Weekend Certification Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: best70

CISA Certified Information Systems Auditor Questions and Answers

Questions 4

The PRIMARY advantage of object-oriented technology is enhanced:

Options:

A.

efficiency due to the re-use of elements of logic.

B.

management of sequential program execution for data access.

C.

grouping of objects into methods for data access.

D.

management of a restricted variety of data types for a data object.

Buy Now
Questions 5

Which of the following BEST indicates that an incident management process is effective?

Options:

A.

Decreased number of calls to the help desk

B.

Decreased time for incident resolution

C.

Increased number of incidents reviewed by IT management

D.

Increased number of reported critical incidents

Buy Now
Questions 6

Which of the following is the MOST effective control to mitigate against the risk of inappropriate activity by employees?

Options:

A.

User activity monitoring

B.

Two-factor authentication

C.

Network segmentation

D.

Access recertification

Buy Now
Questions 7

A proper audit trail of changes to server start-up procedures would include evidence of:

Options:

A.

subsystem structure.

B.

program execution.

C.

security control options.

D.

operator overrides.

Buy Now
Questions 8

In the development of a new financial application, the IS auditor ' s FIRST involvement should be in the:

Options:

A.

control design.

B.

feasibility study.

C.

application design.

D.

system test.

Buy Now
Questions 9

Which of the following should be done FIRST to ensure the secure configuration of new IT assets in an organization?

Options:

A.

Identify and remediate vulnerabilities before deploying new IT assets.

B.

Define and implement hardening standards.

C.

Scan new IT assets for security vulnerabilities.

D.

Purchase security tools to configure new IT assets.

Buy Now
Questions 10

Which of the following is the PRIMARY purpose of batch processing monitoring?

Options:

A.

To comply with security standards

B.

To summarize the batch processing reporting

C.

To log error events in batch processing

D.

To prevent an incident that may result from batch failure

Buy Now
Questions 11

Which of the following is MOST important to determine during the planning phase of a cloud-based messaging and collaboration platform acquisition?

Options:

A.

Role-based access control policies

B.

Types of data that can be uploaded to the platform

C.

Processes for on-boarding and off-boarding users to the platform

D.

Processes for reviewing administrator activity

Buy Now
Questions 12

If a source code is not recompiled when program changes are implemented, which of the following is a compensating control to ensure synchronization of source and object?

Options:

A.

Comparison of object and executable code

B.

Review of audit trail of compile dates

C.

Comparison of date stamping of source and object code

D.

Review of developer comments in executable code

Buy Now
Questions 13

Which of the following BEST guards against the risk of attack by hackers?

Options:

A.

Tunneling

B.

Encryption

C.

Message validation

D.

Firewalls

Buy Now
Questions 14

Which of the following is MOST useful for determining whether the goals of IT are aligned with the organization ' s goals?

Options:

A.

Balanced scorecard

B.

Enterprise dashboard

C.

Enterprise architecture (EA)

D.

Key performance indicators (KPIs)

Buy Now
Questions 15

An IT strategic plan that BEST leverages IT in achieving organizational goals will include:

Options:

A.

a comparison of future needs against current capabilities.

B.

a risk-based ranking of projects.

C.

enterprise architecture (EA) impacts.

D.

IT budgets linked to the organization ' s budget.

Buy Now
Questions 16

Which of the following is the BEST way to ensure email confidentiality in transit?

Options:

A.

Encryption of corporate network traffic

B.

Complex user passwords

C.

End-to-end encryption

D.

Digital signatures

Buy Now
Questions 17

An IS auditor learns the organization has experienced several server failures in its distributed environment. Which of the following is the BEST recommendation to limit the potential impact of server failures in the future?

Options:

A.

Redundant pathways

B.

Clustering

C.

Failover power

D.

Parallel testing

Buy Now
Questions 18

The PRIMARY reason to assign data ownership for protection of data is to establish:

Options:

A.

reliability.

B.

traceability.

C.

authority,

D.

accountability.

Buy Now
Questions 19

Which of the following is an example of shadow IT?

Options:

A.

An employee using a cloud based order management tool without approval from IT

B.

An employee using a company provided laptop to access personal banking information

C.

An employee using personal email to communicate with clients without approval from IT

D.

An employee using a company-provided tablet to access social media during work hours

Buy Now
Questions 20

Which of the following BEST enables an IS auditor to combine and compare access control lists from various applications and devices?

Options:

A.

Integrated test facility (ITF)

B.

Snapshots

C.

Data analytics

D.

Audit hooks

Buy Now
Questions 21

Which of the following BEST helps to ensure data integrity across system interfaces?

Options:

A.

Environment segregation

B.

Reconciliation

C.

System backups

D.

Access controls

Buy Now
Questions 22

Which of the following controls is BEST implemented through system configuration?

Network user accounts for temporary workers expire after 90 days.

Application user access is reviewed every 180 days for appropriateness.

Financial data in key reports is traced to source systems for completeness and accuracy.

Options:

A.

Computer operations personnel initiate batch processing jobs daily.

Buy Now
Questions 23

Which of the following is the GREATEST risk if two users have concurrent access to the same database record?

Options:

A.

Availability integrity

B.

Data integrity

C.

Entity integrity

D.

Referential integrity

Buy Now
Questions 24

Management is concerned about sensitive information being intentionally or unintentionally emailed as attachments outside the organization by employees. What is the MOST important task before implementing any associated email controls?

Options:

A.

Require all employees to sign nondisclosure agreements (NDAs).

B.

Develop an acceptable use policy for end-user computing (EUC).

C.

Develop an information classification scheme.

D.

Provide notification to employees about possible email monitoring.

Buy Now
Questions 25

An IS auditor has discovered that a software system still in regular use is years out of date and no longer supported. The auditee has stated that it will take six months until the software is running on the current version. Which of the following is the BEST way to reduce the immediate risk associated with using an unsupported version of the software?

Options:

A.

Verify all patches have been applied to the software system ' s outdated version.

B.

Close all unused ports on the outdated software system.

C.

Monitor network traffic attempting to reach the outdated software system.

D.

Segregate the outdated software system from the main network.

Buy Now
Questions 26

Which of the following observations regarding change management should be considered the MOST serious risk by an IS auditor?

Options:

A.

There is no software used to track change management.

B.

The change is not approved by the business owners.

C.

The change is deployed two weeks after approval.

D.

The development of the change is not cost-effective.

Buy Now
Questions 27

In an annual audit cycle, the audit of an organization ' s IT department resulted in many findings. Which of the following would be the MOST important consideration when planning the next audit?

Options:

A.

Postponing the review until all of the findings have been rectified

B.

Limiting the review to the deficient areas

C.

Verifying that all recommendations have been implemented

D.

Following up on the status of all recommendations

Buy Now
Questions 28

An organization is disposing of a system containing sensitive data and has deleted all files from the hard disk. An IS auditor should be concerned because:

Options:

A.

deleted data cannot easily be retrieved.

B.

deleting the files logically does not overwrite the files ' physical data.

C.

backup copies of files were not deleted as well.

D.

deleting all files separately is not as efficient as formatting the hard disk.

Buy Now
Questions 29

An IS auditor has been asked to advise on measures to improve IT governance within the organization. Which of the following IS the BEST recommendation?

Options:

A.

Benchmark organizational performance against industry peers

B.

Implement key performance indicators (KPIs).

C.

Require executive management to draft IT strategy

D.

Implement annual third-party audits.

Buy Now
Questions 30

Which of the following is the BEST control lo mitigate attacks that redirect Internet traffic to an unauthorized website?

Options:

A.

Utilize a network-based firewall.

B.

Conduct regular user security awareness training.

C.

Perform domain name system (DNS) server security hardening.

D.

Enforce a strong password policy meeting complexity requirement.

Buy Now
Questions 31

Which of the following control measures is the MOST effective against unauthorized access of confidential information on stolen or lost laptops?

Options:

A.

Remote wipe capabilities

B.

Disk encryption

C.

User awareness

D.

Password-protected files

Buy Now
Questions 32

Which of the following is the BEST control to mitigate the malware risk associated with an instant messaging (IM) system?

Options:

A.

Blocking attachments in IM

B.

Blocking external IM traffic

C.

Allowing only corporate IM solutions

D.

Encrypting IM traffic

Buy Now
Questions 33

If a recent release of a program has to be backed out of production, the corresponding changes within the delta version of the code should be:

Options:

A.

filed in production for future reference in researching the problem.

B.

applied to the source code that reflects the version in production.

C.

eliminated from the source code that reflects the version in production.

D.

reinstalled when replacing the version back into production.

Buy Now
Questions 34

An IS auditor is asked to provide feedback on the systems options analysis for a new project. The BEST course of action for the IS auditor would be to:

Options:

A.

Identify the best alternative.

B.

Retain comments as findings for the audit report.

C.

Comment on the criteria used to assess the alternatives.

D.

Request at least one other alternative.

Buy Now
Questions 35

A job is scheduled to transfer data from a transactional system database to a data lake for reporting purposes. Which of the following would be of GREATEST concern to an IS auditor?

Options:

A.

The inventory of scheduled jobs is not periodically reviewed

B.

Automated support ticket creation has not been implemented for job failures and errors

C.

Access to scheduling changes is restricted to job operators

D.

Notification alerts are configured to be sent to a support distribution group

Buy Now
Questions 36

Which of the following is MOST important for an IS auditor to examine when reviewing an organization ' s privacy policy?

Options:

A.

Whether there is explicit permission from regulators to collect personal data

B.

The organization ' s legitimate purpose for collecting personal data

C.

Whether sharing of personal information with third-party service providers is prohibited

D.

The encryption mechanism selected by the organization for protecting personal data

Buy Now
Questions 37

Which of the following provides the GREATEST assurance that a middleware application compiling data from multiple sales transaction databases for forecasting is operating effectively?

Options:

A.

Continuous auditing

B.

Manual checks

C.

Exception reporting

D.

Automated reconciliations

Buy Now
Questions 38

Which of the following is the PRIMARY objective of data loss prevention (DLP) mechanisms?

Options:

A.

Enhancing system performance while safeguarding against data loss

B.

Automating data loss recovery procedures to minimize downtime in case of incidents

C.

Protecting against unauthorized transmissions or disclosure of sensitive data

D.

Ensuring compliance with regulatory requirements for data protection

Buy Now
Questions 39

Which of the following is the MOST important consideration when developing tabletop exercises within a cybersecurity incident response plan?

Options:

A.

Ensure participants are selected from all cross-functional units in the organization.

B.

Create exercises that are challenging enough to prove inadequacies in the current incident response plan.

C.

Ensure the incident response team will have enough distractions to simulate real-life situations.

D.

Identify the scope and scenarios that are relevant to current threats faced by the organization.

Buy Now
Questions 40

To help determine whether a controls-reliant approach to auditing financial systems in a company should be used, which sequence of IS audit work is MOST appropriate?

Options:

A.

Review of the general IS controls followed by a review of the application controls

B.

Detailed examination of financial transactions followed by review of the general ledger

C.

Review of major financial applications followed by a review of IT governance processes

D.

Review of application controls followed by a test of key business process controls

Buy Now
Questions 41

An organization ' s IT risk assessment should include the identification of:

Options:

A.

vulnerabilities

B.

compensating controls

C.

business needs

D.

business process owners

Buy Now
Questions 42

A new system development project is running late against a critical implementation deadline. Which of the following is the MOST important activity?

Options:

A.

Ensure that code has been reviewed.

B.

Perform user acceptance testing (UAT).

C.

Document last-minute enhancements.

D.

Perform a pre-implementation audit.

Buy Now
Questions 43

How does public key infrastructure (PKI) help to verify that a digitally signed document is not a forgery?

Options:

A.

By decrypting the signature with the signer’s public key

B.

By verifying the signature with the signer’s private key

C.

By checking the signature against the receiver’s public key

D.

By checking the signed document’s audit history

Buy Now
Questions 44

Which of the following is the BEST way to address separation of duties issues in an organization with budget constraints?

Options:

A.

Hire temporary staff.

B.

Perform an independent audit.

C.

Rotate job duties periodically.

D.

Implement compensating controls.

Buy Now
Questions 45

A network analyst is monitoring the network after hours and detects activity that appears to be a brute-force attempt to compromise a critical server. After reviewing the alerts to ensure their accuracy, what should be done NEXT?

Options:

A.

Perform a root cause analysis.

B.

Document all steps taken in a written report.

C.

Isolate the affected system.

D.

Invoke the incident response plan.

Buy Now
Questions 46

When designing metrics for information security, the MOST important consideration is that the metrics:

Options:

A.

conform to industry standards.

B.

apply to all business units.

C.

provide actionable data.

D.

are easy to understand.

Buy Now
Questions 47

Which of the following is the BEST method to safeguard data on an organization ' s laptop computers?

Options:

A.

Disabled USB ports

B.

Full disk encryption

C.

Multi-factor authentication (MFA)

D.

Passkey phrases

Buy Now
Questions 48

The BEST way to determine whether programmers have permission to alter data in the production environment is by reviewing:

Options:

A.

The access rights that have been granted.

B.

How the latest system changes were implemented.

C.

The access control system’s configuration.

D.

The access control system’s log settings.

Buy Now
Questions 49

What is the FIRST step when creating a data classification program?

Options:

A.

Categorize and prioritize data.

B.

Develop data process maps.

C.

Categorize information by owner.

D.

Develop a policy.

Buy Now
Questions 50

During the review of a system disruption incident, an IS auditor notes that IT support staff were put in a position to make decisions beyond their level of authority.

Which of the following is the BEST recommendation to help prevent this situation in the future?

Options:

A.

Introduce escalation protocols.

B.

Develop a competency matrix.

C.

Implement fallback options.

D.

Enable an emergency access ID.

Buy Now
Questions 51

An IS auditor discovers that a developer has used the same key to grant access to multiple applications making calls to an application programming interface (API). Which of the following is the BEST recommendation to address this situation?

Options:

A.

Replace the API key with time-limited tokens that grant least privilege access.

B.

Authorize the API key to allow read-only access by all applications.

C.

Implement a process to expire the API key after a previously agreed-upon period of time.

D.

Coordinate an API key rotation exercise with all impacted application owners.

Buy Now
Questions 52

Which of the following applications should an IS auditor consider to be the HIGHEST priority when reviewing disaster recovery planning (DRP) tests for an commerce company?

Options:

A.

An application for IT performance monitoring

B.

An application for HR management

C.

An application for financial management

D.

An application for traffic load balancing

Buy Now
Questions 53

When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor ' s BEST recommendation is to place an intrusion detection system (IDS) between the firewall and:

Options:

A.

the organization ' s web server.

B.

the demilitarized zone (DMZ).

C.

the organization ' s network.

D.

the Internet

Buy Now
Questions 54

Which of the following is MOST important for an IS auditor to review when determining whether IT investments are providing value to tie business?

Options:

A.

Return on investment (ROI)

B.

Business strategy

C.

Business cases

D.

Total cost of ownership (TCO)

Buy Now
Questions 55

Which of the following is MOST appropriate to review when determining if the work completed on an IT project is in alignment with budgeted costs?

Options:

A.

Return on investment (ROI) analysis

B.

Earned value analysis (EVA)

C.

Financial value analysis

D.

Business impact analysis (BIA)

Buy Now
Questions 56

Having knowledge in which of the following areas is MOST relevant for an IS auditor reviewing public key infrastructure (PKI)?

Options:

A.

Design and application of key controls in public audit

B.

Security strategy in public cloud Infrastructure as a Service (IaaS)

C.

Modern encoding methods for digital communications

D.

Technology and process life cycle for digital certificates and key pairs

Buy Now
Questions 57

Which of the following is the MOST important course of action to ensure a cloud access security broker (CASB) effectively detects and responds to threats?

Options:

A.

Monitoring data movement

B.

Implementing a long-term CASB contract

C.

Reviewing the information security policy

D.

Evaluating firewall effectiveness

Buy Now
Questions 58

The PRIMARY reason to perform internal quality assurance (QA) for an internal audit function is to ensure:

Options:

A.

audit resources are used most effectively.

B.

internal audit activity conforms with audit standards and methodology.

C.

the audit function is adequately governed and meets performance metrics.

D.

inherent risk in audits is minimized.

Buy Now
Questions 59

Which of the following should an IS auditor be MOST concerned with during a post-implementation review?

Options:

A.

The system does not have a maintenance plan.

B.

The system contains several minor defects.

C.

The system deployment was delayed by three weeks.

D.

The system was over budget by 15%.

Buy Now
Questions 60

An IS auditor is examining a front-end subledger and a main ledger. Which of the following would be the GREATEST concern if there are flaws in the mapping of accounts between the two systems?

Options:

A.

Double-posting of a single journal entry

B.

Inability to support new business transactions

C.

Unauthorized alteration of account attributes

D.

Inaccuracy of financial reporting

Buy Now
Questions 61

Which of the following MOST effectively enables consistency across high-volume software changes ' ?

Options:

A.

The use of continuous integration and deployment pipelines

B.

Management reviews of detailed exception reports for released code

C.

Publication of a refreshed policy on development and release management

D.

An ongoing awareness campaign for software deployment best practices

Buy Now
Questions 62

Prior to a follow-up engagement, an IS auditor learns that management has decided to accept a level of residual risk related to an audit finding without remediation. The IS auditor is concerned about management ' s decision. Which of the following should be the IS auditor ' s NEXT course of action?

Options:

A.

Accept management ' s decision and continue the follow-up.

B.

Report the issue to IS audit management.

C.

Report the disagreement to the board.

D.

Present the issue to executive management.

Buy Now
Questions 63

In an organization ' s feasibility study to acquire hardware to support a new web server, omission of which of the following would be of MOST concern?

Options:

A.

Alternatives for financing the acquisition

B.

Financial stability of potential vendors

C.

Reputation of potential vendors

D.

Cost-benefit analysis of available products

Buy Now
Questions 64

Which of the following would be an IS auditor’s GREATEST concern when reviewing the configuration management process?

Options:

A.

Use of vendor-supplied baseline documents for configuration change processes.

B.

Lack of management approval for the configuration control process.

C.

Use of commercial software products to automate parts of the configuration management process.

D.

Lack of centralized system documentation for configuration change approvals.

Buy Now
Questions 65

What should an IS auditor do FIRST when management responses

to an in-person internal control questionnaire indicate a key internal

control is no longer effective?

Options:

A.

Determine the resources required to make the controleffective.

B.

Validate the overall effectiveness of the internal control.

C.

Verify the impact of the control no longer being effective.

D.

Ascertain the existence of other compensating controls.

Buy Now
Questions 66

An IS auditor is preparing a plan for audits to be carried out over a specified period. Which of the following activities should the IS auditor perform FIRST?

Options:

A.

Allocate audit resources.

B.

Prioritize risks.

C.

Review prior audit reports.

D.

Determine the audit universe.

Buy Now
Questions 67

In which of the following sampling methods is the entire sample considered to be irregular if a single error is found?

Options:

A.

Discovery sampling

B.

Variable sampling

C.

Stop-or-go sampling

D.

Judgmental sampling

Buy Now
Questions 68

A month after a company purchased and implemented system and performance monitoring software, reports were too large and therefore were not reviewed or acted upon The MOST effective plan of action would be to:

Options:

A.

evaluate replacement systems and performance monitoring software.

B.

restrict functionality of system monitoring software to security-related events.

C.

re-install the system and performance monitoring software.

D.

use analytical tools to produce exception reports from the system and performance monitoring software

Buy Now
Questions 69

Which of the following is the MAIN purpose of an information security management system?

Options:

A.

To identify and eliminate the root causes of information security incidents

B.

To enhance the impact of reports used to monitor information security incidents

C.

To keep information security policies and procedures up-to-date

D.

To reduce the frequency and impact of information security incidents

Buy Now
Questions 70

An IS auditor notes the transaction processing times in an order processing system have significantly increased after a major release. Which of the following should the IS auditor review FIRST?

Options:

A.

Capacity management plan

B.

Training plans

C.

Database conversion results

D.

Stress testing results

Buy Now
Questions 71

Which of the following would BEST enable an organization to address the security risks associated with a recently implemented bring your own device (BYOD) strategy?

Options:

A.

Mobile device tracking program

B.

Mobile device upgrade program

C.

Mobile device testing program

D.

Mobile device awareness program

Buy Now
Questions 72

Which of the following is a corrective control?

Options:

A.

Separating equipment development testing and production

B.

Verifying duplicate calculations in data processing

C.

Reviewing user access rights for segregation

D.

Executing emergency response plans

Buy Now
Questions 73

When developing customer-facing IT applications, in which stage of the system development life cycle (SDLC) is it MOST beneficial to consider data privacy principles?

Options:

A.

Systems design and architecture

B.

Software selection and acquisition

C.

User acceptance testing (UAT)

D.

Requirements definition

Buy Now
Questions 74

During the implementation of an upgraded enterprise resource planning (ERP) system, which of the following is the MOST important consideration for a go-live decision?

Options:

A.

Rollback strategy

B.

Test cases

C.

Post-implementation review objectives

D.

Business case

Buy Now
Questions 75

Which of the following issues associated with a data center ' s closed-circuit television (CCTV) surveillance cameras should be of MOST concern to an IS auditor?

Options:

A.

CCTV recordings are not regularly reviewed.

B.

CCTV cameras are not installed in break rooms

C.

CCTV records are deleted after one year.

D.

CCTV footage is not recorded 24 x 7.

Buy Now
Questions 76

Which of the following is an IS auditor ' s BEST recommendation to help an organization increase the efficiency of computing resources?

Options:

A.

Virtualization

B.

Hardware upgrades

C.

Overclocking the central processing unit (CPU)

D.

Real-time backups

Buy Now
Questions 77

Which of the following demonstrates the use of data analytics for a loan origination process?

Options:

A.

Evaluating whether loan records are included in the batch file and are validated by the servicing system

B.

Comparing a population of loans input in the origination system to loans booked on the servicing system

C.

Validating whether reconciliations between the two systems are performed and discrepancies are investigated

D.

Reviewing error handling controls to notify appropriate personnel in the event of a transmission failure

Buy Now
Questions 78

Which of following is MOST important to determine when conducting a post-implementation review?

Options:

A.

Whether the solution architecture compiles with IT standards

B.

Whether success criteria have been achieved

C.

Whether the project has been delivered within the approved budget

D.

Whether lessons teamed have been documented

Buy Now
Questions 79

Documentation of workaround processes to keep a business function operational during recovery of IT systems is a core part of a:

Options:

A.

business impact analysis (BIA).

B.

threat and risk assessment.

C.

business continuity plan (BCP).

D.

disaster recovery plan (DRP).

Buy Now
Questions 80

Which of the following should be of GREATEST concern to an IS auditor reviewing a terminated employee’s network access?

Options:

A.

The user account password is set to never expire.

B.

The last login to the user account was days after the last working date.

C.

The user account password was last changed more than 90 days ago.

D.

There is not a documented approval process to disable user accounts.

Buy Now
Questions 81

During an audit of a financial application, it was determined that many terminated users ' accounts were not disabled. Which of the following should be the IS auditor ' s NEXT step?

Options:

A.

Perform substantive testing of terminated users ' access rights.

B.

Perform a review of terminated users ' account activity

C.

Communicate risks to the application owner.

D.

Conclude that IT general controls ate ineffective.

Buy Now
Questions 82

Based on best practices, which types of accounts should be disabled for interactive login?

Options:

A.

Local accounts

B.

Administrator accounts

C.

Console accounts

D.

Service accounts

Buy Now
Questions 83

Which of the following is the PRIMARY benefit of monitoring IT operational logs?

Options:

A.

Detecting processing errors in a timely manner

B.

Identifying configuration flaws in operating systems

C.

Managing the usability and capacity of IT resources

D.

Generating exception reports to assess security compliance

Buy Now
Questions 84

Which of the following observations should be of MOST concern to an IS auditor reviewing an organization’s business impact analysis (BIA) practices?

Options:

A.

Resource dependencies for critical processes are not determined.

B.

Recovery objectives are identified without conducting risk assessments.

C.

A combination of questionnaires, workshops, and interviews is used.

D.

Outsourced business processes are excluded from the scope of the BIA.

Buy Now
Questions 85

Which of the following is the BEST detective control for a job scheduling process involving data transmission?

Options:

A.

Metrics denoting the volume of monthly job failures are reported and reviewed by senior management.

B.

Jobs are scheduled to be completed daily and data is transmitted using a Secure File Transfer Protocol (SFTP).

C.

Jobs are scheduled and a log of this activity is retained for subsequent review.

D.

Job failure alerts are automatically generated and routed to support personnel.

Buy Now
Questions 86

At the end of each business day, a business-critical application generates a report of financial transac-tions greater than a certain value, and an employee

then checks these transactions for errors. What type of control is in place?

Options:

A.

Detective

B.

Preventive

C.

Corrective

D.

Deterrent

Buy Now
Questions 87

External audits have identified recurring exceptions in the user termination process, despite similar internal audits having reported no exceptions in the past. Which of the following is the IS auditor ' s BEST course of action to improve the internal audit process in the future?

Options:

A.

Include the user termination process in all upcoming audits.

B.

Review user termination process changes.

C.

Review the internal audit sampling methodology.

D.

Review control self-assessment (CSA) results.

Buy Now
Questions 88

In a small IT web development company where developers must have write access to production, the BEST recommendation of an IS auditor would be to:

Options:

A.

hire another person to perform migration to production.

B.

implement continuous monitoring controls.

C.

remove production access from the developers.

D.

perform a user access review for the development team

Buy Now
Questions 89

Data centers that want to prevent unauthorized personnel from entering during a power outage should ensure external access doors:

Options:

A.

Have physical key backup.

B.

Operate in fail-safe mode.

C.

Operate in fail-secure mode.

D.

Are alarmed and monitored.

Buy Now
Questions 90

An IS auditor is reviewing the disaster recovery plan (DRP) of an organization with offices across multiple regions. Which of the following should be the auditor ' s PRIMARY focus?

Options:

A.

Recovery point objective (RPO) monitoring

B.

Processes and system dependencies

C.

Disaster recovery training

D.

Data backup and storage changes

Buy Now
Questions 91

An IS auditor is analyzing a sample of accounts payable transactions for a specific vendor and identifies one transaction with a value five times as high as the average transaction. Which of the following should the auditor do NEXT?

Options:

A.

Report the variance immediately to the audit committee

B.

Request an explanation of the variance from the auditee

C.

Increase the sample size to 100% of the population

D.

Exclude the transaction from the sample population

Buy Now
Questions 92

Which of the following BEST helps monitor and manage operational logs to create value for an organization?

Options:

A.

Using automated tools to collect logs and raise alerts based on use cases

B.

Reporting results of log analyses to senior management for review

C.

Selecting logs only from critical operational systems and devices for monitoring

D.

Encrypting logs processed before archiving for defined retention periods

Buy Now
Questions 93

What is the MOST effective way to manage contractors ' access to a data center?

Options:

A.

Badge identification worn by visitors

B.

Escort requirement for visitor access

C.

Management approval of visitor access

D.

Verification of visitor identification

Buy Now
Questions 94

While auditing a small organization ' s data classification processes and procedures, an IS auditor noticed that data is often classified at the incorrect level. What is the MOST effective way for the organization to improve this situation?

Options:

A.

Use automatic document classification based on content.

B.

Have IT security staff conduct targeted training for data owners.

C.

Publish the data classification policy on the corporate web portal.

D.

Conduct awareness presentations and seminars for information classification policies.

Buy Now
Questions 95

Which of the following is the PRIMARY function of an internal IS auditor when the organization acquires a new IT system to support its business strategy?

Options:

A.

Identifying significant IT errors and fraud

B.

Assessing system development life cycle (SDLC) controls

C.

Implementing risk and control gap mitigation

D.

Evaluating IT risk and controls

Buy Now
Questions 96

Which of the following would be MOST important to include in an IS audit report?

Options:

A.

Observations not reported as findings due to inadequate evidence

B.

The roadmap for addressing the various risk areas

C.

The level of unmitigated risk along with business impact

D.

Specific technology solutions for each audit observation

Buy Now
Questions 97

The GREATEST benefit of using a polo typing approach in software development is that it helps to:

Options:

A.

minimize scope changes to the system.

B.

decrease the time allocated for user testing and review.

C.

conceptualize and clarify requirements.

D.

Improve efficiency of quality assurance (QA) testing

Buy Now
Questions 98

An organization that processes credit card information employs a remote workforce. Which of the following is the MOST effective way to mitigate risk associated with data exfiltration?

Options:

A.

Require employees to sign acknowledgment of the data security policy.

B.

Deploy a data loss prevention (DLP) system.

C.

Enable a web application firewall (WAF) along with an intrusion detection system (IDS).

D.

Implement a security information and event management (SIEM) solution.

Buy Now
Questions 99

Which of the following should be the FIRST consideration when deciding whether data should be moved to a cloud provider for storage?

Options:

A.

Data storage costs

B.

Data classification

C.

Vendor cloud certification

D.

Service level agreements (SLAs)

Buy Now
Questions 100

The PRIMARY objective of a control self-assessment (CSA) is to:

Options:

A.

educate functional areas on risks and controls.

B.

ensure appropriate access controls are implemented.

C.

eliminate the audit risk by leveraging management ' s analysis.

D.

gain assurance for business functions that cannot be audited.

Buy Now
Questions 101

Which of the following would be of MOST concern to an IS auditor reviewing a data loss prevention (DLP) solution implementation for endpoints?

Options:

A.

The DLP solution does not support all types of servers.

B.

The solution has been implemented in blocking mode prior to performing tuning.

C.

The organization has never finished tuning the solution.

D.

The solution does not prevent data leakage because it is still in the monitoring phase.

Buy Now
Questions 102

Which of the following BEST enables an organization to determine the effectiveness of its information security awareness program?

Options:

A.

Measuring user satisfaction with the quality of the training

B.

Evaluating the results of a social engineering exercise

C.

Reviewing security staff performance evaluations

D.

Performing an analysis of the number of help desk calls

Buy Now
Questions 103

How is nonrepudiation supported within a public key infrastructure (PKI) environment?

Options:

A.

Through the use of elliptical curve cryptography on transmitted messages

B.

Through the use of a certificate issued by a certificate authority (CA)

C.

Through the use of private keys to decrypt data received by a user

D.

Through the use of enterprise key management systems

Buy Now
Questions 104

The PRIMARY role of a control self-assessment (CSA) facilitator is to:

Options:

A.

conduct interviews to gain background information.

B.

focus the team on internal controls.

C.

report on the internal control weaknesses.

D.

provide solutions for control weaknesses.

Buy Now
Questions 105

Which of the following is the BEST way to determine the adequacy of controls for detecting inappropriate network activity in an organization?

Options:

A.

Reviewing SIEM reports of suspicious events in a timely manner

B.

Reviewing business application logs on a regular basis

C.

Troubleshooting connectivity issues routinely

D.

Installing a packet filtering firewall to block malicious traffic

Buy Now
Questions 106

Which of the following MUST be completed as part of the annual audit planning process?

Options:

A.

Business impact analysis (BIA)

B.

Fieldwork

C.

Risk assessment

D.

Risk control matrix

Buy Now
Questions 107

Which of the following would be the MOST significant finding when reviewing a data backup process?

Options:

A.

Recovery testing is not performed.

B.

The data backup process is not documented.

C.

Tapes are not consistently rotated offsite.

D.

The key to the data safe is kept by the backup administrator.

Buy Now
Questions 108

Which of the following BEST facilitates the successful implementation of IT performance monitoring?

Options:

A.

Determining goals for IT resources and processes

B.

Identifying tools to automate performance measurement

C.

Establishing templates for periodic reporting to management

D.

Adopting global standards and measurement norms

Buy Now
Questions 109

Which of the following BEST demonstrates to senior management and the board that an audit function is compliant with standards and the code of ethics?

Options:

A.

Audit staff interviews

B.

Quality control reviews

C.

Control self-assessments (CSAs)

D.

Corrective action plans

Buy Now
Questions 110

Which of the following is MOST important for the successful establishment of a security vulnerability management program?

Options:

A.

A robust tabletop exercise plan

B.

A comprehensive asset inventory

C.

A tested incident response plan

D.

An approved patching policy

Buy Now
Questions 111

An IT governance body wants to determine whether IT service delivery is based on consistently effective processes. Which of the following is the BEST approach?

Options:

A.

Evaluate key performance indicators (KPIs).

B.

Conduct a gap analysis.

C.

Develop a maturity model.

D.

Implement a control self-assessment (CSA).

Buy Now
Questions 112

Which of the following risk scenarios is BEST mitigated through the use of a data loss prevention (DLP) tool?

Options:

A.

An employee is sending company documents to an external email to increase productivity.

B.

A former employee retains access to an application that authenticates via single sign-on < SSO).

C.

An employee uses production data in a test environment.

D.

An employee selects the incorrect data classification on documents.

Buy Now
Questions 113

Which of the following is MOST important to verify when determining the completeness of the vulnerability scanning process?

Options:

A.

The organization ' s systems inventory is kept up to date.

B.

Vulnerability scanning results are reported to the CISO.

C.

The organization is using a cloud-hosted scanning tool for Identification of vulnerabilities

D.

Access to the vulnerability scanning tool is periodically reviewed

Buy Now
Questions 114

Which of the following is the MOST likely root cause of shadow IT in an organization?

Options:

A.

Lengthy approval for technology investment

B.

The opportunity to reduce software license fees

C.

Ease of use for cloud-based applications and services

D.

Approved software not meeting user requirements

Buy Now
Questions 115

What is the BEST control to address SQL injection vulnerabilities?

Options:

A.

Unicode translation

B.

Secure Sockets Layer (SSL) encryption

C.

Input validation

D.

Digital signatures

Buy Now
Questions 116

Which of the following is an example of a preventive control for physical access?

Options:

A.

Keeping log entries for all visitors to the building

B.

Implementing a fingerprint-based access control system for the building

C.

Installing closed-circuit television (CCTV) cameras for all ingress and egress points

D.

Implementing a centralized logging server to record instances of staff logging into workstations

Buy Now
Questions 117

An organization offers an e-commerce platform that allows consumer-to-consumer transactions. The platform now uses blockchain technology to ensure the parties are unable to deny the transactions. Which of the following attributes BEST describes the risk element that this technology is addressing?

Options:

A.

Integrity

B.

Nonrepudiation

C.

Confidentiality

D.

Availability

Buy Now
Questions 118

An IS auditor is reviewing the system development practices of an organization that is about to move from a Waterfall to an Agile approach. Which of the following is MOST important for the auditor to focus on as a result of this move?

Options:

A.

Secure code review

B.

Release management

C.

Capacity planning

D.

Code documentation

Buy Now
Questions 119

Which of the following is MOST important to consider when scheduling follow-up audits?

Options:

A.

The efforts required for independent verification with new auditors

B.

The impact if corrective actions are not taken

C.

The amount of time the auditee has agreed to spend with auditors

D.

Controls and detection risks related to the observations

Buy Now
Questions 120

Which of the following MUST be performed by senior audit leadership prior to starting an IS audit project?

Options:

A.

Attend planning walkthroughs.

B.

Meet with auditee leadership.

C.

Review audit planning documents.

D.

Sign off on the audit scope.

Buy Now
Questions 121

A global bank plans to use a cloud provider for backup of customer financial data. Which of the following should be the PRIMARY focus of this project?

Options:

A.

Backup testing schedule

B.

Data retention policy

C.

Transfer frequency

D.

Data confidentiality

Buy Now
Questions 122

An IS auditor notes that IT and the business have different opinions on the availability of their application servers. Which of the following should the IS auditor review FIRST in order to understand the problem?

Options:

A.

The exact definition of the service levels and their measurement

B.

The alerting and measurement process on the application servers

C.

The actual availability of the servers as part of a substantive test

D.

The regular performance-reporting documentation

Buy Now
Questions 123

Management has agreed to move the organization ' s data center due to recent flood map changes in its current location. Which risk response has been adopted?

Options:

A.

Risk elimination

B.

Risk transfer

C.

Risk acceptance

D.

Risk avoidance

Buy Now
Questions 124

Afire alarm system has been installed in the computer room The MOST effective location for the fire alarm control panel would be inside the

Options:

A.

computer room closest to the uninterruptible power supply (UPS) module

B.

computer room closest to the server computers

C.

system administrators’ office

D.

booth used by the building security personnel

Buy Now
Questions 125

Which of the following is MOST likely to be reduced when implementing optimal risk management strategies?

Options:

A.

Sampling risk

B.

Residual risk

C.

Inherent risk

D.

Detection risk

Buy Now
Questions 126

Which of the following is MOST important for an IS auditor to assess during a post-implementation review of a newly modified IT application developed in-house?

Options:

A.

Sufficiency of implemented controls

B.

Resource management plan

C.

Updates required for end-user manuals

D.

Rollback plans for changes

Buy Now
Questions 127

An IS auditor is reviewing the installation of a new server. The IS auditor ' s PRIMARY objective is to ensure that

Options:

A.

security parameters are set in accordance with the manufacturer s standards.

B.

a detailed business case was formally approved prior to the purchase.

C.

security parameters are set in accordance with the organization ' s policies.

D.

the procurement project invited lenders from at least three different suppliers.

Buy Now
Questions 128

Which of the following security measures will reduce the risk of propagation when a cyberattack occurs?

Options:

A.

Perimeter firewall

B.

Data loss prevention (DLP) system

C.

Web application firewall

D.

Network segmentation

Buy Now
Questions 129

An IT balanced scorecard is PRIMARILY used for:

Options:

A.

evaluating the IT project portfolio

B.

measuring IT strategic performance

C.

allocating IT budget and resources

D.

monitoring risk in lT-related processes

Buy Now
Questions 130

During a disaster recovery audit, an IS auditor finds that a business impact analysis (BIA) has not been performed. The auditor should FIRST

Options:

A.

perform a business impact analysis (BIA).

B.

issue an intermediate report to management.

C.

evaluate the impact on current disaster recovery capability.

D.

conduct additional compliance testing.

Buy Now
Questions 131

Which of the following is the MOST important benefit of involving IS audit when implementing governance of enterprise IT?

Options:

A.

Identifying relevant roles for an enterprise IT governance framework

B.

Making decisions regarding risk response and monitoring of residual risk

C.

Verifying that legal, regulatory, and contractual requirements are being met

D.

Providing independent and objective feedback to facilitate improvement of IT processes

Buy Now
Questions 132

In continuous delivery, the critical connector between development and production is:

Options:

A.

Release management.

B.

Log management.

C.

DevOps.

D.

Data management.

Buy Now
Questions 133

An IS auditor is reviewing a machine learning model that predicts the likelihood that a user will watch a certain movie. Which of the following would be of GREATEST concern to the auditor?

Options:

A.

When the model was tested with data drawn from a different population, the accuracy decreased.

B.

The data set for training the model was obtained from an unreliable source.

C.

An open-source programming language was used to develop the model.

D.

The model was tested with data drawn from the same population as the training data.

Buy Now
Questions 134

Which of the following should be the PRIMARY focus when communicating an IS audit issue to management?

Options:

A.

The risk to which the organization is exposed due to the issue

B.

The nature, extent, and timing of subsequent audit follow-up

C.

How the issue was found and who bears responsibility

D.

A detailed solution for resolving the issue

Buy Now
Questions 135

An IS auditor wants to determine who has oversight of staff performing a specific task and is referencing the organization ' s RACI chart. Which of the following roles within the chart would provide this information?

Options:

A.

Consulted

B.

Informed

C.

Responsible

D.

Accountable

Buy Now
Questions 136

Which of the following is the BEST justification for deferring remediation testing until the next audit?

Options:

A.

The auditor who conducted the audit and agreed with the timeline has left the organization.

B.

Management ' s planned actions are sufficient given the relative importance of the observations.

C.

Auditee management has accepted all observations reported by the auditor.

D.

The audit environment has changed significantly.

Buy Now
Questions 137

Which of the following should be an IS auditor ' s GREATEST concern when assessing an IT service configuration database?

Options:

A.

The database is read-accessible for all users.

B.

The database is write-accessible for all users.

C.

The database is not encrypted at rest.

D.

The database is executable for all users.

Buy Now
Questions 138

Which of the following should be the GREATEST concern for an IS auditor performing a post-implementation review for a major system upgrade?

Options:

A.

Changes are promoted to production by the development group.

B.

Object code can be accessed by the development group.

C.

Developers have access to the testing environment.

D.

Change approvals are not formally documented.

Buy Now
Questions 139

Providing security certification for a new system should include which of the following prior to the system ' s implementation?

Options:

A.

End-user authorization to use the system in production

B.

External audit sign-off on financial controls

C.

Testing of the system within the production environment

D.

An evaluation of the configuration management practices

Buy Now
Questions 140

Which of the following is the BEST way to identify key areas for a risk-based audit plan?

Options:

A.

Review peer benchmarking results.

B.

Review open issues from recent audit reports.

C.

Interview relevant stakeholders in the business.

D.

Conduct a risk survey with the CIO.

Buy Now
Questions 141

Which of the following should be the PRIMARY purpose of conducting tabletop exercises when re-viewing a security incident response plan?

Options:

A.

To provide efficiencies for alignment with incident response test scenarios

B.

To determine process improvement options for the incident response plan

C.

To gather documentation for responding to security audit inquiries

D.

To confirm that technology is in place to support the incident response plan

Buy Now
Questions 142

Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system. Which of the following is the IS auditor ' s BEST recommendation for a compensating control?

Options:

A.

Require written authorization for all payment transactions

B.

Restrict payment authorization to senior staff members.

C.

Reconcile payment transactions with invoices.

D.

Review payment transaction history

Buy Now
Questions 143

Which of the following should be the FIRST step when planning an IS audit of a third-party service provider that monitors network activities?

Options:

A.

Review the third party ' s monitoring logs and incident handling

B.

Review the roles and responsibilities of the third-party provider

C.

Evaluate the organization ' s third-party monitoring process

D.

Determine if the organization has a secure connection to the provider

Buy Now
Questions 144

An IS auditor is reviewing how password resets are performed for users working remotely. Which type of documentation should be requested to understand the detailed steps required for this activity?

Options:

A.

Standards

B.

Guidelines

C.

Policies

D.

Procedures

Buy Now
Questions 145

Which of the following is MOST important when planning a network audit?

Options:

A.

Determination of IP range in use

B.

Analysis of traffic content

C.

Isolation of rogue access points

D.

Identification of existing nodes

Buy Now
Questions 146

Which of the following is the GREATEST risk associated with lack of IT involvement in the organization ' s strategic planning initiatives?

Options:

A.

Business strategies may not align with IT capabilities.

B.

Business strategies may not consider emerging technologies.

C.

IT strategies may not align with business strategies.

D.

IT strategic goals may not be considered by the business.

Buy Now
Questions 147

Which of the following is the MOST important factor when an organization is developing information security policies and procedures?

Options:

A.

Consultation with security staff

B.

Inclusion of mission and objectives

C.

Compliance with relevant regulations

D.

Alignment with an information security framework

Buy Now
Questions 148

Which of the following is the BEST source of information to determine the required level of data protection on a file server?

Options:

A.

Data classification policy and procedures

B.

Access rights of similar file servers

C.

Previous data breach incident reports

D.

Acceptable use policy and privacy statements

Buy Now
Questions 149

In response to an audit finding regarding a payroll application, management implemented a new automated control. Which of the following would be MOST helpful to the IS auditor when evaluating the effectiveness of the new control?

Options:

A.

Approved test scripts and results prior to implementation

B.

Written procedures defining processes and controls

C.

Approved project scope document

D.

A review of tabletop exercise results

Buy Now
Questions 150

Which of the following is the BEST reason to implement a configuration management database (CMDB)?

Options:

A.

To store licenses for software configuration items

B.

To provide real-time network monitoring of configuration items

C.

To track the physical location of configuration items

D.

To document relationships between configuration items

Buy Now
Questions 151

An organization has implemented a distributed security administration system to replace the previous centralized one. Which of the following presents the GREATEST potential concern?

Options:

A.

Security procedures may be inadequate to support the change

B.

A distributed security system is inherently a weak security system

C.

End-user acceptance of the new system may be difficult to obtain

D.

The new system will require additional resources

Buy Now
Questions 152

Which of the following is MOST important to include in security awareness training?

Options:

A.

How to respond to various types of suspicious activity

B.

The importance of complex passwords

C.

Descriptions of the organization ' s security infrastructure

D.

Contact information for the organization ' s security team

Buy Now
Questions 153

During the implementation of an enterprise resource planning (ERP) system, an IS auditor is reviewing the results of user acceptance testing (UAT). Which of the following should be the auditor’s PRIMARY focus?

Options:

A.

Confirm that all errors have been communicated to end users.

B.

Determine if the business process owner has signed off on the results.

C.

Verify that system integration testing was performed.

D.

Determine if application interfaces have been satisfactorily tested.

Buy Now
Questions 154

An organization has decided to purchase a web-based email service from a third-party vendor and eliminate its own email server infrastructure. What type of cloud computing environment would BEST meet the organization ' s objective?

Options:

A.

Platform as a Service (PaaS)

B.

Software as a Service (SaaS)

C.

Database as a Service (DBaaS)

D.

Infrastructure as a Service (laaS)

Buy Now
Questions 155

A now regulation requires organizations to report significant security incidents to the regulator within 24 hours of identification. Which of the following is the IS auditor’s BEST recommendation to facilitate compliance with the regulation?

Options:

A.

Establish key performance indicators (KPls) for timely identification of security incidents.

B.

Engage an external security incident response expert for incident handling.

C.

Enhance the alert functionality of the intrusion detection system (IDS).

D.

Include the requirement in the incident management response plan.

Buy Now
Questions 156

Which of the following are examples of corrective controls?

Options:

A.

Implementing separation of duties and hash totals

B.

Performing internal audit reviews and remediation activities

C.

Applying rollback scripts and backup procedures

D.

Enforcing disciplinary action and termination procedures

Buy Now
Questions 157

The process of applying a hash function to a message and obtaining and ciphering a digest refers to:

Options:

A.

digital certificates.

B.

digital signatures.

C.

public key infrastructure (PKI).

D.

authentication.

Buy Now
Questions 158

Which of the following information security requirements BE ST enables the tracking of organizational data in a bring your own device (BYOD) environment?

Options:

A.

Employees must immediately report lost or stolen mobile devices containing organizational data

B.

Employees must sign acknowledgment of the organization ' s mobile device acceptable use policy

C.

Employees must enroll their personal devices in the organization ' s mobile device management program

Buy Now
Questions 159

Which of the following provides the BE ST method for maintaining the security of corporate applications pushed to employee-owned mobile devices?

Options:

A.

Enabling remote data destruction capabilities

B.

Implementing mobile device management (MDM)

C.

Disabling unnecessary network connectivity options

D.

Requiring security awareness training for mobile users

Buy Now
Questions 160

The operations team of an organization has reported an IS security attack Which of the following should be the FIRST step for the security incident response team?

Options:

A.

Report results to management

B.

Document lessons learned

C.

Perform a damage assessment

D.

Prioritize resources for corrective action

Buy Now
Questions 161

Which of the following is the BEST way to identify whether the IT help desk is meeting service level agreements (SLAS)?

Options:

A.

Review exception reports

B.

Review IT staffing schedules.

C.

Analyze help desk ticket logs

D.

Conduct IT management interviews

Buy Now
Questions 162

An organization has alternative links in its wide area network (WAN) to provide redundancy. However, each time there is a problem with a link, network administrators have to update the configuration to divert traffic to the other link. Which of the following would be an IS auditor ' s BEST recommendation?

Options:

A.

Reduce the number of alternative links.

B.

Implement a load-balancing mechanism.

C.

Configure a non-proprietary routing protocol.

D.

Implement an exterior routing protocol.

Buy Now
Questions 163

An organization is planning to implement a control self-assessment (CSA) program tor selected business processes Which of the following should be the role of the internal audit team for this program?

Options:

A.

De-scope business processes to be covered by CSAs from future audit plans.

B.

Design testing procedures for management to assess process controls effectively.

C.

Perform testing to validate the accuracy of management ' s self-assessment.

D.

Advise management on the self-assessment process.

Buy Now
Questions 164

When planning an internal penetration test, which of the following is the MOST important step prior to finalizing the scope of testing?

Options:

A.

Ensuring the scope of penetration testing is restricted to the test environment

B.

Obtaining management ' s consent to the testing scope in writing

C.

Notifying the IT security department regarding the testing scope

D.

Agreeing on systems to be excluded from the testing scope with the IT department

Buy Now
Questions 165

An IS auditor has discovered that a software system still in regular use is outdated and no longer supported. Which of the following is the BEST way to reduce the immediate risk associated with using an unsupported version of the software?

Options:

A.

Verify all patches have been applied to the outdated software system.

B.

Encrypt network traffic to the outdated software system.

C.

Isolate the outdated software system from the main network.

D.

Close all unused ports on the outdated software system.

Buy Now
Questions 166

The use of which of the following would BEST enhance a process improvement program?

Options:

A.

Model-based design notations

B.

Balanced scorecard

C.

Capability maturity models

D.

Project management methodologies

Buy Now
Questions 167

Which of the following is MOST important for an IS auditor to look

for in a project feasibility study?

Options:

A.

An assessment of whether requirements will be fully met

B.

An assessment indicating security controls will operateeffectively

C.

An assessment of whether the expected benefits can beachieved

D.

An assessment indicating the benefits will exceed the implement

Buy Now
Questions 168

Which of the following poses the GREATEST risk to an organization related to system interfaces?

Options:

A.

There is no process documentation for some system interfaces.

B.

Notifications of data transfers through the interfaces are not retained.

C.

Parts of the data transfer process are performed manually.

D.

There is no reliable inventory of system interfaces.

Buy Now
Questions 169

Which of the following can BEST reduce the impact of a long-term power failure?

Options:

A.

Power conditioning unit

B.

Emergency power-off switches

C.

Battery bank

D.

Redundant power source

Buy Now
Questions 170

Which of the following is the GREATEST concern when applying emergency patches?

Options:

A.

A change record may not be properly maintained.

B.

Temporary administrative permissions may be needed to apply patches.

C.

Patch-related risk may not be adequately assessed.

D.

Documented approvals may not be required before applying the emergency patch.

Buy Now
Questions 171

Which of the following should be given GREATEST consideration when implementing the use of an open-source product?

Options:

A.

Support

B.

Performance

C.

Confidentiality

D.

Usability

Buy Now
Questions 172

An IS auditor is reviewing a bank ' s service level agreement (SLA) with a third-party provider that hosts the bank ' s secondary data center, which of the following findings should be of GREATEST concern to the auditor?

Options:

A.

The recovery time objective (RTO) has a longer duration than documented in the disaster recovery plan (ORP).

B.

The SLA has not been reviewed in more than a year.

C.

Backup data is hosted online only.

D.

The recovery point objective (RPO) has a shorter duration than documented in the disaster recovery plan (DRP).

Buy Now
Questions 173

During planning for a cloud service audit, audit management becomes aware that the assigned IS auditor is unfamiliar with the technologies in use and their associated risks to the business. To ensure audit quality, which of the following actions should audit management consider FIRST?

Options:

A.

Conduct a follow-up audit after a suitable period has elapsed.

B.

Reschedule the audit assignment for the next financial year.

C.

Reassign the audit to an internal audit subject matter expert.

D.

Extend the duration of the audit to give the auditor more time.

Buy Now
Questions 174

An IS auditor reviewing an organization’s online payment system finds that the system sometimes duplicates payments. Which control will BEST compensate for this weakness?

Options:

A.

Using hash totals

B.

Performing a bank reconciliation

C.

Manually receipting payments

D.

Using control totals

Buy Now
Questions 175

An IS audit review identifies inconsistencies in privacy requirements across third-party service provider contracts. Which of the following is the BEST

recommendation to address this situation?

Options:

A.

Suspend contracts with third-party providers that handle sensitive data.

B.

Prioritize contract amendments for third-party providers.

C.

Review privacy requirements when contracts come up for renewal.

D.

Require third-party providers to sign nondisclosure agreements (NDAs).

Buy Now
Questions 176

Internal audit is evaluating an organization’s IT portfolio management. Which of the following would be the BEST recommendation for prioritizing the funding of IT projects?

Options:

A.

Direct funds toward projects that reduce the organization’s technology risk exposure.

B.

Group projects with common themes into portfolios and assess them against strategic objectives.

C.

Direct funds toward projects that increase the availability of the organization’s technology infrastructure.

D.

Group projects into portfolios based on their potential to increase market share and reduce costs.

Buy Now
Questions 177

Which of the following is the MOST effective way to validate that the quality of IS audits is maintained?

Options:

A.

Engage a third party to conduct regular quality assurance (QA) reviews.

B.

Conduct control self-assessments (CSAs) with IT management.

C.

Introduce a metrics dashboard for internal audit.

D.

Include quality metrics in audit staff annual performance evaluations.

Buy Now
Questions 178

Which of the following technologies is BEST suited to fulfill a business requirement for nonrepudiation of business-to-business transactions with external parties without the need for a mutually trusted entity?

Options:

A.

Public key infrastructure (PKI)

B.

Blockchain distributed ledger

C.

Artificial intelligence (Al)

D.

Centralized ledger technology

Buy Now
Questions 179

During an audit which of the following would be MOST helpful in establishing a baseline for measuring data quality?

Options:

A.

Input from customers

B.

Industry standard business definitions

C.

Validation of rules by the business

D.

Built-in data error prevention application controls

Buy Now
Questions 180

The BEST way for an IS auditor to validate that separation of duties has been implemented is to perform:

Options:

A.

A review of personnel files.

B.

An analysis of documented job descriptions.

C.

A review of the organizational chart.

D.

A walk-through of job functions.

Buy Now
Questions 181

If enabled within firewall rules, which of the following services would present the GREATEST risk?

Options:

A.

Simple mail transfer protocol (SMTP)

B.

Simple object access protocol (SOAP)

C.

Hypertext transfer protocol (HTTP)

D.

File transfer protocol (FTP)

Buy Now
Questions 182

Which of the following is the BEST sampling method to use when relatively few errors are expected to be found in a population?

Options:

A.

Variable sampling

B.

Judgmental sampling

C.

Stop-or-go sampling

D.

Discovery sampling

Buy Now
Questions 183

Which of the following should be of MOST concern to an IS auditor reviewing an organization ' s operational log management?

Options:

A.

Log file size has grown year over year.

B.

Critical events are being logged to immutable log files.

C.

Applications are logging events into multiple log files.

D.

Data formats have not been standardized across all logs.

Buy Now
Questions 184

An IS auditor can BEST evaluate the business impact of system failures by:

Options:

A.

assessing user satisfaction levels.

B.

interviewing the security administrator.

C.

analyzing equipment maintenance logs.

D.

reviewing system-generated logs.

Buy Now
Questions 185

Which of the following is the MOST important consideration when defining an operational log management strategy?

Options:

A.

Stakeholder requirements

B.

Audit recommendations

C.

Industry benchmarking

D.

Event response procedures

Buy Now
Questions 186

Which of the following audit procedures would provide the BEST assurance that an application program is functioning as designed?

Options:

A.

Using a continuous auditing module

B.

Interviewing business management

C.

Confirming accounts

D.

Reviewing program documentation

Buy Now
Questions 187

Which of the following provides the MOST useful information to an IS auditor when selecting projects for inclusion in an IT audit plan?

Options:

A.

Project charter

B.

Project plan

C.

Project issue log

D.

Project business case

Buy Now
Questions 188

Which of the following BEST enables an IS auditor to prioritize financial reporting spreadsheets for an end-user computing (EUC) audit?

Options:

A.

Understanding the purpose of each spreadsheet

B.

Identifying the spreadsheets with built-in macros

C.

Reviewing spreadsheets based on file size

D.

Ascertaining which spreadsheets are most frequently used

Buy Now
Questions 189

A security review focused on data loss prevention (DLP) revealed the organization has no visibility to data stored in the cloud. What is the IS auditor ' s BEST recommendation to address this

issue?

Options:

A.

Enhance the firewall at the network perimeter.

B.

Implement a file system scanner to discover data stored in the cloud.

C.

Employ a cloud access security broker (CASB).

D.

Utilize a DLP tool on desktops to monitor user activities.

Buy Now
Questions 190

Coding standards provide which of the following?

Options:

A.

Program documentation

B.

Access control tables

C.

Data flow diagrams

D.

Field naming conventions

Buy Now
Questions 191

When an IS auditor needs to confirm that an organization is encrypting sensitive information at a database level, which of the following would provide the BEST assurance?

Options:

A.

Reviewing the drive settings of the host server

B.

Checking network traffic for clear text transmissions

C.

Verifying a sample of critical fields

D.

Reviewing the organization’s encryption policy

Buy Now
Questions 192

An IS audit team is evaluating documentation of the most recent application user access review. It is determined that the user list was not system generated. Which of the following should be of

MOST concern?

Options:

A.

Confidentiality of the user list

B.

Timeliness of the user list review

C.

Completeness of the user list

D.

Availability of the user list

Buy Now
Questions 193

Which of the following is the PRIMARY reason for an IS audit manager to review the work performed by a senior IS auditor prior to presentation of a report?

Options:

A.

To ensure the conclusions are adequately supported

B.

To ensure adequate sampling methods were used during fieldwork

C.

To ensure the work is properly documented and filed

D.

To ensure the work is conducted according to industry standards

Buy Now
Questions 194

The PRIMARY goal of capacity management is to:

Options:

A.

minimize data storage needs across the organization.

B.

provide necessary IT resources to meet business requirements.

C.

minimize system idle time to optimize cost.

D.

ensure that IT teams have sufficient personnel.

Buy Now
Questions 195

Which of the following observations would an IS auditor consider the GREATEST risk when conducting an audit of a virtual server farm tor potential software vulnerabilities?

Options:

A.

Guest operating systems are updated monthly

B.

The hypervisor is updated quarterly.

C.

A variety of guest operating systems operate on one virtual server

D.

Antivirus software has been implemented on the guest operating system only.

Buy Now
Questions 196

An IS auditor observes that an organization ' s systems are being used for cryptocurrency mining on a regular basis. Which of the following is the auditor ' s FIRST course of action?

Options:

A.

Report the incident immediately.

B.

Recommend changing the organization ' s firewall settings.

C.

Consult the organization ' s acceptable use policy.

D.

Require mining software to be uninstalled.

Buy Now
Questions 197

An IS audit reveals an IT application is experiencing poor performance including data inconsistency and integrity issues. What is the MOST likely cause?

Options:

A.

Database clustering

B.

Data caching

C.

Reindexing of the database table

D.

Load balancing

Buy Now
Questions 198

Which of the following is MOST effective for controlling visitor access to a data center?

Options:

A.

Visitors are escorted by an authorized employee

B.

Pre-approval of entry requests

C.

Visitors sign in at the front desk upon arrival

D.

Closed-circuit television (CCTV) is used to monitor the facilities

Buy Now
Questions 199

When is it MOST important for an IS auditor to apply the concept of materiality in an audit?

Options:

A.

When planning an audit engagement

B.

When gathering information for the fieldwork

C.

When a violation of a regulatory requirement has been identified

D.

When evaluating representations from the auditee

Buy Now
Questions 200

Which of the following security measures will reduce the risk of propagation when a cyberattack occurs?

Options:

A.

Perimeter firewall

B.

Data loss prevention (DLP) system

C.

Network segmentation

D.

Web application firewall (WAF)

Buy Now
Questions 201

Which of the following BEST describes the process of creating a digital envelope?

Options:

A.

The encryption key is compressed within a folder after a message is encoded using symmetric encryption.

B.

A message is encoded using symmetric encryption, and then the encryption key is secured using public key encryption.

C.

The message is hashed, and the hash total is sent using symmetric encryption.

D.

A message digest is encrypted using asymmetric encryption, and the encryption key is sent using asymmetric encryption.

Buy Now
Questions 202

Which of the following would BEST determine whether a post-implementation review (PIR) performed by the project management office (PMO) was effective?

Options:

A.

Lessons learned were implemented.

B.

Management approved the PIR report.

C.

The review was performed by an external provider.

D.

Project outcomes have been realized.

Buy Now
Questions 203

The waterfall life cycle model of software development is BEST suited for which of the following situations?

Options:

A.

The protect requirements are wall understood.

B.

The project is subject to time pressures.

C.

The project intends to apply an object-oriented design approach.

D.

The project will involve the use of new technology.

Buy Now
Questions 204

Which of the following findings would be of GREATEST concern to an IS auditor assessing an organization ' s patch management process?

Options:

A.

The organization ' s software inventory is not complete.

B.

Applications frequently need to be rebooted for patches to take effect.

C.

Software vendors are bundling patches.

D.

Testing patches takes significant time.

Buy Now
Questions 205

Which of the following provides the BEST assurance that a new database management system (DBMS) meets the requirements of local privacy regulations?

Options:

A.

Compliance audit

B.

Administrative audit

C.

General IT controls review

D.

Forensic audit

Buy Now
Questions 206

An organization plans to replace its nightly batch processing backup to magnetic tape with real-time replication to a second data center. Which of the following is the GREATEST risk associated with this change?

Options:

A.

Version control issues

B.

Reduced system performance

C.

Inability to recover from cybersecurity attacks

D.

Increase in IT investment cost

Buy Now
Questions 207

When planning an audit to assess controls for an application in the cloud environment, it is MOST important for an IS auditor to understand:

Options:

A.

The noncompliance fee for violating a service level agreement (SLA).

B.

Availability reports from the cloud platform architecture.

C.

The shared responsibility model between cloud provider and organization.

D.

Business process reengineering that is supported by the cloud system.

Buy Now
Questions 208

An emergency power-off switch should:

Options:

A.

Be remotely accessible.

B.

Not be identified.

C.

Be protected.

D.

Be under dual control.

Buy Now
Questions 209

Which of the following should be the FIRST step in the incident response process for a suspected breach?

Options:

A.

Inform potentially affected customers of the security breach

B.

Notify business management of the security breach.

C.

Research the validity of the alerted breach

D.

Engage a third party to independently evaluate the alerted breach.

Buy Now
Questions 210

Which audit approach is MOST helpful in optimizing the use of IS audit resources?

Options:

A.

Agile auditing

B.

Continuous auditing

C.

Outsourced auditing

D.

Risk-based auditing

Buy Now
Questions 211

Which of the following should be of GREATEST concern to an IS auditor reviewing an organization’s IT process performance reports over the last quarter?

Options:

A.

Key performance indicators (KPIs) are not consistently monitored.

B.

Metrics were defined without key stakeholder input.

C.

Performance reporting includes too many technical terms.

D.

Metrics are not aligned with industry benchmarks.

Buy Now
Questions 212

Which of the following is the BEST metric to measure the alignment of IT and business strategy?

Options:

A.

Level of stakeholder satisfaction with the scope of planned IT projects

B.

Percentage of enterprise risk assessments that include IT-related risk

C.

Percentage of stat satisfied with their IT-related roles

D.

Frequency of business process capability maturity assessments

Buy Now
Questions 213

Which of the following system attack methods is executed by entering malicious code into the search box of a vulnerable website, causing the server to reveal restricted information?

Options:

A.

Man-m-the-middle

B.

Denial of service (DoS)

C.

SQL injection

D.

Cross-site scripting

Buy Now
Questions 214

Which of the following is necessary for effective risk management in IT governance?

Options:

A.

Local managers are solely responsible for risk evaluation.

B.

IT risk management is separate from corporate risk management.

C.

Risk management strategy is approved by the audit committee.

D.

Risk evaluation is embedded in management processes.

Buy Now
Questions 215

Which of the following should be used as the PRIMARY basis for prioritizing IT projects and initiatives?

Options:

A.

Estimated cost and time

B.

Level of risk reduction

C.

Expected business value

D.

Available resources

Buy Now
Questions 216

Which of the following is the PRIMARY objective of cyber resiliency?

Options:

A.

To resume normal operations after service disruptions

B.

To prevent potential attacks or disruptions in operations

C.

To efficiently and effectively recover from an incident with limited operational impact

D.

To limit the severity of security breaches and maintain continuous operations

Buy Now
Questions 217

An IS auditor reviewing an organization’s IT systems finds that the organization frequently purchases systems that are incompatible with the technologies already in the organization. Which of the following is the MOST likely reason?

Options:

A.

Ineffective risk management policy

B.

Lack of enterprise architecture (EA)

C.

Lack of a maturity model

D.

Outdated enterprise resource planning (ERP) system

Buy Now
Questions 218

An organization relies on an external vendor that uses a cloud-based Software as a Service (SaaS) model to back up its data. Which of the following is the GREATEST risk to the organization related to data backup and retrieval?

Options:

A.

The organization may be locked into an unfavorable contract with the vendor.

B.

The vendor may be unable to restore critical data.

C.

The vendor may be unable to restore data by recovery time objective (RTO) requirements.

D.

The organization may not be allowed to inspect the vendor ' s data center.

Buy Now
Questions 219

Which of the following statements appearing in an organization ' s acceptable use policy BEST demonstrates alignment with data classification standards related to the protection of information assets?

Options:

A.

Any information assets transmitted over a public network must be approved by executive management.

B.

All information assets must be encrypted when stored on the organization ' s systems.

C.

Information assets should only be accessed by persons with a justified need.

D.

All information assets will be assigned a clearly defined level to facilitate proper employee handling.

Buy Now
Questions 220

Which of the following is the BEST way to enforce the principle of least privilege on a server containing data with different security classifications?

Options:

A.

Limiting access to the data files based on frequency of use

B.

Obtaining formal agreement by users to comply with the data classification policy

C.

Applying access controls determined by the data owner

D.

Using scripted access control lists to prevent unauthorized access to the server

Buy Now
Questions 221

An IS auditor reviewing an information processing environment decides to conduct external penetration testing. Which of the following is MOST appropriate to include in the audit scope for the organization to distinguish between the auditor ' s penetration attacks and actual attacks?

Options:

A.

Restricted host IP addresses of simulated attacks

B.

Testing techniques of simulated attacks

C.

Source IP addresses of simulated attacks

D.

Timing of simulated attacks

Buy Now
Questions 222

An organization establishes capacity utilization thresholds and monitors for instances when thresholds are exceeded. Which of the following is BEST supported by this activity?

Options:

A.

Integrity

B.

Availability

C.

Confidentiality

D.

Nonrepudiation

Buy Now
Questions 223

Which of the following is the MOST efficient control to reduce the risk associated with a systems administrator having network administrator responsibilities?

Options:

A.

The administrator must obtain temporary access to make critical changes.

B.

The administrator will need to request additional approval for critical changes.

C.

The administrator must sign a due diligence agreement.

D.

The administrator will be subject to unannounced audits.

Buy Now
Questions 224

Which of the following concerns is MOST effectively addressed by implementing an IT framework for alignment between IT and business objectives?

Options:

A.

Inaccurate business impact analysis (BIA)

B.

Inadequate IT change management practices

C.

Lack of a benchmark analysis

D.

Inadequate IT portfolio management

Buy Now
Questions 225

During a database security audit, an IS auditor is reviewing the process used to input data. Which of the following is the MOST significant risk area for the auditor to focus on?

Options:

A.

Data resilience

B.

Data availability

C.

Data normalization

D.

Data integrity

Buy Now
Questions 226

Which of the following is PRIMARILY used in blockchain technology to create a distributed immutable ledger?

Options:

A.

Artificial intelligence (Al)

B.

Application hardening

C.

Edge computing

D.

Encryption

Buy Now
Questions 227

Which of the following would be of GREATEST concern to an IS auditor reviewing the feasibility study for a new application system?

Options:

A.

Security requirements have not been defined.

B.

Conditions under which the system will operate are unclear.

C.

The business case does not include well-defined strategic benefits.

D.

System requirements and expectations have not been clarified.

Buy Now
Questions 228

Which of the following would be the GREATEST concern during a financial statement audit?

Options:

A.

A backup has not been identified for key approvers.

B.

System capacity has not been tested.

C.

The procedures for generating key reports have not been approved.

D.

The financial management system is cloud based.

Buy Now
Questions 229

An IS auditor is asked to review an organization ' s technology relationships, interfaces, and data. Which of the following enterprise architecture (EA) areas is MOST appropriate this review? (Choose Correct answer and give explanation from CISA Certification - Information Systems Auditor official book)

Options:

A.

Reference architecture

B.

Infrastructure architecture

C.

Information security architecture

D.

Application architecture

Buy Now
Questions 230

Which of the following metrics would BEST measure the agility of an organization ' s IT function?

Options:

A.

Average number of learning and training hours per IT staff member

B.

Frequency of security assessments against the most recent standards and guidelines

C.

Average time to turn strategic IT objectives into an agreed upon and approved initiative

D.

Percentage of staff with sufficient IT-related skills for the competency required of their roles

Buy Now
Questions 231

An IS auditor is conducting an audit of a very large e-commerce platform. Which of the following techniques BEST enables the auditor to identify web application security flaws?

Options:

A.

Code review.

B.

Vulnerability scanning.

C.

Logical security testing.

D.

Penetration testing.

Buy Now
Questions 232

Which of the following should be the FIRST step when conducting an IT risk assessment?

Options:

A.

Identify potential threats.

B.

Assess vulnerabilities.

C.

Identify assets to be protected.

D.

Evaluate controls in place.

Buy Now
Questions 233

A review of IT interface controls finds an organization does not have a process to identify and correct records that do not get transferred to the receiving system Which of the following is the IS auditors BEST recommendation?

Options:

A.

Enable automatic encryption decryption and electronic signing of data files

B.

implement software to perform automatic reconciliations of data between systems

C.

Have coders perform manual reconciliation of data between systems

D.

Automate the transfer of data between systems as much as feasible

Buy Now
Questions 234

Which of the following is the BEST recommendation to prevent fraudulent electronic funds transfers by accounts payable employees?

Options:

A.

Periodic vendor reviews

B.

Dual control

C.

Independent reconciliation

D.

Re-keying of monetary amounts

E.

Engage an external security incident response expert for incident handling.

Buy Now
Questions 235

Which of the following is the PRIMARY role of the IS auditor m an organization ' s information classification process?

Options:

A.

Securing information assets in accordance with the classification assigned

B.

Validating that assets are protected according to assigned classification

C.

Ensuring classification levels align with regulatory guidelines

D.

Defining classification levels for information assets within the organization

Buy Now
Questions 236

Which of the following controls BEST ensures appropriate segregation of dudes within an accounts payable department?

Options:

A.

Ensuring that audit trails exist for transactions

B.

Restricting access to update programs to accounts payable staff only

C.

Including the creator ' s user ID as a field in every transaction record created

D.

Restricting program functionality according to user security profiles

Buy Now
Questions 237

Which of the following is the GREATEST risk associated with security patches being automatically downloaded and applied to production servers?

Options:

A.

Supporting documentation is not updated.

B.

Anti-malware is disabled during patch installation.

C.

Patches may be installed regardless of their criticality.

D.

Patches may result in major service failures.

Buy Now
Questions 238

Which of the following should an IS auditor recommend be done FIRST when an organization is planning to implement an IT compliance program?

Options:

A.

Identify staff training needs related to compliance requirements.

B.

Analyze historical compliance-related audit findings.

C.

Research and purchase an industry-recognized IT compliance tool

D.

Identify applicable laws, regulations, and standards.

Buy Now
Questions 239

Which of the following physical controls provides the GREATEST assurance that only authorized individuals can access a data center?

Options:

A.

The data center is patrolled by a security guard.

B.

Access to the data center is monitored by video cameras.

C.

ID badges must be displayed before access is granted

D.

Access to the data center is controlled by a mantrap.

Buy Now
Questions 240

For an organization that has plans to implement web-based trading, it would be MOST important for an IS auditor to verify the organization ' s information security plan includes:

Options:

A.

attributes for system passwords.

B.

security training prior to implementation.

C.

security requirements for the new application.

D.

the firewall configuration for the web server.

Buy Now
Questions 241

Job scheduling impacts system availability and reliability by:

Options:

A.

Reducing system downtime.

B.

Ensuring flexibility and scalability.

C.

Optimizing resource utilization.

D.

Decreasing system complexity.

Buy Now
Questions 242

An organization ' s security team created a simulated production environment with multiple vulnerable applications. What would be the PRIMARY purpose of creating such an environment?

Options:

A.

To collect digital evidence of cyberattacks

B.

To attract attackers in order to study their behavior

C.

To provide training to security managers

D.

To test the intrusion detection system (IDS)

Buy Now
Questions 243

Which of the following is the BEST way to mitigate risk to an organization ' s network associated with devices permitted under a bring your own device (BYOD) policy?

Options:

A.

Require personal devices to be reviewed by IT staff.

B.

Enable port security on all network switches.

C.

Implement a network access control system.

D.

Ensure the policy requires antivirus software on devices.

Buy Now
Questions 244

A core system fails a week after a scheduled update, causing an outage that impacts service. Which of the following is MOST important for incident management to focus on when addressing the issue?

Options:

A.

Analyzing the root cause of the outage to ensure the incident will not reoccur

B.

Restoring the system to operational state as quickly as possible

C.

Ensuring all resolution steps are fully documented prior to returning thesystem to service

D.

Rolling back the unsuccessful change to the previous state

Buy Now
Questions 245

Which of the following application input controls would MOST likely detect data input errors in the customer account number field during the processing of an accounts receivable transaction?

Options:

A.

Limit check

B.

Parity check

C.

Reasonableness check

D.

Validity check

Buy Now
Questions 246

In order to be useful, a key performance indicator (KPI) MUST

Options:

A.

be approved by management.

B.

be measurable in percentages.

C.

be changed frequently to reflect organizational strategy.

D.

have a target value.

Buy Now
Questions 247

Which of the following provides the MOST assurance over the completeness and accuracy ol loan application processing with respect to the implementation of a new system?

Options:

A.

Comparing code between old and new systems

B.

Running historical transactions through the new system

C.

Reviewing quality assurance (QA) procedures

D.

Loading balance and transaction data to the new system

Buy Now
Questions 248

Which of the following is an analytical review procedure for a payroll system?

Options:

A.

Performing reasonableness tests by multiplying the number of employees by the average wage rate

B.

Evaluating the performance of the payroll system using benchmarking software

C.

Performing penetration attempts on the payroll system

D.

Testing hours reported on time sheets

Buy Now
Questions 249

An IS auditor wants to verify alignment of the organization ' s business continuity plan (BCP) with the business strategy. Which of the following would be MOST helpful to review?

Options:

A.

Disaster recovery plan (DRP) testing results

B.

Business impact analysis (BIA)

C.

Corporate risk management policy

D.

Key performance indicators (KPIs)

Buy Now
Questions 250

A warehouse employee of a retail company has been able to conceal the theft of inventory items by entering adjustments of either damaged or lost stock items lo the inventory system. Which control would have BEST prevented this type of fraud in a retail environment?

Options:

A.

Separate authorization for input of transactions

B.

Statistical sampling of adjustment transactions

C.

Unscheduled audits of lost stock lines

D.

An edit check for the validity of the inventory transaction

Buy Now
Questions 251

A global company has been using a publicly available AI tool to obtain information about global laws and regulations that could impact the business. Which of the following should be of MOST concern to an IS auditor?

Options:

A.

Accuracy and quality of the data provided by the AI tool

B.

Whether the organization is using a paid version of the AI tool

C.

Version and provider of the AI tool being utilized

D.

Whether the tool is utilized by competitors in the same industry

Buy Now
Questions 252

What should an IS auditor do FIRST when a follow-up audit reveals some management action plans have not been initiated?

Options:

A.

Confirm whether the identified risks are still valid.

B.

Provide a report to the audit committee.

C.

Escalate the lack of plan completion to executive management.

D.

Request an additional action plan review to confirm the findings.

Buy Now
Questions 253

To protect the organization from malware transmitted by physical media, IT administrators have disabled USB access for storage devices. Which of the following BEST describes this type of control?

Options:

A.

Corrective

B.

Administrative

C.

Preventive

D.

Physical

Buy Now
Questions 254

Which of the following is MOST important for an IS auditor to confirm when reviewing an organization ' s incident response management program?

Options:

A.

All incidents have a severity level assigned.

B.

All identified incidents are escalated to the CEO and the CISO.

C.

Incident response is within defined service level agreements (SLAs).

D.

The alerting tools and incident response team can detect incidents.

Buy Now
Questions 255

An IS auditor is conducting a review of a data center. Which of the following observations could indicate an access control Issue?

Options:

A.

Security cameras deployed outside main entrance

B.

Antistatic mats deployed at the computer room entrance

C.

Muddy footprints directly inside the emergency exit

D.

Fencing around facility is two meters high

Buy Now
Questions 256

Which of the following would be of GREATEST concern to an IS auditor reviewing an IT strategy document?

Options:

A.

The previous year’s IT strategic goals were not achieved.

B.

Target architecture is defined at a technical level.

C.

Financial estimates of new initiatives are disclosed within the document.

D.

Strategic IT goals are derived solely from the latest market trends.

Buy Now
Questions 257

Upon completion of audit work, an IS auditor should:

Options:

A.

provide a report to senior management prior to discussion with the auditee.

B.

distribute a summary of general findings to the members of the auditing team.

C.

provide a report to the auditee stating the initial findings.

D.

review the working papers with the auditee.

Buy Now
Questions 258

Which of the following areas is MOST likely to be overlooked when implementing a new data classification process?

Options:

A.

End-user computing (EUC) systems

B.

Email attachments

C.

Data sent to vendors

D.

New system applications

Buy Now
Questions 259

Which of the following is MOST important for an IS auditor to do during an exit meeting with an auditee?

Options:

A.

Ensure that the facts presented in the report are correct

B.

Communicate the recommendations lo senior management

C.

Specify implementation dates for the recommendations.

D.

Request input in determining corrective action.

Buy Now
Questions 260

In which data loss prevention (DLP) deployment model is data inspection and policy enforcement performed at the organization ' s perimeter or gateway?

Options:

A.

Hybrid DLP

B.

Cloud-based DLP

C.

Endpoint-based DLP

D.

Network-based DLP

Buy Now
Questions 261

Which of the following non-audit activities may impair an IS auditor ' s independence and objectivity?

Options:

A.

Evaluating a third-party customer satisfaction survey

B.

Providing advice on an IT project management framework

C.

Designing security controls for a new cloud-based workforce management system

D.

Reviewing secure software development guidelines adopted by an organization

Buy Now
Questions 262

During the evaluation of controls over a major application development project, the MOST effective use of an IS auditor ' s time would be to review and evaluate:

Options:

A.

application test cases.

B.

acceptance testing.

C.

cost-benefit analysis.

D.

project plans.

Buy Now
Questions 263

Which of the following is an IS auditor’s BEST approach when low-risk anomalies have been identified?

Options:

A.

Reprioritize further testing of the anomalies and refocus on issues with higher risk

B.

Update the audit plan to include the information collected during the audit

C.

Ask auditees to promptly remediate the anomalies

D.

Document the anomalies in audit workpapers

Buy Now
Questions 264

Which of the following should be restricted from a network administrator ' s privileges in an adequately segregated IT environment?

Options:

A.

Monitoring network traffic

B.

Changing existing configurations for applications

C.

Hardening network ports

D.

Ensuring transmission protocols are functioning correctly

Buy Now
Questions 265

The BEST way to evaluate the effectiveness of a newly developed application is to:

Options:

A.

perform a post-implementation review-

B.

analyze load testing results.

C.

perform a secure code review.

D.

review acceptance testing results.

Buy Now
Questions 266

Which of the following poses the GREATEST potential concern for an organization that decides to consolidate mission-critical applications on a large server as part of IT capacity management?

Options:

A.

More applications may be negatively affected by outages on the server.

B.

Continuous monitoring efforts for server capacity may be costly.

C.

Network bandwidth may be degraded during peak hours.

D.

Accurate server capacity forecasting may be more difficult.

Buy Now
Questions 267

Which of the following should be done FIRST to minimize the risk of unstructured data?

Options:

A.

Identify repositories of unstructured data.

B.

Purchase tools to analyze unstructured data.

C.

Implement strong encryption for unstructured data.

D.

Implement user access controls to unstructured data.

Buy Now
Questions 268

When reviewing a data classification scheme, it is MOST important for an IS auditor to determine if.

Options:

A.

each information asset is to a assigned to a different classification.

B.

the security criteria are clearly documented for each classification

C.

Senior IT managers are identified as information owner.

D.

the information owner is required to approve access to the asset

Buy Now
Questions 269

For security awareness training to be MOST effective, management should ensure the training:

Options:

A.

covers all aspects of the IT environment.

B.

is conducted by IT personnel.

C.

is tailored to specific groups.

D.

occurs annually.

Buy Now
Questions 270

During the implementation of a new system, an IS auditor must assess whether certain automated calculations comply with the regulatory requirements Which of the following is the BEST way to obtain this assurance?

Options:

A.

Review sign-off documentation

B.

Review the source code related to the calculation

C.

Re-perform the calculation with audit software

D.

Inspect user acceptance lest (UAT) results

Buy Now
Questions 271

Which of the following is MOST important to ensure when developing an effective security awareness program?

Options:

A.

Training personnel are information security professionals.

B.

Outcome metrics for the program are established.

C.

Security threat scenarios are included in the program content.

D.

Phishing exercises are conducted post-training

Buy Now
Questions 272

An IS auditor finds ad hoc vulnerability scanning is in place with no clear alignment to the organization ' s wider security threat and vulnerability management program.

Which of the following would BEST enable the organization to work toward improvement in this area?

Options:

A.

Implementing security logging to enhance threat and vulnerability management

B.

Maintaining a catalog of vulnerabilities that may impact mission-critical systems

C.

Using a capability maturity model to identify a path to an optimized program

D.

Outsourcing the threat and vulnerability management function to a third party

Buy Now
Questions 273

Which of the following are BEST suited for continuous auditing?

Options:

A.

Low-value transactions

B.

Real-lime transactions

C.

Irregular transactions

D.

Manual transactions

Buy Now
Questions 274

Which of the following is the BEST source of information for assessing the effectiveness of IT process monitoring?

Options:

A.

Real-time audit software

B.

Performance data

C.

Quality assurance (QA) reviews

D.

Participative management techniques

Buy Now
Questions 275

An IS auditor is reviewing an organization ' s business intelligence infrastructure. The BEST recommendation to help the organization achieve a reasonable level of data quality would be to:

Options:

A.

review data against data classification standards.

B.

outsource data cleansing to skilled service providers.

C.

consolidate data stored across separate databases into a warehouse.

D.

analyze the data against predefined specifications.

Buy Now
Questions 276

The PRIMARY advantage of using open-source-based solutions is that they:

Options:

A.

Have well-defined support levels.

B.

Are easily implemented.

C.

Reduce dependence on vendors.

D.

Offer better security features.

Buy Now
Questions 277

To enable the alignment of IT staff development plans with IT strategy, which of the following should be done FIRST?

Options:

A.

Review IT staff job descriptions for alignment

B.

Develop quarterly training for each IT staff member.

C.

Identify required IT skill sets that support key business processes

D.

Include strategic objectives m IT staff performance objectives

Buy Now
Questions 278

Which of the following is MOST helpful for an IS auditor to review when evaluating an organizations business process that are supported by applications and IT systems?

Options:

A.

Configuration management database (CMDB)

B.

Enterprise architecture (EA)

C.

IT portfolio management

D.

IT service management

Buy Now
Questions 279

An IS auditor reviewing the throat assessment for a data cantor would be MOST concerned if:

Options:

A.

some of the identified threats are unlikely to occur.

B.

all identified threats relate to external entities.

C.

the exercise was completed by local management.

D.

neighboring organizations ' operations have been included.

Buy Now
Questions 280

An organization that has decided to approve the use of end-user computing (EUC) should FIRST ensure:

Options:

A.

a business impact analysis (BIA) is conducted.

B.

EUC controls are reviewed.

C.

EUC use cases are assessed and documented.

D.

an EUC policy is developed.

Buy Now
Questions 281

An IS auditor is following up on prior period items and finds management did not address an audit finding. Which of the following should be the IS auditor ' s NEXT course of action?

Options:

A.

Note the exception in a new report as the item was not addressed by management.

B.

Recommend alternative solutions to address the repeat finding.

C.

Conduct a risk assessment of the repeat finding.

D.

Interview management to determine why the finding was not addressed.

Buy Now
Questions 282

Which of the following job scheduling schemes for operating system updates is MOST likely to adequately balance protection of workstations with user requirements?

Options:

A.

Automated patching jobs and immediate restart

B.

Automated patching jobs followed by a scheduled restart outside of business hours

C.

End users can initiate patching including subsequent system restarts

D.

Applying only those patches not requiring a system restart

Buy Now
Questions 283

Which of the following methods would BEST help detect unauthorized disclosure of confidential documents sent over corporate email?

Options:

A.

Requiring all users to encrypt documents before sending

B.

Installing firewalls on the corporate network

C.

Reporting all outgoing emails that are marked as confidential

D.

Monitoring all emails based on pre-defined criteria

Buy Now
Questions 284

Which of the following security testing techniques is MOST effective for confirming that inputs to a web application have been properly sanitized?

Options:

A.

SQL injection

B.

Fuzzing

C.

Brute force

D.

Password spraying

Buy Now
Questions 285

A company requires that all program change requests (PCRs) be approved and all modifications be automatically logged. Which of the following IS audit procedures will BEST determine whether unauthorized changes have been made to production programs?

Options:

A.

Trace a sample of complete PCR forms to the log of all program changes

B.

Use source code comparison software to determine whether any changes have been made to a sample of programs since the last audit date

C.

Review a sample of PCRs for proper approval throughout the program change process

D.

Trace a sample of program change from the log to completed PCR forms

Buy Now
Questions 286

An organization ' s IT department and internal IS audit function all report to the chief information officer (CIO). Which of the following is the GREATEST concern associated with this reporting structure?

Options:

A.

Potential for inaccurate audit findings

B.

Compromise of IS audit independence

C.

IS audit resources being shared with other IT functions

D.

IS audit being isolated from other audit functions

Buy Now
Questions 287

Which of the following BEST ensures the quality and integrity of test procedures used in audit analytics?

Options:

A.

Developing and communicating test procedure best practices to audit teams

B.

Developing and implementing an audit data repository

C.

Decentralizing procedures and Implementing periodic peer review

D.

Centralizing procedures and implementing change control

Buy Now
Questions 288

In the case of a disaster where the data center is no longer available, which of the following tasks should be done FIRST?

Options:

A.

Perform data recovery.

B.

Arrange for a secondary site.

C.

Analyze risk.

D.

Activate the call tree.

Buy Now
Questions 289

What is the PRIMARY reason to adopt a risk-based IS audit strategy?

Options:

A.

To achieve synergy between audit and other risk management functions

B.

To prioritize available resources and focus on areas with significant risk

C.

To reduce the time and effort needed to perform a full audit cycle

D.

To identify key threats, risks, and controls for the organization

Buy Now
Questions 290

Which of the following provides a new IS auditor with the MOST useful information to evaluate overall IT performance?

Options:

A.

IT value analysis

B.

Prior audit reports

C.

IT balanced scorecard

D.

Vulnerability assessment report

Buy Now
Questions 291

An IS auditor concludes that logging and monitoring mechanisms within an organization are ineffective because critical servers are not included within the central log repository. Which of the following audit procedures would have MOST likely identified this exception?

Options:

A.

Inspecting a sample of alerts generated from the central log repository

B.

Comparing a list of all servers from the directory server against a list of all servers present in the central log repository

C.

Inspecting a sample of alert settings configured in the central log repository

D.

Comparing all servers included in the current central log repository with the listing used for the prior-year audit

Buy Now
Questions 292

Which of the following is the MOST important advantage of participating in beta testing of software products?

Options:

A.

It increases an organization ' s ability to retain staff who prefer to work with new technology.

B.

It improves vendor support and training.

C.

It enhances security and confidentiality.

D.

It enables an organization to gain familiarity with new products and their functionality.

Buy Now
Questions 293

Which of the following is the BEST source of information for examining the classification of new data?

Options:

A.

Input by data custodians

B.

Security policy requirements

C.

Risk assessment results

D.

Current level of protection

Buy Now
Questions 294

Which of the following is the BEST way for an IS auditor to assess the design of an automated application control?

Options:

A.

Interview the application developer.

B.

Obtain management attestation and sign-off.

C.

Review the application implementation documents.

D.

Review system configuration parameters and output.

Buy Now
Questions 295

During a pre-deployment assessment, what is the BEST indication that a business case will lead to the achievement of business objectives?

Options:

A.

The business case reflects stakeholder requirements.

B.

The business case is based on a proven methodology.

C.

The business case passed a quality review by an independent party.

D.

The business case identifies specific plans for cost allocation.

Buy Now
Questions 296

An IS auditor discovers that due to resource constraints a database administrator (DBA) is responsible for developing and executing changes into the production environment Which ot the following should the auditor do FIRSTS

Options:

A.

Determine whether another DBA could make the changes

B.

Report a potential segregation of duties violation

C.

identify whether any compensating controls exist

D.

Ensure a change management process is followed prior to implementation

Buy Now
Questions 297

Which of the following is MOST important to verify when determining the completeness of the vulnerability scanning process?

Options:

A.

Access to the vulnerability scanning tool is periodically reviewed.

B.

Vulnerability scanning results are reported to the CISO.

C.

The organization is using a cloud-hosted scanning tool for identification of vulnerabilities.

D.

The organization’s systems inventory is kept up to date.

Buy Now
Questions 298

An internal audit team is deciding whether to use an audit management application hosted by a third party in a different country.

What should be the MOST important consideration related to the uploading of payroll audit documentation in the hosted

application?

Options:

A.

Financial regulations affecting the organization

B.

Data center physical access controls whore the application is hosted

C.

Privacy regulations affecting the organization

D.

Per-unit cost charged by the hosting services provider for storage

Buy Now
Questions 299

Which of the following BEST enables an organization to improve the visibility of end-user computing (EUC) applications that support regulatory reporting?

Options:

A.

EUC inventory

B.

EUC availability controls

C.

EUC access control matrix

D.

EUC tests of operational effectiveness

Buy Now
Questions 300

Which of the following would BEST demonstrate that an effective disaster recovery plan (DRP) is in place?

Options:

A.

Frequent testing of backups

B.

Annual walk-through testing

C.

Periodic risk assessment

D.

Full operational test

Buy Now
Questions 301

During a closing meeting, the IT manager disagrees with a valid audit finding presented by the IS auditor and requests the finding be excluded from the final report. Which of the following is the auditor ' s BEST course of action?

Options:

A.

Request that the IT manager be removed from the remaining meetings and future audits.

B.

Modify the finding to include the IT manager ' s comments and inform the audit manager of the changes.

C.

Remove the finding from the report and continue presenting the remaining findings.

D.

Provide the evidence which supports the finding and keep the finding in the report.

Buy Now
Questions 302

Which of the following BEST supports the effectiveness of a compliance program?

Options:

A.

Implementing an awareness plan regarding compliance regulation requirements

B.

Implementing a governance, risk, and compliance (GRC) tool to track compliance to regulations

C.

Assessing and tracking all compliance audit findings

D.

Monitoring which compliance regulations apply to the organization

Buy Now
Questions 303

In an environment where data virtualization is used, which of the following provides the BEST disaster recovery solution?

Options:

A.

Onsite disk-based backup systems

B.

Tape-based backup systems

C.

Virtual tape library

D.

Redundant array of independent disks (RAID)

Buy Now
Questions 304

in a controlled application development environment, the MOST important segregation of duties should be between the person who implements changes into the production environment and the:

Options:

A.

application programmer

B.

systems programmer

C.

computer operator

D.

quality assurance (QA) personnel

Buy Now
Questions 305

Which of the following is MOST important for an IS auditor to review when evaluating the accuracy of a spreadsheet that contains several macros?

Options:

A.

Encryption of the spreadsheet

B.

Version history

C.

Formulas within macros

D.

Reconciliation of key calculations

Buy Now
Questions 306

A new system is being developed by a vendor for a consumer service organization. The vendor will provide its proprietary software once system development is completed Which of the following is the MOST important requirement to include In the vendor contract to ensure continuity?

Options:

A.

Continuous 24/7 support must be available.

B.

The vendor must have a documented disaster recovery plan (DRP) in place.

C.

Source code for the software must be placed in escrow.

D.

The vendor must train the organization ' s staff to manage the new software

Buy Now
Questions 307

Which of the following is the BEST indication of effective IT investment management?

Options:

A.

IT investments are implemented and monitored following a system development life cycle (SDLC)

B.

IT investments are mapped to specific business objectives

C.

Key performance indicators (KPIs) are defined for each business requiring IT Investment

D.

The IT Investment budget is significantly below industry benchmarks

Buy Now
Questions 308

Capacity management enables organizations to:

Options:

A.

forecast technology trends

B.

establish the capacity of network communication links

C.

identify the extent to which components need to be upgraded

D.

determine business transaction volumes.

Buy Now
Questions 309

An IS department is evaluated monthly on its cost-revenue ratio user satisfaction rate, and computer downtime This is BEST zed as an application of.

Options:

A.

risk framework

B.

balanced scorecard

C.

value chain analysis

D.

control self-assessment (CSA)

Buy Now
Questions 310

An employee loses a mobile device resulting in loss of sensitive corporate data. Which o( the following would have BEST prevented data leakage?

Options:

A.

Data encryption on the mobile device

B.

Complex password policy for mobile devices

C.

The triggering of remote data wipe capabilities

D.

Awareness training for mobile device users

Buy Now
Questions 311

Which of the following is the BEST way to mitigate the risk associated with unintentional modifications of complex calculations in end-user computing (EUC)?

Options:

A.

Have an independent party review the source calculations

B.

Execute copies of EUC programs out of a secure library

C.

implement complex password controls

D.

Verify EUC results through manual calculations

Buy Now
Questions 312

Which of the following BEST indicates an effective internal audit quality assurance and improvement program?

Options:

A.

Oversight of the improvement program by senior management

B.

An improved internal audit charter

C.

A scope that focuses on high-risk audit engagements

D.

Identification of opportunities for continuous improvement

Buy Now
Questions 313

Following an IT audit, management has decided to accept the risk highlighted in the audit report. Which of the following would provide the MOST assurance to the IS auditor that management

is adequately balancing the needs of the business with the need to manage risk?

Options:

A.

A communication plan exists for informing parties impacted by the risk.

B.

Potential impact and likelihood are adequately documented.

C.

Identified risk is reported into the organization ' s risk committee.

D.

Established criteria exist for accepting and approving risk.

Buy Now
Questions 314

Which of the following is MOST helpful for measuring benefits realization for a new system?

Options:

A.

Function point analysis

B.

Balanced scorecard review

C.

Post-implementation review

D.

Business impact analysis (BIA)

Buy Now
Questions 315

Which of the following BEST mitigates the risk associated with the deployment of a new production system?

Options:

A.

Problem management

B.

Incident management

C.

Configuration management

D.

Release management

Buy Now
Questions 316

Which of the following should be of MOST concern to an IS auditor when reviewing an intrusion detection system (IDS)?

Options:

A.

High false-positive rate

B.

Delay in signature updates

C.

High false-negative rate

D.

Decrease in processing speed

Buy Now
Questions 317

An administrator performs firewall configuration changes for a small organization. Which of the following is the BEST compensating control to mitigate the risk of unauthorized changes in this situation?

Options:

A.

Requiring log review by management.

B.

Restricting administrator access to the firewall.

C.

Obtaining supervisor approval for implementation.

D.

Conducting an annual audit.

Buy Now
Questions 318

An audit has identified that business units have purchased cloud-based applications without IPs support. What is the GREATEST risk associated with this situation?

Options:

A.

The applications are not included in business continuity plans (BCFs)

B.

The applications may not reasonably protect data.

C.

The application purchases did not follow procurement policy.

D.

The applications could be modified without advanced notice.

Buy Now
Questions 319

An IS auditor is reviewing a machine learning algorithm-based system for loan approvals and is preparing a data set to test the algorithm for bias. Which of the following is MOST important for the auditor’s test data set to include?

Options:

A.

Applicants of all ages

B.

Applicants from a range of geographic areas and income levels

C.

Incomplete records and incorrectly formatted data

D.

Duplicate records

Buy Now
Questions 320

Which of the following provides the BEST evidence that system requirements are met when evaluating a project before implementation?

Options:

A.

Integration testing results

B.

Sign-off from senior management

C.

User acceptance testing (UAT) results

D.

Regression testing results

Buy Now
Questions 321

An organization implemented a cybersecurity policy last year Which of the following is the GREATE ST indicator that the policy may need to be revised?

Options:

A.

A significant increase in authorized connections to third parties

B.

A significant increase in cybersecurity audit findings

C.

A significant increase in approved exceptions

D.

A significant increase in external attack attempts

Buy Now
Questions 322

If concurrent update transactions to an account are not processed properly, which of the following will be affected?

Options:

A.

Confidentiality

B.

Integrity

C.

Accountability

D.

Availability

Buy Now
Questions 323

Which of the following would be the BEST criteria for monitoring an IT vendor ' s service levels?

Options:

A.

Service auditor ' s report

B.

Performance metrics

C.

Surprise visit to vendor

D.

Interview with vendor

Buy Now
Questions 324

What should an IS auditor do FIRST upon discovering that a service provider did not notify its customers of a security breach?

Options:

A.

Notify law enforcement of the finding.

B.

Require the third party to notify customers.

C.

The audit report with a significant finding.

D.

Notify audit management of the finding.

Buy Now
Questions 325

Which of the following should be done FIRST when planning to conduct internal and external penetration testing for a client?

Options:

A.

Establish the timing of testing.

B.

Identify milestones.

C.

Determine the test reporting

D.

Establish the rules of engagement.

Buy Now
Questions 326

Which of the following provides the MOST protection against emerging threats?

Options:

A.

Demilitarized zone (DMZ)

B.

Heuristic intrusion detection system (IDS)

C.

Real-time updating of antivirus software

D.

Signature-based intrusion detection system (IDS)

Buy Now
Questions 327

An organization is implementing a new data loss prevention (DLP) tool. Which of the following will BEST enable the organization to reduce false positive alerts?

Options:

A.

Using the default policy and tool rule sets

B.

Configuring a limited set of rules

C.

Deploying the tool in monitor mode

D.

Reducing the number of detection points

Buy Now
Questions 328

Which of the following audit evidence collection procedures is MOST reliable?

Options:

A.

Inspecting paper documentation obtained from an independent third party

B.

Inspecting system-generated evidence provided by a control owner

C.

Examining critical data received from an auditee

D.

Performing manual procedures independently from a control owner

Buy Now
Questions 329

Which type of review is MOST important to conduct when an IS auditor is informed that a recent internal exploitation of a bug has been discovered in a business application?

Options:

A.

Penetration testing

B.

Application security testing

C.

Forensic audit

D.

Server security audit

Buy Now
Questions 330

Which of the following is the MOST effective accuracy control for entry of a valid numeric part number?

Options:

A.

Hash totals

B.

Online review of description

C.

Comparison to historical order pattern

D.

Self-checking digit

Buy Now
Questions 331

The PRIMARY role of an IS auditor in the remediation of problems found during an audit engagement is to:

Options:

A.

help auditee management by providing the solution.

B.

explain the findings and provide general advice.

C.

present updated policies to management for approval.

D.

take ownership of the problems and oversee remediation efforts.

Buy Now
Questions 332

Which of the following BEST indicates that the effectiveness of an organization ' s security awareness program has improved?

Options:

A.

A decrease in the number of information security audit findings

B.

An increase in the number of staff who complete awareness training

C.

An increase in the number of phishing emails reported by employees

D.

A decrease in the number of malware outbreaks

Buy Now
Questions 333

Which of the following should be the GREATEST concern to an IS auditor reviewing the information security framework of an organization?

Options:

A.

The information security policy has not been updated in the last two years.

B.

Senior management was not involved in the development of the information security policy.

C.

A list of critical information assets was not included in the information security policy.

D.

The information security policy is not aligned with regulatory requirements.

Buy Now
Questions 334

Which of the following is the MOST important consideration to facilitate prosecution of a perpetrator after a cybercrime?

Options:

A.

An active intrusion detection system (IDS)

B.

Professional collection of unaltered evidence

C.

Reporting to the internal legal department

D.

Immediate law enforcement involvement

Buy Now
Questions 335

Which of the following observations should be of GREATEST concern to an IS auditor assessing access controls for the accounts payable module of a finance system?

Options:

A.

Payment files are stored on a shared drive in a writable format prior to processing.

B.

Accounts payable staff have access to update vendor bank account details.

C.

The IS auditor was granted access to create purchase orders.

D.

Configured delegation limits do not align to the organization ' s delegation’s policy.

Buy Now
Questions 336

Which of the following represents the HIGHEST level of maturity of an information security program?

Options:

A.

A training program is in place to promote information security awareness.

B.

A framework is in place to measure risks and track effectiveness.

C.

Information security policies and procedures are established.

D.

The program meets regulatory and compliance requirements.

Buy Now
Questions 337

To mitigate the risk of exposing data through application programming interface (API) queries. which of the following design considerations is MOST important?

Options:

A.

Data retention

B.

Data minimization

C.

Data quality

D.

Data integrity

Buy Now
Questions 338

To ensure confidentiality through the use of asymmetric encryption, a message is encrypted with which of the following?

Options:

A.

Recipient ' s public key

B.

Sender ' s private key

C.

Sender ' s public key

D.

Recipient ' s private key

Buy Now
Questions 339

Which of the following provides the MOST assurance of the integrity of a firewall log?

Options:

A.

The log is reviewed on a monthly basis.

B.

Authorized access is required to view the log.

C.

The log cannot be modified.

D.

The log is retained per policy.

Buy Now
Questions 340

Spreadsheets are used to calculate project cost estimates. Totals for each cost category are then keyed into the job-costing system. What is the BEST control to ensure that data is accurately entered into the system?

Options:

A.

Reconciliation of total amounts by project

B.

Validity checks, preventing entry of character data

C.

Reasonableness checks for each cost type

D.

Display the back of the project detail after the entry

Buy Now
Questions 341

Which of the following is the MOST appropriate control to ensure integrity of online orders?

Options:

A.

Data Encryption Standard (DES)

B.

Digital signature

C.

Public key encryption

D.

Multi-factor authentication

Buy Now
Questions 342

An IS auditor learns that an organization ' s business continuity plan (BCP) has not been updated in the last 18 months and that the organization recently closed a production plant. Which of the following is the auditor ' s BEST course of action?

Options:

A.

Determine whether the business impact analysis (BIA) is current with the organization ' s structure and context.

B.

Determine the types of technologies used at the plant and how they may affect the BCP.

C.

Perform testing to determine the impact to the recovery time objective (R TO).

D.

Assess the risk to operations from the closing of the plant.

Buy Now
Questions 343

Which of the following would BEST help to ensure that an incident receives attention from appropriate personnel in a timely manner?

Options:

A.

Completing the incident management log

B.

Broadcasting an emergency message

C.

Requiring a dedicated incident response team

D.

Implementing incident escalation procedures

Buy Now
Questions 344

A hearth care organization utilizes Internet of Things (loT) devices to improve patient outcomes through real-time patient monitoring and advanced diagnostics. Which of the following would BEST assist in isolating these devices from corporate network traffic?

Options:

A.

Internal firewalls

B.

Blockchain technology

C.

Content filtering proxy

D.

Zero Trust architecture

Buy Now
Questions 345

Which of the following methods provides the MOST reliable audit evidence?

Options:

A.

Inquiry

B.

Management attestation

C.

Re-performance of controls

D.

Observation

Buy Now
Questions 346

Which of the following testing methods is MOST appropriate for assessing whether system integrity has been maintained after changes have been made?

Options:

A.

Regression testing

B.

Unit testing

C.

Integration testing

D.

Acceptance testing

Buy Now
Questions 347

An IS auditor is reviewing database fields updated in real-time and displayed through other applications in multiple organizational functions. When validating business approval for these various use cases, which of the following sources of information would be the BEST starting point?

Options:

A.

Network map from the network administrator

B.

Historical database change log records

C.

List of integrations from the database administrator (DBA)

D.

Business process flow from management

Buy Now
Questions 348

During an exit meeting, an IS auditor highlights that backup cycles

are being missed due to operator error and that these exceptions

are not being managed. Which of the following is the BEST way to

help management understand the associated risk?

Options:

A.

Explain the impact to disaster recovery.

B.

Explain the impact to resource requirements.

C.

Explain the impact to incident management.

D.

Explain the impact to backup scheduling.

Buy Now
Questions 349

An organization has replaced all of the storage devices at its primary data center with new higher-capacity units The replaced devices have been installed at the disaster recovery site to replace older units An IS auditor s PRIMARY concern would be whether

Options:

A.

the recovery site devices can handle the storage requirements

B.

hardware maintenance contract is in place for both old and new storage devices

C.

the procurement was in accordance with corporate policies and procedures

D.

the relocation plan has been communicated to all concerned parties

Buy Now
Questions 350

Which of the following is the BEST way for management to ensure the effectiveness of the cybersecurity incident response process?

Options:

A.

Periodic reporting of cybersecurity incidents to key stakeholders

B.

Periodic update of incident response process documentation

C.

Periodic cybersecurity training for staff involved in incident response

D.

Periodic tabletop exercises involving key stakeholders

Buy Now
Questions 351

When reviewing a project to replace multiple manual data entry systems with an artificial intelligence (Al) system, the IS auditor should be MOST concerned with the impact Al will have on

Options:

A.

employee retention

B.

enterprise architecture (EA)

C.

future task updates

D.

task capacity output

Buy Now
Questions 352

An emergency power-off switch should:

Options:

A.

not be identified.

B.

be remotely accessible.

C.

be under dual control.

D.

be protected.

Buy Now
Questions 353

An IS auditor wants to inspect recent events in a system to observe failed authentications and password changes. Which of the following is the MOST appropriate method to use for this purpose?

Options:

A.

Penetration testing

B.

Authenticated scanning

C.

Change management records

D.

System log review

Buy Now
Questions 354

When auditing the security architecture of an online application, an IS auditor should FIRST review the:

Options:

A.

firewall standards.

B.

configuration of the firewall

C.

firmware version of the firewall

D.

location of the firewall within the network

Buy Now
Questions 355

Which of the following should be an IS auditor ' s PRIMARY consideration when determining which issues to include in an audit report?

Options:

A.

Professional skepticism

B.

Management ' s agreement

C.

Materiality

D.

Inherent risk

Buy Now
Questions 356

An organization has introduced a capability maturity model to the system development life cycle (SDLC) to measure improvements. Which of the following is the BEST indication of successful process improvement?

Options:

A.

Evaluation results align with defined business goals

B.

Process maturity reaches the highest state of process optimization.

C.

Evaluation results exceed process maturity benchmarks against competitors.

D.

Processes demonstrate the mitigation of inherent business risk.

Buy Now
Questions 357

An IS auditor has been asked to advise on measures to improve IT governance within the organization. Which at the following is the BEST recommendation?

Options:

A.

Implement key performance indicators (KPIs)

B.

Implement annual third-party audits.

C.

Benchmark organizational performance against industry peers.

D.

Require executive management to draft IT strategy

Buy Now
Questions 358

Attribute sampling is BEST suited to estimate:

Options:

A.

the true monetary value of a population.

B.

the total error amount in the population.

C.

the degree of compliance with approved procedures

D.

standard deviation from the mean.

Buy Now
Questions 359

Which of the following security measures is MOST important for protecting Internet of Things (IoT) devices from potential cyberattacks?

Options:

A.

Logging and monitoring network traffic

B.

Confirming firmware compliance to current security requirements

C.

Changing default passwords

D.

Reviewing and updating the network diagram on a regular basis

Buy Now
Questions 360

Which of the following is MOST helpful to an IS auditor reviewing the alignment of planned IT budget with the organization ' s goals and strategic objectives?

Options:

A.

Enterprise architecture (EA)

B.

Business impact analysis (BIA)

C.

Risk assessment report

D.

Audit recommendations

Buy Now
Questions 361

Which of the following should an IS auditor ensure is classified at the HIGHEST level of sensitivity?

Options:

A.

Server room access history

B.

Emergency change records

C.

IT security incidents

D.

Penetration test results

Buy Now
Questions 362

An organization ' s payroll department recently implemented a new Software as a Service (SaaS) tool for payment processing. Which of the following audits is MOST appropriate for an IS auditor to validate that the new tool is configured as expected to meet performance requirements?

Options:

A.

Financial audit

B.

Administrative audit

C.

Functional audit

D.

Compliance audit

Buy Now
Questions 363

An organization recently migrated Us data warehouse from a legacy system to a different architecture in the cloud. Which of the following should be of GREATEST concern to the IS auditor reviewing the new data architecture?

Options:

A.

The data was not cleansed before moving to the cloud data warehouse.

B.

The cloud data warehouse uses a hybrid cloud architecture.

C.

The migration analyst is not fully trained on the new tools.

D.

The data is stored in a multi-tenant environment.

Buy Now
Questions 364

A review of an organization’s IT portfolio revealed several applications that are not in use. The BEST way to prevent this situation from recurring would be to implement.

Options:

A.

A formal request for proposal (RFP) process

B.

Business case development procedures

C.

An information asset acquisition policy

D.

Asset life cycle management.

Buy Now
Questions 365

Which of the following is the BEST point in time to conduct a post-implementation review?

Options:

A.

After a full processing cycle

B.

Immediately after deployment

C.

After the warranty period

D.

Prior to the annual performance review

Buy Now
Questions 366

A system experiences multiple recurring processing errors. Which of the following is the PRIMARY concern for an IS auditor?

Options:

A.

Inefficient incident management

B.

Lack of problem management

C.

Lack of change management

D.

Inefficient project management

Buy Now
Questions 367

Which of the following findings should be an IS auditor’s GREATEST concern when reviewing a project to migrate confidential data backups to a cloud-based solution?

Options:

A.

Lack of chain of custody for retired backup media

B.

Insufficient scalability

C.

Insufficient due diligence performed on the vendor

D.

Increased storage cost

Buy Now
Questions 368

An IS auditor has found that an organization is unable to add new servers on demand in a cost-efficient manner. Which of the following is the auditor ' s BEST recommendation?

Options:

A.

Increase the capacity of existing systems.

B.

Upgrade hardware to newer technology.

C.

Hire temporary contract workers for the IT function.

D.

Build a virtual environment.

Buy Now
Questions 369

A mission-critical application utilizes a one-node database server. On multiple occasions, the database service has been stopped to perform routine patching, causing application outages. Which of the following should be the IS auditor’s GREATEST concern?

Options:

A.

Revenue lost due to application outages

B.

Patching performed by the vendor

C.

A large number of scheduled database changes

D.

The presence of a single point of failure

Buy Now
Questions 370

Which of the following is the BEST indication that there are potential problems within an organization ' s IT service desk function?

Options:

A.

Undocumented operating procedures

B.

Lack of segregation of duties

C.

An excessive backlog of user requests

D.

Lack of key performance indicators (KPIs)

Buy Now
Questions 371

During a project audit, an IS auditor notes that project reporting does not accurately reflect current progress. Which of the following is the GREATEST resulting impact?

Options:

A.

The project manager will have to be replaced.

B.

The project reporting to the board of directors will be incomplete.

C.

The project steering committee cannot provide effective governance.

D.

The project will not withstand a quality assurance (QA) review.

Buy Now
Questions 372

When planning a review of IT governance, an IS auditor is MOST likely to:

Options:

A.

assess whether business process owner responsibilities are consistent.

B.

obtain information about the control framework adopted by management.

C.

examine audit committee minutes for IT-related controls.

D.

define key performance indicators (KPIs).

Buy Now
Questions 373

Which of the following BEST helps to establish that digital evidence is in its original form and has not been tampered with?

Options:

A.

Imaging of digital media.

B.

Write-protecting media.

C.

Hash values.

D.

Chain of custody.

Buy Now
Questions 374

An organization ' s information security policies should be developed PRIMARILY on the basis of:

Options:

A.

enterprise architecture (EA).

B.

industry best practices.

C.

a risk management process.

D.

past information security incidents.

Buy Now
Questions 375

Which of the following controls would BEST help a forensic investigator prevent modifications in digital evidence?

Options:

A.

Write-protecting media that contains evidence

B.

Creating digital images of the media that contains evidence

C.

Generating hash values of evidence files on media

D.

Maintaining the chain of custody for digital evidence

Buy Now
Questions 376

Which of the following is the MOST appropriate responsibility of an IS auditor involved in a data center renovation project?

Options:

A.

Performing independent reviews of responsible parties engaged in the project

B.

Shortlisting vendors to perform renovations

C.

Ensuring the project progresses as scheduled and milestones are achieved

D.

Implementing data center operational controls

Buy Now
Questions 377

An organization plans to centrally decommission end-of-life databases and migrate the data to the latest model of hardware. Which of the following BEST ensures data integrity is preserved during the migration?

Options:

A.

Reconciling sample data to most recent backups

B.

Obfuscating confidential data

C.

Encrypting the data

D.

Comparing checksums

Buy Now
Questions 378

Which of the following is the MOST important reason to classify a disaster recovery plan (DRP) as confidential?

Options:

A.

Ensure compliance with the data classification policy.

B.

Protect the plan from unauthorized alteration.

C.

Comply with business continuity best practice.

D.

Reduce the risk of data leakage that could lead to an attack.

Buy Now
Questions 379

Secure code reviews as part of a continuous deployment program are which type of control?

Options:

A.

Detective

B.

Logical

C.

Preventive

D.

Corrective

Buy Now
Questions 380

Which of the following should an IS auditor perform FIRST when auditing an outsourced human resource application?

Options:

A.

Verify that fees billed for the service are appropriate to the work performed.

B.

Review the terms and provisions in the contract.

C.

Implement data access rights consistent with the organization’s security policy.

D.

Verify that security incident reports are issued in a timely manner.

Buy Now
Questions 381

The PRIMARY objective of value delivery in reference to IT governance is to:

Options:

A.

promote best practices

B.

increase efficiency.

C.

optimize investments.

D.

ensure compliance.

Buy Now
Questions 382

Which of the following is the MOST important prerequisite for implementing a data loss prevention (DLP) tool?

Options:

A.

Requiring users to save files in secured folders instead of a company-wide shared drive

B.

Reviewing data transfer logs to determine historical patterns of data flow

C.

Developing a DLP policy and requiring signed acknowledgment by users

D.

Identifying where existing data resides and establishing a data classification matrix

Buy Now
Questions 383

Which of the following concerns is BEST addressed by securing production source libraries?

Options:

A.

Programs are not approved before production source libraries are updated.

B.

Production source and object libraries may not be synchronized.

C.

Changes are applied to the wrong version of production source libraries.

D.

Unauthorized changes can be moved into production.

Buy Now
Questions 384

Which of the following BEST facilitates the legal process in the event of an incident?

Options:

A.

Right to perform e-discovery

B.

Advice from legal counsel

C.

Preserving the chain of custody

D.

Results of a root cause analysis

Buy Now
Questions 385

Which of the following is the MAJOR advantage of automating internal controls?

Options:

A.

To enable the review of large value transactions

B.

To efficiently test large volumes of data

C.

To help identity transactions with no segregation of duties

D.

To assist in performing analytical reviews

Buy Now
Questions 386

An organization is concerned about duplicate vendor payments on a complex system with a high volume of transactions. Which of the following would be MOST helpful to an IS auditor to determine whether duplicate vendor payments exist?

Options:

A.

Computer-assisted technique

B.

Stratified sampling

C.

Statistical sampling

D.

Process walk-through

Buy Now
Questions 387

Which of the following is the BEST way to sanitize a hard disk for reuse to ensure the organization ' s information cannot be accessed?

Options:

A.

Re-partitioning

B.

Degaussing

C.

Formatting

D.

Data wiping

Buy Now
Questions 388

During an organization ' s implementation of a data loss prevention (DLP) solution, which of the following activities should be completed FIRST?

Options:

A.

Configuring reports

B.

Configuring rule sets

C.

Enabling detection points

D.

Establishing exceptions workflow

Buy Now
Questions 389

An organization saves confidential information in a file with password protection and the file is placed in a shared folder. An attacker has stolen this information by obtaining the password through social engineering. Implementing which of the following would BEST enable the organization to prevent this type of incident in the future?

Options:

A.

Multi-factor authentication (MFA)

B.

Security awareness programs for employees

C.

Access history log review by the business manager

D.

File encryption along with password protection

Buy Now
Questions 390

The PRIMARY focus of a post-implementation review is to verify that:

Options:

A.

enterprise architecture (EA) has been complied with.

B.

user requirements have been met.

C.

acceptance testing has been properly executed.

D.

user access controls have been adequately designed.

Buy Now
Questions 391

What Is the BEST method to determine if IT resource spending is aligned with planned project spending?

Options:

A.

Earned value analysis (EVA)

B.

Return on investment (ROI) analysis

C.

Gantt chart

D.

Critical path analysis

Buy Now
Questions 392

When building or upgrading enterprise cryptographic infrastructure, which of the following is the MOST critical requirement for growing business environments?

Options:

A.

Service discovery

B.

Backup and restoration capabilities

C.

Network throttling

D.

Scalable architectures and systems

Buy Now
Questions 393

A small organization has cut costs by reducing IT positions and consolidating a large number of critical responsibilities into the role of its most senior IT engineer. Which of the following is the PRIMARY risk in this situation?

Options:

A.

The consolidated role will result in a lack of resource optimization.

B.

The consolidation of the role creates limited authority.

C.

The consolidated responsibilities do not allow for appropriate separation of duties.

D.

The consolidation of the responsibilities will weaken succession planning.

Buy Now
Questions 394

What should an IS auditor evaluate FIRST when reviewing an organization ' s response to new privacy legislation?

Options:

A.

Implementation plan for restricting the collection of personal information

B.

Privacy legislation in other countries that may contain similar requirements

C.

Operational plan for achieving compliance with the legislation

D.

Analysis of systems that contain privacy components

Buy Now
Questions 395

When auditing the closing stages of a system development protect which of the following should be the MOST important consideration?

Options:

A.

Control requirements

B.

Rollback procedures

C.

Functional requirements documentation

D.

User acceptance lest (UAT) results

Buy Now
Questions 396

An IS auditor is assigned to review the IS department s quality procedures. Upon contacting the IS manager, the auditor finds that there is an informal unwritten set of standards Which of the following should be the auditor ' s NEXT action1?

Options:

A.

Make recommendations to IS management as to appropriate quality standards

B.

Postpone the audit until IS management implements written standards

C.

Document and lest compliance with the informal standards

D.

Finalize the audit and report the finding

Buy Now
Questions 397

Which of the following is the MOST efficient way to identify separation of duties violations in a new system?

Options:

A.

Review process flow diagrams.

B.

Examine recent system access rights violations.

C.

Interview staff to identify authorization conflicts.

D.

Review an automated report of user privileges.

Buy Now
Questions 398

Which of the following findings from a network security review presents the GREATEST risk to the organization?

Options:

A.

There are shared administrator accounts on internet-facing routers.

B.

An internet server in the demilitarized zone (DMZ) hosts a test web page.

C.

Operating system patches released last week have not been applied.

D.

The intrusion detection system (IDS) has pending updates from within the last week.

Buy Now
Questions 399

Which of the following public key infrastructure (PKI) elements provides detailed descriptions for dealing with a compromised private key?

Options:

A.

Certification practice statement

B.

Certificate policy

C.

PKI disclosure statement

D.

Certificate revocation list

Buy Now
Questions 400

Which type of control has been established when an organization implements a security information and event management (SIEM) system?

Options:

A.

Preventive

B.

Detective

C.

Directive

D.

Corrective

Buy Now
Questions 401

An organization has developed processes to recover critical files in the event of a ransomware attack. Which type of control do these processes represent?

Options:

A.

Compensating

B.

Preventive

C.

Detective

D.

Corrective

Buy Now
Questions 402

Which of the following is the BEST evidence that an organization ' s IT strategy is aligned lo its business objectives?

Options:

A.

The IT strategy is modified in response to organizational change.

B.

The IT strategy is approved by executive management.

C.

The IT strategy is based on IT operational best practices.

D.

The IT strategy has significant impact on the business strategy

Buy Now
Questions 403

Which of the following is the BEST reason to implement a data retention policy?

Options:

A.

To limit the liability associated with storing and protecting information

B.

To document business objectives for processing data within the organization

C.

To assign responsibility and ownership for data protection outside IT

D.

To establish a recovery point detective (RPO) for (toaster recovery procedures

Buy Now
Questions 404

Which of the following applications has the MOST inherent risk and should be prioritized during audit planning?

Options:

A.

A decommissioned legacy application

B.

An onsite application that is unsupported

C.

An outsourced accounting application

D.

An internally developed application

Buy Now
Questions 405

Which of the following system redundancy configurations BEST improves system resiliency and reduces the possibility of a single cause of failure impacting system dependability?

Options:

A.

Active redundancy

B.

Homogeneous redundancy

C.

Diverse redundancy

D.

Passive redundancy

Buy Now
Questions 406

Which of the following can only be provided by asymmetric encryption?

Options:

A.

Information privacy

B.

256-brt key length

C.

Data availability

D.

Nonrepudiation

Buy Now
Questions 407

which of the following is a core functionality of a configuration and release management system?

Options:

A.

Managing privileged access to databases servers and infrastructure

B.

Identifying vulnerabilities in configuration settings

C.

Deploying a configuration change to the sandbox environment

D.

Identifying other configuration items that will be impacted by a given change

Buy Now
Questions 408

Which of the following network topologies will provide the GREATEST fault tolerance?

Options:

A.

Star configuration

B.

Ring configuration

C.

Bus configuration

D.

Mesh configuration

Buy Now
Questions 409

Which of the following is the BEST example of continuous auditing?

Options:

A.

Periodic confirmation that controls are operating effectively.

B.

Periodic touchpoints to identify emerging risks.

C.

Continuous feedback provided to management on controls.

D.

Ongoing assessments that evaluate the fulfillment of service level objectives.

Buy Now
Questions 410

A review of IT interface controls finds an organization does not have a process to identify and correct records that do not get transferred to the receiving system. Which of the following is the IS

auditor ' s BEST recommendation?

Options:

A.

Enable automatic encryption, decryption, and electronic signing of data files.

B.

Automate the transfer of data between systems as much as is feasible.

C.

Have coders perform manual reconciliation of data between systems.D

D.

Implement software to perform automatic reconciliations of data between systems.

Buy Now
Questions 411

An organization has replaced its call center with Al chatbots that autonomously learn new responses through internet queries and customer conversation history. Which of the following would an IS auditor tasked with verifying IT controls consider to be the GREATEST risk?

Options:

A.

The model may not result in expected efficiencies.

B.

The model ' s operations may be difficult for the IT team to document.

C.

The model may not generate accurate responses due to overfitting.

D.

It may be difficult to audit the model due to the lack of a suitable framework.

Buy Now
Questions 412

After the merger of two organizations, which of the following is the MOST important task for an IS auditor to perform?

Options:

A.

Verifying that access privileges have been reviewed

B.

investigating access rights for expiration dates

C.

Updating the continuity plan for critical resources

D.

Updating the security policy

Buy Now
Questions 413

Which of the following is a PRIMARY purpose of a privacy notice?

Options:

A.

To indemnify the organization against litigation by users for the appropriation of personal information

B.

To establish the organization’s accountability for the use and protection of personal information

C.

To obtain approval for the sale of personal information to third-party organizations

D.

To ensure that the organization’s privacy controls comply with the privacy laws of the user’s region

Buy Now
Questions 414

An IS auditor is assessing an organization ' s DevSecOps approach. Which of the following BEST indicates a proactive approach to identifying vulnerabilities?

Options:

A.

Integration of automated security testing tools into the continuous integration/continuous delivery (CI/CD) process

B.

Open-source dependency checks within continuous integration/continuous delivery (CI/CD) process

C.

Use of the most current development frameworks and libraries

D.

Post-implementation vulnerability scans on application deployments

Buy Now
Questions 415

Which of the following is the PRIMARY purpose of a rollback plan for a system change?

Options:

A.

To ensure steps exist to remove the change if necessary

B.

To ensure testing can be re-performed if required

C.

To ensure a backup exists before implementing a change

D.

To ensure the system change is effective

Buy Now
Questions 416

Which of the following is the MOST important consideration when evaluating the data retention policy for a global organization with regional offices in multiple countries?

Options:

A.

The policy aligns with corporate policies and practices.

B.

The policy aligns with global best practices.

C.

The policy aligns with business goals and objectives.

D.

The policy aligns with local laws and regulations.

Buy Now
Questions 417

The PRIMARY reason to perform internal quality assurance (QA) for an internal audit function is to ensure:

Options:

A.

Internal audit activity conforms with audit standards and methodology.

B.

The audit function is adequately governed and meets performance metrics.

C.

Inherent risk in audits is minimized.

D.

Audit resources are used most effectively.

Buy Now
Questions 418

An employee approaches an IS auditor and expresses concern about a critical security issue in a newly installed application. Which of the following should the auditor do FIRST?

Options:

A.

Recommend reverting to the previous application.

B.

Discuss the concern with audit management.

C.

Conduct a review of the application.

D.

Disclose the concern to legal counsel.

Buy Now
Questions 419

In which phase of the internal audit process is contact established with the individuals responsible for the business processes in scope for review?

Options:

A.

Planning phase

B.

Execution phase

C.

Follow-up phase

D.

Selection phase

Buy Now
Questions 420

Which of the following BEST enables an organization to standardize its IT infrastructure to align with business goals?

Options:

A.

Enterprise architecture (EA)

B.

Operational technologies

C.

Data architecture

D.

Robotic process automation (RPA)

Buy Now
Questions 421

An organization that has suffered a cyber-attack is performing a forensic analysis of the affected users ' computers. Which of the following should be of GREATEST concern for the IS auditor reviewing this process?

Options:

A.

An imaging process was used to obtain a copy of the data from each computer.

B.

The legal department has not been engaged.

C.

The chain of custody has not been documented.

D.

Audit was only involved during extraction of the Information

Buy Now
Questions 422

When reviewing past results of a recurring annual audit, an IS auditor notes that findings may not have been reported and independence may not have been maintained. Which of the following is the auditor ' s BEST course of action?

Options:

A.

Inform senior management.

B.

Reevaluate internal controls.

C.

Inform audit management.

D.

Re-perform past audits to ensure independence.

Buy Now
Questions 423

Which of the following should an IS auditor consider the MOST significant risk associated with a new health records system that replaces a legacy system?

Options:

A.

Staff were not involved in the procurement process, creating user resistance to the new system.

B.

Data is not converted correctly, resulting in inaccurate patient records.

C.

The deployment project experienced significant overruns, exceeding budget projections.

D.

The new system has capacity issues, leading to slow response times for users.

Buy Now
Questions 424

During a project assessment, an IS auditor finds that business owners have been removed from the project initiation phase. Which of the following should be the auditor ' s GREATEST concern with this situation?

Options:

A.

Unrealistic milestones

B.

Inadequate deliverables

C.

Unclear benefits

D.

Incomplete requirements

Buy Now
Questions 425

Who is PRIMARILY responsible for the design of IT controls to meet control objectives?

Options:

A.

Risk management

B.

Business management

C.

IT manager

D.

Internal auditor

Buy Now
Questions 426

Which of the following is the PRIMARY advantage of using an automated security log monitoring tool over a manual review to monitor the use of privileged access?

Options:

A.

Increased likelihood of detecting suspicious activity

B.

Reduced costs associated with automating the review

C.

Improved incident response time

D.

Reduced manual effort of reviewing logs

Buy Now
Questions 427

An IS auditor discovers from patch logs that some in-scope systems are not compliant with the regular patching schedule. What should the auditor do NEXT?

Options:

A.

Interview IT management to clarify the current procedure.

B.

Report this finding to senior management.

C.

Review the organization ' s patch management policy.

D.

Request a plan of action to be established as a follow-up item.

Buy Now
Questions 428

Which of the following is the MOST important control for virtualized environments?

Options:

A.

Regular updates of policies for the operation of the virtualized environment

B.

Hardening for the hypervisor and guest machines

C.

Redundancy of hardware resources and network components

D.

Monitoring utilization of resources at the guest operating system level

Buy Now
Questions 429

When an intrusion into an organization network is deleted, which of the following should be done FIRST?

Options:

A.

Block all compromised network nodes.

B.

Contact law enforcement.

C.

Notify senior management.

D.

Identity nodes that have been compromised.

Buy Now
Questions 430

The PRIMARY purpose of an incident response plan is to:

Options:

A.

reduce the impact of an adverse event on information assets.

B.

increase the effectiveness of preventive controls.

C.

reduce the maximum tolerable downtime (MTD) of impacted systems.

D.

increase awareness of impacts from adverse events to IT systems.

Buy Now
Questions 431

From an IS auditor ' s perspective, which of the following would be the GREATEST risk associated with an incomplete inventory of deployed software in an organization?

Options:

A.

Inability to close unused ports on critical servers

B.

Inability to identify unused licenses within the organization

C.

Inability to deploy updated security patches

D.

Inability to determine the cost of deployed software

Buy Now
Questions 432

Which of the following is the PRIMARY purpose of enterprise architecture (EA) within an organization?

Options:

A.

To design and implement individual IT systems

B.

To oversee network security protocols

C.

To design and manage day-to-day IT operations

D.

To structure IT projects to achieve desired business results

Buy Now
Questions 433

An organization is shifting to a remote workforce In preparation the IT department is performing stress and capacity testing of remote access infrastructure and systems What type of control is being implemented?

Options:

A.

Directive

B.

Detective

C.

Preventive

D.

Compensating

Buy Now
Questions 434

An outsourced recruitment vendor processes personally identifiable information (PII) related to an organization’s new hires. Which of the following would be the GREATEST concern to an IS auditor reviewing the third-party risk management process?

Options:

A.

The vendor collects data using an external-facing web service.

B.

The vendor lacks a team of dedicated privacy professionals.

C.

The vendor uses a fourth party to host client data.

D.

The vendor is excluded from the third-party due diligence process.

Buy Now
Questions 435

An organization has recently acquired and implemented intelligent-agent software for granting loans to customers. During the post-implementation review, which of the following is the MOST important procedure for the IS auditor to perform?

Options:

A.

Review system and error logs to verify transaction accuracy.

B.

Review input and output control reports to verify the accuracy of the system decisions.

C.

Review signed approvals to ensure responsibilities for decisions of the system are well defined.

D.

Review system documentation to ensure completeness.

Buy Now
Questions 436

Which of the following is the BEST compensating control against separation of duties conflicts in new code development?

Options:

A.

Post-implementation change review

B.

Adding the developers to the change approval board

C.

Creation of staging environments

D.

A small number of people have access to deploy code

Buy Now
Questions 437

An IS auditor is reviewing the service management of an outsourced help desk. Which of the following is the BEST indicator of how effectively the service provider is performing this function?

Options:

A.

Average ticket age

B.

Number of calls worked

C.

Customer satisfaction ratings

D.

Call transcript reviews

Buy Now
Questions 438

An organization is planning an acquisition and has engaged an IS auditor lo evaluate the IT governance framework of the target company. Which of the following would be MOST helpful In determining the effectiveness of the framework?

Options:

A.

Sell-assessment reports of IT capability and maturity

B.

IT performance benchmarking reports with competitors

C.

Recent third-party IS audit reports

D.

Current and previous internal IS audit reports

Buy Now
Questions 439

Which of the following is the MOST important activity in the data classification process?

Options:

A.

Labeling the data appropriately

B.

Identifying risk associated with the data

C.

Determining accountability of data owners

D.

Determining the adequacy of privacy controls

Buy Now
Questions 440

What is the GREATEST concern for an IS auditor reviewing contracts for licensed software that executes a critical business process?

Options:

A.

The contract does not contain a right-to-audit clause.

B.

An operational level agreement (OLA) was not negotiated.

C.

Several vendor deliverables missed the commitment date.

D.

Software escrow was not negotiated.

Buy Now
Questions 441

Which of the following would be MOST helpful to an IS auditor performing a risk assessment of an application programming interface (API) that feeds credit scores from a well-known commercial credit agency into an organizational system?

Options:

A.

A data dictionary of the transferred data

B.

A technical design document for the interface configuration

C.

The most recent audit report from the credit agency

D.

The approved business case for the API

Buy Now
Questions 442

The FIRST step in auditing a data communication system is to determine:

Options:

A.

traffic volumes and response-time criteria

B.

physical security for network equipment

C.

the level of redundancy in the various communication paths

D.

business use and types of messages to be transmitted

Buy Now
Questions 443

An IS auditor should look for which of the following to ensure the risk associated with scope creep has been mitigated during software development?

Options:

A.

Source code version control

B.

Project change management controls

C.

Existence of an architecture review board

D.

Configuration management

Buy Now
Questions 444

Which of the following is the MOST significant risk when an application uses individual end-user accounts to access the underlying database?

Options:

A.

Multiple connects to the database are used and slow the process_

B.

User accounts may remain active after a termination.

C.

Users may be able to circumvent application controls.

D.

Application may not capture a complete audit trail.

Buy Now
Questions 445

When selecting a new data loss prevention (DLP) solution, the MOST important consideration is that the solution:

Options:

A.

is cost effective and meets proposed return on investment (ROI) criteria.

B.

provides comprehensive reporting and alerting features with detailed insights on data movements.

C.

is compatible with legacy IT infrastructure and integrates with other security tools.

D.

identifies and safeguards confidential information from unauthorized transmission.

Buy Now
Questions 446

Which of the following is the MOST efficient way to identify segregation of duties violations in a new system?

Options:

A.

Review a report of security rights in the system.

B.

Observe the performance of business processes.

C.

Develop a process to identify authorization conflicts.

D.

Examine recent system access rights violations.

Buy Now
Questions 447

What should an IS auditor ensure when a financial organization intends to utilize production data in the testing environment?

Options:

A.

The data utilized is de-identified.

B.

The data utilized is accurate.

C.

The data utilized is complete.

D.

The data utilized is current.

Buy Now
Questions 448

When processing speed is the highest priority, which cryptographic algorithm should be used to verify the integrity of a bit-for-bit copy from digital evidence?

Options:

A.

MD5

B.

SHA-1

C.

AES

D.

SHA-2

Buy Now
Questions 449

Which of the following should be of GREATEST concern to an IS auditor when using data analytics?

Options:

A.

The data source lacks integrity.

B.

The data analytics software is open source.

C.

The data set contains irrelevant fields.

D.

The data was not extracted by the auditor.

Buy Now
Questions 450

Several unattended laptops containing sensitive customer data were stolen from personnel offices Which of the following would be an IS auditor ' s BEST recommendation to protect data in case of recurrence?

Options:

A.

Encrypt the disk drive.

B.

Require two-factor authentication

C.

Enhance physical security

D.

Require the use of cable locks

Buy Now
Questions 451

Which of the following is the BEST metric to measure the quality of software developed in an organization?

Options:

A.

Amount of successfully migrated software changes

B.

Reduction in the help desk budget

C.

Number of defects discovered in production

D.

Increase in quality assurance (QA) activities

Buy Now
Questions 452

Which of the following is the MOST important determining factor when establishing appropriate timeframes for follow-up activities related to audit findings?

Options:

A.

Availability of IS audit resources

B.

Remediation dates included in management responses

C.

Peak activity periods for the business

D.

Complexity of business processes identified in the audit

Buy Now
Questions 453

Which of the following should be the role of internal audit in an organization’s move to the cloud?

Options:

A.

Mitigating risk to an acceptable level.

B.

Assessing key controls that support the migration.

C.

Implementing security controls for data prior to migration.

D.

Identifying impacts to organizational budgets and resources.

Buy Now
Questions 454

Which of the following MOST effectively minimizes downtime during system conversions?

Options:

A.

Phased approach

B.

Direct cutover

C.

Pilot study

D.

Parallel run

Buy Now
Questions 455

The PRIMARY reason for an IS auditor to use data analytics techniques is to reduce which type of audit risk?

Options:

A.

Technology risk

B.

Detection risk

C.

Control risk

D.

Inherent risk

Buy Now
Questions 456

An IS auditor follows up on a recent security incident and finds the incident response was not adequate. Which of the following findings should be considered MOST critical?

Options:

A.

The security weakness facilitating the attack was not identified.

B.

The attack was not automatically blocked by the intrusion detection system (IDS).

C.

The attack could not be traced back to the originating person.

D.

Appropriate response documentation was not maintained.

Buy Now
Questions 457

An IS auditor notes that not all security tests were completed for an online sales system recently promoted to production. Which of the following is the auditor ' s BEST course of action?

Options:

A.

Determine exposure to the business

B.

Adjust future testing activities accordingly

C.

Increase monitoring for security incidents

D.

Hire a third party to perform security testing

Buy Now
Questions 458

A finance department has a two-year project to upgrade the enterprise resource planning (ERP) system hosting the general ledger in year one the system version upgrade will be applied and in year two business processes will be updated to implement new system functionality. Which of the following should be the PRIMARY focus of an IS auditor reviewing the second year of the implementation ' ?

Options:

A.

Data migration

B.

Sociability testing

C.

User acceptance testing (UAT)

D.

Initial user access provisioning

Buy Now
Questions 459

During an audit of payment services of a branch based in a foreign country, a large global bank ' s audit team identifies an opportunity to use data analytics techniques to identify abnormal payments. Which of the following is the team ' s MOST important course of action?

Options:

A.

Consult the legal department to understand the procedure for requesting data from a different jurisdiction.

B.

Conduct a walk through of the analytical strategy with stakeholders of the audited branch to obtain their buy-in.

C.

Request the data from the branch as the team audit charter covers the country where it is based.

D.

Agree on a data extraction and sharing strategy with the IT team of the audited branch.

Buy Now
Questions 460

Which of the following presents the GREATEST challenge to the alignment of business and IT?

Options:

A.

Lack of chief information officer (CIO) involvement in board meetings

B.

Insufficient IT budget to execute new business projects

C.

Lack of information security involvement in business strategy development

D.

An IT steering committee chaired by the chief information officer (CIO)

Buy Now
Questions 461

Which of the following should be of GREATEST concern for an IS auditor reviewing an organization ' s disaster recovery plan (DRP)?

Options:

A.

The DRP has not been formally approved by senior management.

B.

The DRP has not been distributed to end users.

C.

The DRP has not been updated since an IT infrastructure upgrade.

D.

The DRP contains recovery procedures for critical servers only.

Buy Now
Questions 462

What should be the PRIMARY basis for selecting which IS audits to perform in the coming year?

Options:

A.

Senior management ' s request

B.

Prior year ' s audit findings

C.

Organizational risk assessment

D.

Previous audit coverage and scope

Buy Now
Questions 463

In which of the following system development life cycle (SDLC) phases would an IS auditor expect to find that controls have been incorporated into system specifications?

Options:

A.

Implementation

B.

Development

C.

Feasibility

D.

Design

Buy Now
Questions 464

When reviewing whether IT investments are meeting business objectives, which of the following evaluations would be MOST useful?

Options:

A.

A break-even analysis

B.

Realized return on investment (ROI) versus projected ROI

C.

Budgeted spend versus actual spend

D.

Actual return on investment (ROI) versus industry average ROI

Buy Now
Questions 465

Upon completion of a penetration test with findings for an IT system, the NEXT step should be:

Options:

A.

Vulnerability scanning and reconfirmation.

B.

Analyzing all changes made to the system.

C.

Remediation and retesting.

D.

Maintaining the confidentiality of the testing report.

Buy Now
Questions 466

An IS auditor is reviewing an artificial intelligence (Al) and expert system application. The system has produced several critical errors with severe impact. Which of the following should the IS auditor do NEXT to understand the cause of the errors?

Options:

A.

Review the decision-making logic built into the system.

B.

Interview the system owner.

C.

Understand the purpose and functionality of the system.

D.

Verify system adherence to corporate policy.

Buy Now
Questions 467

In a data center audit, an IS auditor finds that the humidity level is very low. The IS auditor would be MOST concerned because of an expected increase in:

Options:

A.

risk of fire.

B.

backup tape failures.

C.

static electricity problems.

D.

employee discomfort.

Buy Now
Questions 468

An IS auditor who was instrumental in designing an application is called upon to review the application. The auditor should:

Options:

A.

refuse the assignment to avoid conflict of interest.

B.

use the knowledge of the application to carry out the audit.

C.

inform audit management of the earlier involvement.

D.

modify the scope of the audit.

Buy Now
Questions 469

Which of the following should be of GREATEST concern to an IS auditor assessing the effectiveness of an organization ' s vulnerability scanning program ' '

Options:

A.

Steps taken to address identified vulnerabilities are not formally documented

B.

Results are not reported to individuals with authority to ensure resolution

C.

Scans are performed less frequently than required by the organization ' s vulnerability scanning schedule

D.

Results are not approved by senior management

Buy Now
Questions 470

A cloud access security broker (CASB) administers the user access of a Software as a Service {SaaS) on behalf of the customer organization. When conducting an audit of the service, which of the following is MOST important for the IS auditor to confirm?

Options:

A.

The CASB logs the access request as a service record that is reviewed after granting access.

B.

The CASB verifies the access request from a named customer contact before granting access.

C.

The CASB manages secure access to the federated directory service used by the SaaS application.

D.

The CASB conducts periodic audits of access requests to ensure compliance with customer policy.

Buy Now
Questions 471

Which of the following findings should be of GREATEST concern for an IS auditor when auditing the effectiveness of a phishing simu-lation test administered for staff members?

Options:

A.

Staff members who failed the test did not receive follow-up education

B.

Test results were not communicated to staff members.

C.

Staff members were not notified about the test beforehand.

D.

Security awareness training was not provided prior to the test.

Buy Now
Questions 472

Which of the following is the BEST review for an IS auditor to conduct when a vulnerability has been exploited by an employee?

Options:

A.

Compliance audit

B.

Application security testing

C.

Forensic audit

D.

Penetration testing

Buy Now
Questions 473

When auditing IT organizational structure, which of the following findings presents the GREATEST risk to an organization?

Options:

A.

Significantly higher turnover

B.

Lack of customer satisfaction surveys

C.

Aging staff

D.

Increase in the frequency of software upgrades

Buy Now
Questions 474

An IS auditor finds a segregation of duties issue in an enterprise resource planning (ERP) system. Which of the following is the BEST way to prevent the misconfiguration from recurring?

Options:

A.

Monitoring access rights on a regular basis

B.

Referencing a standard user-access matrix

C.

Granting user access using a role-based model

D.

Correcting the segregation of duties conflicts

Buy Now
Questions 475

Which of the following controls is MOST important for ensuring the integrity of system interfaces?

Options:

A.

Periodic audits

B.

File counts

C.

File checksums

D.

IT operator monitoring

Buy Now
Questions 476

Which of the following BEST enables the timely identification of risk exposure?

Options:

A.

External audit review

B.

Internal audit review

C.

Control self-assessment (CSA)

D.

Stress testing

Buy Now
Questions 477

Which of the following is the MOST important consideration for a contingency facility?

Options:

A.

The contingency facility has the same badge access controls as the primary site.

B.

Both the contingency facility and the primary site have the same number of business assets in their inventory.

C.

The contingency facility is located a sufficient distance away from the primary site.

D.

Both the contingency facility and the primary site are easily identifiable.

Buy Now
Questions 478

Which of the following is MOST critical to the success of an information security program?

Options:

A.

Management ' s commitment to information security

B.

User accountability for information security

C.

Alignment of information security with IT objectives

D.

Integration of business and information security

Buy Now
Questions 479

Which of the following would BEST protect the confidentiality of sensitive data in transit between multiple offices?

Options:

A.

Hash algorithms

B.

Digital signatures

C.

Public key infrastructure (PKI)

D.

Kerberos

Buy Now
Exam Code: CISA
Exam Name: Certified Information Systems Auditor
Last Update: Jul 19, 2026
Questions: 1598

PDF + Testing Engine

$249

Testing Engine

$225

PDF (Q&A)

$199