CISA Exam Dumps - Certified Information Systems Auditor

Question # 4

In an online application, which of the following would provide the MOST information about the transaction audit trail?

A. File layouts
B. Data architecture
C. System/process flowchart
D. Source code documentation

Question # 5

Which of the following should be the FIRST step in the incident response process for a suspected breach?

A. Inform potentially affected customers of the security breach.
B. Notify business management of the security breach.
C. Research the validity of the alerted breach.
D. Engage a third party to independently evaluate the alerted breach.

Question # 6

Which of the following is the BEST reason for an organization to use clustering?

A. To decrease system response time
B. To improve the recovery time objective (RTO)
C. To facilitate faster backups
D. To improve system resiliency

Question # 7

An organization has outsourced the development of a core application. However, the organization plans to bring the support and future maintenance of the application back in-house. Which of the following findings should be the IS auditor's GREATEST concern?

A. The cost of outsourcing is lower than in-house development.
B. The vendor development team is located overseas.
C. A training plan for business users has not been developed.
D. The data model is not clearly documented.

Question # 8

Which of the following provides the BEST evidence that outsourced provider services are being properly managed?

A. The service level agreement (SLA) includes penalties for non-performance.
B. Adequate action is taken for noncompliance with the service level agreement (SLA).
C. The vendor provides historical data to demonstrate its performance.
D. Internal performance standards align with corporate strategy.

Question # 9

IT disaster recovery time objectives (RTOs) should be based on the:

A. maximum tolerable loss of data.
B. nature of the outage.
C. maximum tolerable downtime (MTD).
D. business-defined criticality of the systems.

Question # 10

A project team has decided to switch to an agile approach to develop a replacement for an existing business application. Which of the following should an IS auditor do FIRST to ensure the effectiveness of the project audit?

A. Compare the agile process with the previous methodology.
B. Identify and assess existing agile process controls.
C. Understand the specific agile methodology that will be followed.
D. Interview business process owners to compile a list of business requirements.

Question # 11

Which of the following metrics would BEST measure the agility of an organization's IT function?

A. Average number of learning and training hours per IT staff member
B. Frequency of security assessments against the most recent standards and guidelines
C. Average time to turn strategic IT objectives into an agreed upon and approved initiative
D. Percentage of staff with sufficient IT-related skills for the competency required of their roles

Question # 12

In a RACI model, which of the following roles must be assigned to only one individual?

A. Responsible
B. Informed
C. Consulted
D. Accountable

Question # 13

Which of the following should an IS auditor ensure is classified at the HIGHEST level of sensitivity?

A. Server room access history
B. Emergency change records
C. IT security incidents
D. Penetration test results

Question # 14

In which phase of penetration testing would host detection and domain name system (DNS) interrogation be performed?

A. Discovery
B. Attacks
C. Planning
D. Reporting

Question # 15

Which of the following would BEST enable an organization to address the security risks associated with a recently implemented bring your own device (BYOD) strategy?

A. Mobile device tracking program
B. Mobile device upgrade program
C. Mobile device testing program
D. Mobile device awareness program

Question # 16

Which of the following BEST demonstrates that IT strategy is aligned with organizational goals and objectives?

A. IT strategies are communicated to all business stakeholders.
B. Organizational strategies are communicated to the chief information officer (CIO).
C. Business stakeholders are involved in approving the IT strategy.
D. The chief information officer (CIO) is involved in approving the organizational strategies.

Question # 17

After the merger of two organizations, which of the following is the MOST important task for an IS auditor to perform?

A. Verifying that access privileges have been reviewed
B. Investigating access rights for expiration dates
C. Updating the continuity plan for critical resources
D. Updating the security policy

Question # 18

Stress testing should ideally be carried out under a:

A. test environment with production workloads.
B. production environment with production workloads.
C. production environment with test data.
D. test environment with test data.

Question # 19

An IS auditor has been asked to audit the proposed acquisition of new computer hardware. The auditor's PRIMARY concern is that:

A. the implementation plan meets user requirements.
B. a full, visible audit trail will be included.
C. a clear business case has been established.
D. the new hardware meets established security standards.

Question # 20

Which of the following BEST helps to ensure data integrity across system interfaces?

A. Environment segregation
B. Reconciliation
C. System backups
D. Access controls

Question # 21

Which of the following BEST describes an audit risk?

A. The company is being sued for false accusations.
B. The financial report may contain undetected material errors.
C. Employees have been misappropriating funds.
D. Key employees have not taken vacation for 2 years.

Question # 22

Which of the following should be the IS auditor's PRIMARY focus when evaluating an organization's offsite storage facility?

A. Shared facilities
B. Adequacy of physical and environmental controls
C. Results of business continuity plan (BCP) tests
D. Retention policy and period

Question # 23

Which of the following BEST enables the effectiveness of an agile project for the rapid development of a new software application?

A. Project segments are established.
B. The work is separated into phases.
C. The work is separated into sprints.
D. Project milestones are created.

Question # 24

Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?

A. Apply single sign-on for access control.
B. Implement segregation of duties.
C. Enforce an internal data access policy.
D. Enforce the use of digital signatures.

Question # 25

In an environment that automatically reports all program changes, which of the following is the MOST efficient way to detect unauthorized changes to production programs?

A. Reviewing the last compile date of production programs
B. Manually comparing code in production programs to controlled copies
C. Periodically running and reviewing test data against production programs
D. Verifying user management approval of modifications

Question # 26

Which of the following findings should be of GREATEST concern for an IS auditor when auditing the effectiveness of a phishing simulation test administered for staff members?

A. Staff members who failed the test did not receive follow-up education.
B. Test results were not communicated to staff members.
C. Staff members were not notified about the test beforehand.
D. Security awareness training was not provided prior to the test.

Question # 27

Which of the following observations would an IS auditor consider the GREATEST risk when conducting an audit of a virtual server farm for potential software vulnerabilities?

A. Guest operating systems are updated monthly.
B. The hypervisor is updated quarterly.
C. A variety of guest operating systems operate on one virtual server.
D. Antivirus software has been implemented on the guest operating system only.

Question # 28

An IS auditor is reviewing security controls related to collaboration tools for a business unit responsible for intellectual property and patents. Which of the following observations should be of MOST concern to the auditor?

A. Training was not provided to the department that handles intellectual property and patents.
B. Logging and monitoring for content filtering is not enabled.
C. Employees can share files with users outside the company through collaboration tools.
D. The collaboration tool is hosted and can only be accessed via an Internet browser.

Question # 29

During a follow-up audit, it was found that a complex security vulnerability of low risk was not resolved within the agreed-upon timeframe. IT has stated that the system with the identified vulnerability is being replaced and is expected to be fully functional in two months. Which of the following is the BEST course of action?

A. Require documentation that the finding will be addressed within the new system.
B. Schedule a meeting to discuss the issue with senior management.
C. Perform an ad hoc audit to determine if the vulnerability has been exploited.
D. Recommend the finding be resolved prior to implementing the new system.

Question # 30

What should an IS auditor do FIRST when management responses to an in-person internal control questionnaire indicate a key internal control is no longer effective?

A. Determine the resources required to make the control effective.
B. Validate the overall effectiveness of the internal control.
C. Verify the impact of the control no longer being effective.
D. Ascertain the existence of other compensating controls.

Question # 31

Which of the following would BEST manage the risk of changes in requirements after the analysis phase of a business application development project?

A. Expected deliverables meeting project deadlines
B. Sign-off from the IT team
C. Ongoing participation by relevant stakeholders
D. Quality assurance (QA) review

Question # 32

Which of the following is the GREATEST security risk associated with data migration from a legacy human resources (HR) system to a cloud-based system?

A. Data from the source and target system may be intercepted.
B. Data from the source and target system may have different data formats.
C. Records past their retention period may not be migrated to the new system.
D. System performance may be impacted by the migration.

Question # 33

Capacity management enables organizations to:

A. forecast technology trends.
B. establish the capacity of network communication links.
C. identify the extent to which components need to be upgraded.
D. determine business transaction volumes.

Question # 34

Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization's information security policy?

A. IT steering committee minutes
B. Business objectives
C. Alignment with the IT tactical plan
D. Compliance with industry best practice

Question # 35

Which of the following controls BEST ensures appropriate segregation of duties within an accounts payable department?

A. Ensuring that audit trails exist for transactions
B. Restricting access to update programs to accounts payable staff only
C. Including the creator's user ID as a field in every transaction record created
D. Restricting program functionality according to user security profiles

Question # 36

Which of the following is the BEST source of information for an IS auditor to use when determining whether an organization's information security policy is adequate?

A. Information security program plans
B. Penetration test results
C. Risk assessment results
D. Industry benchmarks

Question # 37

An organization with many desktop PCs is considering moving to a thin client architecture. Which of the following is the MAJOR advantage?

A. The security of the desktop PC is enhanced.
B. Administrative security can be provided for the client.
C. Desktop application software will never have to be upgraded.
D. System administration can be better managed.

Question # 38

When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor's BEST recommendation is to place an intrusion detection system (IDS) between the firewall and:

A. the organization's web server.
B. the demilitarized zone (DMZ).
C. the organization's network.
D. the Internet.

Question # 39

An IS auditor is reviewing the release management process for an in-house software development solution. In which environment is the software version MOST likely to be the same as production?

A. Staging
B. Testing
C. Integration
D. Development

Question # 40

While auditing a small organization's data classification processes and procedures, an IS auditor noticed that data is often classified at the incorrect level. What is the MOST effective way for the organization to improve this situation?

A. Use automatic document classification based on content.
B. Have IT security staff conduct targeted training for data owners.
C. Publish the data classification policy on the corporate web portal.
D. Conduct awareness presentations and seminars for information classification policies.

Question # 41

An IS auditor learns the organization has experienced several server failures in its distributed environment. Which of the following is the BEST recommendation to limit the potential impact of server failures in the future?

A. Redundant pathways
B. Clustering
C. Failover power
D. Parallel testing

Question # 42

Which of the following is an example of a preventative control in an accounts payable system?

A. The system only allows payments to vendors who are included in the system's master vendor list.
B. Backups of the system and its data are performed on a nightly basis and tested periodically.
C. The system produces daily payment summary reports that staff use to compare against invoice totals.
D. Policies and procedures are clearly communicated to all members of the accounts payable department.

Question # 43

Which of the following is the MOST important activity in the data classification process?

A. Labeling the data appropriately
B. Identifying risk associated with the data
C. Determining accountability of data owners
D. Determining the adequacy of privacy controls

Question # 44

An organization is considering allowing users to connect personal devices to the corporate network. Which of the following should be done FIRST?

A. Conduct security awareness training.
B. Implement an acceptable use policy.
C. Create inventory records of personal devices.
D. Configure users on the mobile device management (MDM) solution.

Question # 45

Which of the following provides the MOST assurance over the completeness and accuracy of loan application processing with respect to the implementation of a new system?

A. Comparing code between old and new systems
B. Running historical transactions through the new system
C. Reviewing quality assurance (QA) procedures
D. Loading balance and transaction data to the new system

Question # 46

During the implementation of a new system, an IS auditor must assess whether certain automated calculations comply with the regulatory requirements. Which of the following is the BEST way to obtain this assurance?

A. Review sign-off documentation.
B. Review the source code related to the calculation.
C. Re-perform the calculation with audit software.
D. Inspect user acceptance test (UAT) results.

Question # 47

The BEST way to determine whether programmers have permission to alter data in the production environment is by reviewing:

A. the access control system's log settings.
B. how the latest system changes were implemented.
C. the access control system's configuration.
D. the access rights that have been granted.

Question # 48

An IS auditor finds a high-risk vulnerability in a public-facing web server used to process online customer payments. The IS auditor should FIRST:

A. document the exception in an audit report.
B. review security incident reports.
C. identify compensating controls.
D. notify the audit committee.

Question # 49

The due date of an audit project is approaching, and the audit manager has determined that only 60% of the audit has been completed. Which of the following should the audit manager do FIRST?

A. Determine where delays have occurred
B. Assign additional resources to supplement the audit
C. Escalate to the audit committee
D. Extend the audit deadline

Question # 50

Which of the following represents the HIGHEST level of maturity of an information security program?

A. A training program is in place to promote information security awareness.
B. A framework is in place to measure risks and track effectiveness.
C. Information security policies and procedures are established.
D. The program meets regulatory and compliance requirements.

Question # 51

Which of the following MUST be completed as part of the annual audit planning process?

A. Business impact analysis (BIA)
B. Fieldwork
C. Risk assessment
D. Risk control matrix

Question # 52

An organization is planning an acquisition and has engaged an IS auditor to evaluate the IT governance framework of the target company. Which of the following would be MOST helpful in determining the effectiveness of the framework?

A. Self-assessment reports of IT capability and maturity
B. IT performance benchmarking reports with competitors
C. Recent third-party IS audit reports
D. Current and previous internal IS audit reports

Question # 53

An IS auditor finds that an organization's data loss prevention (DLP) system is configured to use vendor default settings to identify violations. The auditor's MAIN concern should be that:

A. violation reports may not be reviewed in a timely manner.
B. a significant number of false positive violations may be reported.
C. violations may not be categorized according to the organization's risk profile.
D. violation reports may not be retained according to the organization's risk profile.

Question # 54

A new system is being developed by a vendor for a consumer service organization. The vendor will provide its proprietary software once system development is completed. Which of the following is the MOST important requirement to include in the vendor contract to ensure continuity?

A. Continuous 24/7 support must be available.
B. The vendor must have a documented disaster recovery plan (DRP) in place.
C. Source code for the software must be placed in escrow.
D. The vendor must train the organization's staff to manage the new software.

Question # 55

In data warehouse (DW) management, what is the BEST way to prevent data quality issues caused by changes from a source system?

A. Configure data quality alerts to check variances between the data warehouse and the source system.
B. Require approval for changes in the extract/transfer/load (ETL) process between the two systems.
C. Include the data warehouse in the impact analysis for any changes in the source system.
D. Restrict access to changes in the extract/transfer/load (ETL) process between the two systems.

Question # 56

Which of the following weaknesses would have the GREATEST impact on the effective operation of a perimeter firewall?

A. Use of stateful firewalls with default configuration
B. Ad hoc monitoring of firewall activity
C. Misconfiguration of the firewall rules
D. Potential back doors to the firewall software

Question # 57

During an audit of a financial application, it was determined that many terminated users' accounts were not disabled. Which of the following should be the IS auditor's NEXT step?

A. Perform substantive testing of terminated users' access rights.
B. Perform a review of terminated users' account activity.
C. Communicate risks to the application owner.
D. Conclude that IT general controls are ineffective.

Question # 58

Which of the following is the BEST indicator of the effectiveness of an organization's incident response program?

A. Number of successful penetration tests
B. Percentage of protected business applications
C. Financial impact per security event
D. Number of security vulnerability patches

Question # 59

Which of the following conditions would be of MOST concern to an IS auditor assessing the risk of a successful brute force attack against encrypted data at rest?

A. Short key length
B. Random key generation
C. Use of symmetric encryption
D. Use of asymmetric encryption

Question # 60

When auditing the alignment of IT to the business strategy, it is MOST important for the IS auditor to:

A. compare the organization's strategic plan against industry best practice.
B. interview senior managers for their opinion of the IT function.
C. ensure an IT steering committee is appointed to monitor new IT projects.
D. evaluate deliverables of new IT initiatives against planned business services.

Question # 61

Which of the following should an IS auditor consider the MOST significant risk associated with a new health records system that replaces a legacy system?

A. Staff were not involved in the procurement process, creating user resistance to the new system.
B. Data is not converted correctly, resulting in inaccurate patient records.
C. The deployment project experienced significant overruns, exceeding budget projections.
D. The new system has capacity issues, leading to slow response times for users.

Question # 62

Which of the following security risks can be reduced by a properly configured network firewall?

A. SQL injection attacks
B. Denial of service (DoS) attacks
C. Phishing attacks
D. Insider attacks

Question # 63

During the planning stage of a compliance audit, an IS auditor discovers that a bank's inventory of compliance requirements does not include recent regulatory changes related to managing data risk. What should the auditor do FIRST?

A. Ask management why the regulatory changes have not been included.
B. Discuss potential regulatory issues with the legal department.
C. Report the missing regulatory updates to the chief information officer (CIO).
D. Exclude recent regulatory changes from the audit scope.

Question # 64

Which of the following provides IS audit professionals with the BEST source of direction for performing audit functions?

A. Audit charter
B. IT steering committee
C. Information security policy
D. Audit best practices

Question # 65

An IS auditor is reviewing an industrial control system (ICS) that uses older unsupported technology in the scope of an upcoming audit. What should the auditor consider the MOST significant concern?

A. Attack vectors are evolving for industrial control systems.
B. There is a greater risk of system exploitation.
C. Disaster recovery plans (DRPs) are not in place.
D. Technical specifications are not documented.

Question # 66

A new regulation in one country of a global organization has recently prohibited cross-border transfer of personal data. An IS auditor has been asked to determine the organization's level of exposure in the affected country. Which of the following would be MOST helpful in making this assessment?

A. Developing an inventory of all business entities that exchange personal data with the affected jurisdiction
B. Identifying data security threats in the affected jurisdiction
C. Reviewing data classification procedures associated with the affected jurisdiction
D. Identifying business processes associated with personal data exchange with the affected jurisdiction

Question # 67

What is the MOST critical finding when reviewing an organization's information security management?

A. No dedicated security officer
B. No official charter for the information security management system
C. No periodic assessments to identify threats and vulnerabilities
D. No employee awareness training and education program

Question # 68

An IS auditor is reviewing an organization's primary router access control list. Which of the following should result in a finding?

A. There are conflicting permit and deny rules for the IT group.
B. The network security group can change network address translation (NAT).
C. Individual permissions are overriding group permissions.
D. There is only one rule per group with access privileges.

Question # 69

The performance, risks, and capabilities of an IT infrastructure are BEST measured using a:

A. risk management review.
B. control self-assessment (CSA).
C. service level agreement (SLA).
D. balanced scorecard.

Question # 70

The GREATEST benefit of using a prototyping approach in software development is that it helps to:

A. minimize scope changes to the system.
B. decrease the time allocated for user testing and review.
C. conceptualize and clarify requirements.
D. improve efficiency of quality assurance (QA) testing.

Question # 71

The IS auditor has recommended that management test a new system before using it in production mode. The BEST approach for management in developing a test plan is to use processing parameters that are:

A. randomly selected by a test generator.
B. provided by the vendor of the application.
C. randomly selected by the user.
D. simulated by production entities and customers.

Question # 72

During an audit of a multinational bank's disposal process, an IS auditor notes several findings. Which of the following should be the auditor's GREATEST concern?

A. Backup media are not reviewed before disposal.
B. Degaussing is used instead of physical shredding.
C. Backup media are disposed before the end of the retention period.
D. Hardware is not destroyed by a certified vendor.

Question # 73

Which of the following is the BEST way for an organization to mitigate the risk associated with third-party application performance?

A. Ensure the third party allocates adequate resources to meet requirements.
B. Use analytics within the internal audit function.
C. Conduct a capacity planning exercise.
D. Utilize performance monitoring tools to verify service level agreements (SLAs).

Question # 74

An IS auditor performs a follow-up audit and learns the approach taken by the auditee to fix the findings differs from the agreed-upon approach confirmed during the last audit. Which of the following should be the auditor's NEXT course of action?

A. Evaluate the appropriateness of the remedial action taken.
B. Conduct a risk analysis incorporating the change.
C. Report results of the follow-up to the audit committee.
D. Inform senior management of the change in approach.

Question # 75

Which of the following BEST protects an organization's proprietary code during a joint-development activity involving a third party?

A. Statement of work (SOW)
B. Nondisclosure agreement (NDA)
C. Service level agreement (SLA)
D. Privacy agreement

Question # 76

A new regulation requires organizations to report significant security incidents to the regulator within 24 hours of identification. Which of the following is the IS auditor's BEST recommendation to facilitate compliance with the regulation?

A. Establish key performance indicators (KPIs) for timely identification of security incidents.
B. Engage an external security incident response expert for incident handling.
C. Enhance the alert functionality of the intrusion detection system (IDS).
D. Include the requirement in the incident management response plan.

Question # 77

Which of the following is the BEST source of information for an IS auditor to use as a baseline to assess the adequacy of an organization's privacy policy?

A. Historical privacy breaches and related root causes
B. Globally accepted privacy best practices
C. Local privacy standards and regulations
D. Benchmark studies of similar organizations

Question # 78

In order to be useful, a key performance indicator (KPI) MUST:

A. be approved by management.
B. be measurable in percentages.
C. be changed frequently to reflect organizational strategy.
D. have a target value.

Question # 79

Which of the following activities provides an IS auditor with the MOST insight regarding potential single person dependencies that might exist within the organization?

A. Reviewing vacation patterns
B. Reviewing user activity logs
C. Interviewing senior IT management
D. Mapping IT processes to roles

Question # 80

Which of the following will MOST likely compromise the control provided by a digital signature created using RSA encryption?

A. Reversing the hash function using the digest
B. Altering the plaintext message
C. Deciphering the receiver's public key
D. Obtaining the sender's private key

Question # 81

When planning an audit to assess application controls of a cloud-based system, it is MOST important for the IS auditor to understand the:

A. architecture and cloud environment of the system.
B. business process supported by the system.
C. policies and procedures of the business area being audited.
D. availability reports associated with the cloud-based system.

Question # 82

An information systems security officer's PRIMARY responsibility for business process applications is to:

A. authorize secured emergency access.
B. approve the organization's security policy.
C. ensure access rules agree with policies.
D. create role-based rules for each business process.

Question # 83

Which of the following is the BEST way to sanitize a hard disk for reuse to ensure the organization's information cannot be accessed?

A. Re-partitioning
B. Degaussing
C. Formatting
D. Data wiping

Question # 84

Which of the following provides the BEST evidence of the validity and integrity of logs in an organization's security information and event management (SIEM) system?

A. Compliance testing
B. Stop-or-go sampling
C. Substantive testing
D. Variable sampling

Question # 85

An organization has established hiring policies and procedures designed specifically to ensure network administrators are well qualified. Which type of control is in place?

A. Detective
B. Compensating
C. Corrective
D. Directive

Question # 86

Which of the following is MOST important for an IS auditor to review when determining whether IT investments are providing value to the business?

A. Return on investment (ROI)
B. Business strategy
C. Business cases
D. Total cost of ownership (TCO)

Question # 87

Which of the following is MOST effective for controlling visitor access to a data center?

A.

Visitors are escorted by an authorized employee

B.

Pre-approval of entry requests

C.

Visitors sign in at the front desk upon arrival

D.

Closed-circuit television (CCTV) is used to monitor the facilities

Question # 88

Which of the following should be of MOST concern to an IS auditor reviewing the information systems acquisition, development, and implementation process?

A.

Data owners are not trained on the use of data conversion tools.

B.

A post-implementation lessons-learned exercise was not conducted.

C.

There is no system documentation available for review.

D.

System deployment is routinely performed by contractors.

Question # 89

Recovery facilities providing a redundant combination of Internet connections to the local communications loop is an example of which type of telecommunications continuity?

A.

Voice recovery

B.

Alternative routing

C.

Long-haul network diversity

D.

Last-mile circuit protection

Question # 90

An IS auditor concludes that logging and monitoring mechanisms within an organization are ineffective because critical servers are not included within the central log repository. Which of the following audit procedures would have MOST likely identified this exception?

A.

Inspecting a sample of alerts generated from the central log repository

B.

Comparing a list of all servers from the directory server against a list of all servers present in the central log repository

C.

Inspecting a sample of alert settings configured in the central log repository

D.

Comparing all servers included in the current central log repository with the listing used for the prior-year audit

Question # 91

A transaction processing system interfaces with the general ledger. Data analytics has identified that some transactions are being recorded twice in the general ledger. While management states a system fix has been implemented, what should the IS auditor recommend to validate the interface is working in the future?

A.

Perform periodic reconciliations.

B.

Ensure system owner sign-off for the system fix.

C.

Conduct functional testing.

D.

Improve user acceptance testing (UAT).

Question # 92

An organization's senior management thinks current security controls may be excessive and requests an IS auditor's advice on how to assess the adequacy of current measures. What is the auditor's BEST recommendation to management?

A.

Perform correlation analysis between incidents and investments.

B.

Downgrade security controls on low-risk systems.

C.

Introduce automated security monitoring tools.

D.

Re-evaluate the organization's risk and control framework.

Question # 93

A bank has a combination of corporate customer accounts (higher monetary value) and small business accounts (lower monetary value) as part of online banking. Which of the following is the BEST sampling approach for an IS auditor to use for these accounts?

A.

Difference estimation sampling

B.

Stratified mean per unit sampling

C.

Customer unit sampling

D.

Unstratified mean per unit sampling

Question # 94

In a post-implementation review of a recently purchased system, it is MOST important for the IS auditor to determine whether the:

A.

stakeholder expectations were identified.

B.

vendor product offered a viable solution.

C.

user requirements were met.

D.

test scenarios reflected operating activities.

Question # 95

An organization is migrating its HR application to an Infrastructure as a Service (IaaS) model in a private cloud. Who is PRIMARILY responsible for the security configurations of the deployed application's operating system?

A.

The cloud provider's external auditor

B.

The cloud provider

C.

The operating system vendor

D.

The organization

Question # 96

Which type of attack poses the GREATEST risk to an organization's most sensitive data?

A.

Password attack

B.

Eavesdropping attack

C.

Insider attack

D.

Spear phishing attack

Question # 97

Which of the following is a PRIMARY responsibility of a quality assurance (QA) team?

A.

Creating test data to facilitate the user acceptance testing (UAT) process

B.

Managing employee onboarding processes and background checks

C.

Advising the steering committee on quality management issues and remediation efforts

D.

Implementing procedures to facilitate adoption of quality management best practices

Question # 98

Which of the following is a method to prevent disclosure of classified documents printed on a shared printer?

A.

Using passwords to allow authorized users to send documents to the printer

B.

Requiring a key code to be entered on the printer to produce hard copy

C.

Encrypting the data stream between the user's computer and the printer

D.

Producing a header page with classification level for printed documents

Question # 99

An organization plans to replace its nightly batch processing backup to magnetic tape with real-time replication to a second data center. Which of the following is the GREATEST risk associated with this change?

A.

Version control issues

B.

Reduced system performance

C.

Inability to recover from cybersecurity attacks

D.

Increase in IT investment cost

Question # 100

An IS auditor finds ad hoc vulnerability scanning is in place with no clear alignment to the organization's wider security threat and vulnerability management program.

Which of the following would BEST enable the organization to work toward improvement in this area?

A.

Implementing security logging to enhance threat and vulnerability management

B.

Maintaining a catalog of vulnerabilities that may impact mission-critical systems

C.

Using a capability maturity model to identify a path to an optimized program

D.

Outsourcing the threat and vulnerability management function to a third party

Question # 101

A fire alarm system has been installed in the computer room. The MOST effective location for the fire alarm control panel would be inside the:

A.

computer room closest to the uninterruptible power supply (UPS) module

B.

computer room closest to the server computers

C.

system administrators’ office

D.

booth used by the building security personnel

Question # 102

An IS auditor has been asked to advise on measures to improve IT governance within the organization. Which of the following is the BEST recommendation?

A.

Benchmark organizational performance against industry peers

B.

Implement key performance indicators (KPIs).

C.

Require executive management to draft IT strategy

D.

Implement annual third-party audits.

Question # 103

Which of the following approaches will ensure recovery time objectives (RTOs) are met for an organization's disaster recovery plan (DRP)?

A.

Performing a cyber resilience test

B.

Performing a full interruption test

C.

Performing a tabletop test

D.

Performing a parallel test

Question # 104

An IS auditor finds that periodic reviews of read-only users for a reporting system are not being performed. Which of the following should be the IS auditor's NEXT course of action?

A.

Review the list of end users and evaluate for authorization.

B.

Report this control process weakness to senior management.

C.

Verify management's approval for this exemption.

D.

Obtain a verbal confirmation from IT for this exemption.

Question # 105

Which of the following would present the GREATEST concern during a review of internal audit quality assurance (QA) and continuous improvement processes?

A.

The audit program does not involve periodic engagement with external assessors.

B.

Quarterly reports are not distributed to the audit committee.

C.

Results of corrective actions are not tracked consistently.

D.

Substantive testing is not performed during the assessment phase of some audits.

Question # 106

Which of the following should be considered when examining fire suppression systems as part of a data center environmental controls review?

A.

Installation manuals

B.

Onsite replacement availability

C.

Insurance coverage

D.

Maintenance procedures

Question # 107

When assessing whether an organization's IT performance measures are comparable to other organizations in the same industry, which of the following would be MOST helpful to review?

A.

IT governance frameworks

B.

Benchmarking surveys

C.

Utilization reports

D.

Balanced scorecard

Question # 108

Several unattended laptops containing sensitive customer data were stolen from personnel offices. Which of the following would be an IS auditor's BEST recommendation to protect data in case of recurrence?

A.

Encrypt the disk drive.

B.

Require two-factor authentication

C.

Enhance physical security

D.

Require the use of cable locks

Question # 109

Which of the following is the BEST sampling method to use when relatively few errors are expected to be found in a population?

A.

Variable sampling

B.

Judgmental sampling

C.

Stop-or-go sampling

D.

Discovery sampling

Question # 110

An IS auditor has been asked to review an event log aggregation system to ensure risk management practices have been applied. Which of the following should be of MOST concern to the auditor?

A.

Log feeds are uploaded via batch process.

B.

Completeness testing has not been performed on the log data.

C.

The log data is not normalized.

D.

Data encryption standards have not been considered.

Question # 111

Which of the following BEST supports the effectiveness of a compliance program?

A.

Implementing an awareness plan regarding compliance regulation requirements

B.

Implementing a governance, risk, and compliance (GRC) tool to track compliance to regulations

C.

Assessing and tracking all compliance audit findings

D.

Monitoring which compliance regulations apply to the organization

Question # 112

Which of the following is the PRIMARY benefit of a tabletop exercise for an incident response plan?

A.

It demonstrates the maturity of the incident response program.

B.

It reduces the likelihood of an incident occurring.

C.

It identifies deficiencies in the operating environment.

D.

It increases confidence in the team's response readiness.

Question # 113

Which of the following is the BEST way to foster continuous improvement of IS audit processes and practices?

A.

Invite external auditors and regulators to perform regular assessments of the IS audit function.

B.

Implement rigorous managerial review and sign-off of IS audit deliverables.

C.

Frequently review IS audit policies, procedures, and instruction manuals.

D.

Establish and embed quality assurance (QA) within the IS audit function.

Question # 114

Which of the following presents the GREATEST risk to an organization's ability to manage quality control (QC) processes?

A.

Lack of segregation of duties

B.

Lack of a dedicated QC function

C.

Lack of policies and procedures

D.

Lack of formal training and attestation

Question # 115

Aligning IT strategy with business strategy PRIMARILY helps an organization to:

A.

optimize investments in IT.

B.

create risk awareness across business units.

C.

increase involvement of senior management in IT.

D.

monitor the effectiveness of IT.

Question # 116

An IS auditor is performing a follow-up audit for findings identified in an organization's user provisioning process. Which of the following is the MOST appropriate population to sample from when testing for remediation?

A.

All users provisioned after the finding was originally identified

B.

All users provisioned after management resolved the audit issue

C.

All users provisioned after the final audit report was issued

D.

All users who have followed user provisioning processes provided by management

Question # 117

An organization has engaged a third party to implement an application to perform business-critical calculations. Which of the following is the MOST important process to help ensure the application provides accurate calculations?

A.

Key performance indicator (KPI) monitoring

B.

Change management

C.

Configuration management

D.

Quality assurance (QA)

Question # 118

Which of the following is MOST important to determine when conducting an audit of an organization's data privacy practices?

A.

Whether a disciplinary process is established for data privacy violations

B.

Whether strong encryption algorithms are deployed for personal data protection

C.

Whether privacy technologies are implemented for personal data protection

D.

Whether the systems inventory containing personal data is maintained

Question # 119

Which of the following provides the MOST useful information to an IS auditor when selecting projects for inclusion in an IT audit plan?

A.

Project charter

B.

Project plan

C.

Project issue log

D.

Project business case

Question # 120

Which of the following is the BEST way to help ensure new IT implementations align with enterprise architecture (EA) principles and requirements?

A.

Document the security view as part of the EA

B.

Consider stakeholder concerns when defining the EA

C.

Perform mandatory post-implementation reviews of IT implementations

D.

Conduct EA reviews as part of the change advisory board

Question # 121

An IS audit manager is reviewing workpapers for a recently completed audit of the corporate disaster recovery test. Which of the following should the IS audit manager specifically review to substantiate the conclusions?

A.

Overviews of interviews between data center personnel and the auditor

B.

Prior audit reports involving other corporate disaster recovery audits

C.

Summary memos reflecting audit opinions regarding noted weaknesses

D.

Detailed evidence of the successes and weaknesses of all contingency testing

Question # 122

The BEST way to evaluate the effectiveness of a newly developed application is to:

A.

perform a post-implementation review.

B.

analyze load testing results.

C.

perform a secure code review.

D.

review acceptance testing results.

Question # 123

Which of the following is the PRIMARY basis on which audit objectives are established?

A.

Audit risk

B.

Consideration of risks

C.

Assessment of prior audits

D.

Business strategy

Question # 124

Which type of device sits on the perimeter of a corporate or home network, where it obtains a public IP address and then generates private IP addresses internally?

A.

Switch

B.

Intrusion prevention system (IPS)

C.

Gateway

D.

Router

Question # 125

Which of the following is the MOST appropriate testing approach when auditing a daily data flow between two systems via an automated interface to confirm that it is complete and accurate?

A.

Confirm that the encryption standard applied to the interface is in line with best practice.

B.

Inspect interface configurations and an example output of the systems.

C.

Perform data reconciliation between the two systems for a sample of 25 days.

D.

Conduct code review for both systems and inspect design documentation.

Question # 126

During the walk-through procedures for an upcoming audit, an IS auditor notes that the key application in scope is part of a Software as a Service (SaaS) agreement. What should the auditor do NEXT?

A.

Verify whether IT management monitors the effectiveness of the environment.

B.

Verify whether a right-to-audit clause exists.

C.

Verify whether a third-party security attestation exists.

D.

Verify whether service level agreements (SLAs) are defined and monitored.

Question # 127

Which of the following should be the GREATEST concern to an IS auditor reviewing an organization's method to transport sensitive data between offices?

A.

The method relies exclusively on the use of public key infrastructure (PKI).

B.

The method relies exclusively on the use of digital signatures.

C.

The method relies exclusively on the use of asymmetric encryption algorithms.

D.

The method relies exclusively on the use of 128-bit encryption.

Question # 128

Which of the following is a PRIMARY responsibility of an IT steering committee?

A.

Prioritizing IT projects in accordance with business requirements

B.

Reviewing periodic IT risk assessments

C.

Validating and monitoring the skill sets of IT department staff

D.

Establishing IT budgets for the business

Question # 129

Which of the following is the BEST reason to implement a data retention policy?

A.

To establish a recovery point objective (RPO) for disaster recovery procedures

B.

To limit the liability associated with storing and protecting information

C.

To document business objectives for processing data within the organization

D.

To assign responsibility and ownership for data protection outside IT

Question # 130

Which of the following would be of GREATEST concern to an IS auditor reviewing on-site preventive maintenance for an organization's business-critical server hardware?

A.

Preventive maintenance costs exceed the business allocated budget.

B.

Preventive maintenance has not been approved by the information system

C.

Preventive maintenance is outsourced to multiple vendors without requiring nondisclosure agreements (NDAs)

D.

The preventive maintenance schedule is based on mean time between failures (MTBF) parameters.

Question # 131

When planning an audit, it is acceptable for an IS auditor to rely on a third-party provider's external audit report on service level management when the:

A.

scope and methodology meet audit requirements

B.

service provider is independently certified and accredited

C.

report confirms that service levels were not violated

D.

report was released within the last 12 months

Question # 132

With regard to resilience, which of the following is the GREATEST risk to an organization that has implemented a new critical system?

A.

A business impact analysis (BIA) has not been performed

B.

Business data is not sanitized in the development environment

C.

There is no plan for monitoring system downtime

D.

The process owner has not signed off on user acceptance testing (UAT)

Question # 133

Which of the following is the MOST appropriate indicator of change management effectiveness?

A.

Time lag between changes to the configuration and the update of records

B.

Number of system software changes

C.

Time lag between changes and updates of documentation materials

D.

Number of incidents resulting from changes

Question # 134

An IS auditor is assigned to review the IS department's quality procedures. Upon contacting the IS manager, the auditor finds that there is an informal, unwritten set of standards. Which of the following should be the auditor's NEXT action?

A.

Make recommendations to IS management as to appropriate quality standards

B.

Postpone the audit until IS management implements written standards

C.

Document and test compliance with the informal standards

D.

Finalize the audit and report the finding

Question # 135

When evaluating information security governance within an organization, which of the following findings should be of MOST concern to an IS auditor?

A.

The information security department has difficulty filling vacancies

B.

An information security governance audit was not conducted within the past year

C.

The data center manager has final sign-off on security projects

D.

Information security policies are updated annually

Question # 136

After delivering an audit report, the audit manager discovers that evidence was overlooked during the audit. This evidence indicates that a procedural control may have failed and could contradict a conclusion of the audit. Which of the following risks is MOST affected by this oversight?

A.

Inherent

B.

Operational

C.

Audit

D.

Financial

Question # 137

What should an IS auditor do FIRST when a follow-up audit reveals some management action plans have not been initiated?

A.

Confirm whether the identified risks are still valid.

B.

Provide a report to the audit committee.

C.

Escalate the lack of plan completion to executive management.

D.

Request an additional action plan review to confirm the findings.

Question # 138

Which of the following provides the BEST method for maintaining the security of corporate applications pushed to employee-owned mobile devices?

A.

Enabling remote data destruction capabilities

B.

Implementing mobile device management (MDM)

C.

Disabling unnecessary network connectivity options

D.

Requiring security awareness training for mobile users

Question # 139

An IS auditor is asked to review an organization's technology relationships, interfaces, and data. Which of the following enterprise architecture (EA) areas is MOST appropriate for this review?

A.

Reference architecture

B.

Infrastructure architecture

C.

Information security architecture

D.

Application architecture

Question # 140

An IS auditor finds a segregation of duties issue in an enterprise resource planning (ERP) system. Which of the following is the BEST way to prevent the misconfiguration from recurring?

A.

Monitoring access rights on a regular basis

B.

Referencing a standard user-access matrix

C.

Granting user access using a role-based model

D.

Correcting the segregation of duties conflicts

Question # 141

An organization's IT department and internal IS audit function all report to the chief information officer (CIO). Which of the following is the GREATEST concern associated with this reporting structure?

A.

Potential for inaccurate audit findings

B.

Compromise of IS audit independence

C.

IS audit resources being shared with other IT functions

D.

IS audit being isolated from other audit functions

Question # 142

An IS auditor conducts a review of a third-party vendor's reporting of key performance indicators (KPIs). Which of the following findings should be of MOST concern to the auditor?

A.

KPI data is not being analyzed

B.

KPIs are not clearly defined

C.

Some KPIs are not documented

D.

KPIs have never been updated

Question # 143

What is the PRIMARY benefit of using one-time passwords?

A.

An intercepted password cannot be reused

B.

Security for applications can be automated

C.

Users do not have to memorize complex passwords

D.

Users cannot be locked out of an account

Question # 144

Which of the following helps to ensure the integrity of data for a system interface?

A.

System interface testing

B.

User acceptance testing (UAT)

C.

Validation checks

D.

Audit logs

Question # 145

Which of the following should be an IS auditor's GREATEST concern when reviewing an organization's security controls for policy compliance?

A.

Security policies are not applicable across all business units

B.

End users are not required to acknowledge security policy training

C.

The security policy has not been reviewed within the past year

D.

Security policy documents are available on a public domain website

Question # 146

When physical destruction is not practical, which of the following is the MOST effective means of disposing of sensitive data on a hard disk?

A.

Overwriting multiple times

B.

Encrypting the disk

C.

Reformatting

D.

Deleting files sequentially

Question # 147

Which of the following would the IS auditor MOST likely review to determine whether modifications to the operating system parameters were authorized?

A.

Documentation of exit routines

B.

System initialization logs

C.

Change control log

D.

Security system parameters

Question # 148

Which of the following is an example of a preventive control for physical access?

A.

Keeping log entries for all visitors to the building

B.

Implementing a fingerprint-based access control system for the building

C.

Installing closed-circuit television (CCTV) cameras for all ingress and egress points

D.

Implementing a centralized logging server to record instances of staff logging into workstations

Question # 149

The use of control totals satisfies which of the following control objectives?

A.

Transaction integrity

B.

Processing integrity

C.

Distribution control

D.

System recoverability

Question # 150

Which of the following should be the GREATEST concern to an IS auditor reviewing an organization's method to transport sensitive data between offices?

A.

The method relies exclusively on the use of asymmetric encryption algorithms.

B.

The method relies exclusively on the use of 128-bit encryption.

C.

The method relies exclusively on the use of digital signatures.

D.

The method relies exclusively on the use of public key infrastructure (PKI).

Question # 151

A database administrator (DBA) should be prevented from:

A.

having end user responsibilities

B.

accessing sensitive information

C.

having access to production files

D.

using an emergency user ID

Question # 152

Which of the following responsibilities of an organization's quality assurance (QA) function should raise concern for an IS auditor?

A.

Ensuring standards are adhered to within the development process

B.

Ensuring the test work supports observations

C.

Updating development methodology

D.

Implementing solutions to correct defects

Question # 153

An IS auditor discovers that validation controls in a web application have been moved from the server side into the browser to boost performance. This would MOST likely increase the risk of a successful attack by:

A.

phishing.

B.

denial of service (DoS)

C.

structured query language (SQL) injection

D.

buffer overflow

Question # 154

What is MOST important to verify during an external assessment of network vulnerability?

A.

Update of security information and event management (SIEM) rules

B.

Regular review of the network security policy

C.

Completeness of network asset inventory

D.

Location of intrusion detection systems (IDS)

Question # 155

Which of the following is the MOST effective way to maintain network integrity when using mobile devices?

A.

Implement network access control.

B.

Implement outbound firewall rules.

C.

Perform network reviews.

D.

Review access control lists.

Question # 156

Which of the following components of a risk assessment is MOST helpful to management in determining the level of risk mitigation to apply?

A.

Risk identification

B.

Risk classification

C.

Control self-assessment (CSA)

D.

Impact assessment

Question # 157

Which of the following is the MOST effective control for protecting the confidentiality and integrity of data stored unencrypted on virtual machines?

A.

Monitor access to stored images and snapshots of virtual machines.

B.

Restrict access to images and snapshots of virtual machines.

C.

Limit creation of virtual machine images and snapshots.

D.

Review logical access controls on virtual machines regularly.

Question # 158

Which of the following is the BEST compensating control when segregation of duties is lacking in a small IS department?

A.

Background checks

B.

User awareness training

C.

Transaction log review

D.

Mandatory holidays

Question # 159

While executing follow-up activities, an IS auditor is concerned that management has implemented corrective actions that are different from those originally discussed and agreed with the audit function. In order to resolve the situation, the IS auditor's BEST course of action would be to:

A.

re-prioritize the original issue as high risk and escalate to senior management.

B.

schedule a follow-up audit in the next audit cycle.

C.

postpone follow-up activities and escalate the alternative controls to senior audit management.

D.

determine whether the alternative controls sufficiently mitigate the risk.

Question # 160

Which of the following provides the MOST reliable audit evidence on the validity of transactions in a financial application?

A.

Walk-through reviews

B.

Substantive testing

C.

Compliance testing

D.

Design documentation reviews

Question # 161

In a 24/7 processing environment, a database contains several privileged application accounts with passwords set to never expire. Which of the following recommendations would BEST address the risk with minimal disruption to the business?

A.

Modify applications to no longer require direct access to the database.

B.

Introduce database access monitoring into the environment

C.

Modify the access management policy to make allowances for application accounts.

D.

Schedule downtime to implement password changes.

Question # 162

An IS auditor will be testing accounts payable controls by performing data analytics on the entire population of transactions. Which of the following is MOST important for the auditor to confirm when sourcing the population data?

A.

The data is taken directly from the system.

B.

There is no privacy information in the data.

C.

The data can be obtained in a timely manner.

D.

The data analysis tools have been recently updated.

Question # 163

What should be the PRIMARY basis for selecting which IS audits to perform in the coming year?

A.

Senior management's request

B.

Prior year's audit findings

C.

Organizational risk assessment

D.

Previous audit coverage and scope

Question # 164

An IS auditor is following up on prior period items and finds management did not address an audit finding. Which of the following should be the IS auditor's NEXT course of action?

A.

Note the exception in a new report as the item was not addressed by management.

B.

Recommend alternative solutions to address the repeat finding.

C.

Conduct a risk assessment of the repeat finding.

D.

Interview management to determine why the finding was not addressed.

Question # 165

An IS auditor is evaluating an organization's IT strategy and plans. Which of the following would be of GREATEST concern?

A.

There is not a defined IT security policy.

B.

The business strategy meeting minutes are not distributed.

C.

IT is not engaged in business strategic planning.

D.

There is inadequate documentation of IT strategic planning.

Question # 166

A data breach has occurred due to malware. Which of the following should be the FIRST course of action?

A.

Notify the cyber insurance company.

B.

Shut down the affected systems.

C.

Quarantine the impacted systems.

D.

Notify customers of the breach.

Question # 167

Which of the following is the BEST justification for deferring remediation testing until the next audit?

A.

The auditor who conducted the audit and agreed with the timeline has left the organization.

B.

Management's planned actions are sufficient given the relative importance of the observations.

C.

Auditee management has accepted all observations reported by the auditor.

D.

The audit environment has changed significantly.

Question # 168

Which of the following should an IS auditor be MOST concerned with during a post-implementation review?

A.

The system does not have a maintenance plan.

B.

The system contains several minor defects.

C.

The system deployment was delayed by three weeks.

D.

The system was over budget by 15%.

Question # 169

During an external review, an IS auditor observes an inconsistent approach in classifying system criticality within the organization. Which of the following should be recommended as the PRIMARY factor to determine system criticality?

A.

Key performance indicators (KPIs)

B.

Maximum allowable downtime (MAD)

C.

Recovery point objective (RPO)

D.

Mean time to restore (MTTR)

Question # 170

Which of the following fire suppression systems needs to be combined with an automatic switch to shut down the electricity supply in the event of activation?

A.

Carbon dioxide

B.

FM-200

C.

Dry pipe

D.

Halon

Question # 171

An IS audit reveals that an organization is not proactively addressing known vulnerabilities. Which of the following should the IS auditor recommend the organization do FIRST?

A.

Verify the disaster recovery plan (DRP) has been tested.

B.

Ensure the intrusion prevention system (IPS) is effective.

C.

Assess the security risks to the business.

D.

Confirm the incident response team understands the issue.

Question # 172

Which of the following should be the PRIMARY basis for prioritizing follow-up audits?

A.

Audit cycle defined in the audit plan

B.

Complexity of management's action plans

C.

Recommendation from executive management

D.

Residual risk from the findings of previous audits

Question # 173

Which of the following is the MOST important prerequisite for the protection of physical information assets in a data center?

A.

Segregation of duties between staff ordering and staff receiving information assets

B.

Complete and accurate list of information assets that have been deployed

C.

Availability and testing of onsite backup generators

D.

Knowledge of the IT staff regarding data protection requirements

Question # 174

During a review of a production schedule, an IS auditor observes that a staff member is not complying with mandatory operational procedures. The auditor's NEXT step should be to:

A.

note the noncompliance in the audit working papers.

B.

issue an audit memorandum identifying the noncompliance.

C.

include the noncompliance in the audit report.

D.

determine why the procedures were not followed.

Question # 175

An organization has outsourced its data processing function to a service provider. Which of the following would BEST determine whether the service provider continues to meet the organization's objectives?

A.

Assessment of the personnel training processes of the provider

B.

Adequacy of the service provider's insurance

C.

Review of performance against service level agreements (SLAs)

D.

Periodic audits of controls by an independent auditor

Question # 176

During an incident management audit, an IS auditor finds that several similar incidents were logged during the audit period. Which of the following is the auditor's MOST important course of action?

A.

Document the finding and present it to management.

B.

Determine if a root cause analysis was conducted.

C.

Confirm the resolution time of the incidents.

D.

Validate whether all incidents have been actioned.

Question # 177

When an intrusion into an organization's network is detected, which of the following should be done FIRST?

A.

Block all compromised network nodes.

B.

Contact law enforcement.

C.

Notify senior management.

D.

Identify nodes that have been compromised.

Question # 178

Which of the following would MOST likely impair the independence of the IS auditor when performing a post-implementation review of an application system?

A.

The IS auditor provided consulting advice concerning application system best practices.

B.

The IS auditor participated as a member of the application system project team, but did not have operational responsibilities.

C.

The IS auditor designed an embedded audit module exclusively for auditing the application system.

D.

The IS auditor implemented a specific control during the development of the application system.

Question # 179

To confirm integrity for a hashed message, the receiver should use:

A.

the same hashing algorithm as the sender's to create a binary image of the file.

B.

a different hashing algorithm from the sender's to create a binary image of the file.

C.

the same hashing algorithm as the sender's to create a numerical representation of the file.

D.

a different hashing algorithm from the sender's to create a numerical representation of the file.

Question # 180

When determining whether a project in the design phase will meet organizational objectives, what is BEST to compare against the business case?

A.

Implementation plan

B.

Project budget provisions

C.

Requirements analysis

D.

Project plan

Question # 181

During the implementation of an upgraded enterprise resource planning (ERP) system, which of the following is the MOST important consideration for a go-live decision?

A.

Rollback strategy

B.

Test cases

C.

Post-implementation review objectives

D.

Business case

Question # 182

Which of the following is an audit reviewer's PRIMARY role with regard to evidence?

A.

Ensuring unauthorized individuals do not tamper with evidence after it has been captured

B.

Ensuring evidence is sufficient to support audit conclusions

C.

Ensuring appropriate statistical sampling methods were used

D.

Ensuring evidence is labeled to show it was obtained from an approved source

Question # 183

An IS auditor who was instrumental in designing an application is called upon to review the application. The auditor should:

A.

refuse the assignment to avoid conflict of interest.

B.

use the knowledge of the application to carry out the audit.

C.

inform audit management of the earlier involvement.

D.

modify the scope of the audit.

Question # 184

An IS auditor is examining a front-end subledger and a main ledger. Which of the following would be the GREATEST concern if there are flaws in the mapping of accounts between the two systems?

A.

Double-posting of a single journal entry

B.

Inability to support new business transactions

C.

Unauthorized alteration of account attributes

D.

Inaccuracy of financial reporting

Question # 185

An incorrect version of the source code was amended by a development team. This MOST likely indicates a weakness in:

A.

incident management.

B.

quality assurance (QA).

C.

change management.

D.

project management.

Question # 186

Which of the following would be of MOST concern when determining whether information assets are adequately safeguarded during transport and disposal?

A.

Lack of appropriate labelling

B.

Lack of recent awareness training

C.

Lack of password protection

D.

Lack of appropriate data classification

Question # 187

Which of the following is a social engineering attack method?

A.

An unauthorized person attempts to gain access to secure premises by following an authorized person through a secure door.

B.

An employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone.

C.

A hacker walks around an office building using scanning tools to search for a wireless network to gain access.

D.

An intruder eavesdrops and collects sensitive information flowing through the network and sells it to third parties.

Question # 188

Which of the following would be an IS auditor's GREATEST concern when reviewing the early stages of a software development project?

A.

The lack of technical documentation to support the program code

B.

The lack of completion of all requirements at the end of each sprint

C.

The lack of acceptance criteria behind user requirements

D.

The lack of a detailed unit and system test plan

Question # 189

An IS auditor is conducting a post-implementation review of an enterprise resource planning (ERP) system. End users indicated concerns with the accuracy of critical automatic calculations made by the system. The auditor's FIRST course of action should be to:

A.

review recent changes to the system.

B.

verify completeness of user acceptance testing (UAT).

C.

verify results to determine validity of user concerns.

D.

review initial business requirements.

Question # 190

Which of the following is the BEST way to determine whether a test of a disaster recovery plan (DRP) was successful?

A.

Analyze whether predetermined test objectives were met.

B.

Perform testing at the backup data center.

C.

Evaluate participation by key personnel.

D.

Test offsite backup files.

Question # 191

Which of the following is MOST important for an IS auditor to examine when reviewing an organization's privacy policy?

A.

Whether there is explicit permission from regulators to collect personal data

B.

The organization's legitimate purpose for collecting personal data

C.

Whether sharing of personal information with third-party service providers is prohibited

D.

The encryption mechanism selected by the organization for protecting personal data

Question # 192

When implementing Internet Protocol security (IPsec) architecture, the servers involved in application delivery:

A.

communicate via Transport Layer Security (TLS).

B.

block authorized users from unauthorized activities.

C.

channel access only through the public-facing firewall.

D.

channel access through authentication.

Question # 193

An organization conducted an exercise to test the security awareness level of users by sending an email offering a cash reward to those who click on a link embedded in the body of the email. Which of the following metrics BEST indicates the effectiveness of awareness training?

A.

The number of users deleting the email without reporting because it is a phishing email

B.

The number of users clicking on the link to learn more about the sender of the email

C.

The number of users forwarding the email to their business unit managers

D.

The number of users reporting receipt of the email to the information security team

Question # 194

Which of the following is the BEST control to prevent the transfer of files to external parties through instant messaging (IM) applications?

A.

File level encryption

B.

File Transfer Protocol (FTP)

C.

Instant messaging policy

D.

Application-level firewalls

Question # 195

During a follow-up audit, an IS auditor learns that some key management personnel have been replaced since the original audit, and current management has decided not to implement some previously accepted recommendations. What is the auditor's BEST course of action?

A.

Notify the chair of the audit committee.

B.

Notify the audit manager.

C.

Retest the control.

D.

Close the audit finding.

Question # 196

Which of the following would BEST demonstrate that an effective disaster recovery plan (DRP) is in place?

A.

Frequent testing of backups

B.

Annual walk-through testing

C.

Periodic risk assessment

D.

Full operational test

Question # 197

During the design phase of a software development project, the PRIMARY responsibility of an IS auditor is to evaluate the:

A.

future compatibility of the application.

B.

proposed functionality of the application.

C.

controls incorporated into the system specifications.

D.

development methodology employed.

Question # 198

Which of the following is the PRIMARY reason for an IS auditor to conduct post-implementation reviews?

A.

To determine whether project objectives in the business case have been achieved

B.

To ensure key stakeholder sign-off has been obtained

C.

To align project objectives with business needs

D.

To document lessons learned to improve future project delivery

Question # 199

What is the BEST control to address SQL injection vulnerabilities?

A.

Unicode translation

B.

Secure Sockets Layer (SSL) encryption

C.

Input validation

D.

Digital signatures

Question # 200

Which of the following tests would provide the BEST assurance that a health care organization is handling patient data appropriately?

A.

Compliance with action plans resulting from recent audits

B.

Compliance with local laws and regulations

C.

Compliance with industry standards and best practice

D.

Compliance with the organization's policies and procedures

Question # 201

Which of the following is the BEST way to mitigate the impact of ransomware attacks?

A.

Invoking the disaster recovery plan (DRP)

B.

Backing up data frequently

C.

Paying the ransom

D.

Requiring password changes for administrative accounts

Question # 202

During an audit of a reciprocal disaster recovery agreement between two companies, the IS auditor would be MOST concerned with the:

A.

allocation of resources during an emergency.

B.

frequency of system testing.

C.

differences in IS policies and procedures.

D.

maintenance of hardware and software compatibility.

Question # 203

An IS auditor found that a company executive is encouraging employee use of social networking sites for business purposes. Which of the following recommendations would BEST help to reduce the risk of data leakage?

A.

Requiring policy acknowledgment and nondisclosure agreements (NDAs) signed by employees

B.

Establishing strong access controls on confidential data

C.

Providing education and guidelines to employees on use of social networking sites

D.

Monitoring employees' social networking usage

Question # 204

Which of the following is the MOST effective way for an organization to protect against data loss?

A.

Limit employee internet access.

B.

Implement data classification procedures.

C.

Review firewall logs for anomalies.

D.

Conduct periodic security awareness training.

Question # 205

Which of the following will be the MOST effective method to verify that a service vendor keeps control levels as required by the client?

A.

Conduct periodic on-site assessments using agreed-upon criteria.

B.

Periodically review the service level agreement (SLA) with the vendor.

C.

Conduct an unannounced vulnerability assessment of vendor's IT systems.

D.

Obtain evidence of the vendor's control self-assessment (CSA).

Question # 206

The PRIMARY benefit of using a dry-pipe fire-suppression system rather than a wet-pipe system is that a dry-pipe system:

A.

is more effective at suppressing flames.

B.

allows more time to abort release of the suppressant.

C.

has a decreased risk of leakage.

D.

disperses dry chemical suppressants exclusively.

Question # 207

When auditing the security architecture of an online application, an IS auditor should FIRST review the:

A.

firewall standards.

B.

configuration of the firewall.

C.

firmware version of the firewall.

D.

location of the firewall within the network.

Question # 208

Which of the following documents would be MOST useful in detecting a weakness in segregation of duties?

A.

System flowchart

B.

Data flow diagram

C.

Process flowchart

D.

Entity-relationship diagram

Question # 209

Which of the following data would be used when performing a business impact analysis (BIA)?

A.

Projected impact of current business on future business

B.

Cost-benefit analysis of running the current business

C.

Cost of regulatory compliance

D.

Expected costs for recovering the business

Question # 210

Which of the following is MOST important to include in forensic data collection and preservation procedures?

A.

Assuring the physical security of devices

B.

Preserving data integrity

C.

Maintaining chain of custody

D.

Determining tools to be used

Question # 211

An IS auditor finds that a key Internet-facing system is vulnerable to attack and that patches are not available. What should the auditor recommend be done FIRST?

A.

Implement a new system that can be patched.

B.

Implement additional firewalls to protect the system.

C.

Decommission the server.

D.

Evaluate the associated risk.

Question # 212

Which of the following would BEST facilitate the successful implementation of an IT-related framework?

A.

Aligning the framework to industry best practices

B.

Establishing committees to support and oversee framework activities

C.

Involving appropriate business representation within the framework

D.

Documenting IT-related policies and procedures

Question # 213

Which of the following should be done FIRST when planning a penetration test?

A.

Execute nondisclosure agreements (NDAs).

B.

Determine reporting requirements for vulnerabilities.

C.

Define the testing scope.

D.

Obtain management consent for the testing.

Question # 214

Which of the following is the BEST detective control for a job scheduling process involving data transmission?

A.

Metrics denoting the volume of monthly job failures are reported and reviewed by senior management.

B.

Jobs are scheduled to be completed daily and data is transmitted using a Secure File Transfer Protocol (SFTP).

C.

Jobs are scheduled and a log of this activity is retained for subsequent review.

D.

Job failure alerts are automatically generated and routed to support personnel.

Question # 215

Which of the following demonstrates the use of data analytics for a loan origination process?

A.

Evaluating whether loan records are included in the batch file and are validated by the servicing system

B.

Comparing a population of loans input in the origination system to loans booked on the servicing system

C.

Validating whether reconciliations between the two systems are performed and discrepancies are investigated

D.

Reviewing error handling controls to notify appropriate personnel in the event of a transmission failure

Question # 216

An IS auditor finds that firewalls are outdated and not supported by vendors. Which of the following should be the auditor's NEXT course of action?

A.

Report the mitigating controls.

B.

Report the security posture of the organization.

C.

Determine the value of the firewall.

D.

Determine the risk of not replacing the firewall.

Question # 217

During the discussion of a draft audit report, IT management provided suitable evidence that a process has been implemented for a control that the IS auditor had concluded was ineffective. Which of the following is the auditor's BEST action?

A.

Explain to IT management that the new control will be evaluated during follow-up.

B.

Re-perform the audit before changing the conclusion.

C.

Change the conclusion based on evidence provided by IT management.

D.

Add comments about the action taken by IT management in the report.

Question # 218

Which of the following is the BEST data integrity check?

A.

Counting the transactions processed per day

B.

Performing a sequence check

C.

Tracing data back to the point of origin

D.

Preparing and running test data

Question # 219

Which of the following is the BEST way to address segregation of duties issues in an organization with budget constraints?

A.

Rotate job duties periodically.

B.

Perform an independent audit.

C.

Hire temporary staff.

D.

Implement compensating controls.

Question # 220

Which of the following should be of GREATEST concern to an IS auditor reviewing data conversion and migration during the implementation of a new application system?

A.

Data conversion was performed using manual processes.

B.

Backups of the old system and data are not available online.

C.

Unauthorized data modifications occurred during conversion.

D.

The change management process was not formally documented.

Question # 221

Which of the following is the BEST control to mitigate the malware risk associated with an instant messaging (IM) system?

A.

Blocking attachments in IM

B.

Blocking external IM traffic

C.

Allowing only corporate IM solutions

D.

Encrypting IM traffic

Question # 222

Documentation of workaround processes to keep a business function operational during recovery of IT systems is a core part of a:

A.

business impact analysis (BIA).

B.

threat and risk assessment.

C.

business continuity plan (BCP).

D.

disaster recovery plan (DRP).

Question # 223

Which of the following is a social engineering attack method?

A.

An employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone.

B.

A hacker walks around an office building using scanning tools to search for a wireless network to gain access.

C.

An intruder eavesdrops and collects sensitive information flowing through the network and sells it to third parties.

D.

An unauthorized person attempts to gain access to secure premises by following an authorized person through a secure door.

Question # 224

Which of the following should be an IS auditor's GREATEST concern when an international organization intends to roll out a global data privacy policy?

A.

Requirements may become unreasonable.

B.

The policy may conflict with existing application requirements.

C.

Local regulations may contradict the policy.

D.

Local management may not accept the policy.

Question # 225

An organization has recently implemented a Voice-over IP (VoIP) communication system. Which of the following should be the IS auditor's PRIMARY concern?

A.

A single point of failure for both voice and data communications

B.

Inability to use virtual private networks (VPNs) for internal traffic

C.

Lack of integration of voice and data communications

D.

Voice quality degradation due to packet loss

Question # 226

Which of the following would an IS auditor recommend as the MOST effective preventive control to reduce the risk of data leakage?

A.

Ensure that paper documents are disposed of securely.

B.

Implement an intrusion detection system (IDS).

C.

Verify that application logs capture any changes made.

D.

Validate that all data files contain digital watermarks.

Question # 227

Which of the following is the BEST way to mitigate the risk associated with unintentional modifications of complex calculations in end-user computing (EUC)?

A.

Have an independent party review the source calculations

B.

Execute copies of EUC programs out of a secure library

C.

Implement complex password controls

D.

Verify EUC results through manual calculations

Question # 228

Which of the following audit procedures would be MOST conclusive in evaluating the effectiveness of an e-commerce application system's edit routine?

A.

Review of program documentation

B.

Use of test transactions

C.

Interviews with knowledgeable users

D.

Review of source code

Question # 229

An IS auditor notes that the previous year's disaster recovery test was not completed within the scheduled time frame due to insufficient hardware allocated by a third-party vendor. Which of the following provides the BEST evidence that adequate resources are now allocated to successfully recover the systems?

A.

Service level agreement (SLA)

B.

Hardware change management policy

C.

Vendor memo indicating problem correction

D.

An up-to-date RACI chart

Question # 230

Which of the following IT service management activities is MOST likely to help with identifying the root cause of repeated instances of network latency?

A.

Change management

B.

Problem management

C.

Incident management

D.

Configuration management

Question # 231

In a controlled application development environment, the MOST important segregation of duties should be between the person who implements changes into the production environment and the:

A.

application programmer.

B.

systems programmer.

C.

computer operator.

D.

quality assurance (QA) personnel.

Question # 232

Which of the following would MOST effectively help to reduce the number of repeated incidents in an organization?

A.

Testing incident response plans with a wide range of scenarios

B.

Prioritizing incidents after impact assessment

C.

Linking incidents to problem management activities

D.

Training incident management teams on current incident trends

Question # 233

Which of the following is the BEST way to enforce the principle of least privilege on a server containing data with different security classifications?

A.

Limiting access to the data files based on frequency of use

B.

Obtaining formal agreement by users to comply with the data classification policy

C.

Applying access controls determined by the data owner

D.

Using scripted access control lists to prevent unauthorized access to the server

Question # 234

Which of the following backup schemes is the BEST option when storage media is limited?

A.

Real-time backup

B.

Virtual backup

C.

Differential backup

D.

Full backup

Question # 235

An IS auditor reviewing the threat assessment for a data center would be MOST concerned if:

A.

some of the identified threats are unlikely to occur.

B.

all identified threats relate to external entities.

C.

the exercise was completed by local management.

D.

neighboring organizations' operations have been included.

Question # 236

Which of the following security measures will reduce the risk of propagation when a cyberattack occurs?

A.

Perimeter firewall

B.

Data loss prevention (DLP) system

C.

Web application firewall

D.

Network segmentation

Question # 237

Which of the following will BEST ensure that a proper cutoff has been established to reinstate transactions and records to their condition just prior to a computer system failure?

A.

Rotating backup copies of transaction files offsite

B.

Using a database management system (DBMS) to dynamically back-out partially processed transactions

C.

Maintaining system console logs in electronic format

D.

Ensuring bisynchronous capabilities on all transmission lines

Question # 238

If enabled within firewall rules, which of the following services would present the GREATEST risk?

A.

Simple mail transfer protocol (SMTP)

B.

Simple object access protocol (SOAP)

C.

Hypertext transfer protocol (HTTP)

D.

File transfer protocol (FTP)

Question # 239

Which of the following would be MOST effective to protect information assets in a data center from theft by a vendor?

A.

Monitor and restrict vendor activities.

B.

Issue an access card to the vendor.

C.

Conceal data devices and information labels.

D.

Restrict use of portable and wireless devices.

Question # 240

Which of the following would provide an IS auditor with the GREATEST assurance that data disposal controls support business strategic objectives?

A.

Media recycling policy

B.

Media sanitization policy

C.

Media labeling policy

D.

Media shredding policy

Question # 241

An IS auditor has been asked to advise on measures to improve IT governance within the organization. Which of the following is the BEST recommendation?

A.

Implement key performance indicators (KPIs).

B.

Implement annual third-party audits.

C.

Benchmark organizational performance against industry peers.

D.

Require executive management to draft IT strategy.

Question # 242

What would be an IS auditor's BEST recommendation upon finding that a third-party IT service provider hosts the organization's human resources (HR) system in a foreign country?

A.

Perform background verification checks.

B.

Review third-party audit reports.

C.

Implement change management review.

D.

Conduct a privacy impact analysis.

Question # 243

A company has implemented an IT segregation of duties policy. In a role-based environment, which of the following roles may be assigned to an application developer?

A.

IT operator

B.

System administration

C.

Emergency support

D.

Database administration

Question # 244

What Is the BEST method to determine if IT resource spending is aligned with planned project spending?

A.

Earned value analysis (EVA)

B.

Return on investment (ROI) analysis

C.

Gantt chart

D.

Critical path analysis

Question # 245

Which of the following would BEST detect that a distributed denial of service (DDoS) attack is occurring?

A.

Customer service complaints

B.

Automated monitoring of logs

C.

Server crashes

D.

Penetration testing

Question # 246

What is the GREATEST concern for an IS auditor reviewing contracts for licensed software that executes a critical business process?

A.

The contract does not contain a right-to-audit clause.

B.

An operational level agreement (OLA) was not negotiated.

C.

Several vendor deliverables missed the commitment date.

D.

Software escrow was not negotiated.

Question # 247

Which of the following BEST facilitates the legal process in the event of an incident?

A.

Right to perform e-discovery

B.

Advice from legal counsel

C.

Preserving the chain of custody

D.

Results of a root cause analysis

Question # 248

Which of the following presents the GREATEST challenge to the alignment of business and IT?

A.

Lack of chief information officer (CIO) involvement in board meetings

B.

Insufficient IT budget to execute new business projects

C.

Lack of information security involvement in business strategy development

D.

An IT steering committee chaired by the chief information officer (CIO)

Question # 249

A warehouse employee of a retail company has been able to conceal the theft of inventory items by entering adjustments of either damaged or lost stock items to the inventory system. Which control would have BEST prevented this type of fraud in a retail environment?

A.

Separate authorization for input of transactions

B.

Statistical sampling of adjustment transactions

C.

Unscheduled audits of lost stock lines

D.

An edit check for the validity of the inventory transaction

Question # 250

Which of the following is the BEST metric to measure the alignment of IT and business strategy?

A.

Level of stakeholder satisfaction with the scope of planned IT projects

B.

Percentage of enterprise risk assessments that include IT-related risk

C.

Percentage of staff satisfied with their IT-related roles

D.

Frequency of business process capability maturity assessments

Question # 251

During a security audit, an IS auditor is tasked with reviewing log entries obtained from an enterprise intrusion prevention system (IPS). Which type of risk would be associated with the potential for the auditor to miss a sequence of logged events that could indicate an error in the IPS configuration?

A.

Sampling risk

B.

Detection risk

C.

Control risk

D.

Inherent risk

Question # 252

Which of the following is MOST important to ensure that electronic evidence collected during a forensic investigation will be admissible in future legal proceedings?

A.

Restricting evidence access to professionally certified forensic investigators

B.

Documenting evidence handling by personnel throughout the forensic investigation

C.

Performing investigative procedures on the original hard drives rather than images of the hard drives

D.

Engaging an independent third party to perform the forensic investigation

Question # 253

Which of the following would be of GREATEST concern when reviewing an organization's security information and event management (SIEM) solution?

A.

SIEM reporting is customized.

B.

SIEM configuration is reviewed annually

C.

The SIEM is decentralized.

D.

SIEM reporting is ad hoc.

Question # 254

An IS auditor has found that a vendor has gone out of business and the escrow has an older version of the source code. What is the auditor's BEST recommendation for the organization?

A.

Analyze a new application that meets the current re

B.

Perform an analysis to determine the business risk

C.

Bring the escrow version up to date.

D.

Develop a maintenance plan to support the application using the existing code

Question # 255

Which of the following is MOST important for an IS auditor to look for in a project feasibility study?

A.

An assessment of whether requirements will be fully met

B.

An assessment indicating security controls will operate effectively

C.

An assessment of whether the expected benefits can be achieved

D.

An assessment indicating the benefits will exceed the implement

Question # 256

An audit has identified that business units have purchased cloud-based applications without IT's support. What is the GREATEST risk associated with this situation?

A.

The applications are not included in business continuity plans (BCPs).

B.

The applications may not reasonably protect data.

C.

The application purchases did not follow procurement policy.

D.

The applications could be modified without advance notice.

Question # 257

An IS auditor is reviewing processes for importing market price data from external data providers. Which of the following findings should the auditor consider MOST critical?

A.

The quality of the data is not monitored.

B.

Imported data is not disposed of frequently.

C.

The transfer protocol is not encrypted.

D.

The transfer protocol does not require authentication.

Question # 258

Which of the following is the MOST significant risk that IS auditors are required to consider for each engagement?

A.

Process and resource inefficiencies

B.

Irregularities and illegal acts

C.

Noncompliance with organizational policies

D.

Misalignment with business objectives

Question # 259

Which of the following should be performed FIRST before key performance indicators (KPIs) can be implemented?

A.

Analysis of industry benchmarks

B.

Identification of organizational goals

C.

Analysis of quantitative benefits

D.

Implementation of a balanced scorecard

Question # 260

An IS auditor finds that capacity management for a key system is being performed by IT with no input from the business. The auditor's PRIMARY concern would be:

A.

failure to maximize the use of equipment.

B.

unanticipated increase in the business's capacity needs.

C.

cost of excessive data center storage capacity.

D.

impact to future business project funding.

Question # 261

A post-implementation review was conducted by issuing a survey to users. Which of the following should be of GREATEST concern to an IS auditor?

A.

The survey results were not presented in detail to management.

B.

The survey questions did not address the scope of the business case.

C.

The survey form template did not allow additional feedback to be provided.

D.

The survey was issued to employees a month after implementation.

Question # 262

Which of the following would BEST ensure that a backup copy is available for restoration of mission-critical data after a disaster?

A.

Use an electronic vault for incremental backups

B.

Deploy a fully automated backup maintenance system

C.

Periodically test backups stored in a remote location

D.

Use both tape and disk backup systems

Question # 263

Which of the following should an IS auditor expect to see in a network vulnerability assessment?

A.

Misconfiguration and missing updates

B.

Malicious software and spyware

C.

Zero-day vulnerabilities

D.

Security design flaws

Question # 264

Which of the following is the BEST reason to implement a data retention policy?

A.

To limit the liability associated with storing and protecting information

B.

To document business objectives for processing data within the organization

C.

To assign responsibility and ownership for data protection outside IT

D.

To establish a recovery point objective (RPO) for disaster recovery procedures

Question # 265

A review of Internet security disclosed that users have individual user accounts with Internet service providers (ISPs) and use these accounts for downloading business data. The organization wants to ensure that only the corporate network is used. The organization should FIRST:

A.

use a proxy server to filter out Internet sites that should not be accessed.

B.

keep a manual log of Internet access.

C.

monitor remote access activities.

D.

include a statement in its security policy about Internet use.

Question # 266

What is the PRIMARY benefit of an audit approach which requires reported findings to be issued together with related action plans, owners, and target dates?

A.

It facilitates easier audit follow-up

B.

It enforces action plan consensus between auditors and auditees

C.

It establishes accountability for the action plans

D.

It helps to ensure factual accuracy of findings

Question # 267

An IS auditor discovers that an IT organization serving several business units assigns equal priority to all initiatives, creating a risk of delays in securing project funding. Which of the following would be MOST helpful in matching demand for projects and services with available resources in a way that supports business objectives?

A.

Project management

B.

Risk assessment results

C.

IT governance framework

D.

Portfolio management

Question # 268

The PRIMARY benefit of information asset classification is that it:

A.

prevents loss of assets.

B.

helps to align organizational objectives.

C.

facilitates budgeting accuracy.

D.

enables risk management decisions.

Question # 269

An IS auditor is reviewing the installation of a new server. The IS auditor's PRIMARY objective is to ensure that:

A.

security parameters are set in accordance with the manufacturer's standards.

B.

a detailed business case was formally approved prior to the purchase.

C.

security parameters are set in accordance with the organization's policies.

D.

the procurement project invited tenders from at least three different suppliers.

Question # 270

Which of the following is MOST critical for the effective implementation of IT governance?

A.

Strong risk management practices

B.

Internal auditor commitment

C.

Supportive corporate culture

D.

Documented policies

Question # 271

A system administrator recently informed the IS auditor about the occurrence of several unsuccessful intrusion attempts from outside the organization. Which of the following is MOST effective in detecting such an intrusion?

A.

Using smart cards with one-time passwords

B.

Periodically reviewing log files

C.

Configuring the router as a firewall

D.

Installing biometrics-based authentication

Question # 272

A review of an organization's IT portfolio revealed several applications that are not in use. The BEST way to prevent this situation from recurring would be to implement:

A.

A formal request for proposal (RFP) process

B.

Business case development procedures

C.

An information asset acquisition policy

D.

Asset life cycle management

Question # 273

Which of the following would be the MOST useful metric for management to consider when reviewing a project portfolio?

A.

Cost of projects divided by total IT cost

B.

Expected return divided by total project cost

C.

Net present value (NPV) of the portfolio

D.

Total cost of each project

Question # 274

Which of the following is MOST important when implementing a data classification program?

A.

Understanding the data classification levels

B.

Formalizing data ownership

C.

Developing a privacy policy

D.

Planning for secure storage capacity

Question # 275

An IS auditor follows up on a recent security incident and finds the incident response was not adequate. Which of the following findings should be considered MOST critical?

A.

The security weakness facilitating the attack was not identified.

B.

The attack was not automatically blocked by the intrusion detection system (IDS).

C.

The attack could not be traced back to the originating person.

D.

Appropriate response documentation was not maintained.

Question # 276

The PRIMARY role of a control self-assessment (CSA) facilitator is to:

A.

conduct interviews to gain background information.

B.

focus the team on internal controls.

C.

report on the internal control weaknesses.

D.

provide solutions for control weaknesses.

Question # 277

An externally facing system containing sensitive data is configured such that users have either read-only or administrator rights. Most users of the system have administrator access. Which of the following is the GREATEST risk associated with this situation?

A.

Users can export application logs.

B.

Users can view sensitive data.

C.

Users can make unauthorized changes.

D.

Users can install open-licensed software.

Question # 278

Which task should an IS auditor complete FIRST during the preliminary planning phase of a database security review?

A.

Perform a business impact analysis (BIA).

B.

Determine which databases will be in scope.

C.

Identify the most critical database controls.

D.

Evaluate the types of databases being used.
