March Sale Special Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: geek65

CISA Certified Information Systems Auditor Questions and Answers

Questions 4

Which of the following would be of GREATEST concern when reviewing an organization's security information and event management (SIEM) solution?

Options:

A.

SIEM reporting is customized.

B.

SIEM configuration is reviewed annually

C.

The SIEM is decentralized.

D.

SIEM reporting is ad hoc.

Buy Now
Questions 5

An audit identified that a computer system is not assigning sequential purchase order numbers to order requests. The IS auditor is conducting an audit follow-up to determine if management has reserved this finding. Which of two following is the MOST reliable follow-up procedure?

Options:

A.

Review the documentation of recant changes to implement sequential order numbering.

B.

Inquire with management if the system has been configured and tested to generate sequential order numbers.

C.

Inspect the system settings and transaction logs to determine if sequential order numbers are generated.

D.

Examine a sample of system generated purchase orders obtained from management

Buy Now
Questions 6

Which of the following should be of GREATEST concern for an IS auditor reviewing an organization's disaster recovery plan (DRP)?

Options:

A.

The DRP has not been formally approved by senior management.

B.

The DRP has not been distributed to end users.

C.

The DRP has not been updated since an IT infrastructure upgrade.

D.

The DRP contains recovery procedures for critical servers only.

Buy Now
Questions 7

What should an IS auditor do FIRST when management responses

to an in-person internal control questionnaire indicate a key internal

control is no longer effective?

Options:

A.

Determine the resources required to make the control

effective.

B.

Validate the overall effectiveness of the internal control.

C.

Verify the impact of the control no longer being effective.

D.

Ascertain the existence of other compensating controls.

Buy Now
Questions 8

Which of the following is the BEST compensating control when segregation of duties is lacking in a small IS department?

Options:

A.

Background checks

B.

User awareness training

C.

Transaction log review

D.

Mandatory holidays

Buy Now
Questions 9

An audit has identified that business units have purchased cloud-based applications without IPs support. What is the GREATEST risk associated with this situation?

Options:

A.

The applications are not included in business continuity plans (BCFs)

B.

The applications may not reasonably protect data.

C.

The application purchases did not follow procurement policy.

D.

The applications could be modified without advanced notice.

Buy Now
Questions 10

in a controlled application development environment, the MOST important segregation of duties should be between the person who implements changes into the production environment and the:

Options:

A.

application programmer

B.

systems programmer

C.

computer operator

D.

quality assurance (QA) personnel

Buy Now
Questions 11

An IS auditor is reviewing documentation of application systems change control and identifies several patches that were not tested before being put into production. Which of the following is the MOST significant risk from this situation?

Options:

A.

Loss of application support

B.

Lack of system integrity

C.

Outdated system documentation

D.

Developer access 1o production

Buy Now
Questions 12

An IS auditor notes that the previous year's disaster recovery test was not completed within the scheduled time frame due to insufficient hardware allocated by a third-party vendor. Which of the following provides the BEST evidence that adequate resources are now allocated to successfully recover the systems?

Options:

A.

Service level agreement (SLA)

B.

Hardware change management policy

C.

Vendor memo indicating problem correction

D.

An up-to-date RACI chart

Buy Now
Questions 13

Which of the following is the BEST reason to implement a data retention policy?

Options:

A.

To limit the liability associated with storing and protecting information

B.

To document business objectives for processing data within the organization

C.

To assign responsibility and ownership for data protection outside IT

D.

To establish a recovery point detective (RPO) for (toaster recovery procedures

Buy Now
Questions 14

Which of the following is the PRIMARY advantage of using visualization technology for corporate applications?

Options:

A.

Improved disaster recovery

B.

Better utilization of resources

C.

Stronger data security

D.

Increased application performance

Buy Now
Questions 15

Which of the following features of a library control software package would protect against unauthorized updating of source code?

Options:

A.

Required approvals at each life cycle step

B.

Date and time stamping of source and object code

C.

Access controls for source libraries

D.

Release-to-release comparison of source code

Buy Now
Questions 16

Which of the following is an audit reviewer's PRIMARY role with regard to evidence?

Options:

A.

Ensuring unauthorized individuals do not tamper with evidence after it has been captured

B.

Ensuring evidence is sufficient to support audit conclusions

C.

Ensuring appropriate statistical sampling methods were used

D.

Ensuring evidence is labeled to show it was obtained from an approved source

Buy Now
Questions 17

Which of the following is a challenge in developing a service level agreement (SLA) for network services?

Options:

A.

Establishing a well-designed framework for network servirces.

B.

Finding performance metrics that can be measured properly

C.

Ensuring that network components are not modified by the client

D.

Reducing the number of entry points into the network

Buy Now
Questions 18

Which of the following audit procedures would be MOST conclusive in evaluating the effectiveness of an e-commerce application system's edit routine?

Options:

A.

Review of program documentation

B.

Use of test transactions

C.

Interviews with knowledgeable users

D.

Review of source code

Buy Now
Questions 19

Prior to a follow-up engagement, an IS auditor learns that management has decided to accept a level of residual risk related to an audit finding without remediation. The IS auditor is concerned about management's decision. Which of the following should be the IS auditor's NEXT course of action?

Options:

A.

Accept management's decision and continue the follow-up.

B.

Report the issue to IS audit management.

C.

Report the disagreement to the board.

D.

Present the issue to executive management.

Buy Now
Questions 20

When an intrusion into an organization network is deleted, which of the following should be done FIRST?

Options:

A.

Block all compromised network nodes.

B.

Contact law enforcement.

C.

Notify senior management.

D.

Identity nodes that have been compromised.

Buy Now
Questions 21

An online retailer is receiving customer complaints about receiving different items from what they ordered on the organization's website. The root cause has been traced to poor data quality. Despite efforts to clean erroneous data from the system, multiple data quality issues continue to occur. Which of the following recommendations would be the BEST way to reduce the likelihood of future occurrences?

Options:

A.

Assign responsibility for improving data quality.

B.

Invest in additional employee training for data entry.

C.

Outsource data cleansing activities to reliable third parties.

D.

Implement business rules to validate employee data entry.

Buy Now
Questions 22

The PRIMARY objective of value delivery in reference to IT governance is to:

Options:

A.

promote best practices

B.

increase efficiency.

C.

optimize investments.

D.

ensure compliance.

Buy Now
Questions 23

Which of the following presents the GREATEST challenge to the alignment of business and IT?

Options:

A.

Lack of chief information officer (CIO) involvement in board meetings

B.

Insufficient IT budget to execute new business projects

C.

Lack of information security involvement in business strategy development

D.

An IT steering committee chaired by the chief information officer (CIO)

Buy Now
Questions 24

Which of the following access rights presents the GREATEST risk when granted to a new member of the system development staff?

Options:

A.

Write access to production program libraries

B.

Write access to development data libraries

C.

Execute access to production program libraries

D.

Execute access to development program libraries

Buy Now
Questions 25

Which of the following IT service management activities is MOST likely to help with identifying the root cause of repeated instances of network latency?

Options:

A.

Change management

B.

Problem management

C.

incident management

D.

Configuration management

Buy Now
Questions 26

During the planning phase of a data loss prevention (DLP) audit, management expresses a concern about mobile computing. Which of the following should the IS auditor identity as the associated risk?

Options:

A.

The use of the cloud negatively impacting IT availably

B.

Increased need for user awareness training

C.

Increased vulnerability due to anytime, anywhere accessibility

D.

Lack of governance and oversight for IT infrastructure and applications

Buy Now
Questions 27

Which of the following would an IS auditor recommend as the MOST effective preventive control to reduce the risk of data leakage?

Options:

A.

Ensure that paper documents arc disposed security.

B.

Implement an intrusion detection system (IDS).

C.

Verify that application logs capture any changes made.

D.

Validate that all data files contain digital watermarks

Buy Now
Questions 28

Which of the following is MOST important when implementing a data classification program?

Options:

A.

Understanding the data classification levels

B.

Formalizing data ownership

C.

Developing a privacy policy

D.

Planning for secure storage capacity

Buy Now
Questions 29

Which of the following is MOST important for an IS auditor to confirm when reviewing an organization's plans to implement robotic process automation (RPA> to automate routine business tasks?

Options:

A.

The end-to-end process is understood and documented.

B.

Roles and responsibilities are defined for the business processes in scope.

C.

A benchmarking exercise of industry peers who use RPA has been completed.

D.

A request for proposal (RFP) has been issued to qualified vendors.

Buy Now
Questions 30

What is the GREATEST concern for an IS auditor reviewing contracts for licensed software that executes a critical business process?

Options:

A.

The contract does not contain a right-to-audit clause.

B.

An operational level agreement (OLA) was not negotiated.

C.

Several vendor deliverables missed the commitment date.

D.

Software escrow was not negotiated.

Buy Now
Questions 31

During an audit of an organization's risk management practices, an IS auditor finds several documented IT risk acceptances have not been renewed in a timely manner after the assigned expiration date When assessing the seventy of this finding, which mitigating factor would MOST significantly minimize the associated impact?

Options:

A.

There are documented compensating controls over the business processes.

B.

The risk acceptances were previously reviewed and approved by appropriate senior management

C.

The business environment has not significantly changed since the risk acceptances were approved.

D.

The risk acceptances with issues reflect a small percentage of the total population

Buy Now
Questions 32

Which of the following would be MOST effective to protect information assets in a data center from theft by a vendor?

Options:

A.

Monitor and restrict vendor activities

B.

Issues an access card to the vendor.

C.

Conceal data devices and information labels

D.

Restrict use of portable and wireless devices.

Buy Now
Questions 33

Which of the following should be the IS auditor's PRIMARY focus, when evaluating an organization's offsite storage facility?

Options:

A.

Shared facilities

B.

Adequacy of physical and environmental controls

C.

Results of business continuity plan (BCP) test

D.

Retention policy and period

Buy Now
Questions 34

Which of the following is the BEST way to enforce the principle of least privilege on a server containing data with different security classifications?

Options:

A.

Limiting access to the data files based on frequency of use

B.

Obtaining formal agreement by users to comply with the data classification policy

C.

Applying access controls determined by the data owner

D.

Using scripted access control lists to prevent unauthorized access to the server

Buy Now
Questions 35

Management receives information indicating a high level of risk associated with potential flooding near the organization's data center within the next few years. As a result, a decision has been made to move data center operations to another facility on higher ground. Which approach has been adopted?

Options:

A.

Risk avoidance

B.

Risk transfer

C.

Risk acceptance

D.

Risk reduction

Buy Now
Questions 36

A credit card company has decided to outsource the printing of customer statements It Is MOST important for the company to verify whether:

Options:

A.

the provider has alternate service locations.

B.

the contract includes compensation for deficient service levels.

C.

the provider's information security controls are aligned with the company's.

D.

the provider adheres to the company's data retention policies.

Buy Now
Questions 37

What would be an IS auditor's BEST recommendation upon finding that a third-party IT service provider hosts the organization's human resources (HR) system in a foreign country?

Options:

A.

Perform background verification checks.

B.

Review third-party audit reports.

C.

Implement change management review.

D.

Conduct a privacy impact analysis.

Buy Now
Questions 38

Which of the following security measures will reduce the risk of propagation when a cyberattack occurs?

Options:

A.

Perimeter firewall

B.

Data loss prevention (DLP) system

C.

Web application firewall

D.

Network segmentation

Buy Now
Questions 39

An IS auditor reviewing the database controls for a new e-commerce system discovers a security weakness in the database configuration. Which of the following should be the IS auditor's NEXT course of action?

Options:

A.

Identify existing mitigating controls.

B.

Disclose the findings to senior management.

C.

Assist in drafting corrective actions.

D.

Attempt to exploit the weakness.

Buy Now
Questions 40

An IS auditor has discovered that a software system still in regular use is years out of date and no longer supported. The auditee has stated that it will take six months until the software is running on the current version. Which of the following is the BEST way to reduce the immediate risk associated with using an unsupported version of the software?

Options:

A.

Verify all patches have been applied to the software system's outdated version.

B.

Close all unused ports on the outdated software system.

C.

Monitor network traffic attempting to reach the outdated software system.

D.

Segregate the outdated software system from the main network.

Buy Now
Questions 41

Which of the following would protect the confidentiality of information sent in email messages?

Options:

A.

Secure Hash Algorithm 1(SHA-1)

B.

Digital signatures

C.

Encryption

D.

Digital certificates

Buy Now
Questions 42

What is BEST for an IS auditor to review when assessing the effectiveness of changes recently made to processes and tools related to an organization's business continuity plan (BCP)?

Options:

A.

Full test results

B.

Completed test plans

C.

Updated inventory of systems

D.

Change management processes

Buy Now
Questions 43

An IS auditor is planning an audit of an organization's accounts payable processes. Which of the following controls is MOST important to assess in the audit?

Options:

A.

Segregation of duties between issuing purchase orders and making payments.

B.

Segregation of duties between receiving invoices and setting authorization limits

C.

Management review and approval of authorization tiers

D.

Management review and approval of purchase orders

Buy Now
Questions 44

Which of the following is the MOST effective control to mitigate unintentional misuse of authorized access?

Options:

A.

Annual sign-off of acceptable use policy

B.

Regular monitoring of user access logs

C.

Security awareness training

D.

Formalized disciplinary action

Buy Now
Questions 45

In a small IT web development company where developers must have write access to production, the BEST recommendation of an IS auditor would be to:

Options:

A.

hire another person to perform migration to production.

B.

implement continuous monitoring controls.

C.

remove production access from the developers.

D.

perform a user access review for the development team

Buy Now
Questions 46

A new regulation requires organizations to report significant security incidents to the regulator within 24 hours of identification. Which of the following is the IS auditor's BEST recommendation to facilitate compliance with the regulation?

Options:

A.

Include the requirement in the incident management response plan.

B.

Establish key performance indicators (KPIs) for timely identification of security incidents.

C.

Enhance the alert functionality of the intrusion detection system (IDS).

D.

Engage an external security incident response expert for incident handling.

Buy Now
Questions 47

Which of the following is the BEST evidence that an organization's IT strategy is aligned lo its business objectives?

Options:

A.

The IT strategy is modified in response to organizational change.

B.

The IT strategy is approved by executive management.

C.

The IT strategy is based on IT operational best practices.

D.

The IT strategy has significant impact on the business strategy

Buy Now
Questions 48

An IS auditor finds that capacity management for a key system is being performed by IT with no input from the business The auditor's PRIMARY concern would be:

Options:

A.

failure to maximize the use of equipment

B.

unanticipated increase in business s capacity needs.

C.

cost of excessive data center storage capacity

D.

impact to future business project funding.

Buy Now
Questions 49

Which of the following is the MOST important responsibility of user departments associated with program changes?

Options:

A.

Providing unit test data

B.

Analyzing change requests

C.

Updating documentation lo reflect latest changes

D.

Approving changes before implementation

Buy Now
Questions 50

An IS auditor has been asked to advise on measures to improve IT governance within the organization. Which of the following IS the BEST recommendation?

Options:

A.

Benchmark organizational performance against industry peers

B.

Implement key performance indicators (KPIs).

C.

Require executive management to draft IT strategy

D.

Implement annual third-party audits.

Buy Now
Questions 51

During a database management evaluation an IS auditor discovers that some accounts with database administrator (DBA) privileges have been assigned a default password with an unlimited number of failed login attempts Which of the following is the auditor's BEST course of action?

Options:

A.

Identify accounts that have had excessive failed login attempts and request they be disabled

B.

Request the IT manager to change administrator security parameters and update the finding

C.

Document the finding and explain the risk of having administrator accounts with inappropriate security settings

Buy Now
Questions 52

Recovery facilities providing a redundant combination of Internet connections to the local communications loop is an example of which type of telecommunications continuity?

Options:

A.

Voice recovery

B.

Alternative routing

C.

Long-haul network diversity

D.

Last-mile circuit protection

Buy Now
Questions 53

Which of the following poses the GREATEST risk to an organization when employees use public social networking sites?

Options:

A.

Cross-site scripting (XSS)

B.

Copyright violations

C.

Social engineering

D.

Adverse posts about the organization

Buy Now
Questions 54

Which of the following is the BEST way for management to ensure the effectiveness of the cybersecurity incident response process?

Options:

A.

Periodic reporting of cybersecurity incidents to key stakeholders

B.

Periodic update of incident response process documentation

C.

Periodic cybersecurity training for staff involved in incident response

D.

Periodic tabletop exercises involving key stakeholders

Buy Now
Questions 55

Which of the following controls is MOST important for ensuring the integrity of system interfaces?

Options:

A.

Periodic audits

B.

File counts

C.

File checksums

D.

IT operator monitoring

Buy Now
Questions 56

Which of the following is MOST important for an IS auditor to verify when reviewing the use of an outsourcer for disposal of storage media?

Options:

A.

The vendor's process appropriately sanitizes the media before disposal

B.

The contract includes issuance of a certificate of destruction by the vendor

C.

The vendor has not experienced security incidents in the past.

D.

The disposal transportation vehicle is fully secure

Buy Now
Questions 57

Which of the following would BEST indicate the effectiveness of a security awareness training program?

Options:

A.

Results of third-party social engineering tests

B.

Employee satisfaction with training

C.

Increased number of employees completing training

D.

Reduced unintentional violations

Buy Now
Questions 58

Which of the following is the PRIMARY purpose of obtaining a baseline image during an operating system audit?

Options:

A.

To identify atypical running processes

B.

To verify antivirus definitions

C.

To identify local administrator account access

D.

To verify the integrity of operating system backups

Buy Now
Questions 59

An IS auditor is reviewing a data conversion project Which of the following is the auditor's BEST recommendation prior to go-live?

Options:

A.

Review test procedures and scenarios

B.

Conduct a mock conversion test

C.

Establish a configuration baseline

D.

Automate the test scripts

Buy Now
Questions 60

The PRIMARY purpose of a configuration management system is to:

Options:

A.

track software updates.

B.

define baselines for software.

C.

support the release procedure.

D.

standardize change approval.

Buy Now
Questions 61

Which of the following areas is MOST likely to be overlooked when implementing a new data classification process?

Options:

A.

End-user computing (EUC) systems

B.

Email attachments

C.

Data sent to vendors

D.

New system applications

Buy Now
Questions 62

An IS auditor learns a server administration team regularly applies workarounds to address repeated failures of critical data processing services Which of the following would BEST enable the organization to resolve this issue?

Options:

A.

Problem management

B.

Incident management

C.

Service level management

D.

Change management

Buy Now
Questions 63

Which of the following is the GREATEST advantage of vulnerability scanning over penetration testing?

Options:

A.

The testing produces a lower number of false positive results

B.

Network bandwidth is utilized more efficiently

C.

Custom-developed applications can be tested more accurately

D.

The testing process can be automated to cover large groups of assets

Buy Now
Questions 64

An IS auditor discovers a box of hard drives in a secured location that are overdue for physical destruction. The vendor responsible for this task was never made aware of these hard drives.

Which of the following is the BEST course of action to address this issue?

Options:

A.

Examine the workflow to identify gaps in asset-handling responsibilities.

B.

Escalate the finding to the asset owner for remediation.

C.

Recommend the drives be sent to the vendor for destruction.

D.

Evaluate the corporate asset-handling policy for potential gaps.

Buy Now
Questions 65

An IS auditor is reviewing the backup procedures in an organization that has high volumes of data with frequent changes to transactions. Which of the following is the BEST backup scheme to recommend given the need for a shorter restoration time in the event of a disruption?

Options:

A.

Differential backup

B.

Full backup

C.

Incremental backup

D.

Mirror backup

Buy Now
Questions 66

Which of the following is the MOST important consideration when establishing vulnerability scanning on critical IT infrastructure?

Options:

A.

The scanning will be performed during non-peak hours.

B.

The scanning will be followed by penetration testing.

C.

The scanning will be cost-effective.

D.

The scanning will not degrade system performance.

Buy Now
Questions 67

What would be the PRIMARY reason an IS auditor would recommend replacing universal PIN codes with an RFID access card system at a data center?

Options:

A.

To improve traceability

B.

To prevent piggybacking

C.

To implement multi-factor authentication

D.

To reduce maintenance costs

Buy Now
Questions 68

Which of the following analytical methods would be MOST useful when trying to identify groups with similar behavior or characteristics in a large population?

Options:

A.

Deviation detection

B.

Cluster sampling

C.

Random sampling

D.

Classification

Buy Now
Questions 69

Which of the following is the MAIN responsibility of the IT steering committee?

  • Reviewing and assisting with IT strategy integration efforts

  • Developing and assessing the IT security strategy

  • Implementing processes to integrate security with business objectives

Options:

A.

Developing and implementing the secure system development framework

Buy Now
Questions 70

Which of the following is an example of a preventive control for physical access?

Options:

A.

Keeping log entries for all visitors to the building

B.

Implementing a fingerprint-based access control system for the building

C.

Installing closed-circuit television (CCTV) cameras for all ingress and egress points

D.

Implementing a centralized logging server to record instances of staff logging into workstations

Buy Now
Questions 71

Which of the following is the MOST effective control over visitor access to highly secured areas?

Options:

A.

Visitors are required to be escorted by authorized personnel.

B.

Visitors are required to use biometric authentication.

C.

Visitors are monitored online by security cameras

D.

Visitors are required to enter through dead-man doors.

Buy Now
Questions 72

Which of the following is the PRIMARY advantage of using virtualization technology for corporate applications?

Options:

A.

Stronger data security

B.

Better utilization of resources

C.

Increased application performance

D.

Improved disaster recovery

Buy Now
Questions 73

Which of the following presents the GREATEST risk to an organization's ability to manage quality control (QC) processes?

Options:

A.

Lack of segregation of duties

B.

Lack of a dedicated QC function

C.

Lack of policies and procedures

D.

Lack of formal training and attestation

Buy Now
Questions 74

During an external review, an IS auditor observes an inconsistent approach in classifying system criticality

within the organization. Which of the following should be recommended as the PRIMARY factor to

determine system criticality?

Options:

A.

Recovery point objective (RPO)

B.

Maximum allowable downtime (MAD)

C.

Mean time to restore (MTTR)

D.

Key performance indicators (KPls)

Buy Now
Questions 75

In an environment where data virtualization is used, which of the following provides the BEST disaster recovery solution?

Options:

A.

Onsite disk-based backup systems

B.

Tape-based backup systems

C.

Virtual tape library

D.

Redundant array of independent disks (RAID)

Buy Now
Questions 76

Which of the following is the BEST way to identify whether the IT help desk is meeting service level agreements (SLAS)?

Options:

A.

Review exception reports

B.

Review IT staffing schedules.

C.

Analyze help desk ticket logs

D.

Conduct IT management interviews

Buy Now
Questions 77

An IS audit reveals an IT application is experiencing poor performance including data inconsistency and integrity issues. What is the MOST likely cause?

Options:

A.

Database clustering

B.

Data caching

C.

Reindexing of the database table

D.

Load balancing

Buy Now
Questions 78

Which of the following BEST describes the role of a document owner when implementing a data classification policy in an organization?

Options:

A.

Classifies documents to correctly reflect the level of sensitivity of information they contain

B.

Defines the conditions under which documents containing sensitive information may be transmitted

C.

Classifies documents in accordance with industry standards and best practices

D.

Ensures documents are handled in accordance With the sensitivity of information they contain

Buy Now
Questions 79

During a project assessment, an IS auditor finds that business owners have been removed from the project initiation phase. Which of the following should be the auditor's GREATEST concern with this situation?

Options:

A.

Unrealistic milestones

B.

Inadequate deliverables

C.

Unclear benefits

D.

Incomplete requirements

Buy Now
Questions 80

An IT balanced scorecard is PRIMARILY used for:

Options:

A.

evaluating the IT project portfolio

B.

measuring IT strategic performance

C.

allocating IT budget and resources

D.

monitoring risk in lT-related processes

Buy Now
Questions 81

Which of the following provides the MOST useful information regarding an organization's risk appetite and tolerance?

Options:

A.

Gap analysis

B.

Audit reports

C.

Risk profile

D.

Risk register

Buy Now
Questions 82

Which of the following is the BEST security control to validate the integrity of data communicated between production databases and a big data analytics

system?

Options:

A.

Hashing in-scope data sets

B.

Encrypting in-scope data sets

C.

Running and comparing the count function within the in-scope data sets

D.

Hosting a digital certificate for in-scope data sets

Buy Now
Questions 83

An organization has established hiring policies and procedures designed specifically to ensure network administrators are well qualified Which type of control is in place?

Options:

A.

Detective

B.

Compensating

C.

Corrective

D.

Directive

Buy Now
Questions 84

When is it MOST important for an IS auditor to apply the concept of materiality in an audit?

Options:

A.

When planning an audit engagement

B.

When gathering information for the fieldwork

C.

When a violation of a regulatory requirement has been identified

D.

When evaluating representations from the auditee

Buy Now
Questions 85

A financial group recently implemented new technologies and processes, Which type of IS audit would provide the GREATEST level of assurance that the department's objectives have been met?

Options:

A.

Performance audit

B.

Integrated audit

C.

Cyber audit

D.

Financial audit

Buy Now
Questions 86

A bank wants to outsource a system to a cloud provider residing in another country. Which of the following would be the MOST appropriate IS audit recommendation?

Options:

A.

Find an alternative provider in the bank's home country.

B.

Ensure the provider's internal control system meets bank requirements.

C.

Proceed as intended, as the provider has to observe all laws of the clients’ countries.

D.

Ensure the provider has disaster recovery capability.

Buy Now
Questions 87

An IS auditor finds a segregation of duties issue in an enterprise resource planning (ERP) system. Which of the following is the BEST way to prevent the misconfiguration from recurring?

Options:

A.

Monitoring access rights on a regular basis

B.

Referencing a standard user-access matrix

C.

Granting user access using a role-based model

D.

Correcting the segregation of duties conflicts

Buy Now
Questions 88

If a source code is not recompiled when program changes are implemented, which of the following is a compensating control to ensure synchronization of source and object?

Options:

A.

Comparison of object and executable code

B.

Review of audit trail of compile dates

C.

Comparison of date stamping of source and object code

D.

Review of developer comments in executable code

Buy Now
Questions 89

An organization implemented a cybersecurity policy last year Which of the following is the GREATE ST indicator that the policy may need to be revised?

Options:

A.

A significant increase in authorized connections to third parties

B.

A significant increase in cybersecurity audit findings

C.

A significant increase in approved exceptions

D.

A significant increase in external attack attempts

Buy Now
Questions 90

An IS audit reveals that an organization operating in business continuity mode during a pandemic situation has not performed a simulation test of the

business continuity plan (BCP). Which of the following is the auditor's BEST course of action?

Options:

A.

Confirm the BCP has been recently updated.

B.

Review the effectiveness of the business response.

C.

Raise an audit issue for the lack of simulated testing.

D.

Interview staff members to obtain commentary on the BCP's effectiveness.

Buy Now
Questions 91

In a high-volume, real-time system, the MOST effective technique by which to continuously monitor and analyze transaction processing is:

Options:

A.

integrated test facility (ITF).

B.

parallel simulation.

C.

transaction tagging.

D.

embedded audit modules.

Buy Now
Questions 92

How does a continuous integration/continuous development (CI/CD) process help to reduce software failure risk?

Options:

A.

Easy software version rollback

B.

Smaller incremental changes

C.

Fewer manual milestones

D.

Automated software testing

Buy Now
Questions 93

An IS auditor should look for which of the following to ensure the risk associated with scope creep has been mitigated during software development?

Options:

A.

Source code version control

B.

Project change management controls

C.

Existence of an architecture review board

D.

Configuration management

Buy Now
Questions 94

Which of the following provides the BEST audit evidence that a firewall is configured in compliance with the organization's security policy?

Options:

A.

Analyzing how the configuration changes are performed

B.

Analyzing log files

C.

Reviewing the rule base

D.

Performing penetration testing

Buy Now
Questions 95

Which of the following should be of GREATEST concern to an IS auditor assessing the effectiveness of an organization's vulnerability scanning program''

Options:

A.

Steps taken to address identified vulnerabilities are not formally documented

B.

Results are not reported to individuals with authority to ensure resolution

C.

Scans are performed less frequently than required by the organization's vulnerability scanning schedule

D.

Results are not approved by senior management

Buy Now
Questions 96

Which of the following is the MOST important control for virtualized environments?

Options:

A.

Regular updates of policies for the operation of the virtualized environment

B.

Hardening for the hypervisor and guest machines

C.

Redundancy of hardware resources and network components

D.

Monitoring utilization of resources at the guest operating system level

Buy Now
Questions 97

Which of the following would be MOST effective in detecting the presence of an unauthorized wireless access point on an internal network?

Options:

A.

Continuous network monitoring

B.

Periodic network vulnerability assessments

C.

Review of electronic access logs

D.

Physical security reviews

Buy Now
Questions 98

What is the PRIMARY reason for an organization to classify the data stored on its internal networks?

Options:

A.

To determine data retention policy

B.

To implement data protection requirements

C.

To comply with the organization's data policies

D.

To follow industry best practices

Buy Now
Questions 99

Which of the following would be the BEST process for continuous auditing to a large financial Institution?

Options:

A.

Testing encryption standards on the disaster recovery system

B.

Validating access controls for real-time data systems

C.

Performing parallel testing between systems

D.

Validating performance of help desk metrics

Buy Now
Questions 100

A finance department has a multi-year project to upgrade the enterprise resource planning (ERP) system hosting the general ledger. and in year one, the system version upgrade will be applied. Which of the following should be the PRIMARY focus of the IS auditor reviewing the first year of the project?

Options:

A.

unit testing

B.

Network performance

C.

User acceptance testing (UAT)

D.

Regression testing

Buy Now
Questions 101

Which of the following should be of GREATEST concern to an IS auditor when auditing an organization's IT strategy development process?

Options:

A.

The IT strategy was developed before the business plan

B.

A business impact analysis (BIA) was not performed to support the IT strategy

C.

The IT strategy was developed based on the current IT capability

D.

Information security was not included as a key objective m the IT strategic plan.

Buy Now
Questions 102

Email required for business purposes is being stored on employees' personal devices.

Which of the following is an IS auditor's BEST recommendation?

Options:

A.

Require employees to utilize passwords on personal devices

B.

Prohibit employees from storing company email on personal devices

C.

Ensure antivirus protection is installed on personal devices

D.

Implement an email containerization solution on personal devices

Buy Now
Questions 103

The FIRST step in an incident response plan is to:

Options:

A.

validate the incident.

B.

notify the head of the IT department.

C.

isolate systems impacted by the incident.

D.

initiate root cause analysis.

Buy Now
Questions 104

An organization is migrating its HR application to an Infrastructure as a Service (laaS) model in a private cloud. Who is PRIMARILY responsible for the security configurations of the deployed application's operating system?

Options:

A.

The cloud provider's external auditor

B.

The cloud provider

C.

The operating system vendor

D.

The organization

Buy Now
Questions 105

The following findings are the result of an IS auditor's post-implementation review of a newly implemented system. Which of the following findings is of GREATEST significance?

Options:

A.

A lessons-learned session was never conducted.

B.

The projects 10% budget overrun was not reported to senior management.

C.

Measurable benefits were not defined.

D.

Monthly dashboards did not always contain deliverables.

Buy Now
Questions 106

Which of the following should be the FIRST consideration when deciding whether data should be moved to a cloud provider for storage?

Options:

A.

Data storage costs

B.

Data classification

C.

Vendor cloud certification

D.

Service level agreements (SLAs)

Buy Now
Questions 107

In an organization's feasibility study to acquire hardware to support a new web server, omission of which of the following would be of MOST concern?

Options:

A.

Alternatives for financing the acquisition

B.

Financial stability of potential vendors

C.

Reputation of potential vendors

D.

Cost-benefit analysis of available products

Buy Now
Questions 108

The use of which of the following would BEST enhance a process improvement program?

Options:

A.

Model-based design notations

B.

Balanced scorecard

C.

Capability maturity models

D.

Project management methodologies

Buy Now
Questions 109

During a routine internal software licensing review, an IS auditor discovers instances where employees shared license keys to critical pieces of business software. Which of the following would be the auditor's BEST course of action?

Options:

A.

Recommend the utilization of software licensing monitoring tools

B.

Recommend the purchase of additional software license keys

C.

Validate user need for shared software licenses

D.

Verify whether the licensing agreement allows shared use

Buy Now
Questions 110

A core system fails a week after a scheduled update, causing an outage that impacts service. Which of the following is MOST important for incident management to focus on when addressing the issue?

Options:

A.

Analyzing the root cause of the outage to ensure the incident will not reoccur

B.

Restoring the system to operational state as quickly as possible

C.

Ensuring all resolution steps are fully documented prior to returning the

system to service

D.

Rolling back the unsuccessful change to the previous state

Buy Now
Questions 111

Which of the following is the BEST indication that there are potential problems within an organization's IT service desk function?

Options:

A.

Undocumented operating procedures

B.

Lack of segregation of duties

C.

An excessive backlog of user requests

D.

Lack of key performance indicators (KPIs)

Buy Now
Questions 112

During the discussion of a draft audit report IT management provided suitable evidence that a process has been implemented for a control that had been concluded by the IS auditor as ineffective Which of the following is the auditor's BEST action?

Options:

A.

Explain to IT management that the new control will be evaluated during follow-up

B.

Add comments about the action taken by IT management in the report

C.

Change the conclusion based on evidence provided by IT management

D.

Re-perform the audit before changing the conclusion

Buy Now
Questions 113

An IS auditor identifies that a legacy application to be decommissioned in three months cannot meet the security requirements established by the current policy. What is the BEST way (or the auditor to address this issue?

Options:

A.

Recommend the application be patched to meet requirements.

B.

Inform the IT director of the policy noncompliance.

C.

Verify management has approved a policy exception to accept the risk.

D.

Take no action since the application will be decommissioned in three months.

Buy Now
Questions 114

An IS auditor finds that while an organization's IT strategy is heavily focused on research and development, the majority of protects n the IT portfolio focus on operations and maintenance. Which of the Mowing is the BEST recommendation?

Options:

A.

Align the IT strategy will business objectives

B.

Review priorities in the IT portfolio

C.

Change the IT strategy to focus on operational excellence.

D.

Align the IT portfolio with the IT strategy.

Buy Now
Questions 115

Which of the following is MOST important to consider when assessing the scope of privacy concerns for an IT project?

Options:

A.

Data ownership

B.

Applicable laws and regulations

C.

Business requirements and data flows

D.

End-user access rights

Buy Now
Questions 116

Which of the following should be GREATEST concern to an IS auditor reviewing data conversion and migration during the implementation of a new application system?

Options:

A.

Data conversion was performed using manual processes.

B.

Backups of the old system and data are not available online.

C.

Unauthorized data modifications occurred during conversion.

D.

The change management process was not formally documented

Buy Now
Questions 117

An IS auditor has been asked to assess the security of a recently migrated database system that contains personal and financial data for a bank's customers. Which of the following controls is MOST important for the auditor to confirm is in place?

Options:

A.

The default configurations have been changed.

B.

All tables in the database are normalized.

C.

The service port used by the database server has been changed.

D.

The default administration account is used after changing the account password.

Buy Now
Questions 118

During the implementation of an upgraded enterprise resource planning (ERP) system, which of the following is the MOST important consideration for a go-live decision?

Options:

A.

Rollback strategy

B.

Test cases

C.

Post-implementation review objectives

D.

Business case

Buy Now
Questions 119

Which of the following would be an IS auditor's GREATEST concern when reviewing the early stages of a software development project?

Options:

A.

The lack of technical documentation to support the program code

B.

The lack of completion of all requirements at the end of each sprint

C.

The lack of acceptance criteria behind user requirements.

D.

The lack of a detailed unit and system test plan

Buy Now
Questions 120

Which of the following would be to MOST concern when determine if information assets are adequately safequately safeguarded during transport and disposal?

Options:

A.

Lack of appropriate labelling

B.

Lack of recent awareness training.

C.

Lack of password protection

D.

Lack of appropriate data classification

Buy Now
Questions 121

The PRIMARY advantage of object-oriented technology is enhanced:

Options:

A.

efficiency due to the re-use of elements of logic.

B.

management of sequential program execution for data access.

C.

grouping of objects into methods for data access.

D.

management of a restricted variety of data types for a data object.

Buy Now
Questions 122

Cross-site scripting (XSS) attacks are BEST prevented through:

Options:

A.

application firewall policy settings.

B.

a three-tier web architecture.

C.

secure coding practices.

D.

use of common industry frameworks.

Buy Now
Questions 123

An IS auditor finds that firewalls are outdated and not supported by vendors. Which of the following should be the auditor's NEXT course of action?

Options:

A.

Report the mitigating controls.

B.

Report the security posture of the organization.

C.

Determine the value of the firewall.

D.

Determine the risk of not replacing the firewall.

Buy Now
Questions 124

Which of the following strategies BEST optimizes data storage without compromising data retention practices?

Options:

A.

Limiting the size of file attachments being sent via email

B.

Automatically deleting emails older than one year

C.

Moving emails to a virtual email vault after 30 days

D.

Allowing employees to store large emails on flash drives

Buy Now
Questions 125

An organization's security policy mandates that all new employees must receive appropriate security awareness training. Which of the following metrics would BEST assure compliance with this policy?

Options:

A.

Percentage of new hires that have completed the training.

B.

Number of new hires who have violated enterprise security policies.

C.

Number of reported incidents by new hires.

D.

Percentage of new hires who report incidents

Buy Now
Questions 126

Which of the following is the BEST method to prevent wire transfer fraud by bank employees?

Options:

A.

Independent reconciliation

B.

Re-keying of wire dollar amounts

C.

Two-factor authentication control

D.

System-enforced dual control

Buy Now
Questions 127

Malicious program code was found in an application and corrected prior to release into production. After the release, the same issue was reported. Which of the following is the IS auditor's BEST recommendation?

Options:

A.

Ensure corrected program code is compiled in a dedicated server.

B.

Ensure change management reports are independently reviewed.

C.

Ensure programmers cannot access code after the completion of program edits.

D.

Ensure the business signs off on end-to-end user acceptance test (UAT) results.

Buy Now
Questions 128

Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization's information security policy?

Options:

A.

Alignment with the IT tactical plan

B.

IT steering committee minutes

C.

Compliance with industry best practice

D.

Business objectives

Buy Now
Questions 129

An IS audit reveals that an organization is not proactively addressing known vulnerabilities. Which of the following should the IS auditor recommend the organization do FIRST?

Options:

A.

Verify the disaster recovery plan (DRP) has been tested.

B.

Ensure the intrusion prevention system (IPS) is effective.

C.

Assess the security risks to the business.

D.

Confirm the incident response team understands the issue.

Buy Now
Questions 130

During an audit of a reciprocal disaster recovery agreement between two companies, the IS auditor would be MOST concerned with the:

Options:

A.

allocation of resources during an emergency.

B.

frequency of system testing.

C.

differences in IS policies and procedures.

D.

maintenance of hardware and software compatibility.

Buy Now
Questions 131

Which of the following should an IS auditor be MOST concerned with during a post-implementation review?

Options:

A.

The system does not have a maintenance plan.

B.

The system contains several minor defects.

C.

The system deployment was delayed by three weeks.

D.

The system was over budget by 15%.

Buy Now
Questions 132

An organizations audit charier PRIMARILY:

Options:

A.

describes the auditors' authority to conduct audits.

B.

defines the auditors' code of conduct.

C.

formally records the annual and quarterly audit plans.

D.

documents the audit process and reporting standards.

Buy Now
Questions 133

What should be the PRIMARY basis for selecting which IS audits to perform in the coming year?

Options:

A.

Senior management's request

B.

Prior year's audit findings

C.

Organizational risk assessment

D.

Previous audit coverage and scope

Buy Now
Questions 134

Which of the following is the BEST control to mitigate the malware risk associated with an instant messaging (IM) system?

Options:

A.

Blocking attachments in IM

B.

Blocking external IM traffic

C.

Allowing only corporate IM solutions

D.

Encrypting IM traffic

Buy Now
Questions 135

Which of the following is the MOST effective control for protecting the confidentiality and integrity of data stored unencrypted on virtual machines?

Options:

A.

Monitor access to stored images and snapshots of virtual machines.

B.

Restrict access to images and snapshots of virtual machines.

C.

Limit creation of virtual machine images and snapshots.

D.

Review logical access controls on virtual machines regularly.

Buy Now
Questions 136

Which of the following would BEST facilitate the successful implementation of an IT-related framework?

Options:

A.

Aligning the framework to industry best practices

B.

Establishing committees to support and oversee framework activities

C.

Involving appropriate business representation within the framework

D.

Documenting IT-related policies and procedures

Buy Now
Questions 137

An organization allows employees to retain confidential data on personal mobile devices. Which of the following is the BEST recommendation to mitigate the risk of data leakage from lost or stolen devices?

Options:

A.

Require employees to attend security awareness training.

B.

Password protect critical data files.

C.

Configure to auto-wipe after multiple failed access attempts.

D.

Enable device auto-lock function.

Buy Now
Questions 138

Which audit approach is MOST helpful in optimizing the use of IS audit resources?

Options:

A.

Agile auditing

B.

Continuous auditing

C.

Outsourced auditing

D.

Risk-based auditing

Buy Now
Questions 139

Which of the following would BEST determine whether a post-implementation review (PIR) performed by the project management office (PMO) was effective?

Options:

A.

Lessons learned were implemented.

B.

Management approved the PIR report.

C.

The review was performed by an external provider.

D.

Project outcomes have been realized.

Buy Now
Questions 140

Which of the following components of a risk assessment is MOST helpful to management in determining the level of risk mitigation to apply?

Options:

A.

Risk identification

B.

Risk classification

C.

Control self-assessment (CSA)

D.

Impact assessment

Buy Now
Questions 141

An IS auditor is conducting a post-implementation review of an enterprise resource planning (ERP) system. End users indicated concerns with the accuracy of critical automatic calculations made by the system. The auditor's FIRST course of action should be to:

Options:

A.

review recent changes to the system.

B.

verify completeness of user acceptance testing (UAT).

C.

verify results to determine validity of user concerns.

D.

review initial business requirements.

Buy Now
Questions 142

Which of the following attack techniques will succeed because of an inherent security weakness in an Internet firewall?

Options:

A.

Phishing

B.

Using a dictionary attack of encrypted passwords

C.

Intercepting packets and viewing passwords

D.

Flooding the site with an excessive number of packets

Buy Now
Questions 143

An organization conducted an exercise to test the security awareness level of users by sending an email offering a cash reward 10 those who click on a link embedded in the body of the email. Which of the following metrics BEST indicates the effectiveness of awareness training?

Options:

A.

The number of users deleting the email without reporting because it is a phishing email

B.

The number of users clicking on the link to learn more about the sender of the email

C.

The number of users forwarding the email to their business unit managers

D.

The number of users reporting receipt of the email to the information security team

Buy Now
Questions 144

While executing follow-up activities, an IS auditor is concerned that management has implemented corrective actions that are different from those originally discussed and agreed with the audit function. In order to resolve the situation, the IS auditor's BEST course of action would be to:

Options:

A.

re-prioritize the original issue as high risk and escalate to senior management.

B.

schedule a follow-up audit in the next audit cycle.

C.

postpone follow-up activities and escalate the alternative controls to senior audit management.

D.

determine whether the alternative controls sufficiently mitigate the risk.

Buy Now
Questions 145

An organization's enterprise architecture (EA) department decides to change a legacy system's components while maintaining its original functionality. Which of the following is MOST important for an IS auditor to understand when reviewing this decision?

Options:

A.

The current business capabilities delivered by the legacy system

B.

The proposed network topology to be used by the redesigned system

C.

The data flows between the components to be used by the redesigned system

D.

The database entity relationships within the legacy system

Buy Now
Questions 146

One benefit of return on investment (ROI) analysts in IT decision making is that it provides the:

Options:

A.

basis for allocating indirect costs.

B.

cost of replacing equipment.

C.

estimated cost of ownership.

D.

basis for allocating financial resources.

Buy Now
Questions 147

Secure code reviews as part of a continuous deployment program are which type of control?

Options:

A.

Detective

B.

Logical

C.

Preventive

D.

Corrective

Buy Now
Questions 148

When evaluating the design of controls related to network monitoring, which of the following is MOST important for an IS auditor to review?

Options:

A.

Incident monitoring togs

B.

The ISP service level agreement

C.

Reports of network traffic analysis

D.

Network topology diagrams

Buy Now
Questions 149

An organization's software developers need access to personally identifiable information (Pll) stored in a particular data format. Which of the following is the BEST way to protect this sensitive information while allowing the developers to use it in development and test environments?

Options:

A.

Data masking

B.

Data tokenization

C.

Data encryption

D.

Data abstraction

Buy Now
Questions 150

The implementation of an IT governance framework requires that the board of directors of an organization:

Options:

A.

Address technical IT issues.

B.

Be informed of all IT initiatives.

C.

Have an IT strategy committee.

D.

Approve the IT strategy.

Buy Now
Questions 151

Which of the following is MOST important to ensure when planning a black box penetration test?

Options:

A.

The management of the client organization is aware of the testing.

B.

The test results will be documented and communicated to management.

C.

The environment and penetration test scope have been determined.

D.

Diagrams of the organization's network architecture are available.

Buy Now
Questions 152

Which of the following is the PRIMARY reason for an IS auditor to conduct post-implementation reviews?

Options:

A.

To determine whether project objectives in the business case have been achieved

B.

To ensure key stakeholder sign-off has been obtained

C.

To align project objectives with business needs

D.

To document lessons learned to improve future project delivery

Buy Now
Questions 153

During a new system implementation, an IS auditor has been assigned to review risk management at each milestone. The auditor finds that several risks to project benefits have not been addressed. Who should be accountable for managing these risks?

Options:

A.

Enterprise risk manager

B.

Project sponsor

C.

Information security officer

D.

Project manager

Buy Now
Questions 154

An IS auditor notes the transaction processing times in an order processing system have significantly increased after a major release. Which of the following should the IS auditor review FIRST?

Options:

A.

Capacity management plan

B.

Training plans

C.

Database conversion results

D.

Stress testing results

Buy Now
Questions 155

Which of the following data would be used when performing a business impact analysis (BIA)?

Options:

A.

Projected impact of current business on future business

B.

Cost-benefit analysis of running the current business

C.

Cost of regulatory compliance

D.

Expected costs for recovering the business

Buy Now
Questions 156

When implementing Internet Protocol security (IPsec) architecture, the servers involved in application delivery:

Options:

A.

communicate via Transport Layer Security (TLS),

B.

block authorized users from unauthorized activities.

C.

channel access only through the public-facing firewall.

D.

channel access through authentication.

Buy Now
Questions 157

An IS auditor will be testing accounts payable controls by performing data analytics on the entire population of transactions. Which of the following is MOST important for the auditor to confirm when sourcing the population data?

Options:

A.

The data is taken directly from the system.

B.

There is no privacy information in the data.

C.

The data can be obtained in a timely manner.

D.

The data analysis tools have been recently updated.

Buy Now
Questions 158

Spreadsheets are used to calculate project cost estimates. Totals for each cost category are then keyed into the job-costing system. What is the BEST control to ensure that data is accurately entered into the system?

Options:

A.

Reconciliation of total amounts by project

B.

Validity checks, preventing entry of character data

C.

Reasonableness checks for each cost type

D.

Display the back of the project detail after the entry

Buy Now
Questions 159

Which of the following should be the PRIMARY basis for prioritizing follow-up audits?

Options:

A.

Audit cycle defined in the audit plan

B.

Complexity of management's action plans

C.

Recommendation from executive management

D.

Residual risk from the findings of previous audits

Buy Now
Questions 160

Which of the following is the BEST way to address segregation of duties issues in an organization with budget constraints?

Options:

A.

Rotate job duties periodically.

B.

Perform an independent audit.

C.

Hire temporary staff.

D.

Implement compensating controls.

Buy Now
Questions 161

Which of the following is MOST important to include in forensic data collection and preservation procedures?

Options:

A.

Assuring the physical security of devices

B.

Preserving data integrity

C.

Maintaining chain of custody

D.

Determining tools to be used

Buy Now
Questions 162

Which of the following is the PRIMARY concern when negotiating a contract for a hot site?

Options:

A.

Availability of the site in the event of multiple disaster declarations

B.

Coordination with the site staff in the event of multiple disaster declarations

C.

Reciprocal agreements with other organizations

D.

Complete testing of the recovery plan

Buy Now
Questions 163

An IS auditor is reviewing an organization's information asset management process. Which of the following would be of GREATEST concern to the auditor?

Options:

A.

The process does not require specifying the physical locations of assets.

B.

Process ownership has not been established.

C.

The process does not include asset review.

D.

Identification of asset value is not included in the process.

Buy Now
Questions 164

Which of the following is the BEST way to determine whether a test of a disaster recovery plan (DRP) was successful?

Options:

A.

Analyze whether predetermined test objectives were met.

B.

Perform testing at the backup data center.

C.

Evaluate participation by key personnel.

D.

Test offsite backup files.

Buy Now
Questions 165

What is MOST important to verify during an external assessment of network vulnerability?

Options:

A.

Update of security information event management (SIEM) rules

B.

Regular review of the network security policy

C.

Completeness of network asset inventory

D.

Location of intrusion detection systems (IDS)

Buy Now
Questions 166

Documentation of workaround processes to keep a business function operational during recovery of IT systems is a core part of a:

Options:

A.

business impact analysis (BIA).

B.

threat and risk assessment.

C.

business continuity plan (BCP).

D.

disaster recovery plan (DRP).

Buy Now
Questions 167

An IS auditor is examining a front-end subledger and a main ledger. Which of the following would be the GREATEST concern if there are flaws in the mapping of accounts between the two systems?

Options:

A.

Double-posting of a single journal entry

B.

Inability to support new business transactions

C.

Unauthorized alteration of account attributes

D.

Inaccuracy of financial reporting

Buy Now
Questions 168

When auditing the security architecture of an online application, an IS auditor should FIRST review the:

Options:

A.

firewall standards.

B.

configuration of the firewall

C.

firmware version of the firewall

D.

location of the firewall within the network

Buy Now
Questions 169

An IS auditor finds the log management system is overwhelmed with false positive alerts. The auditor's BEST recommendation would be to:

Options:

A.

establish criteria for reviewing alerts.

B.

recruit more monitoring personnel.

C.

reduce the firewall rules.

D.

fine tune the intrusion detection system (IDS).

Buy Now
Questions 170

Due to limited storage capacity, an organization has decided to reduce the actual retention period for media containing completed low-value transactions. Which of the following is MOST important for the organization to ensure?

Options:

A.

The policy includes a strong risk-based approach.

B.

The retention period allows for review during the year-end audit.

C.

The total transaction amount has no impact on financial reporting.

D.

The retention period complies with data owner responsibilities.

Buy Now
Questions 171

An IS auditor has found that an organization is unable to add new servers on demand in a cost-efficient manner. Which of the following is the auditor's BEST recommendation?

Options:

A.

Increase the capacity of existing systems.

B.

Upgrade hardware to newer technology.

C.

Hire temporary contract workers for the IT function.

D.

Build a virtual environment.

Buy Now
Questions 172

An IS auditor discovers that validation controls m a web application have been moved from the server side into the browser to boost performance This would MOST likely increase the risk of a successful attack by.

Options:

A.

phishing.

B.

denial of service (DoS)

C.

structured query language (SQL) injection

D.

buffer overflow

Buy Now
Questions 173

Which of the following should be an IS auditor's PRIMARY focus when developing a risk-based IS audit program?

Options:

A.

Portfolio management

B.

Business plans

C.

Business processes

D.

IT strategic plans

Buy Now
Questions 174

Which of the following would MOST likely impair the independence of the IS auditor when performing a post-implementation review of an application system?

Options:

A.

The IS auditor provided consulting advice concerning application system best practices.

B.

The IS auditor participated as a member of the application system project team, but did not have operational responsibilities.

C.

The IS auditor designed an embedded audit module exclusively for auditing the application system.

D.

The IS auditor implemented a specific control during the development of the application system.

Buy Now
Questions 175

Which of the following is the MOST important determining factor when establishing appropriate timeframes for follow-up activities related to audit findings?

Options:

A.

Availability of IS audit resources

B.

Remediation dates included in management responses

C.

Peak activity periods for the business

D.

Complexity of business processes identified in the audit

Buy Now
Questions 176

An organization with many desktop PCs is considering moving to a thin client architecture. Which of the following is the MAJOR advantage?

Options:

A.

The security of the desktop PC is enhanced.

B.

Administrative security can be provided for the client.

C.

Desktop application software will never have to be upgraded.

D.

System administration can be better managed

Buy Now
Questions 177

An IS auditor notes that IT and the business have different opinions on the availability of their application servers. Which of the following should the IS auditor review FIRST in order to understand the problem?

Options:

A.

The exact definition of the service levels and their measurement

B.

The alerting and measurement process on the application servers

C.

The actual availability of the servers as part of a substantive test

D.

The regular performance-reporting documentation

Buy Now
Questions 178

Which of the following is the MOST important activity in the data classification process?

Options:

A.

Labeling the data appropriately

B.

Identifying risk associated with the data

C.

Determining accountability of data owners

D.

Determining the adequacy of privacy controls

Buy Now
Questions 179

Which of the following is MOST important to verify when determining the completeness of the vulnerability scanning process?

Options:

A.

The organization's systems inventory is kept up to date.

B.

Vulnerability scanning results are reported to the CISO.

C.

The organization is using a cloud-hosted scanning tool for Identification of vulnerabilities

D.

Access to the vulnerability scanning tool is periodically reviewed

Buy Now
Questions 180

Which of the following conditions would be of MOST concern to an IS auditor assessing the risk of a successful brute force attack against encrypted data at test?

Options:

A.

Short key length

B.

Random key generation

C.

Use of symmetric encryption

D.

Use of asymmetric encryption

Buy Now
Questions 181

An IS auditor is reviewing the release management process for an in-house software development solution. In which environment Is the software version MOST likely to be the same as production?

Options:

A.

Staging

B.

Testing

C.

Integration

D.

Development

Buy Now
Questions 182

An organization was recently notified by its regulatory body of significant discrepancies in its reporting data. A preliminary investigation revealed that the discrepancies were caused by problems with the organization's data quality Management has directed the data quality team to enhance their program. The audit committee has asked internal audit to be advisors to the process. To ensure that management concerns are addressed, which data set should internal audit recommend be reviewed FIRST?

Options:

A.

Data with customer personal information

B.

Data reported to the regulatory body

C.

Data supporting financial statements

D.

Data impacting business objectives

Buy Now
Questions 183

Which of the following business continuity activities prioritizes the recovery of critical functions?

Options:

A.

Business continuity plan (BCP) testing

B.

Business impact analysis (BIA)

C.

Disaster recovery plan (DRP) testing

D.

Risk assessment

Buy Now
Questions 184

Which of the following should an IS auditor consider FIRST when evaluating firewall rules?

Options:

A.

The organization's security policy

B.

The number of remote nodes

C.

The firewalls' default settings

D.

The physical location of the firewalls

Buy Now
Questions 185

An IS auditor is reviewing security controls related to collaboration tools for a business unit responsible for intellectual property and patents. Which of the following observations should be of MOST concern to the auditor?

Options:

A.

Training was not provided to the department that handles intellectual property and patents

B.

Logging and monitoring for content filtering is not enabled.

C.

Employees can share files with users outside the company through collaboration tools.

D.

The collaboration tool is hosted and can only be accessed via an Internet browser

Buy Now
Questions 186

While auditing a small organization's data classification processes and procedures, an IS auditor noticed that data is often classified at the incorrect level. What is the MOST effective way for the organization to improve this situation?

Options:

A.

Use automatic document classification based on content.

B.

Have IT security staff conduct targeted training for data owners.

C.

Publish the data classification policy on the corporate web portal.

D.

Conduct awareness presentations and seminars for information classification policies.

Buy Now
Questions 187

An IS auditor should ensure that an application's audit trail:

Options:

A.

has adequate security.

B.

logs ail database records.

C.

Is accessible online

D.

does not impact operational efficiency

Buy Now
Questions 188

When planning an audit to assess application controls of a cloud-based system, it is MOST important tor the IS auditor to understand the.

Options:

A.

architecture and cloud environment of the system.

B.

business process supported by the system.

C.

policies and procedures of the business area being audited.

D.

availability reports associated with the cloud-based system.

Buy Now
Questions 189

Which of the following BEST protects an organization's proprietary code during a joint-development activity involving a third party?

Options:

A.

Statement of work (SOW)

B.

Nondisclosure agreement (NDA)

C.

Service level agreement (SLA)

D.

Privacy agreement

Buy Now
Questions 190

The IS quality assurance (OA) group is responsible for:

Options:

A.

ensuring that program changes adhere to established standards.

B.

designing procedures to protect data against accidental disclosure.

C.

ensuring that the output received from system processing is complete.

D.

monitoring the execution of computer processing tasks.

Buy Now
Questions 191

Which of the following is the MAIN purpose of an information security management system?

Options:

A.

To identify and eliminate the root causes of information security incidents

B.

To enhance the impact of reports used to monitor information security incidents

C.

To keep information security policies and procedures up-to-date

D.

To reduce the frequency and impact of information security incidents

Buy Now
Questions 192

An information systems security officer's PRIMARY responsibility for business process applications is to:

Options:

A.

authorize secured emergency access

B.

approve the organization's security policy

C.

ensure access rules agree with policies

D.

create role-based rules for each business process

Buy Now
Questions 193

To develop meaningful recommendations 'or findings, which of the following is MOST important 'or an IS auditor to determine and understand?

Options:

A.

Root cause

B.

Responsible party

C.

impact

D.

Criteria

Buy Now
Questions 194

The due date of an audit project is approaching, and the audit manager has determined that only 60% of the audit has been completed. Which of the following should the audit manager do FIRST?

Options:

A.

Determine where delays have occurred

B.

Assign additional resources to supplement the audit

C.

Escalate to the audit committee

D.

Extend the audit deadline

Buy Now
Questions 195

The PRIMARY focus of a post-implementation review is to verify that:

Options:

A.

enterprise architecture (EA) has been complied with.

B.

user requirements have been met.

C.

acceptance testing has been properly executed.

D.

user access controls have been adequately designed.

Buy Now
Questions 196

In an online application, which of the following would provide the MOST information about the transaction audit trail?

Options:

A.

System/process flowchart

B.

File layouts

C.

Data architecture

D.

Source code documentation

Buy Now
Questions 197

Which of the following BEST Indicates that an incident management process is effective?

Options:

A.

Decreased time for incident resolution

B.

Increased number of incidents reviewed by IT management

C.

Decreased number of calls lo the help desk

D.

Increased number of reported critical incidents

Buy Now
Questions 198

The waterfall life cycle model of software development is BEST suited for which of the following situations?

Options:

A.

The protect requirements are wall understood.

B.

The project is subject to time pressures.

C.

The project intends to apply an object-oriented design approach.

D.

The project will involve the use of new technology.

Buy Now
Questions 199

For an organization that has plans to implement web-based trading, it would be MOST important for an IS auditor to verify the organization's information security plan includes:

Options:

A.

attributes for system passwords.

B.

security training prior to implementation.

C.

security requirements for the new application.

D.

the firewall configuration for the web server.

Buy Now
Questions 200

An IS auditor is reviewing an industrial control system (ICS) that uses older unsupported technology in the scope of an upcoming audit. What should the auditor consider the MOST significant concern?

Options:

A.

Attack vectors are evolving for industrial control systems.

B.

There is a greater risk of system exploitation.

C.

Disaster recovery plans (DRPs) are not in place.

D.

Technical specifications are not documented.

Buy Now
Questions 201

When auditing the alignment of IT to the business strategy, it is MOST Important for the IS auditor to:

Options:

A.

compare the organization's strategic plan against industry best practice.

B.

interview senior managers for their opinion of the IT function.

C.

ensure an IT steering committee is appointed to monitor new IT projects.

D.

evaluate deliverables of new IT initiatives against planned business services.

Buy Now
Questions 202

An organization is considering allowing users to connect personal devices to the corporate network. Which of the following should be done FIRST?

Options:

A.

Conduct security awareness training.

B.

Implement an acceptable use policy

C.

Create inventory records of personal devices

D.

Configure users on the mobile device management (MDM) solution

Buy Now
Questions 203

Due to limited storage capacity, an organization has decided to reduce the actual retention period for media containing completed low-value transactions. Which of the following is MOST important for the organization to ensure?

Options:

A.

The policy includes a strong risk-based approach.

B.

The retention period allows for review during the year-end audit.

C.

The retention period complies with data owner responsibilities.

D.

The total transaction amount has no impact on financial reporting

Buy Now
Questions 204

Which of the following would be of MOST concern for an IS auditor evaluating the design of an organization's incident management processes?

Options:

A.

Service management standards are not followed.

B.

Expected time to resolve incidents is not specified.

C.

Metrics are not reported to senior management.

D.

Prioritization criteria are not defined.

Buy Now
Questions 205

Which of the following should be an IS auditor's GREATEST concern when an international organization intends to roll out a global data privacy policy?

Options:

A.

Requirements may become unreasonable.

B.

The policy may conflict with existing application requirements.

C.

Local regulations may contradict the policy.

D.

Local management may not accept the policy.

Buy Now
Questions 206

When testing the adequacy of tape backup procedures, which step BEST verifies that regularly scheduled Backups are timely and run to completion?

Options:

A.

Observing the execution of a daily backup run

B.

Evaluating the backup policies and procedures

C.

Interviewing key personnel evolved In the backup process

D.

Reviewing a sample of system-generated backup logs

Buy Now
Questions 207

A new regulation in one country of a global organization has recently prohibited cross-border transfer of personal data. An IS auditor has been asked to determine the organization's level of exposure In the affected country. Which of the following would be MOST helpful in making this assessment?

Options:

A.

Developing an inventory of all business entities that exchange personal data with the affected jurisdiction

B.

Identifying data security threats in the affected jurisdiction

C.

Reviewing data classification procedures associated with the affected jurisdiction

D.

Identifying business processes associated with personal data exchange with the affected jurisdiction

Buy Now
Questions 208

In a RAO model, which of the following roles must be assigned to only one individual?

Options:

A.

Responsible

B.

Informed

C.

Consulted

D.

Accountable

Buy Now
Questions 209

What is the Most critical finding when reviewing an organization’s information security management?

Options:

A.

No dedicated security officer

B.

No official charier for the information security management system

C.

No periodic assessments to identify threats and vulnerabilities

D.

No employee awareness training and education program

Buy Now
Questions 210

Which of the following is the GREATEST security risk associated with data migration from a legacy human resources (HR) system to a cloud-based system?

Options:

A.

Data from the source and target system may be intercepted.

B.

Data from the source and target system may have different data formats.

C.

Records past their retention period may not be migrated to the new system.

D.

System performance may be impacted by the migration

Buy Now
Questions 211

Which of the following activities provides an IS auditor with the MOST insight regarding potential single person dependencies that might exist within the organization?

Options:

A.

Reviewing vacation patterns

B.

Reviewing user activity logs

C.

Interviewing senior IT management

D.

Mapping IT processes to roles

Buy Now
Questions 212

Which of the following is the GREATEST risk associated with storing customer data on a web server?

Options:

A.

Data availability

B.

Data confidentiality

C.

Data integrity

D.

Data redundancy

Buy Now
Questions 213

After the merger of two organizations, which of the following is the MOST important task for an IS auditor to perform?

Options:

A.

Verifying that access privileges have been reviewed

B.

investigating access rights for expiration dates

C.

Updating the continuity plan for critical resources

D.

Updating the security policy

Buy Now
Questions 214

Which of the following is the BEST audit procedure to determine whether a firewall is configured in compliance with the organization's security policy?

Options:

A.

Reviewing the parameter settings

B.

Reviewing the system log

C.

Interviewing the firewall administrator

D.

Reviewing the actual procedures

Buy Now
Questions 215

Which of the following is the MOST important reason to classify a disaster recovery plan (DRP) as confidential?

Options:

A.

Ensure compliance with the data classification policy.

B.

Protect the plan from unauthorized alteration.

C.

Comply with business continuity best practice.

D.

Reduce the risk of data leakage that could lead to an attack.

Buy Now
Questions 216

The PRIMARY reason for an IS auditor to use data analytics techniques is to reduce which type of audit risk?

Options:

A.

Technology risk

B.

Detection risk

C.

Control risk

D.

Inherent risk

Buy Now
Questions 217

An IS auditor is evaluating the risk associated with moving from one database management system (DBMS) to another. Which of the following would be MOST helpful to ensure the integrity of the system throughout the change?

Options:

A.

Preserving the same data classifications

B.

Preserving the same data inputs

C.

Preserving the same data structure

D.

Preserving the same data interfaces

Buy Now
Questions 218

In data warehouse (DW) management, what is the BEST way to prevent data quality issues caused by changes from a source system?

Options:

A.

Configure data quality alerts to check variances between the data warehouse and the source system

B.

Require approval for changes in the extract/Transfer/load (ETL) process between the two systems

C.

Include the data warehouse in the impact analysis (or any changes m the source system

D.

Restrict access to changes in the extract/transfer/load (ETL) process between the two systems

Buy Now
Questions 219

Following a security breach in which a hacker exploited a well-known vulnerability in the domain controller, an IS audit has been asked to conduct a control assessment. the auditor's BEST course of action would be to determine if:

Options:

A.

the patches were updated.

B.

The logs were monitored.

C.

The network traffic was being monitored.

D.

The domain controller was classified for high availability.

Buy Now
Questions 220

Which of the following activities would allow an IS auditor to maintain independence while facilitating a control sell-assessment (CSA)?

Options:

A.

Implementing the remediation plan

B.

Partially completing the CSA

C.

Developing the remediation plan

D.

Developing the CSA questionnaire

Buy Now
Questions 221

A now regulation requires organizations to report significant security incidents to the regulator within 24 hours of identification. Which of the following is the IS auditor’s BEST recommendation to facilitate compliance with the regulation?

Options:

A.

Establish key performance indicators (KPls) for timely identification of security incidents.

B.

Engage an external security incident response expert for incident handling.

C.

Enhance the alert functionality of the intrusion detection system (IDS).

D.

Include the requirement in the incident management response plan.

Buy Now
Questions 222

Which of the following should an IS auditor review FIRST when planning a customer data privacy audit?

Options:

A.

Legal and compliance requirements

B.

Customer agreements

C.

Data classification

D.

Organizational policies and procedures

Buy Now
Questions 223

A manager Identifies active privileged accounts belonging to staff who have left the organization. Which of the following is the threat actor In this scenario?

Options:

A.

Terminated staff

B.

Unauthorized access

C.

Deleted log data

D.

Hacktivists

Buy Now
Questions 224

An internal audit department recently established a quality assurance (QA) program. Which of the following activities Is MOST important to include as part of the QA program requirements?

Options:

A.

Long-term Internal audit resource planning

B.

Ongoing monitoring of the audit activities

C.

Analysis of user satisfaction reports from business lines

D.

Feedback from Internal audit staff

Buy Now
Questions 225

Which of the following metrics would BEST measure the agility of an organization's IT function?

Options:

A.

Average number of learning and training hours per IT staff member

B.

Frequency of security assessments against the most recent standards and guidelines

C.

Average time to turn strategic IT objectives into an agreed upon and approved initiative

D.

Percentage of staff with sufficient IT-related skills for the competency required of their roles

Buy Now
Questions 226

Which of the following documents should specify roles and responsibilities within an IT audit organization?

Options:

A.

Organizational chart

B.

Audit charier

C.

Engagement letter

D.

Annual audit plan

Buy Now
Questions 227

During a follow-up audit, it was found that a complex security vulnerability of low risk was not resolved within the agreed-upon timeframe. IT has stated that the system with the identified vulnerability is being replaced and is expected to be fully functional in two months Which of the following is the BEST course of action?

Options:

A.

Require documentation that the finding will be addressed within the new system

B.

Schedule a meeting to discuss the issue with senior management

C.

Perform an ad hoc audit to determine if the vulnerability has been exploited

D.

Recommend the finding be resolved prior to implementing the new system

Buy Now
Questions 228

Which of the following is MOST helpful for measuring benefits realization for a new system?

Options:

A.

Function point analysis

B.

Balanced scorecard review

C.

Post-implementation review

D.

Business impact analysis (BIA)

Buy Now
Questions 229

An employee loses a mobile device resulting in loss of sensitive corporate data. Which o( the following would have BEST prevented data leakage?

Options:

A.

Data encryption on the mobile device

B.

Complex password policy for mobile devices

C.

The triggering of remote data wipe capabilities

D.

Awareness training for mobile device users

Buy Now
Questions 230

Which of the following would lead an IS auditor to conclude that the evidence collected during a digital forensic investigation would not be admissible in court?

Options:

A.

The person who collected the evidence is not qualified to represent the case.

B.

The logs failed to identify the person handling the evidence.

C.

The evidence was collected by the internal forensics team.

D.

The evidence was not fully backed up using a cloud-based solution prior to the trial.

Buy Now
Questions 231

Which of the following environments is BEST used for copying data and transformation into a compatible data warehouse format?

Options:

A.

Testing

B.

Replication

C.

Staging

D.

Development

Buy Now
Questions 232

Which of the following security risks can be reduced by a property configured network firewall?

Options:

A.

SQL injection attacks

B.

Denial of service (DoS) attacks

C.

Phishing attacks

D.

Insider attacks

Buy Now
Questions 233

Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system. Which of the following is the IS auditor's BEST recommendation for a compensating control?

Options:

A.

Require written authorization for all payment transactions

B.

Restrict payment authorization to senior staff members.

C.

Reconcile payment transactions with invoices.

D.

Review payment transaction history

Buy Now
Questions 234

An IS auditor is reviewing an organization's primary router access control list. Which of the following should result in a finding?

Options:

A.

There are conflicting permit and deny rules for the IT group.

B.

The network security group can change network address translation (NAT).

C.

Individual permissions are overriding group permissions.

D.

There is only one rule per group with access privileges.

Buy Now
Questions 235

Which of the following provides IS audit professionals with the BEST source of direction for performing audit functions?

Options:

A.

Audit charter

B.

IT steering committee

C.

Information security policy

D.

Audit best practices

Buy Now
Questions 236

An organization recently implemented a cloud document storage solution and removed the ability for end users to save data to their local workstation hard drives. Which of the following findings should be the IS auditor's GREATEST concern?

Options:

A.

Users are not required to sign updated acceptable use agreements.

B.

Users have not been trained on the new system.

C.

The business continuity plan (BCP) was not updated.

D.

Mobile devices are not encrypted.

Buy Now
Questions 237

Which of the following weaknesses would have the GREATEST impact on the effective operation of a perimeter firewall?

Options:

A.

Use of stateful firewalls with default configuration

B.

Ad hoc monitoring of firewall activity

C.

Misconfiguration of the firewall rules

D.

Potential back doors to the firewall software

Buy Now
Questions 238

During an IT governance audit, an IS auditor notes that IT policies and procedures are not regularly reviewed and updated. The GREATEST concern to the IS auditor is that policies and procedures might not:

Options:

A.

reflect current practices.

B.

include new systems and corresponding process changes.

C.

incorporate changes to relevant laws.

D.

be subject to adequate quality assurance (QA).

Buy Now
Questions 239

In an environment that automatically reports all program changes, which of the following is the MOST efficient way to detect unauthorized changes to production programs?

Options:

A.

Reviewing the last compile date of production programs

B.

Manually comparing code in production programs to controlled copies

C.

Periodically running and reviewing test data against production programs

D.

Verifying user management approval of modifications

Buy Now
Questions 240

In an online application which of the following would provide the MOST information about the transaction audit trail?

Options:

A.

File layouts

B.

Data architecture

C.

System/process flowchart

D.

Source code documentation

Buy Now
Questions 241

A new system is being developed by a vendor for a consumer service organization. The vendor will provide its proprietary software once system development is completed Which of the following is the MOST important requirement to include In the vendor contract to ensure continuity?

Options:

A.

Continuous 24/7 support must be available.

B.

The vendor must have a documented disaster recovery plan (DRP) in place.

C.

Source code for the software must be placed in escrow.

D.

The vendor must train the organization's staff to manage the new software

Buy Now
Questions 242

To enable the alignment of IT staff development plans with IT strategy, which of the following should be done FIRST?

Options:

A.

Review IT staff job descriptions for alignment

B.

Develop quarterly training for each IT staff member.

C.

Identify required IT skill sets that support key business processes

D.

Include strategic objectives m IT staff performance objectives

Buy Now
Questions 243

Which of the following would BEST manage the risk of changes in requirements after the analysis phase of a business application development project?

Options:

A.

Expected deliverables meeting project deadlines

B.

Sign-off from the IT team

C.

Ongoing participation by relevant stakeholders

D.

Quality assurance (OA) review

Buy Now
Questions 244

An IS auditor is analyzing a sample of accesses recorded on the system log of an application. The auditor intends to launch an intensive investigation if one exception is found Which sampling method would be appropriate?

Options:

A.

Discovery sampling

B.

Judgmental sampling

C.

Variable sampling

D.

Stratified sampling

Buy Now
Questions 245

Which of the following would be MOST useful when analyzing computer performance?

Options:

A.

Statistical metrics measuring capacity utilization

B.

Operations report of user dissatisfaction with response time

C.

Tuning of system software to optimize resource usage

D.

Report of off-peak utilization and response time

Buy Now
Questions 246

An IS auditor is reviewing the installation of a new server. The IS auditor's PRIMARY objective is to ensure that

Options:

A.

security parameters are set in accordance with the manufacturer s standards.

B.

a detailed business case was formally approved prior to the purchase.

C.

security parameters are set in accordance with the organization's policies.

D.

the procurement project invited lenders from at least three different suppliers.

Buy Now
Questions 247

Which of the following types of environmental equipment will MOST likely be deployed below the floor tiles of a data center?

Options:

A.

Temperature sensors

B.

Humidity sensors

C.

Water sensors

D.

Air pressure sensors

Buy Now
Questions 248

An externally facing system containing sensitive data is configured such that users have either read-only or administrator rights. Most users of the system have administrator access. Which of the following is the GREATEST risk associated with this situation?

Options:

A.

Users can export application logs.

B.

Users can view sensitive data.

C.

Users can make unauthorized changes.

D.

Users can install open-licensed software.

Buy Now
Questions 249

An organization is disposing of a system containing sensitive data and has deleted all files from the hard disk. An IS auditor should be concerned because:

Options:

A.

deleted data cannot easily be retrieved.

B.

deleting the files logically does not overwrite the files' physical data.

C.

backup copies of files were not deleted as well.

D.

deleting all files separately is not as efficient as formatting the hard disk.

Buy Now
Questions 250

During audit framework. an IS auditor teams that employees are allowed to connect their personal devices to company-owned computers. How can the auditor BEST validate that appropriate security controls are in place to prevent data loss?

Options:

A.

Conduct a walk-through to view results of an employee plugging in a device to transfer confidential data.

B.

Review compliance with data loss and applicable mobile device user acceptance policies.

C.

Verify the data loss prevention (DLP) tool is properly configured by the organization.

D.

Verify employees have received appropriate mobile device security awareness training.

Buy Now
Questions 251

Which of the following should be of GREATEST concern to an IS auditor reviewing a network printer disposal process?

Options:

A.

Disposal policies and procedures are not consistently implemented

B.

Evidence is not available to verify printer hard drives have been sanitized prior to disposal.

C.

Business units are allowed to dispose printers directly to

D.

Inoperable printers are stored in an unsecured area.

Buy Now
Questions 252

Which of the following would be the MOST useful metric for management to consider when reviewing a project portfolio?

Options:

A.

Cost of projects divided by total IT cost

B.

Expected return divided by total project cost

C.

Net present value (NPV) of the portfolio

D.

Total cost of each project

Buy Now
Questions 253

An organization has made a strategic decision to split into separate operating entities to improve profitability. However, the IT infrastructure remains shared between the entities. Which of the following would BEST help to ensure that IS audit still covers key risk areas within the IT environment as part of its annual plan?

Options:

A.

Increasing the frequency of risk-based IS audits for each business entity

B.

Developing a risk-based plan considering each entity's business processes

C.

Conducting an audit of newly introduced IT policies and procedures

D.

Revising IS audit plans to focus on IT changes introduced after the split

Buy Now
Questions 254

Which of the following would provide an IS auditor with the GREATEST assurance that data disposal controls support business strategic objectives?

Options:

A.

Media recycling policy

B.

Media sanitization policy

C.

Media labeling policy

D.

Media shredding policy

Buy Now
Questions 255

Which of the following would be an appropriate role of internal audit in helping to establish an organization’s privacy program?

Options:

A.

Analyzing risks posed by new regulations

B.

Developing procedures to monitor the use of personal data

C.

Defining roles within the organization related to privacy

D.

Designing controls to protect personal data

Buy Now
Questions 256

Which of the following should be the FRST step when developing a data toes prevention (DIP) solution for a large organization?

Options:

A.

Identify approved data workflows across the enterprise.

B.

Conduct a threat analysis against sensitive data usage.

C.

Create the DLP pcJc.es and templates

D.

Conduct a data inventory and classification exercise

Buy Now
Questions 257

Which of the following backup schemes is the BEST option when storage media is limited?

Options:

A.

Real-time backup

B.

Virtual backup

C.

Differential backup

D.

Full backup

Buy Now
Questions 258

An organization allows its employees lo use personal mobile devices for work. Which of the following would BEST maintain information security without compromising employee privacy?

Options:

A.

Installing security software on the devices

B.

Partitioning the work environment from personal space on devices

C.

Preventing users from adding applications

D.

Restricting the use of devices for personal purposes during working hours

Buy Now
Questions 259

Which of the following should be of GREATEST concern to an IS auditor reviewing an organization's business continuity plan (BCP)?

Options:

A.

The BCP's contact information needs to be updated

B.

The BCP is not version controlled.

C.

The BCP has not been approved by senior management.

D.

The BCP has not been tested since it was first issued.

Buy Now
Questions 260

Which of the following BEST helps to ensure data integrity across system interfaces?

Options:

A.

Environment segregation

B.

Reconciliation

C.

System backups

D.

Access controls

Buy Now
Questions 261

During an IT general controls audit of a high-risk area where both internal and external audit teams are reviewing the same approach to optimize resources?

Options:

A.

Leverage the work performed by external audit for the internal audit testing.

B.

Ensure both the internal and external auditors perform the work simultaneously.

C.

Request that the external audit team leverage the internal audit work.

D.

Roll forward the general controls audit to the subsequent audit year.

Buy Now
Questions 262

An IS auditor discovers that an IT organization serving several business units assigns equal priority to all initiatives, creating a risk of delays in securing project funding Which of the following would be MOST helpful in matching demand for projects and services with available resources in a way that supports business objectives?

Options:

A.

Project management

B.

Risk assessment results

C.

IT governance framework

D.

Portfolio management

Buy Now
Questions 263

Which of the following is the BEST control lo mitigate attacks that redirect Internet traffic to an unauthorized website?

Options:

A.

Utilize a network-based firewall.

B.

Conduct regular user security awareness training.

C.

Perform domain name system (DNS) server security hardening.

D.

Enforce a strong password policy meeting complexity requirement.

Buy Now
Questions 264

A company has implemented an IT segregation of duties policy. In a role-based environment, which of the following roles may be assigned to an application developer?

Options:

A.

IT operator

B.

System administration

C.

Emergency support

D.

Database administration

Buy Now
Questions 265

An IS auditor plans to review all access attempts to a video-monitored and proximity card-controlled communications room. Which of the following would be MOST useful to the auditor?

Options:

A.

Manual sign-in and sign-out log

B.

System electronic log

C.

Alarm system with CCTV

D.

Security incident log

Buy Now
Questions 266

What is the PRIMARY purpose of documenting audit objectives when preparing for an engagement?

Options:

A.

To address the overall risk associated with the activity under review

B.

To identify areas with relatively high probability of material problems

C.

To help ensure maximum use of audit resources during the engagement

D.

To help prioritize and schedule auditee meetings

Buy Now
Questions 267

A warehouse employee of a retail company has been able to conceal the theft of inventory items by entering adjustments of either damaged or lost stock items lo the inventory system. Which control would have BEST prevented this type of fraud in a retail environment?

Options:

A.

Separate authorization for input of transactions

B.

Statistical sampling of adjustment transactions

C.

Unscheduled audits of lost stock lines

D.

An edit check for the validity of the inventory transaction

Buy Now
Questions 268

Which of the following should an IS auditor ensure is classified at the HIGHEST level of sensitivity?

Options:

A.

Server room access history

B.

Emergency change records

C.

IT security incidents

D.

Penetration test results

Buy Now
Questions 269

Which of the following application input controls would MOST likely detect data input errors in the customer account number field during the processing of an accounts receivable transaction?

Options:

A.

Limit check

B.

Parity check

C.

Reasonableness check

D.

Validity check

Buy Now
Questions 270

An IS auditor is reviewing processes for importing market price data from external data providers. Which of the following findings should the auditor consider MOST critical?

Options:

A.

The quality of the data is not monitored.

B.

Imported data is not disposed frequently.

C.

The transfer protocol is not encrypted.

D.

The transfer protocol does not require authentication.

Buy Now
Questions 271

Which of the following would BEST detect that a distributed denial of service (DDoS) attack is occurring?

Options:

A.

Customer service complaints

B.

Automated monitoring of logs

C.

Server crashes

D.

Penetration testing

Buy Now
Questions 272

Which task should an IS auditor complete FIRST during the preliminary planning phase of a database security review?

Options:

A.

Perform a business impact analysis (BIA).

B.

Determine which databases will be in scope.

C.

Identify the most critical database controls.

D.

Evaluate the types of databases being used

Buy Now
Questions 273

An IS auditor has been asked to advise on measures to improve IT governance within the organization. Which at the following is the BEST recommendation?

Options:

A.

Implement key performance indicators (KPIs)

B.

Implement annual third-party audits.

C.

Benchmark organizational performance against industry peers.

D.

Require executive management to draft IT strategy

Buy Now
Questions 274

Which of the following should an IS auditor expect to see in a network vulnerability assessment?

Options:

A.

Misconfiguration and missing updates

B.

Malicious software and spyware

C.

Zero-day vulnerabilities

D.

Security design flaws

Buy Now
Questions 275

Which of the following is the BEST metric to measure the alignment of IT and business strategy?

Options:

A.

Level of stakeholder satisfaction with the scope of planned IT projects

B.

Percentage of enterprise risk assessments that include IT-related risk

C.

Percentage of stat satisfied with their IT-related roles

D.

Frequency of business process capability maturity assessments

Buy Now
Questions 276

During a follow-up audit, an IS auditor finds that some critical recommendations have the IS auditor's BEST course of action?

Options:

A.

Require the auditee to address the recommendations in full.

B.

Adjust the annual risk assessment accordingly.

C.

Evaluate senior management's acceptance of the risk.

D.

Update the audit program based on management's acceptance of risk.

Buy Now
Questions 277

Which of the following would BEST enable an organization to address the security risks associated with a recently implemented bring your own device (BYOD) strategy?

Options:

A.

Mobile device tracking program

B.

Mobile device upgrade program

C.

Mobile device testing program

D.

Mobile device awareness program

Buy Now
Questions 278

Which of the following BEST enables the effectiveness of an agile project for the rapid development of a new software application?

Options:

A.

Project segments are established.

B.

The work is separated into phases.

C.

The work is separated into sprints.

D.

Project milestones are created.

Buy Now
Exam Code: CISA
Exam Name: Certified Information Systems Auditor
Last Update: Mar 28, 2024
Questions: 928
CISA pdf

CISA PDF

$69.65  $199
CISA Engine

CISA Testing Engine

$78.75  $225
CISA PDF + Engine

CISA PDF + Testing Engine

$87.15  $249