Question1: Which of the following responsibilities of an organization's quality assurance (QA) function should raise concern for an IS auditor?
Question2: Which of the following presents the GREATEST risk of data leakage in the cloud environment?
Question3: The BEST way to provide assurance that a project is adhering to the project plan is to:
Question4: Which of the following is the PRIMARY reason for an IS auditor to conduct post-implementation reviews?
Question5: A manager Identifies active privileged accounts belonging to staff who have left the organization. Which of the following is the threat actor In this scenario?
Question6: Which of the following BEST describes a digital signature?
Question7: A checksum is classified as which type of control?
Question8: Which of the following is the BEST way to sanitize a hard disk for reuse to ensure the organization's information cannot be accessed?
Question9: Which of the following is MOST important to define within a disaster recovery plan (DRP)?
Question10: A finance department has a multi-year project to upgrade the enterprise resource planning (ERP) system hosting the general ledger. and in year one, the system version upgrade will be applied. Which of the following should be the PRIMARY focus of the IS auditor reviewing the first year of the project?
Question11: Which of the following are used in a firewall to protect the entity's internal resources?
Question12: Which of the following would be of GREATEST concern when reviewing an organization's security information and event management (SIEM) solution?
Question13: An organization is concerned about duplicate vendor payments on a complex system with a high volume of transactions. Which of the following would be MOST helpful to an IS auditor to determine whether duplicate vendor payments exist?
Question14: An organization has outsourced its data processing function to a service provider. Which of the following would BEST determine whether the service provider continues to meet the organization s objectives?
Question15: An IS auditor finds the log management system is overwhelmed with false positive alerts. The auditor's BEST recommendation would be to:
Question16: During which phase of the software development life cycle is it BEST to initiate the discussion of application controls?
Question17: During the discussion of a draft audit report. IT management provided suitable evidence fiat a process has been implemented for a control that had been concluded by the IS auditor as Ineffective. Which of the following is the auditor's BEST action?
Question18: Which of the following is a PRIMARY responsibility of an IT steering committee?
Question19: In a 24/7 processing environment, a database contains several privileged application accounts with passwords set to never expire. Which of the following recommendations would BEST address the risk with minimal disruption to the business?
Question20: An organization is shifting to a remote workforce In preparation the IT department is performing stress and capacity testing of remote access infrastructure and systems What type of control is being implemented?
Question21: Which of the following should be the PRIMARY role of an internal audit function in the management of identified business risks?
Question22: An IS auditor is reviewing the release management process for an in-house software development solution. In which environment Is the software version MOST likely to be the same as production?
Question23: An IS auditor is reviewing an organization's business intelligence infrastructure. The BEST recommendation to help the organization achieve a reasonable level of data quality would be to:
Question24: An IS audit reveals an IT application is experiencing poor performance including data inconsistency and integrity issues. What is the MOST likely cause?
Question25: Capacity management tools are PRIMARILY used to ensure that:
Question26: Which of the following would provide the MOST important input during the planning phase for an audit on the implementation of a bring your own device (BYOD) program?
Question27: An internal audit team is deciding whether to use an audit management application hosted by a third party in a different country.
What should be the MOST important consideration related to the uploading of payroll audit documentation in the hosted application?
Question28: When planning an audit to assess application controls of a cloud-based system, it is MOST important tor the IS auditor to understand the.
Question29: What Is the BEST method to determine if IT resource spending is aligned with planned project spending?
Question30: An IS auditor finds that while an organization's IT strategy is heavily focused on research and development, the majority of protects n the IT portfolio focus on operations and maintenance. Which of the Mowing is the BEST recommendation?
Question31: An IS auditor discovers an option in a database that allows the administrator to directly modify any table. This option is necessary to overcome bugs in the software, but is rarely used. Changes to tables are automatically logged. The IS auditor's FIRST action should be to:
Question32: Which of the following provides IS audit professionals with the BEST source of direction for performing audit functions?
Question33: Which of the following is MOST important to consider when assessing the scope of privacy concerns for an IT project?
Question34: An organization has replaced all of the storage devices at its primary data center with new higher-capacity units The replaced devices have been installed at the disaster recovery site to replace older units An IS auditor s PRIMARY concern would be whether
Question35: Which of the following provides an IS auditor assurance that the interface between a point-of-sale (POS) system and the general ledger is transferring sales data completely and accurately?
Question36: Which of the following BEST protects an organization's proprietary code during a joint-development activity involving a third party?
Question37: During a project assessment, an IS auditor finds that business owners have been removed from the project initiation phase. Which of the following should be the auditor's GREATEST concern with this situation?
Question38: Which of the following is an IS auditor's BEST recommendation to mitigate the risk of eavesdropping associated with an application programming interface (API) integration implementation?
Question39: What should be the PRIMARY basis for selecting which IS audits to perform in the coming year?
Question40: Malicious program code was found in an application and corrected prior to release into production. After the release, the same issue was reported. Which of the following is the IS auditor's BEST recommendation?
Question41: A data center's physical access log system captures each visitor's identification document numbers along with the visitor's photo. Which of the following sampling methods would be MOST useful to an IS auditor conducting compliance testing for the effectiveness of the system?
Question42: Which of the following is the PRIMARY purpose of obtaining a baseline image during an operating system audit?
Question43: Which of the following is the MOST important advantage of participating in beta testing of software products?
Question44: Which of the following is the PRIMARY reason for an IS auditor to perform a risk assessment?
Question45: A new system is being developed by a vendor for a consumer service organization. The vendor will provide its proprietary software once system development is completed Which of the following is the MOST important requirement to include In the vendor contract to ensure continuity?
Question46: Which of the following is the BEST control to mitigate the malware risk associated with an instant messaging (IM) system?
Question47: When reviewing an organization's information security policies, an IS auditor should verify that the policies have been defined PRIMARILY on the basis of:
Question48: Which of the following is MOST critical to the success of an information security program?
Question49: Which of the following is MOST helpful for an IS auditor to review when evaluating an organizations business process that are supported by applications and IT systems?
Question50: An IS auditor has found that an organization is unable to add new servers on demand in a cost-efficient manner. Which of the following is the auditor's BEST recommendation?
Question51: Which of the following should be the MOST important consideration when conducting a review of IT portfolio management?
Question52: An organization uses public key infrastructure (PKI) to provide email security. Which of the following would be the MOST efficient method to determine whether email messages have been modified in transit?
Question53: An organization implemented a cybersecurity policy last year Which of the following is the GREATE ST indicator that the policy may need to be revised?
Question54: When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor's BEST recommendation is to place an intrusion detection system (IDS) between the firewall and:
Question55: Which of the following provides the BE ST method for maintaining the security of corporate applications pushed to employee-owned mobile devices?
Question56: Which of the following should be of GREATEST concern to an IS auditor who is assessing an organization's configuration and release management process?
Question57: What is the MAIN reason to use incremental backups?
Question58: Compared to developing a system in-house, acquiring a software package means that the need for testing by end users is:
Question59: Which type of attack poses the GREATEST risk to an organization's most sensitive data?
Question60: Which of the following is MOST critical for the effective implementation of IT governance?
Question61: An IS auditor is reviewing the service agreement with a technology company that provides IT help desk services to the organization. Which of the following monthly performance metrics is the BEST indicator of service quality?
Question62: Which of the following is MOST useful to an IS auditor performing a review of access controls for a document management system?
Question63: Which of the following is the BEST source of information tor an IS auditor to use when determining whether an organization's information security policy is adequate?
Question64: An IS auditor Is renewing the deployment of a new automated system Which of the following findings presents the MOST significant risk?
Question65: Which of the following should an IS auditor ensure is classified at the HIGHEST level of sensitivity?
Question66: An IS department is evaluated monthly on its cost-revenue ratio user satisfaction rate, and computer downtime This is BEST zed as an application of.
Question67: Which of the following is the BEST recommendation to include in an organization's bring your own device (BYOD) policy to help prevent data leakage?
Question68: Which of the following is the BEST indication that there are potential problems within an organization's IT service desk function?
Question69: While evaluating the data classification process of an organization, an IS auditor's PRIMARY focus should be on whether:
Question70: Which of the following is the PRIMARY advantage of parallel processing for a new system implementation?
Question71: Which of the following would be an IS auditor's GREATEST concern when reviewing the early stages of a software development project?
Question72: During an audit of an organization's risk management practices, an IS auditor finds several documented IT risk acceptances have not been renewed in a timely manner after the assigned expiration date When assessing the seventy of this finding, which mitigating factor would MOST significantly minimize the associated impact?
Question73: Which of the following is the GREATEST benefit of adopting an international IT governance framework rather than establishing a new framework based on the actual situation of a specific organization1?
Question74: An IS auditor is conducting a post-implementation review of an enterprise resource planning (ERP) system.
End users indicated concerns with the accuracy of critical automatic calculations made by the system. The auditor's FIRST course of action should be to:
Question75: Which of the following would provide an IS auditor with the GREATEST assurance that data disposal controls support business strategic objectives?
Question76: During an ongoing audit, management requests a briefing on the findings to date. Which of the following is the IS auditor's BEST course of action?
Question77: Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system.
Which of the following is the IS auditor's BEST recommendation for a compensating control?
Question78: Which of the following is MOST important for an IS auditor to verify when evaluating an organization's data conversion and infrastructure migration plan?
Question79: Which of the following is an IS auditor's BEST recommendation to protect an organization from attacks when its file server needs to be accessible to external users?
Question80: Which of the following should an organization do to anticipate the effects of a disaster?
Question81: The PRIMARY focus of a post-implementation review is to verify that:
Question82: What should an IS auditor do FIRST upon discovering that a service provider did not notify its customers of a security breach?
Question83: What is the BEST way to reduce the risk of inaccurate or misleading data proliferating through business intelligence systems?
Question84: During an IT governance audit, an IS auditor notes that IT policies and procedures are not regularly reviewed and updated. The GREATEST concern to the IS auditor is that policies and procedures might not:
Question85: IS management has recently disabled certain referential integrity controls in the database management system (DBMS) software to provide users increased query performance. Which of the following controls will MOST effectively compensate for the lack of referential integrity?
Question86: An IS auditor is verifying the adequacy of an organization's internal controls and is concerned about potential circumvention of regulations. Which of the following is the BEST sampling method to use?
Question87: Which of the following is the BEST way to prevent social engineering incidents?
Question88: An internal audit department recently established a quality assurance (QA) program. Which of the following activities Is MOST important to include as part of the QA program requirements?
Question89: Which of the following findings should be of GREATEST concern to an IS auditor performing a review of IT operations?
Question90: Which of the following is the MOST important activity in the data classification process?
Question91: Which of the following is the PRIMARY benefit of a tabletop exercise for an incident response plan?
Question92: During audit framework. an IS auditor teams that employees are allowed to connect their personal devices to company-owned computers. How can the auditor BEST validate that appropriate security controls are in place to prevent data loss?
Question93: A programmer has made unauthorized changes lo key fields in a payroll system report. Which of the following control weaknesses would have contributed MOST to this problem?
Question94: An organization is concerned with meeting new regulations for protecting data confidentiality and asks an IS auditor to evaluate their procedures for transporting data. Which of the following would BEST support the organization's objectives?
Question95: A national tax administration agency with a distributed network experiences service disruptions due to a large influx of traffic to a regional office near the end of each year. Which of the following would BEST enable the agency to improve the performance of its servers during the busy period?
Question96: Which of the following is MOST important for an IS auditor to confirm when reviewing an organization's plans to implement robotic process automation (RPA> to automate routine business tasks?
Question97: Which of the following BEST protects evidence in a forensic investigation?
Question98: A database administrator (DBA) should be prevented from having end user responsibilities:
Question99: Which of the following would be MOST effective to protect information assets in a data center from theft by a vendor?
Question100: Which of the following should be the GREATEST concern to an IS auditor reviewing an organization's method to transport sensitive data between offices?
Question101: When a data center is attempting to restore computing facilities at an alternative site following a disaster, which of the following should be restored FIRST?
Question102: What is the BEST control to address SQL injection vulnerabilities?
Question103: Which of the following are BEST suited for continuous auditing?
Question104: Which of the following BEST minimizes performance degradation of servers used to authenticate users of an e-commerce website?
Question105: A system administrator recently informed the IS auditor about the occurrence of several unsuccessful intrusion attempts from outside the organization. Which of the following is MOST effective in detecting such an intrusion?
Question106: Which of the following fire suppression systems needs to be combined with an automatic switch to shut down the electricity supply in the event of activation?
Question107: Which of the following is the BEST testing approach to facilitate rapid identification of application interface errors?
Question108: Which of the following helps to ensure the integrity of data for a system interface?
Question109: Which of the following is MOST important to verify when determining the completeness of the vulnerability scanning process?
Question110: A core system fails a week after a scheduled update, causing an outage that impacts service. Which of the following is MOST important for incident management to focus on when addressing the issue?
Question111: Which of the following information security requirements BE ST enables the tracking of organizational data in a bring your own device (BYOD) environment?
Question112: Which of the following BEST enables an organization to improve the visibility of end-user computing (EUC) applications that support regulatory reporting?
Question113: When physical destruction IS not practical, which of the following is the MOST effective means of disposing of sensitive data on a hard disk?
Question114: When auditing the closing stages of a system development protect which of the following should be the MOST important consideration?
Question115: The PRIMARY benefit lo using a dry-pipe fire-suppression system rather than a wet-pipe system is that a dry-pipe system:
Question116: Which of the following is the MOST effective control to mitigate unintentional misuse of authorized access?
Question117: Which of the following should an IS auditor review when evaluating information systems governance for a large organization?
Question118: Which of the following is MOST useful when planning to audit an organization's compliance with cybersecurity regulations in foreign countries?
Question119: Which of the following should be of MOST concern to an IS auditor reviewing the information systems acquisition, development, and implementation process?
Question120: An IS auditor finds that capacity management for a key system is being performed by IT with no input from the business The auditor's PRIMARY concern would be:
Question121: Which of the following would BEST help to ensure that an incident receives attention from appropriate personnel in a timely manner?
Question122: Which of the following should be of GREATEST concern to an IS auditor reviewing an organization's business continuity plan (BCP)?
Question123: Which of the following is the GREATEST advantage of outsourcing the development of an e-banking solution when in-house technical expertise is not available?
Question124: An organization has made a strategic decision to split into separate operating entities to improve profitability.
However, the IT infrastructure remains shared between the entities. Which of the following would BEST help to ensure that IS audit still covers key risk areas within the IT environment as part of its annual plan?
Question125: Afire alarm system has been installed in the computer room The MOST effective location for the fire alarm control panel would be inside the
Question126: As part of business continuity planning, which of the following is MOST important to assess when conducting a business impact analysis (B1A)?
Question127: Prior to a follow-up engagement, an IS auditor learns that management has decided to accept a level of residual risk related to an audit finding without remediation. The IS auditor is concerned about management's decision. Which of the following should be the IS auditor's NEXT course of action?
Question128: Which of the following should be restricted from a network administrator's privileges in an adequately segregated IT environment?
Question129: An IS auditor finds that application servers had inconsistent security settings leading to potential vulnerabilities. Which of the following is the BEST recommendation by the IS auditor?
Question130: The PRIMARY purpose of a configuration management system is to:
Question131: Which of the following would BEST detect that a distributed denial of service (DDoS) attack is occurring?
Question132: A proper audit trail of changes to server start-up procedures would include evidence of:
Question133: An organization relies on an external vendor that uses a cloud-based Software as a Service (SaaS) model to back up its data. Which of the following is the GREATEST risk to the organization related to data backup and retrieval?
Question134: Which of the following is the BEST audit procedure to determine whether a firewall is configured in compliance with the organization's security policy?
Question135: Which of the following is the BEST methodology to use for estimating the complexity of developing a large business application?
Question136: Which of the following is the MOST effective method of destroying sensitive data stored on electronic media?
Question137: Which of the following physical controls provides the GREATEST assurance that only authorized individuals can access a data center?
Question138: Which of the following is MOST important with regard to an application development acceptance test?
Question139: A small business unit is implementing a control self-assessment (CSA) program and leveraging the internal audit function to test its internal controls annually. Which of the following is the MOST significant benefit of this approach?
Question140: Which of the following is the BEST way to address segregation of duties issues in an organization with budget constraints?
Question141: Which of the following findings from an IT governance review should be of GREATEST concern?
Question142: Which type of review is MOST important to conduct when an IS auditor is informed that a recent internal exploitation of a bug has been discovered in a business application?
Question143: With regard to resilience, which of the following is the GREATEST risk to an organization that has implemented a new critical system?
Question144: Which of following is MOST important to determine when conducing a post-implementation review?
Question145: During a follow-up audit, an IS auditor learns that some key management personnel have been replaced since the original audit, and current management has decided not to implement some previously accepted recommendations. What is the auditor's BEST course of action?
Question146: During the review of a system disruption incident, an IS auditor notes that IT support staff were put in a position to make decisions beyond their level of authority.
Which of the following is the BEST recommendation to help prevent this situation in the future?
Question147: Which of the following would present the GREATEST concern during a review of internal audit quality assurance (QA) and continuous improvement processes?
Question148: What is BEST for an IS auditor to review when assessing the effectiveness of changes recently made to processes and tools related to an organization's business continuity plan (BCP)?
Question149: An IS auditor is evaluating an enterprise resource planning (ERP) migration from local systems to the cloud.
Who should be responsible for the data
classification in this project?
Question150: An IS auditor should be MOST concerned if which of the following fire suppression systems is utilized to protect an asset storage closet?
Question151: An IS auditor is reviewing an organization's information asset management process. Which of the following would be of GREATEST concern to the auditor?
Question152: Which of the following would be MOST effective in detecting the presence of an unauthorized wireless access point on an internal network?
Question153: When is it MOST important for an IS auditor to apply the concept of materiality in an audit?
Question154: Which of the following is the BEST security control to validate the integrity of data communicated between production databases and a big data analytics system?
Question155: Which of the following documents should specify roles and responsibilities within an IT audit organization?
Question156: IT disaster recovery time objectives (RTOs) should be based on the:
Question157: Which of the following is MOST important to consider when developing a service level agreement (SLAP)?
Question158: An IS auditor is reviewing a bank's service level agreement (SLA) with a third-party provider that hosts the bank's secondary data center, which of the following findings should be of GREATEST concern to the auditor?
Question159: An IS auditor has completed the fieldwork phase of a network security review and is preparing the initial following findings should be ranked as the HIGHEST risk?
Question160: Which of the following would be an appropriate rote of internal audit in helping to establish an organization's privacy program?
Question161: Which of the following should an IS auditor use when verifying a three-way match has occurred in an enterprise resource planning (ERR) system?
Question162: A vendor requires privileged access to a key business application. Which of the following is the BEST recommendation to reduce the risk of data leakage?
Question163: Which of the following represents the HIGHEST level of maturity of an information security program?
Question164: Which of the following risk scenarios is BEST addressed by implementing policies and procedures related to full disk encryption?
Question165: A secure server room has a badge reader system that records name, date, and time information whenever a staff member uses a badge to enter or exit. When reviewing the system logs, an IS auditor notices records for some employees entering, but not exiting, the room. Which of the following would be the MOST effective compensating control to recommend?
Question166: Which of the following should an IS auditor consider the MOST significant risk associated with a new health records system that replaces a legacy system?
Question167: Spreadsheets are used to calculate project cost estimates. Totals for each cost category are then keyed into the job-costing system. What is the BEST control to ensure that data is accurately entered into the system?
Question168: An IS auditor is evaluating the access controls for a shared customer relationship management (CRM) system.
Which of the following would be the GREATEST concern?
Question169: After the merger of two organizations, which of the following is the MOST important task for an IS auditor to perform?
Question170: Which of the following is the MOST appropriate and effective fire suppression method for an unstaffed computer room?
Question171: Which of the following would be of GREATEST concern to an IS auditor reviewing an IT strategy document?
Question172: Which of the following is MOST important during software license audits?
Question173: While executing follow-up activities, an IS auditor is concerned that management has implemented corrective actions that are different from those originally discussed and agreed with the audit function. In order to resolve the situation, the IS auditor's BEST course of action would be to:
Question174: A computer forensic audit is MOST relevant in which of the following situations?
Question175: Which of the following is the MOST effective control for protecting the confidentiality and integrity of data stored unencrypted on virtual machines?
Question176: In an online application which of the following would provide the MOST information about the transaction audit trail?
Question177: An IS auditor is reviewing a client's outsourced payroll system to assess whether the financial audit team can rely on the application. Which of the following findings would be the auditor's GREATEST concern?
Question178: Which of the following is MOST important for an IS auditor to determine during the detailed design phase of a system development project?
Question179: An IS auditor is evaluating the risk associated with moving from one database management system (DBMS) to another. Which of the following would be MOST helpful to ensure the integrity of the system throughout the change?
Question180: Management has learned the implementation of a new IT system will not be completed on time and has requested an audit. Which of the following audit findings should be of GREATEST concern?
Question181: During an audit of a financial application, it was determined that many terminated users' accounts were not disabled. Which of the following should be the IS auditor's NEXT step?
Question182: Which of the following should be an IS auditor's GREATEST concern when reviewing an organization's security controls for policy compliance?
Question183: If enabled within firewall rules, which of the following services would present the GREATEST risk?
Question184: A disaster recovery plan (DRP) should include steps for:
Question185: An organization has recently implemented a Voice-over IP (VoIP) communication system. Which ot the following should be the IS auditor's PRIMARY concern?
Question186: Which of the following should an IS auditor recommend be done FIRST when an organization is made aware of a new regulation that is likely to impact IT security requirements?
Question187: Transaction records from a business database were inadvertently deleted, and system operators decided to restore from a snapshot copy. Which of the following provides assurance that the BEST transactions were recovered successfully?
Question188: The charging method that effectively encourages the MOST efficient use of IS resources is:
Question189: Which of the following is the BEST method to safeguard data on an organization's laptop computers?
Question190: Which of the following provides the BEST audit evidence that a firewall is configured in compliance with the organization's security policy?
Question191: Which of the following findings from a database security audit presents the GREATEST risk of critical security exposures?
Question192: Which of the following concerns is BEST addressed by securing production source libraries?
Question193: A company requires that all program change requests (PCRs) be approved and all modifications be automatically logged. Which of the following IS audit procedures will BEST determine whether unauthorized changes have been made to production programs?
Question194: Which of the following conditions would be of MOST concern to an IS auditor assessing the risk of a successful brute force attack against encrypted data at test?
Question195: Which of the following is the MOST important reason to implement version control for an end-user computing (EUC) application?
Question196: When auditing an organization's software acquisition process the BEST way for an IS auditor to understand the software benefits to the organization would be to review the
Question197: Which of the following testing methods is MOST appropriate for assessing whether system integrity has been maintained after changes have been made?
Question198: Which of the following MOST effectively minimizes downtime during system conversions?
Question199: An organization's IT risk assessment should include the identification of:
Question200: An IS auditor notes the transaction processing times in an order processing system have significantly increased after a major release. Which of the following should the IS auditor review FIRST?
Question201: When implementing Internet Protocol security (IPsec) architecture, the servers involved in application delivery:
Question202: An organization's security team created a simulated production environment with multiple vulnerable applications. What would be the PRIMARY purpose of creating such an environment?
Question203: in a post-implantation Nation review of a recently purchased system it is MOST important for the iS auditor to determine whether the:
Question204: Which of the following would lead an IS auditor to conclude that the evidence collected during a digital forensic investigation would not be admissible in court?
Question205: Which of the following is the MOST important area of focus for an IS auditor when developing a risk-based audit strategy?
Question206: An IS auditor discovers that an IT organization serving several business units assigns equal priority to all initiatives, creating a risk of delays in securing project funding Which of the following would be MOST helpful in matching demand for projects and services with available resources in a way that supports business objectives?
Question207: Which of the following would be an IS auditor's GREATEST concern when reviewing the organization's business continuity plan (BCP)?
Question208: Which of the following is the MOST significant impact to an organization that does not use an IT governance framework?
Question209: Which type of attack targets security vulnerabilities in web applications to gain access to data sets?
Question210: An organization is disposing of removable onsite media which contains sensitive information. Which of the following is the MOST effective method to prevent disclosure of sensitive data?
Question211: In a large organization, IT deadlines on important projects have been missed because IT resources are not prioritized properly. Which of the following is the BEST recommendation to address this problem?
Question212: Which of the following would provide the BEST evidence of an IT strategy corrections effectiveness?
Question213: An IS audit reveals that an organization operating in business continuity mode during a pandemic situation has not performed a simulation test of the business continuity plan (BCP). Which of the following is the auditor's BEST course of action?
Question214: An organization allows employees to retain confidential data on personal mobile devices. Which of the following is the BEST recommendation to mitigate the risk of data leakage from lost or stolen devices?
Question215: The BEST way to prevent fraudulent payments is to implement segregation of duties between the vendor setup and:
Question216: Which of the following would BEST manage the risk of changes in requirements after the analysis phase of a business application development project?
Question217: What is the FIRST step when creating a data classification program?
Question218: An IS auditor is reviewing enterprise governance and finds there is no defined organizational structure for technology risk governance. Which of the following is the GREATEST concern with this lack of structure?
Question219: An audit has identified that business units have purchased cloud-based applications without IPs support. What is the GREATEST risk associated with this situation?
Question220: During a database management evaluation an IS auditor discovers that some accounts with database administrator (DBA) privileges have been assigned a default password with an unlimited number of failed login attempts Which of the following is the auditor's BEST course of action?
Question221: Which of the following is the BEST method to prevent wire transfer fraud by bank employees?
Question222: Which of the following should be of GREATEST concern to an IS auditor performing a review of information security controls?
Question223: In which phase of penetration testing would host detection and domain name system (DNS) interrogation be performed?
Question224: An IS auditor is reviewing an organization's primary router access control list. Which of the following should result in a finding?
Question225: Which of the following is MOST important to determine during the planning phase of a cloud-based messaging and collaboration platform acquisition?
Question226: Which of the following BEST helps to ensure data integrity across system interfaces?
Question227: Which of the following should be an IS auditor's GREATEST concern when an international organization intends to roll out a global data privacy policy?
Question228: In order to be useful, a key performance indicator (KPI) MUST
Question229: In the development of a new financial application, the IS auditor's FIRST involvement should be in the:
Question230: Which of the following is the BEST justification for deferring remediation testing until the next audit?
Question231: Which of the following is the MAJOR advantage of automating internal controls?
Question232: Which of the following is the MOST significant risk when an application uses individual end-user accounts to access the underlying database?
Question233: Which of the following will be the MOST effective method to verify that a service vendor keeps control levels as required by the client?
Question234: Which of the following technologies has the SMALLEST maximum range for data transmission between devices?
Question235: Which of the following findings should be of GREATEST concern to an IS auditor reviewing an organization s newly implemented online security awareness program'?
Question236: An IS auditor notes that IT and the business have different opinions on the availability of their application servers. Which of the following should the IS auditor review FIRST in order to understand the problem?
Question237: Which of the following provides the MOST useful information for performing a business impact analysis (B1A)?
Question238: Which of the following Is the BEST way to ensure payment transaction data is restricted to the appropriate users?
Question239: A now regulation requires organizations to report significant security incidents to the regulator within 24 hours of identification. Which of the following is the IS auditor's BEST recommendation to facilitate compliance with the regulation?
Question240: Which of the following is the BEST metric to measure the alignment of IT and business strategy?
Question241: Which of the following is MOST important when implementing a data classification program?
Question242: During an IT general controls audit of a high-risk area where both internal and external audit teams are reviewing the same approach to optimize resources?
Question243: An IS auditor notes that the previous year's disaster recovery test was not completed within the scheduled time frame due to insufficient hardware allocated by a third-party vendor. Which of the following provides the BEST evidence that adequate resources are now allocated to successfully recover the systems?
Question244: Which of the following is the BEST control to prevent the transfer of files to external parties through instant messaging (IM) applications?
Question245: Which of the following would BEST ensure that a backup copy is available for restoration of mission critical data after a disaster''
Question246: Which of the following BEST describes an audit risk?
Question247: Which of the following BEST facilitates the legal process in the event of an incident?
Question248: Which of the following should be the FIRST consideration when deciding whether data should be moved to a cloud provider for storage?
Question249: Which of the following should be an IS auditor's GREATEST consideration when scheduling follow-up activities for agreed-upon management responses to remediate audit observations?
Question250: Coding standards provide which of the following?
Question251: When planning a follow-up, the IS auditor is informed by operational management that recent organizational changes have addressed the previously identified risk and implementing the action plan is no longer necessary.
What should the auditor do NEXT?
Question252: An IS auditor reviewing the threat assessment tor a data center would be MOST concerned if:
Question253: When testing the adequacy of tape backup procedures, which step BEST verifies that regularly scheduled Backups are timely and run to completion?
Question254: An organization that has suffered a cyber-attack is performing a forensic analysis of the affected users' computers. Which of the following should be of GREATEST concern for the IS auditor reviewing this process?
Question255: Which of the following should be an IS auditor's PRIMARY focus when developing a risk-based IS audit program?
Question256: The BEST way to determine whether programmers have permission to alter data in the production environment is by reviewing:
Question257: What is the Most critical finding when reviewing an organization's information security management?
Question258: If a source code is not recompiled when program changes are implemented, which of the following is a compensating control to ensure synchronization of source and object?
Question259: Several unattended laptops containing sensitive customer data were stolen from personnel offices Which of the following would be an IS auditor's BEST recommendation to protect data in case of recurrence?
Question260: An organization has outsourced the development of a core application. However, the organization plans to bring the support and future maintenance of the application back in-house. Which of the following findings should be the IS auditor's GREATEST concern?
Question261: Due to advancements in technology and electronic records, an IS auditor has completed an engagement by email only. Which of the following did the IS auditor potentially compromise?
Question262: Which of the following is the GREATEST security risk associated with data migration from a legacy human resources (HR) system to a cloud-based system?
Question263: Using swipe cards to limit employee access to restricted areas requires implementing which additional control?
Question264: The use of access control lists (ACLs) is the MOST effective method to mitigate security risk for routers because they: (Identify Correct answer and related explanation/references from CISA Certification - Information Systems Auditor official Manual or book)
Question265: Which of the following BEST Indicates that an incident management process is effective?
Question266: An IS auditor has identified deficiencies within the organization's software development life cycle policies.
Which of the following should be done NEXT?
Question267: Which of the following approaches will ensure recovery time objectives (RTOs) are met for an organization's disaster recovery plan (DRP)?
Question268: Which of the following is the BEST data integrity check?
Question269: Which audit approach is MOST helpful in optimizing the use of IS audit resources?
Question270: Which of the following audit procedures would provide the BEST assurance that an application program is functioning as designed?
Question271: An audit identified that a computer system is not assigning sequential purchase order numbers to order requests. The IS auditor is conducting an audit follow-up to determine if management has reserved this finding. Which of two following is the MOST reliable follow-up procedure?
Question272: An IS auditor requests direct access to data required to perform audit procedures instead of asking management to provide the data Which of the following is the PRIMARY advantage of this approach?
Question273: Which of the following is the MOST appropriate indicator of change management effectiveness?
Question274: A credit card company has decided to outsource the printing of customer statements It Is MOST important for the company to verify whether:
Question275: During an audit, an IT finding is agreed upon by all IT teams involved, but no team wants to be responsible for remediation or considers the finding within Its area of responsibility Which of the following is the IS auditor's BEST course of action?
Question276: Which task should an IS auditor complete FIRST during the preliminary planning phase of a database security review?
Question277: Which of the following should an IS auditor be MOST concerned with when a system uses RFID?
Question278: An IS audit learn is evaluating the documentation related to the most recent application user-access review performed by IT and business management It is determined that the user list was not system-generated. Which of the following should be the GREATEST concern?
Question279: Which of the following is MOST useful for determining whether the goals of IT are aligned with the organization's goals?
Question280: Which of the following is the MOST important prerequisite for the protection of physical information assets in a data center?
Question281: An organization's security team created a simulated production environment with multiple vulnerable applications. What would be the PRIMARY purpose of creating such an environment?
Question282: When testing the accuracy of transaction data, which of the following situations BEST justifies the use of a smaller sample size?
Question283: An IS auditor reviewing security incident processes realizes incidents are resolved and closed, but root causes are not investigated. Which of the following should be the MAJOR concern with this situation?
Question284: The decision to accept an IT control risk related to data quality should be the responsibility of the:
Question285: To reduce operational costs, IT management plans to reduce the number of servers currently used to run business applications. Which of the following is MOST helpful to review when identifying which servers are no longer required?
Question286: An IS auditor discovers that validation controls in a web application have been moved from the server side into the browser to boost performance. This would MOST likely increase the risk of a successful attack by:
Question287: Retention periods and conditions for the destruction of personal data should be determined by the.
Question288: Which of the following is the MOST important reason to classify a disaster recovery plan (DRP) as confidential?
Question289: Which of the following is the PRIMARY reason for an IS audit manager to review the work performed by a senior IS auditor prior to presentation of a report?
Question290: Which of the following findings should be of GREATEST concern to an IS auditor assessing the risk associated with end-user computing (EUC) in an organization?
Question291: Which of the following should be of GREATEST concern to an IS auditor reviewing a network printer disposal process?
Question292: Which of the following provides the BEST providence that outsourced provider services are being properly managed?
Question293: Which of the following is MOST important to ensure when planning a black box penetration test?
Question294: Audit frameworks cart assist the IS audit function by:
Question295: An IS auditor is reviewing security controls related to collaboration tools for a business unit responsible for intellectual property and patents. Which of the following observations should be of MOST concern to the auditor?
Question296: Which of the following is MOST important for an IS auditor to verify when reviewing the use of an outsourcer for disposal of storage media?
Question297: In an IT organization where many responsibilities are shared which of the following is the BEST control for detecting unauthorized data changes?
Question298: An information systems security officer's PRIMARY responsibility for business process applications is to:
Question299: An IS auditor determines that the vendor's deliverables do not include the source code for a newly acquired product. To address this issue, which of the following should the auditor recommend be included in the contract?
Question300: Aligning IT strategy with business strategy PRIMARILY helps an organization to:
Question301: An IS auditor is reviewing the perimeter security design of a network. Which of the following provides the GREATEST assurance outgoing Internet traffic is controlled?
Question302: An IS auditor has been asked to audit the proposed acquisition of new computer hardware. The auditor's PRIMARY concern Is that:
Question303: Which of the following should be of GREATEST concern to an IS auditor when auditing an organization's IT strategy development process?
Question304: IT governance should be driven by:
Question305: During the discussion of a draft audit report IT management provided suitable evidence that a process has been implemented for a control that had been concluded by the IS auditor as ineffective Which of the following is the auditor's BEST action?
Question306: Which of the following documents would be MOST useful in detecting a weakness in segregation of duties?
Question307: Following a breach, what is the BEST source to determine the maximum amount of time before customers must be notified that their personal information may have been compromised?
Question308: An IS auditor reviewing a job scheduling tool notices performance and reliability problems. Which of the following is MOST likely affecting the tool?
Question309: An organization has virtualized its server environment without making any other changes to the network or security infrastructure. Which of the following is the MOST significant risk?
Question310: Which of the following is the MOST important benefit of involving IS audit when implementing governance of enterprise IT?
Question311: Which of the following is MOST important to consider when scheduling follow-up audits?
Question312: During the design phase of a software development project, the PRIMARY responsibility of an IS auditor is to evaluate the:
Question313: Which of the following provides a new IS auditor with the MOST useful information to evaluate overall IT performance?
Question314: Which of the following access rights presents the GREATEST risk when granted to a new member of the system development staff?
Question315: An organization has partnered with a third party to transport backup drives to an offsite storage facility. Which of the following is MOST important before sending the drives?
Question316: While auditing a small organization's data classification processes and procedures, an IS auditor noticed that data is often classified at the incorrect level. What is the MOST effective way for the organization to improve this situation?
Question317: Which of the following is the MOST efficient way to identify segregation of duties violations in a new system?
Question318: What would be an IS auditor's BEST course of action when an auditee is unable to close all audit recommendations by the time of the follow-up audit?
Question319: In an environment that automatically reports all program changes, which of the following is the MOST efficient way to detect unauthorized changes to production programs?
Question320: In response to an audit finding regarding a payroll application, management implemented a new automated control. Which of the following would be MOST helpful to the IS auditor when evaluating the effectiveness of the new control?
Question321: Which of the following is the BEST way to address potential data privacy concerns associated with inadvertent disclosure of machine identifier information contained within security logs?
Question322: Which of the following would MOST likely impair the independence of the IS auditor when performing a post-implementation review of an application system?
Question323: Which of the following controls BEST ensures appropriate segregation of dudes within an accounts payable department?
Question324: An IS auditor is following up on prior period items and finds management did not address an audit finding.
Which of the following should be the IS auditor's NEXT course of action?
Question325: Which of the following should be the FIRST step in the incident response process for a suspected breach?
Question326: Which of the following is the BEST way for an organization to mitigate the risk associated with third-party application performance?
Question327: Which of the following is the BEST way to detect unauthorized copies of licensed software on systems?
Question328: Which of the following is the MOST important reason for an IS auditor to examine the results of a post-incident review performed after a security incident?
Question329: When reviewing a project to replace multiple manual data entry systems with an artificial intelligence (Al) system, the IS auditor should be MOST concerned with the impact Al will have on
Question330: In which phase of the internal audit process is contact established with the individuals responsible for the business processes in scope for review?
Question331: Which of the following is the PRIMARY reason to perform a risk assessment?
Question332: During an external review, an IS auditor observes an inconsistent approach in classifying system criticality within the organization. Which of the following should be recommended as the PRIMARY factor to determine system criticality?
Question333: Which of the following biometric access controls has the HIGHEST rate of false negatives?
Question334: An IS auditor is reviewing the installation of a new server. The IS auditor's PRIMARY objective is to ensure that
Question335: An organization's senior management thinks current security controls may be excessive and requests an IS auditor's advice on how to assess the adequacy of current measures. What is the auditor's BEST recommendation to management?
Question336: Which of the following BEST enables the timely identification of risk exposure?
Question337: Which of the following would minimize the risk of losing transactions as a result of a disaster?
Question338: Which of the following is the BEST reason to implement a data retention policy?
Question339: An IS audit review identifies inconsistencies in privacy requirements across third-party service provider contracts. Which of the following is the BEST recommendation to address this situation?
Question340: An organization has developed mature risk management practices that are followed across all departments What is the MOST effective way for the audit team to leverage this risk management maturity?
Question341: An IS auditor conducts a review of a third-party vendor's reporting of key performance indicators (KPIs) Which of the following findings should be of MOST concern to the auditor?
Question342: Which of the following is MOST important for an IS auditor to look
for in a project feasibility study?
Question343: A system development project is experiencing delays due to ongoing staff shortages. Which of the following strategies would provide the GREATEST assurance of system quality at implementation?
Question344: A global organization's policy states that all workstations must be scanned for malware each day. Which of the following would provide an IS auditor with the BEST evidence of continuous compliance with this policy?
Question345: An IS auditor concludes that logging and monitoring mechanisms within an organization are ineffective because critical servers are not included within the central log repository. Which of the following audit procedures would have MOST likely identified this exception?
Question346: Which of the following should be done FIRST to minimize the risk of unstructured data?
Question347: During the planning phase of a data loss prevention (DLP) audit, management expresses a concern about mobile computing. Which of the following should the IS auditor identity as the associated risk?
Question348: When assessing a proposed project for the two-way replication of a customer database with a remote call center, the IS auditor should ensure that:
Question349: An IS auditor follows up on a recent security incident and finds the incident response was not adequate. Which of the following findings should be considered MOST critical?
Question350: Which of the following would be an appropriate role of internal audit in helping to establish an organization's privacy program?
Question351: A web proxy server for corporate connections to external resources reduces organizational risk by:
Question352: An organization has implemented a distributed security administration system to replace the previous centralized one. Which of the following presents the GREATEST potential concern?
Question353: Which of the following provides the MOST protection against emerging threats?
Question354: An IS auditor finds a segregation of duties issue in an enterprise resource planning (ERP) system. Which of the following is the BEST way to prevent the misconfiguration from recurring?
Question355: Which of the following is the BEST compensating control when segregation of duties is lacking in a small IS department?
Question356: An incident response team has been notified of a virus outbreak in a network subnet. Which of the following should be the NEXT step?
Question357: An IS audit manager is reviewing workpapers for a recently completed audit of the corporate disaster recovery test. Which of the following should the IS audit manager specifically review to substantiate the conclusions?
Question358: An IT balanced scorecard is the MOST effective means of monitoring:
Question359: Which of the following provides the MOST assurance over the completeness and accuracy ol loan application processing with respect to the implementation of a new system?
Question360: An IS auditor is analyzing a sample of accounts payable transactions for a specific vendor and identifies one transaction with a value five times as high as the average transaction. Which of the following should the auditor do NEXT?
Question361: An organization's enterprise architecture (EA) department decides to change a legacy system's components while maintaining its original functionality. Which of the following is MOST important for an IS auditor to understand when reviewing this decision?
Question362: An organization's IT department and internal IS audit function all report to the chief information officer (CIO).
Which of the following is the GREATEST concern associated with this reporting structure?
Question363: The use of control totals satisfies which of the following control objectives?
Question364: An IS auditor found that a company executive is encouraging employee use of social networking sites for business purposes. Which of the following recommendations would BEST help to reduce the risk of data leakage?
Question365: During a new system implementation, an IS auditor has been assigned to review risk management at each milestone. The auditor finds that several risks to project benefits have not been addressed. Who should be accountable for managing these risks?
Question366: When evaluating information security governance within an organization, which of the following findings should be of MOST concern to an IS auditor?
Question367: Which of the following is the BEST way for an IS auditor to assess the design of an automated application control?
Question368: Which of the following would be the MOST useful metric for management to consider when reviewing a project portfolio?
Question369: The operations team of an organization has reported an IS security attack Which of the following should be the FIRST step for the security incident response team?
Question370: Which of the following issues associated with a data center's closed-circuit television (CCTV) surveillance cameras should be of MOST concern to an IS auditor?
Question371: Which of the following activities would allow an IS auditor to maintain independence while facilitating a control sell-assessment (CSA)?
Question372: Which of the following is a concern associated with virtualization?
Question373: An IS auditor wants to determine who has oversight of staff performing a specific task and is referencing the organization's RACI chart. Which of the following roles within the chart would provide this information?
Question374: Which of the following is the BEST source of information for an IS auditor to use as a baseline to assess the adequacy of an organization's privacy policy?
Question375: Which of the following be of GREATEST concern to an IS auditor reviewing on-site preventive maintenance for an organization's business-critical server hardware?
Question376: When reviewing an IT strategic plan, the GREATEST concern would be that
Question377: Which of the following BEST describes the role of a document owner when implementing a data classification policy in an organization?
Question378: Due to a recent business divestiture, an organization has limited IT resources to deliver critical projects Reviewing the IT staffing plan against which of the following would BEST guide IT management when estimating resource requirements for future projects?
Question379: Which of the following would be of MOST concern for an IS auditor evaluating the design of an organization's incident management processes?
Question380: The PRIMARY objective of a control self-assessment (CSA) is to:
Question381: During the planning stage of a compliance audit, an IS auditor discovers that a bank's inventory of compliance requirements does not include recent regulatory changes related to managing data risk. What should the auditor do FIRST?
Question382: Which of the following is the BEST detective control for a job scheduling process involving data transmission?
Question383: Which of the following is the BEST way to verify the effectiveness of a data restoration process?
Question384: Which of the following is MOST helpful to an IS auditor reviewing the alignment of planned IT budget with the organization's goals and strategic objectives?
Question385: Which of the following features of a library control software package would protect against unauthorized updating of source code?
Question386: Which of the following is an executive management concern that could be addressed by the implementation of a security metrics dashboard?
Question387: Which of the following is the BEST source of information for assessing the effectiveness of IT process monitoring?
Question388: Which of the following is the BEST way to identify whether the IT help desk is meeting service level agreements (SLAS)?
Question389: In which of the following system development life cycle (SDLC) phases would an IS auditor expect to find that controls have been incorporated into system specifications?
Question390: Demonstrated support from which of the following roles in an organization has the MOST influence over information security governance?
Question391: An IS auditor learns that an organization's business continuity plan (BCP) has not been updated in the last 18 months and that the organization recently closed a production plant. Which of the following is the auditor's BEST course of action?
Question392: Following the sale of a business division, employees will be transferred to a new organization, but they will retain access to IT equipment from the previous employer. An IS auditor has recommended that both organizations agree to and document an acceptable use policy for the equipment. What type of control has been recommended?
Question393: Which of the following provides the MOST reliable audit evidence on the validity of transactions in a financial application?
Question394: Which of the following is the PRIMARY basis on which audit objectives are established?
Question395: An IS auditor is assigned to review the IS department s quality procedures. Upon contacting the IS manager, the auditor finds that there is an informal unwritten set of standards Which of the following should be the auditor's NEXT action1?
Question396: An IS auditor evaluating the change management process must select a sample from the change log. What is the BEST way to the auditor to confirm the change log is complete?
Question397: Which of the following is MOST critical to the success of an information security program?
Question398: Backup procedures for an organization's critical data are considered to be which type of control?
Question399: An IS auditor observes that a business-critical application does not currently have any level of fault tolerance.
Which of the following is the GREATEST concern with this situation?
Question400: Which of the following types of firewalls provide the GREATEST degree of control against hacker intrusion?
Question401: Capacity management enables organizations to:
Question402: Audit observations should be FIRST communicated with the auditee:
Question403: Which of the following is MOST important to ensure that electronic evidence collected during a forensic investigation will be admissible in future legal proceedings?
Question404: Which of the following is MOST important to include in security awareness training?
Question405: In the case of a disaster where the data center is no longer available, which of the following tasks should be done FIRST?
Question406: An IS auditor is reviewing an industrial control system (ICS) that uses older unsupported technology in the scope of an upcoming audit. What should the auditor consider the MOST significant concern?
Question407: Which of the following is the GREATEST risk associated with storing customer data on a web server?
Question408: Which type of control is being implemented when a biometric access device is installed at the entrance to a facility?
Question409: Which of the following is MOST important for an IS auditor to validate when auditing network device management?
Question410: Which of the following types of environmental equipment will MOST likely be deployed below the floor tiles of a data center?
Question411: One benefit of return on investment (ROI) analysts in IT decision making is that it provides the:
Question412: An organization allows its employees lo use personal mobile devices for work. Which of the following would BEST maintain information security without compromising employee privacy?
Question413: An IS auditor notes that several employees are spending an excessive amount of time using social media sites for personal reasons. Which of the following should the auditor recommend be performed FIRST?
Question414: Which of the following is the MOST important Issue for an IS auditor to consider with regard to Voice-over IP (VoIP) communications?
Question415: In a review of the organization standards and guidelines for IT management, which of the following should be included in an IS development methodology?
Question416: Controls related to authorized modifications to production programs are BEST tested by:
Question417: Which of the following areas of responsibility would cause the GREATEST segregation of duties conflict if the individual who performs the related tasks also has approval authority?
Question418: A new regulation in one country of a global organization has recently prohibited cross-border transfer of personal data. An IS auditor has been asked to determine the organization's level of exposure In the affected country. Which of the following would be MOST helpful in making this assessment?