Special Summer Sale Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: pass65

CISA Certified Information Systems Auditor Questions and Answers

Questions 4

An IS auditor is conducting a post-implementation review of an enterprise resource planning (ERP) system. End users indicated concerns with the accuracy of critical automatic calculations made by the system. The auditor's FIRST course of action should be to:

Options:

A.

review recent changes to the system.

B.

verify completeness of user acceptance testing (UAT).

C.

verify results to determine validity of user concerns.

D.

review initial business requirements.

Buy Now
Questions 5

Which of the following types of firewalls provide the GREATEST degree of control against hacker intrusion?

Options:

A.

Circuit gateway

B.

Application level gateway

C.

Packet filtering router

D.

Screening router

Buy Now
Questions 6

Which of the following Is the BEST way to ensure payment transaction data is restricted to the appropriate users?

Options:

A.

Implementing two-factor authentication

B.

Restricting access to transactions using network security software

C.

implementing role-based access at the application level

D.

Using a single menu tor sensitive application transactions

Buy Now
Questions 7

Management is concerned about sensitive information being intentionally or unintentionally emailed as attachments outside the organization by employees. What is the MOST important task before implementing any associated email controls?

Options:

A.

Require all employees to sign nondisclosure agreements (NDAs).

B.

Develop an acceptable use policy for end-user computing (EUC).

C.

Develop an information classification scheme.

D.

Provide notification to employees about possible email monitoring.

Buy Now
Questions 8

Which of the following is a challenge in developing a service level agreement (SLA) for network services?

Options:

A.

Establishing a well-designed framework for network servirces.

B.

Finding performance metrics that can be measured properly

C.

Ensuring that network components are not modified by the client

D.

Reducing the number of entry points into the network

Buy Now
Questions 9

An IS auditor is reviewing an organization's information asset management process. Which of the following would be of GREATEST concern to the auditor?

Options:

A.

The process does not require specifying the physical locations of assets.

B.

Process ownership has not been established.

C.

The process does not include asset review.

D.

Identification of asset value is not included in the process.

Buy Now
Questions 10

An organization allows employees to retain confidential data on personal mobile devices. Which of the following is the BEST recommendation to mitigate the risk of data leakage from lost or stolen devices?

Options:

A.

Require employees to attend security awareness training.

B.

Password protect critical data files.

C.

Configure to auto-wipe after multiple failed access attempts.

D.

Enable device auto-lock function.

Buy Now
Questions 11

The PRIMARY advantage of object-oriented technology is enhanced:

Options:

A.

efficiency due to the re-use of elements of logic.

B.

management of sequential program execution for data access.

C.

grouping of objects into methods for data access.

D.

management of a restricted variety of data types for a data object.

Buy Now
Questions 12

Which of the following should be GREATEST concern to an IS auditor reviewing data conversion and migration during the implementation of a new application system?

Options:

A.

Data conversion was performed using manual processes.

B.

Backups of the old system and data are not available online.

C.

Unauthorized data modifications occurred during conversion.

D.

The change management process was not formally documented

Buy Now
Questions 13

Management has requested a post-implementation review of a newly implemented purchasing package to determine to what extent business requirements are being met. Which of the following is MOST likely to be assessed?

Options:

A.

Purchasing guidelines and policies

B.

Implementation methodology

C.

Results of line processing

D.

Test results

Buy Now
Questions 14

Secure code reviews as part of a continuous deployment program are which type of control?

Options:

A.

Detective

B.

Logical

C.

Preventive

D.

Corrective

Buy Now
Questions 15

Which of the following is the MOST important benefit of involving IS audit when implementing governance of enterprise IT?

Options:

A.

Identifying relevant roles for an enterprise IT governance framework

B.

Making decisions regarding risk response and monitoring of residual risk

C.

Verifying that legal, regulatory, and contractual requirements are being met

D.

Providing independent and objective feedback to facilitate improvement of IT processes

Buy Now
Questions 16

An organization has outsourced its data processing function to a service provider. Which of the following would BEST determine whether the service provider continues to meet the organization s objectives?

Options:

A.

Assessment of the personnel training processes of the provider

B.

Adequacy of the service provider's insurance

C.

Review of performance against service level agreements (SLAs)

D.

Periodic audits of controls by an independent auditor

Buy Now
Questions 17

Which of the following should be done FIRST when planning a penetration test?

Options:

A.

Execute nondisclosure agreements (NDAs).

B.

Determine reporting requirements for vulnerabilities.

C.

Define the testing scope.

D.

Obtain management consent for the testing.

Buy Now
Questions 18

An incorrect version of the source code was amended by a development team. This MOST likely indicates a weakness in:

Options:

A.

incident management.

B.

quality assurance (QA).

C.

change management.

D.

project management.

Buy Now
Questions 19

An IS auditor has found that an organization is unable to add new servers on demand in a cost-efficient manner. Which of the following is the auditor's BEST recommendation?

Options:

A.

Increase the capacity of existing systems.

B.

Upgrade hardware to newer technology.

C.

Hire temporary contract workers for the IT function.

D.

Build a virtual environment.

Buy Now
Questions 20

During an audit of a reciprocal disaster recovery agreement between two companies, the IS auditor would be MOST concerned with the:

Options:

A.

allocation of resources during an emergency.

B.

frequency of system testing.

C.

differences in IS policies and procedures.

D.

maintenance of hardware and software compatibility.

Buy Now
Questions 21

For an organization that has plans to implement web-based trading, it would be MOST important for an IS auditor to verify the organization's information security plan includes:

Options:

A.

attributes for system passwords.

B.

security training prior to implementation.

C.

security requirements for the new application.

D.

the firewall configuration for the web server.

Buy Now
Questions 22

An IS auditor who was instrumental in designing an application is called upon to review the application. The auditor should:

Options:

A.

refuse the assignment to avoid conflict of interest.

B.

use the knowledge of the application to carry out the audit.

C.

inform audit management of the earlier involvement.

D.

modify the scope of the audit.

Buy Now
Questions 23

Which of the following should be the MOST important consideration when conducting a review of IT portfolio management?

Options:

A.

Assignment of responsibility for each project to an IT team member

B.

Adherence to best practice and industry approved methodologies

C.

Controls to minimize risk and maximize value for the IT portfolio

D.

Frequency of meetings where the business discusses the IT portfolio

Buy Now
Questions 24

An organization plans to receive an automated data feed into its enterprise data warehouse from a third-party service provider. Which of the following would be the BEST way to prevent accepting bad data?

Options:

A.

Obtain error codes indicating failed data feeds.

B.

Appoint data quality champions across the organization.

C.

Purchase data cleansing tools from a reputable vendor.

D.

Implement business rules to reject invalid data.

Buy Now
Questions 25

Which of the following is the MOST important reason to implement version control for an end-user computing (EUC) application?

Options:

A.

To ensure that older versions are availability for reference

B.

To ensure that only the latest approved version of the application is used

C.

To ensure compatibility different versions of the application

D.

To ensure that only authorized users can access the application

Buy Now
Questions 26

Which of the following is the PRIMARY concern when negotiating a contract for a hot site?

Options:

A.

Availability of the site in the event of multiple disaster declarations

B.

Coordination with the site staff in the event of multiple disaster declarations

C.

Reciprocal agreements with other organizations

D.

Complete testing of the recovery plan

Buy Now
Questions 27

What is MOST important to verify during an external assessment of network vulnerability?

Options:

A.

Update of security information event management (SIEM) rules

B.

Regular review of the network security policy

C.

Completeness of network asset inventory

D.

Location of intrusion detection systems (IDS)

Buy Now
Questions 28

Which of the following would BEST determine whether a post-implementation review (PIR) performed by the project management office (PMO) was effective?

Options:

A.

Lessons learned were implemented.

B.

Management approved the PIR report.

C.

The review was performed by an external provider.

D.

Project outcomes have been realized.

Buy Now
Questions 29

When determining whether a project in the design phase will meet organizational objectives, what is BEST to compare against the business case?

Options:

A.

Implementation plan

B.

Project budget provisions

C.

Requirements analysis

D.

Project plan

Buy Now
Questions 30

A proper audit trail of changes to server start-up procedures would include evidence of:

Options:

A.

subsystem structure.

B.

program execution.

C.

security control options.

D.

operator overrides.

Buy Now
Questions 31

Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization's information security policy?

Options:

A.

Alignment with the IT tactical plan

B.

IT steering committee minutes

C.

Compliance with industry best practice

D.

Business objectives

Buy Now
Questions 32

Which of the following tests would provide the BEST assurance that a health care organization is handling patient data appropriately?

Options:

A.

Compliance with action plans resulting from recent audits

B.

Compliance with local laws and regulations

C.

Compliance with industry standards and best practice

D.

Compliance with the organization's policies and procedures

Buy Now
Questions 33

Which of the following should be an IS auditor's GREATEST consideration when scheduling follow-up activities for agreed-upon management responses to remediate audit observations?

Options:

A.

Business interruption due to remediation

B.

IT budgeting constraints

C.

Availability of responsible IT personnel

D.

Risk rating of original findings

Buy Now
Questions 34

Which of the following is the GREATEST concern associated with a high number of IT policy exceptions approved by management?

Options:

A.

The exceptions are likely to continue indefinitely.

B.

The exceptions may result in noncompliance.

C.

The exceptions may elevate the level of operational risk.

D.

The exceptions may negatively impact process efficiency.

Buy Now
Questions 35

Which of the following is MOST important with regard to an application development acceptance test?

Options:

A.

The programming team is involved in the testing process.

B.

All data files are tested for valid information before conversion.

C.

User management approves the test design before the test is started.

D.

The quality assurance (QA) team is in charge of the testing process.

Buy Now
Questions 36

One benefit of return on investment (ROI) analysts in IT decision making is that it provides the:

Options:

A.

basis for allocating indirect costs.

B.

cost of replacing equipment.

C.

estimated cost of ownership.

D.

basis for allocating financial resources.

Buy Now
Questions 37

Which of the following would BEST ensure that a backup copy is available for restoration of mission critical data after a disaster''

Options:

A.

Use an electronic vault for incremental backups

B.

Deploy a fully automated backup maintenance system.

C.

Periodically test backups stored in a remote location

D.

Use both tape and disk backup systems

Buy Now
Questions 38

During an incident management audit, an IS auditor finds that several similar incidents were logged during the audit period. Which of the following is the auditor's MOST important course of action?

Options:

A.

Document the finding and present it to management.

B.

Determine if a root cause analysis was conducted.

C.

Confirm the resolution time of the incidents.

D.

Validate whether all incidents have been actioned.

Buy Now
Questions 39

An IS auditor finds that firewalls are outdated and not supported by vendors. Which of the following should be the auditor's NEXT course of action?

Options:

A.

Report the mitigating controls.

B.

Report the security posture of the organization.

C.

Determine the value of the firewall.

D.

Determine the risk of not replacing the firewall.

Buy Now
Questions 40

Which of the following attack techniques will succeed because of an inherent security weakness in an Internet firewall?

Options:

A.

Phishing

B.

Using a dictionary attack of encrypted passwords

C.

Intercepting packets and viewing passwords

D.

Flooding the site with an excessive number of packets

Buy Now
Questions 41

Which of the following is MOST important to include in forensic data collection and preservation procedures?

Options:

A.

Assuring the physical security of devices

B.

Preserving data integrity

C.

Maintaining chain of custody

D.

Determining tools to be used

Buy Now
Questions 42

The PRIMARY benefit lo using a dry-pipe fire-suppression system rather than a wet-pipe system is that a dry-pipe system:

Options:

A.

is more effective at suppressing flames.

B.

allows more time to abort release of the suppressant.

C.

has a decreased risk of leakage.

D.

disperses dry chemical suppressants exclusively.

Buy Now
Questions 43

Which of the following findings should be of GREATEST concern for an IS auditor when auditing the effectiveness of a phishing simu-lation test administered for staff members?

Options:

A.

Staff members who failed the test did not receive follow-up education

B.

Test results were not communicated to staff members.

C.

Staff members were not notified about the test beforehand.

D.

Security awareness training was not provided prior to the test.

Buy Now
Questions 44

Which of the following should be identified FIRST during the risk assessment process?

Options:

A.

Vulnerability to threats

B.

Existing controls

C.

Information assets

D.

Legal requirements

Buy Now
Questions 45

Which of the following responsibilities of an organization's quality assurance (QA) function should raise concern for an IS auditor?

Options:

A.

Ensuring standards are adhered to within the development process

B.

Ensuring the test work supports observations

C.

Updating development methodology

D.

Implementing solutions to correct defects

Buy Now
Questions 46

When reviewing past results of a recurring annual audit, an IS auditor notes that findings may not have been reported and independence may not have been maintained. Which of the following is the auditor's BEST course of action?

Options:

A.

Inform senior management.

B.

Reevaluate internal controls.

C.

Inform audit management.

D.

Re-perform past audits to ensure independence.

Buy Now
Questions 47

Which of the following is the MOST important responsibility of data owners when implementing a data classification process?

Options:

A.

Reviewing emergency changes to data

B.

Authorizing application code changes

C.

Determining appropriate user access levels

D.

Implementing access rules over database tables

Buy Now
Questions 48

An organization plans to replace its nightly batch processing backup to magnetic tape with real-time replication to a second data center. Which of the following is the GREATEST risk associated with this change?

Options:

A.

Version control issues

B.

Reduced system performance

C.

Inability to recover from cybersecurity attacks

D.

Increase in IT investment cost

Buy Now
Questions 49

A core system fails a week after a scheduled update, causing an outage that impacts service. Which of the following is MOST important for incident management to focus on when addressing the issue?

Options:

A.

Analyzing the root cause of the outage to ensure the incident will not reoccur

B.

Restoring the system to operational state as quickly as possible

C.

Ensuring all resolution steps are fully documented prior to returning thesystem to service

D.

Rolling back the unsuccessful change to the previous state

Buy Now
Questions 50

Which of the following would MOST effectively ensure the integrity of data transmitted over a network?

Options:

A.

Message encryption

B.

Certificate authority (CA)

C.

Steganography

D.

Message digest

Buy Now
Questions 51

A data breach has occurred due lo malware. Which of the following should be the FIRST course of action?

Options:

A.

Notify the cyber insurance company.

B.

Shut down the affected systems.

C.

Quarantine the impacted systems.

D.

Notify customers of the breach.

Buy Now
Questions 52

The IS quality assurance (OA) group is responsible for:

Options:

A.

ensuring that program changes adhere to established standards.

B.

designing procedures to protect data against accidental disclosure.

C.

ensuring that the output received from system processing is complete.

D.

monitoring the execution of computer processing tasks.

Buy Now
Questions 53

An IS auditor learns that an organization's business continuity plan (BCP) has not been updated in the last 18 months and that the organization recently closed a production plant. Which of the following is the auditor's BEST course of action?

Options:

A.

Determine whether the business impact analysis (BIA) is current with the organization's structure and context.

B.

Determine the types of technologies used at the plant and how they may affect the BCP.

C.

Perform testing to determine the impact to the recovery time objective (R TO).

D.

Assess the risk to operations from the closing of the plant.

Buy Now
Questions 54

Which of the following is the MOST important reason to classify a disaster recovery plan (DRP) as confidential?

Options:

A.

Ensure compliance with the data classification policy.

B.

Protect the plan from unauthorized alteration.

C.

Comply with business continuity best practice.

D.

Reduce the risk of data leakage that could lead to an attack.

Buy Now
Questions 55

A new regulation requires organizations to report significant security incidents to the regulator within 24 hours of identification. Which of the following is the IS auditor's BEST recommendation to facilitate compliance with the regulation?

Options:

A.

Include the requirement in the incident management response plan.

B.

Establish key performance indicators (KPIs) for timely identification of security incidents.

C.

Enhance the alert functionality of the intrusion detection system (IDS).

D.

Engage an external security incident response expert for incident handling.

Buy Now
Questions 56

An organization's enterprise architecture (EA) department decides to change a legacy system's components while maintaining its original functionality. Which of the following is MOST important for an IS auditor to understand when reviewing this decision?

Options:

A.

The current business capabilities delivered by the legacy system

B.

The proposed network topology to be used by the redesigned system

C.

The data flows between the components to be used by the redesigned system

D.

The database entity relationships within the legacy system

Buy Now
Questions 57

Which of the following is an executive management concern that could be addressed by the implementation of a security metrics dashboard?

Options:

A.

Effectiveness of the security program

B.

Security incidents vs. industry benchmarks

C.

Total number of hours budgeted to security

D.

Total number of false positives

Buy Now
Questions 58

When planning a follow-up, the IS auditor is informed by operational management that recent organizational changes have addressed the previously identified risk and implementing the action plan is no longer necessary. What should the auditor do NEXT?

Options:

A.

Report that the changes make it impractical to determine whether the risks have been addressed.

B.

Accept management's assertion and report that the risks have been addressed.

C.

Determine whether the changes have introduced new risks that need to be addressed.

D.

Review the changes and determine whether the risks have been addressed.

Buy Now
Questions 59

Which of the following is the MOST effective control to mitigate unintentional misuse of authorized access?

Options:

A.

Annual sign-off of acceptable use policy

B.

Regular monitoring of user access logs

C.

Security awareness training

D.

Formalized disciplinary action

Buy Now
Questions 60

Which of the following is the BEST point in time to conduct a post-implementation review?

Options:

A.

After a full processing cycle

B.

Immediately after deployment

C.

After the warranty period

D.

Prior to the annual performance review

Buy Now
Questions 61

Audit observations should be FIRST communicated with the auditee:

Options:

A.

when drafting the report.

B.

during fieldwork.

C.

at the end of fieldwork.

D.

within the audit report

Buy Now
Questions 62

Which of the following is MOST important to include in security awareness training?

Options:

A.

How to respond to various types of suspicious activity

B.

The importance of complex passwords

C.

Descriptions of the organization's security infrastructure

D.

Contact information for the organization's security team

Buy Now
Questions 63

An organization's security team created a simulated production environment with multiple vulnerable applications. What would be the PRIMARY purpose of creating such an environment?

Options:

A.

To test the intrusion detection system (IDS)

B.

To provide training to security managers

C.

To collect digital evidence of cyberattacks

D.

To attract attackers in order to study their behavior

Buy Now
Questions 64

Which of the following findings would be of GREATEST concern to an IS auditor assessing an organization's patch management process?

Options:

A.

The organization's software inventory is not complete.

B.

Applications frequently need to be rebooted for patches to take effect.

C.

Software vendors are bundling patches.

D.

Testing patches takes significant time.

Buy Now
Questions 65

An IS auditor discovers a box of hard drives in a secured location that are overdue for physical destruction. The vendor responsible for this task was never made aware of these hard drives.

Which of the following is the BEST course of action to address this issue?

Options:

A.

Examine the workflow to identify gaps in asset-handling responsibilities.

B.

Escalate the finding to the asset owner for remediation.

C.

Recommend the drives be sent to the vendor for destruction.

D.

Evaluate the corporate asset-handling policy for potential gaps.

Buy Now
Questions 66

During an audit, an IT finding is agreed upon by all IT teams involved, but no team wants to be responsible for remediation or considers the finding within Its area of responsibility Which of the following is the IS auditor's BEST course of action?

Options:

A.

Escalate to IT management for resolution.

B.

Issue the finding without identifying an owner

C.

Assign shared responsibility to all IT teams.

D.

Determine the most appropriate team and assign accordingly.

Buy Now
Questions 67

Which type of review is MOST important to conduct when an IS auditor is informed that a recent internal exploitation of a bug has been discovered in a business application?

Options:

A.

Penetration testing

B.

Application security testing

C.

Forensic audit

D.

Server security audit

Buy Now
Questions 68

Which of the following methods would BEST help detect unauthorized disclosure of confidential documents sent over corporate email?

Options:

A.

Requiring all users to encrypt documents before sending

B.

Installing firewalls on the corporate network

C.

Reporting all outgoing emails that are marked as confidential

D.

Monitoring all emails based on pre-defined criteria

Buy Now
Questions 69

Which of the following is the PRIMARY reason for an IS auditor to perform a risk assessment?

Options:

A.

It helps to identify areas with a relatively high probability of material problems.

B.

It provides a basis for the formulation of corrective action plans.

C.

It increases awareness of the types of management actions that may be inappropriate

D.

It helps to identify areas that are most sensitive to fraudulent or inaccurate practices

Buy Now
Questions 70

An IT strategic plan that BEST leverages IT in achieving organizational goals will include:

Options:

A.

a comparison of future needs against current capabilities.

B.

a risk-based ranking of projects.

C.

enterprise architecture (EA) impacts.

D.

IT budgets linked to the organization's budget.

Buy Now
Questions 71

During an operational audit on the procurement department, the audit team encounters a key system that uses an artificial intelligence (Al) algorithm. The audit team does not have the necessary knowledge to proceed with the audit. Which of the following is the BEST way to handle this situation?

Options:

A.

Perform a skills assessment to identify members from other business units with knowledge of Al.

B.

Remove the Al portion from the audit scope and proceed with the audit.

C.

Delay the audit until the team receives training on Al.

D.

Engage external consultants who have audit experience and knowledge of Al.

Buy Now
Questions 72

When a data center is attempting to restore computing facilities at an alternative site following a disaster, which of the following should be restored FIRST?

Options:

A.

Data backups

B.

Decision support system

C.

Operating system

D.

Applications

Buy Now
Questions 73

The use of which of the following would BEST enhance a process improvement program?

Options:

A.

Model-based design notations

B.

Balanced scorecard

C.

Capability maturity models

D.

Project management methodologies

Buy Now
Questions 74

Which of the following is the MOST significant impact to an organization that does not use an IT governance framework?

Options:

A.

adequate measurement of key risk indicators (KRIS)

B.

Inadequate alignment of IT plans and business objectives

C.

Inadequate business impact analysis (BIA) results and predictions

D.

Inadequate measurement of key performance indicators (KPls)

Buy Now
Questions 75

Which of the following biometric access controls has the HIGHEST rate of false negatives?

Options:

A.

Iris recognition

B.

Fingerprint scanning

C.

Face recognition

D.

Retina scanning

Buy Now
Questions 76

Which of the following is the MOST significant risk when an application uses individual end-user accounts to access the underlying database?

Options:

A.

Multiple connects to the database are used and slow the process_

B.

User accounts may remain active after a termination.

C.

Users may be able to circumvent application controls.

D.

Application may not capture a complete audit trail.

Buy Now
Questions 77

Which of the following would BEST guide an IS auditor when determining an appropriate time to schedule the follow-up of agreed corrective actions for reported audit issues?

Options:

A.

Progress updates indicate that the implementation of agreed actions is on track.

B.

Sufficient time has elapsed since implementation to provide evidence of control operation.

C.

Business management has completed the implementation of agreed actions on schedule.

D.

Regulators have announced a timeline for an inspection visit.

Buy Now
Questions 78

During audit planning, the IS audit manager is considering whether to budget for audits of entities regarded by the business as having low risk. Which of the following is the BEST course of action in this situation?

Options:

A.

Outsource low-risk audits to external audit service providers.

B.

Conduct limited-scope audits of low-risk business entities.

C.

Validate the low-risk entity ratings and apply professional judgment.

D.

Challenge the risk rating and include the low-risk entities in the plan.

Buy Now
Questions 79

The PRIMARY responsibility of a project steering committee is to:

Options:

A.

sign off on the final build document.

B.

ensure that each project deadline is met.

C.

ensure that developed systems meet business needs.

D.

provide regular project updates and oversight.

Buy Now
Questions 80

Which of the following is MOST important to consider when assessing the scope of privacy concerns for an IT project?

Options:

A.

Data ownership

B.

Applicable laws and regulations

C.

Business requirements and data flows

D.

End-user access rights

Buy Now
Questions 81

A secure server room has a badge reader system that records name, date, and time information whenever a staff member uses a badge to enter or exit. When reviewing the system logs, an IS auditor notices records for some employees entering, but not exiting, the room. Which of the following would be the MOST effective compensating control to recommend?

Options:

A.

Installing security cameras at the doors

B.

Changing to a biometric access control system

C.

Implementing a monitored mantrap at entrance and exit points

D.

Requiring two-factor authentication at entrance and exit points

Buy Now
Questions 82

In an environment where data virtualization is used, which of the following provides the BEST disaster recovery solution?

Options:

A.

Onsite disk-based backup systems

B.

Tape-based backup systems

C.

Virtual tape library

D.

Redundant array of independent disks (RAID)

Buy Now
Questions 83

Which of the following is MOST helpful to an IS auditor reviewing the alignment of planned IT budget with the organization's goals and strategic objectives?

Options:

A.

Enterprise architecture (EA)

B.

Business impact analysis (BIA)

C.

Risk assessment report

D.

Audit recommendations

Buy Now
Questions 84

An IS auditor should be MOST concerned if which of the following fire suppression systems is utilized to protect an asset storage closet?

Options:

A.

Deluge system

B.

Wet pipe system

C.

Preaction system

D.

CO2 system

Buy Now
Questions 85

A bank performed minor changes to the interest calculation computer program. Which of the following techniques would provide the STRONGEST evidence to determine whether the interest calculations are correct?

Options:

A.

Source code review

B.

Parallel simulation using audit software

C.

Manual verification of a sample of the results

D.

Review of the quality assurance (QA) test results

Buy Now
Questions 86

What is the PRIMARY reason for an organization to classify the data stored on its internal networks?

Options:

A.

To determine data retention policy

B.

To implement data protection requirements

C.

To comply with the organization's data policies

D.

To follow industry best practices

Buy Now
Questions 87

Which of the following BEST enables a benefits realization process for a system development project?

Options:

A.

Metrics for the project have been selected before the project begins.

B.

Project budget includes costs to execute the project and costs associated with the solution.

C.

Estimates of business benefits are backed by similar previously completed projects.

D.

Metrics are evaluated immediately after the project has been implemented.

Buy Now
Questions 88

Which of the following should an IS auditor use when verifying a three-way match has occurred in an enterprise resource planning (ERR) system?

Options:

A.

Bank confirmation

B.

Goods delivery notification

C.

Purchase requisition

D.

Purchase order

Buy Now
Questions 89

Which of the following is MOST critical to the success of an information security program?

Options:

A.

Alignment of information security with IT objectives

B.

Management’s commitment to information security

C.

Integration of business and information security

D.

User accountability for information security

Buy Now
Questions 90

Which of the following is MOST likely to be a project deliverable of an agile software development methodology?

Options:

A.

Strictly managed software requirements baselines

B.

Extensive project documentation

C.

Automated software programming routines

D.

Rapidly created working prototypes

Buy Now
Questions 91

Which of the following BEST describes a digital signature?

Options:

A.

It is under control of the receiver.

B.

It is capable of authorization.

C.

It dynamically validates modifications of data.

D.

It is unique to the sender using it.

Buy Now
Questions 92

An IS auditor is reviewing the installation of a new server. The IS auditor's PRIMARY objective is to ensure that

Options:

A.

security parameters are set in accordance with the manufacturer s standards.

B.

a detailed business case was formally approved prior to the purchase.

C.

security parameters are set in accordance with the organization's policies.

D.

the procurement project invited lenders from at least three different suppliers.

Buy Now
Questions 93

Which of the following features of a library control software package would protect against unauthorized updating of source code?

Options:

A.

Required approvals at each life cycle step

B.

Date and time stamping of source and object code

C.

Access controls for source libraries

D.

Release-to-release comparison of source code

Buy Now
Questions 94

Which of the following will BEST ensure that a proper cutoff has been established to reinstate transactions and records to their condition just prior to a computer system failure?

Options:

A.

Rotating backup copies of transaction files offsite

B.

Using a database management system (DBMS) to dynamically back-out partially processed transactions

C.

Maintaining system console logs in electronic formal

D.

Ensuring bisynchronous capabilities on all transmission lines

Buy Now
Questions 95

Which of the following is the MOST effective way for an organization to help ensure agreed-upon action plans from an IS audit will be implemented?

Options:

A.

Ensure sufficient audit resources are allocated,

B.

Communicate audit results organization-wide.

C.

Ensure ownership is assigned.

D.

Test corrective actions upon completion.

Buy Now
Questions 96

Which of the following BEST helps to ensure data integrity across system interfaces?

Options:

A.

Environment segregation

B.

Reconciliation

C.

System backups

D.

Access controls

Buy Now
Questions 97

An IS auditor finds that the process for removing access for terminated employees is not documented What is the MOST significant risk from this observation?

Options:

A.

Procedures may not align with best practices

B.

Human resources (HR) records may not match system access.

C.

Unauthorized access cannot he identified.

D.

Access rights may not be removed in a timely manner.

Buy Now
Questions 98

An IS auditor notes that the previous year's disaster recovery test was not completed within the scheduled time frame due to insufficient hardware allocated by a third-party vendor. Which of the following provides the BEST evidence that adequate resources are now allocated to successfully recover the systems?

Options:

A.

Service level agreement (SLA)

B.

Hardware change management policy

C.

Vendor memo indicating problem correction

D.

An up-to-date RACI chart

Buy Now
Questions 99

Which of the following application input controls would MOST likely detect data input errors in the customer account number field during the processing of an accounts receivable transaction?

Options:

A.

Limit check

B.

Parity check

C.

Reasonableness check

D.

Validity check

Buy Now
Questions 100

Which of the following should an IS auditor ensure is classified at the HIGHEST level of sensitivity?

Options:

A.

Server room access history

B.

Emergency change records

C.

IT security incidents

D.

Penetration test results

Buy Now
Questions 101

Which of the following is MOST important for an IS auditor to confirm when reviewing an organization's plans to implement robotic process automation (RPA> to automate routine business tasks?

Options:

A.

The end-to-end process is understood and documented.

B.

Roles and responsibilities are defined for the business processes in scope.

C.

A benchmarking exercise of industry peers who use RPA has been completed.

D.

A request for proposal (RFP) has been issued to qualified vendors.

Buy Now
Questions 102

A credit card company has decided to outsource the printing of customer statements It Is MOST important for the company to verify whether:

Options:

A.

the provider has alternate service locations.

B.

the contract includes compensation for deficient service levels.

C.

the provider's information security controls are aligned with the company's.

D.

the provider adheres to the company's data retention policies.

Buy Now
Questions 103

During a follow-up audit, an IS auditor finds that some critical recommendations have the IS auditor's BEST course of action?

Options:

A.

Require the auditee to address the recommendations in full.

B.

Adjust the annual risk assessment accordingly.

C.

Evaluate senior management's acceptance of the risk.

D.

Update the audit program based on management's acceptance of risk.

Buy Now
Questions 104

The PRIMARY objective of value delivery in reference to IT governance is to:

Options:

A.

promote best practices

B.

increase efficiency.

C.

optimize investments.

D.

ensure compliance.

Buy Now
Questions 105

Which of the following types of environmental equipment will MOST likely be deployed below the floor tiles of a data center?

Options:

A.

Temperature sensors

B.

Humidity sensors

C.

Water sensors

D.

Air pressure sensors

Buy Now
Questions 106

Which of the following is the MOST efficient way to identify segregation of duties violations in a new system?

Options:

A.

Review a report of security rights in the system.

B.

Observe the performance of business processes.

C.

Develop a process to identify authorization conflicts.

D.

Examine recent system access rights violations.

Buy Now
Questions 107

Which of the following should be the FIRST step in the incident response process for a suspected breach?

Options:

A.

Inform potentially affected customers of the security breach

B.

Notify business management of the security breach.

C.

Research the validity of the alerted breach

D.

Engage a third party to independently evaluate the alerted breach.

Buy Now
Questions 108

What Is the BEST method to determine if IT resource spending is aligned with planned project spending?

Options:

A.

Earned value analysis (EVA)

B.

Return on investment (ROI) analysis

C.

Gantt chart

D.

Critical path analysis

Buy Now
Questions 109

Which of the following is the BEST metric to measure the alignment of IT and business strategy?

Options:

A.

Level of stakeholder satisfaction with the scope of planned IT projects

B.

Percentage of enterprise risk assessments that include IT-related risk

C.

Percentage of stat satisfied with their IT-related roles

D.

Frequency of business process capability maturity assessments

Buy Now
Questions 110

What is the GREATEST concern for an IS auditor reviewing contracts for licensed software that executes a critical business process?

Options:

A.

The contract does not contain a right-to-audit clause.

B.

An operational level agreement (OLA) was not negotiated.

C.

Several vendor deliverables missed the commitment date.

D.

Software escrow was not negotiated.

Buy Now
Questions 111

An organization allows its employees lo use personal mobile devices for work. Which of the following would BEST maintain information security without compromising employee privacy?

Options:

A.

Installing security software on the devices

B.

Partitioning the work environment from personal space on devices

C.

Preventing users from adding applications

D.

Restricting the use of devices for personal purposes during working hours

Buy Now
Questions 112

An IS auditor is reviewing documentation of application systems change control and identifies several patches that were not tested before being put into production. Which of the following is the MOST significant risk from this situation?

Options:

A.

Loss of application support

B.

Lack of system integrity

C.

Outdated system documentation

D.

Developer access 1o production

Buy Now
Questions 113

An IS auditor discovers that an IT organization serving several business units assigns equal priority to all initiatives, creating a risk of delays in securing project funding Which of the following would be MOST helpful in matching demand for projects and services with available resources in a way that supports business objectives?

Options:

A.

Project management

B.

Risk assessment results

C.

IT governance framework

D.

Portfolio management

Buy Now
Questions 114

An IS auditor finds that capacity management for a key system is being performed by IT with no input from the business The auditor's PRIMARY concern would be:

Options:

A.

failure to maximize the use of equipment

B.

unanticipated increase in business s capacity needs.

C.

cost of excessive data center storage capacity

D.

impact to future business project funding.

Buy Now
Questions 115

Which of the following is the BEST control lo mitigate attacks that redirect Internet traffic to an unauthorized website?

Options:

A.

Utilize a network-based firewall.

B.

Conduct regular user security awareness training.

C.

Perform domain name system (DNS) server security hardening.

D.

Enforce a strong password policy meeting complexity requirement.

Buy Now
Questions 116

Which of the following provides the BEST providence that outsourced provider services are being properly managed?

Options:

A.

The service level agreement (SLA) includes penalties for non-performance.

B.

Adequate action is taken for noncompliance with the service level agreement (SLA).

C.

The vendor provides historical data to demonstrate its performance.

D.

Internal performance standards align with corporate strategy.

Buy Now
Questions 117

The PRIMARY benefit of information asset classification is that it:

Options:

A.

prevents loss of assets.

B.

helps to align organizational objectives.

C.

facilitates budgeting accuracy.

D.

enables risk management decisions.

Buy Now
Questions 118

Which of the following would be an appropriate role of internal audit in helping to establish an organization’s privacy program?

Options:

A.

Analyzing risks posed by new regulations

B.

Developing procedures to monitor the use of personal data

C.

Defining roles within the organization related to privacy

D.

Designing controls to protect personal data

Buy Now
Questions 119

Which of the following is MOST critical for the effective implementation of IT governance?

Options:

A.

Strong risk management practices

B.

Internal auditor commitment

C.

Supportive corporate culture

D.

Documented policies

Buy Now
Questions 120

Which of the following is MOST important when implementing a data classification program?

Options:

A.

Understanding the data classification levels

B.

Formalizing data ownership

C.

Developing a privacy policy

D.

Planning for secure storage capacity

Buy Now
Questions 121

An IS auditor is reviewing processes for importing market price data from external data providers. Which of the following findings should the auditor consider MOST critical?

Options:

A.

The quality of the data is not monitored.

B.

Imported data is not disposed frequently.

C.

The transfer protocol is not encrypted.

D.

The transfer protocol does not require authentication.

Buy Now
Questions 122

An audit has identified that business units have purchased cloud-based applications without IPs support. What is the GREATEST risk associated with this situation?

Options:

A.

The applications are not included in business continuity plans (BCFs)

B.

The applications may not reasonably protect data.

C.

The application purchases did not follow procurement policy.

D.

The applications could be modified without advanced notice.

Buy Now
Questions 123

Which of the following is MOST important for an IS auditor to determine during the detailed design phase of a system development project?

Options:

A.

Program coding standards have been followed

B.

Acceptance test criteria have been developed

C.

Data conversion procedures have been established.

D.

The design has been approved by senior management.

Buy Now
Questions 124

What is the PRIMARY purpose of documenting audit objectives when preparing for an engagement?

Options:

A.

To address the overall risk associated with the activity under review

B.

To identify areas with relatively high probability of material problems

C.

To help ensure maximum use of audit resources during the engagement

D.

To help prioritize and schedule auditee meetings

Buy Now
Questions 125

Which of the following would BEST enable an organization to address the security risks associated with a recently implemented bring your own device (BYOD) strategy?

Options:

A.

Mobile device tracking program

B.

Mobile device upgrade program

C.

Mobile device testing program

D.

Mobile device awareness program

Buy Now
Questions 126

Which of the following audit procedures would be MOST conclusive in evaluating the effectiveness of an e-commerce application system's edit routine?

Options:

A.

Review of program documentation

B.

Use of test transactions

C.

Interviews with knowledgeable users

D.

Review of source code

Buy Now
Questions 127

What would be an IS auditor's BEST recommendation upon finding that a third-party IT service provider hosts the organization's human resources (HR) system in a foreign country?

Options:

A.

Perform background verification checks.

B.

Review third-party audit reports.

C.

Implement change management review.

D.

Conduct a privacy impact analysis.

Buy Now
Questions 128

Which of the following is MOST important when planning a network audit?

Options:

A.

Determination of IP range in use

B.

Analysis of traffic content

C.

Isolation of rogue access points

D.

Identification of existing nodes

Buy Now
Questions 129

Which of the following IT service management activities is MOST likely to help with identifying the root cause of repeated instances of network latency?

Options:

A.

Change management

B.

Problem management

C.

incident management

D.

Configuration management

Buy Now
Questions 130

Which of the following would an IS auditor recommend as the MOST effective preventive control to reduce the risk of data leakage?

Options:

A.

Ensure that paper documents arc disposed security.

B.

Implement an intrusion detection system (IDS).

C.

Verify that application logs capture any changes made.

D.

Validate that all data files contain digital watermarks

Buy Now
Questions 131

Which of the following would be of GREATEST concern when reviewing an organization's security information and event management (SIEM) solution?

Options:

A.

SIEM reporting is customized.

B.

SIEM configuration is reviewed annually

C.

The SIEM is decentralized.

D.

SIEM reporting is ad hoc.

Buy Now
Questions 132

A post-implementation review was conducted by issuing a survey to users. Which of the following should be of GREATEST concern to an IS auditor?

Options:

A.

The survey results were not presented in detail lo management.

B.

The survey questions did not address the scope of the business case.

C.

The survey form template did not allow additional feedback to be provided.

D.

The survey was issued to employees a month after implementation.

Buy Now
Questions 133

Which of the following is the BEST reason to implement a data retention policy?

Options:

A.

To limit the liability associated with storing and protecting information

B.

To document business objectives for processing data within the organization

C.

To assign responsibility and ownership for data protection outside IT

D.

To establish a recovery point detective (RPO) for (toaster recovery procedures

Buy Now
Questions 134

Which of the following is the BEST way to mitigate the risk associated with unintentional modifications of complex calculations in end-user computing (EUC)?

Options:

A.

Have an independent party review the source calculations

B.

Execute copies of EUC programs out of a secure library

C.

implement complex password controls

D.

Verify EUC results through manual calculations

Buy Now
Questions 135

What should an IS auditor do FIRST when management responses

to an in-person internal control questionnaire indicate a key internal

control is no longer effective?

Options:

A.

Determine the resources required to make the controleffective.

B.

Validate the overall effectiveness of the internal control.

C.

Verify the impact of the control no longer being effective.

D.

Ascertain the existence of other compensating controls.

Buy Now
Questions 136

Which of the following should be the IS auditor's PRIMARY focus, when evaluating an organization's offsite storage facility?

Options:

A.

Shared facilities

B.

Adequacy of physical and environmental controls

C.

Results of business continuity plan (BCP) test

D.

Retention policy and period

Buy Now
Questions 137

Which of the following BEST enables the effectiveness of an agile project for the rapid development of a new software application?

Options:

A.

Project segments are established.

B.

The work is separated into phases.

C.

The work is separated into sprints.

D.

Project milestones are created.

Buy Now
Questions 138

Which of the following issues associated with a data center's closed-circuit television (CCTV) surveillance cameras should be of MOST concern to an IS auditor?

Options:

A.

CCTV recordings are not regularly reviewed.

B.

CCTV cameras are not installed in break rooms

C.

CCTV records are deleted after one year.

D.

CCTV footage is not recorded 24 x 7.

Buy Now
Questions 139

A review of Internet security disclosed that users have individual user accounts with Internet service providers (ISPs) and use these accounts for downloading business data. The organization wants to ensure that only the corporate network is used. The organization should FIRST:

Options:

A.

use a proxy server to filter out Internet sites that should not be accessed.

B.

keep a manual log of Internet access.

C.

monitor remote access activities.

D.

include a statement in its security policy about Internet use.

Buy Now
Questions 140

Which of the following should be of GREATEST concern to an IS auditor reviewing a network printer disposal process?

Options:

A.

Disposal policies and procedures are not consistently implemented

B.

Evidence is not available to verify printer hard drives have been sanitized prior to disposal.

C.

Business units are allowed to dispose printers directly to

D.

Inoperable printers are stored in an unsecured area.

Buy Now
Questions 141

in a controlled application development environment, the MOST important segregation of duties should be between the person who implements changes into the production environment and the:

Options:

A.

application programmer

B.

systems programmer

C.

computer operator

D.

quality assurance (QA) personnel

Buy Now
Questions 142

Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization's information security policy?

Options:

A.

IT steering committee minutes

B.

Business objectives

C.

Alignment with the IT tactical plan

D.

Compliance with industry best practice

Buy Now
Questions 143

Which of the following would BEST detect that a distributed denial of service (DDoS) attack is occurring?

Options:

A.

Customer service complaints

B.

Automated monitoring of logs

C.

Server crashes

D.

Penetration testing

Buy Now
Questions 144

Which of the following should be the FRST step when developing a data toes prevention (DIP) solution for a large organization?

Options:

A.

Identify approved data workflows across the enterprise.

B.

Conduct a threat analysis against sensitive data usage.

C.

Create the DLP pcJc.es and templates

D.

Conduct a data inventory and classification exercise

Buy Now
Questions 145

A review of IT interface controls finds an organization does not have a process to identify and correct records that do not get transferred to the receiving system Which of the following is the IS auditors BEST recommendation?

Options:

A.

Enable automatic encryption decryption and electronic signing of data files

B.

implement software to perform automatic reconciliations of data between systems

C.

Have coders perform manual reconciliation of data between systems

D.

Automate the transfer of data between systems as much as feasible

Buy Now
Questions 146

Which of the following is the BEST way to ensure that business continuity plans (BCPs) will work effectively in the event of a major disaster?

Options:

A.

Prepare detailed plans for each business function.

B.

Involve staff at all levels in periodic paper walk-through exercises.

C.

Regularly update business impact assessments.

D.

Make senior managers responsible for their plan sections.

Buy Now
Questions 147

Which of the following is the BEST evidence that an organization's IT strategy is aligned lo its business objectives?

Options:

A.

The IT strategy is modified in response to organizational change.

B.

The IT strategy is approved by executive management.

C.

The IT strategy is based on IT operational best practices.

D.

The IT strategy has significant impact on the business strategy

Buy Now
Questions 148

Which of the following provides the MOST useful information to an IS auditor when selecting projects for inclusion in an IT audit plan?

Options:

A.

Project charter

B.

Project plan

C.

Project issue log

D.

Project business case

Buy Now
Questions 149

A characteristic of a digital signature is that it

Options:

A.

is under control of the receiver

B.

is unique to the message

C.

is validated when data are changed

D.

has a reproducible hashing algorithm

Buy Now
Questions 150

Which of the following is the BEST source of information for examining the classification of new data?

Options:

A.

Input by data custodians

B.

Security policy requirements

C.

Risk assessment results

D.

Current level of protection

Buy Now
Questions 151

Which of the following is a PRIMARY responsibility of an IT steering committee?

Options:

A.

Prioritizing IT projects in accordance with business requirements

B.

Reviewing periodic IT risk assessments

C.

Validating and monitoring the skill sets of IT department staff

D.

Establishing IT budgets for the business

Buy Now
Questions 152

Which of the following is a concern associated with virtualization?

Options:

A.

The physical footprint of servers could decrease within the data center.

B.

Performance issues with the host could impact the guest operating systems.

C.

Processing capacity may be shared across multiple operating systems.

D.

One host may have multiple versions of the same operating system.

Buy Now
Questions 153

An organization is planning to implement a work-from-home policy that allows users to work remotely as needed. Which of the following is the BEST solution for ensuring secure remote access to corporate resources?

Options:

A.

Additional firewall rules

B.

Multi-factor authentication

C.

Virtual private network (VPN)

D.

Virtual desktop

Buy Now
Questions 154

Which of the following risk scenarios is BEST addressed by implementing policies and procedures related to full disk encryption?

Options:

A.

Data leakage as a result of employees leaving to work for competitors

B.

Noncompliance fines related to storage of regulated information

C.

Unauthorized logical access to information through an application interface

D.

Physical theft of media on which information is stored

Buy Now
Questions 155

Which of the following is the BEST indication of effective IT investment management?

Options:

A.

IT investments are implemented and monitored following a system development life cycle (SDLC)

B.

IT investments are mapped to specific business objectives

C.

Key performance indicators (KPIs) are defined for each business requiring IT Investment

D.

The IT Investment budget is significantly below industry benchmarks

Buy Now
Questions 156

The charging method that effectively encourages the MOST efficient use of IS resources is:

Options:

A.

specific charges that can be tied back to specific usage.

B.

total utilization to achieve full operating capacity.

C.

residual income in excess of actual incurred costs.

D.

allocations based on the ability to absorb charges.

Buy Now
Questions 157

An IS auditor has discovered that a software system still in regular use is years out of date and no longer supported. The auditee has stated that it will take six months until the software is running on the current version. Which of the following is the BEST way to reduce the immediate risk associated with using an unsupported version of the software?

Options:

A.

Verify all patches have been applied to the software system's outdated version.

B.

Close all unused ports on the outdated software system.

C.

Monitor network traffic attempting to reach the outdated software system.

D.

Segregate the outdated software system from the main network.

Buy Now
Questions 158

The use of control totals reduces the risk of:

Options:

A.

posting to the wrong record.

B.

incomplete processing.

C.

improper backup.

D.

improper authorization.

Buy Now
Questions 159

During planning for a cloud service audit, audit management becomes aware that the assigned IS auditor is unfamiliar with the technologies in use and their associated risks to the business. To ensure audit quality, which of the following actions should audit management consider FIRST?

Options:

A.

Conduct a follow-up audit after a suitable period has elapsed.

B.

Reschedule the audit assignment for the next financial year.

C.

Reassign the audit to an internal audit subject matter expert.

D.

Extend the duration of the audit to give the auditor more time.

Buy Now
Questions 160

Which of the following should be done FIRST to minimize the risk of unstructured data?

Options:

A.

Identify repositories of unstructured data.

B.

Purchase tools to analyze unstructured data.

C.

Implement strong encryption for unstructured data.

D.

Implement user access controls to unstructured data.

Buy Now
Questions 161

An IS auditor is reviewing enterprise governance and finds there is no defined organizational structure for technology risk governance. Which of the following is the GREATEST concern with this lack of structure?

Options:

A.

Software developers may adopt inappropriate technology.

B.

Project managers may accept technology risks exceeding the organization's risk appetite.

C.

Key decision-making entities for technology risk have not been identified

D.

There is no clear approval entity for organizational security standards.

Buy Now
Questions 162

An IS auditor reviewing a job scheduling tool notices performance and reliability problems. Which of the following is MOST likely affecting the tool?

Options:

A.

Administrator passwords do not meet organizational security and complexity requirements.

B.

The number of support staff responsible for job scheduling has been reduced.

C.

The scheduling tool was not classified as business-critical by the IT department.

D.

Maintenance patches and the latest enhancement upgrades are missing.

Buy Now
Questions 163

An IS auditor has completed the fieldwork phase of a network security review and is preparing the initial following findings should be ranked as the HIGHEST risk?

Options:

A.

Network penetration tests are not performed

B.

The network firewall policy has not been approved by the information security officer.

C.

Network firewall rules have not been documented.

D.

The network device inventory is incomplete.

Buy Now
Questions 164

During the planning stage of a compliance audit, an IS auditor discovers that a bank's inventory of compliance requirements does not include recent regulatory changes related to managing data risk. What should the auditor do FIRST?

Options:

A.

Ask management why the regulatory changes have not been Included.

B.

Discuss potential regulatory issues with the legal department

C.

Report the missing regulatory updates to the chief information officer (CIO).

D.

Exclude recent regulatory changes from the audit scope.

Buy Now
Questions 165

Which of the following is me GREATE ST impact as a result of the ongoing deterioration of a detective control?

Options:

A.

Increased number of false negatives in security logs

B.

Decreased effectiveness of roof cause analysis

C.

Decreased overall recovery time

D.

Increased demand for storage space for logs

Buy Now
Questions 166

An IS auditor requests direct access to data required to perform audit procedures instead of asking management to provide the data Which of the following is the PRIMARY advantage of this approach?

Options:

A.

Audit transparency

B.

Data confidentiality

C.

Professionalism

D.

Audit efficiency

Buy Now
Questions 167

When evaluating information security governance within an organization, which of the following findings should be of MOST concern to an IS auditor?

Options:

A.

The information security department has difficulty filling vacancies

B.

An information security governance audit was not conducted within the past year

C.

The data center manager has final sign-off on security projects

D.

Information security policies are updated annually

Buy Now
Questions 168

An IS auditor finds that while an organization's IT strategy is heavily focused on research and development, the majority of protects n the IT portfolio focus on operations and maintenance. Which of the Mowing is the BEST recommendation?

Options:

A.

Align the IT strategy will business objectives

B.

Review priorities in the IT portfolio

C.

Change the IT strategy to focus on operational excellence.

D.

Align the IT portfolio with the IT strategy.

Buy Now
Questions 169

Audit frameworks cart assist the IS audit function by:

Options:

A.

defining the authority and responsibility of the IS audit function.

B.

providing details on how to execute the audit program.

C.

providing direction and information regarding the performance of audits.

D.

outlining the specific steps needed to complete audits

Buy Now
Questions 170

The use of access control lists (ACLs) is the MOST effective method to mitigate security risk for routers because they: (Identify Correct answer and related explanation/references from CISA Certification - Information Systems Auditor official Manual or book)

Options:

A.

are recommended by security standards.

B.

can limit Telnet and traffic from the open Internet.

C.

act as fitters between the world and the network.

D.

can detect cyberattacks.

Buy Now
Questions 171

Which of the following is the PRIMARY advantage of using virtualization technology for corporate applications?

Options:

A.

Stronger data security

B.

Better utilization of resources

C.

Increased application performance

D.

Improved disaster recovery

Buy Now
Questions 172

Which of the following is the BEST testing approach to facilitate rapid identification of application interface errors?

Options:

A.

Integration testing

B.

Regression testing

C.

Automated testing

D.

User acceptance testing (UAT)

Buy Now
Questions 173

In which of the following system development life cycle (SDLC) phases would an IS auditor expect to find that controls have been incorporated into system specifications?

Options:

A.

Implementation

B.

Development

C.

Feasibility

D.

Design

Buy Now
Questions 174

Which of the following should be the FIRST consideration when deciding whether data should be moved to a cloud provider for storage?

Options:

A.

Data storage costs

B.

Data classification

C.

Vendor cloud certification

D.

Service level agreements (SLAs)

Buy Now
Questions 175

A data center's physical access log system captures each visitor's identification document numbers along with the visitor's photo. Which of the following sampling methods would be MOST useful to an IS auditor conducting compliance testing for the effectiveness of the system?

Options:

A.

Quota sampling

B.

Haphazard sampling

C.

Attribute sampling

D.

Variable sampling

Buy Now
Questions 176

Which of the following is the BEST reason for an IS auditor to emphasize to management the importance of using an IT governance framework?

Options:

A.

Frameworks enable IT benchmarks against competitors

B.

Frameworks can be tailored and optimized for different organizations

C.

Frameworks help facilitate control self-assessments (CSAs)

D.

Frameworks help organizations understand and manage IT risk

Buy Now
Questions 177

The FIRST step in auditing a data communication system is to determine:

Options:

A.

traffic volumes and response-time criteria

B.

physical security for network equipment

C.

the level of redundancy in the various communication paths

D.

business use and types of messages to be transmitted

Buy Now
Questions 178

Which of the following BEST enables an organization to improve the visibility of end-user computing (EUC) applications that support regulatory reporting?

Options:

A.

EUC inventory

B.

EUC availability controls

C.

EUC access control matrix

D.

EUC tests of operational effectiveness

Buy Now
Questions 179

An organization has recently moved to an agile model for deploying custom code to its in-house accounting software system. When reviewing the procedures in place for production code deployment, which of the following is the MOST significant security concern to address?

Options:

A.

Software vulnerability scanning is done on an ad hoc basis.

B.

Change control does not include testing and approval from quality assurance (QA).

C.

Production code deployment is not automated.

D.

Current DevSecOps processes have not been independently verified.

Buy Now
Questions 180

Transaction records from a business database were inadvertently deleted, and system operators decided to restore from a snapshot copy. Which of the following provides assurance that the BEST transactions were recovered successfully?

Options:

A.

Review transaction recovery logs to ensure no errors were recorded.

B.

Recount the transaction records to ensure no records are missing.

C.

Rerun the process on a backup machine to verify the results are the same.

D.

Compare transaction values against external statements to verify accuracy.

Buy Now
Questions 181

During a routine internal software licensing review, an IS auditor discovers instances where employees shared license keys to critical pieces of business software. Which of the following would be the auditor's BEST course of action?

Options:

A.

Recommend the utilization of software licensing monitoring tools

B.

Recommend the purchase of additional software license keys

C.

Validate user need for shared software licenses

D.

Verify whether the licensing agreement allows shared use

Buy Now
Questions 182

A checksum is classified as which type of control?

Options:

A.

Detective control

B.

Preventive control

C.

Corrective control

D.

Administrative control

Buy Now
Questions 183

Which of the following is the MOST important outcome of an information security program?

Options:

A.

Operating system weaknesses are more easily identified.

B.

Emerging security technologies are better understood and accepted.

C.

The cost to mitigate information security risk is reduced.

D.

Organizational awareness of security responsibilities is improved.

Buy Now
Questions 184

Which of the following testing methods is MOST appropriate for assessing whether system integrity has been maintained after changes have been made?

Options:

A.

Regression testing

B.

Unit testing

C.

Integration testing

D.

Acceptance testing

Buy Now
Questions 185

Which of the following should be restricted from a network administrator's privileges in an adequately segregated IT environment?

Options:

A.

Monitoring network traffic

B.

Changing existing configurations for applications

C.

Hardening network ports

D.

Ensuring transmission protocols are functioning correctly

Buy Now
Questions 186

What would be an IS auditor's BEST course of action when an auditee is unable to close all audit recommendations by the time of the follow-up audit?

Options:

A.

Ensure the open issues are retained in the audit results.

B.

Terminate the follow-up because open issues are not resolved

C.

Recommend compensating controls for open issues.

D.

Evaluate the residual risk due to open issues.

Buy Now
Questions 187

Which of the following is the BEST way to sanitize a hard disk for reuse to ensure the organization's information cannot be accessed?

Options:

A.

Re-partitioning

B.

Degaussing

C.

Formatting

D.

Data wiping

Buy Now
Questions 188

In the development of a new financial application, the IS auditor's FIRST involvement should be in the:

Options:

A.

control design.

B.

feasibility study.

C.

application design.

D.

system test.

Buy Now
Questions 189

The PRIMARY purpose of requiring source code escrow in a contractual agreement is to:

Options:

A.

comply with vendor management policy

B.

convert source code to new executable code.

C.

satisfy regulatory requirements.

D.

ensure the source code is available.

Buy Now
Questions 190

As part of business continuity planning, which of the following is MOST important to assess when conducting a business impact analysis (B1A)?

Options:

A.

Risk appetite

B.

Critical applications m the cloud

C.

Completeness of critical asset inventory

D.

Recovery scenarios

Buy Now
Questions 191

Which of the following is the MOST appropriate indicator of change management effectiveness?

Options:

A.

Time lag between changes to the configuration and the update of records

B.

Number of system software changes

C.

Time lag between changes and updates of documentation materials

D.

Number of incidents resulting from changes

Buy Now
Questions 192

Which of the following is MOST important for an IS auditor to verify when reviewing the use of an outsourcer for disposal of storage media?

Options:

A.

The vendor's process appropriately sanitizes the media before disposal

B.

The contract includes issuance of a certificate of destruction by the vendor

C.

The vendor has not experienced security incidents in the past.

D.

The disposal transportation vehicle is fully secure

Buy Now
Questions 193

An IS auditor is analyzing a sample of accounts payable transactions for a specific vendor and identifies one transaction with a value five times as high as the average transaction. Which of the following should the auditor do NEXT?

Options:

A.

Report the variance immediately to the audit committee

B.

Request an explanation of the variance from the auditee

C.

Increase the sample size to 100% of the population

D.

Exclude the transaction from the sample population

Buy Now
Questions 194

During the discussion of a draft audit report IT management provided suitable evidence that a process has been implemented for a control that had been concluded by the IS auditor as ineffective Which of the following is the auditor's BEST action?

Options:

A.

Explain to IT management that the new control will be evaluated during follow-up

B.

Add comments about the action taken by IT management in the report

C.

Change the conclusion based on evidence provided by IT management

D.

Re-perform the audit before changing the conclusion

Buy Now
Questions 195

An IS auditor concludes that logging and monitoring mechanisms within an organization are ineffective because critical servers are not included within the central log repository. Which of the following audit procedures would have MOST likely identified this exception?

Options:

A.

Inspecting a sample of alerts generated from the central log repository

B.

Comparing a list of all servers from the directory server against a list of all servers present in the central log repository

C.

Inspecting a sample of alert settings configured in the central log repository

D.

Comparing all servers included in the current central log repository with the listing used for the prior-year audit

Buy Now
Questions 196

When testing the accuracy of transaction data, which of the following situations BEST justifies the use of a smaller sample size?

Options:

A.

The IS audit staff has a high level of experience.

B.

It is expected that the population is error-free.

C.

Proper segregation of duties is in place.

D.

The data can be directly changed by users.

Buy Now
Questions 197

The PRIMARY benefit of automating application testing is to:

Options:

A.

provide test consistency.

B.

provide more flexibility.

C.

replace all manual test processes.

D.

reduce the time to review code.

Buy Now
Questions 198

Which of the following is the GREATEST risk if two users have concurrent access to the same database record?

Options:

A.

Availability integrity

B.

Data integrity

C.

Entity integrity

D.

Referential integrity

Buy Now
Questions 199

An organization has engaged a third party to implement an application to perform business-critical calculations. Which of the following is the MOST important process to help ensure the application provides accurate calculations?

Options:

A.

Key performance indicator (KPI) monitoring

B.

Change management

C.

Configuration management

D.

Quality assurance (QA)

Buy Now
Questions 200

Which of the following should be of GREATEST concern to an IS auditor who is assessing an organization's configuration and release management process?

Options:

A.

The organization does not use an industry-recognized methodology

B.

Changes and change approvals are not documented

C.

All changes require middle and senior management approval

D.

There is no centralized configuration management database (CMDB)

Buy Now
Questions 201

An incident response team has been notified of a virus outbreak in a network subnet. Which of the following should be the NEXT step?

Options:

A.

Verify that the compromised systems are fully functional

B.

Focus on limiting the damage

C.

Document the incident

D.

Remove and restore the affected systems

Buy Now
Questions 202

During a follow-up audit, an IS auditor finds that senior management has implemented a different remediation action plan than what was previously agreed upon. Which of the following is the auditor's BEST course of action?

Options:

A.

Report the deviation by the control owner in the audit report.

B.

Evaluate the implemented control to ensure it mitigates the risk to an acceptable level.

C.

Cancel the follow-up audit and reschedule for the next audit period.

D.

Request justification from management for not implementing the recommended control.

Buy Now
Questions 203

Which of the following is the MOST important determining factor when establishing appropriate timeframes for follow-up activities related to audit findings?

Options:

A.

Availability of IS audit resources

B.

Remediation dates included in management responses

C.

Peak activity periods for the business

D.

Complexity of business processes identified in the audit

Buy Now
Questions 204

IT disaster recovery time objectives (RTOs) should be based on the:

Options:

A.

maximum tolerable loss of data.

B.

nature of the outage

C.

maximum tolerable downtime (MTD).

D.

business-defined criticality of the systems.

Buy Now
Questions 205

Which of the following is the PRIMARY advantage of using visualization technology for corporate applications?

Options:

A.

Improved disaster recovery

B.

Better utilization of resources

C.

Stronger data security

D.

Increased application performance

Buy Now
Questions 206

In an organization's feasibility study to acquire hardware to support a new web server, omission of which of the following would be of MOST concern?

Options:

A.

Alternatives for financing the acquisition

B.

Financial stability of potential vendors

C.

Reputation of potential vendors

D.

Cost-benefit analysis of available products

Buy Now
Questions 207

An IS auditor discovers that validation controls in a web application have been moved from the server side into the browser to boost performance. This would MOST likely increase the risk of a successful attack by:

Options:

A.

structured query language (SQL) injection

B.

buffer overflow.

C.

denial of service (DoS).

D.

phishing.

Buy Now
Questions 208

Which of the following physical controls provides the GREATEST assurance that only authorized individuals can access a data center?

Options:

A.

The data center is patrolled by a security guard.

B.

Access to the data center is monitored by video cameras.

C.

ID badges must be displayed before access is granted

D.

Access to the data center is controlled by a mantrap.

Buy Now
Questions 209

Which of the following is the PRIMARY reason an IS auditor should discuss observations with management before delivering a final report?

Options:

A.

Validate the audit observations_

B.

Identify business risks associated with the observations.

C.

Assist the management with control enhancements.

D.

Record the proposed course of corrective action.

Buy Now
Questions 210

A business has requested an audit to determine whether information stored in an application is adequately protected. Which of the following is the MOST important action before the audit work begins?

Options:

A.

Review remediation reports

B.

Establish control objectives.

C.

Assess the threat landscape.

D.

Perform penetration testing.

Buy Now
Questions 211

An IS auditor found that a company executive is encouraging employee use of social networking sites for business purposes. Which of the following recommendations would BEST help to reduce the risk of data leakage?

Options:

A.

Requiring policy acknowledgment and nondisclosure agreements signed by employees

B.

Providing education and guidelines to employees on use of social networking sites

C.

Establishing strong access controls on confidential data

D.

Monitoring employees' social networking usage

Buy Now
Questions 212

An IS audit reveals an IT application is experiencing poor performance including data inconsistency and integrity issues. What is the MOST likely cause?

Options:

A.

Database clustering

B.

Data caching

C.

Reindexing of the database table

D.

Load balancing

Buy Now
Questions 213

Which of the following would be the GREATEST concern to an IS auditor when reviewing the outsourcing contract for an organization's cloud service provider?

Options:

A.

There is no change management process defined in the contract.

B.

There are no procedures for incident escalation.

C.

There is no dispute resolution process defined in the contract.

D.

There is no right-to-audit clause defined in the contract.

Buy Now
Questions 214

In which of the following sampling methods is the entire sample considered to be irregular if a single error is found?

Options:

A.

Discovery sampling

B.

Variable sampling

C.

Stop-or-go sampling

D.

Judgmental sampling

Buy Now
Questions 215

Which of the following would provide the MOST important input during the planning phase for an audit on the implementation of a bring your own device (BYOD) program?

Options:

A.

Findings from prior audits

B.

Results of a risk assessment

C.

An inventory of personal devices to be connected to the corporate network

D.

Policies including BYOD acceptable user statements

Buy Now
Questions 216

Which of the following is MOST important to verify when determining the completeness of the vulnerability scanning process?

Options:

A.

The organization's systems inventory is kept up to date.

B.

Vulnerability scanning results are reported to the CISO.

C.

The organization is using a cloud-hosted scanning tool for Identification of vulnerabilities

D.

Access to the vulnerability scanning tool is periodically reviewed

Buy Now
Questions 217

Which of the following is the BEST reason for an organization to use clustering?

Options:

A.

To decrease system response time

B.

To Improve the recovery lime objective (RTO)

C.

To facilitate faster backups

D.

To improve system resiliency

Buy Now
Questions 218

An organization is planning an acquisition and has engaged an IS auditor lo evaluate the IT governance framework of the target company. Which of the following would be MOST helpful In determining the effectiveness of the framework?

Options:

A.

Sell-assessment reports of IT capability and maturity

B.

IT performance benchmarking reports with competitors

C.

Recent third-party IS audit reports

D.

Current and previous internal IS audit reports

Buy Now
Questions 219

During an exit interview, senior management disagrees with some of me facts presented m the draft audit report and wants them removed from the report. Which of the following would be the auditor's BEST course of action?

Options:

A.

Revise the assessment based on senior management's objections.

B.

Escalate the issue to audit management.

C.

Finalize the draft audit report without changes.

D.

Gather evidence to analyze senior management's objections

Buy Now
Questions 220

Which of the following should an IS auditor consider FIRST when evaluating firewall rules?

Options:

A.

The organization's security policy

B.

The number of remote nodes

C.

The firewalls' default settings

D.

The physical location of the firewalls

Buy Now
Questions 221

Which of the following is MOST helpful for measuring benefits realization for a new system?

Options:

A.

Function point analysis

B.

Balanced scorecard review

C.

Post-implementation review

D.

Business impact analysis (BIA)

Buy Now
Questions 222

An IS auditor is conducting a review of a data center. Which of the following observations could indicate an access control Issue?

Options:

A.

Security cameras deployed outside main entrance

B.

Antistatic mats deployed at the computer room entrance

C.

Muddy footprints directly inside the emergency exit

D.

Fencing around facility is two meters high

Buy Now
Questions 223

An IS audit learn is evaluating the documentation related to the most recent application user-access review performed by IT and business management It is determined that the user list was not system-generated. Which of the following should be the GREATEST concern?

Options:

A.

Availability of the user list reviewed

B.

Confidentiality of the user list reviewed

C.

Source of the user list reviewed

D.

Completeness of the user list reviewed

Buy Now
Questions 224

Which of the following activities provides an IS auditor with the MOST insight regarding potential single person dependencies that might exist within the organization?

Options:

A.

Reviewing vacation patterns

B.

Reviewing user activity logs

C.

Interviewing senior IT management

D.

Mapping IT processes to roles

Buy Now
Questions 225

What is the MAIN reason to use incremental backups?

Options:

A.

To improve key availability metrics

B.

To reduce costs associates with backups

C.

To increase backup resiliency and redundancy

D.

To minimize the backup time and resources

Buy Now
Questions 226

Which of the following occurs during the issues management process for a system development project?

Options:

A.

Contingency planning

B.

Configuration management

C.

Help desk management

D.

Impact assessment

Buy Now
Questions 227

To develop meaningful recommendations 'or findings, which of the following is MOST important 'or an IS auditor to determine and understand?

Options:

A.

Root cause

B.

Responsible party

C.

impact

D.

Criteria

Buy Now
Questions 228

During an audit of a financial application, it was determined that many terminated users' accounts were not disabled. Which of the following should be the IS auditor's NEXT step?

Options:

A.

Perform substantive testing of terminated users' access rights.

B.

Perform a review of terminated users' account activity

C.

Communicate risks to the application owner.

D.

Conclude that IT general controls ate ineffective.

Buy Now
Questions 229

Which of the following is a detective control?

Options:

A.

Programmed edit checks for data entry

B.

Backup procedures

C.

Use of pass cards to gain access to physical facilities

D.

Verification of hash totals

Buy Now
Questions 230

Which of the following would BEST demonstrate that an effective disaster recovery plan (DRP) is in place?

Options:

A.

Frequent testing of backups

B.

Annual walk-through testing

C.

Periodic risk assessment

D.

Full operational test

Buy Now
Questions 231

An organization has recently acquired and implemented intelligent-agent software for granting loans to customers. During the post-implementation review, which of the following is the MOST important procedure for the IS auditor to perform?

Options:

A.

Review system and error logs to verify transaction accuracy.

B.

Review input and output control reports to verify the accuracy of the system decisions.

C.

Review signed approvals to ensure responsibilities for decisions of the system are well defined.

D.

Review system documentation to ensure completeness.

Buy Now
Questions 232

An IT balanced scorecard is the MOST effective means of monitoring:

Options:

A.

governance of enterprise IT.

B.

control effectiveness.

C.

return on investment (ROI).

D.

change management effectiveness.

Buy Now
Questions 233

An IS auditor is examining a front-end subledger and a main ledger. Which of the following would be the GREATEST concern if there are flaws in the mapping of accounts between the two systems?

Options:

A.

Double-posting of a single journal entry

B.

Inability to support new business transactions

C.

Unauthorized alteration of account attributes

D.

Inaccuracy of financial reporting

Buy Now
Questions 234

When reviewing an organization's information security policies, an IS auditor should verify that the policies have been defined PRIMARILY on the basis of:

Options:

A.

a risk management process.

B.

an information security framework.

C.

past information security incidents.

D.

industry best practices.

Buy Now
Questions 235

A new system is being developed by a vendor for a consumer service organization. The vendor will provide its proprietary software once system development is completed Which of the following is the MOST important requirement to include In the vendor contract to ensure continuity?

Options:

A.

Continuous 24/7 support must be available.

B.

The vendor must have a documented disaster recovery plan (DRP) in place.

C.

Source code for the software must be placed in escrow.

D.

The vendor must train the organization's staff to manage the new software

Buy Now
Questions 236

In an online application, which of the following would provide the MOST information about the transaction audit trail?

Options:

A.

System/process flowchart

B.

File layouts

C.

Data architecture

D.

Source code documentation

Buy Now
Questions 237

An IS auditor finds a high-risk vulnerability in a public-facing web server used to process online customer payments. The IS auditor should FIRST

Options:

A.

document the exception in an audit report.

B.

review security incident reports.

C.

identify compensating controls.

D.

notify the audit committee.

Buy Now
Questions 238

An IS auditor performs a follow-up audit and learns the approach taken by the auditee to fix the findings differs from the agreed-upon approach confirmed during the last audit. Which of the following should be the auditor's NEXT course of action?

Options:

A.

Evaluate the appropriateness of the remedial action taken.

B.

Conduct a risk analysis incorporating the change.

C.

Report results of the follow-up to the audit committee.

D.

Inform senior management of the change in approach.

Buy Now
Questions 239

An organization recently implemented a cloud document storage solution and removed the ability for end users to save data to their local workstation hard drives. Which of the following findings should be the IS auditor's GREATEST concern?

Options:

A.

Users are not required to sign updated acceptable use agreements.

B.

Users have not been trained on the new system.

C.

The business continuity plan (BCP) was not updated.

D.

Mobile devices are not encrypted.

Buy Now
Questions 240

Which of the following should an IS auditor consider the MOST significant risk associated with a new health records system that replaces a legacy system?

Options:

A.

Staff were not involved in the procurement process, creating user resistance to the new system.

B.

Data is not converted correctly, resulting in inaccurate patient records.

C.

The deployment project experienced significant overruns, exceeding budget projections.

D.

The new system has capacity issues, leading to slow response times for users.

Buy Now
Questions 241

Which of the following findings from an IT governance review should be of GREATEST concern?

Options:

A.

The IT budget is not monitored

B.

All IT services are provided by third parties.

C.

IT value analysis has not been completed.

D.

IT supports two different operating systems.

Buy Now
Questions 242

An IS auditor concludes that an organization has a quality security policy. Which of the following is MOST important to determine next? The policy must be:

Options:

A.

well understood by all employees.

B.

based on industry standards.

C.

developed by process owners.

D.

updated frequently.

Buy Now
Questions 243

In data warehouse (DW) management, what is the BEST way to prevent data quality issues caused by changes from a source system?

Options:

A.

Configure data quality alerts to check variances between the data warehouse and the source system

B.

Require approval for changes in the extract/Transfer/load (ETL) process between the two systems

C.

Include the data warehouse in the impact analysis (or any changes m the source system

D.

Restrict access to changes in the extract/transfer/load (ETL) process between the two systems

Buy Now
Questions 244

Which of the following is the PRIMARY role of the IS auditor m an organization's information classification process?

Options:

A.

Securing information assets in accordance with the classification assigned

B.

Validating that assets are protected according to assigned classification

C.

Ensuring classification levels align with regulatory guidelines

D.

Defining classification levels for information assets within the organization

Buy Now
Questions 245

An IS auditor is analyzing a sample of accesses recorded on the system log of an application. The auditor intends to launch an intensive investigation if one exception is found Which sampling method would be appropriate?

Options:

A.

Discovery sampling

B.

Judgmental sampling

C.

Variable sampling

D.

Stratified sampling

Buy Now
Questions 246

Stress testing should ideally be earned out under a:

Options:

A.

test environment with production workloads.

B.

production environment with production workloads.

C.

production environment with test data.

D.

test environment with test data.

Buy Now
Questions 247

Which of the following BEST Indicates that an incident management process is effective?

Options:

A.

Decreased time for incident resolution

B.

Increased number of incidents reviewed by IT management

C.

Decreased number of calls lo the help desk

D.

Increased number of reported critical incidents

Buy Now
Questions 248

When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor's BEST recommendation is to place an intrusion detection system (IDS) between the firewall and:

Options:

A.

the organization's web server.

B.

the demilitarized zone (DMZ).

C.

the organization's network.

D.

the Internet

Buy Now
Questions 249

An information systems security officer's PRIMARY responsibility for business process applications is to:

Options:

A.

authorize secured emergency access

B.

approve the organization's security policy

C.

ensure access rules agree with policies

D.

create role-based rules for each business process

Buy Now
Questions 250

An IS auditor has been asked to audit the proposed acquisition of new computer hardware. The auditor’s PRIMARY concern Is that:

Options:

A.

the implementation plan meets user requirements.

B.

a full, visible audit trail will be Included.

C.

a dear business case has been established.

D.

the new hardware meets established security standards

Buy Now
Questions 251

An IS auditor notes that IT and the business have different opinions on the availability of their application servers. Which of the following should the IS auditor review FIRST in order to understand the problem?

Options:

A.

The exact definition of the service levels and their measurement

B.

The alerting and measurement process on the application servers

C.

The actual availability of the servers as part of a substantive test

D.

The regular performance-reporting documentation

Buy Now
Questions 252

Which of the following would BEST help lo support an auditor’s conclusion about the effectiveness of an implemented data classification program?

Options:

A.

Purchase of information management tools

B.

Business use cases and scenarios

C.

Access rights provisioned according to scheme

D.

Detailed data classification scheme

Buy Now
Questions 253

Which of the following BEST demonstrates that IT strategy Is aligned with organizational goals and objectives?

Options:

A.

IT strategies are communicated to all Business stakeholders

B.

Organizational strategies are communicated to the chief information officer (CIO).

C.

Business stakeholders are Involved In approving the IT strategy.

D.

The chief information officer (CIO) is involved In approving the organizational strategies

Buy Now
Questions 254

Which of the following is the GREATEST risk associated with storing customer data on a web server?

Options:

A.

Data availability

B.

Data confidentiality

C.

Data integrity

D.

Data redundancy

Buy Now
Questions 255

An organization that has suffered a cyber-attack is performing a forensic analysis of the affected users' computers. Which of the following should be of GREATEST concern for the IS auditor reviewing this process?

Options:

A.

An imaging process was used to obtain a copy of the data from each computer.

B.

The legal department has not been engaged.

C.

The chain of custody has not been documented.

D.

Audit was only involved during extraction of the Information

Buy Now
Questions 256

Which of the following is the BEST way for an organization to mitigate the risk associated with third-party application performance?

Options:

A.

Ensure the third party allocates adequate resources to meet requirements.

B.

Use analytics within the internal audit function

C.

Conduct a capacity planning exercise

D.

Utilize performance monitoring tools to verify service level agreements (SLAs)

Buy Now
Questions 257

A now regulation requires organizations to report significant security incidents to the regulator within 24 hours of identification. Which of the following is the IS auditor’s BEST recommendation to facilitate compliance with the regulation?

Options:

A.

Establish key performance indicators (KPls) for timely identification of security incidents.

B.

Engage an external security incident response expert for incident handling.

C.

Enhance the alert functionality of the intrusion detection system (IDS).

D.

Include the requirement in the incident management response plan.

Buy Now
Questions 258

When testing the adequacy of tape backup procedures, which step BEST verifies that regularly scheduled Backups are timely and run to completion?

Options:

A.

Observing the execution of a daily backup run

B.

Evaluating the backup policies and procedures

C.

Interviewing key personnel evolved In the backup process

D.

Reviewing a sample of system-generated backup logs

Buy Now
Questions 259

An IS auditor learns a server administration team regularly applies workarounds to address repeated failures of critical data processing services Which of the following would BEST enable the organization to resolve this issue?

Options:

A.

Problem management

B.

Incident management

C.

Service level management

D.

Change management

Buy Now
Questions 260

An IS auditor is reviewing a data conversion project Which of the following is the auditor's BEST recommendation prior to go-live?

Options:

A.

Review test procedures and scenarios

B.

Conduct a mock conversion test

C.

Establish a configuration baseline

D.

Automate the test scripts

Buy Now
Questions 261

Which of the following is the MOST effective method of destroying sensitive data stored on electronic media?

Options:

A.

Degaussing

B.

Random character overwrite

C.

Physical destruction

D.

Low-level formatting

Buy Now
Questions 262

Which of the following findings should be of GREATEST concern to an IS auditor assessing the risk associated with end-user computing (EUC) in an organization?

Options:

A.

Insufficient processes to track ownership of each EUC application?

B.

Insufficient processes to lest for version control

C.

Lack of awareness training for EUC users

D.

Lack of defined criteria for EUC applications

Buy Now
Questions 263

Which of the following should be of GREATEST concern for an IS auditor reviewing an organization's disaster recovery plan (DRP)?

Options:

A.

The DRP has not been formally approved by senior management.

B.

The DRP has not been distributed to end users.

C.

The DRP has not been updated since an IT infrastructure upgrade.

D.

The DRP contains recovery procedures for critical servers only.

Buy Now
Questions 264

When implementing Internet Protocol security (IPsec) architecture, the servers involved in application delivery:

Options:

A.

communicate via Transport Layer Security (TLS),

B.

block authorized users from unauthorized activities.

C.

channel access only through the public-facing firewall.

D.

channel access through authentication.

Buy Now
Questions 265

The implementation of an IT governance framework requires that the board of directors of an organization:

Options:

A.

Address technical IT issues.

B.

Be informed of all IT initiatives.

C.

Have an IT strategy committee.

D.

Approve the IT strategy.

Buy Now
Questions 266

Which of the following provides the MOST useful information regarding an organization's risk appetite and tolerance?

Options:

A.

Gap analysis

B.

Audit reports

C.

Risk profile

D.

Risk register

Buy Now
Questions 267

In an IT organization where many responsibilities are shared which of the following is the BEST control for detecting unauthorized data changes?

Options:

A.

Users are required to periodically rotate responsibilities

B.

Segregation of duties conflicts are periodically reviewed

C.

Data changes are independently reviewed by another group

D.

Data changes are logged in an outside application

Buy Now
Questions 268

An organization has replaced all of the storage devices at its primary data center with new higher-capacity units The replaced devices have been installed at the disaster recovery site to replace older units An IS auditor s PRIMARY concern would be whether

Options:

A.

the recovery site devices can handle the storage requirements

B.

hardware maintenance contract is in place for both old and new storage devices

C.

the procurement was in accordance with corporate policies and procedures

D.

the relocation plan has been communicated to all concerned parties

Buy Now
Questions 269

Which of the following is the BEST way to mitigate the impact of ransomware attacks?

Options:

A.

Invoking the disaster recovery plan (DRP)

B.

Backing up data frequently

C.

Paying the ransom

D.

Requiring password changes for administrative accounts

Buy Now
Questions 270

Which of the following security measures will reduce the risk of propagation when a cyberattack occurs?

Options:

A.

Perimeter firewall

B.

Data loss prevention (DLP) system

C.

Web application firewall

D.

Network segmentation

Buy Now
Questions 271

To reduce operational costs, IT management plans to reduce the number of servers currently used to run business applications. Which of the following is MOST helpful to review when identifying which servers are no longer required?

Options:

A.

Performance feedback from the user community

B.

Contract with the server vendor

C.

Server CPU usage trends

D.

Mean time between failure (MTBF) of each server

Buy Now
Questions 272

Which of the following is the BEST reason to implement a data retention policy?

Options:

A.

To establish a recovery point objective (RPO) for disaster recovery procedures

B.

To limit the liability associated with storing and protecting information

C.

To document business objectives for processing data within the organization

D.

To assign responsibility and ownership for data protection outside IT

Buy Now
Questions 273

Which of the following is the MOST reliable way for an IS auditor to evaluate the operational effectiveness of an organization's data loss prevention (DLP) controls?

Options:

A.

Review data classification levels based on industry best practice

B.

Verify that current DLP software is installed on all computer systems.

C.

Conduct interviews to identify possible data protection vulnerabilities.

D.

Verify that confidential files cannot be transmitted to a personal USB device.

Buy Now
Questions 274

An organization that operates an e-commerce website wants to provide continuous service to its customers and is planning to invest in a hot site due to service criticality. Which of the following is the MOST important consideration when making this decision?

Options:

A.

Maximum tolerable downtime (MTD)

B.

Recovery time objective (RTO)

C.

Recovery point objective (RPO)

D.

Mean time to repair (MTTR)

Buy Now
Questions 275

Which of the following provides the MOST protection against emerging threats?

Options:

A.

Demilitarized zone (DMZ)

B.

Heuristic intrusion detection system (IDS)

C.

Real-time updating of antivirus software

D.

Signature-based intrusion detection system (IDS)

Buy Now
Questions 276

Which of the following would be an IS auditor's GREATEST concern when reviewing the organization's business continuity plan (BCP)?

Options:

A.

The recovery plan does not contain the process and application dependencies.

B.

The duration of tabletop exercises is longer than the recovery point objective (RPO).

C.

The duration of tabletop exercises is longer than the recovery time objective (RTO).

D.

The recovery point objective (RPO) and recovery time objective (R TO) are not the same.

Buy Now
Questions 277

An IS auditor reviewing the database controls for a new e-commerce system discovers a security weakness in the database configuration. Which of the following should be the IS auditor's NEXT course of action?

Options:

A.

Identify existing mitigating controls.

B.

Disclose the findings to senior management.

C.

Assist in drafting corrective actions.

D.

Attempt to exploit the weakness.

Buy Now
Questions 278

An IS auditor is conducting a physical security audit of a healthcare facility and finds closed-circuit television (CCTV) systems located in a patient care area. Which of the following is the GREATEST concern?

Options:

A.

Cameras are not monitored 24/7.

B.

There are no notices indicating recording IS in progress.

C.

The retention period for video recordings is undefined

D.

There are no backups of the videos.

Buy Now
Questions 279

The PRIMARY role of a control self-assessment (CSA) facilitator is to:

Options:

A.

conduct interviews to gain background information.

B.

focus the team on internal controls.

C.

report on the internal control weaknesses.

D.

provide solutions for control weaknesses.

Buy Now
Questions 280

An IS auditor reviewing security incident processes realizes incidents are resolved and closed, but root causes are not investigated. Which of the following should be the MAJOR concern with this situation?

Options:

A.

Abuses by employees have not been reported.

B.

Lessons learned have not been properly documented

C.

vulnerabilities have not been properly addressed

D.

Security incident policies are out of date.

Buy Now
Questions 281

An externally facing system containing sensitive data is configured such that users have either read-only or administrator rights. Most users of the system have administrator access. Which of the following is the GREATEST risk associated with this situation?

Options:

A.

Users can export application logs.

B.

Users can view sensitive data.

C.

Users can make unauthorized changes.

D.

Users can install open-licensed software.

Buy Now
Questions 282

An audit identified that a computer system is not assigning sequential purchase order numbers to order requests. The IS auditor is conducting an audit follow-up to determine if management has reserved this finding. Which of two following is the MOST reliable follow-up procedure?

Options:

A.

Review the documentation of recant changes to implement sequential order numbering.

B.

Inquire with management if the system has been configured and tested to generate sequential order numbers.

C.

Inspect the system settings and transaction logs to determine if sequential order numbers are generated.

D.

Examine a sample of system generated purchase orders obtained from management

Buy Now
Questions 283

During the audit of an enterprise resource planning (ERP) system, an IS auditor found an applicationpatch was applied to the production environment. It is MOST

important for the IS auditor to verify approval from the:

Options:

A.

information security officer.

B.

system administrator.

C.

information asset owner.

D.

project manager.

Buy Now
Questions 284

Which of the following poses the GREATEST potential concern for an organization that decides to consolidate mission-critical applications on a large server as part of IT capacity management?

Options:

A.

More applications may be negatively affected by outages on the server.

B.

Continuous monitoring efforts for server capacity may be costly.

C.

Network bandwidth may be degraded during peak hours.

D.

Accurate server capacity forecasting may be more difficult.

Buy Now
Questions 285

Which of the following is the PRIMARY purpose of conducting a control self-assessment (CSA)?

Options:

A.

To replace audit responsibilities

B.

To reduce control costs

C.

To promote control ownership

D.

To enable early detection of risks

Buy Now
Questions 286

Which of the following security measures is MOST important for protecting Internet of Things (IoT) devices from potential cyberattacks?

Options:

A.

Logging and monitoring network traffic

B.

Confirming firmware compliance to current security requirements

C.

Changing default passwords

D.

Reviewing and updating the network diagram on a regular basis

Buy Now
Questions 287

An IS auditor is conducting an IT governance audit and notices many initiatives are managed informally by isolated project managers. Which of the following recommendations would have the GREATEST impact on improving the maturity of the IT team?

Options:

A.

Schedule a follow-up audit in the next year to confirm whether IT processes have matured.

B.

Create an interdisciplinary IT steering committee to oversee IT prioritization and spending.

C.

Document and track all IT decisions in a project management tool.

D.

Discontinue all current IT projects until formal approval is obtained and documented.

Buy Now
Questions 288

What type of control has been implemented when secure code reviews are conducted as part of a deployment program?

Options:

A.

Monitoring

B.

Deterrent

C.

Detective

D.

Corrective

Buy Now
Questions 289

Which of the following should be of GREATEST concern to an IS auditor assessing an organization's patch management program?

Options:

A.

Patches are deployed from multiple deployment servers.

B.

There is no process in place to scan the network to identify missing patches.

C.

Patches for medium- and low-risk vulnerabilities are omitted.

D.

There is no process in place to quarantine servers that have not been patched.

Buy Now
Questions 290

During the course of fieldwork, an internal IS auditor observes a critical vulnerability within a newly deployed application. What is the auditor's BEST course of action?

Options:

A.

Document the finding in the report.

B.

Identify other potential vulnerabilities.

C.

Notify IT management.

D.

Report the finding to the external auditors.

Buy Now
Questions 291

Which of the following controls is the BEST recommendation to prevent the skimming of debit or credit card data in point of sale (POS) systems?

Options:

A.

Encryption

B.

Chip and PIN

C.

Hashing

D.

Biometric authentication

Buy Now
Questions 292

If a recent release of a program has to be backed out of production, the corresponding changes within the delta version of the code should be:

Options:

A.

filed in production for future reference in researching the problem.

B.

applied to the source code that reflects the version in production.

C.

eliminated from the source code that reflects the version in production.

D.

reinstalled when replacing the version back into production.

Buy Now
Questions 293

Which of the following is MOST helpful for evaluating benefits realized by IT projects?

Options:

A.

Benchmarking IT project management practices with industry peers

B.

Evaluating compliance with key security controls

C.

Comparing planned versus actual return on investment (ROI)

D.

Reviewing system development life cycle (SDLC) processes

Buy Now
Questions 294

Which of the following is the MOST important reason for an IS auditor to examine the results of a post-incident review performed after a security incident?

Options:

A.

To evaluate the effectiveness of continuous improvement efforts

B.

To compare incident response metrics with industry benchmarks

C.

To re-analyze the incident to identify any hidden backdoors planted by the attacker

D.

To evaluate the effectiveness of the network firewall against future security breaches

Buy Now
Questions 295

Which of the following is the PRIMARY benefit of a tabletop exercise for an incident response plan?

Options:

A.

It demonstrates the maturity of the incident response program.

B.

It reduces the likelihood of an incident occurring.

C.

It identifies deficiencies in the operating environment.

D.

It increases confidence in the team's response readiness.

Buy Now
Questions 296

Following the sale of a business division, employees will be transferred to a new organization, but they will retain access to IT equipment from the previous employer. An IS auditor has recommended that both organizations agree to and document an acceptable use policy for the equipment. What type of control has been recommended?

Options:

A.

Detective control

B.

Preventive control

C.

Directive control

D.

Corrective control

Buy Now
Questions 297

Which of the following is the MAIN risk associated with adding a new system functionality during the development phase without following a project change

management process?

Options:

A.

The added functionality has not been documented.

B.

The new functionality may not meet requirements.

C.

The project may fail to meet the established deadline.

D.

The project may go over budget.

Buy Now
Questions 298

Which of the following would be an auditor's GREATEST concern when reviewing data inputs from spreadsheets into the core finance system?

Options:

A.

Undocumented code formats data and transmits directly to the database.

B.

There is not a complete inventory of spreadsheets, and file naming is inconsistent.

C.

The department data protection policy has not been reviewed or updated for two years.

D.

Spreadsheets are accessible by all members of the finance department.

Buy Now
Questions 299

Which of the following is MOST critical to the success of an information security program?

Options:

A.

User accountability for information security

B.

Management's commitment to information security

C.

Integration of business and information security

D.

Alignment of information security with IT objectives

Buy Now
Questions 300

When reviewing an IT strategic plan, the GREATEST concern would be that

Options:

A.

an IT strategy committee has not been created

B.

the plan does not support relevant organizational goals.

C.

there are no key performance indicators (KPls).

D.

the plan was not formally approved by the board of directors

Buy Now
Questions 301

Which of the following is MOST useful when planning to audit an organization's compliance with cybersecurity regulations in foreign countries?

Options:

A.

Prioritize the audit to focus on the country presenting the greatest amount of operational risk.

B.

Follow the cybersecurity regulations of the country with the most stringent requirements.

C.

Develop a template that standardizes the reporting of findings from each country's audit team

D.

Map the different regulatory requirements to the organization's IT governance framework

Buy Now
Questions 302

Which of the following is the BEST method to maintain an audit trail of changes made to the source code of a program?

Options:

A.

Embed details within source code.

B.

Standardize file naming conventions.

C.

Utilize automated version control.

D.

Document details on a change register.

Buy Now
Questions 303

Which of the following provides a new IS auditor with the MOST useful information to evaluate overall IT performance?

Options:

A.

IT value analysis

B.

Prior audit reports

C.

IT balanced scorecard

D.

Vulnerability assessment report

Buy Now
Questions 304

An IS auditor evaluating the change management process must select a sample from the change log. What is the BEST way to the auditor to confirm the change log is complete?

Options:

A.

Interview change management personnel about completeness.

B.

Take an item from the log and trace it back to the system.

C.

Obtain management attestation of completeness.

D.

Take the last change from the system and trace it back to the log.

Buy Now
Questions 305

When assessing whether an organization's IT performance measures are comparable to other organizations in the same industry, which of the following would be MOST helpful to review?

Options:

A.

IT governance frameworks

B.

Benchmarking surveys

C.

Utilization reports

D.

Balanced scorecard

Buy Now
Questions 306

Which of the following provides the BEST audit evidence that a firewall is configured in compliance with the organization's security policy?

Options:

A.

Analyzing how the configuration changes are performed

B.

Analyzing log files

C.

Reviewing the rule base

D.

Performing penetration testing

Buy Now
Questions 307

During an audit which of the following would be MOST helpful in establishing a baseline for measuring data quality?

Options:

A.

Input from customers

B.

Industry standard business definitions

C.

Validation of rules by the business

D.

Built-in data error prevention application controls

Buy Now
Questions 308

A CFO has requested an audit of IT capacity management due to a series of finance system slowdowns during month-end reporting. What would be MOST important to consider before including this audit in the program?

Options:

A.

Whether system delays result in more frequent use of manual processing

B.

Whether the system's performance poses a significant risk to the organization

C.

Whether stakeholders are committed to assisting with the audit

D.

Whether internal auditors have the required skills to perform the audit

Buy Now
Questions 309

When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor's BEST recommendation is to place an intrusion detection system (IDS) between the firewall and:

Options:

A.

the Internet.

B.

the demilitarized zone (DMZ).

C.

the organization's web server.

D.

the organization's network.

Buy Now
Questions 310

Which of the following is the MOST appropriate control to ensure integrity of online orders?

Options:

A.

Data Encryption Standard (DES)

B.

Digital signature

C.

Public key encryption

D.

Multi-factor authentication

Buy Now
Questions 311

When auditing an organization's software acquisition process the BEST way for an IS auditor to understand the software benefits to the organization would be to review the

Options:

A.

feasibility study

B.

business case

C.

request for proposal (RFP)

D.

alignment with IT strategy

Buy Now
Questions 312

Which of the following is MOST important for an IS auditor to review when determining whether IT investments are providing value to tie business?

Options:

A.

Return on investment (ROI)

B.

Business strategy

C.

Business cases

D.

Total cost of ownership (TCO)

Buy Now
Questions 313

Which of the following is the BEST way to verify the effectiveness of a data restoration process?

Options:

A.

Performing periodic reviews of physical access to backup media

B.

Performing periodic complete data restorations

C.

Validating off ne backups using software utilities

D.

Reviewing and updating data restoration policies annually

Buy Now
Questions 314

A financial group recently implemented new technologies and processes, Which type of IS audit would provide the GREATEST level of assurance that the department's objectives have been met?

Options:

A.

Performance audit

B.

Integrated audit

C.

Cyber audit

D.

Financial audit

Buy Now
Questions 315

Which of the following is MOST effective for controlling visitor access to a data center?

Options:

A.

Visitors are escorted by an authorized employee

B.

Pre-approval of entry requests

C.

Visitors sign in at the front desk upon arrival

D.

Closed-circuit television (CCTV) is used to monitor the facilities

Buy Now
Questions 316

Following a breach, what is the BEST source to determine the maximum amount of time before customers must be notified that their personal information may have been compromised?

Options:

A.

Industry regulations

B.

Industry standards

C.

Incident response plan

D.

Information security policy

Buy Now
Questions 317

Which of the following would be an appropriate rote of internal audit in helping to establish an organization's privacy program?

Options:

A.

Analyzing risks posed by new regulations

B.

Designing controls to protect personal data

C.

Defining roles within the organization related to privacy

D.

Developing procedures to monitor the use of personal data

Buy Now
Questions 318

A manager Identifies active privileged accounts belonging to staff who have left the organization. Which of the following is the threat actor In this scenario?

Options:

A.

Terminated staff

B.

Unauthorized access

C.

Deleted log data

D.

Hacktivists

Buy Now
Questions 319

An organization was recently notified by its regulatory body of significant discrepancies in its reporting data. A preliminary investigation revealed that the discrepancies were caused by problems with the organization's data quality Management has directed the data quality team to enhance their program. The audit committee has asked internal audit to be advisors to the process. To ensure that management concerns are addressed, which data set should internal audit recommend be reviewed FIRST?

Options:

A.

Data with customer personal information

B.

Data reported to the regulatory body

C.

Data supporting financial statements

D.

Data impacting business objectives

Buy Now
Questions 320

An IS auditor learns the organization has experienced several server failures in its distributed environment. Which of the following is the BEST recommendation to limit the potential impact of server failures in the future?

Options:

A.

Redundant pathways

B.

Clustering

C.

Failover power

D.

Parallel testing

Buy Now
Questions 321

Which of the following should an IS auditor review FIRST when planning a customer data privacy audit?

Options:

A.

Legal and compliance requirements

B.

Customer agreements

C.

Data classification

D.

Organizational policies and procedures

Buy Now
Questions 322

An IS auditor Is reviewing a recent security incident and is seeking information about me approval of a recent modification to a database system's security settings Where would the auditor MOST likely find this information?

Options:

A.

System event correlation report

B.

Database log

C.

Change log

D.

Security incident and event management (SIEM) report

Buy Now
Questions 323

Which of the following BEST enables the timely identification of risk exposure?

Options:

A.

External audit review

B.

Internal audit review

C.

Control self-assessment (CSA)

D.

Stress testing

Buy Now
Questions 324

Which of the following is the BEST indicator of the effectiveness of an organization's incident response program?

Options:

A.

Number of successful penetration tests

B.

Percentage of protected business applications

C.

Financial impact per security event

D.

Number of security vulnerability patches

Buy Now
Questions 325

An internal audit department recently established a quality assurance (QA) program. Which of the following activities Is MOST important to include as part of the QA program requirements?

Options:

A.

Long-term Internal audit resource planning

B.

Ongoing monitoring of the audit activities

C.

Analysis of user satisfaction reports from business lines

D.

Feedback from Internal audit staff

Buy Now
Questions 326

UESTION NO: 210

An accounting department uses a spreadsheet to calculate sensitive financial transactions. Which of the following is the MOST important control for maintaining the security of data in the spreadsheet?

Options:

A.

There Is a reconciliation process between the spreadsheet and the finance system

B.

A separate copy of the spreadsheet is routinely backed up

C.

The spreadsheet is locked down to avoid inadvertent changes

D.

Access to the spreadsheet is given only to those who require access

Buy Now
Questions 327

Which of the following environments is BEST used for copying data and transformation into a compatible data warehouse format?

Options:

A.

Testing

B.

Replication

C.

Staging

D.

Development

Buy Now
Questions 328

A new regulation in one country of a global organization has recently prohibited cross-border transfer of personal data. An IS auditor has been asked to determine the organization's level of exposure In the affected country. Which of the following would be MOST helpful in making this assessment?

Options:

A.

Developing an inventory of all business entities that exchange personal data with the affected jurisdiction

B.

Identifying data security threats in the affected jurisdiction

C.

Reviewing data classification procedures associated with the affected jurisdiction

D.

Identifying business processes associated with personal data exchange with the affected jurisdiction

Buy Now
Questions 329

Which of the following is MOST important to consider when scheduling follow-up audits?

Options:

A.

The efforts required for independent verification with new auditors

B.

The impact if corrective actions are not taken

C.

The amount of time the auditee has agreed to spend with auditors

D.

Controls and detection risks related to the observations

Buy Now
Questions 330

Which of the following should be an IS auditor's GREATEST concern when an international organization intends to roll out a global data privacy policy?

Options:

A.

Requirements may become unreasonable.

B.

The policy may conflict with existing application requirements.

C.

Local regulations may contradict the policy.

D.

Local management may not accept the policy.

Buy Now
Questions 331

An organization has developed mature risk management practices that are followed across all departments What is the MOST effective way for the audit team to leverage this risk management maturity?

Options:

A.

Implementing risk responses on management's behalf

B.

Integrating the risk register for audit planning purposes

C.

Providing assurances to management regarding risk

D.

Facilitating audit risk identification and evaluation workshops

Buy Now
Questions 332

The due date of an audit project is approaching, and the audit manager has determined that only 60% of the audit has been completed. Which of the following should the audit manager do FIRST?

Options:

A.

Determine where delays have occurred

B.

Assign additional resources to supplement the audit

C.

Escalate to the audit committee

D.

Extend the audit deadline

Buy Now
Questions 333

After the merger of two organizations, which of the following is the MOST important task for an IS auditor to perform?

Options:

A.

Verifying that access privileges have been reviewed

B.

investigating access rights for expiration dates

C.

Updating the continuity plan for critical resources

D.

Updating the security policy

Buy Now
Questions 334

An organization has recently implemented a Voice-over IP (VoIP) communication system. Which ot the following should be the IS auditor's PRIMARY concern?

Options:

A.

A single point of failure for both voice and data communications

B.

Inability to use virtual private networks (VPNs) for internal traffic

C.

Lack of integration of voice and data communications

D.

Voice quality degradation due to packet toss

Buy Now
Questions 335

Which of the following is the GREATEST risk of using a reciprocal site for disaster recovery?

Options:

A.

Inability to utilize the site when required

B.

Inability to test the recovery plans onsite

C.

Equipment compatibility issues at the site

D.

Mismatched organizational security policies

Buy Now
Questions 336

A review of an organization’s IT portfolio revealed several applications that are not in use. The BEST way to prevent this situation from recurring would be to implement.

Options:

A.

A formal request for proposal (RFP) process

B.

Business case development procedures

C.

An information asset acquisition policy

D.

Asset life cycle management.

Buy Now
Questions 337

Which of the following is necessary for effective risk management in IT governance?

Options:

A.

Local managers are solely responsible for risk evaluation.

B.

IT risk management is separate from corporate risk management.

C.

Risk management strategy is approved by the audit committee.

D.

Risk evaluation is embedded in management processes.

Buy Now
Questions 338

Which of the following would MOST effectively help to reduce the number of repealed incidents in an organization?

Options:

A.

Testing incident response plans with a wide range of scenarios

B.

Prioritizing incidents after impact assessment.

C.

Linking incidents to problem management activities

D.

Training incident management teams on current incident trends

Buy Now
Questions 339

Which of the following is MOST important to ensure that electronic evidence collected during a forensic investigation will be admissible in future legal proceedings?

Options:

A.

Restricting evidence access to professionally certified forensic investigators

B.

Documenting evidence handling by personnel throughout the forensic investigation

C.

Performing investigative procedures on the original hard drives rather than images of the hard drives

D.

Engaging an independent third party to perform the forensic investigation

Buy Now
Questions 340

Management receives information indicating a high level of risk associated with potential flooding near the organization's data center within the next few years. As a result, a decision has been made to move data center operations to another facility on higher ground. Which approach has been adopted?

Options:

A.

Risk avoidance

B.

Risk transfer

C.

Risk acceptance

D.

Risk reduction

Buy Now
Questions 341

A firewall between internal network segments improves security and reduces risk by:

Options:

A.

Jogging all packets passing through network segments

B.

inspecting all traffic flowing between network segments and applying security policies

C.

monitoring and reporting on sessions between network participants

D.

ensuring all connecting systems have appropriate security controls enabled.

Buy Now
Questions 342

Which of the following is the BEST source of information tor an IS auditor to use when determining whether an organization's information security policy is adequate?

Options:

A.

Information security program plans

B.

Penetration test results

C.

Risk assessment results

D.

Industry benchmarks

Buy Now
Questions 343

Which of the following represents the HIGHEST level of maturity of an information security program?

Options:

A.

A training program is in place to promote information security awareness.

B.

A framework is in place to measure risks and track effectiveness.

C.

Information security policies and procedures are established.

D.

The program meets regulatory and compliance requirements.

Buy Now
Questions 344

Which of the following activities would allow an IS auditor to maintain independence while facilitating a control sell-assessment (CSA)?

Options:

A.

Implementing the remediation plan

B.

Partially completing the CSA

C.

Developing the remediation plan

D.

Developing the CSA questionnaire

Buy Now
Questions 345

An IS auditor is reviewing an organization's primary router access control list. Which of the following should result in a finding?

Options:

A.

There are conflicting permit and deny rules for the IT group.

B.

The network security group can change network address translation (NAT).

C.

Individual permissions are overriding group permissions.

D.

There is only one rule per group with access privileges.

Buy Now
Questions 346

An organization's software developers need access to personally identifiable information (Pll) stored in a particular data format. Which of the following is the BEST way to protect this sensitive information while allowing the developers to use it in development and test environments?

Options:

A.

Data masking

B.

Data tokenization

C.

Data encryption

D.

Data abstraction

Buy Now
Questions 347

Which of the following is the BEST way to determine whether a test of a disaster recovery plan (DRP) was successful?

Options:

A.

Analyze whether predetermined test objectives were met.

B.

Perform testing at the backup data center.

C.

Evaluate participation by key personnel.

D.

Test offsite backup files.

Buy Now
Questions 348

An IS auditor has been asked to assess the security of a recently migrated database system that contains personal and financial data for a bank's customers. Which of the following controls is MOST important for the auditor to confirm is in place?

Options:

A.

The default configurations have been changed.

B.

All tables in the database are normalized.

C.

The service port used by the database server has been changed.

D.

The default administration account is used after changing the account password.

Buy Now
Questions 349

An IS auditor discovers an option in a database that allows the administrator to directly modify any table. This option is necessary to overcome bugs in the software, but is rarely used. Changes to tables are automatically logged. The IS auditor's FIRST action should be to:

Options:

A.

recommend that the option to directly modify the database be removed immediately.

B.

recommend that the system require two persons to be involved in modifying the database.

C.

determine whether the log of changes to the tables is backed up.

D.

determine whether the audit trail is secured and reviewed.

Buy Now
Questions 350

Which of the following provides the MOST reliable audit evidence on the validity of transactions in a financial application?

Options:

A.

Walk-through reviews

B.

Substantive testing

C.

Compliance testing

D.

Design documentation reviews

Buy Now
Questions 351

When auditing the security architecture of an online application, an IS auditor should FIRST review the:

Options:

A.

firewall standards.

B.

configuration of the firewall

C.

firmware version of the firewall

D.

location of the firewall within the network

Buy Now
Questions 352

Which of the following is the BEST compensating control when segregation of duties is lacking in a small IS department?

Options:

A.

Background checks

B.

User awareness training

C.

Transaction log review

D.

Mandatory holidays

Buy Now
Questions 353

Which of the following is the MOST effective way to maintain network integrity when using mobile devices?

Options:

A.

Implement network access control.

B.

Implement outbound firewall rules.

C.

Perform network reviews.

D.

Review access control lists.

Buy Now
Questions 354

Coding standards provide which of the following?

Options:

A.

Program documentation

B.

Access control tables

C.

Data flow diagrams

D.

Field naming conventions

Buy Now
Questions 355

An IS auditor found that a company executive is encouraging employee use of social networking sites for business purposes. Which of the following recommendations would BEST help to reduce the risk of data leakage?

Options:

A.

Requiring policy acknowledgment and nondisclosure agreements (NDAs) signed by employees

B.

Establishing strong access controls on confidential data

C.

Providing education and guidelines to employees on use of social networking sites

D.

Monitoring employees' social networking usage

Buy Now
Questions 356

Cross-site scripting (XSS) attacks are BEST prevented through:

Options:

A.

application firewall policy settings.

B.

a three-tier web architecture.

C.

secure coding practices.

D.

use of common industry frameworks.

Buy Now
Questions 357

Which of the following will be the MOST effective method to verify that a service vendor keeps control levels as required by the client?

Options:

A.

Conduct periodic on-site assessments using agreed-upon criteria.

B.

Periodically review the service level agreement (SLA) with the vendor.

C.

Conduct an unannounced vulnerability assessment of vendor's IT systems.

D.

Obtain evidence of the vendor's control self-assessment (CSA).

Buy Now
Questions 358

During an ongoing audit, management requests a briefing on the findings to date. Which of the following is the IS auditor's BEST course of action?

Options:

A.

Review working papers with the auditee.

B.

Request the auditee provide management responses.

C.

Request management wait until a final report is ready for discussion.

D.

Present observations for discussion only.

Buy Now
Questions 359

What is the BEST control to address SQL injection vulnerabilities?

Options:

A.

Unicode translation

B.

Secure Sockets Layer (SSL) encryption

C.

Input validation

D.

Digital signatures

Buy Now
Questions 360

Which of the following is MOST important to ensure when planning a black box penetration test?

Options:

A.

The management of the client organization is aware of the testing.

B.

The test results will be documented and communicated to management.

C.

The environment and penetration test scope have been determined.

D.

Diagrams of the organization's network architecture are available.

Buy Now
Questions 361

Which of the following is the BEST justification for deferring remediation testing until the next audit?

Options:

A.

The auditor who conducted the audit and agreed with the timeline has left the organization.

B.

Management's planned actions are sufficient given the relative importance of the observations.

C.

Auditee management has accepted all observations reported by the auditor.

D.

The audit environment has changed significantly.

Buy Now
Questions 362

Which of the following demonstrates the use of data analytics for a loan origination process?

Options:

A.

Evaluating whether loan records are included in the batch file and are validated by the servicing system

B.

Comparing a population of loans input in the origination system to loans booked on the servicing system

C.

Validating whether reconciliations between the two systems are performed and discrepancies are investigated

D.

Reviewing error handling controls to notify appropriate personnel in the event of a transmission failure

Buy Now
Questions 363

During the implementation of an upgraded enterprise resource planning (ERP) system, which of the following is the MOST important consideration for a go-live decision?

Options:

A.

Rollback strategy

B.

Test cases

C.

Post-implementation review objectives

D.

Business case

Buy Now
Questions 364

Prior to a follow-up engagement, an IS auditor learns that management has decided to accept a level of residual risk related to an audit finding without remediation. The IS auditor is concerned about management's decision. Which of the following should be the IS auditor's NEXT course of action?

Options:

A.

Accept management's decision and continue the follow-up.

B.

Report the issue to IS audit management.

C.

Report the disagreement to the board.

D.

Present the issue to executive management.

Buy Now
Questions 365

Which audit approach is MOST helpful in optimizing the use of IS audit resources?

Options:

A.

Agile auditing

B.

Continuous auditing

C.

Outsourced auditing

D.

Risk-based auditing

Buy Now
Questions 366

An organizations audit charier PRIMARILY:

Options:

A.

describes the auditors' authority to conduct audits.

B.

defines the auditors' code of conduct.

C.

formally records the annual and quarterly audit plans.

D.

documents the audit process and reporting standards.

Buy Now
Questions 367

Documentation of workaround processes to keep a business function operational during recovery of IT systems is a core part of a:

Options:

A.

business impact analysis (BIA).

B.

threat and risk assessment.

C.

business continuity plan (BCP).

D.

disaster recovery plan (DRP).

Buy Now
Questions 368

In an area susceptible to unexpected increases in electrical power, which of the following would MOST effectively protect the system?

Options:

A.

Generator

B.

Voltage regulator

C.

Circuit breaker

D.

Alternate power supply line

Buy Now
Questions 369

During an IS audit of a data center, it was found that programmers are allowed to make emergency fixes to operational programs. Which of the following should be the IS auditor's PRIMARY recommendation?

Options:

A.

Programmers should be allowed to implement emergency fixes only after obtaining verbal agreement from the application owner.

B.

Emergency program changes should be subject to program migration and testing procedures before they are applied to operational systems.

C.

Bypass user ID procedures should be put in place to ensure that the changes are subject to after-the-event approval and testing.

Buy Now
Questions 370

Which of the following criteria is MOST important for the successful delivery of benefits from an IT project?

Options:

A.

Assessing the impact of changes to individuals and business units within the organization

B.

Involving key stakeholders during the development and execution phases of the project

C.

Ensuring that IT project managers have sign-off authority on the business case

D.

Quantifying the size of the software development effort required by the project

Buy Now
Questions 371

In a public key cryptographic system, which of the following is the PRIMARY requirement to address the risk of man-in-the-middle attacks through spoofing?

Options:

A.

Strong encryption algorithms

B.

Kerberos authentication

C.

Registration authority

D.

Certificate authority (CA)

Buy Now
Questions 372

The PRIMARY reason to perform internal quality assurance (QA) for an internal audit function is to ensure:

Options:

A.

Internal audit activity conforms with audit standards and methodology.

B.

The audit function is adequately governed and meets performance metrics.

C.

Inherent risk in audits is minimized.

D.

Audit resources are used most effectively.

Buy Now
Questions 373

An organization is implementing a data loss prevention (DLP) system in response to a new regulatory requirement Reviewing. which of the following would be MOST helpful in evaluating the system's design?

Options:

A.

System manuals

B.

Enterprise architecture (EA)

C.

Historical record of data breaches

D.

Industry trends

Buy Now
Questions 374

What should be the PRIMARY focus during a review of a business process improvement project?

Options:

A.

Business project plan

B.

Continuous monitoring plans

C.

The cost of new controls

D.

Business impact

Buy Now
Questions 375

Which of the following is the MOST efficient way to identify fraudulent activity on a set of transactions?

Options:

A.

Control self-assessments (CSAs)

B.

Interviews with control owners

C.

Regression analysis

D.

Benford’s law analysis

Buy Now
Questions 376

Which of the following is an organization's BEST defense against malware?

Options:

A.

Documented security procedures

B.

Intrusion prevention system (IPS)

C.

Security awareness training

D.

Intrusion detection system (IDS)

Buy Now
Questions 377

Which of the following protocols should be used when transferring data via the internet?

Options:

A.

User Datagram Protocol (UDP)

B.

Hypertext Transfer Protocol (HTTP)

C.

Secure File Transfer Protocol (SFTP)

D.

Remote Desktop Protocol (RDP)

Buy Now
Questions 378

An organization recently migrated Us data warehouse from a legacy system to a different architecture in the cloud. Which of the following should be of GREATEST concern to the IS auditor reviewing the new data architecture?

Options:

A.

The data was not cleansed before moving to the cloud data warehouse.

B.

The cloud data warehouse uses a hybrid cloud architecture.

C.

The migration analyst is not fully trained on the new tools.

D.

The data is stored in a multi-tenant environment.

Buy Now
Questions 379

Who should be the FIRST to evaluate an audit report prior to issuing it to the project steering committee?

Options:

A.

IS audit manager

B.

Audit committee

C.

Business owner

D.

Project sponsor

Buy Now
Questions 380

If concurrent update transactions to an account are not processed properly, which of the following will be affected?

Options:

A.

Confidentiality

B.

Integrity

C.

Accountability

D.

Availability

Buy Now
Questions 381

Which of the following BEST ensures that effective change management is in place in an IS environment?

Options:

A.

User authorization procedures for application access are well established.

B.

User-prepared detailed test criteria for acceptance testing of the software.

C.

Adequate testing was carried out by the development team.

D.

Access to production source and object programs is well controlled.

Buy Now
Questions 382

Which of the following BEST enables an IS auditor to confirm the batch processing to post transactions from an input source is successful?

Options:

A.

Error log review

B.

Total number of items

C.

Hash totals

D.

Aggregate monetary amount

Buy Now
Questions 383

Management has requested a post-implementation review of a newly implemented purchasing package to determine the extent that business requirements are being met. Which of the following

is MOST likely to be assessed?

Options:

A.

Acceptance testing results

B.

Results of live processing

C.

Implementation methodology

D.

Purchasing guidelines and policies

Buy Now
Questions 384

Which of the following would be MOST useful to an IS auditor when making recommendations to enable continual improvement of IT processes over time?

Options:

A.

Benchmarking studies

B.

Maturity model

C.

IT risk register

D.

IT incident log

Buy Now
Questions 385

Which of the following is the BEST way to determine the adequacy of controls for detecting inappropriate network activity in an organization?

Options:

A.

Reviewing SIEM reports of suspicious events in a timely manner

B.

Reviewing business application logs on a regular basis

C.

Troubleshooting connectivity issues routinely

D.

Installing a packet filtering firewall to block malicious traffic

Buy Now
Questions 386

Which of the following is the PRIMARY benefit of effective implementation of appropriate data classification?

Options:

A.

Ability to meet business requirements

B.

Assurance that sensitive data is encrypted

C.

Increased accuracy of sensitive data

D.

Management of business risk to sensitive data

Buy Now
Questions 387

An IS auditor is evaluating the log management system for an organization with devices and systems in multiple geographic locations. Which of the following is MOST important for the auditor to verify?

Options:

A.

Log files are reviewed in multiple locations.

B.

Log files are concurrently updated.

C.

Log files are encrypted and digitally signed.

D.

Log files of the servers are synchronized.

Buy Now
Questions 388

Of the following who should be responsible for cataloging and inventorying robotic process automation (RPA) processes?

Options:

A.

IT personnel

B.

Business owner

C.

Information security personnel

D.

Data steward

Buy Now
Questions 389

A startup organization wants to develop a data loss prevention (DLP) program. The FIRST step should be to implement:

Options:

A.

Security awareness training

B.

Data encryption

C.

Data classification

D.

Access controls

Buy Now
Questions 390

An IS auditor is reviewing an organizations release management practices and observes inconsistent and inaccurate estimation of the size and complexity of business application development projects. Which of the following should the auditor recommend to address this issue?

Options:

A.

Critical path methodology

B.

Agile development approach

C.

Function point analysis

D.

Rapid application development

Buy Now
Questions 391

Which of the following findings would be of GREATEST concern when auditing an organization's end-user computing (EUC)?

Options:

A.

Errors flowed through to financial statements

B.

Reduced oversight by the IT department

C.

Inconsistency of patching processes being followed

D.

Inability to monitor EUC audit logs and activities

Buy Now
Questions 392

Which of the following is the BEST way to prevent social engineering incidents?

Options:

A.

Ensure user workstations are running the most recent version of antivirus software.

B.

Maintain an onboarding and annual security awareness program.

C.

Include security responsibilities in job descriptions and require signed acknowledgment.

D.

Enforce strict email security gateway controls.

Buy Now
Questions 393

Which of the following BEST addresses the availability of an online store?

Options:

A.

RAID level 5 storage devices

B.

A mirrored site at another location

C.

Online backups

D.

Clustered architecture

Buy Now
Questions 394

Which of the following is the PRIMARY purpose of a rollback plan for a system change?

Options:

A.

To ensure steps exist to remove the change if necessary

B.

To ensure testing can be re-performed if required

C.

To ensure a backup exists before implementing a change

D.

To ensure the system change is effective

Buy Now
Questions 395

Which of the following BEST enables an IS auditor to assess whether jobs were completed according to the job schedule?

Options:

A.

Console log

B.

Exception log

C.

System schedule

D.

Database schedule

Buy Now
Questions 396

Which of the following will provide the GREATEST assurance to IT management that a quality management system (QMS) is effective?

Options:

A.

A high percentage of stakeholders satisfied with the quality of IT

B.

A high percentage of IT processes reviewed by quality assurance (QA)

C.

A high percentage of incidents being quickly resolved

D.

A high percentage of IT employees attending quality training

Buy Now
Questions 397

Which of the following would an IS auditor find to be the GREATEST risk associated with the server room in a remote office location?

Options:

A.

The server room is secured by a key lock instead of an electronic lock.

B.

The server room's location is known by people who work in the area.

C.

The server room does not have temperature controls.

D.

The server room does not have biometric controls.

Buy Now
Questions 398

When reviewing whether IT investments are meeting business objectives, which of the following evaluations would be MOST useful?

Options:

A.

A break-even analysis

B.

Realized return on investment (ROI) versus projected ROI

C.

Budgeted spend versus actual spend

D.

Actual return on investment (ROI) versus industry average ROI

Buy Now
Questions 399

An organization offers an e-commerce platform that allows consumer-to-consumer transactions. The platform now uses blockchain technology to ensure the parties are unable to deny the transactions. Which of the following attributes BEST describes the risk element that this technology is addressing?

Options:

A.

Integrity

B.

Nonrepudiation

C.

Confidentiality

D.

Availability

Buy Now
Questions 400

While reviewing the effectiveness of an incident response program, an IS auditor notices a high number of reported incidents involving malware originating from removable media found by employees. Which of the following is the MOST appropriate recommendation to management?

Options:

A.

Restrict access to removable media ports on company devices.

B.

Install an additional antivirus program to increase protection.

C.

Ensure the antivirus program contains up-to-date signature files for all company devices.

D.

Implement an organization-wide removable media policy.

Buy Now
Questions 401

How is nonrepudiation supported within a public key infrastructure (PKI) environment?

Options:

A.

Through the use of elliptical curve cryptography on transmitted messages

B.

Through the use of a certificate issued by a certificate authority (CA)

C.

Through the use of private keys to decrypt data received by a user

D.

Through the use of enterprise key management systems

Buy Now
Questions 402

Which of the following BEST indicates a need to review an organization's information security policy?

Options:

A.

High number of low-risk findings in the audit report

B.

Increasing exceptions approved by management

C.

Increasing complexity of business transactions

D.

Completion of annual IT risk assessment

Buy Now
Questions 403

Which of the following should an IS auditor do FIRST when auditing a robotics process automation (RPA) implementation?

Options:

A.

Evaluate the overall solution architecture.

B.

Analyze the sequence of activities performed by the robot.

C.

Understand the business processes automated by the robot.

D.

Identity the credentials used by the robot and where they are stored.

Buy Now
Questions 404

An IS auditor found that operations personnel failed to run a script contributing to year-end financial statements. Which of the following is the BEST recommendation?

Options:

A.

Retrain operations personnel.

B.

Implement a closing checklist.

C.

Update the operations manual.

D.

Bring staff with financial experience into operations.

Buy Now
Questions 405

Which of the following is the BEST way to foster continuous improvement of IS audit processes and practices?

Options:

A.

Invite external auditors and regulators to perform regular assessments of the IS audit function.

B.

Implement rigorous managerial review and sign-off of IS audit deliverables.

C.

Frequently review IS audit policies, procedures, and instruction manuals.

D.

Establish and embed quality assurance (QA) within the IS audit function.

Buy Now
Questions 406

An IS auditor determines elevated administrator accounts for servers that are not properly checked out and then back in after each use. Which of the following is the MOST appropriate sampling technique to determine the scope of the problem?

Options:

A.

Haphazard sampling

B.

Random sampling

C.

Statistical sampling

D.

Stratified sampling

Buy Now
Questions 407

Which of the following tests is MOST likely to detect an error in one subroutine resulting from a recent change in another subroutine?

Options:

A.

User acceptance testing (UAT)

B.

Black-box testing

C.

Regression testing

D.

Stress testing

Buy Now
Questions 408

An IS auditor has been asked to review an event log aggregation system to ensure risk management practices have been applied. Which of the following should be of MOST concern to the auditor?

Options:

A.

Log feeds are uploaded via batch process.

B.

Completeness testing has not been performed on the log data.

C.

The log data is not normalized.

D.

Data encryption standards have not been considered.

Buy Now
Questions 409

Which of the following observations should be of GREATEST concern to an IS auditor reviewing an organization’s enterprise architecture (EA) program?

Options:

A.

The architecture review board is chaired by the CIO

B.

IT application owners have sole responsibility for architecture approval

C.

The EA program governs projects that are not IT-related

D.

Information security requirements are reviewed by the EA program

Buy Now
Questions 410

An organization is modernizing its technology policy framework to demonstrate compliance with external industry standards. Which of the following would be MOST useful to an IS auditor for validating the outcome?

Options:

A.

Benchmarking of internal standards against peer organizations

B.

Inventory of the organization's approved policy exceptions

C.

Policy recommendations from a leading external consulting agency

D.

Mapping of relevant standards against the organization's controls

Buy Now
Questions 411

Which of the following is the MOST important consideration to facilitate prosecution of a perpetrator after a cybercrime?

Options:

A.

An active intrusion detection system (IDS)

B.

Professional collection of unaltered evidence

C.

Reporting to the internal legal department

D.

Immediate law enforcement involvement

Buy Now
Questions 412

Which of the following system attack methods is executed by entering malicious code into the search box of a vulnerable website, causing the server to reveal restricted information?

Options:

A.

Man-m-the-middle

B.

Denial of service (DoS)

C.

SQL injection

D.

Cross-site scripting

Buy Now
Questions 413

The PRIMARY reason to perform internal quality assurance (QA) for an internal audit function is to ensure:

Options:

A.

audit resources are used most effectively.

B.

internal audit activity conforms with audit standards and methodology.

C.

the audit function is adequately governed and meets performance metrics.

D.

inherent risk in audits is minimized.

Buy Now
Questions 414

Which of the following is the MAIN objective of enterprise architecture (EA) governance?

Options:

A.

To ensure new processes and technologies harmonize with existing processes

B.

To ensure the EA can adapt to emerging technology trends

C.

To ensure the EA is compliant with local laws and regulations

D.

To ensure new initiatives produce an acceptable return on investment (ROI)

Buy Now
Questions 415

An organization establishes capacity utilization thresholds and monitors for instances when thresholds are exceeded. Which of the following is BEST supported by this activity?

Options:

A.

Integrity

B.

Availability

C.

Confidentiality

D.

Nonrepudiation

Buy Now
Questions 416

A senior IS auditor suspects that a PC may have been used to perpetrate fraud in a finance department. The auditor should FIRST report this suspicion to:

Options:

A.

audit management.

B.

the police.

C.

the audit committee.

D.

auditee line management.

Buy Now
Questions 417

Which of the following controls is BEST implemented through system configuration?

    Network user accounts for temporary workers expire after 90 days.

    Application user access is reviewed every 180 days for appropriateness.

    Financial data in key reports is traced to source systems for completeness and accuracy.

Options:

A.

Computer operations personnel initiate batch processing jobs daily.

Buy Now
Questions 418

Which of the following is the PRIMARY benefit of operational log management?

Options:

A.

It enhances user experience via predictive analysis.

B.

It improves security with real-time monitoring of network data.

C.

It organizes data to identify performance issues.

D.

It supports data aggregation using unified storage.

Buy Now
Questions 419

An organization produces control reports with a desktop application that accesses data in the central production database. Which of the following would give an IS auditor concern about the reliability of these reports?

Options:

A.

The reports are printed by the same person who reviews them.

B.

The reports are available to all end users.

C.

The report definitions file is not included in routine backups.

D.

The report definitions can be modified by end users.

Buy Now
Questions 420

Which of the following applications has the MOST inherent risk and should be prioritized during audit planning?

Options:

A.

A decommissioned legacy application

B.

An onsite application that is unsupported

C.

An outsourced accounting application

D.

An internally developed application

Buy Now
Questions 421

Which of the following presents the GREATEST risk to an organization's ability to manage quality control (QC) processes?

Options:

A.

Lack of segregation of duties

B.

Lack of a dedicated QC function

C.

Lack of policies and procedures

D.

Lack of formal training and attestation

Buy Now
Exam Code: CISA
Exam Name: Certified Information Systems Auditor
Last Update: Mar 26, 2025
Questions: 1404

PDF + Testing Engine

$87.15  $249

Testing Engine

$78.75  $225
buy now CISA testing engine

PDF (Q&A)

$69.65  $199
buy now CISA pdf