Due to limited storage capacity, an organization has decided to reduce the actual retention period for media containing completed low-value transactions. Which of the following is MOST important for the organization to ensure?
A third-party consultant is managing the replacement of an accounting system. Which of the following should be the IS auditor's GREATEST concern?
Which of the following findings should be of GREATEST concern for an IS auditor when auditing the effectiveness of a phishing simulation test administered for staff members?
Which of the following is the GREATEST risk associated with storing customer data on a web server?
IT disaster recovery time objectives (RTOs) should be based on the:
Following a security breach in which a hacker exploited a well-known vulnerability in the domain controller, an IS auditor has been asked to conduct a control assessment. The auditor's BEST course of action would be to determine if:
Which of the following is MOST important for an IS auditor to verify when evaluating an organization's firewall?
A new system is being developed by a vendor for a consumer service organization. The vendor will provide its proprietary software once system development is completed. Which of the following is the MOST important requirement to include in the vendor contract to ensure continuity?
In order to be useful, a key performance indicator (KPI) MUST:
Which of the following is the GREATEST security risk associated with data migration from a legacy human resources (HR) system to a cloud-based system?
Which of the following environments is BEST used for copying data and transformation into a compatible data warehouse format?
Which of the following activities provides an IS auditor with the MOST insight regarding potential single person dependencies that might exist within the organization?
During an audit of a financial application, it was determined that many terminated users' accounts were not disabled. Which of the following should be the IS auditor's NEXT step?
An organization with many desktop PCs is considering moving to a thin client architecture. Which of the following is the MAJOR advantage?
Which of the following is the BEST source of information for an IS auditor to use when determining whether an organization's information security policy is adequate?
Which of the following security risks can be reduced by a properly configured network firewall?
An organization was recently notified by its regulatory body of significant discrepancies in its reporting data. A preliminary investigation revealed that the discrepancies were caused by problems with the organization's data quality. Management has directed the data quality team to enhance their program. The audit committee has asked internal audit to be advisors to the process. To ensure that management concerns are addressed, which data set should internal audit recommend be reviewed FIRST?
An organization is planning an acquisition and has engaged an IS auditor to evaluate the IT governance framework of the target company. Which of the following would be MOST helpful in determining the effectiveness of the framework?
Which of the following BEST protects an organization's proprietary code during a joint-development activity involving a third party?
In which phase of penetration testing would host detection and domain name system (DNS) interrogation be performed?
A new regulation in one country of a global organization has recently prohibited cross-border transfer of personal data. An IS auditor has been asked to determine the organization's level of exposure in the affected country. Which of the following would be MOST helpful in making this assessment?
During a follow-up audit, it was found that a complex security vulnerability of low risk was not resolved within the agreed-upon timeframe. IT has stated that the system with the identified vulnerability is being replaced and is expected to be fully functional in two months. Which of the following is the BEST course of action?
Which of the following would lead an IS auditor to conclude that the evidence collected during a digital forensic investigation would not be admissible in court?
Which of the following should an IS auditor review FIRST when planning a customer data privacy audit?
Which of the following is MOST important to consider when scheduling follow-up audits?
Providing security certification for a new system should include which of the following prior to the system's implementation?
What is the MAIN reason to use incremental backups?
Which of the following is MOST helpful for measuring benefits realization for a new system?
An IS auditor finds that an organization's data loss prevention (DLP) system is configured to use vendor default settings to identify violations. The auditor's MAIN concern should be that:
Which of the following BEST demonstrates that IT strategy is aligned with organizational goals and objectives?
Which of the following findings should be of GREATEST concern to an IS auditor performing a review of IT operations?
In an environment that automatically reports all program changes, which of the following is the MOST efficient way to detect unauthorized changes to production programs?
An organization recently implemented a cloud document storage solution and removed the ability for end users to save data to their local workstation hard drives. Which of the following findings should be the IS auditor's GREATEST concern?
An IS auditor learns the organization has experienced several server failures in its distributed environment. Which of the following is the BEST recommendation to limit the potential impact of server failures in the future?
A project team has decided to switch to an agile approach to develop a replacement for an existing business application. Which of the following should an IS auditor do FIRST to ensure the effectiveness of the project audit?
Which of the following is MOST important to verify when determining the completeness of the vulnerability scanning process?
Which of the following is the BEST indicator of the effectiveness of an organization's incident response program?
Which of the following is the MAIN purpose of an information security management system?
An organization that has suffered a cyber-attack is performing a forensic analysis of the affected users' computers. Which of the following should be of GREATEST concern for the IS auditor reviewing this process?
Which of the following observations would an IS auditor consider the GREATEST risk when conducting an audit of a virtual server farm for potential software vulnerabilities?
Which of the following is a social engineering attack method?
An organization has recently implemented a Voice-over IP (VoIP) communication system. Which of the following should be the IS auditor's PRIMARY concern?
Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system. Which of the following is the IS auditor's BEST recommendation for a compensating control?
Which of the following provides the MOST assurance over the completeness and accuracy of loan application processing with respect to the implementation of a new system?
An IS auditor is reviewing an industrial control system (ICS) that uses older unsupported technology in the scope of an upcoming audit. What should the auditor consider the MOST significant concern?
An organization has assigned two new IS auditors to audit a new system implementation. One of the auditors has an IT-related degree, and one has a business degree. Which of the following is MOST important to meet the IS audit standard for proficiency?
Which of the following is the PRIMARY role of the IS auditor in an organization's information classification process?
An organization plans to receive an automated data feed into its enterprise data warehouse from a third-party service provider. Which of the following would be the BEST way to prevent accepting bad data?
Which of the following controls BEST ensures appropriate segregation of duties within an accounts payable department?
Which of the following would be an appropriate role of internal audit in helping to establish an organization's privacy program?
When auditing the alignment of IT to the business strategy, it is MOST important for the IS auditor to:
An IS auditor is reviewing security controls related to collaboration tools for a business unit responsible for intellectual property and patents. Which of the following observations should be of MOST concern to the auditor?
The PRIMARY focus of a post-implementation review is to verify that:
An IS auditor performs a follow-up audit and learns the approach taken by the auditee to fix the findings differs from the agreed-upon approach confirmed during the last audit. Which of the following should be the auditor's NEXT course of action?
Which of the following is MOST important for an IS auditor to consider when performing the risk assessment prior to an audit engagement?
Which of the following metrics would BEST measure the agility of an organization's IT function?
Which of the following is the BEST reason for an organization to use clustering?
During the implementation of a new system, an IS auditor must assess whether certain automated calculations comply with the regulatory requirements. Which of the following is the BEST way to obtain this assurance?
Which of the following findings from an IT governance review should be of GREATEST concern?
An IS auditor notes that IT and the business have different opinions on the availability of their application servers. Which of the following should the IS auditor review FIRST in order to understand the problem?
Which of the following are BEST suited for continuous auditing?
An IS auditor is reviewing the release management process for an in-house software development solution. In which environment is the software version MOST likely to be the same as production?
Which of the following weaknesses would have the GREATEST impact on the effective operation of a perimeter firewall?
An IS auditor concludes that an organization has a quality security policy. Which of the following is MOST important to determine next? The policy must be:
The BEST way to determine whether programmers have permission to alter data in the production environment is by reviewing:
To enable the alignment of IT staff development plans with IT strategy, which of the following should be done FIRST?
To develop meaningful recommendations for findings, which of the following is MOST important for an IS auditor to determine and understand?
Which of the following is the MOST appropriate and effective fire suppression method for an unstaffed computer room?
Which of the following is the BEST way for an organization to mitigate the risk associated with third-party application performance?
During an IT governance audit, an IS auditor notes that IT policies and procedures are not regularly reviewed and updated. The GREATEST concern to the IS auditor is that policies and procedures might not:
Which of the following is the BEST audit procedure to determine whether a firewall is configured in compliance with the organization's security policy?
Which of the following is the MOST important area of focus for an IS auditor when developing a risk-based audit strategy?
An IS auditor has been tasked with auditing the inventory control process for a large organization that processes millions of data transactions. Which of the following is the BEST testing strategy to adopt?
An IS auditor finds that periodic reviews of read-only users for a reporting system are not being performed. Which of the following should be the IS auditor's NEXT course of action?
Stress testing should ideally be carried out under a:
An IS auditor has identified deficiencies within the organization's software development life cycle policies. Which of the following should be done NEXT?
Which type of risk would MOST influence the selection of a sampling methodology?
When planning an internal penetration test, which of the following is the MOST important step prior to finalizing the scope of testing?
Which of the following responses to risk associated with segregation of duties would incur the LOWEST initial cost?
The BEST way to provide assurance that a project is adhering to the project plan is to:
Which of the following is MOST important to include in security awareness training?
Which of the following BEST facilitates strategic program management?
Which of the following areas of responsibility would cause the GREATEST segregation of duties conflict if the individual who performs the related tasks also has approval authority?
The PRIMARY purpose of an incident response plan is to:
Which of the following would BEST guide an IS auditor when determining an appropriate time to schedule the follow-up of agreed corrective actions for reported audit issues?
An IS auditor is reviewing a client's outsourced payroll system to assess whether the financial audit team can rely on the application. Which of the following findings would be the auditor's GREATEST concern?
Which type of attack targets security vulnerabilities in web applications to gain access to data sets?
Which of the following should an IS auditor use when verifying a three-way match has occurred in an enterprise resource planning (ERP) system?
Which of the following approaches would utilize data analytics to facilitate the testing of a new account creation process?
Which of the following is MOST likely to be a project deliverable of an agile software development methodology?
Which of the following is MOST helpful for an IS auditor to review when evaluating an organization's business processes that are supported by applications and IT systems?
Which of the following findings from a database security audit presents the GREATEST risk of critical security exposures?
The FIRST step in an incident response plan is to:
A secure server room has a badge reader system that records name, date, and time information whenever a staff member uses a badge to enter or exit. When reviewing the system logs, an IS auditor notices records for some employees entering, but not exiting, the room. Which of the following would be the MOST effective compensating control to recommend?
An IS audit review identifies inconsistencies in privacy requirements across third-party service provider contracts. Which of the following is the BEST recommendation to address this situation?
An IS audit manager is reviewing workpapers for a recently completed audit of the corporate disaster recovery test. Which of the following should the IS audit manager specifically review to substantiate the conclusions?
Which of the following is MOST critical to the success of an information security program?
Which of the following is the PRIMARY benefit of a tabletop exercise for an incident response plan?
Which of the following should be done FIRST when planning to conduct internal and external penetration testing for a client?
During a pre-deployment assessment, what is the BEST indication that a business case will lead to the achievement of business objectives?
Which of the following is the GREATEST risk when relying on reports generated by end-user computing (EUC)?
An organization has an acceptable use policy in place, but users do not formally acknowledge the policy. Which of the following is the MOST significant risk from this finding?
Which of the following findings would be of GREATEST concern to an IS auditor assessing an organization's patch management process?
To reduce operational costs, IT management plans to reduce the number of servers currently used to run business applications. Which of the following is MOST helpful to review when identifying which servers are no longer required?
Which of the following would be an IS auditor's GREATEST concern when reviewing the organization's business continuity plan (BCP)?
Which of the following is the MOST effective control over visitor access to highly secured areas?
Aligning IT strategy with business strategy PRIMARILY helps an organization to:
Which of the following would be MOST effective in detecting the presence of an unauthorized wireless access point on an internal network?
An organization's security team created a simulated production environment with multiple vulnerable applications. What would be the PRIMARY purpose of creating such an environment?
Which of the following is MOST important to consider when assessing the scope of privacy concerns for an IT project?
Which of the following is the MOST important responsibility of data owners when implementing a data classification process?
Which of the following is the MOST important prerequisite for implementing a data loss prevention (DLP) tool?
In a high-volume, real-time system, the MOST effective technique by which to continuously monitor and analyze transaction processing is:
Which of the following should be identified FIRST during the risk assessment process?
An IS auditor discovers a box of hard drives in a secured location that are overdue for physical destruction. The vendor responsible for this task was never made aware of these hard drives. Which of the following is the BEST course of action to address this issue?
Which of the following is MOST important for the successful establishment of a security vulnerability management program?
An organization that operates an e-commerce website wants to provide continuous service to its customers and is planning to invest in a hot site due to service criticality. Which of the following is the MOST important consideration when making this decision?
An IS audit reveals an IT application is experiencing poor performance including data inconsistency and integrity issues. What is the MOST likely cause?
Which of the following is the PRIMARY objective of implementing privacy-related controls within an organization?
The use of which of the following would BEST enhance a process improvement program?
In which of the following sampling methods is the entire sample considered to be irregular if a single error is found?
Which of the following statements appearing in an organization's acceptable use policy BEST demonstrates alignment with data classification standards related to the protection of information assets?
A security administrator is called in the middle of the night by the on-call programmer. A number of programs have failed, and the programmer has asked for access to the live system. What is the BEST course of action?
Which of the following is the BEST indication of effective governance over IT infrastructure?
Which of the following is the PRIMARY reason an IS auditor should discuss observations with management before delivering a final report?
An organization plans to replace its nightly batch processing backup to magnetic tape with real-time replication to a second data center. Which of the following is the GREATEST risk associated with this change?
When reviewing past results of a recurring annual audit, an IS auditor notes that findings may not have been reported and independence may not have been maintained. Which of the following is the auditor's BEST course of action?
Which of the following is MOST important to ensure when developing an effective security awareness program?
During an audit, the IS auditor finds that in many cases excessive rights were not removed from a system. Which of the following is the auditor's BEST recommendation?
During a project audit, an IS auditor notes that project reporting does not accurately reflect current progress. Which of the following is the GREATEST resulting impact?
An IS auditor is reviewing the backup procedures in an organization that has high volumes of data with frequent changes to transactions. Which of the following is the BEST backup scheme to recommend given the need for a shorter restoration time in the event of a disruption?
Which of the following is the BEST sampling method to use when relatively few errors are expected to be found in a population?
A transaction processing system interfaces with the general ledger. Data analytics has identified that some transactions are being recorded twice in the general ledger. While management states a system fix has been implemented, what should the IS auditor recommend to validate the interface is working in the future?
Which of the following should be done FIRST to minimize the risk of unstructured data?
Which of the following is the BEST reason to implement a data retention policy?
During an operational audit on the procurement department, the audit team encounters a key system that uses an artificial intelligence (AI) algorithm. The audit team does not have the necessary knowledge to proceed with the audit. Which of the following is the BEST way to handle this situation?
Which of the following is the MOST important advantage of participating in beta testing of software products?
An IS auditor is evaluating an enterprise resource planning (ERP) migration from local systems to the cloud. Who should be responsible for the data classification in this project?
Which of the following is the MOST significant impact to an organization that does not use an IT governance framework?
A core system fails a week after a scheduled update, causing an outage that impacts service. Which of the following is MOST important for incident management to focus on when addressing the issue?
An organization is establishing a steering committee for the implementation of a new enterprise resource planning (ERP) system that uses Agile project management methodology. What is the MOST important criterion for the makeup of this committee?
Which of the following parameters reflects the risk threshold for an organization experiencing a service disruption?
When drafting a disaster recovery strategy, what should be the MOST important outcome of a business impact analysis (BIA)?
An organization has decided to reengineer business processes to improve the performance of overall IT service delivery. Which of the following recommendations from the project team should be the GREATEST concern to the IS auditor?
The PRIMARY objective of a follow-up audit is to:
Which of the following is the PRIMARY advantage of using an automated security log monitoring tool over a manual review to monitor the use of privileged access?
Which of the following would be of GREATEST concern to an IS auditor reviewing an IT-related customer service project?
Which of the following components of a risk assessment is MOST helpful to management in determining the level of risk mitigation to apply?
Which of the following system attack methods is executed by entering malicious code into the search box of a vulnerable website, causing the server to reveal restricted information?
An IS auditor can BEST evaluate the business impact of system failures by:
Which of the following is the MOST important regulatory consideration for an organization determining whether to use its customer data to train AI algorithms?
Which of the following should be the GREATEST concern for an IS auditor performing a post-implementation review for a major system upgrade?
Which of the following provides the BEST evidence that system requirements are met when evaluating a project before implementation?
Which of the following observations should be of GREATEST concern to an IS auditor reviewing an organization’s enterprise architecture (EA) program?
Which of the following is the MOST important task of an IS auditor during an application post-implementation review?
A small organization is experiencing rapid growth and plans to create a new information security policy. Which of the following is MOST relevant to creating the policy?
An IS auditor is reviewing a network diagram. Which of the following would be the BEST location for placement of a firewall?
Which of the following is the BEST way to ensure a vendor complies with system security requirements?
In an area susceptible to unexpected increases in electrical power, which of the following would MOST effectively protect the system?
Which of the following approaches BEST enables an IS auditor to detect security vulnerabilities within an application?
Which of the following is the BEST way to ensure email confidentiality in transit?
An organization requires the use of a key card to enter its data center. Recently, a control was implemented that requires biometric authentication for each employee. Which type of control has been added?
An IS auditor is reviewing an organization that performs backups on local database servers every two weeks and does not have a formal policy to govern data backup and restoration procedures. Which of the following findings presents the GREATEST risk to the organization?
Which of the following network communication protocols is used by network devices such as routers to send error messages and operational information indicating success or failure when communicating with another IP address?
Which of the following responses to risk associated with separation of duties would incur the LOWEST initial cost?
An IS auditor is reviewing an organization's system development life cycle (SDLC). Which of the following MUST be included in the review?
Which of the following should be of GREATEST concern to an IS auditor reviewing system interfaces used to transfer publicly available information?
Which of the following is an analytical review procedure for a payroll system?
A national bank recently migrated a large number of business-critical applications to the cloud. Which of the following is MOST important to ensuring the resiliency of the applications?
How does a continuous integration/continuous development (CI/CD) process help to reduce software failure risk?
Which of the following can BEST reduce the impact of a long-term power failure?
Which of the following BEST enables an organization to standardize its IT infrastructure to align with business goals?
The PRIMARY goal of capacity management is to:
Which of the following would a digital signature MOST likely prevent?
Which of the following is MOST important when creating a forensic image of a hard drive?
An IS auditor is reviewing a medical device that is attached to a patient’s body, which automatically takes and uploads measurements to a cloud server. Treatment may be updated based on the measurements. Which of the following should be the auditor's PRIMARY focus?
Audit frameworks can assist the IS audit function by:
Which of the following threats is mitigated by a firewall?
Which of the following is the BEST disposal method for flash drives that previously stored confidential data?
The PRIMARY advantage of using open-source-based solutions is that they:
An organization establishes capacity utilization thresholds and monitors for instances when thresholds are exceeded. Which of the following is BEST supported by this activity?
Which of the following BEST mitigates the risk associated with the deployment of a new production system?
Which of the following should be of GREATEST concern to an IS auditor assessing an organization's patch management program?
Which of the following should be done FIRST following an incident that has caused internal servers to be inaccessible, disrupting normal business operations?
Which of the following is MOST helpful for understanding an organization’s key driver to modernize application platforms?
An IS auditor is reviewing a machine learning model that predicts the likelihood that a user will watch a certain movie. Which of the following would be of GREATEST concern to the auditor?
Which type of testing is used to identify security vulnerabilities in source code in the development environment?
Which of the following is the BEST way to mitigate risk to an organization's network associated with devices permitted under a bring your own device (BYOD) policy?
An organization is enhancing the security of a client-facing web application following a proposal to acquire personal information for a business purpose. Which of the following is MOST important to review before implementing this initiative?
During a closing meeting, the IT manager disagrees with a valid audit finding presented by the IS auditor and requests the finding be excluded from the final report. Which of the following is the auditor's BEST course of action?
Which of the following should an IS auditor be MOST concerned with when a system uses RFID?
Which of the following is an IS auditor's BEST recommendation to help an organization increase the efficiency of computing resources?
Which of the following should be the GREATEST concern to an IS auditor reviewing the information security framework of an organization?
An IS auditor finds that irregularities have occurred and that auditee management has chosen to ignore them. If reporting to external authorities is required which of the following is the BEST action for the IS auditor to take?
A review of IT interface controls finds an organization does not have a process to identify and correct records that do not get transferred to the receiving system. Which of the following is the IS auditor's BEST recommendation?
Which of the following is an effective way to ensure the integrity of file transfers in a peer-to-peer (P2P) computing environment?
Which of the following operational log management considerations is MOST important for an organization undergoing a digital transformation?
Which of the following is the MOST important reason for an organization to automate data purging?
Which of the following controls is the BEST recommendation to prevent the skimming of debit or credit card data in point of sale (POS) systems?
An organization is planning to implement a control self-assessment (CSA) program for selected business processes. Which of the following should be the role of the internal audit team for this program?
An IS auditor is reviewing the service management of an outsourced help desk. Which of the following is the BEST indicator of how effectively the service provider is performing this function?
A checksum is classified as which type of control?
An IS auditor is reviewing a machine learning algorithm-based system for loan approvals and is preparing a data set to test the algorithm for bias. Which of the following is MOST important for the auditor’s test data set to include?
What should be the PRIMARY focus during a review of a business process improvement project?
Which of the following should an IS auditor recommend be done FIRST when an organization is planning to implement an IT compliance program?
An IS auditor would MOST likely recommend that IT management use a balanced scorecard to:
Which of the following is the GREATEST risk associated with security patches being automatically downloaded and applied to production servers?
An IS auditor determines elevated administrator accounts for servers that are not properly checked out and then back in after each use. Which of the following is the MOST appropriate sampling technique to determine the scope of the problem?
The business case for an information system investment should be available for review until the:
Which of the following provides the BEST assurance that vendor-supported software remains up to date?
As part of an audit response, an auditee has concerns with the recommendations and is hesitant to implement them. Which of the following is the BEST course of action for the IS auditor?
One advantage of monetary unit sampling is the fact that:
A fire alarm system has been installed in the computer room. The MOST effective location for the fire alarm control panel would be inside the:
Which of the following provides the MOST useful information regarding an organization's risk appetite and tolerance?
An IS auditor engaged in developing the annual internal audit plan learns that the chief information officer (CIO) has requested there be no IS audits in the upcoming year, as more time is needed to address a large number of recommendations from the previous year. Which of the following should the auditor do FIRST?
An IS auditor is reviewing the security of a web-based customer relationship management (CRM) system that is directly accessed by customers via the Internet. Which of the following should be a concern for the auditor?
An IS auditor is reviewing the perimeter security design of a network. Which of the following provides the GREATEST assurance that outgoing Internet traffic is controlled?
What is the PRIMARY purpose of performing a parallel run of a new system?
Which of the following should be an IS auditor's GREATEST concern when a data owner assigns an incorrect classification level to data?
An IS auditor concludes that logging and monitoring mechanisms within an organization are ineffective because critical servers are not included within the central log repository. Which of the following audit procedures would have MOST likely identified this exception?
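The procedure that surfaces this kind of gap is a reconciliation of the asset inventory against the log sources the central repository actually receives events from. The following is an added example, not part of the original question set; the CMDB and log-source extracts, hostnames and timestamps are constructed, and the 24-hour silence threshold is an assumed tuning value. It also catches a second failure the question does not mention: a host that was onboarded once but has gone silent.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed extracts: an asset inventory (CMDB) and the log sources the
# central repository is receiving events from. Hostnames differ in case on
# purpose; real exports do too.
CMDB_CSV = """hostname,criticality
db-prod-01,critical
app-prod-02,critical
hr-prod-04,critical
web-prod-03,high
dev-box-07,low
"""

LOG_SOURCES_CSV = """hostname,last_event_utc
DB-PROD-01,2024-05-01T09:58:00
web-prod-03,2024-05-01T09:59:30
app-prod-02,2024-03-12T02:10:00
"""

AS_OF = datetime(2024, 5, 1, 10, 0, 0)  # assumed time the extracts were taken


def reconcile(cmdb_csv: str, sources_csv: str, as_of: datetime,
              in_scope=("critical", "high"),
              max_silence: timedelta = timedelta(hours=24)) -> dict:
    """Compare in-scope assets against the repository's source list.

    'missing' = critical/high host never onboarded to the log repository.
    'stale'   = onboarded, but no event for longer than max_silence (agent
                stopped, forwarder broken, host rebuilt under a new name).
    Hostnames are normalised so case differences do not hide a match.
    """
    last_seen = {
        row["hostname"].strip().lower(): datetime.fromisoformat(row["last_event_utc"])
        for row in csv.DictReader(io.StringIO(sources_csv))
    }
    missing, stale = [], []
    for row in csv.DictReader(io.StringIO(cmdb_csv)):
        if row["criticality"].strip().lower() not in in_scope:
            continue
        host = row["hostname"].strip().lower()
        if host not in last_seen:
            missing.append(host)
        elif as_of - last_seen[host] > max_silence:
            stale.append(host)
    return {"missing": sorted(missing), "stale": sorted(stale)}


if __name__ == "__main__":
    print(reconcile(CMDB_CSV, LOG_SOURCES_CSV, AS_OF))
```

The same comparison run in the other direction (sources with no inventory record) finds unmanaged hosts, which is a separate finding.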
To mitigate the risk of exposing data through application programming interface (API) queries. which of the following design considerations is MOST important?
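The design consideration behind this question is that the API, not the client, decides which fields leave the server, and that the decision depends on who is asking. Below is an added example, not part of the original page: a hypothetical GET /users/{id} handler in its exposing form beside a version with an explicit response schema and object-level authorization. The records and field lists are constructed.

```python
# Constructed customer records behind a hypothetical GET /users/<id> endpoint.
USERS = {
    1: {"id": 1, "name": "Ada", "email": "ada@example.com",
        "ssn": "123-45-6789", "password_hash": "hash-not-shown"},
    2: {"id": 2, "name": "Grace", "email": "grace@example.com",
        "ssn": "987-65-4321", "password_hash": "hash-not-shown"},
}

PUBLIC_FIELDS = ("id", "name")              # any authenticated caller may see these
OWNER_FIELDS = PUBLIC_FIELDS + ("email",)   # only the record's own user
# ssn and password_hash appear on no list, so this endpoint never returns them.


def weak_get_user(user_id: int, caller_id: int) -> dict:
    """Returns the stored object as-is and relies on the client to display
    only what it needs. Any caller can walk the id space and harvest every
    column, including ones the UI never shows."""
    return USERS[user_id]


def get_user(user_id: int, caller_id: int) -> dict:
    """Explicit response schema: serialize only allow-listed fields, and pick
    the list from the caller's relationship to the record."""
    record = USERS.get(user_id)
    if record is None:
        raise LookupError("no such user")
    fields = OWNER_FIELDS if caller_id == user_id else PUBLIC_FIELDS
    return {name: record[name] for name in fields}


if __name__ == "__main__":
    print("weak     :", weak_get_user(2, caller_id=1))
    print("hardened :", get_user(2, caller_id=1))
    print("own record:", get_user(1, caller_id=1))
```

Allow-listing (naming what may be returned) rather than deny-listing (stripping known-sensitive names) means a column added to the table later is not exposed by default.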
Which of the following is the BEST performance indicator for the effectiveness of an incident management program?
Which of the following is the BEST way to detect unauthorized copies of licensed software on systems?
In which of the following system development life cycle (SDLC) phases would an IS auditor expect to find that controls have been incorporated into system specifications?
Which of the following provides the MOST assurance of the integrity of a firewall log?
Which of the following findings should be of GREATEST concern to an IS auditor reviewing an organization's newly implemented online security awareness program?
An organization has recently moved to an agile model for deploying custom code to its in-house accounting software system. When reviewing the procedures in place for production code deployment, which of the following is the MOST significant security concern to address?
Which of the following testing methods is MOST appropriate for assessing whether system integrity has been maintained after changes have been made?
Which of the following is the BEST way to sanitize a hard disk for reuse to ensure the organization's information cannot be accessed?
Which of the following is a PRIMARY responsibility of an IT steering committee?
Which of the following is the MOST appropriate indicator of change management effectiveness?
An IS auditor learns a server administration team regularly applies workarounds to address repeated failures of critical data processing services. Which of the following would BEST enable the organization to resolve this issue?
An IS auditor identifies that a legacy application to be decommissioned in three months cannot meet the security requirements established by the current policy. What is the BEST way for the auditor to address this issue?
An IS auditor reviewing the threat assessment for a data center would be MOST concerned if:
When planning an audit, it is acceptable for an IS auditor to rely on a third-party provider’s external audit report on service level management when the
Which of the following is the BEST way to minimize sampling risk?
Which of the following provides the MOST reliable method of preventing unauthorized logon?
Which of the following is the MOST important responsibility of user departments associated with program changes?
A CFO has requested an audit of IT capacity management due to a series of finance system slowdowns during month-end reporting. What would be MOST important to consider before including this audit in the program?
The FIRST step in auditing a data communication system is to determine:
Which of the following is the PRIMARY reason to perform a risk assessment?
An IS auditor is preparing a plan for audits to be carried out over a specified period. Which of the following activities should the IS auditor perform FIRST?
An IS auditor is evaluating the access controls for a shared customer relationship management (CRM) system. Which of the following would be the GREATEST concern?
Backup procedures for an organization's critical data are considered to be which type of control?
As part of business continuity planning, which of the following is MOST important to assess when conducting a business impact analysis (BIA)?
Users are complaining that a newly released enterprise resource planning (ERP) system is functioning too slowly. Which of the following tests during the quality assurance (QA) phase would have identified this concern?
During the discussion of a draft audit report, IT management provided suitable evidence that a process has been implemented for a control that had been concluded by the IS auditor as ineffective. Which of the following is the auditor's BEST action?
Which of the following should be considered when examining fire suppression systems as part of a data center environmental controls review?
Which of the following provides the BEST assurance of data integrity after file transfers?
Which of the following provides a new IS auditor with the MOST useful information to evaluate overall IT performance?
Which of the following technologies has the SMALLEST maximum range for data transmission between devices?
Which of the following is MOST important for an IS auditor to validate when auditing network device management?
An organization has replaced all of the storage devices at its primary data center with new higher-capacity units. The replaced devices have been installed at the disaster recovery site to replace older units. An IS auditor's PRIMARY concern would be whether
Which of the following should an IS auditor recommend be done FIRST when an organization is made aware of a new regulation that is likely to impact IT security requirements?
Which of the following BEST protects evidence in a forensic investigation?
An IS auditor discovers that due to resource constraints a database administrator (DBA) is responsible for developing and executing changes into the production environment. Which of the following should the auditor do FIRST?
An IS auditor conducts a review of a third-party vendor's reporting of key performance indicators (KPIs). Which of the following findings should be of MOST concern to the auditor?
Which of the following poses the GREATEST risk to an organization when employees use public social networking sites?
Which of the following is an advantage of using agile software development methodology over the waterfall methodology?
Which type of device sits on the perimeter of a corporate or home network, where it obtains a public IP address and then generates private IP addresses internally?
Which of the following is the BEST indication of effective IT investment management?
An IS auditor requests direct access to data required to perform audit procedures instead of asking management to provide the data. Which of the following is the PRIMARY advantage of this approach?
Which of the following is MOST important during software license audits?
Which of the following is the GREATEST benefit of adopting an international IT governance framework rather than establishing a new framework based on the actual situation of a specific organization?
When assessing a proposed project for the two-way replication of a customer database with a remote call center, the IS auditor should ensure that:
An IT governance body wants to determine whether IT service delivery is based on consistently effective processes. Which of the following is the BEST approach?
Which of the following is the GREATEST impact as a result of the ongoing deterioration of a detective control?
Which of the following is the GREATEST risk if two users have concurrent access to the same database record?
During a follow-up audit, an IS auditor finds that senior management has implemented a different remediation action plan than what was previously agreed upon. Which of the following is the auditor's BEST course of action?
A company requires that all program change requests (PCRs) be approved and all modifications be automatically logged. Which of the following IS audit procedures will BEST determine whether unauthorized changes have been made to production programs?
An IS auditor observes that a business-critical application does not currently have any level of fault tolerance. Which of the following is the GREATEST concern with this situation?
Demonstrated support from which of the following roles in an organization has the MOST influence over information security governance?
The PRIMARY benefit of automating application testing is to:
In a post-implementation review of a recently purchased system, it is MOST important for the IS auditor to determine whether the:
During a project assessment, an IS auditor finds that business owners have been removed from the project initiation phase. Which of the following should be the auditor's GREATEST concern with this situation?
Which of the following should be of GREATEST concern to an IS auditor assessing the effectiveness of an organization's vulnerability scanning program?
Which of the following should be the FIRST step when conducting an IT risk assessment?
Which of the following is the BEST source of information to determine the required level of data protection on a file server?
Recovery facilities providing a redundant combination of Internet connections to the local communications loop is an example of which type of telecommunications continuity?
Which of the following is the BEST way to prevent social engineering incidents?
What would be an IS auditor's BEST course of action when an auditee is unable to close all audit recommendations by the time of the follow-up audit?
Transaction records from a business database were inadvertently deleted, and system operators decided to restore from a snapshot copy. Which of the following BEST provides assurance that the transactions were recovered successfully?
Malicious program code was found in an application and corrected prior to release into production. After the release, the same issue was reported. Which of the following is the IS auditor's BEST recommendation?
To confirm integrity for a hashed message, the receiver should use:
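Three questions in this set (a checksum as a control type, integrity after file transfers, and integrity of a hashed message) rest on the same mechanism: the receiver recomputes the digest over what actually arrived and compares it with the transmitted value. The example below is added here and is not from the original page; the message and the shared key are constructed, and the key is assumed to have been provisioned out of band. It also shows the caveat a practitioner wants: an unkeyed hash is a detective control against accidental corruption, but someone who can alter the message can usually replace the hash too, so authenticity needs a keyed tag (HMAC).

```python
import hashlib
import hmac

# Constructed sample message; the digest or tag is transmitted alongside it.
ORIGINAL = b"PAY 100.00 TO ACCT 12345"
# Assumed to have been shared out of band; it is never sent with the message.
SHARED_KEY = b"example-shared-key-assumed-provisioned-out-of-band"


def digest(data: bytes) -> str:
    """Unkeyed SHA-256 digest: the checksum sent with a file or message."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(received: bytes, transmitted_hex: str) -> bool:
    """Receiver recomputes the digest over what arrived and compares it with
    the transmitted value. A mismatch means the content changed in transit
    or at rest; this detects, it does not prevent (a detective control)."""
    return hmac.compare_digest(digest(received), transmitted_hex)


def tag(data: bytes, key: bytes) -> str:
    """Keyed digest (HMAC-SHA256): only a holder of the key can produce it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(received: bytes, transmitted_tag: str, key: bytes) -> bool:
    # compare_digest avoids leaking the position of the first differing byte
    # through timing, which an attacker could use to forge a tag byte by byte.
    return hmac.compare_digest(tag(received, key), transmitted_tag)


def demo() -> dict:
    sent_hash = digest(ORIGINAL)
    sent_tag = tag(ORIGINAL, SHARED_KEY)
    altered = ORIGINAL.replace(b"100.00", b"900.00")
    return {
        # 1. Accidental corruption: the recomputed digest no longer matches.
        "corruption_detected": not verify_digest(altered, sent_hash),
        # 2. Deliberate tampering by someone who can also replace the unkeyed
        #    hash: the digest verifies, so the plain checksum misses it.
        "tamper_missed_by_plain_hash": verify_digest(altered, digest(altered)),
        # 3. The same tampering against the keyed tag: without the key the
        #    attacker cannot produce a matching HMAC, so it is caught.
        "tamper_caught_by_hmac": not verify_tag(altered, sent_tag, SHARED_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

For a file transfer the same digest() is run over the file bytes on both ends; publishing the digest over a channel the attacker cannot write to (a signed manifest, a separate authenticated page) is what turns case 2 into a detected event.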
An organization plans to receive an automated data feed into its enterprise data warehouse from a third-party service provider. Which of the following would be the BEST way to prevent accepting bad data?
Which of the following should be the MOST important consideration when conducting a review of IT portfolio management?
Which of the following is the BEST way to mitigate the impact of ransomware attacks?
An IS auditor notes the transaction processing times in an order processing system have significantly increased after a major release. Which of the following should the IS auditor review FIRST?
What should be the PRIMARY basis for selecting which IS audits to perform in the coming year?
The implementation of an IT governance framework requires that the board of directors of an organization:
A system development project is experiencing delays due to ongoing staff shortages. Which of the following strategies would provide the GREATEST assurance of system quality at implementation?
A proper audit trail of changes to server start-up procedures would include evidence of:
Which of the following is the BEST compensating control when segregation of duties is lacking in a small IS department?
An IS auditor who was instrumental in designing an application is called upon to review the application. The auditor should:
Which of the following is MOST important for an IS auditor to examine when reviewing an organization's privacy policy?
Which of the following provides the MOST reliable audit evidence on the validity of transactions in a financial application?
Which of the following would be a result of utilizing a top-down maturity model process?
Which of the following is MOST important to ensure when planning a black box penetration test?
An IS auditor discovers that validation controls in a web application have been moved from the server side into the browser to boost performance. This would MOST likely increase the risk of a successful attack by:
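Validation that runs in the browser only runs for a client that chooses to run it; an attacker submits the HTTP request directly and the JavaScript never executes. The example below is added here and is not from the original page: a stand-in for the browser check, a server handler that trusts it, and a hardened handler that re-validates every field and takes the price from its own catalogue rather than the request. The SKUs, prices, quantity limit and forged request are constructed.

```python
CATALOGUE = {"SKU-1": 25.00, "SKU-2": 40.00}  # constructed server-side prices
MAX_QTY = 10


def browser_side_validation(form: dict) -> bool:
    """Stands in for the JavaScript that now checks the form before submit.
    It executes only in a cooperating browser; a request built with curl or
    an intercepting proxy never passes through it."""
    try:
        qty = int(form["qty"])
        price = float(form["price"])
    except (KeyError, ValueError):
        return False
    sku = form.get("sku")
    return sku in CATALOGUE and 1 <= qty <= MAX_QTY and price == CATALOGUE[sku]


def weak_order_handler(form: dict) -> dict:
    """Server that trusts the fields because 'the browser already validated
    them', including a client-supplied price."""
    return {"accepted": True, "total": float(form["price"]) * int(form["qty"])}


class ValidationError(ValueError):
    pass


def hardened_order_handler(form: dict) -> dict:
    """Server re-validates every field and never takes the price from the
    client. Browser-side checks remain useful for user feedback only."""
    sku = form.get("sku")
    if sku not in CATALOGUE:
        raise ValidationError("unknown sku")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValidationError("qty is not an integer")
    if not 1 <= qty <= MAX_QTY:
        raise ValidationError("qty out of range")
    return {"accepted": True, "total": CATALOGUE[sku] * qty}


# Constructed requests: one from the real form, one crafted outside the browser.
LEGIT_FORM = {"sku": "SKU-2", "qty": "2", "price": "40.00"}
FORGED_REQUEST = {"sku": "SKU-2", "qty": "500", "price": "0.01"}


if __name__ == "__main__":
    print("browser check on forged request:", browser_side_validation(FORGED_REQUEST))
    print("weak server accepts it anyway  :", weak_order_handler(FORGED_REQUEST))
    try:
        hardened_order_handler(FORGED_REQUEST)
    except ValidationError as e:
        print("hardened server rejects it     :", e)
```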
When evaluating the design of controls related to network monitoring, which of the following is MOST important for an IS auditor to review?
An IS auditor suspects an organization's computer may have been used to commit a crime. Which of the following is the auditor's BEST course of action?
Which of the following is the BEST justification for deferring remediation testing until the next audit?
Which of the following is MOST important with regard to an application development acceptance test?
Which of the following would BEST determine whether a post-implementation review (PIR) performed by the project management office (PMO) was effective?
Which audit approach is MOST helpful in optimizing the use of IS audit resources?
During an audit of a reciprocal disaster recovery agreement between two companies, the IS auditor would be MOST concerned with the:
One benefit of return on investment (ROI) analysis in IT decision making is that it provides the:
Which of the following BEST minimizes performance degradation of servers used to authenticate users of an e-commerce website?
When determining whether a project in the design phase will meet organizational objectives, what is BEST to compare against the business case?
Which of the following components of a risk assessment is MOST helpful to management in determining the level of risk mitigation to apply?
Which of the following should be an IS auditor's PRIMARY focus when developing a risk-based IS audit program?
Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization's information security policy?
Which of the following is MOST useful for determining whether the goals of IT are aligned with the organization's goals?
An IS auditor finds that a key Internet-facing system is vulnerable to attack and that patches are not available. What should the auditor recommend be done FIRST?
An IS auditor has found that an organization is unable to add new servers on demand in a cost-efficient manner. Which of the following is the auditor's BEST recommendation?
Which of the following is the MOST important benefit of involving IS audit when implementing governance of enterprise IT?
Prior to a follow-up engagement, an IS auditor learns that management has decided to accept a level of residual risk related to an audit finding without remediation. The IS auditor is concerned about management's decision. Which of the following should be the IS auditor's NEXT course of action?
The PRIMARY advantage of object-oriented technology is enhanced:
During an ongoing audit, management requests a briefing on the findings to date. Which of the following is the IS auditor's BEST course of action?
During a new system implementation, an IS auditor has been assigned to review risk management at each milestone. The auditor finds that several risks to project benefits have not been addressed. Who should be accountable for managing these risks?
Which of the following BEST guards against the risk of attack by hackers?
Which of the following MOST effectively minimizes downtime during system conversions?
An IS auditor found that a company executive is encouraging employee use of social networking sites for business purposes. Which of the following recommendations would BEST help to reduce the risk of data leakage?
During a disaster recovery audit, an IS auditor finds that a business impact analysis (BIA) has not been performed. The auditor should FIRST:
Which of the following would MOST likely impair the independence of the IS auditor when performing a post-implementation review of an application system?
An IS auditor notes that several employees are spending an excessive amount of time using social media sites for personal reasons. Which of the following should the auditor recommend be performed FIRST?
The PRIMARY benefit of using a dry-pipe fire-suppression system rather than a wet-pipe system is that a dry-pipe system:
Which of the following should be done FIRST when planning a penetration test?
Which of the following is a social engineering attack method?
Secure code reviews as part of a continuous deployment program are which type of control?
Which of the following is MOST important for an effective control self-assessment (CSA) program?
Which of the following BEST ensures the quality and integrity of test procedures used in audit analytics?
In a small IT web development company where developers must have write access to production, the BEST recommendation of an IS auditor would be to:
Which of the following would be an IS auditor's GREATEST concern when reviewing the early stages of a software development project?
During a follow-up audit, an IS auditor learns that some key management personnel have been replaced since the original audit, and current management has decided not to implement some previously accepted recommendations. What is the auditor's BEST course of action?
An online retailer is receiving customer complaints about receiving different items from what they ordered on the organization's website. The root cause has been traced to poor data quality. Despite efforts to clean erroneous data from the system, multiple data quality issues continue to occur. Which of the following recommendations would be the BEST way to reduce the likelihood of future occurrences?
A data breach has occurred due to malware. Which of the following should be the FIRST course of action?
During the implementation of an upgraded enterprise resource planning (ERP) system, which of the following is the MOST important consideration for a go-live decision?
An IS auditor is following up on prior period items and finds management did not address an audit finding. Which of the following should be the IS auditor's NEXT course of action?
Management has requested a post-implementation review of a newly implemented purchasing package to determine to what extent business requirements are being met. Which of the following is MOST likely to be assessed?
When an intrusion into an organization's network is detected, which of the following should be done FIRST?
An IS auditor will be testing accounts payable controls by performing data analytics on the entire population of transactions. Which of the following is MOST important for the auditor to confirm when sourcing the population data?
An IS auditor finds the log management system is overwhelmed with false positive alerts. The auditor's BEST recommendation would be to:
Which of the following is the MOST effective control to mitigate unintentional misuse of authorized access?
An IS auditor is reviewing an organization's information asset management process. Which of the following would be of GREATEST concern to the auditor?
Which of the following is the PRIMARY advantage of parallel processing for a new system implementation?
Which of the following is the BEST control to prevent the transfer of files to external parties through instant messaging (IM) applications?
An IS auditor discovers an option in a database that allows the administrator to directly modify any table. This option is necessary to overcome bugs in the software, but is rarely used. Changes to tables are automatically logged. The IS auditor's FIRST action should be to:
While executing follow-up activities, an IS auditor is concerned that management has implemented corrective actions that are different from those originally discussed and agreed with the audit function. In order to resolve the situation, the IS auditor's BEST course of action would be to:
From an IS auditor's perspective, which of the following would be the GREATEST risk associated with an incomplete inventory of deployed software in an organization?
When implementing Internet Protocol security (IPsec) architecture, the servers involved in application delivery:
Which of the following attack techniques will succeed because of an inherent security weakness in an Internet firewall?
Which of the following BEST facilitates the legal process in the event of an incident?
An IS auditor reviewing security incident processes realizes incidents are resolved and closed, but root causes are not investigated. Which of the following should be the MAJOR concern with this situation?
Which of the following should be of GREATEST concern to an IS auditor reviewing a network printer disposal process?
If enabled within firewall rules, which of the following services would present the GREATEST risk?
Which of the following should be the FIRST step in the incident response process for a suspected breach?
Which of the following features of a library control software package would protect against unauthorized updating of source code?
Which of the following BEST helps to ensure data integrity across system interfaces?
Which of the following is the BEST metric to measure the alignment of IT and business strategy?
When verifying the accuracy and completeness of migrated data for a new application system replacing a legacy system, it is MOST effective for an IS auditor to review:
Which of the following would provide an IS auditor with the GREATEST assurance that data disposal controls support business strategic objectives?
A credit card company has decided to outsource the printing of customer statements. It is MOST important for the company to verify whether:
What should an IS auditor do FIRST when management responses to an in-person internal control questionnaire indicate a key internal control is no longer effective?
Which of the following is necessary for effective risk management in IT governance?
An IS auditor is reviewing documentation of application systems change control and identifies several patches that were not tested before being put into production. Which of the following is the MOST significant risk from this situation?
A review of an organization's IT portfolio revealed several applications that are not in use. The BEST way to prevent this situation from recurring would be to implement:
In a controlled application development environment, the MOST important segregation of duties should be between the person who implements changes into the production environment and the:
A company has implemented an IT segregation of duties policy. In a role-based environment, which of the following roles may be assigned to an application developer?
Which of the following should be the FIRST step when developing a data loss prevention (DLP) solution for a large organization?
Which of the following would be MOST effective to protect information assets in a data center from theft by a vendor?
Which of the following is the MOST effective way for an organization to help ensure agreed-upon action plans from an IS audit will be implemented?
Which of the following would BEST ensure that a backup copy is available for restoration of mission critical data after a disaster?
An IS auditor has been asked to advise on measures to improve IT governance within the organization. Which of the following is the BEST recommendation?
An audit identified that a computer system is not assigning sequential purchase order numbers to order requests. The IS auditor is conducting an audit follow-up to determine if management has resolved this finding. Which of the following is the MOST reliable follow-up procedure?
An organization has outsourced the development of a core application. However, the organization plans to bring the support and future maintenance of the application back in-house. Which of the following findings should be the IS auditor's GREATEST concern?
Which of the following backup schemes is the BEST option when storage media is limited?
The PRIMARY role of a control self-assessment (CSA) facilitator is to:
An IS auditor finds that capacity management for a key system is being performed by IT with no input from the business. The auditor's PRIMARY concern would be:
Which of the following is the BEST way to mitigate the risk associated with unintentional modifications of complex calculations in end-user computing (EUC)?
An organization is disposing of a system containing sensitive data and has deleted all files from the hard disk. An IS auditor should be concerned because:
What is the GREATEST concern for an IS auditor reviewing contracts for licensed software that executes a critical business process?
Which of the following would be MOST useful when analyzing computer performance?
Which of the following BEST enables the effectiveness of an agile project for the rapid development of a new software application?
Which of the following is the BEST way to enforce the principle of least privilege on a server containing data with different security classifications?
Which of the following presents the GREATEST challenge to the alignment of business and IT?
Which of the following is MOST important when planning a network audit?
Which of the following security measures will reduce the risk of propagation when a cyberattack occurs?
An organization has virtualized its server environment without making any other changes to the network or security infrastructure. Which of the following is the MOST significant risk?
What is the PRIMARY benefit of an audit approach which requires reported findings to be issued together with related action plans, owners, and target dates?
Which of the following would be the MOST useful metric for management to consider when reviewing a project portfolio?
An IS auditor assessing the controls within a newly implemented call center would FIRST:
Which of the following is MOST important for an IS auditor to confirm when reviewing an organization's plans to implement robotic process automation (RPA) to automate routine business tasks?
An IS auditor finds that one employee has unauthorized access to confidential data. The IS auditor's BEST recommendation should be to:
Which of the following should be the IS auditor's PRIMARY focus, when evaluating an organization's offsite storage facility?
Which of the following would BEST help to ensure that potential security issues are considered by the development team as part of incremental changes to agile-developed software?
Which of the following is a challenge in developing a service level agreement (SLA) for network services?
An IS auditor discovers that an IT organization serving several business units assigns equal priority to all initiatives, creating a risk of delays in securing project funding. Which of the following would be MOST helpful in matching demand for projects and services with available resources in a way that supports business objectives?
During an audit of an organization's risk management practices, an IS auditor finds several documented IT risk acceptances have not been renewed in a timely manner after the assigned expiration date. When assessing the severity of this finding, which mitigating factor would MOST significantly minimize the associated impact?
Which of the following is the BEST way to ensure that business continuity plans (BCPs) will work effectively in the event of a major disaster?
Which of the following is the BEST evidence that an organization's IT strategy is aligned to its business objectives?
Which of the following is MOST critical for the effective implementation of IT governance?
Which of the following would be of GREATEST concern when reviewing an organization's security information and event management (SIEM) solution?
Which of the following would BEST detect that a distributed denial of service (DDoS) attack is occurring?
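What detects a distributed denial of service in progress is traffic monitoring against a known baseline: request volume far above normal, arriving from many sources at once rather than from one abusive client. The example below is added here and is not from the original page. The request log is constructed inside the block (a few normal minutes followed by a flood from 200 addresses in the 203.0.113.0/24 documentation range), and the baseline window and 10x multiplier are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_log() -> list:
    """Constructed request log, one 'ISO-timestamp src_ip' line per request.
    Minutes 0-4: 6 requests/min from 3 known clients (normal traffic).
    Minutes 5-6: 1,200 requests/min spread over 200 source addresses."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    clients = ["198.51.100.10", "198.51.100.11", "198.51.100.12"]
    lines = []
    for minute in range(5):
        for i in range(6):
            ts = t0 + timedelta(minutes=minute, seconds=9 * i)
            lines.append(f"{ts.isoformat()} {clients[i % 3]}")
    for minute in (5, 6):
        for i in range(1200):
            ts = t0 + timedelta(minutes=minute, seconds=i // 20)
            lines.append(f"{ts.isoformat()} 203.0.113.{i % 200}")
    return lines


def per_minute(lines) -> dict:
    """Request count and distinct-source count per one-minute bucket."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        ts, ip = line.split()
        bucket = datetime.fromisoformat(ts).replace(second=0, microsecond=0)
        counts[bucket] += 1
        sources[bucket].add(ip)
    return {b: (counts[b], len(sources[b])) for b in sorted(counts)}


def detect_flood(lines, baseline_minutes: int = 5, factor: int = 10) -> list:
    """Flag minutes whose request volume exceeds factor x the baseline rate,
    where the baseline is the mean of the first baseline_minutes buckets.
    Each hit is (minute, requests, distinct_sources): a high source count
    alongside the spike is what separates a distributed attack from a single
    runaway client, which rate limiting by IP would already handle."""
    stats = per_minute(lines)
    buckets = list(stats)
    if len(buckets) <= baseline_minutes:
        return []
    baseline = sum(stats[b][0] for b in buckets[:baseline_minutes]) / baseline_minutes
    flagged = []
    for b in buckets[baseline_minutes:]:
        requests, distinct = stats[b]
        if requests > factor * baseline:
            flagged.append((b.isoformat(), requests, distinct))
    return flagged


if __name__ == "__main__":
    for minute, requests, distinct in detect_flood(constructed_log()):
        print(f"{minute}: {requests} requests from {distinct} sources")
```

A fixed-window baseline like this is enough to show the signal; a production detector would use a rolling baseline so that legitimate growth does not become a permanent alert.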
Which of the following is MOST important for an IS auditor to look for in a project feasibility study?
An IS auditor is reviewing the installation of a new server. The IS auditor's PRIMARY objective is to ensure that
An IS auditor finds that application servers had inconsistent security settings leading to potential vulnerabilities. Which of the following is the BEST recommendation by the IS auditor?
Which of the following would be an appropriate role of internal audit in helping to establish an organization’s privacy program?
During audit fieldwork, an IS auditor learns that employees are allowed to connect their personal devices to company-owned computers. How can the auditor BEST validate that appropriate security controls are in place to prevent data loss?
A post-implementation review was conducted by issuing a survey to users. Which of the following should be of GREATEST concern to an IS auditor?
A review of Internet security disclosed that users have individual user accounts with Internet service providers (ISPs) and use these accounts for downloading business data. The organization wants to ensure that only the corporate network is used. The organization should FIRST:
Which of the following is the PRIMARY advantage of using virtualization technology for corporate applications?
When reviewing a data classification scheme, it is MOST important for an IS auditor to determine if:
Which of the following is the MOST efficient way to identify segregation of duties violations in a new system?
Which of the following is the GREATEST risk of using a reciprocal site for disaster recovery?
Which of the following is MOST important to ensure that electronic evidence collected during a forensic investigation will be admissible in future legal proceedings?