Which of the following would be of GREATEST concern when reviewing an organization's security information and event management (SIEM) solution?
An audit identified that a computer system is not assigning sequential purchase order numbers to order requests. The IS auditor is conducting an audit follow-up to determine if management has resolved this finding. Which of the following is the MOST reliable follow-up procedure?
Which of the following should be of GREATEST concern for an IS auditor reviewing an organization's disaster recovery plan (DRP)?
What should an IS auditor do FIRST when management responses to an in-person internal control questionnaire indicate a key internal control is no longer effective?
Which of the following is the BEST compensating control when segregation of duties is lacking in a small IS department?
An audit has identified that business units have purchased cloud-based applications without IT's support. What is the GREATEST risk associated with this situation?
In a controlled application development environment, the MOST important segregation of duties should be between the person who implements changes into the production environment and the:
An IS auditor is reviewing documentation of application systems change control and identifies several patches that were not tested before being put into production. Which of the following is the MOST significant risk from this situation?
An IS auditor notes that the previous year's disaster recovery test was not completed within the scheduled time frame due to insufficient hardware allocated by a third-party vendor. Which of the following provides the BEST evidence that adequate resources are now allocated to successfully recover the systems?
Which of the following is the BEST reason to implement a data retention policy?
Which of the following features of a library control software package would protect against unauthorized updating of source code?
Which of the following is an audit reviewer's PRIMARY role with regard to evidence?
Which of the following is a challenge in developing a service level agreement (SLA) for network services?
Which of the following audit procedures would be MOST conclusive in evaluating the effectiveness of an e-commerce application system's edit routine?
Prior to a follow-up engagement, an IS auditor learns that management has decided to accept a level of residual risk related to an audit finding without remediation. The IS auditor is concerned about management's decision. Which of the following should be the IS auditor's NEXT course of action?
When an intrusion into an organization's network is detected, which of the following should be done FIRST?
An online retailer is receiving customer complaints about receiving different items from what they ordered on the organization's website. The root cause has been traced to poor data quality. Despite efforts to clean erroneous data from the system, multiple data quality issues continue to occur. Which of the following recommendations would be the BEST way to reduce the likelihood of future occurrences?
Which of the following presents the GREATEST challenge to the alignment of business and IT?
Which of the following access rights presents the GREATEST risk when granted to a new member of the system development staff?
Which of the following IT service management activities is MOST likely to help with identifying the root cause of repeated instances of network latency?
During the planning phase of a data loss prevention (DLP) audit, management expresses a concern about mobile computing. Which of the following should the IS auditor identify as the associated risk?
Which of the following would an IS auditor recommend as the MOST effective preventive control to reduce the risk of data leakage?
Which of the following is MOST important when implementing a data classification program?
Which of the following is MOST important for an IS auditor to confirm when reviewing an organization's plans to implement robotic process automation (RPA) to automate routine business tasks?
What is the GREATEST concern for an IS auditor reviewing contracts for licensed software that executes a critical business process?
During an audit of an organization's risk management practices, an IS auditor finds several documented IT risk acceptances have not been renewed in a timely manner after the assigned expiration date. When assessing the severity of this finding, which mitigating factor would MOST significantly minimize the associated impact?
Which of the following would be MOST effective to protect information assets in a data center from theft by a vendor?
Which of the following should be the IS auditor's PRIMARY focus, when evaluating an organization's offsite storage facility?
Which of the following is the BEST way to enforce the principle of least privilege on a server containing data with different security classifications?
Management receives information indicating a high level of risk associated with potential flooding near the organization's data center within the next few years. As a result, a decision has been made to move data center operations to another facility on higher ground. Which approach has been adopted?
A credit card company has decided to outsource the printing of customer statements. It is MOST important for the company to verify whether:
What would be an IS auditor's BEST recommendation upon finding that a third-party IT service provider hosts the organization's human resources (HR) system in a foreign country?
Which of the following security measures will reduce the risk of propagation when a cyberattack occurs?
An IS auditor reviewing the database controls for a new e-commerce system discovers a security weakness in the database configuration. Which of the following should be the IS auditor's NEXT course of action?
An IS auditor has discovered that a software system still in regular use is years out of date and no longer supported. The auditee has stated that it will take six months until the software is running on the current version. Which of the following is the BEST way to reduce the immediate risk associated with using an unsupported version of the software?
Which of the following would protect the confidentiality of information sent in email messages?
What is BEST for an IS auditor to review when assessing the effectiveness of changes recently made to processes and tools related to an organization's business continuity plan (BCP)?
An IS auditor is planning an audit of an organization's accounts payable processes. Which of the following controls is MOST important to assess in the audit?
Which of the following is the MOST effective control to mitigate unintentional misuse of authorized access?
In a small IT web development company where developers must have write access to production, the BEST recommendation of an IS auditor would be to:
A new regulation requires organizations to report significant security incidents to the regulator within 24 hours of identification. Which of the following is the IS auditor's BEST recommendation to facilitate compliance with the regulation?
Which of the following is the BEST evidence that an organization's IT strategy is aligned to its business objectives?
An IS auditor finds that capacity management for a key system is being performed by IT with no input from the business. The auditor's PRIMARY concern would be:
Which of the following is the MOST important responsibility of user departments associated with program changes?
An IS auditor has been asked to advise on measures to improve IT governance within the organization. Which of the following is the BEST recommendation?
During a database management evaluation, an IS auditor discovers that some accounts with database administrator (DBA) privileges have been assigned a default password with an unlimited number of failed login attempts. Which of the following is the auditor's BEST course of action?
Recovery facilities providing a redundant combination of Internet connections to the local communications loop is an example of which type of telecommunications continuity?
Which of the following poses the GREATEST risk to an organization when employees use public social networking sites?
Which of the following is the BEST way for management to ensure the effectiveness of the cybersecurity incident response process?
Which of the following controls is MOST important for ensuring the integrity of system interfaces?
Which of the following is MOST important for an IS auditor to verify when reviewing the use of an outsourcer for disposal of storage media?
Which of the following would BEST indicate the effectiveness of a security awareness training program?
Which of the following is the PRIMARY purpose of obtaining a baseline image during an operating system audit?
An IS auditor is reviewing a data conversion project. Which of the following is the auditor's BEST recommendation prior to go-live?
Which of the following areas is MOST likely to be overlooked when implementing a new data classification process?
An IS auditor learns a server administration team regularly applies workarounds to address repeated failures of critical data processing services. Which of the following would BEST enable the organization to resolve this issue?
Which of the following is the GREATEST advantage of vulnerability scanning over penetration testing?
An IS auditor discovers a box of hard drives in a secured location that are overdue for physical destruction. The vendor responsible for this task was never made aware of these hard drives. Which of the following is the BEST course of action to address this issue?
An IS auditor is reviewing the backup procedures in an organization that has high volumes of data with frequent changes to transactions. Which of the following is the BEST backup scheme to recommend given the need for a shorter restoration time in the event of a disruption?
Which of the following is the MOST important consideration when establishing vulnerability scanning on critical IT infrastructure?
What would be the PRIMARY reason an IS auditor would recommend replacing universal PIN codes with an RFID access card system at a data center?
Which of the following analytical methods would be MOST useful when trying to identify groups with similar behavior or characteristics in a large population?
Which of the following is the MAIN responsibility of the IT steering committee?
Which of the following is an example of a preventive control for physical access?
Which of the following is the MOST effective control over visitor access to highly secured areas?
Which of the following is the PRIMARY advantage of using virtualization technology for corporate applications?
Which of the following presents the GREATEST risk to an organization's ability to manage quality control (QC) processes?
During an external review, an IS auditor observes an inconsistent approach in classifying system criticality within the organization. Which of the following should be recommended as the PRIMARY factor to determine system criticality?
In an environment where data virtualization is used, which of the following provides the BEST disaster recovery solution?
Which of the following is the BEST way to identify whether the IT help desk is meeting service level agreements (SLAs)?
An IS audit reveals an IT application is experiencing poor performance including data inconsistency and integrity issues. What is the MOST likely cause?
Which of the following BEST describes the role of a document owner when implementing a data classification policy in an organization?
During a project assessment, an IS auditor finds that business owners have been removed from the project initiation phase. Which of the following should be the auditor's GREATEST concern with this situation?
Which of the following provides the MOST useful information regarding an organization's risk appetite and tolerance?
Which of the following is the BEST security control to validate the integrity of data communicated between production databases and a big data analytics system?
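The question above concerns detecting alteration of records in transit between a production database and an analytics platform. As an added example that is not part of the original question bank, the block below shows one way such a check can be built: the exporter tags every row with a keyed hash (HMAC-SHA256) and the batch with a hash over the ordered row tags, and the loader recomputes both. The shared key, table layout and sample rows are constructed assumptions for illustration only.

```python
"""Added example (not from the original question bank): keyed integrity check on
records exported from a production database to an analytics system.
The shared key, record layout and sample rows are constructed assumptions."""
import copy
import hashlib
import hmac
import json

# Assumption: this key is provisioned out of band to both the exporter and the
# analytics loader; in practice it would live in a secrets store and be rotated.
SHARED_KEY = b"example-key-rotate-me"


def canonical(record: dict) -> bytes:
    # Deterministic serialisation so the same record always hashes the same way,
    # regardless of key order in the dict or whitespace in the export format.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_record(record: dict, key: bytes = SHARED_KEY) -> str:
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def batch_tag(row_macs: list[str], key: bytes) -> str:
    # MAC over the ordered per-row MACs: catches dropped, injected or reordered
    # rows, which a per-row check alone would not notice.
    return hmac.new(key, "".join(row_macs).encode(), hashlib.sha256).hexdigest()


def export_batch(records: list[dict], key: bytes = SHARED_KEY) -> dict:
    """Producer side (production database export): tag each row and the batch."""
    tagged = [{"row": r, "mac": sign_record(r, key)} for r in records]
    return {
        "rows": tagged,
        "count": len(tagged),
        "batch_mac": batch_tag([t["mac"] for t in tagged], key),
    }


def verify_batch(batch: dict, key: bytes = SHARED_KEY) -> tuple[bool, list[int]]:
    """Consumer side (analytics loader): returns (batch_ok, indices of rows whose MAC fails)."""
    bad_rows = [
        i for i, t in enumerate(batch["rows"])
        if not hmac.compare_digest(t["mac"], sign_record(t["row"], key))
    ]
    expected = batch_tag([t["mac"] for t in batch["rows"]], key)
    batch_ok = (
        not bad_rows
        and len(batch["rows"]) == batch["count"]
        and hmac.compare_digest(expected, batch["batch_mac"])
    )
    return batch_ok, bad_rows


# Constructed sample rows standing in for a production transaction table.
SAMPLE = [
    {"id": 1, "amount": "100.00", "status": "settled"},
    {"id": 2, "amount": "55.10", "status": "pending"},
]


def demo_tampered_row() -> tuple[bool, list[int]]:
    """Simulate a row being altered between export and load."""
    batch = copy.deepcopy(export_batch(SAMPLE))
    batch["rows"][1]["row"]["amount"] = "5510.00"
    return verify_batch(batch)


def demo_dropped_row() -> bool:
    """Simulate a row silently dropped in transit; per-row MACs still pass, batch MAC does not."""
    batch = copy.deepcopy(export_batch(SAMPLE))
    batch["rows"].pop()
    return verify_batch(batch)[0]


if __name__ == "__main__":
    print("clean batch:", verify_batch(export_batch(SAMPLE)))
    print("tampered row:", demo_tampered_row())
    print("dropped row ok?:", demo_dropped_row())
```

A plain checksum (CRC, unkeyed SHA-256) would catch accidental corruption but not deliberate alteration, since whoever edits a row can recompute it; the key is what makes the tag a control against tampering. Using `hmac.compare_digest` rather than `==` avoids leaking tag bytes through timing differences on the verifying side.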
An organization has established hiring policies and procedures designed specifically to ensure network administrators are well qualified. Which type of control is in place?
When is it MOST important for an IS auditor to apply the concept of materiality in an audit?
A financial group recently implemented new technologies and processes. Which type of IS audit would provide the GREATEST level of assurance that the department's objectives have been met?
A bank wants to outsource a system to a cloud provider residing in another country. Which of the following would be the MOST appropriate IS audit recommendation?
An IS auditor finds a segregation of duties issue in an enterprise resource planning (ERP) system. Which of the following is the BEST way to prevent the misconfiguration from recurring?
If source code is not recompiled when program changes are implemented, which of the following is a compensating control to ensure synchronization of source and object code?
An organization implemented a cybersecurity policy last year. Which of the following is the GREATEST indicator that the policy may need to be revised?
An IS audit reveals that an organization operating in business continuity mode during a pandemic situation has not performed a simulation test of the business continuity plan (BCP). Which of the following is the auditor's BEST course of action?
In a high-volume, real-time system, the MOST effective technique by which to continuously monitor and analyze transaction processing is:
How does a continuous integration/continuous development (CI/CD) process help to reduce software failure risk?
An IS auditor should look for which of the following to ensure the risk associated with scope creep has been mitigated during software development?
Which of the following provides the BEST audit evidence that a firewall is configured in compliance with the organization's security policy?
Which of the following should be of GREATEST concern to an IS auditor assessing the effectiveness of an organization's vulnerability scanning program?
Which of the following is the MOST important control for virtualized environments?
Which of the following would be MOST effective in detecting the presence of an unauthorized wireless access point on an internal network?
What is the PRIMARY reason for an organization to classify the data stored on its internal networks?
Which of the following would be the BEST process for continuous auditing for a large financial institution?
A finance department has a multi-year project to upgrade the enterprise resource planning (ERP) system hosting the general ledger, and in year one, the system version upgrade will be applied. Which of the following should be the PRIMARY focus of the IS auditor reviewing the first year of the project?
Which of the following should be of GREATEST concern to an IS auditor when auditing an organization's IT strategy development process?
Email required for business purposes is being stored on employees' personal devices. Which of the following is an IS auditor's BEST recommendation?
An organization is migrating its HR application to an Infrastructure as a Service (IaaS) model in a private cloud. Who is PRIMARILY responsible for the security configurations of the deployed application's operating system?
The following findings are the result of an IS auditor's post-implementation review of a newly implemented system. Which of the following findings is of GREATEST significance?
Which of the following should be the FIRST consideration when deciding whether data should be moved to a cloud provider for storage?
In an organization's feasibility study to acquire hardware to support a new web server, omission of which of the following would be of MOST concern?
The use of which of the following would BEST enhance a process improvement program?
During a routine internal software licensing review, an IS auditor discovers instances where employees shared license keys to critical pieces of business software. Which of the following would be the auditor's BEST course of action?
A core system fails a week after a scheduled update, causing an outage that impacts service. Which of the following is MOST important for incident management to focus on when addressing the issue?
Which of the following is the BEST indication that there are potential problems within an organization's IT service desk function?
During the discussion of a draft audit report, IT management provided suitable evidence that a process has been implemented for a control that had been concluded by the IS auditor as ineffective. Which of the following is the auditor's BEST action?
An IS auditor identifies that a legacy application to be decommissioned in three months cannot meet the security requirements established by the current policy. What is the BEST way for the auditor to address this issue?
An IS auditor finds that while an organization's IT strategy is heavily focused on research and development, the majority of projects in the IT portfolio focus on operations and maintenance. Which of the following is the BEST recommendation?
Which of the following is MOST important to consider when assessing the scope of privacy concerns for an IT project?
Which of the following should be of GREATEST concern to an IS auditor reviewing data conversion and migration during the implementation of a new application system?
An IS auditor has been asked to assess the security of a recently migrated database system that contains personal and financial data for a bank's customers. Which of the following controls is MOST important for the auditor to confirm is in place?
During the implementation of an upgraded enterprise resource planning (ERP) system, which of the following is the MOST important consideration for a go-live decision?
Which of the following would be an IS auditor's GREATEST concern when reviewing the early stages of a software development project?
Which of the following would be of MOST concern when determining whether information assets are adequately safeguarded during transport and disposal?
An IS auditor finds that firewalls are outdated and not supported by vendors. Which of the following should be the auditor's NEXT course of action?
Which of the following strategies BEST optimizes data storage without compromising data retention practices?
An organization's security policy mandates that all new employees must receive appropriate security awareness training. Which of the following metrics would BEST assure compliance with this policy?
Which of the following is the BEST method to prevent wire transfer fraud by bank employees?
Malicious program code was found in an application and corrected prior to release into production. After the release, the same issue was reported. Which of the following is the IS auditor's BEST recommendation?
Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization's information security policy?
An IS audit reveals that an organization is not proactively addressing known vulnerabilities. Which of the following should the IS auditor recommend the organization do FIRST?
During an audit of a reciprocal disaster recovery agreement between two companies, the IS auditor would be MOST concerned with the:
Which of the following should an IS auditor be MOST concerned with during a post-implementation review?
What should be the PRIMARY basis for selecting which IS audits to perform in the coming year?
Which of the following is the BEST control to mitigate the malware risk associated with an instant messaging (IM) system?
Which of the following is the MOST effective control for protecting the confidentiality and integrity of data stored unencrypted on virtual machines?
Which of the following would BEST facilitate the successful implementation of an IT-related framework?
An organization allows employees to retain confidential data on personal mobile devices. Which of the following is the BEST recommendation to mitigate the risk of data leakage from lost or stolen devices?
Which audit approach is MOST helpful in optimizing the use of IS audit resources?
Which of the following would BEST determine whether a post-implementation review (PIR) performed by the project management office (PMO) was effective?
Which of the following components of a risk assessment is MOST helpful to management in determining the level of risk mitigation to apply?
An IS auditor is conducting a post-implementation review of an enterprise resource planning (ERP) system. End users indicated concerns with the accuracy of critical automatic calculations made by the system. The auditor's FIRST course of action should be to:
Which of the following attack techniques will succeed because of an inherent security weakness in an Internet firewall?
An organization conducted an exercise to test the security awareness level of users by sending an email offering a cash reward to those who click on a link embedded in the body of the email. Which of the following metrics BEST indicates the effectiveness of awareness training?
While executing follow-up activities, an IS auditor is concerned that management has implemented corrective actions that are different from those originally discussed and agreed with the audit function. In order to resolve the situation, the IS auditor's BEST course of action would be to:
An organization's enterprise architecture (EA) department decides to change a legacy system's components while maintaining its original functionality. Which of the following is MOST important for an IS auditor to understand when reviewing this decision?
One benefit of return on investment (ROI) analysis in IT decision making is that it provides the:
Secure code reviews as part of a continuous deployment program are which type of control?
When evaluating the design of controls related to network monitoring, which of the following is MOST important for an IS auditor to review?
An organization's software developers need access to personally identifiable information (PII) stored in a particular data format. Which of the following is the BEST way to protect this sensitive information while allowing the developers to use it in development and test environments?
The implementation of an IT governance framework requires that the board of directors of an organization:
Which of the following is MOST important to ensure when planning a black box penetration test?
Which of the following is the PRIMARY reason for an IS auditor to conduct post-implementation reviews?
During a new system implementation, an IS auditor has been assigned to review risk management at each milestone. The auditor finds that several risks to project benefits have not been addressed. Who should be accountable for managing these risks?
An IS auditor notes the transaction processing times in an order processing system have significantly increased after a major release. Which of the following should the IS auditor review FIRST?
Which of the following data would be used when performing a business impact analysis (BIA)?
When implementing Internet Protocol security (IPsec) architecture, the servers involved in application delivery:
An IS auditor will be testing accounts payable controls by performing data analytics on the entire population of transactions. Which of the following is MOST important for the auditor to confirm when sourcing the population data?
Spreadsheets are used to calculate project cost estimates. Totals for each cost category are then keyed into the job-costing system. What is the BEST control to ensure that data is accurately entered into the system?
Which of the following should be the PRIMARY basis for prioritizing follow-up audits?
Which of the following is the BEST way to address segregation of duties issues in an organization with budget constraints?
Which of the following is MOST important to include in forensic data collection and preservation procedures?
Which of the following is the PRIMARY concern when negotiating a contract for a hot site?
An IS auditor is reviewing an organization's information asset management process. Which of the following would be of GREATEST concern to the auditor?
Which of the following is the BEST way to determine whether a test of a disaster recovery plan (DRP) was successful?
What is MOST important to verify during an external assessment of network vulnerability?
Documentation of workaround processes to keep a business function operational during recovery of IT systems is a core part of a:
An IS auditor is examining a front-end subledger and a main ledger. Which of the following would be the GREATEST concern if there are flaws in the mapping of accounts between the two systems?
When auditing the security architecture of an online application, an IS auditor should FIRST review the:
An IS auditor finds the log management system is overwhelmed with false positive alerts. The auditor's BEST recommendation would be to:
Due to limited storage capacity, an organization has decided to reduce the actual retention period for media containing completed low-value transactions. Which of the following is MOST important for the organization to ensure?
An IS auditor has found that an organization is unable to add new servers on demand in a cost-efficient manner. Which of the following is the auditor's BEST recommendation?
An IS auditor discovers that validation controls in a web application have been moved from the server side into the browser to boost performance. This would MOST likely increase the risk of a successful attack by:
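The security point behind the question above is that code running in the browser is under the user's control, so any check performed only there can be skipped by sending a crafted request directly to the server. As an added example that is not part of the original question bank, the block below contrasts a checkout handler that trusts what the browser already "validated" with one that re-derives and re-checks everything server-side. The catalogue, field names and request bodies are constructed assumptions for illustration only.

```python
"""Added example (not from the original question bank): why browser-only
validation invites parameter tampering, and what server-side re-validation
looks like. Catalogue, field names and request bodies are constructed assumptions."""
import json
from decimal import Decimal

# Assumption: the server's own price list. A copy may be shipped to the browser
# for display, but only this copy is authoritative.
CATALOGUE = {"SKU-100": Decimal("19.99"), "SKU-200": Decimal("249.00")}
MAX_QTY = 50


def browser_side_only_checkout(raw_body: bytes) -> dict:
    """Weak design: the JavaScript in the page checked quantity and price, so the
    server accepts the values it is handed without repeating the checks."""
    order = json.loads(raw_body)
    total = Decimal(str(order["unit_price"])) * int(order["qty"])
    return {"accepted": True, "total": total}


def server_side_checkout(raw_body: bytes) -> dict:
    """Hardened design: every rule is enforced on the server, and the client-supplied
    unit_price is ignored in favour of the server's catalogue."""
    try:
        order = json.loads(raw_body)
    except ValueError:
        return {"accepted": False, "reason": "malformed JSON"}
    if not isinstance(order, dict):
        return {"accepted": False, "reason": "body is not an object"}

    sku = order.get("sku")
    if sku not in CATALOGUE:
        return {"accepted": False, "reason": "unknown sku"}

    try:
        qty = int(order.get("qty"))
    except (TypeError, ValueError):
        return {"accepted": False, "reason": "quantity not an integer"}
    if not 1 <= qty <= MAX_QTY:
        return {"accepted": False, "reason": "quantity out of range"}

    # Price comes from the server's catalogue, never from the request.
    total = CATALOGUE[sku] * qty
    return {"accepted": True, "total": total}


# Constructed request bodies. HONEST is what the page's own JavaScript would send;
# TAMPERED is the same order replayed from a script or proxy with the price edited,
# which the browser-side checks never see.
HONEST = json.dumps({"sku": "SKU-200", "qty": 3, "unit_price": 249.00}).encode()
TAMPERED = json.dumps({"sku": "SKU-200", "qty": 3, "unit_price": 0.01}).encode()
NEGATIVE_QTY = json.dumps({"sku": "SKU-200", "qty": -1, "unit_price": 249.00}).encode()


if __name__ == "__main__":
    print("weak, tampered:", browser_side_only_checkout(TAMPERED))
    print("hardened, tampered:", server_side_checkout(TAMPERED))
    print("hardened, negative qty:", server_side_checkout(NEGATIVE_QTY))
```

Browser-side validation is still worth keeping for responsiveness and user feedback; the control weakness arises only when it replaces, rather than duplicates, the server's checks.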
Which of the following should be an IS auditor's PRIMARY focus when developing a risk-based IS audit program?
Which of the following would MOST likely impair the independence of the IS auditor when performing a post-implementation review of an application system?
Which of the following is the MOST important determining factor when establishing appropriate timeframes for follow-up activities related to audit findings?
An organization with many desktop PCs is considering moving to a thin client architecture. Which of the following is the MAJOR advantage?
An IS auditor notes that IT and the business have different opinions on the availability of their application servers. Which of the following should the IS auditor review FIRST in order to understand the problem?
Which of the following is the MOST important activity in the data classification process?
Which of the following is MOST important to verify when determining the completeness of the vulnerability scanning process?
Which of the following conditions would be of MOST concern to an IS auditor assessing the risk of a successful brute force attack against encrypted data at rest?
An IS auditor is reviewing the release management process for an in-house software development solution. In which environment is the software version MOST likely to be the same as production?
An organization was recently notified by its regulatory body of significant discrepancies in its reporting data. A preliminary investigation revealed that the discrepancies were caused by problems with the organization's data quality. Management has directed the data quality team to enhance their program. The audit committee has asked internal audit to be advisors to the process. To ensure that management concerns are addressed, which data set should internal audit recommend be reviewed FIRST?
Which of the following business continuity activities prioritizes the recovery of critical functions?
Which of the following should an IS auditor consider FIRST when evaluating firewall rules?
An IS auditor is reviewing security controls related to collaboration tools for a business unit responsible for intellectual property and patents. Which of the following observations should be of MOST concern to the auditor?
While auditing a small organization's data classification processes and procedures, an IS auditor noticed that data is often classified at the incorrect level. What is the MOST effective way for the organization to improve this situation?
When planning an audit to assess application controls of a cloud-based system, it is MOST important for the IS auditor to understand the:
Which of the following BEST protects an organization's proprietary code during a joint-development activity involving a third party?
Which of the following is the MAIN purpose of an information security management system?
An information systems security officer's PRIMARY responsibility for business process applications is to:
To develop meaningful recommendations for findings, which of the following is MOST important for an IS auditor to determine and understand?
The due date of an audit project is approaching, and the audit manager has determined that only 60% of the audit has been completed. Which of the following should the audit manager do FIRST?
In an online application, which of the following would provide the MOST information about the transaction audit trail?
Which of the following BEST indicates that an incident management process is effective?
The waterfall life cycle model of software development is BEST suited for which of the following situations?
For an organization that has plans to implement web-based trading, it would be MOST important for an IS auditor to verify the organization's information security plan includes:
An IS auditor is reviewing an industrial control system (ICS) that uses older unsupported technology in the scope of an upcoming audit. What should the auditor consider the MOST significant concern?
When auditing the alignment of IT to the business strategy, it is MOST important for the IS auditor to:
An organization is considering allowing users to connect personal devices to the corporate network. Which of the following should be done FIRST?
Which of the following would be of MOST concern for an IS auditor evaluating the design of an organization's incident management processes?
Which of the following should be an IS auditor's GREATEST concern when an international organization intends to roll out a global data privacy policy?
When testing the adequacy of tape backup procedures, which step BEST verifies that regularly scheduled backups are timely and run to completion?
A new regulation in one country of a global organization has recently prohibited cross-border transfer of personal data. An IS auditor has been asked to determine the organization's level of exposure in the affected country. Which of the following would be MOST helpful in making this assessment?
In a RACI model, which of the following roles must be assigned to only one individual?
What is the MOST critical finding when reviewing an organization's information security management?
Which of the following is the GREATEST security risk associated with data migration from a legacy human resources (HR) system to a cloud-based system?
Which of the following activities provides an IS auditor with the MOST insight regarding potential single person dependencies that might exist within the organization?
Which of the following is the GREATEST risk associated with storing customer data on a web server?
After the merger of two organizations, which of the following is the MOST important task for an IS auditor to perform?
Which of the following is the BEST audit procedure to determine whether a firewall is configured in compliance with the organization's security policy?
Which of the following is the MOST important reason to classify a disaster recovery plan (DRP) as confidential?
The PRIMARY reason for an IS auditor to use data analytics techniques is to reduce which type of audit risk?
An IS auditor is evaluating the risk associated with moving from one database management system (DBMS) to another. Which of the following would be MOST helpful to ensure the integrity of the system throughout the change?
In data warehouse (DW) management, what is the BEST way to prevent data quality issues caused by changes from a source system?
Following a security breach in which a hacker exploited a well-known vulnerability in the domain controller, an IS auditor has been asked to conduct a control assessment. The auditor's BEST course of action would be to determine if:
Which of the following activities would allow an IS auditor to maintain independence while facilitating a control self-assessment (CSA)?
A new regulation requires organizations to report significant security incidents to the regulator within 24 hours of identification. Which of the following is the IS auditor's BEST recommendation to facilitate compliance with the regulation?
Which of the following should an IS auditor review FIRST when planning a customer data privacy audit?
A manager identifies active privileged accounts belonging to staff who have left the organization. Which of the following is the threat actor in this scenario?
An internal audit department recently established a quality assurance (QA) program. Which of the following activities is MOST important to include as part of the QA program requirements?
Which of the following metrics would BEST measure the agility of an organization's IT function?
Which of the following documents should specify roles and responsibilities within an IT audit organization?
During a follow-up audit, it was found that a complex security vulnerability of low risk was not resolved within the agreed-upon timeframe. IT has stated that the system with the identified vulnerability is being replaced and is expected to be fully functional in two months. Which of the following is the BEST course of action?
Which of the following is MOST helpful for measuring benefits realization for a new system?
An employee loses a mobile device, resulting in loss of sensitive corporate data. Which of the following would have BEST prevented data leakage?
Which of the following would lead an IS auditor to conclude that the evidence collected during a digital forensic investigation would not be admissible in court?
Which of the following environments is BEST used for copying data and transformation into a compatible data warehouse format?
Which of the following security risks can be reduced by a properly configured network firewall?
Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system. Which of the following is the IS auditor's BEST recommendation for a compensating control?
An IS auditor is reviewing an organization's primary router access control list. Which of the following should result in a finding?
Which of the following provides IS audit professionals with the BEST source of direction for performing audit functions?
An organization recently implemented a cloud document storage solution and removed the ability for end users to save data to their local workstation hard drives. Which of the following findings should be the IS auditor's GREATEST concern?
Which of the following weaknesses would have the GREATEST impact on the effective operation of a perimeter firewall?
During an IT governance audit, an IS auditor notes that IT policies and procedures are not regularly reviewed and updated. The GREATEST concern to the IS auditor is that policies and procedures might not:
In an environment that automatically reports all program changes, which of the following is the MOST efficient way to detect unauthorized changes to production programs?
In an online application, which of the following would provide the MOST information about the transaction audit trail?
A new system is being developed by a vendor for a consumer service organization. The vendor will provide its proprietary software once system development is completed. Which of the following is the MOST important requirement to include in the vendor contract to ensure continuity?
To enable the alignment of IT staff development plans with IT strategy, which of the following should be done FIRST?
Which of the following would BEST manage the risk of changes in requirements after the analysis phase of a business application development project?
An IS auditor is analyzing a sample of accesses recorded on the system log of an application. The auditor intends to launch an intensive investigation if one exception is found. Which sampling method would be appropriate?
Which of the following would be MOST useful when analyzing computer performance?
An IS auditor is reviewing the installation of a new server. The IS auditor's PRIMARY objective is to ensure that:
Which of the following types of environmental equipment will MOST likely be deployed below the floor tiles of a data center?
An externally facing system containing sensitive data is configured such that users have either read-only or administrator rights. Most users of the system have administrator access. Which of the following is the GREATEST risk associated with this situation?
An organization is disposing of a system containing sensitive data and has deleted all files from the hard disk. An IS auditor should be concerned because:
During audit fieldwork, an IS auditor learns that employees are allowed to connect their personal devices to company-owned computers. How can the auditor BEST validate that appropriate security controls are in place to prevent data loss?
Which of the following should be of GREATEST concern to an IS auditor reviewing a network printer disposal process?
Which of the following would be the MOST useful metric for management to consider when reviewing a project portfolio?
An organization has made a strategic decision to split into separate operating entities to improve profitability. However, the IT infrastructure remains shared between the entities. Which of the following would BEST help to ensure that IS audit still covers key risk areas within the IT environment as part of its annual plan?
Which of the following would provide an IS auditor with the GREATEST assurance that data disposal controls support business strategic objectives?
Which of the following would be an appropriate role of internal audit in helping to establish an organization’s privacy program?
Which of the following should be the FIRST step when developing a data loss prevention (DLP) solution for a large organization?
Which of the following backup schemes is the BEST option when storage media is limited?
An organization allows its employees to use personal mobile devices for work. Which of the following would BEST maintain information security without compromising employee privacy?
Which of the following should be of GREATEST concern to an IS auditor reviewing an organization's business continuity plan (BCP)?
Which of the following BEST helps to ensure data integrity across system interfaces?
During an IT general controls audit of a high-risk area where both internal and external audit teams are reviewing the same area, which of the following is the BEST approach to optimize resources?
An IS auditor discovers that an IT organization serving several business units assigns equal priority to all initiatives, creating a risk of delays in securing project funding. Which of the following would be MOST helpful in matching demand for projects and services with available resources in a way that supports business objectives?
Which of the following is the BEST control to mitigate attacks that redirect Internet traffic to an unauthorized website?
A company has implemented an IT segregation of duties policy. In a role-based environment, which of the following roles may be assigned to an application developer?
An IS auditor plans to review all access attempts to a video-monitored and proximity card-controlled communications room. Which of the following would be MOST useful to the auditor?
What is the PRIMARY purpose of documenting audit objectives when preparing for an engagement?
A warehouse employee of a retail company has been able to conceal the theft of inventory items by entering adjustments for either damaged or lost stock items into the inventory system. Which control would have BEST prevented this type of fraud in a retail environment?
Which of the following should an IS auditor ensure is classified at the HIGHEST level of sensitivity?
Which of the following application input controls would MOST likely detect data input errors in the customer account number field during the processing of an accounts receivable transaction?
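The input control that catches keying errors in an identifier field such as an account number is a check digit. The following is an added example (not part of the original question set): a mod-10 (Luhn) check digit implementation, with helpers that show which error classes the control catches. The sample account number is constructed for illustration.

```python
"""Check-digit input control for an account-number field (mod-10 / Luhn).

Added example. The account number used below is constructed for illustration.
"""


def luhn_check_digit(body: str) -> str:
    """Return the mod-10 check digit for the digits in `body` (digits only)."""
    if not body.isdigit():
        raise ValueError("account number body must be numeric")
    total = 0
    # Walk right to left; double every second digit starting with the
    # rightmost digit of the body, folding two-digit products back to one digit.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def is_valid(account_number: str) -> bool:
    """Validate an account number whose last digit is the check digit."""
    if len(account_number) < 2 or not account_number.isdigit():
        return False
    return luhn_check_digit(account_number[:-1]) == account_number[-1]


def detects_all_single_digit_errors(account_number: str) -> bool:
    """True if every single-digit substitution in a valid number is rejected."""
    for pos, original in enumerate(account_number):
        for wrong in "0123456789":
            if wrong == original:
                continue
            candidate = account_number[:pos] + wrong + account_number[pos + 1:]
            if is_valid(candidate):
                return False
    return True


def undetected_adjacent_transpositions(account_number: str) -> list:
    """Positions where swapping two adjacent (different) digits still validates.

    The mod-10 scheme misses only the 09 <-> 90 swap; everything else is caught.
    """
    misses = []
    for pos in range(len(account_number) - 1):
        a, b = account_number[pos], account_number[pos + 1]
        if a == b:
            continue  # swapping identical digits changes nothing
        candidate = account_number[:pos] + b + a + account_number[pos + 2:]
        if is_valid(candidate):
            misses.append(pos)
    return misses


if __name__ == "__main__":
    body = "7992739871"  # constructed sample; the check digit for this body is 3
    number = body + luhn_check_digit(body)
    print("account number with check digit:", number)
    print("valid:", is_valid(number))
    print("single-digit errors all detected:", detects_all_single_digit_errors(number))
    print("undetected adjacent transpositions:", undetected_adjacent_transpositions(number))
```

The two helper functions make the control's limits explicit: a mod-10 check digit rejects every single keying error and every adjacent transposition except 09/90, which is why it is the control that detects data input errors in an account number field rather than preventing or correcting them.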
An IS auditor is reviewing processes for importing market price data from external data providers. Which of the following findings should the auditor consider MOST critical?
Which of the following would BEST detect that a distributed denial of service (DDoS) attack is occurring?
Which task should an IS auditor complete FIRST during the preliminary planning phase of a database security review?
An IS auditor has been asked to advise on measures to improve IT governance within the organization. Which of the following is the BEST recommendation?
Which of the following should an IS auditor expect to see in a network vulnerability assessment?
Which of the following is the BEST metric to measure the alignment of IT and business strategy?
During a follow-up audit, an IS auditor finds that some critical recommendations have the IS auditor's BEST course of action?
Which of the following would BEST enable an organization to address the security risks associated with a recently implemented bring your own device (BYOD) strategy?
Which of the following BEST enables the effectiveness of an agile project for the rapid development of a new software application?