Summer Sale - Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70dumps

CISA Questions and Answers

Question # 6

Which of the following should be of GREATEST concern to an IS auditor when using data analytics?

A.

The data source lacks integrity.

B.

The data analytics software is open source.

C.

The data set contains irrelevant fields.

D.

The data was not extracted by the auditor.

Full Access
Question # 7

During which stage of the penetration test cycle does the tester utilize identified vulnerabilities to attempt to access the target system?

A.

Exfiltration

B.

Exploitation

C.

Reconnaissance

D.

Scanning

Full Access
Question # 8

An organization has an acceptable use policy in place, but users do not formally acknowledge the policy. Which of the following is the MOST significant risk from this finding?

A.

Lack of data for measuring compliance

B.

Violation of industry standards

C.

Noncompliance with documentation requirements

D.

Lack of user accountability

Full Access
Question # 9

Which of the following BEST enables an organization to verify whether an encrypted message sent by a client has been altered?

A.

The digital signature

B.

The message header

C.

The date and time stamp of the received message

D.

The sender ' s private key

Full Access
Question # 10

Which of the following access rights presents the GREATEST risk when granted to a new member of the system development staff?

A.

Write access to production program libraries

B.

Write access to development data libraries

C.

Execute access to production program libraries

D.

Execute access to development program libraries

Full Access
Question # 11

Which of the following will be the MOST effective method to verify that a service vendor keeps control levels as required by the client?

A.

Conduct periodic onsite assessments using agreed-upon criteria.

B.

Conduct an unannounced vulnerability assessment of the vendor’s IT systems.

C.

Periodically review the service level agreement (SLA) with the vendor.

D.

Obtain evidence of the vendor ' s control self-assessment (CSA).

Full Access
Question # 12

Which of the following is found in an audit charter?

A.

The process of developing the annual audit plan

B.

The authority given to the audit function

C.

Required training for audit staff

D.

Audit objectives and scope

Full Access
Question # 13

A PRIMARY objective of risk management is to keep the total cost of risks below the:

A.

amount of losses that would materially damage the firm.

B.

average cost of physical security measures.

C.

administrative cost of risk management.

D.

estimated amount of losses included in the firm ' s budget

Full Access
Question # 14

A firewall between internal network segments improves security and reduces risk by:

A.

Jogging all packets passing through network segments

B.

inspecting all traffic flowing between network segments and applying security policies

C.

monitoring and reporting on sessions between network participants

D.

ensuring all connecting systems have appropriate security controls enabled.

Full Access
Question # 15

In a high-volume, real-time system, the MOST effective technique by which to continuously monitor and analyze transaction processing is:

A.

integrated test facility (ITF).

B.

parallel simulation.

C.

transaction tagging.

D.

embedded audit modules.

Full Access
Question # 16

The MOST important objective of a post-implementation audit is to:

A.

Address lessons learned from the project.

B.

Determine whether the required objectives were met.

C.

Develop a process for continuous improvement.

D.

Seek approval for the next implementation phase.

Full Access
Question # 17

Which of the following should be the FIRST step when developing a data loss prevention (DLP) solution for a large organization?

A.

Conduct a data inventory and classification exercise.

B.

Identify approved data workflows across the enterprise_

C.

Conduct a threat analysis against sensitive data usage.

D.

Create the DLP policies and templates

Full Access
Question # 18

An IS auditor should look for which of the following to ensure the risk associated with scope creep has been mitigated during software development?

A.

Source code version control

B.

Project change management controls

C.

Existence of an architecture review board

D.

Configuration management

Full Access
Question # 19

Which of the following business continuity activities prioritizes the recovery of critical functions?

A.

Business continuity plan (BCP) testing

B.

Business impact analysis (BIA)

C.

Disaster recovery plan (DRP) testing

D.

Risk assessment

Full Access
Question # 20

Which of the following is MOST important to consider when developing a service level agreement (SLAP)?

A.

Description of the services from the viewpoint of the provider

B.

Detailed identification of work to be completed

C.

Provisions for regulatory requirements that impact the end users ' businesses

D.

Description of the services from the viewpoint of the client organization

Full Access
Question # 21

A project team has decided to switch to an agile approach to develop a replacement for an existing business application. Which of the following should an IS auditor do FIRST to ensure the effectiveness of the protect audit?

A.

Compare the agile process with previous methodology.

B.

Identify and assess existing agile process control

C.

Understand the specific agile methodology that will be followed.

D.

Interview business process owners to compile a list of business requirements

Full Access
Question # 22

An IS auditor has found that a vendor has gone out of business and the escrow has an older version of the source code. What is the auditor ' s BEST recommendation for the organization?

A.

Analyze a new application that moots the current re

B.

Perform an analysis to determine the business risk

C.

Bring the escrow version up to date.

D.

Develop a maintenance plan to support the application using the existing code

Full Access
Question # 23

Which of the following should be the IS auditor ' s PRIMARY focus, when evaluating an organization ' s offsite storage facility?

A.

Shared facilities

B.

Adequacy of physical and environmental controls

C.

Results of business continuity plan (BCP) test

D.

Retention policy and period

Full Access
Question # 24

Which of the following issues identified during a formal review of an organization ' s information security policies presents the GREATEST potential risk to the organization?

A.

The policies are not available to key risk stakeholders.

B.

The policies have not been reviewed by the risk management committee.

C.

The policies are not aligned with the information security risk appetite.

D.

The policies are not based on industry best practices for information security.

Full Access
Question # 25

Which of the following is MOST appropriate to review when determining if the work completed on an IT project is in alignment with budgeted costs?

A.

Return on investment (ROI) analysis

B.

Earned value analysis (EVA)

C.

Financial value analysis

D.

Business impact analysis (BIA)

Full Access
Question # 26

When selecting a new data loss prevention (DLP) solution, the MOST important consideration is that the solution:

A.

is cost effective and meets proposed return on investment (ROI) criteria.

B.

provides comprehensive reporting and alerting features with detailed insights on data movements.

C.

is compatible with legacy IT infrastructure and integrates with other security tools.

D.

identifies and safeguards confidential information from unauthorized transmission.

Full Access
Question # 27

Which of the following is the BEST indication that a software development project is on track to meet its completion deadline?

A.

Technical specifications and development requirements have been agreed upon and formally recorded.

B.

Project plan due dates have been documented for each phase of the software development life cycle.

C.

Issues identified during user acceptance testing (UAT) have been addressed prior to the original implementation date.

D.

The planned software go-live date has been communicated in advance to end users and stakeholders.

Full Access
Question # 28

The PRIMARY reason to assign data ownership for protection of data is to establish:

A.

reliability.

B.

traceability.

C.

authority,

D.

accountability.

Full Access
Question # 29

An organizations audit charier PRIMARILY:

A.

describes the auditors ' authority to conduct audits.

B.

defines the auditors ' code of conduct.

C.

formally records the annual and quarterly audit plans.

D.

documents the audit process and reporting standards.

Full Access
Question # 30

In a 24/7 processing environment, a database contains several privileged application accounts with passwords set to never expire. Which of the following recommendations would BEST address the risk with minimal disruption to the business?

A.

Modify applications to no longer require direct access to the database.

B.

Introduce database access monitoring into the environment

C.

Modify the access management policy to make allowances for application accounts.

D.

Schedule downtime to implement password changes.

Full Access
Question # 31

Which of the following risk scenarios is BEST mitigated through the use of a data loss prevention (DLP) tool?

A.

An employee is sending company documents to an external email to increase productivity.

B.

A former employee retains access to an application that authenticates via single sign-on < SSO).

C.

An employee uses production data in a test environment.

D.

An employee selects the incorrect data classification on documents.

Full Access
Question # 32

An IS auditor is reviewing security controls related to collaboration tools for a business unit responsible for intellectual property and patents. Which of the following observations should be of MOST concern to the auditor?

A.

Training was not provided to the department that handles intellectual property and patents

B.

Logging and monitoring for content filtering is not enabled.

C.

Employees can share files with users outside the company through collaboration tools.

D.

The collaboration tool is hosted and can only be accessed via an Internet browser

Full Access
Question # 33

An IS auditor finds that an organization ' s data loss prevention (DLP) system is configured to use vendor default settings to identify violations. The auditor ' s MAIN concern should be that:

A.

violation reports may not be reviewed in a timely manner.

B.

a significant number of false positive violations may be reported.

C.

violations may not be categorized according to the organization ' s risk profile.

D.

violation reports may not be retained according to the organization ' s risk profile.

Full Access
Question # 34

An organization that has suffered a cyber-attack is performing a forensic analysis of the affected users ' computers. Which of the following should be of GREATEST concern for the IS auditor reviewing this process?

A.

An imaging process was used to obtain a copy of the data from each computer.

B.

The legal department has not been engaged.

C.

The chain of custody has not been documented.

D.

Audit was only involved during extraction of the Information

Full Access
Question # 35

An organization outsourced its IS functions to meet its responsibility for disaster recovery, the organization should:

A.

discontinue maintenance of the disaster recovery plan (DRP >

B.

coordinate disaster recovery administration with the outsourcing vendor

C.

delegate evaluation of disaster recovery to a third party

D.

delegate evaluation of disaster recovery to internal audit

Full Access
Question # 36

Stress testing should ideally be carried out under a:

A.

test environment with production workloads.

B.

test environment with test data.

C.

production environment with production workloads.

D.

production environment with test data.

Full Access
Question # 37

During audit framework. an IS auditor teams that employees are allowed to connect their personal devices to company-owned computers. How can the auditor BEST validate that appropriate security controls are in place to prevent data loss?

A.

Conduct a walk-through to view results of an employee plugging in a device to transfer confidential data.

B.

Review compliance with data loss and applicable mobile device user acceptance policies.

C.

Verify the data loss prevention (DLP) tool is properly configured by the organization.

D.

Verify employees have received appropriate mobile device security awareness training.

Full Access
Question # 38

An IS auditor should ensure that an application ' s audit trail:

A.

has adequate security.

B.

logs ail database records.

C.

Is accessible online

D.

does not impact operational efficiency

Full Access
Question # 39

Which of the following is the MOST effective way to detect as many abnormalities as possible during an IS audit?

A.

Conduct a walk-through of the process.

B.

Perform substantive testing on sampled records.

C.

Perform judgmental sampling of key processes.

D.

Use a data analytics tool to identify trends.

Full Access
Question # 40

An IS auditor is reviewing an organization ' s risk management program. Which of the following should be the PRIMARY driver of the enterprise IT risk appetite?

A.

Strategic objectives

B.

Return on investment (ROI)

C.

Cost of implementing controls

D.

Likelihood of risk events

Full Access
Question # 41

An IS auditor is concerned that unauthorized access to a highly sensitive data center might be gained by piggybacking or tailgating. Which of the following is the BEST recommendation? (Choose Correct answer and give explanation from CISA Certification - Information Systems Auditor official book)

A.

Biometrics

B.

Procedures for escorting visitors

C.

Airlock entrance

D.

Intruder alarms

Full Access
Question # 42

When designing metrics for information security, the MOST important consideration is that the metrics:

A.

conform to industry standards.

B.

apply to all business units.

C.

provide actionable data.

D.

are easy to understand.

Full Access
Question # 43

After areas have been appropriately scoped, what is the IS auditor ' s NEXT step in the selection for sampling?

A.

Define the population for sampling.

B.

Determine the sampling method.

C.

Calculate the sample size.

D.

Pull the sample.

Full Access
Question # 44

Before the release of a new application into an organization’s production environment, which of the following should be in place to ensure that proper testing has occurred and rollback plans are in place?

A.

Change approval board

B.

Standardized change requests

C.

Independent third-party approval

D.

Secure code review

Full Access
Question # 45

Which of the following should an IS auditor recommend be done FIRST when an organization is made aware of a new regulation that is likely to impact IT security requirements?

A.

Update security policies based on the new regulation.

B.

Determine which systems and IT-related processes may be impacted.

C.

Evaluate how security awareness and training content may be impacted.

D.

Review the design and effectiveness of existing IT controls.

Full Access
Question # 46

Which of the following is a PRIMARY benefit of an integrated audit?

A.

It enhances audit quality assurance (QA).

B.

It optimizes audit efforts across various functions.

C.

It ensures the improvement of auditor skills and competencies.

D.

It is suited for different business areas within organizations of any size.

Full Access
Question # 47

Which of the following is the GREATEST advantage of maintaining an internal IS audit function within an organization?

A.

Increased independence and impartiality of recommendations

B.

Better understanding of the business and processes

C.

Ability to negotiate recommendations with management

D.

Increased IS audit staff visibility and availability throughout the year

Full Access
Question # 48

The use of control totals satisfies which of the following control objectives?

A.

Transaction integrity

B.

Processing integrity

C.

Distribution control

D.

System recoverability

Full Access
Question # 49

Which of the following BEST supports the effectiveness of a compliance program?

A.

Implementing an awareness plan regarding compliance regulation requirements

B.

Implementing a governance, risk, and compliance (GRC) tool to track compliance to regulations

C.

Assessing and tracking all compliance audit findings

D.

Monitoring which compliance regulations apply to the organization

Full Access
Question # 50

An IS audit manager was temporarily tasked with supervising a project manager assigned to the organization ' s payroll application upgrade. Upon returning to the audit department, the audit manager has been asked to perform an audit to validate the implementation of the payroll application. The audit manager is the only one in the audit department with IT project management

experience. What is the BEST course of action?

A.

Transfer the assignment to a different audit manager despite lack of IT project management experience.

B.

Outsource the audit to independent and qualified resources.

C.

Manage the audit since there is no one else with the appropriate experience.

D.

Have a senior IS auditor manage the project with the IS audit manager performing final review.

Full Access
Question # 51

While reviewing transactions, an IS auditor discovers inconsistencies in a relational database. Which of the following would be the auditor ' s BEST recommendation?

A.

Update the data dictionary.

B.

Implement edit checks.

C.

Perform data modeling.

D.

Conduct data owner training.

Full Access
Question # 52

To help determine whether a controls-reliant approach to auditing financial systems in a company should be used, which sequence of IS audit work is MOST appropriate?

A.

Review of the general IS controls followed by a review of the application controls

B.

Detailed examination of financial transactions followed by review of the general ledger

C.

Review of major financial applications followed by a review of IT governance processes

D.

Review of application controls followed by a test of key business process controls

Full Access
Question # 53

What is the MOST effective way to detect installation of unauthorized software packages by employees?

A.

Regular scanning of hard drives

B.

Communicating the policy to employees

C.

Logging of activity on the network

D.

Maintaining current antivirus software

Full Access
Question # 54

An organization has implemented a new data classification scheme and asks the IS auditor to evaluate its effectiveness. Which of the following would be of

GREATEST concern to the auditor?

A.

End-user managers determine who should access what information.

B.

The organization has created a dozen different classification categories.

C.

The compliance manager decides how the information should be classified.

D.

The organization classifies most of its information as confidential.

Full Access
Question # 55

Which type of attack poses the GREATEST risk to an organization ' s most sensitive data?

A.

Password attack

B.

Eavesdropping attack

C.

Insider attack

D.

Spear phishing attack

Full Access
Question # 56

An organization relies on an external vendor that uses a cloud-based Software as a Service (SaaS) model to back up its data. Which of the following is the GREATEST risk to the organization related to data backup and retrieval?

A.

The organization may be locked into an unfavorable contract with the vendor.

B.

The vendor may be unable to restore critical data.

C.

The vendor may be unable to restore data by recovery time objective (RTO) requirements.

D.

The organization may not be allowed to inspect the vendor ' s data center.

Full Access
Question # 57

Which of the following is the GREATEST risk of using a reciprocal site for disaster recovery?

A.

Inability to utilize the site when required

B.

Inability to test the recovery plans onsite

C.

Equipment compatibility issues at the site

D.

Mismatched organizational security policies

Full Access
Question # 58

Which type of control has been established when an organization implements a security information and event management (SIEM) system?

A.

Preventive

B.

Detective

C.

Directive

D.

Corrective

Full Access
Question # 59

An IS auditor would MOST likely recommend that IT management use a balanced scorecard to:

A.

indicate whether the organization meets quality standards.

B.

ensure that IT staff meet performance requirements.

C.

train and educate IT staff.

D.

assess IT functions and processes.

Full Access
Question # 60

Which of the following BEST reflects a mature strategic planning process?

A.

Action plans with IT requirements built into all projects

B.

An IT strategic plan with specifications of controls and safeguards

C.

An IT strategic plan that supports the corporate strategy

D.

IT projects from the strategic plan are approved by management

Full Access
Question # 61

Which of the following is an objective of IT project portfolio management?

A.

Successful implementation of projects

B.

Selection of sound, strategically aligned investment opportunities

C.

Validation of business case benefits

D.

Establishment of tracking mechanisms

Full Access
Question # 62

An IS auditor observes that a large number of departed employees have not been removed from the accounts payable system. Which of the following is MOST important to determine in order to assess the risk1?

A.

The frequency of user access reviews performed by management

B.

The frequency of intrusion attempts associated with the accounts payable system

C.

The process for terminating access of departed employees

D.

The ability of departed employees to actually access the system

Full Access
Question # 63

Which of the following is the PRIMARY reason for an IS audit manager to review the work performed by a senior IS auditor prior to presentation of a report?

A.

To ensure the conclusions are adequately supported

B.

To ensure adequate sampling methods were used during fieldwork

C.

To ensure the work is properly documented and filed

D.

To ensure the work is conducted according to industry standards

Full Access
Question # 64

During an audit of payment services of a branch based in a foreign country, a large global bank ' s audit team identifies an opportunity to use data analytics techniques to identify abnormal payments. Which of the following is the team ' s MOST important course of action?

A.

Consult the legal department to understand the procedure for requesting data from a different jurisdiction.

B.

Conduct a walk through of the analytical strategy with stakeholders of the audited branch to obtain their buy-in.

C.

Request the data from the branch as the team audit charter covers the country where it is based.

D.

Agree on a data extraction and sharing strategy with the IT team of the audited branch.

Full Access
Question # 65

Which of the following security measures is MOST important for protecting Internet of Things (IoT) devices from potential cyberattacks?

A.

Logging and monitoring network traffic

B.

Confirming firmware compliance to current security requirements

C.

Changing default passwords

D.

Reviewing and updating the network diagram on a regular basis

Full Access
Question # 66

Which of the following would the IS auditor MOST likely review to determine whether modifications to the operating system parameters were authorized?

A.

Documentation of exit routines

B.

System initialization logs

C.

Change control log

D.

Security system parameters

Full Access
Question # 67

Which of the following metrics BEST demonstrates the effectiveness of an organization’s privacy program?

A.

Percentage of employees who have completed privacy training.

B.

Number of attempted privacy breaches.

C.

Percentage of privacy impact assessments (PIAs) completed.

D.

Number of requests from clients to delete their information.

Full Access
Question # 68

Management receives information indicating a high level of risk associated with potential flooding near the organization ' s data center within the next few years. As a result, a decision has been made to move data center operations to another facility on higher ground. Which approach has been adopted?

A.

Risk avoidance

B.

Risk transfer

C.

Risk acceptance

D.

Risk reduction

Full Access
Question # 69

An IS auditor extracts data from a travel and expenses system to determine whether employees are using the organization’s car for personal use. What type of audit is being performed?

A.

Fraud audit

B.

Financial audit

C.

Functional audit

D.

Compliance audit

Full Access
Question # 70

Which of the following BEST demonstrates alignment of the IT department with the corporate mission?

A.

Analysis of IT department functionality

B.

Biweekly reporting to senior management

C.

Annual board meetings

D.

Quarterly steering committee meetings

Full Access
Question # 71

An IT strategic plan that BEST leverages IT in achieving organizational goals will include:

A.

a comparison of future needs against current capabilities.

B.

a risk-based ranking of projects.

C.

enterprise architecture (EA) impacts.

D.

IT budgets linked to the organization ' s budget.

Full Access
Question # 72

Which of the following will MOST likely compromise the control provided By a digital signature created using RSA encryption?

A.

Reversing the hash function using the digest

B.

Altering the plaintext message

C.

Deciphering the receiver ' s public key

D.

Obtaining the sender ' s private key

Full Access
Question # 73

Which of the following is the PRIMARY objective of implementing privacy-related controls within an organization?

A.

To prevent confidential data loss

B.

To comply with legal and regulatory requirements

C.

To identify data at rest and data in transit for encryption

D.

To provide options to individuals regarding use of their data

Full Access
Question # 74

A new regulation requires organizations to report significant security incidents to the regulator within 24 hours of identification. Which of the following is the IS auditor ' s BEST recommendation to facilitate compliance with the regulation?

A.

Include the requirement in the incident management response plan.

B.

Establish key performance indicators (KPIs) for timely identification of security incidents.

C.

Enhance the alert functionality of the intrusion detection system (IDS).

D.

Engage an external security incident response expert for incident handling.

Full Access
Question # 75

Which of the following should be the PRIMARY focus when communicating an IS audit issue to management?

A.

The risk to which the organization is exposed due to the issue

B.

The nature, extent, and timing of subsequent audit follow-up

C.

How the issue was found and who bears responsibility

D.

A detailed solution for resolving the issue

Full Access
Question # 76

During a follow-up audit, an IS auditor finds that some critical recommendations have not been addressed, as management has decided to accept the risk. Which of the following is the IS auditors BEST course of action?

A.

Require the auditee to address the recommendations in full.

B.

Update the audit program based on management ' s acceptance of risk.

C.

Evaluate senior management ' s acceptance of the risk.

D.

Adjust the annual risk assessment accordingly.

Full Access
Question # 77

Which of the following is the MOST effective way for an organization to help ensure agreed-upon action plans from an IS audit will be implemented?

A.

Ensure sufficient audit resources are allocated,

B.

Communicate audit results organization-wide.

C.

Ensure ownership is assigned.

D.

Test corrective actions upon completion.

Full Access
Question # 78

During the review of a system disruption incident, an IS auditor notes that IT support staff were put in a position to make decisions beyond their level of authority.

Which of the following is the BEST recommendation to help prevent this situation in the future?

A.

Introduce escalation protocols.

B.

Develop a competency matrix.

C.

Implement fallback options.

D.

Enable an emergency access ID.

Full Access
Question # 79

Which of the following would be an IS auditor ' s GREATEST concern when reviewing the organization ' s business continuity plan (BCP)?

A.

The recovery plan does not contain the process and application dependencies.

B.

The duration of tabletop exercises is longer than the recovery point objective (RPO).

C.

The duration of tabletop exercises is longer than the recovery time objective (RTO).

D.

The recovery point objective (RPO) and recovery time objective (R TO) are not the same.

Full Access
Question # 80

Which of the following is MOST helpful in identifying system performance constraints?

A.

Security logs

B.

Directory service logs

C.

Proxy logs

D.

Operational logs

Full Access
Question # 81

Which of the following is MOST important for an IS auditor to assess during a post-implementation review of a newly modified IT application developed in-house?

A.

Sufficiency of implemented controls

B.

Resource management plan

C.

Updates required for end-user manuals

D.

Rollback plans for changes

Full Access
Question # 82

When assessing whether an organization ' s IT performance measures are comparable to other organizations in the same industry, which of the following would be MOST helpful to review?

A.

IT governance frameworks

B.

Benchmarking surveys

C.

Utilization reports

D.

Balanced scorecard

Full Access
Question # 83

Which of the following would be an IS auditor’s GREATEST concern when reviewing the configuration management process?

A.

Use of vendor-supplied baseline documents for configuration change processes.

B.

Lack of management approval for the configuration control process.

C.

Use of commercial software products to automate parts of the configuration management process.

D.

Lack of centralized system documentation for configuration change approvals.

Full Access
Question # 84

Which of the following responses to risk associated with segregation of duties would incur the LOWEST initial cost?

A.

Risk acceptance

B.

Risk mitigation

C.

Risk transference

D.

Risk reduction

Full Access
Question # 85

Which of the following is the MOST significant risk that IS auditors are required to consider for each engagement?

A.

Process and resource inefficiencies

B.

Irregularities and illegal acts

C.

Noncompliance with organizational policies

D.

Misalignment with business objectives

Full Access
Question # 86

Which of the following is the BEST way to ensure an organization ' s data classification policies are preserved during the process of data transformation?

A.

Map data classification controls to data sets.

B.

Control access to extract, transform, and load (ETL) tools.

C.

Conduct a data discovery exercise across all business applications.

D.

Implement classification labels in metadata during data creation.

Full Access
Question # 87

Which of following areas is MOST important for an IS auditor to focus on when reviewing the maturity model for a technology organization?

A.

Standard operating procedures

B.

Service level agreements (SLAs)

C.

Roles and responsibility matrix

D.

Business resiliency

Full Access
Question # 88

Which of the following controls BEST ensures appropriate segregation of dudes within an accounts payable department?

A.

Ensuring that audit trails exist for transactions

B.

Restricting access to update programs to accounts payable staff only

C.

Including the creator ' s user ID as a field in every transaction record created

D.

Restricting program functionality according to user security profiles

Full Access
Question # 89

Several unattended laptops containing sensitive customer data were stolen from personnel offices Which of the following would be an IS auditor ' s BEST recommendation to protect data in case of recurrence?

A.

Encrypt the disk drive.

B.

Require two-factor authentication

C.

Enhance physical security

D.

Require the use of cable locks

Full Access
Question # 90

During the implementation of an enterprise resource planning (ERP) system, an IS auditor is reviewing the results of user acceptance testing (UAT). Which of the following should be the auditor’s PRIMARY focus?

A.

Confirm that all errors have been communicated to end users.

B.

Determine if the business process owner has signed off on the results.

C.

Verify that system integration testing was performed.

D.

Determine if application interfaces have been satisfactorily tested.

Full Access
Question # 91

Retention periods and conditions for the destruction of personal data should be determined by the.

A.

risk manager.

B.

database administrator (DBA).

C.

privacy manager.

D.

business owner.

Full Access
Question # 92

Management has decided to accept a risk in response to a draft audit recommendation. Which of the following should be the IS auditor’s NEXT course of action?

A.

Document management ' s acceptance in the audit report.

B.

Escalate the acceptance to the board.

C.

Ensure a follow-up audit is on next year ' s plan.

D.

Escalate acceptance to the audit committee.

Full Access
Question # 93

In a public key cryptographic system, which of the following is the PRIMARY requirement to address the risk of man-in-the-middle attacks through spoofing?

A.

Strong encryption algorithms

B.

Kerberos authentication

C.

Registration authority

D.

Certificate authority (CA)

Full Access
Question # 94

Which of the following is MOST important for an IS auditor to do during an exit meeting with an auditee?

A.

Ensure that the facts presented in the report are correct

B.

Communicate the recommendations lo senior management

C.

Specify implementation dates for the recommendations.

D.

Request input in determining corrective action.

Full Access
Question # 95

An IS auditor reviewing an organization’s online payment system finds that the system sometimes duplicates payments. Which control will BEST compensate for this weakness?

A.

Manually receipting payments.

B.

Using hash totals.

C.

Using control totals.

D.

Performing a bank reconciliation.

Full Access
Question # 96

When is it MOST important for an IS auditor to apply the concept of materiality in an audit?

A.

When planning an audit engagement

B.

When gathering information for the fieldwork

C.

When a violation of a regulatory requirement has been identified

D.

When evaluating representations from the auditee

Full Access
Question # 97

Which of the following is MOST important to ensure that electronic evidence collected during a forensic investigation will be admissible in future legal proceedings?

A.

Restricting evidence access to professionally certified forensic investigators

B.

Documenting evidence handling by personnel throughout the forensic investigation

C.

Performing investigative procedures on the original hard drives rather than images of the hard drives

D.

Engaging an independent third party to perform the forensic investigation

Full Access
Question # 98

During an audit of a reciprocal disaster recovery agreement between two companies, the IS auditor would be MOST concerned with the:

A.

allocation of resources during an emergency.

B.

frequency of system testing.

C.

differences in IS policies and procedures.

D.

maintenance of hardware and software compatibility.

Full Access
Question # 99

Which of the following is the PRIMARY reason for implementing continuous auditing?

A.

Evidence is reviewed for completeness and accuracy.

B.

Management is aware of issues in real time.

C.

It is incorporated into continuous monitoring activities.

D.

Risks are identified in a timely manner.

Full Access
Question # 100

Which of the following is the BEST source of organizational direction on when to use cloud services?

A.

Enterprise architecture (EA)

B.

Business continuity plans (BCPs)

C.

Availability requirements

D.

Cloud regulations

Full Access
Question # 101

An IS auditor is reviewing the disaster recovery plan (DRP) of an organization with offices across multiple regions. Which of the following should be the auditor ' s PRIMARY focus?

A.

Recovery point objective (RPO) monitoring

B.

Processes and system dependencies

C.

Disaster recovery training

D.

Data backup and storage changes

Full Access
Question # 102

Which of the following methods provides the MOST reliable audit evidence?

A.

Inquiry

B.

Management attestation

C.

Re-performance of controls

D.

Observation

Full Access
Question # 103

An organization plans to replace its nightly batch processing backup to magnetic tape with real-time replication to a second data center. Which of the following is the GREATEST risk associated with this change?

A.

Version control issues

B.

Reduced system performance

C.

Inability to recover from cybersecurity attacks

D.

Increase in IT investment cost

Full Access
Question # 104

Which of the following is the MOST effective control to mitigate unintentional misuse of authorized access?

A.

Annual sign-off of acceptable use policy

B.

Regular monitoring of user access logs

C.

Security awareness training

D.

Formalized disciplinary action

Full Access
Question # 105

An IS auditor is assigned to perform a post-implementation review of an application system. Which of the following would impair the auditor’s independence?

A.

The auditor implemented a specific control during the development of the system.

B.

The auditor participated as a member of the project team without operational responsibilities.

C.

The auditor provided advice concerning best practices.

D.

The auditor designed an embedded audit module exclusively for audit.

Full Access
Question # 106

Which of the following should be of MOST concern to an IS auditor reviewing the information systems acquisition, development, and implementation process?

A.

Data owners are not trained on the use of data conversion tools.

B.

A post-implementation lessons-learned exercise was not conducted.

C.

There is no system documentation available for review.

D.

System deployment is routinely performed by contractors.

Full Access
Question # 107

Secure code reviews as part of a continuous deployment program are which type of control?

A.

Detective

B.

Logical

C.

Preventive

D.

Corrective

Full Access
Question # 108

To ensure the organization is able to centrally manage mobile devices to protect against data disclosure, it is MOST important for an IS auditor to determine whether:

A.

A mobile security awareness training program exists.

B.

Incident statistics are regularly provided to management.

C.

Remote wipe functionality is enabled on mobile devices.

D.

Lost mobile devices can be located remotely.

Full Access
Question # 109

Which of the following helps to ensure the integrity of data for a system interface?

A.

System interface testing

B.

user acceptance testing (IJAT)

C.

Validation checks

D.

Audit logs

Full Access
Question # 110

A system administrator recently informed the IS auditor about the occurrence of several unsuccessful intrusion attempts from outside the organization. Which of the following is MOST effective in detecting such an intrusion?

A.

Periodically reviewing log files

B.

Configuring the router as a firewall

C.

Using smart cards with one-time passwords

D.

Installing biometrics-based authentication

Full Access
Question # 111

Transaction records from a business database were inadvertently deleted, and system operators decided to restore from a snapshot copy. Which of the following provides assurance that the BEST transactions were recovered successfully?

A.

Review transaction recovery logs to ensure no errors were recorded.

B.

Recount the transaction records to ensure no records are missing.

C.

Rerun the process on a backup machine to verify the results are the same.

D.

Compare transaction values against external statements to verify accuracy.

Full Access
Question # 112

During the discussion of a draft audit report. IT management provided suitable evidence fiat a process has been implemented for a control that had been concluded by the IS auditor as Ineffective. Which of the following is the auditor ' s BEST action?

A.

Explain to IT management that the new control will be evaluated during follow-up

B.

Re-perform the audit before changing the conclusion.

C.

Change the conclusion based on evidence provided by IT management.

D.

Add comments about the action taken by IT management in the report.

Full Access
Question # 113

Which of the following is the BEST indication that an information security awareness program is effective?

A.

A reduction in the number of reported information security incidents

B.

A reduction in the success rate of social engineering attacks

C.

A reduction in the cost of maintaining the information security program

D.

A reduction in the number of information security attacks

Full Access
Question # 114

While conducting a follow-up on an asset management audit, the IS auditor finds paid invoices for IT devices not recorded in the organization ' s inventory. Which of the following is the auditor ' s BEST course of action?

A.

Ask the asset management staff where the devices are.

B.

Alert both audit and operations management about the discrepancy.

C.

Ignore the invoices since they are not part of the follow-up.

D.

Make a note of the evidence to include it in the scope of a future audit.

Full Access
Question # 115

When reviewing the disaster recovery strategy, IT management identified an application that requires a short recovery point objective (RPO). Which of the following data restoration strategies would BEST enable the organization to meet this objective?

A.

Snapshots

B.

Mirroring

C.

Log shipping

D.

Data backups

Full Access
Question # 116

An IS auditor wants to determine who has oversight of staff performing a specific task and is referencing the organization ' s RACI chart. Which of the following roles within the chart would provide this information?

A.

Consulted

B.

Informed

C.

Responsible

D.

Accountable

Full Access
Question # 117

A KEY benefit of integrated auditing is that it:

A.

Facilitates the business in reviewing its control environment.

B.

Enables continuous auditing and monitoring.

C.

Improves the review of audit work by team leaders.

D.

Combines skill sets from operational, functional, and IS auditors.

Full Access
Question # 118

As part of business continuity planning, which of the following is MOST important to assess when conducting a business impact analysis (B1A)?

A.

Risk appetite

B.

Critical applications m the cloud

C.

Completeness of critical asset inventory

D.

Recovery scenarios

Full Access
Question # 119

Capacity management enables organizations to:

A.

forecast technology trends

B.

establish the capacity of network communication links

C.

identify the extent to which components need to be upgraded

D.

determine business transaction volumes.

Full Access
Question # 120

Which of the following risks is BEST mitigated by implementing an automated three-way match?

A.

Inaccurate customer records

B.

Purchase order delays

C.

lnaccurate customer discounts

D.

Invalid payment processing

Full Access
Question # 121

An IS auditor is assessing backup performance and observes that the system administrator manually initiates backups during unexpected peak usage. Which of the following is the auditor ' s BEST course of action?

A.

Review separation of duties documentation.

B.

Verify the load balancer configuration.

C.

Recommend using cloud-based backups.

D.

Inspect logs to verify timely execution of backups.

Full Access
Question # 122

An IS auditor has discovered that a software system still in regular use is years out of date and no longer supported. The auditee has stated that it will take six months until the software is running on the current version. Which of the following is the BEST way to reduce the immediate risk associated with using an unsupported version of the software?

A.

Verify all patches have been applied to the software system ' s outdated version.

B.

Close all unused ports on the outdated software system.

C.

Monitor network traffic attempting to reach the outdated software system.

D.

Segregate the outdated software system from the main network.

Full Access
Question # 123

Management has requested a post-implementation review of a newly implemented purchasing package to determine to what extent business requirements are being met. Which of the following is MOST likely to be assessed?

A.

Purchasing guidelines and policies

B.

Implementation methodology

C.

Results of line processing

D.

Test results

Full Access
Question # 124

Which of the following is an IS auditor’s BEST approach when low-risk anomalies have been identified?

A.

Reprioritize further testing of the anomalies and refocus on issues with higher risk

B.

Update the audit plan to include the information collected during the audit

C.

Ask auditees to promptly remediate the anomalies

D.

Document the anomalies in audit workpapers

Full Access
Question # 125

During the course of an IS audit, management verbally agreed with an issue identified by the IS auditor. However, when presented in a draft report, management disagreed with the finding. What should the auditor do NEXT?

A.

Rewrite the finding according to management’s suggestion.

B.

Discontinue further consultation and issue a final report as written.

C.

Provide evidence for the finding and request a follow-up meeting.

D.

Report the matter immediately to the chair of the audit committee.

Full Access
Question # 126

Which of the following should be considered when examining fire suppression systems as part of a data center environmental controls review?

A.

Installation manuals

B.

Onsite replacement availability

C.

Insurance coverage

D.

Maintenance procedures

Full Access
Question # 127

Which of the following should be the MOST important consideration when conducting a review of IT portfolio management?

A.

Assignment of responsibility for each project to an IT team member

B.

Adherence to best practice and industry approved methodologies

C.

Controls to minimize risk and maximize value for the IT portfolio

D.

Frequency of meetings where the business discusses the IT portfolio

Full Access
Question # 128

Which of the following would be the GREATEST concern to an IS auditor when reviewing the outsourcing contract for an organization ' s cloud service provider?

A.

There is no change management process defined in the contract.

B.

There are no procedures for incident escalation.

C.

There is no dispute resolution process defined in the contract.

D.

There is no right-to-audit clause defined in the contract.

Full Access
Question # 129

An audit identified that a computer system is not assigning sequential purchase order numbers to order requests. The IS auditor is conducting an audit follow-up to determine if management has reserved this finding. Which of two following is the MOST reliable follow-up procedure?

A.

Review the documentation of recant changes to implement sequential order numbering.

B.

Inquire with management if the system has been configured and tested to generate sequential order numbers.

C.

Inspect the system settings and transaction logs to determine if sequential order numbers are generated.

D.

Examine a sample of system generated purchase orders obtained from management

Full Access
Question # 130

Which of the following is the MOST important consideration when implementing a Zero Trust strategy for mobile, wireless, and Internet of Things (IoT) devices?

A.

Ensuring the latest firmware updates are applied regularly to all devices

B.

Validating the identity of all devices and users before granting access to resources

C.

Focusing on user training and awareness to prevent phishing attacks

D.

Implementing strong encryption protocols for data in transit and at rest

Full Access
Question # 131

Which of the following is the BEST way to sanitize a hard disk for reuse to ensure the organization ' s information cannot be accessed?

A.

Re-partitioning

B.

Degaussing

C.

Formatting

D.

Data wiping

Full Access
Question # 132

Which of the following provides the BEST evidence of the validity and integrity of logs in an organization ' s security information and event management (SIEM) system?

A.

Compliance testing

B.

Stop-or-go sampling

C.

Substantive testing

D.

Variable sampling

Full Access
Question # 133

A sample for testing must include the 80 largest client balances and a random sample of the rest. What should the IS auditor recommend?

A.

Query the database.

B.

Develop an integrated test facility (ITF).

C.

Use generalized audit software.

D.

Leverage a random number generator.

Full Access
Question # 134

Which of the following is the MOST important privacy consideration for an organization that uses a cloud service provider to process customer data?

A.

Data privacy must be managed in accordance with the regulations applicable to the organization.

B.

Data privacy must be monitored in accordance with industry standards and best practices.

C.

No personal information may be transferred to the service provider without notifying the customer.

D.

Customer data transferred to the service provider must be reported to the regulatory authority.

Full Access
Question # 135

What is the GREATEST concern for an IS auditor reviewing contracts for licensed software that executes a critical business process?

A.

The contract does not contain a right-to-audit clause.

B.

An operational level agreement (OLA) was not negotiated.

C.

Several vendor deliverables missed the commitment date.

D.

Software escrow was not negotiated.

Full Access
Question # 136

An IS auditor observes that a business-critical application does not currently have any level of fault tolerance. Which of the following is the GREATEST concern with this situation?

A.

Degradation of services

B.

Limited tolerance for damage

C.

Decreased mean time between failures (MTBF)

D.

Single point of failure

Full Access
Question # 137

Which of the following should be the FIRST step in the incident response process for a suspected breach?

A.

Inform potentially affected customers of the security breach

B.

Notify business management of the security breach.

C.

Research the validity of the alerted breach

D.

Engage a third party to independently evaluate the alerted breach.

Full Access
Question # 138

What should be the PRIMARY focus during a review of a business process improvement project?

A.

Business project plan

B.

Continuous monitoring plans

C.

The cost of new controls

D.

Business impact

Full Access
Question # 139

Which of the following findings from a network security review presents the GREATEST risk to the organization?

A.

There are shared administrator accounts on internet-facing routers.

B.

An internet server in the demilitarized zone (DMZ) hosts a test web page.

C.

Operating system patches released last week have not been applied.

D.

The intrusion detection system (IDS) has pending updates from within the last week.

Full Access
Question # 140

Which of the following is the PRIMARY reason an IS auditor should discuss observations with management before delivering a final report?

A.

Validate the audit observations_

B.

Identify business risks associated with the observations.

C.

Assist the management with control enhancements.

D.

Record the proposed course of corrective action.

Full Access
Question # 141

Which of the following is the GREATEST concern when applying emergency patches?

A.

A change record may not be properly maintained.

B.

Temporary administrative permissions may be needed to apply patches.

C.

Patch-related risk may not be adequately assessed.

D.

Documented approvals may not be required before applying the emergency patch.

Full Access
Question # 142

An IS auditor concludes that logging and monitoring mechanisms within an organization are ineffective because critical servers are not included within the central log repository. Which of the following audit procedures would have MOST likely identified this exception?

A.

Inspecting a sample of alerts generated from the central log repository

B.

Comparing a list of all servers from the directory server against a list of all servers present in the central log repository

C.

Inspecting a sample of alert settings configured in the central log repository

D.

Comparing all servers included in the current central log repository with the listing used for the prior-year audit

Full Access
Question # 143

Which of the following should an IS auditor be MOST concerned with during a post-implementation review?

A.

The system does not have a maintenance plan.

B.

The system contains several minor defects.

C.

The system deployment was delayed by three weeks.

D.

The system was over budget by 15%.

Full Access
Question # 144

Which of the following must be in place before an IS auditor initiates audit follow-up activities?

A.

Available resources for the activities included in the action plan

B.

A management response in the final report with a committed implementation date

C.

A heal map with the gaps and recommendations displayed in terms of risk

D.

Supporting evidence for the gaps and recommendations mentioned in the audit report

Full Access
Question # 145

Which of the following BEST enables an organization to improve the visibility of end-user computing (EUC) applications that support regulatory reporting?

A.

EUC inventory

B.

EUC availability controls

C.

EUC access control matrix

D.

EUC tests of operational effectiveness

Full Access
Question # 146

A checksum is classified as which type of control?

A.

Detective control

B.

Preventive control

C.

Corrective control

D.

Administrative control

Full Access
Question # 147

Which of the following is the BEST method to prevent wire transfer fraud by bank employees?

A.

Independent reconciliation

B.

Re-keying of wire dollar amounts

C.

Two-factor authentication control

D.

System-enforced dual control

Full Access
Question # 148

Which of the following is the MOST effective way for an IS auditor to ensure information is preserved when conducting a forensic investigation?

A.

Harden computer hardware and software.

B.

Image residual data and deleted files.

C.

Encode system logs and intrusion detection system (IDS) logs.

D.

Document all application programming interface (API) connections with third parties.

Full Access
Question # 149

An IS auditor is planning a review of an organizations cybersecurity incident response maturity Which of the following methodologies would provide the MOST reliable conclusions?

A.

Judgmental sampling

B.

Data analytics testing

C.

Variable sampling

D.

Compliance testing

Full Access
Question # 150

Which of the following BEST enables an IS auditor to confirm the batch processing to post transactions from an input source is successful?

A.

Error log review

B.

Total number of items

C.

Hash totals

D.

Aggregate monetary amount

Full Access
Question # 151

Which of the following provides the MOST assurance over the completeness and accuracy ol loan application processing with respect to the implementation of a new system?

A.

Comparing code between old and new systems

B.

Running historical transactions through the new system

C.

Reviewing quality assurance (QA) procedures

D.

Loading balance and transaction data to the new system

Full Access
Question # 152

Which of the following is the BEST reason for an IS auditor to emphasize to management the importance of using an IT governance framework?

A.

Frameworks enable IT benchmarks against competitors

B.

Frameworks can be tailored and optimized for different organizations

C.

Frameworks help facilitate control self-assessments (CSAs)

D.

Frameworks help organizations understand and manage IT risk

Full Access
Question # 153

Which of the following is the MOST effective way to ensure adequate system resources are available for high-priority activities?

A.

System virtualization

B.

Job scheduling

C.

Zero Trust

D.

Code optimization

Full Access
Question # 154

When developing customer-facing IT applications, in which stage of the system development life cycle (SDLC) is it MOST beneficial to consider data privacy principles?

A.

Systems design and architecture

B.

Software selection and acquisition

C.

User acceptance testing (UAT)

D.

Requirements definition

Full Access
Question # 155

Which of the following is MOST important for an IS auditor to validate when auditing network device management?

A.

Devices cannot be accessed through service accounts.

B.

Backup policies include device configuration files.

C.

All devices have current security patches assessed.

D.

All devices are located within a protected network segment.

Full Access
Question # 156

The PRIMARY reason to perform a capacity management review of technology resources is to ensure that:

A.

infrastructure and processes can meet current and future business needs.

B.

available capacity is operated in a secure and compliant manner.

C.

technology resource acquisitions align with current needed capacity.

D.

technology resource capacity requirements are properly defined.

Full Access
Question # 157

Which of the following is the BEST way to prevent social engineering incidents?

A.

Maintain an onboarding and annual security awareness program.

B.

Ensure user workstations are running the most recent version of antivirus software.

C.

Include security responsibilities in job descriptions and require signed acknowledgment.

D.

Enforce strict email security gateway controls

Full Access
Question # 158

An IS auditor has been asked to review the integrity of data transfer between two business-critical systems that have not been tested since implementation. Which of the following would provide the MOST useful information to plan an audit?

A.

Quality assurance (QA) testing

B.

System change logs

C.

IT testing policies and procedures

D.

Previous system interface testing records

Full Access
Question # 159

When evaluating whether the expected benefits of a project have been achieved, it is MOST important for an IS auditor to review:

A.

The business case.

B.

The project schedule.

C.

Proposed enhancements.

D.

Quality assurance (QA) results.

Full Access
Question # 160

What is the PRIMARY purpose of performing a parallel run of a now system?

A.

To train the end users and supporting staff on the new system

B.

To verify the new system provides required business functionality

C.

To reduce the need for additional testing

D.

To validate the new system against its predecessor

Full Access
Question # 161

An IS auditor is conducting a physical security audit of a healthcare facility and finds closed-circuit television (CCTV) systems located in a patient care area. Which of the following is the GREATEST concern?

A.

Cameras are not monitored 24/7.

B.

There are no notices indicating recording IS in progress.

C.

The retention period for video recordings is undefined

D.

There are no backups of the videos.

Full Access
Question # 162

A bank has a combination of corporate customer accounts (higher monetary value) and small business accounts (lower monetary value) as part of online banking. Which of the following is the BEST sampling approach for an IS auditor to use for these accounts?

A.

Difference estimation sampling

B.

Stratified mean per unit sampling

C.

Customer unit sampling

D.

Unstratified mean per unit sampling

Full Access
Question # 163

Control self-assessments (CSAs) can be used to:

A.

Determine the value of assets.

B.

Establish baselines.

C.

Evaluate strategic business goals.

D.

Replace audits.

Full Access
Question # 164

Which of the following should be of MOST concern to an IS auditor reviewing the public key infrastructure (PKI) for enterprise email?

A.

The certificate revocation list has not been updated.

B.

The PKI policy has not been updated within the last year.

C.

The private key certificate has not been updated.

D.

The certificate practice statement has not been published

Full Access
Question # 165

Which of the following is the BEST source of information tor an IS auditor to use when determining whether an organization ' s information security policy is adequate?

A.

Information security program plans

B.

Penetration test results

C.

Risk assessment results

D.

Industry benchmarks

Full Access
Question # 166

Which of the following features of a library control software package would protect against unauthorized updating of source code?

A.

Required approvals at each life cycle step

B.

Date and time stamping of source and object code

C.

Access controls for source libraries

D.

Release-to-release comparison of source code

Full Access
Question # 167

IT management has accepted the risk associated with an IS auditor ' s finding due to the cost and complexity of the corrective actions. Which of the following should be the auditor ' s NEXT course of action?

A.

Perform a cost-benefit analysis.

B.

Document and inform the audit committee.

C.

Report the finding to external regulators.

D.

Notify senior management.

Full Access
Question # 168

Which of the following is MOST important to include in a feasibility study when developing a business case for an IT investment?

A.

An analysis of costs and benefits associated with proposed solutions

B.

Availability of IT resources proposed for the project

C.

Evidence that all possible risk scenarios have been considered

D.

Key stakeholders responsible for review and approval of proposed solutions

Full Access
Question # 169

Which of the following is the GREATEST risk associated with lack of IT involvement in the organization ' s strategic planning initiatives?

A.

Business strategies may not align with IT capabilities.

B.

Business strategies may not consider emerging technologies.

C.

IT strategies may not align with business strategies.

D.

IT strategic goals may not be considered by the business.

Full Access
Question # 170

Which of the following should an IS auditor review when evaluating information systems governance for a large organization?

A.

Approval processes for new system implementations

B.

Procedures for adding a new user to the invoice processing system

C.

Approval processes for updating the corporate website

D.

Procedures for regression testing system changes

Full Access
Question # 171

An IS auditor has discovered that a software system still in regular use is outdated and no longer supported. Which of the following is the BEST way to reduce the immediate risk associated with using an unsupported version of the software?

A.

Verify all patches have been applied to the outdated software system.

B.

Encrypt network traffic to the outdated software system.

C.

Isolate the outdated software system from the main network.

D.

Close all unused ports on the outdated software system.

Full Access
Question # 172

Which of the following controls is MOST crucial to ensure an organization will be able to recover its data from backup media in the event of a disaster?

A.

Storing backup media at an offsite facility

B.

Keeping a current inventory of backup media

C.

Periodically restoring backup media for key databases

D.

Encrypting data on backup media

Full Access
Question # 173

An organization ' s security policy mandates that all new employees must receive appropriate security awareness training. Which of the following metrics would BEST assure compliance with this policy?

A.

Percentage of new hires that have completed the training.

B.

Number of new hires who have violated enterprise security policies.

C.

Number of reported incidents by new hires.

D.

Percentage of new hires who report incidents

Full Access
Question # 174

An organization has partnered with a third party to transport backup drives to an offsite storage facility. Which of the following is MOST important before sending the drives?

A.

Creating a chain of custody to accompany the drive in transit

B.

Ensuring data protection is aligned with the data classification policy

C.

Encrypting the drive with strong protection standards

D.

Ensuring the drive is placed in a tamper-evident mechanism

Full Access
Question # 175

Which of the following observations should be of GREATEST concern to an IS auditor performing an audit of change and release management controls for a new complex system developed by a small in-house IT team?

A.

Access to change testing strategy and results is not restricted to staff outside the IT team.

B.

Some user acceptance testing (IJAT) was completed by members of the IT team.

C.

IT administrators have access to the production and development environment

D.

Post-implementation testing is not conducted for all system releases.

Full Access
Question # 176

Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization ' s information security policy?

A.

IT steering committee minutes

B.

Business objectives

C.

Alignment with the IT tactical plan

D.

Compliance with industry best practice

Full Access
Question # 177

Which type of attack targets security vulnerabilities in web applications to gain access to data sets?

A.

Denial of service (DOS)

B.

SQL injection

C.

Phishing attacks

D.

Rootkits

Full Access
Question # 178

In an area susceptible to unexpected increases in electrical power, which of the following would MOST effectively protect the system?

A.

Generator

B.

Voltage regulator

C.

Circuit breaker

D.

Alternate power supply line

Full Access
Question # 179

What is the BEST way to reduce the risk of inaccurate or misleading data proliferating through business intelligence systems?

A.

Establish rules for converting data from one format to another

B.

Implement data entry controls for new and existing applications

C.

Implement a consistent database indexing strategy

D.

Develop a metadata repository to store and access metadata

Full Access
Question # 180

An IS auditor is reviewing a contract for the outsourcing of IT facilities. If missing, which of the following should present the GREATEST concern to the auditor?

A.

Hardware configurations

B.

Access control requirements

C.

Help desk availability

D.

Perimeter network security diagram

Full Access
Question # 181

Which of the following is the BEST method for converting system-generated log files into a format suitable for data analysis?

A.

Extraction

B.

Data acquisition

C.

Imaging

D.

Normalization

Full Access
Question # 182

An IS auditor discovers that due to resource constraints a database administrator (DBA) is responsible for developing and executing changes into the production environment Which ot the following should the auditor do FIRSTS

A.

Determine whether another DBA could make the changes

B.

Report a potential segregation of duties violation

C.

identify whether any compensating controls exist

D.

Ensure a change management process is followed prior to implementation

Full Access
Question # 183

Which of the following is the GREATEST risk associated with hypervisors in virtual environments?

A.

Availability issues

B.

Virtual sprawl

C.

Single point of failure

D.

Lack of patches

Full Access
Question # 184

Which of the following BEST describes an audit risk?

A.

The company is being sued for false accusations.

B.

The financial report may contain undetected material errors.

C.

Employees have been misappropriating funds.

D.

Key employees have not taken vacation for 2 years.

Full Access
Question # 185

An IS auditor follows up on a recent security incident and finds the incident response was not adequate. Which of the following findings should be considered MOST critical?

A.

The security weakness facilitating the attack was not identified.

B.

The attack was not automatically blocked by the intrusion detection system (IDS).

C.

The attack could not be traced back to the originating person.

D.

Appropriate response documentation was not maintained.

Full Access
Question # 186

When assessing the overall effectiveness of an organization ' s disaster recovery planning process, which of the following is MOST important for the IS auditor to verify?

A.

Management contracts with a third party for warm site services.

B.

Management schedules an annual tabletop exercise.

C.

Management documents and distributes a copy of the plan to all personnel.

D.

Management reviews and updates the plan annually or as changes occur.

Full Access
Question # 187

Which of the following is the MOST reliable way for an IS auditor to evaluate the operational effectiveness of an organization ' s data loss prevention (DLP) controls?

A.

Verify that confidential files cannot be transmitted to a personal USB device.

B.

Conduct interviews to identify possible data protection vulnerabilities.

C.

Review data classification levels based on industry best practice.

D.

Verify that current DLP software is installed on all computer systems.

Full Access
Question # 188

An organization has recently become aware of a pervasive chip-level security vulnerability that affects all of its processors. Which of the following is the BEST way to prevent this vulnerability from being exploited?

A.

Implement security awareness training.

B.

Install vendor patches

C.

Review hardware vendor contracts.

D.

Review security log incidents.

Full Access
Question # 189

When physical destruction IS not practical, which of the following is the MOST effective means of disposing of sensitive data on a hard disk?

A.

Overwriting multiple times

B.

Encrypting the disk

C.

Reformatting

D.

Deleting files sequentially

Full Access
Question # 190

An organization has virtualized its server environment without making any other changes to the network or security infrastructure. Which of the following is the MOST significant risk?

A.

Inability of the network intrusion detection system (IDS) to monitor virtual server-lo-server communications

B.

Vulnerability in the virtualization platform affecting multiple hosts

C.

Data center environmental controls not aligning with new configuration

D.

System documentation not being updated to reflect changes in the environment

Full Access
Question # 191

An IS auditor is reviewing the backup procedures in an organization that has high volumes of data with frequent changes to transactions. Which of the following is the BEST backup scheme to recommend given the need for a shorter restoration time in the event of a disruption?

A.

Differential backup

B.

Full backup

C.

Incremental backup

D.

Mirror backup

Full Access
Question # 192

Which of the following should be restricted from a network administrator ' s privileges in an adequately segregated IT environment?

A.

Monitoring network traffic

B.

Changing existing configurations for applications

C.

Hardening network ports

D.

Ensuring transmission protocols are functioning correctly

Full Access
Question # 193

An IS auditor is reviewing a machine learning algorithm-based system for loan approvals and is preparing a data set to test the algorithm for bias. Which of the following is MOST important for the auditor’s test data set to include?

A.

Applicants of all ages

B.

Applicants from a range of geographic areas and income levels

C.

Incomplete records and incorrectly formatted data

D.

Duplicate records

Full Access
Question # 194

The decision to accept an IT control risk related to data quality should be the responsibility of the:

A.

information security team.

B.

IS audit manager.

C.

chief information officer (CIO).

D.

business owner.

Full Access
Question # 195

An IS auditor is reviewing the operational database management of an organization that uses cloud systems for hosting. Which of the following should be the auditor ' s PRIMARY area of focus?

A.

Cloud vendor security certifications

B.

Auto-scaling of provisioning costs

C.

Security settings configuration

D.

Large-scale data transfers

Full Access
Question # 196

Which of the following environments is BEST used for copying data and transformation into a compatible data warehouse format?

A.

Testing

B.

Replication

C.

Staging

D.

Development

Full Access
Question # 197

An IS auditor finds that a number of key patches have not been applied in a timely manner due to re-source constraints. Which of the following is the GREATEST risk to the organization in this

situation?

A.

Systems may not be supported by the vendor.

B.

Known security vulnerabilities may not be mitigated.

C.

Different systems may not be compatible.

D.

The systems may not meet user requirements.

Full Access
Question # 198

Who is PRIMARILY responsible for the design of IT controls to meet control objectives?

A.

Business management

B.

Internal auditor

C.

Risk management

D.

ITC manager

Full Access
Question # 199

Which of the following is the GREATEST risk of project dashboards being set without sufficiently defined criteria?

A.

Adverse findings from internal and external auditors

B.

Lack of project portfolio status oversight

C.

Lack of alignment of project status reports

D.

Inadequate decision-making and prioritization

Full Access
Question # 200

The use of which of the following would BEST enhance a process improvement program?

A.

Model-based design notations

B.

Balanced scorecard

C.

Capability maturity models

D.

Project management methodologies

Full Access
Question # 201

Which of the following is the BEST control lo mitigate attacks that redirect Internet traffic to an unauthorized website?

A.

Utilize a network-based firewall.

B.

Conduct regular user security awareness training.

C.

Perform domain name system (DNS) server security hardening.

D.

Enforce a strong password policy meeting complexity requirement.

Full Access
Question # 202

The IS quality assurance (OA) group is responsible for:

A.

ensuring that program changes adhere to established standards.

B.

designing procedures to protect data against accidental disclosure.

C.

ensuring that the output received from system processing is complete.

D.

monitoring the execution of computer processing tasks.

Full Access
Question # 203

Following a security breach in which a hacker exploited a well-known vulnerability in the domain controller, an IS audit has been asked to conduct a control assessment. the auditor ' s BEST course of action would be to determine if:

A.

the patches were updated.

B.

The logs were monitored.

C.

The network traffic was being monitored.

D.

The domain controller was classified for high availability.

Full Access
Question # 204

Which of the following observations should be of GREATEST concern to an IS auditor reviewing an organization ' s enterprise architecture (EA) program?

A.

IT application owners have sole responsibility for architecture approval.

B.

The architecture review board is chaired by the CIO.

C.

Information security requirements are reviewed by the EA program.

D.

The EA program governs projects that are not IT-related.

Full Access
Question # 205

Which of the following provides a new IS auditor with the MOST useful information to evaluate overall IT performance?

A.

IT value analysis

B.

Prior audit reports

C.

IT balanced scorecard

D.

Vulnerability assessment report

Full Access
Question # 206

Results from which of the following would BEST provide assurance to a governing body that an organization’s information system controls have been reviewed objectively?

A.

Administrative audit.

B.

External audit.

C.

Forensic audit.

D.

Internal audit.

Full Access
Question # 207

During a routine internal software licensing review, an IS auditor discovers instances where employees shared license keys to critical pieces of business software. Which of the following would be the auditor ' s BEST course of action?

A.

Recommend the utilization of software licensing monitoring tools

B.

Recommend the purchase of additional software license keys

C.

Validate user need for shared software licenses

D.

Verify whether the licensing agreement allows shared use

Full Access
Question # 208

An IS auditor requests direct access to data required to perform audit procedures instead of asking management to provide the data Which of the following is the PRIMARY advantage of this approach?

A.

Audit transparency

B.

Data confidentiality

C.

Professionalism

D.

Audit efficiency

Full Access
Question # 209

Which of the following should an organization do FIRST when an employee is terminated for fraudulent activity?

A.

Review transactions approved by the employee.

B.

Escort the employee off the premises.

C.

Disable the employee’s logical access.

D.

Back up the employee’s hard drive.

Full Access
Question # 210

Data Loss Prevention (DLP) tools provide the MOST protection against:

A.

The installation of unknown malware.

B.

Malicious programs running on organizational systems.

C.

The downloading of sensitive information to devices by employees.

D.

The sending of corrupt data files to external parties via email.

Full Access
Question # 211

An IS auditor reviewing security incident processes realizes incidents are resolved and closed, but root causes are not investigated. Which of the following should be the MAJOR concern with this situation?

A.

Abuses by employees have not been reported.

B.

Lessons learned have not been properly documented

C.

vulnerabilities have not been properly addressed

D.

Security incident policies are out of date.

Full Access
Question # 212

Which of the following is the MOST efficient way to identify segregation of duties violations in a new system?

A.

Review a report of security rights in the system.

B.

Observe the performance of business processes.

C.

Develop a process to identify authorization conflicts.

D.

Examine recent system access rights violations.

Full Access
Question # 213

An employee loses a mobile device resulting in loss of sensitive corporate data. Which o( the following would have BEST prevented data leakage?

A.

Data encryption on the mobile device

B.

Complex password policy for mobile devices

C.

The triggering of remote data wipe capabilities

D.

Awareness training for mobile device users

Full Access
Question # 214

Which of the following is a detective control?

A.

Programmed edit checks for data entry

B.

Backup procedures

C.

Use of pass cards to gain access to physical facilities

D.

Verification of hash totals

Full Access
Question # 215

Coding standards provide which of the following?

A.

Program documentation

B.

Access control tables

C.

Data flow diagrams

D.

Field naming conventions

Full Access
Question # 216

Which of the following presents the GREATEST risk to an organization ' s ability to manage quality control (QC) processes?

A.

Lack of segregation of duties

B.

Lack of a dedicated QC function

C.

Lack of policies and procedures

D.

Lack of formal training and attestation

Full Access
Question # 217

A staff accountant regularly uploads spreadsheets with inventory levels to the organization ' s financial reporting system. The transfers are executed through a customized interface created by an in-house developer. Which of the following is MOST important for the IS auditor to confirm during a review of the interface?

A.

The data in the spreadsheet is correctly recorded in the financial system.

B.

The financial system transfers are performed by the accountant at predefined intervals.

C.

The spreadsheets do not contain malware or malicious macros.

D.

The data transfer connection does not support full duplex communication.

Full Access
Question # 218

An IS auditor is reviewing processes for importing market price data from external data providers. Which of the following findings should the auditor consider MOST critical?

A.

The quality of the data is not monitored.

B.

Imported data is not disposed frequently.

C.

The transfer protocol is not encrypted.

D.

The transfer protocol does not require authentication.

Full Access
Question # 219

A white box testing method is applicable with which of the following testing processes?

A.

Integration testing

B.

Parallel testing

C.

Sociability testing

D.

User acceptance testing (UAT)

Full Access
Question # 220

Which of the following provides the MOST useful information to an IS auditor when selecting projects for inclusion in an IT audit plan?

A.

Project charter

B.

Project plan

C.

Project issue log

D.

Project business case

Full Access
Question # 221

Which of the following is the BEST way to identify key areas for a risk-based audit plan?

A.

Review peer benchmarking results.

B.

Review open issues from recent audit reports.

C.

Interview relevant stakeholders in the business.

D.

Conduct a risk survey with the CIO.

Full Access
Question # 222

Which of the following BEST helps to ensure data integrity across system interfaces?

A.

Environment segregation

B.

Reconciliation

C.

System backups

D.

Access controls

Full Access
Question # 223

Which of the following would be the GREATEST concern for an IS auditor conducting a pre-implementation review of a data loss prevention (DLP > tool?

A.

The tool is implemented in monitor mode rather than block mode.

B.

Crawlers are used to discover sensitive data.

C.

Deep packet inspection opens data packets in transit.

D.

Encryption keys are not centrally managed.

Full Access
Question # 224

Which of the following network topologies will provide the GREATEST fault tolerance?

A.

Star configuration

B.

Ring configuration

C.

Bus configuration

D.

Mesh configuration

Full Access
Question # 225

Which of the following is the PRIMARY purpose of a business impact analysts (BIA) in an organization ' s overall risk management strategy?

A.

Evaluating business investment opportunities for the organization

B.

Identifying critical business processes to effectively prioritize recovery efforts

C.

Ensuring compliance with regulations through regular audits

D.

Conducting vulnerability assessments to enhance network security measures

Full Access
Question # 226

An organization has decided to build a data warehouse using source data from several disparate systems to support strategic decision-making.

Which of the following is the BEST way to ensure the accuracy and completeness of the data used to support business decisions?

A.

The source data is pre-selected so that it already supports senior management ' s desired business decision outcome.

B.

The source data is from the current year of operations so that irrelevant data from prior years is not included.

C.

The source data is modified in the data warehouse to remove confidential or sensitive information.

D.

The source data is standardized and cleansed before loading into the data warehouse.

Full Access
Question # 227

Which of the following is the MOST appropriate indicator of change management effectiveness?

A.

Time lag between changes to the configuration and the update of records

B.

Number of system software changes

C.

Time lag between changes and updates of documentation materials

D.

Number of incidents resulting from changes

Full Access
Question # 228

Which of the following observations should be of GREATEST concern to an IS auditor assessing access controls for the accounts payable module of a finance system?

A.

Payment files are stored on a shared drive in a writable format prior to processing.

B.

Accounts payable staff have access to update vendor bank account details.

C.

The IS auditor was granted access to create purchase orders.

D.

Configured delegation limits do not align to the organization ' s delegation’s policy.

Full Access
Question # 229

Which of the following is the MOST effective control when granting access to a service provider for a ctoud-6ased application?

A.

Administrator access is provided for a limited period with an expiration date.

B.

Access has been provided on a need-to-know basis.

C.

User IDs are deleted when work is completed.

D.

Access is provided to correspond with the service level agreement (SLA).

Full Access
Question # 230

An IS auditor is reviewing documentation from a change that was applied to an application. Which of the following findings would be the GREATEST concern?

A.

Testing documentation does not show manager approval.

B.

Testing documentation is dated three weeks before the system implementation date.

C.

Testing documentation is approved prior to completion of user acceptance testing (UAT).

D.

Testing documentation is kept in hard copy format.

Full Access
Question # 231

Which of the following BEST indicates the effectiveness of an organization ' s risk management program?

A.

Inherent risk is eliminated.

B.

Residual risk is minimized.

C.

Control risk is minimized.

D.

Overall risk is quantified.

Full Access
Question # 232

An IS auditor discovers that validation controls in a web application have been moved from the server side into the browser to boost performance. This would MOST likely increase the risk of a successful attack by:

A.

structured query language (SQL) injection

B.

buffer overflow.

C.

denial of service (DoS).

D.

phishing.

Full Access
Question # 233

An IS auditor notes the transaction processing times in an order processing system have significantly increased after a major release. Which of the following should the IS auditor review FIRST?

A.

Capacity management plan

B.

Training plans

C.

Database conversion results

D.

Stress testing results

Full Access
Question # 234

Which of the following key performance indicators (KPIs) provides stakeholders with the MOST useful information about whether information security risk is being managed?

A.

Time from identifying security threats to implementing solutions

B.

The number of security controls audited

C.

Time from security log capture to log analysis

D.

The number of entries in the security risk register

Full Access
Question # 235

Having knowledge in which of the following areas is MOST relevant for an IS auditor reviewing public key infrastructure (PKI)?

A.

Design and application of key controls in public audit

B.

Security strategy in public cloud Infrastructure as a Service (IaaS)

C.

Modern encoding methods for digital communications

D.

Technology and process life cycle for digital certificates and key pairs

Full Access
Question # 236

Which of the following provides the MOST comprehensive information about inherent risk within an organization?

A.

Risk assessments.

B.

Risk-based audit findings.

C.

Peer benchmarking.

D.

Business impact analysis (BIA).

Full Access
Question # 237

A manager Identifies active privileged accounts belonging to staff who have left the organization. Which of the following is the threat actor In this scenario?

A.

Terminated staff

B.

Unauthorized access

C.

Deleted log data

D.

Hacktivists

Full Access
Question # 238

Which of the following is the MOST cost-effective way to determine the effectiveness of a business continuity plan (BCP)?

A.

Stress test

B.

Tabletop exercise

C.

Full operational test

D.

Post-implementation review

Full Access
Question # 239

An IS auditor learns that a business owner violated the organization ' s security policy by creating a web page with access to production data. The auditor ' s NEXT step should be to:

A.

determine if sufficient access controls exist.

B.

assess the sensitivity of the production data.

C.

shut down the web page.

D.

escalate to senior management.

Full Access
Question # 240

During the implementation of an upgraded enterprise resource planning (ERP) system, which of the following is the MOST important consideration for a go-live decision?

A.

Rollback strategy

B.

Test cases

C.

Post-implementation review objectives

D.

Business case

Full Access
Question # 241

A review of IT interface controls finds an organization does not have a process to identify and correct records that do not get transferred to the receiving system Which of the following is the IS auditors BEST recommendation?

A.

Enable automatic encryption decryption and electronic signing of data files

B.

implement software to perform automatic reconciliations of data between systems

C.

Have coders perform manual reconciliation of data between systems

D.

Automate the transfer of data between systems as much as feasible

Full Access
Question # 242

Which of the following BEST describes the concept of fault tolerance in system resiliency?

A.

It enables switching to redundant systems in case of faults.

B.

It minimizes downtime and ensures continuous operations.

C.

It allows systems to continue operating in the presence of faults.

D.

It distributes workloads across multiple servers to prevent overload.

Full Access
Question # 243

Which of the following audit procedures would provide the BEST assurance that an application program is functioning as designed?

A.

Using a continuous auditing module

B.

Interviewing business management

C.

Confirming accounts

D.

Reviewing program documentation

Full Access
Question # 244

The management of a small e-commerce firm is concerned about the impact of AI adoption on its intellectual property. Which of the following BEST addresses this concern?

A.

Developing an AI acceptable use policy

B.

Sanctioning employees for using generative AI

C.

Performing manual reviews of AI web traffic logs

D.

Deny-listing chat-based AI websites and plugins

Full Access
Question # 245

Which of the following should be the PRIMARY consideration when incorporating user training and awareness into a data loss prevention (DLP) strategy?

A.

Avoiding financial penalties and reputational risk

B.

Ensuring data availability

C.

Promoting secure data handling practices

D.

Adhering to data governance policies

Full Access
Question # 246

The MOST effective way to reduce sampling risk is to increase:

A.

confidence interval.

B.

population.

C.

audit sampling training.

D.

sample size.

Full Access
Question # 247

An IS auditor is planning a review of an organizations robotic process automation (RPA) technology. Which of the following MUST be included in the audit work plan?

A.

Integration architecture

B.

Change management

C.

Cost-benefit analysis

D.

Employee training content

Full Access
Question # 248

Which of the following controls helps to ensure that data extraction queries run by the database administrator (DBA) are monitored?

A.

Restricting access to DBA activities

B.

Performing periodic access reviews

C.

Storing logs of database access

D.

Reviewing activity logs of the DBA

Full Access
Question # 249

Which of the following roles is PRIMARILY responsible for mitigating the risk of benefits not being realized in an IT project?

A.

Project sponsor

B.

Project manager

C.

Quality assurance (QA) manager

D.

Chief risk officer (CRO)

Full Access
Question # 250

Which of the following BEST facilitates the successful implementation of IT performance monitoring?

A.

Determining goals for IT resources and processes

B.

Identifying tools to automate performance measurement

C.

Establishing templates for periodic reporting to management

D.

Adopting global standards and measurement norms

Full Access
Question # 251

An IS auditor noted a recent production incident in which a teller transaction system incorrectly charged fees to customers due to a defect from a recent release. Which of the following should be the auditor ' s NEXT step?

A.

Evaluate developer training.

B.

Evaluate the incident management process.

C.

Evaluate the change management process.

D.

Evaluate secure code practices.

Full Access
Question # 252

Which of the following should be done FIRST when planning to conduct internal and external penetration testing for a client?

A.

Establish the timing of testing.

B.

Identify milestones.

C.

Determine the test reporting

D.

Establish the rules of engagement.

Full Access
Question # 253

Which of the following poses the GREATEST potential concern for an organization that decides to consolidate mission-critical applications on a large server as part of IT capacity management?

A.

More applications may be negatively affected by outages on the server.

B.

Continuous monitoring efforts for server capacity may be costly.

C.

Network bandwidth may be degraded during peak hours.

D.

Accurate server capacity forecasting may be more difficult.

Full Access
Question # 254

An IS auditor notes that several employees are spending an excessive amount of time using social media sites for personal reasons. Which of the following should the auditor recommend be performed FIRST?

A.

Implement a process to actively monitor postings on social networking sites.

B.

Adjust budget for network usage to include social media usage.

C.

Use data loss prevention (DLP) tools on endpoints.

D.

implement policies addressing acceptable usage of social media during working hours.

Full Access
Question # 255

IT disaster recovery time objectives (RTOs) should be based on the:

A.

maximum tolerable loss of data.

B.

nature of the outage

C.

maximum tolerable downtime (MTD).

D.

business-defined criticality of the systems.

Full Access
Question # 256

Which of the following is MOST important for an IS auditor to consider when performing the risk assessment poor to an audit engagement?

A.

The design of controls

B.

Industry standards and best practices

C.

The results of the previous audit

D.

The amount of time since the previous audit

Full Access
Question # 257

Which of the following BEST demonstrates to senior management and the board that an audit function is compliant with standards and the code of ethics?

A.

Audit staff interviews

B.

Quality control reviews

C.

Control self-assessments (CSAs)

D.

Corrective action plans

Full Access
Question # 258

Which of the following is the MOST efficient control to reduce the risk associated with a systems administrator having network administrator responsibilities?

A.

The administrator must obtain temporary access to make critical changes.

B.

The administrator will need to request additional approval for critical changes.

C.

The administrator must sign a due diligence agreement.

D.

The administrator will be subject to unannounced audits.

Full Access
Question # 259

Which of the following is MOST important to successfully implement a corporate data classification program?

A.

Identify industry best practices.

B.

Conduct a privacy impact assessment (PIA).

C.

Select a data loss prevention (DLP) product.

D.

Approve a data classification policy.

Full Access
Question # 260

Which of the following would be MOST important to include in an IS audit report?

A.

Observations not reported as findings due to inadequate evidence

B.

The roadmap for addressing the various risk areas

C.

The level of unmitigated risk along with business impact

D.

Specific technology solutions for each audit observation

Full Access
Question # 261

Which of the following can only be provided by asymmetric encryption?

A.

Information privacy

B.

256-brt key length

C.

Data availability

D.

Nonrepudiation

Full Access
Question # 262

Which type of testing is used to identify security vulnerabilities in source code in the development environment?

A.

Interactive application security testing (IAST)

B.

Runtime application self-protection (RASP)

C.

Dynamic analysis security testing (DAST)

D.

Static analysis security testing (SAST)

Full Access
Question # 263

When auditing the security architecture of an online application, an IS auditor should FIRST review the:

A.

firewall standards.

B.

configuration of the firewall

C.

firmware version of the firewall

D.

location of the firewall within the network

Full Access
Question # 264

Which of the following attack techniques will succeed because of an inherent security weakness in an Internet firewall?

A.

Phishing

B.

Using a dictionary attack of encrypted passwords

C.

Intercepting packets and viewing passwords

D.

Flooding the site with an excessive number of packets

Full Access
Question # 265

Which of the following should an IS auditor consider the MOST significant risk associated with a new health records system that replaces a legacy system?

A.

Staff were not involved in the procurement process, creating user resistance to the new system.

B.

Data is not converted correctly, resulting in inaccurate patient records.

C.

The deployment project experienced significant overruns, exceeding budget projections.

D.

The new system has capacity issues, leading to slow response times for users.

Full Access
Question # 266

Which of the following is the MOST important advantage of participating in beta testing of software products?

A.

It increases an organization ' s ability to retain staff who prefer to work with new technology.

B.

It improves vendor support and training.

C.

It enhances security and confidentiality.

D.

It enables an organization to gain familiarity with new products and their functionality.

Full Access
Question # 267

An organization has purchased a new cloud-based application from a vendor. Which of the following should be the FIRST consideration when implementing the system?

A.

Preventing alterations to the source code during implementation.

B.

Ensuring vendor default accounts and passwords have been disabled.

C.

Verifying that the vendor is meeting maintenance agreements.

D.

Deleting the old copies of the program from escrow to avoid wrong versions.

Full Access
Question # 268

Which of the following should be of GREATEST concern to an IS auditor when auditing an organization ' s IT strategy development process?

A.

The IT strategy was developed before the business plan

B.

A business impact analysis (BIA) was not performed to support the IT strategy

C.

The IT strategy was developed based on the current IT capability

D.

Information security was not included as a key objective m the IT strategic plan.

Full Access
Question # 269

An organization allows its employees lo use personal mobile devices for work. Which of the following would BEST maintain information security without compromising employee privacy?

A.

Installing security software on the devices

B.

Partitioning the work environment from personal space on devices

C.

Preventing users from adding applications

D.

Restricting the use of devices for personal purposes during working hours

Full Access
Question # 270

Which of the following security risks can be reduced by a property configured network firewall?

A.

SQL injection attacks

B.

Denial of service (DoS) attacks

C.

Phishing attacks

D.

Insider attacks

Full Access
Question # 271

Which of the following should an IS auditor consider FIRST when evaluating firewall rules?

A.

The organization ' s security policy

B.

The number of remote nodes

C.

The firewalls ' default settings

D.

The physical location of the firewalls

Full Access
Question # 272

Which of the following should be used as the PRIMARY basis for prioritizing IT projects and initiatives?

A.

Estimated cost and time

B.

Level of risk reduction

C.

Expected business value

D.

Available resources

Full Access
Question # 273

An organization is planning an acquisition and has engaged an IS auditor lo evaluate the IT governance framework of the target company. Which of the following would be MOST helpful In determining the effectiveness of the framework?

A.

Sell-assessment reports of IT capability and maturity

B.

IT performance benchmarking reports with competitors

C.

Recent third-party IS audit reports

D.

Current and previous internal IS audit reports

Full Access
Question # 274

Which of the following is the BEST indicator of the effectiveness of signature-based intrusion detection systems (lDS)?

A.

An increase in the number of identified false positives

B.

An increase in the number of detected Incidents not previously identified

C.

An increase in the number of unfamiliar sources of intruders

D.

An increase in the number of internally reported critical incidents

Full Access
Question # 275

Which of the following is the BEST compensating control against separation of duties conflicts in new code development?

A.

Post-implementation change review

B.

Adding the developers to the change approval board

C.

Creation of staging environments

D.

A small number of people have access to deploy code

Full Access
Question # 276

Which of the following is the MOST important consideration when defining an operational log management strategy?

A.

Event response procedures.

B.

Audit recommendations.

C.

Industry benchmarking.

D.

Stakeholder requirements.

Full Access
Question # 277

Which of the following is the PRIMARY reason for using a digital signature?

A.

Provide availability to the transmission

B.

Authenticate the sender of a message

C.

Provide confidentiality to the transmission

D.

Verify the integrity of the data and the identity of the recipient

Full Access
Question # 278

An organization has both an IT strategy committee and an IT steering committee. When reviewing the minutes of the IT steering committee, an IS auditor would expect to find that the

committee:

A.

assessed the contribution of IT to the business.

B.

acquired and assigned appropriate resources for projects.

C.

compared the risk and return of IT investments.

D.

reviewed the achievement of the strategic IT objective.

Full Access
Question # 279

An IS auditor is reviewing a data conversion project. Which of the following is the auditor ' s BEST recommendation prior to go-live?

A.

Conduct a mock conversion test.

B.

Review test procedures and scenarios.

C.

Automate the test scripts.

D.

Establish a configuration baseline.

Full Access
Question # 280

Which of the following is an IS auditor ' s BEST recommendation to help an organization increase the efficiency of computing resources?

A.

Virtualization

B.

Hardware upgrades

C.

Overclocking the central processing unit (CPU)

D.

Real-time backups

Full Access
Question # 281

Which of the following represents the HIGHEST level of maturity of an information security program?

A.

A training program is in place to promote information security awareness.

B.

A framework is in place to measure risks and track effectiveness.

C.

Information security policies and procedures are established.

D.

The program meets regulatory and compliance requirements.

Full Access
Question # 282

An IS auditor is providing input to an RFP to acquire a financial application system. Which of the following is MOST important for the auditor to recommend?

A.

The application should meet the organization ' s requirements.

B.

Audit trails should be included in the design.

C.

Potential suppliers should have experience in the relevant area.

D.

Vendor employee background checks should be conducted regularly.

Full Access
Question # 283

Which of the following provides the MOST assurance of the integrity of a firewall log?

A.

The log is reviewed on a monthly basis.

B.

Authorized access is required to view the log.

C.

The log cannot be modified.

D.

The log is retained per policy.

Full Access
Question # 284

Which of the following is MOST effective in keeping a database management system (DBMS) at maximum performance?

A.

Periodic database maintenance.

B.

Data consistency control.

C.

Database logging.

D.

Data model normalization.

Full Access
Question # 285

Which of the following management decisions presents the GREATEST risk associated with data leakage?

A.

There is no requirement for desktops to be encrypted

B.

Staff are allowed to work remotely

C.

Security awareness training is not provided to staff

D.

Security policies have not been updated in the past year

Full Access
Question # 286

Which of the following is the MAIN purpose of an information security management system?

A.

To identify and eliminate the root causes of information security incidents

B.

To enhance the impact of reports used to monitor information security incidents

C.

To keep information security policies and procedures up-to-date

D.

To reduce the frequency and impact of information security incidents

Full Access
Question # 287

A new regulation has been enacted that mandates specific information security practices for the protection of customer data. Which of the following is MOST useful for an IS auditor to review when auditing against the regulation?

A.

Compliance gap analysis

B.

Customer data protection roles and responsibilities

C.

Customer data flow diagram

D.

Benchmarking studies of adaptation to the new regulation

Full Access
Question # 288

Which of the following is the BEST detective control for a job scheduling process involving data transmission?

A.

Metrics denoting the volume of monthly job failures are reported and reviewed by senior management.

B.

Jobs are scheduled to be completed daily and data is transmitted using a Secure File Transfer Protocol (SFTP).

C.

Jobs are scheduled and a log of this activity is retained for subsequent review.

D.

Job failure alerts are automatically generated and routed to support personnel.

Full Access
Question # 289

A review of an organization ' s enterprise architecture (EA) BEST enables an IS auditor to determine:

A.

alignment of IT service levels with business objectives.

B.

the organization ' s level of compliance with regulations.

C.

adherence to budget for current IT initiative implementations.

D.

alignment of the IT strategy with business strategy.

Full Access
Question # 290

The waterfall life cycle model of software development is BEST suited for which of the following situations?

A.

The project will involve the use of new technology.

B.

The project intends to apply an object-oriented design approach.

C.

The project requirements are well understood.

D.

The project is subject to time pressures.

Full Access
Question # 291

Which of the following is the MOST effective way to maintain network integrity when using mobile devices?

A.

Implement network access control.

B.

Implement outbound firewall rules.

C.

Perform network reviews.

D.

Review access control lists.

Full Access
Question # 292

An IS auditor learns of a new regulation which imposes penalties based on the number of individuals whose personally identifiable information (PII) is exposed by a security breach. What would be the BEST recommendation to help the organization limit the liability associated with a breach to its customer information database?

A.

Database segmentation

B.

Database normalization

C.

Database harmonization

D.

Database optimization

Full Access
Question # 293

When evaluating the design of controls related to network monitoring, which of the following is MOST important for an IS auditor to review?

A.

Incident monitoring togs

B.

The ISP service level agreement

C.

Reports of network traffic analysis

D.

Network topology diagrams

Full Access
Question # 294

An IS auditor is following up on prior period items and finds management did not address an audit finding. Which of the following should be the IS auditor ' s NEXT course of action?

A.

Note the exception in a new report as the item was not addressed by management.

B.

Recommend alternative solutions to address the repeat finding.

C.

Conduct a risk assessment of the repeat finding.

D.

Interview management to determine why the finding was not addressed.

Full Access
Question # 295

During the planning stage of a compliance audit, an IS auditor discovers that a bank ' s inventory of compliance requirements does not include recent regulatory changes related to managing data risk. What should the auditor do FIRST?

A.

Ask management why the regulatory changes have not been Included.

B.

Discuss potential regulatory issues with the legal department

C.

Report the missing regulatory updates to the chief information officer (CIO).

D.

Exclude recent regulatory changes from the audit scope.

Full Access
Question # 296

An organization has recently moved to an agile model for deploying custom code to its in-house accounting software system. When reviewing the procedures in place for production code deployment, which of the following is the MOST significant security concern to address?

A.

Software vulnerability scanning is done on an ad hoc basis.

B.

Change control does not include testing and approval from quality assurance (QA).

C.

Production code deployment is not automated.

D.

Current DevSecOps processes have not been independently verified.

Full Access
Question # 297

Which of the following approaches would present the GREATEST concern for the implementation of a quality assurance (QA) function?

A.

Developers introducing the changes will review the work, as they are most familiar with them.

B.

Peer developers from the same development team who are unfamiliar with the changes will review them.

C.

Developers from a separate development team in the organization will review the submitted changes.

D.

Reviewers outside the development group who do not have development roles will review the changes.

Full Access
Question # 298

Which of the following responses to risk associated with separation of duties would incur the LOWEST initial cost?

A.

Risk mitigation

B.

Risk acceptance

C.

Risk transference

D.

Risk reduction

Full Access
Question # 299

An IS audit team is evaluating documentation of the most recent application user access review. It is determined that the user list was not system generated. Which of the following should be of

MOST concern?

A.

Confidentiality of the user list

B.

Timeliness of the user list review

C.

Completeness of the user list

D.

Availability of the user list

Full Access
Question # 300

An organization is disposing of removable onsite media which contains sensitive information. Which of the following is the MOST effective method to prevent disclosure of sensitive data?

A.

Encrypting and destroying keys

B.

Machine shredding

C.

Software formatting

D.

Wiping and rewriting three times

Full Access
Question # 301

Which of the following is the BEST compensating control against segregation of duties conflicts in new code development?

A.

Adding the developers to the change approval board

B.

A small number of people have access to deploy code

C.

Post-implementation change review

D.

Creation of staging environments

Full Access
Question # 302

What is the MAIN purpose of an organization ' s internal IS audit function?

A.

Identify and initiate necessary changes in the control environment to help ensure sustainable improvement.

B.

Independently attest the organization’s compliance with applicable legal and regulatory requirements.

C.

Review the organization ' s policies and procedures against industry best practices and standards.

D.

Provide assurance to management about the effectiveness of the organization ' s risk management and internal controls.

Full Access
Question # 303

An IS auditor learns that an organization did not conduct any penetration testing over one internet-facing webpage prior to of the following is the auditor ' s BEST course of action?

A.

Revise IT security procedures to require penetration tests for internally developed services prior to deployment.

B.

Report a control deficiency, as no penetration test has been conducted and documented.

C.

Confirm whether vulnerability scanning was conducted after the webpage was deployed.

D.

Meet with IT and the information security team to determine why testing was not completed.

Full Access
Question # 304

Which of the following staff should an IS auditor interview FIRST to obtain a general overview of the various technologies used across different programs?

A.

Technical architect

B.

Enterprise architect

C.

Program manager

D.

Solution architect

Full Access
Question # 305

Which of the following recommendations would BEST prevent the implementation of IT projects without collaborating with the business?

A.

Partner with the business units to evaluate IT projects.

B.

Review the projects to identify similarities and eliminate duplication.

C.

Periodically review the projects ' return on investment (ROI).

D.

Prioritize protects based on business and IT resource availability.

Full Access
Question # 306

Which of the following is the MOST important course of action to ensure a cloud access security broker (CASB) effectively detects and responds to threats?

A.

Monitoring data movement

B.

Implementing a long-term CASB contract

C.

Reviewing the information security policy

D.

Evaluating firewall effectiveness

Full Access
Question # 307

If a recent release of a program has to be backed out of production, the corresponding changes within the delta version of the code should be:

A.

filed in production for future reference in researching the problem.

B.

applied to the source code that reflects the version in production.

C.

eliminated from the source code that reflects the version in production.

D.

reinstalled when replacing the version back into production.

Full Access
Question # 308

Which of the following provides the MOST protection against emerging threats?

A.

Demilitarized zone (DMZ)

B.

Heuristic intrusion detection system (IDS)

C.

Real-time updating of antivirus software

D.

Signature-based intrusion detection system (IDS)

Full Access
Question # 309

Which of the following is the MOST important consideration for patching mission critical business application servers against known vulnerabilities?

A.

Patches are implemented in a test environment prior to rollout into production.

B.

Network vulnerability scans are conducted after patches are implemented.

C.

Vulnerability assessments are periodically conducted according to defined schedules.

D.

Roles and responsibilities for implementing patches are defined

Full Access
Question # 310

Which of the following will BEST ensure that archived electronic information of permanent importance remains accessible over time?

A.

Performing preventive maintenance on old hardware

B.

Acquiring applications that emulate old software

C.

Regularly migrating data to current technology

D.

Periodically backing up archived data

Full Access
Question # 311

Which of the following criteria is MOST important for the successful delivery of benefits from an IT project?

A.

Assessing the impact of changes to individuals and business units within the organization

B.

Involving key stakeholders during the development and execution phases of the project

C.

Ensuring that IT project managers have sign-off authority on the business case

D.

Quantifying the size of the software development effort required by the project

Full Access
Question # 312

An IS auditor Is renewing the deployment of a new automated system Which of the following findings presents the MOST significant risk?

A.

The new system has resulted m layoffs of key experienced personnel.

B.

Users have not been trained on the new system.

C.

Data from the legacy system is not migrated correctly to the new system.

D.

The new system is not platform agnostic

Full Access
Question # 313

An IS auditor finds that capacity management for a key system is being performed by IT with no input from the business The auditor ' s PRIMARY concern would be:

A.

failure to maximize the use of equipment

B.

unanticipated increase in business s capacity needs.

C.

cost of excessive data center storage capacity

D.

impact to future business project funding.

Full Access
Question # 314

Which of the following would present the GREATEST concern during a review of internal audit quality assurance (QA) and continuous improvement processes?

A.

Improvement opportunities are not centrally tracked.

B.

The audit function is not subject to independent periodic external review.

C.

Substantive testing is not performed during the assessment phase of some audits.

D.

Quarterly reports are not distributed to the audit committee.

Full Access
Question # 315

An IS auditor is tasked to review an organization ' s plan-do-check-act (PDCA) method for improving IT-related processes and wants to determine the accuracy of defined targets to be achieved. Which of the following steps in the PDCA process should the auditor PRIMARILY focus on in this situation?

A.

Check

B.

Plan

C.

Do

D.

Act

Full Access
Question # 316

Which of the following approaches BEST enables an IS auditor to detect security vulnerabilities within an application?

A.

Threat modeling

B.

Concept mapping

C.

Prototyping

D.

Threat intelligence

Full Access
Question # 317

Which of the following should be the PRIMARY objective of conducting an audit follow-up of management action plans?

A.

To verify that risks listed in the audit report have been properly mitigated

B.

To identify new risks and controls for the organizationTo ensure senior management is aware of the audit findingsTo align the management action plans with business requirements

Full Access
Question # 318

An IS auditor wants to gain a better understanding of an organization’s selected IT operating system software. Which of the following would be MOST helpful to review?

A.

Service level agreements (SLAs)

B.

Project steering committee charter

C.

IT audit reports

D.

Enterprise architecture (EA)

Full Access
Question # 319

During a pre-implementation review, an IS auditor notes that some scenarios have not been tested. Management has indicated that the project is critical and cannot be postponed. Which of the following is the auditor ' s BEST course of action?

A.

Determine whether the tested scenarios covered the most significant project risks.

B.

Help management complete remaining scenario testing before implementation.

C.

Recommend project implementation be postponed until all scenarios have been tested.

D.

Perform remaining scenario testing in the production environment post implementation.

Full Access
Question # 320

Which of the following is MOST important for the successful establishment of a security vulnerability management program?

A.

A robust tabletop exercise plan

B.

A comprehensive asset inventory

C.

A tested incident response plan

D.

An approved patching policy

Full Access
Question # 321

Upon completion of a penetration test with findings for an IT system, the NEXT step should be:

A.

Vulnerability scanning and reconfirmation.

B.

Analyzing all changes made to the system.

C.

Remediation and retesting.

D.

Maintaining the confidentiality of the testing report.

Full Access
Question # 322

Which of the following would BEST detect that a distributed denial of service (DDoS) attack is occurring?

A.

Customer service complaints

B.

Automated monitoring of logs

C.

Server crashes

D.

Penetration testing

Full Access
Question # 323

Which of the following is an example of a preventive control for physical access?

A.

Keeping log entries for all visitors to the building

B.

Implementing a fingerprint-based access control system for the building

C.

Installing closed-circuit television (CCTV) cameras for all ingress and egress points

D.

Implementing a centralized logging server to record instances of staff logging into workstations

Full Access
Question # 324

Which of the following would BEST facilitate the successful implementation of an IT-related framework?

A.

Aligning the framework to industry best practices

B.

Establishing committees to support and oversee framework activities

C.

Involving appropriate business representation within the framework

D.

Documenting IT-related policies and procedures

Full Access
Question # 325

Users are complaining that a newly released enterprise resource planning (ERP) system is functioning too slowly. Which of the following tests during the quality assurance (QA) phase would have identified this concern?

A.

Stress

B.

Regression

C.

Interface

D.

Integration

Full Access
Question # 326

Which of the following is the BEST way to foster continuous improvement of IS audit processes and practices?

A.

Invite external auditors and regulators to perform regular assessments of the IS audit function.

B.

Implement rigorous managerial review and sign-off of IS audit deliverables.

C.

Frequently review IS audit policies, procedures, and instruction manuals.

D.

Establish and embed quality assurance (QA) within the IS audit function.

Full Access
Question # 327

Which of the following is MOST critical to the success of an information security program?

A.

Alignment of information security with IT objectives

B.

Management’s commitment to information security

C.

Integration of business and information security

D.

User accountability for information security

Full Access
Question # 328

Which of the following is the GREATEST risk associated with security patches being automatically downloaded and applied to production servers?

A.

Supporting documentation is not updated.

B.

Anti-malware is disabled during patch installation.

C.

Patches may be installed regardless of their criticality.

D.

Patches may result in major service failures.

Full Access
Question # 329

Which of the following should be of MOST concern to an IS auditor when reviewing an intrusion detection system (IDS)?

A.

High false-positive rate

B.

Delay in signature updates

C.

High false-negative rate

D.

Decrease in processing speed

Full Access
Question # 330

An IS auditor is evaluating the risk associated with moving from one database management system (DBMS) to another. Which of the following would be MOST helpful to ensure the integrity of the system throughout the change?

A.

Preserving the same data classifications

B.

Preserving the same data inputs

C.

Preserving the same data structure

D.

Preserving the same data interfaces

Full Access
Question # 331

When reviewing an organization ' s information security policies, an IS auditor should verify that the policies have been defined PRIMARILY on the basis of:

A.

a risk management process.

B.

an information security framework.

C.

past information security incidents.

D.

industry best practices.

Full Access
Question # 332

A proper audit trail of changes to server start-up procedures would include evidence of:

A.

subsystem structure.

B.

program execution.

C.

security control options.

D.

operator overrides.

Full Access
Question # 333

Which of the following protocols should be used when transferring data via the internet?

A.

User Datagram Protocol (UDP)

B.

Hypertext Transfer Protocol (HTTP)

C.

Secure File Transfer Protocol (SFTP)

D.

Remote Desktop Protocol (RDP)

Full Access
Question # 334

An IS auditor reviewing an organization’s IT systems finds that the organization frequently purchases systems that are incompatible with the technologies already in the organization. Which of the following is the MOST likely reason?

A.

Ineffective risk management policy

B.

Lack of enterprise architecture (EA)

C.

Lack of a maturity model

D.

Outdated enterprise resource planning (ERP) system

Full Access
Question # 335

Which of the following should an IS auditor expect to see in a network vulnerability assessment?

A.

Misconfiguration and missing updates

B.

Malicious software and spyware

C.

Zero-day vulnerabilities

D.

Security design flaws

Full Access
Question # 336

Which of the following is the BEST indicator that a third-party vendor adheres to the controls required by the organization?

A.

Review of monthly performance reports submitted by the vendor

B.

Certifications maintained by the vendor

C.

Regular independent assessment of the vendor

D.

Substantive log file review of the vendor ' s system

Full Access
Question # 337

During a review, an IS auditor discovers that corporate users are able to access cloud-based applications and data from any Internet-connected web browser. Which of the following is the

auditor ' s BEST recommendation to help prevent unauthorized access?

A.

Utilize strong anti-malware controls on all computing devices.

B.

Update security policies and procedures.

C.

Implement an intrusion detection system (IDS).

D.

Implement multi-factor authentication.

Full Access
Question # 338

An organization that processes credit card information employs a remote workforce. Which of the following is the MOST effective way to mitigate risk associated with data exfiltration?

A.

Require employees to sign acknowledgment of the data security policy.

B.

Deploy a data loss prevention (DLP) system.

C.

Enable a web application firewall (WAF) along with an intrusion detection system (IDS).

D.

Implement a security information and event management (SIEM) solution.

Full Access
Question # 339

Which of the following is the MOST important determining factor when establishing appropriate timeframes for follow-up activities related to audit findings?

A.

Availability of IS audit resources

B.

Remediation dates included in management responses

C.

Peak activity periods for the business

D.

Complexity of business processes identified in the audit

Full Access
Question # 340

The PRIMARY benefit of automating application testing is to:

A.

provide test consistency.

B.

provide more flexibility.

C.

replace all manual test processes.

D.

reduce the time to review code.

Full Access
Question # 341

Which of the following should an IS auditor review FIRST when planning a customer data privacy audit?

A.

Legal and compliance requirements

B.

Customer agreements

C.

Data classification

D.

Organizational policies and procedures

Full Access
Question # 342

When a data center is attempting to restore computing facilities at an alternative site following a disaster, which of the following should be restored FIRST?

A.

Data backups

B.

Decision support system

C.

Operating system

D.

Applications

Full Access
Question # 343

To protect the organization from malware transmitted by physical media, IT administrators have disabled USB access for storage devices. Which of the following BEST describes this type of control?

A.

Corrective

B.

Administrative

C.

Preventive

D.

Physical

Full Access
Question # 344

Which of the following BEST enables a benefits realization process for a system development project?

A.

Metrics for the project have been selected before the project begins.

B.

Project budget includes costs to execute the project and costs associated with the solution.

C.

Estimates of business benefits are backed by similar previously completed projects.

D.

Metrics are evaluated immediately after the project has been implemented.

Full Access
Question # 345

Which of the following provides the BE ST method for maintaining the security of corporate applications pushed to employee-owned mobile devices?

A.

Enabling remote data destruction capabilities

B.

Implementing mobile device management (MDM)

C.

Disabling unnecessary network connectivity options

D.

Requiring security awareness training for mobile users

Full Access
Question # 346

Which of the following is an example of a preventative control in an accounts payable system?

A.

The system only allows payments to vendors who are included In the system ' s master vendor list.

B.

Backups of the system and its data are performed on a nightly basis and tested periodically.

C.

The system produces daily payment summary reports that staff use to compare against invoice totals.

D.

Policies and procedures are clearly communicated to all members of the accounts payable department

Full Access
Question # 347

Which of the following parameters reflects the risk threshold for an organization experiencing a service disruption?

A.

Maximum tolerable outage (MTO)

B.

Recovery point objective (RPO)

C.

Service delivery objective (SDO)

D.

Allowable interruption window (AIW)

Full Access
Question # 348

What Is the BEST method to determine if IT resource spending is aligned with planned project spending?

A.

Earned value analysis (EVA)

B.

Return on investment (ROI) analysis

C.

Gantt chart

D.

Critical path analysis

Full Access
Question # 349

Spreadsheets are used to calculate project cost estimates. Totals for each cost category are then keyed into the job-costing system. What is the BEST control to ensure that data is accurately entered into the system?

A.

Reconciliation of total amounts by project

B.

Validity checks, preventing entry of character data

C.

Reasonableness checks for each cost type

D.

Display the back of the project detail after the entry

Full Access
Question # 350

An organization is permanently transitioning from onsite to fully remote business operations. When should the existing business impact analysis (BIA) be reviewed?

A.

During the next scheduled review

B.

At least one year after the transition

C.

As soon as the decision about the transition is announced

D.

As soon as the new operating model is in place

Full Access
Question # 351

Which of the following is MOST important to determine during the planning phase of a cloud-based messaging and collaboration platform acquisition?

A.

Role-based access control policies

B.

Types of data that can be uploaded to the platform

C.

Processes for on-boarding and off-boarding users to the platform

D.

Processes for reviewing administrator activity

Full Access
Question # 352

Using swipe cards to limit employee access to restricted areas requires implementing which additional control?

A.

Physical sign-in of all employees for access to restricted areas

B.

Implementation of additional PIN pads

C.

Periodic review of access profiles by management

D.

Installation of closed-circuit television (CCTV)

Full Access
Question # 353

Which of the following would be an auditor ' s GREATEST concern when reviewing data inputs from spreadsheets into the core finance system?

A.

Undocumented code formats data and transmits directly to the database.

B.

There is not a complete inventory of spreadsheets, and file naming is inconsistent.

C.

The department data protection policy has not been reviewed or updated for two years.

D.

Spreadsheets are accessible by all members of the finance department.

Full Access
Question # 354

Which of the following BEST describes a digital signature?

A.

It is under control of the receiver.

B.

It is capable of authorization.

C.

It dynamically validates modifications of data.

D.

It is unique to the sender using it.

Full Access
Question # 355

Which of the following should be the GREATEST concern for an IS auditor reviewing recent disaster recovery operations?

A.

The recovery point objective (RPO) was not defined.

B.

Test data was lost during a recovery operation.

C.

A warm site was used as a recovery strategy.

D.

A full backup was only performed once a week.

Full Access
Question # 356

Which of the following activities provides an IS auditor with the MOST insight regarding potential single person dependencies that might exist within the organization?

A.

Reviewing vacation patterns

B.

Reviewing user activity logs

C.

Interviewing senior IT management

D.

Mapping IT processes to roles

Full Access
Question # 357

An IS auditor is asked to provide feedback on the systems options analysis for a new project. The BEST course of action for the IS auditor would be to:

A.

Identify the best alternative.

B.

Retain comments as findings for the audit report.

C.

Comment on the criteria used to assess the alternatives.

D.

Request at least one other alternative.

Full Access
Question # 358

Which of the following is MOST important when creating a forensic image of a hard drive?

A.

Requiring an independent third party be present while imaging

B.

Securing a backup copy of the hard drive

C.

Generating a content hash of the hard drive

D.

Choosing an industry-leading forensics software tool

Full Access
Question # 359

Which of the following is the BEST methodology to use for estimating the complexity of developing a large business application?

A.

Function point analysis

B.

Work breakdown structure

C.

Critical path analysts

D.

Software cost estimation

Full Access
Question # 360

An IS auditor is reviewing desktop software profiles and notes that a user has downloaded and installed several games that are not approved by the company. Which of the following is the MOST significant risk that could result from this situation?

A.

Violation of user ' s privacy

B.

Potential for malware

C.

Noncompliance with the acceptable use policy

D.

Interoperability issues with company software

Full Access
Question # 361

Which of the following should an IS auditor do FIRST when auditing a robotics process automation (RPA) implementation?

A.

Evaluate the overall solution architecture.

B.

Analyze the sequence of activities performed by the robot.

C.

Understand the business processes automated by the robot.

D.

Identity the credentials used by the robot and where they are stored.

Full Access
Question # 362

Which of the following BEST enables a governing body to monitor IT performance based on metrics?

A.

Metrics defined at the operational level are aligned with service delivery objectives (SDOs).

B.

IT asset metrics are defined based on manufacturers’ recommendations.

C.

Metrics are derived from quantitatively measurable data generated automatically by systems.

D.

Business goals have been properly aligned with IT performance metrics.

Full Access
Question # 363

When planning an audit to assess application controls of a cloud-based system, it is MOST important tor the IS auditor to understand the.

A.

architecture and cloud environment of the system.

B.

business process supported by the system.

C.

policies and procedures of the business area being audited.

D.

availability reports associated with the cloud-based system.

Full Access
Question # 364

An IS auditor has been tasked with analyzing an organization ' s capital expenditures against its repair and maintenance costs. Which of the following is the BEST reason to use a data analytics tool for this purpose?

A.

It reduces the error rate.

B.

It improves the reliability of the data.

C.

It enables the auditor to work with 100% of the transactions.

D.

It reduces the sample size required to perform the audit.

Full Access
Question # 365

Which of the following is MOST important for an IS auditor to look

for in a project feasibility study?

A.

An assessment of whether requirements will be fully met

B.

An assessment indicating security controls will operateeffectively

C.

An assessment of whether the expected benefits can beachieved

D.

An assessment indicating the benefits will exceed the implement

Full Access
Question # 366

An IT governance body wants to determine whether IT service delivery is based on consistently effective processes. Which of the following is the BEST approach?

A.

Evaluate key performance indicators (KPIs).

B.

Conduct a gap analysis.

C.

Develop a maturity model.

D.

Implement a control self-assessment (CSA).

Full Access
Question # 367

Which of the following is the PRIMARY objective of enterprise architecture (EA)?

A.

Maintaining detailed system documentation

B.

Managing and planning for IT investments

C.

Executing customized development and delivery of projects

D.

Enforcing the IT policy across the organization

Full Access
Question # 368

Which of the following security measures will reduce the risk of propagation when a cyberattack occurs?

A.

Perimeter firewall

B.

Data loss prevention (DLP) system

C.

Network segmentation

D.

Web application firewall (WAF)

Full Access
Question # 369

Which of the following is MOST useful for determining the strategy for IT portfolio management?

A.

IT metrics dashboards

B.

IT roadmap

C.

Capability maturity model

D.

Life cycle cost-benefit analysis

Full Access
Question # 370

Which of the following should be the PRIMARY purpose of conducting tabletop exercises when re-viewing a security incident response plan?

A.

To provide efficiencies for alignment with incident response test scenarios

B.

To determine process improvement options for the incident response plan

C.

To gather documentation for responding to security audit inquiries

D.

To confirm that technology is in place to support the incident response plan

Full Access
Question # 371

Which of the following metrics would BEST measure the agility of an organization ' s IT function?

A.

Average number of learning and training hours per IT staff member

B.

Frequency of security assessments against the most recent standards and guidelines

C.

Average time to turn strategic IT objectives into an agreed upon and approved initiative

D.

Percentage of staff with sufficient IT-related skills for the competency required of their roles

Full Access
Question # 372

Which of the following provides the MOST reliable method of preventing unauthonzed logon?

A.

issuing authentication tokens

B.

Reinforcing current security policies

C.

Limiting after-hours usage

D.

Installing an automatic password generator

Full Access
Question # 373

Which of the following is necessary for effective risk management in IT governance?

A.

Local managers are solely responsible for risk evaluation.

B.

IT risk management is separate from corporate risk management.

C.

Risk management strategy is approved by the audit committee.

D.

Risk evaluation is embedded in management processes.

Full Access
Question # 374

Which of the following is the PRIMARY purpose of conducting a control self-assessment (CSA)?

A.

To replace audit responsibilities

B.

To reduce control costs

C.

To promote control ownership

D.

To enable early detection of risks

Full Access
Question # 375

Which of the following establishes the PRIMARY difference between a business continuity plan (BCP) and a disaster recovery plan (DRP)?

A.

The annual testing requirements

B.

The focus on system recovery

C.

The timeframe for plan activation

D.

The involvement of senior management

Full Access
Question # 376

The PRIMARY objective of a control self-assessment (CSA) is to:

A.

educate functional areas on risks and controls.

B.

ensure appropriate access controls are implemented.

C.

eliminate the audit risk by leveraging management ' s analysis.

D.

gain assurance for business functions that cannot be audited.

Full Access
Question # 377

When planning a review of IT governance, an IS auditor is MOST likely to:

A.

assess whether business process owner responsibilities are consistent.

B.

obtain information about the control framework adopted by management.

C.

examine audit committee minutes for IT-related controls.

D.

define key performance indicators (KPIs).

Full Access
Question # 378

Which of the following presents the GREATEST risk of data leakage in the cloud environment?

A.

Lack of data retention policy

B.

Multi-tenancy within the same database

C.

Lack of role-based access

D.

Expiration of security certificate

Full Access
Question # 379

A web application is developed in-house by an organization. Which of the following would provide the BEST evidence to an IS auditor that the application is secure from external attack?

A.

Web application firewall (WAF) implementation

B.

Penetration test results

C.

Code review by a third party

D.

Database application monitoring logs

Full Access
Question # 380

An IS auditor who was instrumental in designing an application is called upon to review the application. The auditor should:

A.

refuse the assignment to avoid conflict of interest.

B.

use the knowledge of the application to carry out the audit.

C.

inform audit management of the earlier involvement.

D.

modify the scope of the audit.

Full Access
Question # 381

An IS auditor is examining a front-end subledger and a main ledger. Which of the following would be the GREATEST concern if there are flaws in the mapping of accounts between the two systems?

A.

Double-posting of a single journal entry

B.

Inability to support new business transactions

C.

Unauthorized alteration of account attributes

D.

Inaccuracy of financial reporting

Full Access
Question # 382

Which of the following constitutes an effective detective control in a distributed processing environment?

A.

A log of privileged account use is reviewed.

B.

A disaster recovery plan (DRP)4% in place for the entire system.

C.

User IDs are suspended after three incorrect passwords have been entered.

D.

Users are required to request additional access via an electronic mail system.

Full Access
Question # 383

An IS auditor has been asked to provide support to the control self-assessment (CSA) program. Which of the following BEST represents the scope of the auditor’s role in the program?

A.

The auditor should act as a program facilitator.

B.

The auditor should focus on improving process productivity

C.

The auditor should perform detailed audit procedures

D.

The auditor ' s presence replaces the audit responsibilities of other team members.

Full Access
Question # 384

Email required for business purposes is being stored on employees ' personal devices.

Which of the following is an IS auditor ' s BEST recommendation?

A.

Require employees to utilize passwords on personal devices

B.

Prohibit employees from storing company email on personal devices

C.

Ensure antivirus protection is installed on personal devices

D.

Implement an email containerization solution on personal devices

Full Access
Question # 385

Which of the following is the GREATEST risk if two users have concurrent access to the same database record?

A.

Availability integrity

B.

Data integrity

C.

Entity integrity

D.

Referential integrity

Full Access
Question # 386

Which of the following IT service management activities is MOST likely to help with identifying the root cause of repeated instances of network latency?

A.

Change management

B.

Problem management

C.

incident management

D.

Configuration management

Full Access
Question # 387

A new system is being developed externally for an organization. Which of the following is the MOST important requirement to include in the vendor contract to ensure service continuity?

A.

Support documentation must be provided by the vendor.

B.

The vendor must have a documented disaster recovery plan (DRP) in place.

C.

Source code for the software must be placed in escrow.

D.

The vendor must train the organization’s staff to manage the new software.

Full Access
Question # 388

Which of the following is the BEST metric to measure the quality of software developed in an organization?

A.

Amount of successfully migrated software changes

B.

Reduction in the help desk budget

C.

Number of defects discovered in production

D.

Increase in quality assurance (QA) activities

Full Access
Question # 389

Which of the following is the BEST sampling method to use when relatively few errors are expected to be found in a population?

A.

Variable sampling

B.

Judgmental sampling

C.

Stop-or-go sampling

D.

Discovery sampling

Full Access
Question # 390

A financial organization has learned that one of its business partners utilizes a cloud solution extending servers to several foreign countries. Which of the following should be of GREATEST concern to the organization?

A.

Data process outsourcing under the current scheme may violate regulations.

B.

Data integrity may be harmed as the result of distributed server deployment.

C.

Data classification may become invalid once data is stored in overseas servers.

D.

Data ownership between the bank and business partner may become unclear.

Full Access
Question # 391

An IS auditor has been tasked with auditing the inventory control process for a large organization that processes millions of data transactions. Which of the following is the BEST testing strategy to adopt?

A.

Continuous monitoring

B.

Control self-assessments (CSAs)

C.

Risk assessments

D.

Stop-or-go sampling

Full Access
Question # 392

Which of the following is an IS auditor’s BEST approach to obtain assurance that an organization’s IT policies have been effectively implemented?

A.

Review the organization’s external certifications.

B.

Benchmark the policies against industry standards.

C.

Determine the level of employee adherence to the policies.

D.

Determine whether there has been an increase in IT security breaches.

Full Access
Question # 393

An IS auditor wants to verify alignment of the organization ' s business continuity plan (BCP) with the business strategy. Which of the following would be MOST helpful to review?

A.

Disaster recovery plan (DRP) testing results

B.

Business impact analysis (BIA)

C.

Corporate risk management policy

D.

Key performance indicators (KPIs)

Full Access
Question # 394

Stress testing should ideally be earned out under a:

A.

test environment with production workloads.

B.

production environment with production workloads.

C.

production environment with test data.

D.

test environment with test data.

Full Access
Question # 395

Which of the following is the MOST important outcome of an information security program?

A.

Operating system weaknesses are more easily identified.

B.

Emerging security technologies are better understood and accepted.

C.

The cost to mitigate information security risk is reduced.

D.

Organizational awareness of security responsibilities is improved.

Full Access
Question # 396

Which of the following should be the FIRST step in a data migration project?

A.

Reviewing decisions on how business processes should be conducted in the new system

B.

Completing data cleanup in the current database to eliminate inconsistencies

C.

Understanding the new system ' s data structure

D.

Creating data conversion scripts

Full Access
Question # 397

Aligning IT strategy with business strategy PRIMARILY helps an organization to:

A.

optimize investments in IT.

B.

create risk awareness across business units.

C.

increase involvement of senior management in IT.

D.

monitor the effectiveness of IT.

Full Access
Question # 398

Which of the following is the BEST way to prevent social engineering incidents?

A.

Ensure user workstations are running the most recent version of antivirus software.

B.

Maintain an onboarding and annual security awareness program.

C.

Include security responsibilities in job descriptions and require signed acknowledgment.

D.

Enforce strict email security gateway controls.

Full Access
Question # 399

An IS auditor discovers that backups of critical systems are not being performed in accordance with the recovery point objective (RPO) established in the business continuity plan (BCP). What should the auditor do NEXT?

A.

Request an immediate backup be performed.

B.

Expand the audit scope.

C.

Identify the root cause.

D.

Include the observation in the report.

Full Access
Question # 400

Which of the following statements appearing in an organization ' s acceptable use policy BEST demonstrates alignment with data classification standards related to the protection of information assets?

A.

Any information assets transmitted over a public network must be approved by executive management.

B.

All information assets must be encrypted when stored on the organization ' s systems.

C.

Information assets should only be accessed by persons with a justified need.

D.

All information assets will be assigned a clearly defined level to facilitate proper employee handling.

Full Access
Question # 401

For security awareness training to be MOST effective, management should ensure the training:

A.

covers all aspects of the IT environment.

B.

is conducted by IT personnel.

C.

is tailored to specific groups.

D.

occurs annually.

Full Access
Question # 402

Which of the following is the BEST audit procedure to determine whether a firewall is configured in compliance with the organization ' s security policy?

A.

Reviewing the parameter settings

B.

Reviewing the system log

C.

Interviewing the firewall administrator

D.

Reviewing the actual procedures

Full Access
Question # 403

Which of the following is the MOST important consideration for a contingency facility?

A.

The contingency facility has the same badge access controls as the primary site.

B.

Both the contingency facility and the primary site have the same number of business assets in their inventory.

C.

The contingency facility is located a sufficient distance away from the primary site.

D.

Both the contingency facility and the primary site are easily identifiable.

Full Access
Question # 404

Which of the following BEST ensures the quality and integrity of test procedures used in audit analytics?

A.

Developing and communicating test procedure best practices to audit teams

B.

Developing and implementing an audit data repository

C.

Decentralizing procedures and Implementing periodic peer review

D.

Centralizing procedures and implementing change control

Full Access
Question # 405

Which of the following would present the GREATEST concern during a review of internal audit quality assurance (QA) and continuous improvement processes?

A.

The audit program does not involve periodic engagement with external assessors.

B.

Quarterly reports are not distributed to the audit committee.

C.

Results of corrective actions are not tracked consistently.

D.

Substantive testing is not performed during the assessment phase of some audits.

Full Access
Question # 406

Which of the following provides the MOST useful information for performing a business impact analysis (B1A)?

A.

inventory of relevant business processes

B.

Policies for business procurement

C.

Documentation of application configurations

D.

Results of business resumption planning efforts

Full Access
Question # 407

Which of the following documents should specify roles and responsibilities within an IT audit organization?

A.

Organizational chart

B.

Audit charier

C.

Engagement letter

D.

Annual audit plan

Full Access
Question # 408

An IS auditor is reviewing database fields updated in real-time and displayed through other applications in multiple organizational functions. When validating business approval for these various use cases, which of the following sources of information would be the BEST starting point?

A.

Network map from the network administrator

B.

Historical database change log records

C.

List of integrations from the database administrator (DBA)

D.

Business process flow from management

Full Access
Question # 409

Which of the following technologies is BEST suited to fulfill a business requirement for nonrepudiation of business-to-business transactions with external parties without the need for a mutually trusted entity?

A.

Public key infrastructure (PKI)

B.

Blockchain distributed ledger

C.

Artificial intelligence (Al)

D.

Centralized ledger technology

Full Access
Question # 410

Which of the following technologies BEST assists in protection of digital evidence as part of forensic investigation acquisition?

A.

Hardware-based media write blocker

B.

Data encryption

C.

Differential backups

D.

Source media sanitization

Full Access
Question # 411

An IS auditor discovers a box of hard drives in a secured location that are overdue for physical destruction. The vendor responsible for this task was never made aware of these hard drives.

Which of the following is the BEST course of action to address this issue?

A.

Examine the workflow to identify gaps in asset-handling responsibilities.

B.

Escalate the finding to the asset owner for remediation.

C.

Recommend the drives be sent to the vendor for destruction.

D.

Evaluate the corporate asset-handling policy for potential gaps.

Full Access
Question # 412

During an IT governance audit, an IS auditor notes that IT policies and procedures are not regularly reviewed and updated. The GREATEST concern to the IS auditor is that policies and procedures might not:

A.

reflect current practices.

B.

include new systems and corresponding process changes.

C.

incorporate changes to relevant laws.

D.

be subject to adequate quality assurance (QA).

Full Access
Question # 413

Which of the following methods BEST enforces data leakage prevention in a multi-tenant cloud environment?

A.

Monitoring tools are configured to alert in case of downtime

B.

A comprehensive security review is performed every quarter.

C.

Data for different tenants is segregated by database schema

D.

Tenants are required to implement data classification polices

Full Access
Question # 414

Which of the following observations should be of GREATEST concern to an IS auditor reviewing an organization’s enterprise architecture (EA) program?

A.

The architecture review board is chaired by the CIO

B.

IT application owners have sole responsibility for architecture approval

C.

The EA program governs projects that are not IT-related

D.

Information security requirements are reviewed by the EA program

Full Access
Question # 415

Which of the following tests is MOST likely to detect an error in one subroutine resulting from a recent change in another subroutine?

A.

User acceptance testing (UAT)

B.

Black-box testing

C.

Regression testing

D.

Stress testing

Full Access
Question # 416

Which of the following is the BEST recommendation to prevent fraudulent electronic funds transfers by accounts payable employees?

A.

Periodic vendor reviews

B.

Dual control

C.

Independent reconciliation

D.

Re-keying of monetary amounts

E.

Engage an external security incident response expert for incident handling.

Full Access
Question # 417

An organization is implementing a new system that supports a month-end business process. Which of the following implementation strategies would be MOST efficient to decrease business downtime?

A.

Big bang

B.

Phased

C.

Cutover

D.

Parallel

Full Access
Question # 418

The PRIMARY reason to perform internal quality assurance (QA) for an internal audit function is to ensure:

A.

audit resources are used most effectively.

B.

internal audit activity conforms with audit standards and methodology.

C.

the audit function is adequately governed and meets performance metrics.

D.

inherent risk in audits is minimized.

Full Access
Question # 419

Which of the following BEST enables an organization to improve the effectiveness of its incident response team?

A.

Conducting periodic testing and incorporating lessons learned

B.

Increasing the mean resolution time and publishing key performance indicator (KPI) metrics

C.

Disseminating incident response procedures and requiring signed acknowledgment by team members

D.

Ensuring all team members understand information systems technology

Full Access
Question # 420

Which of the following is the BEST way to ensure a vendor complies with system security requirements?

A.

Require security training for vendor staff.

B.

Review past incidents reported by the vendor.

C.

Review past audits on the vendor ' s security compliance.

D.

Require a compliance clause in the vendor contract.

Full Access
Question # 421

An organization recently implemented a cloud document storage solution and removed the ability for end users to save data to their local workstation hard drives. Which of the following findings should be the IS auditor ' s GREATEST concern?

A.

Users are not required to sign updated acceptable use agreements.

B.

Users have not been trained on the new system.

C.

The business continuity plan (BCP) was not updated.

D.

Mobile devices are not encrypted.

Full Access
Question # 422

Which of the following should be the FRST step when developing a data toes prevention (DIP) solution for a large organization?

A.

Identify approved data workflows across the enterprise.

B.

Conduct a threat analysis against sensitive data usage.

C.

Create the DLP pcJc.es and templates

D.

Conduct a data inventory and classification exercise

Full Access
Question # 423

Which of the following controls BEST ensures appropriate segregation of duties within an accounts payable department?

A.

Restricting program functionality according to user security profiles

B.

Restricting access to update programs to accounts payable staff only

C.

Including the creator’s user ID as a field in every transaction record created

D.

Ensuring that audit trails exist for transactions

Full Access
Question # 424

Which of the following is the MOST important area of focus for an IS auditor assessing the management of cryptographic keys in a public key infrastructure (PKI)?

A.

Checking the subscription of the key management system

B.

Identifying unusual activities by the key processors

C.

Reviewing key compromise detection activities

D.

Reviewing PKI documentation

Full Access
Question # 425

An IS auditor has been asked to assess the security of a recently migrated database system that contains personal and financial data for a bank ' s customers. Which of the following controls is MOST important for the auditor to confirm is in place?

A.

The default configurations have been changed.

B.

All tables in the database are normalized.

C.

The service port used by the database server has been changed.

D.

The default administration account is used after changing the account password.

Full Access
Question # 426

Which of the following is an example of a passive attack method?

A.

Keystroke logging

B.

Piggybacking

C.

Eavesdropping

D.

Phishing

Full Access
Question # 427

Which of the following will be the MOST effective method to verify that a service vendor keeps control levels as required by the client?

A.

Conduct periodic on-site assessments using agreed-upon criteria.

B.

Periodically review the service level agreement (SLA) with the vendor.

C.

Conduct an unannounced vulnerability assessment of vendor ' s IT systems.

D.

Obtain evidence of the vendor ' s control self-assessment (CSA).

Full Access
Question # 428

The following findings are the result of an IS auditor ' s post-implementation review of a newly implemented system. Which of the following findings is of GREATEST significance?

A.

A lessons-learned session was never conducted.

B.

The projects 10% budget overrun was not reported to senior management.

C.

Measurable benefits were not defined.

D.

Monthly dashboards did not always contain deliverables.

Full Access
Question # 429

Which of the following should an IS auditor recommend be done FIRST when an organization is planning to implement an IT compliance program?

A.

Identify staff training needs related to compliance requirements.

B.

Analyze historical compliance-related audit findings.

C.

Research and purchase an industry-recognized IT compliance tool

D.

Identify applicable laws, regulations, and standards.

Full Access
Question # 430

A post-implementation review was conducted by issuing a survey to users. Which of the following should be of GREATEST concern to an IS auditor?

A.

The survey results were not presented in detail lo management.

B.

The survey questions did not address the scope of the business case.

C.

The survey form template did not allow additional feedback to be provided.

D.

The survey was issued to employees a month after implementation.

Full Access
Question # 431

Which of the following should be an IS auditor’s PRIMARY focus when performing a post-implementation review for a critical IT project?

A.

Confirm the project steering committee included business representation.

B.

Determine if project goals were met as expected.

C.

Determine if project completion was on time and on budget.

D.

Confirm key stakeholders signed off on project closure.

Full Access
Question # 432

Which of the following weaknesses would have the GREATEST impact on the effective operation of a perimeter firewall?

A.

Use of stateful firewalls with default configuration

B.

Ad hoc monitoring of firewall activity

C.

Misconfiguration of the firewall rules

D.

Potential back doors to the firewall software

Full Access
Question # 433

What is the PRIMARY purpose of documenting audit objectives when preparing for an engagement?

A.

To address the overall risk associated with the activity under review

B.

To identify areas with relatively high probability of material problems

C.

To help ensure maximum use of audit resources during the engagement

D.

To help prioritize and schedule auditee meetings

Full Access
Question # 434

Which of the following would BEST reduce the risk of application programming interface (API) unavailability?

A.

Establishing dedicated servers for incoming API requests

B.

Implementing a continuous integration and deployment process

C.

Conducting periodic stress testing

D.

Limiting the rate of incoming requests

Full Access
Question # 435

Which of the following is the MOST important control for virtualized environments?

A.

Regular updates of policies for the operation of the virtualized environment

B.

Hardening for the hypervisor and guest machines

C.

Redundancy of hardware resources and network components

D.

Monitoring utilization of resources at the guest operating system level

Full Access
Question # 436

Which of the following is a corrective control?

A.

Separating equipment development testing and production

B.

Verifying duplicate calculations in data processing

C.

Reviewing user access rights for segregation

D.

Executing emergency response plans

Full Access
Question # 437

Which of the following BEST supports an organization ' s objective of restricting the use of removable storage devices by users?

A.

Data management policy

B.

Updated anti-malware solutions

C.

Data loss prevention (DLP)

D.

Online monitoring

Full Access
Question # 438

Upon completion of audit work, an IS auditor should:

A.

provide a report to senior management prior to discussion with the auditee.

B.

distribute a summary of general findings to the members of the auditing team.

C.

provide a report to the auditee stating the initial findings.

D.

review the working papers with the auditee.

Full Access
Question # 439

Which of the following occurs during the issues management process for a system development project?

A.

Contingency planning

B.

Configuration management

C.

Help desk management

D.

Impact assessment

Full Access
Question # 440

An IS auditor is reviewing a machine learning (ML) model that predicts the likelihood that a user will watch a certain movie. Which of the following would be of GREATEST concern to the auditor?

A.

An open source programming language was used to develop the model.

B.

The model was tested with data drawn from the same population as the training data.

C.

When the model was tested with data drawn from a different population, the accuracy decreased.

D.

The dataset for training the model was obtained from an unreliable source.

Full Access
Question # 441

Which of the following is the PRIMARY advantage of using an automated security log monitoring tool instead of conducting a manual review to monitor the use of privileged access?

A.

Reduced costs associated with automating the review

B.

Increased likelihood of detecting suspicious activity

C.

Ease of storing and maintaining log file

D.

Ease of log retrieval for audit purposes

Full Access
Question # 442

An IS auditor engaged in developing the annual internal audit plan learns that the chief information officer (CIO) has requested there be no IS audits in the upcoming year as more time is needed to address a large number of recommendations from the previous year. Which of the following should the auditor do FIRST

A.

Escalate to audit management to discuss the audit plan

B.

Notify the chief operating officer (COO) and discuss the audit plan risks

C.

Exclude IS audits from the upcoming year ' s plan

D.

Increase the number of IS audits in the clan

Full Access
Question # 443

An IS auditor finds that a recently deployed application has a number of developers with inappropriate update access left over from the testing environment. Which of the following would have BEST prevented the update access from being migrated?

A.

Establishing a role-based matrix for provisioning users

B.

Re-assigning user access rights in the quality assurance (QA) environment

C.

Holding the application owner accountable for application security

D.

Including a step within the system development life cycle (SDLC) to clean up access prior to go-live

Full Access
Question # 444

What would be the PRIMARY reason an IS auditor would recommend replacing universal PIN codes with an RFID access card system at a data center?

A.

To improve traceability

B.

To prevent piggybacking

C.

To implement multi-factor authentication

D.

To reduce maintenance costs

Full Access
Question # 445

Which of the following is the PRIMARY role of an IS auditor in a control self-assessment (CSA)?

A.

Facilitating workshops.

B.

Documenting processes.

C.

Identifying control weaknesses.

D.

Monitoring internal controls.

Full Access
Question # 446

Which of the following is the BEST way to ensure that business continuity plans (BCPs) will work effectively in the event of a major disaster?

A.

Prepare detailed plans for each business function.

B.

Involve staff at all levels in periodic paper walk-through exercises.

C.

Regularly update business impact assessments.

D.

Make senior managers responsible for their plan sections.

Full Access
Question # 447

Which of the following should an IS auditor be MOST concerned with when reviewing the IT asset disposal process?

A.

Monetary value of the asset.

B.

Certificate of destruction.

C.

Data migration to the new asset.

D.

Data stored on the asset.

Full Access
Question # 448

Which of the following should an IS auditor use when verifying a three-way match has occurred in an enterprise resource planning (ERR) system?

A.

Bank confirmation

B.

Goods delivery notification

C.

Purchase requisition

D.

Purchase order

Full Access
Question # 449

An internal audit team is deciding whether to use an audit management application hosted by a third party in a different country.

What should be the MOST important consideration related to the uploading of payroll audit documentation in the hosted

application?

A.

Financial regulations affecting the organization

B.

Data center physical access controls whore the application is hosted

C.

Privacy regulations affecting the organization

D.

Per-unit cost charged by the hosting services provider for storage

Full Access
Question # 450

Which of the following is the MOST important success factor for implementing a data loss prevention (DLP) tool?

A.

Implementing the tool in monitor mode to avoid unnecessary blocking of communication

B.

Defining and configuring policies and tool rule sets to monitor sensitive data movement

C.

Testing the tool in a test environment before moving to the production environment

D.

Assigning responsibilities for maintaining the tool to applicable data owners and stakeholders

Full Access
Question # 451

Which of the following threats is mitigated by a firewall?

A.

Intrusion attack

B.

Asynchronous attack

C.

Passive assault

D.

Trojan horse

Full Access
Question # 452

Which of the following should be an IS auditor ' s PRIMARY focus when evaluating the response process for cybercrimes?

A.

Communication with law enforcement

B.

Notification to regulators

C.

Root cause analysis

D.

Evidence collection

Full Access
Question # 453

Which of the following poses the GREATEST risk to an organization when employees use public social networking sites?

A.

Cross-site scripting (XSS)

B.

Copyright violations

C.

Social engineering

D.

Adverse posts about the organization

Full Access
Question # 454

Which of the following should be an IS auditor ' s GREATEST concern when reviewing an organization ' s security controls for policy compliance?

A.

The security policy has not been reviewed within the past year.

B.

Security policy documents are available on a public domain website.

C.

Security policies are not applicable across all business units.

D.

End users are not required to acknowledge security policy training.

Full Access
Question # 455

An IS auditor Is reviewing a recent security incident and is seeking information about me approval of a recent modification to a database system ' s security settings Where would the auditor MOST likely find this information?

A.

System event correlation report

B.

Database log

C.

Change log

D.

Security incident and event management (SIEM) report

Full Access
Question # 456

To ensure confidentiality through the use of asymmetric encryption, a message is encrypted with which of the following?

A.

Recipient ' s public key

B.

Sender ' s private key

C.

Sender ' s public key

D.

Recipient ' s private key

Full Access
Question # 457

When an intrusion into an organization network is deleted, which of the following should be done FIRST?

A.

Block all compromised network nodes.

B.

Contact law enforcement.

C.

Notify senior management.

D.

Identity nodes that have been compromised.

Full Access
Question # 458

An IS auditor discovers that validation controls m a web application have been moved from the server side into the browser to boost performance This would MOST likely increase the risk of a successful attack by.

A.

phishing.

B.

denial of service (DoS)

C.

structured query language (SQL) injection

D.

buffer overflow

Full Access
Question # 459

Which of the following BEST demonstrates that IT strategy Is aligned with organizational goals and objectives?

A.

IT strategies are communicated to all Business stakeholders

B.

Organizational strategies are communicated to the chief information officer (CIO).

C.

Business stakeholders are Involved In approving the IT strategy.

D.

The chief information officer (CIO) is involved In approving the organizational strategies

Full Access
Question # 460

To reduce operational costs, IT management plans to reduce the number of servers currently used to run business applications. Which of the following is MOST helpful to review when identifying which servers are no longer required?

A.

Performance feedback from the user community

B.

Contract with the server vendor

C.

Server CPU usage trends

D.

Mean time between failure (MTBF) of each server

Full Access
Question # 461

An IS auditor concludes that an organization has a quality security policy. Which of the following is MOST important to determine next? The policy must be:

A.

well understood by all employees.

B.

based on industry standards.

C.

developed by process owners.

D.

updated frequently.

Full Access
Question # 462

The PRIMARY role of an IS auditor in the remediation of problems found during an audit engagement is to:

A.

help auditee management by providing the solution.

B.

explain the findings and provide general advice.

C.

present updated policies to management for approval.

D.

take ownership of the problems and oversee remediation efforts.

Full Access
Question # 463

An IS auditor found that a company executive is encouraging employee use of social networking sites for business purposes. Which of the following recommendations would BEST help to reduce the risk of data leakage?

A.

Requiring policy acknowledgment and nondisclosure agreements signed by employees

B.

Providing education and guidelines to employees on use of social networking sites

C.

Establishing strong access controls on confidential data

D.

Monitoring employees ' social networking usage

Full Access
Question # 464

Which of the following will provide the GREATEST assurance to IT management that a quality management system (QMS) is effective?

A.

A high percentage of stakeholders satisfied with the quality of IT

B.

Ahigh percentage of incidents being quickly resolved

C.

Ahigh percentage of IT processes reviewed by quality assurance (QA)

D.

Ahigh percentage of IT employees attending quality training

Full Access
Question # 465

An incorrect version of the source code was amended by a development team. This MOST likely indicates a weakness in:

A.

incident management.

B.

quality assurance (QA).

C.

change management.

D.

project management.

Full Access
Question # 466

The performance, risks, and capabilities of an IT infrastructure are BEST measured using a:

A.

risk management review

B.

control self-assessment (CSA).

C.

service level agreement (SLA).

D.

balanced scorecard.

Full Access
Question # 467

Which of the following would be of MOST concern to an IS auditor reviewing a data loss prevention (DLP) solution implementation for endpoints?

A.

The DLP solution does not support all types of servers.

B.

The solution has been implemented in blocking mode prior to performing tuning.

C.

The organization has never finished tuning the solution.

D.

The solution does not prevent data leakage because it is still in the monitoring phase.

Full Access
Question # 468

Prior to a follow-up engagement, an IS auditor learns that management has decided to accept a level of residual risk related to an audit finding without remediation. The IS auditor is concerned about management ' s decision. Which of the following should be the IS auditor ' s NEXT course of action?

A.

Accept management ' s decision and continue the follow-up.

B.

Report the issue to IS audit management.

C.

Report the disagreement to the board.

D.

Present the issue to executive management.

Full Access
Question # 469

An IS auditor is reviewing an organization ' s primary router access control list. Which of the following should result in a finding?

A.

There are conflicting permit and deny rules for the IT group.

B.

The network security group can change network address translation (NAT).

C.

Individual permissions are overriding group permissions.

D.

There is only one rule per group with access privileges.

Full Access
Question # 470

Which of the following non-audit activities may impair an IS auditor ' s independence and objectivity?

A.

Evaluating a third-party customer satisfaction survey

B.

Providing advice on an IT project management framework

C.

Designing security controls for a new cloud-based workforce management system

D.

Reviewing secure software development guidelines adopted by an organization

Full Access
Question # 471

Which of the following should be identified FIRST during the risk assessment process?

A.

Vulnerability to threats

B.

Existing controls

C.

Information assets

D.

Legal requirements

Full Access
Question # 472

How does public key infrastructure (PKI) help to verify that a digitally signed document is not a forgery?

A.

By decrypting the signature with the signer’s public key

B.

By verifying the signature with the signer’s private key

C.

By checking the signature against the receiver’s public key

D.

By checking the signed document’s audit history

Full Access
Question # 473

Which of the following is the BEST way to ensure that an application is performing according to its specifications?

A.

Unit testing

B.

Pilot testing

C.

System testing

D.

Integration testing

Full Access
Question # 474

When reviewing a data classification scheme, it is MOST important for an IS auditor to determine if.

A.

each information asset is to a assigned to a different classification.

B.

the security criteria are clearly documented for each classification

C.

Senior IT managers are identified as information owner.

D.

the information owner is required to approve access to the asset

Full Access
Question # 475

An organization has developed processes to recover critical files in the event of a ransomware attack. Which type of control do these processes represent?

A.

Compensating

B.

Preventive

C.

Detective

D.

Corrective

Full Access
Question # 476

The PRIMARY advantage of using open-source-based solutions is that they:

A.

Have well-defined support levels.

B.

Are easily implemented.

C.

Reduce dependence on vendors.

D.

Offer better security features.

Full Access
Question # 477

When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor ' s BEST recommendation is to place an intrusion detection system (IDS) between the firewall and:

A.

the organization ' s web server.

B.

the demilitarized zone (DMZ).

C.

the organization ' s network.

D.

the Internet

Full Access