New Year Sale - Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70dumps

CISA Questions and Answers

Question # 6

Which of the following BEST describes an audit risk?

A.

The company is being sued for false accusations.

B.

The financial report may contain undetected material errors.

C.

Employees have been misappropriating funds.

D.

Key employees have not taken vacation for 2 years.

Full Access
Question # 7

An IS auditor finds that application servers had inconsistent security settings leading to potential vulnerabilities. Which of the following is the BEST recommendation by the IS auditor?

A.

Improve the change management process

B.

Establish security metrics.

C.

Perform a penetration test

D.

Perform a configuration review

Full Access
Question # 8

Which of the following should an IS auditor expect to see in a network vulnerability assessment?

A.

Misconfiguration and missing updates

B.

Malicious software and spyware

C.

Zero-day vulnerabilities

D.

Security design flaws

Full Access
Question # 9

Which of the following would be an appropriate role of internal audit in helping to establish an organization’s privacy program?

A.

Analyzing risks posed by new regulations

B.

Developing procedures to monitor the use of personal data

C.

Defining roles within the organization related to privacy

D.

Designing controls to protect personal data

Full Access
Question # 10

Which of the following BEST helps to ensure data integrity across system interfaces?

A.

Environment segregation

B.

Reconciliation

C.

System backups

D.

Access controls

Full Access
Question # 11

The PRIMARY benefit of information asset classification is that it:

A.

prevents loss of assets.

B.

helps to align organizational objectives.

C.

facilitates budgeting accuracy.

D.

enables risk management decisions.

Full Access
Question # 12

An externally facing system containing sensitive data is configured such that users have either read-only or administrator rights. Most users of the system have administrator access. Which of the following is the GREATEST risk associated with this situation?

A.

Users can export application logs.

B.

Users can view sensitive data.

C.

Users can make unauthorized changes.

D.

Users can install open-licensed software.

Full Access
Question # 13

An IS auditor has been asked to advise on measures to improve IT governance within the organization. Which at the following is the BEST recommendation?

A.

Implement key performance indicators (KPIs)

B.

Implement annual third-party audits.

C.

Benchmark organizational performance against industry peers.

D.

Require executive management to draft IT strategy

Full Access
Question # 14

Which of the following would MOST effectively help to reduce the number of repealed incidents in an organization?

A.

Testing incident response plans with a wide range of scenarios

B.

Prioritizing incidents after impact assessment.

C.

Linking incidents to problem management activities

D.

Training incident management teams on current incident trends

Full Access
Question # 15

Which of the following will BEST ensure that a proper cutoff has been established to reinstate transactions and records to their condition just prior to a computer system failure?

A.

Rotating backup copies of transaction files offsite

B.

Using a database management system (DBMS) to dynamically back-out partially processed transactions

C.

Maintaining system console logs in electronic formal

D.

Ensuring bisynchronous capabilities on all transmission lines

Full Access
Question # 16

Which of the following is MOST critical for the effective implementation of IT governance?

A.

Strong risk management practices

B.

Internal auditor commitment

C.

Supportive corporate culture

D.

Documented policies

Full Access
Question # 17

Which of the following is the MOST effective way for an organization to help ensure agreed-upon action plans from an IS audit will be implemented?

A.

Ensure sufficient audit resources are allocated,

B.

Communicate audit results organization-wide.

C.

Ensure ownership is assigned.

D.

Test corrective actions upon completion.

Full Access
Question # 18

Which of the following presents the GREATEST challenge to the alignment of business and IT?

A.

Lack of chief information officer (CIO) involvement in board meetings

B.

Insufficient IT budget to execute new business projects

C.

Lack of information security involvement in business strategy development

D.

An IT steering committee chaired by the chief information officer (CIO)

Full Access
Question # 19

An IS auditor has completed the fieldwork phase of a network security review and is preparing the initial following findings should be ranked as the HIGHEST risk?

A.

Network penetration tests are not performed

B.

The network firewall policy has not been approved by the information security officer.

C.

Network firewall rules have not been documented.

D.

The network device inventory is incomplete.

Full Access
Question # 20

Which of the following security measures will reduce the risk of propagation when a cyberattack occurs?

A.

Perimeter firewall

B.

Data loss prevention (DLP) system

C.

Web application firewall

D.

Network segmentation

Full Access
Question # 21

Which of the following would be MOST useful when analyzing computer performance?

A.

Statistical metrics measuring capacity utilization

B.

Operations report of user dissatisfaction with response time

C.

Tuning of system software to optimize resource usage

D.

Report of off-peak utilization and response time

Full Access
Question # 22

Which of the following types of environmental equipment will MOST likely be deployed below the floor tiles of a data center?

A.

Temperature sensors

B.

Humidity sensors

C.

Water sensors

D.

Air pressure sensors

Full Access
Question # 23

Which of the following would provide an IS auditor with the GREATEST assurance that data disposal controls support business strategic objectives?

A.

Media recycling policy

B.

Media sanitization policy

C.

Media labeling policy

D.

Media shredding policy

Full Access
Question # 24

Which of the following is MOST important when implementing a data classification program?

A.

Understanding the data classification levels

B.

Formalizing data ownership

C.

Developing a privacy policy

D.

Planning for secure storage capacity

Full Access
Question # 25

Which of the following is the MOST significant risk that IS auditors are required to consider for each engagement?

A.

Process and resource inefficiencies

B.

Irregularities and illegal acts

C.

Noncompliance with organizational policies

D.

Misalignment with business objectives

Full Access
Question # 26

An IS auditor finds that the process for removing access for terminated employees is not documented What is the MOST significant risk from this observation?

A.

Procedures may not align with best practices

B.

Human resources (HR) records may not match system access.

C.

Unauthorized access cannot he identified.

D.

Access rights may not be removed in a timely manner.

Full Access
Question # 27

What should an IS auditor do FIRST when management responses

to an in-person internal control questionnaire indicate a key internal

control is no longer effective?

A.

Determine the resources required to make the control

effective.

B.

Validate the overall effectiveness of the internal control.

C.

Verify the impact of the control no longer being effective.

D.

Ascertain the existence of other compensating controls.

Full Access
Question # 28

An organization has outsourced the development of a core application. However, the organization plans to bring the support and future maintenance of the application back in-house. Which of the following findings should be the IS auditor's GREATEST concern?

A.

The cost of outsourcing is lower than in-house development.

B.

The vendor development team is located overseas.

C.

A training plan for business users has not been developed.

D.

The data model is not clearly documented.

Full Access
Question # 29

Which of the following IT service management activities is MOST likely to help with identifying the root cause of repeated instances of network latency?

A.

Change management

B.

Problem management

C.

incident management

D.

Configuration management

Full Access
Question # 30

An IS auditor follows up on a recent security incident and finds the incident response was not adequate. Which of the following findings should be considered MOST critical?

A.

The security weakness facilitating the attack was not identified.

B.

The attack was not automatically blocked by the intrusion detection system (IDS).

C.

The attack could not be traced back to the originating person.

D.

Appropriate response documentation was not maintained.

Full Access
Question # 31

An IS auditor notes that the previous year's disaster recovery test was not completed within the scheduled time frame due to insufficient hardware allocated by a third-party vendor. Which of the following provides the BEST evidence that adequate resources are now allocated to successfully recover the systems?

A.

Service level agreement (SLA)

B.

Hardware change management policy

C.

Vendor memo indicating problem correction

D.

An up-to-date RACI chart

Full Access
Question # 32

in a controlled application development environment, the MOST important segregation of duties should be between the person who implements changes into the production environment and the:

A.

application programmer

B.

systems programmer

C.

computer operator

D.

quality assurance (QA) personnel

Full Access
Question # 33

Which of the following is necessary for effective risk management in IT governance?

A.

Local managers are solely responsible for risk evaluation.

B.

IT risk management is separate from corporate risk management.

C.

Risk management strategy is approved by the audit committee.

D.

Risk evaluation is embedded in management processes.

Full Access
Question # 34

Which of the following is the PRIMARY advantage of using visualization technology for corporate applications?

A.

Improved disaster recovery

B.

Better utilization of resources

C.

Stronger data security

D.

Increased application performance

Full Access
Question # 35

An IS auditor is reviewing documentation of application systems change control and identifies several patches that were not tested before being put into production. Which of the following is the MOST significant risk from this situation?

A.

Loss of application support

B.

Lack of system integrity

C.

Outdated system documentation

D.

Developer access 1o production

Full Access
Question # 36

During the planning phase of a data loss prevention (DLP) audit, management expresses a concern about mobile computing. Which of the following should the IS auditor identity as the associated risk?

A.

The use of the cloud negatively impacting IT availably

B.

Increased need for user awareness training

C.

Increased vulnerability due to anytime, anywhere accessibility

D.

Lack of governance and oversight for IT infrastructure and applications

Full Access
Question # 37

Which of the following is the BEST way to sanitize a hard disk for reuse to ensure the organization's information cannot be accessed?

A.

Re-partitioning

B.

Degaussing

C.

Formatting

D.

Data wiping

Full Access
Question # 38

Which of the following is the BEST way to ensure that business continuity plans (BCPs) will work effectively in the event of a major disaster?

A.

Prepare detailed plans for each business function.

B.

Involve staff at all levels in periodic paper walk-through exercises.

C.

Regularly update business impact assessments.

D.

Make senior managers responsible for their plan sections.

Full Access
Question # 39

A review of IT interface controls finds an organization does not have a process to identify and correct records that do not get transferred to the receiving system Which of the following is the IS auditors BEST recommendation?

A.

Enable automatic encryption decryption and electronic signing of data files

B.

implement software to perform automatic reconciliations of data between systems

C.

Have coders perform manual reconciliation of data between systems

D.

Automate the transfer of data between systems as much as feasible

Full Access
Question # 40

Which of the following provides the BEST evidence that a third-party service provider's information security controls

are effective?

A.

An audit report of the controls by the service provider's external auditor

B.

Documentation of the service provider's security configuration controls

C.

An interview with the service provider's information security officer

D.

A review of the service provider's policies and procedures

Full Access
Question # 41

Which of the following is the GREATEST risk if two users have concurrent access to the same database record?

A.

Availability integrity

B.

Data integrity

C.

Entity integrity

D.

Referential integrity

Full Access
Question # 42

A CFO has requested an audit of IT capacity management due to a series of finance system slowdowns during month-end reporting. What would be MOST important to consider before including this audit in the program?

A.

Whether system delays result in more frequent use of manual processing

B.

Whether the system's performance poses a significant risk to the organization

C.

Whether stakeholders are committed to assisting with the audit

D.

Whether internal auditors have the required skills to perform the audit

Full Access
Question # 43

Which of the following is the MOST important consideration when evaluating the data retention policy for a global organization with regional offices in multiple countries?

A.

The policy aligns with corporate policies and practices.

B.

The policy aligns with global best practices.

C.

The policy aligns with business goals and objectives.

D.

The policy aligns with local laws and regulations.

Full Access
Question # 44

Which of the following is the MOST important responsibility of user departments associated with program changes?

A.

Providing unit test data

B.

Analyzing change requests

C.

Updating documentation lo reflect latest changes

D.

Approving changes before implementation

Full Access
Question # 45

Which of the following should be of MOST concern to an IS auditor reviewing the information systems acquisition, development, and implementation process?

A.

Data owners are not trained on the use of data conversion tools.

B.

A post-implementation lessons-learned exercise was not conducted.

C.

There is no system documentation available for review.

D.

System deployment is routinely performed by contractors.

Full Access
Question # 46

A checksum is classified as which type of control?

A.

Detective control

B.

Preventive control

C.

Corrective control

D.

Administrative control

Full Access
Question # 47

Which of the following findings should be of GREATEST concern to an IS auditor reviewing an organization s newly implemented online security awareness program'?

A.

Only new employees are required to attend the program

B.

Metrics have not been established to assess training results

C.

Employees do not receive immediate notification of results

D.

The timing for program updates has not been determined

Full Access
Question # 48

When reviewing a project to replace multiple manual data entry systems with an artificial intelligence (Al) system, the IS auditor should be MOST concerned with the impact Al will have on

A.

employee retention

B.

enterprise architecture (EA)

C.

future task updates

D.

task capacity output

Full Access
Question # 49

Which of the following can only be provided by asymmetric encryption?

A.

Information privacy

B.

256-brt key length

C.

Data availability

D.

Nonrepudiation

Full Access
Question # 50

Which of the following testing methods is MOST appropriate for assessing whether system integrity has been maintained after changes have been made?

A.

Regression testing

B.

Unit testing

C.

Integration testing

D.

Acceptance testing

Full Access
Question # 51

Which of the following areas is MOST likely to be overlooked when implementing a new data classification process?

A.

End-user computing (EUC) systems

B.

Email attachments

C.

Data sent to vendors

D.

New system applications

Full Access
Question # 52

Which of following areas is MOST important for an IS auditor to focus on when reviewing the maturity model for a technology organization?

A.

Standard operating procedures

B.

Service level agreements (SLAs)

C.

Roles and responsibility matrix

D.

Business resiliency

Full Access
Question # 53

Management has learned the implementation of a new IT system will not be completed on time and has requested an audit. Which of the following audit findings should be of GREATEST concern?

A.

The actual start times of some activities were later than originally scheduled.

B.

Tasks defined on the critical path do not have resources allocated.

C.

The project manager lacks formal certification.

D.

Milestones have not been defined for all project products.

Full Access
Question # 54

Which of the following is the MOST effective way to identify exfiltration of sensitive data by a malicious insider?

A.

Implement data loss prevention (DLP) software

B.

Review perimeter firewall logs

C.

Provide ongoing information security awareness training

D.

Establish behavioral analytics monitoring

Full Access
Question # 55

Which of the following is the MOST appropriate control to ensure integrity of online orders?

A.

Data Encryption Standard (DES)

B.

Digital signature

C.

Public key encryption

D.

Multi-factor authentication

Full Access
Question # 56

An IS auditor is concerned that unauthorized access to a highly sensitive data center might be gained by piggybacking or tailgating. Which of the following is the BEST recommendation? (Choose Correct answer and give explanation from CISA Certification - Information Systems Auditor official book)

A.

Biometrics

B.

Procedures for escorting visitors

C.

Airlock entrance

D.

Intruder alarms

Full Access
Question # 57

Which of the following is the GREATEST advantage of vulnerability scanning over penetration testing?

A.

The testing produces a lower number of false positive results

B.

Network bandwidth is utilized more efficiently

C.

Custom-developed applications can be tested more accurately

D.

The testing process can be automated to cover large groups of assets

Full Access
Question # 58

When testing the accuracy of transaction data, which of the following situations BEST justifies the use of a smaller sample size?

A.

The IS audit staff has a high level of experience.

B.

It is expected that the population is error-free.

C.

Proper segregation of duties is in place.

D.

The data can be directly changed by users.

Full Access
Question # 59

Which of the following is the PRIMARY reason for an IS audit manager to review the work performed by a senior IS auditor prior to presentation of a report?

A.

To ensure the conclusions are adequately supported

B.

To ensure adequate sampling methods were used during fieldwork

C.

To ensure the work is properly documented and filed

D.

To ensure the work is conducted according to industry standards

Full Access
Question # 60

During which phase of the software development life cycle is it BEST to initiate the discussion of application controls?

A.

Business case development phase when stakeholders are identified

B.

Application design phase process functionalities are finalized

C.

User acceptance testing (UAT) phase when test scenarios are designed

D.

Application coding phase when algorithms are developed to solve business problems

Full Access
Question # 61

Capacity management tools are PRIMARILY used to ensure that:

A.

available resources are used efficiently and effectively

B.

computer systems are used to their maximum capacity most of the time

C.

concurrent use by a large number of users is enabled

D.

proposed hardware acquisitions meet capacity requirements

Full Access
Question # 62

Which of the following is MOST important to consider when reviewing an organization's defined data backup and restoration procedures?

A.

Business continuity plan (BCP)

B.

Recovery point objective (RPO)

C.

Mean time to restore (MTTR)

D.

Mean time between failures (MTBF)

Full Access
Question # 63

An IS auditor has been tasked to review the processes that prevent fraud within a business expense claim system. Which of the following stakeholders is MOST important to involve in this review?

A.

Information security manager

B.

Quality assurance (QA) manager

C.

Business department executive

D.

Business process owner

Full Access
Question # 64

Which of the following should be the GREATEST concern to an IS auditor reviewing an organization's method to transport sensitive data between offices?

A.

The method relies exclusively on the use of asymmetric encryption algorithms.

B.

The method relies exclusively on the use of 128-bit encryption.

C.

The method relies exclusively on the use of digital signatures.

D.

The method relies exclusively on the use of public key infrastructure (PKI).

Full Access
Question # 65

A characteristic of a digital signature is that it

A.

is under control of the receiver

B.

is unique to the message

C.

is validated when data are changed

D.

has a reproducible hashing algorithm

Full Access
Question # 66

Which of the following are used in a firewall to protect the entity's internal resources?

A.

Remote access servers

B.

Secure Sockets Layers (SSLs)

C.

Internet Protocol (IP) address restrictions

D.

Failover services

Full Access
Question # 67

An organization outsourced its IS functions to meet its responsibility for disaster recovery, the organization should:

A.

discontinue maintenance of the disaster recovery plan (DRP>

B.

coordinate disaster recovery administration with the outsourcing vendor

C.

delegate evaluation of disaster recovery to a third party

D.

delegate evaluation of disaster recovery to internal audit

Full Access
Question # 68

Which of the following methods will BEST reduce the risk associated with the transition to a new system using

technologies that are not compatible with the old system?

A.

Parallel changeover

B.

Modular changeover

C.

Phased operation

D.

Pilot operation

Full Access
Question # 69

During an audit which of the following would be MOST helpful in establishing a baseline for measuring data quality?

A.

Input from customers

B.

Industry standard business definitions

C.

Validation of rules by the business

D.

Built-in data error prevention application controls

Full Access
Question # 70

Which of the following is MOST important for an IS auditor to verify when evaluating an organization's data conversion and infrastructure migration plan?

A.

Strategic: goals have been considered.

B.

A rollback plan is included.

C.

A code check review is included.

D.

A migration steering committee has been formed.

Full Access
Question # 71

Which of the following risk scenarios is BEST addressed by implementing policies and procedures related to full disk encryption?

A.

Data leakage as a result of employees leaving to work for competitors

B.

Noncompliance fines related to storage of regulated information

C.

Unauthorized logical access to information through an application interface

D.

Physical theft of media on which information is stored

Full Access
Question # 72

When reviewing the functionality of an intrusion detection system (IDS), the IS auditor should be MOST concerned if:

A.

legitimate packets blocked by the system have increased

B.

actual attacks have not been identified

C.

detected events have increased

D.

false positives have been reported

Full Access
Question # 73

The use of which of the following is an inherent risk in the application container infrastructure?

A.

Shared registries

B.

Host operating system

C.

Shared data

D.

Shared kernel

Full Access
Question # 74

An IS auditor is reviewing the perimeter security design of a network. Which of the following provides the GREATEST assurance outgoing Internet traffic is controlled?

A.

Intrusion detection system (IDS)

B.

Security information and event management (SIEM) system

C.

Stateful firewall

D.

Load balancer

Full Access
Question # 75

An IS auditor evaluating the change management process must select a sample from the change log. What is the BEST way to the auditor to confirm the change log is complete?

A.

Interview change management personnel about completeness.

B.

Take an item from the log and trace it back to the system.

C.

Obtain management attestation of completeness.

D.

Take the last change from the system and trace it back to the log.

Full Access
Question # 76

Which of the following poses the GREATEST risk to an organization when employees use public social networking sites?

A.

Cross-site scripting (XSS)

B.

Copyright violations

C.

Social engineering

D.

Adverse posts about the organization

Full Access
Question # 77

What should an IS auditor do FIRST when a follow-up audit reveals some management action plans have not been initiated?

A.

Confirm whether the identified risks are still valid.

B.

Provide a report to the audit committee.

C.

Escalate the lack of plan completion to executive management.

D.

Request an additional action plan review to confirm the findings.

Full Access
Question # 78

During a follow-up audit, an IS auditor finds that senior management has implemented a different remediation action plan than what was previously agreed upon. Which of the following is the auditor's BEST course of action?

A.

Report the deviation by the control owner in the audit report.

B.

Evaluate the implemented control to ensure it mitigates the risk to an acceptable level.

C.

Cancel the follow-up audit and reschedule for the next audit period.

D.

Request justification from management for not implementing the recommended control.

Full Access
Question # 79

Which of the following provides the MOST assurance of the integrity of a firewall log?

A.

The log is reviewed on a monthly basis.

B.

Authorized access is required to view the log.

C.

The log cannot be modified.

D.

The log is retained per policy.

Full Access
Question # 80

Following a breach, what is the BEST source to determine the maximum amount of time before customers must be notified that their personal information may have been compromised?

A.

Industry regulations

B.

Industry standards

C.

Incident response plan

D.

Information security policy

Full Access
Question # 81

Which of the following technologies has the SMALLEST maximum range for data transmission between devices?

A.

Wi-Fi

B.

Bluetooth

C.

Long-term evolution (LTE)

D.

Near-field communication (NFC)

Full Access
Question # 82

A financial group recently implemented new technologies and processes, Which type of IS audit would provide the GREATEST level of assurance that the department's objectives have been met?

A.

Performance audit

B.

Integrated audit

C.

Cyber audit

D.

Financial audit

Full Access
Question # 83

As part of the architecture of virtualized environments, in a bare metal or native visualization the hypervisor runs without:

A.

a host operating system.

B.

a guest operating system.

C.

any applications on the guest operating system.

D.

any applications on the host operating system.

Full Access
Question # 84

When evaluating information security governance within an organization, which of the following findings should be of MOST concern to an IS auditor?

A.

The information security department has difficulty filling vacancies

B.

An information security governance audit was not conducted within the past year

C.

The data center manager has final sign-off on security projects

D.

Information security policies are updated annually

Full Access
Question # 85

Which of the following is an advantage of using agile software development methodology over the waterfall methodology?

A.

Less funding required overall

B.

Quicker deliverables

C.

Quicker end user acceptance

D.

Clearly defined business expectations

Full Access
Question # 86

Which of the following is MOST important to determine when conducting an audit Of an organization's data privacy practices?

A.

Whether a disciplinary process is established for data privacy violations

B.

Whether strong encryption algorithms are deployed for personal data protection

C.

Whether privacy technologies are implemented for personal data protection

D.

Whether the systems inventory containing personal data is maintained

Full Access
Question # 87

Which of the following should be restricted from a network administrator's privileges in an adequately segregated IT environment?

A.

Monitoring network traffic

B.

Changing existing configurations for applications

C.

Hardening network ports

D.

Ensuring transmission protocols are functioning correctly

Full Access
Question # 88

Which of the following would provide the BEST evidence of an IT strategy corrections effectiveness?

A.

The minutes from the IT strategy committee meetings

B.

Synchronization of IT activities with corporate objectives

C.

The IT strategy committee charier

D.

Business unit satisfaction survey results

Full Access
Question # 89

In the development of a new financial application, the IS auditor's FIRST involvement should be in the:

A.

control design.

B.

feasibility study.

C.

application design.

D.

system test.

Full Access
Question # 90

An organization's IT risk assessment should include the identification of:

A.

vulnerabilities

B.

compensating controls

C.

business needs

D.

business process owners

Full Access
Question # 91

An IS auditor is reviewing an organization's business continuity plan (BCP) following a change in organizational structure with significant impact to business processes. Which of the following findings should be the auditor's GREATEST concern?

A.

Key business process end users did not participate in the business impact " analysis (BIA)

B.

Copies of the BCP have not been distributed to new business unit end users sjnce the reorganization

C.

A test plan for the BCP has not been completed during the last two years

Full Access
Question # 92

An IS auditor is evaluating the access controls for a shared customer relationship management (CRM) system. Which of the following would be the GREATEST concern?

A.

Single sign-on is not enabled

B.

Audit logging is not enabled

C.

Security baseline is not consistently applied

D.

Complex passwords are not required

Full Access
Question # 93

Which of the following should be an IS auditor's GREATEST concern when a data owner assigns an incorrect classification level to data?

A.

Controls to adequately safeguard the data may not be applied.

B.

Data may not be encrypted by the system administrator.

C.

Competitors may be able to view the data.

D.

Control costs may exceed the intrinsic value of the IT asset.

Full Access
Question # 94

Which of the following is MOST useful to an IS auditor performing a review of access controls for a document management system?

A.

Policies and procedures for managing documents provided by department heads

B.

A system-generated list of staff and their project assignments. roles, and responsibilities

C.

Previous audit reports related to other departments' use of the same system

D.

Information provided by the audit team lead an the authentication systems used by the department

Full Access
Question # 95

Which of the following provides the BEST audit evidence that a firewall is configured in compliance with the organization's security policy?

A.

Analyzing how the configuration changes are performed

B.

Analyzing log files

C.

Reviewing the rule base

D.

Performing penetration testing

Full Access
Question # 96

Which of the following is the BEST indication of effective IT investment management?

A.

IT investments are implemented and monitored following a system development life cycle (SDLC)

B.

IT investments are mapped to specific business objectives

C.

Key performance indicators (KPIs) are defined for each business requiring IT Investment

D.

The IT Investment budget is significantly below industry benchmarks

Full Access
Question # 97

To mitigate the risk of exposing data through application programming interface (API) queries. which of the following design considerations is MOST important?

A.

Data retention

B.

Data minimization

C.

Data quality

D.

Data integrity

Full Access
Question # 98

An IS auditor has been asked to audit the proposed acquisition of new computer hardware. The auditor’s PRIMARY concern Is that:

A.

the implementation plan meets user requirements.

B.

a full, visible audit trail will be Included.

C.

a dear business case has been established.

D.

the new hardware meets established security standards

Full Access
Question # 99

During an audit of a multinational bank's disposal process, an IS auditor notes several findings. Which of the following should be the auditor's GREATEST concern?

A.

Backup media are not reviewed before disposal.

B.

Degaussing is used instead of physical shredding.

C.

Backup media are disposed before the end of the retention period

D.

Hardware is not destroyed by a certified vendor.

Full Access
Question # 100

An IS auditor is analyzing a sample of accesses recorded on the system log of an application. The auditor intends to launch an intensive investigation if one exception is found Which sampling method would be appropriate?

A.

Discovery sampling

B.

Judgmental sampling

C.

Variable sampling

D.

Stratified sampling

Full Access
Question # 101

Which of the following should an IS auditor consider the MOST significant risk associated with a new health records system that replaces a legacy system?

A.

Staff were not involved in the procurement process, creating user resistance to the new system.

B.

Data is not converted correctly, resulting in inaccurate patient records.

C.

The deployment project experienced significant overruns, exceeding budget projections.

D.

The new system has capacity issues, leading to slow response times for users.

Full Access
Question # 102

The performance, risks, and capabilities of an IT infrastructure are BEST measured using a:

A.

risk management review

B.

control self-assessment (CSA).

C.

service level agreement (SLA).

D.

balanced scorecard.

Full Access
Question # 103

Which of the following is the BEST indicator of the effectiveness of signature-based intrusion detection systems (lDS)?

A.

An increase in the number of identified false positives

B.

An increase in the number of detected Incidents not previously identified

C.

An increase in the number of unfamiliar sources of intruders

D.

An increase in the number of internally reported critical incidents

Full Access
Question # 104

UESTION NO: 210

An accounting department uses a spreadsheet to calculate sensitive financial transactions. Which of the following is the MOST important control for maintaining the security of data in the spreadsheet?

A.

There Is a reconciliation process between the spreadsheet and the finance system

B.

A separate copy of the spreadsheet is routinely backed up

C.

The spreadsheet is locked down to avoid inadvertent changes

D.

Access to the spreadsheet is given only to those who require access

Full Access
Question # 105

An IS auditor is evaluating the risk associated with moving from one database management system (DBMS) to another. Which of the following would be MOST helpful to ensure the integrity of the system throughout the change?

A.

Preserving the same data classifications

B.

Preserving the same data inputs

C.

Preserving the same data structure

D.

Preserving the same data interfaces

Full Access
Question # 106

A project team has decided to switch to an agile approach to develop a replacement for an existing business application. Which of the following should an IS auditor do FIRST to ensure the effectiveness of the protect audit?

A.

Compare the agile process with previous methodology.

B.

Identify and assess existing agile process control

C.

Understand the specific agile methodology that will be followed.

D.

Interview business process owners to compile a list of business requirements

Full Access
Question # 107

Which of the following weaknesses would have the GREATEST impact on the effective operation of a perimeter firewall?

A.

Use of stateful firewalls with default configuration

B.

Ad hoc monitoring of firewall activity

C.

Misconfiguration of the firewall rules

D.

Potential back doors to the firewall software

Full Access
Question # 108

The BEST way to determine whether programmers have permission to alter data in the production environment is by reviewing:

A.

the access control system's log settings.

B.

how the latest system changes were implemented.

C.

the access control system's configuration.

D.

the access rights that have been granted.

Full Access
Question # 109

When testing the adequacy of tape backup procedures, which step BEST verifies that regularly scheduled Backups are timely and run to completion?

A.

Observing the execution of a daily backup run

B.

Evaluating the backup policies and procedures

C.

Interviewing key personnel evolved In the backup process

D.

Reviewing a sample of system-generated backup logs

Full Access
Question # 110

Which of the following would lead an IS auditor to conclude that the evidence collected during a digital forensic investigation would not be admissible in court?

A.

The person who collected the evidence is not qualified to represent the case.

B.

The logs failed to identify the person handling the evidence.

C.

The evidence was collected by the internal forensics team.

D.

The evidence was not fully backed up using a cloud-based solution prior to the trial.

Full Access
Question # 111

An organization has recently implemented a Voice-over IP (VoIP) communication system. Which ot the following should be the IS auditor's PRIMARY concern?

A.

A single point of failure for both voice and data communications

B.

Inability to use virtual private networks (VPNs) for internal traffic

C.

Lack of integration of voice and data communications

D.

Voice quality degradation due to packet toss

Full Access
Question # 112

A new regulation in one country of a global organization has recently prohibited cross-border transfer of personal data. An IS auditor has been asked to determine the organization's level of exposure In the affected country. Which of the following would be MOST helpful in making this assessment?

A.

Developing an inventory of all business entities that exchange personal data with the affected jurisdiction

B.

Identifying data security threats in the affected jurisdiction

C.

Reviewing data classification procedures associated with the affected jurisdiction

D.

Identifying business processes associated with personal data exchange with the affected jurisdiction

Full Access
Question # 113

When planning an audit to assess application controls of a cloud-based system, it is MOST important tor the IS auditor to understand the.

A.

architecture and cloud environment of the system.

B.

business process supported by the system.

C.

policies and procedures of the business area being audited.

D.

availability reports associated with the cloud-based system.

Full Access
Question # 114

Which of the following business continuity activities prioritizes the recovery of critical functions?

A.

Business continuity plan (BCP) testing

B.

Business impact analysis (BIA)

C.

Disaster recovery plan (DRP) testing

D.

Risk assessment

Full Access
Question # 115

An IS auditor performs a follow-up audit and learns the approach taken by the auditee to fix the findings differs from the agreed-upon approach confirmed during the last audit. Which of the following should be the auditor's NEXT course of action?

A.

Evaluate the appropriateness of the remedial action taken.

B.

Conduct a risk analysis incorporating the change.

C.

Report results of the follow-up to the audit committee.

D.

Inform senior management of the change in approach.

Full Access
Question # 116

Which of the following is the BEST source of information tor an IS auditor to use when determining whether an organization's information security policy is adequate?

A.

Information security program plans

B.

Penetration test results

C.

Risk assessment results

D.

Industry benchmarks

Full Access
Question # 117

Due to limited storage capacity, an organization has decided to reduce the actual retention period for media containing completed low-value transactions. Which of the following is MOST important for the organization to ensure?

A.

The policy includes a strong risk-based approach.

B.

The retention period allows for review during the year-end audit.

C.

The retention period complies with data owner responsibilities.

D.

The total transaction amount has no impact on financial reporting

Full Access
Question # 118

An organization recently implemented a cloud document storage solution and removed the ability for end users to save data to their local workstation hard drives. Which of the following findings should be the IS auditor's GREATEST concern?

A.

Users are not required to sign updated acceptable use agreements.

B.

Users have not been trained on the new system.

C.

The business continuity plan (BCP) was not updated.

D.

Mobile devices are not encrypted.

Full Access
Question # 119

While auditing a small organization's data classification processes and procedures, an IS auditor noticed that data is often classified at the incorrect level. What is the MOST effective way for the organization to improve this situation?

A.

Use automatic document classification based on content.

B.

Have IT security staff conduct targeted training for data owners.

C.

Publish the data classification policy on the corporate web portal.

D.

Conduct awareness presentations and seminars for information classification policies.

Full Access
Question # 120

Which of the following is MOST important to consider when scheduling follow-up audits?

A.

The efforts required for independent verification with new auditors

B.

The impact if corrective actions are not taken

C.

The amount of time the auditee has agreed to spend with auditors

D.

Controls and detection risks related to the observations

Full Access
Question # 121

Which of the following would be of MOST concern for an IS auditor evaluating the design of an organization's incident management processes?

A.

Service management standards are not followed.

B.

Expected time to resolve incidents is not specified.

C.

Metrics are not reported to senior management.

D.

Prioritization criteria are not defined.

Full Access
Question # 122

Which of the following are BEST suited for continuous auditing?

A.

Low-value transactions

B.

Real-lime transactions

C.

Irregular transactions

D.

Manual transactions

Full Access
Question # 123

Which of the following activities provides an IS auditor with the MOST insight regarding potential single person dependencies that might exist within the organization?

A.

Reviewing vacation patterns

B.

Reviewing user activity logs

C.

Interviewing senior IT management

D.

Mapping IT processes to roles

Full Access
Question # 124

Which of the following conditions would be of MOST concern to an IS auditor assessing the risk of a successful brute force attack against encrypted data at test?

A.

Short key length

B.

Random key generation

C.

Use of symmetric encryption

D.

Use of asymmetric encryption

Full Access
Question # 125

A month after a company purchased and implemented system and performance monitoring software, reports were too large and therefore were not reviewed or acted upon The MOST effective plan of action would be to:

A.

evaluate replacement systems and performance monitoring software.

B.

restrict functionality of system monitoring software to security-related events.

C.

re-install the system and performance monitoring software.

D.

use analytical tools to produce exception reports from the system and performance monitoring software

Full Access
Question # 126

Which of the following activities would allow an IS auditor to maintain independence while facilitating a control sell-assessment (CSA)?

A.

Implementing the remediation plan

B.

Partially completing the CSA

C.

Developing the remediation plan

D.

Developing the CSA questionnaire

Full Access
Question # 127

Which of the following is an example of a preventative control in an accounts payable system?

A.

The system only allows payments to vendors who are included In the system's master vendor list.

B.

Backups of the system and its data are performed on a nightly basis and tested periodically.

C.

The system produces daily payment summary reports that staff use to compare against invoice totals.

D.

Policies and procedures are clearly communicated to all members of the accounts payable department

Full Access
Question # 128

Upon completion of audit work, an IS auditor should:

A.

provide a report to senior management prior to discussion with the auditee.

B.

distribute a summary of general findings to the members of the auditing team.

C.

provide a report to the auditee stating the initial findings.

D.

review the working papers with the auditee.

Full Access
Question # 129

Which of the following would MOST effectively ensure the integrity of data transmitted over a network?

A.

Message encryption

B.

Certificate authority (CA)

C.

Steganography

D.

Message digest

Full Access
Question # 130

Which of the following is MOST helpful for measuring benefits realization for a new system?

A.

Function point analysis

B.

Balanced scorecard review

C.

Post-implementation review

D.

Business impact analysis (BIA)

Full Access
Question # 131

Which of the following is the BEST source of information for an IS auditor to use as a baseline to assess the adequacy of an organization's privacy policy?

A.

Historical privacy breaches and related root causes

B.

Globally accepted privacy best practices

C.

Local privacy standards and regulations

D.

Benchmark studies of similar organizations

Full Access
Question # 132

Following a security breach in which a hacker exploited a well-known vulnerability in the domain controller, an IS audit has been asked to conduct a control assessment. the auditor's BEST course of action would be to determine if:

A.

the patches were updated.

B.

The logs were monitored.

C.

The network traffic was being monitored.

D.

The domain controller was classified for high availability.

Full Access
Question # 133

Which of the following should an IS auditor review FIRST when planning a customer data privacy audit?

A.

Legal and compliance requirements

B.

Customer agreements

C.

Data classification

D.

Organizational policies and procedures

Full Access
Question # 134

In an online application which of the following would provide the MOST information about the transaction audit trail?

A.

File layouts

B.

Data architecture

C.

System/process flowchart

D.

Source code documentation

Full Access
Question # 135

A manager Identifies active privileged accounts belonging to staff who have left the organization. Which of the following is the threat actor In this scenario?

A.

Terminated staff

B.

Unauthorized access

C.

Deleted log data

D.

Hacktivists

Full Access
Question # 136

During an audit of a financial application, it was determined that many terminated users' accounts were not disabled. Which of the following should be the IS auditor's NEXT step?

A.

Perform substantive testing of terminated users' access rights.

B.

Perform a review of terminated users' account activity

C.

Communicate risks to the application owner.

D.

Conclude that IT general controls ate ineffective.

Full Access
Question # 137

Which of the following findings from an IT governance review should be of GREATEST concern?

A.

The IT budget is not monitored

B.

All IT services are provided by third parties.

C.

IT value analysis has not been completed.

D.

IT supports two different operating systems.

Full Access
Question # 138

What is the MAIN reason to use incremental backups?

A.

To improve key availability metrics

B.

To reduce costs associates with backups

C.

To increase backup resiliency and redundancy

D.

To minimize the backup time and resources

Full Access
Question # 139

Providing security certification for a new system should include which of the following prior to the system's implementation?

A.

End-user authorization to use the system in production

B.

External audit sign-off on financial controls

C.

Testing of the system within the production environment

D.

An evaluation of the configuration management practices

Full Access
Question # 140

Which of the following is a detective control?

A.

Programmed edit checks for data entry

B.

Backup procedures

C.

Use of pass cards to gain access to physical facilities

D.

Verification of hash totals

Full Access
Question # 141

Which of the following environments is BEST used for copying data and transformation into a compatible data warehouse format?

A.

Testing

B.

Replication

C.

Staging

D.

Development

Full Access
Question # 142

Which of the following is MOST important for an IS auditor to verify when evaluating an organization's firewall?

A.

Logs are being collected in a separate protected host

B.

Automated alerts are being sent when a risk is detected

C.

Insider attacks are being controlled

D.

Access to configuration files Is restricted.

Full Access
Question # 143

An IS audit learn is evaluating the documentation related to the most recent application user-access review performed by IT and business management It is determined that the user list was not system-generated. Which of the following should be the GREATEST concern?

A.

Availability of the user list reviewed

B.

Confidentiality of the user list reviewed

C.

Source of the user list reviewed

D.

Completeness of the user list reviewed

Full Access
Question # 144

Which of the following is the PRIMARY reason to follow a configuration management process to maintain application?

A.

To optimize system resources

B.

To follow system hardening standards

C.

To optimize asset management workflows

D.

To ensure proper change control

Full Access
Question # 145

Which of the following is a social engineering attack method?

A.

An employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone.

B.

A hacker walks around an office building using scanning tools to search for a wireless network to gain access.

C.

An intruder eavesdrops and collects sensitive information flowing through the network and sells it to third parties.

D.

An unauthorized person attempts to gain access to secure premises by following an authorized person through a secure door.

Full Access
Question # 146

Stress testing should ideally be earned out under a:

A.

test environment with production workloads.

B.

production environment with production workloads.

C.

production environment with test data.

D.

test environment with test data.

Full Access
Question # 147

When auditing the alignment of IT to the business strategy, it is MOST Important for the IS auditor to:

A.

compare the organization's strategic plan against industry best practice.

B.

interview senior managers for their opinion of the IT function.

C.

ensure an IT steering committee is appointed to monitor new IT projects.

D.

evaluate deliverables of new IT initiatives against planned business services.

Full Access
Question # 148

Which of the following would provide the MOST important input during the planning phase for an audit on the implementation of a bring your own device (BYOD) program?

A.

Findings from prior audits

B.

Results of a risk assessment

C.

An inventory of personal devices to be connected to the corporate network

D.

Policies including BYOD acceptable user statements

Full Access
Question # 149

In data warehouse (DW) management, what is the BEST way to prevent data quality issues caused by changes from a source system?

A.

Configure data quality alerts to check variances between the data warehouse and the source system

B.

Require approval for changes in the extract/Transfer/load (ETL) process between the two systems

C.

Include the data warehouse in the impact analysis (or any changes m the source system

D.

Restrict access to changes in the extract/transfer/load (ETL) process between the two systems

Full Access
Question # 150

During an exit interview, senior management disagrees with some of me facts presented m the draft audit report and wants them removed from the report. Which of the following would be the auditor's BEST course of action?

A.

Revise the assessment based on senior management's objections.

B.

Escalate the issue to audit management.

C.

Finalize the draft audit report without changes.

D.

Gather evidence to analyze senior management's objections

Full Access
Question # 151

Which of the following is the BEST audit procedure to determine whether a firewall is configured in compliance with the organization's security policy?

A.

Reviewing the parameter settings

B.

Reviewing the system log

C.

Interviewing the firewall administrator

D.

Reviewing the actual procedures

Full Access
Question # 152

Which of the following provides the MOST assurance over the completeness and accuracy ol loan application processing with respect to the implementation of a new system?

A.

Comparing code between old and new systems

B.

Running historical transactions through the new system

C.

Reviewing quality assurance (QA) procedures

D.

Loading balance and transaction data to the new system

Full Access
Question # 153

An IS auditor concludes that an organization has a quality security policy. Which of the following is MOST important to determine next? The policy must be:

A.

well understood by all employees.

B.

based on industry standards.

C.

developed by process owners.

D.

updated frequently.

Full Access
Question # 154

The waterfall life cycle model of software development is BEST suited for which of the following situations?

A.

The protect requirements are wall understood.

B.

The project is subject to time pressures.

C.

The project intends to apply an object-oriented design approach.

D.

The project will involve the use of new technology.

Full Access
Question # 155

After the merger of two organizations, which of the following is the MOST important task for an IS auditor to perform?

A.

Verifying that access privileges have been reviewed

B.

investigating access rights for expiration dates

C.

Updating the continuity plan for critical resources

D.

Updating the security policy

Full Access
Question # 156

During an IT governance audit, an IS auditor notes that IT policies and procedures are not regularly reviewed and updated. The GREATEST concern to the IS auditor is that policies and procedures might not:

A.

reflect current practices.

B.

include new systems and corresponding process changes.

C.

incorporate changes to relevant laws.

D.

be subject to adequate quality assurance (QA).

Full Access
Question # 157

Which of the following will MOST likely compromise the control provided By a digital signature created using RSA encryption?

A.

Reversing the hash function using the digest

B.

Altering the plaintext message

C.

Deciphering the receiver's public key

D.

Obtaining the sender's private key

Full Access
Question # 158

An IS auditor is examining a front-end subledger and a main ledger. Which of the following would be the GREATEST concern if there are flaws in the mapping of accounts between the two systems?

A.

Double-posting of a single journal entry

B.

Inability to support new business transactions

C.

Unauthorized alteration of account attributes

D.

Inaccuracy of financial reporting

Full Access
Question # 159

When evaluating the design of controls related to network monitoring, which of the following is MOST important for an IS auditor to review?

A.

Incident monitoring togs

B.

The ISP service level agreement

C.

Reports of network traffic analysis

D.

Network topology diagrams

Full Access
Question # 160

Which of the following is MOST important to ensure when planning a black box penetration test?

A.

The management of the client organization is aware of the testing.

B.

The test results will be documented and communicated to management.

C.

The environment and penetration test scope have been determined.

D.

Diagrams of the organization's network architecture are available.

Full Access
Question # 161

A new regulation requires organizations to report significant security incidents to the regulator within 24 hours of identification. Which of the following is the IS auditor's BEST recommendation to facilitate compliance with the regulation?

A.

Include the requirement in the incident management response plan.

B.

Establish key performance indicators (KPIs) for timely identification of security incidents.

C.

Enhance the alert functionality of the intrusion detection system (IDS).

D.

Engage an external security incident response expert for incident handling.

Full Access
Question # 162

An IS auditor notes that several employees are spending an excessive amount of time using social media sites for personal reasons. Which of the following should the auditor recommend be performed FIRST?

A.

Implement a process to actively monitor postings on social networking sites.

B.

Adjust budget for network usage to include social media usage.

C.

Use data loss prevention (DLP) tools on endpoints.

D.

implement policies addressing acceptable usage of social media during working hours.

Full Access
Question # 163

An organization's security policy mandates that all new employees must receive appropriate security awareness training. Which of the following metrics would BEST assure compliance with this policy?

A.

Percentage of new hires that have completed the training.

B.

Number of new hires who have violated enterprise security policies.

C.

Number of reported incidents by new hires.

D.

Percentage of new hires who report incidents

Full Access
Question # 164

Cross-site scripting (XSS) attacks are BEST prevented through:

A.

application firewall policy settings.

B.

a three-tier web architecture.

C.

secure coding practices.

D.

use of common industry frameworks.

Full Access
Question # 165

What is the BEST control to address SQL injection vulnerabilities?

A.

Unicode translation

B.

Secure Sockets Layer (SSL) encryption

C.

Input validation

D.

Digital signatures

Full Access
Question # 166

An IS auditor finds that a key Internet-facing system is vulnerable to attack and that patches are not available. What should the auditor recommend be done FIRST?

A.

Implement a new system that can be patched.

B.

Implement additional firewalls to protect the system.

C.

Decommission the server.

D.

Evaluate the associated risk.

Full Access
Question # 167

The PRIMARY benefit lo using a dry-pipe fire-suppression system rather than a wet-pipe system is that a dry-pipe system:

A.

is more effective at suppressing flames.

B.

allows more time to abort release of the suppressant.

C.

has a decreased risk of leakage.

D.

disperses dry chemical suppressants exclusively.

Full Access
Question # 168

Management is concerned about sensitive information being intentionally or unintentionally emailed as attachments outside the organization by employees. What is the MOST important task before implementing any associated email controls?

A.

Require all employees to sign nondisclosure agreements (NDAs).

B.

Develop an acceptable use policy for end-user computing (EUC).

C.

Develop an information classification scheme.

D.

Provide notification to employees about possible email monitoring.

Full Access
Question # 169

Which of the following should be an IS auditor's PRIMARY focus when developing a risk-based IS audit program?

A.

Portfolio management

B.

Business plans

C.

Business processes

D.

IT strategic plans

Full Access
Question # 170

Which of the following is the BEST justification for deferring remediation testing until the next audit?

A.

The auditor who conducted the audit and agreed with the timeline has left the organization.

B.

Management's planned actions are sufficient given the relative importance of the observations.

C.

Auditee management has accepted all observations reported by the auditor.

D.

The audit environment has changed significantly.

Full Access
Question # 171

Which of the following would BEST demonstrate that an effective disaster recovery plan (DRP) is in place?

A.

Frequent testing of backups

B.

Annual walk-through testing

C.

Periodic risk assessment

D.

Full operational test

Full Access
Question # 172

The decision to accept an IT control risk related to data quality should be the responsibility of the:

A.

information security team.

B.

IS audit manager.

C.

chief information officer (CIO).

D.

business owner.

Full Access
Question # 173

During an external review, an IS auditor observes an inconsistent approach in classifying system criticality within the organization. Which of the following should be recommended as the PRIMARY factor to determine system criticality?

A.

Key performance indicators (KPIs)

B.

Maximum allowable downtime (MAD)

C.

Recovery point objective (RPO)

D.

Mean time to restore (MTTR)

Full Access
Question # 174

Which of the following access rights presents the GREATEST risk when granted to a new member of the system development staff?

A.

Write access to production program libraries

B.

Write access to development data libraries

C.

Execute access to production program libraries

D.

Execute access to development program libraries

Full Access
Question # 175

An IS auditor has been asked to assess the security of a recently migrated database system that contains personal and financial data for a bank's customers. Which of the following controls is MOST important for the auditor to confirm is in place?

A.

The default configurations have been changed.

B.

All tables in the database are normalized.

C.

The service port used by the database server has been changed.

D.

The default administration account is used after changing the account password.

Full Access
Question # 176

During a disaster recovery audit, an IS auditor finds that a business impact analysis (BIA) has not been performed. The auditor should FIRST

A.

perform a business impact analysis (BIA).

B.

issue an intermediate report to management.

C.

evaluate the impact on current disaster recovery capability.

D.

conduct additional compliance testing.

Full Access
Question # 177

The implementation of an IT governance framework requires that the board of directors of an organization:

A.

Address technical IT issues.

B.

Be informed of all IT initiatives.

C.

Have an IT strategy committee.

D.

Approve the IT strategy.

Full Access
Question # 178

Which of the following is MOST important with regard to an application development acceptance test?

A.

The programming team is involved in the testing process.

B.

All data files are tested for valid information before conversion.

C.

User management approves the test design before the test is started.

D.

The quality assurance (QA) team is in charge of the testing process.

Full Access
Question # 179

An IS auditor discovers an option in a database that allows the administrator to directly modify any table. This option is necessary to overcome bugs in the software, but is rarely used. Changes to tables are automatically logged. The IS auditor's FIRST action should be to:

A.

recommend that the option to directly modify the database be removed immediately.

B.

recommend that the system require two persons to be involved in modifying the database.

C.

determine whether the log of changes to the tables is backed up.

D.

determine whether the audit trail is secured and reviewed.

Full Access
Question # 180

While executing follow-up activities, an IS auditor is concerned that management has implemented corrective actions that are different from those originally discussed and agreed with the audit function. In order to resolve the situation, the IS auditor's BEST course of action would be to:

A.

re-prioritize the original issue as high risk and escalate to senior management.

B.

schedule a follow-up audit in the next audit cycle.

C.

postpone follow-up activities and escalate the alternative controls to senior audit management.

D.

determine whether the alternative controls sufficiently mitigate the risk.

Full Access
Question # 181

Which of the following demonstrates the use of data analytics for a loan origination process?

A.

Evaluating whether loan records are included in the batch file and are validated by the servicing system

B.

Comparing a population of loans input in the origination system to loans booked on the servicing system

C.

Validating whether reconciliations between the two systems are performed and discrepancies are investigated

D.

Reviewing error handling controls to notify appropriate personnel in the event of a transmission failure

Full Access
Question # 182

During the evaluation of controls over a major application development project, the MOST effective use of an IS auditor's time would be to review and evaluate:

A.

application test cases.

B.

acceptance testing.

C.

cost-benefit analysis.

D.

project plans.

Full Access
Question # 183

Which of the following is the BEST data integrity check?

A.

Counting the transactions processed per day

B.

Performing a sequence check

C.

Tracing data back to the point of origin

D.

Preparing and running test data

Full Access
Question # 184

Which of the following strategies BEST optimizes data storage without compromising data retention practices?

A.

Limiting the size of file attachments being sent via email

B.

Automatically deleting emails older than one year

C.

Moving emails to a virtual email vault after 30 days

D.

Allowing employees to store large emails on flash drives

Full Access
Question # 185

In a 24/7 processing environment, a database contains several privileged application accounts with passwords set to never expire. Which of the following recommendations would BEST address the risk with minimal disruption to the business?

A.

Modify applications to no longer require direct access to the database.

B.

Introduce database access monitoring into the environment

C.

Modify the access management policy to make allowances for application accounts.

D.

Schedule downtime to implement password changes.

Full Access
Question # 186

To confirm integrity for a hashed message, the receiver should use:

A.

the same hashing algorithm as the sender's to create a binary image of the file.

B.

a different hashing algorithm from the sender's to create a binary image of the file.

C.

the same hashing algorithm as the sender's to create a numerical representation of the file.

D.

a different hashing algorithm from the sender's to create a numerical representation of the file.

Full Access
Question # 187

Secure code reviews as part of a continuous deployment program are which type of control?

A.

Detective

B.

Logical

C.

Preventive

D.

Corrective

Full Access
Question # 188

A system administrator recently informed the IS auditor about the occurrence of several unsuccessful intrusion attempts from outside the organization. Which of the following is MOST effective in detecting such an intrusion?

A.

Periodically reviewing log files

B.

Configuring the router as a firewall

C.

Using smart cards with one-time passwords

D.

Installing biometrics-based authentication

Full Access
Question # 189

An IS auditor will be testing accounts payable controls by performing data analytics on the entire population of transactions. Which of the following is MOST important for the auditor to confirm when sourcing the population data?

A.

The data is taken directly from the system.

B.

There is no privacy information in the data.

C.

The data can be obtained in a timely manner.

D.

The data analysis tools have been recently updated.

Full Access
Question # 190

When implementing Internet Protocol security (IPsec) architecture, the servers involved in application delivery:

A.

communicate via Transport Layer Security (TLS),

B.

block authorized users from unauthorized activities.

C.

channel access only through the public-facing firewall.

D.

channel access through authentication.

Full Access
Question # 191

Which of the following is MOST important to include in forensic data collection and preservation procedures?

A.

Assuring the physical security of devices

B.

Preserving data integrity

C.

Maintaining chain of custody

D.

Determining tools to be used

Full Access
Question # 192

Which of the following is the BEST way to address segregation of duties issues in an organization with budget constraints?

A.

Rotate job duties periodically.

B.

Perform an independent audit.

C.

Hire temporary staff.

D.

Implement compensating controls.

Full Access
Question # 193

Which of the following should be the PRIMARY basis for prioritizing follow-up audits?

A.

Audit cycle defined in the audit plan

B.

Complexity of management's action plans

C.

Recommendation from executive management

D.

Residual risk from the findings of previous audits

Full Access
Question # 194

An IS auditor has found that an organization is unable to add new servers on demand in a cost-efficient manner. Which of the following is the auditor's BEST recommendation?

A.

Increase the capacity of existing systems.

B.

Upgrade hardware to newer technology.

C.

Hire temporary contract workers for the IT function.

D.

Build a virtual environment.

Full Access
Question # 195

Which of the following is MOST important for an effective control self-assessment (CSA) program?

A.

Determining the scope of the assessment

B.

Performing detailed test procedures

C.

Evaluating changes to the risk environment

D.

Understanding the business process

Full Access
Question # 196

An organization's software developers need access to personally identifiable information (Pll) stored in a particular data format. Which of the following is the BEST way to protect this sensitive information while allowing the developers to use it in development and test environments?

A.

Data masking

B.

Data tokenization

C.

Data encryption

D.

Data abstraction

Full Access
Question # 197

An IS auditor is following up on prior period items and finds management did not address an audit finding. Which of the following should be the IS auditor's NEXT course of action?

A.

Note the exception in a new report as the item was not addressed by management.

B.

Recommend alternative solutions to address the repeat finding.

C.

Conduct a risk assessment of the repeat finding.

D.

Interview management to determine why the finding was not addressed.

Full Access
Question # 198

An online retailer is receiving customer complaints about receiving different items from what they ordered on the organization's website. The root cause has been traced to poor data quality. Despite efforts to clean erroneous data from the system, multiple data quality issues continue to occur. Which of the following recommendations would be the BEST way to reduce the likelihood of future occurrences?

A.

Assign responsibility for improving data quality.

B.

Invest in additional employee training for data entry.

C.

Outsource data cleansing activities to reliable third parties.

D.

Implement business rules to validate employee data entry.

Full Access
Question # 199

Which of the following should an IS auditor be MOST concerned with during a post-implementation review?

A.

The system does not have a maintenance plan.

B.

The system contains several minor defects.

C.

The system deployment was delayed by three weeks.

D.

The system was over budget by 15%.

Full Access
Question # 200

An organization plans to receive an automated data feed into its enterprise data warehouse from a third-party service provider. Which of the following would be the BEST way to prevent accepting bad data?

A.

Obtain error codes indicating failed data feeds.

B.

Appoint data quality champions across the organization.

C.

Purchase data cleansing tools from a reputable vendor.

D.

Implement business rules to reject invalid data.

Full Access
Question # 201

Due to limited storage capacity, an organization has decided to reduce the actual retention period for media containing completed low-value transactions. Which of the following is MOST important for the organization to ensure?

A.

The policy includes a strong risk-based approach.

B.

The retention period allows for review during the year-end audit.

C.

The total transaction amount has no impact on financial reporting.

D.

The retention period complies with data owner responsibilities.

Full Access
Question # 202

Which of the following attack techniques will succeed because of an inherent security weakness in an Internet firewall?

A.

Phishing

B.

Using a dictionary attack of encrypted passwords

C.

Intercepting packets and viewing passwords

D.

Flooding the site with an excessive number of packets

Full Access
Question # 203

Which of the following is the BEST method to safeguard data on an organization's laptop computers?

A.

Disabled USB ports

B.

Full disk encryption

C.

Biometric access control

D.

Two-factor authentication

Full Access
Question # 204

Which of the following is MOST important for an IS auditor to review when evaluating the accuracy of a spreadsheet that contains several macros?

A.

Encryption of the spreadsheet

B.

Version history

C.

Formulas within macros

D.

Reconciliation of key calculations

Full Access
Question # 205

An IS auditor is reviewing an organization's information asset management process. Which of the following would be of GREATEST concern to the auditor?

A.

The process does not require specifying the physical locations of assets.

B.

Process ownership has not been established.

C.

The process does not include asset review.

D.

Identification of asset value is not included in the process.

Full Access
Question # 206

Which of the following would BEST facilitate the successful implementation of an IT-related framework?

A.

Aligning the framework to industry best practices

B.

Establishing committees to support and oversee framework activities

C.

Involving appropriate business representation within the framework

D.

Documenting IT-related policies and procedures

Full Access
Question # 207

Which of the following should be done FIRST when planning a penetration test?

A.

Execute nondisclosure agreements (NDAs).

B.

Determine reporting requirements for vulnerabilities.

C.

Define the testing scope.

D.

Obtain management consent for the testing.

Full Access
Question # 208

During a follow-up audit, an IS auditor learns that some key management personnel have been replaced since the original audit, and current management has decided not to implement some previously accepted recommendations. What is the auditor's BEST course of action?

A.

Notify the chair of the audit committee.

B.

Notify the audit manager.

C.

Retest the control.

D.

Close the audit finding.

Full Access
Question # 209

During the discussion of a draft audit report. IT management provided suitable evidence fiat a process has been implemented for a control that had been concluded by the IS auditor as Ineffective. Which of the following is the auditor's BEST action?

A.

Explain to IT management that the new control will be evaluated during follow-up

B.

Re-perform the audit before changing the conclusion.

C.

Change the conclusion based on evidence provided by IT management.

D.

Add comments about the action taken by IT management in the report.

Full Access
Question # 210

Which of the following is the MOST important reason to implement version control for an end-user computing (EUC) application?

A.

To ensure that older versions are availability for reference

B.

To ensure that only the latest approved version of the application is used

C.

To ensure compatibility different versions of the application

D.

To ensure that only authorized users can access the application

Full Access
Question # 211

A system development project is experiencing delays due to ongoing staff shortages. Which of the following strategies would provide the GREATEST assurance of system quality at implementation?

A.

Implement overtime pay and bonuses for all development staff.

B.

Utilize new system development tools to improve productivity.

C.

Recruit IS staff to expedite system development.

D.

Deliver only the core functionality on the initial target date.

Full Access
Question # 212

Which of the following is the MOST effective way for an organization to project against data loss?

A.

Limit employee internet access.

B.

Implement data classification procedures.

C.

Review firewall logs for anomalies.

D.

Conduct periodic security awareness training.

Full Access
Question # 213

Which of the following is an audit reviewer's PRIMARY role with regard to evidence?

A.

Ensuring unauthorized individuals do not tamper with evidence after it has been captured

B.

Ensuring evidence is sufficient to support audit conclusions

C.

Ensuring appropriate statistical sampling methods were used

D.

Ensuring evidence is labeled to show it was obtained from an approved source

Full Access
Question # 214

Which of the following is the MOST effective way to maintain network integrity when using mobile devices?

A.

Implement network access control.

B.

Implement outbound firewall rules.

C.

Perform network reviews.

D.

Review access control lists.

Full Access
Question # 215

From an IS auditor's perspective, which of the following would be the GREATEST risk associated with an incomplete inventory of deployed software in an organization?

A.

Inability to close unused ports on critical servers

B.

Inability to identify unused licenses within the organization

C.

Inability to deploy updated security patches

D.

Inability to determine the cost of deployed software

Full Access
Question # 216

What is MOST important to verify during an external assessment of network vulnerability?

A.

Update of security information event management (SIEM) rules

B.

Regular review of the network security policy

C.

Completeness of network asset inventory

D.

Location of intrusion detection systems (IDS)

Full Access
Question # 217

An IS auditor discovers that validation controls m a web application have been moved from the server side into the browser to boost performance This would MOST likely increase the risk of a successful attack by.

A.

phishing.

B.

denial of service (DoS)

C.

structured query language (SQL) injection

D.

buffer overflow

Full Access
Question # 218

When reviewing an IT strategic plan, the GREATEST concern would be that

A.

an IT strategy committee has not been created

B.

the plan does not support relevant organizational goals.

C.

there are no key performance indicators (KPls).

D.

the plan was not formally approved by the board of directors

Full Access
Question # 219

An IS auditor should look for which of the following to ensure the risk associated with scope creep has been mitigated during software development?

A.

Source code version control

B.

Project change management controls

C.

Existence of an architecture review board

D.

Configuration management

Full Access
Question # 220

The BEST way to provide assurance that a project is adhering to the project plan is to:

A.

require design reviews at appropriate points in the life cycle.

B.

have an IS auditor participate on the steering committee.

C.

have an IS auditor participate on the quality assurance (QA) team.

D.

conduct compliance audits at major system milestones.

Full Access
Question # 221

Which of the following BEST enables a benefits realization process for a system development project?

A.

Metrics for the project have been selected before the project begins.

B.

Project budget includes costs to execute the project and costs associated with the solution.

C.

Estimates of business benefits are backed by similar previously completed projects.

D.

Metrics are evaluated immediately after the project has been implemented.

Full Access
Question # 222

Which of the following is the MOST effective control over visitor access to highly secured areas?

A.

Visitors are required to be escorted by authorized personnel.

B.

Visitors are required to use biometric authentication.

C.

Visitors are monitored online by security cameras

D.

Visitors are required to enter through dead-man doors.

Full Access
Question # 223

Which of the following would provide management with the MOST reasonable assurance that a new data warehouse will meet the needs of the

organization?

A.

Integrating data requirements into the system development life cycle (SDLC)

B.

Appointing data stewards to provide effective data governance

C.

Classifying data quality issues by the severity of their impact to the organization

D.

Facilitating effective communication between management and developers

Full Access
Question # 224

Which of the following should be identified FIRST during the risk assessment process?

A.

Vulnerability to threats

B.

Existing controls

C.

Information assets

D.

Legal requirements

Full Access
Question # 225

Which of the following is the MOST important prerequisite for implementing a data loss prevention (DLP) tool?

A.

Requiring users to save files in secured folders instead of a company-wide shared drive

B.

Reviewing data transfer logs to determine historical patterns of data flow

C.

Developing a DLP policy and requiring signed acknowledgment by users

D.

Identifying where existing data resides and establishing a data classification matrix

Full Access
Question # 226

A small IT department has embraced DevOps, which allows members of this group to deploy code to production and maintain some development access to automate releases. Which of the following is the MOST effective control?

A.

Enforce approval prior to deployment by a member of the team who has not taken part in the development.

B.

The DevOps team provides an annual policy acknowledgment that they did not develop and deploy the same code.

C.

Annual training reinforces the need to maintain segregation between developers and deployers of code

D.

The IT compliance manager performs weekly reviews to ensure the same person did not develop and deploy code.

Full Access
Question # 227

Which of the following BEST describes the role of a document owner when implementing a data classification policy in an organization?

A.

Classifies documents to correctly reflect the level of sensitivity of information they contain

B.

Defines the conditions under which documents containing sensitive information may be transmitted

C.

Classifies documents in accordance with industry standards and best practices

D.

Ensures documents are handled in accordance With the sensitivity of information they contain

Full Access
Question # 228

Which of the following should be given GREATEST consideration when implementing the use of an open-source product?

A.

Support

B.

Performance

C.

Confidentiality

D.

Usability

Full Access
Question # 229

Which of the following is the PRIMARY objective of implementing privacy-related controls within an organization?

A.

To prevent confidential data loss

B.

To comply with legal and regulatory requirements

C.

To identify data at rest and data in transit for encryption

D.

To provide options to individuals regarding use of their data

Full Access
Question # 230

An IS auditor has learned that access privileges are not periodically reviewed or updated. Which of the following would provide the BEST evidence to determine whether transactions have been executed by authorized employees?

A.

Audit trails

B.

Control totals

C.

Reconciliations

D.

Change logs

Full Access
Question # 231

Which of the following is a PRIMARY responsibility of a quality assurance (QA) team?

A.

Creating test data to facilitate the user acceptance testing (IJAT) process

B.

Managing employee onboarding processes and background checks

C.

Advising the steering committee on quality management issues and remediation efforts

D.

Implementing procedures to facilitate adoption of quality management best practices

Full Access
Question # 232

Which of the following areas of responsibility would cause the GREATEST segregation of duties conflict if the individual who performs the related tasks also has approval authority?

A.

Purchase requisitions and purchase orders

B.

Invoices and reconciliations

C.

Vendor selection and statements of work

D.

Good receipts and payments

Full Access
Question # 233

In which of the following sampling methods is the entire sample considered to be irregular if a single error is found?

A.

Discovery sampling

B.

Variable sampling

C.

Stop-or-go sampling

D.

Judgmental sampling

Full Access
Question # 234

Which of the following is BEST used for detailed testing of a business application's data and configuration files?

A.

Version control software

B.

Audit hooks

C.

Utility software

D.

Audit analytics tool

Full Access
Question # 235

Which of the following should be the GREATEST concern to an IS auditor reviewing an organization's method to transport sensitive data between offices?

A.

The method relies exclusively on the use of public key infrastructure (PKI).

B.

The method relies exclusively on the use of digital signatures.

C.

The method relies exclusively on the use of asymmetric encryption algorithms.

D.

The method relies exclusively on the use of 128-bit encryption.

Full Access
Question # 236

Which of the following is the MOST effective accuracy control for entry of a valid numeric part number?

A.

Hash totals

B.

Online review of description

C.

Comparison to historical order pattern

D.

Self-checking digit

Full Access
Question # 237

During the walk-through procedures for an upcoming audit, an IS auditor notes that the key application in scope is part of a Software as a Service (SaaS)

agreement. What should the auditor do NEXT?

A.

Verify whether IT management monitors the effectiveness of the environment.

B.

Verify whether a right-to-audit clause exists.

C.

Verify whether a third-party security attestation exists.

D.

Verify whether service level agreements (SLAs) are defined and monitored.

Full Access
Question # 238

If a source code is not recompiled when program changes are implemented, which of the following is a compensating control to ensure synchronization of source and object?

A.

Comparison of object and executable code

B.

Review of audit trail of compile dates

C.

Comparison of date stamping of source and object code

D.

Review of developer comments in executable code

Full Access
Question # 239

When a data center is attempting to restore computing facilities at an alternative site following a disaster, which of the following should be restored FIRST?

A.

Data backups

B.

Decision support system

C.

Operating system

D.

Applications

Full Access
Question # 240

During a pre-deployment assessment, what is the BEST indication that a business case will lead to the achievement of business objectives?

A.

The business case reflects stakeholder requirements.

B.

The business case is based on a proven methodology.

C.

The business case passed a quality review by an independent party.

D.

The business case identifies specific plans for cost allocation.

Full Access
Question # 241

Which of the following BEST supports the effectiveness of a compliance program?

A.

Implementing an awareness plan regarding compliance regulation requirements

B.

Implementing a governance, risk, and compliance (GRC) tool to track compliance to regulations

C.

Assessing and tracking all compliance audit findings

D.

Monitoring which compliance regulations apply to the organization

Full Access
Question # 242

Which of the following would BEST guide an IS auditor when determining an appropriate time to schedule the follow-up of agreed corrective actions for reported audit issues?

A.

Progress updates indicate that the implementation of agreed actions is on track.

B.

Sufficient time has elapsed since implementation to provide evidence of control operation.

C.

Business management has completed the implementation of agreed actions on schedule.

D.

Regulators have announced a timeline for an inspection visit.

Full Access
Question # 243

A secure server room has a badge reader system that records name, date, and time information whenever a staff member uses a badge to enter or exit. When reviewing the system logs, an IS auditor notices records for some employees entering, but not exiting, the room. Which of the following would be the MOST effective compensating control to recommend?

A.

Installing security cameras at the doors

B.

Changing to a biometric access control system

C.

Implementing a monitored mantrap at entrance and exit points

D.

Requiring two-factor authentication at entrance and exit points

Full Access
Question # 244

Which of the following is the PRIMARY reason an IS auditor should discuss observations with management before delivering a final report?

A.

Validate the audit observations_

B.

Identify business risks associated with the observations.

C.

Assist the management with control enhancements.

D.

Record the proposed course of corrective action.

Full Access
Question # 245

During a project audit, an IS auditor notes that project reporting does not accurately reflect current progress. Which of the following is the GREATEST resulting impact?

A.

The project manager will have to be replaced.

B.

The project reporting to the board of directors will be incomplete.

C.

The project steering committee cannot provide effective governance.

D.

The project will not withstand a quality assurance (QA) review.

Full Access
Question # 246

Which of the following is MOST useful when planning to audit an organization's compliance with cybersecurity regulations in foreign countries?

A.

Prioritize the audit to focus on the country presenting the greatest amount of operational risk.

B.

Follow the cybersecurity regulations of the country with the most stringent requirements.

C.

Develop a template that standardizes the reporting of findings from each country's audit team

D.

Map the different regulatory requirements to the organization's IT governance framework

Full Access
Question # 247

Which of the following should be the FIRST step when developing a data loss prevention (DLP) solution for a large organization?

A.

Conduct a data inventory and classification exercise.

B.

Identify approved data workflows across the enterprise_

C.

Conduct a threat analysis against sensitive data usage.

D.

Create the DLP policies and templates

Full Access
Question # 248

Which of the following is MOST critical to the success of an information security program?

A.

Alignment of information security with IT objectives

B.

Management’s commitment to information security

C.

Integration of business and information security

D.

User accountability for information security

Full Access
Question # 249

Which of the following is the MOST important control for virtualized environments?

A.

Regular updates of policies for the operation of the virtualized environment

B.

Hardening for the hypervisor and guest machines

C.

Redundancy of hardware resources and network components

D.

Monitoring utilization of resources at the guest operating system level

Full Access
Question # 250

Which of the following would be the GREATEST concern to an IS auditor when reviewing the outsourcing contract for an organization's cloud service provider?

A.

There is no change management process defined in the contract.

B.

There are no procedures for incident escalation.

C.

There is no dispute resolution process defined in the contract.

D.

There is no right-to-audit clause defined in the contract.

Full Access
Question # 251

Which of the following should an IS auditor use when verifying a three-way match has occurred in an enterprise resource planning (ERR) system?

A.

Bank confirmation

B.

Goods delivery notification

C.

Purchase requisition

D.

Purchase order

Full Access
Question # 252

Which of the following is the MOST important consideration when establishing vulnerability scanning on critical IT infrastructure?

A.

The scanning will be performed during non-peak hours.

B.

The scanning will be followed by penetration testing.

C.

The scanning will be cost-effective.

D.

The scanning will not degrade system performance.

Full Access
Question # 253

The use of control totals reduces the risk of:

A.

posting to the wrong record.

B.

incomplete processing.

C.

improper backup.

D.

improper authorization.

Full Access
Question # 254

When physical destruction IS not practical, which of the following is the MOST effective means of disposing of sensitive data on a hard disk?

A.

Overwriting multiple times

B.

Encrypting the disk

C.

Reformatting

D.

Deleting files sequentially

Full Access
Question # 255

Which of the following BEST contributes to the quality of an audit of a business-critical application?

A.

Assigning the audit to independent external auditors

B.

Reviewing previous findings reported by the application owner

C.

Identifying common coding errors made by the development team

D.

Involving the application owner early in the audit planning process

Full Access
Question # 256

An IS auditor is reviewing an organization's business intelligence infrastructure. The BEST recommendation to help the organization achieve a reasonable level of data quality would be to:

A.

review data against data classification standards.

B.

outsource data cleansing to skilled service providers.

C.

consolidate data stored across separate databases into a warehouse.

D.

analyze the data against predefined specifications.

Full Access
Question # 257

When developing customer-facing IT applications, in which stage of the system development life cycle (SDLC) is it MOST beneficial to consider data privacy principles?

A.

Systems design and architecture

B.

Software selection and acquisition

C.

User acceptance testing (UAT)

D.

Requirements definition

Full Access
Question # 258

Which of the following is MOST likely to be a project deliverable of an agile software development methodology?

A.

Strictly managed software requirements baselines

B.

Extensive project documentation

C.

Automated software programming routines

D.

Rapidly created working prototypes

Full Access
Question # 259

Which of the following is the MOST important responsibility of data owners when implementing a data classification process?

A.

Reviewing emergency changes to data

B.

Authorizing application code changes

C.

Determining appropriate user access levels

D.

Implementing access rules over database tables

Full Access
Question # 260

Which of the following observations should be of GREATEST concern to an IS auditor performing an audit of change and release management controls for a new complex system developed by a small in-house IT team?

A.

Access to change testing strategy and results is not restricted to staff outside the IT team.

B.

Some user acceptance testing (IJAT) was completed by members of the IT team.

C.

IT administrators have access to the production and development environment

D.

Post-implementation testing is not conducted for all system releases.

Full Access
Question # 261

Which of the following would present the GREATEST concern during a review of internal audit quality assurance (QA) and continuous improvement processes?

A.

The audit program does not involve periodic engagement with external assessors.

B.

Quarterly reports are not distributed to the audit committee.

C.

Results of corrective actions are not tracked consistently.

D.

Substantive testing is not performed during the assessment phase of some audits.

Full Access
Question # 262

During the review of a system disruption incident, an IS auditor notes that IT support staff were put in a position to make decisions beyond their level of authority.

Which of the following is the BEST recommendation to help prevent this situation in the future?

A.

Introduce escalation protocols.

B.

Develop a competency matrix.

C.

Implement fallback options.

D.

Enable an emergency access ID.

Full Access
Question # 263

A bank wants to outsource a system to a cloud provider residing in another country. Which of the following would be the MOST appropriate IS audit recommendation?

A.

Find an alternative provider in the bank's home country.

B.

Ensure the provider's internal control system meets bank requirements.

C.

Proceed as intended, as the provider has to observe all laws of the clients’ countries.

D.

Ensure the provider has disaster recovery capability.

Full Access
Question # 264

An IS audit manager was temporarily tasked with supervising a project manager assigned to the organization's payroll application upgrade. Upon returning to the audit department, the audit manager has been asked to perform an audit to validate the implementation of the payroll application. The audit manager is the only one in the audit department with IT project management

experience. What is the BEST course of action?

A.

Transfer the assignment to a different audit manager despite lack of IT project management experience.

B.

Outsource the audit to independent and qualified resources.

C.

Manage the audit since there is no one else with the appropriate experience.

D.

Have a senior IS auditor manage the project with the IS audit manager performing final review.

Full Access
Question # 265

An audit has identified that business units have purchased cloud-based applications without IPs support. What is the GREATEST risk associated with this situation?

A.

The applications are not included in business continuity plans (BCFs)

B.

The applications may not reasonably protect data.

C.

The application purchases did not follow procurement policy.

D.

The applications could be modified without advanced notice.

Full Access
Question # 266

An IS auditor is assigned to perform a post-implementation review of an application system. Which of the following would impair the auditor's independence?

A.

The auditor implemented a specific control during the development of the system.

B.

The auditor provided advice concerning best practices.

C.

The auditor participated as a member of the project team without operational responsibilities

D.

The auditor designed an embedded audit module exclusively for audit

Full Access
Question # 267

Which of the following is the MOST important advantage of participating in beta testing of software products?

A.

It increases an organization's ability to retain staff who prefer to work with new technology.

B.

It improves vendor support and training.

C.

It enhances security and confidentiality.

D.

It enables an organization to gain familiarity with new products and their functionality.

Full Access
Question # 268

An IS auditor has been asked to advise on measures to improve IT governance within the organization. Which of the following IS the BEST recommendation?

A.

Benchmark organizational performance against industry peers

B.

Implement key performance indicators (KPIs).

C.

Require executive management to draft IT strategy

D.

Implement annual third-party audits.

Full Access
Question # 269

Which of the following is MOST helpful for an IS auditor to review when evaluating an organizations business process that are supported by applications and IT systems?

A.

Configuration management database (CMDB)

B.

Enterprise architecture (EA)

C.

IT portfolio management

D.

IT service management

Full Access
Question # 270

An IS auditor discovers that validation controls in a web application have been moved from the server side into the browser to boost performance. This would MOST likely increase the risk of a successful attack by:

A.

structured query language (SQL) injection

B.

buffer overflow.

C.

denial of service (DoS).

D.

phishing.

Full Access
Question # 271

Audit observations should be FIRST communicated with the auditee:

A.

when drafting the report.

B.

during fieldwork.

C.

at the end of fieldwork.

D.

within the audit report

Full Access
Question # 272

An organization's security team created a simulated production environment with multiple vulnerable applications. What would be the PRIMARY purpose of creating such an environment?

A.

To collect digital evidence of cyberattacks

B.

To attract attackers in order to study their behavior

C.

To provide training to security managers

D.

To test the intrusion detection system (IDS)

Full Access
Question # 273

Which of the following is the MAIN responsibility of the IT steering committee?

A.

Reviewing and assisting with IT strategy integration efforts

B.

Developing and assessing the IT security strategy

C.

Implementing processes to integrate security with business objectives

D.

Developing and implementing the secure system development framework

Full Access
Question # 274

An organization that operates an e-commerce website wants to provide continuous service to its customers and is planning to invest in a hot site due to service criticality. Which of the following is the MOST important consideration when making this decision?

A.

Maximum tolerable downtime (MTD)

B.

Recovery time objective (RTO)

C.

Recovery point objective (RPO)

D.

Mean time to repair (MTTR)

Full Access
Question # 275

Stress testing should ideally be carried out under a:

A.

test environment with production workloads.

B.

test environment with test data.

C.

production environment with production workloads.

D.

production environment with test data.

Full Access
Question # 276

An organization's senior management thinks current security controls may be excessive and requests an IS auditor's advice on how to assess the adequacy of current measures. What is the auditor's BEST recommendation to management?

A.

Perform correlation analysis between incidents and investments.

B.

Downgrade security controls on low-risk systems.

C.

Introduce automated security monitoring tools.

D.

Re-evaluate the organization's risk and control framework.

Full Access
Question # 277

Which of the following is the BEST method to maintain an audit trail of changes made to the source code of a program?

A.

Embed details within source code.

B.

Standardize file naming conventions.

C.

Utilize automated version control.

D.

Document details on a change register.

Full Access
Question # 278

An organization is ready to implement a new IT solution consisting of multiple modules. The last module updates the processed data into the database. Which of the following findings should be of MOST concern to the IS auditor?

A.

Absence of a formal change approval process

B.

Lack of input validation

C.

Use of weak encryption

D.

Lack of a data dictionary

Full Access
Question # 279

A national tax administration agency with a distributed network experiences service disruptions due to a large influx of traffic to a regional office near the end of each year. Which of the following would BEST enable the agency to improve the performance of its servers during the busy period?

A.

Virtual firewall

B.

Proxy server

C.

Load balancer

D.

Virtual private network (VPN)

Full Access
Question # 280

A source code repository should be designed to:

A.

prevent changes from being incorporated into existing code.

B.

prevent developers from accessing secure source code.

C.

provide secure versioning and backup capabilities for existing code.

D.

provide automatic incorporation and distribution of modified code.

Full Access
Question # 281

Management has decided to accept a risk in response to a draft audit recommendation. Which of the following should be the IS auditor’s NEXT course of action?

A.

Document management's acceptance in the audit report.

B.

Escalate the acceptance to the board.

C.

Ensure a follow-up audit is on next year's plan.

D.

Escalate acceptance to the audit committee.

Full Access
Question # 282

Which of the following is the MAIN risk associated with adding a new system functionality during the development phase without following a project change management process?

A.

The project may go over budget.

B.

The added functionality has not been documented.

C.

The project may fail to meet the established deadline.

D.

The new functionality may not meet requirements.

Full Access
Question # 283

Which of the following will BEST ensure that archived electronic information of permanent importance remains accessible over time?

A.

Performing preventive maintenance on old hardware

B.

Acquiring applications that emulate old software

C.

Regularly migrating data to current technology

D.

Periodically backing up archived data

Full Access
Question # 284

An IS auditor is reviewing an organization's incident management processes and procedures. Which of the following observations should be the auditor's GREATEST concern?

A.

Ineffective post-incident review

B.

Ineffective incident prioritization

C.

Ineffective incident detection

D.

Ineffective incident classification

Full Access
Question # 285

Which of the following is the MOST important consideration when developing tabletop exercises within a cybersecurity incident response plan?

A.

Ensure participants are selected from all cross-functional units in the organization.

B.

Create exercises that are challenging enough to prove inadequacies in the current incident response plan.

C.

Ensure the incident response team will have enough distractions to simulate real-life situations.

D.

Identify the scope and scenarios that are relevant to current threats faced by the organization.

Full Access
Question # 286

Which of the following is MOST important when defining the IS audit scope?

A.

Minimizing the time and cost to the organization of IS audit procedures

B.

Involving business in the formulation of the scope statement

C.

Aligning the IS audit procedures with IT management priorities

D.

Understanding the relationship between IT and business risks

Full Access
Question # 287

Which of the following would be MOST important to include in an IS audit report?

A.

Observations not reported as findings due to inadequate evidence

B.

The roadmap for addressing the various risk areas

C.

The level of unmitigated risk along with business impact

D.

Specific technology solutions for each audit observation

Full Access
Question # 288

During an audit of payment services of a branch based in a foreign country, a large global bank's audit team identifies an opportunity to use data analytics techniques to identify abnormal payments. Which of the following is the team's MOST important course of action?

A.

Consult the legal department to understand the procedure for requesting data from a different jurisdiction.

B.

Conduct a walk through of the analytical strategy with stakeholders of the audited branch to obtain their buy-in.

C.

Request the data from the branch as the team audit charter covers the country where it is based.

D.

Agree on a data extraction and sharing strategy with the IT team of the audited branch.

Full Access
Question # 289

An organization's information security policies should be developed PRIMARILY on the basis of:

A.

enterprise architecture (EA).

B.

industry best practices.

C.

a risk management process.

D.

past information security incidents.

Full Access
Question # 290

Which of the following BEST indicates to an IS auditor that an organization handles emergency changes appropriately and transparently?

A.

The application operations manual contains procedures to ensure emergency fixes do not compromise system integrity.

B.

Special logon IDs are used to grant programmers permanent access to the production environment.

C.

Change management controls are retroactively applied.

D.

Emergency changes are applied to production libraries immediately.

Full Access
Question # 291

Which of the following is the BEST way to foster continuous improvement of IS audit processes and practices?

A.

Invite external auditors and regulators to perform regular assessments of the IS audit function.

B.

Implement rigorous managerial review and sign-off of IS audit deliverables.

C.

Frequently review IS audit policies, procedures, and instruction manuals.

D.

Establish and embed quality assurance (QA) within the IS audit function.

Full Access
Question # 292

A new regulation has been enacted that mandates specific information security practices for the protection of customer data. Which of the following is MOST useful for an IS auditor to review when auditing against the regulation?

A.

Compliance gap analysis

B.

Customer data protection roles and responsibilities

C.

Customer data flow diagram

D.

Benchmarking studies of adaptation to the new regulation

Full Access
Question # 293

Which of the following is the PRIMARY benefit of benchmarking an organization's software development lifecycle practices against a capability maturity model?

A.

Reliable products are guaranteed.

B.

Repeatable software development procedures are established.

C.

Programmers' efficiency is improved.

D.

Security requirements are added to software development processes.

Full Access
Question # 294

Which of the following BEST addresses the availability of an online store?

A.

RAID level 5 storage devices

B.

A mirrored site at another location

C.

Online backups

D.

Clustered architecture

Full Access
Question # 295

Which of the following is a PRIMARY function of an intrusion detection system (IDS)?

A.

Predicting an attack before it occurs

B.

Alerting when a scheduled backup job fails

C.

Blocking malicious network traffic

D.

Warning when executable programs are modified

Full Access
Question # 296

Which of the following should be of GREATEST concern to an IS auditor assessing the effectiveness of an organization's information security governance?

A.

Risk assessments of information assets are not periodically performed.

B.

All Control Panel Items

C.

The information security policy does not extend to service providers.

D.

There is no process to measure information security performance.

E.

The information security policy is not reviewed by executive management.

Full Access
Question # 297

Which of the following BEST enables an IS auditor to prioritize financial reporting spreadsheets for an end-user computing (EUC) audit?

A.

Understanding the purpose of each spreadsheet

B.

Identifying the spreadsheets with built-in macros

C.

Reviewing spreadsheets based on file size

D.

Ascertaining which spreadsheets are most frequently used

Full Access
Question # 298

When reviewing hard disk utilization reports, an IS auditor observes that utilization is routinely above 95%. Which of the following should be the GREATEST concern to the IS auditor?

A.

Availability

B.

Consistency

C.

Denial of service (DoS) attacks

D.

Data security

Full Access
Question # 299

An IS auditor wants to gain a better understanding of an organization’s selected IT operating system software. Which of the following would be MOST helpful to review?

A.

Service level agreements (SLAs)

B.

Project steering committee charter

C.

IT audit reports

D.

Enterprise architecture (EA)

Full Access
Question # 300

Which of the following is the GREATEST risk of project dashboards being set without sufficiently defined criteria?

A.

Adverse findings from internal and external auditors

B.

Lack of project portfolio status oversight

C.

Lack of alignment of project status reports

D.

Inadequate decision-making and prioritization

Full Access
Question # 301

During an information security review, an IS auditor learns an organizational policy requires all employ-ees to attend information security training during the first week of each new year. What is

the auditor's BEST recommendation to ensure employees hired after January receive adequate guid-ance regarding security awareness?

A.

Ensure new employees read and sign acknowledgment of the acceptable use policy.

B.

Revise the policy to include security training during onboarding.

C.

Revise the policy to require security training every six months for all employees.

D.

Require management of new employees to provide an overview of security awareness.

Full Access
Question # 302

Which of the following is the PRIMARY objective of enterprise architecture (EA)?

A.

Maintaining detailed system documentation

B.

Managing and planning for IT investments

C.

Executing customized development and delivery of projects

D.

Enforcing the IT policy across the organization

Full Access
Question # 303

An IS auditor is reviewing a network diagram. Which of the following would be the BEST location for placement of a firewall?

A.

Between each host and the local network switch/hub

B.

Between virtual local area networks (VLANs)

C.

Inside the demilitarized zone (DMZ)

D.

At borders of network segments with different security levels

Full Access
Question # 304

Which of the following would be MOST useful to an IS auditor when making recommendations to enable continual improvement of IT processes over time?

A.

IT incident log

B.

Benchmarking studies

C.

Maturity model

D.

IT risk register

Full Access
Question # 305

Which of the following is MOST appropriate to review when determining if the work completed on an IT project is in alignment with budgeted costs?

A.

Return on investment (ROI) analysis

B.

Earned value analysis (EVA)

C.

Financial value analysis

D.

Business impact analysis (BIA)

Full Access
Question # 306

Using swipe cards to limit employee access to restricted areas requires implementing which additional control?

A.

Physical sign-in of all employees for access to restricted areas

B.

Implementation of additional PIN pads

C.

Periodic review of access profiles by management

D.

Installation of closed-circuit television (CCTV)

Full Access
Question # 307

The MOST important measure of the effectiveness of an organization's security program is the:

A.

comparison with critical incidents experienced by competitors.

B.

number of vulnerability alerts escalated to senior management.

C.

number of new vulnerabilities reported.

D.

adverse impact of incidents on critical business activities.

Full Access
Question # 308

Which of the following should be used as the PRIMARY basis for prioritizing IT projects and initiatives?

A.

Estimated cost and time

B.

Level of risk reduction

C.

Expected business value

D.

Available resources

Full Access
Question # 309

Which of the following is the GREATEST benefit of adopting an Agile audit methodology?

A.

Better ability to address key risks

B.

Less frequent client interaction

C.

Annual cost savings

D.

Reduced documentation requirements

Full Access
Question # 310

Which of the following poses the GREATEST risk to an organization related to system interfaces?

A.

There is no process documentation for some system interfaces.

B.

Notifications of data transfers through the interfaces are not retained.

C.

Parts of the data transfer process are performed manually.

D.

There is no reliable inventory of system interfaces.

Full Access
Question # 311

Which of the following should be the PRIMARY focus when communicating an IS audit issue to management?

A.

The risk to which the organization is exposed due to the issue

B.

The nature, extent, and timing of subsequent audit follow-up

C.

How the issue was found and who bears responsibility

D.

A detailed solution for resolving the issue

Full Access
Question # 312

An IS auditor is reviewing documentation from a change that was applied to an application. Which of the following findings would be the GREATEST concern?

A.

Testing documentation does not show manager approval.

B.

Testing documentation is dated three weeks before the system implementation date.

C.

Testing documentation is approved prior to completion of user acceptance testing (UAT).

D.

Testing documentation is kept in hard copy format.

Full Access
Question # 313

A steering committee established to oversee an organization's digital transformation program is MOSTlikely to be involved with which of the following activities?

A.

Preparing project status reports

B.

Designing interface controls

C.

Reviewing escalated project issues

D.

Documenting requirements

Full Access
Question # 314

During a review, an IS auditor discovers that corporate users are able to access cloud-based applications and data from any Internet-connected web browser. Which of the following is the

auditor's BEST recommendation to help prevent unauthorized access?

A.

Utilize strong anti-malware controls on all computing devices.

B.

Update security policies and procedures.

C.

Implement an intrusion detection system (IDS).

D.

Implement multi-factor authentication.

Full Access
Question # 315

An organization is implementing a new data loss prevention (DLP) tool. Which of the following will BEST enable the organization to reduce false positive alerts?

A.

Using the default policy and tool rule sets

B.

Configuring a limited set of rules

C.

Deploying the tool in monitor mode

D.

Reducing the number of detection points

Full Access
Question # 316

Having knowledge in which of the following areas is MOST relevant for an IS auditor reviewing public key infrastructure (PKI)?

A.

Design and application of key controls in public audit

B.

Security strategy in public cloud Infrastructure as a Service (IaaS)

C.

Modern encoding methods for digital communications

D.

Technology and process life cycle for digital certificates and key pairs

Full Access
Question # 317

In an annual audit cycle, the audit of an organization's IT department resulted in many findings. Which of the following would be the MOST important consideration when planning the next audit?

A.

Postponing the review until all of the findings have been rectified

B.

Limiting the review to the deficient areas

C.

Verifying that all recommendations have been implemented

D.

Following up on the status of all recommendations

Full Access
Question # 318

Which of the following is the BEST way to ensure a vendor complies with system security requirements?

A.

Require security training for vendor staff.

B.

Review past incidents reported by the vendor.

C.

Review past audits on the vendor's security compliance.

D.

Require a compliance clause in the vendor contract.

Full Access
Question # 319

Which of the following is the MOST important consideration when establishing operational log management?

A.

Types of data

B.

Log processing efficiency

C.

IT organizational structure

D.

Log retention period

Full Access
Question # 320

IT management has accepted the risk associated with an IS auditor's finding due to the cost and complexity of the corrective actions. Which of the following should be the auditor's NEXT course of action?

A.

Perform a cost-benefit analysis.

B.

Document and inform the audit committee.

C.

Report the finding to external regulators.

D.

Notify senior management.

Full Access
Question # 321

An IS auditor is reviewing a medical device that is attached to a patient’s body, which automatically takes and uploads measurements to a cloud server. Treatment may be updated based on the measurements. Which of the following should be the auditor's PRIMARY focus?

A.

Physical access controls on the device

B.

Security and quality certification of the device

C.

Device identification and authentication

D.

Confirmation that the device is regularly updated

Full Access
Question # 322

Which of the following is a threat to IS auditor independence?

A.

Internal auditors share the audit plan and control test plans with management prior to audit commencement.

B.

Internal auditors design remediation plans to address control gaps identified by internal audit.

C.

Internal auditors attend IT steering committee meetings.

D.

Internal auditors recommend appropriate controls for systems in development.

Full Access
Question # 323

Which of the following is the MOST important consideration when defining an operational log management strategy?

A.

Audit recommendations

B.

Industry benchmarking

C.

Event response procedures

D.

Stakeholder requirements

Full Access
Question # 324

Which of the following is an IS auditor's BEST recommendation for mitigating risk associated with inadvertent disclosure of sensitive information by employees?

A.

Intrusion prevention system (IPS) and firewalls

B.

Data loss prevention (DLP) technologies

C.

Cryptographic protection

D.

Email phishing simulation exercises

Full Access
Question # 325

From a risk management perspective, which of the following is the BEST approach when implementing a large and complex data center IT infrastructure?

A.

Simulating the new infrastructure before deployment

B.

Prototyping and a one-phase deployment

C.

A deployment plan based on sequenced phases

D.

A big bang deployment with a successful proof of concept

Full Access
Question # 326

Which of the following is MOST important to define within a disaster recovery plan (DRP)?

A.

A comprehensive list of disaster recovery scenarios and priorities

B.

Business continuity plan (BCP)

C.

Test results for backup data restoration

D.

Roles and responsibilities for recovery team members

Full Access
Question # 327

Which of the following is the PRIMARY reason for using a digital signature?

A.

Provide availability to the transmission

B.

Authenticate the sender of a message

C.

Provide confidentiality to the transmission

D.

Verify the integrity of the data and the identity of the recipient

Full Access
Question # 328

An IS auditor reviewing an information processing environment decides to conduct external penetration testing. Which of the following is MOST appropriate to include in the audit scope for the organization to distinguish between the auditor's penetration attacks and actual attacks?

A.

Restricted host IP addresses of simulated attacks

B.

Testing techniques of simulated attacks

C.

Source IP addresses of simulated attacks

D.

Timing of simulated attacks

Full Access
Question # 329

A web application is developed in-house by an organization. Which of the following would provide the BEST evidence to an IS auditor that the application is secure from external attack?

A.

Web application firewall (WAF) implementation

B.

Penetration test results

C.

Code review by a third party

D.

Database application monitoring logs

Full Access
Question # 330

Which of the following should be of MOST concern to an IS auditor reviewing an organization's operational log management?

A.

Log file size has grown year over year.

B.

Critical events are being logged to immutable log files.

C.

Applications are logging events into multiple log files.

D.

Data formats have not been standardized across all logs.

Full Access
Question # 331

Which type of review is MOST important to conduct when an IS auditor is informed that a recent internal exploitation of a bug has been discovered in a business application?

A.

Penetration testing

B.

Application security testing

C.

Forensic audit

D.

Server security audit

Full Access
Question # 332

Which of the following BEST enables an organization to standardize its IT infrastructure to align with business goals?

A.

Enterprise architecture (EA)

B.

Operational technologies

C.

Data architecture

D.

Robotic process automation (RPA)

Full Access
Question # 333

Which of the following BEST ensures that effective change management is in place in an IS environment?

A.

User authorization procedures for application access are well established.

B.

User-prepared detailed test criteria for acceptance testing of the software.

C.

Adequate testing was carried out by the development team.

D.

Access to production source and object programs is well controlled.

Full Access
Question # 334

An IS auditor has been asked to review an event log aggregation system to ensure risk management practices have been applied. Which of the following should be of MOST concern to the auditor?

A.

Log feeds are uploaded via batch process.

B.

Completeness testing has not been performed on the log data.

C.

The log data is not normalized.

D.

Data encryption standards have not been considered.

Full Access
Question # 335

Management is concerned about sensitive information being intentionally or unintentionally emailed as attachments outside the organization by employees. What is the MOST important task before implementing any associated email controls?

A.

Provide notification to employees about possible email monitoring.

B.

Develop an information classification scheme.

C.

Require all employees to sign nondisclosure agreements (NDAs).

D.

Develop an acceptable use policy for end-user computing (EUC).

Full Access
Question # 336

In order for a firewall to effectively protect a network against external attacks, what fundamental practice must be followed?

A.

The firewall must be placed in the demilitarized zone (DMZ).

B.

Only essential external services should be permitted.

C.

Filters for external information must be defined.

D.

All external communication must be via the firewall.

Full Access
Question # 337

An IS audit team is evaluating documentation of the most recent application user access review. It is determined that the user list was not system generated. Which of the following should be of

MOST concern?

A.

Confidentiality of the user list

B.

Timeliness of the user list review

C.

Completeness of the user list

D.

Availability of the user list

Full Access
Question # 338

A small organization is experiencing rapid growth and plans to create a new information security policy. Which of the following is MOST relevant to creating the policy?

A.

Business objectives

B.

Business impact analysis (BIA)

C.

Enterprise architecture (EA)

D.

Recent incident trends

Full Access
Question # 339

A review of an organization’s IT portfolio revealed several applications that are not in use. The BEST way to prevent this situation from recurring would be to implement.

A.

A formal request for proposal (RFP) process

B.

Business case development procedures

C.

An information asset acquisition policy

D.

Asset life cycle management.

Full Access
Question # 340

An organization has virtualized its server environment without making any other changes to the network or security infrastructure. Which of the following is the MOST significant risk?

A.

Inability of the network intrusion detection system (IDS) to monitor virtual server-lo-server communications

B.

Vulnerability in the virtualization platform affecting multiple hosts

C.

Data center environmental controls not aligning with new configuration

D.

System documentation not being updated to reflect changes in the environment

Full Access
Question # 341

Which of the following controls BEST ensures appropriate segregation of duties within an accounts payable department?

A.

Restricting program functionality according to user security profiles

B.

Restricting access to update programs to accounts payable staff only

C.

Including the creator’s user ID as a field in every transaction record created

D.

Ensuring that audit trails exist for transactions

Full Access
Question # 342

An IS auditor assessing the controls within a newly implemented call center would First

A.

gather information from the customers regarding response times and quality of service.

B.

review the manual and automated controls in the call center.

C.

test the technical infrastructure at the call center.

D.

evaluate the operational risk associated with the call center.

Full Access
Question # 343

Which of the following is the MOST efficient way to identify segregation of duties violations in a new system?

A.

Review a report of security rights in the system.

B.

Observe the performance of business processes.

C.

Develop a process to identify authorization conflicts.

D.

Examine recent system access rights violations.

Full Access
Question # 344

Which of the following application input controls would MOST likely detect data input errors in the customer account number field during the processing of an accounts receivable transaction?

A.

Limit check

B.

Parity check

C.

Reasonableness check

D.

Validity check

Full Access
Question # 345

Which of the following features of a library control software package would protect against unauthorized updating of source code?

A.

Required approvals at each life cycle step

B.

Date and time stamping of source and object code

C.

Access controls for source libraries

D.

Release-to-release comparison of source code

Full Access
Question # 346

An IS auditor discovers that an IT organization serving several business units assigns equal priority to all initiatives, creating a risk of delays in securing project funding Which of the following would be MOST helpful in matching demand for projects and services with available resources in a way that supports business objectives?

A.

Project management

B.

Risk assessment results

C.

IT governance framework

D.

Portfolio management

Full Access
Question # 347

Which of the following provides the BEST providence that outsourced provider services are being properly managed?

A.

The service level agreement (SLA) includes penalties for non-performance.

B.

Adequate action is taken for noncompliance with the service level agreement (SLA).

C.

The vendor provides historical data to demonstrate its performance.

D.

Internal performance standards align with corporate strategy.

Full Access
Question # 348

Which of the following is MOST important for an IS auditor to determine during the detailed design phase of a system development project?

A.

Program coding standards have been followed

B.

Acceptance test criteria have been developed

C.

Data conversion procedures have been established.

D.

The design has been approved by senior management.

Full Access
Question # 349

Which of the following should be the FIRST step in the incident response process for a suspected breach?

A.

Inform potentially affected customers of the security breach

B.

Notify business management of the security breach.

C.

Research the validity of the alerted breach

D.

Engage a third party to independently evaluate the alerted breach.

Full Access
Question # 350

During an exit meeting, an IS auditor highlights that backup cycles

are being missed due to operator error and that these exceptions

are not being managed. Which of the following is the BEST way to

help management understand the associated risk?

A.

Explain the impact to disaster recovery.

B.

Explain the impact to resource requirements.

C.

Explain the impact to incident management.

D.

Explain the impact to backup scheduling.

Full Access
Question # 351

An organization allows its employees lo use personal mobile devices for work. Which of the following would BEST maintain information security without compromising employee privacy?

A.

Installing security software on the devices

B.

Partitioning the work environment from personal space on devices

C.

Preventing users from adding applications

D.

Restricting the use of devices for personal purposes during working hours

Full Access
Question # 352

An IS auditor has found that a vendor has gone out of business and the escrow has an older version of the source code. What is the auditor's BEST recommendation for the organization?

A.

Analyze a new application that moots the current re

B.

Perform an analysis to determine the business risk

C.

Bring the escrow version up to date.

D.

Develop a maintenance plan to support the application using the existing code

Full Access
Question # 353

Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization's information security policy?

A.

IT steering committee minutes

B.

Business objectives

C.

Alignment with the IT tactical plan

D.

Compliance with industry best practice

Full Access
Question # 354

Which of the following would an IS auditor recommend as the MOST effective preventive control to reduce the risk of data leakage?

A.

Ensure that paper documents arc disposed security.

B.

Implement an intrusion detection system (IDS).

C.

Verify that application logs capture any changes made.

D.

Validate that all data files contain digital watermarks

Full Access
Question # 355

What would be an IS auditor's BEST recommendation upon finding that a third-party IT service provider hosts the organization's human resources (HR) system in a foreign country?

A.

Perform background verification checks.

B.

Review third-party audit reports.

C.

Implement change management review.

D.

Conduct a privacy impact analysis.

Full Access
Question # 356

Which of the following should an IS auditor ensure is classified at the HIGHEST level of sensitivity?

A.

Server room access history

B.

Emergency change records

C.

IT security incidents

D.

Penetration test results

Full Access
Question # 357

What is the PRIMARY purpose of documenting audit objectives when preparing for an engagement?

A.

To address the overall risk associated with the activity under review

B.

To identify areas with relatively high probability of material problems

C.

To help ensure maximum use of audit resources during the engagement

D.

To help prioritize and schedule auditee meetings

Full Access
Question # 358

An IS auditor reviewing security incident processes realizes incidents are resolved and closed, but root causes are not investigated. Which of the following should be the MAJOR concern with this situation?

A.

Abuses by employees have not been reported.

B.

Lessons learned have not been properly documented

C.

vulnerabilities have not been properly addressed

D.

Security incident policies are out of date.

Full Access