EMT Practice Test

1. Question Content...


Question List

Question1: Which of the following should an IS auditor use when verifying a three-way match has occurred in an enterprise resource planning (ERP) system?

Question2: Which of the following is the GREATEST risk of cloud computing?

Question3: Which of the following methodologies is MOST appropriate to use for developing software with incomplete requirements?

Question4: During an audit of a payroll system, an IS auditor identifies that two employees share the same bank account.
The auditor is concerned they may be ghost employees. Which of the following should the auditor do NEXT?

Question5: Which of the following is the MOST effective way to assess whether an outsourcer's controls are following the service level agreement (SLA)?

Question6: Which of the following is MOST important to helping incident response managers quickly and accurately estimate the overall business impact of security incidents?

Question7: An internal audit department recently established a quality assurance (QA) program as part of its overall audit program. Which of the following activities is MOST important to rlude as part of the QA program requirements?

Question8: Which of the following IS functions can be performed by the same group or individual while still providing the proper segregation of duties?

Question9: Which of the following components of a scheduling tool BEST prevents job failures due to insufficient system resources?

Question10: The information security function in a large organization is MOST effective when:

Question11: Which of the following should be performed immediately after a computet security incident has been detected and analyzed by an incident response team?

Question12: Which of the following is MOST important when planning a network audit?

Question13: Which of the following is MOST important for an IS auditor to consider during a review of the IT governance of an organization?

Question14: Which of the following is the MOST significant risk associated with peer-to-peer networking technology?

Question15: An IS auditor is reviewing the upgrading of an operating system. Which of the following would be the GREATEST audit concern?

Question16: Which of the following is MOST important for an IS auditor to verify when reviewing a critical business application that requires high availability?

Question17: An organization has implemented an automated match between purchase orders, goods receipts, and invoices.
Which of the following risks will this control BEST mitigate?

Question18: Which of the following is the MOST appropriate action to formalize IT governance in an organization?

Question19: While executing follow-up activities, an IS auditor is concerned that management has implemented corrective actions that are different from those originally discussed and agreed the audit function. In order to resolve the situation, the IS auditor/, BEST course of action would be to:

Question20: What is an IS auditor's BEST recommendation for management if a network vulnerability assessment confirms that critical patches have not been applied since the last assessment?

Question21: The PRIMARY advantage of object oriented technology is enhanced:

Question22: An organization s data retention policy states that all data will be backed up, retained for 10 years, and then destroyed. When conducting an audit of the long-term offsite backup program, an IS auditor should:

Question23: Which of the following is the PRIMARY reason for database optimization in an environment with a high volume of transactions?

Question24: An IS auditor discovers instances where software with the same license key is depbyed to multiple workstations, in breach of the licensing agreement. Which of the following is the auditor's BEST recommendation?

Question25: Capacity management enables organizations to:

Question26: In a decentralized organization, the selection and purchase of IS products is acceptable as long as which of the following conditions exists?

Question27: The IS auditor's PRIMARY role in control self-assessment (CSA) is to:

Question28: Which of the following would be MOST critical for an IS auditor to look for when evaluating fire precautions in a manned data center located in the upper floor of a multi-story building?

Question29: Which of the following is MOST important to ensure when planning a black box penetration test?

Question30: IS audit is asked 10 explain how local area network (LAN) servers can contribute to a rapid dissemination of viruses. The IS auditor's BEST response is that:

Question31: Which of the following is the MOST important process to ensure planned IT system changes are completed in an efficient manner?

Question32: Which of the following would BEST facilitate the detection of internal fraud perpetrated by an individual?

Question33: Which of the following would be MOST helpful when assessing how applications exchange data with other applications?

Question34: Which of the following would BEST prevent data from being orphaned?

Question35: Which of the following provides the BEST audit evidence that a firewall is configured in compliance with the organization's security policy?

Question36: Which of the following procedures should be implemented prior to disposing of surplus computer equipment to employees?

Question37: Which of the following should be of GREATEST concern to an organization's board when reviewing the internal audit department's quality assurance and improvement program?

Question38: An IS auditor observes that an organization s critical IT systems nave experienced several failures throughout the year. Which of the following is the BEST recommendation?

Question39: Which of the following is MOST likely to be prevented by a firewall connected to the Internet?

Question40: An organization has software that is not compliant with data protection requirements. To help ensure that appropriate and relevant data protection controls are implemented in the future, the auditor s BEST course of action would be to:

Question41: Which of the following activities would allow an IS auditor to maintain independence while facilitating a control self-assessment (CSA)?

Question42: Which of the following should be of GREATEST concern to an IS auditor when auditing an organization's information security awareness

Question43: An accounting department uses a spreadsheet to calculate sensitive financial transactions. Which of the following is the MOST important control for maintaining the security of data in the spreadsheet?

Question44: An organization plans to launch a social media presence as part of a new customer service campaign. Which of the following is the MOST significant risk from the perspective of potential litigation?

Question45: An IS auditor discovered abnormalities in a monthly report generated from a system upgraded six months ago.
Which of the following should be the auditor's FIRST course of action?

Question46: An organization recently implemented an industry-recognized IT framework to improve the overall effectiveness of IT governance. Which of the following would BEST enable an IS auditor to assess the implementation against the framework?

Question47: The MAJOR reason for segregating test programs from production programs is to:

Question48: Which of the following BEST indicates the effectiveness of an organization's risk management program?

Question49: During a review of information security procedures for disabling user accounts, an IS auditor discovers that IT is only disabling network access for terminated employees IT management maintains if terminated users cannot access the network, they will not be able to access any applications Which of the following is the GREATEST risk associated with application access?

Question50: The BEST method an organization can employ to align its business continuity plan (BCP) and disaster recovery plan (DRP) with core business needs is to:

Question51: An organization offers an online information security awareness program to employees on an annual basis.
Which of the following findings from an audit of the program should be the IS auditor's GREATEST concern?

Question52: To create a digital signature in a message using asymmetric encryption, it is necessary to:

Question53: An organization allows employees to use personally owned mobile devices to access customer's personal information. An IS auditor's GREATEST concern should be whether

Question54: What is the MOST important business concern when an organization is about to migrate a mission-critical application to a virtual environment?

Question55: During a database audit, an IS auditor notes frequent problems due to the growing size of the order tables.
Which of the following is the BEST recommendation in this situation?

Question56: Which of the following BEST describes an audit risk?

Question57: Which of ihe following is the BEST way to control scope creep during application system development?

Question58: Which of the following would be an IS auditor's GREATEST concern when reviewing an organization s security controls for policy compliance?

Question59: Which of the following is the BEST approach to help ensure evidence from a computer forensics investigation is legally admissible?

Question60: An organization was recently notified by its regulatory body of significant discrepancies in its reporting data.
A preliminary investigation revealed that the discrepancies were caused problems with the organization's data quality. Management has directed the data quality team to enhance their program. The audit committee has asked internal audit to be visors to the process. After the data quality team identifies the system data at fault which of the following should internal audit recommend as the NEXT step m the process?

Question61: Which of the following is corrective control?

Question62: A security regulation requires the disabling of direct administrator access. Such access must occur through an intermediate server that holds administrator passwords for all systems d records all actions. An IS auditor s PRIMARY concern with this solution would be that:

Question63: Which of the following should an IS auditor recommend to reduce the likelihood of potential intruders using social engineering?

Question64: Which of the following is MOST important for an IS auditor to consider when evaluating a Software as a Service (SaaS) arrangement?

Question65: Which of the following is MOST important to ensure that electronic evidence collected during a forensic investigation will be admissible in future legal proceeding?

Question66: What is the PRIMARY advantage of prototyping as part of systems development?

Question67: Which of the following controls MOST effectively reduces the risk associated with use of instant messaging (IM) in the workplace?

Question68: As part of an IS audit, the auditor notes the practices listed below.
Which of the following would be a segregation of duties concern?

Question69: Which of the following cloud deployment models would BEST meet the needs of a startup software development organization with limited initial capital?

Question70: An organization transmits large amount of data from one internal system to another. The IS auditor is reviewing quality of the data at the originating point. Which of the following should the auditor verify first?

Question71: Which of the following should be an IS auditor's FIRST action when assessing the risk associated with unstructured data?

Question72: Which of the following is the MOST effective way to minimize the risk of a SQL injection attack?

Question73: During audit planning, an IS auditor walked through the design of controls related to a new data loss prevention tool. It was noted that the tool will be configured to alert. IT management when large files are sent outside of the organization via email. What type of control will be tested?

Question74: What is an IS auditor's BEST recommendation to management if a review of the incident management process finds multiple instances of incident tickets remaining open for an unusually long time?

Question75: Which of the following methods should be used to purge confidential data from write-once optical media?

Question76: During an audit of the organization's data privacy policy, the IS auditor identified that only some IT application databases have encryption in place. What should be the auditors FIRST action?

Question77: Which of the following is the MOST important consideration for building resilient systems?

Question78: Which of the following is the BEST type of backup to minimize the associated time and media?

Question79: When testing segregation of duties, which of the following audit techniques provides the MOST reliable evidence?

Question80: A technology service organization has recently acquired a new subsidiary. What should be the IS auditor's NEXT course of action when considering the impact on the development of the IT audit plan?

Question81: An IS auditor is assessing an organization's data loss prevention (DLP) solution for protecting intellectual property from insider theft. Which of the following would the auditor consider MOST important for effective data protection?

Question82: An IS auditor identifies key controls that have been overridden by management. The next step the IS auditor should take is to

Question83: Due to the small size of the payroll department, an organization is unable to segregate the employee setup and payroll processing functions. Which of the following would be the BEST compensating control for the lack of segregation of duties?

Question84: Which of the following is the GREATEST concern when an organization allows personal devices to connect to its network?

Question85: Which of the following access rights in the production environment should be granted to a developer to maintain segregation of duties?

Question86: While performing a risk-based audit, which of the following would BEST enable an IS auditor to identify and category risk?

Question87: An IS auditor has performed an agreed-upon procedures engagement for the organization's IT steering committee. Which of the following would be the MOST important element to include in the report?

Question88: Which of the following types of controls would BEST facilitate a root cause analysis for an information security incident?

Question89: Which of the following is the BEST way to control the concurrent use of licensed software?

Question90: An organization has decided to migrate payroll processing to a new platform hosted by a third party in a different country. Which of the following is MOST important for the IS auditor to consider?

Question91: A CIO has asked an IS auditor to implement several security controls for an organization s IT processes and systems. The auditor should:

Question92: An IS auditor is conducting a review of an organization s information systems and discovers data that is no longer needed by business applications. Which of the following would b IS auditor's BEST recommendation?

Question93: What is the FIRST step an auditor should take when beginning a follow-up audit?

Question94: On a daily basis, an in-house development team moves duplicate copies of production data containing personally identifiable information (Pll) to the test environment Which of the following is the BEST way to mitigate the privacy risk involved?

Question95: Which of the following requirements in a document control standard would provide nonrepudiation to digitally signed legal documents?

Question96: Following a security breach, in which a hacker exploited a well-known vulnerability in the domain controller, an IS auditor has been asked to conduct a control assessment. The auditor's BEST course of action would be to determine it:

Question97: Which of the following validation techniques would BEST prevent duplicate electronic vouchers?

Question98: Which of the following is the BEST reason to perform root cause analysis after a critical server failure?

Question99: An organization has agreed to perform remediation related to high-risk audit findings. The remediation process involves a complex reorganization of user roles as well as the Implementation of several compensating controls that may not be completed within the next audit cycle Which of the following is the BEST way for an IS auditor to follow up on their activities?

Question100: Buffer overflow in an Internet environment is of particular concern to the IS auditor because it can:

Question101: Which of the following is the GREATEST risk resulting from conducting periodic reviews of IT over several years based on the same audit program?

Question102: An IS auditor notes that application super-user activity was not recorded in system logs. What is the auditor's BEST course of action?

Question103: mission-critical applications with a low recovery time objective (RTO). which of the following is the BEST backup strategy?

Question104: An organization is using a single account shared by personnel for its social networking marketing page. Which of the following is the BEST method to maintain accountability over the account?

Question105: To help ensure the organization s information assets are adequately protected, which of the following considerations is MOST important when developing an information classification and handling policy?

Question106: Which of the following would BEST provide executive management with current information on IT related costs and IT performance indicators?

Question107: Which of the following would be the GREATEST concern to an IS auditor reviewing an IT outsourcing arrangement?

Question108: An IS auditor performing an application development review attends development team meetings. The IS auditor's independence will be compromised if the IS auditor:

Question109: An IS auditor finds that confidential company data has been inadvertently leaked through social engineering.
The MOST effective way to help prevent a recurrence of this issue is to implement:

Question110: An IS auditor has discovered that unauthorized customer management software was installed on a workstation.
The auditor determines the software has been uploading customer ita to an external party. Which of the following is the IS auditor's BEST course of action?

Question111: What is the GREASTEST concern for an IS auditory reviewing contracts for licensed software that executes a critical business process?

Question112: A recent audit identified duplicate software licenses and technologies Which of the following would be MOST helpful to prevent this type of duplication in the future?

Question113: A legacy application is running on an operating system that is no longer supported by vendor, if the organization continues to use the current application, which of the application should be the IS auditor's GREATEST concern?

Question114: Which of the following is MOST likely to be included in a post-implementation review?

Question115: An organization is developing data classification standards and has asked internal audit for advice on aligning the standards with best practices. Internal audit would MOST likely recommend the standards should be:

Question116: Which type of control is being implemented when a biometric access device is installed at the entrance to a facility?

Question117: An IT department installed critical patches provided by the vendor to HR production servers. Immediately after the installation was completed, the HR department called to report that none of its users could access the system, what should be the IT department's FIRST step in addressing this issue?

Question118: Which of the following a the MOST important prerequisite for Implementing a data loss prevention (DLP) tool?

Question119: Which of the following would BEST enable effective IT resource management?

Question120: Adopting a service-oriented architecture would MOST likely:

Question121: While evaluating an organization's program for tracking system interfaces and data transfers, the IS auditor notices the program does not record some of the ad hoc transfers that occur. Which of the following is the GREATEST potential risk?

Question122: Which of the following MOST efficiently protects computer equipment against short-term reductions in electrical power?

Question123: The BEST way to evaluate a shared control environment is to obtain an assurance report and review which of the following?

Question124: When an organization is having new software implemented under contract, which of the following is key to controlling escalating costs due to scope creep?

Question125: Which of the following should MOST concern an IS auditor reviewing an intrusion detection system (IDS)?

Question126: For an organization which uses a VoIP telephony system exclusively, the GREATEST concern associated with leaving a connected telephone in an unmonitored public area is the possibility of:

Question127: To maintain the confidentiality of information moved between office and home on removable media, which of the following is the MOST effective control?

Question128: Since data storage of a critical business application is on a redundant array of inexpensive disks (RAID).
Backup are not considered essential. The IS auditor should recommend proper backup because RAID:

Question129: A review of an organization's IT portfolio revealed several applications that are not in use. The BEST way to prevent this situation from recurring would be to implement.

Question130: Which of the following methods should be used to effectively erase sensitive data from portable storage devices that are to be reused?

Question131: Which of the following is the BEST method for converting a file into a format suitable for data analysis in a forensic investigation?

Question132: An organization using instant messaging to communicate with customers prevent legitimate customers from being impersonated by:

Question133: An IS auditor has completed a review of an outsourcing agreement and has communicating the issues at a meeting with senior management?

Question134: The GREATEST benefit of risk-based auditing is that it:

Question135: Which of the following is MOST important in the audit quality assurance process?

Question136: An IS auditor finds that a mortgage origination team receives customer mortgage applications via a shared repository. Which of the following test procedures is the BEST way to assess whether there are adequate privacy controls over this process?

Question137: An employee transfers from an organization's risk management department to become the lead IS auditor.
While in the risk management department, the employee helped developed the key performance indicators (KPIs) now used by the organization. Which of the following would pose the GREATEST threat to the independence of this auditor?

Question138: A multinational organization is integrating its existing payroll system with a human resource information system. Which of the following should be of GREATEST concern to the IS auditor?

Question139: When designing metrics for information security, the MOST important consideration is that the metrics:

Question140: In a typical SDLC, which group is PRIMARILY responsible for confirming compliance with requirements?

Question141: One advantage of monetary unit sampling is the fact that:

Question142: An IS auditor discovers that validation controls in a web application have been moved from the server side into the browser to boost performance. This would MOST likely increase the risk of a successful attack by:

Question143: Which of the following would be MOST helpful in ensuring security procedures are followed by employees in a multinational organization?

Question144: The GREATEST risk of database renormalization is:

Question145: An organization recently experienced a phishing attack that resulted in a breach of confidential information.
Which of the following would be MOST relevant for an IS auditor to review when determining the root cause of the incident?

Question146: Which of the following would an IS auditor consider to be the MOST significant risk associated with a project to reengineer a business process?

Question147: A large insurance company is about to replace a major financial application. Which of the following is the IS auditor's PRIMARY focus when conducting the pre-implementation review?

Question148: An IS auditor has discovered that a cloud-based application was not included in an application inventory that was used to confirm the scope of an audit. The business process owner explained that the application will be audited by a third party in the next year. The auditor's NEXT step should be to:

Question149: A vulnerability in which of the following virtual systems would be of GREATEST concern to the IS auditor?

Question150: Which of the following presents the GREATEST concern when implementing data flow across borders?

Question151: During the implementation of an upgraded enterprise resource planning (ERP) system, which of the following is the MOST important consideration foe a go-live decision?

Question152: Which of the following controls should be implemented to BEST minimize system downtime for maintenance?

Question153: Which of the following is the MOST important reason to use statistical sampling?

Question154: Following the sale of a business division, employees will be transferred to a new organization, but they will retain access to IT equipment from the previous employer. An IS auditor has recommended that both organizations agree to and document an acceptable use policy for the equipment. What type of control has been recommended?

Question155: An airlines online booking system uses an automated script that checks whether fares are within the defined threshold of what is reasonable before the fares are displayed on the website. Which type of control is in place?

Question156: What should an IS auditor do when informed that some recommendations cannot be implemented due to financial constraints?

Question157: An effective implementation of security roles and responsibilities is BEST evidenced across an enterprise when:

Question158: Which of the following is an IS auditor s GREATEST concern when an organization does not regularly update software on individual workstations in the internal environment?

Question159: When preparing to evaluate the effectiveness of an organizations IT strategy, an IS auditor should FIRST review;

Question160: MOST effective way to determine if IT is meeting business requirements is to establish:

Question161: Which of the following group is MOST likely responsible for the implementation of IT projects?

Question162: An organization has outsourced its data leakage monitoring to an Internet service provider (ISP). Which of the following is the BEST way for an IS auditor to determine the effectiveness of this service?

Question163: Which of the following is MOST important to consider when creating audit follow-up procedures?

Question164: Which of the following activities is MOST important to consider when conducting IS audit planning?

Question165: An IS auditor begins an assignment and identifies audit components for which the auditor is not qualified to assess. Which of the following is the BEST course of anion?

Question166: When introducing a maturity model to the IT management process, it is BEST to align the maturity level to a point that reflects which of the following?

Question167: During an audit, it is discovered that several suppliers with standing orders have been deleted from the supplier master file Which of the following controls would have BEST evented such an occurrence?

Question168: Which of the following should the IS auditor do FIRST to ensure data transfer integrity for Internet of Things (loT) devices?

Question169: ..risk that the IS auditor will not find an error that has occurred is identified by which of the following terms?

Question170: Which of the following is an example of a data analytics use case during the fieldwork phase of an IS audit?

Question171: Attribute sampling is BEST suited to estimate:

Question172: Which of the following will BEST protect the confidentiality of data stored on the hard drive of a laptop computer?

Question173: Which of the following is the GREATEST concern with conducting penetration testing on an internally developed application in the production environment?

Question174: Which of the following is the PRIMARY advantage of the IT portfolio management approach over the balanced scorecard approach when managing IT investments?

Question175: Which of the following is the PRIMARY objective of the IS audit function?

Question176: To preserve chain-of-custody following an internal server compromise, which of the following should be the FIRST step?

Question177: Which of the following BEST demonstrates to an IS auditor that an organization has implemented effective risk management processes?

Question178: Which of the following would an IS auditor recommend as the MOST effective preventive control to reduce the risk of data leakage'

Question179: Which of the following could be determined by an entity-relationship diagram?

Question180: The risk that the IS auditor will not find an error that has occurred is identified by which of the following terms?

Question181: During a review of a production schedule, an IS auditor observes that a staff member is not complying with mandatory operational procedures-The auditor's NEXT step should be to:

Question182: Which of the following is the BEST way to address ongoing concerns with the quality and accuracy of internal audits?

Question183: Which of the following is MOST important for an IS auditor to confirm when reviewing the effectiveness of an incident response program?

Question184: Which of ihe following should be done FIRST to effectively define the IT audit universe for an entity with multiple business lines?

Question185: An audit team has a completed schedule approved by the audit committee. After starting some of the scheduled audits, executive management asked the team to immediately audit an additional process. There are not enough resources available to add the additional audit to the schedule. Which of the following is the BEST course of action?

Question186: Which of the following should an IS auditor recommend to facilitate the management of baseline requirements for hardening of firewalls?

Question187: The IS auditor of a power company finds that the radio link to a remote mountain site is experience systematic outages under specific weather conditions. The communications managers explains that increasing the radio power would require a new license and would help. What is the MOST appropriate action by the IS auditor?

Question188: An IS auditor has been asked to perform a post-implementation assessment of a new corporate human resources (HR) system. Which of the following control areas would be OST important to review for the protection of employee information?

Question189: Which of the following entities is BEST suited to define the data classification levels within an organization?

Question190: An IS auditor performing an audit of backup procedures observes that backup tapes are picked up weekly and stored offsite at a deed party hosting faculty. Which of the following recommendations would be the BEST way to maintain data integrity during transport?

Question191: A company has implemented an IT segregation of duties policy In a role-based environment, which of the following roles may be assigned to an application developer?

Question192: A small startup organization does not have the resources to implement segregation of duties. Which of the following would be the MOST effective compensating control?

Question193: Which of the following is MOST important to include in a business continuity plan (BCP)?

Question194: An IS Auditor is performing a business continuity plan (BCP) audit and identifies that the plan has not been tested for five years, however, the plan was successfully activated during a recent extended power outage.
Which of the following is the 15 auditor's BEST count of action?

Question195: An IS auditor has found that an organization is unable to add new servers on demand in a cost-efficient manner Which of the following is the auditor s BEST recommendation?

Question196: Which of the following IS audit findings should be of GREATEST concern when preparing to migrate to a new core system using a direct cut-over?

Question197: Previous audits have found that a large organization has had a number of segregation of duties conflicts between various roles, and the IT governance committee has asked the audit function for guidance on how to address this issue. Which of the following is the BEST recommendation?

Question198: Which of the following it BEST enabled by following a configuration management process for new applications?

Question199: Which of the following should be performed FIRST when preparing to deploy a major upgrade to a critical online application?

Question200: An IS auditor reviewing an incident management process identifies client information was lost due to ransomware attacks. Which of the following would MOST effectively minimize the impact of future occurrences?

Question201: Which of the following is MOST important to include in forensic data collection and preservation procedure?

Question202: An IS auditor is using data analytics in an audit and has obtained the data to be used for testing. Which of the following is the MOST important task before testing begins?

Question203: A security administrator should have read-only access for which of the following?

Question204: Which of the following is MOST important for an IS auditor to do during an exit meeting with an auditee?

Question205: When engaging services from external auditors, which of the following should be established FIRST7

Question206: An IS auditor auditing the effectiveness of utilizing a hot site will MOST likely:

Question207: Which of the following is the MOST effective way for an IS auditor to identify unauthorized changes to the production state of a critical business application?

Question208: An IS auditor finds multiple situations where the help desk resolved security incidents without notifying IT security as required by policy. Which of the following is the BEST audit recommendation?

Question209: Which of the following should be an IS auditor's PRIMARY consideration when reviewing a project to outsource data center hosting services?

Question210: Due to cost restraints, a company defers the replacement of hardware supporting core applications. Which of the following represents the GREATEST risk?

Question211: Which of the following is the PRIMARY responsibility of an information owner?

Question212: Which of the following is the MOST effective control to ensure electronic records beyond their retention periods are deleted from IT systems?

Question213: The MOST important reason for documenting all aspects of a digital forensic investigation is that documentation:

Question214: After an external IS audit, which of the following should be IT management's MAIN consideration when determining the prioritization of follow-up activities?

Question215: An IS auditor is a member of an application development team that is selecting software. Which of the following would impair the auditor's independence?

Question216: During a security audit, which of the following is MOST important to review to ensure data confidentiality is managed?

Question217: Which of the following is BEST addressed when using a timestamp within a digital signature to deliver sensitive financial information?

Question218: Which of the following BEST enables an IS auditor to identify gaps between the current state and future state of an organization's IT infrastructure?

Question219: Which of the following is the BEST approach to identify whether a vulnerability is actively being exploited?

Question220: Which of the following provides the GREATEST assurance that any confidential information on a disk is no longer accessible but the device is still usable by the other internal users?

Question221: The lack of which of the following represents the GREATEST risk to the quality of developed software?

Question222: An IS auditor concludes that a local area network's (LAN's) access security is satisfactory. In reviewing the work, the audit manager should:

Question223: During an audit of information security procedures of a large retailer s online store, an IS auditor notes that operating system (OS) patches are automatically deployed upon -. Which of the following should be of GREATEST concern to the auditor?

Question224: maturity model is useful in the assessment of IT service management because it:

Question225: A sales representative is reviewing the organization's feedback blog and gets redirected to a site that sells illegal prescription drugs. The blog site is MOST likely susceptible to which of the following types of attacks?

Question226: Which of the following will BEST help to ensure that an in-house application in the production environment is current?

Question227: Which of the following is the MOST critical characteristic of a biometric system?

Question228: Which of the following is the BEST physical security solution for granting and restricting access to individuals based on their unique access needs?

Question229: What would be an IS auditors GREATEST concern when using a test environment for an application audit?

Question230: Which of the following is the MOST effective control to minimize the risk of cross-site scripting (XSS)?

Question231: While reviewing similar issues in an organization s help desk system, an IS auditor finds that they were analyzed independently and resolved differently This situation MOST likely indicates a deficiency in:

Question232: Which of the following observations noted during a review of the organization s social media practices should be of MOST concern to the IS auditor?

Question233: Which of the following is the GREATEST benefit of implementing an IT governance strategy within an organization?

Question234: Which of the following system deployments requires the cloud provider to assume the widest range of responsibilities for data protection?

Question235: Which of the following would be MOST important to include in a data security policy to adequately manage the privacy of customer information?

Question236: Which of the following should an IS auditor verify when auditing the effectiveness of virus protection?

Question237: When reviewing the effectiveness of data center operations, the IS auditor would FIRST -stablish that system performance:

Question238: An IS auditor found that a company executive is encouraging employee use of social networking sites for business purposes. Which of the following recommendations would BEST help to reduce the risk of data leakage?

Question239: An organization is currently replacing its accounting system. Which of the following strategies will BEST minimize risk associated with the loss of data integrity from the upgrade?

Question240: The MOST effective method for an IS auditor to determine which controls are functioning in an operating system is to:

Question241: Which of the following provides the BEST evidence of the effectiveness of an organization s audit quality management procedures?

Question242: An IS auditor is evaluating a virtual server environment and learns that the production server, development server, and management console are housed in the same physical host. What should be the auditor's PRIMARY concern?

Question243: An IS auditor concludes that a local area network (LAN) access security satisfactory. In reviewing the work, the audit manager should

Question244: Which of the following would be the MOST appropriate reason for an organization to purchase fault-tolerant hardware?

Question245: An organization is considering outsourcing the processing of customer insurance claims. An IS auditor notes that customer data will be sent offshore for processing. Which of the following would be the BEST way to address the risk of exposing customer data?

Question246: internal IS auditor recommends that incoming accounts payable payment files be encrypted. Which type of control is the auditor recommending?

Question247: An IS auditor plans to review all access attempts to a video-monitored and proximity card-controlled communications room. Which of the following would be MOST useful to the auditor?

Question248: An organization has established hiring policies and procedures designed specifically to ensure network administrators are well qualified. Which type of control is in place?

Question249: The quality assurance (QA) function should be prevented from

Question250: Which of the following is the MOST efficient solution for a multi-location healthcare organization that wants to be able to access patient data wherever patients present themselves for care?

Question251: Of the following, who should authorize a project management team's request to take a mission-critical application offline to implement a new release and configuration?

Question252: An IS auditor learns a server administration team regularly applies work arounds to address repeated failures of critical data processing services. Which of the following would BEST enable the organization to resolve the issue?

Question253: Which of the following poses the GREATEST risk to the enforceability of networking policies in a virtualized environment?

Question254: An IS auditor notes that several users have not logged into an application for more than one year. Which of the following would be the BEST audit recommendation?

Question255: The PRIMARY reason an IS department should analyze past incidents and problems is to:

Question256: An IS auditor was involved in the design phase for a new system's security architecture. For the planned post-implementation audit which of the following would be the MOST appropriate course of action for the auditor?

Question257: A start-up company acquiring for its order-taking system is unable to predict the volume of transactions.
Which of the following is MOST important for the company to consider?

Question258: Which of the following occurs during the issues management process for a system development project?

Question259: Assessments of critical information systems are based on a cyclical audit plan that has not been updated for several years. Which of the following should the IS auditor recommend to BEST address this situation?

Question260: Which of the following is a reason for implementing a decentralized IT governance model?

Question261: Which of the following is the BEST method for uncovering shadow IT within an organization?

Question262: An IS auditor finds that firewalls are outdated and not supported by vendors. Which of the following should be the auditor s NEXT course of action?

Question263: The BEST data backup strategy for mobile users is to:

Question264: A previously agreed-upon recommendation was not implemented because the auditee no longer agrees with the original finding. The IS auditor's FIRST course of action should be to:

Question265: Which of the following is the PRIMARY benefit of implementing configuration management for IT?

Question266: During a vulnerability assessment, an IS auditor finds a high-risk vulnerability in a public-facing web server used to process online customer orders via credit card. The IS auditor could FIRST:

Question267: Which of the following would be MOST important to update once a decision has been made to outsource a critical application to a cloud service provider?

Question268: An organization's plans to implement a virtualization strategy enabling multiple operating systems on a single host. Which of the following should be the GREATEST concern with this strategy?

Question269: The MAIN reason an organization's incident management procedures should include a post-incident review is to: