EMT Practice Test

1. Question Content...


Question List

Question1: Which of the following would be MOST time and cost efficient when performing a control self-assessment (CSA) for an organization with a large number of widely dispersed employees?

Question2: Which of the following is the GREATEST concern associated with control self-assessments (CSAs)?

Question3: An IS auditor finds that capacity management for a key system It bang performed by IT with no input from the business. The auditor s PMMARY concern would be:

Question4: An organization allows its employees to use personal mobile devices for work. Which of the following would BEST maintain information security without compromising employee privacy?

Question5: Which of the following areas of responsibility would cause the GREATEST segregation of duties conflict if the individual who performs the related tasks also has approval authority?

Question6: An IS auditor performing an application development review attends development team meetings. The IS auditor's independence will be compromised if the IS auditor:

Question7: An IS auditor who was instrumental m designing an application is called upon to review the application. The auditor should:

Question8: An organization was recently notified by its regulatory body of significant discrepancies in its reporting data A preliminary investigation revealed that the discrepancies wore caused by problems with the organization's data quality Management has directed the data quality team to enhance their program. The audit committee has asked internal audit to be advisors to the process To ensure that management concerns are addressed which data set should internal audit recommend be reviewed FIRST?

Question9: A warehouse employee of a retail company has been able to conceal the theft of inventory items by entering adjustments of either damaged or lost stock items to the inventory system Which control would have BEST prevented this type of fraud in a retail environment?

Question10: When implementing a new IT maturity model which of the following should occur FIRST?

Question11: During the planning phase of a data loss prevention (DLP) audit, management expresses a concern about mobile computing. Which of the following should the IS auditor identity as the associated risk?

Question12: IS management has recently disabled certain referential integrity controls in the database management system (DBMS) software to provide users increased query performance Which of the following controls win MOST effectively compensate for the lack of referential integrity?

Question13: Which of the following is the BEST indicator of the effectiveness of signature-based intrusion detection systems (IDSs)?

Question14: The PRIMARY focus of audit follow-up reports should be to:

Question15: Which of the following security testing techniques is MOST effective in discovering unknown malicious attacks?

Question16: Which of the following to the MOST effective way for an IS auditor to evaluate whether an organization is well positioned to defend against an advanced persistent threat (APT)?

Question17: Which of the following should be the PRIMARY objective of conducting an audit follow-up of management action plans?

Question18: An algorithm in an email program analyzes traffic to quarantine emails identified as spam The algorithm in the program is BEST characterized as which type of control?

Question19: An IS auditor is evaluating the risk associated with moving from one database management system (DBMS) to another. Which of the following would be MOST helpful to ensure the integrity of the system throughout the change?

Question20: Which of the following is the MOST important issue for an IS auditor to consider with regard to Voice-over IP (VoIP) communications?

Question21: Which of the following is a corrective control?

Question22: An IS audit team is evaluating the documentation related to the most recent application user-access review performed by IT and business management. It is determined that the user list was not system-generated. Which of the following: should be the GREATEST concern?

Question23: As part of a recent business-critical initiative, an organization is re- purposing its customer dat a. However, its customers are unaware that their data is being used for another purpose. What is the BEST recommendation to address the associated data privacy risk to the organization?

Question24: Which of the following is the MOST effective control to ensure electronic records beyond their retention periods are deleted from IT systems?

Question25: An IS auditor is evaluating the access controls for a shared customer relationship management (CRM) system.
Which of the following would be the GREATEST concern?

Question26: Which of the following is MOST important to review when planning for an IS audit of an organization's cross-border data transfers?

Question27: Of the following, who are the MOST appropriate staff for ensuring the alignment of user authorization tables with approved authorization forms?

Question28: After the merger of two organizations, which of the following is the MOST important task for an IS auditor to perform?

Question29: Which of the following would be of MOST concern when determining if information assets are adequately safeguarded during transport and disposal?

Question30: What would be an IS auditor's BEST recommendation upon finding that a third-party IT service provider hosts the organization's human resources (HR) system in a foreign country?

Question31: An audit has identified that business units have purchased cloud-based applications without ITs support. What is the GREATEST risk associated with this situation?

Question32: Which type of control is being implemented when a biometric access device is installed at the entrance to a facility?

Question33: Which of the following BEST minimizes performance degradation of serve's used to authenticate users of an e-commerce website?

Question34: Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organizations information security policy?

Question35: In data warehouse (DW) management, what is the BEST way to prevent data quality issues caused by changes from a source system?

Question36: To enable the alignment of IT staff development plans with IT strategy, which of the following should be done FIRST?

Question37: Which of the following is MOST important for an IS auditor to do during an exit meeting with an auditee?

Question38: Which of the following should be of MOST concern to an IS auditor reviewing (he public key infrastructure (PKI) for enterprise email?

Question39: Due to tented storage capacity, an organization has decided to reduce the actual retention period for media containing completed low-value transactions. Which of the following is MOST important for the organization to ensure?

Question40: What is the BEST method for securing credit card numbers stored temporarily on a file server prior to transmission to the downstream system for payment processing?

Question41: Which of the following is the BEST performance indicator for the effectiveness of an incident management program?

Question42: Which of the following would be MOST useful to an organization planning to adopt a public cloud computing model?

Question43: According to the three lines of defense model for risk management, the second line of defense includes functions that

Question44: During the implementation of an enterprise resource planning (ERP) system, an IS auditor is reviewing the results of user acceptance testing (UAT). The auditor's PRIMARY focus should be to determine if:

Question45: An IS auditor identifies that a legacy application to be decommissioned in three months cannot meet the security requirements established by the current policy. What is the BEST way (or the auditor to address this issue?

Question46: Which of the following is the BEST way to mitigate the risk associated with technology obsolescence?

Question47: Which of the following Is a challenge in developing a service level agreement (SLA) for network services?

Question48: As part of business continuity planning, which of the following is MOST important to assess when conducting a business impact analysis (BIA)?

Question49: An IS auditor learns the organization has experienced several server failures in its distributed environment.
Which of the following is the BEST recommendation to limit the potential impact of server failures in the future?

Question50: Which of the following is MOST important when implementing a data classification program?

Question51: Which of the following should be of GREATEST concern to an IS auditor reviewing an organization's IT process performance reports over the last quarter?

Question52: An IS auditor concludes that an organization has a quality security policy. Which of the following is MOST important to determine next? The policy must be:

Question53: An IS auditor is asked to review a large organization's change management process. Which of the following practices presents the GREATEST risk?

Question54: Which of the following would provide the MOST important input during the planning phase for an audit on the implementation of a bring your own device (BYOD) program?

Question55: An IS auditor reviewing the database controls for a new e-commerce system discovers a security weakness in the database configuration. Which of the following should be the IS auditor's NEXT course of action?

Question56: Which of lite following components of a risk assessment is MOST helpful to management in determining the level of risk mitigation to apply?

Question57: Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system.
Which of the following is the IS auditor s BEST recommendation for a compensating control?

Question58: Which of the following is the PRIMARY protocol for protecting outbound content from tampering and eavesdropping?

Question59: Which type of losing BEST determines whether a now system meets business requirements and is ready to be placed into production?

Question60: An IS auditor is reviewing an organization's primary router access control list. Which of the Mowing should result in a finding'

Question61: Which of the following is me GREATE ST impact as a result of the ongoing deterioration of a detective control?

Question62: During a review of IT service desk practices, an IS auditor notes that help desk personnel are spending more time fulfilling user requests (or password resets than resolving critical incidents. Which of the following recommendations to IT management would BEST address this situation?

Question63: Which of the following is the BEST way to sanitize a hard disk for reuse to ensure the organization's information cannot be accessed?

Question64: During an audit of an organization's risk management practices, an IS auditor finds several documented IT risk acceptances have not been renewed in a timely manner after the assigned expiration date When assessing the seventy of this finding, which mitigating factor would MOST significantly minimize the associated impact?

Question65: Which of the following is the BEST source of information for an IS auditor to use as a baseline to assess the adequacy of an organization's privacy policy?

Question66: Which of the following should be the PRIMARY basis for procedures to dispose of data securely?

Question67: An IS auditor observes that a business-critical application does not currently have any level of fault tolerance Which of the following is the GREATEST concern with this situation?

Question68: The MOST important function of a business continuity plan (BCP) is to.

Question69: What is BEST for an IS auditor lo review when assessing the effectiveness of changes recently made to processes and tools related to an organization's business continuity plan (BCP)?

Question70: Which of the following is the PRIMARY concern when negotiating a contract for a hot site?

Question71: The use of which of the following would BEST enhance a process improvement program?

Question72: When reviewing the functionality of an intrusion detection system (IDS), the IS auditor should be MOST concerned if:

Question73: An IS auditor is executing a risk-based IS audit strategy to ensure that key areas are audited Which of the following should be of GREATEST concern to the auditor?

Question74: Which of the following is the GREATEST risk associated with lack of IT involvement in the organization's strategic planning initiatives?

Question75: Which of the following is the PRIMARY reason to follow a configuration management process to maintain applications?

Question76: Which of the following provides IS audit professionals with the BEST source of direction for performing audit functions?

Question77: An organization is disposing of a system containing sensitive data and has deleted all files from the hard disk.
An IS auditor should be concerned because:

Question78: During an audit of identity and access management, an IS auditor finds that the engagement audit plan does not include the testing of controls that regulate access by third parties. Which of the following would be the auditor's BEST course of action?

Question79: An IS auditor has completed the fieldwork phase of a network security review and is preparing the initial following findings should be ranked as the HIGHEST risk?

Question80: Which of the following is MOST important for an IS auditor to confirm when reviewing an organization's plans to implement robotic process automation (RPA> to automate routine business tasks?

Question81: The performance, risks, and capabilities of an IT infrastructure are BEST measured using a:

Question82: An IS auditor will be testing accounts payable controls by performing data analytics on the entire population of transactions. Which of the following is MOST important for the auditor to confirm when sourcing the population data?

Question83: The PRIMARY benefit of information asset classification is that it:

Question84: An organization has recently implemented a Voice-over IP (VoIP) communication system. Which of the following should be the IS auditor's PRIMARY concern?

Question85: The use of cookies constitutes the MOST significant security threat when they are used for:

Question86: Which of the following should be of GREATEST concern for an IS auditor reviewing an organization's bring your own device (BYOD) policy?

Question87: Winch of the following MOST effectively minimizes downtime during system conversions?

Question88: Which of the following provides the MOST reliable audit evidence on the validity of transactions in a financial application?

Question89: For an organization that has plans to implement web-based trading, it would be MOST important for an IS auditor to verify the organization s information security plan includes:

Question90: The risk of communication failure in an e-commerce environment is BEST minimized through the use of:

Question91: Which of the following security risks can be reduced by a property configured network firewall?

Question92: The PRIMARY objective of value delivery in reference to IT governance is to:

Question93: Management has decided to include a compliance manager in the approval process for a new business that may require changes to tie IT infrastructure. Which of the following is the GREATEST benefit of this approach?

Question94: Which of the following is the BEST way to determine whether a test of a disaster recovery plan (DRP) was successful?

Question95: An IS auditor discovers an option in a database that allows the administrator to directly modify any table This option is necessary to overcome Dugs in the software, but is rarely used Changes to tables are automatically logged The IS auditors FIRST action should be to:

Question96: Which of the following is MOST important for an IS auditor to consider when performing the risk assessment prior to an audit engagement?

Question97: During the evaluation of controls over a major application development project, the MOST effective use of an IS auditor's time would be to review and evaluate:

Question98: A new regulation requires organizations to report significant security incidents to the regulator within 24 hours of identification. Which of the following is the IS auditor s BEST recommendation to facilitate compliance with the regulation?

Question99: In order to be useful, a key performance indicator (KPI) MUST

Question100: Which of the following is the BEST way to address potential data privacy concerns associated with inadvertent disclosure of machine identifier information contained within security logs?

Question101: During a review of an organization's network threat response process, the IS auditor noticed that the majority of alerts were closed without resolution. Management responded that those alerts were unworkable doe to lack of actionable intelligence, and therefore the support team is allowed to dose them. What is the BEST way for the auditor to address this

Question102: Which of the following is the GREATEST risk associated with conducting penetration testing on a business-critical application production environment?

Question103: What IS the GREATEST concern for an IS auditor reviewing contracts tor licensed software tut executes a critical business process?

Question104: An IS auditor is reviewing the release management process for an in-house software development solution. In which environment is the software version MOST likely to be the same as production?

Question105: Which of the following would be MOST effective to protect information assets in a data center from theft by a vendor?

Question106: Which of the following security assessment techniques attempts to exploit a system's open ports?

Question107: In the case of a disaster where the data center is no longer available which of the following tasks should be done FIRST?

Question108: An organization's security policy mandates that all new employees must receive appropriate security awareness training. Which of the following metrics would BEST assure compliance with this policy?

Question109: From an IS auditor's perspective. which of the following would be the GREATEST risk associated with an Incomplete Inventory of deployed software In an organization?

Question110: Which of the following is The BEST use of a maturity model in a small organization?

Question111: Which of the following is MOST important for an IS auditor to consider when planning an assessment of the organization's end-user computing (EUC) program?

Question112: An advantage of object-oriented system development is that it:

Question113: An IS auditor suspects an organization's computer may have been used to commit a crime Which of the following is the auditor's BEST course of action?

Question114: An organization has developed mature risk management practices that are followed across all departments What is the MOST effective way for the audit team to leverage this risk management maturity?

Question115: Batch processes running in multiple countries are merged to one batch job to be executed in a single data center. Which of the following is the GREATEST concern with this approach?

Question116: Which of the following is the BEST way to mitigate the impact of ransomware attacks?

Question117: Code changes are compiled and placed in a change folder by the developer. An implementation learn migrates changes to production from the change folder. Which of the following BEST indicates separation of duties is in place during the migration process?

Question118: An organization is shifting to a remote workforce. In preparation, the IT department is performing stress and capacity testing of remote access infrastructure and systems. What type of control is being implemented?

Question119: Which of the following is MOST important for an IS auditor to verify when evaluating an organization's firewall?

Question120: When testing the adequacy of tape backup procedures which step BEST verities that regularly scheduled backups are timely and run to completion?

Question121: The BEST way to determine whether programmers have permission to alter data in the production environment is by reviewing:

Question122: Which of the following concerns is BEST addressed by securing production source libraries?

Question123: What is the PRIMARY reason to adopt a risk-based IS audit strategy?

Question124: Which cloud deployment model is MOST likely to be limited in scalability?

Question125: Which of the following is an advantage of using agile software development methodology over the waterfall methodology?

Question126: Which of the following is the BEST indicator that an application system's agreed-upon level of service has been met?

Question127: An organization's strategy to source certain IT functions from a Software as a Service (SaaS) provider should be approved by the:

Question128: Which of the following is the BEST reason for an organization to use clustering?

Question129: Which of the following is the PRIMARY benefit of performing a maturity model assessment'?

Question130: An IS auditor reviewing a project to acquire an IT-based solution learns the risk associated with project failure has been assessed as high. What is the auditor's BEST course of action?

Question131: Which of the following observations would an IS auditor consider the GREATEST risk when conducting an audit of a virtual server farm for potential software vulnerabilities?

Question132: When reviewing tin organization's information security policies. an IS auditor should verily that the polices have been defined PRIMARILY on the basis of

Question133: Which of the following BEST helps to ensure data integrity across system interfaces?

Question134: Which of the following metrics would BEST measure the agility of an organization's IT function?

Question135: Which of the following is MOST useful for determining whether the goals of IT are aligned with the organization's goals?

Question136: An IS auditor finds that capacity management key a key system is being performed by IT with no input from the business. The auditor s PRIMARY concern would be

Question137: Which of the following provides the BEST evidence of the effectiveness of an organization s audit quality management procedures?

Question138: Which of the following is MOST helpful in preventing a systems failure from occurring when an application is replaced using the abrupt changeover technique?

Question139: Which of the following BEST determines if a batch update job was successfully executed?

Question140: When an IS audit reveals that a firewall was unable to recognize a number of attack attempts the auditor's BEST recommendation Is to place an Intrusion detection system ID between the firewall and:

Question141: Which of the following is necessary for effective risk management in IT governance?

Question142: Following the sale of a business division, employees will be transferred to a new organization, but they will retain access to IT equipment from the previous employer An IS auditor has recommended that both organizations agree to and document an acceptable use policy for the equipment What type of control has been recommended?

Question143: The PRIMARY purpose of requiring source code escrow in a contractual agreement is to:

Question144: Which of the following weaknesses would have the GREATEST impact on the effective operation of a perimeter firewall?

Question145: Which of the following should an IS auditor expect to see in a network vulnerability assessment?

Question146: An IS auditor is analysing a sample of assesses recorded on the system log of an application. The auditor intends to launch an intensive investigation if one exception is found. Which sampling method would be appropriate?

Question147: An IS auditor is reviewing security controls related to collaboration to unit responsible for intellectual property and patents. Which of the following observations should be of MOST concern to the auditor?

Question148: Which of the following is the MOST likely reason an organization would use Platform as a Service (PaaS)?

Question149: An IS auditor is reviewing logical access controls for an organization's financial business application Which of the following findings should be of GREATEST concern to the auditor?

Question150: Which of the following is MOST important for an IS auditor to review when evaluating the accuracy of a spreadsheet that contains several macros?

Question151: An organization allows employees to retain confidential data on personal mobile devices Which of the following is the BEST recommendation to mitigate the risk of data leakage from lost or stolen devices?

Question152: Which of the following is the MOST important benefit of involving IS audit when implementing governance of enterprise IT?

Question153: Which of the following is the PRIMARY basis on which audit objectives are established?

Question154: A post-implementation review was conducted by issuing a survey to users. Which of the following should be of GREATEST concern to an IS auditor?

Question155: During a security audit, an IS auditor is tasked with reviewing log entries obtained from an enterprise intrusion prevention system (IPS). Which type of risk would d be associated with the potential for the auditor to miss a sequence of togged events that could indicate an error in the IPS configuration?

Question156: When developing a business continuity plan (BCP), which of the following should be performed FIRST?

Question157: In an environment where development and IT operations teams are integrated (DevOps). which of the following approaches provides the BEST assurance for the automatic deployment of code into production?

Question158: When responding to an ongoing denial of service (DoS) attack, an organization's FIRST course of action should be to:

Question159: An organization plans to receive an automated data feed into its enterprise data warehouse from a third-party service provider. Which of the following would be the BEST way to prevent accepting bad data?

Question160: To confirm integrity for a hashed message the receiver should use:

Question161: Which of the following is the MOST useful information for an IS auditor to review when formulating an audit plan for the organization's outsourced service provider?

Question162: An IS auditor finds that the process for removing access for terminated employees is not documented What is the MOST significant risk from this observation?

Question163: Which of the following would BEST help to ensure the availability of data stored with a cloud provider?

Question164: A manager identifies active privileged accounts belonging to staff who have left the organization. Which of the following is the threat actor In this scenario?

Question165: Which of the following audit procedures would be MOST conclusive in evaluating the effectiveness of an e-commerce application system's edit routine?

Question166: When auditing the alignment of IT to the business strategy, it is MOST important (or the IS auditor to:

Question167: Which of the following is an IS auditor's BEST recommendation to help an organization increase the efficiency of computing resources?

Question168: Stress testing should ideally be carried out under a:

Question169: Which of the following is the GREATEST security risk associated with data migration from a legacy human resources (HR) system to a cloud-based system''

Question170: An IS auditor notes that not all security tests were completed for an online sales system recently promoted to production. Which of the following is the auditor's BEST course of action?

Question171: During the implementation of a new system, an IS auditor must assess whether certain automated calculations comply with the regulatory requirements. Which of the following is the BEST way to obtain this assurance?

Question172: Which of the following is the MOST effective approach in assessing the quality of modifications made to financial software?

Question173: Which of the following BEST facilitates the legal process in the event of an incident?

Question174: Which of the following is the BEST compensating control when segregation of duties is lacking in a small IS department?

Question175: Which of the following observations noted during a review of the organization s social media practices should be of MOST concern to the IS auditor?

Question176: Which of the following would be MOST useful to an IS auditor confirming that an IS department meets its service level agreements (SLAs)?

Question177: Which of the following should be the FRST step when developing a data toes prevention (DIP) solution for a large organization?

Question178: An IS auditor is reviewing an organization's information asset management process. Which of the following would be of GREATEST concern to the auditor?

Question179: While auditing a small organization's data classification processes and procedures, an IS auditor noticed that data is often classified at the incorrect level What is the MOST effective way for the organization to improve this situation?

Question180: Which of the following is the MOST effective control for protecting the confidentiality and integrity of data stored unencrypted on virtual machines?

Question181: AN IS auditor has been asked to perform an assurance review of an organization's mobile computing security.
To ensure the organization is able to centrally manage mobile devices to protect against data disclosure. It is MOST important for the auditor to determine whether:

Question182: What is the BEST control to address SQL injection vulnerabilities?

Question183: Which of the following provides the MOST useful information for performing a business impact analysis (BIA)?

Question184: An IS auditor is reviewing a recent security incident and is seeking information about the approval of a recent modification to a database system's security settings Where would the auditor MOST likely find this information?

Question185: A checksum is classified as which type of control?

Question186: Which of the following is the MOST appropriate control to ensure integrity of online orders?

Question187: Which of the following would be of GREATEST concern to an IS auditor reviewing backup and recovery controls?

Question188: When reviewing an organization's IT governance processes, which of the following provides the BEST Indication tut Information security expectations are being met at all levels?

Question189: As part of an audit response, an auditee has concerns with the recommendations and is hesitant to implement them. Which of the following would be the BEST course of action for the IS auditor?

Question190: Which of the following business continuity activities prioritizes the recovery of critical functions?

Question191: Which of the following attack techniques win succeed because of an inherent security weakness in an Internet firewall?

Question192: Which of the following would MOST effectively help to reduce the number of repealed incidents in an organization?

Question193: Prior to the of acquired software into production, it is MOST important that the IS auditor review the:

Question194: Which of the following would an IS auditor consider the GREATEST risk associated with a mobile workforce environment?

Question195: A company converted its payroll system from an external service to an internal package Payroll processing in April was run in parallel. To validate the completeness of data after the conversion, which of the following comparisons from the old to the new system would be MOST effective?

Question196: Which of the following is the MOST effective way to maintain network integrity when using mobile devices?

Question197: Documentation of workaround processes to keep a business function operational during recovery of IT systems is a core part of a:

Question198: During the implementation of an upgraded enterprise resource planning (ERP) system, which of the following is the MOST important consideration for a go-live decision?

Question199: Which of the following is the MOST appropriate role for an IS auditor assigned as a team member for a software development project?

Question200: An accounting department uses a spreadsheet lo calculate sensitive financial transactions Which of the following is the MOST important control for maintaining the security of data m the spreadsheet?

Question201: An IS auditor would MOST likely recommend that IT management use a balanced scorecard to

Question202: A review of Internet security disclosed that users have individual user accounts with Internet service providers (ISPs) and use these accounts for downloading business data. The organization wants to ensure that only the corporate network is used. The organization should FIRST:

Question203: In an online application which of the following would provide the MOST information about the transaction audit trail?

Question204: An organization shares some of its customers' personally Identifiable Information (PH) with third-party suppliers for business purposes. What is MOST important for the IS auditor to evaluate to ensure that risk associated with leakage of privacy-related data during transmission is effectively managed?

Question205: Which of the following would be MOST useful when analyzing computer performance?

Question206: An organization has begun using social media to communicate with current and potential clients. Which of the following should be of PRIMARY concern to the auditor?

Question207: An organization's software developers need access to personally identifiable information (Pll) stored in a particular data format. Which of the following is the BEST way to protect this sensitive information while allowing the developers to use it in development and test environments?

Question208: Which type of control has been established when an organization implements a security information and event management (SIEM) system?

Question209: A system administrator recently informed the IS auditor about the occurrence of several unsuccessful intrusion attempts from outside the organization. Which of the following is MOST effective in detecting such an intrusion?

Question210: Which of the following is MOST important to include within a business continuity plan (BCP) so that backup and replication is configured in a way that ensures data availability?

Question211: Which of the following is the GREATEST risk associated with utilizing spreadsheets for financial reporting in end-user computing (EUC)?

Question212: Which of the following is an example of a preventative control in an accounts payable system?

Question213: During an operational audit of a biometric system used to control physical access, which of the following should be of GREATEST concern to an IS auditor?

Question214: Which of the following indicates that an internal audit organization is structured to support the independence and clarity of the reporting process?

Question215: During an IT governance audit, an IS auditor notes that IT policies and procedures are not regularly reviewed and updated. The GREATEST concern to the IS auditor is that policies and procedures might not:

Question216: An IS auditor notes that several employees are spending an excessive amount of time using social media sites for personal reasons. Which of the following should the auditor recommend be performed FIRST?

Question217: Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?

Question218: Invoking a business continuity plan (BCP) is demonstrating which type of control?

Question219: Which of the following BEST enables system resiliency for an e-commerce organization that requires a low recovery time objective (RTO) and a few recovery point objective (RPO)?

Question220: Which of the following types of firewalls provide the GREATEST degree of control against hacker intrusion?

Question221: An organization is considering allowing users to conned personal devices to the corporate network. Which of the following should be done FIRST?

Question222: Which of the following establishes the role of the internal audit function?

Question223: IT disaster recovery lime objectives (RTOs) should be based on the:

Question224: Which of the following is the BEST source of information for an IS auditee of to use when determining whether an organization's information security policy is adequate?

Question225: Which of the following is MOST important for an IS auditor to confirm when conducting a review of an active-active application cluster configuration?

Question226: An IS auditor Is reviewing an organization's business continuity plan (BCP) following a change in organizational structure with significant impact to business processes Which of the following findings should be me auditor's GREATEST concern?

Question227: Which of the following would BEST determine whether a post-implementation review (PIR) performed by the project management office (PMO) was effective'

Question228: Which of the following approaches will ensure recovery lime objectives (RTOs) are met for an organization's disaster recovery plan (DRP)?

Question229: An IS audit reveals that an organization is not proactively addressing known vulnerabilities. Which of the following should the IS auditor recommend the organization do FIRST?

Question230: Which of the following is the BEST data integrity check?

Question231: An organization seeks to control costs related to storage media throughout the information life cycle while still meeting business and regulatory requirements. Which of the following is the BEST way to achieve this objective?

Question232: Which of the following is a characteristic of a single mirrored data center used for disaster recovery?

Question233: An IS auditor is planning an audit of an organization's accounts payable processes. Which of the following controls is I to assess m the audit?

Question234: Which of the following is the PRIMARY purpose of conducting an IS audit follow-up?

Question235: Which of the following should be done FIRST when developing a business continuity plan (BCP)?

Question236: To lest the integrity of the data in the accounts receivable master file, an IS auditor is particularly interested in reviewing customers with balances over 400,000. The selection technique the IS auditor would use to obtain such a sample is called:

Question237: When conducting a post-implementation review of a new software application, an IS auditor should be MOST concerned with an increasing number of

Question238: Which of the following provides the MOST comprehensive description of IT's role in an organization?

Question239: A small startup organization does not have the resources to implement segregation of duties. Which of the following is the MOST effective compensating control?

Question240: Which of the following approaches would BEST ensure that data protection controls are embedded into software being developed?

Question241: Which of the following should be done by an IS auditor during a post-implementation review of a critical application that has been operational for six months''

Question242: Which of the following is MOST important for an IS auditor to verify when reviewing the use of an outsourcer for disposal of storage media?

Question243: Which of the following system conversion strategies provides the GREATEST redundancy?

Question244: Which of the following is the GREATEST risk if two users have concurrent access to the same database record?

Question245: During an exit interview, senior management disagrees with some of the facts presented in the draft audit report and wants them removed from tie report. Which of the blowing would be the auditor's BEST course of action?

Question246: Which of the following is the MOST important determining factor when establishing appropriate timeframes for follow-up activities related to audit findings?

Question247: Which type of attack poses the GREATEST risk to an organization's most sensitive data?

Question248: During an audit of an organization's financial statements, an IS auditor finds that the IT general controls are deficient. What should the IS auditor recommend?

Question249: An IS auditor following up on prior period items and finds management did not address an audit finding.
Which of the following should be the IS auditor's NEXT course of action?