EMT Practice Test

1. Question Content...


Question List

Question1: During a systems development project, participation in which of the following activities would compromise the IS auditor's independence?

Question2: Upon completion of audit work, an IS auditor should:

Question3: As part of a follow-up of a previous year's audit, an IS auditor has increased the expected error rate for a sample. The impact will be:

Question4: Which of the following is the GREATEST concern when an organization allows personal devices to connect to its network?

Question5: Which of the following is the MOST significant risk associated with peer-to-peer networking technology?

Question6: An organization's enterprise architecture (EA) department decides to change a legacy system's components while maintaining its original functionality Which of the following is MOST important for an IS auditor to understand when reviewing this decision?

Question7: Which of the following will MOST likely compromise the control provided by a digital signature created using RSA encryption?

Question8: During an IT operations audit multiple unencrypted backup tapes containing sensitive credit card information cannot be found Which of the following presents the GREATEST risk to the organization?

Question9: Which of the following is MOST important to ensure during computer forensics investigations?

Question10: What should be the PRIMARY basis for scheduling a follow-up audit?

Question11: An IS auditor evaluating a three-tier client/server architecture observes an issue with graphical user interface (GUI) tasks. Which layer should the auditor recommend the client address?

Question12: After delivering an audit report, the audit manager discovers that evidence was overlooked during the audit This evidence indicates that a procedural control may have failed and could contradict a conclusion of the audit. Which of the following risks is MOST affected by the oversight?

Question13: An IS auditor is planning to audit an organization's infrastructure for access, patching, and change management. Which of the following is the BEST way to prioritize the systems?

Question14: An IS auditor has been asked to assess the security of a recently migrated database system that contains personal and financial data for a bank's customers. Which of the following controls is MOST important for the auditor to confirm is in place?

Question15: In which phase of penetration testing would host detection and domain name system (DNS) interrogation be performed?

Question16: Which of the following would be of GREATEST concern to an IS auditor reviewing backup and recovery controls?

Question17: Which of the following provides the MOST assurance over the completeness and accuracy of loan application processing with respect to the implementation of a new system?

Question18: Which of the following techniques would provide the BEST assurance to an IS auditor that all necessary data has been successfully migrated from a legacy system to a modern platform?

Question19: When using a wireless device, which of the following BEST ensures confidential access to email via web mail?

Question20: The objective of a vulnerability identification step in a risk assessment process is to.

Question21: Which of the following poses the GREATEST risk to a company that allows employees to use personally owned devices to access customer files on the company's network?

Question22: A new application will require multiple interfaces. Which of the following testing methods can be used to detect interface errors early in the development life cycle1?

Question23: Which of the following is the MAIN purpose of data classification?

Question24: Which of the following is the BEST way to minimize the impact of a ransomware attack?

Question25: Which of the following should be the PRIMARY concern of an IS auditor during a review of an external IT service level agreement (SLA) for computer operations?

Question26: Capacity management enables organizations to:

Question27: Which of the following is MOST influential when defining disaster recovery strategies?

Question28: Which of the following is the BEST control to mitigate the malware risk associated with an instant messaging (IM) system1?

Question29: Reconciliations have identified data discrepancies between an enterprise data warehouse and a revenue system for key financial reports. What is the GREATEST risk to the organization in this situation?

Question30: An IS auditor is evaluating a virtual server environment and teams that the production server, development server and management console are housed in the same physical host. What

Question31: Which of the following BEST demonstrates the degree of alignment between IT and business strategy?

Question32: In assessing the priority given to systems covered in an organization's business continuity plan (BCP), an IS auditor should FIRST:

Question33: An IS auditor will be testing accounts payable controls by performing data analytics on the entire population of transactions. Which of the following is MOST important for the auditor to confirm when sourcing the population data?

Question34: When engaging services from external auditors, which of the following should be established FIRST?

Question35: Which of the following is the MOST effective way to minimize the risk of a SQL injection attack?

Question36: Which of the following is the PRIMARY objective of implementing privacy-related controls within an organization"?

Question37: During business process reengineering (BPR) of a bank's teller activities, an IS auditor should evaluate:

Question38: An audit of the quality management system (QMS) begins with an evaluation of the:

Question39: Which of the following should be an IS auditor's PRIMARY focus when developing a risk-banned IS audit program?

Question40: An organization's IT security policy states that user ID's must uniquely identify individual's and that user should not disclose their passwords. An IS auditor discovers that several generic user ID's are being used. Which of the following is the MOST appropriate course of action for the auditor?

Question41: Which of the following is a preventive control related to change management?

Question42: Which of the following is the GREATEST benefit of utilizing data analytics?

Question43: An IS auditor finds that periodic reviews of read-only users for a reporting system are not being performed. Which of the following should be the IS auditor's NEXT course of action?

Question44: Which of the following is the BEST justification for deferring remediation testing until the next audit?

Question45: The maturity level of an organization s problem management support function is optimized when the function

Question46: The information security function in a large organization is MOST effective when:

Question47: Which of the following should be the PRIMARY objective of a migration audit?

Question48: An IS auditor conducting a follow-up audit learns that previously funded recommendations have not been implemented due to recent budget restrictions. Which of the following should the

Question49: Which of the following BEST measures project progress?

Question50: A company uses a standard form to document and approve all changes in production programs. To ensure that the forms are properly authorized, which of the following is the MOST effective sampling method?

Question51: Which of the following is the MAIN advantage of using one-time passwords?

Question52: Which of the following should be done FIRST to effectively define the IT audit universe for an entity with multiple business lines?

Question53: An IS auditor intends to accept a management position in the data processing department within the same organization. However, the auditor is currently working on an audit of a major application and has not yet finished the report. Which of the following would be the BEST step tor the IS auditor to take?

Question54: Which of the following projects would be MOST important to review in an audit of an organizations financial statements?

Question55: A bank has implemented a new accounting system. Which of the following is the BEST lime for an IS auditor to perform a post-implementation review?

Question56: During the design phase of a software development project, the PRIMARY responsibility of an IS auditor is to evaluate the:

Question57: Which of the following would be a result of utilizing a top-down maturity model process?

Question58: Which of the following is the MOST effective control for protecting the confidentiality and integrity of data stored unencrypted on virtual machines?

Question59: Which of the following focus areas is a responsibility of IT management rather than IT governance?

Question60: Which of the following is the BEST way to mitigate the risk associated with technology obsolescence?

Question61: Which of the following presents the GREATEST concern when implementing data flow across borders?

Question62: Which of the following physical controls will MOST effectively prevent breaches of computer room security?

Question63: What would be of GREATEST concern to an IS auditor observing shared key cards being utilized to access an organization's data center?

Question64: Which of the following findings should be of GREATEST concern to an IS auditor reviewing the effectiveness of an organization's problem management practices?

Question65: Which of the following provides an IS auditor with the BEST evidence that a system has been assessed for known exploits?

Question66: Following the discovery of inaccuracies in a data warehouse, an organization has implemented data profiling, cleansing, and handling filters to enhance the quality of data obtained from c

Question67: Which of the following is the MOST effective way to identify anomalous transactions when performing a payroll fraud audit?

Question68: A multinational organization is integrating its existing payroll system with a human resource information system. Which of the following should be of GREATEST concern to the IS auditor?

Question69: Which of the following is the MOST important difference between end-user computing (EUC) applications and traditional applications?

Question70: An IS auditor is planning an audit of an organization's accounts payable processes. Which of the following controls is I to assess m the audit?

Question71: An organization allows its employees to use personal mobile devices for work. Which of the following would BEST maintain information security without compromising employee privacy?

Question72: During an operational audit of a biometric system used to control physical access, which of the following should be of GREATEST concern to an IS auditor?

Question73: What is the BEST population to select from when testing that programs are migrated to production with proper approval?

Question74: What is the BEST justification for allocating more funds to implement a control for an IT asset than the actual cost of the IT asset?

Question75: For an organization that has plans to implement web-based trading, it would be MOST important for an IS auditor to verify the organization's information security plan includes:

Question76: Which of the following observations noted during a review of the organization s social media practices should be of MOST concern to the IS auditor?

Question77: Which of the following is the PRIMARY risk when business units procure IT assets without IT involvement?

Question78: Which of the following would be the MOST significant factor when choosing among several backup system alternatives with different restoration speeds?

Question79: Which of the following is the GREATEST concern with conducting penetration testing on an internally developed application in the production environment?

Question80: An IS audit reveals an organization's IT department reports any deviations from its security standards to an internal IT risk committee involving IT senior management. Which of the following should be the IS auditor's GREATEST concern?

Question81: To create a digital signature in a message using asymmetric encryption, it is necessary to:

Question82: An IS auditor s role in privacy and security is to:

Question83: Which of the following is MOST important for an IS auditor to examine when reviewing an organization's privacy policy?

Question84: Which of the following is found in an audit charter?

Question85: Which of the following backup schemes is the BEST option when storage media is limited?

Question86: Which of the following technologies has the SMALLEST maximum range for data transmission between devices?

Question87: When deciding whether a third party can be used in resolving a suspected security breach, which of the following should be the MOST important consideration for IT management?

Question88: Which of the following is the BEST way to ensure that business continuity plans (BCPs) will work effectively in the event of a major disaster?

Question89: Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system. Which of the following is the IS auditor s BEST recommendation for a compensating control?

Question90: An IS auditor reviewing a purchase accounting system notices several duplicate payments made for the services rendered. Which of the following is the auditor's BEST recommendation for preventing duplicate payments?

Question91: An organization decides to establish a formal incident response capability with clear roles and responsibilities facilitating centralized reporting of security incidents. Which type of control is being implemented?

Question92: In the risk assessment process, which of the following should be identified FIRST?

Question93: Which of the following clauses is MOST important to include in a contract to help maintain data privacy in the event a Platform as a Service (PaaS) provider becomes financially insolvent?

Question94: Which of the following poses the GREATEST security risk when implementing acquired application systems?

Question95: Which of the following is the BEST way to detect system security breaches?

Question96: An organization plans to launch a social media presence as part of a new customer service campaign. Which of the following is the MOST significant risk from the perspective of potential litigation?

Question97: An IS auditor identifies key controls that have been overridden by management. The next step the IS auditor should take is to

Question98: Which of the following can help ensure that IT deliverables are linked to business goals and that appropriate performance criteria are in place?

Question99: Which of the following is the BEST indicator of the effectiveness of signature-based intrusion detection systems (IDSs)?

Question100: Which of the following application input controls would MOST likely detect data input errors in the customer account number field during the processing of an accounts receivable transaction?

Question101: To protect information assets, which of the following should be done FIRST?

Question102: An IS auditor is reviewing security policies and finds no mention of the return of corporate-owned smartphones upon termination of employment. The GREATEST risk arising from this situation is that unreturned devices:

Question103: A sales representative is reviewing the organization's feedback blog and gets redirected to a site that sells illegal prescription drugs. The blog site is MOST likely susceptible to which of the following types of attacks?

Question104: Which of the following is MOST critical to include when developing a data loss prevention (DIP) policy?

Question105: An IS auditor finds the timeliness and depth of information regarding the organization's IT projects varies based on which project manager is assigned. Which of the following recommendations would be A MOST helpful in achieving predictable and repeatable project management processes?

Question106: An organization has decided to implement a third-party system in its existing IT environment Which of the following is MOST important for the IS auditor to confirm?

Question107: Of the following, who should approve a release to a critical application that would make the application inaccessible for 24 hours?

Question108: The BEST way to prevent fraudulent payments is to implement segregation of duties between payment processing and:

Question109: Which of the following is the BEST reason to utilize blockchain technology to record accounting transactions?

Question110: A security company and service provider have merged and the CEO has requested one comprehensive set of security policies be developed for the newly formed company. The IS auditor s BEST recommendation would be to:

Question111: An organization has outsourced its data leakage monitoring to an Internet service provider (ISP). Which of the following is the BEST way for an IS auditor to determine the effectiveness of this service?

Question112: Which of the following is the BEST sampling method when performing an audit test to determine the number of access requests without approval signatures?

Question113: An organization's IT security policy requires annual security awareness training for all employees. Which of the following would provide the BEST evidence of the training's effectiveness?

Question114: An IS auditor is following up on prior period items and finds management did not address an audit finding. Which of the following should be the IS auditor's NEXT course of action?

Question115: During a review of an application system, an IS auditor identifies automated controls designed to prevent the entry of duplicate transactions. What is the BEST way to verify that the controls work as designed?

Question116: A financial institution is launching a mobile banking service utilizing multi-factor authentication. This access control is an example of which of the following?

Question117: Which of the following audit procedures would be MOST conclusive in evaluating the effectiveness of an e-commerce application system's edit routine?

Question118: Which of the following is the MOST important issue for an IS auditor to consider with regard to Voice-over IP (VoIP) communications?

Question119: Which of the following is the BEST way to mitigate the risk associated with a document storage application that has a syncing feature that could allow malware to spread to other machines in the network?

Question120: What is BEST for an IS auditor to review when assessing the effectiveness of changes recently made to processes and tools related to an organization's business continuity plan (BCP)?

Question121: An IS auditor is reviewing an enterprise database platform. The review involves statistical methods. Benford analysis, and duplicate checks. Which of the following computer-assisted audit technique (CAAT) tools would be MOST useful for this review''

Question122: The FIRST course of action an investigator should take when a computer is being attacked is to:

Question123: Which of the following observations should be of GREATEST concern to an IS auditor reviewing a large organization's IT steering committee?

Question124: Which of the following should be of GREATEST concern to an IS auditor conducting a security review of a point-of-sale (POS) system?

Question125: When evaluating the recent implementation of an intrusion detection system (IDS), an IS auditor should be MOST concerned with inappropriate:

Question126: Which of the following is the GREATEST threat to Voice-over Internet Protocol (VoIP) related to privacy?

Question127: To ensure the integrity of a recovered database, which of the following would be MOST useful?

Question128: An IS auditor is reviewing a network diagram. Which of the following would be the BEST location for placement of a firewall?

Question129: A software development organization with offshore personnel has implemented a third-party virtual workspace to allow the teams to collaborate. Which of the following should be of GREATEST concern?

Question130: Which of the following is an example of a preventive control?

Question131: An IS auditor has completed an audit of an organization's accounts payable system. Which of the following should be rated as the HIGHEST risk in the audit report and requires immediate remediation?

Question132: Which of the following would be the MOST appropriate reason for an organization to purchase fault-tolerant hardware?

Question133: An IS auditor is reviewing the implementation of an international quality management standard Which of the following provides the BEST evidence that quality management objectives have been achieved?

Question134: The BEST method an organization can employ to align its business continuity plan (BCP) and disaster recovery plan (DRP) with core business needs is to:

Question135: The risk of communication failure in an e-commerce environment is BEST minimized through the use of

Question136: A project team evaluated vendor responses to a request for proposal (RFP). An IS auditor reviewing the evaluation process would expect the team to have considered each vendor's:

Question137: A bank is relocating its servers to a vendor that provides data center hosting services to multiple clients. Which of the following controls would restrict other clients from physical access to the bank servers?

Question138: Which of the following is MOST important lo have in place for he continuous improvement of process maturity within a large IT support function?

Question139: Which of the following is the BEST guidance from an IS auditor to an organization planning an initiative to improve the effectiveness of its IT processes?

Question140: Which of the following should be the PRIMARY consideration for IT management when selecting a new information security tool that monitors suspicious file access patterns?

Question141: When deploying an application that was created using the programming language and tools supported by the cloud provider, the MOST appropriate cloud computing model for an organization to adopt is:

Question142: What would be an IS auditors GREATEST concern when using a test environment for an application audit?

Question143: Which of the following would provide the BEST evidence for use in a forensic investigation of an employee's hard drive?

Question144: Which of the following BEST ensures the quality and integrity of test procedures used in audit analytics?

Question145: Which of the following is the BEST approach to identify whether a vulnerability is actively being exploited?

Question146: Which of the following is the BEST IS audit strategy?

Question147: Which of the following is the PRIMARY benefit of using a capability maturity model?

Question148: Which of the following should be the FIRST step in an organization's forensics process to preserve evidence?

Question149: An IT governance framework provides an organization with:

Question150: Which of the following is the GREATEST security risk associated with data migration from a legacy human resources (HR) system to a cloud-based system''

Question151: When developing a business continuity plan (BCP), which of the following should be performed FIRST?

Question152: In a high-volume, real-time system, the MOST effective technique by which to continuously monitor and analyze transaction processing is:

Question153: An organization developed a comprehensive three-year IT strategic plan Halfway into the plan a major legislative change impacting the organization is enacted Which oi the following should be management's NEXT course of action?

Question154: Which of the following is the BEST solution to minimize risk from security flaws introduced by developers using open source libraries?

Question155: An IS auditor finds a number of system accounts that do not have documented approvals Which of the following should be performed FIRST by the auditor?

Question156: An organization recently implemented a data loss prevention (DLP) solution to control data in transit. Which of the following would be the GREATEST risk related to the DLP implementation?

Question157: Which of the following is the MOST effective control to ensure electronic records beyond their retention periods are deleted from IT systems?

Question158: After the release of an application system, an IS auditor wants to verify that the system is providing value to the organization. The auditor's BEST course of action would be to:

Question159: An organization with high availability resource requirements is selecting a provider for cloud computing. Which of the following would cause the GREATEST concern to an IS auditor? The provider:

Question160: Which of the following areas of responsibility would cause the GREATEST segregation of duties conflict if the individual who performs the related tasks also has approval authority?

Question161: Which of the following findings should be of GREATEST concern to an IS auditor conducting a forensic analysis following incidents of suspicious activities on a server?

Question162: During the post-implementation review of an application that was implemented six months ago which of the following would be MOST helpful in determining whether the application meets business requirements?

Question163: An IS department is evaluated monthly on its cost-revenue ratio user satisfaction rate, and computer downtime This is BEST zed as an application of.

Question164: Which of the following should be an IS auditor's PRIMARY consideration when evaluating the development and design of a privacy program?

Question165: Which of the following is the BEST source for describing the objectives of an organization s information systems?

Question166: When evaluating an IT organizational structure, which of the following is MOST important to ensure has been documented?

Question167: After an external IS audit, which of the following should be IT management's MAIN consideration when determining the prioritization of follow-up activities?

Question168: An IS auditor is using data analytics in an audit and has obtained the data to be used for testing. Which of the following is the MOST important task before testing begins?

Question169: An organization is in the process of deciding whether to allow a bring your own device (BYOD) program. If approved, which of the following should be the FIRST control required before implementation?

Question170: Which of the following is MOST important for an effective control self-assessment (CSA) program?

Question171: Which audit approach is MOST helpful in optimizing the use of IS audit resources?

Question172: Which of the following observations should be of GREATEST concern to an IS auditor reviewing a large organization's virtualization environment?

Question173: During a review of the IT strategic plan, an IS auditor finds several IT initiatives focused on delivering new systems and technology are not aligned with the organization's strategy. Which of the following would be the IS auditor's BEST recommendation?

Question174: Which of the following sampling techniques is BEST to use when verifying the operating effectiveness of internal controls during an audit of transactions?

Question175: Which of the following should an IS auditor recommend to reduce the likelihood of potential intruders using social engineering?

Question176: When evaluating the management practices at a third-party organization providing outsourced services, the IS auditor considers relying on an independent auditors report. The IS auditor.....

Question177: An IS auditor is examining a front-end sub ledger and a main ledger Which of the following would be the GREATEST concern if there are flaws in the mapping of accounts between the two systems?

Question178: Which of the following should be reviewed FIRST when assessing the effectiveness of an organization's network security procedures and controls?

Question179: Which of the following is a corrective control that reduces the impact of a threat event?

Question180: An IS auditor has completed an audit on the organization's IT strategic planning process Which of the following findings should be given the HIGHEST priority?

Question181: An IS auditor notes that IT and the business have different opinions on the availability of their application servers Which of the following should the IS auditor review FIRST in order to understand the problem?

Question182: Within the context of an IT-related governance framework, which type of organization would be considered MOST mature?

Question183: An IS auditor is reviewing the installation of a new server. The IS auditor's PRIMARY objective is to ensure that

Question184: Which of the following is a PRIMARY role of an IS auditor in a control self-assessment (CSA) workshop?

Question185: An IS auditor finds that corporate mobile devices used by employees have varying levels of password settings. Which of the following would be the BEST recommendation?

Question186: An effective implementation of security roles and responsibilities is BEST evidenced across an enterprise when:

Question187: Which of the following should be of MOST concern lo an IS auditor reviewing the public key infrastructure (PKI) for enterprise email?

Question188: Which of the following should be of concern to an IS auditor performing a software audit on virtual machines?

Question189: To help ensure the accuracy and completeness of end-user computing output it is MOST important to include strong:

Question190: When evaluating database management practices, which of the following controls would MOST effectively support data integrity?

Question191: Which of the following factors constitutes a strength in regard to the use of a disaster recovery planning reciprocal agreement?

Question192: An organization s audit charter PRIMARILY:

Question193: Which of the following would be the GREATEST risk associated with a new chat feature on a retailer's website?

Question194: A company converted its payroll system from an external service to an internal package Payroll processing in April was run in parallel. To validate the completeness of data after the conversion, which of the following comparisons from the old to the new system would be MOST effective?

Question195: Compared to developing a system in-house, acquiring a software package means that the need for testing by end users is:

Question196: Which of the following would be an appropriate role of internal audit in helping to establish an organization's privacy program?

Question197: During an exit interview senior management disagrees with some of the facts presented in the draft audit report and wants them removed from the report Which of the following would be the auditor's BEST course of action?

Question198: In an environment where most IT services have been outsourced, continuity planning is BEST controlled by:

Question199: During a disaster recovery audit, an IS auditor finds that a business impact analysis (BIA) has not been performed The auditor should FIRST.

Question200: Which of the following is the GREATEST advantage of vulnerability scanning over penetration testing'?

Question201: Which of the following is the MOST important factor when an organization is developing information security policies and procedures?