Which of the following would BEST enable an IS auditor to perform an audit that requires testing the full population of data?
Which of the following should be the PRIMARY audience for a third-party technical security assessment report?
A maturity model can be used to aid the implementation of IT governance by identifying:
Which of the following is the MOST likely reason an organization would use Platform as a Service (PaaS)?
Which of the following is the MOST important consideration for building resilient systems?
Which of the following is an IS auditor's BEST guidance regarding the use of IT frameworks?
An IS auditor is verifying the adequacy of an organization's internal controls and is concerned about potential circumvention of regulations. Which of the following is the BEST sampling method to use?
An organization's IT security policy requires annual security awareness training for all employees. Which of the following would provide the BEST evidence of the training's effectiveness?
What would be an IS auditor's BEST recommendation upon finding that a third-party IT service provider hosts the organization's human resources (HR) system in a foreign country?
Which of the following is MOST helpful for an IS auditor to review when determining the appropriateness of controls relevant to a specific audit area?
Which of the following is MOST likely to be detected by an IS auditor applying data analytic techniques?
An organization implemented a cybersecurity policy last year. Which of the following is the GREATEST indicator that the policy may need to be revised?
Cross-site scripting (XSS) attacks are BEST prevented through:
A new regulation in one country of a global organization has recently prohibited cross-border transfer of personal data. An IS auditor has been asked to determine the organization's level of exposure in the affected country. Which of the following would be MOST helpful in making this assessment?
What is the PRIMARY reason to adopt a risk-based IS audit strategy?
Which of the following is MOST important to ensure when reviewing a global organization's controls to protect data held on its IT infrastructure across all of its locations?
When evaluating the ability of a disaster recovery plan (DRP) to enable the recovery of IT processing capabilities, it is MOST important for the IS auditor to verify the plan is:
Which of the following conditions would be of MOST concern to an IS auditor assessing the risk of a successful brute force attack against encrypted data at rest?
Which of the following should be the PRIMARY role of an internal audit function in the management of identified business risks?
Which of the following is MOST helpful in preventing a systems failure from occurring when an application is replaced using the abrupt changeover technique?
Which of the following is the MOST effective approach in assessing the quality of modifications made to financial software?
Which of the following features of a library control software package would protect against unauthorized updating of source code?
Which of the following is the BEST method to maintain an audit trail of changes made to the source code of a program?
Which of the following should be of GREATEST concern to an IS auditor performing a review of information security controls?
Which of the following would be of GREATEST concern to an IS auditor reviewing backup and recovery controls?
The IS auditor has recommended that management test a new system before using it in production mode. The BEST approach for management in developing a test plan is to use processing parameters that are:
Which of the following should be the MOST important consideration when prioritizing the funding for competing IT projects?
During an audit of identity and access management, an IS auditor finds that the engagement audit plan does not include the testing of controls that regulate access by third parties. Which of the following would be the auditor's BEST course of action?
An organization needs to comply with data privacy regulations forbidding the display of personally identifiable information (PII) on customer bills or receipts. However, it is a business requirement to display at least one attribute so that customers can verify the bills or receipts are intended for them. What is the BEST recommendation?
An IS auditor has been asked to perform an assurance review of an organization's mobile computing security. To ensure the organization is able to centrally manage mobile devices to protect against data disclosure, it is MOST important for the auditor to determine whether:
When evaluating information security governance within an organization, which of the following findings should be of MOST concern to an IS auditor?
Which of the following should an IS auditor be MOST concerned with when reviewing the IT asset disposal process?
Which of the following security risks can be reduced by a properly configured network firewall?
An incorrect version of source code was amended by a development team. This MOST likely indicates a weakness in:
Which cloud deployment model is MOST likely to be limited in scalability?
The operations team of an organization has reported an IS security attack. Which of the following should be the FIRST step for the security incident response team?
Which of the following would lead an IS auditor to conclude that the evidence collected during a digital forensic investigation would not be admissible in court?
Which of the following responsibilities of an organization's quality assurance (QA) function should raise concern for an IS auditor?
Which of the following encryption methods offers the BEST wireless security?
Which of the following is the BEST source of information for an IS auditor to use when determining whether an organization's information security policy is adequate?
Which of the following represents the HIGHEST level of maturity of an information security program?
An organization's software developers need access to personally identifiable information (PII) stored in a particular data format. Which of the following is the BEST way to protect this sensitive information while allowing the developers to use it in development and test environments?
Which of the following is the BEST way to mitigate the risk associated with malicious changes to binary code during the software development life cycle (SDLC)?
An IS auditor observes that exceptions have been approved for an organization's information security policy. Which of the following is MOST important for the auditor to confirm?
An organization's strategy to source certain IT functions from a Software as a Service (SaaS) provider should be approved by the:
An organization has adopted a backup and recovery strategy that involves copying on-premise virtual machine (VM) images to a cloud service provider. Which of the following provides the BEST assurance that VMs can be recovered in the event of a disaster?
Which of the following is the PRIMARY role of key performance indicators (KPIs) in supporting business process effectiveness?
Which of the following findings should be of GREATEST concern to an IS auditor reviewing the effectiveness of an organization's problem management practices?
An internal IS auditor recommends that incoming accounts payable payment files be encrypted. Which type of control is the auditor recommending?
A company is using a software developer for a project. At which of the following points should the software quality assurance (QA) plan be developed?
Which of the following backup schemes is the BEST option when storage media is limited?
Which of the following implementation strategies for new applications presents the GREATEST risk during data conversion and migration from an old system to a new system?
When an organization introduces virtualization into its architecture, which of the following should be an IS auditor's PRIMARY area of focus to verify adequate protection?
Both statistical and nonstatistical sampling techniques:
A client/server configuration will:
In an environment where most IT services have been outsourced, continuity planning is BEST controlled by:
Which of the following is the GREATEST concern with conducting penetration testing on an internally developed application in the production environment?
Which of the following is the BEST recommendation to prevent fraudulent electronic funds transfers by accounts payable employees?
An audit of the quality management system (QMS) begins with an evaluation of the:
An airline's online booking system uses an automated script that checks whether fares are within the defined threshold of what is reasonable before the fares are displayed on the website. Which type of control is in place?
An IS auditor is assessing an organization's data loss prevention (DLP) solution for protecting intellectual property from insider theft. Which of the following would the auditor consider MOST important for effective data protection?
An organization has recently converted its infrastructure to a virtualized environment. The GREATEST benefit related to disaster recovery is that virtualized servers:
Which of the following is the BEST way to minimize the impact of a ransomware attack?
An organization has outsourced its data leakage monitoring to an Internet service provider (ISP). Which of the following is the BEST way for an IS auditor to determine the effectiveness of this service?
What is the PRIMARY purpose of performing a parallel run of a new system?
Which type of control is in place when an organization requires new employees to complete training on applicable privacy and data protection regulations?
What is the BEST justification for allocating more funds to implement a control for an IT asset than the actual cost of the IT asset?
An audit has identified that business units have purchased cloud-based applications without IT's support. What is the GREATEST risk associated with this situation?
Which of the following should be the PRIMARY consideration for IT management when selecting a new information security tool that monitors suspicious file access patterns?
The PRIMARY focus of audit follow-up reports should be to:
Which of the following is MOST important for an IS auditor to review when evaluating the effectiveness of an organization's incident response process?
During an exit interview, senior management disagrees with some of the facts presented in the draft audit report and wants them removed from the report. Which of the following would be the auditor's BEST course of action?
The BEST way to prevent fraudulent payments is to implement segregation of duties between payment processing and:
An IS auditor finds that a document related to a client has been leaked. Which of the following should be the auditor's NEXT step?
An IS auditor is reviewing a network diagram. Which of the following would be the BEST location for placement of a firewall?
An internal audit department recently established a quality assurance (QA) program as part of its overall audit program. Which of the following activities is MOST important to include as part of the QA program requirements?
Which of the following is the GREATEST concern associated with migrating computing resources to a cloud virtualized environment?
An organization has agreed to perform remediation related to high-risk audit findings. The remediation process involves a complex reorganization of user roles as well as the implementation of several compensating controls that may not be completed within the next audit cycle. Which of the following is the BEST way for an IS auditor to follow up on their activities?
An IS auditor is assessing the results of an organization's post-implementation review of a newly developed information system. Which of the following should be the auditor's MAIN focus?
A company laptop has been stolen and all photos on the laptop have been published on social media. Which of the following is the IS auditor's BEST course of action?
A warehouse employee of a retail company has been able to conceal the theft of inventory items by entering adjustments of either damaged or lost stock items to the inventory system. Which control would have BEST prevented this type of fraud in a retail environment?
Spreadsheets are used to calculate project cost estimates. Totals for each cost category are then keyed into the job-costing system. What is the BEST control to ensure that data are accurately entered into the system?
To develop a robust data security program, the FIRST course of action should be to:
An employee has accidentally posted confidential data to the company's social media page. Which of the following is the BEST control to prevent this from recurring?
Which of the following human resources management practices BEST leads to the detection of fraudulent activity?
Which of the following is the BEST source of information for an IS auditor when planning an audit of a business application's controls?
After an external IS audit, which of the following should be IT management's MAIN consideration when determining the prioritization of follow-up activities?
The BEST way to determine whether programmers have permission to alter data in the production environment is by reviewing:
An IS auditor identifies key controls that have been overridden by management. The next step the IS auditor should take is to:
Which of the following is the BEST sampling method when performing an audit test to determine the number of access requests without approval signatures?
Which of the following is an objective of data transfer controls?
Which of the following provides the MOST useful information to an IS auditor reviewing the relationships between critical business processes and IT systems?
Which of the following is a concern associated with virtualization?
During the design phase of a software development project, the PRIMARY responsibility of an IS auditor is to evaluate the:
Which of the following is the BEST indicator of an effective problem management process?
Which of the following is a benefit of increasing the use of data analytics in audits?
Which of the following should be the FIRST step in a data migration project?
Which of the following is the GREATEST concern when using a cold backup site?
Which of the following should be the PRIMARY objective of a migration audit?
Which of the following should an IS auditor validate FIRST when reviewing the security of an organization's IT infrastructure as it relates to Internet of Things (IoT) devices?
Which of the following should be done FIRST to effectively define the IT audit universe for an entity with multiple business lines?
Which of the following is the BEST indicator of the effectiveness of signature-based intrusion detection systems (IDSs)?
Which of the following would be the MOST effective method to identify high risk areas in the business to be included in the audit plan?
When planning an end-user computing (EUC) audit, it is MOST important for the IS auditor to:
During a business process re-engineering (BPR) program, IT can assist with:
Which of the following is the GREATEST risk associated with the use of instant messaging (IM)?
A bank recently experienced fraud where unauthorized payments were inserted into the payments transaction process. An IS auditor has reviewed the application systems and databases along the processing chain but has not identified the entry point of the fraudulent transactions. Where should the auditor look NEXT?
An IS auditor finds that the process for removing access for terminated employees is not documented. What is the MOST significant risk from this observation?
While reviewing an organization's business continuity plan (BCP), an IS auditor observes that a recently developed application is not included. The IS auditor should:
During an audit of a disaster recovery plan (DRP) for a critical business area, an IS auditor finds that not all critical systems are covered. What should the auditor do NEXT?
An IS audit manager was temporarily tasked with supervising a project manager assigned to the organization's payroll application upgrade. Upon returning to the audit department, the audit manager has been asked to perform an audit to validate the implementation of the payroll application. The audit manager is the only one in the audit department with IT project management experience. What is the BEST course of action?
Of the following, who are the MOST appropriate staff for ensuring the alignment of user authorization tables with approved authorization forms?
Using swipe cards to limit employee access to restricted areas requires implementing which additional control?
To develop meaningful recommendations for findings, which of the following is MOST important for an IS auditor to determine and understand?
Which of the following controls is BEST implemented through system configuration?
Which of the following would BEST prevent the potential leakage of sensitive corporate data from personal mobile devices accessing corporate applications?
A review of an organization's IT portfolio revealed several applications that are not in use. The BEST way to prevent this situation from recurring would be to implement:
End users have been demanding the ability to use their own devices for work, but want to keep personal information out of corporate control. Which of the following would be MOST effective at reducing the risk of security incidents while satisfying end user requirements?
Which of the following is MOST important to consider when assessing the scope of privacy concerns for an IT project?
Which of the following would be MOST time and cost efficient when performing a control self-assessment (CSA) for an organization with a large number of widely dispersed employees?
Which of the following is the PRIMARY objective of baselining the IT control environment?
Which of the following should be of GREATEST concern to an IS auditor planning to employ data analytics in an upcoming audit?
Which of the following BEST enables system resiliency for an e-commerce organization that requires a low recovery time objective (RTO) and a low recovery point objective (RPO)?
Which of the following should be of GREATEST concern to an IS auditor conducting an audit of an organization that recently experienced a ransomware attack?
Which of the following would be the MOST useful metric for management to consider when reviewing a project portfolio?
When developing customer-facing IT applications, in which stage of the system development life cycle (SDLC) is it MOST beneficial to consider data privacy principles?
An IS auditor is analyzing a sample of accesses recorded on the system log of an application. The auditor intends to launch an intensive investigation if one exception is found. Which sampling method would be appropriate?
Which of the following is MOST important to include within a business continuity plan (BCP) so that backup and replication is configured in a way that ensures data availability?
An internal audit department reports directly to the chief financial officer (CFO) of an organization. This MOST likely leads to:
Which of the following is MOST important to consider when scheduling follow-up audits?
As part of business continuity planning, which of the following is MOST important to assess when conducting a business impact analysis (BIA)?
Which of the following is an example of a corrective control?
When is the BEST time to commence continuity planning for a new application system?
An IS auditor performing an audit of backup procedures observes that backup tapes are picked up weekly and stored offsite at a third-party hosting facility. Which of the following recommendations would be the BEST way to protect the integrity of the data on the backup tapes?
In an IT organization where many responsibilities are shared, which of the following would be the BEST control for detecting unauthorized data changes?
An organization is planning to re-purpose workstations that were used to handle confidential information. Which of the following would be the IS auditor's BEST recommendation to dispose of this information?
An IS auditor performing an application development review attends development team meetings. The IS auditor's independence will be compromised if the IS auditor:
Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization's information security policy?
Which of the following is MOST important to ensure that electronic evidence collected during a forensic investigation will be admissible in future legal proceedings?
Which of the following is the BEST detective control for a job scheduling process involving data transmission?
What is the MOST difficult aspect of access control in a multiplatform, multiple-site client/server environment?
An IS auditor discovers an option in a database that allows the administrator to directly modify any table. This option is necessary to overcome bugs in the software, but is rarely used. Changes to tables are automatically logged. The IS auditor's FIRST action should be to:
Several unattended laptops containing sensitive customer data were stolen from personnel offices. Which of the following would be an IS auditor's BEST recommendation to protect data in case of recurrence?