

B.

To identify areas with relatively high probability of material problems

C.

To help ensure maximum use of audit resources during the engagement

D.

To help prioritize and schedule auditee meetings

Full Access
Question # 276

Which of the following is an analytical review procedure for a payroll system?

A.

Performing reasonableness tests by multiplying the number of employees by the average wage rate

B.

Evaluating the performance of the payroll system using benchmarking software

C.

Performing penetration attempts on the payroll system

D.

Testing hours reported on time sheets

Full Access
Question # 277

Which of the following would present the GREATEST concern during a review of internal audit quality assurance (QA) and continuous improvement processes?

A.

The audit program does not involve periodic engagement with external assessors.

B.

Quarterly reports are not distributed to the audit committee.

C.

Results of corrective actions are not tracked consistently.

D.

Substantive testing is not performed during the assessment phase of some audits.

Full Access
Question # 278

The PRIMARY reason to perform internal quality assurance (QA) for an internal audit function is to ensure:

A.

audit resources are used most effectively.

B.

internal audit activity conforms with audit standards and methodology.

C.

the audit function is adequately governed and meets performance metrics.

D.

inherent risk in audits is minimized.

Full Access
Question # 279

An organization has established hiring policies and procedures designed specifically to ensure network administrators are well qualified Which type of control is in place?

A.

Detective

B.

Compensating

C.

Corrective

D.

Directive

Full Access
Question # 280

Which of the following should be of GREATEST concern to an IS auditor performing a review of information security controls?

A.

The information security policy has not been approved by the chief audit executive (CAE).

B.

The information security policy does not include mobile device provisions

C.

The information security policy is not frequently reviewed

D.

The information security policy has not been approved by the policy owner

Full Access
Question # 281

Which of the following is an IS auditor ' s BEST approach when prepanng to evaluate whether the IT strategy supports the organization ' s vision and mission?

A.

Review strategic projects tor return on investments (ROls)

B.

Solicit feedback from other departments to gauge the organization ' s maturity

C.

Meet with senior management to understand business goals

D.

Review the organization ' s key performance indicators (KPls)

Full Access
Question # 282

During a database security audit, an IS auditor is reviewing the process used to input data. Which of the following is the MOST significant risk area for the auditor to focus on?

A.

Data resilience

B.

Data availability

C.

Data normalization

D.

Data integrity

Full Access
Question # 283

An IS auditor reviewing the threat assessment tor a data center would be MOST concerned if:

A.

some of the identified throats are unlikely to occur.

B.

all identified throats relate to external entities.

C.

the exercise was completed by local management.

D.

neighboring organizations operations have been included.

Full Access
Question # 284

During a review of a production schedule, an IS auditor observes that a staff member is not complying with mandatory operational procedures. The auditor ' s NEXT step should be to:

A.

note the noncompliance in the audit working papers.

B.

issue an audit memorandum identifying the noncompliance.

C.

include the noncompliance in the audit report.

D.

determine why the procedures were not followed.

Full Access
Question # 285

An IS auditor is reviewing the backup procedures in an organization that has high volumes of data with frequent changes to transactions. Which of the following is the BEST backup scheme to recommend given the need for a shorter restoration time in the event of a disruption?

A.

Differential backup

B.

Full backup

C.

Incremental backup

D.

Mirror backup

Full Access
Question # 286

Which of the following provides the MOST assurance of the integrity of a firewall log?

A.

The log is reviewed on a monthly basis.

B.

Authorized access is required to view the log.

C.

The log cannot be modified.

D.

The log is retained per policy.

Full Access
Question # 287

Which of the following should be the FIRST step when developing a data loss prevention (DLP) solution for a large organization?

A.

Conduct a data inventory and classification exercise.

B.

Identify approved data workflows across the enterprise_

C.

Conduct a threat analysis against sensitive data usage.

D.

Create the DLP policies and templates

Full Access
Question # 288

While reviewing transactions, an IS auditor discovers inconsistencies in a relational database. Which of the following would be the auditor ' s BEST recommendation?

A.

Update the data dictionary.

B.

Implement edit checks.

C.

Perform data modeling.

D.

Conduct data owner training.

Full Access
Question # 289

An organization is planning to implement a control self-assessment (CSA) program for selected business processes. Which of the following should be the role of the internal audit team for this program?

A.

Perform testing to validate the accuracy of management ' s self-assessment.

B.

Advise management on the self-assessment process.

C.

Design testing procedures for management to assess process controls effectively.

D.

De-scope business processes to be covered by CSAs from future audit plans.

Full Access
Question # 290

During an audit, an IT finding is agreed upon by all IT teams involved, but no team wants to be responsible for remediation or considers the finding within Its area of responsibility Which of the following is the IS auditor ' s BEST course of action?

A.

Escalate to IT management for resolution.

B.

Issue the finding without identifying an owner

C.

Assign shared responsibility to all IT teams.

D.

Determine the most appropriate team and assign accordingly.

Full Access
Question # 291

Which of the following system attack methods is executed by entering malicious code into the search box of a vulnerable website, causing the server to reveal restricted information?

A.

Man-m-the-middle

B.

Denial of service (DoS)

C.

SQL injection

D.

Cross-site scripting

Full Access
Question # 292

An organizations audit charier PRIMARILY:

A.

describes the auditors ' authority to conduct audits.

B.

defines the auditors ' code of conduct.

C.

formally records the annual and quarterly audit plans.

D.

documents the audit process and reporting standards.

Full Access
Question # 293

Which of the following can BEST reduce the impact of a long-term power failure?

A.

Power conditioning unit

B.

Emergency power-off switches

C.

Battery bank

D.

Redundant power source

Full Access
Question # 294

Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?

A.

Apply single sign-on for access control

B.

Implement segregation of duties.

C.

Enforce an internal data access policy.

D.

Enforce the use of digital signatures.

Full Access
Question # 295

Which of the following is the PRIMARY reason for an organization to implement a configuration management database (CMDB)?

A.

To track configuration incidents and service requests

B.

To record and monitor performance metrics for configuration items

C.

To provide an organized view of configuration items and their relationships

D.

To store backup copies of software applications

Full Access
Question # 296

An IS auditor believes that management has accepted a level of residual risk that is not appropriate for the organization. Which of the following is the auditor’s MOST appropriate course of action?

A.

Submit a report informing the board of management’s decision to accept the risk.

B.

Discuss the matter with IS audit management and executive management.

C.

Include management’s response to accept the risk in the audit report and take no further action.

D.

Include the risk as a finding in the audit report but do not note management’s risk acceptance.

Full Access
Question # 297

Which of the following roles is PRIMARILY responsible for mitigating the risk of benefits not being realized in an IT project?

A.

Project sponsor

B.

Project manager

C.

Quality assurance (QA) manager

D.

Chief risk officer (CRO)

Full Access
Question # 298

An internal audit department recently established a quality assurance (QA) program. Which of the following activities Is MOST important to include as part of the QA program requirements?

A.

Long-term Internal audit resource planning

B.

Ongoing monitoring of the audit activities

C.

Analysis of user satisfaction reports from business lines

D.

Feedback from Internal audit staff

Full Access
Question # 299

An organization implemented a cybersecurity policy last year Which of the following is the GREATE ST indicator that the policy may need to be revised?

A.

A significant increase in authorized connections to third parties

B.

A significant increase in cybersecurity audit findings

C.

A significant increase in approved exceptions

D.

A significant increase in external attack attempts

Full Access
Question # 300

Which of the following is the MOST likely root cause of shadow IT in an organization?

A.

Lengthy approval for technology investment

B.

The opportunity to reduce software license fees

C.

Ease of use for cloud-based applications and services

D.

Approved software not meeting user requirements

Full Access
Question # 301

During a review, an IS auditor discovers that corporate users are able to access cloud-based applications and data any Internet-connected web browser. Which Of the following

is the auditor’s BEST recommendation to prevent unauthorized access?

A.

Implement an intrusion detection system (IDS),

B.

Update security policies and procedures.

C.

Implement multi-factor authentication.

D.

Utilize strong anti-malware controls on all computing devices.

Full Access
Question # 302

Which of the following is MOST important to consider when reviewing an organization ' s defined data backup and restoration procedures?

A.

Business continuity plan (BCP)

B.

Recovery point objective (RPO)

C.

Mean time to restore (MTTR)

D.

Mean time between failures (MTBF)

Full Access
Question # 303

An IS auditor is reviewing an organization that performs backups on local database servers every two weeks and does not have a formal policy to govern data backup and restoration procedures. Which of the following findings presents the GREATEST risk to the organization?

A.

Lack of offsite data backups

B.

Absence of a data backup policy

C.

Lack of periodic data restoration testing

D.

Insufficient data backup frequency

Full Access
Question # 304

An internal audit team is deciding whether to use an audit management application hosted by a third party in a different country.

What should be the MOST important consideration related to the uploading of payroll audit documentation in the hosted

application?

A.

Financial regulations affecting the organization

B.

Data center physical access controls whore the application is hosted

C.

Privacy regulations affecting the organization

D.

Per-unit cost charged by the hosting services provider for storage

Full Access
Question # 305

Which of the following should an IS auditor perform FIRST when auditing an outsourced human resource application?

A.

Verify that fees billed for the service are appropriate to the work performed.

B.

Review the terms and provisions in the contract.

C.

Implement data access rights consistent with the organization’s security policy.

D.

Verify that security incident reports are issued in a timely manner.

Full Access
Question # 306

Which of the following should be of GREATEST concern for an IS auditor reviewing an organization ' s disaster recovery plan (DRP)?

A.

The DRP has not been formally approved by senior management.

B.

The DRP has not been distributed to end users.

C.

The DRP has not been updated since an IT infrastructure upgrade.

D.

The DRP contains recovery procedures for critical servers only.

Full Access
Question # 307

An organization is shifting to a remote workforce In preparation the IT department is performing stress and capacity testing of remote access infrastructure and systems What type of control is being implemented?

A.

Directive

B.

Detective

C.

Preventive

D.

Compensating

Full Access
Question # 308

Which of the following MOST effectively detects transposition and transcription errors?

A.

Duplicate check

B.

Completeness check

C.

Sequence check

D.

Check digit

Full Access
Question # 309

The use of control totals reduces the risk of:

A.

posting to the wrong record.

B.

incomplete processing.

C.

improper backup.

D.

improper authorization.

Full Access
Question # 310

During an audit, the IS auditor finds that in many cases excessive rights were not removed from a system. Which of the following is the auditor ' s BEST recommendation?

A.

System administrators should ensure consistency of assigned rights.

B.

IT security should regularly revoke excessive system rights.

C.

Human resources (HR) should delete access rights of terminated employees.

D.

Line management should regularly review and request modification of access rights

Full Access
Question # 311

Which of the following would be an auditor ' s GREATEST concern when reviewing data inputs from spreadsheets into the core finance system?

A.

Undocumented code formats data and transmits directly to the database.

B.

There is not a complete inventory of spreadsheets, and file naming is inconsistent.

C.

The department data protection policy has not been reviewed or updated for two years.

D.

Spreadsheets are accessible by all members of the finance department.

Full Access
Question # 312

Which of the following is the GREATEST benefit of adopting an Agile audit methodology?

A.

Better ability to address key risks

B.

Less frequent client interaction

C.

Annual cost savings

D.

Reduced documentation requirements

Full Access
Question # 313

An IS auditor is examining a front-end subledger and a main ledger. Which of the following would be the GREATEST concern if there are flaws in the mapping of accounts between the two systems?

A.

Double-posting of a single journal entry

B.

Inability to support new business transactions

C.

Unauthorized alteration of account attributes

D.

Inaccuracy of financial reporting

Full Access
Question # 314

An IS auditor is concerned that unauthorized access to a highly sensitive data center might be gained by piggybacking or tailgating. Which of the following is the BEST recommendation? (Choose Correct answer and give explanation from CISA Certification - Information Systems Auditor official book)

A.

Biometrics

B.

Procedures for escorting visitors

C.

Airlock entrance

D.

Intruder alarms

Full Access
Question # 315

The BEST way for an IS auditor to validate that separation of duties has been implemented is to perform:

A.

A review of personnel files.

B.

An analysis of documented job descriptions.

C.

A review of the organizational chart.

D.

A walk-through of job functions.

Full Access
Question # 316

In data warehouse (DW) management, what is the BEST way to prevent data quality issues caused by changes from a source system?

A.

Configure data quality alerts to check variances between the data warehouse and the source system

B.

Require approval for changes in the extract/Transfer/load (ETL) process between the two systems

C.

Include the data warehouse in the impact analysis (or any changes m the source system

D.

Restrict access to changes in the extract/transfer/load (ETL) process between the two systems

Full Access
Question # 317

Which of the following provides the BEST evidence of the validity and integrity of logs in an organization ' s security information and event management (SIEM) system?

A.

Compliance testing

B.

Stop-or-go sampling

C.

Substantive testing

D.

Variable sampling

Full Access
Question # 318

During a project assessment, an IS auditor finds that business owners have been removed from the project initiation phase. Which of the following should be the auditor ' s GREATEST concern with this situation?

A.

Unrealistic milestones

B.

Inadequate deliverables

C.

Unclear benefits

D.

Incomplete requirements

Full Access
Question # 319

Which of the following is the PRIMARY benefit of a tabletop exercise for an incident response plan?

A.

It demonstrates the maturity of the incident response program.

B.

It reduces the likelihood of an incident occurring.

C.

It identifies deficiencies in the operating environment.

D.

It increases confidence in the team ' s response readiness.

Full Access
Question # 320

How does public key infrastructure (PKI) help to verify that a digitally signed document is not a forgery?

A.

By decrypting the signature with the signer’s public key

B.

By verifying the signature with the signer’s private key

C.

By checking the signature against the receiver’s public key

D.

By checking the signed document’s audit history

Full Access
Question # 321

Which of the following technologies has the SMALLEST maximum range for data transmission between devices?

A.

Wi-Fi

B.

Bluetooth

C.

Long-term evolution (LTE)

D.

Near-field communication (NFC)

Full Access
Question # 322

An IS auditor is evaluating the progress of a web-based customer service application development project. Which of the following would be MOST helpful for this evaluation?

A.

Backlog consumption reports

B.

Critical path analysis reports

C.

Developer status reports

D.

Change management logs

Full Access
Question # 323

When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor ' s BEST recommendation is to place an intrusion detection system (IDS) between the firewall and:

A.

the organization ' s web server.

B.

the demilitarized zone (DMZ).

C.

the organization ' s network.

D.

the Internet

Full Access
Question # 324

Which of the following would be of MOST concern for an IS auditor evaluating the design of an organization ' s incident management processes?

A.

Service management standards are not followed.

B.

Expected time to resolve incidents is not specified.

C.

Metrics are not reported to senior management.

D.

Prioritization criteria are not defined.

Full Access
Question # 325

Which of the following is an IS auditor ' s BEST recommendation to mitigate the risk of eavesdropping

associated with an application programming interface (API) integration implementation?

A.

Encrypt the extensible markup language (XML) file.

B.

Implement Transport Layer Security (TLS).

C.

Implement Simple Object Access Protocol (SOAP).

D.

Mask the API endpoints.

Full Access
Question # 326

Which of the following is the BEST methodology to use for estimating the complexity of developing a large business application?

A.

Function point analysis

B.

Work breakdown structure

C.

Critical path analysts

D.

Software cost estimation

Full Access
Question # 327

A global organization ' s policy states that all workstations must be scanned for malware each day. Which of the following would provide an IS auditor with the BEST evidence of continuous compliance with this policy?

A.

Penetration testing results

B.

Management attestation

C.

Anti-malware tool audit logs

D.

Recent malware scan reports

Full Access
Question # 328

Which of the following is the MOST important benefit of involving IS audit when implementing governance of enterprise IT?

A.

Identifying relevant roles for an enterprise IT governance framework

B.

Making decisions regarding risk response and monitoring of residual risk

C.

Verifying that legal, regulatory, and contractual requirements are being met

D.

Providing independent and objective feedback to facilitate improvement of IT processes

Full Access
Question # 329

An IS auditor is reviewing an organization ' s incident management processes and procedures. Which of the following observations should be the auditor ' s GREATEST concern?

A.

Ineffective post-incident review

B.

Ineffective incident prioritization

C.

Ineffective incident detection

D.

Ineffective incident classification

Full Access
Question # 330

Stress testing should ideally be earned out under a:

A.

test environment with production workloads.

B.

production environment with production workloads.

C.

production environment with test data.

D.

test environment with test data.

Full Access
Question # 331

Which of the following BEST demonstrates that IT strategy Is aligned with organizational goals and objectives?

A.

IT strategies are communicated to all Business stakeholders

B.

Organizational strategies are communicated to the chief information officer (CIO).

C.

Business stakeholders are Involved In approving the IT strategy.

D.

The chief information officer (CIO) is involved In approving the organizational strategies

Full Access
Question # 332

Which of the following would be MOST effective to protect information assets in a data center from theft by a vendor?

A.

Monitor and restrict vendor activities

B.

Issues an access card to the vendor.

C.

Conceal data devices and information labels

D.

Restrict use of portable and wireless devices.

Full Access
Question # 333

One advantage of managing an entire collection of projects as a portfolio is that it highlights the need to:

A.

Inform users about all ongoing projects.

B.

Manage the quality of each project.

C.

Identify dependencies between projects.

D.

Manage the risk of each individual project.

Full Access
Question # 334

An IS auditor noted a recent production incident in which a teller transaction system incorrectly charged fees to customers due to a defect from a recent release. Which of the following should be the auditor ' s NEXT step?

A.

Evaluate developer training.

B.

Evaluate the incident management process.

C.

Evaluate the change management process.

D.

Evaluate secure code practices.

Full Access
Question # 335

An organization relies on an external vendor that uses a cloud-based Software as a Service (SaaS) model to back up its data. Which of the following is the GREATEST risk to the organization related to data backup and retrieval?

A.

The organization may be locked into an unfavorable contract with the vendor.

B.

The vendor may be unable to restore critical data.

C.

The vendor may be unable to restore data by recovery time objective (RTO) requirements.

D.

The organization may not be allowed to inspect the vendor ' s data center.

Full Access
Question # 336

Which of the following BEST addresses the availability of an online store?

A.

RAID level 5 storage devices

B.

Online backups

C.

A mirrored site at another location

D.

Clustered architecture

Full Access
Question # 337

Which of the following provides the BEST evidence that system requirements are met when evaluating a project before implementation?

A.

Integration testing results

B.

Sign-off from senior management

C.

User acceptance testing (UAT) results

D.

Regression testing results

Full Access
Question # 338

Which of the following is the BEST way to enforce the principle of least privilege on a server containing data with different security classifications?

A.

Limiting access to the data files based on frequency of use

B.

Obtaining formal agreement by users to comply with the data classification policy

C.

Applying access controls determined by the data owner

D.

Using scripted access control lists to prevent unauthorized access to the server

Full Access
Question # 339

An IS auditor finds that while an organization ' s IT strategy is heavily focused on research and development, the majority of protects n the IT portfolio focus on operations and maintenance. Which of the Mowing is the BEST recommendation?

A.

Align the IT strategy will business objectives

B.

Review priorities in the IT portfolio

C.

Change the IT strategy to focus on operational excellence.

D.

Align the IT portfolio with the IT strategy.

Full Access
Question # 340

Audit observations should be FIRST communicated with the auditee:

A.

when drafting the report.

B.

during fieldwork.

C.

at the end of fieldwork.

D.

within the audit report

Full Access
Question # 341

Which of the following practices associated with capacity planning provides the GREATEST assurance that future incidents related to existing server performance will be prevented?

A.

Reviewing results from simulated high-demand stress test scenarios

B.

Performing a root cause analysis for past performance incidents

C.

Anticipating current service level agreements (SLAs) will remain unchanged

D.

Duplicating existing disk drive systems to improve redundancy and data storage

Full Access
Question # 342

Which of the following should be the FIRST step m managing the impact of a recently discovered zero-day attack?

A.

Evaluating the likelihood of attack

B.

Estimating potential damage

C.

Identifying vulnerable assets

D.

Assessing the Impact of vulnerabilities

Full Access
Question # 343

When reviewing an IT strategic plan, the GREATEST concern would be that

A.

an IT strategy committee has not been created

B.

the plan does not support relevant organizational goals.

C.

there are no key performance indicators (KPls).

D.

the plan was not formally approved by the board of directors

Full Access
Question # 344

Which of the following poses the GREATEST risk to the use of active RFID tags?

A.

Session hijacking

B.

Eavesdropping

C.

Piggybacking

D.

Phishing attacks

Full Access
Question # 345

Which of the following should be of GREATEST concern to an IS auditor reviewing system interfaces used to transfer publicly available information?

A.

A system interface tracking program is not enabled.

B.

The data has not been encrypted.

C.

Data is intercepted while in transit between systems.

D.

The data from the originating system differs from the downloaded data.

Full Access
Question # 346

IS management has recently disabled certain referential integrity controls in the database management system (DBMS) software to provide users increased query performance. Which of the following controls will MOST effectively compensate for the lack of referential integrity?

A.

More frequent data backups

B.

Periodic table link checks

C.

Concurrent access controls

D.

Performance monitoring tools

Full Access
Question # 347

During the planning phase of a data loss prevention (DLP) audit, management expresses a concern about mobile computing. Which of the following should the IS auditor identify as the

associated risk?

A.

Increased vulnerability due to anytime, anywhere accessibility

B.

Increased need for user awareness training

C.

The use of the cloud negatively impacting IT availability

D.

Lack of governance and oversight for IT infrastructure and applications

Full Access
Question # 348

An IS auditor notes that the previous year ' s disaster recovery test was not completed within the scheduled time frame due to insufficient hardware allocated by a third-party vendor. Which of the following provides the BEST evidence that adequate resources are now allocated to successfully recover the systems?

A.

Service level agreement (SLA)

B.

Hardware change management policy

C.

Vendor memo indicating problem correction

D.

An up-to-date RACI chart

Full Access
Question # 349

An IS auditor is reviewing how password resets are performed for users working remotely. Which type of documentation should be requested to understand the detailed steps required for this activity?

A.

Standards

B.

Guidelines

C.

Policies

D.

Procedures

Full Access
Question # 350

Due to limited storage capacity, an organization has decided to reduce the actual retention period for media containing completed low-value transactions. Which of the following is MOST important for the organization to ensure?

A.

The policy includes a strong risk-based approach.

B.

The retention period allows for review during the year-end audit.

C.

The retention period complies with data owner responsibilities.

D.

The total transaction amount has no impact on financial reporting

Full Access
Question # 351

Which of the following BEST helps to establish that digital evidence is in its original form and has not been tampered with?

A.

Imaging of digital media.

B.

Write-protecting media.

C.

Hash values.

D.

Chain of custody.

Full Access
Question # 352

When physical destruction IS not practical, which of the following is the MOST effective means of disposing of sensitive data on a hard disk?

A.

Overwriting multiple times

B.

Encrypting the disk

C.

Reformatting

D.

Deleting files sequentially

Full Access
Question # 353

Which of the following is the PRIMARY advantage of establishing a control self-assessment (CSA) program?

A.

Early detection of risk.

B.

Reduction in control cost.

C.

Improvement in audit rating processes.

D.

Engagement of senior management.

Full Access
Question # 354

During an audit of a multinational bank ' s disposal process, an IS auditor notes several findings. Which of the following should be the auditor ' s GREATEST concern?

A.

Backup media are not reviewed before disposal.

B.

Degaussing is used instead of physical shredding.

C.

Backup media are disposed before the end of the retention period

D.

Hardware is not destroyed by a certified vendor.

Full Access
Question # 355

Which of the following would be MOST important to include in an IS audit report?

A.

Observations not reported as findings due to inadequate evidence

B.

The roadmap for addressing the various risk areas

C.

The level of unmitigated risk along with business impact

D.

Specific technology solutions for each audit observation

Full Access
Question # 356

Which of the following is the PRIMARY benefit of performing periodic maturity model assessments?

A.

It identifies and fixes attribute weaknesses.

B.

It ensures organizational consistency and improvement.

C.

It acts as a measuring tool and progress indicator.

D.

It facilitates the execution of an improvement plan.

Full Access
Question # 357

When designing a data analytics process, which of the following should be the stakeholder ' s role in automating data extraction and validation?

A.

Indicating which data elements are necessary to make informed decisions

B.

Allocating the resources necessary to purchase the appropriate software packages

C.

Performing the business case analysis for the data analytics initiative

D.

Designing the workflow necessary for the data analytics tool to evaluate the appropriate data

Full Access
Question # 358

The PRIMARY reason for an IS auditor to perform a functional walk-through of a business process during the preliminary phase of an audit assignment is to:

A.

identify control weaknesses in the business process.

B.

optimize the business process.

C.

understand the key areas.

D.

understand the resource requirements.

Full Access
Question # 359

Data centers that want to prevent unauthorized personnel from entering during a power outage should ensure external access doors:

A.

Have physical key backup.

B.

Operate in fail-safe mode.

C.

Operate in fail-secure mode.

D.

Are alarmed and monitored.

Full Access
Question # 360

Which of the following is MOST important to include when developing a business continuity plan (BCP)?

A.

Criteria for triggering the plan

B.

Details of linked security policies

C.

Details of a comprehensive asset inventory

D.

Plans for addressing all types of threats

Full Access
Question # 361

A month after a company purchased and implemented system and performance monitoring software, reports were too large and therefore were not reviewed or acted upon The MOST effective plan of action would be to:

A.

evaluate replacement systems and performance monitoring software.

B.

restrict functionality of system monitoring software to security-related events.

C.

re-install the system and performance monitoring software.

D.

use analytical tools to produce exception reports from the system and performance monitoring software

Full Access
Question # 362

An IS auditor wants to verify alignment of the organization ' s business continuity plan (BCP) with the business strategy. Which of the following would be MOST helpful to review?

A.

Disaster recovery plan (DRP) testing results

B.

Business impact analysis (BIA)

C.

Corporate risk management policy

D.

Key performance indicators (KPIs)

Full Access
Question # 363

Which of the following will be the MOST effective method to verify that a service vendor keeps control levels as required by the client?

A.

Conduct periodic on-site assessments using agreed-upon criteria.

B.

Periodically review the service level agreement (SLA) with the vendor.

C.

Conduct an unannounced vulnerability assessment of vendor ' s IT systems.

D.

Obtain evidence of the vendor ' s control self-assessment (CSA).

Full Access
Question # 364

Which of the following is the MOST effective method to identify new errors introduced as a result of program changes?

A.

Unit testing.

B.

Interface testing.

C.

Integration testing.

D.

Regression testing.

Full Access
Question # 365

An organization used robotic process automation (RPA) technology to develop software bots that extract data from various sources for input into a legacy financial application. Which of the following should be of GREATEST concern to an IS auditor when reviewing the software bot job scheduling and production process automation?

A.

Minor overrides were not authorized by the business

B.

Software bots were incapable of learning from training data

C.

Software bots were programmed to record all user interactions, including mouse tracking

D.

Unauthorized modifications were made to the scripts to improve performance

Full Access
Question # 366

An IS auditor is reviewing the system development practices of an organization that is about to move from a Waterfall to an Agile approach. Which of the following is MOST important for the auditor to focus on as a result of this move?

A.

Secure code review

B.

Release management

C.

Capacity planning

D.

Code documentation

Full Access
Question # 367

Data Loss Prevention (DLP) tools provide the MOST protection against:

A.

The installation of unknown malware.

B.

Malicious programs running on organizational systems.

C.

The downloading of sensitive information to devices by employees.

D.

The sending of corrupt data files to external parties via email.

Full Access
Question # 368

Which of the following is the PRIMARY role of the IS auditor m an organization ' s information classification process?

A.

Securing information assets in accordance with the classification assigned

B.

Validating that assets are protected according to assigned classification

C.

Ensuring classification levels align with regulatory guidelines

D.

Defining classification levels for information assets within the organization

Full Access
Question # 369

Several unattended laptops containing sensitive customer data were stolen from personnel offices Which of the following would be an IS auditor ' s BEST recommendation to protect data in case of recurrence?

A.

Encrypt the disk drive.

B.

Require two-factor authentication

C.

Enhance physical security

D.

Require the use of cable locks

Full Access
Question # 370

To confirm integrity for a hashed message, the receiver should use:

A.

the same hashing algorithm as the sender ' s to create a binary image of the file.

B.

a different hashing algorithm from the sender ' s to create a binary image of the file.

C.

the same hashing algorithm as the sender ' s to create a numerical representation of the file.

D.

a different hashing algorithm from the sender ' s to create a numerical representation of the file.

Full Access
Question # 371

An IS auditor is reviewing an organizations release management practices and observes inconsistent and inaccurate estimation of the size and complexity of business application development projects. Which of the following should the auditor recommend to address this issue?

A.

Critical path methodology

B.

Agile development approach

C.

Function point analysis

D.

Rapid application development

Full Access
Question # 372

Which of the following will provide the GREATEST assurance to IT management that a quality management system (QMS) is effective?

A.

A high percentage of stakeholders satisfied with the quality of IT

B.

A high percentage of IT processes reviewed by quality assurance (QA)

C.

A high percentage of incidents being quickly resolved

D.

A high percentage of IT employees attending quality training

Full Access
Question # 373

Management has agreed to move the organization ' s data center due to recent flood map changes in its current location. Which risk response has been adopted?

A.

Risk elimination

B.

Risk transfer

C.

Risk acceptance

D.

Risk avoidance

Full Access
Question # 374

What should an IS auditor do FIRST when management responses

to an in-person internal control questionnaire indicate a key internal

control is no longer effective?

A.

Determine the resources required to make the controleffective.

B.

Validate the overall effectiveness of the internal control.

C.

Verify the impact of the control no longer being effective.

D.

Ascertain the existence of other compensating controls.

Full Access
Question # 375

An IS auditor is reviewing a network diagram. Which of the following would be the BEST location for placement of a firewall?

A.

Between each host and the local network switch/hub

B.

Between virtual local area networks (VLANs)

C.

Inside the demilitarized zone (DMZ)

D.

At borders of network segments with different security levels

Full Access
Question # 376

An organization has made a strategic decision to split into separate operating entities to improve profitability. However, the IT infrastructure remains shared between the entities. Which of the following would BEST help to ensure that IS audit still covers key risk areas within the IT environment as part of its annual plan?

A.

Increasing the frequency of risk-based IS audits for each business entity

B.

Developing a risk-based plan considering each entity ' s business processes

C.

Conducting an audit of newly introduced IT policies and procedures

D.

Revising IS audit plans to focus on IT changes introduced after the split

Full Access
Question # 377

When auditing the feasibility study of a system development project, the IS auditor should:

A.

review qualifications of key members of the project team.

B.

review the request for proposal (RFP) to ensure that it covers the scope of work.

C.

review cost-benefit documentation for reasonableness.

D.

ensure that vendor contracts are reviewed by legal counsel.

Full Access
Question # 378

Which of the following audit evidence collection procedures is MOST reliable?

A.

Inspecting paper documentation obtained from an independent third party

B.

Inspecting system-generated evidence provided by a control owner

C.

Examining critical data received from an auditee

D.

Performing manual procedures independently from a control owner

Full Access
Question # 379

Of the following who should be responsible for cataloging and inventorying robotic process automation (RPA) processes?

A.

IT personnel

B.

Business owner

C.

Information security personnel

D.

Data steward

Full Access
Question # 380

Which of the following is the BEST way to mitigate risk to an organization ' s network associated with devices permitted under a bring your own device (BYOD) policy?

A.

Require personal devices to be reviewed by IT staff.

B.

Enable port security on all network switches.

C.

Implement a network access control system.

D.

Ensure the policy requires antivirus software on devices.

Full Access
Question # 381

Which of the following would be of GREATEST concern to an IS auditor reviewing an IT strategy document?

A.

The previous year’s IT strategic goals were not achieved.

B.

Target architecture is defined at a technical level.

C.

Financial estimates of new initiatives are disclosed within the document.

D.

Strategic IT goals are derived solely from the latest market trends.

Full Access
Question # 382

An IS auditor finds that an IT manager recently changed a Software as a Service (SaaS) provider contract in an effort to cut costs. The new contract increases the time to resolve incidents. Which of the following should be the auditor’s GREATEST concern?

A.

The new contract is not in compliance with IT security policy.

B.

Alternative cost-reduction methods were not considered.

C.

The impact on business processes has not been evaluated.

D.

The corresponding service level agreement (SLA) was not modified.

Full Access
Question # 383

An IS auditor finds that some employees are using public cloud-based AI tools. Which of the following presents the GREATEST concern?

A.

Data reliability

B.

Cost overruns

C.

Copyright infringements

D.

Data leakage

Full Access
Question # 384

Which of the following should be of GREATEST concern to an IS auditor reviewing data conversion and migration during the implementation of a new application system?

A.

Backups of the old system and data are not available online

B.

The change management process was not formally documented

C.

Data conversion was performed using manual processes

D.

Unauthorized data modifications occurred during conversion

Full Access
Question # 385

Which of the following would provide the BEST evidence of an IT strategy corrections effectiveness?

A.

The minutes from the IT strategy committee meetings

B.

Synchronization of IT activities with corporate objectives

C.

The IT strategy committee charier

D.

Business unit satisfaction survey results

Full Access
Question # 386

An IS auditor is evaluating the risk associated with moving from one database management system (DBMS) to another. Which of the following would be MOST helpful to ensure the integrity of the system throughout the change?

A.

Preserving the same data classifications

B.

Preserving the same data inputs

C.

Preserving the same data structure

D.

Preserving the same data interfaces

Full Access
Question # 387

Which of the following environments is BEST used for copying data and transformation into a compatible data warehouse format?

A.

Testing

B.

Replication

C.

Staging

D.

Development

Full Access
Question # 388

A system experiences multiple recurring processing errors. Which of the following is the PRIMARY concern for an IS auditor?

A.

Inefficient incident management

B.

Lack of problem management

C.

Lack of change management

D.

Inefficient project management

Full Access
Question # 389

Which of the following would an IS auditor recommend as the MOST effective preventive control to reduce the risk of data leakage?

A.

Ensure that paper documents arc disposed security.

B.

Implement an intrusion detection system (IDS).

C.

Verify that application logs capture any changes made.

D.

Validate that all data files contain digital watermarks

Full Access
Question # 390

The PRIMARY focus of a post-implementation review is to verify that:

A.

enterprise architecture (EA) has been complied with.

B.

user requirements have been met.

C.

acceptance testing has been properly executed.

D.

user access controls have been adequately designed.

Full Access
Question # 391

Which of the following provides an IS auditor assurance that the interface between a point-of-sale (POS) system and the general ledger is transferring sales data completely and accurately?

A.

Electronic copies of customer sales receipts are maintained.

B.

Monthly bank statements are reconciled without exception.

C.

Nightly batch processing has been replaced with real-time processing.

D.

The data transferred over the POS interface is encrypted.

Full Access
Question # 392

Which of the following activities provides an IS auditor with the MOST insight regarding potential single person dependencies that might exist within the organization?

A.

Reviewing vacation patterns

B.

Reviewing user activity logs

C.

Interviewing senior IT management

D.

Mapping IT processes to roles

Full Access
Question # 393

Which of the following should be the role of internal audit in an organization’s move to the cloud?

A.

Mitigating risk to an acceptable level.

B.

Assessing key controls that support the migration.

C.

Implementing security controls for data prior to migration.

D.

Identifying impacts to organizational budgets and resources.

Full Access
Question # 394

Which of the following is the BEST way to verify the effectiveness of a data restoration process?

A.

Performing periodic reviews of physical access to backup media

B.

Performing periodic complete data restorations

C.

Validating off ne backups using software utilities

D.

Reviewing and updating data restoration policies annually

Full Access
Question # 395

The PRIMARY reason to assign data ownership for protection of data is to establish:

A.

reliability.

B.

traceability.

C.

authority,

D.

accountability.

Full Access
Question # 396

The performance, risks, and capabilities of an IT infrastructure are BEST measured using a:

A.

risk management review

B.

control self-assessment (CSA).

C.

service level agreement (SLA).

D.

balanced scorecard.

Full Access
Question # 397

Which type of attack poses the GREATEST risk to an organization ' s most sensitive data?

A.

Password attack

B.

Eavesdropping attack

C.

Insider attack

D.

Spear phishing attack

Full Access
Question # 398

The PRIMARY role of an IS auditor in the remediation of problems found during an audit engagement is to:

A.

help auditee management by providing the solution.

B.

explain the findings and provide general advice.

C.

present updated policies to management for approval.

D.

take ownership of the problems and oversee remediation efforts.

Full Access
Question # 399

Which of the following provides the MOST protection against emerging threats?

A.

Demilitarized zone (DMZ)

B.

Heuristic intrusion detection system (IDS)

C.

Real-time updating of antivirus software

D.

Signature-based intrusion detection system (IDS)

Full Access
Question # 400

Which of the following should an IS auditor review FIRST when planning a customer data privacy audit?

A.

Legal and compliance requirements

B.

Customer agreements

C.

Data classification

D.

Organizational policies and procedures

Full Access
Question # 401

Which of the following is the MOST important advantage of participating in beta testing of software products?

A.

It increases an organization ' s ability to retain staff who prefer to work with new technology.

B.

It improves vendor support and training.

C.

It enhances security and confidentiality.

D.

It enables an organization to gain familiarity with new products and their functionality.

Full Access
Question # 402

A small organization is experiencing rapid growth and plans to create a new information security policy. Which of the following is MOST relevant to creating the policy?

A.

Business objectives

B.

Business impact analysis (BIA)

C.

Enterprise architecture (EA)

D.

Recent incident trends

Full Access
Question # 403

The PRIMARY goal of capacity management is to:

A.

minimize data storage needs across the organization.

B.

provide necessary IT resources to meet business requirements.

C.

minimize system idle time to optimize cost.

D.

ensure that IT teams have sufficient personnel.

Full Access
Question # 404

An IT strategic plan that BEST leverages IT in achieving organizational goals will include:

A.

a comparison of future needs against current capabilities.

B.

a risk-based ranking of projects.

C.

enterprise architecture (EA) impacts.

D.

IT budgets linked to the organization ' s budget.

Full Access
Question # 405

The following findings are the result of an IS auditor ' s post-implementation review of a newly implemented system. Which of the following findings is of GREATEST significance?

A.

A lessons-learned session was never conducted.

B.

The projects 10% budget overrun was not reported to senior management.

C.

Measurable benefits were not defined.

D.

Monthly dashboards did not always contain deliverables.

Full Access
Question # 406

In a high-volume, real-time system, the MOST effective technique by which to continuously monitor and analyze transaction processing is:

A.

integrated test facility (ITF).

B.

parallel simulation.

C.

transaction tagging.

D.

embedded audit modules.

Full Access
Question # 407

Which type of control has been established when an organization implements a security information and event management (SIEM) system?

A.

Preventive

B.

Detective

C.

Directive

D.

Corrective

Full Access
Question # 408

Which of the following is the PRIMARY objective of enterprise architecture (EA)?

A.

Maintaining detailed system documentation

B.

Managing and planning for IT investments

C.

Executing customized development and delivery of projects

D.

Enforcing the IT policy across the organization

Full Access
Question # 409

Which of the following provides the BEST providence that outsourced provider services are being properly managed?

A.

The service level agreement (SLA) includes penalties for non-performance.

B.

Adequate action is taken for noncompliance with the service level agreement (SLA).

C.

The vendor provides historical data to demonstrate its performance.

D.

Internal performance standards align with corporate strategy.

Full Access
Question # 410

In the case of a disaster where the data center is no longer available, which of the following tasks should be done FIRST?

A.

Perform data recovery.

B.

Arrange for a secondary site.

C.

Analyze risk.

D.

Activate the call tree.

Full Access
Question # 411

A global company has been using a publicly available AI tool to obtain information about global laws and regulations that could impact the business. Which of the following should be of MOST concern to an IS auditor?

A.

Accuracy and quality of the data provided by the AI tool

B.

Whether the organization is using a paid version of the AI tool

C.

Version and provider of the AI tool being utilized

D.

Whether the tool is utilized by competitors in the same industry

Full Access
Question # 412

Which of the following is the MOST efficient solution for a multi-location healthcare organization that wants to be able to access patient data wherever patients present themselves

for care?

A.

Infrastructure as a Service (laaS) provider

B.

Software as a Service (SaaS) provider

C.

Network segmentation

D.

Dynamic localization

Full Access
Question # 413

A secure server room has a badge reader system that records name, date, and time information whenever a staff member uses a badge to enter or exit. When reviewing the system logs, an IS auditor notices records for some employees entering, but not exiting, the room. Which of the following would be the MOST effective compensating control to recommend?

A.

Installing security cameras at the doors

B.

Changing to a biometric access control system

C.

Implementing a monitored mantrap at entrance and exit points

D.

Requiring two-factor authentication at entrance and exit points

Full Access
Question # 414

Data from a system of sensors located outside of a network is received by the open ports on a server. Which of the following is the BEST way to ensure the integrity of the data being collected from the sensor system?

A.

Route the traffic from the sensor system through a proxy server.

B.

Hash the data that is transmitted from the sensor system.

C.

Implement network address translation on the sensor system.

D.

Transmit the sensor data via a virtual private network (VPN) to the server.

Full Access
Question # 415

Which of the following is the MOST important consideration for a contingency facility?

A.

The contingency facility has the same badge access controls as the primary site.

B.

Both the contingency facility and the primary site have the same number of business assets in their inventory.

C.

The contingency facility is located a sufficient distance away from the primary site.

D.

Both the contingency facility and the primary site are easily identifiable.

Full Access
Question # 416

An organization that has decided to approve the use of end-user computing (EUC) should FIRST ensure:

A.

a business impact analysis (BIA) is conducted.

B.

EUC controls are reviewed.

C.

EUC use cases are assessed and documented.

D.

an EUC policy is developed.

Full Access
Question # 417

When auditing the security architecture of an online application, an IS auditor should FIRST review the:

A.

firewall standards.

B.

configuration of the firewall

C.

firmware version of the firewall

D.

location of the firewall within the network

Full Access
Question # 418

Prior to a follow-up engagement, an IS auditor learns that management has decided to accept a level of residual risk related to an audit finding without remediation. The IS auditor is concerned about management ' s decision. Which of the following should be the IS auditor ' s NEXT course of action?

A.

Accept management ' s decision and continue the follow-up.

B.

Report the issue to IS audit management.

C.

Report the disagreement to the board.

D.

Present the issue to executive management.

Full Access
Question # 419

The charging method that effectively encourages the MOST efficient use of IS resources is:

A.

specific charges that can be tied back to specific usage.

B.

total utilization to achieve full operating capacity.

C.

residual income in excess of actual incurred costs.

D.

allocations based on the ability to absorb charges.

Full Access
Question # 420

Which of the following should be of GREATEST concern to an IS auditor reviewing a network printer disposal process?

A.

Disposal policies and procedures are not consistently implemented

B.

Evidence is not available to verify printer hard drives have been sanitized prior to disposal.

C.

Business units are allowed to dispose printers directly to

D.

Inoperable printers are stored in an unsecured area.

Full Access
Question # 421

During a follow-up audit, an IS auditor learns that management has deferred the implementation of a previously agreed-upon recommendation. What is the responsibility of the auditor?

A.

Assess the impact of any risks the decision may pose to the organization.

B.

Amend the final report to reflect the decision to defer the implementation.

C.

Obtain commitment from management to implement the recommendation.

D.

Report the decision to defer the implementation to the steering committee.

Full Access
Question # 422

An IS auditor evaluating the change management process must select a sample from the change log. What is the BEST way to the auditor to confirm the change log is complete?

A.

Interview change management personnel about completeness.

B.

Take an item from the log and trace it back to the system.

C.

Obtain management attestation of completeness.

D.

Take the last change from the system and trace it back to the log.

Full Access
Question # 423

An IS auditor is reviewing an artificial intelligence (Al) and expert system application. The system has produced several critical errors with severe impact. Which of the following should the IS auditor do NEXT to understand the cause of the errors?

A.

Review the decision-making logic built into the system.

B.

Interview the system owner.

C.

Understand the purpose and functionality of the system.

D.

Verify system adherence to corporate policy.

Full Access
Question # 424

What is BEST for an IS auditor to review when assessing the effectiveness of changes recently made to processes and tools related to an organization ' s business continuity plan (BCP)?

A.

Full test results

B.

Completed test plans

C.

Updated inventory of systems

D.

Change management processes

Full Access
Question # 425

Which of the following is the PRIMARY purpose of a business impact analysts (BIA) in an organization ' s overall risk management strategy?

A.

Evaluating business investment opportunities for the organization

B.

Identifying critical business processes to effectively prioritize recovery efforts

C.

Ensuring compliance with regulations through regular audits

D.

Conducting vulnerability assessments to enhance network security measures

Full Access
Question # 426

Which of the following methods BEST enforces data leakage prevention in a multi-tenant cloud environment?

A.

Monitoring tools are configured to alert in case of downtime

B.

A comprehensive security review is performed every quarter.

C.

Data for different tenants is segregated by database schema

D.

Tenants are required to implement data classification polices

Full Access
Question # 427

The PRIMARY reason to perform a capacity management review of technology resources is to ensure that:

A.

infrastructure and processes can meet current and future business needs.

B.

available capacity is operated in a secure and compliant manner.

C.

technology resource acquisitions align with current needed capacity.

D.

technology resource capacity requirements are properly defined.

Full Access
Question # 428

An IS auditor has been asked to assess the security of a recently migrated database system that contains personal and financial data for a bank ' s customers. Which of the following controls is MOST important for the auditor to confirm is in place?

A.

The default configurations have been changed.

B.

All tables in the database are normalized.

C.

The service port used by the database server has been changed.

D.

The default administration account is used after changing the account password.

Full Access
Question # 429

Which of the following would the IS auditor MOST likely review to determine whether modifications to the operating system parameters were authorized?

A.

Documentation of exit routines

B.

System initialization logs

C.

Change control log

D.

Security system parameters

Full Access
Question # 430

An organization has developed mature risk management practices that are followed across all departments What is the MOST effective way for the audit team to leverage this risk management maturity?

A.

Implementing risk responses on management ' s behalf

B.

Integrating the risk register for audit planning purposes

C.

Providing assurances to management regarding risk

D.

Facilitating audit risk identification and evaluation workshops

Full Access
Question # 431

Which of the following findings should be of GREATEST concern to an IS auditor performing a review of IT operations?

A.

The job scheduler application has not been designed to display pop-up error messages.

B.

Access to the job scheduler application has not been restricted to a maximum of two staff members

C.

Operations shift turnover logs are not utilized to coordinate and control the processing environment

D.

Changes to the job scheduler application ' s parameters are not approved and reviewed by an operations supervisor

Full Access
Question # 432

Which of the following is the BEST sampling method to use when relatively few errors are expected to be found in a population?

A.

Variable sampling

B.

Judgmental sampling

C.

Stop-or-go sampling

D.

Discovery sampling

Full Access
Question # 433

External audits have identified recurring exceptions in the user termination process, despite similar internal audits having reported no exceptions in the past. Which of the following is the IS auditor ' s BEST course of action to improve the internal audit process in the future?

A.

Include the user termination process in all upcoming audits.

B.

Review user termination process changes.

C.

Review the internal audit sampling methodology.

D.

Review control self-assessment (CSA) results.

Full Access
Question # 434

An IS auditor follows up on a recent security incident and finds the incident response was not adequate. Which of the following findings should be considered MOST critical?

A.

The security weakness facilitating the attack was not identified.

B.

The attack was not automatically blocked by the intrusion detection system (IDS).

C.

The attack could not be traced back to the originating person.

D.

Appropriate response documentation was not maintained.

Full Access
Question # 435

Which of the following is the BEST indicator of the effectiveness of an organization ' s incident response program?

A.

Number of successful penetration tests

B.

Percentage of protected business applications

C.

Financial impact per security event

D.

Number of security vulnerability patches

Full Access
Question # 436

An IS auditor notes that several employees are spending an excessive amount of time using social media sites for personal reasons. Which of the following should the auditor recommend be performed FIRST?

A.

Implement a process to actively monitor postings on social networking sites.

B.

Adjust budget for network usage to include social media usage.

C.

Use data loss prevention (DLP) tools on endpoints.

D.

implement policies addressing acceptable usage of social media during working hours.

Full Access
Question # 437

Which of the following is a social engineering attack method?

A.

An employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone.

B.

A hacker walks around an office building using scanning tools to search for a wireless network to gain access.

C.

An intruder eavesdrops and collects sensitive information flowing through the network and sells it to third parties.

D.

An unauthorized person attempts to gain access to secure premises by following an authorized person through a secure door.

Full Access
Question # 438

A finance department has a multi-year project to upgrade the enterprise resource planning (ERP) system hosting the general ledger. and in year one, the system version upgrade will be applied. Which of the following should be the PRIMARY focus of the IS auditor reviewing the first year of the project?

A.

unit testing

B.

Network performance

C.

User acceptance testing (UAT)

D.

Regression testing

Full Access
Question # 439

Which of the following observations should be of GREATEST concern to an IS auditor performing an audit of change and release management controls for a new complex system developed by a small in-house IT team?

A.

Access to change testing strategy and results is not restricted to staff outside the IT team.

B.

Some user acceptance testing (IJAT) was completed by members of the IT team.

C.

IT administrators have access to the production and development environment

D.

Post-implementation testing is not conducted for all system releases.

Full Access
Question # 440

During an exit interview, senior management disagrees with some of me facts presented m the draft audit report and wants them removed from the report. Which of the following would be the auditor ' s BEST course of action?

A.

Revise the assessment based on senior management ' s objections.

B.

Escalate the issue to audit management.

C.

Finalize the draft audit report without changes.

D.

Gather evidence to analyze senior management ' s objections

Full Access
Question # 441

When testing the accuracy of transaction data, which of the following situations BEST justifies the use of a smaller sample size?

A.

The IS audit staff has a high level of experience.

B.

It is expected that the population is error-free.

C.

Proper segregation of duties is in place.

D.

The data can be directly changed by users.

Full Access
Question # 442

Which of the following is the PRIMARY advantage of parallel processing for a new system implementation?

A.

Assurance that the new system meets functional requirements

B.

More time for users to complete training for the new system

C.

Significant cost savings over other system implemental or approaches

D.

Assurance that the new system meets performance requirements

Full Access
Question # 443

Which of the following is the PRIMARY advantage of a decentralized database architecture over a centralized architecture?

A.

The risk and the impact of a denial of service (DoS) attack is reduced.

B.

Data can be more easily synchronized in real time over public networks.

C.

Transactions performed in a decentralized environment are more consistent.

D.

Uniform security policies can be applied more easily.

Full Access
Question # 444

Which of the following tests would provide the BEST assurance that a health care organization is handling patient data appropriately?

A.

Compliance with action plans resulting from recent audits

B.

Compliance with local laws and regulations

C.

Compliance with industry standards and best practice

D.

Compliance with the organization ' s policies and procedures

Full Access
Question # 445

Which of the following is the MAIN risk associated with adding a new system functionality during the development phase without following a project change

management process?

A.

The added functionality has not been documented.

B.

The new functionality may not meet requirements.

C.

The project may fail to meet the established deadline.

D.

The project may go over budget.

Full Access
Question # 446

Which of the following is the MOST significant risk to an organization migrating its onsite application servers to a public cloud service provider?

A.

Service provider access to organizational data

B.

Account hacking from other clients using the same provider

C.

Increased dependency on an external provider

D.

Service provider limiting the right to audit

Full Access
Question # 447

A new system is being developed externally for an organization. Which of the following is the MOST important requirement to include in the vendor contract to ensure service continuity?

A.

Support documentation must be provided by the vendor.

B.

The vendor must have a documented disaster recovery plan (DRP) in place.

C.

Source code for the software must be placed in escrow.

D.

The vendor must train the organization’s staff to manage the new software.

Full Access
Question # 448

During a follow-up engagement, an IS auditor confirms evidence of a problem that was not an issue in the original audit. Which of the following is the auditor ' s BEST course of action?

A.

Include the evidence as part of a future audit.

B.

Report only on the areas within the scope of the follow-up.

C.

Report the risk to management in the follow-up report.

D.

Expand the follow-up scope to include examining the evidence.

Full Access
Question # 449

Which of the following is the PRIMARY reason for an IS audit manager to review the work performed by a senior IS auditor prior to presentation of a report?

A.

To ensure the conclusions are adequately supported

B.

To ensure adequate sampling methods were used during fieldwork

C.

To ensure the work is properly documented and filed

D.

To ensure the work is conducted according to industry standards

Full Access
Question # 450

An organization with many desktop PCs is considering moving to a thin client architecture. Which of the following is the MAJOR advantage?

A.

The security of the desktop PC is enhanced.

B.

Administrative security can be provided for the client.

C.

Desktop application software will never have to be upgraded.

D.

System administration can be better managed

Full Access
Question # 451

Which of the following is the PRIMARY benefit of introducing business impact analyses (BIAs) to business resiliency strategies?

A.

It identifies legal obligations that may be incurred as a result of business service disruptions

B.

It provides updates on the risk level of disasters that may occur

C.

It delineates employee responsibilities that the organization must fulfill in a crisis

D.

It helps prioritize the restoration of systems and applications

Full Access
Question # 452

During a disaster recovery audit, an IS auditor finds that a business impact analysis (BIA) has not been performed. The auditor should FIRST

A.

perform a business impact analysis (BIA).

B.

issue an intermediate report to management.

C.

evaluate the impact on current disaster recovery capability.

D.

conduct additional compliance testing.

Full Access
Question # 453

An IS audit team is evaluating documentation of the most recent application user access review. It is determined that the user list was not system generated. Which of the following should be of

MOST concern?

A.

Confidentiality of the user list

B.

Timeliness of the user list review

C.

Completeness of the user list

D.

Availability of the user list

Full Access
Question # 454

Which of the following provides the MOST comprehensive information about inherent risk within an organization?

A.

Risk assessments.

B.

Risk-based audit findings.

C.

Peer benchmarking.

D.

Business impact analysis (BIA).

Full Access
Question # 455

An organization has implemented a new data classification scheme and asks the IS auditor to evaluate its effectiveness. Which of the following would be of

GREATEST concern to the auditor?

A.

End-user managers determine who should access what information.

B.

The organization has created a dozen different classification categories.

C.

The compliance manager decides how the information should be classified.

D.

The organization classifies most of its information as confidential.

Full Access
Question # 456

Which of the following is MOST critical for the effective implementation of IT governance?

A.

Strong risk management practices

B.

Internal auditor commitment

C.

Supportive corporate culture

D.

Documented policies

Full Access
Question # 457

An IS auditor is reviewing an IT project and finds that an earned value analysis (EVA) is not regularly performed as part of project status reporting. Which of the following is the GREATEST risk resulting from this situation?

A.

Resources might not be assigned and prioritized in a timely manner.

B.

Time and budget overruns might not be identified in a timely manner.

C.

The project might not be compliant with project management standards.

D.

Business requirements may not be properly benchmarked.

Full Access
Question # 458

Which of the following is the MOST important consideration when defining an operational log management strategy?

A.

Stakeholder requirements

B.

Audit recommendations

C.

Industry benchmarking

D.

Event response procedures

Full Access
Question # 459

An IS auditor has found that a vendor has gone out of business and the escrow has an older version of the source code. What is the auditor ' s BEST recommendation for the organization?

A.

Analyze a new application that moots the current re

B.

Perform an analysis to determine the business risk

C.

Bring the escrow version up to date.

D.

Develop a maintenance plan to support the application using the existing code

Full Access
Question # 460

Which of the following BEST supports the effectiveness of a compliance program?

A.

Implementing an awareness plan regarding compliance regulation requirements

B.

Implementing a governance, risk, and compliance (GRC) tool to track compliance to regulations

C.

Assessing and tracking all compliance audit findings

D.

Monitoring which compliance regulations apply to the organization

Full Access
Question # 461

Which of the following is an IS auditor’s BEST recommendation for conducting a forensic investigation of the contents on a hard drive?

A.

Make an image of the hard drive for investigation and save the original drive in a secure place.

B.

Investigate the original hard drive to ensure it has not been tampered with.

C.

Ask the user of the endpoint to make a copy of the hard drive and provide it to the auditor for investigation.

D.

Shut down the computer in order to preserve the evidence, disconnect it from the network, and restart.

Full Access
Question # 462

Which of the following documents would be MOST useful in detecting a weakness in segregation of duties?

A.

System flowchart

B.

Data flow diagram

C.

Process flowchart

D.

Entity-relationship diagram

Full Access
Question # 463

An incident response team has been notified of a virus outbreak in a network subnet. Which of the following should be the NEXT step?

A.

Verify that the compromised systems are fully functional

B.

Focus on limiting the damage

C.

Document the incident

D.

Remove and restore the affected systems

Full Access
Question # 464

A finance department has a two-year project to upgrade the enterprise resource planning (ERP) system hosting the general ledger in year one the system version upgrade will be applied and in year two business processes will be updated to implement new system functionality. Which of the following should be the PRIMARY focus of an IS auditor reviewing the second year of the implementation ' ?

A.

Data migration

B.

Sociability testing

C.

User acceptance testing (UAT)

D.

Initial user access provisioning

Full Access
Question # 465

When reviewing a business case for a proposed implementation of a third-party system, which of the following should be an IS auditor ' s GREATEST concern?

A.

Lack of ongoing maintenance costs

B.

Lack of training materials

C.

Lack of plan for pilot implementation

D.

Lack of detailed work breakdown structure

Full Access
Question # 466

Which of the following is the PRIMARY advantage of using virtualization technology for corporate applications?

A.

Stronger data security

B.

Better utilization of resources

C.

Increased application performance

D.

Improved disaster recovery

Full Access
Question # 467

During the course of an IS audit, management verbally agreed with an issue identified by the IS auditor. However, when presented in a draft report, management disagreed with the finding. What should the auditor do NEXT?

A.

Rewrite the finding according to management’s suggestion.

B.

Discontinue further consultation and issue a final report as written.

C.

Provide evidence for the finding and request a follow-up meeting.

D.

Report the matter immediately to the chair of the audit committee.

Full Access
Question # 468

An organization ' s payroll department recently implemented a new Software as a Service (SaaS) tool for payment processing. Which of the following audits is MOST appropriate for an IS auditor to validate that the new tool is configured as expected to meet performance requirements?

A.

Financial audit

B.

Administrative audit

C.

Functional audit

D.

Compliance audit

Full Access
Question # 469

Compared to developing a system in-house, acquiring a software package means that the need for testing by end users is:

A.

eliminated

B.

unchanged

C.

increased

D.

reduced

Full Access
Question # 470

Which of the following is the MOST important course of action to ensure a cloud access security broker (CASB) effectively detects and responds to threats?

A.

Monitoring data movement

B.

Implementing a long-term CASB contract

C.

Reviewing the information security policy

D.

Evaluating firewall effectiveness

Full Access
Question # 471

An IS auditor is reviewing the service agreement with a technology company that provides IT help desk services to the organization. Which of the following monthly performance

metrics is the BEST indicator of service quality?

A.

The total number of users requesting help desk services

B.

The average call waiting time on each request

C.

The percent of issues resolved by the first contact

D.

The average turnaround time spent on each reported issue

Full Access
Question # 472

Which of the following is the BEST testing approach to facilitate rapid identification of application interface errors?

A.

Integration testing

B.

Regression testing

C.

Automated testing

D.

User acceptance testing (UAT)

Full Access
Question # 473

In which of the following sampling methods is the entire sample considered to be irregular if a single error is found?

A.

Discovery sampling

B.

Variable sampling

C.

Stop-or-go sampling

D.

Judgmental sampling

Full Access
Question # 474

Which of the following should an IS auditor expect to find when reviewing an IT metrics dashboard?

A.

An assessment of how senior management evaluates the IT department.

B.

An assessment of how senior management evaluates IT portfolio performance.

C.

An assessment of controls needed to mitigate risks.

D.

An assessment of business processes.

Full Access
Question # 475

An IS auditor is reviewing logical access controls for an organization ' s financial business application Which of the following findings should be of GREATEST concern to the auditor?

A.

Users are not required to change their passwords on a regular basis

B.

Management does not review application user activity logs

C.

User accounts are shared between users

D.

Password length is set to eight characters

Full Access
Question # 476

An IS auditor has discovered that a software system still in regular use is years out of date and no longer supported the auditee has stated that it will take six months until the software is running on the current version. Which of the following is the BEST way to reduce the immediate risk associated with using an unsupported version of the software?

A.

Verify all patches have been applied to the software system ' s outdated version

B.

Close all unused ports on the outdated software system.

C.

Segregate the outdated software system from the main network.

D.

Monitor network traffic attempting to reach the outdated software system.

Full Access
Question # 477

Which of the following is a detective control?

A.

Programmed edit checks for data entry

B.

Backup procedures

C.

Use of pass cards to gain access to physical facilities

D.

Verification of hash totals

Full Access
Question # 478

An IS auditor reviewing an organization’s online payment system finds that the system sometimes duplicates payments. Which control will BEST compensate for this weakness?

A.

Using hash totals

B.

Performing a bank reconciliation

C.

Manually receipting payments

D.

Using control totals

Full Access