Special Summer Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

Free and Premium Isaca CISA Dumps Questions Answers

Page: 1 / 105
Total 1404 questions

Certified Information Systems Auditor Questions and Answers

Question 1

Due to limited storage capacity, an organization has decided to reduce the actual retention period for media containing completed low-value transactions. Which of the following is MOST important for the organization to ensure?

Options:

A.

The policy includes a strong risk-based approach.

B.

The retention period allows for review during the year-end audit.

C.

The retention period complies with data owner responsibilities.

D.

The total transaction amount has no impact on financial reporting

Buy Now
Question 2

A third-party consultant is managing the replacement of an accounting system. Which of the following should be the IS auditor's GREATEST concern?

Options:

A.

Data migration is not part of the contracted activities.

B.

The replacement is occurring near year-end reporting

C.

The user department will manage access rights.

D.

Testing was performed by the third-party consultant

Question 3

Which of the following findings should be of GREATEST concern for an IS auditor when auditing the effectiveness of a phishing simu-lation test administered for staff members?

Options:

A.

Staff members who failed the test did not receive follow-up education

B.

Test results were not communicated to staff members.

C.

Staff members were not notified about the test beforehand.

D.

Security awareness training was not provided prior to the test.

Question 4

Which of the following is the GREATEST risk associated with storing customer data on a web server?

Options:

A.

Data availability

B.

Data confidentiality

C.

Data integrity

D.

Data redundancy

Question 5

IT disaster recovery time objectives (RTOs) should be based on the:

Options:

A.

maximum tolerable loss of data.

B.

nature of the outage

C.

maximum tolerable downtime (MTD).

D.

business-defined criticality of the systems.

Question 6

Following a security breach in which a hacker exploited a well-known vulnerability in the domain controller, an IS audit has been asked to conduct a control assessment. the auditor's BEST course of action would be to determine if:

Options:

A.

the patches were updated.

B.

The logs were monitored.

C.

The network traffic was being monitored.

D.

The domain controller was classified for high availability.

Question 7

Which of the following is MOST important for an IS auditor to verify when evaluating an organization's firewall?

Options:

A.

Logs are being collected in a separate protected host

B.

Automated alerts are being sent when a risk is detected

C.

Insider attacks are being controlled

D.

Access to configuration files Is restricted.

Question 8

A new system is being developed by a vendor for a consumer service organization. The vendor will provide its proprietary software once system development is completed Which of the following is the MOST important requirement to include In the vendor contract to ensure continuity?

Options:

A.

Continuous 24/7 support must be available.

B.

The vendor must have a documented disaster recovery plan (DRP) in place.

C.

Source code for the software must be placed in escrow.

D.

The vendor must train the organization's staff to manage the new software

Question 9

In order to be useful, a key performance indicator (KPI) MUST

Options:

A.

be approved by management.

B.

be measurable in percentages.

C.

be changed frequently to reflect organizational strategy.

D.

have a target value.

Question 10

Which of the following is the GREATEST security risk associated with data migration from a legacy human resources (HR) system to a cloud-based system?

Options:

A.

Data from the source and target system may be intercepted.

B.

Data from the source and target system may have different data formats.

C.

Records past their retention period may not be migrated to the new system.

D.

System performance may be impacted by the migration

Question 11

Which of the following environments is BEST used for copying data and transformation into a compatible data warehouse format?

Options:

A.

Testing

B.

Replication

C.

Staging

D.

Development

Question 12

Which of the following activities provides an IS auditor with the MOST insight regarding potential single person dependencies that might exist within the organization?

Options:

A.

Reviewing vacation patterns

B.

Reviewing user activity logs

C.

Interviewing senior IT management

D.

Mapping IT processes to roles

Question 13

During an audit of a financial application, it was determined that many terminated users' accounts were not disabled. Which of the following should be the IS auditor's NEXT step?

Options:

A.

Perform substantive testing of terminated users' access rights.

B.

Perform a review of terminated users' account activity

C.

Communicate risks to the application owner.

D.

Conclude that IT general controls ate ineffective.

Question 14

An organization with many desktop PCs is considering moving to a thin client architecture. Which of the following is the MAJOR advantage?

Options:

A.

The security of the desktop PC is enhanced.

B.

Administrative security can be provided for the client.

C.

Desktop application software will never have to be upgraded.

D.

System administration can be better managed

Question 15

Which of the following is the BEST source of information tor an IS auditor to use when determining whether an organization's information security policy is adequate?

Options:

A.

Information security program plans

B.

Penetration test results

C.

Risk assessment results

D.

Industry benchmarks

Question 16

Which of the following security risks can be reduced by a property configured network firewall?

Options:

A.

SQL injection attacks

B.

Denial of service (DoS) attacks

C.

Phishing attacks

D.

Insider attacks

Question 17

An organization was recently notified by its regulatory body of significant discrepancies in its reporting data. A preliminary investigation revealed that the discrepancies were caused by problems with the organization's data quality Management has directed the data quality team to enhance their program. The audit committee has asked internal audit to be advisors to the process. To ensure that management concerns are addressed, which data set should internal audit recommend be reviewed FIRST?

Options:

A.

Data with customer personal information

B.

Data reported to the regulatory body

C.

Data supporting financial statements

D.

Data impacting business objectives

Question 18

An organization is planning an acquisition and has engaged an IS auditor lo evaluate the IT governance framework of the target company. Which of the following would be MOST helpful In determining the effectiveness of the framework?

Options:

A.

Sell-assessment reports of IT capability and maturity

B.

IT performance benchmarking reports with competitors

C.

Recent third-party IS audit reports

D.

Current and previous internal IS audit reports

Question 19

Which of the following BEST protects an organization's proprietary code during a joint-development activity involving a third party?

Options:

A.

Statement of work (SOW)

B.

Nondisclosure agreement (NDA)

C.

Service level agreement (SLA)

D.

Privacy agreement

Question 20

In which phase of penetration testing would host detection and domain name system (DNS) interrogation be performed?

Options:

A.

Discovery

B.

Attacks

C.

Planning

D.

Reporting

Question 21

A new regulation in one country of a global organization has recently prohibited cross-border transfer of personal data. An IS auditor has been asked to determine the organization's level of exposure In the affected country. Which of the following would be MOST helpful in making this assessment?

Options:

A.

Developing an inventory of all business entities that exchange personal data with the affected jurisdiction

B.

Identifying data security threats in the affected jurisdiction

C.

Reviewing data classification procedures associated with the affected jurisdiction

D.

Identifying business processes associated with personal data exchange with the affected jurisdiction

Question 22

During a follow-up audit, it was found that a complex security vulnerability of low risk was not resolved within the agreed-upon timeframe. IT has stated that the system with the identified vulnerability is being replaced and is expected to be fully functional in two months Which of the following is the BEST course of action?

Options:

A.

Require documentation that the finding will be addressed within the new system

B.

Schedule a meeting to discuss the issue with senior management

C.

Perform an ad hoc audit to determine if the vulnerability has been exploited

D.

Recommend the finding be resolved prior to implementing the new system

Question 23

Which of the following would lead an IS auditor to conclude that the evidence collected during a digital forensic investigation would not be admissible in court?

Options:

A.

The person who collected the evidence is not qualified to represent the case.

B.

The logs failed to identify the person handling the evidence.

C.

The evidence was collected by the internal forensics team.

D.

The evidence was not fully backed up using a cloud-based solution prior to the trial.

Question 24

Which of the following should an IS auditor review FIRST when planning a customer data privacy audit?

Options:

A.

Legal and compliance requirements

B.

Customer agreements

C.

Data classification

D.

Organizational policies and procedures

Question 25

Which of the following is MOST important to consider when scheduling follow-up audits?

Options:

A.

The efforts required for independent verification with new auditors

B.

The impact if corrective actions are not taken

C.

The amount of time the auditee has agreed to spend with auditors

D.

Controls and detection risks related to the observations

Question 26

Providing security certification for a new system should include which of the following prior to the system's implementation?

Options:

A.

End-user authorization to use the system in production

B.

External audit sign-off on financial controls

C.

Testing of the system within the production environment

D.

An evaluation of the configuration management practices

Question 27

What is the MAIN reason to use incremental backups?

Options:

A.

To improve key availability metrics

B.

To reduce costs associates with backups

C.

To increase backup resiliency and redundancy

D.

To minimize the backup time and resources

Question 28

Which of the following is MOST helpful for measuring benefits realization for a new system?

Options:

A.

Function point analysis

B.

Balanced scorecard review

C.

Post-implementation review

D.

Business impact analysis (BIA)

Question 29

An IS auditor finds that an organization's data loss prevention (DLP) system is configured to use vendor default settings to identify violations. The auditor's MAIN concern should be that:

Options:

A.

violation reports may not be reviewed in a timely manner.

B.

a significant number of false positive violations may be reported.

C.

violations may not be categorized according to the organization's risk profile.

D.

violation reports may not be retained according to the organization's risk profile.

Question 30

Which of the following BEST demonstrates that IT strategy Is aligned with organizational goals and objectives?

Options:

A.

IT strategies are communicated to all Business stakeholders

B.

Organizational strategies are communicated to the chief information officer (CIO).

C.

Business stakeholders are Involved In approving the IT strategy.

D.

The chief information officer (CIO) is involved In approving the organizational strategies

Question 31

Which of the following findings should be of GREATEST concern to an IS auditor performing a review of IT operations?

Options:

A.

The job scheduler application has not been designed to display pop-up error messages.

B.

Access to the job scheduler application has not been restricted to a maximum of two staff members

C.

Operations shift turnover logs are not utilized to coordinate and control the processing environment

D.

Changes to the job scheduler application's parameters are not approved and reviewed by an operations supervisor

Question 32

In an environment that automatically reports all program changes, which of the following is the MOST efficient way to detect unauthorized changes to production programs?

Options:

A.

Reviewing the last compile date of production programs

B.

Manually comparing code in production programs to controlled copies

C.

Periodically running and reviewing test data against production programs

D.

Verifying user management approval of modifications

Question 33

An organization recently implemented a cloud document storage solution and removed the ability for end users to save data to their local workstation hard drives. Which of the following findings should be the IS auditor's GREATEST concern?

Options:

A.

Users are not required to sign updated acceptable use agreements.

B.

Users have not been trained on the new system.

C.

The business continuity plan (BCP) was not updated.

D.

Mobile devices are not encrypted.

Question 34

An IS auditor learns the organization has experienced several server failures in its distributed environment. Which of the following is the BEST recommendation to limit the potential impact of server failures in the future?

Options:

A.

Redundant pathways

B.

Clustering

C.

Failover power

D.

Parallel testing

Question 35

A project team has decided to switch to an agile approach to develop a replacement for an existing business application. Which of the following should an IS auditor do FIRST to ensure the effectiveness of the protect audit?

Options:

A.

Compare the agile process with previous methodology.

B.

Identify and assess existing agile process control

C.

Understand the specific agile methodology that will be followed.

D.

Interview business process owners to compile a list of business requirements

Question 36

Which of the following is MOST important to verify when determining the completeness of the vulnerability scanning process?

Options:

A.

The organization's systems inventory is kept up to date.

B.

Vulnerability scanning results are reported to the CISO.

C.

The organization is using a cloud-hosted scanning tool for Identification of vulnerabilities

D.

Access to the vulnerability scanning tool is periodically reviewed

Question 37

Which of the following is the BEST indicator of the effectiveness of an organization's incident response program?

Options:

A.

Number of successful penetration tests

B.

Percentage of protected business applications

C.

Financial impact per security event

D.

Number of security vulnerability patches

Question 38

Which of the following is the MAIN purpose of an information security management system?

Options:

A.

To identify and eliminate the root causes of information security incidents

B.

To enhance the impact of reports used to monitor information security incidents

C.

To keep information security policies and procedures up-to-date

D.

To reduce the frequency and impact of information security incidents

Question 39

An organization that has suffered a cyber-attack is performing a forensic analysis of the affected users' computers. Which of the following should be of GREATEST concern for the IS auditor reviewing this process?

Options:

A.

An imaging process was used to obtain a copy of the data from each computer.

B.

The legal department has not been engaged.

C.

The chain of custody has not been documented.

D.

Audit was only involved during extraction of the Information

Question 40

Which of the following observations would an IS auditor consider the GREATEST risk when conducting an audit of a virtual server farm tor potential software vulnerabilities?

Options:

A.

Guest operating systems are updated monthly

B.

The hypervisor is updated quarterly.

C.

A variety of guest operating systems operate on one virtual server

D.

Antivirus software has been implemented on the guest operating system only.

Question 41

Which of the following is a social engineering attack method?

Options:

A.

An employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone.

B.

A hacker walks around an office building using scanning tools to search for a wireless network to gain access.

C.

An intruder eavesdrops and collects sensitive information flowing through the network and sells it to third parties.

D.

An unauthorized person attempts to gain access to secure premises by following an authorized person through a secure door.

Question 42

An organization has recently implemented a Voice-over IP (VoIP) communication system. Which ot the following should be the IS auditor's PRIMARY concern?

Options:

A.

A single point of failure for both voice and data communications

B.

Inability to use virtual private networks (VPNs) for internal traffic

C.

Lack of integration of voice and data communications

D.

Voice quality degradation due to packet toss

Question 43

Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system. Which of the following is the IS auditor's BEST recommendation for a compensating control?

Options:

A.

Require written authorization for all payment transactions

B.

Restrict payment authorization to senior staff members.

C.

Reconcile payment transactions with invoices.

D.

Review payment transaction history

Question 44

Which of the following provides the MOST assurance over the completeness and accuracy ol loan application processing with respect to the implementation of a new system?

Options:

A.

Comparing code between old and new systems

B.

Running historical transactions through the new system

C.

Reviewing quality assurance (QA) procedures

D.

Loading balance and transaction data to the new system

Question 45

An IS auditor is reviewing an industrial control system (ICS) that uses older unsupported technology in the scope of an upcoming audit. What should the auditor consider the MOST significant concern?

Options:

A.

Attack vectors are evolving for industrial control systems.

B.

There is a greater risk of system exploitation.

C.

Disaster recovery plans (DRPs) are not in place.

D.

Technical specifications are not documented.

Question 46

An organization has assigned two now IS auditors to audit a now system implementation. One of the auditors has an IT-related degree, and one has a business degree. Which ol the following is MOST important to meet the IS audit standard for proficiency?

Options:

A.

The standard is met as long as one member has a globally recognized audit certification.

B.

Technical co-sourcing must be used to help the new staff.

C.

Team member assignments must be based on individual competencies.

D.

The standard is met as long as a supervisor reviews the new auditors' work.

Question 47

Which of the following is the PRIMARY role of the IS auditor m an organization's information classification process?

Options:

A.

Securing information assets in accordance with the classification assigned

B.

Validating that assets are protected according to assigned classification

C.

Ensuring classification levels align with regulatory guidelines

D.

Defining classification levels for information assets within the organization

Question 48

An organization plans to receive an automated data feed into its enterprise data warehouse from a third-party service provider. Which of the following would be the BEST way to prevent accepting bad data?

Options:

A.

Obtain error codes indicating failed data feeds.

B.

Purchase data cleansing tools from a reputable vendor.

C.

Appoint data quality champions across the organization.

D.

Implement business rules to reject invalid data.

Question 49

Which of the following controls BEST ensures appropriate segregation of dudes within an accounts payable department?

Options:

A.

Ensuring that audit trails exist for transactions

B.

Restricting access to update programs to accounts payable staff only

C.

Including the creator's user ID as a field in every transaction record created

D.

Restricting program functionality according to user security profiles

Question 50

Which of the following would be an appropriate rote of internal audit in helping to establish an organization's privacy program?

Options:

A.

Analyzing risks posed by new regulations

B.

Designing controls to protect personal data

C.

Defining roles within the organization related to privacy

D.

Developing procedures to monitor the use of personal data

Question 51

When auditing the alignment of IT to the business strategy, it is MOST Important for the IS auditor to:

Options:

A.

compare the organization's strategic plan against industry best practice.

B.

interview senior managers for their opinion of the IT function.

C.

ensure an IT steering committee is appointed to monitor new IT projects.

D.

evaluate deliverables of new IT initiatives against planned business services.

Question 52

An IS auditor is reviewing security controls related to collaboration tools for a business unit responsible for intellectual property and patents. Which of the following observations should be of MOST concern to the auditor?

Options:

A.

Training was not provided to the department that handles intellectual property and patents

B.

Logging and monitoring for content filtering is not enabled.

C.

Employees can share files with users outside the company through collaboration tools.

D.

The collaboration tool is hosted and can only be accessed via an Internet browser

Question 53

The PRIMARY focus of a post-implementation review is to verify that:

Options:

A.

enterprise architecture (EA) has been complied with.

B.

user requirements have been met.

C.

acceptance testing has been properly executed.

D.

user access controls have been adequately designed.

Question 54

An IS auditor performs a follow-up audit and learns the approach taken by the auditee to fix the findings differs from the agreed-upon approach confirmed during the last audit. Which of the following should be the auditor's NEXT course of action?

Options:

A.

Evaluate the appropriateness of the remedial action taken.

B.

Conduct a risk analysis incorporating the change.

C.

Report results of the follow-up to the audit committee.

D.

Inform senior management of the change in approach.

Question 55

Which of the following is MOST important for an IS auditor to consider when performing the risk assessment poor to an audit engagement?

Options:

A.

The design of controls

B.

Industry standards and best practices

C.

The results of the previous audit

D.

The amount of time since the previous audit

Question 56

Which of the following metrics would BEST measure the agility of an organization's IT function?

Options:

A.

Average number of learning and training hours per IT staff member

B.

Frequency of security assessments against the most recent standards and guidelines

C.

Average time to turn strategic IT objectives into an agreed upon and approved initiative

D.

Percentage of staff with sufficient IT-related skills for the competency required of their roles

Question 57

Which of the following is the BEST reason for an organization to use clustering?

Options:

A.

To decrease system response time

B.

To Improve the recovery lime objective (RTO)

C.

To facilitate faster backups

D.

To improve system resiliency

Question 58

During the implementation of a new system, an IS auditor must assess whether certain automated calculations comply with the regulatory requirements Which of the following is the BEST way to obtain this assurance?

Options:

A.

Review sign-off documentation

B.

Review the source code related to the calculation

C.

Re-perform the calculation with audit software

D.

Inspect user acceptance lest (UAT) results

Question 59

Which of the following findings from an IT governance review should be of GREATEST concern?

Options:

A.

The IT budget is not monitored

B.

All IT services are provided by third parties.

C.

IT value analysis has not been completed.

D.

IT supports two different operating systems.

Question 60

An IS auditor notes that IT and the business have different opinions on the availability of their application servers. Which of the following should the IS auditor review FIRST in order to understand the problem?

Options:

A.

The exact definition of the service levels and their measurement

B.

The alerting and measurement process on the application servers

C.

The actual availability of the servers as part of a substantive test

D.

The regular performance-reporting documentation

Question 61

Which of the following are BEST suited for continuous auditing?

Options:

A.

Low-value transactions

B.

Real-lime transactions

C.

Irregular transactions

D.

Manual transactions

Question 62

An IS auditor is reviewing the release management process for an in-house software development solution. In which environment Is the software version MOST likely to be the same as production?

Options:

A.

Staging

B.

Testing

C.

Integration

D.

Development

Question 63

Which of the following weaknesses would have the GREATEST impact on the effective operation of a perimeter firewall?

Options:

A.

Use of stateful firewalls with default configuration

B.

Ad hoc monitoring of firewall activity

C.

Misconfiguration of the firewall rules

D.

Potential back doors to the firewall software

Question 64

An IS auditor concludes that an organization has a quality security policy. Which of the following is MOST important to determine next? The policy must be:

Options:

A.

well understood by all employees.

B.

based on industry standards.

C.

developed by process owners.

D.

updated frequently.

Question 65

The BEST way to determine whether programmers have permission to alter data in the production environment is by reviewing:

Options:

A.

the access control system's log settings.

B.

how the latest system changes were implemented.

C.

the access control system's configuration.

D.

the access rights that have been granted.

Question 66

To enable the alignment of IT staff development plans with IT strategy, which of the following should be done FIRST?

Options:

A.

Review IT staff job descriptions for alignment

B.

Develop quarterly training for each IT staff member.

C.

Identify required IT skill sets that support key business processes

D.

Include strategic objectives m IT staff performance objectives

Question 67

To develop meaningful recommendations 'or findings, which of the following is MOST important 'or an IS auditor to determine and understand?

Options:

A.

Root cause

B.

Responsible party

C.

impact

D.

Criteria

Question 68

Which of the following is the MOST appropriate and effective fire suppression method for an unstaffed computer room?

Options:

A.

Water sprinkler

B.

Fire extinguishers

C.

Carbon dioxide (CO2)

D.

Dry pipe

Question 69

Which of the following is the BEST way for an organization to mitigate the risk associated with third-party application performance?

Options:

A.

Ensure the third party allocates adequate resources to meet requirements.

B.

Use analytics within the internal audit function

C.

Conduct a capacity planning exercise

D.

Utilize performance monitoring tools to verify service level agreements (SLAs)

Question 70

During an IT governance audit, an IS auditor notes that IT policies and procedures are not regularly reviewed and updated. The GREATEST concern to the IS auditor is that policies and procedures might not:

Options:

A.

reflect current practices.

B.

include new systems and corresponding process changes.

C.

incorporate changes to relevant laws.

D.

be subject to adequate quality assurance (QA).

Question 71

Which of the following is the BEST audit procedure to determine whether a firewall is configured in compliance with the organization's security policy?

Options:

A.

Reviewing the parameter settings

B.

Reviewing the system log

C.

Interviewing the firewall administrator

D.

Reviewing the actual procedures

Question 72

Which of the following is the MOST important area of focus for an IS auditor when developing a risk-based audit strategy?

Options:

A.

Critical business applications

B.

Business processes

C.

Existing IT controls

D.

Recent audit results

Question 73

An IS auditor has been tasked with auditing the inventory control process for a large organization that processes millions of data transactions. Which of the following is the BEST testing strategy to adopt?

Options:

A.

Continuous monitoring

B.

Control self-assessments (CSAs)

C.

Risk assessments

D.

Stop-or-go sampling

Question 74

An IS auditor finds that periodic reviews of read-only users for a reporting system are not being performed. Which of the following should be the IS auditor's NEXT course of action?

Options:

A.

Review the list of end users and evaluate for authorization.

B.

Report this control process weakness to senior management.

C.

Verify managements approval for this exemption

D.

Obtain a verbal confirmation from IT for this exemption.

Question 75

Stress testing should ideally be carried out under a:

Options:

A.

test environment with production workloads.

B.

test environment with test data.

C.

production environment with production workloads.

D.

production environment with test data.

Question 76

An IS auditor has identified deficiencies within the organization's software development life cycle policies. Which of the following should be done NEXT?

Options:

A.

Document the findings in the audit report.

B.

Identify who approved the policies.

C.

Escalate the situation to the lead auditor.

D.

Communicate the observation to the auditee.

Question 77

Which type of risk would MOST influence the selection of a sampling methodology?

Options:

A.

Inherent

B.

Residual

C.

Control

D.

Detection

Question 78

When planning an internal penetration test, which of the following is the MOST important step prior to finalizing the scope of testing?

Options:

A.

Ensuring the scope of penetration testing is restricted to the test environment

B.

Obtaining management's consent to the testing scope in writing

C.

Notifying the IT security department regarding the testing scope

D.

Agreeing on systems to be excluded from the testing scope with the IT department

Question 79

Which of the following responses to risk associated with segregation of duties would incur the LOWEST initial cost?

Options:

A.

Risk acceptance

B.

Risk mitigation

C.

Risk transference

D.

Risk reduction

Question 80

The BEST way to provide assurance that a project is adhering to the project plan is to:

Options:

A.

require design reviews at appropriate points in the life cycle.

B.

have an IS auditor participate on the steering committee.

C.

have an IS auditor participate on the quality assurance (QA) team.

D.

conduct compliance audits at major system milestones.

Question 81

Which of the following is MOST important to include in security awareness training?

Options:

A.

How to respond to various types of suspicious activity

B.

The importance of complex passwords

C.

Descriptions of the organization's security infrastructure

D.

Contact information for the organization's security team

Question 82

Which of the following BEST facilitates strategic program management?

Options:

A.

Implementing stage gates

B.

Establishing a quality assurance (QA) process

C.

Aligning projects with business portfolios

D.

Tracking key project milestones

Question 83

Which of the following areas of responsibility would cause the GREATEST segregation of duties conflict if the individual who performs the related tasks also has approval authority?

Options:

A.

Purchase requisitions and purchase orders

B.

Invoices and reconciliations

C.

Vendor selection and statements of work

D.

Good receipts and payments

Question 84

The PRIMARY purpose of an incident response plan is to:

Options:

A.

reduce the impact of an adverse event on information assets.

B.

increase the effectiveness of preventive controls.

C.

reduce the maximum tolerable downtime (MTD) of impacted systems.

D.

increase awareness of impacts from adverse events to IT systems.

Question 85

Which of the following would BEST guide an IS auditor when determining an appropriate time to schedule the follow-up of agreed corrective actions for reported audit issues?

Options:

A.

Progress updates indicate that the implementation of agreed actions is on track.

B.

Sufficient time has elapsed since implementation to provide evidence of control operation.

C.

Business management has completed the implementation of agreed actions on schedule.

D.

Regulators have announced a timeline for an inspection visit.

Question 86

An IS auditor is reviewing a client's outsourced payroll system to assess whether the financial audit team can rely on the application. Which of the following findings would be the auditor's

GREATEST concern?

Options:

A.

User access rights have not been periodically reviewed by the client.

B.

Payroll processing costs have not been included in the IT budget.

C.

The third-party contract has not been reviewed by the legal department.

D.

The third-party contract does not comply with the vendor management policy.

Question 87

Which type of attack targets security vulnerabilities in web applications to gain access to data sets?

Options:

A.

Denial of service (DOS)

B.

SQL injection

C.

Phishing attacks

D.

Rootkits

Question 88

Which of the following should an IS auditor use when verifying a three-way match has occurred in an enterprise resource planning (ERR) system?

Options:

A.

Bank confirmation

B.

Goods delivery notification

C.

Purchase requisition

D.

Purchase order

Question 89

Which of the following approaches would utilize data analytics to facilitate the testing of a new account creation process?

Options:

A.

Attempt to submit new account applications with invalid dates of birth.

B.

Review the business requirements document for date of birth field requirements.

C.

Review new account applications submitted in the past month for invalid dates of birth.

D.

Evaluate configuration settings for the date of birth field requirements

Question 90

Which of the following is MOST likely to be a project deliverable of an agile software development methodology?

Options:

A.

Strictly managed software requirements baselines

B.

Extensive project documentation

C.

Automated software programming routines

D.

Rapidly created working prototypes

Question 91

Which of the following is MOST helpful for an IS auditor to review when evaluating an organizations business process that are supported by applications and IT systems?

Options:

A.

Configuration management database (CMDB)

B.

Enterprise architecture (EA)

C.

IT portfolio management

D.

IT service management

Question 92

Which of the following findings from a database security audit presents the GREATEST risk of critical security exposures?

Options:

A.

Legacy data has not been purged.

B.

Admin account passwords are not set to expire.

C.

Default settings have not been changed.

D.

Database activity logging is not complete.

Question 93

The FIRST step in an incident response plan is to:

Options:

A.

validate the incident.

B.

notify the head of the IT department.

C.

isolate systems impacted by the incident.

D.

initiate root cause analysis.

Question 94

A secure server room has a badge reader system that records name, date, and time information whenever a staff member uses a badge to enter or exit. When reviewing the system logs, an IS auditor notices records for some employees entering, but not exiting, the room. Which of the following would be the MOST effective compensating control to recommend?

Options:

A.

Installing security cameras at the doors

B.

Changing to a biometric access control system

C.

Implementing a monitored mantrap at entrance and exit points

D.

Requiring two-factor authentication at entrance and exit points

Question 95

An IS audit review identifies inconsistencies in privacy requirements across third-party service provider contracts. Which of the following is the BEST

recommendation to address this situation?

Options:

A.

Suspend contracts with third-party providers that handle sensitive data.

B.

Prioritize contract amendments for third-party providers.

C.

Review privacy requirements when contracts come up for renewal.

D.

Require third-party providers to sign nondisclosure agreements (NDAs).

Question 96

An IS audit manager is reviewing workpapers for a recently completed audit of the corporate disaster recovery test. Which of the following should the IS audit manager specifically review to substantiate the conclusions?

Options:

A.

Overviews of interviews between data center personnel and the auditor

B.

Prior audit reports involving other corporate disaster recovery audits

C.

Summary memos reflecting audit opinions regarding noted weaknesses

D.

Detailed evidence of the successes and weaknesses of all contingency testing

Question 97

Which of the following is MOST critical to the success of an information security program?

Options:

A.

Alignment of information security with IT objectives

B.

Management’s commitment to information security

C.

Integration of business and information security

D.

User accountability for information security

Question 98

Which of the following is the PRIMARY benefit of a tabletop exercise for an incident response plan?

Options:

A.

It demonstrates the maturity of the incident response program.

B.

It reduces the likelihood of an incident occurring.

C.

It identifies deficiencies in the operating environment.

D.

It increases confidence in the team's response readiness.

Question 99

Which of the following should be done FIRST when planning to conduct internal and external penetration testing for a client?

Options:

A.

Establish the timing of testing.

B.

Identify milestones.

C.

Determine the test reporting

D.

Establish the rules of engagement.

Question 100

During a pre-deployment assessment, what is the BEST indication that a business case will lead to the achievement of business objectives?

Options:

A.

The business case reflects stakeholder requirements.

B.

The business case is based on a proven methodology.

C.

The business case passed a quality review by an independent party.

D.

The business case identifies specific plans for cost allocation.

Question 101

Which of the following is the GREATEST risk when relying on reports generated by end-user computing (EUC)?

Options:

A.

Data may be inaccurate.

B.

Reports may not work efficiently.

C.

Reports may not be timely.

D.

Historical data may not be available.

Question 102

An organization has an acceptable use policy in place, but users do not formally acknowledge the policy. Which of the following is the MOST significant risk from this finding?

Options:

A.

Lack of data for measuring compliance

B.

Violation of industry standards

C.

Noncompliance with documentation requirements

D.

Lack of user accountability

Question 103

Which of the following findings would be of GREATEST concern to an IS auditor assessing an organization's patch management process?

Options:

A.

The organization's software inventory is not complete.

B.

Applications frequently need to be rebooted for patches to take effect.

C.

Software vendors are bundling patches.

D.

Testing patches takes significant time.

Question 104

To reduce operational costs, IT management plans to reduce the number of servers currently used to run business applications. Which of the following is MOST helpful to review when identifying which servers are no longer required?

Options:

A.

Performance feedback from the user community

B.

Contract with the server vendor

C.

Server CPU usage trends

D.

Mean time between failure (MTBF) of each server

Question 105

Which of the following would be an IS auditor's GREATEST concern when reviewing the organization's business continuity plan (BCP)?

Options:

A.

The recovery plan does not contain the process and application dependencies.

B.

The duration of tabletop exercises is longer than the recovery point objective (RPO).

C.

The duration of tabletop exercises is longer than the recovery time objective (RTO).

D.

The recovery point objective (RPO) and recovery time objective (R TO) are not the same.

Question 106

Which of the following is the MOST effective control over visitor access to highly secured areas?

Options:

A.

Visitors are required to be escorted by authorized personnel.

B.

Visitors are required to use biometric authentication.

C.

Visitors are monitored online by security cameras

D.

Visitors are required to enter through dead-man doors.

Question 107

Aligning IT strategy with business strategy PRIMARILY helps an organization to:

Options:

A.

optimize investments in IT.

B.

create risk awareness across business units.

C.

increase involvement of senior management in IT.

D.

monitor the effectiveness of IT.

Question 108

Which of the following would be MOST effective in detecting the presence of an unauthorized wireless access point on an internal network?

Options:

A.

Continuous network monitoring

B.

Periodic network vulnerability assessments

C.

Review of electronic access logs

D.

Physical security reviews

Question 109

An organization's security team created a simulated production environment with multiple vulnerable applications. What would be the PRIMARY purpose of creating such an environment?

Options:

A.

To test the intrusion detection system (IDS)

B.

To provide training to security managers

C.

To collect digital evidence of cyberattacks

D.

To attract attackers in order to study their behavior

Question 110

Which of the following is MOST important to consider when assessing the scope of privacy concerns for an IT project?

Options:

A.

Data ownership

B.

Applicable laws and regulations

C.

Business requirements and data flows

D.

End-user access rights

Question 111

An organization's security team created a simulated production environment with multiple vulnerable applications. What would be the PRIMARY purpose of creating such an environment?

Options:

A.

To collect digital evidence of cyberattacks

B.

To attract attackers in order to study their behavior

C.

To provide training to security managers

D.

To test the intrusion detection system (IDS)

Question 112

Which of the following is the MOST important responsibility of data owners when implementing a data classification process?

Options:

A.

Reviewing emergency changes to data

B.

Authorizing application code changes

C.

Determining appropriate user access levels

D.

Implementing access rules over database tables

Question 113

Which of the following is the MOST important prerequisite for implementing a data loss prevention (DLP) tool?

Options:

A.

Requiring users to save files in secured folders instead of a company-wide shared drive

B.

Reviewing data transfer logs to determine historical patterns of data flow

C.

Developing a DLP policy and requiring signed acknowledgment by users

D.

Identifying where existing data resides and establishing a data classification matrix

Question 114

In a high-volume, real-time system, the MOST effective technique by which to continuously monitor and analyze transaction processing is:

Options:

A.

integrated test facility (ITF).

B.

parallel simulation.

C.

transaction tagging.

D.

embedded audit modules.

Question 115

Which of the following should be identified FIRST during the risk assessment process?

Options:

A.

Vulnerability to threats

B.

Existing controls

C.

Information assets

D.

Legal requirements

Question 116

An IS auditor discovers a box of hard drives in a secured location that are overdue for physical destruction. The vendor responsible for this task was never made aware of these hard drives.

Which of the following is the BEST course of action to address this issue?

Options:

A.

Examine the workflow to identify gaps in asset-handling responsibilities.

B.

Escalate the finding to the asset owner for remediation.

C.

Recommend the drives be sent to the vendor for destruction.

D.

Evaluate the corporate asset-handling policy for potential gaps.

Question 117

Which of the following is MOST important for the successful establishment of a security vulnerability management program?

Options:

A.

A robust tabletop exercise plan

B.

A comprehensive asset inventory

C.

A tested incident response plan

D.

An approved patching policy

Question 118

An organization that operates an e-commerce website wants to provide continuous service to its customers and is planning to invest in a hot site due to service criticality. Which of the following is the MOST important consideration when making this decision?

Options:

A.

Maximum tolerable downtime (MTD)

B.

Recovery time objective (RTO)

C.

Recovery point objective (RPO)

D.

Mean time to repair (MTTR)

Question 119

An IS audit reveals an IT application is experiencing poor performance including data inconsistency and integrity issues. What is the MOST likely cause?

Options:

A.

Database clustering

B.

Data caching

C.

Reindexing of the database table

D.

Load balancing

Question 120

Which of the following is the PRIMARY objective of implementing privacy-related controls within an organization?

Options:

A.

To prevent confidential data loss

B.

To comply with legal and regulatory requirements

C.

To identify data at rest and data in transit for encryption

D.

To provide options to individuals regarding use of their data

Question 121

The use of which of the following would BEST enhance a process improvement program?

Options:

A.

Model-based design notations

B.

Balanced scorecard

C.

Capability maturity models

D.

Project management methodologies

Question 122

In which of the following sampling methods is the entire sample considered to be irregular if a single error is found?

Options:

A.

Discovery sampling

B.

Variable sampling

C.

Stop-or-go sampling

D.

Judgmental sampling

Question 123

Which of the following statements appearing in an organization's acceptable use policy BEST demonstrates alignment with data classification standards related to the protection of information assets?

Options:

A.

Any information assets transmitted over a public network must be approved by executive management.

B.

All information assets must be encrypted when stored on the organization's systems.

C.

Information assets should only be accessed by persons with a justified need.

D.

All information assets will be assigned a clearly defined level to facilitate proper employee handling.

Question 124

A security administrator is called in the middle of the night by the on-call programmer A number of programs have failed, and the programmer has asked for access to the live system. What IS the BEST course of action?

Options:

A.

Require that a change request be completed and approved

B.

Give the programmer an emergency ID for temporary access and review the activity

C.

Give the programmer read-only access to investigate the problem

D.

Review activity logs the following day and investigate any suspicious activity

Question 125

Which of the following is the BEST indication of effective governance over IT infrastructure?

Options:

A.

The ability to deliver continuous, reliable performance

B.

A requirement for annual security awareness programs

C.

An increase in the number of IT infrastructure servers

D.

A decrease in the number of information security incidents

Question 126

Which of the following is MOST critical to the success of an information security program?

Options:

A.

Management's commitment to information security

B.

User accountability for information security

C.

Alignment of information security with IT objectives

D.

Integration of business and information security

Question 127

Which of the following is the PRIMARY reason an IS auditor should discuss observations with management before delivering a final report?

Options:

A.

Validate the audit observations_

B.

Identify business risks associated with the observations.

C.

Assist the management with control enhancements.

D.

Record the proposed course of corrective action.

Question 128

An organization plans to replace its nightly batch processing backup to magnetic tape with real-time replication to a second data center. Which of the following is the GREATEST risk associated with this change?

Options:

A.

Version control issues

B.

Reduced system performance

C.

Inability to recover from cybersecurity attacks

D.

Increase in IT investment cost

Question 129

When reviewing past results of a recurring annual audit, an IS auditor notes that findings may not have been reported and independence may not have been maintained. Which of the following is the auditor's BEST course of action?

Options:

A.

Inform senior management.

B.

Reevaluate internal controls.

C.

Inform audit management.

D.

Re-perform past audits to ensure independence.

Question 130

Which of the following is MOST important to ensure when developing an effective security awareness program?

Options:

A.

Training personnel are information security professionals.

B.

Outcome metrics for the program are established.

C.

Security threat scenarios are included in the program content.

D.

Phishing exercises are conducted post-training

Question 131

During an audit, the IS auditor finds that in many cases excessive rights were not removed from a system. Which of the following is the auditor's BEST recommendation?

Options:

A.

System administrators should ensure consistency of assigned rights.

B.

IT security should regularly revoke excessive system rights.

C.

Human resources (HR) should delete access rights of terminated employees.

D.

Line management should regularly review and request modification of access rights

Question 132

During a project audit, an IS auditor notes that project reporting does not accurately reflect current progress. Which of the following is the GREATEST resulting impact?

Options:

A.

The project manager will have to be replaced.

B.

The project reporting to the board of directors will be incomplete.

C.

The project steering committee cannot provide effective governance.

D.

The project will not withstand a quality assurance (QA) review.

Question 133

An IS auditor is reviewing the backup procedures in an organization that has high volumes of data with frequent changes to transactions. Which of the following is the BEST backup scheme to recommend given the need for a shorter restoration time in the event of a disruption?

Options:

A.

Differential backup

B.

Full backup

C.

Incremental backup

D.

Mirror backup

Question 134

Which of the following is the BEST sampling method to use when relatively few errors are expected to be found in a population?

Options:

A.

Variable sampling

B.

Judgmental sampling

C.

Stop-or-go sampling

D.

Discovery sampling

Question 135

A transaction processing system interfaces with the general ledger. Data analytics has identified that some transactions are being recorded twice in the general ledger. While management states a system fixhas been implemented, what should the IS auditor recommend to validate the interface is working in the future?

Options:

A.

Perform periodic reconciliations.

B.

Ensure system owner sign-off for the system fix.

C.

Conduct functional testing.

D.

Improve user acceptance testing (UAT).

Question 136

Which of the following should be done FIRST to minimize the risk of unstructured data?

Options:

A.

Identify repositories of unstructured data.

B.

Purchase tools to analyze unstructured data.

C.

Implement strong encryption for unstructured data.

D.

Implement user access controls to unstructured data.

Question 137

Which of the following is the BEST reason to implement a data retention policy?

Options:

A.

To establish a recovery point objective (RPO) for disaster recovery procedures

B.

To limit the liability associated with storing and protecting information

C.

To document business objectives for processing data within the organization

D.

To assign responsibility and ownership for data protection outside IT

Question 138

During an operational audit on the procurement department, the audit team encounters a key system that uses an artificial intelligence (Al) algorithm. The audit team does not have the necessary knowledge to proceed with the audit. Which of the following is the BEST way to handle this situation?

Options:

A.

Perform a skills assessment to identify members from other business units with knowledge of Al.

B.

Remove the Al portion from the audit scope and proceed with the audit.

C.

Delay the audit until the team receives training on Al.

D.

Engage external consultants who have audit experience and knowledge of Al.

Question 139

Which of the following is the MOST important advantage of participating in beta testing of software products?

Options:

A.

It increases an organization's ability to retain staff who prefer to work with new technology.

B.

It improves vendor support and training.

C.

It enhances security and confidentiality.

D.

It enables an organization to gain familiarity with new products and their functionality.

Question 140

An IS auditor is evaluating an enterprise resource planning (ERP) migration from local systems to the cloud. Who should be responsible for the data

classification in this project?

Options:

A.

Information security officer

B.

Database administrator (DBA)

C.

Information owner

D.

Data architect

Question 141

Which of the following is the MOST significant impact to an organization that does not use an IT governance framework?

Options:

A.

adequate measurement of key risk indicators (KRIS)

B.

Inadequate alignment of IT plans and business objectives

C.

Inadequate business impact analysis (BIA) results and predictions

D.

Inadequate measurement of key performance indicators (KPls)

Question 142

A core system fails a week after a scheduled update, causing an outage that impacts service. Which of the following is MOST important for incident management to focus on when addressing the issue?

Options:

A.

Analyzing the root cause of the outage to ensure the incident will not reoccur

B.

Restoring the system to operational state as quickly as possible

C.

Ensuring all resolution steps are fully documented prior to returning thesystem to service

D.

Rolling back the unsuccessful change to the previous state

Question 143

An organization is establishing a steering committee for the implementation of a new enterprise resource planning (ERP) system that uses Agile project management methodology. What is the MOST important criterion for the makeup of this committee?

Options:

A.

Senior management representation

B.

Ability to meet the time commitment required

C.

Agile project management experience

D.

ERP implementation experience

Question 144

Which of the following parameters reflects the risk threshold for an organization experiencing a service disruption?

Options:

A.

Maximum tolerable outage (MTO)

B.

Recovery point objective (RPO)

C.

Service delivery objective (SDO)

D.

Allowable interruption window (AIW)

Question 145

When drafting a disaster recovery strategy, what should be the MOST important outcome of a business impact analysis (BIA)?

Options:

A.

Establishing recovery point objectives (RPOs)

B.

Determining recovery priorities

C.

Establishing recovery time objectives (RTOs)

D.

Determining recovery costs

Question 146

An organization has decided to reengineer business processes to improve the performance of overall IT service delivery. Which of the following recommendations from the project team should be the GREATEST concern to the IS auditor?

Options:

A.

Disable operational logging to enhance the processing speed and save storage.

B.

Adopt a service delivery model based on insights from peer organizations.

C.

Delegate business decisions to the chief risk officer (CRO).

D.

Eliminate certain reports and key performance indicators (KPIs)

Question 147

The PRIMARY objective of a follow-up audit is to:

Options:

A.

assess the appropriateness of recommendations.

B.

verify compliance with policies.

C.

evaluate whether the risk profile has changed.

D.

determine adequacy of actions taken on recommendations.

Question 148

Which of the following is the PRIMARY advantage of using an automated security log monitoring tool over a manual review to monitor the use of privileged access?

Options:

A.

Increased likelihood of detecting suspicious activity

B.

Reduced costs associated with automating the review

C.

Improved incident response time

D.

Reduced manual effort of reviewing logs

Question 149

Which of the following would be of GREATEST concern to an IS auditor reviewing an IT-related customer service project?

Options:

A.

The project risk exceeds the organization's risk appetite.

B.

Executing the project will require additional investments.

C.

Expected business value is expressed in qualitative terms.

D.

The organization will be the first to offer the proposed services.

Question 150

Which of the following components of a risk assessment is MOST helpful to management in determining the level of risk mitigation to apply?

Options:

A.

Risk classification

B.

Control self-assessment (CSA)

C.

Risk identification

D.

Impact assessment

Question 151

Which of the following system attack methods is executed by entering malicious code into the search box of a vulnerable website, causing the server to reveal restricted information?

Options:

A.

Man-m-the-middle

B.

Denial of service (DoS)

C.

SQL injection

D.

Cross-site scripting

Question 152

An IS auditor can BEST evaluate the business impact of system failures by:

Options:

A.

assessing user satisfaction levels.

B.

interviewing the security administrator.

C.

analyzing equipment maintenance logs.

D.

reviewing system-generated logs.

Question 153

Which of the following is the MOST important regulatory consideration for an organization determining whether to use its customer data to train AI algorithms?

Options:

A.

Documentation of AI algorithm accuracy during the training process

B.

Ethical and optimal utilization of data computing resources

C.

Collection of data and obtaining data subject consent

D.

Continuous monitoring of AI algorithm performance

Question 154

Which of the following should be the GREATEST concern for an IS auditor performing a post-implementation review for a major system upgrade?

Options:

A.

Changes are promoted to production by the development group.

B.

Object code can be accessed by the development group.

C.

Developers have access to the testing environment.

D.

Change approvals are not formally documented.

Question 155

Which of the following provides the BEST evidence that system requirements are met when evaluating a project before implementation?

Options:

A.

Integration testing results

B.

Sign-off from senior management

C.

User acceptance testing (UAT) results

D.

Regression testing results

Question 156

Which of the following observations should be of GREATEST concern to an IS auditor reviewing an organization’s enterprise architecture (EA) program?

Options:

A.

The architecture review board is chaired by the CIO

B.

IT application owners have sole responsibility for architecture approval

C.

The EA program governs projects that are not IT-related

D.

Information security requirements are reviewed by the EA program

Question 157

Which of the following is the MOST important task of an IS auditor during an application post-implementation review?

Options:

A.

Conduct a business impact analysis (BIA)

B.

Perform penetration testing

C.

identify project delays

D.

Verify user access controls

Question 158

A small organization is experiencing rapid growth and plans to create a new information security policy. Which of the following is MOST relevant to creating the policy?

Options:

A.

Business objectives

B.

Business impact analysis (BIA)

C.

Enterprise architecture (EA)

D.

Recent incident trends

Question 159

An IS auditor is reviewing a network diagram. Which of the following would be the BEST location for placement of a firewall?

Options:

A.

Between each host and the local network switch/hub

B.

Between virtual local area networks (VLANs)

C.

Inside the demilitarized zone (DMZ)

D.

At borders of network segments with different security levels

Question 160

Which of the following is the BEST way to ensure a vendor complies with system security requirements?

Options:

A.

Require security training for vendor staff.

B.

Review past incidents reported by the vendor.

C.

Review past audits on the vendor's security compliance.

D.

Require a compliance clause in the vendor contract.

Question 161

In an area susceptible to unexpected increases in electrical power, which of the following would MOST effectively protect the system?

Options:

A.

Generator

B.

Voltage regulator

C.

Circuit breaker

D.

Alternate power supply line

Question 162

Which of the following approaches BEST enables an IS auditor to detect security vulnerabilities within an application?

Options:

A.

Threat modeling

B.

Concept mapping

C.

Prototyping

D.

Threat intelligence

Question 163

Which of the following is the BEST way to ensure email confidentiality in transit?

Options:

A.

Encryption of corporate network traffic

B.

Complex user passwords

C.

End-to-end encryption

D.

Digital signatures

Question 164

An organization requires the use of a key card to enter its data center. Recently, a control was implemented that requires biometric authentication for each employee.

Which type of control has been added?

Options:

A.

Corrective

B.

Compensating

C.

Preventive

D.

Detective

Question 165

An IS auditor is reviewing an organization that performs backups on local database servers every two weeks and does not have a formal policy to govern data backup and restoration procedures. Which of the following findings presents the GREATEST risk to the organization?

Options:

A.

Lack of offsite data backups

B.

Absence of a data backup policy

C.

Lack of periodic data restoration testing

D.

Insufficient data backup frequency

Question 166

Which of the following network communication protocols is used by network devices such as routers to send error messages and operational information indicating success or failure when communicating with another IP address?

Options:

A.

Transmission Control Protocol/Internet Protocol (TCP/IP)

B.

Internet Control Message Protocol

C.

Multipurpose Transaction Protocol

D.

Point-to-Point Tunneling Protocol

Question 167

Which of the following responses to risk associated with separation of duties would incur the LOWEST initial cost?

Options:

A.

Risk mitigation

B.

Risk acceptance

C.

Risk transference

D.

Risk reduction

Question 168

An IS auditor is reviewing an organization's system development life cycle (SDLC) Which of the following MUST be included in the review?

Options:

A.

Ownership of the system quality management plan

B.

Utilization of standards in the system development processes and procedures

C.

Validation that system development processes adhere to quality standards

D.

Definition of quality attributes to be associated with the system

Question 169

Which of the following should be of GREATEST concern to an IS auditor reviewing system interfaces used to transfer publicly available information?

Options:

A.

A system interface tracking program is not enabled.

B.

The data has not been encrypted.

C.

Data is intercepted while in transit between systems.

D.

The data from the originating system differs from the downloaded data.

Question 170

Which of the following is an analytical review procedure for a payroll system?

Options:

A.

Performing reasonableness tests by multiplying the number of employees by the average wage rate

B.

Evaluating the performance of the payroll system using benchmarking software

C.

Performing penetration attempts on the payroll system

D.

Testing hours reported on time sheets

Question 171

A national bank recently migrated a large number of business-critical applications to the cloud. Which of the following is MOST important to ensuring the resiliency of the applications?

Options:

A.

Negotiating a nondisclosure agreement (NDA) with the provider

B.

Conducting periodic system stress testing

C.

Creating restore points for critical applications

D.

Using a monitoring tool to assess uptime

Question 172

How does a continuous integration/continuous development (CI/CD) process help to reduce software failure risk?

Options:

A.

Easy software version rollback

B.

Smaller incremental changes

C.

Fewer manual milestones

D.

Automated software testing

Question 173

Which of the following can BEST reduce the impact of a long-term power failure?

Options:

A.

Power conditioning unit

B.

Emergency power-off switches

C.

Battery bank

D.

Redundant power source

Question 174

Which of the following BEST enables an organization to standardize its IT infrastructure to align with business goals?

Options:

A.

Enterprise architecture (EA)

B.

Operational technologies

C.

Data architecture

D.

Robotic process automation (RPA)

Question 175

The PRIMARY goal of capacity management is to:

Options:

A.

minimize data storage needs across the organization.

B.

provide necessary IT resources to meet business requirements.

C.

minimize system idle time to optimize cost.

D.

ensure that IT teams have sufficient personnel.

Question 176

Which of the following would a digital signature MOST likely prevent?

Options:

A.

Repudiation

B.

Unauthorized change

C.

Corruption

D.

Disclosure

Question 177

Which of the following is MOST important when creating a forensic image of a hard drive?

Options:

A.

Requiring an independent third party be present while imaging

B.

Securing a backup copy of the hard drive

C.

Generating a content hash of the hard drive

D.

Choosing an industry-leading forensics software tool

Question 178

An IS auditor is reviewing a medical device that is attached to a patient’s body, which automatically takes and uploads measurements to a cloud server. Treatment may be updated based on the measurements. Which of the following should be the auditor's PRIMARY focus?

Options:

A.

Physical access controls on the device

B.

Security and quality certification of the device

C.

Device identification and authentication

D.

Confirmation that the device is regularly updated

Question 179

Audit frameworks can assist the IS audit function by:

Options:

A.

defining the authority and responsibility of the IS audit function.

B.

providing direction and information regarding the performance of audits.

C.

outlining the specific steps needed to complete audits.

D.

providing details on how to execute the audit program.

Question 180

Which of the following threats is mitigated by a firewall?

Options:

A.

Intrusion attack

B.

Asynchronous attack

C.

Passive assault

D.

Trojan horse

Question 181

Which of the following is the BEST disposal method for flash drives that previously stored confidential data?

Options:

A.

Destruction

B.

Degaussing

C.

Cryptographic erasure

D.

Overwriting

Question 182

The PRIMARY advantage of using open-source-based solutions is that they:

Options:

A.

Have well-defined support levels.

B.

Are easily implemented.

C.

Reduce dependence on vendors.

D.

Offer better security features.

Question 183

An organization establishes capacity utilization thresholds and monitors for instances when thresholds are exceeded. Which of the following is BEST supported by this activity?

Options:

A.

Integrity

B.

Availability

C.

Confidentiality

D.

Nonrepudiation

Question 184

Which of the following BEST mitigates the risk associated with the deployment of a new production system?

Options:

A.

Problem management

B.

Incident management

C.

Configuration management

D.

Release management

Question 185

Which of the following should be of GREATEST concern to an IS auditor assessing an organization's patch management program?

Options:

A.

Patches are deployed from multiple deployment servers.

B.

There is no process in place to scan the network to identify missing patches.

C.

Patches for medium- and low-risk vulnerabilities are omitted.

D.

There is no process in place to quarantine servers that have not been patched.

Question 186

Which of the following should be done FIRST following an incident that has caused internal servers to be inaccessible, disrupting normal business operations?

Options:

A.

Document the servers' dates, times, and locations, as well as the individual who last used them

B.

Make a bit-level copy of the affected servers and calculate the hash value of the copy.

C.

Copy all key directories and files on the affected servers and generate the hash value of the copy.

D.

Unplug all power cables immediately to prevent further actions of the attacker on the servers.

Question 187

Which of the following is MOST helpful for understanding an organization’s key driver to modernize application platforms?

Options:

A.

Vendor software inventories

B.

Network architecture diagrams

C.

System-wide incident reports

D.

Inventory of end-of-life software

Question 188

An IS auditor is reviewing a machine learning model that predicts the likelihood that a user will watch a certain movie. Which of the following would be of GREATEST concern to the auditor?

Options:

A.

When the model was tested with data drawn from a different population, the accuracy decreased.

B.

The data set for training the model was obtained from an unreliable source.

C.

An open-source programming language was used to develop the model.

D.

The model was tested with data drawn from the same population as the training data.

Question 189

Which type of testing is used to identify security vulnerabilities in source code in the development environment?

Options:

A.

Interactive application security testing (IAST)

B.

Runtime application self-protection (RASP)

C.

Dynamic analysis security testing (DAST)

D.

Static analysis security testing (SAST)

Question 190

Which of the following is the BEST way to mitigate risk to an organization's network associated with devices permitted under a bring your own device (BYOD) policy?

Options:

A.

Require personal devices to be reviewed by IT staff.

B.

Enable port security on all network switches.

C.

Implement a network access control system.

D.

Ensure the policy requires antivirus software on devices.

Question 191

An organization is enhancing the security of a client-facing web application following a proposal to acquire personal information for a business purpose. Which of the following is MOST important to review before implementing this initiative?

Options:

A.

Regulatory compliance requirements

B.

Data ownership assignments

C.

Encryption capabilities

D.

Customer notification procedures

Question 192

During a closing meeting, the IT manager disagrees with a valid audit finding presented by the IS auditor and requests the finding be excluded from the final report. Which of the following is the auditor's BEST course of action?

Options:

A.

Request that the IT manager be removed from the remaining meetings and future audits.

B.

Modify the finding to include the IT manager's comments and inform the audit manager of the changes.

C.

Remove the finding from the report and continue presenting the remaining findings.

D.

Provide the evidence which supports the finding and keep the finding in the report.

Question 193

Which of the following should an IS auditor be MOST concerned with when a system uses RFID?

Options:

A.

Scalability

B.

Maintainability

C.

Nonrepudiation

D.

Privacy

Question 194

Which of the following is an IS auditor's BEST recommendation to help an organization increase the efficiency of computing resources?

Options:

A.

Virtualization

B.

Hardware upgrades

C.

Overclocking the central processing unit (CPU)

D.

Real-time backups

Question 195

Which of the following should be the GREATEST concern to an IS auditor reviewing the information security framework of an organization?

Options:

A.

The information security policy has not been updated in the last two years.

B.

Senior management was not involved in the development of the information security policy.

C.

A list of critical information assets was not included in the information security policy.

D.

The information security policy is not aligned with regulatory requirements.

Question 196

An IS auditor finds that irregularities have occurred and that auditee management has chosen to ignore them. If reporting to external authorities is required which of the following is the BEST action for the IS auditor to take?

Options:

A.

Submit the report to appropriate regulators immediately.

B.

Obtain approval from audit management to submit the report.

C.

Obtain approval from auditee management to release the report.

D.

Obtain approval from both audit and auditee management to release the report.

Question 197

A review of IT interface controls finds an organization does not have a process to identify and correct records that do not get transferred to the receiving system. Which of the following is the IS

auditor's BEST recommendation?

Options:

A.

Enable automatic encryption, decryption, and electronic signing of data files.

B.

Automate the transfer of data between systems as much as is feasible.

C.

Have coders perform manual reconciliation of data between systems.D

D.

Implement software to perform automatic reconciliations of data between systems.

Question 198

Which of the following is an effective way to ensure the integrity of file transfers in a peer-to-peer (P2P) computing environment?

Options:

A.

Associate a message authentication code with each file transferred.

B.

Ensure the files are transferred through an intrusion detection system (IDS).

C.

Encrypt the packets shared between peers within the environment.

D.

Connect the client computers in the environment to a jump server.

Question 199

Which of the following operational log management considerations is MOST important for an organization undergoing a digital transformation?

Options:

A.

Changes in operating costs for log management

B.

Centralization of current log management

C.

Tuning of log reviews to provide enhanced oversight

D.

IT resource capability to manage application uptime

Question 200

Which of the following is the MOST important reason for an organization to automate data purging?

Options:

A.

Protection against privacy breaches

B.

Storage cost reduction

C.

Disaster recovery planning

D.

Ransomware protection

Question 201

Which of the following controls is the BEST recommendation to prevent the skimming of debit or credit card data in point of sale (POS) systems?

Options:

A.

Encryption

B.

Chip and PIN

C.

Hashing

D.

Biometric authentication

Question 202

An organization is planning to implement a control self-assessment (CSA) program for selected business processes. Which of the following should be the role of the internal audit team for this program?

Options:

A.

Perform testing to validate the accuracy of management's self-assessment.

B.

Advise management on the self-assessment process.

C.

Design testing procedures for management to assess process controls effectively.

D.

De-scope business processes to be covered by CSAs from future audit plans.

Question 203

An IS auditor is reviewing the service management of an outsourced help desk. Which of the following is the BEST indicator of how effectively the service provider is performing this function?

Options:

A.

Average ticket age

B.

Number of calls worked

C.

Customer satisfaction ratings

D.

Call transcript reviews

Question 204

A checksum is classified as which type of control?

Options:

A.

Corrective control

B.

Administrative control

C.

Detective control

D.

Preventive control

Question 205

An IS auditor is reviewing a machine learning algorithm-based system for loan approvals and is preparing a data set to test the algorithm for bias. Which of the following is MOST important for the auditor’s test data set to include?

Options:

A.

Applicants of all ages

B.

Applicants from a range of geographic areas and income levels

C.

Incomplete records and incorrectly formatted data

D.

Duplicate records

Question 206

What should be the PRIMARY focus during a review of a business process improvement project?

Options:

A.

Business project plan

B.

Continuous monitoring plans

C.

The cost of new controls

D.

Business impact

Question 207

Which of the following should an IS auditor recommend be done FIRST when an organization is planning to implement an IT compliance program?

Options:

A.

Identify staff training needs related to compliance requirements.

B.

Analyze historical compliance-related audit findings.

C.

Research and purchase an industry-recognized IT compliance tool

D.

Identify applicable laws, regulations, and standards.

Question 208

An IS auditor would MOST likely recommend that IT management use a balanced scorecard to:

Options:

A.

indicate whether the organization meets quality standards.

B.

ensure that IT staff meet performance requirements.

C.

train and educate IT staff.

D.

assess IT functions and processes.

Question 209

Which of the following is the GREATEST risk associated with security patches being automatically downloaded and applied to production servers?

Options:

A.

Supporting documentation is not updated.

B.

Anti-malware is disabled during patch installation.

C.

Patches may be installed regardless of their criticality.

D.

Patches may result in major service failures.

Question 210

An IS auditor determines elevated administrator accounts for servers that are not properly checked out and then back in after each use. Which of the following is the MOST appropriate sampling technique to determine the scope of the problem?

Options:

A.

Haphazard sampling

B.

Random sampling

C.

Statistical sampling

D.

Stratified sampling

Question 211

The business case for an information system investment should be available for review until the:

Options:

A.

information system investment is retired.

B.

information system has reached end of life.

C.

formal investment decision is approved.

D.

benefits have been fully realized.

Question 212

Which of the following provides the BEST assurance that vendor-supported software remains up to date?

Options:

A.

Release and patch management

B.

Licensing agreement and escrow

C.

Software asset management

D.

Version management

Question 213

As part of an audit response, an auditee has concerns with the recommendations and is hesitant to implement them. Which of the following is the BEST course of action for the IS auditor?

Options:

A.

Accept the auditee's response and perform additional testing.

B.

Suggest hiring a third-party consultant to perform a current state assessment.

C.

Conduct further discussions with the auditee to develop a mitigation plan.

D.

Issue a final report without including the opinion of the auditee.

Question 214

One advantage of monetary unit sampling is the fact that

Options:

A.

results are stated m terms of the frequency of items in error

B.

it can easily be applied manually when computer resources are not available

C.

large-value population items are segregated and audited separately

D.

it increases the likelihood of selecting material items from the population

Question 215

Afire alarm system has been installed in the computer room The MOST effective location for the fire alarm control panel would be inside the

Options:

A.

computer room closest to the uninterruptible power supply (UPS) module

B.

computer room closest to the server computers

C.

system administrators’ office

D.

booth used by the building security personnel

Question 216

Which of the following provides the MOST useful information regarding an organization's risk appetite and tolerance?

Options:

A.

Gap analysis

B.

Audit reports

C.

Risk profile

D.

Risk register

Question 217

An IS auditor engaged in developing the annual internal audit plan learns that the chief information officer (CIO) has requested there be no IS audits in the upcoming year as more time is needed to address a large number of recommendations from the previous year. Which of the following should the auditor do FIRST

Options:

A.

Escalate to audit management to discuss the audit plan

B.

Notify the chief operating officer (COO) and discuss the audit plan risks

C.

Exclude IS audits from the upcoming year's plan

D.

Increase the number of IS audits in the clan

Question 218

An IS auditor is reviewing the security of a web-based customer relationship management (CRM) system that is directly accessed by customers via the Internet, which of the following should be a concern for the auditor?

Options:

A.

The system is hosted on an external third-party service provider’s server.

B.

The system is hosted in a hybrid-cloud platform managed by a service provider.

C.

The system is hosted within a demilitarized zone (DMZ) of a corporate network.

D.

The system is hosted within an internal segment of a corporate network.

Question 219

An IS auditor is reviewing the perimeter security design of a network. Which of the following provides the GREATEST assurance outgoing Internet traffic is controlled?

Options:

A.

Intrusion detection system (IDS)

B.

Security information and event management (SIEM) system

C.

Stateful firewall

D.

Load balancer

Question 220

What is the PRIMARY purpose of performing a parallel run of a now system?

Options:

A.

To train the end users and supporting staff on the new system

B.

To verify the new system provides required business functionality

C.

To reduce the need for additional testing

D.

To validate the new system against its predecessor

Question 221

Which of the following should be an IS auditor's GREATEST concern when a data owner assigns an incorrect classification level to data?

Options:

A.

Controls to adequately safeguard the data may not be applied.

B.

Data may not be encrypted by the system administrator.

C.

Competitors may be able to view the data.

D.

Control costs may exceed the intrinsic value of the IT asset.

Question 222

An IS auditor concludes that logging and monitoring mechanisms within an organization are ineffective because critical servers are not included within the central log repository. Which of the following audit procedures would have MOST likely identified this exception?

Options:

A.

Inspecting a sample of alerts generated from the central log repository

B.

Comparing a list of all servers from the directory server against a list of all servers present in the central log repository

C.

Inspecting a sample of alert settings configured in the central log repository

D.

Comparing all servers included in the current central log repository with the listing used for the prior-year audit

Question 223

To mitigate the risk of exposing data through application programming interface (API) queries. which of the following design considerations is MOST important?

Options:

A.

Data retention

B.

Data minimization

C.

Data quality

D.

Data integrity

Question 224

Which of the following is the BEST performance indicator for the effectiveness of an incident management program?

Options:

A.

Average time between incidents

B.

Incident alert meantime

C.

Number of incidents reported

D.

Incident resolution meantime

Question 225

Which of the following is the BEST way to detect unauthorized copies of licensed software on systems?

Options:

A.

Implement controls to prohibit downloads of unauthorized software.

B.

Conduct periodic software scanning.

C.

Perform periodic counting of licenses.

D.

Require senior management approval when installing licenses.

Question 226

In which of the following system development life cycle (SDLC) phases would an IS auditor expect to find that controls have been incorporated into system specifications?

Options:

A.

Implementation

B.

Development

C.

Feasibility

D.

Design

Question 227

Which of the following provides the MOST assurance of the integrity of a firewall log?

Options:

A.

The log is reviewed on a monthly basis.

B.

Authorized access is required to view the log.

C.

The log cannot be modified.

D.

The log is retained per policy.

Question 228

Which of the following findings should be of GREATEST concern to an IS auditor reviewing an organization s newly implemented online security awareness program'?

Options:

A.

Only new employees are required to attend the program

B.

Metrics have not been established to assess training results

C.

Employees do not receive immediate notification of results

D.

The timing for program updates has not been determined

Question 229

An organization has recently moved to an agile model for deploying custom code to its in-house accounting software system. When reviewing the procedures in place for production code deployment, which of the following is the MOST significant security concern to address?

Options:

A.

Software vulnerability scanning is done on an ad hoc basis.

B.

Change control does not include testing and approval from quality assurance (QA).

C.

Production code deployment is not automated.

D.

Current DevSecOps processes have not been independently verified.

Question 230

Which of the following testing methods is MOST appropriate for assessing whether system integrity has been maintained after changes have been made?

Options:

A.

Regression testing

B.

Unit testing

C.

Integration testing

D.

Acceptance testing

Question 231

Which of the following is the BEST way to sanitize a hard disk for reuse to ensure the organization's information cannot be accessed?

Options:

A.

Re-partitioning

B.

Degaussing

C.

Formatting

D.

Data wiping

Question 232

Which of the following is a PRIMARY responsibility of an IT steering committee?

Options:

A.

Prioritizing IT projects in accordance with business requirements

B.

Reviewing periodic IT risk assessments

C.

Validating and monitoring the skill sets of IT department staff

D.

Establishing IT budgets for the business

Question 233

Which of the following is the MOST appropriate indicator of change management effectiveness?

Options:

A.

Time lag between changes to the configuration and the update of records

B.

Number of system software changes

C.

Time lag between changes and updates of documentation materials

D.

Number of incidents resulting from changes

Question 234

An IS auditor learns a server administration team regularly applies workarounds to address repeated failures of critical data processing services Which of the following would BEST enable the organization to resolve this issue?

Options:

A.

Problem management

B.

Incident management

C.

Service level management

D.

Change management

Question 235

An IS auditor identifies that a legacy application to be decommissioned in three months cannot meet the security requirements established by the current policy. What is the BEST way (or the auditor to address this issue?

Options:

A.

Recommend the application be patched to meet requirements.

B.

Inform the IT director of the policy noncompliance.

C.

Verify management has approved a policy exception to accept the risk.

D.

Take no action since the application will be decommissioned in three months.

Question 236

An IS auditor reviewing the throat assessment for a data cantor would be MOST concerned if:

Options:

A.

some of the identified threats are unlikely to occur.

B.

all identified threats relate to external entities.

C.

the exercise was completed by local management.

D.

neighboring organizations' operations have been included.

Question 237

When planning an audit, it is acceptable for an IS auditor to rely on a third-party provider’s external audit report on service level management when the

Options:

A.

scope and methodology meet audit requirements

B.

service provider is independently certified and accredited

C.

report confirms that service levels were not violated

D.

report was released within the last 12 months

Question 238

Which of the following is the BEST way to minimize sampling risk?

Options:

A.

Use a larger sample size

B.

Perform statistical sampling

C.

Perform judgmental sampling

D.

Enhance audit testing procedures

Question 239

Which of the following provides the MOST reliable method of preventing unauthonzed logon?

Options:

A.

issuing authentication tokens

B.

Reinforcing current security policies

C.

Limiting after-hours usage

D.

Installing an automatic password generator

Question 240

Which of the following is the MOST important responsibility of user departments associated with program changes?

Options:

A.

Providing unit test data

B.

Analyzing change requests

C.

Updating documentation lo reflect latest changes

D.

Approving changes before implementation

Question 241

A CFO has requested an audit of IT capacity management due to a series of finance system slowdowns during month-end reporting. What would be MOST important to consider before including this audit in the program?

Options:

A.

Whether system delays result in more frequent use of manual processing

B.

Whether the system's performance poses a significant risk to the organization

C.

Whether stakeholders are committed to assisting with the audit

D.

Whether internal auditors have the required skills to perform the audit

Question 242

The FIRST step in auditing a data communication system is to determine:

Options:

A.

traffic volumes and response-time criteria

B.

physical security for network equipment

C.

the level of redundancy in the various communication paths

D.

business use and types of messages to be transmitted

Question 243

Which of the following is the PRIMARY reason to perform a risk assessment?

Options:

A.

To determine the current risk profile

B.

To ensure alignment with the business impact analysis (BIA)

C.

To achieve compliance with regulatory requirements

D.

To help allocate budget for risk mitigation controls

Question 244

An IS auditor is preparing a plan for audits to be carried out over a specified period. Which of the following activities should the IS auditor perform FIRST?

Options:

A.

Allocate audit resources.

B.

Prioritize risks.

C.

Review prior audit reports.

D.

Determine the audit universe.

Question 245

An IS auditor is evaluating the access controls for a shared customer relationship management (CRM) system. Which of the following would be the GREATEST concern?

Options:

A.

Single sign-on is not enabled

B.

Audit logging is not enabled

C.

Security baseline is not consistently applied

D.

Complex passwords are not required

Question 246

Backup procedures for an organization's critical data are considered to be which type of control?

Options:

A.

Directive

B.

Corrective

C.

Detective

D.

Compensating

Question 247

As part of business continuity planning, which of the following is MOST important to assess when conducting a business impact analysis (B1A)?

Options:

A.

Risk appetite

B.

Critical applications m the cloud

C.

Completeness of critical asset inventory

D.

Recovery scenarios

Question 248

Users are complaining that a newly released enterprise resource planning (ERP) system is functioning too slowly. Which of the following tests during the quality assurance (QA) phase would have identified this concern?

Options:

A.

Stress

B.

Regression

C.

Interface

D.

Integration

Question 249

During the discussion of a draft audit report IT management provided suitable evidence that a process has been implemented for a control that had been concluded by the IS auditor as ineffective Which of the following is the auditor's BEST action?

Options:

A.

Explain to IT management that the new control will be evaluated during follow-up

B.

Add comments about the action taken by IT management in the report

C.

Change the conclusion based on evidence provided by IT management

D.

Re-perform the audit before changing the conclusion

Question 250

Which of the following should be considered when examining fire suppression systems as part of a data center environmental controls review?

Options:

A.

Installation manuals

B.

Onsite replacement availability

C.

Insurance coverage

D.

Maintenance procedures

Question 251

Which of the following provides the BEST assurance of data integrity after file transfers?

Options:

A.

Check digits

B.

Monetary unit sampling

C.

Hash values

D.

Reasonableness check

Question 252

Which of the following provides a new IS auditor with the MOST useful information to evaluate overall IT performance?

Options:

A.

IT value analysis

B.

Prior audit reports

C.

IT balanced scorecard

D.

Vulnerability assessment report

Question 253

Which of the following technologies has the SMALLEST maximum range for data transmission between devices?

Options:

A.

Wi-Fi

B.

Bluetooth

C.

Long-term evolution (LTE)

D.

Near-field communication (NFC)

Question 254

Which of the following is MOST important for an IS auditor to validate when auditing network device management?

Options:

A.

Devices cannot be accessed through service accounts.

B.

Backup policies include device configuration files.

C.

All devices have current security patches assessed.

D.

All devices are located within a protected network segment.

Question 255

An organization has replaced all of the storage devices at its primary data center with new higher-capacity units The replaced devices have been installed at the disaster recovery site to replace older units An IS auditor s PRIMARY concern would be whether

Options:

A.

the recovery site devices can handle the storage requirements

B.

hardware maintenance contract is in place for both old and new storage devices

C.

the procurement was in accordance with corporate policies and procedures

D.

the relocation plan has been communicated to all concerned parties

Question 256

Which of the following should an IS auditor recommend be done FIRST when an organization is made aware of a new regulation that is likely to impact IT security requirements?

Options:

A.

Update security policies based on the new regulation.

B.

Determine which systems and IT-related processes may be impacted.

C.

Evaluate how security awareness and training content may be impacted.

D.

Review the design and effectiveness of existing IT controls.

Question 257

Which of the following BEST protects evidence in a forensic investigation?

Options:

A.

imaging the affected system

B.

Powering down the affected system

C.

Protecting the hardware of the affected system

D.

Rebooting the affected system

Question 258

An IS auditor discovers that due to resource constraints a database administrator (DBA) is responsible for developing and executing changes into the production environment Which ot the following should the auditor do FIRSTS

Options:

A.

Determine whether another DBA could make the changes

B.

Report a potential segregation of duties violation

C.

identify whether any compensating controls exist

D.

Ensure a change management process is followed prior to implementation

Question 259

An IS auditor conducts a review of a third-party vendor's reporting of key performance indicators (KPIs) Which of the following findings should be of MOST concern to the auditor?

Options:

A.

KPI data is not being analyzed

B.

KPIs are not clearly defined

C.

Some KPIs are not documented

D.

KPIs have never been updated

Question 260

Which of the following poses the GREATEST risk to an organization when employees use public social networking sites?

Options:

A.

Cross-site scripting (XSS)

B.

Copyright violations

C.

Social engineering

D.

Adverse posts about the organization

Question 261

Which of the following is an advantage of using agile software development methodology over the waterfall methodology?

Options:

A.

Less funding required overall

B.

Quicker deliverables

C.

Quicker end user acceptance

D.

Clearly defined business expectations

Question 262

Which type of device sits on the perimeter of a corporate of home network, where it obtains a public IP address and then generates private IP addresses internally?

Options:

A.

Switch

B.

Intrusion prevention system (IPS)

C.

Gateway

D.

Router

Question 263

Which of the following is the BEST indication of effective IT investment management?

Options:

A.

IT investments are implemented and monitored following a system development life cycle (SDLC)

B.

IT investments are mapped to specific business objectives

C.

Key performance indicators (KPIs) are defined for each business requiring IT Investment

D.

The IT Investment budget is significantly below industry benchmarks

Question 264

An IS auditor requests direct access to data required to perform audit procedures instead of asking management to provide the data Which of the following is the PRIMARY advantage of this approach?

Options:

A.

Audit transparency

B.

Data confidentiality

C.

Professionalism

D.

Audit efficiency

Question 265

Which of the following is MOST important during software license audits?

Options:

A.

Judgmental sampling

B.

Substantive testing

C.

Compliance testing

D.

Stop-or-go sampling

Question 266

Which of the following is the GREATEST benefit of adopting an international IT governance framework rather than establishing a new framework based on the actual situation of a specific organization1?

Options:

A.

Readily available resources such as domains and risk and control methodologies

B.

Comprehensive coverage of fundamental and critical risk and control areas for IT governance

C.

Fewer resources expended on trial-and-error attempts to fine-tune implementation methodologies

D.

Wide acceptance by different business and support units with IT governance objectives

Question 267

When assessing a proposed project for the two-way replication of a customer database with a remote call center, the IS auditor should ensure that:

Options:

A.

database conflicts are managed during replication.

B.

end users are trained in the replication process.

C.

the source database is backed up on both sites.

D.

user rights are identical on both databases.

Question 268

An IT governance body wants to determine whether IT service delivery is based on consistently effective processes. Which of the following is the BEST approach?

Options:

A.

implement a control self-assessment (CSA)

B.

Conduct a gap analysis

C.

Develop a maturity model

D.

Evaluate key performance indicators (KPIs)

Question 269

Which of the following is me GREATE ST impact as a result of the ongoing deterioration of a detective control?

Options:

A.

Increased number of false negatives in security logs

B.

Decreased effectiveness of roof cause analysis

C.

Decreased overall recovery time

D.

Increased demand for storage space for logs

Question 270

Which of the following is the GREATEST risk if two users have concurrent access to the same database record?

Options:

A.

Availability integrity

B.

Data integrity

C.

Entity integrity

D.

Referential integrity

Question 271

During a follow-up audit, an IS auditor finds that senior management has implemented a different remediation action plan than what was previously agreed upon. Which of the following is the auditor's BEST course of action?

Options:

A.

Report the deviation by the control owner in the audit report.

B.

Evaluate the implemented control to ensure it mitigates the risk to an acceptable level.

C.

Cancel the follow-up audit and reschedule for the next audit period.

D.

Request justification from management for not implementing the recommended control.

Question 272

A company requires that all program change requests (PCRs) be approved and all modifications be automatically logged. Which of the following IS audit procedures will BEST determine whether unauthorized changes have been made to production programs?

Options:

A.

Trace a sample of complete PCR forms to the log of all program changes

B.

Use source code comparison software to determine whether any changes have been made to a sample of programs since the last audit date

C.

Review a sample of PCRs for proper approval throughout the program change process

D.

Trace a sample of program change from the log to completed PCR forms

Question 273

An IS auditor observes that a business-critical application does not currently have any level of fault tolerance. Which of the following is the GREATEST concern with this situation?

Options:

A.

Degradation of services

B.

Limited tolerance for damage

C.

Decreased mean time between failures (MTBF)

D.

Single point of failure

Question 274

Demonstrated support from which of the following roles in an organization has the MOST influence over information security governance?

Options:

A.

Chief information security officer (CISO)

B.

Information security steering committee

C.

Board of directors

D.

Chief information officer (CIO)

Question 275

The PRIMARY benefit of automating application testing is to:

Options:

A.

provide test consistency.

B.

provide more flexibility.

C.

replace all manual test processes.

D.

reduce the time to review code.

Question 276

in a post-implantation Nation review of a recently purchased system it is MOST important for the iS auditor to determine whether the:

Options:

A.

stakeholder expectations were identified

B.

vendor product offered a viable solution.

C.

user requirements were met.

D.

test scenarios reflected operating activities.

Question 277

During a project assessment, an IS auditor finds that business owners have been removed from the project initiation phase. Which of the following should be the auditor's GREATEST concern with this situation?

Options:

A.

Unrealistic milestones

B.

Inadequate deliverables

C.

Unclear benefits

D.

Incomplete requirements

Question 278

Which of the following should be of GREATEST concern to an IS auditor assessing the effectiveness of an organization's vulnerability scanning program''

Options:

A.

Steps taken to address identified vulnerabilities are not formally documented

B.

Results are not reported to individuals with authority to ensure resolution

C.

Scans are performed less frequently than required by the organization's vulnerability scanning schedule

D.

Results are not approved by senior management

Question 279

Which of the following should be the FIRST step when conducting an IT risk assessment?

Options:

A.

Identify potential threats.

B.

Assess vulnerabilities.

C.

Identify assets to be protected.

D.

Evaluate controls in place.

Question 280

Which of the following is the BEST source of information to determine the required level of data protection on a file server?

Options:

A.

Data classification policy and procedures

B.

Access rights of similar file servers

C.

Previous data breach incident reports

D.

Acceptable use policy and privacy statements

Question 281

Recovery facilities providing a redundant combination of Internet connections to the local communications loop is an example of which type of telecommunications continuity?

Options:

A.

Voice recovery

B.

Alternative routing

C.

Long-haul network diversity

D.

Last-mile circuit protection

Question 282

Which of the following is the BEST way to prevent social engineering incidents?

Options:

A.

Maintain an onboarding and annual security awareness program.

B.

Ensure user workstations are running the most recent version of antivirus software.

C.

Include security responsibilities in job descriptions and require signed acknowledgment.

D.

Enforce strict email security gateway controls

Question 283

What would be an IS auditor's BEST course of action when an auditee is unable to close all audit recommendations by the time of the follow-up audit?

Options:

A.

Ensure the open issues are retained in the audit results.

B.

Terminate the follow-up because open issues are not resolved

C.

Recommend compensating controls for open issues.

D.

Evaluate the residual risk due to open issues.

Question 284

Transaction records from a business database were inadvertently deleted, and system operators decided to restore from a snapshot copy. Which of the following provides assurance that the BEST transactions were recovered successfully?

Options:

A.

Review transaction recovery logs to ensure no errors were recorded.

B.

Recount the transaction records to ensure no records are missing.

C.

Rerun the process on a backup machine to verify the results are the same.

D.

Compare transaction values against external statements to verify accuracy.

Question 285

Malicious program code was found in an application and corrected prior to release into production. After the release, the same issue was reported. Which of the following is the IS auditor's BEST recommendation?

Options:

A.

Ensure corrected program code is compiled in a dedicated server.

B.

Ensure change management reports are independently reviewed.

C.

Ensure programmers cannot access code after the completion of program edits.

D.

Ensure the business signs off on end-to-end user acceptance test (UAT) results.

Question 286

To confirm integrity for a hashed message, the receiver should use:

Options:

A.

the same hashing algorithm as the sender's to create a binary image of the file.

B.

a different hashing algorithm from the sender's to create a binary image of the file.

C.

the same hashing algorithm as the sender's to create a numerical representation of the file.

D.

a different hashing algorithm from the sender's to create a numerical representation of the file.

Question 287

An organization plans to receive an automated data feed into its enterprise data warehouse from a third-party service provider. Which of the following would be the BEST way to prevent accepting bad data?

Options:

A.

Obtain error codes indicating failed data feeds.

B.

Appoint data quality champions across the organization.

C.

Purchase data cleansing tools from a reputable vendor.

D.

Implement business rules to reject invalid data.

Question 288

Which of the following should be the MOST important consideration when conducting a review of IT portfolio management?

Options:

A.

Assignment of responsibility for each project to an IT team member

B.

Adherence to best practice and industry approved methodologies

C.

Controls to minimize risk and maximize value for the IT portfolio

D.

Frequency of meetings where the business discusses the IT portfolio

Question 289

Which of the following is the BEST way to mitigate the impact of ransomware attacks?

Options:

A.

Invoking the disaster recovery plan (DRP)

B.

Backing up data frequently

C.

Paying the ransom

D.

Requiring password changes for administrative accounts

Question 290

An IS auditor notes the transaction processing times in an order processing system have significantly increased after a major release. Which of the following should the IS auditor review FIRST?

Options:

A.

Capacity management plan

B.

Training plans

C.

Database conversion results

D.

Stress testing results

Question 291

What should be the PRIMARY basis for selecting which IS audits to perform in the coming year?

Options:

A.

Senior management's request

B.

Prior year's audit findings

C.

Organizational risk assessment

D.

Previous audit coverage and scope

Question 292

The implementation of an IT governance framework requires that the board of directors of an organization:

Options:

A.

Address technical IT issues.

B.

Be informed of all IT initiatives.

C.

Have an IT strategy committee.

D.

Approve the IT strategy.

Question 293

A system development project is experiencing delays due to ongoing staff shortages. Which of the following strategies would provide the GREATEST assurance of system quality at implementation?

Options:

A.

Implement overtime pay and bonuses for all development staff.

B.

Utilize new system development tools to improve productivity.

C.

Recruit IS staff to expedite system development.

D.

Deliver only the core functionality on the initial target date.

Question 294

A proper audit trail of changes to server start-up procedures would include evidence of:

Options:

A.

subsystem structure.

B.

program execution.

C.

security control options.

D.

operator overrides.

Question 295

Which of the following is the BEST compensating control when segregation of duties is lacking in a small IS department?

Options:

A.

Background checks

B.

User awareness training

C.

Transaction log review

D.

Mandatory holidays

Question 296

An IS auditor who was instrumental in designing an application is called upon to review the application. The auditor should:

Options:

A.

refuse the assignment to avoid conflict of interest.

B.

use the knowledge of the application to carry out the audit.

C.

inform audit management of the earlier involvement.

D.

modify the scope of the audit.

Question 297

Which of the following is MOST important for an IS auditor to examine when reviewing an organization's privacy policy?

Options:

A.

Whether there is explicit permission from regulators to collect personal data

B.

The organization's legitimate purpose for collecting personal data

C.

Whether sharing of personal information with third-party service providers is prohibited

D.

The encryption mechanism selected by the organization for protecting personal data

Question 298

Which of the following provides the MOST reliable audit evidence on the validity of transactions in a financial application?

Options:

A.

Walk-through reviews

B.

Substantive testing

C.

Compliance testing

D.

Design documentation reviews

Question 299

Which of the following would be a result of utilizing a top-down maturity model process?

Options:

A.

A means of benchmarking the effectiveness of similar processes with peers

B.

A means of comparing the effectiveness of other processes within the enterprise

C.

Identification of older, more established processes to ensure timely review

D.

Identification of processes with the most improvement opportunities

Question 300

Which of the following is MOST important to ensure when planning a black box penetration test?

Options:

A.

The management of the client organization is aware of the testing.

B.

The test results will be documented and communicated to management.

C.

The environment and penetration test scope have been determined.

D.

Diagrams of the organization's network architecture are available.

Question 301

An IS auditor discovers that validation controls m a web application have been moved from the server side into the browser to boost performance This would MOST likely increase the risk of a successful attack by.

Options:

A.

phishing.

B.

denial of service (DoS)

C.

structured query language (SQL) injection

D.

buffer overflow

Question 302

When evaluating the design of controls related to network monitoring, which of the following is MOST important for an IS auditor to review?

Options:

A.

Incident monitoring togs

B.

The ISP service level agreement

C.

Reports of network traffic analysis

D.

Network topology diagrams

Question 303

An IS auditor suspects an organization's computer may have been used to commit a crime. Which of the following is the auditor's BEST course of action?

Options:

A.

Examine the computer to search for evidence supporting the suspicions.

B.

Advise management of the crime after the investigation.

C.

Contact the incident response team to conduct an investigation.

D.

Notify local law enforcement of the potential crime before further investigation.

Question 304

Which of the following is the BEST justification for deferring remediation testing until the next audit?

Options:

A.

The auditor who conducted the audit and agreed with the timeline has left the organization.

B.

Management's planned actions are sufficient given the relative importance of the observations.

C.

Auditee management has accepted all observations reported by the auditor.

D.

The audit environment has changed significantly.

Question 305

Which of the following is MOST important with regard to an application development acceptance test?

Options:

A.

The programming team is involved in the testing process.

B.

All data files are tested for valid information before conversion.

C.

User management approves the test design before the test is started.

D.

The quality assurance (QA) team is in charge of the testing process.

Question 306

Which of the following would BEST determine whether a post-implementation review (PIR) performed by the project management office (PMO) was effective?

Options:

A.

Lessons learned were implemented.

B.

Management approved the PIR report.

C.

The review was performed by an external provider.

D.

Project outcomes have been realized.

Question 307

Which audit approach is MOST helpful in optimizing the use of IS audit resources?

Options:

A.

Agile auditing

B.

Continuous auditing

C.

Outsourced auditing

D.

Risk-based auditing

Question 308

During an audit of a reciprocal disaster recovery agreement between two companies, the IS auditor would be MOST concerned with the:

Options:

A.

allocation of resources during an emergency.

B.

frequency of system testing.

C.

differences in IS policies and procedures.

D.

maintenance of hardware and software compatibility.

Question 309

One benefit of return on investment (ROI) analysts in IT decision making is that it provides the:

Options:

A.

basis for allocating indirect costs.

B.

cost of replacing equipment.

C.

estimated cost of ownership.

D.

basis for allocating financial resources.

Question 310

Which of the following BEST minimizes performance degradation of servers used to authenticate users of an e-commerce website?

Options:

A.

Configure a single server as a primary authentication server and a second server as a secondary authentication server.

B.

Configure each authentication server as belonging to a cluster of authentication servers.

C.

Configure each authentication server and ensure that each disk of its RAID is attached to the primary controller.

D.

Configure each authentication server and ensure that the disks of each server form part of a duplex.

Question 311

When determining whether a project in the design phase will meet organizational objectives, what is BEST to compare against the business case?

Options:

A.

Implementation plan

B.

Project budget provisions

C.

Requirements analysis

D.

Project plan

Question 312

Which of the following components of a risk assessment is MOST helpful to management in determining the level of risk mitigation to apply?

Options:

A.

Risk identification

B.

Risk classification

C.

Control self-assessment (CSA)

D.

Impact assessment

Question 313

Which of the following should be an IS auditor's PRIMARY focus when developing a risk-based IS audit program?

Options:

A.

Portfolio management

B.

Business plans

C.

Business processes

D.

IT strategic plans

Question 314

Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization's information security policy?

Options:

A.

Alignment with the IT tactical plan

B.

IT steering committee minutes

C.

Compliance with industry best practice

D.

Business objectives

Question 315

During the discussion of a draft audit report. IT management provided suitable evidence fiat a process has been implemented for a control that had been concluded by the IS auditor as Ineffective. Which of the following is the auditor's BEST action?

Options:

A.

Explain to IT management that the new control will be evaluated during follow-up

B.

Re-perform the audit before changing the conclusion.

C.

Change the conclusion based on evidence provided by IT management.

D.

Add comments about the action taken by IT management in the report.

Question 316

Which of the following is MOST useful for determining whether the goals of IT are aligned with the organization's goals?

Options:

A.

Balanced scorecard

B.

Enterprise dashboard

C.

Enterprise architecture (EA)

D.

Key performance indicators (KPIs)

Question 317

An IS auditor finds that a key Internet-facing system is vulnerable to attack and that patches are not available. What should the auditor recommend be done FIRST?

Options:

A.

Implement a new system that can be patched.

B.

Implement additional firewalls to protect the system.

C.

Decommission the server.

D.

Evaluate the associated risk.

Question 318

An IS auditor has found that an organization is unable to add new servers on demand in a cost-efficient manner. Which of the following is the auditor's BEST recommendation?

Options:

A.

Increase the capacity of existing systems.

B.

Upgrade hardware to newer technology.

C.

Hire temporary contract workers for the IT function.

D.

Build a virtual environment.

Question 319

Which of the following is the MOST important benefit of involving IS audit when implementing governance of enterprise IT?

Options:

A.

Identifying relevant roles for an enterprise IT governance framework

B.

Making decisions regarding risk response and monitoring of residual risk

C.

Verifying that legal, regulatory, and contractual requirements are being met

D.

Providing independent and objective feedback to facilitate improvement of IT processes

Question 320

Prior to a follow-up engagement, an IS auditor learns that management has decided to accept a level of residual risk related to an audit finding without remediation. The IS auditor is concerned about management's decision. Which of the following should be the IS auditor's NEXT course of action?

Options:

A.

Accept management's decision and continue the follow-up.

B.

Report the issue to IS audit management.

C.

Report the disagreement to the board.

D.

Present the issue to executive management.

Question 321

The PRIMARY advantage of object-oriented technology is enhanced:

Options:

A.

efficiency due to the re-use of elements of logic.

B.

management of sequential program execution for data access.

C.

grouping of objects into methods for data access.

D.

management of a restricted variety of data types for a data object.

Question 322

During an ongoing audit, management requests a briefing on the findings to date. Which of the following is the IS auditor's BEST course of action?

Options:

A.

Review working papers with the auditee.

B.

Request the auditee provide management responses.

C.

Request management wait until a final report is ready for discussion.

D.

Present observations for discussion only.

Question 323

During a new system implementation, an IS auditor has been assigned to review risk management at each milestone. The auditor finds that several risks to project benefits have not been addressed. Who should be accountable for managing these risks?

Options:

A.

Enterprise risk manager

B.

Project sponsor

C.

Information security officer

D.

Project manager

Question 324

Which of the following BEST guards against the risk of attack by hackers?

Options:

A.

Tunneling

B.

Encryption

C.

Message validation

D.

Firewalls

Question 325

Which of the following MOST effectively minimizes downtime during system conversions?

Options:

A.

Phased approach

B.

Direct cutover

C.

Pilot study

D.

Parallel run

Question 326

An IS auditor found that a company executive is encouraging employee use of social networking sites for business purposes. Which of the following recommendations would BEST help to reduce the risk of data leakage?

Options:

A.

Requiring policy acknowledgment and nondisclosure agreements (NDAs) signed by employees

B.

Establishing strong access controls on confidential data

C.

Providing education and guidelines to employees on use of social networking sites

D.

Monitoring employees' social networking usage

Question 327

During a disaster recovery audit, an IS auditor finds that a business impact analysis (BIA) has not been performed. The auditor should FIRST

Options:

A.

perform a business impact analysis (BIA).

B.

issue an intermediate report to management.

C.

evaluate the impact on current disaster recovery capability.

D.

conduct additional compliance testing.

Question 328

Which of the following would MOST likely impair the independence of the IS auditor when performing a post-implementation review of an application system?

Options:

A.

The IS auditor provided consulting advice concerning application system best practices.

B.

The IS auditor participated as a member of the application system project team, but did not have operational responsibilities.

C.

The IS auditor designed an embedded audit module exclusively for auditing the application system.

D.

The IS auditor implemented a specific control during the development of the application system.

Question 329

An IS auditor notes that several employees are spending an excessive amount of time using social media sites for personal reasons. Which of the following should the auditor recommend be performed FIRST?

Options:

A.

Implement a process to actively monitor postings on social networking sites.

B.

Adjust budget for network usage to include social media usage.

C.

Use data loss prevention (DLP) tools on endpoints.

D.

implement policies addressing acceptable usage of social media during working hours.

Question 330

The PRIMARY benefit lo using a dry-pipe fire-suppression system rather than a wet-pipe system is that a dry-pipe system:

Options:

A.

is more effective at suppressing flames.

B.

allows more time to abort release of the suppressant.

C.

has a decreased risk of leakage.

D.

disperses dry chemical suppressants exclusively.

Question 331

Which of the following should be done FIRST when planning a penetration test?

Options:

A.

Execute nondisclosure agreements (NDAs).

B.

Determine reporting requirements for vulnerabilities.

C.

Define the testing scope.

D.

Obtain management consent for the testing.

Question 332

Which of the following is a social engineering attack method?

Options:

A.

An unauthorized person attempts to gam access to secure premises by following an authonzed person through a secure door.

B.

An employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone.

C.

A hacker walks around an office building using scanning tools to search for a wireless network to gain access.

D.

An intruder eavesdrops and collects sensitive information flowing through the network and sells it to third parties.

Question 333

Secure code reviews as part of a continuous deployment program are which type of control?

Options:

A.

Detective

B.

Logical

C.

Preventive

D.

Corrective

Question 334

Which of the following is MOST important for an effective control self-assessment (CSA) program?

Options:

A.

Determining the scope of the assessment

B.

Performing detailed test procedures

C.

Evaluating changes to the risk environment

D.

Understanding the business process

Question 335

Which of the following BEST ensures the quality and integrity of test procedures used in audit analytics?

Options:

A.

Developing and communicating test procedure best practices to audit teams

B.

Developing and implementing an audit data repository

C.

Decentralizing procedures and Implementing periodic peer review

D.

Centralizing procedures and implementing change control

Question 336

In a small IT web development company where developers must have write access to production, the BEST recommendation of an IS auditor would be to:

Options:

A.

hire another person to perform migration to production.

B.

implement continuous monitoring controls.

C.

remove production access from the developers.

D.

perform a user access review for the development team

Question 337

Which of the following would be an IS auditor's GREATEST concern when reviewing the early stages of a software development project?

Options:

A.

The lack of technical documentation to support the program code

B.

The lack of completion of all requirements at the end of each sprint

C.

The lack of acceptance criteria behind user requirements.

D.

The lack of a detailed unit and system test plan

Question 338

During a follow-up audit, an IS auditor learns that some key management personnel have been replaced since the original audit, and current management has decided not to implement some previously accepted recommendations. What is the auditor's BEST course of action?

Options:

A.

Notify the chair of the audit committee.

B.

Notify the audit manager.

C.

Retest the control.

D.

Close the audit finding.

Question 339

An online retailer is receiving customer complaints about receiving different items from what they ordered on the organization's website. The root cause has been traced to poor data quality. Despite efforts to clean erroneous data from the system, multiple data quality issues continue to occur. Which of the following recommendations would be the BEST way to reduce the likelihood of future occurrences?

Options:

A.

Assign responsibility for improving data quality.

B.

Invest in additional employee training for data entry.

C.

Outsource data cleansing activities to reliable third parties.

D.

Implement business rules to validate employee data entry.

Question 340

A data breach has occurred due lo malware. Which of the following should be the FIRST course of action?

Options:

A.

Notify the cyber insurance company.

B.

Shut down the affected systems.

C.

Quarantine the impacted systems.

D.

Notify customers of the breach.

Question 341

During the implementation of an upgraded enterprise resource planning (ERP) system, which of the following is the MOST important consideration for a go-live decision?

Options:

A.

Rollback strategy

B.

Test cases

C.

Post-implementation review objectives

D.

Business case

Question 342

An IS auditor is following up on prior period items and finds management did not address an audit finding. Which of the following should be the IS auditor's NEXT course of action?

Options:

A.

Note the exception in a new report as the item was not addressed by management.

B.

Recommend alternative solutions to address the repeat finding.

C.

Conduct a risk assessment of the repeat finding.

D.

Interview management to determine why the finding was not addressed.

Question 343

Management has requested a post-implementation review of a newly implemented purchasing package to determine to what extent business requirements are being met. Which of the following is MOST likely to be assessed?

Options:

A.

Purchasing guidelines and policies

B.

Implementation methodology

C.

Results of line processing

D.

Test results

Question 344

When an intrusion into an organization network is deleted, which of the following should be done FIRST?

Options:

A.

Block all compromised network nodes.

B.

Contact law enforcement.

C.

Notify senior management.

D.

Identity nodes that have been compromised.

Question 345

An IS auditor will be testing accounts payable controls by performing data analytics on the entire population of transactions. Which of the following is MOST important for the auditor to confirm when sourcing the population data?

Options:

A.

The data is taken directly from the system.

B.

There is no privacy information in the data.

C.

The data can be obtained in a timely manner.

D.

The data analysis tools have been recently updated.

Question 346

An IS auditor finds the log management system is overwhelmed with false positive alerts. The auditor's BEST recommendation would be to:

Options:

A.

establish criteria for reviewing alerts.

B.

recruit more monitoring personnel.

C.

reduce the firewall rules.

D.

fine tune the intrusion detection system (IDS).

Question 347

Which of the following is the MOST effective control to mitigate unintentional misuse of authorized access?

Options:

A.

Annual sign-off of acceptable use policy

B.

Regular monitoring of user access logs

C.

Security awareness training

D.

Formalized disciplinary action

Question 348

An IS auditor is reviewing an organization's information asset management process. Which of the following would be of GREATEST concern to the auditor?

Options:

A.

The process does not require specifying the physical locations of assets.

B.

Process ownership has not been established.

C.

The process does not include asset review.

D.

Identification of asset value is not included in the process.

Question 349

Which of the following is the PRIMARY advantage of parallel processing for a new system implementation?

Options:

A.

Assurance that the new system meets functional requirements

B.

More time for users to complete training for the new system

C.

Significant cost savings over other system implemental or approaches

D.

Assurance that the new system meets performance requirements

Question 350

Which of the following is the BEST control to prevent the transfer of files to external parties through instant messaging (IM) applications?

Options:

A.

File level encryption

B.

File Transfer Protocol (FTP)

C.

Instant messaging policy

D.

Application-level firewalls

Question 351

An IS auditor discovers an option in a database that allows the administrator to directly modify any table. This option is necessary to overcome bugs in the software, but is rarely used. Changes to tables are automatically logged. The IS auditor's FIRST action should be to:

Options:

A.

recommend that the option to directly modify the database be removed immediately.

B.

recommend that the system require two persons to be involved in modifying the database.

C.

determine whether the log of changes to the tables is backed up.

D.

determine whether the audit trail is secured and reviewed.

Question 352

While executing follow-up activities, an IS auditor is concerned that management has implemented corrective actions that are different from those originally discussed and agreed with the audit function. In order to resolve the situation, the IS auditor's BEST course of action would be to:

Options:

A.

re-prioritize the original issue as high risk and escalate to senior management.

B.

schedule a follow-up audit in the next audit cycle.

C.

postpone follow-up activities and escalate the alternative controls to senior audit management.

D.

determine whether the alternative controls sufficiently mitigate the risk.

Question 353

From an IS auditor's perspective, which of the following would be the GREATEST risk associated with an incomplete inventory of deployed software in an organization?

Options:

A.

Inability to close unused ports on critical servers

B.

Inability to identify unused licenses within the organization

C.

Inability to deploy updated security patches

D.

Inability to determine the cost of deployed software

Question 354

When implementing Internet Protocol security (IPsec) architecture, the servers involved in application delivery:

Options:

A.

communicate via Transport Layer Security (TLS),

B.

block authorized users from unauthorized activities.

C.

channel access only through the public-facing firewall.

D.

channel access through authentication.

Question 355

Which of the following attack techniques will succeed because of an inherent security weakness in an Internet firewall?

Options:

A.

Phishing

B.

Using a dictionary attack of encrypted passwords

C.

Intercepting packets and viewing passwords

D.

Flooding the site with an excessive number of packets

Question 356

Which of the following BEST facilitates the legal process in the event of an incident?

Options:

A.

Right to perform e-discovery

B.

Advice from legal counsel

C.

Preserving the chain of custody

D.

Results of a root cause analysis

Question 357

An IS auditor reviewing security incident processes realizes incidents are resolved and closed, but root causes are not investigated. Which of the following should be the MAJOR concern with this situation?

Options:

A.

Abuses by employees have not been reported.

B.

Lessons learned have not been properly documented

C.

vulnerabilities have not been properly addressed

D.

Security incident policies are out of date.

Question 358

Which of the following should be of GREATEST concern to an IS auditor reviewing a network printer disposal process?

Options:

A.

Disposal policies and procedures are not consistently implemented

B.

Evidence is not available to verify printer hard drives have been sanitized prior to disposal.

C.

Business units are allowed to dispose printers directly to

D.

Inoperable printers are stored in an unsecured area.

Question 359

If enabled within firewall rules, which of the following services would present the GREATEST risk?

Options:

A.

Simple mail transfer protocol (SMTP)

B.

Simple object access protocol (SOAP)

C.

Hypertext transfer protocol (HTTP)

D.

File transfer protocol (FTP)

Question 360

Which of the following should be the FIRST step in the incident response process for a suspected breach?

Options:

A.

Inform potentially affected customers of the security breach

B.

Notify business management of the security breach.

C.

Research the validity of the alerted breach

D.

Engage a third party to independently evaluate the alerted breach.

Question 361

Which of the following features of a library control software package would protect against unauthorized updating of source code?

Options:

A.

Required approvals at each life cycle step

B.

Date and time stamping of source and object code

C.

Access controls for source libraries

D.

Release-to-release comparison of source code

Question 362

Which of the following BEST helps to ensure data integrity across system interfaces?

Options:

A.

Environment segregation

B.

Reconciliation

C.

System backups

D.

Access controls

Question 363

Which of the following is the BEST metric to measure the alignment of IT and business strategy?

Options:

A.

Level of stakeholder satisfaction with the scope of planned IT projects

B.

Percentage of enterprise risk assessments that include IT-related risk

C.

Percentage of stat satisfied with their IT-related roles

D.

Frequency of business process capability maturity assessments

Question 364

When verifying the accuracy and completeness of migrated data for a new application system replacing a legacy system. It is MOST effective for an IS auditor to review;

Options:

A.

data analytics findings.

B.

audit trails

C.

acceptance lasting results

D.

rollback plans

Question 365

Which of the following would provide an IS auditor with the GREATEST assurance that data disposal controls support business strategic objectives?

Options:

A.

Media recycling policy

B.

Media sanitization policy

C.

Media labeling policy

D.

Media shredding policy

Question 366

A credit card company has decided to outsource the printing of customer statements It Is MOST important for the company to verify whether:

Options:

A.

the provider has alternate service locations.

B.

the contract includes compensation for deficient service levels.

C.

the provider's information security controls are aligned with the company's.

D.

the provider adheres to the company's data retention policies.

Question 367

What should an IS auditor do FIRST when management responses

to an in-person internal control questionnaire indicate a key internal

control is no longer effective?

Options:

A.

Determine the resources required to make the controleffective.

B.

Validate the overall effectiveness of the internal control.

C.

Verify the impact of the control no longer being effective.

D.

Ascertain the existence of other compensating controls.

Question 368

Which of the following is necessary for effective risk management in IT governance?

Options:

A.

Local managers are solely responsible for risk evaluation.

B.

IT risk management is separate from corporate risk management.

C.

Risk management strategy is approved by the audit committee.

D.

Risk evaluation is embedded in management processes.

Question 369

An IS auditor is reviewing documentation of application systems change control and identifies several patches that were not tested before being put into production. Which of the following is the MOST significant risk from this situation?

Options:

A.

Loss of application support

B.

Lack of system integrity

C.

Outdated system documentation

D.

Developer access 1o production

Question 370

A review of an organization’s IT portfolio revealed several applications that are not in use. The BEST way to prevent this situation from recurring would be to implement.

Options:

A.

A formal request for proposal (RFP) process

B.

Business case development procedures

C.

An information asset acquisition policy

D.

Asset life cycle management.

Question 371

in a controlled application development environment, the MOST important segregation of duties should be between the person who implements changes into the production environment and the:

Options:

A.

application programmer

B.

systems programmer

C.

computer operator

D.

quality assurance (QA) personnel

Question 372

A company has implemented an IT segregation of duties policy. In a role-based environment, which of the following roles may be assigned to an application developer?

Options:

A.

IT operator

B.

System administration

C.

Emergency support

D.

Database administration

Question 373

Which of the following should be the FRST step when developing a data toes prevention (DIP) solution for a large organization?

Options:

A.

Identify approved data workflows across the enterprise.

B.

Conduct a threat analysis against sensitive data usage.

C.

Create the DLP pcJc.es and templates

D.

Conduct a data inventory and classification exercise

Question 374

Which of the following would be MOST effective to protect information assets in a data center from theft by a vendor?

Options:

A.

Monitor and restrict vendor activities

B.

Issues an access card to the vendor.

C.

Conceal data devices and information labels

D.

Restrict use of portable and wireless devices.

Question 375

Which of the following is the MOST effective way for an organization to help ensure agreed-upon action plans from an IS audit will be implemented?

Options:

A.

Ensure sufficient audit resources are allocated,

B.

Communicate audit results organization-wide.

C.

Ensure ownership is assigned.

D.

Test corrective actions upon completion.

Question 376

Which of the following would BEST ensure that a backup copy is available for restoration of mission critical data after a disaster''

Options:

A.

Use an electronic vault for incremental backups

B.

Deploy a fully automated backup maintenance system.

C.

Periodically test backups stored in a remote location

D.

Use both tape and disk backup systems

Question 377

An IS auditor has been asked to advise on measures to improve IT governance within the organization. Which at the following is the BEST recommendation?

Options:

A.

Implement key performance indicators (KPIs)

B.

Implement annual third-party audits.

C.

Benchmark organizational performance against industry peers.

D.

Require executive management to draft IT strategy

Question 378

An audit identified that a computer system is not assigning sequential purchase order numbers to order requests. The IS auditor is conducting an audit follow-up to determine if management has reserved this finding. Which of two following is the MOST reliable follow-up procedure?

Options:

A.

Review the documentation of recant changes to implement sequential order numbering.

B.

Inquire with management if the system has been configured and tested to generate sequential order numbers.

C.

Inspect the system settings and transaction logs to determine if sequential order numbers are generated.

D.

Examine a sample of system generated purchase orders obtained from management

Question 379

An organization has outsourced the development of a core application. However, the organization plans to bring the support and future maintenance of the application back in-house. Which of the following findings should be the IS auditor's GREATEST concern?

Options:

A.

The cost of outsourcing is lower than in-house development.

B.

The vendor development team is located overseas.

C.

A training plan for business users has not been developed.

D.

The data model is not clearly documented.

Question 380

Which of the following backup schemes is the BEST option when storage media is limited?

Options:

A.

Real-time backup

B.

Virtual backup

C.

Differential backup

D.

Full backup

Question 381

The PRIMARY role of a control self-assessment (CSA) facilitator is to:

Options:

A.

conduct interviews to gain background information.

B.

focus the team on internal controls.

C.

report on the internal control weaknesses.

D.

provide solutions for control weaknesses.

Question 382

An IS auditor finds that capacity management for a key system is being performed by IT with no input from the business The auditor's PRIMARY concern would be:

Options:

A.

failure to maximize the use of equipment

B.

unanticipated increase in business s capacity needs.

C.

cost of excessive data center storage capacity

D.

impact to future business project funding.

Question 383

Which of the following is the BEST way to mitigate the risk associated with unintentional modifications of complex calculations in end-user computing (EUC)?

Options:

A.

Have an independent party review the source calculations

B.

Execute copies of EUC programs out of a secure library

C.

implement complex password controls

D.

Verify EUC results through manual calculations

Question 384

An organization is disposing of a system containing sensitive data and has deleted all files from the hard disk. An IS auditor should be concerned because:

Options:

A.

deleted data cannot easily be retrieved.

B.

deleting the files logically does not overwrite the files' physical data.

C.

backup copies of files were not deleted as well.

D.

deleting all files separately is not as efficient as formatting the hard disk.

Question 385

What is the GREATEST concern for an IS auditor reviewing contracts for licensed software that executes a critical business process?

Options:

A.

The contract does not contain a right-to-audit clause.

B.

An operational level agreement (OLA) was not negotiated.

C.

Several vendor deliverables missed the commitment date.

D.

Software escrow was not negotiated.

Question 386

Which of the following would be MOST useful when analyzing computer performance?

Options:

A.

Statistical metrics measuring capacity utilization

B.

Operations report of user dissatisfaction with response time

C.

Tuning of system software to optimize resource usage

D.

Report of off-peak utilization and response time

Question 387

Which of the following BEST enables the effectiveness of an agile project for the rapid development of a new software application?

Options:

A.

Project segments are established.

B.

The work is separated into phases.

C.

The work is separated into sprints.

D.

Project milestones are created.

Question 388

Which of the following is the BEST way to enforce the principle of least privilege on a server containing data with different security classifications?

Options:

A.

Limiting access to the data files based on frequency of use

B.

Obtaining formal agreement by users to comply with the data classification policy

C.

Applying access controls determined by the data owner

D.

Using scripted access control lists to prevent unauthorized access to the server

Question 389

Which of the following presents the GREATEST challenge to the alignment of business and IT?

Options:

A.

Lack of chief information officer (CIO) involvement in board meetings

B.

Insufficient IT budget to execute new business projects

C.

Lack of information security involvement in business strategy development

D.

An IT steering committee chaired by the chief information officer (CIO)

Question 390

Which of the following is MOST important when planning a network audit?

Options:

A.

Determination of IP range in use

B.

Analysis of traffic content

C.

Isolation of rogue access points

D.

Identification of existing nodes

Question 391

Which of the following security measures will reduce the risk of propagation when a cyberattack occurs?

Options:

A.

Perimeter firewall

B.

Data loss prevention (DLP) system

C.

Web application firewall

D.

Network segmentation

Question 392

An organization has virtualized its server environment without making any other changes to the network or security infrastructure. Which of the following is the MOST significant risk?

Options:

A.

Inability of the network intrusion detection system (IDS) to monitor virtual server-lo-server communications

B.

Vulnerability in the virtualization platform affecting multiple hosts

C.

Data center environmental controls not aligning with new configuration

D.

System documentation not being updated to reflect changes in the environment

Question 393

What is the PRIMARY benefit of an audit approach which requires reported findings to be issued together with related action plans, owners, and target dates?

Options:

A.

it facilitates easier audit follow-up

B.

it enforces action plan consensus between auditors and auditees

C.

it establishes accountability for the action plans

D.

it helps to ensure factual accuracy of findings

Question 394

Which of the following would be the MOST useful metric for management to consider when reviewing a project portfolio?

Options:

A.

Cost of projects divided by total IT cost

B.

Expected return divided by total project cost

C.

Net present value (NPV) of the portfolio

D.

Total cost of each project

Question 395

An IS auditor assessing the controls within a newly implemented call center would First

Options:

A.

gather information from the customers regarding response times and quality of service.

B.

review the manual and automated controls in the call center.

C.

test the technical infrastructure at the call center.

D.

evaluate the operational risk associated with the call center.

Question 396

Which of the following is MOST important for an IS auditor to confirm when reviewing an organization's plans to implement robotic process automation (RPA> to automate routine business tasks?

Options:

A.

The end-to-end process is understood and documented.

B.

Roles and responsibilities are defined for the business processes in scope.

C.

A benchmarking exercise of industry peers who use RPA has been completed.

D.

A request for proposal (RFP) has been issued to qualified vendors.

Question 397

An IS auditor finds that one employee has unauthorized access to confidential data. The IS auditor's BEST recommendation should be to:

Options:

A.

reclassify the data to a lower level of confidentiality

B.

require the business owner to conduct regular access reviews.

C.

implement a strong password schema for users.

D.

recommend corrective actions to be taken by the security administrator.

Question 398

Which of the following should be the IS auditor's PRIMARY focus, when evaluating an organization's offsite storage facility?

Options:

A.

Shared facilities

B.

Adequacy of physical and environmental controls

C.

Results of business continuity plan (BCP) test

D.

Retention policy and period

Question 399

Which of the following would BEST help to ensure that potential security issues are considered by the development team as part of incremental changes to agile-developed software?

Options:

A.

Assign the security risk analysis to a specially trained member of the project management office.

B.

Deploy changes in a controlled environment and observe for security defects.

C.

Include a mandatory step to analyze the security impact when making changes.

D.

Mandate that the change analyses are documented in a standard format.

Question 400

Which of the following is a challenge in developing a service level agreement (SLA) for network services?

Options:

A.

Establishing a well-designed framework for network servirces.

B.

Finding performance metrics that can be measured properly

C.

Ensuring that network components are not modified by the client

D.

Reducing the number of entry points into the network

Question 401

An IS auditor discovers that an IT organization serving several business units assigns equal priority to all initiatives, creating a risk of delays in securing project funding Which of the following would be MOST helpful in matching demand for projects and services with available resources in a way that supports business objectives?

Options:

A.

Project management

B.

Risk assessment results

C.

IT governance framework

D.

Portfolio management

Question 402

During an audit of an organization's risk management practices, an IS auditor finds several documented IT risk acceptances have not been renewed in a timely manner after the assigned expiration date When assessing the seventy of this finding, which mitigating factor would MOST significantly minimize the associated impact?

Options:

A.

There are documented compensating controls over the business processes.

B.

The risk acceptances were previously reviewed and approved by appropriate senior management

C.

The business environment has not significantly changed since the risk acceptances were approved.

D.

The risk acceptances with issues reflect a small percentage of the total population

Question 403

Which of the following is the BEST way to ensure that business continuity plans (BCPs) will work effectively in the event of a major disaster?

Options:

A.

Prepare detailed plans for each business function.

B.

Involve staff at all levels in periodic paper walk-through exercises.

C.

Regularly update business impact assessments.

D.

Make senior managers responsible for their plan sections.

Question 404

Which of the following is the BEST evidence that an organization's IT strategy is aligned lo its business objectives?

Options:

A.

The IT strategy is modified in response to organizational change.

B.

The IT strategy is approved by executive management.

C.

The IT strategy is based on IT operational best practices.

D.

The IT strategy has significant impact on the business strategy

Question 405

Which of the following is MOST critical for the effective implementation of IT governance?

Options:

A.

Strong risk management practices

B.

Internal auditor commitment

C.

Supportive corporate culture

D.

Documented policies

Question 406

Which of the following would be of GREATEST concern when reviewing an organization's security information and event management (SIEM) solution?

Options:

A.

SIEM reporting is customized.

B.

SIEM configuration is reviewed annually

C.

The SIEM is decentralized.

D.

SIEM reporting is ad hoc.

Question 407

Which of the following would BEST detect that a distributed denial of service (DDoS) attack is occurring?

Options:

A.

Customer service complaints

B.

Automated monitoring of logs

C.

Server crashes

D.

Penetration testing

Question 408

Which of the following is MOST important for an IS auditor to look

for in a project feasibility study?

Options:

A.

An assessment of whether requirements will be fully met

B.

An assessment indicating security controls will operateeffectively

C.

An assessment of whether the expected benefits can beachieved

D.

An assessment indicating the benefits will exceed the implement

Question 409

An IS auditor is reviewing the installation of a new server. The IS auditor's PRIMARY objective is to ensure that

Options:

A.

security parameters are set in accordance with the manufacturer s standards.

B.

a detailed business case was formally approved prior to the purchase.

C.

security parameters are set in accordance with the organization's policies.

D.

the procurement project invited lenders from at least three different suppliers.

Question 410

An IS auditor finds that application servers had inconsistent security settings leading to potential vulnerabilities. Which of the following is the BEST recommendation by the IS auditor?

Options:

A.

Improve the change management process

B.

Establish security metrics.

C.

Perform a penetration test

D.

Perform a configuration review

Question 411

Which of the following would be an appropriate role of internal audit in helping to establish an organization’s privacy program?

Options:

A.

Analyzing risks posed by new regulations

B.

Developing procedures to monitor the use of personal data

C.

Defining roles within the organization related to privacy

D.

Designing controls to protect personal data

Question 412

Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization's information security policy?

Options:

A.

IT steering committee minutes

B.

Business objectives

C.

Alignment with the IT tactical plan

D.

Compliance with industry best practice

Question 413

An IS auditor reviewing the threat assessment tor a data center would be MOST concerned if:

Options:

A.

some of the identified throats are unlikely to occur.

B.

all identified throats relate to external entities.

C.

the exercise was completed by local management.

D.

neighboring organizations operations have been included.

Question 414

During audit framework. an IS auditor teams that employees are allowed to connect their personal devices to company-owned computers. How can the auditor BEST validate that appropriate security controls are in place to prevent data loss?

Options:

A.

Conduct a walk-through to view results of an employee plugging in a device to transfer confidential data.

B.

Review compliance with data loss and applicable mobile device user acceptance policies.

C.

Verify the data loss prevention (DLP) tool is properly configured by the organization.

D.

Verify employees have received appropriate mobile device security awareness training.

Question 415

A post-implementation review was conducted by issuing a survey to users. Which of the following should be of GREATEST concern to an IS auditor?

Options:

A.

The survey results were not presented in detail lo management.

B.

The survey questions did not address the scope of the business case.

C.

The survey form template did not allow additional feedback to be provided.

D.

The survey was issued to employees a month after implementation.

Question 416

A review of Internet security disclosed that users have individual user accounts with Internet service providers (ISPs) and use these accounts for downloading business data. The organization wants to ensure that only the corporate network is used. The organization should FIRST:

Options:

A.

use a proxy server to filter out Internet sites that should not be accessed.

B.

keep a manual log of Internet access.

C.

monitor remote access activities.

D.

include a statement in its security policy about Internet use.

Question 417

Which of the following is the PRIMARY advantage of using visualization technology for corporate applications?

Options:

A.

Improved disaster recovery

B.

Better utilization of resources

C.

Stronger data security

D.

Increased application performance

Question 418

When reviewing a data classification scheme, it is MOST important for an IS auditor to determine if.

Options:

A.

each information asset is to a assigned to a different classification.

B.

the security criteria are clearly documented for each classification

C.

Senior IT managers are identified as information owner.

D.

the information owner is required to approve access to the asset

Question 419

Which of the following is the MOST efficient way to identify segregation of duties violations in a new system?

Options:

A.

Review a report of security rights in the system.

B.

Observe the performance of business processes.

C.

Develop a process to identify authorization conflicts.

D.

Examine recent system access rights violations.

Question 420

Which of the following is the GREATEST risk of using a reciprocal site for disaster recovery?

Options:

A.

Inability to utilize the site when required

B.

Inability to test the recovery plans onsite

C.

Equipment compatibility issues at the site

D.

Mismatched organizational security policies

Question 421

Which of the following is MOST important to ensure that electronic evidence collected during a forensic investigation will be admissible in future legal proceedings?

Options:

A.

Restricting evidence access to professionally certified forensic investigators

B.

Documenting evidence handling by personnel throughout the forensic investigation

C.

Performing investigative procedures on the original hard drives rather than images of the hard drives

D.

Engaging an independent third party to perform the forensic investigation

Exam Detail
Vendor: Isaca
Certification: Isaca Certification
Exam Code: CISA
Last Update: Apr 2, 2025
CISA Question Answers
Page: 1 / 105
Total 1404 questions