The PRIMARY benefit to using a dry-pipe fire-suppression system rather than a wet-pipe system is that a dry-pipe system:
When implementing Internet Protocol security (IPsec) architecture, the servers involved in application delivery:
An organization has recently acquired and implemented intelligent-agent software for granting loans to customers. During the post-implementation review, which of the following is the MOST important procedure for the IS auditor to perform?
Which of the following is MOST critical to the success of an information security program?
When reviewing past results of a recurring annual audit, an IS auditor notes that findings may not have been reported and independence may not have been maintained. Which of the following is the auditor's BEST course of action?
Which of the following is the MOST important responsibility of data owners when implementing a data classification process?
Which of the following is the GREATEST risk when relying on reports generated by end-user computing (EUC)?
A project team has decided to switch to an agile approach to develop a replacement for an existing business application. Which of the following should an IS auditor do FIRST to ensure the effectiveness of the project audit?
Which of the following is the PRIMARY reason an IS auditor should discuss observations with management before delivering a final report?
Which of the following provides the BEST evidence of the validity and integrity of logs in an organization's security information and event management (SIEM) system?
During a new system implementation, an IS auditor has been assigned to review risk management at each milestone. The auditor finds that several risks to project benefits have not been addressed. Who should be accountable for managing these risks?
Which of the following BEST minimizes performance degradation of servers used to authenticate users of an e-commerce website?
Which of the following is the PRIMARY reason for an IS auditor to conduct post-implementation reviews?
Which of the following should be the FIRST step when developing a data loss prevention (DLP) solution for a large organization?
A review of Internet security disclosed that users have individual user accounts with Internet service providers (ISPs) and use these accounts for downloading business data. The organization wants to ensure that only the corporate network is used. The organization should FIRST:
Which of the following is MOST important for an IS auditor to examine when reviewing an organization's privacy policy?
Which of the following BEST indicates that an incident management process is effective?
An employee loses a mobile device resulting in loss of sensitive corporate data. Which of the following would have BEST prevented data leakage?
When planning an internal penetration test, which of the following is the MOST important step prior to finalizing the scope of testing?
Which of the following is the MOST effective control for protecting the confidentiality and integrity of data stored unencrypted on virtual machines?
The following findings are the result of an IS auditor's post-implementation review of a newly implemented system. Which of the following findings is of GREATEST significance?
During an audit of a financial application, it was determined that many terminated users' accounts were not disabled. Which of the following should be the IS auditor's NEXT step?
An IS audit manager was temporarily tasked with supervising a project manager assigned to the organization's payroll application upgrade. Upon returning to the audit department, the audit manager has been asked to perform an audit to validate the implementation of the payroll application. The audit manager is the only one in the audit department with IT project management experience. What is the BEST course of action?
Which of the following is MOST important to determine during the planning phase of a cloud-based messaging and collaboration platform acquisition?
Which of the following is the MOST important reason for an IS auditor to examine the results of a post-incident review performed after a security incident?
Which of the following is the PRIMARY objective of implementing privacy-related controls within an organization?
Which of the following findings would be of GREATEST concern to an IS auditor assessing an organization's patch management process?
A business has requested an audit to determine whether information stored in an application is adequately protected. Which of the following is the MOST important action before the audit work begins?
Which of the following BEST demonstrates to senior management and the board that an audit function is compliant with standards and the code of ethics?
An organization has recently become aware of a pervasive chip-level security vulnerability that affects all of its processors. Which of the following is the BEST way to prevent this vulnerability from being exploited?
Which of the following is the MOST efficient solution for a multi-location healthcare organization that wants to be able to access patient data wherever patients present themselves for care?
An IS auditor is evaluating the access controls for a shared customer relationship management (CRM) system. Which of the following would be the GREATEST concern?
Which of the following is the BEST indication to an IS auditor that management's post-implementation review was effective?
The PRIMARY purpose of requiring source code escrow in a contractual agreement is to:
The operations team of an organization has reported an IS security attack. Which of the following should be the FIRST step for the security incident response team?
Which of the following is the MOST effective method of destroying sensitive data stored on electronic media?
An organization is shifting to a remote workforce. In preparation, the IT department is performing stress and capacity testing of remote access infrastructure and systems. What type of control is being implemented?
The use of which of the following is an inherent risk in the application container infrastructure?
Which of the following is the GREATEST impact as a result of the ongoing deterioration of a detective control?
Which of the following would be MOST impacted if an IS auditor were to assist with the implementation of recommended control enhancements?
During an exit interview, senior management disagrees with some of the facts presented in the draft audit report and wants them removed from the report. Which of the following would be the auditor's BEST course of action?
Following a merger, a review of an international organization determines the IT steering committee's decisions do not extend to regional offices as required in the consolidated IT operating model. Which of the following is the IS auditor's BEST recommendation?
During which stage of the penetration test cycle does the tester utilize identified vulnerabilities to attempt to access the target system?
During the discussion of a draft audit report, IT management provided suitable evidence that a process has been implemented for a control that had been concluded by the IS auditor as ineffective. Which of the following is the auditor's BEST action?
Which of the following responsibilities of an organization's quality assurance (QA) function should raise concern for an IS auditor?
Which of the following BEST enables an organization to improve the effectiveness of its incident response team?
Which of the following is the PRIMARY reason for an IS auditor to perform a risk assessment?
An IS audit review identifies inconsistencies in privacy requirements across third-party service provider contracts. Which of the following is the BEST recommendation to address this situation?
An organization uses public key infrastructure (PKI) to provide email security. Which of the following would be the MOST efficient method to determine whether email messages have been modified in transit?
Which of the following is the MOST effective accuracy control for entry of a valid numeric part number?
In a high-volume, real-time system, the MOST effective technique by which to continuously monitor and analyze transaction processing is:
A bank performed minor changes to the interest calculation computer program. Which of the following techniques would provide the STRONGEST evidence to determine whether the interest calculations are correct?
Which of the following is the BEST way to identify whether the IT help desk is meeting service level agreements (SLAs)?
Which of the following BEST contributes to the quality of an audit of a business-critical application?
An IS auditor has identified deficiencies within the organization's software development life cycle policies. Which of the following should be done NEXT?
Which of the following would the IS auditor MOST likely review to determine whether modifications to the operating system parameters were authorized?
Which of the following should be done FIRST to minimize the risk of unstructured data?
Which of the following is the PRIMARY benefit of a tabletop exercise for an incident response plan?
A global organization's policy states that all workstations must be scanned for malware each day. Which of the following would provide an IS auditor with the BEST evidence of continuous compliance with this policy?
When planning a follow-up, the IS auditor is informed by operational management that recent organizational changes have addressed the previously identified risk and implementing the action plan is no longer necessary. What should the auditor do NEXT?
Which of the following should be identified FIRST during the risk assessment process?
Which of the following would BEST guide an IS auditor when determining an appropriate time to schedule the follow-up of agreed corrective actions for reported audit issues?
Which of the following would be of GREATEST concern to an IS auditor reviewing an IT strategy document?
Which of the following is the BEST compensating control against segregation of duties conflicts in new code development?
Which of the following is the MAIN risk associated with adding a new system functionality during the development phase without following a project change management process?
Which of the following is MOST likely to be a project deliverable of an agile software development methodology?
Which of the following would be an auditor's GREATEST concern when reviewing data inputs from spreadsheets into the core finance system?
To ensure confidentiality through the use of asymmetric encryption, a message is encrypted with which of the following?
When reviewing a business case for a proposed implementation of a third-party system, which of the following should be an IS auditor's GREATEST concern?
An IS auditor should look for which of the following to ensure the risk associated with scope creep has been mitigated during software development?
What is the PRIMARY reason for an organization to classify the data stored on its internal networks?
When physical destruction is not practical, which of the following is the MOST effective means of disposing of sensitive data on a hard disk?
During an operational audit on the procurement department, the audit team encounters a key system that uses an artificial intelligence (AI) algorithm. The audit team does not have the necessary knowledge to proceed with the audit. Which of the following is the BEST way to handle this situation?
An IS audit manager is reviewing workpapers for a recently completed audit of the corporate disaster recovery test. Which of the following should the IS audit manager specifically review to substantiate the conclusions?
Which of the following findings from a database security audit presents the GREATEST risk of critical security exposures?
Which of the following is the MOST significant impact to an organization that does not use an IT governance framework?
The BEST way to evaluate the effectiveness of a newly developed application is to:
Which of the following is the BEST indication of effective governance over IT infrastructure?
Which of the following should be the GREATEST concern to an IS auditor reviewing an organization's job scheduling practices?
Which of the following poses the GREATEST potential concern for an organization that decides to consolidate mission-critical applications on a large server as part of IT capacity management?
Which of the following observations should be of GREATEST concern to an IS auditor reviewing an organization’s enterprise architecture (EA) program?
A small IT department has embraced DevOps, which allows members of this group to deploy code to production and maintain some development access to automate releases. Which of the following is the MOST effective control?
Which of the following is the MOST effective way to detect as many abnormalities as possible during an IS audit?
Which of the following provides the BEST assurance that vendor-supported software remains up to date?
Which of the following is the PRIMARY objective of performing quality assurance (QA) in a system development process?
In a public key cryptographic system, which of the following is the PRIMARY requirement to address the risk of man-in-the-middle attacks through spoofing?
Which of the following is the PRIMARY benefit of monitoring IT operational logs?
Which of the following observations regarding change management should be considered the MOST serious risk by an IS auditor?
Which of the following should be of GREATEST concern to an IS auditor reviewing an organization's IT process performance reports over the last quarter?
Who is PRIMARILY responsible for the design of IT controls to meet control objectives?
An organization is establishing a steering committee for the implementation of a new enterprise resource planning (ERP) system that uses Agile project management methodology. What is the MOST important criterion for the makeup of this committee?
Which of the following is MOST appropriate to review when determining if the work completed on an IT project is in alignment with budgeted costs?
Before the release of a new application into an organization’s production environment, which of the following should be in place to ensure that proper testing has occurred and rollback plans are in place?
Which of the following is MOST important to consider when determining the usefulness of audit evidence?
Which of the following BEST enables an IS auditor to confirm the batch processing to post transactions from an input source is successful?
Which of the following technology trends can lead to more robust data loss prevention (DLP) tools?
An IS auditor wants to inspect recent events in a system to observe failed authentications and password changes. Which of the following is the MOST appropriate method to use for this purpose?
Following an IT audit, management has decided to accept the risk highlighted in the audit report. Which of the following would provide the MOST assurance to the IS auditor that management is adequately balancing the needs of the business with the need to manage risk?
A sample for testing must include the 80 largest client balances and a random sample of the rest. What should the IS auditor recommend?
An organization produces control reports with a desktop application that accesses data in the central production database. Which of the following would give an IS auditor concern about the reliability of these reports?
An IS auditor has been tasked with analyzing an organization's capital expenditures against its repair and maintenance costs. Which of the following is the BEST reason to use a data analytics tool for this purpose?
An organization has decided to build a data warehouse using source data from several disparate systems to support strategic decision-making. Which of the following is the BEST way to ensure the accuracy and completeness of the data used to support business decisions?
Which of the following is MOST important for an IS auditor to verify when reviewing the planned use of Benford's law as a data analytics technique to detect fraud in a set of credit card transactions?
Which of the following should be done FIRST following an incident that has caused internal servers to be inaccessible, disrupting normal business operations?
Which of the following is MOST likely to be reduced when implementing optimal risk management strategies?
An IS auditor is tasked to review an organization's plan-do-check-act (PDCA) method for improving IT-related processes and wants to determine the accuracy of defined targets to be achieved. Which of the following steps in the PDCA process should the auditor PRIMARILY focus on in this situation?
Which of the following is MOST useful for determining the strategy for IT portfolio management?
Which of the following is the BEST recommendation by an IS auditor to prevent unauthorized access to Internet of Things (IoT) devices?
In a review of the organization standards and guidelines for IT management, which of the following should be included in an IS development methodology?
Which of the following is an IS auditor's BEST recommendation for mitigating risk associated with inadvertent disclosure of sensitive information by employees?
Which of the following is the MOST important reason for an organization to automate data purging?
During an IS audit of a data center, it was found that programmers are allowed to make emergency fixes to operational programs. Which of the following should be the IS auditor's PRIMARY recommendation?
When auditing IT organizational structure, which of the following findings presents the GREATEST risk to an organization?
Which of the following presents the GREATEST risk associated with end-user computing (EUC) applications over financial reporting?
Which of the following is a PRIMARY function of an intrusion detection system (IDS)?
An IS auditor is reviewing an artificial intelligence (AI) and expert system application. The system has produced several critical errors with severe impact. Which of the following should the IS auditor do NEXT to understand the cause of the errors?
An IS auditor wants to verify alignment of the organization's business continuity plan (BCP) with the business strategy. Which of the following would be MOST helpful to review?
Which of the following should be of GREATEST concern to an IS auditor reviewing project documentation for a client relationship management (CRM) system migration project?
A system performance dashboard indicates several application servers are reaching the defined threshold for maximum CPU allocation. Which of the following would be the IS auditor's BEST recommendation for the IT department?
An IS auditor discovers from patch logs that some in-scope systems are not compliant with the regular patching schedule. What should the auditor do NEXT?
Which of the following is the PRIMARY reason an IS auditor would recommend offsite backups although critical data is already on a redundant array of inexpensive disks (RAID)?
During a physical security audit, an IS auditor was provided a proximity badge that granted access to three specific floors in a corporate office building. Which of the following issues should be of MOST concern?
When reviewing an organization's finalized risk assessment process, what would be the MAIN reason for an IS auditor to compare acceptable risk level with residual risk?
Which of the following would be of GREATEST concern to an IS auditor reviewing an IT-related customer service project?
Which of the following should be the GREATEST concern for an IS auditor assessing an organization's disaster recovery plan (DRP)?
Which of the following is a PRIMARY benefit of using risk assessments to determine areas to be included in an audit plan?
Which of the following will BEST ensure that archived electronic information of permanent importance remains accessible over time?
Which of the following is the BEST way to ensure a vendor complies with system security requirements?
Which of the following technologies BEST assists in protection of digital evidence as part of forensic investigation acquisition?
Which of the following is MOST helpful for understanding an organization’s key driver to modernize application platforms?
Which of the following network communication protocols is used by network devices such as routers to send error messages and operational information indicating success or failure when communicating with another IP address?
Which of the following BEST helps data loss prevention (DLP) tools detect movement of sensitive data in transit?
A health care organization utilizes Internet of Things (IoT) devices to improve patient outcomes through real-time patient monitoring and advanced diagnostics. Which of the following would BEST assist in isolating these devices from corporate network traffic?
Which of the following is MOST important for an IS auditor to verify when evaluating the upgrade of an organization's enterprise resource planning (ERP) application?
Which of the following is the BEST review for an IS auditor to conduct when a vulnerability has been exploited by an employee?
Which of the following is the MOST important regulatory consideration for an organization determining whether to use its customer data to train AI algorithms?
An IS auditor is reviewing an organization's risk management program. Which of the following should be the PRIMARY driver of the enterprise IT risk appetite?
Which of the following demonstrates the use of data analytics for a loan origination process?
A new regulation requires organizations to report significant security incidents to the regulator within 24 hours of identification. Which of the following is the IS auditor's BEST recommendation to facilitate compliance with the regulation?
Which of the following is the MOST important prerequisite for the protection of physical information assets in a data center?
While executing follow-up activities, an IS auditor is concerned that management has implemented corrective actions that are different from those originally discussed and agreed with the audit function. In order to resolve the situation, the IS auditor's BEST course of action would be to:
What is MOST important to verify during an external assessment of network vulnerability?
Which of the following would be a result of utilizing a top-down maturity model process?
Which of the following is the GREATEST concern associated with a high number of IT policy exceptions approved by management?
An organization conducted an exercise to test the security awareness level of users by sending an email offering a cash reward to those who click on a link embedded in the body of the email. Which of the following metrics BEST indicates the effectiveness of awareness training?
When determining whether a project in the design phase will meet organizational objectives, what is BEST to compare against the business case?
Which of the following is the BEST method to prevent wire transfer fraud by bank employees?
Malicious program code was found in an application and corrected prior to release into production. After the release, the same issue was reported. Which of the following is the IS auditor's BEST recommendation?
When evaluating the design of controls related to network monitoring, which of the following is MOST important for an IS auditor to review?
An IS auditor is following up on prior period items and finds management did not address an audit finding. Which of the following should be the IS auditor's NEXT course of action?
Which of the following is the PRIMARY concern when negotiating a contract for a hot site?
During an audit of a reciprocal disaster recovery agreement between two companies, the IS auditor would be MOST concerned with the:
An IS auditor finds that firewalls are outdated and not supported by vendors. Which of the following should be the auditor's NEXT course of action?
An IS auditor found that a company executive is encouraging employee use of social networking sites for business purposes. Which of the following recommendations would BEST help to reduce the risk of data leakage?
An IS auditor is reviewing an organization's information asset management process. Which of the following would be of GREATEST concern to the auditor?
Which of the following would be an IS auditor's GREATEST concern when reviewing the early stages of a software development project?
Management has requested a post-implementation review of a newly implemented purchasing package to determine to what extent business requirements are being met. Which of the following is MOST likely to be assessed?
An organization implemented a cybersecurity policy last year. Which of the following is the GREATEST indicator that the policy may need to be revised?
An organization is migrating its HR application to an Infrastructure as a Service (IaaS) model in a private cloud. Who is PRIMARILY responsible for the security configurations of the deployed application's operating system?
While evaluating the data classification process of an organization, an IS auditor's PRIMARY focus should be on whether:
To mitigate the risk of exposing data through application programming interface (API) queries, which of the following design considerations is MOST important?
During the planning stage of a compliance audit, an IS auditor discovers that a bank's inventory of compliance requirements does not include recent regulatory changes related to managing data risk. What should the auditor do FIRST?
Which of the following would lead an IS auditor to conclude that the evidence collected during a digital forensic investigation would not be admissible in court?
Providing security certification for a new system should include which of the following prior to the system's implementation?
Which of the following would provide the MOST important input during the planning phase for an audit on the implementation of a bring your own device (BYOD) program?
Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization's information security policy?
An IS auditor is reviewing the release management process for an in-house software development solution. In which environment is the software version MOST likely to be the same as production?
Which of the following is the MAJOR advantage of automating internal controls?
Which of the following is the BEST method to delete sensitive information from storage media that will be reused?
Which of the following would BEST demonstrate that an effective disaster recovery plan (DRP) is in place?
What should be the PRIMARY basis for selecting which IS audits to perform in the coming year?
Which of the following is an audit reviewer's PRIMARY role with regard to evidence?
Management is concerned about sensitive information being intentionally or unintentionally emailed as attachments outside the organization by employees. What is the MOST important task before implementing any associated email controls?
An incorrect version of the source code was amended by a development team. This MOST likely indicates a weakness in:
During a review of a production schedule, an IS auditor observes that a staff member is not complying with mandatory operational procedures. The auditor's NEXT step should be to:
Which of the following is MOST important for an IS auditor to review when evaluating the accuracy of a spreadsheet that contains several macros?
Which of the following is MOST important for an effective control self-assessment (CSA) program?
An IS auditor has been asked to assess the security of a recently migrated database system that contains personal and financial data for a bank's customers. Which of the following controls is MOST important for the auditor to confirm is in place?
Which of the following is the BEST detective control for a job scheduling process involving data transmission?
An IS auditor is planning an audit of an organization's accounts payable processes. Which of the following controls is MOST important to assess in the audit?
One benefit of return on investment (ROI) analysis in IT decision making is that it provides the:
Which of the following would BEST facilitate the successful implementation of an IT-related framework?
Which of the following is an executive management concern that could be addressed by the implementation of a security metrics dashboard?
Which of the following BEST indicates the effectiveness of an organization's risk management program?
The decision to accept an IT control risk related to data quality should be the responsibility of the:
Which of the following is the PRIMARY advantage of parallel processing for a new system implementation?
Spreadsheets are used to calculate project cost estimates. Totals for each cost category are then keyed into the job-costing system. What is the BEST control to ensure that data is accurately entered into the system?
Which of the following metrics would BEST measure the agility of an organization's IT function?
The performance, risks, and capabilities of an IT infrastructure are BEST measured using a:
Which of the following documents should specify roles and responsibilities within an IT audit organization?
Which of the following is the BEST method to safeguard data on an organization's laptop computers?
Which of the following data would be used when performing a business impact analysis (BIA)?
Which of the following will be the MOST effective method to verify that a service vendor keeps control levels as required by the client?
From an IS auditor's perspective, which of the following would be the GREATEST risk associated with an incomplete inventory of deployed software in an organization?
An organization has partnered with a third party to transport backup drives to an offsite storage facility. Which of the following is MOST important before sending the drives?
During the implementation of a new system, an IS auditor must assess whether certain automated calculations comply with the regulatory requirements. Which of the following is the BEST way to obtain this assurance?
Which of the following occurs during the issues management process for a system development project?
Which of the following is the PRIMARY role of the IS auditor in an organization's information classification process?
An organization was recently notified by its regulatory body of significant discrepancies in its reporting data. A preliminary investigation revealed that the discrepancies were caused by problems with the organization's data quality. Management has directed the data quality team to enhance their program. The audit committee has asked internal audit to be advisors to the process. To ensure that management concerns are addressed, which data set should internal audit recommend be reviewed FIRST?
An IS auditor engaged in developing the annual internal audit plan learns that the chief information officer (CIO) has requested there be no IS audits in the upcoming year as more time is needed to address a large number of recommendations from the previous year. Which of the following should the auditor do FIRST?
Which of the following should be an IS auditor's GREATEST concern when a data owner assigns an incorrect classification level to data?
Which of the following poses the GREATEST risk to an organization when employees use public social networking sites?
Which of the following should be of GREATEST concern to an IS auditor performing a review of information security controls?
Which of the following tests would provide the BEST assurance that a health care organization is handling patient data appropriately?
In a 24/7 processing environment, a database contains several privileged application accounts with passwords set to never expire. Which of the following recommendations would BEST address the risk with minimal disruption to the business?
An organization allows employees to retain confidential data on personal mobile devices. Which of the following is the BEST recommendation to mitigate the risk of data leakage from lost or stolen devices?
During the evaluation of controls over a major application development project, the MOST effective use of an IS auditor's time would be to review and evaluate:
Which of the following is MOST useful for determining whether the goals of IT are aligned with the organization's goals?
Which of the following is the BEST source of information for assessing the effectiveness of IT process monitoring?
Which of the following MOST effectively minimizes downtime during system conversions?
Which of the following is the MOST effective control to mitigate unintentional misuse of authorized access?
During an external review, an IS auditor observes an inconsistent approach in classifying system criticality within the organization. Which of the following should be recommended as the PRIMARY factor to determine system criticality?
Which of the following is the BEST way to determine whether a test of a disaster recovery plan (DRP) was successful?
In a small IT web development company where developers must have write access to production, the BEST recommendation of an IS auditor would be to:
Which of the following documents would be MOST useful in detecting a weakness in segregation of duties?
Which of the following is MOST important to include in forensic data collection and preservation procedures?
An IS auditor discovers an option in a database that allows the administrator to directly modify any table. This option is necessary to overcome bugs in the software, but is rarely used. Changes to tables are automatically logged. The IS auditor's FIRST action should be to:
During an audit, the IS auditor finds that in many cases excessive rights were not removed from a system. Which of the following is the auditor's BEST recommendation?
For an organization that has plans to implement web-based trading, it would be MOST important for an IS auditor to verify the organization's information security plan includes:
An organization with many desktop PCs is considering moving to a thin client architecture. Which of the following is the MAJOR advantage?
When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor's BEST recommendation is to place an intrusion detection system (IDS) between the firewall and:
An organization has assigned two new IS auditors to audit a new system implementation. One of the auditors has an IT-related degree, and one has a business degree. Which of the following is MOST important to meet the IS audit standard for proficiency?
When testing the adequacy of tape backup procedures, which step BEST verifies that regularly scheduled backups are timely and run to completion?
Which of the following concerns is BEST addressed by securing production source libraries?
Following a security breach in which a hacker exploited a well-known vulnerability in the domain controller, an IS auditor has been asked to conduct a control assessment. The auditor's BEST course of action would be to determine if:
Which of the following is an example of a preventative control in an accounts payable system?
To develop meaningful recommendations for findings, which of the following is MOST important for an IS auditor to determine and understand?
Which of the following must be in place before an IS auditor initiates audit follow-up activities?
Which of the following is the MOST important reason to classify a disaster recovery plan (DRP) as confidential?
An organization plans to receive an automated data feed into its enterprise data warehouse from a third-party service provider. Which of the following would be the BEST way to prevent accepting bad data?
An organization recently implemented a cloud document storage solution and removed the ability for end users to save data to their local workstation hard drives. Which of the following findings should be the IS auditor's GREATEST concern?
Which of the following should be of MOST concern to an IS auditor reviewing the public key infrastructure (PKI) for enterprise email?
An IS auditor learns the organization has experienced several server failures in its distributed environment. Which of the following is the BEST recommendation to limit the potential impact of server failures in the future?
An information systems security officer's PRIMARY responsibility for business process applications is to:
Which of the following provides the MOST assurance over the completeness and accuracy of loan application processing with respect to the implementation of a new system?
Which of the following should an IS auditor consider FIRST when evaluating firewall rules?
Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system. Which of the following is the IS auditor's BEST recommendation for a compensating control?
When auditing the alignment of IT to the business strategy, it is MOST important for the IS auditor to:
During a follow-up audit, it was found that a complex security vulnerability of low risk was not resolved within the agreed-upon timeframe. IT has stated that the system with the identified vulnerability is being replaced and is expected to be fully functional in two months. Which of the following is the BEST course of action?
An organization has recently implemented a Voice-over IP (VoIP) communication system. Which of the following should be the IS auditor's PRIMARY concern?
During an audit of a multinational bank's disposal process, an IS auditor notes several findings. Which of the following should be the auditor's GREATEST concern?
Retention periods and conditions for the destruction of personal data should be determined by the:
Which of the following is the MOST important control for virtualized environments?
Which of the following is the PRIMARY basis on which audit objectives are established?
An organization's security team created a simulated production environment with multiple vulnerable applications. What would be the PRIMARY purpose of creating such an environment?
Which of the following will be the MOST effective method to verify that a service vendor keeps control levels as required by the client?
Which of the following BEST enables an IS auditor to combine and compare access control lists from various applications and devices?
An IS auditor has been asked to audit the proposed acquisition of new computer hardware. The auditor's PRIMARY concern is that:
An IS auditor is reviewing an industrial control system (ICS) that uses older unsupported technology in the scope of an upcoming audit. What should the auditor consider the MOST significant concern?
Which of the following activities would allow an IS auditor to maintain independence while facilitating a control self-assessment (CSA)?
The BEST way to determine whether programmers have permission to alter data in the production environment is by reviewing:
Which of the following would be an appropriate role of internal audit in helping to establish an organization’s privacy program?
Which of the following is the BEST control to mitigate attacks that redirect Internet traffic to an unauthorized website?
Which of the following controls BEST ensures appropriate segregation of duties within an accounts payable department?
An IS auditor finds that application servers had inconsistent security settings leading to potential vulnerabilities. Which of the following is the BEST recommendation by the IS auditor?
During a follow-up audit, an IS auditor finds that some critical recommendations have the IS auditor's BEST course of action?
An IS auditor plans to review all access attempts to a video-monitored and proximity card-controlled communications room. Which of the following would be MOST useful to the auditor?
Which of the following is MOST important for an IS auditor to determine during the detailed design phase of a system development project?
Which of the following would BEST ensure that a backup copy is available for restoration of mission critical data after a disaster?
An organization is concerned about duplicate vendor payments on a complex system with a high volume of transactions. Which of the following would be MOST helpful to an IS auditor to determine whether duplicate vendor payments exist?
Which of the following would BEST indicate the effectiveness of a security awareness training program?
Which of the following is the MOST important prerequisite for implementing a data loss prevention (DLP) tool?
Which of the following is a method to prevent disclosure of classified documents printed on a shared printer?
An auditee disagrees with a recommendation for corrective action that appears in the draft engagement report. Which of the following is the IS auditor's BEST course of action when preparing the final report?
Which of the following is MOST important for an IS auditor to validate when auditing network device management?
An IS auditor finds that while an organization's IT strategy is heavily focused on research and development, the majority of projects in the IT portfolio focus on operations and maintenance. Which of the following is the BEST recommendation?
An organization is planning to implement a work-from-home policy that allows users to work remotely as needed. Which of the following is the BEST solution for ensuring secure remote access to corporate resources?
The BEST way to prevent fraudulent payments is to implement segregation of duties between the vendor setup and:
Which of the following is the BEST way to address potential data privacy concerns associated with inadvertent disclosure of machine identifier information contained within security logs?
Which of the following is MOST useful to an IS auditor performing a review of access controls for a document management system?
Which of the following methods will BEST reduce the risk associated with the transition to a new system using technologies that are not compatible with the old system?
An IS auditor is reviewing a data conversion project. Which of the following is the auditor's BEST recommendation prior to go-live?
A financial group recently implemented new technologies and processes. Which type of IS audit would provide the GREATEST level of assurance that the department's objectives have been met?
Which of the following is the BEST way to verify the effectiveness of a data restoration process?
What should an IS auditor do FIRST upon discovering that a service provider did not notify its customers of a security breach?
During audit fieldwork, an IS auditor learns that employees are allowed to connect their personal devices to company-owned computers. How can the auditor BEST validate that appropriate security controls are in place to prevent data loss?
An IS auditor notes that the previous year's disaster recovery test was not completed within the scheduled time frame due to insufficient hardware allocated by a third-party vendor. Which of the following provides the BEST evidence that adequate resources are now allocated to successfully recover the systems?
During the planning phase of a data loss prevention (DLP) audit, management expresses a concern about mobile computing. Which of the following should the IS auditor identify as the associated risk?
An IS auditor concludes that an organization has a quality security policy. Which of the following is MOST important to determine next? The policy must be:
A month after a company purchased and implemented system and performance monitoring software, reports were too large and therefore were not reviewed or acted upon. The MOST effective plan of action would be to:
Which of the following is the BEST way to ensure payment transaction data is restricted to the appropriate users?
Which of the following would be of MOST concern for an IS auditor evaluating the design of an organization's incident management processes?
While auditing a small organization's data classification processes and procedures, an IS auditor noticed that data is often classified at the incorrect level. What is the MOST effective way for the organization to improve this situation?
Which of the following is the BEST way for an organization to mitigate the risk associated with third-party application performance?
Which of the following types of firewalls provide the GREATEST degree of control against hacker intrusion?
Which of the following is the MAIN purpose of an information security management system?
An IS auditor is evaluating the risk associated with moving from one database management system (DBMS) to another. Which of the following would be MOST helpful to ensure the integrity of the system throughout the change?
An IS auditor is conducting a review of a data center. Which of the following observations could indicate an access control issue?
Which of the following provides IS audit professionals with the BEST source of direction for performing audit functions?
An organization has developed mature risk management practices that are followed across all departments. What is the MOST effective way for the audit team to leverage this risk management maturity?
Which of the following environments is BEST used for copying data and transformation into a compatible data warehouse format?
Which of the following business continuity activities prioritizes the recovery of critical functions?
An IS auditor is reviewing security controls related to collaboration tools for a business unit responsible for intellectual property and patents. Which of the following observations should be of MOST concern to the auditor?
Which of the following is MOST important for an IS auditor to consider when performing the risk assessment prior to an audit engagement?
Which of the following BEST protects an organization's proprietary code during a joint-development activity involving a third party?
An IS auditor has completed the fieldwork phase of a network security review and is preparing the initial following findings should be ranked as the HIGHEST risk?
A warehouse employee of a retail company has been able to conceal the theft of inventory items by entering adjustments of either damaged or lost stock items to the inventory system. Which control would have BEST prevented this type of fraud in a retail environment?
Which of the following should be the PRIMARY focus for any network design that deploys a Zero Trust architecture?
An organization is implementing a new system that supports a month-end business process. Which of the following implementation strategies would be MOST efficient to decrease business downtime?
Which of the following is the MOST effective control over visitor access to highly secured areas?
Which of the following should be done FIRST when planning to conduct internal and external penetration testing for a client?
Which of the following approaches would utilize data analytics to facilitate the testing of a new account creation process?
An IS auditor reviewing the database controls for a new e-commerce system discovers a security weakness in the database configuration. Which of the following should be the IS auditor's NEXT course of action?
Which of the following is an IS auditor's BEST recommendation to mitigate the risk of eavesdropping associated with an application programming interface (API) integration implementation?
An organization has virtualized its server environment without making any other changes to the network or security infrastructure. Which of the following is the MOST significant risk?
An IS auditor follows up on a recent security incident and finds the incident response was not adequate. Which of the following findings should be considered MOST critical?
Which of the following is the MOST efficient way to identify segregation of duties violations in a new system?
Which of the following is the GREATEST risk of using a reciprocal site for disaster recovery?
When verifying the accuracy and completeness of migrated data for a new application system replacing a legacy system, it is MOST effective for an IS auditor to review:
An IS auditor discovers that an IT organization serving several business units assigns equal priority to all initiatives, creating a risk of delays in securing project funding. Which of the following would be MOST helpful in matching demand for projects and services with available resources in a way that supports business objectives?
Which of the following BEST enables the effectiveness of an agile project for the rapid development of a new software application?
Which of the following is the BEST way to mitigate the risk associated with unintentional modifications of complex calculations in end-user computing (EUC)?
An IS auditor assessing the controls within a newly implemented call center would FIRST:
Which of the following is the MOST effective way for an organization to help ensure agreed-upon action plans from an IS audit will be implemented?
Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?
An externally facing system containing sensitive data is configured such that users have either read-only or administrator rights. Most users of the system have administrator access. Which of the following is the GREATEST risk associated with this situation?
An IS auditor is reviewing the installation of a new server. The IS auditor's PRIMARY objective is to ensure that:
Which of the following is the BEST way to ensure that an application is performing according to its specifications?
Which of the following would BEST enable an organization to address the security risks associated with a recently implemented bring your own device (BYOD) strategy?
An organization is disposing of a system containing sensitive data and has deleted all files from the hard disk. An IS auditor should be concerned because:
Which of the following types of environmental equipment will MOST likely be deployed below the floor tiles of a data center?
A credit card company has decided to outsource the printing of customer statements. It is MOST important for the company to verify whether:
An IS auditor has been asked to advise on measures to improve IT governance within the organization. Which of the following is the BEST recommendation?
Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization's information security policy?
An IS auditor finds that one employee has unauthorized access to confidential data. The IS auditor's BEST recommendation should be to:
Which of the following features of a library control software package would protect against unauthorized updating of source code?
What is the BEST method to determine if IT resource spending is aligned with planned project spending?
An IS auditor reviewing security incident processes realizes incidents are resolved and closed, but root causes are not investigated. Which of the following should be the MAJOR concern with this situation?
An organization has outsourced the development of a core application. However, the organization plans to bring the support and future maintenance of the application back in-house. Which of the following findings should be the IS auditor's GREATEST concern?
In response to an audit finding regarding a payroll application, management implemented a new automated control. Which of the following would be MOST helpful to the IS auditor when evaluating the effectiveness of the new control?
Which of the following is MOST critical for the effective implementation of IT governance?
A system administrator recently informed the IS auditor about the occurrence of several unsuccessful intrusion attempts from outside the organization. Which of the following is MOST effective in detecting such an intrusion?
During a security audit, an IS auditor is tasked with reviewing log entries obtained from an enterprise intrusion prevention system (IPS). Which type of risk would be associated with the potential for the auditor to miss a sequence of logged events that could indicate an error in the IPS configuration?
Which of the following provides the BEST evidence that outsourced provider services are being properly managed?
Which of the following would be MOST useful when analyzing computer performance?
Which of the following is the BEST metric to measure the alignment of IT and business strategy?
An IS auditor is reviewing documentation of application systems change control and identifies several patches that were not tested before being put into production. Which of the following is the MOST significant risk from this situation?
Which of the following application input controls would MOST likely detect data input errors in the customer account number field during the processing of an accounts receivable transaction?
Which of the following is the BEST way to ensure that business continuity plans (BCPs) will work effectively in the event of a major disaster?
Which of the following BEST facilitates the legal process in the event of an incident?
Which of the following would MOST effectively help to reduce the number of repeated incidents in an organization?
What is the PRIMARY purpose of documenting audit objectives when preparing for an engagement?
Which of the following is the MOST significant risk that IS auditors are required to consider for each engagement?
An IS auditor has found that a vendor has gone out of business and the escrow has an older version of the source code. What is the auditor's BEST recommendation for the organization?
During an IT general controls audit of a high-risk area where both internal and external audit teams are reviewing the same approach to optimize resources?
An IS auditor reviewing the threat assessment for a data center would be MOST concerned if:
Which of the following should be performed FIRST before key performance indicators (KPIs) can be implemented?
An IS auditor is reviewing logical access controls for an organization's financial business application Which of the following findings should be of GREATEST concern to the auditor?
Which of the following would provide an IS auditor with the GREATEST assurance that data disposal controls support business strategic objectives?
Which of the following is MOST important for an IS auditor to look for in a project feasibility study?
Which of the following should an IS auditor ensure is classified at the HIGHEST level of sensitivity?
What is the PRIMARY benefit of an audit approach which requires reported findings to be issued together with related action plans, owners, and target dates?
Which of the following would be MOST effective to protect information assets in a data center from theft by a vendor?
Which of the following is the BEST methodology to use for estimating the complexity of developing a large business application?
Which of the following is the GREATEST advantage of vulnerability scanning over penetration testing?
In the development of a new financial application, the IS auditor's FIRST involvement should be in the:
Which of the following provides the MOST reliable method of preventing unauthorized logon?
Which of the following is MOST helpful to an IS auditor when assessing the effectiveness of controls?
A bank has a combination of corporate customer accounts (higher monetary value) and small business accounts (lower monetary value) as part of online banking. Which of the following is the BEST sampling approach for an IS auditor to use for these accounts?
Which of the following is the BEST way to detect unauthorized copies of licensed software on systems?
A company requires that all program change requests (PCRs) be approved and all modifications be automatically logged. Which of the following IS audit procedures will BEST determine whether unauthorized changes have been made to production programs?
When is it MOST important for an IS auditor to apply the concept of materiality in an audit?
Which of the following analytical methods would be MOST useful when trying to identify groups with similar behavior or characteristics in a large population?
Which of the following risk scenarios is BEST addressed by implementing policies and procedures related to full disk encryption?
Which of the following is the BEST approach for determining the overall IT risk appetite of an organization when business units use different methods for managing IT risks?
Which of the following is the MOST important consideration when evaluating the data retention policy for a global organization with regional offices in multiple countries?
Which of the following is the BEST way to help ensure new IT implementations align with enterprise architecture (EA) principles and requirements?
Which of the following should be of GREATEST concern to an IS auditor who is assessing an organization's configuration and release management process?
An organization has engaged a third party to implement an application to perform business-critical calculations. Which of the following is the MOST important process to help ensure the application provides accurate calculations?
Demonstrated support from which of the following roles in an organization has the MOST influence over information security governance?
Which of the following should be the FIRST step to successfully implement a corporate data classification program?
When auditing an organization's software acquisition process, the BEST way for an IS auditor to understand the software benefits to the organization would be to review the:
An IS department is evaluated monthly on its cost-revenue ratio, user satisfaction rate, and computer downtime. This is BEST categorized as an application of:
Which of the following would BEST help to ensure that an incident receives attention from appropriate personnel in a timely manner?
Which of the following areas is MOST important for an IS auditor to focus on when reviewing the maturity model for a technology organization?
Which of the following provides the MOST assurance of the integrity of a firewall log?
Which of the following is the BEST recommendation to include in an organization's bring your own device (BYOD) policy to help prevent data leakage?
Email required for business purposes is being stored on employees' personal devices. Which of the following is an IS auditor's BEST recommendation?