Pre-Winter Special - Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: top65certs

Isaca CISA Dumps

Page: 1 / 90
Total 1195 questions

Certified Information Systems Auditor Questions and Answers

Question 1

An organization allows employees to retain confidential data on personal mobile devices. Which of the following is the BEST recommendation to mitigate the risk of data leakage from lost or stolen devices?

Options:

A.

Require employees to attend security awareness training.

B.

Password protect critical data files.

C.

Configure to auto-wipe after multiple failed access attempts.

D.

Enable device auto-lock function.

Buy Now
Question 2

Which of the following is an executive management concern that could be addressed by the implementation of a security metrics dashboard?

Options:

A.

Effectiveness of the security program

B.

Security incidents vs. industry benchmarks

C.

Total number of hours budgeted to security

D.

Total number of false positives

Question 3

An IS auditor finds the log management system is overwhelmed with false positive alerts. The auditor's BEST recommendation would be to:

Options:

A.

establish criteria for reviewing alerts.

B.

recruit more monitoring personnel.

C.

reduce the firewall rules.

D.

fine tune the intrusion detection system (IDS).

Question 4

Spreadsheets are used to calculate project cost estimates. Totals for each cost category are then keyed into the job-costing system. What is the BEST control to ensure that data is accurately entered into the system?

Options:

A.

Reconciliation of total amounts by project

B.

Validity checks, preventing entry of character data

C.

Reasonableness checks for each cost type

D.

Display the back of the project detail after the entry

Question 5

An IS auditor is evaluating an organization's IT strategy and plans. Which of the following would be of GREATEST concern?

Options:

A.

There is not a defined IT security policy.

B.

The business strategy meeting minutes are not distributed.

C.

IT is not engaged in business strategic planning.

D.

There is inadequate documentation of IT strategic planning.

Question 6

In a small IT web development company where developers must have write access to production, the BEST recommendation of an IS auditor would be to:

Options:

A.

hire another person to perform migration to production.

B.

implement continuous monitoring controls.

C.

remove production access from the developers.

D.

perform a user access review for the development team

Question 7

Which of the following is the PRIMARY concern when negotiating a contract for a hot site?

Options:

A.

Availability of the site in the event of multiple disaster declarations

B.

Coordination with the site staff in the event of multiple disaster declarations

C.

Reciprocal agreements with other organizations

D.

Complete testing of the recovery plan

Question 8

One benefit of return on investment (ROI) analysts in IT decision making is that it provides the:

Options:

A.

basis for allocating indirect costs.

B.

cost of replacing equipment.

C.

estimated cost of ownership.

D.

basis for allocating financial resources.

Question 9

During an incident management audit, an IS auditor finds that several similar incidents were logged during the audit period. Which of the following is the auditor's MOST important course of action?

Options:

A.

Document the finding and present it to management.

B.

Determine if a root cause analysis was conducted.

C.

Confirm the resolution time of the incidents.

D.

Validate whether all incidents have been actioned.

Question 10

Which of the following is the BEST data integrity check?

Options:

A.

Counting the transactions processed per day

B.

Performing a sequence check

C.

Tracing data back to the point of origin

D.

Preparing and running test data

Question 11

Which of the following is the MOST effective control for protecting the confidentiality and integrity of data stored unencrypted on virtual machines?

Options:

A.

Monitor access to stored images and snapshots of virtual machines.

B.

Restrict access to images and snapshots of virtual machines.

C.

Limit creation of virtual machine images and snapshots.

D.

Review logical access controls on virtual machines regularly.

Question 12

Which of the following tests would provide the BEST assurance that a health care organization is handling patient data appropriately?

Options:

A.

Compliance with action plans resulting from recent audits

B.

Compliance with local laws and regulations

C.

Compliance with industry standards and best practice

D.

Compliance with the organization's policies and procedures

Question 13

Which of the following should be done FIRST when planning a penetration test?

Options:

A.

Execute nondisclosure agreements (NDAs).

B.

Determine reporting requirements for vulnerabilities.

C.

Define the testing scope.

D.

Obtain management consent for the testing.

Question 14

An IS auditor discovers that validation controls m a web application have been moved from the server side into the browser to boost performance This would MOST likely increase the risk of a successful attack by.

Options:

A.

phishing.

B.

denial of service (DoS)

C.

structured query language (SQL) injection

D.

buffer overflow

Question 15

Which of the following is a social engineering attack method?

Options:

A.

An unauthorized person attempts to gam access to secure premises by following an authonzed person through a secure door.

B.

An employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone.

C.

A hacker walks around an office building using scanning tools to search for a wireless network to gain access.

D.

An intruder eavesdrops and collects sensitive information flowing through the network and sells it to third parties.

Question 16

When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor's BEST recommendation is to place an intrusion detection system (IDS) between the firewall and:

Options:

A.

the Internet.

B.

the demilitarized zone (DMZ).

C.

the organization's web server.

D.

the organization's network.

Question 17

Which of the following is the BEST method to safeguard data on an organization's laptop computers?

Options:

A.

Disabled USB ports

B.

Full disk encryption

C.

Biometric access control

D.

Two-factor authentication

Question 18

Which of the following is the BEST control to prevent the transfer of files to external parties through instant messaging (IM) applications?

Options:

A.

File level encryption

B.

File Transfer Protocol (FTP)

C.

Instant messaging policy

D.

Application-level firewalls

Question 19

An organization has recently acquired and implemented intelligent-agent software for granting loans to customers. During the post-implementation review, which of the following is the MOST important procedure for the IS auditor to perform?

Options:

A.

Review system and error logs to verify transaction accuracy.

B.

Review input and output control reports to verify the accuracy of the system decisions.

C.

Review signed approvals to ensure responsibilities for decisions of the system are well defined.

D.

Review system documentation to ensure completeness.

Question 20

To confirm integrity for a hashed message, the receiver should use:

Options:

A.

the same hashing algorithm as the sender's to create a binary image of the file.

B.

a different hashing algorithm from the sender's to create a binary image of the file.

C.

the same hashing algorithm as the sender's to create a numerical representation of the file.

D.

a different hashing algorithm from the sender's to create a numerical representation of the file.

Question 21

An online retailer is receiving customer complaints about receiving different items from what they ordered on the organization's website. The root cause has been traced to poor data quality. Despite efforts to clean erroneous data from the system, multiple data quality issues continue to occur. Which of the following recommendations would be the BEST way to reduce the likelihood of future occurrences?

Options:

A.

Assign responsibility for improving data quality.

B.

Invest in additional employee training for data entry.

C.

Outsource data cleansing activities to reliable third parties.

D.

Implement business rules to validate employee data entry.

Question 22

Which of the following is the MOST effective way to maintain network integrity when using mobile devices?

Options:

A.

Implement network access control.

B.

Implement outbound firewall rules.

C.

Perform network reviews.

D.

Review access control lists.

Question 23

An IS audit reveals that an organization is not proactively addressing known vulnerabilities. Which of the following should the IS auditor recommend the organization do FIRST?

Options:

A.

Verify the disaster recovery plan (DRP) has been tested.

B.

Ensure the intrusion prevention system (IPS) is effective.

C.

Assess the security risks to the business.

D.

Confirm the incident response team understands the issue.

Question 24

Which of the following would be an IS auditor's GREATEST concern when reviewing the early stages of a software development project?

Options:

A.

The lack of technical documentation to support the program code

B.

The lack of completion of all requirements at the end of each sprint

C.

The lack of acceptance criteria behind user requirements.

D.

The lack of a detailed unit and system test plan

Question 25

What is BEST for an IS auditor to review when assessing the effectiveness of changes recently made to processes and tools related to an organization's business continuity plan (BCP)?

Options:

A.

Full test results

B.

Completed test plans

C.

Updated inventory of systems

D.

Change management processes

Question 26

Which of the following data would be used when performing a business impact analysis (BIA)?

Options:

A.

Projected impact of current business on future business

B.

Cost-benefit analysis of running the current business

C.

Cost of regulatory compliance

D.

Expected costs for recovering the business

Question 27

An IT balanced scorecard is the MOST effective means of monitoring:

Options:

A.

governance of enterprise IT.

B.

control effectiveness.

C.

return on investment (ROI).

D.

change management effectiveness.

Question 28

In a 24/7 processing environment, a database contains several privileged application accounts with passwords set to never expire. Which of the following recommendations would BEST address the risk with minimal disruption to the business?

Options:

A.

Modify applications to no longer require direct access to the database.

B.

Introduce database access monitoring into the environment

C.

Modify the access management policy to make allowances for application accounts.

D.

Schedule downtime to implement password changes.

Question 29

Which of the following is the BEST recommendation to prevent fraudulent electronic funds transfers by accounts payable employees?

Options:

A.

Periodic vendor reviews

B.

Dual control

C.

Independent reconciliation

D.

Re-keying of monetary amounts

E.

Engage an external security incident response expert for incident handling.

Question 30

Which of the following access rights presents the GREATEST risk when granted to a new member of the system development staff?

Options:

A.

Write access to production program libraries

B.

Write access to development data libraries

C.

Execute access to production program libraries

D.

Execute access to development program libraries

Question 31

Which of the following is the BEST justification for deferring remediation testing until the next audit?

Options:

A.

The auditor who conducted the audit and agreed with the timeline has left the organization.

B.

Management's planned actions are sufficient given the relative importance of the observations.

C.

Auditee management has accepted all observations reported by the auditor.

D.

The audit environment has changed significantly.

Question 32

During the implementation of an upgraded enterprise resource planning (ERP) system, which of the following is the MOST important consideration for a go-live decision?

Options:

A.

Rollback strategy

B.

Test cases

C.

Post-implementation review objectives

D.

Business case

Question 33

Which of the following is the MOST important prerequisite for the protection of physical information assets in a data center?

Options:

A.

Segregation of duties between staff ordering and staff receiving information assets

B.

Complete and accurate list of information assets that have been deployed

C.

Availability and testing of onsite backup generators

D.

Knowledge of the IT staff regarding data protection requirements

Question 34

Secure code reviews as part of a continuous deployment program are which type of control?

Options:

A.

Detective

B.

Logical

C.

Preventive

D.

Corrective

Question 35

An organization's software developers need access to personally identifiable information (Pll) stored in a particular data format. Which of the following is the BEST way to protect this sensitive information while allowing the developers to use it in development and test environments?

Options:

A.

Data masking

B.

Data tokenization

C.

Data encryption

D.

Data abstraction

Question 36

An organizations audit charier PRIMARILY:

Options:

A.

describes the auditors' authority to conduct audits.

B.

defines the auditors' code of conduct.

C.

formally records the annual and quarterly audit plans.

D.

documents the audit process and reporting standards.

Question 37

What should be the PRIMARY basis for selecting which IS audits to perform in the coming year?

Options:

A.

Senior management's request

B.

Prior year's audit findings

C.

Organizational risk assessment

D.

Previous audit coverage and scope

Question 38

When an intrusion into an organization network is deleted, which of the following should be done FIRST?

Options:

A.

Block all compromised network nodes.

B.

Contact law enforcement.

C.

Notify senior management.

D.

Identity nodes that have been compromised.

Question 39

Which of the following attack techniques will succeed because of an inherent security weakness in an Internet firewall?

Options:

A.

Phishing

B.

Using a dictionary attack of encrypted passwords

C.

Intercepting packets and viewing passwords

D.

Flooding the site with an excessive number of packets

Question 40

Which of the following would MOST likely impair the independence of the IS auditor when performing a post-implementation review of an application system?

Options:

A.

The IS auditor provided consulting advice concerning application system best practices.

B.

The IS auditor participated as a member of the application system project team, but did not have operational responsibilities.

C.

The IS auditor designed an embedded audit module exclusively for auditing the application system.

D.

The IS auditor implemented a specific control during the development of the application system.

Question 41

Documentation of workaround processes to keep a business function operational during recovery of IT systems is a core part of a:

Options:

A.

business impact analysis (BIA).

B.

threat and risk assessment.

C.

business continuity plan (BCP).

D.

disaster recovery plan (DRP).

Question 42

Which of the following is the BEST way to mitigate the impact of ransomware attacks?

Options:

A.

Invoking the disaster recovery plan (DRP)

B.

Backing up data frequently

C.

Paying the ransom

D.

Requiring password changes for administrative accounts

Question 43

An organization conducted an exercise to test the security awareness level of users by sending an email offering a cash reward 10 those who click on a link embedded in the body of the email. Which of the following metrics BEST indicates the effectiveness of awareness training?

Options:

A.

The number of users deleting the email without reporting because it is a phishing email

B.

The number of users clicking on the link to learn more about the sender of the email

C.

The number of users forwarding the email to their business unit managers

D.

The number of users reporting receipt of the email to the information security team

Question 44

Coding standards provide which of the following?

Options:

A.

Program documentation

B.

Access control tables

C.

Data flow diagrams

D.

Field naming conventions

Question 45

The decision to accept an IT control risk related to data quality should be the responsibility of the:

Options:

A.

information security team.

B.

IS audit manager.

C.

chief information officer (CIO).

D.

business owner.

Question 46

Which of the following is the PRIMARY advantage of parallel processing for a new system implementation?

Options:

A.

Assurance that the new system meets functional requirements

B.

More time for users to complete training for the new system

C.

Significant cost savings over other system implemental or approaches

D.

Assurance that the new system meets performance requirements

Question 47

Which of the following is the MOST effective way for an organization to project against data loss?

Options:

A.

Limit employee internet access.

B.

Implement data classification procedures.

C.

Review firewall logs for anomalies.

D.

Conduct periodic security awareness training.

Question 48

Management has requested a post-implementation review of a newly implemented purchasing package to determine to what extent business requirements are being met. Which of the following is MOST likely to be assessed?

Options:

A.

Purchasing guidelines and policies

B.

Implementation methodology

C.

Results of line processing

D.

Test results

Question 49

When evaluating the design of controls related to network monitoring, which of the following is MOST important for an IS auditor to review?

Options:

A.

Incident monitoring togs

B.

The ISP service level agreement

C.

Reports of network traffic analysis

D.

Network topology diagrams

Question 50

Which of the following BEST indicates the effectiveness of an organization's risk management program?

Options:

A.

Inherent risk is eliminated.

B.

Residual risk is minimized.

C.

Control risk is minimized.

D.

Overall risk is quantified.

Question 51

Which of the following is the BEST compensating control when segregation of duties is lacking in a small IS department?

Options:

A.

Background checks

B.

User awareness training

C.

Transaction log review

D.

Mandatory holidays

Question 52

Which of the following provides the MOST reliable audit evidence on the validity of transactions in a financial application?

Options:

A.

Walk-through reviews

B.

Substantive testing

C.

Compliance testing

D.

Design documentation reviews

Question 53

Which of the following is the BEST control to mitigate the malware risk associated with an instant messaging (IM) system?

Options:

A.

Blocking attachments in IM

B.

Blocking external IM traffic

C.

Allowing only corporate IM solutions

D.

Encrypting IM traffic

Question 54

A data breach has occurred due lo malware. Which of the following should be the FIRST course of action?

Options:

A.

Notify the cyber insurance company.

B.

Shut down the affected systems.

C.

Quarantine the impacted systems.

D.

Notify customers of the breach.

Question 55

Which of the following is an audit reviewer's PRIMARY role with regard to evidence?

Options:

A.

Ensuring unauthorized individuals do not tamper with evidence after it has been captured

B.

Ensuring evidence is sufficient to support audit conclusions

C.

Ensuring appropriate statistical sampling methods were used

D.

Ensuring evidence is labeled to show it was obtained from an approved source

Question 56

When implementing Internet Protocol security (IPsec) architecture, the servers involved in application delivery:

Options:

A.

communicate via Transport Layer Security (TLS),

B.

block authorized users from unauthorized activities.

C.

channel access only through the public-facing firewall.

D.

channel access through authentication.

Question 57

Which of the following BEST ensures the quality and integrity of test procedures used in audit analytics?

Options:

A.

Developing and communicating test procedure best practices to audit teams

B.

Developing and implementing an audit data repository

C.

Decentralizing procedures and Implementing periodic peer review

D.

Centralizing procedures and implementing change control

Question 58

Which audit approach is MOST helpful in optimizing the use of IS audit resources?

Options:

A.

Agile auditing

B.

Continuous auditing

C.

Outsourced auditing

D.

Risk-based auditing

Question 59

Which of the following fire suppression systems needs to be combined with an automatic switch to shut down the electricity supply in the event of activation?

Options:

A.

Carbon dioxide

B.

FM-200

C.

Dry pipe

D.

Halon

Question 60

During an external review, an IS auditor observes an inconsistent approach in classifying system criticality within the organization. Which of the following should be recommended as the PRIMARY factor to determine system criticality?

Options:

A.

Key performance indicators (KPIs)

B.

Maximum allowable downtime (MAD)

C.

Recovery point objective (RPO)

D.

Mean time to restore (MTTR)

Question 61

An IS auditor would MOST likely recommend that IT management use a balanced scorecard to:

Options:

A.

indicate whether the organization meets quality standards.

B.

ensure that IT staff meet performance requirements.

C.

train and educate IT staff.

D.

assess IT functions and processes.

Question 62

In reviewing the IT strategic plan, the IS auditor should consider whether it identifies the:

Options:

A.

allocation of IT staff.

B.

project management methodologies used.

C.

major IT initiatives.

D.

links to operational tactical plans.

Question 63

Which of the following is MOST likely to be reduced when implementing optimal risk management strategies?

Options:

A.

Sampling risk

B.

Residual risk

C.

Detection risk

D.

Inherent risk

Question 64

Which of the following should be the PRIMARY consideration when validating a data analytic algorithm that has never been used before?

Options:

A.

Enhancing the design of data visualization

B.

Increasing speed and efficiency of audit procedures

C.

Confirming completeness and accuracy

D.

Decreasing the time for data analytics execution

Question 65

An organization has both an IT strategy committee and an IT steering committee. When reviewing the minutes of the IT steering committee, an IS auditor would expect to find that the

committee:

Options:

A.

assessed the contribution of IT to the business.

B.

acquired and assigned appropriate resources for projects.

C.

compared the risk and return of IT investments.

D.

reviewed the achievement of the strategic IT objective.

Question 66

Which of the following would be an IS auditor's BEST recommendation to senior management when several IT initiatives are found to be misaligned with the organization's strategy?

Options:

A.

Define key performance indicators (KPIs) for IT.

B.

Modify IT initiatives that do not map to business strategies.

C.

Reassess the return on investment (ROI) for the IT initiatives.

D.

Reassess IT initiatives that do not map to business strategies.

Question 67

Which of the following is MOST important when defining the IS audit scope?

Options:

A.

Minimizing the time and cost to the organization of IS audit procedures

B.

Involving business in the formulation of the scope statement

C.

Aligning the IS audit procedures with IT management priorities

D.

Understanding the relationship between IT and business risks

Question 68

To help determine whether a controls-reliant approach to auditing financial systems in a company should be used, which sequence of IS audit work is MOST appropriate?

Options:

A.

Review of the general IS controls followed by a review of the application controls

B.

Detailed examination of financial transactions followed by review of the general ledger

C.

Review of major financial applications followed by a review of IT governance processes

D.

Review of application controls followed by a test of key business process controls

Question 69

An IS auditor is reviewing an artificial intelligence (Al) and expert system application. The system has produced several critical errors with severe impact. Which of the following should the IS auditor do NEXT to understand the cause of the errors?

Options:

A.

Review the decision-making logic built into the system.

B.

Interview the system owner.

C.

Understand the purpose and functionality of the system.

D.

Verify system adherence to corporate policy.

Question 70

Which of the following is the MOST effective way to evaluate the physical security of a data center?

Options:

A.

Review data center access logs.

B.

Interview data center stakeholders.

C.

Review camera footage from the data center.

D.

Perform a data center tour.

Question 71

Which of the following network communication protocols is used by network devices such as routers to send error messages and operational information indicating success or failure when communicating with another IP address?

Options:

A.

Transmission Control Protocol/Internet Protocol (TCP/IP)

B.

Internet Control Message Protocol

C.

Multipurpose Transaction Protocol

D.

Point-to-Point Tunneling Protocol

Question 72

Which of the following is MOST important when creating a forensic image of a hard drive?

Options:

A.

Requiring an independent third party be present while imaging

B.

Securing a backup copy of the hard drive

C.

Generating a content hash of the hard drive

D.

Choosing an industry-leading forensics software tool

Question 73

Which of the following BEST enables an IS auditor to prioritize financial reporting spreadsheets for an end-user computing (EUC) audit?

Options:

A.

Understanding the purpose of each spreadsheet

B.

Identifying the spreadsheets with built-in macros

C.

Reviewing spreadsheets based on file size

D.

Ascertaining which spreadsheets are most frequently used

Question 74

An IS auditor finds that a recently deployed application has a number of developers with inappropriate update access left over from the testing environment. Which of the following would have BEST prevented the update access from being migrated?

Options:

A.

Establishing a role-based matrix for provisioning users

B.

Re-assigning user access rights in the quality assurance (QA) environment

C.

Holding the application owner accountable for application security

D.

Including a step within the system development life cycle (SDLC) to clean up access prior to go-live

Question 75

What should be the PRIMARY focus during a review of a business process improvement project?

Options:

A.

Business project plan

B.

Continuous monitoring plans

C.

The cost of new controls

D.

Business impact

Question 76

Which of the following practices associated with capacity planning provides the GREATEST assurance that future incidents related to existing server performance will be prevented?

Options:

A.

Reviewing results from simulated high-demand stress test scenarios

B.

Performing a root cause analysis for past performance incidents

C.

Anticipating current service level agreements (SLAs) will remain unchanged

D.

Duplicating existing disk drive systems to improve redundancy and data storage

Question 77

Audit frameworks can assist the IS audit function by:

Options:

A.

defining the authority and responsibility of the IS audit function.

B.

providing direction and information regarding the performance of audits.

C.

outlining the specific steps needed to complete audits.

D.

providing details on how to execute the audit program.

Question 78

Which of the following would be an IS auditor's BEST recommendation to senior management when several IT initiatives are found to be misaligned with the organization's strategy?

Options:

A.

Modify IT initiatives that do not map to business strategies.

B.

Reassess IT initiatives that do not map to business strategies.

C.

Define key performance indicators (KPIs) for IT.

D.

Reassess the return on investment (ROI) for the IT initiatives.

Question 79

During a closing meeting, the IT manager disagrees with a valid audit finding presented by the IS auditor and requests the finding be excluded from the final report. Which of the following is the auditor's BEST course of action?

Options:

A.

Request that the IT manager be removed from the remaining meetings and future audits.

B.

Modify the finding to include the IT manager's comments and inform the audit manager of the changes.

C.

Remove the finding from the report and continue presenting the remaining findings.

D.

Provide the evidence which supports the finding and keep the finding in the report.

Question 80

What is the PRIMARY reason to adopt a risk-based IS audit strategy?

Options:

A.

To achieve synergy between audit and other risk management functions

B.

To prioritize available resources and focus on areas with significant risk

C.

To reduce the time and effort needed to perform a full audit cycle

D.

To identify key threats, risks, and controls for the organization

Question 81

Which of the following is MOST helpful for evaluating benefits realized by IT projects?

Options:

A.

Benchmarking IT project management practices with industry peers

B.

Evaluating compliance with key security controls

C.

Comparing planned versus actual return on investment (ROI)

D.

Reviewing system development life cycle (SDLC) processes

Question 82

A small organization is experiencing rapid growth and plans to create a new information security policy. Which of the following is MOST relevant to creating the policy?

Options:

A.

Business objectives

B.

Business impact analysis (BIA)

C.

Enterprise architecture (EA)

D.

Recent incident trends

Question 83

During an information security review, an IS auditor learns an organizational policy requires all employ-ees to attend information security training during the first week of each new year. What is

the auditor's BEST recommendation to ensure employees hired after January receive adequate guid-ance regarding security awareness?

Options:

A.

Ensure new employees read and sign acknowledgment of the acceptable use policy.

B.

Revise the policy to include security training during onboarding.

C.

Revise the policy to require security training every six months for all employees.

D.

Require management of new employees to provide an overview of security awareness.

Question 84

Which of the following is the BEST way to foster continuous improvement of IS audit processes and practices?

Options:

A.

Invite external auditors and regulators to perform regular assessments of the IS audit function.

B.

Implement rigorous managerial review and sign-off of IS audit deliverables.

C.

Frequently review IS audit policies, procedures, and instruction manuals.

D.

Establish and embed quality assurance (QA) within the IS audit function.

Question 85

Which of the following would BEST prevent an arbitrary application of a patch?

Options:

A.

Database access control

B.

Established maintenance windows

C.

Network based access controls

D.

Change management

Question 86

What type of control has been implemented when secure code reviews are conducted as part of a deployment program?

Options:

A.

Monitoring

B.

Deterrent

C.

Detective

D.

Corrective

Question 87

An organization requires the use of a key card to enter its data center. Recently, a control was implemented that requires biometric authentication for each employee.

Which type of control has been added?

Options:

A.

Corrective

B.

Compensating

C.

Preventive

D.

Detective

Question 88

An IS auditor learns that a business owner violated the organization's security policy by creating a web page with access to production data. The auditor's NEXT step should be to:

Options:

A.

determine if sufficient access controls exist.

B.

assess the sensitivity of the production data.

C.

shut down the web page.

D.

escalate to senior management.

Question 89

During which phase of the software development life cycle should an IS auditor be consulted to recommend security controls?

Options:

A.

Design and development

B.

Final acceptance testing

C.

Implementation of software

D.

Requirements definition

Question 90

Which of the following is MOST important for an IS auditor to confirm when reviewing an organization's incident response management program?

Options:

A.

All incidents have a severity level assigned.

B.

All identified incidents are escalated to the CEO and the CISO.

C.

Incident response is within defined service level agreements (SLAs).

D.

The alerting tools and incident response team can detect incidents.

Question 91

Which of the following is the PRIMARY objective of enterprise architecture (EA)?

Options:

A.

Maintaining detailed system documentation

B.

Managing and planning for IT investments

C.

Executing customized development and delivery of projects

D.

Enforcing the IT policy across the organization

Question 92

A new regulation has been enacted that mandates specific information security practices for the protection of customer data. Which of the following is MOST useful for an IS auditor to review when auditing against the regulation?

Options:

A.

Compliance gap analysis

B.

Customer data protection roles and responsibilities

C.

Customer data flow diagram

D.

Benchmarking studies of adaptation to the new regulation

Question 93

Which of the following applications has the MOST inherent risk and should be prioritized during audit planning?

Options:

A.

A decommissioned legacy application

B.

An onsite application that is unsupported

C.

An outsourced accounting application

D.

An internally developed application

Question 94

An IS auditor noted a recent production incident in which a teller transaction system incorrectly charged fees to customers due to a defect from a recent release. Which of the following should be the auditor's NEXT step?

Options:

A.

Evaluate developer training.

B.

Evaluate the incident management process.

C.

Evaluate the change management process.

D.

Evaluate secure code practices.

Question 95

Which of the following controls is BEST implemented through system configuration?

    Network user accounts for temporary workers expire after 90 days.

    Application user access is reviewed every 180 days for appropriateness.

    Financial data in key reports is traced to source systems for completeness and accuracy.

Options:

A.

Computer operations personnel initiate batch processing jobs daily.

Question 96

An IS auditor finds that a new network connection allows communication between the Internet and the internal enterprise resource planning (ERP) system. Which of the following is the PRIMARY business impact to include when presenting this observation to management?

Options:

A.

An increase to the threat landscape

B.

A decrease in data quality in the ERP system

C.

A decrease in network performance

D.

An increase in potential fines from regulators

Question 97

Which of the following criteria is MOST important for the successful delivery of benefits from an IT project?

Options:

A.

Assessing the impact of changes to individuals and business units within the organization

B.

Involving key stakeholders during the development and execution phases of the project

C.

Ensuring that IT project managers have sign-off authority on the business case

D.

Quantifying the size of the software development effort required by the project

Question 98

While reviewing the effectiveness of an incident response program, an IS auditor notices a high number of reported incidents involving malware originating from removable media found by employees. Which of the following is the MOST appropriate recommendation to management?

Options:

A.

Restrict access to removable media ports on company devices.

B.

Install an additional antivirus program to increase protection.

C.

Ensure the antivirus program contains up-to-date signature files for all company devices.

D.

Implement an organization-wide removable media policy.

Question 99

In an annual audit cycle, the audit of an organization's IT department resulted in many findings. Which of the following would be the MOST important consideration when planning the next audit?

Options:

A.

Postponing the review until all of the findings have been rectified

B.

Limiting the review to the deficient areas

C.

Verifying that all recommendations have been implemented

D.

Following up on the status of all recommendations

Question 100

Which of the following BEST indicates that the effectiveness of an organization's security awareness program has improved?

Options:

A.

A decrease in the number of information security audit findings

B.

An increase in the number of staff who complete awareness training

C.

An increase in the number of phishing emails reported by employees

D.

A decrease in the number of malware outbreaks

Question 101

In a review of the organization standards and guidelines for IT management, which of the following should be included in an IS development methodology?

Options:

A.

Value-added activity analysis

B.

Risk management techniques

C.

Access control rules

D.

Incident management techniques

Question 102

Which of the following is the BEST way to strengthen the security of smart devices to prevent data leakage?

Options:

A.

Enforce strong security settings on smart devices.

B.

Require employees to formally acknowledge security procedures.

C.

Review access logs to the organization's sensitive data in a timely manner.

D.

Include usage restrictions in bring your own device (BYOD) security procedures.

Question 103

Which of the following tasks would cause the GREATEST segregation of duties (SoD) concern if performed by the person who reconciles the organization's device inventory?

Options:

A.

Tracking devices used for spare parts

B.

Creating the device policy

C.

vIssuing devices to employees

D.

Approving the issuing of devices

Question 104

Which of the following is the MOST important privacy consideration for an organization that uses a cloud service provider to process customer data?

Options:

A.

Data privacy must be managed in accordance with the regulations applicable to the organization.

B.

Data privacy must be monitored in accordance with industry standards and best practices.

C.

No personal information may be transferred to the service provider without notifying the customer.

D.

Customer data transferred to the service provider must be reported to the regulatory authority.

Question 105

A steering committee established to oversee an organization's digital transformation program is MOSTlikely to be involved with which of the following activities?

Options:

A.

Preparing project status reports

B.

Designing interface controls

C.

Reviewing escalated project issues

D.

Documenting requirements

Question 106

At the end of each business day, a business-critical application generates a report of financial transac-tions greater than a certain value, and an employee

then checks these transactions for errors. What type of control is in place?

Options:

A.

Detective

B.

Preventive

C.

Corrective

D.

Deterrent

Question 107

Which of the following is the BEST indicator that a third-party vendor adheres to the controls required by the organization?

Options:

A.

Review of monthly performance reports submitted by the vendor

B.

Certifications maintained by the vendor

C.

Regular independent assessment of the vendor

D.

Substantive log file review of the vendor's system

Question 108

Following a merger, a review of an international organization determines the IT steering committee's decisions do not extend to regional offices as required in the consolidated IT operating model. Which of the following is the IS auditor's BEST recommendation?

Options:

A.

Create regional centers of excellence.

B.

Engage an IT governance consultant.

C.

Create regional IT steering committees.

D.

Update the IT steering committee's formal charter.

Question 109

An organization's information security policies should be developed PRIMARILY on the basis of:

Options:

A.

enterprise architecture (EA).

B.

industry best practices.

C.

a risk management process.

D.

past information security incidents.

Question 110

Which of the following should an IS auditor be MOST concerned with when a system uses RFID?

Options:

A.

Scalability

B.

Maintainability

C.

Nonrepudiation

D.

Privacy

Question 111

In order for a firewall to effectively protect a network against external attacks, what fundamental practice must be followed?

Options:

A.

The firewall must be placed in the demilitarized zone (DMZ).

B.

Only essential external services should be permitted.

C.

Filters for external information must be defined.

D.

All external communication must be via the firewall.

Question 112

Which of the following is the PRIMARY reason to involve IS auditors in the software acquisition process?

Options:

A.

To help ensure hardware and operating system requirements are considered

B.

To help ensure proposed contracts and service level agreements (SLAs) address key elements

C.

To help ensure the project management process complies with policies and procedures

D.

To help ensure adequate controls to address common threats and risks are considered

Question 113

An IS auditor finds a user account where privileged access is not appropriate for the user’s role. Which of the following would provide the BEST evidence to determine whether the risk of this access has been exploited?

Options:

A.

Activity log for the account

B.

Interview with the user's manager

C.

Last logon date for the account

D.

Documented approval for the account

Question 114

A senior IS auditor suspects that a PC may have been used to perpetrate fraud in a finance department. The auditor should FIRST report this suspicion to:

Options:

A.

the audit committee.

B.

audit management.

C.

auditee line management.

D.

the police.

Question 115

Which of the following is MOST important to the effectiveness of smoke detectors installed in a data processing facility?

Options:

A.

Detectors trigger audible alarms when activated.

B.

Detectors have the correct industry certification.

C.

Detectors are linked to dry pipe fire suppression systems.

D.

Detectors are linked to wet pipe fire suppression systems.

Question 116

The waterfall life cycle model of software development is BEST suited for which of the following situations?

Options:

A.

The project will involve the use of new technology.

B.

The project intends to apply an object-oriented design approach.

C.

The project requirements are well understood.

D.

The project is subject to time pressures.

Question 117

A mission-critical application utilizes a one-node database server. On multiple occasions, the database service has been stopped to perform routine patching, causing application outages. Which of the following should be the IS auditor’s GREATEST concern?

Options:

A.

Revenue lost due to application outages

B.

Patching performed by the vendor

C.

A large number of scheduled database changes

D.

The presence of a single point of failure

Question 118

Which of the following cloud capabilities BEST enables an organization to meet unexpectedly high service demand?

Options:

A.

Scalability

B.

High availability

C.

Alternate routing

D.

Flexibility

Question 119

An organization is establishing a steering committee for the implementation of a new enterprise resource planning (ERP) system that uses Agile project management methodology. What is the MOST important criterion for the makeup of this committee?

Options:

A.

Senior management representation

B.

Ability to meet the time commitment required

C.

Agile project management experience

D.

ERP implementation experience

Question 120

Management is concerned about sensitive information being intentionally or unintentionally emailed as attachments outside the organization by employees. What is the MOST important task before implementing any associated email controls?

Options:

A.

Provide notification to employees about possible email monitoring.

B.

Develop an information classification scheme.

C.

Require all employees to sign nondisclosure agreements (NDAs).

D.

Develop an acceptable use policy for end-user computing (EUC).

Question 121

Which of the following is MOST useful to an IS auditor performing a review of access controls for a document management system?

Options:

A.

Policies and procedures for managing documents provided by department heads

B.

A system-generated list of staff and their project assignments. roles, and responsibilities

C.

Previous audit reports related to other departments' use of the same system

D.

Information provided by the audit team lead an the authentication systems used by the department

Question 122

Which of the following is the BEST indication to an IS auditor that management's post-implementation review was effective?

Options:

A.

Lessons learned were documented and applied.

B.

Business and IT stakeholders participated in the post-implementation review.

C.

Post-implementation review is a formal phase in the system development life cycle (SDLC).

D.

Internal audit follow-up was completed without any findings.

Question 123

When is it MOST important for an IS auditor to apply the concept of materiality in an audit?

Options:

A.

When planning an audit engagement

B.

When gathering information for the fieldwork

C.

When a violation of a regulatory requirement has been identified

D.

When evaluating representations from the auditee

Question 124

An organization is migrating its HR application to an Infrastructure as a Service (laaS) model in a private cloud. Who is PRIMARILY responsible for the security configurations of the deployed application's operating system?

Options:

A.

The cloud provider's external auditor

B.

The cloud provider

C.

The operating system vendor

D.

The organization

Question 125

Which of the following is MOST helpful to an IS auditor when assessing the effectiveness of controls?

Options:

A.

A control self-assessment (CSA)

B.

Results of control testing

C.

Interviews with management

D.

A control matrix

Question 126

Which of the following is the BEST way to sanitize a hard disk for reuse to ensure the organization's information cannot be accessed?

Options:

A.

Re-partitioning

B.

Degaussing

C.

Formatting

D.

Data wiping

Question 127

Which of the following is the BEST way to minimize sampling risk?

Options:

A.

Use a larger sample size

B.

Perform statistical sampling

C.

Perform judgmental sampling

D.

Enhance audit testing procedures

Question 128

Which of the following provides the BEST assurance of data integrity after file transfers?

Options:

A.

Check digits

B.

Monetary unit sampling

C.

Hash values

D.

Reasonableness check

Question 129

A computer forensic audit is MOST relevant in which of the following situations?

Options:

A.

Inadequate controls in the IT environment

B.

Mismatches in transaction data

C.

Missing server patches

D.

Data loss due to hacking of servers

Question 130

A firewall between internal network segments improves security and reduces risk by:

Options:

A.

Jogging all packets passing through network segments

B.

inspecting all traffic flowing between network segments and applying security policies

C.

monitoring and reporting on sessions between network participants

D.

ensuring all connecting systems have appropriate security controls enabled.

Question 131

An IS auditor observes that a business-critical application does not currently have any level of fault tolerance. Which of the following is the GREATEST concern with this situation?

Options:

A.

Degradation of services

B.

Limited tolerance for damage

C.

Decreased mean time between failures (MTBF)

D.

Single point of failure

Question 132

Which of the following provides an IS auditor assurance that the interface between a point-of-sale (POS) system and the general ledger is transferring sales data completely and accurately?

Options:

A.

Electronic copies of customer sales receipts are maintained.

B.

Monthly bank statements are reconciled without exception.

C.

Nightly batch processing has been replaced with real-time processing.

D.

The data transferred over the POS interface is encrypted.

Question 133

Controls related to authorized modifications to production programs are BEST tested by:

Options:

A.

tracing modifications from the original request for change forward to the executable program.

B.

tracing modifications from the executable program back to the original request for change.

C.

testing only the authorizations to implement the new program.

D.

reviewing only the actual lines of source code changed in the program.

Question 134

Which of the following are used in a firewall to protect the entity's internal resources?

Options:

A.

Remote access servers

B.

Secure Sockets Layers (SSLs)

C.

Internet Protocol (IP) address restrictions

D.

Failover services

Question 135

An IS auditor conducts a review of a third-party vendor's reporting of key performance indicators (KPIs) Which of the following findings should be of MOST concern to the auditor?

Options:

A.

KPI data is not being analyzed

B.

KPIs are not clearly defined

C.

Some KPIs are not documented

D.

KPIs have never been updated

Question 136

Which of the following should be of MOST concern to an IS auditor reviewing the information systems acquisition, development, and implementation process?

Options:

A.

Data owners are not trained on the use of data conversion tools.

B.

A post-implementation lessons-learned exercise was not conducted.

C.

There is no system documentation available for review.

D.

System deployment is routinely performed by contractors.

Question 137

Which of the following should be of GREATEST concern to an IS auditor when auditing an organization's IT strategy development process?

Options:

A.

The IT strategy was developed before the business plan

B.

A business impact analysis (BIA) was not performed to support the IT strategy

C.

The IT strategy was developed based on the current IT capability

D.

Information security was not included as a key objective m the IT strategic plan.

Question 138

An IS auditor is reviewing a data conversion project Which of the following is the auditor's BEST recommendation prior to go-live?

Options:

A.

Review test procedures and scenarios

B.

Conduct a mock conversion test

C.

Establish a configuration baseline

D.

Automate the test scripts

Question 139

Which of the following concerns is MOST effectively addressed by implementing an IT framework for alignment between IT and business objectives?

Options:

A.

Inaccurate business impact analysis (BIA)

B.

Inadequate IT change management practices

C.

Lack of a benchmark analysis

D.

Inadequate IT portfolio management

Question 140

When assessing the overall effectiveness of an organization's disaster recovery planning process, which of the following is MOST important for the IS auditor to verify?

Options:

A.

Management contracts with a third party for warm site services.

B.

Management schedules an annual tabletop exercise.

C.

Management documents and distributes a copy of the plan to all personnel.

D.

Management reviews and updates the plan annually or as changes occur.

Question 141

An organization is planning to implement a work-from-home policy that allows users to work remotely as needed. Which of the following is the BEST solution for ensuring secure remote access to corporate resources?

Options:

A.

Additional firewall rules

B.

Multi-factor authentication

C.

Virtual private network (VPN)

D.

Virtual desktop

Question 142

In which phase of the internal audit process is contact established with the individuals responsible for the business processes in scope for review?

Options:

A.

Planning phase

B.

Execution phase

C.

Follow-up phase

D.

Selection phase

Question 143

Which of the following should be considered when examining fire suppression systems as part of a data center environmental controls review?

Options:

A.

Installation manuals

B.

Onsite replacement availability

C.

Insurance coverage

D.

Maintenance procedures

Question 144

Which of the following risk scenarios is BEST addressed by implementing policies and procedures related to full disk encryption?

Options:

A.

Data leakage as a result of employees leaving to work for competitors

B.

Noncompliance fines related to storage of regulated information

C.

Unauthorized logical access to information through an application interface

D.

Physical theft of media on which information is stored

Question 145

Which of the following is the MOST appropriate control to ensure integrity of online orders?

Options:

A.

Data Encryption Standard (DES)

B.

Digital signature

C.

Public key encryption

D.

Multi-factor authentication

Question 146

An IS auditor is reviewing a bank's service level agreement (SLA) with a third-party provider that hosts the bank's secondary data center, which of the following findings should be of GREATEST concern to the auditor?

Options:

A.

The recovery time objective (RTO) has a longer duration than documented in the disaster recovery plan (ORP).

B.

The SLA has not been reviewed in more than a year.

C.

Backup data is hosted online only.

D.

The recovery point objective (RPO) has a shorter duration than documented in the disaster recovery plan (DRP).

Question 147

A financial group recently implemented new technologies and processes, Which type of IS audit would provide the GREATEST level of assurance that the department's objectives have been met?

Options:

A.

Performance audit

B.

Integrated audit

C.

Cyber audit

D.

Financial audit

Question 148

Which of the following is the PRIMARY purpose of obtaining a baseline image during an operating system audit?

Options:

A.

To identify atypical running processes

B.

To verify antivirus definitions

C.

To identify local administrator account access

D.

To verify the integrity of operating system backups

Question 149

Which of the following findings should be of GREATEST concern to an IS auditor reviewing an organization s newly implemented online security awareness program'?

Options:

A.

Only new employees are required to attend the program

B.

Metrics have not been established to assess training results

C.

Employees do not receive immediate notification of results

D.

The timing for program updates has not been determined

Question 150

What would be an IS auditor's BEST course of action when an auditee is unable to close all audit recommendations by the time of the follow-up audit?

Options:

A.

Ensure the open issues are retained in the audit results.

B.

Terminate the follow-up because open issues are not resolved

C.

Recommend compensating controls for open issues.

D.

Evaluate the residual risk due to open issues.

Question 151

During which phase of the software development life cycle is it BEST to initiate the discussion of application controls?

Options:

A.

Business case development phase when stakeholders are identified

B.

Application design phase process functionalities are finalized

C.

User acceptance testing (UAT) phase when test scenarios are designed

D.

Application coding phase when algorithms are developed to solve business problems

Question 152

A characteristic of a digital signature is that it

Options:

A.

is under control of the receiver

B.

is unique to the message

C.

is validated when data are changed

D.

has a reproducible hashing algorithm

Question 153

Which of the following is the BEST indication of effective IT investment management?

Options:

A.

IT investments are implemented and monitored following a system development life cycle (SDLC)

B.

IT investments are mapped to specific business objectives

C.

Key performance indicators (KPIs) are defined for each business requiring IT Investment

D.

The IT Investment budget is significantly below industry benchmarks

Question 154

Which of the following analytical methods would be MOST useful when trying to identify groups with similar behavior or characteristics in a large population?

Options:

A.

Deviation detection

B.

Cluster sampling

C.

Random sampling

D.

Classification

Question 155

The PRIMARY purpose of a configuration management system is to:

Options:

A.

track software updates.

B.

define baselines for software.

C.

support the release procedure.

D.

standardize change approval.

Question 156

Which of the following is the MOST important consideration when evaluating the data retention policy for a global organization with regional offices in multiple countries?

Options:

A.

The policy aligns with corporate policies and practices.

B.

The policy aligns with global best practices.

C.

The policy aligns with business goals and objectives.

D.

The policy aligns with local laws and regulations.

Question 157

The use of which of the following is an inherent risk in the application container infrastructure?

Options:

A.

Shared registries

B.

Host operating system

C.

Shared data

D.

Shared kernel

Question 158

An IS auditor is evaluating the progress of a web-based customer service application development project. Which of the following would be MOST helpful for this evaluation?

Options:

A.

Backlog consumption reports

B.

Critical path analysis reports

C.

Developer status reports

D.

Change management logs

Question 159

Which of the following would protect the confidentiality of information sent in email messages?

Options:

A.

Secure Hash Algorithm 1(SHA-1)

B.

Digital signatures

C.

Encryption

D.

Digital certificates

Question 160

A checksum is classified as which type of control?

Options:

A.

Detective control

B.

Preventive control

C.

Corrective control

D.

Administrative control

Question 161

During a follow-up audit, an IS auditor finds that senior management has implemented a different remediation action plan than what was previously agreed upon. Which of the following is the auditor's BEST course of action?

Options:

A.

Report the deviation by the control owner in the audit report.

B.

Evaluate the implemented control to ensure it mitigates the risk to an acceptable level.

C.

Cancel the follow-up audit and reschedule for the next audit period.

D.

Request justification from management for not implementing the recommended control.

Question 162

A new system development project is running late against a critical implementation deadline Which of the following is the MOST important activity?

Options:

A.

Document last-minute enhancements

B.

Perform a pre-implementation audit

C.

Perform user acceptance testing (UAT)

D.

Ensure that code has been reviewed

Question 163

The operations team of an organization has reported an IS security attack Which of the following should be the FIRST step for the security incident response team?

Options:

A.

Report results to management

B.

Document lessons learned

C.

Perform a damage assessment

D.

Prioritize resources for corrective action

Question 164

An internal audit team is deciding whether to use an audit management application hosted by a third party in a different country.

What should be the MOST important consideration related to the uploading of payroll audit documentation in the hosted

application?

Options:

A.

Financial regulations affecting the organization

B.

Data center physical access controls whore the application is hosted

C.

Privacy regulations affecting the organization

D.

Per-unit cost charged by the hosting services provider for storage

Question 165

An organization is concerned with meeting new regulations for protecting data confidentiality and asks an IS auditor to evaluate their procedures for transporting data. Which of the

following would BEST support the organization's objectives?

Options:

A.

Cryptographic hashes

B.

Virtual local area network (VLAN)

C.

Encryption

D.

Dedicated lines

Question 166

What is the PRIMARY purpose of performing a parallel run of a now system?

Options:

A.

To train the end users and supporting staff on the new system

B.

To verify the new system provides required business functionality

C.

To reduce the need for additional testing

D.

To validate the new system against its predecessor

Question 167

Which of the following should be an IS auditor's GREATEST concern when reviewing an organization's security controls for policy compliance?

Options:

A.

Security policies are not applicable across all business units

B.

End users are not required to acknowledge security policy training

C.

The security policy has not been reviewed within the past year

D.

Security policy documents are available on a public domain website

Question 168

Which of the following be of GREATEST concern to an IS auditor reviewing on-site preventive maintenance for an organization’s business-critical server hardware?

Options:

A.

Preventive maintenance costs exceed the business allocated budget.

B.

Preventive maintenance has not been approved by the information system

C.

Preventive maintenance is outsourced to multiple vendors without requiring nondisclosure agreements (NDAs)

D.

The preventive maintenance schedule is based on mean time between failures (MTBF) parameters.

Question 169

Which of the following should be the FIRST step when conducting an IT risk assessment?

Options:

A.

Identify potential threats.

B.

Assess vulnerabilities.

C.

Identify assets to be protected.

D.

Evaluate controls in place.

Question 170

When planning an audit, it is acceptable for an IS auditor to rely on a third-party provider’s external audit report on service level management when the

Options:

A.

scope and methodology meet audit requirements

B.

service provider is independently certified and accredited

C.

report confirms that service levels were not violated

D.

report was released within the last 12 months

Question 171

Which of the following is an advantage of using agile software development methodology over the waterfall methodology?

Options:

A.

Less funding required overall

B.

Quicker deliverables

C.

Quicker end user acceptance

D.

Clearly defined business expectations

Question 172

Which of the following is the BEST approach for determining the overall IT risk appetite of an organization when business units use different methods for managing IT risks?

Options:

A.

Average the business units’ IT risk levels

B.

Identify the highest-rated IT risk level among the business units

C.

Prioritize the organization's IT risk scenarios

D.

Establish a global IT risk scoring criteria

Question 173

Which of the following is MOST important to consider when reviewing an organization's defined data backup and restoration procedures?

Options:

A.

Business continuity plan (BCP)

B.

Recovery point objective (RPO)

C.

Mean time to restore (MTTR)

D.

Mean time between failures (MTBF)

Question 174

Which of the following is the BEST indicator for measuring performance of IT help desk function?

Options:

A.

Percentage of problems raised from incidents

B.

Mean time to categorize tickets

C.

Number 0t incidents reported

D.

Number of reopened tickets

Question 175

Which of the following is the MOST important responsibility of user departments associated with program changes?

Options:

A.

Providing unit test data

B.

Analyzing change requests

C.

Updating documentation lo reflect latest changes

D.

Approving changes before implementation

Question 176

What is the PRIMARY benefit of using one-time passwords?

Options:

A.

An intercepted password cannot be reused

B.

Security for applications can be automated

C.

Users do not have to memorize complex passwords

D.

Users cannot be locked out of an account

Question 177

Which of the following is the MOST appropriate indicator of change management effectiveness?

Options:

A.

Time lag between changes to the configuration and the update of records

B.

Number of system software changes

C.

Time lag between changes and updates of documentation materials

D.

Number of incidents resulting from changes

Question 178

An organization implemented a cybersecurity policy last year Which of the following is the GREATE ST indicator that the policy may need to be revised?

Options:

A.

A significant increase in authorized connections to third parties

B.

A significant increase in cybersecurity audit findings

C.

A significant increase in approved exceptions

D.

A significant increase in external attack attempts

Question 179

A disaster recovery plan (DRP) should include steps for:

Options:

A.

assessing and quantifying risk.

B.

negotiating contracts with disaster planning consultants.

C.

identifying application control requirements.

D.

obtaining replacement supplies.

Question 180

Which of the following is the MOST effective method of destroying sensitive data stored on electronic media?

Options:

A.

Degaussing

B.

Random character overwrite

C.

Physical destruction

D.

Low-level formatting

Question 181

Which of the following is the MOST important reason to classify a disaster recovery plan (DRP) as confidential?

Options:

A.

Ensure compliance with the data classification policy.

B.

Protect the plan from unauthorized alteration.

C.

Comply with business continuity best practice.

D.

Reduce the risk of data leakage that could lead to an attack.

Question 182

After the merger of two organizations, which of the following is the MOST important task for an IS auditor to perform?

Options:

A.

Verifying that access privileges have been reviewed

B.

investigating access rights for expiration dates

C.

Updating the continuity plan for critical resources

D.

Updating the security policy

Question 183

Which of the following provides IS audit professionals with the BEST source of direction for performing audit functions?

Options:

A.

Audit charter

B.

IT steering committee

C.

Information security policy

D.

Audit best practices

Question 184

Which of the following concerns is BEST addressed by securing production source libraries?

Options:

A.

Programs are not approved before production source libraries are updated.

B.

Production source and object libraries may not be synchronized.

C.

Changes are applied to the wrong version of production source libraries.

D.

Unauthorized changes can be moved into production.

Question 185

Which of the following BEST Indicates that an incident management process is effective?

Options:

A.

Decreased time for incident resolution

B.

Increased number of incidents reviewed by IT management

C.

Decreased number of calls lo the help desk

D.

Increased number of reported critical incidents

Question 186

Upon completion of audit work, an IS auditor should:

Options:

A.

provide a report to senior management prior to discussion with the auditee.

B.

distribute a summary of general findings to the members of the auditing team.

C.

provide a report to the auditee stating the initial findings.

D.

review the working papers with the auditee.

Question 187

An organization is considering allowing users to connect personal devices to the corporate network. Which of the following should be done FIRST?

Options:

A.

Conduct security awareness training.

B.

Implement an acceptable use policy

C.

Create inventory records of personal devices

D.

Configure users on the mobile device management (MDM) solution

Question 188

Which of the following should be of MOST concern to an IS auditor reviewing the public key infrastructure (PKI) for enterprise email?

Options:

A.

The certificate revocation list has not been updated.

B.

The PKI policy has not been updated within the last year.

C.

The private key certificate has not been updated.

D.

The certificate practice statement has not been published

Question 189

Stress testing should ideally be earned out under a:

Options:

A.

test environment with production workloads.

B.

production environment with production workloads.

C.

production environment with test data.

D.

test environment with test data.

Question 190

Which of the following business continuity activities prioritizes the recovery of critical functions?

Options:

A.

Business continuity plan (BCP) testing

B.

Business impact analysis (BIA)

C.

Disaster recovery plan (DRP) testing

D.

Risk assessment

Question 191

To develop meaningful recommendations 'or findings, which of the following is MOST important 'or an IS auditor to determine and understand?

Options:

A.

Root cause

B.

Responsible party

C.

impact

D.

Criteria

Question 192

An organization plans to receive an automated data feed into its enterprise data warehouse from a third-party service provider. Which of the following would be the BEST way to prevent accepting bad data?

Options:

A.

Obtain error codes indicating failed data feeds.

B.

Purchase data cleansing tools from a reputable vendor.

C.

Appoint data quality champions across the organization.

D.

Implement business rules to reject invalid data.

Question 193

Which of the following findings should be of GREATEST concern for an IS auditor when auditing the effectiveness of a phishing simu-lation test administered for staff members?

Options:

A.

Staff members who failed the test did not receive follow-up education

B.

Test results were not communicated to staff members.

C.

Staff members were not notified about the test beforehand.

D.

Security awareness training was not provided prior to the test.

Question 194

Which of the following is MOST important for an IS auditor to verify when evaluating an organization's firewall?

Options:

A.

Logs are being collected in a separate protected host

B.

Automated alerts are being sent when a risk is detected

C.

Insider attacks are being controlled

D.

Access to configuration files Is restricted.

Question 195

Which of the following would be of MOST concern for an IS auditor evaluating the design of an organization's incident management processes?

Options:

A.

Service management standards are not followed.

B.

Expected time to resolve incidents is not specified.

C.

Metrics are not reported to senior management.

D.

Prioritization criteria are not defined.

Question 196

An IS auditor performs a follow-up audit and learns the approach taken by the auditee to fix the findings differs from the agreed-upon approach confirmed during the last audit. Which of the following should be the auditor's NEXT course of action?

Options:

A.

Evaluate the appropriateness of the remedial action taken.

B.

Conduct a risk analysis incorporating the change.

C.

Report results of the follow-up to the audit committee.

D.

Inform senior management of the change in approach.

Question 197

During an IT governance audit, an IS auditor notes that IT policies and procedures are not regularly reviewed and updated. The GREATEST concern to the IS auditor is that policies and procedures might not:

Options:

A.

reflect current practices.

B.

include new systems and corresponding process changes.

C.

incorporate changes to relevant laws.

D.

be subject to adequate quality assurance (QA).

Question 198

When testing the adequacy of tape backup procedures, which step BEST verifies that regularly scheduled Backups are timely and run to completion?

Options:

A.

Observing the execution of a daily backup run

B.

Evaluating the backup policies and procedures

C.

Interviewing key personnel evolved In the backup process

D.

Reviewing a sample of system-generated backup logs

Question 199

Which of the following is the BEST reason for an organization to use clustering?

Options:

A.

To decrease system response time

B.

To Improve the recovery lime objective (RTO)

C.

To facilitate faster backups

D.

To improve system resiliency

Question 200

Which of the following is the PRIMARY role of the IS auditor m an organization's information classification process?

Options:

A.

Securing information assets in accordance with the classification assigned

B.

Validating that assets are protected according to assigned classification

C.

Ensuring classification levels align with regulatory guidelines

D.

Defining classification levels for information assets within the organization

Question 201

During an audit of a financial application, it was determined that many terminated users' accounts were not disabled. Which of the following should be the IS auditor's NEXT step?

Options:

A.

Perform substantive testing of terminated users' access rights.

B.

Perform a review of terminated users' account activity

C.

Communicate risks to the application owner.

D.

Conclude that IT general controls ate ineffective.

Question 202

Which of the following findings from an IT governance review should be of GREATEST concern?

Options:

A.

The IT budget is not monitored

B.

All IT services are provided by third parties.

C.

IT value analysis has not been completed.

D.

IT supports two different operating systems.

Question 203

An IS auditor is conducting a review of a data center. Which of the following observations could indicate an access control Issue?

Options:

A.

Security cameras deployed outside main entrance

B.

Antistatic mats deployed at the computer room entrance

C.

Muddy footprints directly inside the emergency exit

D.

Fencing around facility is two meters high

Question 204

UESTION NO: 210

An accounting department uses a spreadsheet to calculate sensitive financial transactions. Which of the following is the MOST important control for maintaining the security of data in the spreadsheet?

Options:

A.

There Is a reconciliation process between the spreadsheet and the finance system

B.

A separate copy of the spreadsheet is routinely backed up

C.

The spreadsheet is locked down to avoid inadvertent changes

D.

Access to the spreadsheet is given only to those who require access

Question 205

Which of the following occurs during the issues management process for a system development project?

Options:

A.

Contingency planning

B.

Configuration management

C.

Help desk management

D.

Impact assessment

Question 206

An employee loses a mobile device resulting in loss of sensitive corporate data. Which o( the following would have BEST prevented data leakage?

Options:

A.

Data encryption on the mobile device

B.

Complex password policy for mobile devices

C.

The triggering of remote data wipe capabilities

D.

Awareness training for mobile device users

Question 207

Which of the following should an IS auditor consider the MOST significant risk associated with a new health records system that replaces a legacy system?

Options:

A.

Staff were not involved in the procurement process, creating user resistance to the new system.

B.

Data is not converted correctly, resulting in inaccurate patient records.

C.

The deployment project experienced significant overruns, exceeding budget projections.

D.

The new system has capacity issues, leading to slow response times for users.

Question 208

Which of the following would BEST manage the risk of changes in requirements after the analysis phase of a business application development project?

Options:

A.

Expected deliverables meeting project deadlines

B.

Sign-off from the IT team

C.

Ongoing participation by relevant stakeholders

D.

Quality assurance (OA) review

Question 209

Which of the following is the MAIN purpose of an information security management system?

Options:

A.

To identify and eliminate the root causes of information security incidents

B.

To enhance the impact of reports used to monitor information security incidents

C.

To keep information security policies and procedures up-to-date

D.

To reduce the frequency and impact of information security incidents

Question 210

An information systems security officer's PRIMARY responsibility for business process applications is to:

Options:

A.

authorize secured emergency access

B.

approve the organization's security policy

C.

ensure access rules agree with policies

D.

create role-based rules for each business process

Question 211

Which of the following represents the HIGHEST level of maturity of an information security program?

Options:

A.

A training program is in place to promote information security awareness.

B.

A framework is in place to measure risks and track effectiveness.

C.

Information security policies and procedures are established.

D.

The program meets regulatory and compliance requirements.

Question 212

IT disaster recovery time objectives (RTOs) should be based on the:

Options:

A.

maximum tolerable loss of data.

B.

nature of the outage

C.

maximum tolerable downtime (MTD).

D.

business-defined criticality of the systems.

Question 213

Which of the following provides the MOST assurance over the completeness and accuracy ol loan application processing with respect to the implementation of a new system?

Options:

A.

Comparing code between old and new systems

B.

Running historical transactions through the new system

C.

Reviewing quality assurance (QA) procedures

D.

Loading balance and transaction data to the new system

Question 214

Which of the following environments is BEST used for copying data and transformation into a compatible data warehouse format?

Options:

A.

Testing

B.

Replication

C.

Staging

D.

Development

Question 215

Which of the following is a social engineering attack method?

Options:

A.

An employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone.

B.

A hacker walks around an office building using scanning tools to search for a wireless network to gain access.

C.

An intruder eavesdrops and collects sensitive information flowing through the network and sells it to third parties.

D.

An unauthorized person attempts to gain access to secure premises by following an authorized person through a secure door.

Question 216

Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system. Which of the following is the IS auditor's BEST recommendation for a compensating control?

Options:

A.

Require written authorization for all payment transactions

B.

Restrict payment authorization to senior staff members.

C.

Reconcile payment transactions with invoices.

D.

Review payment transaction history

Question 217

Which of the following BEST protects an organization's proprietary code during a joint-development activity involving a third party?

Options:

A.

Statement of work (SOW)

B.

Nondisclosure agreement (NDA)

C.

Service level agreement (SLA)

D.

Privacy agreement

Question 218

When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor's BEST recommendation is to place an intrusion detection system (IDS) between the firewall and:

Options:

A.

the organization's web server.

B.

the demilitarized zone (DMZ).

C.

the organization's network.

D.

the Internet

Question 219

Which of the following activities provides an IS auditor with the MOST insight regarding potential single person dependencies that might exist within the organization?

Options:

A.

Reviewing vacation patterns

B.

Reviewing user activity logs

C.

Interviewing senior IT management

D.

Mapping IT processes to roles

Question 220

An IS auditor Is reviewing a recent security incident and is seeking information about me approval of a recent modification to a database system's security settings Where would the auditor MOST likely find this information?

Options:

A.

System event correlation report

B.

Database log

C.

Change log

D.

Security incident and event management (SIEM) report

Question 221

When auditing the alignment of IT to the business strategy, it is MOST Important for the IS auditor to:

Options:

A.

compare the organization's strategic plan against industry best practice.

B.

interview senior managers for their opinion of the IT function.

C.

ensure an IT steering committee is appointed to monitor new IT projects.

D.

evaluate deliverables of new IT initiatives against planned business services.

Question 222

An IS auditor learns the organization has experienced several server failures in its distributed environment. Which of the following is the BEST recommendation to limit the potential impact of server failures in the future?

Options:

A.

Redundant pathways

B.

Clustering

C.

Failover power

D.

Parallel testing

Question 223

The PRIMARY reason for an IS auditor to use data analytics techniques is to reduce which type of audit risk?

Options:

A.

Technology risk

B.

Detection risk

C.

Control risk

D.

Inherent risk

Question 224

Which of the following security risks can be reduced by a property configured network firewall?

Options:

A.

SQL injection attacks

B.

Denial of service (DoS) attacks

C.

Phishing attacks

D.

Insider attacks

Question 225

Which of the following BEST enables the timely identification of risk exposure?

Options:

A.

External audit review

B.

Internal audit review

C.

Control self-assessment (CSA)

D.

Stress testing

Question 226

An IS auditor finds that an organization's data loss prevention (DLP) system is configured to use vendor default settings to identify violations. The auditor's MAIN concern should be that:

Options:

A.

violation reports may not be reviewed in a timely manner.

B.

a significant number of false positive violations may be reported.

C.

violations may not be categorized according to the organization's risk profile.

D.

violation reports may not be retained according to the organization's risk profile.

Question 227

A now regulation requires organizations to report significant security incidents to the regulator within 24 hours of identification. Which of the following is the IS auditor’s BEST recommendation to facilitate compliance with the regulation?

Options:

A.

Establish key performance indicators (KPls) for timely identification of security incidents.

B.

Engage an external security incident response expert for incident handling.

C.

Enhance the alert functionality of the intrusion detection system (IDS).

D.

Include the requirement in the incident management response plan.

Question 228

Which of the following is MOST important to verify when determining the completeness of the vulnerability scanning process?

Options:

A.

The organization's systems inventory is kept up to date.

B.

Vulnerability scanning results are reported to the CISO.

C.

The organization is using a cloud-hosted scanning tool for Identification of vulnerabilities

D.

Access to the vulnerability scanning tool is periodically reviewed

Question 229

A project team has decided to switch to an agile approach to develop a replacement for an existing business application. Which of the following should an IS auditor do FIRST to ensure the effectiveness of the protect audit?

Options:

A.

Compare the agile process with previous methodology.

B.

Identify and assess existing agile process control

C.

Understand the specific agile methodology that will be followed.

D.

Interview business process owners to compile a list of business requirements

Question 230

Which of the following is MOST important to consider when scheduling follow-up audits?

Options:

A.

The efforts required for independent verification with new auditors

B.

The impact if corrective actions are not taken

C.

The amount of time the auditee has agreed to spend with auditors

D.

Controls and detection risks related to the observations

Question 231

An IS auditor has been asked to audit the proposed acquisition of new computer hardware. The auditor’s PRIMARY concern Is that:

Options:

A.

the implementation plan meets user requirements.

B.

a full, visible audit trail will be Included.

C.

a dear business case has been established.

D.

the new hardware meets established security standards

Question 232

During a follow-up audit, it was found that a complex security vulnerability of low risk was not resolved within the agreed-upon timeframe. IT has stated that the system with the identified vulnerability is being replaced and is expected to be fully functional in two months Which of the following is the BEST course of action?

Options:

A.

Require documentation that the finding will be addressed within the new system

B.

Schedule a meeting to discuss the issue with senior management

C.

Perform an ad hoc audit to determine if the vulnerability has been exploited

D.

Recommend the finding be resolved prior to implementing the new system

Question 233

An IS auditor is analyzing a sample of accesses recorded on the system log of an application. The auditor intends to launch an intensive investigation if one exception is found Which sampling method would be appropriate?

Options:

A.

Discovery sampling

B.

Judgmental sampling

C.

Variable sampling

D.

Stratified sampling

Question 234

Which of the following is the BEST indicator of the effectiveness of signature-based intrusion detection systems (lDS)?

Options:

A.

An increase in the number of identified false positives

B.

An increase in the number of detected Incidents not previously identified

C.

An increase in the number of unfamiliar sources of intruders

D.

An increase in the number of internally reported critical incidents

Question 235

Which of the following must be in place before an IS auditor initiates audit follow-up activities?

Options:

A.

Available resources for the activities included in the action plan

B.

A management response in the final report with a committed implementation date

C.

A heal map with the gaps and recommendations displayed in terms of risk

D.

Supporting evidence for the gaps and recommendations mentioned in the audit report

Question 236

An IS auditor is reviewing security controls related to collaboration tools for a business unit responsible for intellectual property and patents. Which of the following observations should be of MOST concern to the auditor?

Options:

A.

Training was not provided to the department that handles intellectual property and patents

B.

Logging and monitoring for content filtering is not enabled.

C.

Employees can share files with users outside the company through collaboration tools.

D.

The collaboration tool is hosted and can only be accessed via an Internet browser

Question 237

What is the MAIN reason to use incremental backups?

Options:

A.

To improve key availability metrics

B.

To reduce costs associates with backups

C.

To increase backup resiliency and redundancy

D.

To minimize the backup time and resources

Question 238

For an organization that has plans to implement web-based trading, it would be MOST important for an IS auditor to verify the organization's information security plan includes:

Options:

A.

attributes for system passwords.

B.

security training prior to implementation.

C.

security requirements for the new application.

D.

the firewall configuration for the web server.

Question 239

During an exit interview, senior management disagrees with some of me facts presented m the draft audit report and wants them removed from the report. Which of the following would be the auditor's BEST course of action?

Options:

A.

Revise the assessment based on senior management's objections.

B.

Escalate the issue to audit management.

C.

Finalize the draft audit report without changes.

D.

Gather evidence to analyze senior management's objections

Question 240

The IS auditor has recommended that management test a new system before using it in production mode. The BEST approach for management in developing a test plan is to use processing parameters that are:

Options:

A.

randomly selected by a test generator.

B.

provided by the vendor of the application.

C.

randomly selected by the user.

D.

simulated by production entities and customers.

Question 241

When a data center is attempting to restore computing facilities at an alternative site following a disaster, which of the following should be restored FIRST?

Options:

A.

Data backups

B.

Decision support system

C.

Operating system

D.

Applications

Question 242

Which of the following is the BEST compensating control against segregation of duties conflicts in new code development?

Options:

A.

Adding the developers to the change approval board

B.

A small number of people have access to deploy code

C.

Post-implementation change review

D.

Creation of staging environments

Question 243

Which of the following BEST facilitates strategic program management?

Options:

A.

Implementing stage gates

B.

Establishing a quality assurance (QA) process

C.

Aligning projects with business portfolios

D.

Tracking key project milestones

Question 244

Which of the following is the MOST important consideration for a contingency facility?

Options:

A.

The contingency facility has the same badge access controls as the primary site.

B.

Both the contingency facility and the primary site have the same number of business assets in their inventory.

C.

The contingency facility is located a sufficient distance away from the primary site.

D.

Both the contingency facility and the primary site are easily identifiable.

Question 245

Which of the following is the MOST effective control over visitor access to highly secured areas?

Options:

A.

Visitors are required to be escorted by authorized personnel.

B.

Visitors are required to use biometric authentication.

C.

Visitors are monitored online by security cameras

D.

Visitors are required to enter through dead-man doors.

Question 246

Which of the following is the MOST important advantage of participating in beta testing of software products?

Options:

A.

It increases an organization's ability to retain staff who prefer to work with new technology.

B.

It improves vendor support and training.

C.

It enhances security and confidentiality.

D.

It enables an organization to gain familiarity with new products and their functionality.

Question 247

What should an IS auditor recommend to management as the MOST important action before selecting a Software as a Service (SaaS) vendor?

Options:

A.

Determine service level requirements.

B.

Complete a risk assessment.

C.

Perform a business impact analysis (BIA)

D.

Conduct a vendor audit.

Question 248

A security administrator is called in the middle of the night by the on-call programmer A number of programs have failed, and the programmer has asked for access to the live system. What IS the BEST course of action?

Options:

A.

Require that a change request be completed and approved

B.

Give the programmer an emergency ID for temporary access and review the activity

C.

Give the programmer read-only access to investigate the problem

D.

Review activity logs the following day and investigate any suspicious activity

Question 249

Which of the following is MOST important to ensure when developing an effective security awareness program?

Options:

A.

Training personnel are information security professionals.

B.

Outcome metrics for the program are established.

C.

Security threat scenarios are included in the program content.

D.

Phishing exercises are conducted post-training

Question 250

Which of the following is MOST important to include in security awareness training?

Options:

A.

How to respond to various types of suspicious activity

B.

The importance of complex passwords

C.

Descriptions of the organization's security infrastructure

D.

Contact information for the organization's security team

Question 251

An organization is concerned about duplicate vendor payments on a complex system with a high volume of transactions. Which of the following would be MOST helpful to an IS auditor to determine whether duplicate vendor payments exist?

Options:

A.

Computer-assisted technique

B.

Stratified sampling

C.

Statistical sampling

D.

Process walk-through

Question 252

An IS auditor reviewing the database controls for a new e-commerce system discovers a security weakness in the database configuration. Which of the following should be the IS auditor's NEXT course of action?

Options:

A.

Identify existing mitigating controls.

B.

Disclose the findings to senior management.

C.

Assist in drafting corrective actions.

D.

Attempt to exploit the weakness.

Question 253

Which of the following is the BEST point in time to conduct a post-implementation review?

Options:

A.

After a full processing cycle

B.

Immediately after deployment

C.

After the warranty period

D.

Prior to the annual performance review

Question 254

Which of the following would the IS auditor MOST likely review to determine whether modifications to the operating system parameters were authorized?

Options:

A.

Documentation of exit routines

B.

System initialization logs

C.

Change control log

D.

Security system parameters

Question 255

An organization's security team created a simulated production environment with multiple vulnerable applications. What would be the PRIMARY purpose of creating such an environment?

Options:

A.

To test the intrusion detection system (IDS)

B.

To provide training to security managers

C.

To collect digital evidence of cyberattacks

D.

To attract attackers in order to study their behavior

Question 256

An organization that operates an e-commerce website wants to provide continuous service to its customers and is planning to invest in a hot site due to service criticality. Which of the following is the MOST important consideration when making this decision?

Options:

A.

Maximum tolerable downtime (MTD)

B.

Recovery time objective (RTO)

C.

Recovery point objective (RPO)

D.

Mean time to repair (MTTR)

Question 257

Which of the following is the BEST sampling method to use when relatively few errors are expected to be found in a population?

Options:

A.

Variable sampling

B.

Judgmental sampling

C.

Stop-or-go sampling

D.

Discovery sampling

Question 258

Which of the following approaches will ensure recovery time objectives (RTOs) are met for an organization's disaster recovery plan (DRP)?

Options:

A.

Performing a cyber resilience test

B.

Performing a full interruption test

C.

Performing a tabletop test

D.

Performing a parallel test

Question 259

Which of the following would be an IS auditor's GREATEST concern when reviewing the organization's business continuity plan (BCP)?

Options:

A.

The recovery plan does not contain the process and application dependencies.

B.

The duration of tabletop exercises is longer than the recovery point objective (RPO).

C.

The duration of tabletop exercises is longer than the recovery time objective (RTO).

D.

The recovery point objective (RPO) and recovery time objective (R TO) are not the same.

Question 260

An organization has recently become aware of a pervasive chip-level security vulnerability that affects all of its processors. Which of the following is the BEST way to prevent this vulnerability from being exploited?

Options:

A.

Implement security awareness training.

B.

Install vendor patches

C.

Review hardware vendor contracts.

D.

Review security log incidents.

Question 261

An organization has shifted from a bottom-up approach to a top-down approach in the development of IT policies. This should result in:

Options:

A.

greater consistency across the organization.

B.

a synthesis of existing operational policies.

C.

a more comprehensive risk assessment plan.

D.

greater adherence to best practices.

Question 262

An IS auditor discovers that validation controls in a web application have been moved from the server side into the browser to boost performance. This would MOST likely increase the risk of a successful attack by:

Options:

A.

structured query language (SQL) injection

B.

buffer overflow.

C.

denial of service (DoS).

D.

phishing.

Question 263

An IS audit manager was temporarily tasked with supervising a project manager assigned to the organization's payroll application upgrade. Upon returning to the audit department, the audit manager has been asked to perform an audit to validate the implementation of the payroll application. The audit manager is the only one in the audit department with IT project management

experience. What is the BEST course of action?

Options:

A.

Transfer the assignment to a different audit manager despite lack of IT project management experience.

B.

Outsource the audit to independent and qualified resources.

C.

Manage the audit since there is no one else with the appropriate experience.

D.

Have a senior IS auditor manage the project with the IS audit manager performing final review.

Question 264

To ensure confidentiality through the use of asymmetric encryption, a message is encrypted with which of the following?

Options:

A.

Recipient's public key

B.

Sender's private key

C.

Sender's public key

D.

Recipient's private key

Question 265

Which of the following BEST supports the effectiveness of a compliance program?

Options:

A.

Implementing an awareness plan regarding compliance regulation requirements

B.

Implementing a governance, risk, and compliance (GRC) tool to track compliance to regulations

C.

Assessing and tracking all compliance audit findings

D.

Monitoring which compliance regulations apply to the organization

Question 266

Which of the following is an example of a preventive control for physical access?

Options:

A.

Keeping log entries for all visitors to the building

B.

Implementing a fingerprint-based access control system for the building

C.

Installing closed-circuit television (CCTV) cameras for all ingress and egress points

D.

Implementing a centralized logging server to record instances of staff logging into workstations

Question 267

An organization has an acceptable use policy in place, but users do not formally acknowledge the policy. Which of the following is the MOST significant risk from this finding?

Options:

A.

Lack of data for measuring compliance

B.

Violation of industry standards

C.

Noncompliance with documentation requirements

D.

Lack of user accountability

Question 268

During planning for a cloud service audit, audit management becomes aware that the assigned IS auditor is unfamiliar with the technologies in use and their associated risks to the business. To ensure audit quality, which of the following actions should audit management consider FIRST?

Options:

A.

Conduct a follow-up audit after a suitable period has elapsed.

B.

Reschedule the audit assignment for the next financial year.

C.

Reassign the audit to an internal audit subject matter expert.

D.

Extend the duration of the audit to give the auditor more time.

Question 269

Which of the following is MOST useful when planning to audit an organization's compliance with cybersecurity regulations in foreign countries?

Options:

A.

Prioritize the audit to focus on the country presenting the greatest amount of operational risk.

B.

Follow the cybersecurity regulations of the country with the most stringent requirements.

C.

Develop a template that standardizes the reporting of findings from each country's audit team

D.

Map the different regulatory requirements to the organization's IT governance framework

Question 270

Following the sale of a business division, employees will be transferred to a new organization, but they will retain access to IT equipment from the previous employer. An IS auditor has recommended that both organizations agree to and document an acceptable use policy for the equipment. What type of control has been recommended?

Options:

A.

Detective control

B.

Preventive control

C.

Directive control

D.

Corrective control

Question 271

Which of the following would present the GREATEST concern during a review of internal audit quality assurance (QA) and continuous improvement processes?

Options:

A.

The audit program does not involve periodic engagement with external assessors.

B.

Quarterly reports are not distributed to the audit committee.

C.

Results of corrective actions are not tracked consistently.

D.

Substantive testing is not performed during the assessment phase of some audits.

Question 272

An IS auditor is reviewing a contract for the outsourcing of IT facilities. If missing, which of the following should present the GREATEST concern to the auditor?

Options:

A.

Hardware configurations

B.

Access control requirements

C.

Help desk availability

D.

Perimeter network security diagram

Question 273

Several unattended laptops containing sensitive customer data were stolen from personnel offices Which of the following would be an IS auditor's BEST recommendation to protect data in case of recurrence?

Options:

A.

Encrypt the disk drive.

B.

Require two-factor authentication

C.

Enhance physical security

D.

Require the use of cable locks

Question 274

In a high-volume, real-time system, the MOST effective technique by which to continuously monitor and analyze transaction processing is:

Options:

A.

integrated test facility (ITF).

B.

parallel simulation.

C.

transaction tagging.

D.

embedded audit modules.

Question 275

If a source code is not recompiled when program changes are implemented, which of the following is a compensating control to ensure synchronization of source and object?

Options:

A.

Comparison of object and executable code

B.

Review of audit trail of compile dates

C.

Comparison of date stamping of source and object code

D.

Review of developer comments in executable code

Question 276

An IS auditor is evaluating an enterprise resource planning (ERP) migration from local systems to the cloud. Who should be responsible for the data

classification in this project?

Options:

A.

Information security officer

B.

Database administrator (DBA)

C.

Information owner

D.

Data architect

Question 277

Which of the following findings would be of GREATEST concern to an IS auditor assessing an organization's patch management process?

Options:

A.

The organization's software inventory is not complete.

B.

Applications frequently need to be rebooted for patches to take effect.

C.

Software vendors are bundling patches.

D.

Testing patches takes significant time.

Question 278

The record-locking option of a database management system (DBMS) serves to.

Options:

A.

eliminate the risk of concurrent updates to a record

B.

allow database administrators (DBAs) to record the activities of users.

C.

restrict users from changing certain values within records.

D.

allow users to lock others out of their files.

Question 279

Which of the following is MOST critical to the success of an information security program?

Options:

A.

User accountability for information security

B.

Management's commitment to information security

C.

Integration of business and information security

D.

Alignment of information security with IT objectives

Question 280

In an organization's feasibility study to acquire hardware to support a new web server, omission of which of the following would be of MOST concern?

Options:

A.

Alternatives for financing the acquisition

B.

Financial stability of potential vendors

C.

Reputation of potential vendors

D.

Cost-benefit analysis of available products

Question 281

A transaction processing system interfaces with the general ledger. Data analytics has identified that some transactions are being recorded twice in the general ledger. While management states a system fix has been implemented, what should the IS auditor recommend to validate the interface is working in the future?

Options:

A.

Perform periodic reconciliations.

B.

Ensure system owner sign-off for the system fix.

C.

Conduct functional testing.

D.

Improve user acceptance testing (UAT).

Question 282

An IS audit review identifies inconsistencies in privacy requirements across third-party service provider contracts. Which of the following is the BEST

recommendation to address this situation?

Options:

A.

Suspend contracts with third-party providers that handle sensitive data.

B.

Prioritize contract amendments for third-party providers.

C.

Review privacy requirements when contracts come up for renewal.

D.

Require third-party providers to sign nondisclosure agreements (NDAs).

Question 283

Which of the following is the MOST important area of focus for an IS auditor when developing a risk-based audit strategy?

Options:

A.

Critical business applications

B.

Business processes

C.

Existing IT controls

D.

Recent audit results

Question 284

An IS auditor reviewing a job scheduling tool notices performance and reliability problems. Which of the following is MOST likely affecting the tool?

Options:

A.

Administrator passwords do not meet organizational security and complexity requirements.

B.

The number of support staff responsible for job scheduling has been reduced.

C.

The scheduling tool was not classified as business-critical by the IT department.

D.

Maintenance patches and the latest enhancement upgrades are missing.

Question 285

Which of the following would be of GREATEST concern to an IS auditor reviewing an IT strategy document?

Options:

A.

Target architecture is defined at a technical level.

B.

The previous year's IT strategic goals were not achieved.

C.

Strategic IT goals are derived solely from the latest market trends.

D.

Financial estimates of new initiatives are disclosed within the document.

Question 286

Which of the following is the MAIN risk associated with adding a new system functionality during the development phase without following a project change

management process?

Options:

A.

The added functionality has not been documented.

B.

The new functionality may not meet requirements.

C.

The project may fail to meet the established deadline.

D.

The project may go over budget.

Question 287

During the review of a system disruption incident, an IS auditor notes that IT support staff were put in a position to make decisions beyond their level of authority.

Which of the following is the BEST recommendation to help prevent this situation in the future?

Options:

A.

Introduce escalation protocols.

B.

Develop a competency matrix.

C.

Implement fallback options.

D.

Enable an emergency access ID.

Question 288

An IT strategic plan that BEST leverages IT in achieving organizational goals will include:

Options:

A.

a comparison of future needs against current capabilities.

B.

a risk-based ranking of projects.

C.

enterprise architecture (EA) impacts.

D.

IT budgets linked to the organization's budget.

Question 289

Which of the following is the MOST important control for virtualized environments?

Options:

A.

Regular updates of policies for the operation of the virtualized environment

B.

Hardening for the hypervisor and guest machines

C.

Redundancy of hardware resources and network components

D.

Monitoring utilization of resources at the guest operating system level

Question 290

Which of the following is the BEST indication of effective governance over IT infrastructure?

Options:

A.

The ability to deliver continuous, reliable performance

B.

A requirement for annual security awareness programs

C.

An increase in the number of IT infrastructure servers

D.

A decrease in the number of information security incidents

Question 291

An IS auditor is reviewing the backup procedures in an organization that has high volumes of data with frequent changes to transactions. Which of the following is the BEST backup scheme to recommend given the need for a shorter restoration time in the event of a disruption?

Options:

A.

Differential backup

B.

Full backup

C.

Incremental backup

D.

Mirror backup

Question 292

An organization has partnered with a third party to transport backup drives to an offsite storage facility. Which of the following is MOST important before sending the drives?

Options:

A.

Creating a chain of custody to accompany the drive in transit

B.

Ensuring data protection is aligned with the data classification policy

C.

Encrypting the drive with strong protection standards

D.

Ensuring the drive is placed in a tamper-evident mechanism

Question 293

An organization has assigned two new IS auditors to audit a new system implementation. One of the auditors has an IT-related degree, and one has a business degree. Which of the following is MOST important to meet the IS audit standard for proficiency?

Options:

A.

Team member assignments must be based on individual competencies

B.

Technical co-sourcing must be used to help the new staff

C.

The standard is met as long as one member has a globally recognized audit certification.

D.

The standard is met as long as a supervisor reviews the new auditors' work

Question 294

What is the PRIMARY reason for an organization to classify the data stored on its internal networks?

Options:

A.

To determine data retention policy

B.

To implement data protection requirements

C.

To comply with the organization's data policies

D.

To follow industry best practices

Question 295

An IS audit reveals that an organization operating in business continuity mode during a pandemic situation has not performed a simulation test of the

business continuity plan (BCP). Which of the following is the auditor's BEST course of action?

Options:

A.

Confirm the BCP has been recently updated.

B.

Review the effectiveness of the business response.

C.

Raise an audit issue for the lack of simulated testing.

D.

Interview staff members to obtain commentary on the BCP's effectiveness.

Question 296

An IS auditor is providing input to an RFP to acquire a financial application system. Which of the following is MOST important for the auditor to recommend?

Options:

A.

The application should meet the organization's requirements.

B.

Audit trails should be included in the design.

C.

Potential suppliers should have experience in the relevant area.

D.

Vendor employee background checks should be conducted regularly.

Question 297

Which of the following is the BEST way to identify whether the IT help desk is meeting service level agreements (SLAS)?

Options:

A.

Review exception reports

B.

Review IT staffing schedules.

C.

Analyze help desk ticket logs

D.

Conduct IT management interviews

Question 298

Which of the following is the MOST important responsibility of data owners when implementing a data classification process?

Options:

A.

Reviewing emergency changes to data

B.

Authorizing application code changes

C.

Determining appropriate user access levels

D.

Implementing access rules over database tables

Question 299

Which of the following is the MOST effective accuracy control for entry of a valid numeric part number?

Options:

A.

Hash totals

B.

Online review of description

C.

Comparison to historical order pattern

D.

Self-checking digit

Question 300

An IS auditor found that a company executive is encouraging employee use of social networking sites for business purposes. Which of the following recommendations would BEST help to reduce the risk of data leakage?

Options:

A.

Requiring policy acknowledgment and nondisclosure agreements signed by employees

B.

Providing education and guidelines to employees on use of social networking sites

C.

Establishing strong access controls on confidential data

D.

Monitoring employees' social networking usage

Question 301

Which of the following issues associated with a data center's closed-circuit television (CCTV) surveillance cameras should be of MOST concern to an IS auditor?

Options:

A.

CCTV recordings are not regularly reviewed.

B.

CCTV cameras are not installed in break rooms

C.

CCTV records are deleted after one year.

D.

CCTV footage is not recorded 24 x 7.

Question 302

Which of the following would BEST ensure that a backup copy is available for restoration of mission critical data after a disaster''

Options:

A.

Use an electronic vault for incremental backups

B.

Deploy a fully automated backup maintenance system.

C.

Periodically test backups stored in a remote location

D.

Use both tape and disk backup systems

Question 303

Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization's information security policy?

Options:

A.

IT steering committee minutes

B.

Business objectives

C.

Alignment with the IT tactical plan

D.

Compliance with industry best practice

Question 304

An IS auditor finds that one employee has unauthorized access to confidential data. The IS auditor's BEST recommendation should be to:

Options:

A.

reclassify the data to a lower level of confidentiality

B.

require the business owner to conduct regular access reviews.

C.

implement a strong password schema for users.

D.

recommend corrective actions to be taken by the security administrator.

Question 305

An IS auditor is reviewing logical access controls for an organization's financial business application Which of the following findings should be of GREATEST concern to the auditor?

Options:

A.

Users are not required to change their passwords on a regular basis

B.

Management does not review application user activity logs

C.

User accounts are shared between users

D.

Password length is set to eight characters

Question 306

Which of the following is the BEST way to ensure that business continuity plans (BCPs) will work effectively in the event of a major disaster?

Options:

A.

Prepare detailed plans for each business function.

B.

Involve staff at all levels in periodic paper walk-through exercises.

C.

Regularly update business impact assessments.

D.

Make senior managers responsible for their plan sections.

Question 307

Which of the following would be of GREATEST concern when reviewing an organization's security information and event management (SIEM) solution?

Options:

A.

SIEM reporting is customized.

B.

SIEM configuration is reviewed annually

C.

The SIEM is decentralized.

D.

SIEM reporting is ad hoc.

Question 308

Which of the following is the BEST way to ensure that an application is performing according to its specifications?

Options:

A.

Unit testing

B.

Pilot testing

C.

System testing

D.

Integration testing

Question 309

Which of the following would BEST enable an organization to address the security risks associated with a recently implemented bring your own device (BYOD) strategy?

Options:

A.

Mobile device tracking program

B.

Mobile device upgrade program

C.

Mobile device testing program

D.

Mobile device awareness program

Question 310

What is the GREATEST concern for an IS auditor reviewing contracts for licensed software that executes a critical business process?

Options:

A.

The contract does not contain a right-to-audit clause.

B.

An operational level agreement (OLA) was not negotiated.

C.

Several vendor deliverables missed the commitment date.

D.

Software escrow was not negotiated.

Question 311

Which of the following is the BEST way to mitigate the risk associated with unintentional modifications of complex calculations in end-user computing (EUC)?

Options:

A.

Have an independent party review the source calculations

B.

Execute copies of EUC programs out of a secure library

C.

implement complex password controls

D.

Verify EUC results through manual calculations

Question 312

An organization has made a strategic decision to split into separate operating entities to improve profitability. However, the IT infrastructure remains shared between the entities. Which of the following would BEST help to ensure that IS audit still covers key risk areas within the IT environment as part of its annual plan?

Options:

A.

Increasing the frequency of risk-based IS audits for each business entity

B.

Developing a risk-based plan considering each entity's business processes

C.

Conducting an audit of newly introduced IT policies and procedures

D.

Revising IS audit plans to focus on IT changes introduced after the split

Question 313

Which of the following backup schemes is the BEST option when storage media is limited?

Options:

A.

Real-time backup

B.

Virtual backup

C.

Differential backup

D.

Full backup

Question 314

Which of the following would an IS auditor recommend as the MOST effective preventive control to reduce the risk of data leakage?

Options:

A.

Ensure that paper documents arc disposed security.

B.

Implement an intrusion detection system (IDS).

C.

Verify that application logs capture any changes made.

D.

Validate that all data files contain digital watermarks

Question 315

Which of the following would BEST detect that a distributed denial of service (DDoS) attack is occurring?

Options:

A.

Customer service complaints

B.

Automated monitoring of logs

C.

Server crashes

D.

Penetration testing

Question 316

A system administrator recently informed the IS auditor about the occurrence of several unsuccessful intrusion attempts from outside the organization. Which of the following is MOST effective in detecting such an intrusion?

Options:

A.

Using smart cards with one-time passwords

B.

Periodically reviewing log files

C.

Configuring the router as a firewall

D.

Installing biometrics-based authentication

Question 317

An audit has identified that business units have purchased cloud-based applications without IPs support. What is the GREATEST risk associated with this situation?

Options:

A.

The applications are not included in business continuity plans (BCFs)

B.

The applications may not reasonably protect data.

C.

The application purchases did not follow procurement policy.

D.

The applications could be modified without advanced notice.

Question 318

Which of the following is the BEST control lo mitigate attacks that redirect Internet traffic to an unauthorized website?

Options:

A.

Utilize a network-based firewall.

B.

Conduct regular user security awareness training.

C.

Perform domain name system (DNS) server security hardening.

D.

Enforce a strong password policy meeting complexity requirement.

Question 319

If enabled within firewall rules, which of the following services would present the GREATEST risk?

Options:

A.

Simple mail transfer protocol (SMTP)

B.

Simple object access protocol (SOAP)

C.

Hypertext transfer protocol (HTTP)

D.

File transfer protocol (FTP)

Question 320

An IS auditor finds that application servers had inconsistent security settings leading to potential vulnerabilities. Which of the following is the BEST recommendation by the IS auditor?

Options:

A.

Improve the change management process

B.

Establish security metrics.

C.

Perform a penetration test

D.

Perform a configuration review

Question 321

Which of the following IT service management activities is MOST likely to help with identifying the root cause of repeated instances of network latency?

Options:

A.

Change management

B.

Problem management

C.

incident management

D.

Configuration management

Question 322

An IS auditor follows up on a recent security incident and finds the incident response was not adequate. Which of the following findings should be considered MOST critical?

Options:

A.

The security weakness facilitating the attack was not identified.

B.

The attack was not automatically blocked by the intrusion detection system (IDS).

C.

The attack could not be traced back to the originating person.

D.

Appropriate response documentation was not maintained.

Question 323

An IS auditor has completed the fieldwork phase of a network security review and is preparing the initial following findings should be ranked as the HIGHEST risk?

Options:

A.

Network penetration tests are not performed

B.

The network firewall policy has not been approved by the information security officer.

C.

Network firewall rules have not been documented.

D.

The network device inventory is incomplete.

Question 324

An IS auditor notes that the previous year's disaster recovery test was not completed within the scheduled time frame due to insufficient hardware allocated by a third-party vendor. Which of the following provides the BEST evidence that adequate resources are now allocated to successfully recover the systems?

Options:

A.

Service level agreement (SLA)

B.

Hardware change management policy

C.

Vendor memo indicating problem correction

D.

An up-to-date RACI chart

Question 325

When verifying the accuracy and completeness of migrated data for a new application system replacing a legacy system. It is MOST effective for an IS auditor to review;

Options:

A.

data analytics findings.

B.

audit trails

C.

acceptance lasting results

D.

rollback plans

Question 326

An IS auditor finds that the process for removing access for terminated employees is not documented What is the MOST significant risk from this observation?

Options:

A.

Procedures may not align with best practices

B.

Human resources (HR) records may not match system access.

C.

Unauthorized access cannot he identified.

D.

Access rights may not be removed in a timely manner.

Question 327

An IS auditor discovers that an IT organization serving several business units assigns equal priority to all initiatives, creating a risk of delays in securing project funding Which of the following would be MOST helpful in matching demand for projects and services with available resources in a way that supports business objectives?

Options:

A.

Project management

B.

Risk assessment results

C.

IT governance framework

D.

Portfolio management

Question 328

The PRIMARY objective of value delivery in reference to IT governance is to:

Options:

A.

promote best practices

B.

increase efficiency.

C.

optimize investments.

D.

ensure compliance.

Question 329

Which of the following security measures will reduce the risk of propagation when a cyberattack occurs?

Options:

A.

Perimeter firewall

B.

Data loss prevention (DLP) system

C.

Web application firewall

D.

Network segmentation

Question 330

During audit framework. an IS auditor teams that employees are allowed to connect their personal devices to company-owned computers. How can the auditor BEST validate that appropriate security controls are in place to prevent data loss?

Options:

A.

Conduct a walk-through to view results of an employee plugging in a device to transfer confidential data.

B.

Review compliance with data loss and applicable mobile device user acceptance policies.

C.

Verify the data loss prevention (DLP) tool is properly configured by the organization.

D.

Verify employees have received appropriate mobile device security awareness training.

Question 331

A credit card company has decided to outsource the printing of customer statements It Is MOST important for the company to verify whether:

Options:

A.

the provider has alternate service locations.

B.

the contract includes compensation for deficient service levels.

C.

the provider's information security controls are aligned with the company's.

D.

the provider adheres to the company's data retention policies.

Question 332

An organization is disposing of a system containing sensitive data and has deleted all files from the hard disk. An IS auditor should be concerned because:

Options:

A.

deleted data cannot easily be retrieved.

B.

deleting the files logically does not overwrite the files' physical data.

C.

backup copies of files were not deleted as well.

D.

deleting all files separately is not as efficient as formatting the hard disk.

Question 333

When reviewing a data classification scheme, it is MOST important for an IS auditor to determine if.

Options:

A.

each information asset is to a assigned to a different classification.

B.

the security criteria are clearly documented for each classification

C.

Senior IT managers are identified as information owner.

D.

the information owner is required to approve access to the asset

Question 334

An IS auditor is reviewing processes for importing market price data from external data providers. Which of the following findings should the auditor consider MOST critical?

Options:

A.

The quality of the data is not monitored.

B.

Imported data is not disposed frequently.

C.

The transfer protocol is not encrypted.

D.

The transfer protocol does not require authentication.

Question 335

An IS auditor is reviewing documentation of application systems change control and identifies several patches that were not tested before being put into production. Which of the following is the MOST significant risk from this situation?

Options:

A.

Loss of application support

B.

Lack of system integrity

C.

Outdated system documentation

D.

Developer access 1o production

Question 336

Which of the following is the BEST way to enforce the principle of least privilege on a server containing data with different security classifications?

Options:

A.

Limiting access to the data files based on frequency of use

B.

Obtaining formal agreement by users to comply with the data classification policy

C.

Applying access controls determined by the data owner

D.

Using scripted access control lists to prevent unauthorized access to the server

Question 337

Which of the following should be of GREATEST concern to an IS auditor reviewing a network printer disposal process?

Options:

A.

Disposal policies and procedures are not consistently implemented

B.

Evidence is not available to verify printer hard drives have been sanitized prior to disposal.

C.

Business units are allowed to dispose printers directly to

D.

Inoperable printers are stored in an unsecured area.

Question 338

An IS auditor assessing the controls within a newly implemented call center would First

Options:

A.

gather information from the customers regarding response times and quality of service.

B.

review the manual and automated controls in the call center.

C.

test the technical infrastructure at the call center.

D.

evaluate the operational risk associated with the call center.

Question 339

Which of the following BEST describes an audit risk?

Options:

A.

The company is being sued for false accusations.

B.

The financial report may contain undetected material errors.

C.

Employees have been misappropriating funds.

D.

Key employees have not taken vacation for 2 years.

Question 340

Which of the following BEST enables the effectiveness of an agile project for the rapid development of a new software application?

Options:

A.

Project segments are established.

B.

The work is separated into phases.

C.

The work is separated into sprints.

D.

Project milestones are created.

Question 341

An IS auditor plans to review all access attempts to a video-monitored and proximity card-controlled communications room. Which of the following would be MOST useful to the auditor?

Options:

A.

Alarm system with CCTV

B.

Access control log

C.

Security incident log

D.

Access card allocation records

Question 342

Which of the following should an IS auditor expect to see in a network vulnerability assessment?

Options:

A.

Misconfiguration and missing updates

B.

Malicious software and spyware

C.

Zero-day vulnerabilities

D.

Security design flaws

Question 343

Which of the following is MOST important to ensure that electronic evidence collected during a forensic investigation will be admissible in future legal proceedings?

Options:

A.

Restricting evidence access to professionally certified forensic investigators

B.

Documenting evidence handling by personnel throughout the forensic investigation

C.

Performing investigative procedures on the original hard drives rather than images of the hard drives

D.

Engaging an independent third party to perform the forensic investigation

Question 344

Which of the following is the PRIMARY advantage of using visualization technology for corporate applications?

Options:

A.

Improved disaster recovery

B.

Better utilization of resources

C.

Stronger data security

D.

Increased application performance

Question 345

In response to an audit finding regarding a payroll application, management implemented a new automated control. Which of the following would be MOST helpful to the IS auditor when evaluating the effectiveness of the new control?

Options:

A.

Approved test scripts and results prior to implementation

B.

Written procedures defining processes and controls

C.

Approved project scope document

D.

A review of tabletop exercise results

Question 346

During an IT general controls audit of a high-risk area where both internal and external audit teams are reviewing the same approach to optimize resources?

Options:

A.

Leverage the work performed by external audit for the internal audit testing.

B.

Ensure both the internal and external auditors perform the work simultaneously.

C.

Request that the external audit team leverage the internal audit work.

D.

Roll forward the general controls audit to the subsequent audit year.

Question 347

in a controlled application development environment, the MOST important segregation of duties should be between the person who implements changes into the production environment and the:

Options:

A.

application programmer

B.

systems programmer

C.

computer operator

D.

quality assurance (QA) personnel

Question 348

Which of the following will BEST ensure that a proper cutoff has been established to reinstate transactions and records to their condition just prior to a computer system failure?

Options:

A.

Rotating backup copies of transaction files offsite

B.

Using a database management system (DBMS) to dynamically back-out partially processed transactions

C.

Maintaining system console logs in electronic formal

D.

Ensuring bisynchronous capabilities on all transmission lines

Question 349

What should an IS auditor do FIRST when management responses

to an in-person internal control questionnaire indicate a key internal

control is no longer effective?

Options:

A.

Determine the resources required to make the control

effective.

B.

Validate the overall effectiveness of the internal control.

C.

Verify the impact of the control no longer being effective.

D.

Ascertain the existence of other compensating controls.

Question 350

A review of Internet security disclosed that users have individual user accounts with Internet service providers (ISPs) and use these accounts for downloading business data. The organization wants to ensure that only the corporate network is used. The organization should FIRST:

Options:

A.

use a proxy server to filter out Internet sites that should not be accessed.

B.

keep a manual log of Internet access.

C.

monitor remote access activities.

D.

include a statement in its security policy about Internet use.

Question 351

What is the PRIMARY purpose of documenting audit objectives when preparing for an engagement?

Options:

A.

To address the overall risk associated with the activity under review

B.

To identify areas with relatively high probability of material problems

C.

To help ensure maximum use of audit resources during the engagement

D.

To help prioritize and schedule auditee meetings

Question 352

Which of the following is a challenge in developing a service level agreement (SLA) for network services?

Options:

A.

Establishing a well-designed framework for network servirces.

B.

Finding performance metrics that can be measured properly

C.

Ensuring that network components are not modified by the client

D.

Reducing the number of entry points into the network

Question 353

Which of the following should be the FRST step when developing a data toes prevention (DIP) solution for a large organization?

Options:

A.

Identify approved data workflows across the enterprise.

B.

Conduct a threat analysis against sensitive data usage.

C.

Create the DLP pcJc.es and templates

D.

Conduct a data inventory and classification exercise

Question 354

Which task should an IS auditor complete FIRST during the preliminary planning phase of a database security review?

Options:

A.

Perform a business impact analysis (BIA).

B.

Determine which databases will be in scope.

C.

Identify the most critical database controls.

D.

Evaluate the types of databases being used

Question 355

What would be an IS auditor's BEST recommendation upon finding that a third-party IT service provider hosts the organization's human resources (HR) system in a foreign country?

Options:

A.

Perform background verification checks.

B.

Review third-party audit reports.

C.

Implement change management review.

D.

Conduct a privacy impact analysis.

Question 356

Which of the following provides the BEST providence that outsourced provider services are being properly managed?

Options:

A.

The service level agreement (SLA) includes penalties for non-performance.

B.

Adequate action is taken for noncompliance with the service level agreement (SLA).

C.

The vendor provides historical data to demonstrate its performance.

D.

Internal performance standards align with corporate strategy.

Question 357

An audit identified that a computer system is not assigning sequential purchase order numbers to order requests. The IS auditor is conducting an audit follow-up to determine if management has reserved this finding. Which of two following is the MOST reliable follow-up procedure?

Options:

A.

Review the documentation of recant changes to implement sequential order numbering.

B.

Inquire with management if the system has been configured and tested to generate sequential order numbers.

C.

Inspect the system settings and transaction logs to determine if sequential order numbers are generated.

D.

Examine a sample of system generated purchase orders obtained from management

Question 358

Which of the following is a corrective control?

Options:

A.

Separating equipment development testing and production

B.

Verifying duplicate calculations in data processing

C.

Reviewing user access rights for segregation

D.

Executing emergency response plans

Page: 1 / 90
Total 1195 questions