Question1: Which of the following is the BEST guidance from an IS auditor to an organization planning an initiative to improve the effectiveness of its IT processes?
Question2: During which IT project phase is it MOST appropriate to conduct a benefits realization analysis?
Question3: Which of the following is MOST important for an IS auditor to verify when reviewing a critical business application that requires high availability?
Question4: During a systems development project, participation in which of the following activities would compromise the IS auditor's independence?
Question5: An organization's security policy mandates that all new employees must receive appropriate security awareness training. Which of the following metrics would BEST assure compliance with this policy?
Question6: Which of the following is the MOST important feature of access control software?
Question7: An IS auditor is reviewing database log settings and notices that only INSERT and DELETE operations are being monitored in the database. What is the MOST significant risk?
Question8: An organization's business function wants to capture customer data and must comply with global data protection regulations. Which of the following should be considered FIRST?
Question9: Which of the following types of firewalls provide the GREATEST degree of control against hacker intrusion?
Question10: Data anonymizabon helps to prevent which types of attacks in a big data environment?
Question11: Which of the following demonstrates the use of data analytics for a loan origination process?
Question12: An IS auditor is evaluating a virtual server environment and teams that the production server, development server and management console are housed in the same physical host. What
Question13: An IS auditor has been asked to assess the security of a recently migrated database system that contains personal and financial data for a bank's customers. Which of the following controls is MOST important for the auditor to confirm is in place?
Question14: In a typical system development life cycle (SDLC), which group is PRIMARILY responsible for confirming compliance with requirements?
Question15: When determining which IS audits to conduct during the upcoming year, internal audit has received a request from management for multiple audits of the contract division due to fraud findings during the prior year Which of the following is the BEST basis for selecting the audits to be performed?
Question16: Which of the following is the MOST likely cause of a successful firewall penetration?
Question17: An IS auditor reviewing the database controls for a new e-commerce system discovers a security weakness in the database configuration. Which of the following should be the IS auditor's NEXT course of action?
Question18: Which of the following is the MOST important process to ensure planned IT system changes are completed in an efficient manner?
Question19: The BEST way to prevent fraudulent payments is to implement segregation of duties between the vendor setup and:
Question20: Spreadsheets are used to calculate project cost estimates Totals for each cost category are then keyed into the job-costing system. What is the BIST control to ensure that data are accurately entered into the system?
Question21: When auditing the alignment of IT to the business strategy, it is MOST important (or the IS auditor to:
Question22: An organization has adopted a backup and recovery strategy that involves copying on-premise virtual machine (VM) images to a cloud service provider Which of the following provides the BEST assurance that VMs can be recovered in the event of a disaster?
Question23: In a 24/7 processing environment, a database contains several privileged application accounts with passwords set to "never expire.' Which of the following recommendations would BEST address the risk with minimal disruption to the business?
Question24: To protect information assets, which of the following should be done FIRST?
Question25: An organization has decided to implement a third-party system in its existing IT environment Which of the following is MOST important for the IS auditor to confirm?
Question26: Which of the following Is the MOST effective way for an IS auditor to evaluate whether an organization is well positioned to defend against an advanced persistent threat (APT)?
Question27: Which of the following technologies has the SMALLEST maximum range for data transmission between devices?
Question28: Disciplinary policies are BEST classified as.
Question29: After discussing findings with an auditee, an IS auditor is required to obtain approval of the report from the CEO before issuing it to the audit committee. This requirement PRIMARILY affects the IS auditor's:
Question30: An external IS auditor has been engaged to determine the organization's cybersecurity posture. Which of the following is MOST useful for this purpose?
Question31: For an organization that has plans to implement web-based trading, it would be MOST important for an IS auditor to verify the organization's information security plan includes:
Question32: A 5 year audit plan provides for general audits every year and application audits on alternating years. To achieve higher efficiency, the IS audit manager would MOST likely:
Question33: Which of the following metrics would be MOST useful to an IS auditor when assessing the resilience of an application programming interface (API)?
Question34: Which of the following is MOST appropriate for measuring a batch processing application's system performance over time?
Question35: A system development project is experiencing delays due to ongoing staff shortages Which of the following strategies would provide the GREATEST assurance of system quality at implementation?
Question36: A third-party service provider is hosting a private cloud for an organization. Which of the following findings during an audit of the provider poses the GREATEST risk to the organization?
Question37: Which of the following is the MOST effective way to identify anomalous transactions when performing a payroll fraud audit?
Question38: A CIO has asked an IS auditor to implement several security controls for an organization s IT processes and systems. The auditor should:
Question39: Which of the following is the BEST point in time to conduct a post-implementation review (PIR)?
Question40: When conducting a requirements analysis for a project, the BEST approach would be to:
Question41: Which of the following reports would provide the GREATEST assurance to an IS auditor about the controls of a third party that processes critical data for the organization?
Question42: During an audit of identity and access management, an IS auditory finds that the engagement audit plan does not include the testing of controls that regulate access by third parties. Which of the following would be the auditor's BEST course of action?
Question43: Which of the following is the BEST sampling method to ensure only active users have access to critical systems?
Question44: A financial institution is launching a mobile banking service utilizing multi-factor authentication. This access control is an example of which of the following?
Question45: Which of the following should be of GREATEST concern to an IS auditor testing interface controls for an associated bank wire transfer process?
Question46: Which of the following should be the FIRST step in an organization's forensics process to preserve evidence?
Question47: Which of the following falls within the scope of an information security governance committee?
Question48: When measuring the effectiveness of a security awareness program, the MOST helpful key performance indicator (KPI) is the number of:
Question49: Which of the following projects would be MOST important to review in an audit of an organizations financial statements?
Question50: Which of the following BEST facilitates the management of assets during the implementation of an information system?
Question51: An organization maintains an inventory of the IT applications used by its staff Which of the following would pose the GREATEST concern with regard to the quality of the inventory data?
Question52: Which of the following is MOST important for an IS auditor to verify during a disaster recovery audit?
Question53: An IS auditor noted that a change to a critical calculation was placed into the production environment without being tested. Which of the following is the BEST way to obtain assurance that the calculation functions correctly?
Question54: An IS auditor has obtained a large complex data set for analysis. Which of the following activities will MOST improve the output from the use of data analytics tools?
Question55: The IS auditor has recommended that management test a new system before using it in production mode The BEST approach for management in developing a test plan is to use processing parameters that are
Question56: Which of the following is the MAIN risk associated with adding a new system functionality during the development phase without following a project change management process?
Question57: An IS auditor is reviewing documentation of application systems change control and identifies several patches that were not tested before being put into production. Which of the following is the MOST significant risk from this situation?
Question58: Which of the following is the GREATEST security risk associated with data migration from a legacy human resources (HR) system to a cloud-based system''
Question59: Which of the following BEST ensures the confidentiality of sensitive data during transmission?
Question60: The operations team of an organization has reported an IS security attack. Which of the following should be the FIRST step for the security incident response team?
Question61: When is the BEST time to commence continuity planning for a new application system?
Question62: Which of the following documents would be MOST useful in detecting a weakness in segregation of duties?
Question63: Which of the following is the MOST important determining factor when establishing appropriate timeframes for follow-up activities related to audit findings?
Question64: Which of the following controls is BEST implemented through system configuration?
Question65: In an IT organization where many responsibilities are shared, which of the following would be the BEST control for detecting unauthorized data changes?
Question66: An IS auditor is analysing a sample of assesses recorded on the system log of an application. The auditor intends to launch an intensive investigation if one exception is found. Which sampling method would be appropriate?
Question67: Which of the following should be of GREATEST concern to an IS auditor reviewing on-site preventive maintenance for an organization's business critical server hardware?
Question68: What is the BEST control to address SQL injection vulnerabilities?
Question69: Which sampling method should an IS auditor employ when the likelihood of exceptions existing in the population is low''
Question70: Which of the following practices BEST ensures that archived electronic information of permanent importance is accessible over time?
Question71: The performance, risks, and capabilities of an IT infrastructure are BEST measured using a:
Question72: The use of which of the following would BEST enhance a process improvement program?
Question73: The maturity level of an organization s problem management support function is optimized when the function
Question74: Which of the following should be defined in an audit chatter?
Question75: The FIRST course of action an investigator should take when a computer is being attacked is to:
Question76: An auditor is creating an audit program in which the objective is to establish the adequacy of personal data privacy controls in a payroll process. Which of the following would be MOST important to include?
Question77: Which of the following BEST indicates that an organization has effective governance in place?
Question78: An organization wants to change its project methodology to address increasing costs and process changes Which of the following is the BEST methodology to use?
Question79: Which of the following development practices would BEST mitigate the risk associated with theft erf user credentials transmitted between mobile devices and the corporate network?
Question80: Which of the following security risks can be reduced by a properly configured network firewall?
Question81: The PRIMARY advantage of object-oriented technology is enhanced:
Question82: Which of the following types of testing would BEST mitigate the risk of a newly implemented system adversely impacting existing systems?
Question83: Capacity management enables organizations to:
Question84: Which of the following is the MOST effective control for protecting the confidentiality and integrity of data stored unencrypted on virtual machines?
Question85: Which of the following focus areas is a responsibility of IT management rather than IT governance?
Question86: In an organization that has a staff-rotation policy, the MOST appropriate access control model is:
Question87: Which of the following is found in an audit charter?
Question88: Which of the following would provide the BEST evidence of the effectiveness of mandated annual security awareness training?
Question89: Which cloud deployment model is MOST likely to be limited in scalability?
Question90: An IS auditor finds that the process for removing access for terminated employee is not documented. What is the MOST significant risk from this observation?
Question91: An IS auditor is reviewing a recent security incident and is seeking information about the approval of a recent modification to a database system's security settings Where would the auditor MOST likely find this information?
Question92: Which of the following governance functions is responsible for ensuring IT projects have sufficient resources and are prioritized appropriately?
Question93: Which of the following is the GREATEST concern associated with migrating computing resources to a cloud virtualized environment?
Question94: An IS auditor is reviewing a sample of production incidents and notes that a root cause analysis is not being performed. Which of the following is the GREATEST risk associated with this finding?
Question95: Which of the following cloud deployment models would BEST meet the needs of a startup software development organization with limited initial capital?
Question96: The PRIMARY focus of audit follow-up reports should be to:
Question97: When responding to an ongoing Daniel of service (DoS) attack, an organization's FIRST course of action should be to:
Question98: What is the PRIMARY benefit of prototyping as a method of system development?
Question99: Which of the following is MOST important for an IS auditor to review when assessing the integrity of encryption controls for data at rest?
Question100: Tunneling provides additional security for connecting one host to another through the Internet by:
Question101: Segregation of duties would be compromised if:
Question102: While conducting a system architecture review, an IS auditor learns of multiple complaints from field agents about the latency of a mobile thin client designed to provide information during site inspections Which of the following is the BEST way to address this situation?
Question103: Which of the following strategies BEST optimizes data storage without compromising data retention practices?
Question104: When determining whether a project in the design phase will meet organizational objectives, what is BEST to compare against the business case?
Question105: When classifying information, it is MOST important to align the classification to:
Question106: An IS auditor is assessing the results of an organization's post-implementation review of a newly developed information system. Which of the following should be the auditor's MAIN focus?
Question107: Which of the following is the BEST way to ensure payment transaction data is restricted to the appropriate users?
Question108: Due to a recent business divestiture, an organization has limited IT resources to deliver critical projects.
Reviewing the IT staffing plan against which of the following would BEST guide IT management when estimating resource requirements for future projects?
Question109: Which of the following information security requirements BEST enables the tracking of organizational data in a bring your own device (BYOD) environment?
Question110: Which of the following should be an IS auditor's GREATEST concern when a security audit reveals the organization's vulnerability assessment approach is limited to running a vulnerability scanner on its network?
Question111: Which of the following should be an IS auditor's GREATEST concern when reviewing an organization's security controls for policy compliance?
Question112: Which of the following is an example of a corrective control?
Question113: Which of the following is the GREATEST benefit of implementing an incident management process?
Question114: Which of the following should an IS auditor do FIRST when assessing the level of compliance for an organization in the banking industry?
Question115: When evaluating the ability of a disaster recovery plan (DRP) to enable the recovery of IT processing capabilities, it is MOST important for the IS auditor to verify the plan is:
Question116: Which of the following MUST be completed before selecting and deploying a biometric system that uses facial recognition software?
Question117: When assessing whether an organization's IT performance measures are comparable to other organizations in the same industry which of the following would be MOST helpful to review?
Question118: What is the MAIN purpose of an organization's internal IS audit function?
Question119: To develop a robust data security program, the FIRST course of action should be to:
Question120: Which of the following physical controls will MOST effectively prevent breaches of computer room security?
Question121: A characteristic of a digital signature is that it:
Question122: An organization implemented a cybersecurity policy last year. Which of the following is the GREATEST indicator that the policy may need to be revised?
Question123: Which of the following Is a challenge in developing a service level agreement (SLA) for network services?
Question124: Which of the following clauses is MOST important to include in a contract to help maintain data privacy in the event a Platform as a Service (PaaS) provider becomes financially insolvent?
Question125: An IS auditor is reviewing the business requirements for the deployment of a new website Which of the following cryptographic systems would provide the BEST evidence of secure communications on the internet?
Question126: An existing system is being replaced with a new application package User acceptance testing (UAT) should ensure that
Question127: Which of the following MOST effectively mitigates the risk of disclosure of sensitive data stored on company-owned smartphones?
Question128: An IS auditor finds that application servers had inconsistent security settings leading to potential vulnerabilities Which of the following is the BEST recommendation by the IS auditor?
Question129: Which of the following should be of GREATEST concern for an IS auditor reviewing an organization's bring your own device (BYOD) policy?
Question130: Which of the following is the MOST effective way to minimize the risk of a SQL injection attack?
Question131: Which of the following is the BEST control to prevent the transfer of files to external parties through instant messaging (IM) applications?
Question132: Which of the following should be the PRIMARY consideration for IT management when selecting a new information security tool that monitors suspicious file access patterns?
Question133: Following an IS audit, which of the following types of risk would be MOST critical to communicate to key stakeholders?
Question134: Which of the following should an IS auditor be MOST concerned with when reviewing the IT asset disposal process?
Question135: IS management has recently disabled certain referential integrity controls in the database management system (DBMS) software to provide users increased query performance Which of the following controls win MOST effectively compensate for the lack of referential integrity?
Question136: Which of the following processes BEST addresses the risk associated with the deployment of a new production system?
Question137: Which of the following control testing approaches is BEST used to evaluate a control's ongoing effectiveness by comparing processing results to independently calculated data?
Question138: Which of the following would be an IS auditor's GREATEST concern when reviewing the early stages of a software development project?
Question139: The BEST way to validate whether a malicious act has actually occurred in an application is to review.
Question140: An organization has established hiring policies and procedures designed specifically to ensure network administrators are well qualified. Which type of control is in place?
Question141: An organization's IT security policy requires annual security awareness training for all employees. Which of the following would provide the BEST evidence of the training's effectiveness?
Question142: A manufacturing company is implementing application software for its sales and distribution system. Which of the following is the MOST important reason for the company to choose a centralized online database?
Question143: Which of the following would be the MOST effective method to identify high risk areas in the business to be included in the audit plan?
Question144: Which of the following is the GREATEST risk associated with vulnerability scanning tools used to identify security weaknesses?
Question145: The objective of a vulnerability identification step in a risk assessment process is to.
Question146: A small financial institution is preparing to implement a check image processing system to support planned mobile banking product offerings Which of the following is MOST critical to the successful implementation of the system?
Question147: Which of the following is the MOST effective way to maintain network integrity when using mobile devices?
Question148: An organization has implemented a quarterly job schedule to update database tables so prices are adjusted in line with a price index These changes do not go through the regular change management process Which of the following is the MOST important control to have in place?
Question149: Which of the following is a benefit of the DevOps development methodology?
Question150: Which of the following is the MOST effective control against injection attacks on a web application?
Question151: An IS audit reveals that many of an organization's Internet of Things (loT) devices have not been patched.
Which of the following should the auditor do FIRST when determining why these devices have not received the required patches?
Question152: The IS quality assurance (OA) group is responsible for
Question153: Following a significant merger and acquisition, which of the following should the chief audit executive (CAE) do FIRST to evaluate the performance of the combined internal audit function?
Question154: Which of the following must be in place before an IS auditor initiates audit follow-up activities?
Question155: When aligning IT projects with organizational objectives, it is MOST important to ensure that the:
Question156: When reviewing backup policies, an IS auditor MUST verify that backup intervals of critical systems do not exceed which of the following?
Question157: Which of the following access rights presents the GREATEST risk when granted to a new member of the system development staff?
Question158: Which of the following should be done FIRST when developing a business continuity plan (BCP)?
Question159: An online retailer is receiving customer complaints about receiving different items from what they ordered on the organization's website. The root cause has been traced to poor data quality. Despite efforts to clean erroneous data from the system, multiple data quality issues continue to occur. Which of the following recommendations would be the BEST way to reduce the likelihood of future occurrences?
Question160: Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system.
Which of the following is the IS auditor s BEST recommendation for a compensating control?
Question161: Which of the following should be done by an IS auditor during a post-implementation review of a critical application that has been operational for six months''
Question162: An organization decides to establish a formal incident response capability with clear roles and responsibilities facilitating centralized reporting of security incidents. Which type of control is being implemented?
Question163: An IT governance body wants to determine whether IT service delivery is based on consistently effective processes. Which of the following is the BEST approach?
Question164: An organization allows its employees to use personal mobile devices for work. Which of the following would BEST maintain information security without compromising employee privacy?
Question165: Which of the following provides the MOST comprehensive description of IT's role in an organization?
Question166: Which of the following MOST efficiently protects computer equipment against short-term reductions in electrical power?
Question167: An organization's software developers need access to personally identifiable information (Pll) stored in a particular data format. Which of the following is the BEST way to protect this sensitive information while allowing the developers to use it in development and test environments?
Question168: Which of the following is the MOST reliable way for an IS auditor to evaluate the operational effectiveness of an organization's data loss prevention (DLP) controls?
Question169: Which of the following is MOST likely to be detected by an IS auditor applying data analytic techniques?
Question170: During an IT operations audit multiple unencrypted backup tapes containing sensitive credit card information cannot be found Which of the following presents the GREATEST risk to the organization?
Question171: Which of the following presents the GREATEST concern when implementing data flow across borders?
Question172: Which of the following is the BEST way to address potential data privacy concerns associated with inadvertent disclosure of machine identifier information contained within security logs?
Question173: During an audit of a financial application, it was determined that many terminated users' accounts were not disabled. Which of the following should be the IS auditors NEXT step?
Question174: Which of the following BEST helps to identify errors during data transfer?
Question175: Which of the following is the PRIMARY reason an IS auditor should use an IT-related framework as a basis for scoping and structuring an audit?
Question176: The application systems quality assurance (QA) function should:
Question177: To BEST evaluate the effectiveness of a disaster recovery plan, the IS auditor should review the:
Question178: Which of the following validation techniques would BEST prevent duplicate electronic vouchers?
Question179: During the planning stage of a compliance audit an IS auditor discovers that a bank's Inventory of compliance requirements does not include recent regulatory changes related to managing data risk. What should the auditor do FIRST?
Question180: During a review of the IT strategic plan, an IS auditor finds several IT initiatives focused on delivering new systems and technology are not aligned with the organization's strategy. Which of the following would be the IS auditor's BEST recommendation?
Question181: Which of the following evidence-gathering techniques will provide the GREATEST assurance that procedures are understood and practiced?
Question182: Which of the following would BEST indicate the effectiveness of a security awareness training program?
Question183: An organization has recently implemented a Voice-over IP (VoIP) communication system. Which of the following should be the IS auditor's PRIMARY concern?
Question184: After an external IS audit, which of the following should be IT management's MAIN consideration when determining the prioritization of follow-up activities?
Question185: When an organization introduces virtualization into its architecture, which of the following should be an IS auditor's PRIMARY area of focus to verify adequate protection?
Question186: An IS auditor is conducting a pre-implementation review to determine a new system's production readiness.
The auditor's PRIMARY concern should be whether:
Question187: An IS auditor Is reviewing an organization's business continuity plan (BCP) following a change in organizational structure with significant impact to business processes Which of the following findings should be me auditor's GREATEST concern?
Question188: An IS auditor reviewing the system development life cycle (SDLC) finds there is no requirement for business cases. Which of the following should be of GREATEST concern to the organization?
Question189: Which of the following are examples of detective controls?
Question190: Which of the following analytical methods would be MOST useful when trying to identify groups with similar behavior or characteristics in a large population?
Question191: An IS auditors independence with respect to the audit of an application system is MOST likely to be impaired if the auditor
Question192: Which of the following is an IS auditor's BEST course of action upon learning that preventive controls have been replaced with detective and corrective controls'
Question193: When reviewing past results of a recurring annual audit, an IS auditor notes that findings may not have been reported and independence may not have been maintained Which of the following is the auditor's BEST course of action?
Question194: An IS audit reveals an organization's IT department reports any deviations from its security standards to an internal IT risk committee involving IT senior management. Which of the following should be the IS auditor's GREATEST concern?
Question195: Which of the following is the BEST method to prevent wire transfer fraud by bank employees?
Question196: Which of the following development practices would BEST mitigate the risk associated with theft of user credentials transmitted between mobile devices and the corporate network?
Question197: Which of the following is MOST important to have in place to build consensus among key stakeholders on the cost-effectiveness of IT?
Question198: Which of the following provides for the GREATEST cost reduction in a large data center?
Question199: When reviewing an organization's data protection practices, an IS auditor should be MOST concerned with a lack of:
Question200: Which of the following findings should be of MOST concern to an IS auditor reviewing an organization's business continuity plan (BCP)?
Question201: Which of the following is the BEST way to minimize the impact of a ransomware attack?
Question202: The implementation of an IT governance framework requires that the board of directors of an organization:
Question203: During a post-implementation review, a step in determining whether a project met user requirements is to review the:
Question204: The GREATEST benefit of using a prototyping approach in software development is that it helps to:
Question205: Which of the following is an IS auditor's BEST recommendation to mitigate the risk of eavesdropping associated with an application programming interface (API) integration implementation?
Question206: An IS auditor reviewing a purchase accounting system notices several duplicate payments made for the services rendered. Which of the following is the auditor's BEST recommendation for preventing duplicate payments?
Question207: Which of the following would BEST enable an IS auditor to perform an audit that requires testing the full population of data?
Question208: Which of the following is the BEST way for an IS auditor to maintain visibility of a new system implementation project when faced with resource limitations
Question209: Which of the following is an IS auditor's BEST recommendation to help an organization increase the efficiency of computing resources?
Question210: Following a recent internal data breach, an IS auditor was asked to evaluate information security practices within the organization. Which of the following findings would be MOST important to report to senior management?
Question211: Which of the following should be the PRIMARY audience for a third-party technical security assessment report?
Question212: Which of the following is the BEST way to enforce the principle of least privilege on a server containing data with different security classifications?
Question213: Which of the following is a PRIMARY role of an IS auditor in a control self-assessment (CSA) workshop?
Question214: While conducting a review of project plans related to a new software development, an IS auditor finds the project initiation document (PID) is incomplete. What is the BEST way for the auditor to proceed?
Question215: Which of the following is MOST important when duties in a small organization cannot be appropriately segregated?
Question216: Which of the following is the BEST way for an IS auditor to reduce sampling risk when performing audit sampling to verify the adequacy of an organization's internal controls?
Question217: When engaging services from external auditors, which of the following should be established FIRST?
Question218: An advantage of object-oriented system development is that it:
Question219: An IS auditor finds that needed security patches cannot be applied to some of an organization's network devices due to compatibility issues. The organization has not budgeted sufficiently for security upgrades.
Which of the following should the auditor recommend be done FIRST?
Question220: Which of the following would be the MOST appropriate reason for an organization to purchase fault-tolerant hardware?
Question221: Which of the following should be included in a business impact analysis (BIA)
Question222: Which of the following is the PRIMARY reason that asset classification is vital to an information security program?
Question223: Which of the following is the BEST way to mitigate the risk associated with a document storage application that has a syncing feature that could allow malware to spread to other machines in the network?
Question224: Which of the following is MOST important to ensure during computer forensics investigations?
Question225: An organization has recently converted its infrastructure to a virtualized environment. The GREATEST benefit related to disaster recovery is that virtualized servers:
Question226: When developing customer-tearing IT applications, in which stage of the system development the cycle (SDLC) is it MOST beneficial to consider data privacy principles?
Question227: An organization has implemented periodic reviews of logs showing privileged user activity production servers.
Which type of control has been established?
Question228: An IT organization's incident response plan is which type of control?
Question229: In an environment that automatically reports all program changes. which of the following is the MOST efficient way to detect unauthorized changes to production programs?
Question230: Which of the following should be of GREATEST concern to an IS auditor planning to employ data analytics in an upcoming audit?
Question231: External experts were used on a recent IT audit engagement While assessing the external experts' work, the internal audit team found some gaps in the evidence that may have impacted their conclusions What is the internal audit team's BEST course of action?
Question232: Which of the following should an IS auditor review FIRST when evaluating a business process for auditing?
Question233: When auditing the alignment of IT to the business strategy, it is MOST important (or the IS auditor to:
Question234: A vulnerability in which of the following virtual systems would be of GREATEST concern to the IS auditor?
Question235: An IS auditor wants to understand the collective effect of the preventive, detective, and corrective controls for a specific business process. Which of the following should the auditor focus on FIRST?
Question236: An organization with high availability resource requirements is selecting a provider for cloud computing.
Which of the following would cause the GREATEST concern to an IS auditor? The provider:
Question237: Which of the following is MOST important for an IS auditor to consider when planning an assessment of the organization's end-user computing (EUC) program?
Question238: Which of the following is the PRIMARY purpose for external assessments of internal audit's quality assurance (OA) systems and frameworks?
Question239: Which of the following should occur EARLIEST in a business continuity management lifecycle?
Question240: An IS auditor is reviewing environmental controls and finds extremely high levels of humidity in the data center. Which of the following is the PRIMARY risk to computer equipment from this condition?
Question241: An IS audit found that malware entered the organization through a spreadsheet macro, and the auditor recommended that spreadsheet macros be disabled. All macros were disabled except those needed by the finance team for reporting purposes. Which of the following is the auditor's BEST course of action?
Question242: During a routine check, a system administrator identifies unusual activity indicating an intruder within a firewall. Which of the following controls has MOST likely been compromised?
Question243: An employee has accidentally posted confidential data to the company's social media page. Which of the following is the BEST control to prevent this from recurring?
Question244: An internal audit department recently established a quality assurance (QA) program. Which of the following activities is MOST important to include as part of the QA program requirements?
Question245: Which of the following is the BEST way to reduce sampling risk?
Question246: Which of the following is the GREATEST concern when using a cold backup site?
Question247: Which of the following is the PRIMARY reason for an IS auditor to use computer-assisted audit techniques (CAATs)?
Question248: Which of the following is an example of a preventive control?
Question249: The use of symmetric key encryption controls to protect sensitive data transmitted over a communications network requires that.
Question250: Which of the following responsibilities of an organization's quality assurance (QA) function should raise concern for an IS auditor?
Question251: An organization's IT security policy states that user ID's must uniquely identify individual's and that user should not disclose their passwords. An IS auditor discovers that several generic user ID's are being used.
Which of the following is the MOST appropriate course of action for the auditor?
Question252: Which of the following is the GREATEST advantage of application penetration testing over vulnerability scanning?
Question253: An organization offers an online information security awareness program to employees on an annual basis.
Which of the following from an audit of the program should be the auditor's GREATEST concern?
Question254: The use of cookies constitutes the MOST significant security threat when they are used for:
Question255: Which of the following is MOST important for an IS auditor to consider when reviewing documentation for an organization's forensics policy?
Question256: An IS auditor finds that corporate mobile devices used by employees have varying levels of password settings.
Which of the following would be the BEST recommendation?
Question257: An algorithm in an email program analyzes traffic to quarantine emails identified as spam The algorithm in the program is BEST characterized as which type of control?
Question258: When performing a post-implementation review, the adequacy of the data conversion effort would BEST be evaluated by performing a thorough review of the:
Question259: Which of the following is MOST important to consider when assessing the scope of privacy concerns for an IT project?
Question260: Which of the following should be done FIRST to effectively define the IT audit universe for an entity with multiple business lines?
Question261: An application used at a financial services organization transmits confidential customer data to downstream applications using a batch process. Which of the following controls would protect this information?
Question262: When deploying an application that was created using the programming language and tools supported by the cloud provider, the MOST appropriate cloud computing model for an organization to adopt is:
Question263: Which of the following is the BEST way for an IS auditor to validate that employees have been made aware of the organization's information security policy?
Question264: An organization has outsourced the development of a core application. However, the organization plans to bring the support and future maintenance of the application back in-house. Which of the following findings should be the IS auditor's GREATEST concern?
Question265: Which of the following is the GREATEST concern associated with control self-assessments (CSAs)?
Question266: Which of the following is MOST critical to include when developing a data loss prevention (DIP) policy?
Question267: On a public-key cryptosystem when there is no previous knowledge between parties, which of the following will BEST help to prevent one person from using a fictitious key to impersonate someone else?
Question268: Malicious program code was found in an application and corrected prior to release into production. After the release, the same issue was reported. Which of the following is the IS auditor's BEST recommendation?
Question269: Which of the following should be the MOST important consideration when prioritizing the funding for competing IT projects?
Question270: Which of the following is the MOST important step in the development of an effective IT governance action plan?
Question271: When evaluating database management practices, which of the following controls would MOST effectively support data integrity?
Question272: An information systems security officer's PRIMARY responsibility for business process applications is to:
Question273: Which of the following areas of responsibility would cause the GREATEST segregation of duties conflict if the individual who performs the related tasks also has approval authority?
Question274: A help desk has been contacted regarding a lost business mobile device The FIRST course of action should be to
Question275: When conducting a post-implementation review of a new software application, an IS auditor should be MOST concerned with an increasing number of
Question276: Which of the following should an IS auditor expect to find when reviewing IT security policy?
Question277: Which of the following is the MOST significant operational risk associated with the use of virtualization?
Question278: An IS auditor is asked to provide feedback on the systems options analysis for a new project The BEST course of action for the IS auditor would be to:
Question279: An IS auditor finds that an organization's data toss prevention (DLP) system is configured to use vendor default settings to identify violations. The auditor's MAIN concern should be that:
Question280: Which of the following is a preventive control related to change management?
Question281: A company uses a standard form to document and approve all changes in production programs. To ensure that the forms are properly authorized, which of the following is the MOST effective sampling method?
Question282: An IS auditor plans to review all access attempts to a video-monitored and proximity card-controlled communications room. Which of the following would be MOST useful to the auditor?
Question283: Which of the following is a corrective control?
Question284: Which of the following is a corrective control that reduces the impact of a threat event?
Question285: Which of the following communication modes should be of GREATEST concern to an IS auditor evaluating end user networking?
Question286: During recent post-implementation reviews, an IS auditor has noted that several deployed applications are not being used by the business. The MOST likely cause would be the lack of:
Question287: An IS auditor is reviewing a contract for the outsourcing of IT facilities. If missing, which of the following should present the GREATEST concern to the auditor?
Question288: Which of the following is the PRIMARY purpose of quality assurance (QA) within an IS audit department?
Question289: Which of the following is the PRIMARY reason to adopt a capability model?
Question290: A review of an organization's IT portfolio revealed several applications that are not in use. The BEST way to prevent this situation from recurring would be to implement.
Question291: Which of the following conditions would be of MOST concern to an IS auditor assessing the risk of a successful brute force attack against encrypted data at rest?
Question292: Which of the following is the PRIMARY advantage of using virtualization technology for corporate applications?
Question293: The use of control totals reduces the risk of
Question294: An e-commerce enterprise's disaster recovery (DR) site has 30% less processing capability than the primary site. Based on this information, which of the following presents the GREATEST risk?
Question295: During a review of operations, it is noted that during a batch update, an error was detected and the database initiated a roll-back. An IT operator stopped the roll-back and re-initiated the update. What should the operator have done PRIOR to re-initiating the update?
Question296: Which of the following BEST measures project progress?
Question297: An IS auditor has completed an audit on the organization's IT strategic planning process Which of the following findings should be given the HIGHEST priority?
Question298: What would be an IS auditors GREATEST concern when using a test environment for an application audit?
Question299: When of the following is to MOST important consideration when prioritizing IT system for penetration testing?
Question300: The activation of a pandemic response plan has resulted in a remote workforce situation. Which of the following technologies poses the GREATEST risk to data confidentiality?
Question301: Which of the following is MOST important for an IS auditor to test when reviewing market data received from external providers?
Question302: During an audit of a disaster recovery plan (DRP) for a critical business area, an IS auditor finds that not all critical systems are covered. What should the auditor do NEXT?
Question303: In a typical network architecture used for e-commerce a load balancer is normally found between the
Question304: An organization is developing data classification standards and has asked internal audit for advice on aligning the standards with best practices. Internal audit would MOST likely recommend the standards should be:
Question305: Which of the following is the role of audit leadership in ensuring the quality of audit and engagement performance?
Question306: Which of the following is MOST likely to be included in computer operating procedures in a large data center?
Question307: servDuring an internal audit review of a human resources (HR) recruitment system implementation the IS auditor notes that several defects were unresolved at the time the system went live Which of the following is the auditor's MOST important task prior to formulating an audit opinion?
Question308: Following the sale of a business division, employees will be transferred to a new organization, but they will retain access to IT equipment from the previous employer. An IS auditor has recommended that both organizations agree to and document an acceptable use policy for the equipment. What type of control has been recommended?
Question309: Which of the following will BEST help to ensure that an in-house application in the production environment is current?
Question310: An organization plans to eliminate pilot releases and instead deliver all functionality in a single release. Which of the following is the GREATEST risk with this approach?
Question311: Which of the following should be an IS auditor's BEST recommendation to prevent installation of unlicensed software on employees' company-provided devices?
Question312: Which of the following is the GREATEST concern with conducting penetration testing on an internally developed application in the production environment?
Question313: Which of the following is the BEST way to determine il IT is delivering value to the business?
Question314: chain management processes Customer orders are not being fulfilled in a timely manner, and the inventory in the warehouse does not match the quantity of goods in the sales orders. Which of the following is the auditor's BEST recommendation?
Question315: Which of the following is the BEST source of information for an IS auditor when planning an audit of a business application's controls?
Question316: The BEST indicator of an optimized quality management system (QMS) is that it
Question317: During the design phase of a software development project, the PRIMARY responsibility of an IS auditor is to evaluate the:
Question318: An organization allows employees to retain confidential data on personal mobile devices Which of the following is the BEST recommendation to mitigate the risk of data leakage from lost or stolen devices?
Question319: These members of an emergency incident response team should be:
Question320: planning an end-user computing (EUC) audit, it is MO ST important for the IS auditor to
Question321: Which of the following would be the MOST useful metric for management to consider when reviewing a project portfolio?
Question322: Which of the following provides an IS auditor the MOST assurance that an organization is compliant with legal and regulatory requirements?
Question323: During the implementation of an upgraded enterprise resource planning (ERP) system, which of the following is the MOST important consideration for a go-live decision?
Question324: Which of the following provides an IS auditor with the BEST evidence that a system has been assessed for known exploits?
Question325: Which of the following is the MOST effective sampling method for an IS auditor to use for identifying fraud and circumvention of regulations?
Question326: Regression testing should be used during a system development project to ensure that:
Question327: Which of the following is the BEST way to mitigate the risk associated with malicious changes to binary code during the software development life cycle (SDLC)?
Question328: Which of the following is the MOST important prerequisite for Implementing a data loss prevention (DLP) tool?
Question329: As part of business continuity planning, which of the following is MOST important to assess when conducting a business impact analysis (BIA)?
Question330: Which of the following metrics is MOST useful to an IS auditor when evaluating whether IT investments are meeting business objectives?
Question331: Which of the following is the MAIN risk associated with adding a new system functionality during the development phase without following a project change management process?
Question332: A bank is relocating its servers to a vendor that provides data center hosting services to multiple clients. Which of the following controls would restrict other clients from physical access to the bank servers?
Question333: An organization is disposing of a system containing sensitive data and has deleted all files from the hard disk.
An IS auditor should be concerned because:
Question334: Batch processes running in multiple countries are merged to one batch job to be executed in a single data center. Which of the following is the GREATEST concern with this approach?
Question335: Which of the following is MOST important for an IS auditor to do during an exit meeting with an auditee?
Question336: Which of the following is the PRIMARY reason for an organization's procurement processes to include an independent party who is not directly involved with business operations and related decision-making'?
Question337: An organization plans to launch a social media presence as part of a new customer service campaign. Which of the following is the MOST significant risk from the perspective of potential litigation?
Question338: An organization transmits large amount of data from one internal system to another. The IS auditor is reviewing quality of the data at the originating point. Which of the following should the auditor verify first?
Question339: To ensure the integrity of a recovered database, which of the following would be MOST useful?
Question340: When is it MOST important for an IS auditor to apply the concept of materiality in an audit?