Summer Sale - Special Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: dpm65

CISA Certified Information Systems Auditor Questions and Answers

Questions 4

Which of the following would be of GREATEST concern to an IS auditor reviewing an IT strategy document?

Options:

A.

Target architecture is defined at a technical level.

B.

The previous year's IT strategic goals were not achieved.

C.

Strategic IT goals are derived solely from the latest market trends.

D.

Financial estimates of new initiatives are disclosed within the document.

Buy Now
Questions 5

What is the MOST effective way to detect installation of unauthorized software packages by employees?

Options:

A.

Regular scanning of hard drives

B.

Communicating the policy to employees

C.

Logging of activity on the network

D.

Maintaining current antivirus software

Buy Now
Questions 6

Which of the following should be the FIRST step when developing a data loss prevention (DLP) solution for a large organization?

Options:

A.

Conduct a data inventory and classification exercise.

B.

Identify approved data workflows across the enterprise_

C.

Conduct a threat analysis against sensitive data usage.

D.

Create the DLP policies and templates

Buy Now
Questions 7

Which of the following is the BEST way for management to ensure the effectiveness of the cybersecurity incident response process?

Options:

A.

Periodic reporting of cybersecurity incidents to key stakeholders

B.

Periodic update of incident response process documentation

C.

Periodic cybersecurity training for staff involved in incident response

D.

Periodic tabletop exercises involving key stakeholders

Buy Now
Questions 8

A mission-critical application utilizes a one-node database server. On multiple occasions, the database service has been stopped to perform routine patching, causing application outages. Which of the following should be the IS auditor’s GREATEST concern?

Options:

A.

Revenue lost due to application outages

B.

Patching performed by the vendor

C.

A large number of scheduled database changes

D.

The presence of a single point of failure

Buy Now
Questions 9

Which of the following are BEST suited for continuous auditing?

Options:

A.

Low-value transactions

B.

Real-lime transactions

C.

Irregular transactions

D.

Manual transactions

Buy Now
Questions 10

An IS auditor reviewing a job scheduling tool notices performance and reliability problems. Which of the following is MOST likely affecting the tool?

Options:

A.

Administrator passwords do not meet organizational security and complexity requirements.

B.

The number of support staff responsible for job scheduling has been reduced.

C.

The scheduling tool was not classified as business-critical by the IT department.

D.

Maintenance patches and the latest enhancement upgrades are missing.

Buy Now
Questions 11

During an external review, an IS auditor observes an inconsistent approach in classifying system criticality

within the organization. Which of the following should be recommended as the PRIMARY factor to

determine system criticality?

Options:

A.

Recovery point objective (RPO)

B.

Maximum allowable downtime (MAD)

C.

Mean time to restore (MTTR)

D.

Key performance indicators (KPls)

Buy Now
Questions 12

Which of the following is BEST used for detailed testing of a business application's data and configuration files?

Options:

A.

Version control software

B.

Audit hooks

C.

Utility software

D.

Audit analytics tool

Buy Now
Questions 13

What is the FIRST step when creating a data classification program?

Options:

A.

Categorize and prioritize data.

B.

Develop data process maps.

C.

Categorize information by owner.

D.

Develop a policy.

Buy Now
Questions 14

The use of control totals reduces the risk of:

Options:

A.

posting to the wrong record.

B.

incomplete processing.

C.

improper backup.

D.

improper authorization.

Buy Now
Questions 15

An organization's senior management thinks current security controls may be excessive and requests an IS auditor's advice on how to assess the adequacy of current measures. What is the auditor's BEST recommendation to management?

Options:

A.

Perform correlation analysis between incidents and investments.

B.

Downgrade security controls on low-risk systems.

C.

Introduce automated security monitoring tools.

D.

Re-evaluate the organization's risk and control framework.

Buy Now
Questions 16

Which of the following is the MOST reliable way for an IS auditor to evaluate the operational effectiveness of an organization's data loss prevention (DLP) controls?

Options:

A.

Review data classification levels based on industry best practice

B.

Verify that current DLP software is installed on all computer systems.

C.

Conduct interviews to identify possible data protection vulnerabilities.

D.

Verify that confidential files cannot be transmitted to a personal USB device.

Buy Now
Questions 17

Which of the following is MOST important for the successful establishment of a security vulnerability management program?

Options:

A.

A robust tabletop exercise plan

B.

A comprehensive asset inventory

C.

A tested incident response plan

D.

An approved patching policy

Buy Now
Questions 18

Which of the following should be the PRIMARY consideration when incorporating user training and awareness into a data loss prevention (DLP) strategy?

Options:

A.

Avoiding financial penalties and reputational risk

B.

Ensuring data availability

C.

Promoting secure data handling practices

D.

Adhering to data governance policies

Buy Now
Questions 19

Which of the following security measures will reduce the risk of propagation when a cyberattack occurs?

Options:

A.

Perimeter firewall

B.

Data loss prevention (DLP) system

C.

Web application firewall

D.

Network segmentation

Buy Now
Questions 20

Which of the following audit procedures would be MOST conclusive in evaluating the effectiveness of an e-commerce application system's edit routine?

Options:

A.

Review of program documentation

B.

Use of test transactions

C.

Interviews with knowledgeable users

D.

Review of source code

Buy Now
Questions 21

Which of the following would BEST determine whether a post-implementation review (PIR) performed by the project management office (PMO) was effective?

Options:

A.

Lessons learned were implemented.

B.

Management approved the PIR report.

C.

The review was performed by an external provider.

D.

Project outcomes have been realized.

Buy Now
Questions 22

Which of the following is MOST important to include in forensic data collection and preservation procedures?

Options:

A.

Assuring the physical security of devices

B.

Preserving data integrity

C.

Maintaining chain of custody

D.

Determining tools to be used

Buy Now
Questions 23

Which of the following should be the FIRST step to successfully implement a corporate data classification program?

Options:

A.

Approve a data classification policy.

B.

Select a data loss prevention (DLP) product.

C.

Confirm that adequate resources are available for the project.

D.

Check for the required regulatory requirements.

Buy Now
Questions 24

Which of the following is MOST useful when planning to audit an organization's compliance with cybersecurity regulations in foreign countries?

Options:

A.

Prioritize the audit to focus on the country presenting the greatest amount of operational risk.

B.

Follow the cybersecurity regulations of the country with the most stringent requirements.

C.

Develop a template that standardizes the reporting of findings from each country's audit team

D.

Map the different regulatory requirements to the organization's IT governance framework

Buy Now
Questions 25

Which of the following BEST enables an organization to improve the effectiveness of its incident response team?

Options:

A.

Conducting periodic testing and incorporating lessons learned

B.

Increasing the mean resolution time and publishing key performance indicator (KPI) metrics

C.

Disseminating incident response procedures and requiring signed acknowledgment by team members

D.

Ensuring all team members understand information systems technology

Buy Now
Questions 26

Which of the following is MOST important to ensure when developing an effective security awareness program?

Options:

A.

Training personnel are information security professionals.

B.

Outcome metrics for the program are established.

C.

Security threat scenarios are included in the program content.

D.

Phishing exercises are conducted post-training

Buy Now
Questions 27

Which of the following physical controls provides the GREATEST assurance that only authorized individuals can access a data center?

Options:

A.

The data center is patrolled by a security guard.

B.

Access to the data center is monitored by video cameras.

C.

ID badges must be displayed before access is granted

D.

Access to the data center is controlled by a mantrap.

Buy Now
Questions 28

A secure server room has a badge reader system that records name, date, and time information whenever a staff member uses a badge to enter or exit. When reviewing the system logs, an IS auditor notices records for some employees entering, but not exiting, the room. Which of the following would be the MOST effective compensating control to recommend?

Options:

A.

Installing security cameras at the doors

B.

Changing to a biometric access control system

C.

Implementing a monitored mantrap at entrance and exit points

D.

Requiring two-factor authentication at entrance and exit points

Buy Now
Questions 29

An organization is disposing of removable onsite media which contains sensitive information. Which of the following is the MOST effective method to prevent disclosure of sensitive data?

Options:

A.

Encrypting and destroying keys

B.

Machine shredding

C.

Software formatting

D.

Wiping and rewriting three times

Buy Now
Questions 30

During the walk-through procedures for an upcoming audit, an IS auditor notes that the key application in scope is part of a Software as a Service (SaaS)

agreement. What should the auditor do NEXT?

Options:

A.

Verify whether IT management monitors the effectiveness of the environment.

B.

Verify whether a right-to-audit clause exists.

C.

Verify whether a third-party security attestation exists.

D.

Verify whether service level agreements (SLAs) are defined and monitored.

Buy Now
Questions 31

Which of the following BEST facilitates strategic program management?

Options:

A.

Implementing stage gates

B.

Establishing a quality assurance (QA) process

C.

Aligning projects with business portfolios

D.

Tracking key project milestones

Buy Now
Questions 32

Which type of attack targets security vulnerabilities in web applications to gain access to data sets?

Options:

A.

Denial of service (DOS)

B.

SQL injection

C.

Phishing attacks

D.

Rootkits

Buy Now
Questions 33

Which of the following should an IS auditor be MOST concerned with when a system uses RFID?

Options:

A.

privacy

B.

Maintainability

C.

Scalability

D.

Nonrepudiation

Buy Now
Questions 34

Which of the following BEST enables a benefits realization process for a system development project?

Options:

A.

Metrics for the project have been selected before the project begins.

B.

Project budget includes costs to execute the project and costs associated with the solution.

C.

Estimates of business benefits are backed by similar previously completed projects.

D.

Metrics are evaluated immediately after the project has been implemented.

Buy Now
Questions 35

What is the PRIMARY reason for an organization to classify the data stored on its internal networks?

Options:

A.

To determine data retention policy

B.

To implement data protection requirements

C.

To comply with the organization's data policies

D.

To follow industry best practices

Buy Now
Questions 36

During an audit, the IS auditor finds that in many cases excessive rights were not removed from a system. Which of the following is the auditor's BEST recommendation?

Options:

A.

System administrators should ensure consistency of assigned rights.

B.

IT security should regularly revoke excessive system rights.

C.

Human resources (HR) should delete access rights of terminated employees.

D.

Line management should regularly review and request modification of access rights

Buy Now
Questions 37

An IS auditor is assigned to perform a post-implementation review of an application system. Which of the following would impair the auditor's independence?

Options:

A.

The auditor implemented a specific control during the development of the system.

B.

The auditor provided advice concerning best practices.

C.

The auditor participated as a member of the project team without operational responsibilities

D.

The auditor designed an embedded audit module exclusively for audit

Buy Now
Questions 38

A bank wants to outsource a system to a cloud provider residing in another country. Which of the following would be the MOST appropriate IS audit recommendation?

Options:

A.

Find an alternative provider in the bank's home country.

B.

Ensure the provider's internal control system meets bank requirements.

C.

Proceed as intended, as the provider has to observe all laws of the clients’ countries.

D.

Ensure the provider has disaster recovery capability.

Buy Now
Questions 39

When developing customer-facing IT applications, in which stage of the system development life cycle (SDLC) is it MOST beneficial to consider data privacy principles?

Options:

A.

Systems design and architecture

B.

Software selection and acquisition

C.

User acceptance testing (UAT)

D.

Requirements definition

Buy Now
Questions 40

An IS audit review identifies inconsistencies in privacy requirements across third-party service provider contracts. Which of the following is the BEST

recommendation to address this situation?

Options:

A.

Suspend contracts with third-party providers that handle sensitive data.

B.

Prioritize contract amendments for third-party providers.

C.

Review privacy requirements when contracts come up for renewal.

D.

Require third-party providers to sign nondisclosure agreements (NDAs).

Buy Now
Questions 41

Compared to developing a system in-house, acquiring a software package means that the need for testing by end users is:

Options:

A.

eliminated

B.

unchanged

C.

increased

D.

reduced

Buy Now
Questions 42

An IS audit manager is reviewing workpapers for a recently completed audit of the corporate disaster recovery test. Which of the following should the IS audit manager specifically review to substantiate the conclusions?

Options:

A.

Overviews of interviews between data center personnel and the auditor

B.

Prior audit reports involving other corporate disaster recovery audits

C.

Summary memos reflecting audit opinions regarding noted weaknesses

D.

Detailed evidence of the successes and weaknesses of all contingency testing

Buy Now
Questions 43

An IS auditor is providing input to an RFP to acquire a financial application system. Which of the following is MOST important for the auditor to recommend?

Options:

A.

The application should meet the organization's requirements.

B.

Audit trails should be included in the design.

C.

Potential suppliers should have experience in the relevant area.

D.

Vendor employee background checks should be conducted regularly.

Buy Now
Questions 44

Which of the following provides the GREATEST assurance that a middleware application compiling data from multiple sales transaction databases for forecasting is operating effectively?

Options:

A.

Continuous auditing

B.

Manual checks

C.

Exception reporting

D.

Automated reconciliations

Buy Now
Questions 45

An IS auditor is reviewing a client's outsourced payroll system to assess whether the financial audit team can rely on the application. Which of the following findings would be the auditor's

GREATEST concern?

Options:

A.

User access rights have not been periodically reviewed by the client.

B.

Payroll processing costs have not been included in the IT budget.

C.

The third-party contract has not been reviewed by the legal department.

D.

The third-party contract does not comply with the vendor management policy.

Buy Now
Questions 46

Which of the following would present the GREATEST concern during a review of internal audit quality assurance (QA) and continuous improvement processes?

Options:

A.

The audit program does not involve periodic engagement with external assessors.

B.

Quarterly reports are not distributed to the audit committee.

C.

Results of corrective actions are not tracked consistently.

D.

Substantive testing is not performed during the assessment phase of some audits.

Buy Now
Questions 47

Which of the following is the MOST important responsibility of data owners when implementing a data classification process?

Options:

A.

Reviewing emergency changes to data

B.

Authorizing application code changes

C.

Determining appropriate user access levels

D.

Implementing access rules over database tables

Buy Now
Questions 48

Which of the following findings would be of GREATEST concern to an IS auditor assessing an organization's patch management process?

Options:

A.

The organization's software inventory is not complete.

B.

Applications frequently need to be rebooted for patches to take effect.

C.

Software vendors are bundling patches.

D.

Testing patches takes significant time.

Buy Now
Questions 49

Which of the following is the PRIMARY benefit of a tabletop exercise for an incident response plan?

Options:

A.

It demonstrates the maturity of the incident response program.

B.

It reduces the likelihood of an incident occurring.

C.

It identifies deficiencies in the operating environment.

D.

It increases confidence in the team's response readiness.

Buy Now
Questions 50

Which of the following would minimize the risk of losing transactions as a result of a disaster?

Options:

A.

Sending a copy of the transaction logs to offsite storage on a daily basis

B.

Storing a copy of the transaction logs onsite in a fireproof vault

C.

Encrypting a copy of the transaction logs and store on a local server

D.

Signing a copy of the transaction logs and store on a local server

Buy Now
Questions 51

Which of the following is the BEST way for an IS auditor to assess the design of an automated application control?

Options:

A.

Interview the application developer.

B.

Obtain management attestation and sign-off.

C.

Review the application implementation documents.

D.

Review system configuration parameters and output.

Buy Now
Questions 52

During an operational audit on the procurement department, the audit team encounters a key system that uses an artificial intelligence (Al) algorithm. The audit team does not have the necessary knowledge to proceed with the audit. Which of the following is the BEST way to handle this situation?

Options:

A.

Perform a skills assessment to identify members from other business units with knowledge of Al.

B.

Remove the Al portion from the audit scope and proceed with the audit.

C.

Delay the audit until the team receives training on Al.

D.

Engage external consultants who have audit experience and knowledge of Al.

Buy Now
Questions 53

A small business unit is implementing a control self-assessment (CSA) program and leveraging the internal

audit function to test its internal controls annually. Which of the following is the MOST significant benefit of

this approach?

Options:

A.

Compliance costs are reduced.

B.

Risks are detected earlier.

C.

Business owners can focus more on their core roles.

D.

Line management is more motivated to avoid control exceptions.

Buy Now
Questions 54

When planning an internal penetration test, which of the following is the MOST important step prior to finalizing the scope of testing?

Options:

A.

Ensuring the scope of penetration testing is restricted to the test environment

B.

Obtaining management's consent to the testing scope in writing

C.

Notifying the IT security department regarding the testing scope

D.

Agreeing on systems to be excluded from the testing scope with the IT department

Buy Now
Questions 55

An IS audit reveals that an organization operating in business continuity mode during a pandemic situation has not performed a simulation test of the

business continuity plan (BCP). Which of the following is the auditor's BEST course of action?

Options:

A.

Confirm the BCP has been recently updated.

B.

Review the effectiveness of the business response.

C.

Raise an audit issue for the lack of simulated testing.

D.

Interview staff members to obtain commentary on the BCP's effectiveness.

Buy Now
Questions 56

An IS auditor is reviewing the service agreement with a technology company that provides IT help desk services to the organization. Which of the following monthly performance

metrics is the BEST indicator of service quality?

Options:

A.

The total number of users requesting help desk services

B.

The average call waiting time on each request

C.

The percent of issues resolved by the first contact

D.

The average turnaround time spent on each reported issue

Buy Now
Questions 57

Which of the following should be of GREATEST concern to an IS auditor reviewing an organization's business continuity plan (BCP)?

Options:

A.

The BCP's contact information needs to be updated

B.

The BCP is not version controlled.

C.

The BCP has not been approved by senior management.

D.

The BCP has not been tested since it was first issued.

Buy Now
Questions 58

Which of the following would the IS auditor MOST likely review to determine whether modifications to the operating system parameters were authorized?

Options:

A.

Documentation of exit routines

B.

System initialization logs

C.

Change control log

D.

Security system parameters

Buy Now
Questions 59

Which of the following issues associated with a data center's closed-circuit television (CCTV) surveillance cameras should be of MOST concern to an IS auditor?

Options:

A.

CCTV recordings are not regularly reviewed.

B.

CCTV cameras are not installed in break rooms

C.

CCTV records are deleted after one year.

D.

CCTV footage is not recorded 24 x 7.

Buy Now
Questions 60

Which of the following is the PRIMARY reason for an IS auditor to perform a risk assessment?

Options:

A.

It helps to identify areas with a relatively high probability of material problems.

B.

It provides a basis for the formulation of corrective action plans.

C.

It increases awareness of the types of management actions that may be inappropriate

D.

It helps to identify areas that are most sensitive to fraudulent or inaccurate practices

Buy Now
Questions 61

Which of the following is the MOST important area of focus for an IS auditor when developing a risk-based audit strategy?

Options:

A.

Critical business applications

B.

Business processes

C.

Existing IT controls

D.

Recent audit results

Buy Now
Questions 62

When a data center is attempting to restore computing facilities at an alternative site following a disaster, which of the following should be restored FIRST?

Options:

A.

Data backups

B.

Decision support system

C.

Operating system

D.

Applications

Buy Now
Questions 63

An IS auditor should be MOST concerned if which of the following fire suppression systems is utilized to protect an asset storage closet?

Options:

A.

Deluge system

B.

Wet pipe system

C.

Preaction system

D.

CO2 system

Buy Now
Questions 64

When planning a follow-up, the IS auditor is informed by operational management that recent organizational changes have addressed the previously identified risk and implementing the action plan is no longer necessary. What should the auditor do NEXT?

Options:

A.

Report that the changes make it impractical to determine whether the risks have been addressed.

B.

Accept management's assertion and report that the risks have been addressed.

C.

Determine whether the changes have introduced new risks that need to be addressed.

D.

Review the changes and determine whether the risks have been addressed.

Buy Now
Questions 65

During a review of system access, an IS auditor notes that an employee who has recently changed roles within the organization still has previous access rights. The auditor's NEXT step should be to:

Options:

A.

recommend a control to automatically update access rights.

B.

determine the reason why access rights have not been revoked.

C.

direct management to revoke current access rights.

D.

determine if access rights are in violation of software licenses.

Buy Now
Questions 66

An IS auditor discovers a box of hard drives in a secured location that are overdue for physical destruction. The vendor responsible for this task was never made aware of these hard drives.

Which of the following is the BEST course of action to address this issue?

Options:

A.

Examine the workflow to identify gaps in asset-handling responsibilities.

B.

Escalate the finding to the asset owner for remediation.

C.

Recommend the drives be sent to the vendor for destruction.

D.

Evaluate the corporate asset-handling policy for potential gaps.

Buy Now
Questions 67

Which of the following is MOST important during software license audits?

Options:

A.

Judgmental sampling

B.

Substantive testing

C.

Compliance testing

D.

Stop-or-go sampling

Buy Now
Questions 68

Which of the following would be an auditor's GREATEST concern when reviewing data inputs from spreadsheets into the core finance system?

Options:

A.

Undocumented code formats data and transmits directly to the database.

B.

There is not a complete inventory of spreadsheets, and file naming is inconsistent.

C.

The department data protection policy has not been reviewed or updated for two years.

D.

Spreadsheets are accessible by all members of the finance department.

Buy Now
Questions 69

Which of the following areas of responsibility would cause the GREATEST segregation of duties conflict if the individual who performs the related tasks also has approval authority?

Options:

A.

Purchase requisitions and purchase orders

B.

Invoices and reconciliations

C.

Vendor selection and statements of work

D.

Good receipts and payments

Buy Now
Questions 70

During a security audit, an IS auditor is tasked with reviewing log entries obtained from an enterprise intrusion prevention system (IPS). Which type of risk would be associated with the potential for the auditor to miss a sequence of logged events that could indicate an error in the IPS configuration?

Options:

A.

Sampling risk

B.

Detection risk

C.

Control risk

D.

Inherent risk

Buy Now
Questions 71

An organization's security team created a simulated production environment with multiple vulnerable applications. What would be the PRIMARY purpose of creating such an environment?

Options:

A.

To collect digital evidence of cyberattacks

B.

To attract attackers in order to study their behavior

C.

To provide training to security managers

D.

To test the intrusion detection system (IDS)

Buy Now
Questions 72

Which of the following metrics is the BEST indicator of the performance of a web application

Options:

A.

HTTP server error rate

B.

Server thread count

C.

Average response time

D.

Server uptime

Buy Now
Questions 73

The FIRST step in an incident response plan is to:

Options:

A.

validate the incident.

B.

notify the head of the IT department.

C.

isolate systems impacted by the incident.

D.

initiate root cause analysis.

Buy Now
Questions 74

Which of the following is MOST critical for the effective implementation of IT governance?

Options:

A.

Strong risk management practices

B.

Internal auditor commitment

C.

Supportive corporate culture

D.

Documented policies

Buy Now
Questions 75

Which of the following would BEST guide an IS auditor when determining an appropriate time to schedule the follow-up of agreed corrective actions for reported audit issues?

Options:

A.

Progress updates indicate that the implementation of agreed actions is on track.

B.

Sufficient time has elapsed since implementation to provide evidence of control operation.

C.

Business management has completed the implementation of agreed actions on schedule.

D.

Regulators have announced a timeline for an inspection visit.

Buy Now
Questions 76

What is the GREATEST concern for an IS auditor reviewing contracts for licensed software that executes a critical business process?

Options:

A.

The contract does not contain a right-to-audit clause.

B.

An operational level agreement (OLA) was not negotiated.

C.

Several vendor deliverables missed the commitment date.

D.

Software escrow was not negotiated.

Buy Now
Questions 77

An organization has virtualized its server environment without making any other changes to the network or security infrastructure. Which of the following is the MOST significant risk?

Options:

A.

Inability of the network intrusion detection system (IDS) to monitor virtual server-lo-server communications

B.

Vulnerability in the virtualization platform affecting multiple hosts

C.

Data center environmental controls not aligning with new configuration

D.

System documentation not being updated to reflect changes in the environment

Buy Now
Questions 78

An IS auditor finds that capacity management for a key system is being performed by IT with no input from the business The auditor's PRIMARY concern would be:

Options:

A.

failure to maximize the use of equipment

B.

unanticipated increase in business s capacity needs.

C.

cost of excessive data center storage capacity

D.

impact to future business project funding.

Buy Now
Questions 79

Which task should an IS auditor complete FIRST during the preliminary planning phase of a database security review?

Options:

A.

Perform a business impact analysis (BIA).

B.

Determine which databases will be in scope.

C.

Identify the most critical database controls.

D.

Evaluate the types of databases being used

Buy Now
Questions 80

During a disaster recovery audit, an IS auditor finds that a business impact analysis (BIA) has not been performed. The auditor should FIRST

Options:

A.

perform a business impact analysis (BIA).

B.

issue an intermediate report to management.

C.

evaluate the impact on current disaster recovery capability.

D.

conduct additional compliance testing.

Buy Now
Questions 81

Which of the following presents the GREATEST risk of data leakage in the cloud environment?

Options:

A.

Lack of data retention policy

B.

Multi-tenancy within the same database

C.

Lack of role-based access

D.

Expiration of security certificate

Buy Now
Questions 82

An IS auditor found that a company executive is encouraging employee use of social networking sites for business purposes. Which of the following recommendations would BEST help to reduce the risk of data leakage?

Options:

A.

Requiring policy acknowledgment and nondisclosure agreements signed by employees

B.

Providing education and guidelines to employees on use of social networking sites

C.

Establishing strong access controls on confidential data

D.

Monitoring employees' social networking usage

Buy Now
Questions 83

Which of the following is MOST critical to the success of an information security program?

Options:

A.

Alignment of information security with IT objectives

B.

Management’s commitment to information security

C.

Integration of business and information security

D.

User accountability for information security

Buy Now
Questions 84

Which of the following is the MOST important reason for an IS auditor to examine the results of a post-incident review performed after a security incident?

Options:

A.

To evaluate the effectiveness of continuous improvement efforts

B.

To compare incident response metrics with industry benchmarks

C.

To re-analyze the incident to identify any hidden backdoors planted by the attacker

D.

To evaluate the effectiveness of the network firewall against future security breaches

Buy Now
Questions 85

An IS auditor should look for which of the following to ensure the risk associated with scope creep has been mitigated during software development?

Options:

A.

Source code version control

B.

Project change management controls

C.

Existence of an architecture review board

D.

Configuration management

Buy Now
Questions 86

When reviewing an IT strategic plan, the GREATEST concern would be that

Options:

A.

an IT strategy committee has not been created

B.

the plan does not support relevant organizational goals.

C.

there are no key performance indicators (KPls).

D.

the plan was not formally approved by the board of directors

Buy Now
Questions 87

Which of the following would be MOST effective in detecting the presence of an unauthorized wireless access point on an internal network?

Options:

A.

Continuous network monitoring

B.

Periodic network vulnerability assessments

C.

Review of electronic access logs

D.

Physical security reviews

Buy Now
Questions 88

Which of the following provides the BEST evidence that IT portfolio management is aligned with organizational strategies?

Options:

A.

Finance committee minutes that include approval for the annual IT budget

B.

Project sponsor sign-off on all project documents from beginning to end

C.

IT steering committee minutes that include approval for prioritization of IT projects

D.

Project sponsor sign-off on IT project proposals and milestones

Buy Now
Questions 89

Which of the following controls is the BEST recommendation to prevent the skimming of debit or credit card data in point of sale (POS) systems?

Options:

A.

Encryption

B.

Chip and PIN

C.

Hashing

D.

Biometric authentication

Buy Now
Questions 90

Which of the following is the MOST important regulatory consideration for an organization determining whether to use its customer data to train AI algorithms?

Options:

A.

Documentation of AI algorithm accuracy during the training process

B.

Ethical and optimal utilization of data computing resources

C.

Collection of data and obtaining data subject consent

D.

Continuous monitoring of AI algorithm performance

Buy Now
Questions 91

Which of the following is MOST important to consider when determining the usefulness of audit evidence?

Options:

A.

Timing of the evidence

B.

Nature of evidence gathered

C.

Overall objectives of the review

D.

Competence of the IS auditor

Buy Now
Questions 92

An IS auditor is reviewing an organizations release management practices and observes inconsistent and inaccurate estimation of the size and complexity of business application development projects. Which of the following should the auditor recommend to address this issue?

Options:

A.

Critical path methodology

B.

Agile development approach

C.

Function point analysis

D.

Rapid application development

Buy Now
Questions 93

Which of the following should be of MOST concern to an IS auditor reviewing an organization's operational log management?

Options:

A.

Log file size has grown year over year.

B.

Critical events are being logged to immutable log files.

C.

Applications are logging events into multiple log files.

D.

Data formats have not been standardized across all logs.

Buy Now
Questions 94

Which of the following BEST facilitates the successful implementation of IT performance monitoring?

Options:

A.

Determining goals for IT resources and processes

B.

Identifying tools to automate performance measurement

C.

Establishing templates for periodic reporting to management

D.

Adopting global standards and measurement norms

Buy Now
Questions 95

Which of the following is the PRIMARY purpose of a business impact analysts (BIA) in an organization's overall risk management strategy?

Options:

A.

Evaluating business investment opportunities for the organization

B.

Identifying critical business processes to effectively prioritize recovery efforts

C.

Ensuring compliance with regulations through regular audits

D.

Conducting vulnerability assessments to enhance network security measures

Buy Now
Questions 96

In an area susceptible to unexpected increases in electrical power, which of the following would MOST effectively protect the system?

Options:

A.

Generator

B.

Voltage regulator

C.

Circuit breaker

D.

Alternate power supply line

Buy Now
Questions 97

During the planning phase of a data loss prevention (DLP) audit, management expresses a concern about mobile computing. Which of the following should the IS auditor identify as the

associated risk?

Options:

A.

Increased vulnerability due to anytime, anywhere accessibility

B.

Increased need for user awareness training

C.

The use of the cloud negatively impacting IT availability

D.

Lack of governance and oversight for IT infrastructure and applications

Buy Now
Questions 98

During recent post-implementation reviews, an IS auditor has noted that several deployed applications are not being used by the business. The MOST likely cause would be the lack of:

Options:

A.

IT portfolio management.

B.

IT resource management.

C.

system support documentation.

D.

change management.

Buy Now
Questions 99

Which of the following findings should be of GREATEST concern to an IS auditor performing a review of IT operations?

Options:

A.

The job scheduler application has not been designed to display pop-up error messages.

B.

Access to the job scheduler application has not been restricted to a maximum of two staff members

C.

Operations shift turnover logs are not utilized to coordinate and control the processing environment

D.

Changes to the job scheduler application's parameters are not approved and reviewed by an operations supervisor

Buy Now
Questions 100

Which of the following is the BEST reason for an organization to use clustering?

Options:

A.

To decrease system response time

B.

To Improve the recovery lime objective (RTO)

C.

To facilitate faster backups

D.

To improve system resiliency

Buy Now
Questions 101

The PRIMARY role of a control self-assessment (CSA) facilitator is to:

Options:

A.

conduct interviews to gain background information.

B.

focus the team on internal controls.

C.

report on the internal control weaknesses.

D.

provide solutions for control weaknesses.

Buy Now
Questions 102

Which of the following would be of GREATEST concern when reviewing an organization's security information and event management (SIEM) solution?

Options:

A.

SIEM reporting is customized.

B.

SIEM configuration is reviewed annually

C.

The SIEM is decentralized.

D.

SIEM reporting is ad hoc.

Buy Now
Questions 103

What is the PRIMARY benefit of an audit approach which requires reported findings to be issued together with related action plans, owners, and target dates?

Options:

A.

it facilitates easier audit follow-up

B.

it enforces action plan consensus between auditors and auditees

C.

it establishes accountability for the action plans

D.

it helps to ensure factual accuracy of findings

Buy Now
Questions 104

Which of the following is the BEST way to enforce the principle of least privilege on a server containing data with different security classifications?

Options:

A.

Limiting access to the data files based on frequency of use

B.

Obtaining formal agreement by users to comply with the data classification policy

C.

Applying access controls determined by the data owner

D.

Using scripted access control lists to prevent unauthorized access to the server

Buy Now
Questions 105

Which of the following is the PRIMARY purpose of batch processing monitoring?

Options:

A.

To comply with security standards

B.

To summarize the batch processing reporting

C.

To log error events in batch processing

D.

To prevent an incident that may result from batch failure

Buy Now
Questions 106

Which of the following is the MOST effective way for an organization to help ensure agreed-upon action plans from an IS audit will be implemented?

Options:

A.

Ensure sufficient audit resources are allocated,

B.

Communicate audit results organization-wide.

C.

Ensure ownership is assigned.

D.

Test corrective actions upon completion.

Buy Now
Questions 107

The MOST effective way to reduce sampling risk is to increase:

Options:

A.

confidence interval.

B.

population.

C.

audit sampling training.

D.

sample size.

Buy Now
Questions 108

IT management has accepted the risk associated with an IS auditor's finding due to the cost and complexity of the corrective actions. Which of the following should be the auditor's NEXT course of action?

Options:

A.

Perform a cost-benefit analysis.

B.

Document and inform the audit committee.

C.

Report the finding to external regulators.

D.

Notify senior management.

Buy Now
Questions 109

Which of the following presents the GREATEST risk to an organization's ability to manage quality control (QC) processes?

Options:

A.

Lack of segregation of duties

B.

Lack of a dedicated QC function

C.

Lack of policies and procedures

D.

Lack of formal training and attestation

Buy Now
Questions 110

Which of the following applications should an IS auditor consider to be the HIGHEST priority when reviewing disaster recovery planning (DRP) tests for an commerce company?

Options:

A.

An application for IT performance monitoring

B.

An application for HR management

C.

An application for financial management

D.

An application for traffic load balancing

Buy Now
Questions 111

Which of the following is MOST important to ensure that electronic evidence collected during a forensic investigation will be admissible in future legal proceedings?

Options:

A.

Restricting evidence access to professionally certified forensic investigators

B.

Documenting evidence handling by personnel throughout the forensic investigation

C.

Performing investigative procedures on the original hard drives rather than images of the hard drives

D.

Engaging an independent third party to perform the forensic investigation

Buy Now
Questions 112

Which of the following is the BEST reason to implement a data retention policy?

Options:

A.

To limit the liability associated with storing and protecting information

B.

To document business objectives for processing data within the organization

C.

To assign responsibility and ownership for data protection outside IT

D.

To establish a recovery point detective (RPO) for (toaster recovery procedures

Buy Now
Questions 113

Which of the following is the BEST metric to measure the alignment of IT and business strategy?

Options:

A.

Level of stakeholder satisfaction with the scope of planned IT projects

B.

Percentage of enterprise risk assessments that include IT-related risk

C.

Percentage of stat satisfied with their IT-related roles

D.

Frequency of business process capability maturity assessments

Buy Now
Questions 114

Which of the following should be the IS auditor's PRIMARY focus, when evaluating an organization's offsite storage facility?

Options:

A.

Shared facilities

B.

Adequacy of physical and environmental controls

C.

Results of business continuity plan (BCP) test

D.

Retention policy and period

Buy Now
Questions 115

As part of an audit response, an auditee has concerns with the recommendations and is hesitant to implement them. Which of the following is the BEST course of action for the IS auditor?

Options:

A.

Accept the auditee's response and perform additional testing.

B.

Suggest hiring a third-party consultant to perform a current state assessment.

C.

Conduct further discussions with the auditee to develop a mitigation plan.

D.

Issue a final report without including the opinion of the auditee.

Buy Now
Questions 116

Which of the following is necessary for effective risk management in IT governance?

Options:

A.

Local managers are solely responsible for risk evaluation.

B.

IT risk management is separate from corporate risk management.

C.

Risk management strategy is approved by the audit committee.

D.

Risk evaluation is embedded in management processes.

Buy Now
Questions 117

Which of the following is the GREATEST risk associated with lack of IT involvement in the organization's strategic planning initiatives?

Options:

A.

Business strategies may not align with IT capabilities.

B.

Business strategies may not consider emerging technologies.

C.

IT strategies may not align with business strategies.

D.

IT strategic goals may not be considered by the business.

Buy Now
Questions 118

Which of the following should be of GREATEST concern for an IS auditor reviewing an organization's disaster recovery plan (DRP)?

Options:

A.

The DRP has not been formally approved by senior management.

B.

The DRP has not been distributed to end users.

C.

The DRP has not been updated since an IT infrastructure upgrade.

D.

The DRP contains recovery procedures for critical servers only.

Buy Now
Questions 119

Which of the following is the PRIMARY advantage of using visualization technology for corporate applications?

Options:

A.

Improved disaster recovery

B.

Better utilization of resources

C.

Stronger data security

D.

Increased application performance

Buy Now
Questions 120

Based on best practices, which types of accounts should be disabled for interactive login?

Options:

A.

Local accounts

B.

Administrator accounts

C.

Console accounts

D.

Service accounts

Buy Now
Questions 121

Which of the following is the BEST review for an IS auditor to conduct when a vulnerability has been exploited by an employee?

Options:

A.

Compliance audit

B.

Application security testing

C.

Forensic audit

D.

Penetration testing

Buy Now
Questions 122

An organization with many desktop PCs is considering moving to a thin client architecture. Which of the following is the MAJOR advantage?

Options:

A.

The security of the desktop PC is enhanced.

B.

Administrative security can be provided for the client.

C.

Desktop application software will never have to be upgraded.

D.

System administration can be better managed

Buy Now
Questions 123

Which of the following is the BEST way to foster continuous improvement of IS audit processes and practices?

Options:

A.

Invite external auditors and regulators to perform regular assessments of the IS audit function.

B.

Implement rigorous managerial review and sign-off of IS audit deliverables.

C.

Frequently review IS audit policies, procedures, and instruction manuals.

D.

Establish and embed quality assurance (QA) within the IS audit function.

Buy Now
Questions 124

An IS auditor has validated that an organization's IT department runs several low-priority automated tasks Which of the following is the BEST recommendation for an automated job schedule?

Options:

A.

Low-priority jobs should be avoided.

B.

Low-priority jobs should include the major functions.

C.

Low-priority jobs should be provided with optimal resources.

D.

Low-priority jobs should be scheduled subject to resource availability.

Buy Now
Questions 125

An IS auditor is reviewing the operational database management of an organization that uses cloud systems for hosting. Which of the following should be the auditor's PRIMARY area of focus?

Options:

A.

Cloud vendor security certifications

B.

Auto-scaling of provisioning costs

C.

Security settings configuration

D.

Large-scale data transfers

Buy Now
Questions 126

Which of the following BEST describes the role of the IS auditor in a control self-assessment (CSA)?

Options:

A.

Implementer

B.

Facilitator

C.

Approver

D.

Reviewer

Buy Now
Questions 127

An IS auditor is reviewing a machine learning model that predicts the likelihood that a user will watch a certain movie. Which of the following would be of GREATEST concern to the auditor?

Options:

A.

When the model was tested with data drawn from a different population, the accuracy decreased.

B.

The data set for training the model was obtained from an unreliable source.

C.

An open-source programming language was used to develop the model.

D.

The model was tested with data drawn from the same population as the training data.

Buy Now
Questions 128

Which of the following presents the GREATEST risk associated with end-user computing (EUC) applica-tions over financial reporting?

Options:

A.

Inability to quickly modify and deploy a solution

B.

Lack of portability for users

C.

Loss of time due to manual processes

D.

Calculation errors in spreadsheets

Buy Now
Questions 129

An IS auditor is reviewing a medical device that is attached to a patient’s body, which automatically takes and uploads measurements to a cloud server. Treatment may be updated based on the measurements. Which of the following should be the auditor's PRIMARY focus?

Options:

A.

Physical access controls on the device

B.

Security and quality certification of the device

C.

Device identification and authentication

D.

Confirmation that the device is regularly updated

Buy Now
Questions 130

Which of the following is the GREATEST risk related to the use of virtualized environments?

Options:

A.

The host may be a potential single point of failure within the system.

B.

There may be insufficient processing capacity to assign to guests.

C.

There may be increased potential for session hijacking.

D.

Ability to change operating systems may be limited.

Buy Now
Questions 131

An IS auditor is assessing backup performance and observes that the system administrator manually initiates backups during unexpected peak usage. Which of the following is the auditor's BEST course of action?

Options:

A.

Review separation of duties documentation.

B.

Verify the load balancer configuration.

C.

Recommend using cloud-based backups.

D.

Inspect logs to verify timely execution of backups.

Buy Now
Questions 132

A hearth care organization utilizes Internet of Things (loT) devices to improve patient outcomes through real-time patient monitoring and advanced diagnostics. Which of the following would BEST assist in isolating these devices from corporate network traffic?

Options:

A.

Internal firewalls

B.

Blockchain technology

C.

Content filtering proxy

D.

Zero Trust architecture

Buy Now
Questions 133

What should be the PRIMARY focus during a review of a business process improvement project?

Options:

A.

Business project plan

B.

Continuous monitoring plans

C.

The cost of new controls

D.

Business impact

Buy Now
Questions 134

Which of the following is the GREATEST risk that could result from a contracted penetration tester attempting SQL injection techniques on the production system?

Options:

A.

The tester's access could be elevated.

B.

Events could be improperly logged.

C.

Sensitive data could be exfiltrated.

D.

Production data could be altered.

Buy Now
Questions 135

Following an IT audit, management has decided to accept the risk highlighted in the audit report. Which of the following would provide the MOST assurance to the IS auditor that management

is adequately balancing the needs of the business with the need to manage risk?

Options:

A.

A communication plan exists for informing parties impacted by the risk.

B.

Potential impact and likelihood are adequately documented.

C.

Identified risk is reported into the organization's risk committee.

D.

Established criteria exist for accepting and approving risk.

Buy Now
Questions 136

Which of the following parameters reflects the risk threshold for an organization experiencing a service disruption?

Options:

A.

Maximum tolerable outage (MTO)

B.

Recovery point objective (RPO)

C.

Service delivery objective (SDO)

D.

Allowable interruption window (AIW)

Buy Now
Questions 137

Which of the following user actions poses the GREATEST risk for inadvertently introducing malware into a local network?

Options:

A.

Uploading a file onto an internal server

B.

Viewing a hypertext markup language (HTML) document

C.

Downloading a file from an enterprise file share

D.

Opening an email attachment from an external account

Buy Now
Questions 138

Which of the following would be MOST effective to protect information assets in a data center from theft by a vendor?

Options:

A.

Monitor and restrict vendor activities

B.

Issues an access card to the vendor.

C.

Conceal data devices and information labels

D.

Restrict use of portable and wireless devices.

Buy Now
Questions 139

Which of the following would be of GREATEST concern to an IS auditor reviewing the feasibility study for a new application system?

Options:

A.

Security requirements have not been defined.

B.

Conditions under which the system will operate are unclear.

C.

The business case does not include well-defined strategic benefits.

D.

System requirements and expectations have not been clarified.

Buy Now
Questions 140

Which of the following is MOST important to the effectiveness of smoke detectors installed in a data processing facility?

Options:

A.

Detectors trigger audible alarms when activated.

B.

Detectors have the correct industry certification.

C.

Detectors are linked to dry pipe fire suppression systems.

D.

Detectors are linked to wet pipe fire suppression systems.

Buy Now
Questions 141

Which of the following is the MOST important success factor for implementing a data loss prevention (DLP) tool?

Options:

A.

Implementing the tool in monitor mode to avoid unnecessary blocking of communication

B.

Defining and configuring policies and tool rule sets to monitor sensitive data movement

C.

Testing the tool in a test environment before moving to the production environment

D.

Assigning responsibilities for maintaining the tool to applicable data owners and stakeholders

Buy Now
Questions 142

Which of the following should an IS auditor recommend be done FIRST when an organization is planning to implement an IT compliance program?

Options:

A.

Identify staff training needs related to compliance requirements.

B.

Analyze historical compliance-related audit findings.

C.

Research and purchase an industry-recognized IT compliance tool

D.

Identify applicable laws, regulations, and standards.

Buy Now
Questions 143

During which process is regression testing MOST commonly used?

Options:

A.

System modification

B.

Unit testing

C.

Stress testing

D.

Program development

Buy Now
Questions 144

Which of the following should be of GREATEST concern to an IS auditor when using data analytics?

Options:

A.

The data source lacks integrity.

B.

The data analytics software is open source.

C.

The data set contains irrelevant fields.

D.

The data was not extracted by the auditor.

Buy Now
Questions 145

Which of the following would be the GREATEST concern for an IS auditor conducting a pre-implementation review of a data loss prevention (DLP> tool?

Options:

A.

The tool is implemented in monitor mode rather than block mode.

B.

Crawlers are used to discover sensitive data.

C.

Deep packet inspection opens data packets in transit.

D.

Encryption keys are not centrally managed.

Buy Now
Questions 146

Which of the following is the BEST control to mitigate the risk of shadow IT?

Options:

A.

Intrusion detection system (IDS)

B.

Vendor management reviews

C.

Vulnerability scanning

D.

Security awareness training

Buy Now
Questions 147

An organization has replaced its call center with Al chatbots that autonomously learn new responses through internet queries and customer conversation history. Which of the following would an IS auditor tasked with verifying IT controls consider to be the GREATEST risk?

Options:

A.

The model may not result in expected efficiencies.

B.

The model's operations may be difficult for the IT team to document.

C.

The model may not generate accurate responses due to overfitting.

D.

It may be difficult to audit the model due to the lack of a suitable framework.

Buy Now
Questions 148

Which of the following is the MAIN objective of enterprise architecture (EA) governance?

Options:

A.

To ensure new processes and technologies harmonize with existing processes

B.

To ensure the EA can adapt to emerging technology trends

C.

To ensure the EA is compliant with local laws and regulations

D.

To ensure new initiatives produce an acceptable return on investment (ROI)

Buy Now
Questions 149

An organization offers an e-commerce platform that allows consumer-to-consumer transactions. The platform now uses blockchain technology to ensure the parties are unable to deny the transactions. Which of the following attributes BEST describes the risk element that this technology is addressing?

Options:

A.

Integrity

B.

Nonrepudiation

C.

Confidentiality

D.

Availability

Buy Now
Questions 150

Which of the following is the BEST indication that a software development project is on track to meet its completion deadline?

Options:

A.

Technical specifications and development requirements have been agreed upon and formally recorded.

B.

Project plan due dates have been documented for each phase of the software development life cycle.

C.

Issues identified during user acceptance testing (UAT) have been addressed prior to the original implementation date.

D.

The planned software go-live date has been communicated in advance to end users and stakeholders.

Buy Now
Questions 151

Which of the following would be the GREATEST concern during a financial statement audit?

Options:

A.

A backup has not been identified for key approvers.

B.

System capacity has not been tested.

C.

The procedures for generating key reports have not been approved.

D.

The financial management system is cloud based.

Buy Now
Questions 152

An IS auditor finds ad hoc vulnerability scanning is in place with no clear alignment to the organization's wider security threat and vulnerability management program.

Which of the following would BEST enable the organization to work toward improvement in this area?

Options:

A.

Implementing security logging to enhance threat and vulnerability management

B.

Maintaining a catalog of vulnerabilities that may impact mission-critical systems

C.

Using a capability maturity model to identify a path to an optimized program

D.

Outsourcing the threat and vulnerability management function to a third party

Buy Now
Questions 153

Which type of threat can utilize a large group of automated social media accounts to steal data, send spam, or launch distributed denial of service (DDoS) attacks?

Options:

A.

Botnet attack

B.

Data mining

C.

Phishing attempt

D.

Malware sharing

Buy Now
Questions 154

An IS auditor is reviewing a network diagram. Which of the following would be the BEST location for placement of a firewall?

Options:

A.

Between each host and the local network switch/hub

B.

Between virtual local area networks (VLANs)

C.

Inside the demilitarized zone (DMZ)

D.

At borders of network segments with different security levels

Buy Now
Questions 155

Which of the following is MOST important to include in a business case for an IT-enabled investment?

Options:

A.

Business impact analysis (BIA)

B.

Cost-benefit analysis

C.

Security requirements

D.

Risk assessment

Buy Now
Questions 156

Which of the following is the MOST important privacy consideration for an organization that uses a cloud service provider to process customer data?

Options:

A.

Data privacy must be managed in accordance with the regulations applicable to the organization.

B.

Data privacy must be monitored in accordance with industry standards and best practices.

C.

No personal information may be transferred to the service provider without notifying the customer.

D.

Customer data transferred to the service provider must be reported to the regulatory authority.

Buy Now
Questions 157

To help determine whether a controls-reliant approach to auditing financial systems in a company should be used, which sequence of IS audit work is MOST appropriate?

Options:

A.

Review of the general IS controls followed by a review of the application controls

B.

Detailed examination of financial transactions followed by review of the general ledger

C.

Review of major financial applications followed by a review of IT governance processes

D.

Review of application controls followed by a test of key business process controls

Buy Now
Questions 158

When auditing the adequacy of a cooling system for a data center, which of the following is MOST important for the IS auditor to review?

Options:

A.

Environmental performance metrics

B.

Geographical location of the data center

C.

Disaster recovery plan (DRP) testing results

D.

Facilities maintenance records

Buy Now
Questions 159

An external audit firm was engaged to perform a validation and verification review for a systems implementation project. The IS auditor identifies that regression testing is not part of the project plan and was not performed by the systems implementation team. According to the team, the parallel testing being performed is sufficient, making regression testing unnecessary. What should be the auditor’s NEXT step?

Options:

A.

Evaluate the extent of the parallel testing being performed

B.

Recommend integration and stress testing be conducted by the systems implementation team

C.

Conclude that parallel testing is sufficient and regression testing is not needed

D.

Recommend regression testing be conducted by the systems implementation team

Buy Now
Questions 160

Which of the following should an IS auditor do FIRST when auditing a robotics process automation (RPA) implementation?

Options:

A.

Evaluate the overall solution architecture.

B.

Analyze the sequence of activities performed by the robot.

C.

Understand the business processes automated by the robot.

D.

Identity the credentials used by the robot and where they are stored.

Buy Now
Questions 161

Which of the following is the PRIMARY purpose of a rollback plan for a system change?

Options:

A.

To ensure steps exist to remove the change if necessary

B.

To ensure testing can be re-performed if required

C.

To ensure a backup exists before implementing a change

D.

To ensure the system change is effective

Buy Now
Questions 162

An IS auditor finds that a recently deployed application has a number of developers with inappropriate update access left over from the testing environment. Which of the following would have BEST prevented the update access from being migrated?

Options:

A.

Establishing a role-based matrix for provisioning users

B.

Re-assigning user access rights in the quality assurance (QA) environment

C.

Holding the application owner accountable for application security

D.

Including a step within the system development life cycle (SDLC) to clean up access prior to go-live

Buy Now
Questions 163

During which stage of the penetration test cycle does the tester utilize identified vulnerabilities to attempt to access the target system?

Options:

A.

Exfiltration

B.

Exploitation

C.

Reconnaissance

D.

Scanning

Buy Now
Questions 164

When drafting a disaster recovery strategy, what should be the MOST important outcome of a business impact analysis (BIA)?

Options:

A.

Establishing recovery point objectives (RPOs)

B.

Determining recovery priorities

C.

Establishing recovery time objectives (RTOs)

D.

Determining recovery costs

Buy Now
Questions 165

A current project to develop IT-based solutions will need additional funding to meet changes in business requirements. Who is BEST suited to obtain this additional funding?

Options:

A.

Project sponsor

B.

Project manager

C.

IT strategy committee

D.

Board of directors

Buy Now
Questions 166

An IS auditor is reviewing an artificial intelligence (Al) and expert system application. The system has produced several critical errors with severe impact. Which of the following should the IS auditor do NEXT to understand the cause of the errors?

Options:

A.

Review the decision-making logic built into the system.

B.

Interview the system owner.

C.

Understand the purpose and functionality of the system.

D.

Verify system adherence to corporate policy.

Buy Now
Questions 167

An IS auditor learns that an organization did not conduct any penetration testing over one internet-facing webpage prior to of the following is the auditor's BEST course of action?

Options:

A.

Revise IT security procedures to require penetration tests for internally developed services prior to deployment.

B.

Report a control deficiency, as no penetration test has been conducted and documented.

C.

Confirm whether vulnerability scanning was conducted after the webpage was deployed.

D.

Meet with IT and the information security team to determine why testing was not completed.

Buy Now
Questions 168

An organization is implementing a data loss prevention (DLP) system in response to a new regulatory requirement Reviewing. which of the following would be MOST helpful in evaluating the system's design?

Options:

A.

System manuals

B.

Enterprise architecture (EA)

C.

Historical record of data breaches

D.

Industry trends

Buy Now
Questions 169

An IS auditor is reviewing an organization that performs backups on local database servers every two weeks and does not have a formal policy to govern data backup and restoration procedures. Which of the following findings presents the GREATEST risk to the organization?

Options:

A.

Lack of offsite data backups

B.

Absence of a data backup policy

C.

Lack of periodic data restoration testing

D.

Insufficient data backup frequency

Buy Now
Questions 170

A finance department has a two-year project to upgrade the enterprise resource planning (ERP) system hosting the general ledger in year one the system version upgrade will be applied and in year two business processes will be updated to implement new system functionality. Which of the following should be the PRIMARY focus of an IS auditor reviewing the second year of the implementation'?

Options:

A.

Data migration

B.

Sociability testing

C.

User acceptance testing (UAT)

D.

Initial user access provisioning

Buy Now
Questions 171

During a follow-up audit, it was found that a complex security vulnerability of low risk was not resolved within the agreed-upon timeframe. IT has stated that the system with the identified vulnerability is being replaced and is expected to be fully functional in two months Which of the following is the BEST course of action?

Options:

A.

Require documentation that the finding will be addressed within the new system

B.

Schedule a meeting to discuss the issue with senior management

C.

Perform an ad hoc audit to determine if the vulnerability has been exploited

D.

Recommend the finding be resolved prior to implementing the new system

Buy Now
Questions 172

During an exit interview, senior management disagrees with some of me facts presented m the draft audit report and wants them removed from the report. Which of the following would be the auditor's BEST course of action?

Options:

A.

Revise the assessment based on senior management's objections.

B.

Escalate the issue to audit management.

C.

Finalize the draft audit report without changes.

D.

Gather evidence to analyze senior management's objections

Buy Now
Questions 173

An IS auditor finds that an organization's data loss prevention (DLP) system is configured to use vendor default settings to identify violations. The auditor's MAIN concern should be that:

Options:

A.

violation reports may not be reviewed in a timely manner.

B.

a significant number of false positive violations may be reported.

C.

violations may not be categorized according to the organization's risk profile.

D.

violation reports may not be retained according to the organization's risk profile.

Buy Now
Questions 174

Which of the following is the BEST audit procedure to determine whether a firewall is configured in compliance with the organization's security policy?

Options:

A.

Reviewing the parameter settings

B.

Reviewing the system log

C.

Interviewing the firewall administrator

D.

Reviewing the actual procedures

Buy Now
Questions 175

Which of the following is the MOST important reason to classify a disaster recovery plan (DRP) as confidential?

Options:

A.

Ensure compliance with the data classification policy.

B.

Protect the plan from unauthorized alteration.

C.

Comply with business continuity best practice.

D.

Reduce the risk of data leakage that could lead to an attack.

Buy Now
Questions 176

In an environment that automatically reports all program changes, which of the following is the MOST efficient way to detect unauthorized changes to production programs?

Options:

A.

Reviewing the last compile date of production programs

B.

Manually comparing code in production programs to controlled copies

C.

Periodically running and reviewing test data against production programs

D.

Verifying user management approval of modifications

Buy Now
Questions 177

An IS auditor is conducting a review of a data center. Which of the following observations could indicate an access control Issue?

Options:

A.

Security cameras deployed outside main entrance

B.

Antistatic mats deployed at the computer room entrance

C.

Muddy footprints directly inside the emergency exit

D.

Fencing around facility is two meters high

Buy Now
Questions 178

In an online application, which of the following would provide the MOST information about the transaction audit trail?

Options:

A.

System/process flowchart

B.

File layouts

C.

Data architecture

D.

Source code documentation

Buy Now
Questions 179

The IS auditor has recommended that management test a new system before using it in production mode. The BEST approach for management in developing a test plan is to use processing parameters that are:

Options:

A.

randomly selected by a test generator.

B.

provided by the vendor of the application.

C.

randomly selected by the user.

D.

simulated by production entities and customers.

Buy Now
Questions 180

Which of the following is an example of a preventative control in an accounts payable system?

Options:

A.

The system only allows payments to vendors who are included In the system's master vendor list.

B.

Backups of the system and its data are performed on a nightly basis and tested periodically.

C.

The system produces daily payment summary reports that staff use to compare against invoice totals.

D.

Policies and procedures are clearly communicated to all members of the accounts payable department

Buy Now
Questions 181

Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system. Which of the following is the IS auditor's BEST recommendation for a compensating control?

Options:

A.

Require written authorization for all payment transactions

B.

Restrict payment authorization to senior staff members.

C.

Reconcile payment transactions with invoices.

D.

Review payment transaction history

Buy Now
Questions 182

An IS auditor has been asked to audit the proposed acquisition of new computer hardware. The auditor’s PRIMARY concern Is that:

Options:

A.

the implementation plan meets user requirements.

B.

a full, visible audit trail will be Included.

C.

a dear business case has been established.

D.

the new hardware meets established security standards

Buy Now
Questions 183

Which of the following would BEST manage the risk of changes in requirements after the analysis phase of a business application development project?

Options:

A.

Expected deliverables meeting project deadlines

B.

Sign-off from the IT team

C.

Ongoing participation by relevant stakeholders

D.

Quality assurance (OA) review

Buy Now
Questions 184

A now regulation requires organizations to report significant security incidents to the regulator within 24 hours of identification. Which of the following is the IS auditor’s BEST recommendation to facilitate compliance with the regulation?

Options:

A.

Establish key performance indicators (KPls) for timely identification of security incidents.

B.

Engage an external security incident response expert for incident handling.

C.

Enhance the alert functionality of the intrusion detection system (IDS).

D.

Include the requirement in the incident management response plan.

Buy Now
Questions 185

Which of the following is the GREATEST security risk associated with data migration from a legacy human resources (HR) system to a cloud-based system?

Options:

A.

Data from the source and target system may be intercepted.

B.

Data from the source and target system may have different data formats.

C.

Records past their retention period may not be migrated to the new system.

D.

System performance may be impacted by the migration

Buy Now
Questions 186

A project team has decided to switch to an agile approach to develop a replacement for an existing business application. Which of the following should an IS auditor do FIRST to ensure the effectiveness of the protect audit?

Options:

A.

Compare the agile process with previous methodology.

B.

Identify and assess existing agile process control

C.

Understand the specific agile methodology that will be followed.

D.

Interview business process owners to compile a list of business requirements

Buy Now
Questions 187

Which of the following provides the MOST assurance over the completeness and accuracy ol loan application processing with respect to the implementation of a new system?

Options:

A.

Comparing code between old and new systems

B.

Running historical transactions through the new system

C.

Reviewing quality assurance (QA) procedures

D.

Loading balance and transaction data to the new system

Buy Now
Questions 188

Which of the following security risks can be reduced by a property configured network firewall?

Options:

A.

SQL injection attacks

B.

Denial of service (DoS) attacks

C.

Phishing attacks

D.

Insider attacks

Buy Now
Questions 189

Which of the following Is the BEST way to ensure payment transaction data is restricted to the appropriate users?

Options:

A.

Implementing two-factor authentication

B.

Restricting access to transactions using network security software

C.

implementing role-based access at the application level

D.

Using a single menu tor sensitive application transactions

Buy Now
Questions 190

An IS auditor is reviewing the release management process for an in-house software development solution. In which environment Is the software version MOST likely to be the same as production?

Options:

A.

Staging

B.

Testing

C.

Integration

D.

Development

Buy Now
Questions 191

The BEST way to determine whether programmers have permission to alter data in the production environment is by reviewing:

Options:

A.

the access control system's log settings.

B.

how the latest system changes were implemented.

C.

the access control system's configuration.

D.

the access rights that have been granted.

Buy Now
Questions 192

A month after a company purchased and implemented system and performance monitoring software, reports were too large and therefore were not reviewed or acted upon The MOST effective plan of action would be to:

Options:

A.

evaluate replacement systems and performance monitoring software.

B.

restrict functionality of system monitoring software to security-related events.

C.

re-install the system and performance monitoring software.

D.

use analytical tools to produce exception reports from the system and performance monitoring software

Buy Now
Questions 193

When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor's BEST recommendation is to place an intrusion detection system (IDS) between the firewall and:

Options:

A.

the organization's web server.

B.

the demilitarized zone (DMZ).

C.

the organization's network.

D.

the Internet

Buy Now
Questions 194

Which of the following is the BEST source of information tor an IS auditor to use when determining whether an organization's information security policy is adequate?

Options:

A.

Information security program plans

B.

Penetration test results

C.

Risk assessment results

D.

Industry benchmarks

Buy Now
Questions 195

An IS audit learn is evaluating the documentation related to the most recent application user-access review performed by IT and business management It is determined that the user list was not system-generated. Which of the following should be the GREATEST concern?

Options:

A.

Availability of the user list reviewed

B.

Confidentiality of the user list reviewed

C.

Source of the user list reviewed

D.

Completeness of the user list reviewed

Buy Now
Questions 196

Which of the following represents the HIGHEST level of maturity of an information security program?

Options:

A.

A training program is in place to promote information security awareness.

B.

A framework is in place to measure risks and track effectiveness.

C.

Information security policies and procedures are established.

D.

The program meets regulatory and compliance requirements.

Buy Now
Questions 197

Upon completion of audit work, an IS auditor should:

Options:

A.

provide a report to senior management prior to discussion with the auditee.

B.

distribute a summary of general findings to the members of the auditing team.

C.

provide a report to the auditee stating the initial findings.

D.

review the working papers with the auditee.

Buy Now
Questions 198

The performance, risks, and capabilities of an IT infrastructure are BEST measured using a:

Options:

A.

risk management review

B.

control self-assessment (CSA).

C.

service level agreement (SLA).

D.

balanced scorecard.

Buy Now
Questions 199

An IS auditor notes that IT and the business have different opinions on the availability of their application servers. Which of the following should the IS auditor review FIRST in order to understand the problem?

Options:

A.

The exact definition of the service levels and their measurement

B.

The alerting and measurement process on the application servers

C.

The actual availability of the servers as part of a substantive test

D.

The regular performance-reporting documentation

Buy Now
Questions 200

Which of the following metrics would BEST measure the agility of an organization's IT function?

Options:

A.

Average number of learning and training hours per IT staff member

B.

Frequency of security assessments against the most recent standards and guidelines

C.

Average time to turn strategic IT objectives into an agreed upon and approved initiative

D.

Percentage of staff with sufficient IT-related skills for the competency required of their roles

Buy Now
Questions 201

Which of the following would BEST help lo support an auditor’s conclusion about the effectiveness of an implemented data classification program?

Options:

A.

Purchase of information management tools

B.

Business use cases and scenarios

C.

Access rights provisioned according to scheme

D.

Detailed data classification scheme

Buy Now
Questions 202

Which of the following would provide the MOST important input during the planning phase for an audit on the implementation of a bring your own device (BYOD) program?

Options:

A.

Findings from prior audits

B.

Results of a risk assessment

C.

An inventory of personal devices to be connected to the corporate network

D.

Policies including BYOD acceptable user statements

Buy Now
Questions 203

During an IT governance audit, an IS auditor notes that IT policies and procedures are not regularly reviewed and updated. The GREATEST concern to the IS auditor is that policies and procedures might not:

Options:

A.

reflect current practices.

B.

include new systems and corresponding process changes.

C.

incorporate changes to relevant laws.

D.

be subject to adequate quality assurance (QA).

Buy Now
Questions 204

Which of the following will MOST likely compromise the control provided By a digital signature created using RSA encryption?

Options:

A.

Reversing the hash function using the digest

B.

Altering the plaintext message

C.

Deciphering the receiver's public key

D.

Obtaining the sender's private key

Buy Now
Questions 205

Which of the following findings from an IT governance review should be of GREATEST concern?

Options:

A.

The IT budget is not monitored

B.

All IT services are provided by third parties.

C.

IT value analysis has not been completed.

D.

IT supports two different operating systems.

Buy Now
Questions 206

Which of the following MUST be completed as part of the annual audit planning process?

Options:

A.

Business impact analysis (BIA)

B.

Fieldwork

C.

Risk assessment

D.

Risk control matrix

Buy Now
Questions 207

The PRIMARY focus of a post-implementation review is to verify that:

Options:

A.

enterprise architecture (EA) has been complied with.

B.

user requirements have been met.

C.

acceptance testing has been properly executed.

D.

user access controls have been adequately designed.

Buy Now
Questions 208

An IS auditor learns the organization has experienced several server failures in its distributed environment. Which of the following is the BEST recommendation to limit the potential impact of server failures in the future?

Options:

A.

Redundant pathways

B.

Clustering

C.

Failover power

D.

Parallel testing

Buy Now
Questions 209

For an organization that has plans to implement web-based trading, it would be MOST important for an IS auditor to verify the organization's information security plan includes:

Options:

A.

attributes for system passwords.

B.

security training prior to implementation.

C.

security requirements for the new application.

D.

the firewall configuration for the web server.

Buy Now
Questions 210

UESTION NO: 210

An accounting department uses a spreadsheet to calculate sensitive financial transactions. Which of the following is the MOST important control for maintaining the security of data in the spreadsheet?

Options:

A.

There Is a reconciliation process between the spreadsheet and the finance system

B.

A separate copy of the spreadsheet is routinely backed up

C.

The spreadsheet is locked down to avoid inadvertent changes

D.

Access to the spreadsheet is given only to those who require access

Buy Now
Questions 211

Which of the following BEST protects an organization's proprietary code during a joint-development activity involving a third party?

Options:

A.

Statement of work (SOW)

B.

Nondisclosure agreement (NDA)

C.

Service level agreement (SLA)

D.

Privacy agreement

Buy Now
Questions 212

The GREATEST benefit of using a polo typing approach in software development is that it helps to:

Options:

A.

minimize scope changes to the system.

B.

decrease the time allocated for user testing and review.

C.

conceptualize and clarify requirements.

D.

Improve efficiency of quality assurance (QA) testing

Buy Now
Questions 213

In order to be useful, a key performance indicator (KPI) MUST

Options:

A.

be approved by management.

B.

be measurable in percentages.

C.

be changed frequently to reflect organizational strategy.

D.

have a target value.

Buy Now
Questions 214

Which of the following documents should specify roles and responsibilities within an IT audit organization?

Options:

A.

Organizational chart

B.

Audit charier

C.

Engagement letter

D.

Annual audit plan

Buy Now
Questions 215

The IS quality assurance (OA) group is responsible for:

Options:

A.

ensuring that program changes adhere to established standards.

B.

designing procedures to protect data against accidental disclosure.

C.

ensuring that the output received from system processing is complete.

D.

monitoring the execution of computer processing tasks.

Buy Now
Questions 216

Which of the following is the MOST important determining factor when establishing appropriate timeframes for follow-up activities related to audit findings?

Options:

A.

Availability of IS audit resources

B.

Remediation dates included in management responses

C.

Peak activity periods for the business

D.

Complexity of business processes identified in the audit

Buy Now
Questions 217

Which of the following BEST Indicates that an incident management process is effective?

Options:

A.

Decreased time for incident resolution

B.

Increased number of incidents reviewed by IT management

C.

Decreased number of calls lo the help desk

D.

Increased number of reported critical incidents

Buy Now
Questions 218

An IS auditor concludes that an organization has a quality security policy. Which of the following is MOST important to determine next? The policy must be:

Options:

A.

well understood by all employees.

B.

based on industry standards.

C.

developed by process owners.

D.

updated frequently.

Buy Now
Questions 219

During an audit of a multinational bank's disposal process, an IS auditor notes several findings. Which of the following should be the auditor's GREATEST concern?

Options:

A.

Backup media are not reviewed before disposal.

B.

Degaussing is used instead of physical shredding.

C.

Backup media are disposed before the end of the retention period

D.

Hardware is not destroyed by a certified vendor.

Buy Now
Questions 220

Which of the following activities would allow an IS auditor to maintain independence while facilitating a control sell-assessment (CSA)?

Options:

A.

Implementing the remediation plan

B.

Partially completing the CSA

C.

Developing the remediation plan

D.

Developing the CSA questionnaire

Buy Now
Questions 221

Which of the following is the BEST way for an organization to mitigate the risk associated with third-party application performance?

Options:

A.

Ensure the third party allocates adequate resources to meet requirements.

B.

Use analytics within the internal audit function

C.

Conduct a capacity planning exercise

D.

Utilize performance monitoring tools to verify service level agreements (SLAs)

Buy Now
Questions 222

An information systems security officer's PRIMARY responsibility for business process applications is to:

Options:

A.

authorize secured emergency access

B.

approve the organization's security policy

C.

ensure access rules agree with policies

D.

create role-based rules for each business process

Buy Now
Questions 223

Which of the following should an IS auditor review FIRST when planning a customer data privacy audit?

Options:

A.

Legal and compliance requirements

B.

Customer agreements

C.

Data classification

D.

Organizational policies and procedures

Buy Now
Questions 224

Which of the following activities provides an IS auditor with the MOST insight regarding potential single person dependencies that might exist within the organization?

Options:

A.

Reviewing vacation patterns

B.

Reviewing user activity logs

C.

Interviewing senior IT management

D.

Mapping IT processes to roles

Buy Now
Questions 225

Which of the following is the MOST appropriate and effective fire suppression method for an unstaffed computer room?

Options:

A.

Water sprinkler

B.

Fire extinguishers

C.

Carbon dioxide (CO2)

D.

Dry pipe

Buy Now
Questions 226

A review of IT interface controls finds an organization does not have a process to identify and correct records that do not get transferred to the receiving system Which of the following is the IS auditors BEST recommendation?

Options:

A.

Enable automatic encryption decryption and electronic signing of data files

B.

implement software to perform automatic reconciliations of data between systems

C.

Have coders perform manual reconciliation of data between systems

D.

Automate the transfer of data between systems as much as feasible

Buy Now
Questions 227

Which of the following should be the FIRST step when planning an IS audit of a third-party service provider that monitors network activities?

Options:

A.

Review the third party's monitoring logs and incident handling

B.

Review the roles and responsibilities of the third-party provider

C.

Evaluate the organization's third-party monitoring process

D.

Determine if the organization has a secure connection to the provider

Buy Now
Questions 228

An organization is planning an acquisition and has engaged an IS auditor lo evaluate the IT governance framework of the target company. Which of the following would be MOST helpful In determining the effectiveness of the framework?

Options:

A.

Sell-assessment reports of IT capability and maturity

B.

IT performance benchmarking reports with competitors

C.

Recent third-party IS audit reports

D.

Current and previous internal IS audit reports

Buy Now
Questions 229

An IS auditor is reviewing security controls related to collaboration tools for a business unit responsible for intellectual property and patents. Which of the following observations should be of MOST concern to the auditor?

Options:

A.

Training was not provided to the department that handles intellectual property and patents

B.

Logging and monitoring for content filtering is not enabled.

C.

Employees can share files with users outside the company through collaboration tools.

D.

The collaboration tool is hosted and can only be accessed via an Internet browser

Buy Now
Questions 230

An organization plans to receive an automated data feed into its enterprise data warehouse from a third-party service provider. Which of the following would be the BEST way to prevent accepting bad data?

Options:

A.

Obtain error codes indicating failed data feeds.

B.

Purchase data cleansing tools from a reputable vendor.

C.

Appoint data quality champions across the organization.

D.

Implement business rules to reject invalid data.

Buy Now
Questions 231

In which phase of penetration testing would host detection and domain name system (DNS) interrogation be performed?

Options:

A.

Discovery

B.

Attacks

C.

Planning

D.

Reporting

Buy Now
Questions 232

Due to limited storage capacity, an organization has decided to reduce the actual retention period for media containing completed low-value transactions. Which of the following is MOST important for the organization to ensure?

Options:

A.

The policy includes a strong risk-based approach.

B.

The retention period allows for review during the year-end audit.

C.

The retention period complies with data owner responsibilities.

D.

The total transaction amount has no impact on financial reporting

Buy Now
Questions 233

The waterfall life cycle model of software development is BEST suited for which of the following situations?

Options:

A.

The protect requirements are wall understood.

B.

The project is subject to time pressures.

C.

The project intends to apply an object-oriented design approach.

D.

The project will involve the use of new technology.

Buy Now
Questions 234

When planning an audit to assess application controls of a cloud-based system, it is MOST important tor the IS auditor to understand the.

Options:

A.

architecture and cloud environment of the system.

B.

business process supported by the system.

C.

policies and procedures of the business area being audited.

D.

availability reports associated with the cloud-based system.

Buy Now
Questions 235

A third-party consultant is managing the replacement of an accounting system. Which of the following should be the IS auditor's GREATEST concern?

Options:

A.

Data migration is not part of the contracted activities.

B.

The replacement is occurring near year-end reporting

C.

The user department will manage access rights.

D.

Testing was performed by the third-party consultant

Buy Now
Questions 236

The due date of an audit project is approaching, and the audit manager has determined that only 60% of the audit has been completed. Which of the following should the audit manager do FIRST?

Options:

A.

Determine where delays have occurred

B.

Assign additional resources to supplement the audit

C.

Escalate to the audit committee

D.

Extend the audit deadline

Buy Now
Questions 237

Which of the following would be the BEST process for continuous auditing to a large financial Institution?

Options:

A.

Testing encryption standards on the disaster recovery system

B.

Validating access controls for real-time data systems

C.

Performing parallel testing between systems

D.

Validating performance of help desk metrics

Buy Now
Questions 238

Which of the following is the GREATEST benefit of adopting an international IT governance framework rather than establishing a new framework based on the actual situation of a specific organization1?

Options:

A.

Readily available resources such as domains and risk and control methodologies

B.

Comprehensive coverage of fundamental and critical risk and control areas for IT governance

C.

Fewer resources expended on trial-and-error attempts to fine-tune implementation methodologies

D.

Wide acceptance by different business and support units with IT governance objectives

Buy Now
Questions 239

Which of the following BEST demonstrates that IT strategy Is aligned with organizational goals and objectives?

Options:

A.

IT strategies are communicated to all Business stakeholders

B.

Organizational strategies are communicated to the chief information officer (CIO).

C.

Business stakeholders are Involved In approving the IT strategy.

D.

The chief information officer (CIO) is involved In approving the organizational strategies

Buy Now
Questions 240

An IS auditor is analyzing a sample of accesses recorded on the system log of an application. The auditor intends to launch an intensive investigation if one exception is found Which sampling method would be appropriate?

Options:

A.

Discovery sampling

B.

Judgmental sampling

C.

Variable sampling

D.

Stratified sampling

Buy Now
Questions 241

Which of the following is MOST effective for controlling visitor access to a data center?

Options:

A.

Visitors are escorted by an authorized employee

B.

Pre-approval of entry requests

C.

Visitors sign in at the front desk upon arrival

D.

Closed-circuit television (CCTV) is used to monitor the facilities

Buy Now
Questions 242

The use of which of the following is an inherent risk in the application container infrastructure?

Options:

A.

Shared registries

B.

Host operating system

C.

Shared data

D.

Shared kernel

Buy Now
Questions 243

While evaluating the data classification process of an organization, an IS auditor's PRIMARY focus should be on whether:

Options:

A.

data classifications are automated.

B.

a data dictionary is maintained.

C.

data retention requirements are clearly defined.

D.

data is correctly classified.

Buy Now
Questions 244

An organization has replaced all of the storage devices at its primary data center with new higher-capacity units The replaced devices have been installed at the disaster recovery site to replace older units An IS auditor s PRIMARY concern would be whether

Options:

A.

the recovery site devices can handle the storage requirements

B.

hardware maintenance contract is in place for both old and new storage devices

C.

the procurement was in accordance with corporate policies and procedures

D.

the relocation plan has been communicated to all concerned parties

Buy Now
Questions 245

An IS auditor is evaluating the progress of a web-based customer service application development project. Which of the following would be MOST helpful for this evaluation?

Options:

A.

Backlog consumption reports

B.

Critical path analysis reports

C.

Developer status reports

D.

Change management logs

Buy Now
Questions 246

During an audit which of the following would be MOST helpful in establishing a baseline for measuring data quality?

Options:

A.

Input from customers

B.

Industry standard business definitions

C.

Validation of rules by the business

D.

Built-in data error prevention application controls

Buy Now
Questions 247

When reviewing a project to replace multiple manual data entry systems with an artificial intelligence (Al) system, the IS auditor should be MOST concerned with the impact Al will have on

Options:

A.

employee retention

B.

enterprise architecture (EA)

C.

future task updates

D.

task capacity output

Buy Now
Questions 248

Which of the following should be of GREATEST concern to an IS auditor performing a review of information security controls?

Options:

A.

The information security policy has not been approved by the chief audit executive (CAE).

B.

The information security policy does not include mobile device provisions

C.

The information security policy is not frequently reviewed

D.

The information security policy has not been approved by the policy owner

Buy Now
Questions 249

Which of the following is the BEST way to sanitize a hard disk for reuse to ensure the organization's information cannot be accessed?

Options:

A.

Re-partitioning

B.

Degaussing

C.

Formatting

D.

Data wiping

Buy Now
Questions 250

An IS auditor Is renewing the deployment of a new automated system Which of the following findings presents the MOST significant risk?

Options:

A.

The new system has resulted m layoffs of key experienced personnel.

B.

Users have not been trained on the new system.

C.

Data from the legacy system is not migrated correctly to the new system.

D.

The new system is not platform agnostic

Buy Now
Questions 251

Which of the following should be an IS auditor's PRIMARY focus when evaluating the response process for cybercrimes?

Options:

A.

Communication with law enforcement

B.

Notification to regulators

C.

Root cause analysis

D.

Evidence collection

Buy Now
Questions 252

An organization has recently moved to an agile model for deploying custom code to its in-house accounting software system. When reviewing the procedures in place for production code deployment, which of the following is the MOST significant security concern to address?

Options:

A.

Software vulnerability scanning is done on an ad hoc basis.

B.

Change control does not include testing and approval from quality assurance (QA).

C.

Production code deployment is not automated.

D.

Current DevSecOps processes have not been independently verified.

Buy Now
Questions 253

When reviewing the functionality of an intrusion detection system (IDS), the IS auditor should be MOST concerned if:

Options:

A.

legitimate packets blocked by the system have increased

B.

actual attacks have not been identified

C.

detected events have increased

D.

false positives have been reported

Buy Now
Questions 254

An IS auditor reviewing the throat assessment for a data cantor would be MOST concerned if:

Options:

A.

some of the identified threats are unlikely to occur.

B.

all identified threats relate to external entities.

C.

the exercise was completed by local management.

D.

neighboring organizations' operations have been included.

Buy Now
Questions 255

Which of the following should be of GREATEST concern to an IS auditor conducting an audit of an organization that recently experienced a ransomware attack?

Options:

A.

Antivirus software was unable to prevent the attack even though it was properly updated

B.

The most recent security patches were not tested prior to implementation

C.

Backups were only performed within the local network

D.

Employees were not trained on cybersecurity policies and procedures

Buy Now
Questions 256

Which of the following provides the MOST useful information for performing a business impact analysis (B1A)?

Options:

A.

inventory of relevant business processes

B.

Policies for business procurement

C.

Documentation of application configurations

D.

Results of business resumption planning efforts

Buy Now
Questions 257

A computer forensic audit is MOST relevant in which of the following situations?

Options:

A.

Inadequate controls in the IT environment

B.

Mismatches in transaction data

C.

Missing server patches

D.

Data loss due to hacking of servers

Buy Now
Questions 258

A senior auditor is reviewing work papers prepared by a junior auditor indicating that a finding was removed after the auditee said they corrected the problem. Which of the following is the senior auditor s MOST appropriate course of action?

Options:

A.

Ask the auditee to retest

B.

Approve the work papers as written

C.

Have the finding reinstated

D.

Refer the issue to the audit director

Buy Now
Questions 259

An IS auditor learns that an in-house system development life cycle (SDLC) project has not met user specifications. The auditor should FIRST examine requirements from which of the following phases?

Options:

A.

Configuration phase

B.

User training phase

C.

Quality assurance (QA) phase

D.

Development phase

Buy Now
Questions 260

An IS auditor concludes that logging and monitoring mechanisms within an organization are ineffective because critical servers are not included within the central log repository. Which of the following audit procedures would have MOST likely identified this exception?

Options:

A.

Inspecting a sample of alerts generated from the central log repository

B.

Comparing a list of all servers from the directory server against a list of all servers present in the central log repository

C.

Inspecting a sample of alert settings configured in the central log repository

D.

Comparing all servers included in the current central log repository with the listing used for the prior-year audit

Buy Now
Questions 261

Which of the following methods will BEST reduce the risk associated with the transition to a new system using technologies that are not compatible with the old system?

Options:

A.

Parallel changeover

B.

Modular changeover

C.

Phased operation

D.

Pilot operation

Buy Now
Questions 262

An IT governance body wants to determine whether IT service delivery is based on consistently effective processes. Which of the following is the BEST approach?

Options:

A.

implement a control self-assessment (CSA)

B.

Conduct a gap analysis

C.

Develop a maturity model

D.

Evaluate key performance indicators (KPIs)

Buy Now
Questions 263

in a post-implantation Nation review of a recently purchased system it is MOST important for the iS auditor to determine whether the:

Options:

A.

stakeholder expectations were identified

B.

vendor product offered a viable solution.

C.

user requirements were met.

D.

test scenarios reflected operating activities.

Buy Now
Questions 264

Which of the following should be the FIRST step when conducting an IT risk assessment?

Options:

A.

Identify potential threats.

B.

Assess vulnerabilities.

C.

Identify assets to be protected.

D.

Evaluate controls in place.

Buy Now
Questions 265

Which of the following is an IS auditor's BEST approach when prepanng to evaluate whether the IT strategy supports the organization's vision and mission?

Options:

A.

Review strategic projects tor return on investments (ROls)

B.

Solicit feedback from other departments to gauge the organization's maturity

C.

Meet with senior management to understand business goals

D.

Review the organization's key performance indicators (KPls)

Buy Now
Questions 266

What is the PRIMARY purpose of performing a parallel run of a now system?

Options:

A.

To train the end users and supporting staff on the new system

B.

To verify the new system provides required business functionality

C.

To reduce the need for additional testing

D.

To validate the new system against its predecessor

Buy Now
Questions 267

An incident response team has been notified of a virus outbreak in a network subnet. Which of the following should be the NEXT step?

Options:

A.

Verify that the compromised systems are fully functional

B.

Focus on limiting the damage

C.

Document the incident

D.

Remove and restore the affected systems

Buy Now
Questions 268

Which of the following management decisions presents the GREATEST risk associated with data leakage?

Options:

A.

There is no requirement for desktops to be encrypted

B.

Staff are allowed to work remotely

C.

Security awareness training is not provided to staff

D.

Security policies have not been updated in the past year

Buy Now
Questions 269

A data center's physical access log system captures each visitor's identification document numbers along with the visitor's photo. Which of the following sampling methods would be MOST useful to an IS auditor conducting compliance testing for the effectiveness of the system?

Options:

A.

Quota sampling

B.

Haphazard sampling

C.

Attribute sampling

D.

Variable sampling

Buy Now
Questions 270

Management has learned the implementation of a new IT system will not be completed on time and has requested an audit. Which of the following audit findings should be of GREATEST concern?

Options:

A.

The actual start times of some activities were later than originally scheduled.

B.

Tasks defined on the critical path do not have resources allocated.

C.

The project manager lacks formal certification.

D.

Milestones have not been defined for all project products.

Buy Now
Questions 271

Which of the following is the BEST reason for an IS auditor to emphasize to management the importance of using an IT governance framework?

Options:

A.

Frameworks enable IT benchmarks against competitors

B.

Frameworks can be tailored and optimized for different organizations

C.

Frameworks help facilitate control self-assessments (CSAs)

D.

Frameworks help organizations understand and manage IT risk

Buy Now
Questions 272

Which of the following is the BEST performance indicator for the effectiveness of an incident management program?

Options:

A.

Average time between incidents

B.

Incident alert meantime

C.

Number of incidents reported

D.

Incident resolution meantime

Buy Now
Questions 273

The operations team of an organization has reported an IS security attack Which of the following should be the FIRST step for the security incident response team?

Options:

A.

Report results to management

B.

Document lessons learned

C.

Perform a damage assessment

D.

Prioritize resources for corrective action

Buy Now
Questions 274

Stress testing should ideally be earned out under a:

Options:

A.

test environment with production workloads.

B.

production environment with production workloads.

C.

production environment with test data.

D.

test environment with test data.

Buy Now
Questions 275

Which of the following should be an IS auditor's GREATEST concern when a data owner assigns an incorrect classification level to data?

Options:

A.

Controls to adequately safeguard the data may not be applied.

B.

Data may not be encrypted by the system administrator.

C.

Competitors may be able to view the data.

D.

Control costs may exceed the intrinsic value of the IT asset.

Buy Now
Questions 276

Which of the following is the BEST method to delete sensitive information from storage media that will be reused?

Options:

A.

Crypto-shredding

B.

Multiple overwriting

C.

Reformatting

D.

Re-partitioning

Buy Now
Questions 277

Capacity management tools are PRIMARILY used to ensure that:

Options:

A.

available resources are used efficiently and effectively

B.

computer systems are used to their maximum capacity most of the time

C.

concurrent use by a large number of users is enabled

D.

proposed hardware acquisitions meet capacity requirements

Buy Now
Questions 278

Which of the following be of GREATEST concern to an IS auditor reviewing on-site preventive maintenance for an organization’s business-critical server hardware?

Options:

A.

Preventive maintenance costs exceed the business allocated budget.

B.

Preventive maintenance has not been approved by the information system

C.

Preventive maintenance is outsourced to multiple vendors without requiring nondisclosure agreements (NDAs)

D.

The preventive maintenance schedule is based on mean time between failures (MTBF) parameters.

Buy Now
Questions 279

An IS auditor is assigned to review the IS department s quality procedures. Upon contacting the IS manager, the auditor finds that there is an informal unwritten set of standards Which of the following should be the auditor's NEXT action1?

Options:

A.

Make recommendations to IS management as to appropriate quality standards

B.

Postpone the audit until IS management implements written standards

C.

Document and lest compliance with the informal standards

D.

Finalize the audit and report the finding

Buy Now
Questions 280

Which of the following findings should be of GREATEST concern to an IS auditor reviewing an organization s newly implemented online security awareness program'?

Options:

A.

Only new employees are required to attend the program

B.

Metrics have not been established to assess training results

C.

Employees do not receive immediate notification of results

D.

The timing for program updates has not been determined

Buy Now
Questions 281

An organization is concerned with meeting new regulations for protecting data confidentiality and asks an IS auditor to evaluate their procedures for transporting data. Which of the

following would BEST support the organization's objectives?

Options:

A.

Cryptographic hashes

B.

Virtual local area network (VLAN)

C.

Encryption

D.

Dedicated lines

Buy Now
Questions 282

Which of the following would BEST help to ensure that an incident receives attention from appropriate personnel in a timely manner?

Options:

A.

Completing the incident management log

B.

Broadcasting an emergency message

C.

Requiring a dedicated incident response team

D.

Implementing incident escalation procedures

Buy Now
Questions 283

When assessing the overall effectiveness of an organization's disaster recovery planning process, which of the following is MOST important for the IS auditor to verify?

Options:

A.

Management contracts with a third party for warm site services.

B.

Management schedules an annual tabletop exercise.

C.

Management documents and distributes a copy of the plan to all personnel.

D.

Management reviews and updates the plan annually or as changes occur.

Buy Now
Questions 284

An IS auditor assessing the controls within a newly implemented call center would First

Options:

A.

gather information from the customers regarding response times and quality of service.

B.

review the manual and automated controls in the call center.

C.

test the technical infrastructure at the call center.

D.

evaluate the operational risk associated with the call center.

Buy Now
Questions 285

Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?

Options:

A.

Apply single sign-on for access control

B.

Implement segregation of duties.

C.

Enforce an internal data access policy.

D.

Enforce the use of digital signatures.

Buy Now
Questions 286

An IS auditor reviewing the threat assessment tor a data center would be MOST concerned if:

Options:

A.

some of the identified throats are unlikely to occur.

B.

all identified throats relate to external entities.

C.

the exercise was completed by local management.

D.

neighboring organizations operations have been included.

Buy Now
Questions 287

What should be the PRIMARY basis for selecting which IS audits to perform in the coming year?

Options:

A.

Senior management's request

B.

Prior year's audit findings

C.

Organizational risk assessment

D.

Previous audit coverage and scope

Buy Now
Questions 288

An IS auditor notes the transaction processing times in an order processing system have significantly increased after a major release. Which of the following should the IS auditor review FIRST?

Options:

A.

Capacity management plan

B.

Training plans

C.

Database conversion results

D.

Stress testing results

Buy Now
Questions 289

While executing follow-up activities, an IS auditor is concerned that management has implemented corrective actions that are different from those originally discussed and agreed with the audit function. In order to resolve the situation, the IS auditor's BEST course of action would be to:

Options:

A.

re-prioritize the original issue as high risk and escalate to senior management.

B.

schedule a follow-up audit in the next audit cycle.

C.

postpone follow-up activities and escalate the alternative controls to senior audit management.

D.

determine whether the alternative controls sufficiently mitigate the risk.

Buy Now
Questions 290

Which of the following is MOST important to consider when reviewing an organization's defined data backup and restoration procedures?

Options:

A.

Business continuity plan (BCP)

B.

Recovery point objective (RPO)

C.

Mean time to restore (MTTR)

D.

Mean time between failures (MTBF)

Buy Now
Questions 291

One advantage of monetary unit sampling is the fact that

Options:

A.

results are stated m terms of the frequency of items in error

B.

it can easily be applied manually when computer resources are not available

C.

large-value population items are segregated and audited separately

D.

it increases the likelihood of selecting material items from the population

Buy Now
Questions 292

Which of the following is the BEST recommendation to include in an organization's bring your own device (BYOD)

policy to help prevent data leakage?

Options:

A.

Require employees to waive privacy rights related to data on BYOD devices.

B.

Require multi-factor authentication on BYOD devices,

C.

Specify employee responsibilities for reporting lost or stolen BYOD devices.

D.

Allow only registered BYOD devices to access the network.

Buy Now
Questions 293

An organization implemented a cybersecurity policy last year Which of the following is the GREATE ST indicator that the policy may need to be revised?

Options:

A.

A significant increase in authorized connections to third parties

B.

A significant increase in cybersecurity audit findings

C.

A significant increase in approved exceptions

D.

A significant increase in external attack attempts

Buy Now
Questions 294

Which of the following provides the BEST evidence that a third-party service provider's information security controls

are effective?

Options:

A.

An audit report of the controls by the service provider's external auditor

B.

Documentation of the service provider's security configuration controls

C.

An interview with the service provider's information security officer

D.

A review of the service provider's policies and procedures

Buy Now
Questions 295

An IS auditor is preparing a plan for audits to be carried out over a specified period. Which of the following activities should the IS auditor perform FIRST?

Options:

A.

Allocate audit resources.

B.

Prioritize risks.

C.

Review prior audit reports.

D.

Determine the audit universe.

Buy Now
Questions 296

What is the BEST way to reduce the risk of inaccurate or misleading data proliferating through business intelligence systems?

Options:

A.

Establish rules for converting data from one format to another

B.

Implement data entry controls for new and existing applications

C.

Implement a consistent database indexing strategy

D.

Develop a metadata repository to store and access metadata

Buy Now
Questions 297

Which of the following poses the GREATEST risk to an organization when employees use public social networking sites?

Options:

A.

Cross-site scripting (XSS)

B.

Copyright violations

C.

Social engineering

D.

Adverse posts about the organization

Buy Now
Questions 298

Which of the following is the BEST testing approach to facilitate rapid identification of application interface errors?

Options:

A.

Integration testing

B.

Regression testing

C.

Automated testing

D.

User acceptance testing (UAT)

Buy Now
Questions 299

Which of the following should be of GREATEST concern to an IS auditor assessing the effectiveness of an organization's vulnerability scanning program''

Options:

A.

Steps taken to address identified vulnerabilities are not formally documented

B.

Results are not reported to individuals with authority to ensure resolution

C.

Scans are performed less frequently than required by the organization's vulnerability scanning schedule

D.

Results are not approved by senior management

Buy Now
Questions 300

Which of the following should be performed FIRST before key performance indicators (KPIs) can be implemented?

Options:

A.

Analysis of industry benchmarks

B.

Identification of organizational goals

C.

Analysis of quantitative benefits

D.

Implementation of a balanced scorecard

Buy Now
Questions 301

Which of the following should be of GREATEST concern to an IS auditor reviewing a network printer disposal process?

Options:

A.

Disposal policies and procedures are not consistently implemented

B.

Evidence is not available to verify printer hard drives have been sanitized prior to disposal.

C.

Business units are allowed to dispose printers directly to

D.

Inoperable printers are stored in an unsecured area.

Buy Now
Questions 302

Which of the following is MOST important to include in security awareness training?

Options:

A.

How to respond to various types of suspicious activity

B.

The importance of complex passwords

C.

Descriptions of the organization's security infrastructure

D.

Contact information for the organization's security team

Buy Now
Questions 303

As part of the architecture of virtualized environments, in a bare metal or native visualization the hypervisor runs without:

Options:

A.

a host operating system.

B.

a guest operating system.

C.

any applications on the guest operating system.

D.

any applications on the host operating system.

Buy Now
Questions 304

The use of access control lists (ACLs) is the MOST effective method to mitigate security risk for routers because they: (Identify Correct answer and related explanation/references from CISA Certification - Information Systems Auditor official Manual or book)

Options:

A.

are recommended by security standards.

B.

can limit Telnet and traffic from the open Internet.

C.

act as fitters between the world and the network.

D.

can detect cyberattacks.

Buy Now
Questions 305

Which of the following is the BEST methodology to use for estimating the complexity of developing a large business application?

Options:

A.

Function point analysis

B.

Work breakdown structure

C.

Critical path analysts

D.

Software cost estimation

Buy Now
Questions 306

During an audit of an organization's risk management practices, an IS auditor finds several documented IT risk acceptances have not been renewed in a timely manner after the assigned expiration date When assessing the seventy of this finding, which mitigating factor would MOST significantly minimize the associated impact?

Options:

A.

There are documented compensating controls over the business processes.

B.

The risk acceptances were previously reviewed and approved by appropriate senior management

C.

The business environment has not significantly changed since the risk acceptances were approved.

D.

The risk acceptances with issues reflect a small percentage of the total population

Buy Now
Questions 307

An audit identified that a computer system is not assigning sequential purchase order numbers to order requests. The IS auditor is conducting an audit follow-up to determine if management has reserved this finding. Which of two following is the MOST reliable follow-up procedure?

Options:

A.

Review the documentation of recant changes to implement sequential order numbering.

B.

Inquire with management if the system has been configured and tested to generate sequential order numbers.

C.

Inspect the system settings and transaction logs to determine if sequential order numbers are generated.

D.

Examine a sample of system generated purchase orders obtained from management

Buy Now
Questions 308

Which of the following would be MOST useful when analyzing computer performance?

Options:

A.

Statistical metrics measuring capacity utilization

B.

Operations report of user dissatisfaction with response time

C.

Tuning of system software to optimize resource usage

D.

Report of off-peak utilization and response time

Buy Now
Questions 309

Which of the following would BEST ensure that a backup copy is available for restoration of mission critical data after a disaster''

Options:

A.

Use an electronic vault for incremental backups

B.

Deploy a fully automated backup maintenance system.

C.

Periodically test backups stored in a remote location

D.

Use both tape and disk backup systems

Buy Now
Questions 310

Which of the following would an IS auditor recommend as the MOST effective preventive control to reduce the risk of data leakage?

Options:

A.

Ensure that paper documents arc disposed security.

B.

Implement an intrusion detection system (IDS).

C.

Verify that application logs capture any changes made.

D.

Validate that all data files contain digital watermarks

Buy Now
Questions 311

Which of the following is the GREATEST risk of using a reciprocal site for disaster recovery?

Options:

A.

Inability to utilize the site when required

B.

Inability to test the recovery plans onsite

C.

Equipment compatibility issues at the site

D.

Mismatched organizational security policies

Buy Now
Questions 312

A review of Internet security disclosed that users have individual user accounts with Internet service providers (ISPs) and use these accounts for downloading business data. The organization wants to ensure that only the corporate network is used. The organization should FIRST:

Options:

A.

use a proxy server to filter out Internet sites that should not be accessed.

B.

keep a manual log of Internet access.

C.

monitor remote access activities.

D.

include a statement in its security policy about Internet use.

Buy Now
Questions 313

An IS auditor has completed the fieldwork phase of a network security review and is preparing the initial following findings should be ranked as the HIGHEST risk?

Options:

A.

Network penetration tests are not performed

B.

The network firewall policy has not been approved by the information security officer.

C.

Network firewall rules have not been documented.

D.

The network device inventory is incomplete.

Buy Now
Questions 314

Which of the following is a challenge in developing a service level agreement (SLA) for network services?

Options:

A.

Establishing a well-designed framework for network servirces.

B.

Finding performance metrics that can be measured properly

C.

Ensuring that network components are not modified by the client

D.

Reducing the number of entry points into the network

Buy Now
Questions 315

Which of the following should an IS auditor expect to see in a network vulnerability assessment?

Options:

A.

Misconfiguration and missing updates

B.

Malicious software and spyware

C.

Zero-day vulnerabilities

D.

Security design flaws

Buy Now
Questions 316

During an IT general controls audit of a high-risk area where both internal and external audit teams are reviewing the same approach to optimize resources?

Options:

A.

Leverage the work performed by external audit for the internal audit testing.

B.

Ensure both the internal and external auditors perform the work simultaneously.

C.

Request that the external audit team leverage the internal audit work.

D.

Roll forward the general controls audit to the subsequent audit year.

Buy Now
Questions 317

The PRIMARY benefit of information asset classification is that it:

Options:

A.

prevents loss of assets.

B.

helps to align organizational objectives.

C.

facilitates budgeting accuracy.

D.

enables risk management decisions.

Buy Now
Questions 318

Which of the following backup schemes is the BEST option when storage media is limited?

Options:

A.

Real-time backup

B.

Virtual backup

C.

Differential backup

D.

Full backup

Buy Now
Questions 319

Which of the following is the PRIMARY purpose of obtaining a baseline image during an operating system audit?

Options:

A.

To identify atypical running processes

B.

To verify antivirus definitions

C.

To identify local administrator account access

D.

To verify the integrity of operating system backups

Buy Now
Questions 320

Which of the following should be of MOST concern to an IS auditor reviewing the information systems acquisition, development, and implementation process?

Options:

A.

Data owners are not trained on the use of data conversion tools.

B.

A post-implementation lessons-learned exercise was not conducted.

C.

There is no system documentation available for review.

D.

System deployment is routinely performed by contractors.

Buy Now
Questions 321

Which of the following will BEST ensure that a proper cutoff has been established to reinstate transactions and records to their condition just prior to a computer system failure?

Options:

A.

Rotating backup copies of transaction files offsite

B.

Using a database management system (DBMS) to dynamically back-out partially processed transactions

C.

Maintaining system console logs in electronic formal

D.

Ensuring bisynchronous capabilities on all transmission lines

Buy Now
Questions 322

An audit has identified that business units have purchased cloud-based applications without IPs support. What is the GREATEST risk associated with this situation?

Options:

A.

The applications are not included in business continuity plans (BCFs)

B.

The applications may not reasonably protect data.

C.

The application purchases did not follow procurement policy.

D.

The applications could be modified without advanced notice.

Buy Now
Questions 323

A review of an organization’s IT portfolio revealed several applications that are not in use. The BEST way to prevent this situation from recurring would be to implement.

Options:

A.

A formal request for proposal (RFP) process

B.

Business case development procedures

C.

An information asset acquisition policy

D.

Asset life cycle management.

Buy Now
Questions 324

The PRIMARY benefit lo using a dry-pipe fire-suppression system rather than a wet-pipe system is that a dry-pipe system:

Options:

A.

is more effective at suppressing flames.

B.

allows more time to abort release of the suppressant.

C.

has a decreased risk of leakage.

D.

disperses dry chemical suppressants exclusively.

Buy Now
Questions 325

During an ongoing audit, management requests a briefing on the findings to date. Which of the following is the IS auditor's BEST course of action?

Options:

A.

Review working papers with the auditee.

B.

Request the auditee provide management responses.

C.

Request management wait until a final report is ready for discussion.

D.

Present observations for discussion only.

Buy Now
Questions 326

An IS auditor plans to review all access attempts to a video-monitored and proximity card-controlled communications room. Which of the following would be MOST useful to the auditor?

Options:

A.

Alarm system with CCTV

B.

Access control log

C.

Security incident log

D.

Access card allocation records

Buy Now
Questions 327

The PRIMARY objective of value delivery in reference to IT governance is to:

Options:

A.

promote best practices

B.

increase efficiency.

C.

optimize investments.

D.

ensure compliance.

Buy Now
Questions 328

Which of the following is MOST important when planning a network audit?

Options:

A.

Determination of IP range in use

B.

Analysis of traffic content

C.

Isolation of rogue access points

D.

Identification of existing nodes

Buy Now
Questions 329

An IS auditor finds that the process for removing access for terminated employees is not documented What is the MOST significant risk from this observation?

Options:

A.

Procedures may not align with best practices

B.

Human resources (HR) records may not match system access.

C.

Unauthorized access cannot he identified.

D.

Access rights may not be removed in a timely manner.

Buy Now
Questions 330

An organizations audit charier PRIMARILY:

Options:

A.

describes the auditors' authority to conduct audits.

B.

defines the auditors' code of conduct.

C.

formally records the annual and quarterly audit plans.

D.

documents the audit process and reporting standards.

Buy Now
Questions 331

An organization's enterprise architecture (EA) department decides to change a legacy system's components while maintaining its original functionality. Which of the following is MOST important for an IS auditor to understand when reviewing this decision?

Options:

A.

The current business capabilities delivered by the legacy system

B.

The proposed network topology to be used by the redesigned system

C.

The data flows between the components to be used by the redesigned system

D.

The database entity relationships within the legacy system

Buy Now
Questions 332

Which of the following is MOST important when implementing a data classification program?

Options:

A.

Understanding the data classification levels

B.

Formalizing data ownership

C.

Developing a privacy policy

D.

Planning for secure storage capacity

Buy Now
Questions 333

What Is the BEST method to determine if IT resource spending is aligned with planned project spending?

Options:

A.

Earned value analysis (EVA)

B.

Return on investment (ROI) analysis

C.

Gantt chart

D.

Critical path analysis

Buy Now
Questions 334

Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization's information security policy?

Options:

A.

IT steering committee minutes

B.

Business objectives

C.

Alignment with the IT tactical plan

D.

Compliance with industry best practice

Buy Now
Questions 335

Which of the following is the BEST recommendation to prevent fraudulent electronic funds transfers by accounts payable employees?

Options:

A.

Periodic vendor reviews

B.

Dual control

C.

Independent reconciliation

D.

Re-keying of monetary amounts

E.

Engage an external security incident response expert for incident handling.

Buy Now
Questions 336

An IS auditor follows up on a recent security incident and finds the incident response was not adequate. Which of the following findings should be considered MOST critical?

Options:

A.

The security weakness facilitating the attack was not identified.

B.

The attack was not automatically blocked by the intrusion detection system (IDS).

C.

The attack could not be traced back to the originating person.

D.

Appropriate response documentation was not maintained.

Buy Now
Questions 337

During audit framework. an IS auditor teams that employees are allowed to connect their personal devices to company-owned computers. How can the auditor BEST validate that appropriate security controls are in place to prevent data loss?

Options:

A.

Conduct a walk-through to view results of an employee plugging in a device to transfer confidential data.

B.

Review compliance with data loss and applicable mobile device user acceptance policies.

C.

Verify the data loss prevention (DLP) tool is properly configured by the organization.

D.

Verify employees have received appropriate mobile device security awareness training.

Buy Now
Questions 338

Which of the following is the MOST efficient way to identify segregation of duties violations in a new system?

Options:

A.

Review a report of security rights in the system.

B.

Observe the performance of business processes.

C.

Develop a process to identify authorization conflicts.

D.

Examine recent system access rights violations.

Buy Now
Questions 339

A warehouse employee of a retail company has been able to conceal the theft of inventory items by entering adjustments of either damaged or lost stock items lo the inventory system. Which control would have BEST prevented this type of fraud in a retail environment?

Options:

A.

Separate authorization for input of transactions

B.

Statistical sampling of adjustment transactions

C.

Unscheduled audits of lost stock lines

D.

An edit check for the validity of the inventory transaction

Buy Now
Questions 340

Which of the following would provide an IS auditor with the GREATEST assurance that data disposal controls support business strategic objectives?

Options:

A.

Media recycling policy

B.

Media sanitization policy

C.

Media labeling policy

D.

Media shredding policy

Buy Now
Questions 341

An externally facing system containing sensitive data is configured such that users have either read-only or administrator rights. Most users of the system have administrator access. Which of the following is the GREATEST risk associated with this situation?

Options:

A.

Users can export application logs.

B.

Users can view sensitive data.

C.

Users can make unauthorized changes.

D.

Users can install open-licensed software.

Buy Now
Questions 342

An organization has outsourced the development of a core application. However, the organization plans to bring the support and future maintenance of the application back in-house. Which of the following findings should be the IS auditor's GREATEST concern?

Options:

A.

The cost of outsourcing is lower than in-house development.

B.

The vendor development team is located overseas.

C.

A training plan for business users has not been developed.

D.

The data model is not clearly documented.

Buy Now
Questions 343

An IS auditor is reviewing documentation of application systems change control and identifies several patches that were not tested before being put into production. Which of the following is the MOST significant risk from this situation?

Options:

A.

Loss of application support

B.

Lack of system integrity

C.

Outdated system documentation

D.

Developer access 1o production

Buy Now
Questions 344

An organization has made a strategic decision to split into separate operating entities to improve profitability. However, the IT infrastructure remains shared between the entities. Which of the following would BEST help to ensure that IS audit still covers key risk areas within the IT environment as part of its annual plan?

Options:

A.

Increasing the frequency of risk-based IS audits for each business entity

B.

Developing a risk-based plan considering each entity's business processes

C.

Conducting an audit of newly introduced IT policies and procedures

D.

Revising IS audit plans to focus on IT changes introduced after the split

Buy Now
Questions 345

When reviewing a data classification scheme, it is MOST important for an IS auditor to determine if.

Options:

A.

each information asset is to a assigned to a different classification.

B.

the security criteria are clearly documented for each classification

C.

Senior IT managers are identified as information owner.

D.

the information owner is required to approve access to the asset

Buy Now
Questions 346

An IS auditor has discovered that a software system still in regular use is years out of date and no longer supported the auditee has stated that it will take six months until the software is running on the current version. Which of the following is the BEST way to reduce the immediate risk associated with using an unsupported version of the software?

Options:

A.

Verify all patches have been applied to the software system's outdated version

B.

Close all unused ports on the outdated software system.

C.

Segregate the outdated software system from the main network.

D.

Monitor network traffic attempting to reach the outdated software system.

Buy Now
Questions 347

What is the PRIMARY purpose of documenting audit objectives when preparing for an engagement?

Options:

A.

To address the overall risk associated with the activity under review

B.

To identify areas with relatively high probability of material problems

C.

To help ensure maximum use of audit resources during the engagement

D.

To help prioritize and schedule auditee meetings

Buy Now
Questions 348

An IS auditor is reviewing processes for importing market price data from external data providers. Which of the following findings should the auditor consider MOST critical?

Options:

A.

The quality of the data is not monitored.

B.

Imported data is not disposed frequently.

C.

The transfer protocol is not encrypted.

D.

The transfer protocol does not require authentication.

Buy Now
Questions 349

Which of the following is the MOST significant risk that IS auditors are required to consider for each engagement?

Options:

A.

Process and resource inefficiencies

B.

Irregularities and illegal acts

C.

Noncompliance with organizational policies

D.

Misalignment with business objectives

Buy Now
Questions 350

An organization is disposing of a system containing sensitive data and has deleted all files from the hard disk. An IS auditor should be concerned because:

Options:

A.

deleted data cannot easily be retrieved.

B.

deleting the files logically does not overwrite the files' physical data.

C.

backup copies of files were not deleted as well.

D.

deleting all files separately is not as efficient as formatting the hard disk.

Buy Now
Questions 351

What would be an IS auditor's BEST recommendation upon finding that a third-party IT service provider hosts the organization's human resources (HR) system in a foreign country?

Options:

A.

Perform background verification checks.

B.

Review third-party audit reports.

C.

Implement change management review.

D.

Conduct a privacy impact analysis.

Buy Now
Questions 352

An IS auditor reviewing security incident processes realizes incidents are resolved and closed, but root causes are not investigated. Which of the following should be the MAJOR concern with this situation?

Options:

A.

Abuses by employees have not been reported.

B.

Lessons learned have not been properly documented

C.

vulnerabilities have not been properly addressed

D.

Security incident policies are out of date.

Buy Now
Questions 353

Which of the following is the BEST way to mitigate the risk associated with unintentional modifications of complex calculations in end-user computing (EUC)?

Options:

A.

Have an independent party review the source calculations

B.

Execute copies of EUC programs out of a secure library

C.

implement complex password controls

D.

Verify EUC results through manual calculations

Buy Now
Questions 354

An IS auditor has been asked to advise on measures to improve IT governance within the organization. Which at the following is the BEST recommendation?

Options:

A.

Implement key performance indicators (KPIs)

B.

Implement annual third-party audits.

C.

Benchmark organizational performance against industry peers.

D.

Require executive management to draft IT strategy

Buy Now
Questions 355

What should an IS auditor do FIRST when management responses

to an in-person internal control questionnaire indicate a key internal

control is no longer effective?

Options:

A.

Determine the resources required to make the controleffective.

B.

Validate the overall effectiveness of the internal control.

C.

Verify the impact of the control no longer being effective.

D.

Ascertain the existence of other compensating controls.

Buy Now
Questions 356

To confirm integrity for a hashed message, the receiver should use:

Options:

A.

the same hashing algorithm as the sender's to create a binary image of the file.

B.

a different hashing algorithm from the sender's to create a binary image of the file.

C.

the same hashing algorithm as the sender's to create a numerical representation of the file.

D.

a different hashing algorithm from the sender's to create a numerical representation of the file.

Buy Now
Questions 357

An IS auditor has found that an organization is unable to add new servers on demand in a cost-efficient manner. Which of the following is the auditor's BEST recommendation?

Options:

A.

Increase the capacity of existing systems.

B.

Upgrade hardware to newer technology.

C.

Hire temporary contract workers for the IT function.

D.

Build a virtual environment.

Buy Now
Questions 358

Which of the following is the BEST way to mitigate the impact of ransomware attacks?

Options:

A.

Invoking the disaster recovery plan (DRP)

B.

Backing up data frequently

C.

Paying the ransom

D.

Requiring password changes for administrative accounts

Buy Now
Questions 359

An IS auditor notes that several employees are spending an excessive amount of time using social media sites for personal reasons. Which of the following should the auditor recommend be performed FIRST?

Options:

A.

Implement a process to actively monitor postings on social networking sites.

B.

Adjust budget for network usage to include social media usage.

C.

Use data loss prevention (DLP) tools on endpoints.

D.

implement policies addressing acceptable usage of social media during working hours.

Buy Now
Questions 360

Malicious program code was found in an application and corrected prior to release into production. After the release, the same issue was reported. Which of the following is the IS auditor's BEST recommendation?

Options:

A.

Ensure corrected program code is compiled in a dedicated server.

B.

Ensure change management reports are independently reviewed.

C.

Ensure programmers cannot access code after the completion of program edits.

D.

Ensure the business signs off on end-to-end user acceptance test (UAT) results.

Buy Now
Questions 361

Which of the following documents would be MOST useful in detecting a weakness in segregation of duties?

Options:

A.

System flowchart

B.

Data flow diagram

C.

Process flowchart

D.

Entity-relationship diagram

Buy Now
Questions 362

Prior to a follow-up engagement, an IS auditor learns that management has decided to accept a level of residual risk related to an audit finding without remediation. The IS auditor is concerned about management's decision. Which of the following should be the IS auditor's NEXT course of action?

Options:

A.

Accept management's decision and continue the follow-up.

B.

Report the issue to IS audit management.

C.

Report the disagreement to the board.

D.

Present the issue to executive management.

Buy Now
Questions 363

Which of the following should be the PRIMARY basis for prioritizing follow-up audits?

Options:

A.

Audit cycle defined in the audit plan

B.

Complexity of management's action plans

C.

Recommendation from executive management

D.

Residual risk from the findings of previous audits

Buy Now
Questions 364

An IS auditor is reviewing an organization's information asset management process. Which of the following would be of GREATEST concern to the auditor?

Options:

A.

The process does not require specifying the physical locations of assets.

B.

Process ownership has not been established.

C.

The process does not include asset review.

D.

Identification of asset value is not included in the process.

Buy Now
Questions 365

During an incident management audit, an IS auditor finds that several similar incidents were logged during the audit period. Which of the following is the auditor's MOST important course of action?

Options:

A.

Document the finding and present it to management.

B.

Determine if a root cause analysis was conducted.

C.

Confirm the resolution time of the incidents.

D.

Validate whether all incidents have been actioned.

Buy Now
Questions 366

Which of the following is the MOST effective control to mitigate unintentional misuse of authorized access?

Options:

A.

Annual sign-off of acceptable use policy

B.

Regular monitoring of user access logs

C.

Security awareness training

D.

Formalized disciplinary action

Buy Now
Questions 367

When determining whether a project in the design phase will meet organizational objectives, what is BEST to compare against the business case?

Options:

A.

Implementation plan

B.

Project budget provisions

C.

Requirements analysis

D.

Project plan

Buy Now
Questions 368

An IS auditor is conducting a post-implementation review of an enterprise resource planning (ERP) system. End users indicated concerns with the accuracy of critical automatic calculations made by the system. The auditor's FIRST course of action should be to:

Options:

A.

review recent changes to the system.

B.

verify completeness of user acceptance testing (UAT).

C.

verify results to determine validity of user concerns.

D.

review initial business requirements.

Buy Now
Questions 369

Which of the following should an IS auditor recommend as a PRIMARY area of focus when an organization decides to outsource technical support for its external customers?

Options:

A.

Align service level agreements (SLAs) with current needs.

B.

Monitor customer satisfaction with the change.

C.

Minimize costs related to the third-party agreement.

D.

Ensure right to audit is included within the contract.

Buy Now
Questions 370

Which of the following is the BEST source of information for assessing the effectiveness of IT process monitoring?

Options:

A.

Real-time audit software

B.

Performance data

C.

Quality assurance (QA) reviews

D.

Participative management techniques

Buy Now
Questions 371

Which of the following BEST indicates the effectiveness of an organization's risk management program?

Options:

A.

Inherent risk is eliminated.

B.

Residual risk is minimized.

C.

Control risk is minimized.

D.

Overall risk is quantified.

Buy Now
Questions 372

Which of the following is the BEST method to safeguard data on an organization's laptop computers?

Options:

A.

Disabled USB ports

B.

Full disk encryption

C.

Biometric access control

D.

Two-factor authentication

Buy Now
Questions 373

An organization's software developers need access to personally identifiable information (Pll) stored in a particular data format. Which of the following is the BEST way to protect this sensitive information while allowing the developers to use it in development and test environments?

Options:

A.

Data masking

B.

Data tokenization

C.

Data encryption

D.

Data abstraction

Buy Now
Questions 374

Which of the following is the MOST important benefit of involving IS audit when implementing governance of enterprise IT?

Options:

A.

Identifying relevant roles for an enterprise IT governance framework

B.

Making decisions regarding risk response and monitoring of residual risk

C.

Verifying that legal, regulatory, and contractual requirements are being met

D.

Providing independent and objective feedback to facilitate improvement of IT processes

Buy Now
Questions 375

Which of the following should be GREATEST concern to an IS auditor reviewing data conversion and migration during the implementation of a new application system?

Options:

A.

Data conversion was performed using manual processes.

B.

Backups of the old system and data are not available online.

C.

Unauthorized data modifications occurred during conversion.

D.

The change management process was not formally documented

Buy Now
Questions 376

When reviewing an organization's information security policies, an IS auditor should verify that the policies have been defined PRIMARILY on the basis of:

Options:

A.

a risk management process.

B.

an information security framework.

C.

past information security incidents.

D.

industry best practices.

Buy Now
Questions 377

An IS auditor discovers an option in a database that allows the administrator to directly modify any table. This option is necessary to overcome bugs in the software, but is rarely used. Changes to tables are automatically logged. The IS auditor's FIRST action should be to:

Options:

A.

recommend that the option to directly modify the database be removed immediately.

B.

recommend that the system require two persons to be involved in modifying the database.

C.

determine whether the log of changes to the tables is backed up.

D.

determine whether the audit trail is secured and reviewed.

Buy Now
Questions 378

An IS auditor is following up on prior period items and finds management did not address an audit finding. Which of the following should be the IS auditor's NEXT course of action?

Options:

A.

Note the exception in a new report as the item was not addressed by management.

B.

Recommend alternative solutions to address the repeat finding.

C.

Conduct a risk assessment of the repeat finding.

D.

Interview management to determine why the finding was not addressed.

Buy Now
Questions 379

Which of the following would BEST demonstrate that an effective disaster recovery plan (DRP) is in place?

Options:

A.

Frequent testing of backups

B.

Annual walk-through testing

C.

Periodic risk assessment

D.

Full operational test

Buy Now
Questions 380

In a 24/7 processing environment, a database contains several privileged application accounts with passwords set to never expire. Which of the following recommendations would BEST address the risk with minimal disruption to the business?

Options:

A.

Modify applications to no longer require direct access to the database.

B.

Introduce database access monitoring into the environment

C.

Modify the access management policy to make allowances for application accounts.

D.

Schedule downtime to implement password changes.

Buy Now
Questions 381

An IT balanced scorecard is the MOST effective means of monitoring:

Options:

A.

governance of enterprise IT.

B.

control effectiveness.

C.

return on investment (ROI).

D.

change management effectiveness.

Buy Now
Questions 382

Which of the following fire suppression systems needs to be combined with an automatic switch to shut down the electricity supply in the event of activation?

Options:

A.

Carbon dioxide

B.

FM-200

C.

Dry pipe

D.

Halon

Buy Now
Questions 383

When an intrusion into an organization network is deleted, which of the following should be done FIRST?

Options:

A.

Block all compromised network nodes.

B.

Contact law enforcement.

C.

Notify senior management.

D.

Identity nodes that have been compromised.

Buy Now
Questions 384

Which of the following is MOST important for an effective control self-assessment (CSA) program?

Options:

A.

Determining the scope of the assessment

B.

Performing detailed test procedures

C.

Evaluating changes to the risk environment

D.

Understanding the business process

Buy Now
Questions 385

Which of the following provides the MOST reliable audit evidence on the validity of transactions in a financial application?

Options:

A.

Walk-through reviews

B.

Substantive testing

C.

Compliance testing

D.

Design documentation reviews

Buy Now
Questions 386

A proper audit trail of changes to server start-up procedures would include evidence of:

Options:

A.

subsystem structure.

B.

program execution.

C.

security control options.

D.

operator overrides.

Buy Now
Questions 387

Which of the following is MOST useful for determining whether the goals of IT are aligned with the organization's goals?

Options:

A.

Balanced scorecard

B.

Enterprise dashboard

C.

Enterprise architecture (EA)

D.

Key performance indicators (KPIs)

Buy Now
Questions 388

Which of the following is the BEST way to determine whether a test of a disaster recovery plan (DRP) was successful?

Options:

A.

Analyze whether predetermined test objectives were met.

B.

Perform testing at the backup data center.

C.

Evaluate participation by key personnel.

D.

Test offsite backup files.

Buy Now
Questions 389

Which of the following tests would provide the BEST assurance that a health care organization is handling patient data appropriately?

Options:

A.

Compliance with action plans resulting from recent audits

B.

Compliance with local laws and regulations

C.

Compliance with industry standards and best practice

D.

Compliance with the organization's policies and procedures

Buy Now
Questions 390

Which of the following MOST effectively minimizes downtime during system conversions?

Options:

A.

Phased approach

B.

Direct cutover

C.

Pilot study

D.

Parallel run

Buy Now
Questions 391

An IS auditor is evaluating an organization's IT strategy and plans. Which of the following would be of GREATEST concern?

Options:

A.

There is not a defined IT security policy.

B.

The business strategy meeting minutes are not distributed.

C.

IT is not engaged in business strategic planning.

D.

There is inadequate documentation of IT strategic planning.

Buy Now
Questions 392

An IS auditor who was instrumental in designing an application is called upon to review the application. The auditor should:

Options:

A.

refuse the assignment to avoid conflict of interest.

B.

use the knowledge of the application to carry out the audit.

C.

inform audit management of the earlier involvement.

D.

modify the scope of the audit.

Buy Now
Questions 393

A data breach has occurred due lo malware. Which of the following should be the FIRST course of action?

Options:

A.

Notify the cyber insurance company.

B.

Shut down the affected systems.

C.

Quarantine the impacted systems.

D.

Notify customers of the breach.

Buy Now
Questions 394

An IS audit reveals that an organization is not proactively addressing known vulnerabilities. Which of the following should the IS auditor recommend the organization do FIRST?

Options:

A.

Verify the disaster recovery plan (DRP) has been tested.

B.

Ensure the intrusion prevention system (IPS) is effective.

C.

Assess the security risks to the business.

D.

Confirm the incident response team understands the issue.

Buy Now
Questions 395

The implementation of an IT governance framework requires that the board of directors of an organization:

Options:

A.

Address technical IT issues.

B.

Be informed of all IT initiatives.

C.

Have an IT strategy committee.

D.

Approve the IT strategy.

Buy Now
Questions 396

An IS auditor finds that a key Internet-facing system is vulnerable to attack and that patches are not available. What should the auditor recommend be done FIRST?

Options:

A.

Implement a new system that can be patched.

B.

Implement additional firewalls to protect the system.

C.

Decommission the server.

D.

Evaluate the associated risk.

Buy Now
Questions 397

An organization's security policy mandates that all new employees must receive appropriate security awareness training. Which of the following metrics would BEST assure compliance with this policy?

Options:

A.

Percentage of new hires that have completed the training.

B.

Number of new hires who have violated enterprise security policies.

C.

Number of reported incidents by new hires.

D.

Percentage of new hires who report incidents

Buy Now
Questions 398

Which of the following is the MOST important reason to implement version control for an end-user computing (EUC) application?

Options:

A.

To ensure that older versions are availability for reference

B.

To ensure that only the latest approved version of the application is used

C.

To ensure compatibility different versions of the application

D.

To ensure that only authorized users can access the application

Buy Now
Questions 399

Which of the following would MOST likely impair the independence of the IS auditor when performing a post-implementation review of an application system?

Options:

A.

The IS auditor provided consulting advice concerning application system best practices.

B.

The IS auditor participated as a member of the application system project team, but did not have operational responsibilities.

C.

The IS auditor designed an embedded audit module exclusively for auditing the application system.

D.

The IS auditor implemented a specific control during the development of the application system.

Buy Now
Questions 400

Management has requested a post-implementation review of a newly implemented purchasing package to determine to what extent business requirements are being met. Which of the following is MOST likely to be assessed?

Options:

A.

Purchasing guidelines and policies

B.

Implementation methodology

C.

Results of line processing

D.

Test results

Buy Now
Questions 401

Which of the following would be to MOST concern when determine if information assets are adequately safequately safeguarded during transport and disposal?

Options:

A.

Lack of appropriate labelling

B.

Lack of recent awareness training.

C.

Lack of password protection

D.

Lack of appropriate data classification

Buy Now
Questions 402

Which of the following is the PRIMARY advantage of parallel processing for a new system implementation?

Options:

A.

Assurance that the new system meets functional requirements

B.

More time for users to complete training for the new system

C.

Significant cost savings over other system implemental or approaches

D.

Assurance that the new system meets performance requirements

Buy Now
Questions 403

A system development project is experiencing delays due to ongoing staff shortages. Which of the following strategies would provide the GREATEST assurance of system quality at implementation?

Options:

A.

Implement overtime pay and bonuses for all development staff.

B.

Utilize new system development tools to improve productivity.

C.

Recruit IS staff to expedite system development.

D.

Deliver only the core functionality on the initial target date.

Buy Now
Questions 404

Which of the following BEST ensures the quality and integrity of test procedures used in audit analytics?

Options:

A.

Developing and communicating test procedure best practices to audit teams

B.

Developing and implementing an audit data repository

C.

Decentralizing procedures and Implementing periodic peer review

D.

Centralizing procedures and implementing change control

Buy Now
Questions 405

Which of the following is the MOST important prerequisite for the protection of physical information assets in a data center?

Options:

A.

Segregation of duties between staff ordering and staff receiving information assets

B.

Complete and accurate list of information assets that have been deployed

C.

Availability and testing of onsite backup generators

D.

Knowledge of the IT staff regarding data protection requirements

Buy Now
Questions 406

Which of the following data would be used when performing a business impact analysis (BIA)?

Options:

A.

Projected impact of current business on future business

B.

Cost-benefit analysis of running the current business

C.

Cost of regulatory compliance

D.

Expected costs for recovering the business

Buy Now
Questions 407

A system administrator recently informed the IS auditor about the occurrence of several unsuccessful intrusion attempts from outside the organization. Which of the following is MOST effective in detecting such an intrusion?

Options:

A.

Periodically reviewing log files

B.

Configuring the router as a firewall

C.

Using smart cards with one-time passwords

D.

Installing biometrics-based authentication

Buy Now
Questions 408

Which of the following should be done FIRST when planning a penetration test?

Options:

A.

Execute nondisclosure agreements (NDAs).

B.

Determine reporting requirements for vulnerabilities.

C.

Define the testing scope.

D.

Obtain management consent for the testing.

Buy Now
Questions 409

Which of the following provides the MOST useful information to an IS auditor when selecting projects for inclusion in an IT audit plan?

Options:

A.

Project charter

B.

Project plan

C.

Project issue log

D.

Project business case

Buy Now
Questions 410

An IS auditor learns a server administration team regularly applies workarounds to address repeated failures of critical data processing services Which of the following would BEST enable the organization to resolve this issue?

Options:

A.

Problem management

B.

Incident management

C.

Service level management

D.

Change management

Buy Now
Questions 411

Which of the following areas is MOST likely to be overlooked when implementing a new data classification process?

Options:

A.

End-user computing (EUC) systems

B.

Email attachments

C.

Data sent to vendors

D.

New system applications

Buy Now
Questions 412

Which of the following should be of GREATEST concern to an |$ auditor reviewing data conversion and migration during the implementation of a newapplication system?

Options:

A.

The change management process was not formally documented

B.

Backups of the old system and data are not available online

C.

Unauthorized data modifications occurred during conversion,

D.

Data conversion was performed using manual processes

Buy Now
Questions 413

In which of the following system development life cycle (SDLC) phases would an IS auditor expect to find that controls have been incorporated into system specifications?

Options:

A.

Implementation

B.

Development

C.

Feasibility

D.

Design

Buy Now
Questions 414

When auditing the feasibility study of a system development project, the IS auditor should:

Options:

A.

review qualifications of key members of the project team.

B.

review the request for proposal (RFP) to ensure that it covers the scope of work.

C.

review cost-benefit documentation for reasonableness.

D.

ensure that vendor contracts are reviewed by legal counsel.

Buy Now
Questions 415

Which of the following is an advantage of using agile software development methodology over the waterfall methodology?

Options:

A.

Less funding required overall

B.

Quicker deliverables

C.

Quicker end user acceptance

D.

Clearly defined business expectations

Buy Now
Questions 416

Which of the following is MOST important with regard to an application development acceptance test?

Options:

A.

The programming team is involved in the testing process.

B.

All data files are tested for valid information before conversion.

C.

User management approves the test design before the test is started.

D.

The quality assurance (QA) team is in charge of the testing process.

Buy Now
Questions 417

An IS auditor is planning an audit of an organization's accounts payable processes. Which of the following controls is MOST important to assess in the audit?

Options:

A.

Segregation of duties between issuing purchase orders and making payments.

B.

Segregation of duties between receiving invoices and setting authorization limits

C.

Management review and approval of authorization tiers

D.

Management review and approval of purchase orders

Buy Now
Questions 418

From an IS auditor's perspective, which of the following would be the GREATEST risk associated with an incomplete inventory of deployed software in an organization?

Options:

A.

Inability to close unused ports on critical servers

B.

Inability to identify unused licenses within the organization

C.

Inability to deploy updated security patches

D.

Inability to determine the cost of deployed software

Buy Now
Questions 419

During an audit of a reciprocal disaster recovery agreement between two companies, the IS auditor would be MOST concerned with the:

Options:

A.

allocation of resources during an emergency.

B.

frequency of system testing.

C.

differences in IS policies and procedures.

D.

maintenance of hardware and software compatibility.

Buy Now
Questions 420

An IS auditor wants to determine who has oversight of staff performing a specific task and is referencing the organization's RACI chart. Which of the following roles within the chart would provide this information?

Options:

A.

Consulted

B.

Informed

C.

Responsible

D.

Accountable

Buy Now
Questions 421

In a small IT web development company where developers must have write access to production, the BEST recommendation of an IS auditor would be to:

Options:

A.

hire another person to perform migration to production.

B.

implement continuous monitoring controls.

C.

remove production access from the developers.

D.

perform a user access review for the development team

Buy Now
Questions 422

Cross-site scripting (XSS) attacks are BEST prevented through:

Options:

A.

application firewall policy settings.

B.

a three-tier web architecture.

C.

secure coding practices.

D.

use of common industry frameworks.

Buy Now
Exam Code: CISA
Exam Name: Certified Information Systems Auditor
Last Update: Aug 14, 2025
Questions: 1407

PDF + Testing Engine

$87.15  $249

Testing Engine

$78.75  $225
buy now CISA testing engine

PDF (Q&A)

$69.65  $199
buy now CISA pdf
dumpsmate guaranteed to pass
24/7 Customer Support

DumpsMate's team of experts is always available to respond your queries on exam preparation. Get professional answers on any topic of the certification syllabus. Our experts will thoroughly satisfy you.

Site Secure

mcafee secure

TESTED 18 Aug 2025