Question1: A warehouse employee of a retail company has been able to conceal the theft of inventory items by entering adjustments of either damaged or lost stock items to the inventory system Which control would have BEST prevented this type of fraud in a retail environment?
Question2: Which of the following metrics would BEST measure the agility of an organization's IT function?
Question3: An IS auditor should ensure that an application's audit trail:
Question4: Which of the following control techniques BEST ensures the integrity of system interface transmissions?
Question5: Which of the following is the BEST detective control for a job scheduling process involving data transmission?
Question6: Which of the following findings should be of MOST concern to an IS auditor reviewing an organization's business continuity plan (BCP)?
Question7: Which of the following is an example of a preventative control in an accounts payable system?
Question8: Which of the following is the MOST effective control against injection attacks on a web application?
Question9: Which of the following is the PRIMARY purpose for external assessments of internal audit's quality assurance (OA) systems and frameworks?
Question10: An IS auditor is using data analytics in an audit and has obtained the data to be used for testing. Which of the following is the MOST important task before testing begins?
Question11: Which of the following validation techniques would BEST prevent duplicate electronic vouchers?
Question12: Which of the following should be of MOST concern to an IS auditor during the review of a quality management system?
Question13: Which of the following is MOST important to include within a business continuity plan (BCP) so that backup and replication is configured in a way that ensures data availability?
Question14: Which of the following is an IS auditor's BEST recommendation to help an organization increase the efficiency of computing resources?
Question15: Following the discovery of inaccuracies in a data warehouse, an organization has implemented data profiling, cleansing, and handling filters to enhance the quality of data obtained from c
Question16: One advantage of monetary unit sampling is the fact that:
Question17: An IS auditor is assigned to review the IS departments quality procedures Upon contacting the IS manager, the auditor finds that there is an informal unwritten set of standards Which of the following should be the auditor's NEXT action?
Question18: An IS auditor finds the timeliness and depth of information regarding the organization's IT projects varies based on which project manager is assigned. Which of the following recommendations would be A MOST helpful in achieving predictable and repeatable project management processes?
Question19: An IS auditor has completed an audit on the organization's IT strategic planning process Which of the following findings should be given the HIGHEST priority?
Question20: Which of the following measures BEST mitigates the risk of exfiltration during a cyber attack?
Question21: When evaluating a protect immediately prior to implementation, which of the following would provide the BEST evidence that the system has the required functionality?
Question22: Which of the following should be an IS auditor's GREATEST concern when reviewing an outsourcing arrangement with a third-party cloud service provider to host personally identifiable data?
Question23: When auditing the closing stages of a system development project, which of the following should be the MOST important consideration?
Question24: An online retailer is receiving customer complaints about receiving different items from what they ordered on the organization's website. The root cause has been traced to poor data quality. Despite efforts to clean erroneous data from the system, multiple data quality issues continue to occur. Which of the following recommendations would be the BEST way to reduce the likelihood of future occurrences?
Question25: An IS auditor notes that application super-user activity was not recorded in system logs. What is the auditor's BEST course of action?
Question26: When planning an end-user computing (EUC) audit, it is MOST important for the IS auditor to:
Question27: What is the BEST justification for allocating more funds to implement a control for an IT asset than the actual cost of the IT asset?
Question28: Which of the following is MOST important to consider when assessing the scope of privacy concerns for an IT project?
Question29: An organization allows its employees to use personal mobile devices for work. Which of the following would BEST maintain information security without compromising employee privacy?
Question30: During a review of an application system, an IS auditor identifies automated controls designed to prevent the entry of duplicate transactions. What is the BEST way to verify that the controls work as designed?
Question31: When using a wireless device, which of the following BEST ensures confidential access to email via web mail?
Question32: An advantage of object-oriented system development is that it:
Question33: Which of the following is the PRIMARY purpose of conducting an IS audit follow-up?
Question34: Which of the following is the BEST reason to utilize blockchain technology to record accounting transactions?
Question35: During which IT project phase is it MOST appropriate to conduct a benefits realization analysis?
Question36: Which of the following would be MOST helpful in ensuring security procedures are followed by employees in a multinational organization?
Question37: Which of the following falls within the scope of an information security governance committee?
Question38: An IS auditor is reviewing the business requirements for the deployment of a new website Which of the following cryptographic systems would provide the BEST evidence of secure communications on the internet?
Question39: Which of the following would BEST indicate the effectiveness of a security awareness training program?
Question40: An IS auditof notes the transaction processing times in an order processing system have significantly increased after a major release Which of the following should the IS auditor review FIRST?
Question41: Which of the following would be of GREATEST concern to an IS auditor reviewing backup and recovery controls?
Question42: Which of the following are BEST suited for continuous auditing?
Question43: Which of the following indicates that an internal audit organization is structured to support the independence and clarity of the reporting process?
Question44: What should be the PRIMARY basis for scheduling a follow-up audit?
Question45: During an audit, the client learns that the IS auditor has recently completed a similar security review at a competitor. The client inquires about the competitor's audit results. What is the BEST way for the auditor to address this inquiry?
Question46: Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organizations information security policy?
Question47: An IS auditor is reviewing an industrial control system (ICS) that uses older unsupported technology in the scope of an upcoming audit. What should the auditor consider the MOST significant concern?
Question48: The GREATEST benefit of using a prototyping approach in software development is that it helps to:
Question49: An organization is shifting to a remote workforce. In preparation, the IT department is performing stress and capacity testing of remote access infrastructure and systems. What type of control is being implemented?
Question50: Which of the following techniques would provide the BEST assurance to an IS auditor that all necessary data has been successfully migrated from a legacy system to a modern platform?
Question51: Due to budget restraints, an organization is postponing the replacement of an in-house developed mission critical application. Which of the following represents the GREATEST risk?
Question52: Which of the following is the MOST effective way to reduce risk to an organization from widespread use of unauthorized web-based communication technologies?
Question53: An organization uses multiple offsite data center facilities Which of the following is MOST important to consider when choosing related backup devices and media?
Question54: An IS auditor determines that a business continuity plan has not been reviewed and approved by management. Which of the following is the MOST significant risk associated with this situation?
Question55: Which of the following human resources management practices BEST leads to the detection of fraudulent activity?
Question56: In a situation where the recovery point objective (RPO) is 0 for an online transaction processing system, which of the following is MOST important for an IS auditor to verify?
Question57: An IS auditor has found that an organization is unable to add new servers on demand in a cost-efficient manner Which of the following is the auditor s BEST recommendation?
Question58: An organization experienced a domain name system (DNS) attack caused by default user accounts not being removed from one of the servers. Which of the following would have been the BEST way to mitigate the risk of this DNS attack?
Question59: Which of the following is the MOST effective approach in assessing the quality of modifications made to financial software?
Question60: A month after a company purchased and implemented system and performance monitoring software reports were too large and therefore were not reviewed or acted upon The MOST effective plan of action would be to
Question61: During an audit of a disaster recovery plan (DRP) for a critical business area, an IS auditor finds that not all critical systems are covered. What should the auditor do NEXT?
Question62: Which of the following statements appearing in an organization's acceptable use policy BEST demonstrates alignment with data classification standards related to the protection of information assets?
Question63: Which of the following is MOST influential when defining disaster recovery strategies?
Question64: An organization has outsourced its data processing function to a service provider. Which of the following would BEST determine whether the service provider continues to meet the organization s objectives?
Question65: Which of the following should an IS auditor review FIRST when evaluating a business process for auditing?
Question66: Which of the following backup schemes is the BEST option when storage media is limited?
Question67: Which of the following should be of GREATEST concern to an IS auditor conducting a security review of a point-of-sale (POS) system?
Question68: When classifying information, it is MOST important to align the classification to:
Question69: A senior auditor is reviewing work papers prepared by a junior auditor indicating that a finding was removed after the auditee said they corrected the problem. Which of the following is the senior auditor's MOST appropriate course of action?
Question70: The activation of a pandemic response plan has resulted in a remote workforce situation. Which of the following technologies poses the GREATEST risk to data confidentiality?
Question71: Which of the following would be an appropriate role of internal audit in helping to establish an organization's privacy program?
Question72: Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system. Which of the following is the IS auditor s BEST recommendation for a compensating control?
Question73: Which of the following is the BEST incident of an effective problem management process?
Question74: Which of the following system conversion strategies provides the GREATEST redundancy?
Question75: A software development organization with offshore personnel has implemented a third-party virtual workspace to allow the teams to collaborate. Which of the following should be of GREATEST concern?
Question76: An IS auditor is reviewing an organization's information asset management process. Which of the following would be of GREATEST concern to the auditor?
Question77: Which of the following would be an IS auditor's GREATEST concern when reviewing an organization's security controls for policy compliance?
Question78: Which of the following is the MOST important prerequisite for Implementing a data loss prevention (DLP) tool?
Question79: Which of the following would be of GREATEST concern to an IS auditor reviewing an organization's security incident handling procedures?
Question80: An organization recently implemented a cloud document storage solution and removed the ability for end users to save data to their local workstation hard drives Which of the following findings should be the IS auditor's GREATEST concern?
Question81: Which of the following is MOST important for an IS auditor to consider during a review of the IT governance of an organization?
Question82: Which of the following group is MOST likely responsible for the implementation of IT projects?
Question83: As part of an audit response, an auditee has concerns with the recommendations and is hesitant to implement them. Which of the following would be the BEST course of action for the IS auditor?
Question84: Which of the following should be of GREATEST concern to an IS auditor reviewing on-site preventive maintenance for an organization's business critical server hardware?
Question85: What would be of GREATEST concern to an IS auditor observing shared key cards being utilized to access an organization's data center?
Question86: The decision to accept an IT control risk related to data quality should be the responsibility of the:
Question87: The CIO of an organization is concerned that the information security policies may not be comprehensive. Which of the following should an IS auditor recommend be performed FIRST?
Question88: Which of the following conditions would be of MOST concern to an IS auditor assessing the risk of a successful brute force attack against encrypted data at rest?
Question89: Which of the following is the BEST way for an IS auditor to validate that employees have been made aware of the organization's information security policy?
Question90: During an audit, which of the following would be MOST helpful in establishing a baseline for measuring data quality?
Question91: Which of the following MOST efficiently protects computer equipment against short-term reductions in electrical power?
Question92: An IS auditor previously worked in an organization s IT department and was involved with the design of the business continuity plan (BCP). The IS auditor has now been asked to review this same BCP. The auditor should FIRST.
Question93: Which of the following provides the MOST reliable audit evidence on the validity of transactions in a financial application?
Question94: Which of the following BEST demonstrates that IT strategy is aligned with organizational goals and objectives?
Question95: Which of the following should be of GREATEST concern to an IS auditor reviewing the controls for a continuous software release process?
Question96: A banking organization has outsourced its customer data processing facilities to an external service provider. Which of the following roles is accountable for ensuring the security of customer data?
Question97: An IS auditor is reviewing environmental controls and finds extremely high levels of humidity in the data center. Which of the following is the PRIMARY risk to computer equipment from this condition?
Question98: Which of the following documents would be MOST useful in detecting a weakness in segregation of duties?
Question99: An accounts receivable data entry routine prevents the entry of the same customer with different account numbers. Which of the following is the BEST way to test if this programmed control is effective?
Question100: An organization has suffered a number of incidents in which USB flash drives with sensitive data have been lost. Which of the following would be MOST effective in preventing loss of sensitive data?
Question101: During a review, an IS auditor notes that an organization's marketing department has purchased a cloud-based software application without following the procurement process. What should the auditor do FIRST?
Question102: Which of the following should be of GREATEST concern to an IS auditor reviewing actions taken during a forensic investigation?
Question103: Which of the following is the BEST approach to identify whether a vulnerability is actively being exploited?
Question104: An audit of environmental controls at a data center could include a review of the
Question105: Which of the following BEST ensures the confidentiality of sensitive data during transmission?
Question106: Which of the following would be the MOST significant factor when choosing among several backup system alternatives with different restoration speeds?
Question107: Which of the following is MOST important for an effective control self-assessment (CSA) program?
Question108: When an organization introduces virtualization into its architecture, which of the following should be an IS auditor's PRIMARY area of focus to verify adequate protection?
Question109: The BEST method an organization can employ to align its business continuity plan (BCP) and disaster recovery plan (DRP) with core business needs is to:
Question110: What is the PRIMARY benefit of prototyping as a method of system development?
Question111: The BEST way to prevent fraudulent payments is to implement segregation of duties between payment processing and:
Question112: Which of the following should an IS auditor be MOST concerned with when reviewing the IT asset disposal process?
Question113: An IS auditor reviewed the business case for a proposed investment to virtualize an organization's server infrastructure. Which of the following is MOST likely to be included among the benefits in the project proposal?
Question114: Which of the following would be the MOST effective method to identify high risk areas in the business to be included in the audit plan?
Question115: Which of the following is the BEST sampling method when performing an audit test to determine the number of access requests without approval signatures?
Question116: An organization decides to establish a formal incident response capability with clear roles and responsibilities facilitating centralized reporting of security incidents. Which type of control is being implemented?
Question117: An IS auditor has obtained a large complex data set for analysis. Which of the following activities will MOST improve the output from the use of data analytics tools?
Question118: When reviewing a contract for a disaster recovery hot site, which of the following would be the MOST significant omission?
Question119: Which of the following is the GREATEST advantage of application penetration testing over vulnerability scanning?
Question120: Which of the following processes BEST addresses the risk associated with the deployment of a new production system?
Question121: An organization wants to replace its suite of legacy applications with a new, in-house developed solution. Which of the following is the BEST way to address concerns associated with migration of all mission-critical business functionality?
Question122: When deciding whether a third party can be used in resolving a suspected security breach, which of the following should be the MOST important consideration for IT management?
Question123: In the case of a disaster where the data center is no longer available which of the following tasks should be done FIRST?
Question124: After delivering an audit report, the audit manager discovers that evidence was overlooked during the audit This evidence indicates that a procedural control may have failed and could contradict a conclusion of the audit. Which of the following risks is MOST affected by the oversight?
Question125: During an audit of identity and access management, an IS auditory finds that the engagement audit plan does not include the testing of controls that regulate access by third parties. Which of the following would be the auditor's BEST course of action?
Question126: An IS auditor is reviewing a network diagram. Which of the following would be the BEST location for placement of a firewall?
Question127: When auditing the alignment of IT to the business strategy, it is MOST important (or the IS auditor to:
Question128: Which of the following is the BEST way to mitigate the risk associated with malicious changes to binary code during the software development life cycle (SDLC)?
Question129: Which of the following BEST measures project progress?
Question130: What is the BEST way to control updates to the vendor master file in an accounts payable system?
Question131: Which of the following types of environmental equipment will MOST likely be deployed below the floor tiles of a data center?
Question132: Which of the following would be of GREATEST concern to an IS auditor evaluating governance over open source development components?
Question133: Which of the following is MOST important to review when evaluating the performance of a critical web application?
Question134: An IS auditor discovers an option in a database that allows the administrator to directly modify any table This option is necessary to overcome Dugs in the software, but is rarefy used Changes to tables are automatically logged The IS auditors FIRST action should be to:
Question135: Which of the following is an IS auditor s GREATEST concern when an organization does not regularly update software on individual workstations in the internal environment?
Question136: An organization is developing a web portal using some external components. Which of the following should be of MOST concern to an IS auditor?
Question137: Which of the following is an example of a preventive control?
Question138: To ensure efficient and economic use of limited resources in supporting a local area network (LAN) infrastructure, it is advisable to:
Question139: Which of the following is a corrective control?
Question140: An organization is disposing of a system containing sensitive data and has deleted ail files from the hard disk. An IS auditor should be concerned because:
Question141: Which of the following is the BEST way for an IS auditor to ensure the completeness of data collected for advanced analytics during an audit?
Question142: Which of the following would provide the BEST evidence of the effectiveness of mandated annual security awareness training?
Question143: Which of the following would provide the BEST evidence for use in a forensic investigation of an employee's hard drive?
Question144: During a database security audit, an IS auditor is reviewing the process used to upload source data Which of the following is the MOST significant risk area for the auditor to focus on?
Question145: Which of the following would BEST detect unauthorized modification of data by a database administrator (DBA)?
Question146: An IS auditor finds that application servers had inconsistent security settings leading to potential vulnerabilities Which of the following is the BEST recommendation by the IS auditor?
Question147: When assessing whether an organization's IT performance measures are comparable to other organizations in the same industry which of the following would be MOST helpful to review?
Question148: Which of the following should be the MOST important consideration when prioritizing the funding for competing IT projects?
Question149: Which of the following would an IS auditor PRIMARILY review to understand key drivers of a project?
Question150: An IS auditor finds that needed security patches cannot be applied to some of an organization's network devices due to compatibility issues. The organization has not budgeted sufficiently for security upgrades. Which of the following should the auditor recommend be done FIRST?
Question151: An auditor is creating an audit program in which the objective is to establish the adequacy of personal data privacy controls in a payroll process. Which of the following would be MOST important to include?
Question152: An IS auditor performing an application development review attends development team meetings. The IS auditor's independence will be compromised if the IS auditor:
Question153: A client/server configuration will:
Question154: An organization has implemented a quarterly job schedule to update database tables so prices are adjusted in line with a price index These changes do not go through the regular change management process Which of the following is the MOST important control to have in place?
Question155: Tunneling provides additional security for connecting one host to another through the Internet by:
Question156: An IS auditor is observing transaction processing and notes that a high-priority update job ran out of sequence What is the MOST significant risk from this observation?
Question157: An organization needs to comply with data privacy regulations forbidding the display of personally identifiable information (Pll) on customer bills or receipts However it is a business requirement to display at least one attribute so that customers can verify the bills or receipts are intended for them What is the BEST recommendation?
Question158: Which of the following practices BEST ensures that archived electronic information of permanent importance is accessible over time?
Question159: What privilege on a server containing data with different security classifications?
Question160: Which of the following should be of concern to an IS auditor performing a software audit on virtual machines?
Question161: The IS quality assurance (OA) group is responsible for
Question162: Which of the following control checks would utilize data analytics?
Question163: During which phase of the incident management life cycle should metrics such as "mean time to incident discovery" and "cost of recovery" be reported?
Question164: Which of the following is the GREATEST threat to Voice-over Internet Protocol (VoIP) related to privacy?
Question165: An IS auditor evaluating a three-tier client/server architecture observes an issue with graphical user interface (GUI) tasks. Which layer should the auditor recommend the client address?
Question166: When performing a post-implementation review, the adequacy of the data conversion effort would BEST be evaluated by performing a thorough review of the:
Question167: Which of the following fire suppression systems needs to be combined with an automatic switch to shut down the electricity supply in the event of activation?
Question168: During an operational audit of a biometric system used to control physical access, which of the following should be of GREATEST concern to an IS auditor?
Question169: Which of the following features can be provided only by asymmetric encryption?
Question170: For an organization that has plans to implement web-based trading, it would be MOST important for an IS auditor to verify the organization's information security plan includes:
Question171: chain management processes Customer orders are not being fulfilled in a timely manner, and the inventory in the warehouse does not match the quantity of goods in the sales orders. Which of the following is the auditor's BEST recommendation?
Question172: Which of the following is the MOST important feature of access control software?
Question173: Which of the following should be defined in an audit charter?
Question174: An IS auditor is executing a risk-based IS audit strategy to ensure that key areas are audited Which of the following should be of GREATEST concern to the auditor?
Question175: When of the following is to MOST important consideration when prioritizing IT system for penetration testing?
Question176: The operations team of an organization has reported an IS security attack. Which of the following should be the FIRST step for the security incident response team?
Question177: Which of the following is a PRIMARY role of an IS auditor in a control self-assessment (CSA) workshop?
Question178: An organization's IT security policy states that user ID's must uniquely identify individual's and that user should not disclose their passwords. An IS auditor discovers that several generic user ID's are being used. Which of the following is the MOST appropriate course of action for the auditor?
Question179: During an exit interview senior management disagrees with some of the facts presented in the draft audit report and wants them removed from the report Which of the following would be the auditor's BEST course of action?
Question180: Which of the following should be an IS auditor's GREATEST concern when reviewing an organization's security controls for policy compliance?
Question181: Which of the following should an IS auditor recommend to reduce the likelihood of potential intruders using social engineering?
Question182: Which of the following should be included in a business impact analysis (BIA)
Question183: An IS auditor finds that a document related to a client has been leaked. Which of the following should be the auditor's NEXT step?
Question184: Which of the following is a characteristic of a single mirrored data center used for disaster recovery?
Question185: A security company and service provider have merged and the CEO has requested one comprehensive set of security policies be developed for the newly formed company. The IS auditor s BEST recommendation would be to:
Question186: An organization's enterprise architecture (EA) department decides to change a legacy system's components while maintaining its original functionality Which of the following is MOST important for an IS auditor to understand when reviewing this decision?
Question187: An organization recently switched vendors to perform hardware service and maintenance. The new contract specifies a longer response time than the organization's requirement's. Which of the following is the GREATEST risk of this change?
Question188: Which of the following is the BEST way to address potential data privacy concerns associated with inadvertent disclosure of machine identifier information contained within security logs?
Question189: Which of the following should the IS auditor do FIRST to ensure data transfer integrity for Internet of Things (loT) devices?
Question190: To develop meaningful recommendations for findings, which of the following is MOST important for an IS auditor to determine and understand?
Question191: During an audit of an organization's financial statements, an IS auditor finds that the IT general controls are deficient. What should the IS auditor recommend?
Question192: An IS audit team s evaluating the documentation related to the most recent application user-access review performed by IT and business management. It is determined that the user list was not system-generated. Which of the following: should be the GREATEST concern?
Question193: Which of the following is the BEST way to mitigate risk to an organization's network associated with devices permitted under a bring your own device (BYOD) policy?
Question194: Which of the following is MOST important when planning a network audit?
Question195: Which of the following is the MOST effective way to verify an organization's ability to continue its essential business operations after a disruption event?
Question196: The PRIMARY purpose of running a new system In parallel is to:
Question197: Which of the following focus areas is a responsibility of IT management rather than IT governance?
Question198: Which of the following should an IS auditor do FIRST when assessing the level of compliance for an organization in the banking industry?
Question199: Which of the following is found in an audit charter?
Question200: Which of the following projects would be MOST important to review in an audit of an organizations financial statements?
Question201: An organization issues digital certificates to employees to enable connectivity to a web-based application. Which of the following public key infrastructure (PKI) components MUST be included in the application architecture for determining the on-going validity of connections?
Question202: The BEST way to preserve data integrity through all phases of application containerization is to ensure which of the following?
Question203: Which of the following should be a concern to an IS auditor reviewing a digital forensic process for a security incident?
Question204: Which of the following should be of GREATEST concern for an IS auditor reviewing an organization's bring your own device (BYOD) policy?
Question205: Which of the following should be included in emergency change control procedures?
Question206: To ensure the integrity of a recovered database, which of the following would be MOST useful?
Question207: An employee approaches an IS auditor and expresses concern about a critical security issue in a newly installed application. Which of the following would be the MOST appropriate action for the auditor to take?
Question208: Which of the following is the MOST important issue for an IS auditor to consider with regard to Voice-over IP (VoIP) communications?
Question209: Which of the following is the BEST data integrity check?
Question210: An IS auditor is performing a follow-up audit for findings identified In an organization's user provisioning process Which of the Mowing is the MOST appropriate population to sample from when testing for remediation?
Question211: An internal audit department recently established a quality assurance (QA) program. Which of the following activities is MOST important to include as part of the OA program requirements?
Question212: Which of the following is the GREATEST benefit of utilizing data analytics?
Question213: During a project meeting for the Implementation of an Enterprise resource planning (ERP). a new requirement Is requested by the finance department. Which of the following would BEST Indicate to an IS auditor that the resulting risk to the project has been assessed?
Question214: Due to a high volume of customer orders, an organization plans to implement a new application for customers to use for online ordering Which type of testing is MOST important to ensure the security of the application prior to go-live?
Question215: Which of the following security risks can be reduced by a property configured network firewall?
Question216: Which of the following is the MOST important consideration for building resilient systems?
Question217: Which of the following BEST enables an organization to quantify acceptable data loss in the event of a disaster?
Question218: In assessing the priority given to systems covered in an organization's business continuity plan (BCP), an IS auditor should FIRST:
Question219: Which of the following should be the FIRST step to help ensure the necessary regulatory requirements are addressed in an organization's cross-border data protection policy?
Question220: Which of the following should be of GREATEST concern to an IS auditor reviewing project documentation for a client relationship management (CRM) system migration project?
Question221: Which of the following evidence-gathering techniques will provide the GREATEST assurance that procedures are understood and practiced?
Question222: Which of the following security assessment techniques attempts to exploit a system's open ports?
Question223: Which control type would provide the MOST useful input to a root cause analysis?
Question224: Disciplinary policies are BEST classified as.
Question225: The performance, risks, and capabilities of an IT infrastructure are BEST measured using a:
Question226: The maturity level of an organization s problem management support function is optimized when the function
Question227: An IS auditor performing an audit of backup procedures observes that backup tapes are picked up weekly and stored offsite at a third-party hosting facility. Which of the following recommendations would be the BEST way to protect the integrity of the data on the backup tapes?
Question228: Which of the following an IS auditor assurance that the interface between a point of sale (POS) system and the general ledger is transferring sales data completely and accurately?
Question229: Which of the following is the MOST effective way to minimize the risk of a SQL injection attack?
Question230: An organization is within a jurisdiction where new regulations have recently been announced to restrict cross-border data transfer of personally identifiable information (PIl). Which of the following IT decisions will MOST likely need to be assessed in the context of this?
Question231: Which of the following is the MOST important process to ensure planned IT system changes are completed in an efficient manner?
Question232: Which of the following is the MAIN risk associated with adding a new system functionality during the development phase without following a project change management process?
Question233: Stress testing should ideally be carried out under a:
Question234: An IS auditor reviewing a checkpoint/restart procedure should be MOST concerned if it is applied after:
Question235: A review of IT interface controls finds an organization does not have a process to identify and correct records that do not get transferred to the receiving system. Which of the following is.........
Question236: An IS auditor reviewing a project to acquire an IT-based solution learns the risk associated with project failure has been assessed as high. What is the auditor's BEST course of action?
Question237: An organization has recently converted its infrastructure to a virtualized environment. The GREATEST benefit related to disaster recovery is that virtualized servers:
Question238: An IS auditor assessing the controls within a newly implemented call center would FIRST
Question239: Which of the following should be the PRIMARY audience for a third-party technical security assessment report?
Question240: An organization maintains an inventory of the IT applications used by its staff Which of the following would pose the GREATEST concern with regard to the quality of the inventory data?
Question241: Which of the following is MOST important to ensure during computer forensics investigations?
Question242: Which type of attack poses the GREATEST risk to an organization's most sensitive data?
Question243: When reviewing an organization s IT governance processes, which of the following provides the BEST indication that information security expectations are being met at all levels?
Question244: An IS auditor finds that one employee has unauthorized access to confidential dat a. The IS auditor's BEST recommendation should be to:
Question245: Both statistical and nonstatistical sampling techniques:
Question246: An IS auditor reviewing the database controls for a new e-commerce system discovers a security weakness in the database configuration. Which of the following should be the IS auditor's NEXT course of action?
Question247: An IS auditor concludes that an organization has a quality security policy. Which of the following is MOST important to determine next? The policy must be:
Question248: To help ensure the accuracy and completeness of end-user computing output it is MOST important to include strong:
Question249: Which of the following observations noted during a review of the organization s social media practices should be of MOST concern to the IS auditor?
Question250: When engaging services from external auditors, which of the following should be established FIRST?
Question251: What is the PRIMARY purpose of performing a parallel run of a new system?
Question252: Which of the following is the PRIMARY purpose of conducting follow-up audits for material observations?
Question253: An IS audit reveals an organization's IT department reports any deviations from its security standards to an internal IT risk committee involving IT senior management. Which of the following should be the IS auditor's GREATEST concern?
Question254: Which of the following is the PRIMARY concern when negotiating a contract for a hot site?
Question255: An organization seeks to control costs related to storage media throughout the information life cycle while still meeting business and regulatory requirements. Which of the following is the BEST way to achieve this objective?
Question256: Which of the following communication modes should be of GREATEST concern to an IS auditor evaluating end user networking?
Question257: A manager identifies active privileged accounts belonging to staff who have left the organization. Which of the following is the threat actor In this scenario?
Question258: The PRIMARY advantage of object-oriented technology is enhanced:
Question259: Which of the following areas of responsibility would cause the GREATEST segregation of duties conflict if the individual who performs the related tasks also has approval authority?
Question260: Which of the following is the MOST important benefit of involving IS audit when implementing governance of enterprise IT?
Question261: Which of the following is the GREATEST concern when an organization allows personal devices to connect to its network?
Question262: Which of the following is the BEST way to mitigate the risk associated with technology obsolescence?
Question263: When is it MOST important for an IS auditor to apply the concept of materiality in an audit?
Question264: Which of the following is the PRIMARY reason for an IS auditor to use computer-assisted audit techniques (CAATs)?
Question265: What would be an IS auditor's BEST recommendation upon finding that a third-party IT service provider hosts the organization's human resources (HR) system in a foreign country?
Question266: Which of the following provides the BEST evidence of the effectiveness of an organization s audit quality management procedures?
Question267: Which of the following provides the BEST method for maintaining the security of corporate applications pushed to employee-owned mobile devices?
Question268: Which of the following is the MOST effective control to ensure electronic records beyond their retention periods are deleted from IT systems?
Question269: Which of the following situations would impair the independence of an IS auditor involved in a software development project?
Question270: Which of the following would lead an IS auditor to conclude that the evidence collected during a digital forensic investigation would not be admissible in court?
Question271: An organization implemented a cybersecurity policy last year. Which of the following is the GREATEST indicator that the policy may need to be revised?
Question272: Which type of control is in place when an organization requires new employees to complete training on applicable privacy and data protection regulations?
Question273: When conducting a post-implementation review of a new software application, an IS auditor should be MOST concerned with an increasing number of
Question274: A data center's physical access log system captures each visitor's identification document numbers along with the visitor's photo. Which of the following sampling methods would be MOST useful to an IS auditor conducting compliance testing for the effectiveness of the system?
Question275: An e-commerce enterprise's disaster recovery (DR) site has 30% less processing capability than the primary site. Based on this information, which of the following presents the GREATEST risk?
Question276: Batch processes running in multiple countries are merged to one batch job to be executed in a single data center. Which of the following is the GREATEST concern with this approach?
Question277: An IS auditor s role in privacy and security is to:
Question278: Which of the following is the BEST recommendation to prevent fraudulent electronic funds transfers by accounts payable employees?
Question279: Which of the following provides for the GREATEST cost reduction in a large data center?
Question280: Which of the following BEST demonstrates the degree of alignment between IT and business strategy?
Question281: A financial institution has a system interface that is used by its branches to obtain applicable currency exchange rates when processing transactions Which of the following should be the PRIMARY control objective for maintaining the security of the system interface?
Question282: servDuring an internal audit review of a human resources (HR) recruitment system implementation the IS auditor notes that several defects were unresolved at the time the system went live Which of the following is the auditor's MOST important task prior to formulating an audit opinion?
Question283: Which of the following would an IS auditor consider the GREATEST risk associated with a mobile workforce environment?
Question284: An IS auditor is reviewing an enterprise database platform. The review involves statistical methods. Benford analysis, and duplicate checks. Which of the following computer-assisted audit technique (CAAT) tools would be MOST useful for this review''
Question285: Which of the following is a determine security control that reduces the likelihood of an insider threat event?
Question286: An organization shares some of its customers' personally Identifiable Information (PH) with third-party suppliers for business purposes. What is MOST important for the IS auditor to evaluate to ensure that risk associated with leakage of privacy-related data during transmission is effectively managed?
Question287: Segregation of duties would be compromised if:
Question288: When evaluating an IT organizational structure, which of the following is MOST important to ensure has been documented?
Question289: Which of the following is MOST important for an IS auditor to review when evaluating the effectiveness of an organization's incident response process?
Question290: An organization plans to receive an automated data feed into its enterprise data warehouse from a third-party service provider. Which of the following would be the BEST way to prevent accepting bad data?
Question291: During a business process re-engineering (BPR) program, IT can assist with:
Question292: A bank's web-hosting provider has just completed an internal IT security audit and provides only a summary of the findings to the bank's auditor. Which of the following should be the bank's GREATEST concern?
Question293: Which of the following is the MOST likely reason an organization would use Platform as a Service (PaaS)?
Question294: An information systems security officer's PRIMARY responsibility for business process applications is to:
Question295: An IS auditor conducting a follow-up audit learns that previously funded recommendations have not been implemented due to recent budget restrictions. Which of the following should the
Question296: During a review of a production schedule, an IS auditor observes that a staff member is not complying with mandatory operational procedures. The auditor's NEXT step should be to:
Question297: Which of the following is the MOST effective means of helping management and the IT strategy committee to monitor IT performance?
Question298: Which of the following is the MAIN advantage of using one-time passwords?
Question299: During a review, an IS auditor discovers that corporate users are able to access cloud-based applications and data (rom any Internet-connected web browser. Which of the following is the auditor's BEST recommendation to help prevent unauthorized access?
Question300: The purpose of data migration testing is to validate data:
Question301: Which of the following would provide an IS auditor with the MOST assurance when auditing the implementation of a new application system?
Question302: Which of the following analytical methods would be MOST useful when trying to identify groups with similar behavior or characteristics in a large population?
Question303: Which of the following poses the GREATEST security risk when implementing acquired application systems?
Question304: Which of the following would BEST help prioritize various projects in an organization's IT portfolio?
Question305: Which of the following is the PRIMARY purpose of quality assurance (QA) within an IS audit department?
Question306: An IS auditor observes that a business-critical application does not currently have any level of fault tolerance Which of the following is the GREATEST concern with this situation?
Question307: In an IT organization where many responsibilities are shared, which of the following would be the BEST control for detecting unauthorized data changes?
Question308: An IS auditor is a member of an application development team that is selecting software. Which of the following would impair the auditor's independence?
Question309: Which of the following is the PRIMARY reason an IS auditor should use an IT-related framework as a basis for scoping and structuring an audit?
Question310: An IS auditor is reviewing documentation of application systems change control and identifies several patches that were not tested before being put into production. Which of the following is the MOST significant risk from this situation?
Question311: Which of the following provides the MOST comprehensive understanding of an organizations information security posture?
Question312: When reviewing an organization's information security policies, an IS auditor should verify that the policies have been defined PRIMARILY on the basis of
Question313: An organization allows employees to use personally owned mobile devices to access customers' personal information Which of the following is MOST important for an IS auditor to verify?
Question314: Management has asked internal audit to prioritize and perform a specialized cybersecurity audit, but the IS audit team has no experience in this are a. Which of the following is the BEST course of action?
Question315: AN IS auditor has been asked to perform an assurance review of an organization's mobile computing security. To ensure the organization is able to centrally manage mobile devices to protect against data disclosure. It is MOST important for the auditor to determine whether:
Question316: An IS audit reveals that many of an organization's Internet of Things (loT) devices have not been patched. Which of the following should the auditor do FIRST when determining why these devices have not received the required patches?
Question317: A characteristic of a digital signature is that it:
Question318: Which of the following BEST indicates that an organization has effective governance in place?
Question319: An IS auditor is verifying the adequacy of an organization's internal and is concerned about potential circumvention of regulations. Which of the following is the BEST sampling method to use?
Question320: An organization plans to launch a social media presence as part of a new customer service campaign. Which of the following is the MOST significant risk from the perspective of potential litigation?
Question321: An incorrect version of source code was amended by a development team, This MOST likely indicates a weakness in:
Question322: A USB device containing sensitive production data was lost by an employee and its contents were subsequently found published online Which of the following controls is the BEST recommendation to prevent a similar recurrence?
Question323: Which of the following poses the GREATEST risk to a company that allows employees to use personally owned devices to access customer files on the company's network?
Question324: Which of the following is the GREATEST advantage of vulnerability scanning over penetration testing'?
Question325: An IS auditor is reviewing a sample of production incidents and notes that a root cause analysis is not being performed. Which of the following is the GREATEST risk associated with this finding?
Question326: When developing a business continuity plan (BCP), which of the following should be performed FIRST?
Question327: A new application will require multiple interfaces. Which of the following testing methods can be used to detect interface errors early in the development life cycle1?
Question328: Which of the following is the MOST effective way to identify anomalous transactions when performing a payroll fraud audit?
Question329: An IS auditor finds the log management system is overwhelmed with false positive alerts. The auditor's BEST recommendation would be to:
Question330: When developing metrics to measure the contribution of IT to the achievement of business goals, the MOST important consideration is that the metrics:
Question331: Which of the following should an IS auditor expect to see in a network vulnerability assessment?
Question332: An IS auditor has discovered that unauthorized customer management software was installed on a workstation. The auditor determines the software has been uploading customer data to an external party Which of the following is the IS auditor's BEST course of action?
Question333: Which of the following should be done FIRST to effectively define the IT audit universe for an entity with multiple business lines?