Special Summer Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: clap70

CISA Certified Information Systems Auditor Questions and Answers

Questions 4

The PRIMARY benefit lo using a dry-pipe fire-suppression system rather than a wet-pipe system is that a dry-pipe system:

Options:

A.

is more effective at suppressing flames.

B.

allows more time to abort release of the suppressant.

C.

has a decreased risk of leakage.

D.

disperses dry chemical suppressants exclusively.

Buy Now
Questions 5

When implementing Internet Protocol security (IPsec) architecture, the servers involved in application delivery:

Options:

A.

communicate via Transport Layer Security (TLS),

B.

block authorized users from unauthorized activities.

C.

channel access only through the public-facing firewall.

D.

channel access through authentication.

Buy Now
Questions 6

An organization has recently acquired and implemented intelligent-agent software for granting loans to customers. During the post-implementation review, which of the following is the MOST important procedure for the IS auditor to perform?

Options:

A.

Review system and error logs to verify transaction accuracy.

B.

Review input and output control reports to verify the accuracy of the system decisions.

C.

Review signed approvals to ensure responsibilities for decisions of the system are well defined.

D.

Review system documentation to ensure completeness.

Buy Now
Questions 7

Which of the following is MOST critical to the success of an information security program?

Options:

A.

User accountability for information security

B.

Management's commitment to information security

C.

Integration of business and information security

D.

Alignment of information security with IT objectives

Buy Now
Questions 8

When reviewing past results of a recurring annual audit, an IS auditor notes that findings may not have been reported and independence may not have been maintained. Which of the following is the auditor's BEST course of action?

Options:

A.

Inform senior management.

B.

Reevaluate internal controls.

C.

Inform audit management.

D.

Re-perform past audits to ensure independence.

Buy Now
Questions 9

Which of the following is the MOST important responsibility of data owners when implementing a data classification process?

Options:

A.

Reviewing emergency changes to data

B.

Authorizing application code changes

C.

Determining appropriate user access levels

D.

Implementing access rules over database tables

Buy Now
Questions 10

Which of the following is the GREATEST risk when relying on reports generated by end-user computing (EUC)?

Options:

A.

Data may be inaccurate.

B.

Reports may not work efficiently.

C.

Reports may not be timely.

D.

Historical data may not be available.

Buy Now
Questions 11

Stress testing should ideally be carried out under a:

Options:

A.

test environment with production workloads.

B.

test environment with test data.

C.

production environment with production workloads.

D.

production environment with test data.

Buy Now
Questions 12

A project team has decided to switch to an agile approach to develop a replacement for an existing business application. Which of the following should an IS auditor do FIRST to ensure the effectiveness of the protect audit?

Options:

A.

Compare the agile process with previous methodology.

B.

Identify and assess existing agile process control

C.

Understand the specific agile methodology that will be followed.

D.

Interview business process owners to compile a list of business requirements

Buy Now
Questions 13

Which of the following is the PRIMARY reason an IS auditor should discuss observations with management before delivering a final report?

Options:

A.

Validate the audit observations_

B.

Identify business risks associated with the observations.

C.

Assist the management with control enhancements.

D.

Record the proposed course of corrective action.

Buy Now
Questions 14

Which of the following provides the BEST evidence of the validity and integrity of logs in an organization's security information and event management (SIEM) system?

Options:

A.

Compliance testing

B.

Stop-or-go sampling

C.

Substantive testing

D.

Variable sampling

Buy Now
Questions 15

During a new system implementation, an IS auditor has been assigned to review risk management at each milestone. The auditor finds that several risks to project benefits have not been addressed. Who should be accountable for managing these risks?

Options:

A.

Enterprise risk manager

B.

Project sponsor

C.

Information security officer

D.

Project manager

Buy Now
Questions 16

Which of the following BEST minimizes performance degradation of servers used to authenticate users of an e-commerce website?

Options:

A.

Configure a single server as a primary authentication server and a second server as a secondary authentication server.

B.

Configure each authentication server as belonging to a cluster of authentication servers.

C.

Configure each authentication server and ensure that each disk of its RAID is attached to the primary controller.

D.

Configure each authentication server and ensure that the disks of each server form part of a duplex.

Buy Now
Questions 17

Which of the following is the PRIMARY reason for an IS auditor to conduct post-implementation reviews?

Options:

A.

To determine whether project objectives in the business case have been achieved

B.

To ensure key stakeholder sign-off has been obtained

C.

To align project objectives with business needs

D.

To document lessons learned to improve future project delivery

Buy Now
Questions 18

Which of the following should be the FRST step when developing a data toes prevention (DIP) solution for a large organization?

Options:

A.

Identify approved data workflows across the enterprise.

B.

Conduct a threat analysis against sensitive data usage.

C.

Create the DLP pcJc.es and templates

D.

Conduct a data inventory and classification exercise

Buy Now
Questions 19

A review of Internet security disclosed that users have individual user accounts with Internet service providers (ISPs) and use these accounts for downloading business data. The organization wants to ensure that only the corporate network is used. The organization should FIRST:

Options:

A.

use a proxy server to filter out Internet sites that should not be accessed.

B.

keep a manual log of Internet access.

C.

monitor remote access activities.

D.

include a statement in its security policy about Internet use.

Buy Now
Questions 20

Which of the following is MOST important for an IS auditor to examine when reviewing an organization's privacy policy?

Options:

A.

Whether there is explicit permission from regulators to collect personal data

B.

The organization's legitimate purpose for collecting personal data

C.

Whether sharing of personal information with third-party service providers is prohibited

D.

The encryption mechanism selected by the organization for protecting personal data

Buy Now
Questions 21

Which of the following BEST Indicates that an incident management process is effective?

Options:

A.

Decreased time for incident resolution

B.

Increased number of incidents reviewed by IT management

C.

Decreased number of calls lo the help desk

D.

Increased number of reported critical incidents

Buy Now
Questions 22

An employee loses a mobile device resulting in loss of sensitive corporate data. Which o( the following would have BEST prevented data leakage?

Options:

A.

Data encryption on the mobile device

B.

Complex password policy for mobile devices

C.

The triggering of remote data wipe capabilities

D.

Awareness training for mobile device users

Buy Now
Questions 23

When planning an internal penetration test, which of the following is the MOST important step prior to finalizing the scope of testing?

Options:

A.

Ensuring the scope of penetration testing is restricted to the test environment

B.

Obtaining management's consent to the testing scope in writing

C.

Notifying the IT security department regarding the testing scope

D.

Agreeing on systems to be excluded from the testing scope with the IT department

Buy Now
Questions 24

Which of the following is the MOST effective control for protecting the confidentiality and integrity of data stored unencrypted on virtual machines?

Options:

A.

Monitor access to stored images and snapshots of virtual machines.

B.

Restrict access to images and snapshots of virtual machines.

C.

Limit creation of virtual machine images and snapshots.

D.

Review logical access controls on virtual machines regularly.

Buy Now
Questions 25

The following findings are the result of an IS auditor's post-implementation review of a newly implemented system. Which of the following findings is of GREATEST significance?

Options:

A.

A lessons-learned session was never conducted.

B.

The projects 10% budget overrun was not reported to senior management.

C.

Measurable benefits were not defined.

D.

Monthly dashboards did not always contain deliverables.

Buy Now
Questions 26

During an audit of a financial application, it was determined that many terminated users' accounts were not disabled. Which of the following should be the IS auditor's NEXT step?

Options:

A.

Perform substantive testing of terminated users' access rights.

B.

Perform a review of terminated users' account activity

C.

Communicate risks to the application owner.

D.

Conclude that IT general controls ate ineffective.

Buy Now
Questions 27

An IS audit manager was temporarily tasked with supervising a project manager assigned to the organization's payroll application upgrade. Upon returning to the audit department, the audit manager has been asked to perform an audit to validate the implementation of the payroll application. The audit manager is the only one in the audit department with IT project management

experience. What is the BEST course of action?

Options:

A.

Transfer the assignment to a different audit manager despite lack of IT project management experience.

B.

Outsource the audit to independent and qualified resources.

C.

Manage the audit since there is no one else with the appropriate experience.

D.

Have a senior IS auditor manage the project with the IS audit manager performing final review.

Buy Now
Questions 28

To confirm integrity for a hashed message, the receiver should use:

Options:

A.

the same hashing algorithm as the sender's to create a binary image of the file.

B.

a different hashing algorithm from the sender's to create a binary image of the file.

C.

the same hashing algorithm as the sender's to create a numerical representation of the file.

D.

a different hashing algorithm from the sender's to create a numerical representation of the file.

Buy Now
Questions 29

Which of the following BEST describes an audit risk?

Options:

A.

The company is being sued for false accusations.

B.

The financial report may contain undetected material errors.

C.

Employees have been misappropriating funds.

D.

Key employees have not taken vacation for 2 years.

Buy Now
Questions 30

Which of the following is MOST important to determine during the planning phase of a cloud-based messaging and collaboration platform acquisition?

Options:

A.

Role-based access control policies

B.

Types of data that can be uploaded to the platform

C.

Processes for on-boarding and off-boarding users to the platform

D.

Processes for reviewing administrator activity

Buy Now
Questions 31

Which of the following is the MOST important reason for an IS auditor to examine the results of a post-incident review performed after a security incident?

Options:

A.

To evaluate the effectiveness of continuous improvement efforts

B.

To compare incident response metrics with industry benchmarks

C.

To re-analyze the incident to identify any hidden backdoors planted by the attacker

D.

To evaluate the effectiveness of the network firewall against future security breaches

Buy Now
Questions 32

Which of the following is the PRIMARY objective of implementing privacy-related controls within an organization?

Options:

A.

To prevent confidential data loss

B.

To comply with legal and regulatory requirements

C.

To identify data at rest and data in transit for encryption

D.

To provide options to individuals regarding use of their data

Buy Now
Questions 33

Which of the following findings would be of GREATEST concern to an IS auditor assessing an organization's patch management process?

Options:

A.

The organization's software inventory is not complete.

B.

Applications frequently need to be rebooted for patches to take effect.

C.

Software vendors are bundling patches.

D.

Testing patches takes significant time.

Buy Now
Questions 34

A business has requested an audit to determine whether information stored in an application is adequately protected. Which of the following is the MOST important action before the audit work begins?

Options:

A.

Review remediation reports

B.

Establish control objectives.

C.

Assess the threat landscape.

D.

Perform penetration testing.

Buy Now
Questions 35

Which of the following BEST demonstrates to senior management and the board that an audit function is compliant with standards and the code of ethics?

Options:

A.

Audit staff interviews

B.

Quality control reviews

C.

Control self-assessments (CSAs)

D.

Corrective action plans

Buy Now
Questions 36

An organization has recently become aware of a pervasive chip-level security vulnerability that affects all of its processors. Which of the following is the BEST way to prevent this vulnerability from being exploited?

Options:

A.

Implement security awareness training.

B.

Install vendor patches

C.

Review hardware vendor contracts.

D.

Review security log incidents.

Buy Now
Questions 37

Which of the following is the MOST efficient solution for a multi-location healthcare organization that wants to be able to access patient data wherever patients present themselves

for care?

Options:

A.

Infrastructure as a Service (laaS) provider

B.

Software as a Service (SaaS) provider

C.

Network segmentation

D.

Dynamic localization

Buy Now
Questions 38

An organization's IT risk assessment should include the identification of:

Options:

A.

vulnerabilities

B.

compensating controls

C.

business needs

D.

business process owners

Buy Now
Questions 39

An IS auditor is evaluating the access controls for a shared customer relationship management (CRM) system. Which of the following would be the GREATEST concern?

Options:

A.

Single sign-on is not enabled

B.

Audit logging is not enabled

C.

Security baseline is not consistently applied

D.

Complex passwords are not required

Buy Now
Questions 40

Which of the following is MOST important during software license audits?

Options:

A.

Judgmental sampling

B.

Substantive testing

C.

Compliance testing

D.

Stop-or-go sampling

Buy Now
Questions 41

Which of the following is the BEST indication to an IS auditor that management's post-implementation review was effective?

Options:

A.

Lessons learned were documented and applied.

B.

Business and IT stakeholders participated in the post-implementation review.

C.

Post-implementation review is a formal phase in the system development life cycle (SDLC).

D.

Internal audit follow-up was completed without any findings.

Buy Now
Questions 42

The PRIMARY purpose of requiring source code escrow in a contractual agreement is to:

Options:

A.

comply with vendor management policy

B.

convert source code to new executable code.

C.

satisfy regulatory requirements.

D.

ensure the source code is available.

Buy Now
Questions 43

The operations team of an organization has reported an IS security attack Which of the following should be the FIRST step for the security incident response team?

Options:

A.

Report results to management

B.

Document lessons learned

C.

Perform a damage assessment

D.

Prioritize resources for corrective action

Buy Now
Questions 44

Which of the following is the MOST effective method of destroying sensitive data stored on electronic media?

Options:

A.

Degaussing

B.

Random character overwrite

C.

Physical destruction

D.

Low-level formatting

Buy Now
Questions 45

An organization is shifting to a remote workforce In preparation the IT department is performing stress and capacity testing of remote access infrastructure and systems What type of control is being implemented?

Options:

A.

Directive

B.

Detective

C.

Preventive

D.

Compensating

Buy Now
Questions 46

The use of which of the following is an inherent risk in the application container infrastructure?

Options:

A.

Shared registries

B.

Host operating system

C.

Shared data

D.

Shared kernel

Buy Now
Questions 47

Which of the following is me GREATE ST impact as a result of the ongoing deterioration of a detective control?

Options:

A.

Increased number of false negatives in security logs

B.

Decreased effectiveness of roof cause analysis

C.

Decreased overall recovery time

D.

Increased demand for storage space for logs

Buy Now
Questions 48

Which of the following would be MOST impacted if an IS auditor were to assist with the implementation of recommended control enhancements?

Options:

A.

Independence

B.

Integrity

C.

Materiality

D.

Accountability

Buy Now
Questions 49

During an exit interview, senior management disagrees with some of me facts presented m the draft audit report and wants them removed from the report. Which of the following would be the auditor's BEST course of action?

Options:

A.

Revise the assessment based on senior management's objections.

B.

Escalate the issue to audit management.

C.

Finalize the draft audit report without changes.

D.

Gather evidence to analyze senior management's objections

Buy Now
Questions 50

Following a merger, a review of an international organization determines the IT steering committee's decisions do not extend to regional offices as required in the consolidated IT operating model. Which of the following is the IS auditor's BEST recommendation?

Options:

A.

Create regional centers of excellence.

B.

Engage an IT governance consultant.

C.

Create regional IT steering committees.

D.

Update the IT steering committee's formal charter.

Buy Now
Questions 51

During which stage of the penetration test cycle does the tester utilize identified vulnerabilities to attempt to access the target system?

Options:

A.

Exfiltration

B.

Exploitation

C.

Reconnaissance

D.

Scanning

Buy Now
Questions 52

What is the MOST effective way to manage contractors' access to a data center?

Options:

A.

Badge identification worn by visitors

B.

Escort requirement for visitor access

C.

Management approval of visitor access

D.

Verification of visitor identification

Buy Now
Questions 53

During the discussion of a draft audit report. IT management provided suitable evidence fiat a process has been implemented for a control that had been concluded by the IS auditor as Ineffective. Which of the following is the auditor's BEST action?

Options:

A.

Explain to IT management that the new control will be evaluated during follow-up

B.

Re-perform the audit before changing the conclusion.

C.

Change the conclusion based on evidence provided by IT management.

D.

Add comments about the action taken by IT management in the report.

Buy Now
Questions 54

Which of the following responsibilities of an organization's quality assurance (QA) function should raise concern for an IS auditor?

Options:

A.

Ensuring standards are adhered to within the development process

B.

Ensuring the test work supports observations

C.

Updating development methodology

D.

Implementing solutions to correct defects

Buy Now
Questions 55

Which of the following BEST enables an organization to improve the effectiveness of its incident response team?

Options:

A.

Conducting periodic testing and incorporating lessons learned

B.

Increasing the mean resolution time and publishing key performance indicator (KPI) metrics

C.

Disseminating incident response procedures and requiring signed acknowledgment by team members

D.

Ensuring all team members understand information systems technology

Buy Now
Questions 56

Which of the following is the PRIMARY reason for an IS auditor to perform a risk assessment?

Options:

A.

It helps to identify areas with a relatively high probability of material problems.

B.

It provides a basis for the formulation of corrective action plans.

C.

It increases awareness of the types of management actions that may be inappropriate

D.

It helps to identify areas that are most sensitive to fraudulent or inaccurate practices

Buy Now
Questions 57

An IS audit review identifies inconsistencies in privacy requirements across third-party service provider contracts. Which of the following is the BEST

recommendation to address this situation?

Options:

A.

Suspend contracts with third-party providers that handle sensitive data.

B.

Prioritize contract amendments for third-party providers.

C.

Review privacy requirements when contracts come up for renewal.

D.

Require third-party providers to sign nondisclosure agreements (NDAs).

Buy Now
Questions 58

An organization uses public key infrastructure (PKI) to provide email security. Which of the following would be the MOST efficient method to determine whether email messages have been modified in transit?

Options:

A.

The message is encrypted using a symmetric algorithm.

B.

The message is sent using Transport Layer Security (TLS) protocol.

C.

The message is sent along with an encrypted hash of the message.

D.

The message is encrypted using the private key of the sender.

Buy Now
Questions 59

Which of the following is the MOST effective accuracy control for entry of a valid numeric part number?

Options:

A.

Hash totals

B.

Online review of description

C.

Comparison to historical order pattern

D.

Self-checking digit

Buy Now
Questions 60

Which of the following BEST facilitates strategic program management?

Options:

A.

Implementing stage gates

B.

Establishing a quality assurance (QA) process

C.

Aligning projects with business portfolios

D.

Tracking key project milestones

Buy Now
Questions 61

In a high-volume, real-time system, the MOST effective technique by which to continuously monitor and analyze transaction processing is:

Options:

A.

integrated test facility (ITF).

B.

parallel simulation.

C.

transaction tagging.

D.

embedded audit modules.

Buy Now
Questions 62

A bank performed minor changes to the interest calculation computer program. Which of the following techniques would provide the STRONGEST evidence to determine whether the interest calculations are correct?

Options:

A.

Source code review

B.

Parallel simulation using audit software

C.

Manual verification of a sample of the results

D.

Review of the quality assurance (QA) test results

Buy Now
Questions 63

Which of the following is the BEST way to identify whether the IT help desk is meeting service level agreements (SLAS)?

Options:

A.

Review exception reports

B.

Review IT staffing schedules.

C.

Analyze help desk ticket logs

D.

Conduct IT management interviews

Buy Now
Questions 64

Which of the following BEST contributes to the quality of an audit of a business-critical application?

Options:

A.

Assigning the audit to independent external auditors

B.

Reviewing previous findings reported by the application owner

C.

Identifying common coding errors made by the development team

D.

Involving the application owner early in the audit planning process

Buy Now
Questions 65

An IS auditor has identified deficiencies within the organization's software development life cycle policies. Which of the following should be done NEXT?

Options:

A.

Document the findings in the audit report.

B.

Identify who approved the policies.

C.

Escalate the situation to the lead auditor.

D.

Communicate the observation to the auditee.

Buy Now
Questions 66

Which of the following would the IS auditor MOST likely review to determine whether modifications to the operating system parameters were authorized?

Options:

A.

Documentation of exit routines

B.

System initialization logs

C.

Change control log

D.

Security system parameters

Buy Now
Questions 67

Which of the following should be done FIRST to minimize the risk of unstructured data?

Options:

A.

Identify repositories of unstructured data.

B.

Purchase tools to analyze unstructured data.

C.

Implement strong encryption for unstructured data.

D.

Implement user access controls to unstructured data.

Buy Now
Questions 68

The PRIMARY responsibility of a project steering committee is to:

Options:

A.

sign off on the final build document.

B.

ensure that each project deadline is met.

C.

ensure that developed systems meet business needs.

D.

provide regular project updates and oversight.

Buy Now
Questions 69

Which of the following is the PRIMARY benefit of a tabletop exercise for an incident response plan?

Options:

A.

It demonstrates the maturity of the incident response program.

B.

It reduces the likelihood of an incident occurring.

C.

It identifies deficiencies in the operating environment.

D.

It increases confidence in the team's response readiness.

Buy Now
Questions 70

A global organization's policy states that all workstations must be scanned for malware each day. Which of the following would provide an IS auditor with the BEST evidence of continuous compliance with this policy?

Options:

A.

Penetration testing results

B.

Management attestation

C.

Anti-malware tool audit logs

D.

Recent malware scan reports

Buy Now
Questions 71

When planning a follow-up, the IS auditor is informed by operational management that recent organizational changes have addressed the previously identified risk and implementing the action plan is no longer necessary. What should the auditor do NEXT?

Options:

A.

Report that the changes make it impractical to determine whether the risks have been addressed.

B.

Accept management's assertion and report that the risks have been addressed.

C.

Determine whether the changes have introduced new risks that need to be addressed.

D.

Review the changes and determine whether the risks have been addressed.

Buy Now
Questions 72

Which of the following should be identified FIRST during the risk assessment process?

Options:

A.

Vulnerability to threats

B.

Existing controls

C.

Information assets

D.

Legal requirements

Buy Now
Questions 73

Which of the following would BEST guide an IS auditor when determining an appropriate time to schedule the follow-up of agreed corrective actions for reported audit issues?

Options:

A.

Progress updates indicate that the implementation of agreed actions is on track.

B.

Sufficient time has elapsed since implementation to provide evidence of control operation.

C.

Business management has completed the implementation of agreed actions on schedule.

D.

Regulators have announced a timeline for an inspection visit.

Buy Now
Questions 74

Which of the following would be of GREATEST concern to an IS auditor reviewing an IT strategy document?

Options:

A.

Target architecture is defined at a technical level.

B.

The previous year's IT strategic goals were not achieved.

C.

Strategic IT goals are derived solely from the latest market trends.

D.

Financial estimates of new initiatives are disclosed within the document.

Buy Now
Questions 75

Which of the following is the BEST compensating control against segregation of duties conflicts in new code development?

Options:

A.

Adding the developers to the change approval board

B.

A small number of people have access to deploy code

C.

Post-implementation change review

D.

Creation of staging environments

Buy Now
Questions 76

Which of the following is the MAIN risk associated with adding a new system functionality during the development phase without following a project change

management process?

Options:

A.

The added functionality has not been documented.

B.

The new functionality may not meet requirements.

C.

The project may fail to meet the established deadline.

D.

The project may go over budget.

Buy Now
Questions 77

Which of the following is MOST likely to be a project deliverable of an agile software development methodology?

Options:

A.

Strictly managed software requirements baselines

B.

Extensive project documentation

C.

Automated software programming routines

D.

Rapidly created working prototypes

Buy Now
Questions 78

Which of the following would be an auditor's GREATEST concern when reviewing data inputs from spreadsheets into the core finance system?

Options:

A.

Undocumented code formats data and transmits directly to the database.

B.

There is not a complete inventory of spreadsheets, and file naming is inconsistent.

C.

The department data protection policy has not been reviewed or updated for two years.

D.

Spreadsheets are accessible by all members of the finance department.

Buy Now
Questions 79

To ensure confidentiality through the use of asymmetric encryption, a message is encrypted with which of the following?

Options:

A.

Recipient's public key

B.

Sender's private key

C.

Sender's public key

D.

Recipient's private key

Buy Now
Questions 80

When reviewing a business case for a proposed implementation of a third-party system, which of the following should be an IS auditor's GREATEST concern?

Options:

A.

Lack of ongoing maintenance costs

B.

Lack of training materials

C.

Lack of plan for pilot implementation

D.

Lack of detailed work breakdown structure

Buy Now
Questions 81

An IS auditor should look for which of the following to ensure the risk associated with scope creep has been mitigated during software development?

Options:

A.

Source code version control

B.

Project change management controls

C.

Existence of an architecture review board

D.

Configuration management

Buy Now
Questions 82

What is the PRIMARY reason for an organization to classify the data stored on its internal networks?

Options:

A.

To determine data retention policy

B.

To implement data protection requirements

C.

To comply with the organization's data policies

D.

To follow industry best practices

Buy Now
Questions 83

The use of control totals reduces the risk of:

Options:

A.

posting to the wrong record.

B.

incomplete processing.

C.

improper backup.

D.

improper authorization.

Buy Now
Questions 84

When physical destruction IS not practical, which of the following is the MOST effective means of disposing of sensitive data on a hard disk?

Options:

A.

Overwriting multiple times

B.

Encrypting the disk

C.

Reformatting

D.

Deleting files sequentially

Buy Now
Questions 85

During an operational audit on the procurement department, the audit team encounters a key system that uses an artificial intelligence (Al) algorithm. The audit team does not have the necessary knowledge to proceed with the audit. Which of the following is the BEST way to handle this situation?

Options:

A.

Perform a skills assessment to identify members from other business units with knowledge of Al.

B.

Remove the Al portion from the audit scope and proceed with the audit.

C.

Delay the audit until the team receives training on Al.

D.

Engage external consultants who have audit experience and knowledge of Al.

Buy Now
Questions 86

An IS audit manager is reviewing workpapers for a recently completed audit of the corporate disaster recovery test. Which of the following should the IS audit manager specifically review to substantiate the conclusions?

Options:

A.

Overviews of interviews between data center personnel and the auditor

B.

Prior audit reports involving other corporate disaster recovery audits

C.

Summary memos reflecting audit opinions regarding noted weaknesses

D.

Detailed evidence of the successes and weaknesses of all contingency testing

Buy Now
Questions 87

Which of the following findings from a database security audit presents the GREATEST risk of critical security exposures?

Options:

A.

Legacy data has not been purged.

B.

Admin account passwords are not set to expire.

C.

Default settings have not been changed.

D.

Database activity logging is not complete.

Buy Now
Questions 88

Which of the following is the MOST significant impact to an organization that does not use an IT governance framework?

Options:

A.

adequate measurement of key risk indicators (KRIS)

B.

Inadequate alignment of IT plans and business objectives

C.

Inadequate business impact analysis (BIA) results and predictions

D.

Inadequate measurement of key performance indicators (KPls)

Buy Now
Questions 89

The BEST way to evaluate the effectiveness of a newly developed application is to:

Options:

A.

perform a post-implementation review-

B.

analyze load testing results.

C.

perform a secure code review.

D.

review acceptance testing results.

Buy Now
Questions 90

Which of the following is the BEST indication of effective governance over IT infrastructure?

Options:

A.

The ability to deliver continuous, reliable performance

B.

A requirement for annual security awareness programs

C.

An increase in the number of IT infrastructure servers

D.

A decrease in the number of information security incidents

Buy Now
Questions 91

Which of the following should be the GREATEST concern to an IS auditor reviewing an organization's job scheduling practices?

Options:

A.

Most jobs are run manually.

B.

Jobs are executed during working hours.

C.

Job dependencies are undefined.

D.

Job processing procedures are missing.

Buy Now
Questions 92

Which of the following poses the GREATEST potential concern for an organization that decides to consolidate mission-critical applications on a large server as part of IT capacity management?

Options:

A.

More applications may be negatively affected by outages on the server.

B.

Continuous monitoring efforts for server capacity may be costly.

C.

Network bandwidth may be degraded during peak hours.

D.

Accurate server capacity forecasting may be more difficult.

Buy Now
Questions 93

Which of the following observations should be of GREATEST concern to an IS auditor reviewing an organization’s enterprise architecture (EA) program?

Options:

A.

The architecture review board is chaired by the CIO

B.

IT application owners have sole responsibility for architecture approval

C.

The EA program governs projects that are not IT-related

D.

Information security requirements are reviewed by the EA program

Buy Now
Questions 94

A small IT department has embraced DevOps, which allows members of this group to deploy code to production and maintain some development access to automate releases. Which of the following is the MOST effective control?

Options:

A.

Enforce approval prior to deployment by a member of the team who has not taken part in the development.

B.

The DevOps team provides an annual policy acknowledgment that they did not develop and deploy the same code.

C.

Annual training reinforces the need to maintain segregation between developers and deployers of code

D.

The IT compliance manager performs weekly reviews to ensure the same person did not develop and deploy code.

Buy Now
Questions 95

Which of the following is the MOST effective way to detect as many abnormalities as possible during an IS audit?

Options:

A.

Conduct a walk-through of the process.

B.

Perform substantive testing on sampled records.

C.

Perform judgmental sampling of key processes.

D.

Use a data analytics tool to identify trends.

Buy Now
Questions 96

Which of the following provides the BEST assurance that vendor-supported software remains up to date?

Options:

A.

Release and patch management

B.

Licensing agreement and escrow

C.

Software asset management

D.

Version management

Buy Now
Questions 97

Which of the following is the PRIMARY objective of performing quality assurance (QA) in a system development process?

Options:

A.

To ensure that expected benefits have been realized

B.

To ensure the developed system meets business requirements

C.

To ensure the developed system integrates well with another system

D.

To help determine high-level requirements for the new system

Buy Now
Questions 98

In a public key cryptographic system, which of the following is the PRIMARY requirement to address the risk of man-in-the-middle attacks through spoofing?

Options:

A.

Strong encryption algorithms

B.

Kerberos authentication

C.

Registration authority

D.

Certificate authority (CA)

Buy Now
Questions 99

Which of the following is the PRIMARY benefit of monitoring IT operational logs?

Options:

A.

Detecting processing errors in a timely manner

B.

Identifying configuration flaws in operating systems

C.

Managing the usability and capacity of IT resources

D.

Generating exception reports to assess security compliance

Buy Now
Questions 100

Which of the following observations regarding change management should be considered the MOST serious risk by an IS auditor?

Options:

A.

There is no software used to track change management.

B.

The change is not approved by the business owners.

C.

The change is deployed two weeks after approval.

D.

The development of the change is not cost-effective.

Buy Now
Questions 101

Which of the following should be of GREATEST concern to an IS auditor reviewing an organization's IT process performance reports over the last quarter?

Options:

A.

Metrics are not aligned with industry benchmarks

B.

Performance reporting includes too many technical terms

C.

Key performance indicators (KPIs) were met in only one month

D.

Metrics were defined without stakeholder review

Buy Now
Questions 102

Who is PRIMARILY responsible for the design of IT controls to meet control objectives?

Options:

A.

Business management

B.

Internal auditor

C.

Risk management

D.

ITC manager

Buy Now
Questions 103

An organization is establishing a steering committee for the implementation of a new enterprise resource planning (ERP) system that uses Agile project management methodology. What is the MOST important criterion for the makeup of this committee?

Options:

A.

Senior management representation

B.

Ability to meet the time commitment required

C.

Agile project management experience

D.

ERP implementation experience

Buy Now
Questions 104

Which of the following is an example of shadow IT?

Options:

A.

An employee using a cloud based order management tool without approval from IT

B.

An employee using a company provided laptop to access personal banking information

C.

An employee using personal email to communicate with clients without approval from IT

D.

An employee using a company-provided tablet to access social media during work hours

Buy Now
Questions 105

Which of the following is MOST appropriate to review when determining if the work completed on an IT project is in alignment with budgeted costs?

Options:

A.

Return on investment (ROI) analysis

B.

Earned value analysis (EVA)

C.

Financial value analysis

D.

Business impact analysis (BIA)

Buy Now
Questions 106

Before the release of a new application into an organization’s production environment, which of the following should be in place to ensure that proper testing has occurred and rollback plans are in place?

Options:

A.

Change approval board

B.

Standardized change requests

C.

Independent third-party approval

D.

Secure code review

Buy Now
Questions 107

Which of the following is MOST important to consider when determining the usefulness of audit evidence?

Options:

A.

Timing of the evidence

B.

Nature of evidence gathered

C.

Overall objectives of the review

D.

Competence of the IS auditor

Buy Now
Questions 108

Which of the following BEST enables an IS auditor to confirm the batch processing to post transactions from an input source is successful?

Options:

A.

Error log review

B.

Total number of items

C.

Hash totals

D.

Aggregate monetary amount

Buy Now
Questions 109

Which of the following technology trends can lead to more robust data loss prevention (DLP) tools?

Options:

A.

Cloud computing

B.

Robotic process automation (RPA)

C.

Internet of Things (IoT)

D.

Machine learning algorithms

Buy Now
Questions 110

An IS auditor wants to inspect recent events in a system to observe failed authentications and password changes. Which of the following is the MOST appropriate method to use for this purpose?

Options:

A.

Penetration testing

B.

Authenticated scanning

C.

Change management records

D.

System log review

Buy Now
Questions 111

Following an IT audit, management has decided to accept the risk highlighted in the audit report. Which of the following would provide the MOST assurance to the IS auditor that management

is adequately balancing the needs of the business with the need to manage risk?

Options:

A.

A communication plan exists for informing parties impacted by the risk.

B.

Potential impact and likelihood are adequately documented.

C.

Identified risk is reported into the organization's risk committee.

D.

Established criteria exist for accepting and approving risk.

Buy Now
Questions 112

A sample for testing must include the 80 largest client balances and a random sample of the rest. What should the IS auditor recommend?

Options:

A.

Query the database.

B.

Develop an integrated test facility (ITF).

C.

Use generalized audit software.

D.

Leverage a random number generator.

Buy Now
Questions 113

An organization produces control reports with a desktop application that accesses data in the central production database. Which of the following would give an IS auditor concern about the reliability of these reports?

Options:

A.

The reports are printed by the same person who reviews them.

B.

The reports are available to all end users.

C.

The report definitions file is not included in routine backups.

D.

The report definitions can be modified by end users.

Buy Now
Questions 114

An IS auditor has been tasked with analyzing an organization's capital expenditures against its repair and maintenance costs. Which of the following is the BEST reason to use a data analytics tool for this purpose?

Options:

A.

It reduces the error rate.

B.

It improves the reliability of the data.

C.

It enables the auditor to work with 100% of the transactions.

D.

It reduces the sample size required to perform the audit.

Buy Now
Questions 115

An organization has decided to build a data warehouse using source data from several disparate systems to support strategic decision-making.

Which of the following is the BEST way to ensure the accuracy and completeness of the data used to support business decisions?

Options:

A.

The source data is pre-selected so that it already supports senior management's desired business decision outcome.

B.

The source data is from the current year of operations so that irrelevant data from prior years is not included.

C.

The source data is modified in the data warehouse to remove confidential or sensitive information.

D.

The source data is standardized and cleansed before loading into the data warehouse.

Buy Now
Questions 116

Which of the following is MOST important for an IS auditor to verify when reviewing the planned use of Benford's law as a data analytics technique to detect fraud in a set of credit card transactions?

Options:

A.

The transactions are in double integer format.

B.

The transaction amounts are selected randomly without restriction.

C.

The transaction analysis is limited to transactions within standard deviation.

D.

The transactions are all in the same currency.

Buy Now
Questions 117

Which of the following should be done FIRST following an incident that has caused internal servers to be inaccessible, disrupting normal business operations?

Options:

A.

Document the servers' dates, times, and locations, as well as the individual who last used them

B.

Make a bit-level copy of the affected servers and calculate the hash value of the copy.

C.

Copy all key directories and files on the affected servers and generate the hash value of the copy.

D.

Unplug all power cables immediately to prevent further actions of the attacker on the servers.

Buy Now
Questions 118

Which of the following is MOST likely to be reduced when implementing optimal risk management strategies?

Options:

A.

Sampling risk

B.

Residual risk

C.

Detection risk

D.

Inherent risk

Buy Now
Questions 119

An IS auditor is tasked to review an organization's plan-do-check-act (PDCA) method for improving IT-related processes and wants to determine the accuracy of defined targets to be achieved. Which of the following steps in the PDCA process should the auditor PRIMARILY focus on in this situation?

Options:

A.

Check

B.

Plan

C.

Do

D.

Act

Buy Now
Questions 120

Which of the following is MOST useful for determining the strategy for IT portfolio management?

Options:

A.

IT metrics dashboards

B.

IT roadmap

C.

Capability maturity model

D.

Life cycle cost-benefit analysis

Buy Now
Questions 121

Which of the following is the BEST recommendation by an IS auditor to prevent unauthorized access to Internet of Things (loT) devices'?

Options:

A.

loT devices should only be accessible from the host network.

B.

loT devices should log and alert on access attempts.

C.

IoT devices should require identification and authentication.

D.

loT devices should monitor the use of device system accounts.

Buy Now
Questions 122

In a review of the organization standards and guidelines for IT management, which of the following should be included in an IS development methodology?

Options:

A.

Value-added activity analysis

B.

Risk management techniques

C.

Access control rules

D.

Incident management techniques

Buy Now
Questions 123

Which of the following is an IS auditor's BEST recommendation for mitigating risk associated with inadvertent disclosure of sensitive information by employees?

Options:

A.

Intrusion prevention system (IPS) and firewalls

B.

Data loss prevention (DLP) technologies

C.

Cryptographic protection

D.

Email phishing simulation exercises

Buy Now
Questions 124

Which of the following is the PRIMARY purpose of batch processing monitoring?

Options:

A.

To comply with security standards

B.

To summarize the batch processing reporting

C.

To log error events in batch processing

D.

To prevent an incident that may result from batch failure

Buy Now
Questions 125

Which of the following is the MOST important reason for an organization to automate data purging?

Options:

A.

Protection against privacy breaches

B.

Storage cost reduction

C.

Disaster recovery planning

D.

Ransomware protection

Buy Now
Questions 126

During an IS audit of a data center, it was found that programmers are allowed to make emergency fixes to operational programs. Which of the following should be the IS auditor's PRIMARY recommendation?

Options:

A.

Programmers should be allowed to implement emergency fixes only after obtaining verbal agreement from the application owner.

B.

Emergency program changes should be subject to program migration and testing procedures before they are applied to operational systems.

C.

Bypass user ID procedures should be put in place to ensure that the changes are subject to after-the-event approval and testing.

Buy Now
Questions 127

When auditing IT organizational structure, which of the following findings presents the GREATEST risk to an organization?

Options:

A.

Significantly higher turnover

B.

Lack of customer satisfaction surveys

C.

Aging staff

D.

Increase in the frequency of software upgrades

Buy Now
Questions 128

Which of the following presents the GREATEST risk associated with end-user computing (EUC) applica-tions over financial reporting?

Options:

A.

Inability to quickly modify and deploy a solution

B.

Lack of portability for users

C.

Loss of time due to manual processes

D.

Calculation errors in spreadsheets

Buy Now
Questions 129

Which of the following is a PRIMARY function of an intrusion detection system (IDS)?

Options:

A.

Predicting an attack before it occurs

B.

Alerting when a scheduled backup job fails

C.

Blocking malicious network traffic

D.

Warning when executable programs are modified

Buy Now
Questions 130

An IS auditor is reviewing an artificial intelligence (Al) and expert system application. The system has produced several critical errors with severe impact. Which of the following should the IS auditor do NEXT to understand the cause of the errors?

Options:

A.

Review the decision-making logic built into the system.

B.

Interview the system owner.

C.

Understand the purpose and functionality of the system.

D.

Verify system adherence to corporate policy.

Buy Now
Questions 131

An IS auditor wants to verify alignment of the organization's business continuity plan (BCP) with the business strategy. Which of the following would be MOST helpful to review?

Options:

A.

Disaster recovery plan (DRP) testing results

B.

Business impact analysis (BIA)

C.

Corporate risk management policy

D.

Key performance indicators (KPIs)

Buy Now
Questions 132

Which of the following should be of GREATEST concern to an IS auditor reviewing project documentation for a client relationship management (CRM) system migration project?

Options:

A.

The technical migration is planned for a holiday weekend and end users may not be available.

B.

Five weeks prior to the target date, there are still numerous defects in the printing functionality.

C.

A single implementation phase is planned and the legacy system will be immediately decommissioned.

D.

Employees are concerned that data representation in the new system is completely different from the old system.

Buy Now
Questions 133

A system performance dashboard indicates several application servers are reaching the defined threshold for maximum CPU allocation. Which of the following would be the IS auditor's BEST recommendation for the IT department?

Options:

A.

Increase the defined processing threshold to reflect capacity consumption during normal operations.

B.

Notify end users of potential disruptions caused by degradation of servers.

C.

Terminate both ingress and egress connections of these servers to avoid overload.

D.

Validate the processing capacity of these servers is adequate to complete computing tasks.

Buy Now
Questions 134

An IS auditor discovers from patch logs that some in-scope systems are not compliant with the regular patching schedule. What should the auditor do NEXT?

Options:

A.

Interview IT management to clarify the current procedure.

B.

Report this finding to senior management.

C.

Review the organization's patch management policy.

D.

Request a plan of action to be established as a follow-up item.

Buy Now
Questions 135

The PRIMARY advantage of using open-source-based solutions is that they:

Options:

A.

Have well-defined support levels.

B.

Are easily implemented.

C.

Reduce dependence on vendors.

D.

Offer better security features.

Buy Now
Questions 136

Which of the following is the PRIMARY reason an IS auditor would recommend offsite backups although critical data is already on a redundant array of inexpensive disks (RAID)?

Options:

A.

The array cannot offer protection against disk corruption.

B.

The array cannot recover from a natural disaster.

C.

The array relies on proper maintenance.

D.

Disks of the array cannot be hot-swapped for quick recovery.

Buy Now
Questions 137

During a physical security audit, an IS auditor was provided a proximity badge that granted access to three specific floors in a corporate office building. Which of the following issues should be of MOST concern?

Options:

A.

The proximity badge did not work for the first two days of audit fieldwork.

B.

There was no requirement for an escort during fieldwork.

C.

There was no follow-up for unsuccessful attempted access violations.

D.

The proximity badge incorrectly granted access to restricted areas.

Buy Now
Questions 138

When reviewing an organization's finalized risk assessment process, what would be the MAIN reason for an IS auditor to compare acceptable risk level with residual risk?

Options:

A.

To identify omissions made in the completed risk assessment

B.

To identify new risks the organization may have to address

C.

To recommend control enhancements for further risk reduction

D.

To advise management on risk appetite levels

Buy Now
Questions 139

Which of the following would be of GREATEST concern to an IS auditor reviewing an IT-related customer service project?

Options:

A.

The project risk exceeds the organization's risk appetite.

B.

Executing the project will require additional investments.

C.

Expected business value is expressed in qualitative terms.

D.

The organization will be the first to offer the proposed services.

Buy Now
Questions 140

Which of the following should be the GREATEST concern for an IS auditor assessing an organization's disaster recovery plan (DRP)?

Options:

A.

The DRP was developed by the IT department.

B.

The DRP has not been tested during the past three years.

C.

The DRP has not been updated for two years.

D.

The DRP does not include the recovery the time objective (RTO) for a key system.

Buy Now
Questions 141

Which of the following is a PRIMARY benefit of using risk assessments to determine areas to be included in an audit plan?

Options:

A.

Timely audit execution

B.

Effective allocation of audit resources

C.

Reduced travel and expense costs

D.

Effective risk mitigation

Buy Now
Questions 142

Which of the following will BEST ensure that archived electronic information of permanent importance remains accessible over time?

Options:

A.

Performing preventive maintenance on old hardware

B.

Acquiring applications that emulate old software

C.

Regularly migrating data to current technology

D.

Periodically backing up archived data

Buy Now
Questions 143

Which of the following is the BEST way to ensure a vendor complies with system security requirements?

Options:

A.

Require security training for vendor staff.

B.

Review past incidents reported by the vendor.

C.

Review past audits on the vendor's security compliance.

D.

Require a compliance clause in the vendor contract.

Buy Now
Questions 144

Which of the following technologies BEST assists in protection of digital evidence as part of forensic investigation acquisition?

Options:

A.

Hardware-based media write blocker

B.

Data encryption

C.

Differential backups

D.

Source media sanitization

Buy Now
Questions 145

Which of the following is the PRIMARY reason for using a digital signature?

Options:

A.

Provide availability to the transmission

B.

Authenticate the sender of a message

C.

Provide confidentiality to the transmission

D.

Verify the integrity of the data and the identity of the recipient

Buy Now
Questions 146

Which of the following is MOST helpful for understanding an organization’s key driver to modernize application platforms?

Options:

A.

Vendor software inventories

B.

Network architecture diagrams

C.

System-wide incident reports

D.

Inventory of end-of-life software

Buy Now
Questions 147

Which of the following network communication protocols is used by network devices such as routers to send error messages and operational information indicating success or failure when communicating with another IP address?

Options:

A.

Transmission Control Protocol/Internet Protocol (TCP/IP)

B.

Internet Control Message Protocol

C.

Multipurpose Transaction Protocol

D.

Point-to-Point Tunneling Protocol

Buy Now
Questions 148

Which of the following BEST helps data loss prevention (DLP) tools detect movement of sensitive data m transit?

Options:

A.

Network traffic logs

B.

Deep packet inspection

C.

Data inventory

D.

Proprietary encryption

Buy Now
Questions 149

A hearth care organization utilizes Internet of Things (loT) devices to improve patient outcomes through real-time patient monitoring and advanced diagnostics. Which of the following would BEST assist in isolating these devices from corporate network traffic?

Options:

A.

Internal firewalls

B.

Blockchain technology

C.

Content filtering proxy

D.

Zero Trust architecture

Buy Now
Questions 150

Which of the following is MOST important for an IS auditor to verify when evaluating tne upgrade of an organization's enterprise resource planning (ERP) application?

Options:

A.

Application related documentation was updated to reflect the changes in the new version

B.

Security configurations were appropriately applied to the new version

C.

Users were provided security training on the new version

D.

Lessons teamed analysis was documented after the upgrade

Buy Now
Questions 151

Which of the following is MOST important when defining the IS audit scope?

Options:

A.

Minimizing the time and cost to the organization of IS audit procedures

B.

Involving business in the formulation of the scope statement

C.

Aligning the IS audit procedures with IT management priorities

D.

Understanding the relationship between IT and business risks

Buy Now
Questions 152

Which of the following is the BEST review for an IS auditor to conduct when a vulnerability has been exploited by an employee?

Options:

A.

Compliance audit

B.

Application security testing

C.

Forensic audit

D.

Penetration testing

Buy Now
Questions 153

Which of the following is the MOST important regulatory consideration for an organization determining whether to use its customer data to train AI algorithms?

Options:

A.

Documentation of AI algorithm accuracy during the training process

B.

Ethical and optimal utilization of data computing resources

C.

Collection of data and obtaining data subject consent

D.

Continuous monitoring of AI algorithm performance

Buy Now
Questions 154

Which of the following would be of GREATEST concern to an IS auditor reviewing an IT strategy document?

Options:

A.

The previous year’s IT strategic goals were not achieved.

B.

Target architecture is defined at a technical level.

C.

Financial estimates of new initiatives are disclosed within the document.

D.

Strategic IT goals are derived solely from the latest market trends.

Buy Now
Questions 155

An IS auditor is reviewing an organization's risk management program. Which of the following should be the PRIMARY driver of the enterprise IT risk appetite?

Options:

A.

Strategic objectives

B.

Return on investment (ROI)

C.

Cost of implementing controls

D.

Likelihood of risk events

Buy Now
Questions 156

Which of the following demonstrates the use of data analytics for a loan origination process?

Options:

A.

Evaluating whether loan records are included in the batch file and are validated by the servicing system

B.

Comparing a population of loans input in the origination system to loans booked on the servicing system

C.

Validating whether reconciliations between the two systems are performed and discrepancies are investigated

D.

Reviewing error handling controls to notify appropriate personnel in the event of a transmission failure

Buy Now
Questions 157

A new regulation requires organizations to report significant security incidents to the regulator within 24 hours of identification. Which of the following is the IS auditor's BEST recommendation to facilitate compliance with the regulation?

Options:

A.

Include the requirement in the incident management response plan.

B.

Establish key performance indicators (KPIs) for timely identification of security incidents.

C.

Enhance the alert functionality of the intrusion detection system (IDS).

D.

Engage an external security incident response expert for incident handling.

Buy Now
Questions 158

Which of the following is the MOST important prerequisite for the protection of physical information assets in a data center?

Options:

A.

Segregation of duties between staff ordering and staff receiving information assets

B.

Complete and accurate list of information assets that have been deployed

C.

Availability and testing of onsite backup generators

D.

Knowledge of the IT staff regarding data protection requirements

Buy Now
Questions 159

While executing follow-up activities, an IS auditor is concerned that management has implemented corrective actions that are different from those originally discussed and agreed with the audit function. In order to resolve the situation, the IS auditor's BEST course of action would be to:

Options:

A.

re-prioritize the original issue as high risk and escalate to senior management.

B.

schedule a follow-up audit in the next audit cycle.

C.

postpone follow-up activities and escalate the alternative controls to senior audit management.

D.

determine whether the alternative controls sufficiently mitigate the risk.

Buy Now
Questions 160

What is MOST important to verify during an external assessment of network vulnerability?

Options:

A.

Update of security information event management (SIEM) rules

B.

Regular review of the network security policy

C.

Completeness of network asset inventory

D.

Location of intrusion detection systems (IDS)

Buy Now
Questions 161

Which of the following would be a result of utilizing a top-down maturity model process?

Options:

A.

A means of benchmarking the effectiveness of similar processes with peers

B.

A means of comparing the effectiveness of other processes within the enterprise

C.

Identification of older, more established processes to ensure timely review

D.

Identification of processes with the most improvement opportunities

Buy Now
Questions 162

Which of the following is the GREATEST concern associated with a high number of IT policy exceptions approved by management?

Options:

A.

The exceptions are likely to continue indefinitely.

B.

The exceptions may result in noncompliance.

C.

The exceptions may elevate the level of operational risk.

D.

The exceptions may negatively impact process efficiency.

Buy Now
Questions 163

An organization conducted an exercise to test the security awareness level of users by sending an email offering a cash reward 10 those who click on a link embedded in the body of the email. Which of the following metrics BEST indicates the effectiveness of awareness training?

Options:

A.

The number of users deleting the email without reporting because it is a phishing email

B.

The number of users clicking on the link to learn more about the sender of the email

C.

The number of users forwarding the email to their business unit managers

D.

The number of users reporting receipt of the email to the information security team

Buy Now
Questions 164

When determining whether a project in the design phase will meet organizational objectives, what is BEST to compare against the business case?

Options:

A.

Implementation plan

B.

Project budget provisions

C.

Requirements analysis

D.

Project plan

Buy Now
Questions 165

Which of the following is the BEST method to prevent wire transfer fraud by bank employees?

Options:

A.

Independent reconciliation

B.

Re-keying of wire dollar amounts

C.

Two-factor authentication control

D.

System-enforced dual control

Buy Now
Questions 166

Malicious program code was found in an application and corrected prior to release into production. After the release, the same issue was reported. Which of the following is the IS auditor's BEST recommendation?

Options:

A.

Ensure corrected program code is compiled in a dedicated server.

B.

Ensure change management reports are independently reviewed.

C.

Ensure programmers cannot access code after the completion of program edits.

D.

Ensure the business signs off on end-to-end user acceptance test (UAT) results.

Buy Now
Questions 167

When evaluating the design of controls related to network monitoring, which of the following is MOST important for an IS auditor to review?

Options:

A.

Incident monitoring togs

B.

The ISP service level agreement

C.

Reports of network traffic analysis

D.

Network topology diagrams

Buy Now
Questions 168

An IS auditor is following up on prior period items and finds management did not address an audit finding. Which of the following should be the IS auditor's NEXT course of action?

Options:

A.

Note the exception in a new report as the item was not addressed by management.

B.

Recommend alternative solutions to address the repeat finding.

C.

Conduct a risk assessment of the repeat finding.

D.

Interview management to determine why the finding was not addressed.

Buy Now
Questions 169

Which of the following is a social engineering attack method?

Options:

A.

An unauthorized person attempts to gam access to secure premises by following an authonzed person through a secure door.

B.

An employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone.

C.

A hacker walks around an office building using scanning tools to search for a wireless network to gain access.

D.

An intruder eavesdrops and collects sensitive information flowing through the network and sells it to third parties.

Buy Now
Questions 170

Which of the following is the PRIMARY concern when negotiating a contract for a hot site?

Options:

A.

Availability of the site in the event of multiple disaster declarations

B.

Coordination with the site staff in the event of multiple disaster declarations

C.

Reciprocal agreements with other organizations

D.

Complete testing of the recovery plan

Buy Now
Questions 171

During an audit of a reciprocal disaster recovery agreement between two companies, the IS auditor would be MOST concerned with the:

Options:

A.

allocation of resources during an emergency.

B.

frequency of system testing.

C.

differences in IS policies and procedures.

D.

maintenance of hardware and software compatibility.

Buy Now
Questions 172

An IS auditor finds that firewalls are outdated and not supported by vendors. Which of the following should be the auditor's NEXT course of action?

Options:

A.

Report the mitigating controls.

B.

Report the security posture of the organization.

C.

Determine the value of the firewall.

D.

Determine the risk of not replacing the firewall.

Buy Now
Questions 173

An IS auditor found that a company executive is encouraging employee use of social networking sites for business purposes. Which of the following recommendations would BEST help to reduce the risk of data leakage?

Options:

A.

Requiring policy acknowledgment and nondisclosure agreements (NDAs) signed by employees

B.

Establishing strong access controls on confidential data

C.

Providing education and guidelines to employees on use of social networking sites

D.

Monitoring employees' social networking usage

Buy Now
Questions 174

An IS auditor is reviewing an organization's information asset management process. Which of the following would be of GREATEST concern to the auditor?

Options:

A.

The process does not require specifying the physical locations of assets.

B.

Process ownership has not been established.

C.

The process does not include asset review.

D.

Identification of asset value is not included in the process.

Buy Now
Questions 175

Which of the following would be an IS auditor's GREATEST concern when reviewing the early stages of a software development project?

Options:

A.

The lack of technical documentation to support the program code

B.

The lack of completion of all requirements at the end of each sprint

C.

The lack of acceptance criteria behind user requirements.

D.

The lack of a detailed unit and system test plan

Buy Now
Questions 176

Management has requested a post-implementation review of a newly implemented purchasing package to determine to what extent business requirements are being met. Which of the following is MOST likely to be assessed?

Options:

A.

Purchasing guidelines and policies

B.

Implementation methodology

C.

Results of line processing

D.

Test results

Buy Now
Questions 177

An organizations audit charier PRIMARILY:

Options:

A.

describes the auditors' authority to conduct audits.

B.

defines the auditors' code of conduct.

C.

formally records the annual and quarterly audit plans.

D.

documents the audit process and reporting standards.

Buy Now
Questions 178

An organization implemented a cybersecurity policy last year Which of the following is the GREATE ST indicator that the policy may need to be revised?

Options:

A.

A significant increase in authorized connections to third parties

B.

A significant increase in cybersecurity audit findings

C.

A significant increase in approved exceptions

D.

A significant increase in external attack attempts

Buy Now
Questions 179

An organization is migrating its HR application to an Infrastructure as a Service (laaS) model in a private cloud. Who is PRIMARILY responsible for the security configurations of the deployed application's operating system?

Options:

A.

The cloud provider's external auditor

B.

The cloud provider

C.

The operating system vendor

D.

The organization

Buy Now
Questions 180

While evaluating the data classification process of an organization, an IS auditor's PRIMARY focus should be on whether:

Options:

A.

data classifications are automated.

B.

a data dictionary is maintained.

C.

data retention requirements are clearly defined.

D.

data is correctly classified.

Buy Now
Questions 181

To mitigate the risk of exposing data through application programming interface (API) queries. which of the following design considerations is MOST important?

Options:

A.

Data retention

B.

Data minimization

C.

Data quality

D.

Data integrity

Buy Now
Questions 182

During the planning stage of a compliance audit, an IS auditor discovers that a bank's inventory of compliance requirements does not include recent regulatory changes related to managing data risk. What should the auditor do FIRST?

Options:

A.

Ask management why the regulatory changes have not been Included.

B.

Discuss potential regulatory issues with the legal department

C.

Report the missing regulatory updates to the chief information officer (CIO).

D.

Exclude recent regulatory changes from the audit scope.

Buy Now
Questions 183

Which of the following would lead an IS auditor to conclude that the evidence collected during a digital forensic investigation would not be admissible in court?

Options:

A.

The person who collected the evidence is not qualified to represent the case.

B.

The logs failed to identify the person handling the evidence.

C.

The evidence was collected by the internal forensics team.

D.

The evidence was not fully backed up using a cloud-based solution prior to the trial.

Buy Now
Questions 184

Providing security certification for a new system should include which of the following prior to the system's implementation?

Options:

A.

End-user authorization to use the system in production

B.

External audit sign-off on financial controls

C.

Testing of the system within the production environment

D.

An evaluation of the configuration management practices

Buy Now
Questions 185

Which of the following would provide the MOST important input during the planning phase for an audit on the implementation of a bring your own device (BYOD) program?

Options:

A.

Findings from prior audits

B.

Results of a risk assessment

C.

An inventory of personal devices to be connected to the corporate network

D.

Policies including BYOD acceptable user statements

Buy Now
Questions 186

Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization's information security policy?

Options:

A.

Alignment with the IT tactical plan

B.

IT steering committee minutes

C.

Compliance with industry best practice

D.

Business objectives

Buy Now
Questions 187

An IS auditor should ensure that an application's audit trail:

Options:

A.

has adequate security.

B.

logs ail database records.

C.

Is accessible online

D.

does not impact operational efficiency

Buy Now
Questions 188

An IS auditor is reviewing the release management process for an in-house software development solution. In which environment Is the software version MOST likely to be the same as production?

Options:

A.

Staging

B.

Testing

C.

Integration

D.

Development

Buy Now
Questions 189

Which of the following is the MAJOR advantage of automating internal controls?

Options:

A.

To enable the review of large value transactions

B.

To efficiently test large volumes of data

C.

To help identity transactions with no segregation of duties

D.

To assist in performing analytical reviews

Buy Now
Questions 190

Which of the following is the BEST method to delete sensitive information from storage media that will be reused?

Options:

A.

Crypto-shredding

B.

Multiple overwriting

C.

Reformatting

D.

Re-partitioning

Buy Now
Questions 191

Which of the following would BEST demonstrate that an effective disaster recovery plan (DRP) is in place?

Options:

A.

Frequent testing of backups

B.

Annual walk-through testing

C.

Periodic risk assessment

D.

Full operational test

Buy Now
Questions 192

What should be the PRIMARY basis for selecting which IS audits to perform in the coming year?

Options:

A.

Senior management's request

B.

Prior year's audit findings

C.

Organizational risk assessment

D.

Previous audit coverage and scope

Buy Now
Questions 193

Which of the following is an audit reviewer's PRIMARY role with regard to evidence?

Options:

A.

Ensuring unauthorized individuals do not tamper with evidence after it has been captured

B.

Ensuring evidence is sufficient to support audit conclusions

C.

Ensuring appropriate statistical sampling methods were used

D.

Ensuring evidence is labeled to show it was obtained from an approved source

Buy Now
Questions 194

Coding standards provide which of the following?

Options:

A.

Program documentation

B.

Access control tables

C.

Data flow diagrams

D.

Field naming conventions

Buy Now
Questions 195

Management is concerned about sensitive information being intentionally or unintentionally emailed as attachments outside the organization by employees. What is the MOST important task before implementing any associated email controls?

Options:

A.

Require all employees to sign nondisclosure agreements (NDAs).

B.

Develop an acceptable use policy for end-user computing (EUC).

C.

Develop an information classification scheme.

D.

Provide notification to employees about possible email monitoring.

Buy Now
Questions 196

An incorrect version of the source code was amended by a development team. This MOST likely indicates a weakness in:

Options:

A.

incident management.

B.

quality assurance (QA).

C.

change management.

D.

project management.

Buy Now
Questions 197

During a review of a production schedule, an IS auditor observes that a staff member is not complying with mandatory operational procedures. The auditor's NEXT step should be to:

Options:

A.

note the noncompliance in the audit working papers.

B.

issue an audit memorandum identifying the noncompliance.

C.

include the noncompliance in the audit report.

D.

determine why the procedures were not followed.

Buy Now
Questions 198

Which of the following is MOST important for an IS auditor to review when evaluating the accuracy of a spreadsheet that contains several macros?

Options:

A.

Encryption of the spreadsheet

B.

Version history

C.

Formulas within macros

D.

Reconciliation of key calculations

Buy Now
Questions 199

Which of the following is MOST important for an effective control self-assessment (CSA) program?

Options:

A.

Determining the scope of the assessment

B.

Performing detailed test procedures

C.

Evaluating changes to the risk environment

D.

Understanding the business process

Buy Now
Questions 200

An IS auditor has been asked to assess the security of a recently migrated database system that contains personal and financial data for a bank's customers. Which of the following controls is MOST important for the auditor to confirm is in place?

Options:

A.

The default configurations have been changed.

B.

All tables in the database are normalized.

C.

The service port used by the database server has been changed.

D.

The default administration account is used after changing the account password.

Buy Now
Questions 201

Which of the following is the BEST detective control for a job scheduling process involving data transmission?

Options:

A.

Metrics denoting the volume of monthly job failures are reported and reviewed by senior management.

B.

Jobs are scheduled to be completed daily and data is transmitted using a Secure File Transfer Protocol (SFTP).

C.

Jobs are scheduled and a log of this activity is retained for subsequent review.

D.

Job failure alerts are automatically generated and routed to support personnel.

Buy Now
Questions 202

An IS auditor is planning an audit of an organization's accounts payable processes. Which of the following controls is MOST important to assess in the audit?

Options:

A.

Segregation of duties between issuing purchase orders and making payments.

B.

Segregation of duties between receiving invoices and setting authorization limits

C.

Management review and approval of authorization tiers

D.

Management review and approval of purchase orders

Buy Now
Questions 203

One benefit of return on investment (ROI) analysts in IT decision making is that it provides the:

Options:

A.

basis for allocating indirect costs.

B.

cost of replacing equipment.

C.

estimated cost of ownership.

D.

basis for allocating financial resources.

Buy Now
Questions 204

Which of the following would BEST facilitate the successful implementation of an IT-related framework?

Options:

A.

Aligning the framework to industry best practices

B.

Establishing committees to support and oversee framework activities

C.

Involving appropriate business representation within the framework

D.

Documenting IT-related policies and procedures

Buy Now
Questions 205

Which of the following is an executive management concern that could be addressed by the implementation of a security metrics dashboard?

Options:

A.

Effectiveness of the security program

B.

Security incidents vs. industry benchmarks

C.

Total number of hours budgeted to security

D.

Total number of false positives

Buy Now
Questions 206

Which of the following BEST indicates the effectiveness of an organization's risk management program?

Options:

A.

Inherent risk is eliminated.

B.

Residual risk is minimized.

C.

Control risk is minimized.

D.

Overall risk is quantified.

Buy Now
Questions 207

The decision to accept an IT control risk related to data quality should be the responsibility of the:

Options:

A.

information security team.

B.

IS audit manager.

C.

chief information officer (CIO).

D.

business owner.

Buy Now
Questions 208

Which of the following is the PRIMARY advantage of parallel processing for a new system implementation?

Options:

A.

Assurance that the new system meets functional requirements

B.

More time for users to complete training for the new system

C.

Significant cost savings over other system implemental or approaches

D.

Assurance that the new system meets performance requirements

Buy Now
Questions 209

Spreadsheets are used to calculate project cost estimates. Totals for each cost category are then keyed into the job-costing system. What is the BEST control to ensure that data is accurately entered into the system?

Options:

A.

Reconciliation of total amounts by project

B.

Validity checks, preventing entry of character data

C.

Reasonableness checks for each cost type

D.

Display the back of the project detail after the entry

Buy Now
Questions 210

Which of the following metrics would BEST measure the agility of an organization's IT function?

Options:

A.

Average number of learning and training hours per IT staff member

B.

Frequency of security assessments against the most recent standards and guidelines

C.

Average time to turn strategic IT objectives into an agreed upon and approved initiative

D.

Percentage of staff with sufficient IT-related skills for the competency required of their roles

Buy Now
Questions 211

Which of the following is a detective control?

Options:

A.

Programmed edit checks for data entry

B.

Backup procedures

C.

Use of pass cards to gain access to physical facilities

D.

Verification of hash totals

Buy Now
Questions 212

The performance, risks, and capabilities of an IT infrastructure are BEST measured using a:

Options:

A.

risk management review

B.

control self-assessment (CSA).

C.

service level agreement (SLA).

D.

balanced scorecard.

Buy Now
Questions 213

Capacity management enables organizations to:

Options:

A.

forecast technology trends

B.

establish the capacity of network communication links

C.

identify the extent to which components need to be upgraded

D.

determine business transaction volumes.

Buy Now
Questions 214

Stress testing should ideally be earned out under a:

Options:

A.

test environment with production workloads.

B.

production environment with production workloads.

C.

production environment with test data.

D.

test environment with test data.

Buy Now
Questions 215

Which of the following documents should specify roles and responsibilities within an IT audit organization?

Options:

A.

Organizational chart

B.

Audit charier

C.

Engagement letter

D.

Annual audit plan

Buy Now
Questions 216

In order to be useful, a key performance indicator (KPI) MUST

Options:

A.

be approved by management.

B.

be measurable in percentages.

C.

be changed frequently to reflect organizational strategy.

D.

have a target value.

Buy Now
Questions 217

Which of the following is the BEST method to safeguard data on an organization's laptop computers?

Options:

A.

Disabled USB ports

B.

Full disk encryption

C.

Biometric access control

D.

Two-factor authentication

Buy Now
Questions 218

Which of the following data would be used when performing a business impact analysis (BIA)?

Options:

A.

Projected impact of current business on future business

B.

Cost-benefit analysis of running the current business

C.

Cost of regulatory compliance

D.

Expected costs for recovering the business

Buy Now
Questions 219

Which of the following will be the MOST effective method to verify that a service vendor keeps control levels as required by the client?

Options:

A.

Conduct periodic on-site assessments using agreed-upon criteria.

B.

Periodically review the service level agreement (SLA) with the vendor.

C.

Conduct an unannounced vulnerability assessment of vendor's IT systems.

D.

Obtain evidence of the vendor's control self-assessment (CSA).

Buy Now
Questions 220

From an IS auditor's perspective, which of the following would be the GREATEST risk associated with an incomplete inventory of deployed software in an organization?

Options:

A.

Inability to close unused ports on critical servers

B.

Inability to identify unused licenses within the organization

C.

Inability to deploy updated security patches

D.

Inability to determine the cost of deployed software

Buy Now
Questions 221

An organization has partnered with a third party to transport backup drives to an offsite storage facility. Which of the following is MOST important before sending the drives?

Options:

A.

Creating a chain of custody to accompany the drive in transit

B.

Ensuring data protection is aligned with the data classification policy

C.

Encrypting the drive with strong protection standards

D.

Ensuring the drive is placed in a tamper-evident mechanism

Buy Now
Questions 222

During the implementation of a new system, an IS auditor must assess whether certain automated calculations comply with the regulatory requirements Which of the following is the BEST way to obtain this assurance?

Options:

A.

Review sign-off documentation

B.

Review the source code related to the calculation

C.

Re-perform the calculation with audit software

D.

Inspect user acceptance lest (UAT) results

Buy Now
Questions 223

A now regulation requires organizations to report significant security incidents to the regulator within 24 hours of identification. Which of the following is the IS auditor’s BEST recommendation to facilitate compliance with the regulation?

Options:

A.

Establish key performance indicators (KPls) for timely identification of security incidents.

B.

Engage an external security incident response expert for incident handling.

C.

Enhance the alert functionality of the intrusion detection system (IDS).

D.

Include the requirement in the incident management response plan.

Buy Now
Questions 224

Which of the following occurs during the issues management process for a system development project?

Options:

A.

Contingency planning

B.

Configuration management

C.

Help desk management

D.

Impact assessment

Buy Now
Questions 225

Which of the following is the PRIMARY role of the IS auditor m an organization's information classification process?

Options:

A.

Securing information assets in accordance with the classification assigned

B.

Validating that assets are protected according to assigned classification

C.

Ensuring classification levels align with regulatory guidelines

D.

Defining classification levels for information assets within the organization

Buy Now
Questions 226

An organization was recently notified by its regulatory body of significant discrepancies in its reporting data. A preliminary investigation revealed that the discrepancies were caused by problems with the organization's data quality Management has directed the data quality team to enhance their program. The audit committee has asked internal audit to be advisors to the process. To ensure that management concerns are addressed, which data set should internal audit recommend be reviewed FIRST?

Options:

A.

Data with customer personal information

B.

Data reported to the regulatory body

C.

Data supporting financial statements

D.

Data impacting business objectives

Buy Now
Questions 227

Which of the following provides the MOST protection against emerging threats?

Options:

A.

Demilitarized zone (DMZ)

B.

Heuristic intrusion detection system (IDS)

C.

Real-time updating of antivirus software

D.

Signature-based intrusion detection system (IDS)

Buy Now
Questions 228

The FIRST step in an incident response plan is to:

Options:

A.

validate the incident.

B.

notify the head of the IT department.

C.

isolate systems impacted by the incident.

D.

initiate root cause analysis.

Buy Now
Questions 229

An IS auditor engaged in developing the annual internal audit plan learns that the chief information officer (CIO) has requested there be no IS audits in the upcoming year as more time is needed to address a large number of recommendations from the previous year. Which of the following should the auditor do FIRST

Options:

A.

Escalate to audit management to discuss the audit plan

B.

Notify the chief operating officer (COO) and discuss the audit plan risks

C.

Exclude IS audits from the upcoming year's plan

D.

Increase the number of IS audits in the clan

Buy Now
Questions 230

Which of the following should be an IS auditor's GREATEST concern when a data owner assigns an incorrect classification level to data?

Options:

A.

Controls to adequately safeguard the data may not be applied.

B.

Data may not be encrypted by the system administrator.

C.

Competitors may be able to view the data.

D.

Control costs may exceed the intrinsic value of the IT asset.

Buy Now
Questions 231

Which of the following poses the GREATEST risk to an organization when employees use public social networking sites?

Options:

A.

Cross-site scripting (XSS)

B.

Copyright violations

C.

Social engineering

D.

Adverse posts about the organization

Buy Now
Questions 232

Which of the following should be of GREATEST concern to an IS auditor performing a review of information security controls?

Options:

A.

The information security policy has not been approved by the chief audit executive (CAE).

B.

The information security policy does not include mobile device provisions

C.

The information security policy is not frequently reviewed

D.

The information security policy has not been approved by the policy owner

Buy Now
Questions 233

One advantage of monetary unit sampling is the fact that

Options:

A.

results are stated m terms of the frequency of items in error

B.

it can easily be applied manually when computer resources are not available

C.

large-value population items are segregated and audited separately

D.

it increases the likelihood of selecting material items from the population

Buy Now
Questions 234

Which of the following tests would provide the BEST assurance that a health care organization is handling patient data appropriately?

Options:

A.

Compliance with action plans resulting from recent audits

B.

Compliance with local laws and regulations

C.

Compliance with industry standards and best practice

D.

Compliance with the organization's policies and procedures

Buy Now
Questions 235

In a 24/7 processing environment, a database contains several privileged application accounts with passwords set to never expire. Which of the following recommendations would BEST address the risk with minimal disruption to the business?

Options:

A.

Modify applications to no longer require direct access to the database.

B.

Introduce database access monitoring into the environment

C.

Modify the access management policy to make allowances for application accounts.

D.

Schedule downtime to implement password changes.

Buy Now
Questions 236

An organization allows employees to retain confidential data on personal mobile devices. Which of the following is the BEST recommendation to mitigate the risk of data leakage from lost or stolen devices?

Options:

A.

Require employees to attend security awareness training.

B.

Password protect critical data files.

C.

Configure to auto-wipe after multiple failed access attempts.

D.

Enable device auto-lock function.

Buy Now
Questions 237

During the evaluation of controls over a major application development project, the MOST effective use of an IS auditor's time would be to review and evaluate:

Options:

A.

application test cases.

B.

acceptance testing.

C.

cost-benefit analysis.

D.

project plans.

Buy Now
Questions 238

Which of the following is MOST useful for determining whether the goals of IT are aligned with the organization's goals?

Options:

A.

Balanced scorecard

B.

Enterprise dashboard

C.

Enterprise architecture (EA)

D.

Key performance indicators (KPIs)

Buy Now
Questions 239

Which of the following is the BEST source of information for assessing the effectiveness of IT process monitoring?

Options:

A.

Real-time audit software

B.

Performance data

C.

Quality assurance (QA) reviews

D.

Participative management techniques

Buy Now
Questions 240

Which of the following MOST effectively minimizes downtime during system conversions?

Options:

A.

Phased approach

B.

Direct cutover

C.

Pilot study

D.

Parallel run

Buy Now
Questions 241

Which of the following is the MOST effective control to mitigate unintentional misuse of authorized access?

Options:

A.

Annual sign-off of acceptable use policy

B.

Regular monitoring of user access logs

C.

Security awareness training

D.

Formalized disciplinary action

Buy Now
Questions 242

During an external review, an IS auditor observes an inconsistent approach in classifying system criticality within the organization. Which of the following should be recommended as the PRIMARY factor to determine system criticality?

Options:

A.

Key performance indicators (KPIs)

B.

Maximum allowable downtime (MAD)

C.

Recovery point objective (RPO)

D.

Mean time to restore (MTTR)

Buy Now
Questions 243

Which of the following is the BEST way to determine whether a test of a disaster recovery plan (DRP) was successful?

Options:

A.

Analyze whether predetermined test objectives were met.

B.

Perform testing at the backup data center.

C.

Evaluate participation by key personnel.

D.

Test offsite backup files.

Buy Now
Questions 244

In a small IT web development company where developers must have write access to production, the BEST recommendation of an IS auditor would be to:

Options:

A.

hire another person to perform migration to production.

B.

implement continuous monitoring controls.

C.

remove production access from the developers.

D.

perform a user access review for the development team

Buy Now
Questions 245

Which of the following documents would be MOST useful in detecting a weakness in segregation of duties?

Options:

A.

System flowchart

B.

Data flow diagram

C.

Process flowchart

D.

Entity-relationship diagram

Buy Now
Questions 246

Which of the following is MOST important to include in forensic data collection and preservation procedures?

Options:

A.

Assuring the physical security of devices

B.

Preserving data integrity

C.

Maintaining chain of custody

D.

Determining tools to be used

Buy Now
Questions 247

An IS auditor discovers an option in a database that allows the administrator to directly modify any table. This option is necessary to overcome bugs in the software, but is rarely used. Changes to tables are automatically logged. The IS auditor's FIRST action should be to:

Options:

A.

recommend that the option to directly modify the database be removed immediately.

B.

recommend that the system require two persons to be involved in modifying the database.

C.

determine whether the log of changes to the tables is backed up.

D.

determine whether the audit trail is secured and reviewed.

Buy Now
Questions 248

During an audit, the IS auditor finds that in many cases excessive rights were not removed from a system. Which of the following is the auditor's BEST recommendation?

Options:

A.

System administrators should ensure consistency of assigned rights.

B.

IT security should regularly revoke excessive system rights.

C.

Human resources (HR) should delete access rights of terminated employees.

D.

Line management should regularly review and request modification of access rights

Buy Now
Questions 249

For an organization that has plans to implement web-based trading, it would be MOST important for an IS auditor to verify the organization's information security plan includes:

Options:

A.

attributes for system passwords.

B.

security training prior to implementation.

C.

security requirements for the new application.

D.

the firewall configuration for the web server.

Buy Now
Questions 250

An organization with many desktop PCs is considering moving to a thin client architecture. Which of the following is the MAJOR advantage?

Options:

A.

The security of the desktop PC is enhanced.

B.

Administrative security can be provided for the client.

C.

Desktop application software will never have to be upgraded.

D.

System administration can be better managed

Buy Now
Questions 251

When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor's BEST recommendation is to place an intrusion detection system (IDS) between the firewall and:

Options:

A.

the organization's web server.

B.

the demilitarized zone (DMZ).

C.

the organization's network.

D.

the Internet

Buy Now
Questions 252

An organization has assigned two now IS auditors to audit a now system implementation. One of the auditors has an IT-related degree, and one has a business degree. Which ol the following is MOST important to meet the IS audit standard for proficiency?

Options:

A.

The standard is met as long as one member has a globally recognized audit certification.

B.

Technical co-sourcing must be used to help the new staff.

C.

Team member assignments must be based on individual competencies.

D.

The standard is met as long as a supervisor reviews the new auditors' work.

Buy Now
Questions 253

Upon completion of audit work, an IS auditor should:

Options:

A.

provide a report to senior management prior to discussion with the auditee.

B.

distribute a summary of general findings to the members of the auditing team.

C.

provide a report to the auditee stating the initial findings.

D.

review the working papers with the auditee.

Buy Now
Questions 254

When testing the adequacy of tape backup procedures, which step BEST verifies that regularly scheduled Backups are timely and run to completion?

Options:

A.

Observing the execution of a daily backup run

B.

Evaluating the backup policies and procedures

C.

Interviewing key personnel evolved In the backup process

D.

Reviewing a sample of system-generated backup logs

Buy Now
Questions 255

Which of the following concerns is BEST addressed by securing production source libraries?

Options:

A.

Programs are not approved before production source libraries are updated.

B.

Production source and object libraries may not be synchronized.

C.

Changes are applied to the wrong version of production source libraries.

D.

Unauthorized changes can be moved into production.

Buy Now
Questions 256

Following a security breach in which a hacker exploited a well-known vulnerability in the domain controller, an IS audit has been asked to conduct a control assessment. the auditor's BEST course of action would be to determine if:

Options:

A.

the patches were updated.

B.

The logs were monitored.

C.

The network traffic was being monitored.

D.

The domain controller was classified for high availability.

Buy Now
Questions 257

Which of the following is an example of a preventative control in an accounts payable system?

Options:

A.

The system only allows payments to vendors who are included In the system's master vendor list.

B.

Backups of the system and its data are performed on a nightly basis and tested periodically.

C.

The system produces daily payment summary reports that staff use to compare against invoice totals.

D.

Policies and procedures are clearly communicated to all members of the accounts payable department

Buy Now
Questions 258

To develop meaningful recommendations 'or findings, which of the following is MOST important 'or an IS auditor to determine and understand?

Options:

A.

Root cause

B.

Responsible party

C.

impact

D.

Criteria

Buy Now
Questions 259

Which of the following must be in place before an IS auditor initiates audit follow-up activities?

Options:

A.

Available resources for the activities included in the action plan

B.

A management response in the final report with a committed implementation date

C.

A heal map with the gaps and recommendations displayed in terms of risk

D.

Supporting evidence for the gaps and recommendations mentioned in the audit report

Buy Now
Questions 260

Which of the following is the MOST important reason to classify a disaster recovery plan (DRP) as confidential?

Options:

A.

Ensure compliance with the data classification policy.

B.

Protect the plan from unauthorized alteration.

C.

Comply with business continuity best practice.

D.

Reduce the risk of data leakage that could lead to an attack.

Buy Now
Questions 261

An organization plans to receive an automated data feed into its enterprise data warehouse from a third-party service provider. Which of the following would be the BEST way to prevent accepting bad data?

Options:

A.

Obtain error codes indicating failed data feeds.

B.

Purchase data cleansing tools from a reputable vendor.

C.

Appoint data quality champions across the organization.

D.

Implement business rules to reject invalid data.

Buy Now
Questions 262

An organization recently implemented a cloud document storage solution and removed the ability for end users to save data to their local workstation hard drives. Which of the following findings should be the IS auditor's GREATEST concern?

Options:

A.

Users are not required to sign updated acceptable use agreements.

B.

Users have not been trained on the new system.

C.

The business continuity plan (BCP) was not updated.

D.

Mobile devices are not encrypted.

Buy Now
Questions 263

Which of the following should be of MOST concern to an IS auditor reviewing the public key infrastructure (PKI) for enterprise email?

Options:

A.

The certificate revocation list has not been updated.

B.

The PKI policy has not been updated within the last year.

C.

The private key certificate has not been updated.

D.

The certificate practice statement has not been published

Buy Now
Questions 264

An IS auditor learns the organization has experienced several server failures in its distributed environment. Which of the following is the BEST recommendation to limit the potential impact of server failures in the future?

Options:

A.

Redundant pathways

B.

Clustering

C.

Failover power

D.

Parallel testing

Buy Now
Questions 265

IT disaster recovery time objectives (RTOs) should be based on the:

Options:

A.

maximum tolerable loss of data.

B.

nature of the outage

C.

maximum tolerable downtime (MTD).

D.

business-defined criticality of the systems.

Buy Now
Questions 266

An information systems security officer's PRIMARY responsibility for business process applications is to:

Options:

A.

authorize secured emergency access

B.

approve the organization's security policy

C.

ensure access rules agree with policies

D.

create role-based rules for each business process

Buy Now
Questions 267

Which of the following provides the MOST assurance over the completeness and accuracy ol loan application processing with respect to the implementation of a new system?

Options:

A.

Comparing code between old and new systems

B.

Running historical transactions through the new system

C.

Reviewing quality assurance (QA) procedures

D.

Loading balance and transaction data to the new system

Buy Now
Questions 268

Which of the following should an IS auditor consider FIRST when evaluating firewall rules?

Options:

A.

The organization's security policy

B.

The number of remote nodes

C.

The firewalls' default settings

D.

The physical location of the firewalls

Buy Now
Questions 269

Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system. Which of the following is the IS auditor's BEST recommendation for a compensating control?

Options:

A.

Require written authorization for all payment transactions

B.

Restrict payment authorization to senior staff members.

C.

Reconcile payment transactions with invoices.

D.

Review payment transaction history

Buy Now
Questions 270

When auditing the alignment of IT to the business strategy, it is MOST Important for the IS auditor to:

Options:

A.

compare the organization's strategic plan against industry best practice.

B.

interview senior managers for their opinion of the IT function.

C.

ensure an IT steering committee is appointed to monitor new IT projects.

D.

evaluate deliverables of new IT initiatives against planned business services.

Buy Now
Questions 271

During a follow-up audit, it was found that a complex security vulnerability of low risk was not resolved within the agreed-upon timeframe. IT has stated that the system with the identified vulnerability is being replaced and is expected to be fully functional in two months Which of the following is the BEST course of action?

Options:

A.

Require documentation that the finding will be addressed within the new system

B.

Schedule a meeting to discuss the issue with senior management

C.

Perform an ad hoc audit to determine if the vulnerability has been exploited

D.

Recommend the finding be resolved prior to implementing the new system

Buy Now
Questions 272

An organization has recently implemented a Voice-over IP (VoIP) communication system. Which ot the following should be the IS auditor's PRIMARY concern?

Options:

A.

A single point of failure for both voice and data communications

B.

Inability to use virtual private networks (VPNs) for internal traffic

C.

Lack of integration of voice and data communications

D.

Voice quality degradation due to packet toss

Buy Now
Questions 273

During an audit of a multinational bank's disposal process, an IS auditor notes several findings. Which of the following should be the auditor's GREATEST concern?

Options:

A.

Backup media are not reviewed before disposal.

B.

Degaussing is used instead of physical shredding.

C.

Backup media are disposed before the end of the retention period

D.

Hardware is not destroyed by a certified vendor.

Buy Now
Questions 274

Retention periods and conditions for the destruction of personal data should be determined by the.

Options:

A.

risk manager.

B.

database administrator (DBA).

C.

privacy manager.

D.

business owner.

Buy Now
Questions 275

Which of the following is the MOST important control for virtualized environments?

Options:

A.

Regular updates of policies for the operation of the virtualized environment

B.

Hardening for the hypervisor and guest machines

C.

Redundancy of hardware resources and network components

D.

Monitoring utilization of resources at the guest operating system level

Buy Now
Questions 276

Which of the following is the PRIMARY basis on which audit objectives are established?

Options:

A.

Audit risk

B.

Consideration of risks

C.

Assessment of prior audits

D.

Business strategy

Buy Now
Questions 277

An organization's security team created a simulated production environment with multiple vulnerable applications. What would be the PRIMARY purpose of creating such an environment?

Options:

A.

To test the intrusion detection system (IDS)

B.

To provide training to security managers

C.

To collect digital evidence of cyberattacks

D.

To attract attackers in order to study their behavior

Buy Now
Questions 278

Which of the following will be the MOST effective method to verify that a service vendor keeps control levels as required by the client?

Options:

A.

Conduct periodic onsite assessments using agreed-upon criteria.

B.

Conduct an unannounced vulnerability assessment of the vendor’s IT systems.

C.

Periodically review the service level agreement (SLA) with the vendor.

D.

Obtain evidence of the vendor's control self-assessment (CSA).

Buy Now
Questions 279

Which of the following BEST enables an IS auditor to combine and compare access control lists from various applications and devices?

Options:

A.

Integrated test facility (ITF)

B.

Snapshots

C.

Data analytics

D.

Audit hooks

Buy Now
Questions 280

An IS auditor has been asked to audit the proposed acquisition of new computer hardware. The auditor’s PRIMARY concern Is that:

Options:

A.

the implementation plan meets user requirements.

B.

a full, visible audit trail will be Included.

C.

a dear business case has been established.

D.

the new hardware meets established security standards

Buy Now
Questions 281

An IS auditor is reviewing an industrial control system (ICS) that uses older unsupported technology in the scope of an upcoming audit. What should the auditor consider the MOST significant concern?

Options:

A.

Attack vectors are evolving for industrial control systems.

B.

There is a greater risk of system exploitation.

C.

Disaster recovery plans (DRPs) are not in place.

D.

Technical specifications are not documented.

Buy Now
Questions 282

Which of the following activities would allow an IS auditor to maintain independence while facilitating a control sell-assessment (CSA)?

Options:

A.

Implementing the remediation plan

B.

Partially completing the CSA

C.

Developing the remediation plan

D.

Developing the CSA questionnaire

Buy Now
Questions 283

The BEST way to determine whether programmers have permission to alter data in the production environment is by reviewing:

Options:

A.

the access control system's log settings.

B.

how the latest system changes were implemented.

C.

the access control system's configuration.

D.

the access rights that have been granted.

Buy Now
Questions 284

Which of the following would be an appropriate role of internal audit in helping to establish an organization’s privacy program?

Options:

A.

Analyzing risks posed by new regulations

B.

Developing procedures to monitor the use of personal data

C.

Defining roles within the organization related to privacy

D.

Designing controls to protect personal data

Buy Now
Questions 285

Which of the following is the BEST control lo mitigate attacks that redirect Internet traffic to an unauthorized website?

Options:

A.

Utilize a network-based firewall.

B.

Conduct regular user security awareness training.

C.

Perform domain name system (DNS) server security hardening.

D.

Enforce a strong password policy meeting complexity requirement.

Buy Now
Questions 286

Which of the following controls BEST ensures appropriate segregation of duties within an accounts payable department?

Options:

A.

Restricting program functionality according to user security profiles

B.

Restricting access to update programs to accounts payable staff only

C.

Including the creator’s user ID as a field in every transaction record created

D.

Ensuring that audit trails exist for transactions

Buy Now
Questions 287

An IS auditor finds that application servers had inconsistent security settings leading to potential vulnerabilities. Which of the following is the BEST recommendation by the IS auditor?

Options:

A.

Improve the change management process

B.

Establish security metrics.

C.

Perform a penetration test

D.

Perform a configuration review

Buy Now
Questions 288

During a follow-up audit, an IS auditor finds that some critical recommendations have the IS auditor's BEST course of action?

Options:

A.

Require the auditee to address the recommendations in full.

B.

Adjust the annual risk assessment accordingly.

C.

Evaluate senior management's acceptance of the risk.

D.

Update the audit program based on management's acceptance of risk.

Buy Now
Questions 289

An IS auditor plans to review all access attempts to a video-monitored and proximity card-controlled communications room. Which of the following would be MOST useful to the auditor?

Options:

A.

Alarm system with CCTV

B.

Access control log

C.

Security incident log

D.

Access card allocation records

Buy Now
Questions 290

Which of the following is a corrective control?

Options:

A.

Separating equipment development testing and production

B.

Verifying duplicate calculations in data processing

C.

Reviewing user access rights for segregation

D.

Executing emergency response plans

Buy Now
Questions 291

Which of the following is MOST important for an IS auditor to determine during the detailed design phase of a system development project?

Options:

A.

Program coding standards have been followed

B.

Acceptance test criteria have been developed

C.

Data conversion procedures have been established.

D.

The design has been approved by senior management.

Buy Now
Questions 292

Which of the following would BEST ensure that a backup copy is available for restoration of mission critical data after a disaster''

Options:

A.

Use an electronic vault for incremental backups

B.

Deploy a fully automated backup maintenance system.

C.

Periodically test backups stored in a remote location

D.

Use both tape and disk backup systems

Buy Now
Questions 293

An organization is concerned about duplicate vendor payments on a complex system with a high volume of transactions. Which of the following would be MOST helpful to an IS auditor to determine whether duplicate vendor payments exist?

Options:

A.

Computer-assisted technique

B.

Stratified sampling

C.

Statistical sampling

D.

Process walk-through

Buy Now
Questions 294

Which of the following would BEST indicate the effectiveness of a security awareness training program?

Options:

A.

Results of third-party social engineering tests

B.

Employee satisfaction with training

C.

Increased number of employees completing training

D.

Reduced unintentional violations

Buy Now
Questions 295

Which of the following is the MOST important prerequisite for implementing a data loss prevention (DLP) tool?

Options:

A.

Requiring users to save files in secured folders instead of a company-wide shared drive

B.

Reviewing data transfer logs to determine historical patterns of data flow

C.

Developing a DLP policy and requiring signed acknowledgment by users

D.

Identifying where existing data resides and establishing a data classification matrix

Buy Now
Questions 296

Which of the following BEST enables alignment of IT with business objectives?

Options:

A.

Benchmarking against peer organizations

B.

Developing key performance indicators (KPIs)

C.

Completing an IT risk assessment

D.

Leveraging an IT governance framework

Buy Now
Questions 297

Which of the following is a method to prevent disclosure of classified documents printed on a shared printer?

Options:

A.

Using passwords to allow authorized users to send documents to the printer

B.

Requiring a key code to be entered on the printer to produce hard copy

C.

Encrypting the data stream between the user's computer and the printer

D.

Producing a header page with classification level for printed documents

Buy Now
Questions 298

An auditee disagrees with a recommendation for corrective action that appears in the draft engagement report. Which of the following is the IS auditor's BEST course of action when preparing the final report?

Options:

A.

Come to an agreement prior to issuing the final report.

B.

Include the position supported by senior management in the final engagement report

C.

Ensure the auditee's comments are included in the working papers

D.

Exclude the disputed recommendation from the final engagement report

Buy Now
Questions 299

Which of the following is MOST important for an IS auditor to validate when auditing network device management?

Options:

A.

Devices cannot be accessed through service accounts.

B.

Backup policies include device configuration files.

C.

All devices have current security patches assessed.

D.

All devices are located within a protected network segment.

Buy Now
Questions 300

An IS auditor finds that while an organization's IT strategy is heavily focused on research and development, the majority of protects n the IT portfolio focus on operations and maintenance. Which of the Mowing is the BEST recommendation?

Options:

A.

Align the IT strategy will business objectives

B.

Review priorities in the IT portfolio

C.

Change the IT strategy to focus on operational excellence.

D.

Align the IT portfolio with the IT strategy.

Buy Now
Questions 301

An organization is planning to implement a work-from-home policy that allows users to work remotely as needed. Which of the following is the BEST solution for ensuring secure remote access to corporate resources?

Options:

A.

Additional firewall rules

B.

Multi-factor authentication

C.

Virtual private network (VPN)

D.

Virtual desktop

Buy Now
Questions 302

The BEST way to prevent fraudulent payments is to implement segregation of duties between the vendor setup and:

Options:

A.

payment processing.

B.

payroll processing.

C.

procurement.

D.

product registration.

Buy Now
Questions 303

Which of the following is the BEST way to address potential data privacy concerns associated with inadvertent disclosure of machine identifier information contained within security logs?

Options:

A.

Unit the use of logs to only those purposes for which they were collected

B.

Restrict the transfer of log files from host machine to online storage

C.

Only collect logs from servers classified as business critical

D.

Limit log collection to only periods of increased security activity

Buy Now
Questions 304

Which of the following is MOST useful to an IS auditor performing a review of access controls for a document management system?

Options:

A.

Policies and procedures for managing documents provided by department heads

B.

A system-generated list of staff and their project assignments. roles, and responsibilities

C.

Previous audit reports related to other departments' use of the same system

D.

Information provided by the audit team lead an the authentication systems used by the department

Buy Now
Questions 305

Which of the following methods will BEST reduce the risk associated with the transition to a new system using technologies that are not compatible with the old system?

Options:

A.

Parallel changeover

B.

Modular changeover

C.

Phased operation

D.

Pilot operation

Buy Now
Questions 306

An IS auditor is reviewing a data conversion project Which of the following is the auditor's BEST recommendation prior to go-live?

Options:

A.

Review test procedures and scenarios

B.

Conduct a mock conversion test

C.

Establish a configuration baseline

D.

Automate the test scripts

Buy Now
Questions 307

A financial group recently implemented new technologies and processes, Which type of IS audit would provide the GREATEST level of assurance that the department's objectives have been met?

Options:

A.

Performance audit

B.

Integrated audit

C.

Cyber audit

D.

Financial audit

Buy Now
Questions 308

The PRIMARY purpose of a configuration management system is to:

Options:

A.

track software updates.

B.

define baselines for software.

C.

support the release procedure.

D.

standardize change approval.

Buy Now
Questions 309

Which of the following is the BEST way to verify the effectiveness of a data restoration process?

Options:

A.

Performing periodic reviews of physical access to backup media

B.

Performing periodic complete data restorations

C.

Validating off ne backups using software utilities

D.

Reviewing and updating data restoration policies annually

Buy Now
Questions 310

What should an IS auditor do FIRST upon discovering that a service provider did not notify its customers of a security breach?

Options:

A.

Notify law enforcement of the finding.

B.

Require the third party to notify customers.

C.

The audit report with a significant finding.

D.

Notify audit management of the finding.

Buy Now
Questions 311

During audit framework. an IS auditor teams that employees are allowed to connect their personal devices to company-owned computers. How can the auditor BEST validate that appropriate security controls are in place to prevent data loss?

Options:

A.

Conduct a walk-through to view results of an employee plugging in a device to transfer confidential data.

B.

Review compliance with data loss and applicable mobile device user acceptance policies.

C.

Verify the data loss prevention (DLP) tool is properly configured by the organization.

D.

Verify employees have received appropriate mobile device security awareness training.

Buy Now
Questions 312

An IS auditor notes that the previous year's disaster recovery test was not completed within the scheduled time frame due to insufficient hardware allocated by a third-party vendor. Which of the following provides the BEST evidence that adequate resources are now allocated to successfully recover the systems?

Options:

A.

Service level agreement (SLA)

B.

Hardware change management policy

C.

Vendor memo indicating problem correction

D.

An up-to-date RACI chart

Buy Now
Questions 313

During the planning phase of a data loss prevention (DLP) audit, management expresses a concern about mobile computing. Which of the following should the IS auditor identity as the associated risk?

Options:

A.

The use of the cloud negatively impacting IT availably

B.

Increased need for user awareness training

C.

Increased vulnerability due to anytime, anywhere accessibility

D.

Lack of governance and oversight for IT infrastructure and applications

Buy Now
Questions 314

An IS auditor concludes that an organization has a quality security policy. Which of the following is MOST important to determine next? The policy must be:

Options:

A.

well understood by all employees.

B.

based on industry standards.

C.

developed by process owners.

D.

updated frequently.

Buy Now
Questions 315

A month after a company purchased and implemented system and performance monitoring software, reports were too large and therefore were not reviewed or acted upon The MOST effective plan of action would be to:

Options:

A.

evaluate replacement systems and performance monitoring software.

B.

restrict functionality of system monitoring software to security-related events.

C.

re-install the system and performance monitoring software.

D.

use analytical tools to produce exception reports from the system and performance monitoring software

Buy Now
Questions 316

Which of the following would be an appropriate rote of internal audit in helping to establish an organization's privacy program?

Options:

A.

Analyzing risks posed by new regulations

B.

Designing controls to protect personal data

C.

Defining roles within the organization related to privacy

D.

Developing procedures to monitor the use of personal data

Buy Now
Questions 317

Which of the following Is the BEST way to ensure payment transaction data is restricted to the appropriate users?

Options:

A.

Implementing two-factor authentication

B.

Restricting access to transactions using network security software

C.

implementing role-based access at the application level

D.

Using a single menu tor sensitive application transactions

Buy Now
Questions 318

Which of the following would be of MOST concern for an IS auditor evaluating the design of an organization's incident management processes?

Options:

A.

Service management standards are not followed.

B.

Expected time to resolve incidents is not specified.

C.

Metrics are not reported to senior management.

D.

Prioritization criteria are not defined.

Buy Now
Questions 319

While auditing a small organization's data classification processes and procedures, an IS auditor noticed that data is often classified at the incorrect level. What is the MOST effective way for the organization to improve this situation?

Options:

A.

Use automatic document classification based on content.

B.

Have IT security staff conduct targeted training for data owners.

C.

Publish the data classification policy on the corporate web portal.

D.

Conduct awareness presentations and seminars for information classification policies.

Buy Now
Questions 320

Which of the following is the BEST way for an organization to mitigate the risk associated with third-party application performance?

Options:

A.

Ensure the third party allocates adequate resources to meet requirements.

B.

Use analytics within the internal audit function

C.

Conduct a capacity planning exercise

D.

Utilize performance monitoring tools to verify service level agreements (SLAs)

Buy Now
Questions 321

Which of the following are BEST suited for continuous auditing?

Options:

A.

Low-value transactions

B.

Real-lime transactions

C.

Irregular transactions

D.

Manual transactions

Buy Now
Questions 322

Which of the following types of firewalls provide the GREATEST degree of control against hacker intrusion?

Options:

A.

Circuit gateway

B.

Application level gateway

C.

Packet filtering router

D.

Screening router

Buy Now
Questions 323

Which of the following is the MAIN purpose of an information security management system?

Options:

A.

To identify and eliminate the root causes of information security incidents

B.

To enhance the impact of reports used to monitor information security incidents

C.

To keep information security policies and procedures up-to-date

D.

To reduce the frequency and impact of information security incidents

Buy Now
Questions 324

An IS auditor is evaluating the risk associated with moving from one database management system (DBMS) to another. Which of the following would be MOST helpful to ensure the integrity of the system throughout the change?

Options:

A.

Preserving the same data classifications

B.

Preserving the same data inputs

C.

Preserving the same data structure

D.

Preserving the same data interfaces

Buy Now
Questions 325

An IS auditor is conducting a review of a data center. Which of the following observations could indicate an access control Issue?

Options:

A.

Security cameras deployed outside main entrance

B.

Antistatic mats deployed at the computer room entrance

C.

Muddy footprints directly inside the emergency exit

D.

Fencing around facility is two meters high

Buy Now
Questions 326

Which of the following provides IS audit professionals with the BEST source of direction for performing audit functions?

Options:

A.

Audit charter

B.

IT steering committee

C.

Information security policy

D.

Audit best practices

Buy Now
Questions 327

An organization has developed mature risk management practices that are followed across all departments What is the MOST effective way for the audit team to leverage this risk management maturity?

Options:

A.

Implementing risk responses on management's behalf

B.

Integrating the risk register for audit planning purposes

C.

Providing assurances to management regarding risk

D.

Facilitating audit risk identification and evaluation workshops

Buy Now
Questions 328

Which of the following environments is BEST used for copying data and transformation into a compatible data warehouse format?

Options:

A.

Testing

B.

Replication

C.

Staging

D.

Development

Buy Now
Questions 329

Which of the following business continuity activities prioritizes the recovery of critical functions?

Options:

A.

Business continuity plan (BCP) testing

B.

Business impact analysis (BIA)

C.

Disaster recovery plan (DRP) testing

D.

Risk assessment

Buy Now
Questions 330

An IS auditor is reviewing security controls related to collaboration tools for a business unit responsible for intellectual property and patents. Which of the following observations should be of MOST concern to the auditor?

Options:

A.

Training was not provided to the department that handles intellectual property and patents

B.

Logging and monitoring for content filtering is not enabled.

C.

Employees can share files with users outside the company through collaboration tools.

D.

The collaboration tool is hosted and can only be accessed via an Internet browser

Buy Now
Questions 331

Which of the following is MOST important for an IS auditor to consider when performing the risk assessment poor to an audit engagement?

Options:

A.

The design of controls

B.

Industry standards and best practices

C.

The results of the previous audit

D.

The amount of time since the previous audit

Buy Now
Questions 332

Which of the following BEST protects an organization's proprietary code during a joint-development activity involving a third party?

Options:

A.

Statement of work (SOW)

B.

Nondisclosure agreement (NDA)

C.

Service level agreement (SLA)

D.

Privacy agreement

Buy Now
Questions 333

An IS auditor has completed the fieldwork phase of a network security review and is preparing the initial following findings should be ranked as the HIGHEST risk?

Options:

A.

Network penetration tests are not performed

B.

The network firewall policy has not been approved by the information security officer.

C.

Network firewall rules have not been documented.

D.

The network device inventory is incomplete.

Buy Now
Questions 334

A warehouse employee of a retail company has been able to conceal the theft of inventory items by entering adjustments of either damaged or lost stock items lo the inventory system. Which control would have BEST prevented this type of fraud in a retail environment?

Options:

A.

Separate authorization for input of transactions

B.

Statistical sampling of adjustment transactions

C.

Unscheduled audits of lost stock lines

D.

An edit check for the validity of the inventory transaction

Buy Now
Questions 335

Which of the following should be the PRIMARY focus for any network design that deploys a Zero Trust architecture?

Options:

A.

Protecting network segments

B.

Protecting technology resources

C.

Maintaining network router operating system versions

D.

Ensuring a vendor-agnostic environment

Buy Now
Questions 336

An organization is implementing a new system that supports a month-end business process. Which of the following implementation strategies would be MOST efficient to decrease business downtime?

Options:

A.

Big bang

B.

Phased

C.

Cutover

D.

Parallel

Buy Now
Questions 337

Which of the following is the MOST effective control over visitor access to highly secured areas?

Options:

A.

Visitors are required to be escorted by authorized personnel.

B.

Visitors are required to use biometric authentication.

C.

Visitors are monitored online by security cameras

D.

Visitors are required to enter through dead-man doors.

Buy Now
Questions 338

Which of the following should be done FIRST when planning to conduct internal and external penetration testing for a client?

Options:

A.

Establish the timing of testing.

B.

Identify milestones.

C.

Determine the test reporting

D.

Establish the rules of engagement.

Buy Now
Questions 339

Which of the following approaches would utilize data analytics to facilitate the testing of a new account creation process?

Options:

A.

Attempt to submit new account applications with invalid dates of birth.

B.

Review the business requirements document for date of birth field requirements.

C.

Review new account applications submitted in the past month for invalid dates of birth.

D.

Evaluate configuration settings for the date of birth field requirements

Buy Now
Questions 340

An IS auditor reviewing the database controls for a new e-commerce system discovers a security weakness in the database configuration. Which of the following should be the IS auditor's NEXT course of action?

Options:

A.

Identify existing mitigating controls.

B.

Disclose the findings to senior management.

C.

Assist in drafting corrective actions.

D.

Attempt to exploit the weakness.

Buy Now
Questions 341

Which of the following is an IS auditor's BEST recommendation to mitigate the risk of eavesdropping

associated with an application programming interface (API) integration implementation?

Options:

A.

Encrypt the extensible markup language (XML) file.

B.

Implement Transport Layer Security (TLS).

C.

Implement Simple Object Access Protocol (SOAP).

D.

Mask the API endpoints.

Buy Now
Questions 342

An organization has virtualized its server environment without making any other changes to the network or security infrastructure. Which of the following is the MOST significant risk?

Options:

A.

Inability of the network intrusion detection system (IDS) to monitor virtual server-lo-server communications

B.

Vulnerability in the virtualization platform affecting multiple hosts

C.

Data center environmental controls not aligning with new configuration

D.

System documentation not being updated to reflect changes in the environment

Buy Now
Questions 343

An IS auditor follows up on a recent security incident and finds the incident response was not adequate. Which of the following findings should be considered MOST critical?

Options:

A.

The security weakness facilitating the attack was not identified.

B.

The attack was not automatically blocked by the intrusion detection system (IDS).

C.

The attack could not be traced back to the originating person.

D.

Appropriate response documentation was not maintained.

Buy Now
Questions 344

Which of the following is the MOST efficient way to identify segregation of duties violations in a new system?

Options:

A.

Review a report of security rights in the system.

B.

Observe the performance of business processes.

C.

Develop a process to identify authorization conflicts.

D.

Examine recent system access rights violations.

Buy Now
Questions 345

Which of the following is the GREATEST risk of using a reciprocal site for disaster recovery?

Options:

A.

Inability to utilize the site when required

B.

Inability to test the recovery plans onsite

C.

Equipment compatibility issues at the site

D.

Mismatched organizational security policies

Buy Now
Questions 346

When verifying the accuracy and completeness of migrated data for a new application system replacing a legacy system. It is MOST effective for an IS auditor to review;

Options:

A.

data analytics findings.

B.

audit trails

C.

acceptance lasting results

D.

rollback plans

Buy Now
Questions 347

An IS auditor discovers that an IT organization serving several business units assigns equal priority to all initiatives, creating a risk of delays in securing project funding Which of the following would be MOST helpful in matching demand for projects and services with available resources in a way that supports business objectives?

Options:

A.

Project management

B.

Risk assessment results

C.

IT governance framework

D.

Portfolio management

Buy Now
Questions 348

Which of the following BEST enables the effectiveness of an agile project for the rapid development of a new software application?

Options:

A.

Project segments are established.

B.

The work is separated into phases.

C.

The work is separated into sprints.

D.

Project milestones are created.

Buy Now
Questions 349

Which of the following is the BEST way to mitigate the risk associated with unintentional modifications of complex calculations in end-user computing (EUC)?

Options:

A.

Have an independent party review the source calculations

B.

Execute copies of EUC programs out of a secure library

C.

implement complex password controls

D.

Verify EUC results through manual calculations

Buy Now
Questions 350

An IS auditor assessing the controls within a newly implemented call center would First

Options:

A.

gather information from the customers regarding response times and quality of service.

B.

review the manual and automated controls in the call center.

C.

test the technical infrastructure at the call center.

D.

evaluate the operational risk associated with the call center.

Buy Now
Questions 351

Which of the following is the MOST effective way for an organization to help ensure agreed-upon action plans from an IS audit will be implemented?

Options:

A.

Ensure sufficient audit resources are allocated,

B.

Communicate audit results organization-wide.

C.

Ensure ownership is assigned.

D.

Test corrective actions upon completion.

Buy Now
Questions 352

Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?

Options:

A.

Apply single sign-on for access control

B.

Implement segregation of duties.

C.

Enforce an internal data access policy.

D.

Enforce the use of digital signatures.

Buy Now
Questions 353

An externally facing system containing sensitive data is configured such that users have either read-only or administrator rights. Most users of the system have administrator access. Which of the following is the GREATEST risk associated with this situation?

Options:

A.

Users can export application logs.

B.

Users can view sensitive data.

C.

Users can make unauthorized changes.

D.

Users can install open-licensed software.

Buy Now
Questions 354

An IS auditor is reviewing the installation of a new server. The IS auditor's PRIMARY objective is to ensure that

Options:

A.

security parameters are set in accordance with the manufacturer s standards.

B.

a detailed business case was formally approved prior to the purchase.

C.

security parameters are set in accordance with the organization's policies.

D.

the procurement project invited lenders from at least three different suppliers.

Buy Now
Questions 355

The PRIMARY objective of value delivery in reference to IT governance is to:

Options:

A.

promote best practices

B.

increase efficiency.

C.

optimize investments.

D.

ensure compliance.

Buy Now
Questions 356

Which of the following is the BEST way to ensure that an application is performing according to its specifications?

Options:

A.

Unit testing

B.

Pilot testing

C.

System testing

D.

Integration testing

Buy Now
Questions 357

Which of the following would BEST enable an organization to address the security risks associated with a recently implemented bring your own device (BYOD) strategy?

Options:

A.

Mobile device tracking program

B.

Mobile device upgrade program

C.

Mobile device testing program

D.

Mobile device awareness program

Buy Now
Questions 358

An organization is disposing of a system containing sensitive data and has deleted all files from the hard disk. An IS auditor should be concerned because:

Options:

A.

deleted data cannot easily be retrieved.

B.

deleting the files logically does not overwrite the files' physical data.

C.

backup copies of files were not deleted as well.

D.

deleting all files separately is not as efficient as formatting the hard disk.

Buy Now
Questions 359

Which of the following is MOST important when planning a network audit?

Options:

A.

Determination of IP range in use

B.

Analysis of traffic content

C.

Isolation of rogue access points

D.

Identification of existing nodes

Buy Now
Questions 360

Which of the following types of environmental equipment will MOST likely be deployed below the floor tiles of a data center?

Options:

A.

Temperature sensors

B.

Humidity sensors

C.

Water sensors

D.

Air pressure sensors

Buy Now
Questions 361

A credit card company has decided to outsource the printing of customer statements It Is MOST important for the company to verify whether:

Options:

A.

the provider has alternate service locations.

B.

the contract includes compensation for deficient service levels.

C.

the provider's information security controls are aligned with the company's.

D.

the provider adheres to the company's data retention policies.

Buy Now
Questions 362

An IS auditor has been asked to advise on measures to improve IT governance within the organization. Which at the following is the BEST recommendation?

Options:

A.

Implement key performance indicators (KPIs)

B.

Implement annual third-party audits.

C.

Benchmark organizational performance against industry peers.

D.

Require executive management to draft IT strategy

Buy Now
Questions 363

Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization's information security policy?

Options:

A.

IT steering committee minutes

B.

Business objectives

C.

Alignment with the IT tactical plan

D.

Compliance with industry best practice

Buy Now
Questions 364

An IS auditor finds that one employee has unauthorized access to confidential data. The IS auditor's BEST recommendation should be to:

Options:

A.

reclassify the data to a lower level of confidentiality

B.

require the business owner to conduct regular access reviews.

C.

implement a strong password schema for users.

D.

recommend corrective actions to be taken by the security administrator.

Buy Now
Questions 365

Which of the following features of a library control software package would protect against unauthorized updating of source code?

Options:

A.

Required approvals at each life cycle step

B.

Date and time stamping of source and object code

C.

Access controls for source libraries

D.

Release-to-release comparison of source code

Buy Now
Questions 366

What Is the BEST method to determine if IT resource spending is aligned with planned project spending?

Options:

A.

Earned value analysis (EVA)

B.

Return on investment (ROI) analysis

C.

Gantt chart

D.

Critical path analysis

Buy Now
Questions 367

An IS auditor reviewing security incident processes realizes incidents are resolved and closed, but root causes are not investigated. Which of the following should be the MAJOR concern with this situation?

Options:

A.

Abuses by employees have not been reported.

B.

Lessons learned have not been properly documented

C.

vulnerabilities have not been properly addressed

D.

Security incident policies are out of date.

Buy Now
Questions 368

An organization has outsourced the development of a core application. However, the organization plans to bring the support and future maintenance of the application back in-house. Which of the following findings should be the IS auditor's GREATEST concern?

Options:

A.

The cost of outsourcing is lower than in-house development.

B.

The vendor development team is located overseas.

C.

A training plan for business users has not been developed.

D.

The data model is not clearly documented.

Buy Now
Questions 369

In response to an audit finding regarding a payroll application, management implemented a new automated control. Which of the following would be MOST helpful to the IS auditor when evaluating the effectiveness of the new control?

Options:

A.

Approved test scripts and results prior to implementation

B.

Written procedures defining processes and controls

C.

Approved project scope document

D.

A review of tabletop exercise results

Buy Now
Questions 370

Which of the following is MOST critical for the effective implementation of IT governance?

Options:

A.

Strong risk management practices

B.

Internal auditor commitment

C.

Supportive corporate culture

D.

Documented policies

Buy Now
Questions 371

A system administrator recently informed the IS auditor about the occurrence of several unsuccessful intrusion attempts from outside the organization. Which of the following is MOST effective in detecting such an intrusion?

Options:

A.

Using smart cards with one-time passwords

B.

Periodically reviewing log files

C.

Configuring the router as a firewall

D.

Installing biometrics-based authentication

Buy Now
Questions 372

During a security audit, an IS auditor is tasked with reviewing log entries obtained from an enterprise intrusion prevention system (IPS). Which type of risk would be associated with the potential for the auditor to miss a sequence of logged events that could indicate an error in the IPS configuration?

Options:

A.

Sampling risk

B.

Detection risk

C.

Control risk

D.

Inherent risk

Buy Now
Questions 373

Which of the following provides the BEST providence that outsourced provider services are being properly managed?

Options:

A.

The service level agreement (SLA) includes penalties for non-performance.

B.

Adequate action is taken for noncompliance with the service level agreement (SLA).

C.

The vendor provides historical data to demonstrate its performance.

D.

Internal performance standards align with corporate strategy.

Buy Now
Questions 374

Which of the following would be MOST useful when analyzing computer performance?

Options:

A.

Statistical metrics measuring capacity utilization

B.

Operations report of user dissatisfaction with response time

C.

Tuning of system software to optimize resource usage

D.

Report of off-peak utilization and response time

Buy Now
Questions 375

Which of the following is the BEST metric to measure the alignment of IT and business strategy?

Options:

A.

Level of stakeholder satisfaction with the scope of planned IT projects

B.

Percentage of enterprise risk assessments that include IT-related risk

C.

Percentage of stat satisfied with their IT-related roles

D.

Frequency of business process capability maturity assessments

Buy Now
Questions 376

An IS auditor is reviewing documentation of application systems change control and identifies several patches that were not tested before being put into production. Which of the following is the MOST significant risk from this situation?

Options:

A.

Loss of application support

B.

Lack of system integrity

C.

Outdated system documentation

D.

Developer access 1o production

Buy Now
Questions 377

Which of the following application input controls would MOST likely detect data input errors in the customer account number field during the processing of an accounts receivable transaction?

Options:

A.

Limit check

B.

Parity check

C.

Reasonableness check

D.

Validity check

Buy Now
Questions 378

Which of the following is the BEST way to ensure that business continuity plans (BCPs) will work effectively in the event of a major disaster?

Options:

A.

Prepare detailed plans for each business function.

B.

Involve staff at all levels in periodic paper walk-through exercises.

C.

Regularly update business impact assessments.

D.

Make senior managers responsible for their plan sections.

Buy Now
Questions 379

Which of the following BEST facilitates the legal process in the event of an incident?

Options:

A.

Right to perform e-discovery

B.

Advice from legal counsel

C.

Preserving the chain of custody

D.

Results of a root cause analysis

Buy Now
Questions 380

Which of the following would MOST effectively help to reduce the number of repealed incidents in an organization?

Options:

A.

Testing incident response plans with a wide range of scenarios

B.

Prioritizing incidents after impact assessment.

C.

Linking incidents to problem management activities

D.

Training incident management teams on current incident trends

Buy Now
Questions 381

What is the PRIMARY purpose of documenting audit objectives when preparing for an engagement?

Options:

A.

To address the overall risk associated with the activity under review

B.

To identify areas with relatively high probability of material problems

C.

To help ensure maximum use of audit resources during the engagement

D.

To help prioritize and schedule auditee meetings

Buy Now
Questions 382

Which of the following is the MOST significant risk that IS auditors are required to consider for each engagement?

Options:

A.

Process and resource inefficiencies

B.

Irregularities and illegal acts

C.

Noncompliance with organizational policies

D.

Misalignment with business objectives

Buy Now
Questions 383

An IS auditor has found that a vendor has gone out of business and the escrow has an older version of the source code. What is the auditor's BEST recommendation for the organization?

Options:

A.

Analyze a new application that moots the current re

B.

Perform an analysis to determine the business risk

C.

Bring the escrow version up to date.

D.

Develop a maintenance plan to support the application using the existing code

Buy Now
Questions 384

During an IT general controls audit of a high-risk area where both internal and external audit teams are reviewing the same approach to optimize resources?

Options:

A.

Leverage the work performed by external audit for the internal audit testing.

B.

Ensure both the internal and external auditors perform the work simultaneously.

C.

Request that the external audit team leverage the internal audit work.

D.

Roll forward the general controls audit to the subsequent audit year.

Buy Now
Questions 385

An IS auditor reviewing the threat assessment tor a data center would be MOST concerned if:

Options:

A.

some of the identified throats are unlikely to occur.

B.

all identified throats relate to external entities.

C.

the exercise was completed by local management.

D.

neighboring organizations operations have been included.

Buy Now
Questions 386

Which of the following should be performed FIRST before key performance indicators (KPIs) can be implemented?

Options:

A.

Analysis of industry benchmarks

B.

Identification of organizational goals

C.

Analysis of quantitative benefits

D.

Implementation of a balanced scorecard

Buy Now
Questions 387

An IS auditor is reviewing logical access controls for an organization's financial business application Which of the following findings should be of GREATEST concern to the auditor?

Options:

A.

Users are not required to change their passwords on a regular basis

B.

Management does not review application user activity logs

C.

User accounts are shared between users

D.

Password length is set to eight characters

Buy Now
Questions 388

Which of the following would provide an IS auditor with the GREATEST assurance that data disposal controls support business strategic objectives?

Options:

A.

Media recycling policy

B.

Media sanitization policy

C.

Media labeling policy

D.

Media shredding policy

Buy Now
Questions 389

Which of the following is MOST important for an IS auditor to look

for in a project feasibility study?

Options:

A.

An assessment of whether requirements will be fully met

B.

An assessment indicating security controls will operateeffectively

C.

An assessment of whether the expected benefits can beachieved

D.

An assessment indicating the benefits will exceed the implement

Buy Now
Questions 390

Which of the following should an IS auditor ensure is classified at the HIGHEST level of sensitivity?

Options:

A.

Server room access history

B.

Emergency change records

C.

IT security incidents

D.

Penetration test results

Buy Now
Questions 391

What is the PRIMARY benefit of an audit approach which requires reported findings to be issued together with related action plans, owners, and target dates?

Options:

A.

it facilitates easier audit follow-up

B.

it enforces action plan consensus between auditors and auditees

C.

it establishes accountability for the action plans

D.

it helps to ensure factual accuracy of findings

Buy Now
Questions 392

Which of the following would be MOST effective to protect information assets in a data center from theft by a vendor?

Options:

A.

Monitor and restrict vendor activities

B.

Issues an access card to the vendor.

C.

Conceal data devices and information labels

D.

Restrict use of portable and wireless devices.

Buy Now
Questions 393

Which of the following is the BEST methodology to use for estimating the complexity of developing a large business application?

Options:

A.

Function point analysis

B.

Work breakdown structure

C.

Critical path analysts

D.

Software cost estimation

Buy Now
Questions 394

Which of the following is the GREATEST advantage of vulnerability scanning over penetration testing?

Options:

A.

The testing produces a lower number of false positive results

B.

Network bandwidth is utilized more efficiently

C.

Custom-developed applications can be tested more accurately

D.

The testing process can be automated to cover large groups of assets

Buy Now
Questions 395

In the development of a new financial application, the IS auditor's FIRST involvement should be in the:

Options:

A.

control design.

B.

feasibility study.

C.

application design.

D.

system test.

Buy Now
Questions 396

Which of the following provides the MOST reliable method of preventing unauthonzed logon?

Options:

A.

issuing authentication tokens

B.

Reinforcing current security policies

C.

Limiting after-hours usage

D.

Installing an automatic password generator

Buy Now
Questions 397

Which of the following is MOST helpful to an IS auditor when assessing the effectiveness of controls?

Options:

A.

A control self-assessment (CSA)

B.

Results of control testing

C.

Interviews with management

D.

A control matrix

Buy Now
Questions 398

A bank has a combination of corporate customer accounts (higher monetary value) and small business accounts (lower monetary value) as part of online banking. Which of the following is the BEST sampling approach for an IS auditor to use for these accounts?

Options:

A.

Difference estimation sampling

B.

Stratified mean per unit sampling

C.

Customer unit sampling

D.

Unstratified mean per unit sampling

Buy Now
Questions 399

Which of the following BEST protects evidence in a forensic investigation?

Options:

A.

imaging the affected system

B.

Powering down the affected system

C.

Protecting the hardware of the affected system

D.

Rebooting the affected system

Buy Now
Questions 400

Which of the following is the BEST way to detect unauthorized copies of licensed software on systems?

Options:

A.

Implement controls to prohibit downloads of unauthorized software.

B.

Conduct periodic software scanning.

C.

Perform periodic counting of licenses.

D.

Require senior management approval when installing licenses.

Buy Now
Questions 401

A company requires that all program change requests (PCRs) be approved and all modifications be automatically logged. Which of the following IS audit procedures will BEST determine whether unauthorized changes have been made to production programs?

Options:

A.

Trace a sample of complete PCR forms to the log of all program changes

B.

Use source code comparison software to determine whether any changes have been made to a sample of programs since the last audit date

C.

Review a sample of PCRs for proper approval throughout the program change process

D.

Trace a sample of program change from the log to completed PCR forms

Buy Now
Questions 402

When is it MOST important for an IS auditor to apply the concept of materiality in an audit?

Options:

A.

When planning an audit engagement

B.

When gathering information for the fieldwork

C.

When a violation of a regulatory requirement has been identified

D.

When evaluating representations from the auditee

Buy Now
Questions 403

Which of the following analytical methods would be MOST useful when trying to identify groups with similar behavior or characteristics in a large population?

Options:

A.

Deviation detection

B.

Cluster sampling

C.

Random sampling

D.

Classification

Buy Now
Questions 404

Which of the following risk scenarios is BEST addressed by implementing policies and procedures related to full disk encryption?

Options:

A.

Data leakage as a result of employees leaving to work for competitors

B.

Noncompliance fines related to storage of regulated information

C.

Unauthorized logical access to information through an application interface

D.

Physical theft of media on which information is stored

Buy Now
Questions 405

Which of the following is the BEST approach for determining the overall IT risk appetite of an organization when business units use different methods formanaging IT risks?

Options:

A.

Average the business units’ IT risk levels

B.

Identify the highest-rated IT risk level among the business units

C.

Prioritize the organization's IT risk scenarios

D.

Establish a global IT risk scoring criteria

Buy Now
Questions 406

Which of the following is the MOST important consideration when evaluating the data retention policy for a global organization with regional offices in multiple countries?

Options:

A.

The policy aligns with corporate policies and practices.

B.

The policy aligns with global best practices.

C.

The policy aligns with business goals and objectives.

D.

The policy aligns with local laws and regulations.

Buy Now
Questions 407

A checksum is classified as which type of control?

Options:

A.

Detective control

B.

Preventive control

C.

Corrective control

D.

Administrative control

Buy Now
Questions 408

Which of the following is the BEST way to help ensure new IT implementations align with enterprise architecture (EA) principles and requirements?

Options:

A.

Document the security view as part of the EA

B.

Consider stakeholder concerns when defining the EA

C.

Perform mandatory post-implementation reviews of IT implementations

D.

Conduct EA reviews as part of the change advisory board

Buy Now
Questions 409

Which of the following should be of GREATEST concern to an IS auditor who is assessing an organization's configuration and release management process?

Options:

A.

The organization does not use an industry-recognized methodology

B.

Changes and change approvals are not documented

C.

All changes require middle and senior management approval

D.

There is no centralized configuration management database (CMDB)

Buy Now
Questions 410

An organization has engaged a third party to implement an application to perform business-critical calculations. Which of the following is the MOST important process to help ensure the application provides accurate calculations?

Options:

A.

Key performance indicator (KPI) monitoring

B.

Change management

C.

Configuration management

D.

Quality assurance (QA)

Buy Now
Questions 411

Demonstrated support from which of the following roles in an organization has the MOST influence over information security governance?

Options:

A.

Chief information security officer (CISO)

B.

Information security steering committee

C.

Board of directors

D.

Chief information officer (CIO)

Buy Now
Questions 412

Which of the following is the BEST way to minimize sampling risk?

Options:

A.

Use a larger sample size

B.

Perform statistical sampling

C.

Perform judgmental sampling

D.

Enhance audit testing procedures

Buy Now
Questions 413

What is the PRIMARY benefit of using one-time passwords?

Options:

A.

An intercepted password cannot be reused

B.

Security for applications can be automated

C.

Users do not have to memorize complex passwords

D.

Users cannot be locked out of an account

Buy Now
Questions 414

Which of the following should be the FIRST step to successfully implement a corporate data classification program?

Options:

A.

Approve a data classification policy.

B.

Select a data loss prevention (DLP) product.

C.

Confirm that adequate resources are available for the project.

D.

Check for the required regulatory requirements.

Buy Now
Questions 415

When auditing an organization's software acquisition process the BEST way for an IS auditor to understand the software benefits to the organization would be to review the

Options:

A.

feasibility study

B.

business case

C.

request for proposal (RFP)

D.

alignment with IT strategy

Buy Now
Questions 416

An IS department is evaluated monthly on its cost-revenue ratio user satisfaction rate, and computer downtime This is BEST zed as an application of.

Options:

A.

risk framework

B.

balanced scorecard

C.

value chain analysis

D.

control self-assessment (CSA)

Buy Now
Questions 417

Which of the following would BEST help to ensure that an incident receives attention from appropriate personnel in a timely manner?

Options:

A.

Completing the incident management log

B.

Broadcasting an emergency message

C.

Requiring a dedicated incident response team

D.

Implementing incident escalation procedures

Buy Now
Questions 418

Which of following areas is MOST important for an IS auditor to focus on when reviewing the maturity model for a technology organization?

Options:

A.

Standard operating procedures

B.

Service level agreements (SLAs)

C.

Roles and responsibility matrix

D.

Business resiliency

Buy Now
Questions 419

Which of the following provides the MOST assurance of the integrity of a firewall log?

Options:

A.

The log is reviewed on a monthly basis.

B.

Authorized access is required to view the log.

C.

The log cannot be modified.

D.

The log is retained per policy.

Buy Now
Questions 420

Which of the following is the BEST recommendation to include in an organization's bring your own device (BYOD)

policy to help prevent data leakage?

Options:

A.

Require employees to waive privacy rights related to data on BYOD devices.

B.

Require multi-factor authentication on BYOD devices,

C.

Specify employee responsibilities for reporting lost or stolen BYOD devices.

D.

Allow only registered BYOD devices to access the network.

Buy Now
Questions 421

Email required for business purposes is being stored on employees' personal devices.

Which of the following is an IS auditor's BEST recommendation?

Options:

A.

Require employees to utilize passwords on personal devices

B.

Prohibit employees from storing company email on personal devices

C.

Ensure antivirus protection is installed on personal devices

D.

Implement an email containerization solution on personal devices

Buy Now
Exam Code: CISA
Exam Name: Certified Information Systems Auditor
Last Update: Apr 2, 2025
Questions: 1404
CISA pdf

CISA PDF

$59.7  $199
CISA Engine

CISA Testing Engine

$67.5  $225
CISA PDF + Engine

CISA PDF + Testing Engine

$74.7  $249