CISA Certified Information Systems Auditor Questions and Answers
Which of the following BEST indicates that an incident management process is effective?
Which of the following is the MOST effective control to mitigate against the risk of inappropriate activity by employees?
A proper audit trail of changes to server start-up procedures would include evidence of:
In the development of a new financial application, the IS auditor ' s FIRST involvement should be in the:
Which of the following should be done FIRST to ensure the secure configuration of new IT assets in an organization?
Which of the following is MOST important to determine during the planning phase of a cloud-based messaging and collaboration platform acquisition?
If a source code is not recompiled when program changes are implemented, which of the following is a compensating control to ensure synchronization of source and object?
Which of the following is MOST useful for determining whether the goals of IT are aligned with the organization ' s goals?
An IT strategic plan that BEST leverages IT in achieving organizational goals will include:
Which of the following is the BEST way to ensure email confidentiality in transit?
An IS auditor learns the organization has experienced several server failures in its distributed environment. Which of the following is the BEST recommendation to limit the potential impact of server failures in the future?
The PRIMARY reason to assign data ownership for protection of data is to establish:
Which of the following BEST enables an IS auditor to combine and compare access control lists from various applications and devices?
Which of the following BEST helps to ensure data integrity across system interfaces?
Which of the following controls is BEST implemented through system configuration?
Network user accounts for temporary workers expire after 90 days.
Application user access is reviewed every 180 days for appropriateness.
Financial data in key reports is traced to source systems for completeness and accuracy.
Which of the following is the GREATEST risk if two users have concurrent access to the same database record?
Management is concerned about sensitive information being intentionally or unintentionally emailed as attachments outside the organization by employees. What is the MOST important task before implementing any associated email controls?
An IS auditor has discovered that a software system still in regular use is years out of date and no longer supported. The auditee has stated that it will take six months until the software is running on the current version. Which of the following is the BEST way to reduce the immediate risk associated with using an unsupported version of the software?
Which of the following observations regarding change management should be considered the MOST serious risk by an IS auditor?
In an annual audit cycle, the audit of an organization ' s IT department resulted in many findings. Which of the following would be the MOST important consideration when planning the next audit?
An organization is disposing of a system containing sensitive data and has deleted all files from the hard disk. An IS auditor should be concerned because:
An IS auditor has been asked to advise on measures to improve IT governance within the organization. Which of the following IS the BEST recommendation?
Which of the following is the BEST control lo mitigate attacks that redirect Internet traffic to an unauthorized website?
Which of the following control measures is the MOST effective against unauthorized access of confidential information on stolen or lost laptops?
Which of the following is the BEST control to mitigate the malware risk associated with an instant messaging (IM) system?
If a recent release of a program has to be backed out of production, the corresponding changes within the delta version of the code should be:
An IS auditor is asked to provide feedback on the systems options analysis for a new project. The BEST course of action for the IS auditor would be to:
A job is scheduled to transfer data from a transactional system database to a data lake for reporting purposes. Which of the following would be of GREATEST concern to an IS auditor?
Which of the following is MOST important for an IS auditor to examine when reviewing an organization ' s privacy policy?
Which of the following provides the GREATEST assurance that a middleware application compiling data from multiple sales transaction databases for forecasting is operating effectively?
Which of the following is the PRIMARY objective of data loss prevention (DLP) mechanisms?
Which of the following is the MOST important consideration when developing tabletop exercises within a cybersecurity incident response plan?
To help determine whether a controls-reliant approach to auditing financial systems in a company should be used, which sequence of IS audit work is MOST appropriate?
A new system development project is running late against a critical implementation deadline. Which of the following is the MOST important activity?
How does public key infrastructure (PKI) help to verify that a digitally signed document is not a forgery?
Which of the following is the BEST way to address separation of duties issues in an organization with budget constraints?
A network analyst is monitoring the network after hours and detects activity that appears to be a brute-force attempt to compromise a critical server. After reviewing the alerts to ensure their accuracy, what should be done NEXT?
When designing metrics for information security, the MOST important consideration is that the metrics:
Which of the following is the BEST method to safeguard data on an organization ' s laptop computers?
The BEST way to determine whether programmers have permission to alter data in the production environment is by reviewing:
During the review of a system disruption incident, an IS auditor notes that IT support staff were put in a position to make decisions beyond their level of authority.
Which of the following is the BEST recommendation to help prevent this situation in the future?
An IS auditor discovers that a developer has used the same key to grant access to multiple applications making calls to an application programming interface (API). Which of the following is the BEST recommendation to address this situation?
Which of the following applications should an IS auditor consider to be the HIGHEST priority when reviewing disaster recovery planning (DRP) tests for an commerce company?
When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor ' s BEST recommendation is to place an intrusion detection system (IDS) between the firewall and:
Which of the following is MOST important for an IS auditor to review when determining whether IT investments are providing value to tie business?
Which of the following is MOST appropriate to review when determining if the work completed on an IT project is in alignment with budgeted costs?
Having knowledge in which of the following areas is MOST relevant for an IS auditor reviewing public key infrastructure (PKI)?
Which of the following is the MOST important course of action to ensure a cloud access security broker (CASB) effectively detects and responds to threats?
The PRIMARY reason to perform internal quality assurance (QA) for an internal audit function is to ensure:
Which of the following should an IS auditor be MOST concerned with during a post-implementation review?
An IS auditor is examining a front-end subledger and a main ledger. Which of the following would be the GREATEST concern if there are flaws in the mapping of accounts between the two systems?
Which of the following MOST effectively enables consistency across high-volume software changes ' ?
Prior to a follow-up engagement, an IS auditor learns that management has decided to accept a level of residual risk related to an audit finding without remediation. The IS auditor is concerned about management ' s decision. Which of the following should be the IS auditor ' s NEXT course of action?
In an organization ' s feasibility study to acquire hardware to support a new web server, omission of which of the following would be of MOST concern?
Which of the following would be an IS auditor’s GREATEST concern when reviewing the configuration management process?
What should an IS auditor do FIRST when management responses
to an in-person internal control questionnaire indicate a key internal
control is no longer effective?
An IS auditor is preparing a plan for audits to be carried out over a specified period. Which of the following activities should the IS auditor perform FIRST?
In which of the following sampling methods is the entire sample considered to be irregular if a single error is found?
A month after a company purchased and implemented system and performance monitoring software, reports were too large and therefore were not reviewed or acted upon The MOST effective plan of action would be to:
Which of the following is the MAIN purpose of an information security management system?
An IS auditor notes the transaction processing times in an order processing system have significantly increased after a major release. Which of the following should the IS auditor review FIRST?
Which of the following would BEST enable an organization to address the security risks associated with a recently implemented bring your own device (BYOD) strategy?
When developing customer-facing IT applications, in which stage of the system development life cycle (SDLC) is it MOST beneficial to consider data privacy principles?
During the implementation of an upgraded enterprise resource planning (ERP) system, which of the following is the MOST important consideration for a go-live decision?
Which of the following issues associated with a data center ' s closed-circuit television (CCTV) surveillance cameras should be of MOST concern to an IS auditor?
Which of the following is an IS auditor ' s BEST recommendation to help an organization increase the efficiency of computing resources?
Which of the following demonstrates the use of data analytics for a loan origination process?
Which of following is MOST important to determine when conducting a post-implementation review?
Documentation of workaround processes to keep a business function operational during recovery of IT systems is a core part of a:
Which of the following should be of GREATEST concern to an IS auditor reviewing a terminated employee’s network access?
During an audit of a financial application, it was determined that many terminated users ' accounts were not disabled. Which of the following should be the IS auditor ' s NEXT step?
Based on best practices, which types of accounts should be disabled for interactive login?
Which of the following is the PRIMARY benefit of monitoring IT operational logs?
Which of the following observations should be of MOST concern to an IS auditor reviewing an organization’s business impact analysis (BIA) practices?
Which of the following is the BEST detective control for a job scheduling process involving data transmission?
At the end of each business day, a business-critical application generates a report of financial transac-tions greater than a certain value, and an employee
then checks these transactions for errors. What type of control is in place?
External audits have identified recurring exceptions in the user termination process, despite similar internal audits having reported no exceptions in the past. Which of the following is the IS auditor ' s BEST course of action to improve the internal audit process in the future?
In a small IT web development company where developers must have write access to production, the BEST recommendation of an IS auditor would be to:
Data centers that want to prevent unauthorized personnel from entering during a power outage should ensure external access doors:
An IS auditor is reviewing the disaster recovery plan (DRP) of an organization with offices across multiple regions. Which of the following should be the auditor ' s PRIMARY focus?
An IS auditor is analyzing a sample of accounts payable transactions for a specific vendor and identifies one transaction with a value five times as high as the average transaction. Which of the following should the auditor do NEXT?
Which of the following BEST helps monitor and manage operational logs to create value for an organization?
What is the MOST effective way to manage contractors ' access to a data center?
While auditing a small organization ' s data classification processes and procedures, an IS auditor noticed that data is often classified at the incorrect level. What is the MOST effective way for the organization to improve this situation?
Which of the following is the PRIMARY function of an internal IS auditor when the organization acquires a new IT system to support its business strategy?
Which of the following would be MOST important to include in an IS audit report?
The GREATEST benefit of using a polo typing approach in software development is that it helps to:
An organization that processes credit card information employs a remote workforce. Which of the following is the MOST effective way to mitigate risk associated with data exfiltration?
Which of the following should be the FIRST consideration when deciding whether data should be moved to a cloud provider for storage?
Which of the following would be of MOST concern to an IS auditor reviewing a data loss prevention (DLP) solution implementation for endpoints?
Which of the following BEST enables an organization to determine the effectiveness of its information security awareness program?
How is nonrepudiation supported within a public key infrastructure (PKI) environment?
Which of the following is the BEST way to determine the adequacy of controls for detecting inappropriate network activity in an organization?
Which of the following MUST be completed as part of the annual audit planning process?
Which of the following would be the MOST significant finding when reviewing a data backup process?
Which of the following BEST facilitates the successful implementation of IT performance monitoring?
Which of the following BEST demonstrates to senior management and the board that an audit function is compliant with standards and the code of ethics?
Which of the following is MOST important for the successful establishment of a security vulnerability management program?
An IT governance body wants to determine whether IT service delivery is based on consistently effective processes. Which of the following is the BEST approach?
Which of the following risk scenarios is BEST mitigated through the use of a data loss prevention (DLP) tool?
Which of the following is MOST important to verify when determining the completeness of the vulnerability scanning process?
Which of the following is the MOST likely root cause of shadow IT in an organization?
Which of the following is an example of a preventive control for physical access?
An organization offers an e-commerce platform that allows consumer-to-consumer transactions. The platform now uses blockchain technology to ensure the parties are unable to deny the transactions. Which of the following attributes BEST describes the risk element that this technology is addressing?
An IS auditor is reviewing the system development practices of an organization that is about to move from a Waterfall to an Agile approach. Which of the following is MOST important for the auditor to focus on as a result of this move?
Which of the following is MOST important to consider when scheduling follow-up audits?
Which of the following MUST be performed by senior audit leadership prior to starting an IS audit project?
A global bank plans to use a cloud provider for backup of customer financial data. Which of the following should be the PRIMARY focus of this project?
An IS auditor notes that IT and the business have different opinions on the availability of their application servers. Which of the following should the IS auditor review FIRST in order to understand the problem?
Management has agreed to move the organization ' s data center due to recent flood map changes in its current location. Which risk response has been adopted?
Afire alarm system has been installed in the computer room The MOST effective location for the fire alarm control panel would be inside the
Which of the following is MOST likely to be reduced when implementing optimal risk management strategies?
Which of the following is MOST important for an IS auditor to assess during a post-implementation review of a newly modified IT application developed in-house?
An IS auditor is reviewing the installation of a new server. The IS auditor ' s PRIMARY objective is to ensure that
Which of the following security measures will reduce the risk of propagation when a cyberattack occurs?
During a disaster recovery audit, an IS auditor finds that a business impact analysis (BIA) has not been performed. The auditor should FIRST
Which of the following is the MOST important benefit of involving IS audit when implementing governance of enterprise IT?
In continuous delivery, the critical connector between development and production is:
An IS auditor is reviewing a machine learning model that predicts the likelihood that a user will watch a certain movie. Which of the following would be of GREATEST concern to the auditor?
Which of the following should be the PRIMARY focus when communicating an IS audit issue to management?
An IS auditor wants to determine who has oversight of staff performing a specific task and is referencing the organization ' s RACI chart. Which of the following roles within the chart would provide this information?
Which of the following is the BEST justification for deferring remediation testing until the next audit?
Which of the following should be an IS auditor ' s GREATEST concern when assessing an IT service configuration database?
Which of the following should be the GREATEST concern for an IS auditor performing a post-implementation review for a major system upgrade?
Providing security certification for a new system should include which of the following prior to the system ' s implementation?
Which of the following is the BEST way to identify key areas for a risk-based audit plan?
Which of the following should be the PRIMARY purpose of conducting tabletop exercises when re-viewing a security incident response plan?
Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system. Which of the following is the IS auditor ' s BEST recommendation for a compensating control?
Which of the following should be the FIRST step when planning an IS audit of a third-party service provider that monitors network activities?
An IS auditor is reviewing how password resets are performed for users working remotely. Which type of documentation should be requested to understand the detailed steps required for this activity?
Which of the following is the GREATEST risk associated with lack of IT involvement in the organization ' s strategic planning initiatives?
Which of the following is the MOST important factor when an organization is developing information security policies and procedures?
Which of the following is the BEST source of information to determine the required level of data protection on a file server?
In response to an audit finding regarding a payroll application, management implemented a new automated control. Which of the following would be MOST helpful to the IS auditor when evaluating the effectiveness of the new control?
Which of the following is the BEST reason to implement a configuration management database (CMDB)?
An organization has implemented a distributed security administration system to replace the previous centralized one. Which of the following presents the GREATEST potential concern?
Which of the following is MOST important to include in security awareness training?
During the implementation of an enterprise resource planning (ERP) system, an IS auditor is reviewing the results of user acceptance testing (UAT). Which of the following should be the auditor’s PRIMARY focus?
An organization has decided to purchase a web-based email service from a third-party vendor and eliminate its own email server infrastructure. What type of cloud computing environment would BEST meet the organization ' s objective?
A now regulation requires organizations to report significant security incidents to the regulator within 24 hours of identification. Which of the following is the IS auditor’s BEST recommendation to facilitate compliance with the regulation?
The process of applying a hash function to a message and obtaining and ciphering a digest refers to:
Which of the following information security requirements BE ST enables the tracking of organizational data in a bring your own device (BYOD) environment?
Which of the following provides the BE ST method for maintaining the security of corporate applications pushed to employee-owned mobile devices?
The operations team of an organization has reported an IS security attack Which of the following should be the FIRST step for the security incident response team?
Which of the following is the BEST way to identify whether the IT help desk is meeting service level agreements (SLAS)?
An organization has alternative links in its wide area network (WAN) to provide redundancy. However, each time there is a problem with a link, network administrators have to update the configuration to divert traffic to the other link. Which of the following would be an IS auditor ' s BEST recommendation?
An organization is planning to implement a control self-assessment (CSA) program tor selected business processes Which of the following should be the role of the internal audit team for this program?
When planning an internal penetration test, which of the following is the MOST important step prior to finalizing the scope of testing?
An IS auditor has discovered that a software system still in regular use is outdated and no longer supported. Which of the following is the BEST way to reduce the immediate risk associated with using an unsupported version of the software?
The use of which of the following would BEST enhance a process improvement program?
Which of the following is MOST important for an IS auditor to look
for in a project feasibility study?
Which of the following poses the GREATEST risk to an organization related to system interfaces?
Which of the following can BEST reduce the impact of a long-term power failure?
Which of the following is the GREATEST concern when applying emergency patches?
Which of the following should be given GREATEST consideration when implementing the use of an open-source product?
An IS auditor is reviewing a bank ' s service level agreement (SLA) with a third-party provider that hosts the bank ' s secondary data center, which of the following findings should be of GREATEST concern to the auditor?
During planning for a cloud service audit, audit management becomes aware that the assigned IS auditor is unfamiliar with the technologies in use and their associated risks to the business. To ensure audit quality, which of the following actions should audit management consider FIRST?
An IS auditor reviewing an organization’s online payment system finds that the system sometimes duplicates payments. Which control will BEST compensate for this weakness?
An IS audit review identifies inconsistencies in privacy requirements across third-party service provider contracts. Which of the following is the BEST
recommendation to address this situation?
Internal audit is evaluating an organization’s IT portfolio management. Which of the following would be the BEST recommendation for prioritizing the funding of IT projects?
Which of the following is the MOST effective way to validate that the quality of IS audits is maintained?
Which of the following technologies is BEST suited to fulfill a business requirement for nonrepudiation of business-to-business transactions with external parties without the need for a mutually trusted entity?
During an audit which of the following would be MOST helpful in establishing a baseline for measuring data quality?
The BEST way for an IS auditor to validate that separation of duties has been implemented is to perform:
If enabled within firewall rules, which of the following services would present the GREATEST risk?
Which of the following is the BEST sampling method to use when relatively few errors are expected to be found in a population?
Which of the following should be of MOST concern to an IS auditor reviewing an organization ' s operational log management?
Which of the following is the MOST important consideration when defining an operational log management strategy?
Which of the following audit procedures would provide the BEST assurance that an application program is functioning as designed?
Which of the following provides the MOST useful information to an IS auditor when selecting projects for inclusion in an IT audit plan?
Which of the following BEST enables an IS auditor to prioritize financial reporting spreadsheets for an end-user computing (EUC) audit?
A security review focused on data loss prevention (DLP) revealed the organization has no visibility to data stored in the cloud. What is the IS auditor ' s BEST recommendation to address this
issue?
When an IS auditor needs to confirm that an organization is encrypting sensitive information at a database level, which of the following would provide the BEST assurance?
An IS audit team is evaluating documentation of the most recent application user access review. It is determined that the user list was not system generated. Which of the following should be of
MOST concern?
Which of the following is the PRIMARY reason for an IS audit manager to review the work performed by a senior IS auditor prior to presentation of a report?
Which of the following observations would an IS auditor consider the GREATEST risk when conducting an audit of a virtual server farm tor potential software vulnerabilities?
An IS auditor observes that an organization ' s systems are being used for cryptocurrency mining on a regular basis. Which of the following is the auditor ' s FIRST course of action?
An IS audit reveals an IT application is experiencing poor performance including data inconsistency and integrity issues. What is the MOST likely cause?
Which of the following is MOST effective for controlling visitor access to a data center?
When is it MOST important for an IS auditor to apply the concept of materiality in an audit?
Which of the following security measures will reduce the risk of propagation when a cyberattack occurs?
Which of the following BEST describes the process of creating a digital envelope?
Which of the following would BEST determine whether a post-implementation review (PIR) performed by the project management office (PMO) was effective?
The waterfall life cycle model of software development is BEST suited for which of the following situations?
Which of the following findings would be of GREATEST concern to an IS auditor assessing an organization ' s patch management process?
Which of the following provides the BEST assurance that a new database management system (DBMS) meets the requirements of local privacy regulations?
An organization plans to replace its nightly batch processing backup to magnetic tape with real-time replication to a second data center. Which of the following is the GREATEST risk associated with this change?
When planning an audit to assess controls for an application in the cloud environment, it is MOST important for an IS auditor to understand:
Which of the following should be the FIRST step in the incident response process for a suspected breach?
Which audit approach is MOST helpful in optimizing the use of IS audit resources?
Which of the following should be of GREATEST concern to an IS auditor reviewing an organization’s IT process performance reports over the last quarter?
Which of the following is the BEST metric to measure the alignment of IT and business strategy?
Which of the following system attack methods is executed by entering malicious code into the search box of a vulnerable website, causing the server to reveal restricted information?
Which of the following is necessary for effective risk management in IT governance?
Which of the following should be used as the PRIMARY basis for prioritizing IT projects and initiatives?
An IS auditor reviewing an organization’s IT systems finds that the organization frequently purchases systems that are incompatible with the technologies already in the organization. Which of the following is the MOST likely reason?
An organization relies on an external vendor that uses a cloud-based Software as a Service (SaaS) model to back up its data. Which of the following is the GREATEST risk to the organization related to data backup and retrieval?
Which of the following statements appearing in an organization ' s acceptable use policy BEST demonstrates alignment with data classification standards related to the protection of information assets?
Which of the following is the BEST way to enforce the principle of least privilege on a server containing data with different security classifications?
An IS auditor reviewing an information processing environment decides to conduct external penetration testing. Which of the following is MOST appropriate to include in the audit scope for the organization to distinguish between the auditor ' s penetration attacks and actual attacks?
An organization establishes capacity utilization thresholds and monitors for instances when thresholds are exceeded. Which of the following is BEST supported by this activity?
Which of the following is the MOST efficient control to reduce the risk associated with a systems administrator having network administrator responsibilities?
Which of the following concerns is MOST effectively addressed by implementing an IT framework for alignment between IT and business objectives?
During a database security audit, an IS auditor is reviewing the process used to input data. Which of the following is the MOST significant risk area for the auditor to focus on?
Which of the following is PRIMARILY used in blockchain technology to create a distributed immutable ledger?
Which of the following would be of GREATEST concern to an IS auditor reviewing the feasibility study for a new application system?
Which of the following would be the GREATEST concern during a financial statement audit?
An IS auditor is asked to review an organization ' s technology relationships, interfaces, and data. Which of the following enterprise architecture (EA) areas is MOST appropriate this review? (Choose Correct answer and give explanation from CISA Certification - Information Systems Auditor official book)
Which of the following metrics would BEST measure the agility of an organization ' s IT function?
An IS auditor is conducting an audit of a very large e-commerce platform. Which of the following techniques BEST enables the auditor to identify web application security flaws?
Which of the following should be the FIRST step when conducting an IT risk assessment?
A review of IT interface controls finds an organization does not have a process to identify and correct records that do not get transferred to the receiving system Which of the following is the IS auditors BEST recommendation?
Which of the following is the BEST recommendation to prevent fraudulent electronic funds transfers by accounts payable employees?
Which of the following is the PRIMARY role of the IS auditor m an organization ' s information classification process?
Which of the following controls BEST ensures appropriate segregation of dudes within an accounts payable department?
Which of the following is the GREATEST risk associated with security patches being automatically downloaded and applied to production servers?
Which of the following should an IS auditor recommend be done FIRST when an organization is planning to implement an IT compliance program?
Which of the following physical controls provides the GREATEST assurance that only authorized individuals can access a data center?
For an organization that has plans to implement web-based trading, it would be MOST important for an IS auditor to verify the organization ' s information security plan includes:
An organization ' s security team created a simulated production environment with multiple vulnerable applications. What would be the PRIMARY purpose of creating such an environment?
Which of the following is the BEST way to mitigate risk to an organization ' s network associated with devices permitted under a bring your own device (BYOD) policy?
A core system fails a week after a scheduled update, causing an outage that impacts service. Which of the following is MOST important for incident management to focus on when addressing the issue?
Which of the following application input controls would MOST likely detect data input errors in the customer account number field during the processing of an accounts receivable transaction?
Which of the following provides the MOST assurance over the completeness and accuracy ol loan application processing with respect to the implementation of a new system?
Which of the following is an analytical review procedure for a payroll system?
An IS auditor wants to verify alignment of the organization ' s business continuity plan (BCP) with the business strategy. Which of the following would be MOST helpful to review?
A warehouse employee of a retail company has been able to conceal the theft of inventory items by entering adjustments of either damaged or lost stock items lo the inventory system. Which control would have BEST prevented this type of fraud in a retail environment?
A global company has been using a publicly available AI tool to obtain information about global laws and regulations that could impact the business. Which of the following should be of MOST concern to an IS auditor?
What should an IS auditor do FIRST when a follow-up audit reveals some management action plans have not been initiated?
To protect the organization from malware transmitted by physical media, IT administrators have disabled USB access for storage devices. Which of the following BEST describes this type of control?
Which of the following is MOST important for an IS auditor to confirm when reviewing an organization ' s incident response management program?
An IS auditor is conducting a review of a data center. Which of the following observations could indicate an access control Issue?
Which of the following would be of GREATEST concern to an IS auditor reviewing an IT strategy document?
Which of the following areas is MOST likely to be overlooked when implementing a new data classification process?
Which of the following is MOST important for an IS auditor to do during an exit meeting with an auditee?
In which data loss prevention (DLP) deployment model is data inspection and policy enforcement performed at the organization ' s perimeter or gateway?
Which of the following non-audit activities may impair an IS auditor ' s independence and objectivity?
During the evaluation of controls over a major application development project, the MOST effective use of an IS auditor ' s time would be to review and evaluate:
Which of the following is an IS auditor’s BEST approach when low-risk anomalies have been identified?
Which of the following should be restricted from a network administrator ' s privileges in an adequately segregated IT environment?
The BEST way to evaluate the effectiveness of a newly developed application is to:
Which of the following poses the GREATEST potential concern for an organization that decides to consolidate mission-critical applications on a large server as part of IT capacity management?
Which of the following should be done FIRST to minimize the risk of unstructured data?
When reviewing a data classification scheme, it is MOST important for an IS auditor to determine if.
For security awareness training to be MOST effective, management should ensure the training:
During the implementation of a new system, an IS auditor must assess whether certain automated calculations comply with the regulatory requirements Which of the following is the BEST way to obtain this assurance?
Which of the following is MOST important to ensure when developing an effective security awareness program?
An IS auditor finds ad hoc vulnerability scanning is in place with no clear alignment to the organization ' s wider security threat and vulnerability management program.
Which of the following would BEST enable the organization to work toward improvement in this area?
Which of the following is the BEST source of information for assessing the effectiveness of IT process monitoring?
An IS auditor is reviewing an organization ' s business intelligence infrastructure. The BEST recommendation to help the organization achieve a reasonable level of data quality would be to:
To enable the alignment of IT staff development plans with IT strategy, which of the following should be done FIRST?
Which of the following is MOST helpful for an IS auditor to review when evaluating an organizations business process that are supported by applications and IT systems?
An IS auditor reviewing the throat assessment for a data cantor would be MOST concerned if:
An organization that has decided to approve the use of end-user computing (EUC) should FIRST ensure:
An IS auditor is following up on prior period items and finds management did not address an audit finding. Which of the following should be the IS auditor ' s NEXT course of action?
Which of the following job scheduling schemes for operating system updates is MOST likely to adequately balance protection of workstations with user requirements?
Which of the following methods would BEST help detect unauthorized disclosure of confidential documents sent over corporate email?
Which of the following security testing techniques is MOST effective for confirming that inputs to a web application have been properly sanitized?
A company requires that all program change requests (PCRs) be approved and all modifications be automatically logged. Which of the following IS audit procedures will BEST determine whether unauthorized changes have been made to production programs?
An organization ' s IT department and internal IS audit function all report to the chief information officer (CIO). Which of the following is the GREATEST concern associated with this reporting structure?
Which of the following BEST ensures the quality and integrity of test procedures used in audit analytics?
In the case of a disaster where the data center is no longer available, which of the following tasks should be done FIRST?
Which of the following provides a new IS auditor with the MOST useful information to evaluate overall IT performance?
An IS auditor concludes that logging and monitoring mechanisms within an organization are ineffective because critical servers are not included within the central log repository. Which of the following audit procedures would have MOST likely identified this exception?
Which of the following is the MOST important advantage of participating in beta testing of software products?
Which of the following is the BEST source of information for examining the classification of new data?
Which of the following is the BEST way for an IS auditor to assess the design of an automated application control?
During a pre-deployment assessment, what is the BEST indication that a business case will lead to the achievement of business objectives?
An IS auditor discovers that due to resource constraints a database administrator (DBA) is responsible for developing and executing changes into the production environment Which ot the following should the auditor do FIRSTS
Which of the following is MOST important to verify when determining the completeness of the vulnerability scanning process?
An internal audit team is deciding whether to use an audit management application hosted by a third party in a different country.
What should be the MOST important consideration related to the uploading of payroll audit documentation in the hosted
application?
Which of the following BEST enables an organization to improve the visibility of end-user computing (EUC) applications that support regulatory reporting?
Which of the following would BEST demonstrate that an effective disaster recovery plan (DRP) is in place?
During a closing meeting, the IT manager disagrees with a valid audit finding presented by the IS auditor and requests the finding be excluded from the final report. Which of the following is the auditor ' s BEST course of action?
Which of the following BEST supports the effectiveness of a compliance program?
In an environment where data virtualization is used, which of the following provides the BEST disaster recovery solution?
in a controlled application development environment, the MOST important segregation of duties should be between the person who implements changes into the production environment and the:
Which of the following is MOST important for an IS auditor to review when evaluating the accuracy of a spreadsheet that contains several macros?
A new system is being developed by a vendor for a consumer service organization. The vendor will provide its proprietary software once system development is completed Which of the following is the MOST important requirement to include In the vendor contract to ensure continuity?
Which of the following is the BEST indication of effective IT investment management?
An IS department is evaluated monthly on its cost-revenue ratio user satisfaction rate, and computer downtime This is BEST zed as an application of.
An employee loses a mobile device resulting in loss of sensitive corporate data. Which o( the following would have BEST prevented data leakage?
Which of the following is the BEST way to mitigate the risk associated with unintentional modifications of complex calculations in end-user computing (EUC)?
Which of the following BEST indicates an effective internal audit quality assurance and improvement program?
Following an IT audit, management has decided to accept the risk highlighted in the audit report. Which of the following would provide the MOST assurance to the IS auditor that management
is adequately balancing the needs of the business with the need to manage risk?
Which of the following is MOST helpful for measuring benefits realization for a new system?
Which of the following BEST mitigates the risk associated with the deployment of a new production system?
Which of the following should be of MOST concern to an IS auditor when reviewing an intrusion detection system (IDS)?
An administrator performs firewall configuration changes for a small organization. Which of the following is the BEST compensating control to mitigate the risk of unauthorized changes in this situation?
An audit has identified that business units have purchased cloud-based applications without IPs support. What is the GREATEST risk associated with this situation?
An IS auditor is reviewing a machine learning algorithm-based system for loan approvals and is preparing a data set to test the algorithm for bias. Which of the following is MOST important for the auditor’s test data set to include?
Which of the following provides the BEST evidence that system requirements are met when evaluating a project before implementation?
An organization implemented a cybersecurity policy last year Which of the following is the GREATE ST indicator that the policy may need to be revised?
If concurrent update transactions to an account are not processed properly, which of the following will be affected?
Which of the following would be the BEST criteria for monitoring an IT vendor ' s service levels?
What should an IS auditor do FIRST upon discovering that a service provider did not notify its customers of a security breach?
Which of the following should be done FIRST when planning to conduct internal and external penetration testing for a client?
An organization is implementing a new data loss prevention (DLP) tool. Which of the following will BEST enable the organization to reduce false positive alerts?
Which type of review is MOST important to conduct when an IS auditor is informed that a recent internal exploitation of a bug has been discovered in a business application?
Which of the following is the MOST effective accuracy control for entry of a valid numeric part number?
The PRIMARY role of an IS auditor in the remediation of problems found during an audit engagement is to:
Which of the following BEST indicates that the effectiveness of an organization ' s security awareness program has improved?
Which of the following should be the GREATEST concern to an IS auditor reviewing the information security framework of an organization?
Which of the following is the MOST important consideration to facilitate prosecution of a perpetrator after a cybercrime?
Which of the following observations should be of GREATEST concern to an IS auditor assessing access controls for the accounts payable module of a finance system?
Which of the following represents the HIGHEST level of maturity of an information security program?
To mitigate the risk of exposing data through application programming interface (API) queries. which of the following design considerations is MOST important?
To ensure confidentiality through the use of asymmetric encryption, a message is encrypted with which of the following?
Which of the following provides the MOST assurance of the integrity of a firewall log?
Spreadsheets are used to calculate project cost estimates. Totals for each cost category are then keyed into the job-costing system. What is the BEST control to ensure that data is accurately entered into the system?
Which of the following is the MOST appropriate control to ensure integrity of online orders?
An IS auditor learns that an organization ' s business continuity plan (BCP) has not been updated in the last 18 months and that the organization recently closed a production plant. Which of the following is the auditor ' s BEST course of action?
Which of the following would BEST help to ensure that an incident receives attention from appropriate personnel in a timely manner?
A hearth care organization utilizes Internet of Things (loT) devices to improve patient outcomes through real-time patient monitoring and advanced diagnostics. Which of the following would BEST assist in isolating these devices from corporate network traffic?
Which of the following testing methods is MOST appropriate for assessing whether system integrity has been maintained after changes have been made?
An IS auditor is reviewing database fields updated in real-time and displayed through other applications in multiple organizational functions. When validating business approval for these various use cases, which of the following sources of information would be the BEST starting point?
During an exit meeting, an IS auditor highlights that backup cycles
are being missed due to operator error and that these exceptions
are not being managed. Which of the following is the BEST way to
help management understand the associated risk?
An organization has replaced all of the storage devices at its primary data center with new higher-capacity units The replaced devices have been installed at the disaster recovery site to replace older units An IS auditor s PRIMARY concern would be whether
Which of the following is the BEST way for management to ensure the effectiveness of the cybersecurity incident response process?
When reviewing a project to replace multiple manual data entry systems with an artificial intelligence (Al) system, the IS auditor should be MOST concerned with the impact Al will have on
An IS auditor wants to inspect recent events in a system to observe failed authentications and password changes. Which of the following is the MOST appropriate method to use for this purpose?
When auditing the security architecture of an online application, an IS auditor should FIRST review the:
Which of the following should be an IS auditor ' s PRIMARY consideration when determining which issues to include in an audit report?
An organization has introduced a capability maturity model to the system development life cycle (SDLC) to measure improvements. Which of the following is the BEST indication of successful process improvement?
An IS auditor has been asked to advise on measures to improve IT governance within the organization. Which at the following is the BEST recommendation?
Which of the following security measures is MOST important for protecting Internet of Things (IoT) devices from potential cyberattacks?
Which of the following is MOST helpful to an IS auditor reviewing the alignment of planned IT budget with the organization ' s goals and strategic objectives?
Which of the following should an IS auditor ensure is classified at the HIGHEST level of sensitivity?
An organization ' s payroll department recently implemented a new Software as a Service (SaaS) tool for payment processing. Which of the following audits is MOST appropriate for an IS auditor to validate that the new tool is configured as expected to meet performance requirements?
An organization recently migrated Us data warehouse from a legacy system to a different architecture in the cloud. Which of the following should be of GREATEST concern to the IS auditor reviewing the new data architecture?
A review of an organization’s IT portfolio revealed several applications that are not in use. The BEST way to prevent this situation from recurring would be to implement.
Which of the following is the BEST point in time to conduct a post-implementation review?
A system experiences multiple recurring processing errors. Which of the following is the PRIMARY concern for an IS auditor?
Which of the following findings should be an IS auditor’s GREATEST concern when reviewing a project to migrate confidential data backups to a cloud-based solution?
An IS auditor has found that an organization is unable to add new servers on demand in a cost-efficient manner. Which of the following is the auditor ' s BEST recommendation?
A mission-critical application utilizes a one-node database server. On multiple occasions, the database service has been stopped to perform routine patching, causing application outages. Which of the following should be the IS auditor’s GREATEST concern?
Which of the following is the BEST indication that there are potential problems within an organization ' s IT service desk function?
During a project audit, an IS auditor notes that project reporting does not accurately reflect current progress. Which of the following is the GREATEST resulting impact?
Which of the following BEST helps to establish that digital evidence is in its original form and has not been tampered with?
An organization ' s information security policies should be developed PRIMARILY on the basis of:
Which of the following controls would BEST help a forensic investigator prevent modifications in digital evidence?
Which of the following is the MOST appropriate responsibility of an IS auditor involved in a data center renovation project?
An organization plans to centrally decommission end-of-life databases and migrate the data to the latest model of hardware. Which of the following BEST ensures data integrity is preserved during the migration?
Which of the following is the MOST important reason to classify a disaster recovery plan (DRP) as confidential?
Secure code reviews as part of a continuous deployment program are which type of control?
Which of the following should an IS auditor perform FIRST when auditing an outsourced human resource application?
Which of the following is the MOST important prerequisite for implementing a data loss prevention (DLP) tool?
Which of the following concerns is BEST addressed by securing production source libraries?
Which of the following BEST facilitates the legal process in the event of an incident?
Which of the following is the MAJOR advantage of automating internal controls?
An organization is concerned about duplicate vendor payments on a complex system with a high volume of transactions. Which of the following would be MOST helpful to an IS auditor to determine whether duplicate vendor payments exist?
Which of the following is the BEST way to sanitize a hard disk for reuse to ensure the organization ' s information cannot be accessed?
During an organization ' s implementation of a data loss prevention (DLP) solution, which of the following activities should be completed FIRST?
An organization saves confidential information in a file with password protection and the file is placed in a shared folder. An attacker has stolen this information by obtaining the password through social engineering. Implementing which of the following would BEST enable the organization to prevent this type of incident in the future?
What Is the BEST method to determine if IT resource spending is aligned with planned project spending?
When building or upgrading enterprise cryptographic infrastructure, which of the following is the MOST critical requirement for growing business environments?
A small organization has cut costs by reducing IT positions and consolidating a large number of critical responsibilities into the role of its most senior IT engineer. Which of the following is the PRIMARY risk in this situation?
What should an IS auditor evaluate FIRST when reviewing an organization ' s response to new privacy legislation?
When auditing the closing stages of a system development protect which of the following should be the MOST important consideration?
An IS auditor is assigned to review the IS department s quality procedures. Upon contacting the IS manager, the auditor finds that there is an informal unwritten set of standards Which of the following should be the auditor ' s NEXT action1?
Which of the following is the MOST efficient way to identify separation of duties violations in a new system?
Which of the following findings from a network security review presents the GREATEST risk to the organization?
Which of the following public key infrastructure (PKI) elements provides detailed descriptions for dealing with a compromised private key?
Which type of control has been established when an organization implements a security information and event management (SIEM) system?
An organization has developed processes to recover critical files in the event of a ransomware attack. Which type of control do these processes represent?
Which of the following is the BEST evidence that an organization ' s IT strategy is aligned lo its business objectives?
Which of the following is the BEST reason to implement a data retention policy?
Which of the following applications has the MOST inherent risk and should be prioritized during audit planning?
Which of the following system redundancy configurations BEST improves system resiliency and reduces the possibility of a single cause of failure impacting system dependability?
which of the following is a core functionality of a configuration and release management system?
Which of the following network topologies will provide the GREATEST fault tolerance?
A review of IT interface controls finds an organization does not have a process to identify and correct records that do not get transferred to the receiving system. Which of the following is the IS
auditor ' s BEST recommendation?
An organization has replaced its call center with Al chatbots that autonomously learn new responses through internet queries and customer conversation history. Which of the following would an IS auditor tasked with verifying IT controls consider to be the GREATEST risk?
After the merger of two organizations, which of the following is the MOST important task for an IS auditor to perform?
An IS auditor is assessing an organization ' s DevSecOps approach. Which of the following BEST indicates a proactive approach to identifying vulnerabilities?
Which of the following is the PRIMARY purpose of a rollback plan for a system change?
Which of the following is the MOST important consideration when evaluating the data retention policy for a global organization with regional offices in multiple countries?
The PRIMARY reason to perform internal quality assurance (QA) for an internal audit function is to ensure:
An employee approaches an IS auditor and expresses concern about a critical security issue in a newly installed application. Which of the following should the auditor do FIRST?
In which phase of the internal audit process is contact established with the individuals responsible for the business processes in scope for review?
Which of the following BEST enables an organization to standardize its IT infrastructure to align with business goals?
An organization that has suffered a cyber-attack is performing a forensic analysis of the affected users ' computers. Which of the following should be of GREATEST concern for the IS auditor reviewing this process?
When reviewing past results of a recurring annual audit, an IS auditor notes that findings may not have been reported and independence may not have been maintained. Which of the following is the auditor ' s BEST course of action?
Which of the following should an IS auditor consider the MOST significant risk associated with a new health records system that replaces a legacy system?
During a project assessment, an IS auditor finds that business owners have been removed from the project initiation phase. Which of the following should be the auditor ' s GREATEST concern with this situation?
Who is PRIMARILY responsible for the design of IT controls to meet control objectives?
Which of the following is the PRIMARY advantage of using an automated security log monitoring tool over a manual review to monitor the use of privileged access?
An IS auditor discovers from patch logs that some in-scope systems are not compliant with the regular patching schedule. What should the auditor do NEXT?
Which of the following is the MOST important control for virtualized environments?
When an intrusion into an organization network is deleted, which of the following should be done FIRST?
From an IS auditor ' s perspective, which of the following would be the GREATEST risk associated with an incomplete inventory of deployed software in an organization?
Which of the following is the PRIMARY purpose of enterprise architecture (EA) within an organization?
An organization is shifting to a remote workforce In preparation the IT department is performing stress and capacity testing of remote access infrastructure and systems What type of control is being implemented?
An outsourced recruitment vendor processes personally identifiable information (PII) related to an organization’s new hires. Which of the following would be the GREATEST concern to an IS auditor reviewing the third-party risk management process?
An organization has recently acquired and implemented intelligent-agent software for granting loans to customers. During the post-implementation review, which of the following is the MOST important procedure for the IS auditor to perform?
Which of the following is the BEST compensating control against separation of duties conflicts in new code development?
An IS auditor is reviewing the service management of an outsourced help desk. Which of the following is the BEST indicator of how effectively the service provider is performing this function?
An organization is planning an acquisition and has engaged an IS auditor lo evaluate the IT governance framework of the target company. Which of the following would be MOST helpful In determining the effectiveness of the framework?
Which of the following is the MOST important activity in the data classification process?
What is the GREATEST concern for an IS auditor reviewing contracts for licensed software that executes a critical business process?
Which of the following would be MOST helpful to an IS auditor performing a risk assessment of an application programming interface (API) that feeds credit scores from a well-known commercial credit agency into an organizational system?
An IS auditor should look for which of the following to ensure the risk associated with scope creep has been mitigated during software development?
Which of the following is the MOST significant risk when an application uses individual end-user accounts to access the underlying database?
When selecting a new data loss prevention (DLP) solution, the MOST important consideration is that the solution:
Which of the following is the MOST efficient way to identify segregation of duties violations in a new system?
What should an IS auditor ensure when a financial organization intends to utilize production data in the testing environment?
When processing speed is the highest priority, which cryptographic algorithm should be used to verify the integrity of a bit-for-bit copy from digital evidence?
Which of the following should be of GREATEST concern to an IS auditor when using data analytics?
Several unattended laptops containing sensitive customer data were stolen from personnel offices Which of the following would be an IS auditor ' s BEST recommendation to protect data in case of recurrence?
Which of the following is the BEST metric to measure the quality of software developed in an organization?
Which of the following is the MOST important determining factor when establishing appropriate timeframes for follow-up activities related to audit findings?
Which of the following should be the role of internal audit in an organization’s move to the cloud?
Which of the following MOST effectively minimizes downtime during system conversions?
The PRIMARY reason for an IS auditor to use data analytics techniques is to reduce which type of audit risk?
An IS auditor follows up on a recent security incident and finds the incident response was not adequate. Which of the following findings should be considered MOST critical?
An IS auditor notes that not all security tests were completed for an online sales system recently promoted to production. Which of the following is the auditor ' s BEST course of action?
A finance department has a two-year project to upgrade the enterprise resource planning (ERP) system hosting the general ledger in year one the system version upgrade will be applied and in year two business processes will be updated to implement new system functionality. Which of the following should be the PRIMARY focus of an IS auditor reviewing the second year of the implementation ' ?
During an audit of payment services of a branch based in a foreign country, a large global bank ' s audit team identifies an opportunity to use data analytics techniques to identify abnormal payments. Which of the following is the team ' s MOST important course of action?
Which of the following presents the GREATEST challenge to the alignment of business and IT?
Which of the following should be of GREATEST concern for an IS auditor reviewing an organization ' s disaster recovery plan (DRP)?
What should be the PRIMARY basis for selecting which IS audits to perform in the coming year?
In which of the following system development life cycle (SDLC) phases would an IS auditor expect to find that controls have been incorporated into system specifications?
When reviewing whether IT investments are meeting business objectives, which of the following evaluations would be MOST useful?
Upon completion of a penetration test with findings for an IT system, the NEXT step should be:
An IS auditor is reviewing an artificial intelligence (Al) and expert system application. The system has produced several critical errors with severe impact. Which of the following should the IS auditor do NEXT to understand the cause of the errors?
In a data center audit, an IS auditor finds that the humidity level is very low. The IS auditor would be MOST concerned because of an expected increase in:
An IS auditor who was instrumental in designing an application is called upon to review the application. The auditor should:
Which of the following should be of GREATEST concern to an IS auditor assessing the effectiveness of an organization ' s vulnerability scanning program ' '
A cloud access security broker (CASB) administers the user access of a Software as a Service {SaaS) on behalf of the customer organization. When conducting an audit of the service, which of the following is MOST important for the IS auditor to confirm?
Which of the following findings should be of GREATEST concern for an IS auditor when auditing the effectiveness of a phishing simu-lation test administered for staff members?
Which of the following is the BEST review for an IS auditor to conduct when a vulnerability has been exploited by an employee?
When auditing IT organizational structure, which of the following findings presents the GREATEST risk to an organization?
An IS auditor finds a segregation of duties issue in an enterprise resource planning (ERP) system. Which of the following is the BEST way to prevent the misconfiguration from recurring?
Which of the following controls is MOST important for ensuring the integrity of system interfaces?
Which of the following BEST enables the timely identification of risk exposure?
Which of the following is the MOST important consideration for a contingency facility?
Which of the following is MOST critical to the success of an information security program?
Which of the following would BEST protect the confidentiality of sensitive data in transit between multiple offices?