Which of the following BEST demonstrates to senior management and the board that an audit function is compliant with standards and the code of ethics?
Which of the following should be an IS auditor ' s GREATEST consideration when scheduling follow-up activities for agreed-upon management responses to remediate audit observations?
During the implementation of an upgraded enterprise resource planning (ERP) system, which of the following is the MOST important consideration for a go-live decision?
An IS auditor is asked to provide feedback on the systems options analysis for a new project. The BEST course of action for the IS auditor would be to:
During an organization ' s implementation of a data loss prevention (DLP) solution, which of the following activities should be completed FIRST?
When reviewing a project to replace multiple manual data entry systems with an artificial intelligence (Al) system, the IS auditor should be MOST concerned with the impact Al will have on
The use of which of the following would BEST enhance a process improvement program?
Which of the following provides the GREATEST assurance that a middleware application compiling data from multiple sales transaction databases for forecasting is operating effectively?
An IS auditor is reviewing the disaster recovery plan (DRP) of an organization with offices across multiple regions. Which of the following should be the auditor ' s PRIMARY focus?
Which of the following is the MOST important consideration for patching mission critical business application servers against known vulnerabilities?
Some control activities have been found to be only partially compliant with the design of the control. Which of the following is an IS auditor’s PRIMARY course of action?
Which of the following is the MOST effective way for an IS auditor to ensure information is preserved when conducting a forensic investigation?
An organization is permanently transitioning from onsite to fully remote business operations. When should the existing business impact analysis (BIA) be reviewed?
A senior IS auditor suspects that a PC may have been used to perpetrate fraud in a finance department. The auditor should FIRST report this suspicion to:
Which of the following is MOST important to determine during the planning phase of a cloud-based messaging and collaboration platform acquisition?
Which of the following is the GREATEST benefit of adopting an international IT governance framework rather than establishing a new framework based on the actual situation of a specific organization1?
When auditing the alignment of IT to the business strategy, it is MOST Important for the IS auditor to:
Which of the following is the MOST efficient way to identify segregation of duties violations in a new system?
Which of the following performance management tools BEST helps an IS auditor evaluate the success of an organization’s IT strategy implementation and execution?
Which of the following is the BEST control to mitigate the malware risk associated with an instant messaging (IM) system?
At the end of each business day, a business-critical application generates a report of financial transac-tions greater than a certain value, and an employee
then checks these transactions for errors. What type of control is in place?
An IS audit manager is preparing the staffing plan for an audit engagement of a cloud service provider. What should be the manager ' s PRIMARY concern when being made aware that a new
auditor in the department previously worked for this provider?
Which of the following is the BEST way to detect unauthorized copies of licensed software on systems?
A review of Internet security disclosed that users have individual user accounts with Internet service providers (ISPs) and use these accounts for downloading business data. The organization wants to ensure that only the corporate network is used. The organization should FIRST:
Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system. Which of the following is the IS auditor ' s BEST recommendation for a compensating control?
An IS auditor wants to inspect recent events in a system to observe failed authentications and password changes. Which of the following is the MOST appropriate method to use for this purpose?
When information processing has been outsourced to another organization, an IS auditor reviewing the contract should expect it to specify:
A PRIMARY objective of risk management is to keep the total cost of risks below the:
Which of the following is the PRIMARY reason that asset classification is vital to an information security program?
What is the MOST effective way to detect installation of unauthorized software packages by employees?
Which of the following MOST effectively reduces the risk of emails containing personally identifiable information (PII) being sent to unauthorized recipients?
During a project audit, an IS auditor notes that project reporting does not accurately reflect current progress. Which of the following is the GREATEST resulting impact?
An IS auditor should look for which of the following to ensure the risk associated with scope creep has been mitigated during software development?
Which of the following approaches BEST enables an IS auditor to detect security vulnerabilities within an application?
An IS audit manager is reviewing workpapers for a recently completed audit of the corporate disaster recovery test. Which of the following should the IS audit manager specifically review to substantiate the conclusions?
Which of the following would BEST enable an organization to address the security risks associated with a recently implemented bring your own device (BYOD) strategy?
Which of the following is the MOST significant risk that IS auditors are required to consider for each engagement?
An organization ' s information security policies should be developed PRIMARILY on the basis of:
Which of the following BEST indicates that the effectiveness of an organization ' s security awareness program has improved?
An IS auditor performs a follow-up audit and learns the approach taken by the auditee to fix the findings differs from the agreed-upon approach confirmed during the last audit. Which of the following should be the auditor ' s NEXT course of action?
Which of the following occurs during the issues management process for a system development project?
Which of the following findings from a database security audit presents the GREATEST risk of critical security exposures?
Which of the following BEST Indicates that an incident management process is effective?
Which of the following should be of GREATEST concern to an IS auditor for work-from-anywhere scenarios as compared to work from home or work from office?
The PRIMARY benefit lo using a dry-pipe fire-suppression system rather than a wet-pipe system is that a dry-pipe system:
A small business unit is implementing a control self-assessment (CSA) program and leveraging the internal
audit function to test its internal controls annually. Which of the following is the MOST significant benefit of
this approach?
Which of the following BEST indicates to an IS auditor that an organization handles emergency changes appropriately and transparently?
An organization ' s strategy to source certain IT functions from a Software as a Service (SaaS) provider should be approved by the:
Which of the following must be in place before an IS auditor initiates audit follow-up activities?
Which of the following is MOST helpful for an IS auditor to review when evaluating an organizations business process that are supported by applications and IT systems?
Which of the following responses to risk associated with separation of duties would incur the LOWEST initial cost?
Which of the following should be of MOST concern to an IS auditor reviewing an organization’s business impact analysis (BIA)?
Which of the following is the MOST important privacy consideration for an organization that uses a cloud service provider to process customer data?
When assessing whether an organization ' s IT performance measures are comparable to other organizations in the same industry, which of the following would be MOST helpful to review?
Which of the following observations regarding change management should be considered the MOST serious risk by an IS auditor?
An IS auditor has completed the fieldwork phase of a network security review and is preparing the initial following findings should be ranked as the HIGHEST risk?
Which of the following conditions would be of MOST concern to an IS auditor assessing the risk of a successful brute force attack against encrypted data at test?
Which of the following is the BEST recommendation to include in an organization ' s bring your own device (BYOD)
policy to help prevent data leakage?
Which of the following would be the GREATEST concern during a financial statement audit?
An IS auditor has traced the source of a transaction fraud to the desktop system of an e-business staff member who is on leave. Which of the following is the BEST way for the auditor to ensure the success of the investigation?
Which of the following technologies BEST assists in protection of digital evidence as part of forensic investigation acquisition?
Which of the following should be of GREATEST concern to an IS auditor when auditing an organization ' s IT strategy development process?
What should an IS auditor evaluate FIRST when reviewing an organization ' s response to new privacy legislation?
Which of the following types of environmental equipment will MOST likely be deployed below the floor tiles of a data center?
An organization ' s IT risk assessment should include the identification of:
Which of the following will MOST likely compromise the control provided By a digital signature created using RSA encryption?
Which of the following is the MOST effective accuracy control for entry of a valid numeric part number?
Which of the following MOST effectively enables consistency across high-volume software changes ' ?
Which of the following should be given GREATEST consideration when implementing the use of an open-source product?
An IS auditor learns that an organization ' s business continuity plan (BCP) has not been updated in the last 18 months and that the organization recently closed a production plant. Which of the following is the auditor ' s BEST course of action?
An IS auditor has validated that an organization ' s IT department runs several low-priority automated tasks Which of the following is the BEST recommendation for an automated job schedule?
Which of the following is the PRIMARY purpose of enterprise architecture (EA) within an organization?
An organization ' s IT department and internal IS audit function all report to the chief information officer (CIO). Which of the following is the GREATEST concern associated with this reporting structure?
During an internal audit of project governance, which of the following is the MOST important to review to verify that IT investments align with organizational objectives?
Which of the following would BEST help to ensure that potential security issues are considered by the development team as part of incremental changes to agile-developed software?
Which of the following is the MOST important consideration to facilitate prosecution of a perpetrator after a cybercrime?
Which of the following should be the IS auditor ' s PRIMARY focus when evaluating an organizations offsite storage facility?
An organization plans to centrally decommission end-of-life databases and migrate the data to the latest model of hardware. Which of the following BEST ensures data integrity is preserved during the migration?
An organization ' s software developers need access to personally identifiable information (Pll) stored in a particular data format. Which of the following is the BEST way to protect this sensitive information while allowing the developers to use it in development and test environments?
In which phase of the internal audit process is contact established with the individuals responsible for the business processes in scope for review?
A new system is being developed by a vendor for a consumer service organization. The vendor will provide its proprietary software once system development is completed Which of the following is the MOST important requirement to include In the vendor contract to ensure continuity?
Which of the following findings should be of GREATEST concern to an IS auditor assessing the risk associated with end-user computing (EUC) in an organization?
To mitigate the risk of exposing data through application programming interface (API) queries. which of the following design considerations is MOST important?
Which of the following is the MOST important reason for an IS auditor to examine the results of a post-incident review performed after a security incident?
An organization has recently implemented a Voice-over IP (VoIP) communication system. Which ot the following should be the IS auditor ' s PRIMARY concern?
An IS auditor has been asked to provide support to the control self-assessment (CSA) program. Which of the following BEST represents the scope of the auditor’s role in the program?
During a routine internal software licensing review, an IS auditor discovers instances where employees shared license keys to critical pieces of business software. Which of the following would be the auditor ' s BEST course of action?
Which of the following would be of GREATEST concern to an IS auditor reviewing the feasibility study for a new application system?
Which of the following should be of GREATEST concern to an IS auditor reviewing a terminated employee’s network access?
An IS auditor is reviewing a machine learning model that predicts the likelihood that a user will watch a certain movie. Which of the following would be of GREATEST concern to the auditor?
Which of the following is the GREATEST impact as a result of the ongoing deterioration of a detective control?
Which of the following is the PRIMARY reason to perform a risk assessment?
Which of the following backup methods is MOST appropriate when storage space is limited?
To ensure confidentiality through the use of asymmetric encryption, a message is encrypted with which of the following?
Which of the following should be the FIRST step in the incident response process for a suspected breach?
Which of the following should an IS auditor recommend as a PRIMARY area of focus when an organization decides to outsource technical support for its external customers?
Which of the following is the BEST way to ensure an organization ' s data classification policies are preserved during the process of data transformation?
An IS auditor finds that periodic reviews of read-only users for a reporting system are not being performed. Which of the following should be the IS auditor ' s NEXT course of action?
Which of the following should be of MOST concern to an IS auditor reviewing the public key infrastructure (PKI) for enterprise email?
An IS auditor is reviewing an industrial control system (ICS) that uses older unsupported technology in the scope of an upcoming audit. What should the auditor consider the MOST significant concern?
An IS auditor would MOST likely recommend that IT management use a balanced scorecard to:
An IS auditor is reviewing the release management process for an in-house software development solution. In which environment Is the software version MOST likely to be the same as production?
Which of the following is the BEST way to mitigate the risk associated with unintentional modifications of complex calculations in end-user computing (EUC)?
Which of the following fire suppression systems needs to be combined with an automatic switch to shut down the electricity supply in the event of activation?
An IS auditor is reviewing a machine learning (ML) model that predicts the likelihood that a user will watch a certain movie. Which of the following would be of GREATEST concern to the auditor?
Which of the following is the BEST method to delete sensitive information from storage media that will be reused?
An IS auditor is conducting an IT governance audit and notices many initiatives are managed informally by isolated project managers. Which of the following recommendations would have the GREATEST impact on improving the maturity of the IT team?
During the planning stage of a compliance audit, an IS auditor discovers that a bank ' s inventory of compliance requirements does not include recent regulatory changes related to managing data risk. What should the auditor do FIRST?
Which of the following would be the GREATEST concern for an IS auditor conducting a pre-implementation review of a data loss prevention (DLP > tool?
An IS auditor concludes that an organization has a quality security policy. Which of the following is MOST important to determine next? The policy must be:
Users are complaining that a newly released enterprise resource planning (ERP) system is functioning too slowly. Which of the following tests during the quality assurance (QA) phase would have identified this concern?
As part of an audit response, an auditee has concerns with the recommendations and is hesitant to implement them. Which of the following is the BEST course of action for the IS auditor?
An IS auditor is reviewing an organization ' s business continuity plan (BCP) following a change in organizational structure with significant impact to business processes. Which of the following findings should be the auditor ' s GREATEST concern?
An organization outsourced its IS functions to meet its responsibility for disaster recovery, the organization should:
A senior auditor is reviewing work papers prepared by a junior auditor indicating that a finding was removed after the auditee said they corrected the problem. Which of the following is the senior auditor s MOST appropriate course of action?
An IS auditor is performing a follow-up audit and notes that some critical deficiencies have not been addressed. The auditor ' s BEST course of action is to:
Which of the following controls is BEST implemented through system configuration?
Network user accounts for temporary workers expire after 90 days.
Application user access is reviewed every 180 days for appropriateness.
Financial data in key reports is traced to source systems for completeness and accuracy.
Following the sale of a business division, employees will be transferred to a new organization, but they will retain access to IT equipment from the previous employer. An IS auditor has recommended that both organizations agree to and document an acceptable use policy for the equipment. What type of control has been recommended?
Which of the following is a principle of the Agile software development process?
Which of the following strategies BEST optimizes data storage without compromising data retention practices?
Which of the following approaches will ensure recovery time objectives (RTOs) are met for an organization ' s disaster recovery plan (DRP)?
A national tax administration agency with a distributed network experiences service disruptions due to a large influx of traffic to a regional office near the end of each year. Which of the following would BEST enable the agency to improve the performance of its servers during the busy period?
Which of the following methods would BEST help detect unauthorized disclosure of confidential documents sent over corporate email?
An IS auditor has identified deficiencies within the organization ' s software development life cycle policies. Which of the following should be done NEXT?
Which of the following is the BEST security control to validate the integrity of data communicated between production databases and a big data analytics
system?
Which of the following is the BEST source of information to determine the required level of data protection on a file server?
A proper audit trail of changes to server start-up procedures would include evidence of:
An IS auditor wants to determine who has oversight of staff performing a specific task and is referencing the organization ' s RACI chart. Which of the following roles within the chart would provide this information?
When processing speed is the highest priority, which cryptographic algorithm should be used to verify the integrity of a bit-for-bit copy from digital evidence?
An IS auditor finds that firewalls are outdated and not supported by vendors. Which of the following should be the auditor ' s NEXT course of action?
Which of the following should an IS auditor be MOST concerned with when a system uses RFID?
Which of the following is BEST supported by enforcing data definition standards within a database?
Which of the following would be of MOST concern to an IS auditor reviewing a data loss prevention (DLP) solution implementation for endpoints?
When verifying the accuracy and completeness of migrated data for a new application system replacing a legacy system. It is MOST effective for an IS auditor to review;
Which of the following MOST effectively manages frequent program file changes where simultaneous code edits are used?
A project team has decided to switch to an agile approach to develop a replacement for an existing business application. Which of the following should an IS auditor do FIRST to ensure the effectiveness of the protect audit?
Which of the following audit procedures would provide the BEST assurance that an application program is functioning as designed?
Which of the following techniques BEST mitigates the risk of pervasive network attacks?
Which of the following application input controls would MOST likely detect data input errors in the customer account number field during the processing of an accounts receivable transaction?
Which of the following BEST helps monitor and manage operational logs to create value for an organization?
A programmer has made unauthorized changes lo key fields in a payroll system report. Which of the following control weaknesses would have contributed MOST to this problem?
An IS auditor discovers that a developer has used the same key to grant access to multiple applications making calls to an application programming interface (API). Which of the following is the BEST recommendation to address this situation?
Which of the following is an IS auditor ' s BEST course of action when the auditee indicates that a corrective action plan for a high-risk finding will take longer than expected?
Based on best practices, which types of accounts should be disabled for interactive login?
Which of the following is the GREATEST concern associated with IS risk-based auditing when audit resources are limited?
Which of the following is the BEST way to ensure email confidentiality in transit?
Which of the following is an example of a preventative control in an accounts payable system?
Which of the following is MOST important for an IS auditor to verify when reviewing the use of an outsourcer for disposal of storage media?
An IS auditor is reviewing an organization ' s information asset management process. Which of the following would be of GREATEST concern to the auditor?
An incident response team has been notified of a virus outbreak in a network subnet. Which of the following should be the NEXT step?
Which of the following should be an IS auditor ' s GREATEST concern when reviewing an organization ' s security controls for policy compliance?
Which of the following is MOST critical to the success of an information security program?
Controls related to authorized modifications to production programs are BEST tested by:
Which of the following would be MOST effective in detecting the presence of an unauthorized wireless access point on an internal network?
Which of the following is an advantage of using agile software development methodology over the waterfall methodology?
Aligning IT strategy with business strategy PRIMARILY helps an organization to:
A small IT department has embraced DevOps, which allows members of this group to deploy code to production and maintain some development access to automate releases. Which of the following is the MOST effective control?
An organization using a cloud provider for its online billing system requires the website to be accessible to customers at all times. What is the BEST way to verify the organization ' s business requirements are met?
Which of the following is MOST important to define within a disaster recovery plan (DRP)?
An IS auditor is assigned to perform a post-implementation review of an application system. Which of the following would impair the auditor ' s independence?
Which of the following is the PRIMARY role of key performance indicators (KPIs) in supporting business process effectiveness?
Which of following is MOST important to determine when conducting a post-implementation review?
Which of the following observations should be of GREATEST concern to an IS auditor reviewing an organization’s enterprise architecture (EA) program?
Which of the following should be the FIRST step in a data migration project?
An incorrect version of the source code was amended by a development team. This MOST likely indicates a weakness in:
A steering committee established to oversee an organization’s digital transformation program is MOST likely to be involved with which of the following activities?
An IS auditor found that a company executive is encouraging employee use of social networking sites for business purposes. Which of the following recommendations would BEST help to reduce the risk of data leakage?
Which of the following data would be used when performing a business impact analysis (BIA)?
An IS auditor has been asked to review the integrity of data transfer between two business-critical systems that have not been tested since implementation. Which of the following would provide the MOST useful information to plan an audit?
An external attacker spoofing an internal Internet Protocol (IP) address can BEST be detected by which of the following?
Which of the following groups is PRIMARILY accountable for establishing a culture that facilitates an effective and efficient internal control system?
An organization is planning an acquisition and has engaged an IS auditor lo evaluate the IT governance framework of the target company. Which of the following would be MOST helpful In determining the effectiveness of the framework?
Which of the following BEST indicates an effective internal audit quality assurance and improvement program?
Which of the following should be of MOST concern to an IS auditor when reviewing an intrusion detection system (IDS)?
Which of the following is MOST useful for determining the strategy for IT portfolio management?
Which of the following is the MOST important activity in the data classification process?
Which of the following is the MOST important consideration when implementing a Zero Trust strategy for mobile, wireless, and Internet of Things (IoT) devices?
When protecting the confidentiality of information assets, the MOST effective control practice is the:
Which of the following is MOST important for an IS auditor to validate when reviewing the controls for an organization ' s quality management system (QMS)?
Which of the following is the PRIMARY benefit of benchmarking an organization ' s software development lifecycle practices against a capability maturity model?
An IS auditor finds a high-risk vulnerability in a public-facing web server used to process online customer payments. The IS auditor should FIRST
Which of the following would be of GREATEST concern to an IS auditor reviewing an IT-related customer service project?
An IS auditor finds that one employee has unauthorized access to confidential data. The IS auditor ' s BEST recommendation should be to:
Which of the following is MOST important to determine when conducting an audit Of an organization ' s data privacy practices?
An employee approaches an IS auditor and expresses concern about a critical security issue in a newly installed application. Which of the following should the auditor do FIRST?
A manager Identifies active privileged accounts belonging to staff who have left the organization. Which of the following is the threat actor In this scenario?
During an incident management audit, an IS auditor finds that several similar incidents were logged during the audit period. Which of the following is the auditor ' s MOST important course of action?
When evaluating the design of controls related to network monitoring, which of the following is MOST important for an IS auditor to review?
What should an IS auditor ensure when a financial organization intends to utilize production data in the testing environment?
During a review of an organization ' s IT capacity management process, an IS auditor should be MOST concerned if capacity planning:
Which of the following activities would allow an IS auditor to maintain independence while facilitating a control sell-assessment (CSA)?
During an audit of a reciprocal disaster recovery agreement between two companies, the IS auditor would be MOST concerned with the:
Reviewing which of the following would provide the BEST indication that a project is progressing as planned?
A system development project is experiencing delays due to ongoing staff shortages. Which of the following strategies would provide the GREATEST assurance of system quality at implementation?
The GREATEST concern for an IS auditor reviewing vulnerability assessments by the auditee would be if the assessments are:
A white box testing method is applicable with which of the following testing processes?
Which of the following is the MOST effective method for ensuring the integrity of log data?
Which of the following should be used to evaluate an IT development project before an investment is committed?
An IS auditor finds that the process for removing access for terminated employees is not documented What is the MOST significant risk from this observation?
Which of the following is MOST important for an IS auditor to verify when evaluating an organization ' s data conversion andinfrastructure migration plan?
Which of the following network topologies will provide the GREATEST fault tolerance?
During an audit of a financial application, it was determined that many terminated users ' accounts were not disabled. Which of the following should be the IS auditor ' s NEXT step?
Which of the following is the MOST important reason to implement version control for an end-user computing (EUC) application?
Which of the following should an IS auditor recommend be done FIRST when an organization is planning to implement an IT compliance program?
Which of the following is the PRIMARY objective of performing quality assurance (QA) in a system development process?
Which of the following should be done FIRST when planning to conduct internal and external penetration testing for a client?
A data breach has occurred due lo malware. Which of the following should be the FIRST course of action?
in a controlled application development environment, the MOST important segregation of duties should be between the person who implements changes into the production environment and the:
Which of the following is the BEST control lo mitigate attacks that redirect Internet traffic to an unauthorized website?
Which of the following Is the BEST way to ensure payment transaction data is restricted to the appropriate users?
Which of the following is the MOST important prerequisite for implementing a data loss prevention (DLP) tool?
Which of the following is the PRIMARY benefit of operational log management?
Which of the following would be to MOST concern when determine if information assets are adequately safequately safeguarded during transport and disposal?
Which of the following is the MAIN responsibility of the IT steering committee?
Which of the following should be an IS auditor ' s PRIMARY consideration when determining which issues to include in an audit report?
What is the Most critical finding when reviewing an organization’s information security management?
Which of the following should be of GREATEST concern to an IS auditor reviewing an organization ' s IT process performance reports over the last quarter?
An IS auditor is reviewing processes for importing market price data from external data providers. Which of the following findings should the auditor consider MOST critical?
Which of the following represents the GREATEST risk to virtualized environments?
Which type of control is being implemented when a biometric access device is installed at the entrance to a facility?
Which of the following provides the MOST useful information regarding an organization ' s risk appetite and tolerance?
An IS auditor wants to gain a better understanding of an organization’s selected IT operating system software. Which of the following would be MOST helpful to review?
An organization has outsourced the development of a core application. However, the organization plans to bring the support and future maintenance of the application back in-house. Which of the following findings should be the IS auditor ' s GREATEST concern?
Which of the following user actions poses the GREATEST risk for inadvertently introducing malware into a local network?
Which of the following should be the PRIMARY objective of a disaster recovery plan (DRP)?
When planning a review of IT governance, an IS auditor is MOST likely to:
Backup procedures for an organization ' s critical data are considered to be which type of control?
What should an IS auditor do FIRST upon discovering that a service provider did not notify its customers of a security breach?
Which of the following is the PRIMARY objective of implementing privacy-related controls within an organization?
During an audit which of the following would be MOST helpful in establishing a baseline for measuring data quality?
Which of the following is the MOST effective control when granting access to a service provider for a ctoud-6ased application?
Which of the following BEST guards against the risk of attack by hackers?
The operations team of an organization has reported an IS security attack Which of the following should be the FIRST step for the security incident response team?
Which of the following provides the MOST reliable method of preventing unauthonzed logon?
Which of the following is an organization ' s BEST defense against malware?
Which of the following controls is MOST effective at preventing system failures when implementing a new web application?
What should an IS auditor do FIRST when a follow-up audit reveals some management action plans have not been initiated?
An organization is concerned with meeting new regulations for protecting data confidentiality and asks an IS auditor to evaluate their procedures for transporting data. Which of the
following would BEST support the organization ' s objectives?
Which of the following should be of GREATEST concern to an IS auditor reviewing controls around an AI system in an organization?
Which of the following should be the GREATEST concern for an IS auditor performing a post-implementation review for a major system upgrade?
Which of the following is the MOST important determining factor when establishing appropriate timeframes for follow-up activities related to audit findings?
An IS auditor has been asked to review an event log aggregation system to ensure risk management practices have been applied. Which of the following should be of MOST concern to the auditor?
From an IS auditor ' s perspective, which of the following would be the GREATEST risk associated with an incomplete inventory of deployed software in an organization?
What would be the PRIMARY reason an IS auditor would recommend replacing universal PIN codes with an RFID access card system at a data center?
Which of the following responses to risk associated with segregation of duties would incur the LOWEST initial cost?
Which of the following is MOST helpful for evaluating benefits realized by IT projects?
Which of the following is the BEST method to prevent wire transfer fraud by bank employees?
When assessing the overall effectiveness of an organization ' s disaster recovery planning process, which of the following is MOST important for the IS auditor to verify?
Which of the following will be the MOST effective method to verify that a service vendor keeps control levels as required by the client?
An IS auditor requests direct access to data required to perform audit procedures instead of asking management to provide the data Which of the following is the PRIMARY advantage of this approach?
Which of the following should be the FIRST consideration when deciding whether data should be moved to a cloud provider for storage?
Which of the following is the BEST way to identify whether the IT help desk is meeting service level agreements (SLAS)?
Which of the following provides the BEST assurance that vendor-supported software remains up to date?
Which of the following BEST describes the process of creating a digital envelope?
Which of the following is MOST important when implementing a data classification program?
Which type of device sits on the perimeter of a corporate of home network, where it obtains a public IP address and then generates private IP addresses internally?
Which of the following is the BEST justification for deferring remediation testing until the next audit?
An organization recently implemented a cloud document storage solution and removed the ability for end users to save data to their local workstation hard drives. Which of the following findings should be the IS auditor ' s GREATEST concern?
What is the PRIMARY purpose of documenting audit objectives when preparing for an engagement?
Which of the following is an analytical review procedure for a payroll system?
Which of the following would present the GREATEST concern during a review of internal audit quality assurance (QA) and continuous improvement processes?
The PRIMARY reason to perform internal quality assurance (QA) for an internal audit function is to ensure:
An organization has established hiring policies and procedures designed specifically to ensure network administrators are well qualified Which type of control is in place?
Which of the following should be of GREATEST concern to an IS auditor performing a review of information security controls?
Which of the following is an IS auditor ' s BEST approach when prepanng to evaluate whether the IT strategy supports the organization ' s vision and mission?
During a database security audit, an IS auditor is reviewing the process used to input data. Which of the following is the MOST significant risk area for the auditor to focus on?
An IS auditor reviewing the threat assessment tor a data center would be MOST concerned if:
During a review of a production schedule, an IS auditor observes that a staff member is not complying with mandatory operational procedures. The auditor ' s NEXT step should be to:
An IS auditor is reviewing the backup procedures in an organization that has high volumes of data with frequent changes to transactions. Which of the following is the BEST backup scheme to recommend given the need for a shorter restoration time in the event of a disruption?
Which of the following provides the MOST assurance of the integrity of a firewall log?
Which of the following should be the FIRST step when developing a data loss prevention (DLP) solution for a large organization?
While reviewing transactions, an IS auditor discovers inconsistencies in a relational database. Which of the following would be the auditor ' s BEST recommendation?
An organization is planning to implement a control self-assessment (CSA) program for selected business processes. Which of the following should be the role of the internal audit team for this program?
During an audit, an IT finding is agreed upon by all IT teams involved, but no team wants to be responsible for remediation or considers the finding within Its area of responsibility Which of the following is the IS auditor ' s BEST course of action?
Which of the following system attack methods is executed by entering malicious code into the search box of a vulnerable website, causing the server to reveal restricted information?
Which of the following can BEST reduce the impact of a long-term power failure?
Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?
Which of the following is the PRIMARY reason for an organization to implement a configuration management database (CMDB)?
An IS auditor believes that management has accepted a level of residual risk that is not appropriate for the organization. Which of the following is the auditor’s MOST appropriate course of action?
Which of the following roles is PRIMARILY responsible for mitigating the risk of benefits not being realized in an IT project?
An internal audit department recently established a quality assurance (QA) program. Which of the following activities Is MOST important to include as part of the QA program requirements?
An organization implemented a cybersecurity policy last year Which of the following is the GREATE ST indicator that the policy may need to be revised?
Which of the following is the MOST likely root cause of shadow IT in an organization?
During a review, an IS auditor discovers that corporate users are able to access cloud-based applications and data any Internet-connected web browser. Which Of the following
is the auditor’s BEST recommendation to prevent unauthorized access?
Which of the following is MOST important to consider when reviewing an organization ' s defined data backup and restoration procedures?
An IS auditor is reviewing an organization that performs backups on local database servers every two weeks and does not have a formal policy to govern data backup and restoration procedures. Which of the following findings presents the GREATEST risk to the organization?
An internal audit team is deciding whether to use an audit management application hosted by a third party in a different country.
What should be the MOST important consideration related to the uploading of payroll audit documentation in the hosted
application?
Which of the following should an IS auditor perform FIRST when auditing an outsourced human resource application?
Which of the following should be of GREATEST concern for an IS auditor reviewing an organization ' s disaster recovery plan (DRP)?
An organization is shifting to a remote workforce In preparation the IT department is performing stress and capacity testing of remote access infrastructure and systems What type of control is being implemented?
Which of the following MOST effectively detects transposition and transcription errors?
During an audit, the IS auditor finds that in many cases excessive rights were not removed from a system. Which of the following is the auditor ' s BEST recommendation?
Which of the following would be an auditor ' s GREATEST concern when reviewing data inputs from spreadsheets into the core finance system?
Which of the following is the GREATEST benefit of adopting an Agile audit methodology?
An IS auditor is examining a front-end subledger and a main ledger. Which of the following would be the GREATEST concern if there are flaws in the mapping of accounts between the two systems?
An IS auditor is concerned that unauthorized access to a highly sensitive data center might be gained by piggybacking or tailgating. Which of the following is the BEST recommendation? (Choose Correct answer and give explanation from CISA Certification - Information Systems Auditor official book)
The BEST way for an IS auditor to validate that separation of duties has been implemented is to perform:
In data warehouse (DW) management, what is the BEST way to prevent data quality issues caused by changes from a source system?
Which of the following provides the BEST evidence of the validity and integrity of logs in an organization ' s security information and event management (SIEM) system?
During a project assessment, an IS auditor finds that business owners have been removed from the project initiation phase. Which of the following should be the auditor ' s GREATEST concern with this situation?
Which of the following is the PRIMARY benefit of a tabletop exercise for an incident response plan?
How does public key infrastructure (PKI) help to verify that a digitally signed document is not a forgery?
Which of the following technologies has the SMALLEST maximum range for data transmission between devices?
An IS auditor is evaluating the progress of a web-based customer service application development project. Which of the following would be MOST helpful for this evaluation?
When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor ' s BEST recommendation is to place an intrusion detection system (IDS) between the firewall and:
Which of the following would be of MOST concern for an IS auditor evaluating the design of an organization ' s incident management processes?
Which of the following is an IS auditor ' s BEST recommendation to mitigate the risk of eavesdropping
associated with an application programming interface (API) integration implementation?
Which of the following is the BEST methodology to use for estimating the complexity of developing a large business application?
A global organization ' s policy states that all workstations must be scanned for malware each day. Which of the following would provide an IS auditor with the BEST evidence of continuous compliance with this policy?
Which of the following is the MOST important benefit of involving IS audit when implementing governance of enterprise IT?
An IS auditor is reviewing an organization ' s incident management processes and procedures. Which of the following observations should be the auditor ' s GREATEST concern?
Which of the following BEST demonstrates that IT strategy Is aligned with organizational goals and objectives?
Which of the following would be MOST effective to protect information assets in a data center from theft by a vendor?
One advantage of managing an entire collection of projects as a portfolio is that it highlights the need to:
An IS auditor noted a recent production incident in which a teller transaction system incorrectly charged fees to customers due to a defect from a recent release. Which of the following should be the auditor ' s NEXT step?
An organization relies on an external vendor that uses a cloud-based Software as a Service (SaaS) model to back up its data. Which of the following is the GREATEST risk to the organization related to data backup and retrieval?
Which of the following BEST addresses the availability of an online store?
Which of the following provides the BEST evidence that system requirements are met when evaluating a project before implementation?
Which of the following is the BEST way to enforce the principle of least privilege on a server containing data with different security classifications?
An IS auditor finds that while an organization ' s IT strategy is heavily focused on research and development, the majority of protects n the IT portfolio focus on operations and maintenance. Which of the Mowing is the BEST recommendation?
Which of the following practices associated with capacity planning provides the GREATEST assurance that future incidents related to existing server performance will be prevented?
Which of the following should be the FIRST step m managing the impact of a recently discovered zero-day attack?
Which of the following poses the GREATEST risk to the use of active RFID tags?
Which of the following should be of GREATEST concern to an IS auditor reviewing system interfaces used to transfer publicly available information?
IS management has recently disabled certain referential integrity controls in the database management system (DBMS) software to provide users increased query performance. Which of the following controls will MOST effectively compensate for the lack of referential integrity?
During the planning phase of a data loss prevention (DLP) audit, management expresses a concern about mobile computing. Which of the following should the IS auditor identify as the
associated risk?
An IS auditor notes that the previous year ' s disaster recovery test was not completed within the scheduled time frame due to insufficient hardware allocated by a third-party vendor. Which of the following provides the BEST evidence that adequate resources are now allocated to successfully recover the systems?
An IS auditor is reviewing how password resets are performed for users working remotely. Which type of documentation should be requested to understand the detailed steps required for this activity?
Due to limited storage capacity, an organization has decided to reduce the actual retention period for media containing completed low-value transactions. Which of the following is MOST important for the organization to ensure?
Which of the following BEST helps to establish that digital evidence is in its original form and has not been tampered with?
When physical destruction IS not practical, which of the following is the MOST effective means of disposing of sensitive data on a hard disk?
Which of the following is the PRIMARY advantage of establishing a control self-assessment (CSA) program?
During an audit of a multinational bank ' s disposal process, an IS auditor notes several findings. Which of the following should be the auditor ' s GREATEST concern?
Which of the following would be MOST important to include in an IS audit report?
Which of the following is the PRIMARY benefit of performing periodic maturity model assessments?
When designing a data analytics process, which of the following should be the stakeholder ' s role in automating data extraction and validation?
The PRIMARY reason for an IS auditor to perform a functional walk-through of a business process during the preliminary phase of an audit assignment is to:
Data centers that want to prevent unauthorized personnel from entering during a power outage should ensure external access doors:
Which of the following is MOST important to include when developing a business continuity plan (BCP)?
A month after a company purchased and implemented system and performance monitoring software, reports were too large and therefore were not reviewed or acted upon The MOST effective plan of action would be to:
An IS auditor wants to verify alignment of the organization ' s business continuity plan (BCP) with the business strategy. Which of the following would be MOST helpful to review?
Which of the following will be the MOST effective method to verify that a service vendor keeps control levels as required by the client?
Which of the following is the MOST effective method to identify new errors introduced as a result of program changes?
An organization used robotic process automation (RPA) technology to develop software bots that extract data from various sources for input into a legacy financial application. Which of the following should be of GREATEST concern to an IS auditor when reviewing the software bot job scheduling and production process automation?
An IS auditor is reviewing the system development practices of an organization that is about to move from a Waterfall to an Agile approach. Which of the following is MOST important for the auditor to focus on as a result of this move?
Which of the following is the PRIMARY role of the IS auditor m an organization ' s information classification process?
Several unattended laptops containing sensitive customer data were stolen from personnel offices Which of the following would be an IS auditor ' s BEST recommendation to protect data in case of recurrence?
An IS auditor is reviewing an organizations release management practices and observes inconsistent and inaccurate estimation of the size and complexity of business application development projects. Which of the following should the auditor recommend to address this issue?
Which of the following will provide the GREATEST assurance to IT management that a quality management system (QMS) is effective?
Management has agreed to move the organization ' s data center due to recent flood map changes in its current location. Which risk response has been adopted?
What should an IS auditor do FIRST when management responses
to an in-person internal control questionnaire indicate a key internal
control is no longer effective?
An IS auditor is reviewing a network diagram. Which of the following would be the BEST location for placement of a firewall?
An organization has made a strategic decision to split into separate operating entities to improve profitability. However, the IT infrastructure remains shared between the entities. Which of the following would BEST help to ensure that IS audit still covers key risk areas within the IT environment as part of its annual plan?
When auditing the feasibility study of a system development project, the IS auditor should:
Which of the following audit evidence collection procedures is MOST reliable?
Of the following who should be responsible for cataloging and inventorying robotic process automation (RPA) processes?
Which of the following is the BEST way to mitigate risk to an organization ' s network associated with devices permitted under a bring your own device (BYOD) policy?
Which of the following would be of GREATEST concern to an IS auditor reviewing an IT strategy document?
An IS auditor finds that an IT manager recently changed a Software as a Service (SaaS) provider contract in an effort to cut costs. The new contract increases the time to resolve incidents. Which of the following should be the auditor’s GREATEST concern?
An IS auditor finds that some employees are using public cloud-based AI tools. Which of the following presents the GREATEST concern?
Which of the following should be of GREATEST concern to an IS auditor reviewing data conversion and migration during the implementation of a new application system?
Which of the following would provide the BEST evidence of an IT strategy corrections effectiveness?
An IS auditor is evaluating the risk associated with moving from one database management system (DBMS) to another. Which of the following would be MOST helpful to ensure the integrity of the system throughout the change?
Which of the following environments is BEST used for copying data and transformation into a compatible data warehouse format?
A system experiences multiple recurring processing errors. Which of the following is the PRIMARY concern for an IS auditor?
Which of the following would an IS auditor recommend as the MOST effective preventive control to reduce the risk of data leakage?
Which of the following provides an IS auditor assurance that the interface between a point-of-sale (POS) system and the general ledger is transferring sales data completely and accurately?
Which of the following activities provides an IS auditor with the MOST insight regarding potential single person dependencies that might exist within the organization?
Which of the following should be the role of internal audit in an organization’s move to the cloud?
Which of the following is the BEST way to verify the effectiveness of a data restoration process?
The PRIMARY reason to assign data ownership for protection of data is to establish:
The performance, risks, and capabilities of an IT infrastructure are BEST measured using a:
Which type of attack poses the GREATEST risk to an organization ' s most sensitive data?
The PRIMARY role of an IS auditor in the remediation of problems found during an audit engagement is to:
Which of the following provides the MOST protection against emerging threats?
Which of the following should an IS auditor review FIRST when planning a customer data privacy audit?
Which of the following is the MOST important advantage of participating in beta testing of software products?
A small organization is experiencing rapid growth and plans to create a new information security policy. Which of the following is MOST relevant to creating the policy?
An IT strategic plan that BEST leverages IT in achieving organizational goals will include:
The following findings are the result of an IS auditor ' s post-implementation review of a newly implemented system. Which of the following findings is of GREATEST significance?
In a high-volume, real-time system, the MOST effective technique by which to continuously monitor and analyze transaction processing is:
Which type of control has been established when an organization implements a security information and event management (SIEM) system?
Which of the following is the PRIMARY objective of enterprise architecture (EA)?
Which of the following provides the BEST providence that outsourced provider services are being properly managed?
In the case of a disaster where the data center is no longer available, which of the following tasks should be done FIRST?
A global company has been using a publicly available AI tool to obtain information about global laws and regulations that could impact the business. Which of the following should be of MOST concern to an IS auditor?
Which of the following is the MOST efficient solution for a multi-location healthcare organization that wants to be able to access patient data wherever patients present themselves
for care?
A secure server room has a badge reader system that records name, date, and time information whenever a staff member uses a badge to enter or exit. When reviewing the system logs, an IS auditor notices records for some employees entering, but not exiting, the room. Which of the following would be the MOST effective compensating control to recommend?
Data from a system of sensors located outside of a network is received by the open ports on a server. Which of the following is the BEST way to ensure the integrity of the data being collected from the sensor system?
Which of the following is the MOST important consideration for a contingency facility?
An organization that has decided to approve the use of end-user computing (EUC) should FIRST ensure:
When auditing the security architecture of an online application, an IS auditor should FIRST review the:
Prior to a follow-up engagement, an IS auditor learns that management has decided to accept a level of residual risk related to an audit finding without remediation. The IS auditor is concerned about management ' s decision. Which of the following should be the IS auditor ' s NEXT course of action?
The charging method that effectively encourages the MOST efficient use of IS resources is:
Which of the following should be of GREATEST concern to an IS auditor reviewing a network printer disposal process?
During a follow-up audit, an IS auditor learns that management has deferred the implementation of a previously agreed-upon recommendation. What is the responsibility of the auditor?
An IS auditor evaluating the change management process must select a sample from the change log. What is the BEST way to the auditor to confirm the change log is complete?
An IS auditor is reviewing an artificial intelligence (Al) and expert system application. The system has produced several critical errors with severe impact. Which of the following should the IS auditor do NEXT to understand the cause of the errors?
What is BEST for an IS auditor to review when assessing the effectiveness of changes recently made to processes and tools related to an organization ' s business continuity plan (BCP)?
Which of the following is the PRIMARY purpose of a business impact analysts (BIA) in an organization ' s overall risk management strategy?
Which of the following methods BEST enforces data leakage prevention in a multi-tenant cloud environment?
The PRIMARY reason to perform a capacity management review of technology resources is to ensure that:
An IS auditor has been asked to assess the security of a recently migrated database system that contains personal and financial data for a bank ' s customers. Which of the following controls is MOST important for the auditor to confirm is in place?
Which of the following would the IS auditor MOST likely review to determine whether modifications to the operating system parameters were authorized?
An organization has developed mature risk management practices that are followed across all departments What is the MOST effective way for the audit team to leverage this risk management maturity?
Which of the following findings should be of GREATEST concern to an IS auditor performing a review of IT operations?
Which of the following is the BEST sampling method to use when relatively few errors are expected to be found in a population?
External audits have identified recurring exceptions in the user termination process, despite similar internal audits having reported no exceptions in the past. Which of the following is the IS auditor ' s BEST course of action to improve the internal audit process in the future?
An IS auditor follows up on a recent security incident and finds the incident response was not adequate. Which of the following findings should be considered MOST critical?
Which of the following is the BEST indicator of the effectiveness of an organization ' s incident response program?
An IS auditor notes that several employees are spending an excessive amount of time using social media sites for personal reasons. Which of the following should the auditor recommend be performed FIRST?
A finance department has a multi-year project to upgrade the enterprise resource planning (ERP) system hosting the general ledger. and in year one, the system version upgrade will be applied. Which of the following should be the PRIMARY focus of the IS auditor reviewing the first year of the project?
Which of the following observations should be of GREATEST concern to an IS auditor performing an audit of change and release management controls for a new complex system developed by a small in-house IT team?
During an exit interview, senior management disagrees with some of me facts presented m the draft audit report and wants them removed from the report. Which of the following would be the auditor ' s BEST course of action?
When testing the accuracy of transaction data, which of the following situations BEST justifies the use of a smaller sample size?
Which of the following is the PRIMARY advantage of parallel processing for a new system implementation?
Which of the following is the PRIMARY advantage of a decentralized database architecture over a centralized architecture?
Which of the following tests would provide the BEST assurance that a health care organization is handling patient data appropriately?
Which of the following is the MAIN risk associated with adding a new system functionality during the development phase without following a project change
management process?
Which of the following is the MOST significant risk to an organization migrating its onsite application servers to a public cloud service provider?
A new system is being developed externally for an organization. Which of the following is the MOST important requirement to include in the vendor contract to ensure service continuity?
During a follow-up engagement, an IS auditor confirms evidence of a problem that was not an issue in the original audit. Which of the following is the auditor ' s BEST course of action?
Which of the following is the PRIMARY reason for an IS audit manager to review the work performed by a senior IS auditor prior to presentation of a report?
An organization with many desktop PCs is considering moving to a thin client architecture. Which of the following is the MAJOR advantage?
Which of the following is the PRIMARY benefit of introducing business impact analyses (BIAs) to business resiliency strategies?
During a disaster recovery audit, an IS auditor finds that a business impact analysis (BIA) has not been performed. The auditor should FIRST
An IS audit team is evaluating documentation of the most recent application user access review. It is determined that the user list was not system generated. Which of the following should be of
MOST concern?
Which of the following provides the MOST comprehensive information about inherent risk within an organization?
An organization has implemented a new data classification scheme and asks the IS auditor to evaluate its effectiveness. Which of the following would be of
GREATEST concern to the auditor?
Which of the following is MOST critical for the effective implementation of IT governance?
An IS auditor is reviewing an IT project and finds that an earned value analysis (EVA) is not regularly performed as part of project status reporting. Which of the following is the GREATEST risk resulting from this situation?
Which of the following is the MOST important consideration when defining an operational log management strategy?
An IS auditor has found that a vendor has gone out of business and the escrow has an older version of the source code. What is the auditor ' s BEST recommendation for the organization?
Which of the following BEST supports the effectiveness of a compliance program?
Which of the following is an IS auditor’s BEST recommendation for conducting a forensic investigation of the contents on a hard drive?
Which of the following documents would be MOST useful in detecting a weakness in segregation of duties?
An incident response team has been notified of a virus outbreak in a network subnet. Which of the following should be the NEXT step?
A finance department has a two-year project to upgrade the enterprise resource planning (ERP) system hosting the general ledger in year one the system version upgrade will be applied and in year two business processes will be updated to implement new system functionality. Which of the following should be the PRIMARY focus of an IS auditor reviewing the second year of the implementation ' ?
When reviewing a business case for a proposed implementation of a third-party system, which of the following should be an IS auditor ' s GREATEST concern?
Which of the following is the PRIMARY advantage of using virtualization technology for corporate applications?
During the course of an IS audit, management verbally agreed with an issue identified by the IS auditor. However, when presented in a draft report, management disagreed with the finding. What should the auditor do NEXT?
An organization ' s payroll department recently implemented a new Software as a Service (SaaS) tool for payment processing. Which of the following audits is MOST appropriate for an IS auditor to validate that the new tool is configured as expected to meet performance requirements?
Compared to developing a system in-house, acquiring a software package means that the need for testing by end users is:
Which of the following is the MOST important course of action to ensure a cloud access security broker (CASB) effectively detects and responds to threats?
An IS auditor is reviewing the service agreement with a technology company that provides IT help desk services to the organization. Which of the following monthly performance
metrics is the BEST indicator of service quality?
Which of the following is the BEST testing approach to facilitate rapid identification of application interface errors?
In which of the following sampling methods is the entire sample considered to be irregular if a single error is found?
Which of the following should an IS auditor expect to find when reviewing an IT metrics dashboard?
An IS auditor is reviewing logical access controls for an organization ' s financial business application Which of the following findings should be of GREATEST concern to the auditor?
An IS auditor has discovered that a software system still in regular use is years out of date and no longer supported the auditee has stated that it will take six months until the software is running on the current version. Which of the following is the BEST way to reduce the immediate risk associated with using an unsupported version of the software?
An IS auditor reviewing an organization’s online payment system finds that the system sometimes duplicates payments. Which control will BEST compensate for this weakness?