
CISA Exam Dumps - Certified Information Systems Auditor

Question # 4

Which of the following would BEST enable an IS auditor to perform an audit that requires testing the full population of data?

A.

Expertise in statistical sampling of data

B.

Proficiency in the use of data analytics tools

C.

Experience in database administration

D.

Proficiency in programming and coding

Question # 5

Which of the following should be the PRIMARY audience for a third-party technical security assessment report?

A.

Operational IT management

B.

Board of directors

C.

Legal counsel

D.

External regulators

Question # 6

A maturity model can be used to aid the implementation of IT governance by identifying:

A.

improvement opportunities.

B.

accountabilities.

C.

performance drivers.

D.

critical success factors.

Question # 7

Which of the following is the MOST likely reason an organization would use Platform as a Service (PaaS)?

A.

To develop and integrate its applications

B.

To install and manage operating systems

C.

To establish a network and security architecture

D.

To operate third-party hosted applications

Question # 8

Which of the following is the MOST important consideration for building resilient systems?

A.

Eliminating single points of failure

B.

Performing periodic backups

C.

Creating disaster recovery plans (DRPs)

D.

Defining recovery point objectives (RPOs)

Question # 9

Which of the following is an IS auditor's BEST guidance regarding the use of IT frameworks?

A.

To ensure consistency throughout the organization, management should adopt a single comprehensive framework.

B.

Frameworks provide standards that enable management to benchmark against peer organizations.

C.

Frameworks encourage efficiency, provide a way to measure effectiveness, and allow for improvements

D.

Industry-specific frameworks, when available, are preferred over the more generic comprehensive frameworks.

Question # 10

An IS auditor is verifying the adequacy of an organization's internal controls and is concerned about potential circumvention of regulations. Which of the following is the BEST sampling method to use?

A.

Attribute sampling

B.

Variable sampling

C.

Random sampling

D.

Cluster sampling

Question # 11

An organization's IT security policy requires annual security awareness training for all employees. Which of the following would provide the BEST evidence of the training's effectiveness?

A.

Results of a social engineering test

B.

Interviews with employees

C.

Decreased calls to the incident response team

D.

Surveys completed by randomly selected employees

Question # 12

What would be an IS auditor’s BEST recommendation upon finding that a third-party IT service provider hosts the organization's human resources (HR) system in a foreign country?

A.

Perform background verification checks.

B.

Implement change management review.

C.

Conduct a privacy impact analysis.

D.

Review third-party audit reports.

Question # 13

Which of the following is MOST helpful for an IS auditor to review when determining the appropriateness of controls relevant to a specific audit area?

A.

Control implementation methods

B.

Control self-assessment (CSA)

C.

Enterprise architecture (EA) design

D.

Business impact analysis (BIA)

Question # 14

Which of the following is MOST likely to be detected by an IS auditor applying data analytic techniques?

A.

Potentially fraudulent invoice payments originating within the accounts payable department

B.

Completion of inappropriate cross-border transmission of personally identifiable information (PII)

C.

Unauthorized salary or benefit changes to the payroll system generated by authorized users

D.

Issues resulting from an unsecured application automatically uploading transactions to the general ledger

Question # 15

An organization implemented a cybersecurity policy last year. Which of the following is the GREATEST indicator that the policy may need to be revised?

A.

A significant increase in external attack attempts.

B.

A significant increase in authorized connections to third parties.

C.

A significant increase in cybersecurity audit findings.

D.

A significant increase in approved exceptions.

Question # 16

Cross-site scripting (XSS) attacks are BEST prevented through:

A.

use of common industry frameworks.

B.

secure coding practices.

C.

application firewall policy settings.

D.

a three-tier web architecture.

Question # 17

A new regulation in one country of a global organization has recently prohibited cross-border transfer of personal data. An IS auditor has been asked to determine the organization's level of exposure in the affected country. Which of the following would be MOST helpful in making this assessment?

A.

Reviewing data classification procedures associated with the affected jurisdiction

B.

Developing an inventory of all business entities that exchange personal data with the affected jurisdiction

C.

Identifying business processes associated with personal data exchange with the affected jurisdiction

D.

Identifying data security threats in the affected jurisdiction

Question # 18

What is the PRIMARY reason to adopt a risk-based IS audit strategy?

A.

To achieve synergy between audit and other risk management functions

B.

To identify key threats, risks, and controls for the organization

C.

To reduce the time and effort needed to perform a full audit cycle

D.

To prioritize available resources and focus on areas with significant risk

Question # 19

Which of the following is MOST important to ensure when reviewing a global organization's controls to protect data held on its IT infrastructure across all of its locations?

A.

Relevant data protection legislation and regulations for each location are adhered to.

B.

Technical capabilities exist in each location to manage the data and recovery operations.

C.

The capacity of underlying communications infrastructure in the host locations is sufficient.

D.

The threat of natural disasters in each location hosting infrastructure has been accounted for.

Question # 20

When evaluating the ability of a disaster recovery plan (DRP) to enable the recovery of IT processing capabilities, it is MOST important for the IS auditor to verify the plan is:

A.

communicated to department heads.

B.

regularly reviewed.

C.

stored at an offsite location.

D.

periodically tested.

Question # 21

Which of the following conditions would be of MOST concern to an IS auditor assessing the risk of a successful brute force attack against encrypted data at rest?

A.

Use of asymmetric encryption

B.

Random key generation

C.

Use of symmetric encryption

D.

Short key length

Question # 22

Which of the following should be the PRIMARY role of an internal audit function in the management of identified business risks?

A.

Operating the risk management framework

B.

Validating enterprise risk management (ERM)

C.

Establishing a risk appetite

D.

Establishing a risk management framework

Question # 23

Which of the following is MOST helpful in preventing a systems failure from occurring when an application is replaced using the abrupt changeover technique?

A.

Comprehensive testing

B.

Comprehensive documentation

C.

Threat and risk assessment

D.

Change management

Question # 24

Which of the following is the MOST effective approach in assessing the quality of modifications made to financial software?

A.

The quality plan will be assessed during the design phase of development

B.

An independent auditor will be engaged to undertake a pre-implementation review

C.

Independent quality assurance (QA) activities will be undertaken at various phases of the project

D.

The quality of the implemented product will be assessed during acceptance testing

Question # 25

Which of the following features of a library control software package would protect against unauthorized updating of source code?

A.

Access controls for source libraries

B.

Required approvals at each life cycle step

C.

Date and time stamping of source and object code

D.

Release-to-release comparison of source code

Question # 26

Which of the following is the BEST method to maintain an audit trail of changes made to the source code of a program?

A.

Standardize file naming conventions.

B.

Embed details within source code.

C.

Document details on a change register.

D.

Utilize automated version control.

Question # 27

Which of the following should be of GREATEST concern to an IS auditor performing a review of information security controls?

A.

The information security policy does not include mobile device provisions.

B.

The information security policy has not been approved by the chief audit executive (CAE).

C.

The information security policy has not been approved by the policy owner.

D.

The information security policy is not frequently reviewed.

Question # 28

Which of the following would be of GREATEST concern to an IS auditor reviewing backup and recovery controls?

A.

Backups are stored in an external hard drive

B.

Restores from backups are not periodically tested

C.

Backup procedures are not documented

D.

Weekly and monthly backups are stored onsite

Question # 29

The IS auditor has recommended that management test a new system before using it in production mode. The BEST approach for management in developing a test plan is to use processing parameters that are:

A.

randomly selected by the user.

B.

provided by the vendor of the application.

C.

simulated by production entities and customers.

D.

randomly selected by a test generator.

Question # 30

Which of the following should be the MOST important consideration when prioritizing the funding for competing IT projects?

A.

Quality and accuracy of the IT project inventory

B.

Senior management preferences

C.

Criteria used to determine the benefits of projects

D.

Skill and capabilities within the project management team

Question # 31

During an audit of identity and access management, an IS auditor finds that the engagement audit plan does not include the testing of controls that regulate access by third parties. Which of the following would be the auditor's BEST course of action?

A.

Plan to test these controls in another audit.

B.

Escalate the deficiency to audit management.

C.

Add testing of third-party access controls to the scope of the audit.

D.

Determine whether the risk has been identified in the planning documents.

Question # 32

An organization needs to comply with data privacy regulations forbidding the display of personally identifiable information (PII) on customer bills or receipts. However, it is a business requirement to display at least one attribute so that customers can verify the bills or receipts are intended for them. What is the BEST recommendation?

A.

Data encryption

B.

Data tokenization

C.

Data masking

D.

Data sanitization

Question # 33

An IS auditor has been asked to perform an assurance review of an organization's mobile computing security. To ensure the organization is able to centrally manage mobile devices to protect against data disclosure, it is MOST important for the auditor to determine whether:

A.

lost devices can be located remotely.

B.

a mobile security awareness training program exists.

C.

procedures for lost devices include remote wiping of data.

D.

a security policy exists for mobile devices.

Question # 34

When evaluating information security governance within an organization, which of the following findings should be of MOST concern to an IS auditor?

A.

Information security policies are updated annually

B.

The data center manager has final sign-off on security projects.

C.

The information security department has difficulty filling vacancies

D.

An information security governance audit was not conducted within the past year

Question # 35

Which of the following should an IS auditor be MOST concerned with when reviewing the IT asset disposal process?

A.

Data migration to the new asset

B.

Data stored on the asset

C.

Monetary value of the asset

D.

Certificate of destruction

Question # 36

Which of the following security risks can be reduced by a properly configured network firewall?

A.

Phishing attacks

B.

Insider attacks

C.

Denial of service (DoS) attacks

D.

SQL injection attacks

Question # 37

An incorrect version of source code was amended by a development team. This MOST likely indicates a weakness in:

A.

incident management.

B.

project management.

C.

change management.

D.

quality assurance (QA).

Question # 38

Which cloud deployment model is MOST likely to be limited in scalability?

A.

Hybrid

B.

Private

C.

Public

D.

Community

Question # 39

The operations team of an organization has reported an IS security attack. Which of the following should be the FIRST step for the security incident response team?

A.

Document lessons learned.

B.

Perform a damage assessment.

C.

Report results to management.

D.

Prioritize resources for corrective action.

Question # 40

Which of the following would lead an IS auditor to conclude that the evidence collected during a digital forensic investigation would not be admissible in court?

A.

The evidence was not fully backed up using a cloud-based solution prior to the trial.

B.

The evidence was collected by the internal forensics team.

C.

The logs failed to identify the person handling the evidence.

D.

The person who collected the evidence is not qualified to represent the case.

Question # 41

Which of the following responsibilities of an organization's quality assurance (QA) function should raise concern for an IS auditor?

A.

Ensuring the test work supports observations

B.

Updating development methodology

C.

Ensuring standards are adhered to within the development process

D.

Implementing solutions to correct defects

Question # 42

Which of the following encryption methods offers the BEST wireless security?

A.

Secure Sockets Layer (SSL)

B.

Wi-Fi Protected Access 2 (WPA2)

C.

Wired equivalent privacy (WEP)

D.

Data encryption standard (DES)

Question # 43

Which of the following is the BEST source of information for an IS auditor to use when determining whether an organization's information security policy is adequate?

A.

Penetration test results

B.

Risk assessment results

C.

Information security program plans

D.

Industry benchmarks

Question # 44

Which of the following represents the HIGHEST level of maturity of an information security program?

A.

A framework is in place to measure risks and track effectiveness.

B.

Information security policies and procedures are established

C.

The program meets regulatory and compliance requirements

D.

A training program is in place to promote information security awareness

Question # 45

An organization's software developers need access to personally identifiable information (PII) stored in a particular data format. Which of the following is the BEST way to protect this sensitive information while allowing the developers to use it in development and test environments?

A.

Data encryption

B.

Data tokenization

C.

Data abstraction

D.

Data masking

Question # 46

Which of the following is the BEST way to mitigate the risk associated with malicious changes to binary code during the software development life cycle (SDLC)?

A.

Parity check

B.

Digital envelope

C.

Segregation of duties

D.

Cryptographic hash

Question # 47

An IS auditor observes that exceptions have been approved for an organization's information security policy. Which of the following is MOST important for the auditor to confirm?

A.

Exceptions are approved by the board of directors.

B.

Exceptions are approved for predefined periods.

C.

Exceptions require changes to the policy.

D.

Exceptions do not change residual risk.

Question # 48

An organization's strategy to source certain IT functions from a Software as a Service (SaaS) provider should be approved by the:

A.

chief financial officer (CFO).

B.

IT steering committee

C.

chief risk officer (CRO)

D.

IT operations manager

Question # 49

An organization has adopted a backup and recovery strategy that involves copying on-premises virtual machine (VM) images to a cloud service provider. Which of the following provides the BEST assurance that VMs can be recovered in the event of a disaster?

A.

Periodic on-site restoration of VM images obtained from the cloud provider

B.

Inclusion of the right to audit in the cloud service provider contract

C.

Procurement of adequate storage for the VM images from the cloud service provider

D.

Existence of a disaster recovery plan (DRP) with specified roles for emergencies

Question # 50

Which of the following is the PRIMARY role of key performance indicators (KPIs) in supporting business process effectiveness?

A.

To evaluate the cost-benefit of tools implemented to monitor control performance

B.

To analyze workflows in order to optimize business processes and eliminate tasks that do not provide value

C.

To enable conclusions about the performance of the processes and target variances for follow-up analysis

D.

To assess the functionality of a software deliverable based on business processes

Question # 51

Which of the following findings should be of GREATEST concern to an IS auditor reviewing the effectiveness of an organization's problem management practices?

A.

Problem records are prioritized based on the impact of incidents.

B.

Some incidents are closed without problem resolution.

C.

Root causes are not adequately identified.

D.

Problems are frequently escalated to management for resolution.

Question # 52

An internal IS auditor recommends that incoming accounts payable payment files be encrypted. Which type of control is the auditor recommending?

A.

Directive

B.

Detective

C.

Preventive

D.

Corrective

Question # 53

A company is using a software developer for a project. At which of the following points should the software quality assurance (QA) plan be developed?

A.

Prior to acceptance testing

B.

During the feasibility phase

C.

As part of software definition

D.

As part of the design phase

Question # 54

Which of the following backup schemes is the BEST option when storage media is limited?

A.

Virtual backup

B.

Real-time backup

C.

Full backup

D.

Differential backup

Question # 55

Which of the following implementation strategies for new applications presents the GREATEST risk during data conversion and migration from an old system to a new system?

A.

Pilot implementation

B.

Phased implementation

C.

Direct cutover

D.

Parallel simulation

Question # 56

When an organization introduces virtualization into its architecture, which of the following should be an IS auditor's PRIMARY area of focus to verify adequate protection?

A.

Shared storage space

B.

Host operating system configuration

C.

Maintenance cycles

D.

Multiple versions of the same operating system

Question # 57

Both statistical and nonstatistical sampling techniques:

A.

permit the auditor to quantify and fix the level of risk.

B.

permit the auditor to quantify the probability of error.

C.

provide each item an equal opportunity of being selected.

D.

require judgment when defining population characteristics.

Question # 58

A client/server configuration will:

A.

keep track of all the clients using the IS facilities of a service organization.

B.

limit the client/server relationship by limiting the IS facilities to a single hardware system.

C.

enhance system performance through the separation of front-end and back-end processes.

D.

optimize system performance by having a server on a front-end and clients on a host.

Question # 59

In an environment where most IT services have been outsourced, continuity planning is BEST controlled by:

A.

IT management.

B.

continuity planning specialists.

C.

business management.

D.

outsourced service provider management.

Question # 60

Which of the following is the GREATEST concern with conducting penetration testing on an internally developed application in the production environment?

A.

The testing could create application availability issues.

B.

The testing may identify only known operating system vulnerabilities.

C.

The issues identified during the testing may require significant remediation efforts.

D.

Internal security staff may not be qualified to conduct application penetration testing.

Question # 61

Which of the following is the BEST recommendation to prevent fraudulent electronic funds transfers by accounts payable employees?

A.

Independent reconciliation

B.

Periodic vendor reviews

C.

Dual control

D.

Re-keying of monetary amounts

Question # 62

An audit of the quality management system (QMS) begins with an evaluation of the:

A.

organization’s QMS policy

B.

sequence and interaction of QMS processes

C.

QMS processes and their application

D.

QMS document control procedures

Question # 63

An airline's online booking system uses an automated script that checks whether fares are within the defined threshold of what is reasonable before the fares are displayed on the website. Which type of control is in place?

A.

Preventive control

B.

Corrective control

C.

Detective control

D.

Compensating control

Question # 64

An IS auditor is assessing an organization’s data loss prevention (DLP) solution for protecting intellectual property from insider theft. Which of the following would the auditor consider MOST important for effective data protection?

A.

Creation of DLP policies and procedures

B.

Encryption of data copied to flash drives

C.

Employee training on information handling

D.

Identification and classification of sensitive data

Question # 65

An organization has recently converted its infrastructure to a virtualized environment. The GREATEST benefit related to disaster recovery is that virtualized servers:

A.

eliminate the manpower necessary to restore the server.

B.

decrease the recovery time objective (RTO).

C.

reduce the time it takes to successfully create backups.

D.

can be recreated on similar hardware faster than restoring from backups.

Question # 66

Which of the following is the BEST way to minimize the impact of a ransomware attack?

A.

Perform more frequent system backups.

B.

Maintain a regular schedule for patch updates.

C.

Provide user awareness training on ransomware attacks.

D.

Grant system access based on least privilege.

Question # 67

An organization has outsourced its data leakage monitoring to an Internet service provider (ISP). Which of the following is the BEST way for an IS auditor to determine the effectiveness of this service?

A.

Review the data leakage clause in the SLA.

B.

Verify the ISP has staff to deal with data leakage.

C.

Simulate a data leakage incident.

D.

Review the ISP's external audit report.

Question # 68

What is the PRIMARY purpose of performing a parallel run of a new system?

A.

To provide a failover plan in case of system issues.

B.

To validate the operation of the new system against its predecessor.

C.

To verify the new system can process the production load.

D.

To verify the new system provides required business functionality.

Question # 69

Which type of control is in place when an organization requires new employees to complete training on applicable privacy and data protection regulations?

A.

Preventive control

B.

Directive control

C.

Detective control

D.

Corrective control

Question # 70

What is the BEST justification for allocating more funds to implement a control for an IT asset than the actual cost of the IT asset?

A.

To protect the associated intangible business value

B.

To comply with information security best practices

C.

To avoid future audit findings

D.

To maintain the residual value of the asset

Question # 71

An audit has identified that business units have purchased cloud-based applications without IT's support. What is the GREATEST risk associated with this situation?

A.

The applications could be modified without advance notice.

B.

The application purchases did not follow procurement policy.

C.

The applications are not included in business continuity plans (BCPs).

D.

The applications may not reasonably protect data.

Question # 72

Which of the following should be the PRIMARY consideration for IT management when selecting a new information security tool that monitors suspicious file access patterns?

A.

Integration with existing architecture

B.

Ease of support and troubleshooting

C.

Data correlation and visualization capabilities

D.

Ability to contribute to key performance indicator data

Question # 73

The PRIMARY focus of audit follow-up reports should be to:

A.

assess if new risks have developed.

B.

determine if audit recommendations have been implemented.

C.

verify the completion date of the implementation.

D.

determine if past findings are still relevant.

Question # 74

Which of the following is MOST important for an IS auditor to review when evaluating the effectiveness of an organization's incident response process?

A.

Past incident response actions

B.

Results from management testing of incident response procedures

C.

Incident response staff experience and qualifications

D.

Incident response roles and responsibilities

Question # 75

During an exit interview, senior management disagrees with some of the facts presented in the draft audit report and wants them removed from the report. Which of the following would be the auditor's BEST course of action?

A.

Gather evidence to analyze senior management's objections.

B.

Finalize the draft audit report without changes.

C.

Revise the assessment based on senior management's objections.

D.

Escalate the issue to audit management.

Question # 76

The BEST way to prevent fraudulent payments is to implement segregation of duties between payment processing and:

A.

payment approval.

B.

requisition creation.

C.

vendor setup.

D.

check creation.

Question # 77

An IS auditor finds that a document related to a client has been leaked. Which of the following should be the auditor's NEXT step?

A.

Report data leakage finding to regulatory authorities

B.

Determine the classification of data leaked

C.

Report data leakage finding to senior management

D.

Notify appropriate law enforcement.

Question # 78

An IS auditor is reviewing a network diagram. Which of the following would be the BEST location for placement of a firewall?

A.

Between virtual local area networks (VLANs)

B.

At borders of network segments with different security levels

C.

Between each host and the local network switch/hub

D.

Inside the demilitarized zone (DMZ)

Question # 79

An internal audit department recently established a quality assurance (QA) program as part of its overall audit program. Which of the following activities is MOST important to include as part of the QA program requirements?

A.

Analyzing user satisfaction reports from business lines

B.

Benchmarking the QA framework to international standards

C.

Reporting QA program results to the audit committee

D.

Conducting long-term planning for internal audit staffing

Question # 80

Which of the following is the GREATEST concern associated with migrating computing resources to a cloud virtualized environment?

A.

An increase in inherent vulnerability

B.

An increase in residual risk

C.

An increase in the potential for data leakage

D.

An increase in the number of e-discovery requests

Question # 81

An organization has agreed to perform remediation related to high-risk audit findings. The remediation process involves a complex reorganization of user roles as well as the implementation of several compensating controls that may not be completed within the next audit cycle. Which of the following is the BEST way for an IS auditor to follow up on their activities?

A.

Provide management with a remediation timeline and verify adherence

B.

Schedule a review of the controls after the projected remediation date

C.

Review the progress of remediation on a regular basis

D.

Continue to audit the failed controls according to the audit schedule

Question # 82

An IS auditor is assessing the results of an organization's post-implementation review of a newly developed information system. Which of the following should be the auditor's MAIN focus?

A.

Benefits realization analysis has been completed

B.

The disaster recovery plan (DRP) has been updated

C.

The procurement contract has been closed

D.

Lessons learned have been identified

Question # 83

A company laptop has been stolen and all photos on the laptop have been published on social media. Which of the following is the IS auditor's BEST course of action?

A.

Determine if the laptop had the appropriate level of encryption

B.

Verify the organization's incident reporting policy was followed

C.

Ensure that the appropriate authorities have been notified

D.

Review the photos to determine whether they were for business or personal purposes

Question # 84

A warehouse employee of a retail company has been able to conceal the theft of inventory items by entering adjustments of either damaged or lost stock items to the inventory system. Which control would have BEST prevented this type of fraud in a retail environment?

A.

Statistical sampling of adjustment transactions

B.

Unscheduled audits of lost stock lines

C.

An edit check for the validity of the inventory transaction

D.

Separate authorization for input of transactions

Question # 85

Spreadsheets are used to calculate project cost estimates. Totals for each cost category are then keyed into the job-costing system. What is the BEST control to ensure that data are accurately entered into the system?

A.

Validity checks preventing entry of character data

B.

Reconciliation of total amounts by project

C.

Display back of project detail after entry

D.

Reasonableness checks for each cost type

Question # 86

To develop a robust data security program, the FIRST course of action should be to:

A.

perform an inventory of assets.

B.

implement data loss prevention controls.

C.

interview IT senior management.

D.

implement monitoring controls.

Question # 87

An employee has accidentally posted confidential data to the company's social media page. Which of the following is the BEST control to prevent this from recurring?

A.

Perform periodic audits of social media updates.

B.

Implement a moderator approval process.

C.

Require all updates to be made by the marketing director.

D.

Establish two-factor access control for social media accounts.

Question # 88

Which of the following human resources management practices BEST leads to the detection of fraudulent activity?

A.

Background checks

B.

Time reporting

C.

Employee code of ethics

D.

Mandatory time off

Question # 89

Which of the following is the BEST source of information for an IS auditor when planning an audit of a business application's controls?

A.

Process flow diagrams

B.

User documentation

C.

Access control lists

D.

Change control procedures

Question # 90

After an external IS audit, which of the following should be IT management's MAIN consideration when determining the prioritization of follow-up activities?

A.

The availability of the external auditors

B.

The scheduling of major changes in the control environment

C.

The materiality of the reported findings

D.

The amount of time since the initial audit was completed

Question # 91

The BEST way to determine whether programmers have permission to alter data in the production environment is by reviewing:

A.

the access control system's configuration.

B.

the access rights that have been granted.

C.

the access control system's log settings.

D.

how the latest system changes were implemented.

Question # 92

An IS auditor identifies key controls that have been overridden by management. The next step the IS auditor should take is to:

A.

Perform procedures to quantify the irregularities

B.

Withdraw from the engagement

C.

Recommend compensating controls

D.

Report the absence of key controls to regulators

Question # 93

Which of the following is the BEST sampling method when performing an audit test to determine the number of access requests without approval signatures?

A.

Attribute sampling

B.

Judgment sampling

C.

Stratified sampling

D.

Stop-or-go sampling

Question # 94

Which of the following is an objective of data transfer controls?

A.

To ensure there are sufficient dedicated resources in place to facilitate data transfer

B.

To ensure receiving data fields have been configured according to the structure of the transmitted data

C.

To ensure the data is backed up on a regular basis

D.

To ensure access control lists are accurately and completely maintained

Question # 95

Which of the following provides the MOST useful information to an IS auditor reviewing the relationships between critical business processes and IT systems?

A.

IT Portfolio Management

B.

Enterprise architecture (EA)

C.

Configuration management database (CMDB)

D.

IT Service Management

Question # 96

Which of the following is a concern associated with virtualization?

A.

Performance issues with the host could impact the guest operating systems.

B.

One host could have multiple versions of the same operating system.

C.

The physical footprint of servers could decrease within the data center.

D.

Processing capacity may be shared across multiple operating systems.

Question # 97

During the design phase of a software development project, the PRIMARY responsibility of an IS auditor is to evaluate the:

A.

future compatibility of the design.

B.

controls incorporated into the system specifications.

C.

proposed functionality of the application.

D.

development methodology employed.

Question # 98

Which of the following is the BEST indicator of an effective problem management process?

A.

The time to close an incident is reduced.

B.

Incidents are logged in a centralized system.

C.

Incidents are assigned to engineers immediately.

D.

The number of repeat incidents is reduced.

Question # 99

Which of the following is a benefit of increasing the use of data analytics in audits?

A.

Less time spent on verifying completeness and accuracy of the total population

B.

More time spent on analyzing the outliers identified and their root cause

C.

Less time spent on selecting adequate audit programs and scope

D.

More time spent on selecting and reviewing samples for testing

Question # 100

Which of the following should be the FIRST step in a data migration project?

A.

Creating data conversion scripts.

B.

Reviewing decisions on how processes should be conducted in the new system

C.

Completing data cleanup in the current database to eliminate inconsistencies

D.

Understanding the new system’s data structure

Question # 101

Which of the following is the GREATEST concern when using a cold backup site?

A.

Compatibility problems with existing equipment might exist.

B.

Peripheral equipment might not be sufficient to handle critical applications.

C.

It is difficult to test critical applications at the backup site.

D.

Physical security requirements at the backup site might not be met.

Question # 102

Which of the following should be the PRIMARY objective of a migration audit?

A.

Data integrity

B.

Business continuity

C.

System performance

D.

Control adequacy

Question # 103

Which of the following should an IS auditor validate FIRST when reviewing the security of an organization's IT infrastructure as it relates to Internet of Things (IoT) devices?

A.

Identification and inventory of IoT devices

B.

Access control and network segmentation for IoT devices

C.

Strong password protection for IoT devices

D.

Physical security of IoT devices

Question # 104

Which of the following should be done FIRST to effectively define the IT audit universe for an entity with multiple business lines?

A.

Identify aggregate residual IT risk for each business line.

B.

Obtain a complete listing of the entity's IT processes.

C.

Obtain a complete listing of assets fundamental to the entity's businesses.

D.

Identify key control objectives for each business line's core processes.

Question # 105

Which of the following is the BEST indicator of the effectiveness of signature-based intrusion detection systems (IDSs)?

A.

An increase in the number of internally reported critical incidents

B.

An increase in the number of detected incidents not previously identified

C.

An increase in the number of identified false positives

D.

An increase in the number of unfamiliar sources of intruders

Question # 106

Which of the following would be the MOST effective method to identify high risk areas in the business to be included in the audit plan?

A.

Review external audit reports of the business.

B.

Review industry reports to identify common risk areas.

C.

Validate current risk from poor internal audit findings.

D.

Engage with management to understand the business.

Question # 107

When planning an end-user computing (EUC) audit, it is MOST important for the IS auditor to:

A.

determine EUC materiality and complexity thresholds.

B.

evaluate EUC threats and vulnerabilities.

C.

obtain an inventory of EUC applications.

D.

evaluate the organization's EUC policy.

Question # 108

During a business process re-engineering (BPR) program, IT can assist with:

A.

segregation of duties.

B.

streamlining of tasks.

C.

total cost of ownership.

D.

focusing on value-added tasks.

Question # 109

Which of the following is the GREATEST risk associated with the use of instant messaging (IM)?

A.

Data leakage

B.

Loss of employee productivity

C.

Internet Protocol (IP) address spoofing

D.

Excess bandwidth consumption

Question # 110

A bank recently experienced fraud where unauthorized payments were inserted into the payments transaction process. An IS auditor has reviewed the application systems and databases along the processing chain but has not identified the entry point of the fraudulent transactions. Where should the auditor look NEXT?

A.

Operating system patch levels

B.

Interfaces between systems

C.

Change management repository

D.

System backup and archiving

Question # 111

An IS auditor finds that the process for removing access for terminated employees is not documented. What is the MOST significant risk from this observation?

A.

Access rights may not be removed in a timely manner

B.

Unauthorized access cannot be identified

C.

Procedures may not align with the practices

D.

HR records may not match system access

Question # 112

While reviewing an organization's business continuity plan (BCP), an IS auditor observes that a recently developed application is not included. The IS auditor should:

A.

ignore the observation as the application is not mission critical.

B.

recommend that the application be incorporated in the BCP.

C.

ensure that the criticality of the application is determined.

D.

include in the audit findings that the BCP is incomplete.

Question # 113

During an audit of a disaster recovery plan (DRP) for a critical business area, an IS auditor finds that not all critical systems are covered. What should the auditor do NEXT?

A.

Verify whether the systems are part of the business impact analysis (BIA).

B.

Evaluate the impact of not covering the systems.

C.

Evaluate the prior year's audit results regarding critical system coverage.

D.

Escalate the finding to senior management.

Question # 114

An IS audit manager was temporarily tasked with supervising a project manager assigned to the organization's payroll application upgrade. Upon returning to the audit department, the audit manager has been asked to perform an audit to validate the implementation of the payroll application. The audit manager is the only one in the audit department with IT project management experience. What is the BEST course of action?

A.

Manage the audit since there is no one else with the appropriate experience

B.

Outsource the audit to independent and qualified resources

C.

Have a senior IS auditor manage the project with the IS audit manager performing final review

D.

Transfer the assignment to a different audit manager despite lack of IT project management experience

Question # 115

Of the following, who are the MOST appropriate staff for ensuring the alignment of user authorization tables with approved authorization forms?

A.

IT managers

B.

Database administrators (DBAs)

C.

System owners

D.

Security administrators

Question # 116

Using swipe cards to limit employee access to restricted areas requires implementing which additional control?

A.

Periodic review of access profiles by management

B.

Physical sign-in of all employees for access to restricted areas

C.

Initial escort of all new hires by a current employee

D.

Employee-access criteria determined on the basis of IS experience

Question # 117

To develop meaningful recommendations for findings, which of the following is MOST important for an IS auditor to determine and understand?

A.

Root cause

B.

Criteria

C.

Responsible party

D.

Impact

Question # 118

Which of the following controls is BEST implemented through system configuration?

A.

Application user access is reviewed every 180 days for appropriateness.

B.

Computer operations personnel initiate batch processing jobs daily.

C.

Financial data in key reports is traced to source systems for completeness and accuracy.

D.

Network user accounts for temporary workers expire after 90 days.

Question # 119

Which of the following would BEST prevent the potential leakage of sensitive corporate data from personal mobile devices accessing corporate applications?

A.

Creating a separate secure partition on the devices

B.

Monitoring employee connections to the corporate network

C.

Requiring employees to sign acknowledgment of an acceptable use policy

D.

Limiting access and capabilities when connecting to the Internet

Question # 120

A review of an organization's IT portfolio revealed several applications that are not in use. The BEST way to prevent this situation from recurring would be to implement:

A.

A formal request for proposal (RFP) process

B.

Business case development procedures

C.

An information asset acquisition policy

D.

Asset life cycle management.

Question # 121

End users have been demanding the ability to use their own devices for work, but want to keep personal information out of corporate control. Which of the following would be MOST effective at reducing the risk of security incidents while satisfying end user requirements?

A.

Enable remote wipe capabilities for the devices.

B.

Encrypt corporate data on the devices.

C.

Implement an acceptable use policy.

D.

Require complex passwords.

Question # 122

Which of the following is MOST important to consider when assessing the scope of privacy concerns for an IT project?

A.

Applicable laws and regulations

B.

End user access rights

C.

Data ownership

D.

Business requirements and data flows

Question # 123

Which of the following would be MOST time and cost efficient when performing a control self-assessment (CSA) for an organization with a large number of widely dispersed employees?

A.

Facilitated workshops

B.

Survey questionnaire

C.

Face-to-face interviews

D.

Top-down and bottom-up analysis

Question # 124

Which of the following is the PRIMARY objective of baselining the IT control environment?

A.

Align IT strategy with business strategy.

B.

Detect control deviations.

C.

Define process and control ownership.

D.

Ensure IT security strategy and policies are effective.

Question # 125

Which of the following should be of GREATEST concern to an IS auditor planning to employ data analytics in an upcoming audit?

A.

Data fields are used for multiple purposes.

B.

There is no documented data model.

C.

Data is from the previous reporting period.

D.

Available data is incomplete.

Question # 126

Which of the following BEST enables system resiliency for an e-commerce organization that requires a low recovery time objective (RTO) and a low recovery point objective (RPO)?

A.

Remote backups

B.

Redundant arrays

C.

Nightly backups

D.

Mirrored sites

Question # 127

Which of the following should be of GREATEST concern to an IS auditor conducting an audit of an organization that recently experienced a ransomware attack?

A.

Backups were only performed within the local network.

B.

Employees were not trained on cybersecurity policies and procedures.

C.

The most recent security patches were not tested prior to implementation.

D.

Antivirus software was unable to prevent the attack even though it was properly updated.

Question # 128

Which of the following would be the MOST useful metric for management to consider when reviewing a project portfolio?

A.

Cost of projects divided by total IT cost

B.

Expected return divided by total project cost

C.

Net present value (NPV) of the portfolio

D.

Total cost of each project

Question # 129

When developing customer-facing IT applications, in which stage of the system development life cycle (SDLC) is it MOST beneficial to consider data privacy principles?

A.

Requirements definition

B.

User acceptance testing (UAT)

C.

Systems design and architecture

D.

Software selection and acquisition

Question # 130

An IS auditor is analysing a sample of accesses recorded in the system log of an application. The auditor intends to launch an intensive investigation if one exception is found. Which sampling method would be appropriate?

A.

Stratified sampling

B.

Variable sampling

C.

Judgemental sampling

D.

Discovery sampling

Question # 131

Which of the following is MOST important to include within a business continuity plan (BCP) so that backup and replication is configured in a way that ensures data availability?

A.

Recovery time objective (RTO)

B.

Resource management plan

C.

Disaster recovery location site

D.

Recovery point objective (RPO)

Question # 132

An internal audit department reports directly to the chief financial officer (CFO) of an organization. This MOST likely leads to:

A.

audit findings becoming more business-oriented.

B.

biased audit findings and recommendations.

C.

concern over the independence of the auditor.

D.

audit recommendations receiving greater attention.

Question # 133

Which of the following is MOST important to consider when scheduling follow-up audits?

A.

The efforts required for independent verification with new auditors

B.

The amount of time the auditee has agreed to spend with auditors

C.

The impact if corrective actions are not taken

D.

Controls and detection risks related to the observations

Question # 134

As part of business continuity planning, which of the following is MOST important to assess when conducting a business impact analysis (BIA)?

A.

Recovery scenarios

B.

Completeness of critical asset inventory

C.

Risk appetite

D.

Critical applications in the cloud

Question # 135

Which of the following is an example of a corrective control?

A.

Generating automated batch job failure notifications

B.

Employing only qualified personnel to execute tasks

C.

Restoring system information from data backups

D.

Utilizing processes that enforce segregation of duties

Question # 136

When is the BEST time to commence continuity planning for a new application system?

A.

Immediately after implementation

B.

During the design phase

C.

Following successful user testing

D.

Just prior to the handover to the system maintenance group

Question # 137

An IS auditor performing an audit of backup procedures observes that backup tapes are picked up weekly and stored offsite at a third-party hosting facility. Which of the following recommendations would be the BEST way to protect the integrity of the data on the backup tapes?

A.

Ensure that the transport company obtains signatures for all shipments.

B.

Ensure that data is encrypted before leaving the facility.

C.

Confirm that data transfers are logged and recorded.

D.

Confirm that data is transported in locked tamper-evident containers.

Question # 138

In an IT organization where many responsibilities are shared, which of the following would be the BEST control for detecting unauthorized data changes?

A.

Data changes are independently reviewed by another group.

B.

Users are required to periodically rotate responsibilities.

C.

Segregation of duties conflicts are periodically reviewed.

D.

Data changes are logged in an outside application.

Question # 139

An organization is planning to re-purpose workstations that were used to handle confidential information. Which of the following would be the IS auditor's BEST recommendation to dispose of this information?

A.

Overwrite the disks with random data.

B.

Erase the disks by degaussing.

C.

Delete the disk partitions.

D.

Reformat the disks.

Question # 140

An IS auditor performing an application development review attends development team meetings. The IS auditor's independence will be compromised if the IS auditor:

A.

designs and executes the user's acceptance test plan.

B.

assists in developing an integrated test facility on the system.

C.

reviews the result of systems tests that were performed by the development team.

D.

re-performs test procedures used by the development team.

Question # 141

Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization's information security policy?

A.

Business objectives

B.

Alignment with the IT tactical plan

C.

Compliance with industry best practice

D.

IT steering committee minutes

Question # 142

Which of the following is MOST important to ensure that electronic evidence collected during a forensic investigation will be admissible in future legal proceedings?

A.

Documentation of evidence handling by personnel throughout the forensic investigation

B.

Engaging an independent third party to perform the forensic investigation

C.

Restricting evidence access to professionally certified forensic investigators

D.

Performing investigative procedures on the original hard drives rather than on images of the hard drives

Question # 143

Which of the following is the BEST detective control for a job scheduling process involving data transmission?

A.

Jobs are scheduled to be completed daily and data is transmitted using a secure File Transfer Protocol (SFTP)

B.

Job failure alerts are automatically generated and routed to support personnel

C.

Metrics denoting the volume of monthly job failures are reported and reviewed by senior management

D.

Jobs are scheduled and a log of this activity is retained for subsequent review

Question # 144

What is the MOST difficult aspect of access control in a multiplatform, multiple-site client/server environment?

A.

Restricting a local user to necessary resources on a local platform

B.

Maintaining consistency throughout all platforms

C.

Restricting a local user to necessary resources on the host server

D.

Creating new user IDs valid only on a few hosts

Question # 145

An IS auditor discovers an option in a database that allows the administrator to directly modify any table. This option is necessary to overcome bugs in the software, but is rarely used. Changes to tables are automatically logged. The IS auditor's FIRST action should be to:

A.

recommend that the option to directly modify the database be removed immediately.

B.

determine whether the audit trail is secured and reviewed.

C.

determine whether the log of changes to the tables is backed up.

D.

recommend that the system require two persons to be involved in modifying the database.

Question # 146

Several unattended laptops containing sensitive customer data were stolen from personnel offices. Which of the following would be an IS auditor's BEST recommendation to protect data in case of recurrence?

A.

Enhance physical security

B.

Encrypt the disk drive

C.

Require two-factor authentication

D.

Require the use of cable locks
