Question1: Which of the following is the BEST indication that an organization follows best practices for system access authorization?
Question2: Which of the following should an IS auditor be MOST concerned with when a system uses RFID?
Question3: Which of the following is found in an audit charter?
Question4: A small startup organization does not have the resources to implement segregation of duties.
Which of the following is the MOST effective compensating control?
Question5: From an IS auditor's perspective, which of the following would be the GREATEST risk associated with an incomplete inventory of deployed software in an organization?
Question6: For effective IT governance, it is MOST important to have an independent reporting line for which of the following IT functions?
Question7: An IS auditor finds a segregation of duties issue in an enterprise resource planning (ERP) system. Which of the following is the BEST way to prevent the misconfiguration from recurring?
Question8: Which of the following should be the IS auditor's PRIMARY focus when evaluating an organization's offsite storage facility?
Question9: The PRIMARY purpose of running a new system in parallel is to:
Question10: As part of the architecture of virtualized environments, in a bare metal or native virtualization the hypervisor runs without:
Question11: A PRIMARY benefit derived by an organization employing control self-assessment (CSA) techniques is that CSA:
Question12: Which of the following is the GREATEST advantage of agile development over waterfall development?
Question13: An organization needs to comply with data privacy regulations forbidding the display of personally identifiable information (PII) on customer bills or receipts.
However, it is a business requirement to display at least one attribute so that customers can verify the bills or receipts are intended for them. What is the BEST recommendation?
Question14: Which of the following is the MOST important prerequisite for the protection of physical information assets in a data center?
Question15: An IS auditor should ensure that an application's audit trail:
Question16: When evaluating the design of controls related to network monitoring, which of the following is MOST important for an IS auditor to review?
Question17: Which of the following BEST indicates that the effectiveness of an organization's security awareness program has improved?
Question18: An organization uses system interfaces to disburse money to various banks. Which of the following features in the system interfaces is MOST important to provide assurance that the money is going to the right bank account?
Question19: An organization that has suffered a cyber attack is performing a forensic analysis of the affected users' computers. Which of the following should be of GREATEST concern for the IS auditor reviewing this process?
Question20: Which of the following documents should specify roles and responsibilities within an IT audit organization?
Question21: What is MOST important to verify during an external assessment of network vulnerability?
Question22: Following the implementation of a data loss prevention (DLP) tool, administrators have been overwhelmed with a high number of false positives. Which of the following is the BEST way to address this issue?
Question23: Which of the following metrics is the BEST indicator of the performance of a web application?
Question24: Which of the following is the MOST effective control to mitigate against the risk of inappropriate activity by employees?
Question25: An IS auditor reviewing a financial organization's identity management solution finds that application owners are not identified for some critical business applications. Which of the following is the GREATEST risk in this situation?
Question26: Which of the following is an IS auditor's BEST recommendation for mitigating risk associated with inadvertent disclosure of sensitive information by employees?
Question27: Which of the following is the PRIMARY reason for using a digital signature?
Question28: Which of the following is the BEST way to ensure email confidentiality in transit?
Question29: A secure server room has a badge reader system that records name, date, and time information whenever a staff member uses a badge to enter or exit. When reviewing the system logs, an IS auditor notices records for some employees entering, but not exiting, the room. Which of the following would be the MOST effective compensating control to recommend?
Question30: An IS auditor observes that exceptions have been approved for an organization's information security policy. Which of the following is MOST important for the auditor to confirm?
Question31: What is the BEST way to evaluate a control environment where the organization and a third party have shared responsibility?
Question32: Which of the following should an IS auditor do FIRST when assessing the level of compliance for an organization in the banking industry?
Question33: During a routine internal software licensing review, an IS auditor discovers instances where employees shared license keys to critical pieces of business software. Which of the following would be the auditor's BEST course of action?
Question34: Management has learned the implementation of a new IT system will not be completed on time and has requested an audit. Which of the following audit findings should be of GREATEST concern?
Question35: Which of the following is the MOST appropriate indicator of change management effectiveness?
Question36: Which of the following is the BEST method to safeguard data on an organization's laptop computers?
Question37: During which phase of a system development project should key performance indicators (KPIs) be established'?
Question38: Which of the following is the GREATEST risk associated with granting local administrative privileges to users for their laptops?
Question39: When implementing a new IT maturity model, which of the following should occur FIRST?
Question40: Which of the following methods will BEST reduce the risk associated with the transition to a new system using technologies that are not compatible with the old system?
Question41: To develop meaningful recommendations for findings, which of the following is MOST important for an IS auditor to determine and understand?
Question42: Which of the following would BEST protect the confidentiality of sensitive data in transit between multiple offices?
Question43: An organization wants to change its project methodology to address increasing costs and process changes. Which of the following is the BEST methodology to use?
Question44: Which of the following would BEST detect unauthorized modification of data by a database administrator (DBA)?
Question45: Which of the following provides the BEST assurance of data integrity after file transfers?
Question46: An IS auditor observes that a business-critical application does not currently have any level of fault tolerance Which of the following is the GREATEST concern with this situation?
Question47: An IS auditor discovers from patch logs that some in-scope systems are not compliant with the regular patching schedule. What should the auditor do NEXT?
Question48: An organization has implemented segregation of duties with appropriate job definitions and restrictions on overlapping roles. Which type of control has been implemented?
Question49: Which of the following is MOST important to consider when assessing the scope of privacy concerns for an IT project?
Question50: Which of the following would a digital signature MOST likely prevent?
Question51: In reviewing the IT strategic plan, the IS auditor should consider whether it identifies the:
Question52: An IS auditor finds a computer that is suspected to have been involved in a cyber crime. Which of the following activities is MOST critical to ensure data collected is admissible in a court of law?
Question53: An organization is experiencing a large number of phishing attacks targeting employees and executives following a press release announcing an acquisition.
Which of the following would provide the BEST defense against these attacks?
Question54: An employee has accidentally posted confidential data to the company's social media page.
Which of the following is the BEST control to prevent this from recurring?
Question55: Which of the following is MOST important for the effective implementation of an intrusion detection system (IDS)?
Question56: Which of the following is the MOST effective way to assess the controls over the hardware maintenance process?
Question57: Which of the following would BEST enable an organization to address the security risks associated with a recently implemented bring your own device (BYOD) strategy?
Question58: Which of the following is MOST important for an IS auditor to verify when evaluating an organization's firewall?
Question59: Which of the following is the MOST important outcome of an information security program?
Question60: To ensure confidentiality through the use of asymmetric encryption, a message is encrypted with which of the following?
Question61: IT governance should be driven by:
Question62: If enabled within firewall rules, which of the following services would present the GREATEST risk?
Question63: During a software acquisition review, an IS auditor should recommend that there be a software escrow agreement when:
Question64: Which of the following would the IS auditor MOST likely review to determine whether modifications to the operating system parameters were authorized?
Question65: An IS auditor is reviewing a contract for the outsourcing of IT facilities. If missing, which of the following should present the GREATEST concern to the auditor?
Question66: Which of the following is the MOST effective way to identify exfiltration of sensitive data by a malicious insider?
Question67: An IS auditor has been asked to advise on measures to improve IT governance within the organization. Which of the following is the BEST recommendation?
Question68: Which of the following would be a concern of the auditor that should be explained in the audit report along with their findings?
Question69: Which of the following is the GREATEST risk if two users have concurrent access to the same database record?
Question70: The MAIN benefit of using an integrated test facility (ITF) as an online auditing technique is that it enables:
Question71: An IS auditor is reviewing the maturity of a large organization's IT governance. Which of the following BEST demonstrates that IT governance has been effectively implemented?
Question72: Who is PRIMARILY responsible for the design of IT controls to meet control objectives?
Question73: Which of the following is the GREATEST impact as a result of the ongoing deterioration of a detective control?
Question74: Which of the following responsibilities of an organization's quality assurance (QA) function should raise concern for an IS auditor?
Question75: What should an IS auditor recommend to management as the MOST important action before selecting a Software as a Service (SaaS) vendor?
Question76: As part of the risk management process, threats and vulnerabilities should be mapped to:
Question77: Which of the following strategies BEST optimizes data storage without compromising data retention practices?
Question78: Which of the following is the BEST way for management to ensure the effectiveness of the cybersecurity incident response process?
Question79: An IS auditor is concerned that unauthorized access to a highly sensitive data center might be gained by piggybacking or tailgating. Which of the following is the BEST recommendation?
Question80: An IS audit reveals that an organization operating in business continuity mode during a pandemic situation has not performed a simulation test of the business continuity plan (BCP). Which of the following is the auditor's BEST course of action?
Question81: Which type of control has been established when an organization implements a security information and event management (SIEM) system?
Question82: Which of the following is a threat to IS auditor independence?
Question83: An organization has an acceptable use policy in place, but users do not formally acknowledge the policy. Which of the following is the MOST significant risk from this finding?
Question84: When auditing an organization's software acquisition process the BEST way for an IS auditor to understand the software benefits to the organization would be to review the
Question85: Which of the following is MOST important with regard to an application development acceptance test?
Question86: An IS auditor reviewing an IT organization should be MOST concerned if the IT steering committee:
Question87: The application systems quality assurance (QA) function should:
Question88: Which of the following should be reviewed FIRST when assessing the effectiveness of an organization's network security procedures and controls?
Question89: Which of the following is the MOST important action to ensure timely detection and triage for potential security incidents within an organization?
Question90: A new system development project is running late against a critical implementation deadline.
Which of the following is the MOST important activity?
Question91: Which of the following approaches will ensure recovery time objectives (RTOs) are met for an organization's disaster recovery plan (DRP)?
Question92: Which of the following methods would BEST help detect unauthorized disclosure of confidential documents sent over corporate email?
Question93: The PRIMARY reason for an IS auditor to use data analytics techniques is to reduce which type of audit risk?
Question94: To mitigate the risk of exposing data through application programming interface (API) queries, which of the following design considerations is MOST important?
Question95: Which of the following BEST supports the effectiveness of a compliance program?
Question96: An IS auditor has been tasked to review the processes that prevent fraud within a business expense claim system. Which of the following stakeholders is MOST important to involve in this review?
Question97: Which of the following application input controls would MOST likely detect data input errors in the customer account number field during the processing of an accounts receivable transaction?
Question98: During an exit meeting, an IS auditor highlights that backup cycles are being missed due to operator error and that these exceptions are not being managed.
Which of the following is the BEST way to help management understand the associated risk?
Question99: Which of the following is the BEST way for an IS auditor to determine the completeness of data migration?
Question100: What should an IS auditor do FIRST when management responses to an in-person internal control questionnaire indicate a key internal control is no longer effective?
Question101: Which of the following BEST protects private health information from data loss for clients that utilize remote health-monitoring devices?
Question102: During an organization's implementation of a data loss prevention (DLP) solution, which of the following activities should be completed FIRST?
Question103: When is the BEST time to commence continuity planning for a new application system?
Question104: During a security audit, an IS auditor is tasked with reviewing log entries obtained from an enterprise intrusion prevention system (IPS). Which type of risk would be associated with the potential for the auditor to miss a sequence of logged events that could indicate an error in the IPS configuration?
Question105: Which of the following would BEST prevent the potential leakage of sensitive corporate data from personal mobile devices accessing corporate applications?
Question106: Which of the following provides the MOST useful information for performing a business impact analysis (BIA)?
Question107: Which of the following is an indication of possible hacker activity involving voice communications?
Question108: Which of the following findings from an IT governance review should be of GREATEST concern?
Question109: An information systems security officer's PRIMARY responsibility for business process applications is to:
Question110: A credit card company has decided to outsource the printing of customer statements It Is MOST important for the company to verify whether:
Question111: Which of the following approaches provides the BEST assurance and user confidence when an organization migrates data to a more complex enterprise resource planning (ERP) system?
Question112: While reviewing an organization's business continuity plan (BCP), an IS auditor observes that a recently developed application is not included. The IS auditor should:
Question113: Which of the following BEST guards against the risk of attack by hackers?
Question114: An IS auditor is reviewing security controls related to collaboration tools for a business unit responsible for intellectual property and patents. Which of the following observations should be of MOST concern to the auditor?
Question115: Which of the following should be of GREATEST concern to an IS auditor who is assessing an organization's configuration and release management process?
Question116: An IS auditor is reviewing processes for importing market price data from external data providers.
Which of the following findings should the auditor consider MOST critical?
Question117: A matrix showing the current state and challenges of an organization's software release management practices is MOST useful for:
Question118: An organization is developing data classification standards and has asked internal audit for advice on aligning the standards with best practices. Internal audit would MOST likely recommend the standards should be:
Question119: Which of the following should be an IS auditor's PRIMARY focus when developing a risk-based IS audit program?
Question120: Which of the following should an IS auditor be MOST concerned with during a post- implementation review?
Question121: Which of the following is the MOST important activity in the data classification process?
Question122: Which of the following is the MOST effective method to identify new errors introduced as a result of program changes?
Question123: A data analytics team has developed a process automation bot for internal audit that scans user access to all servers in the environment and then randomly selects a sample of new users for testing. Which of the following presents the GREATEST concern with this approach?
Question124: Which of the following indicates that an internal audit organization is structured to support the independence and clarity of the reporting process?
Question125: Which of the following is the BEST use of a balanced scorecard when evaluating IT performance?
Question126: Which of the following software versions would an IS auditor MOST likely find in the production environment during a post-deployment review?
Question127: What is the purpose of the audit charter?
Question128: What is the BEST method to determine if IT resource spending is aligned with planned project spending?
Question129: Which of the following indicates an effective change control environment?
Question130: While conducting an IT operations audit, an internal IS auditor discovers there are backup media missing that potentially contain unencrypted data. Which of the following should be the IS auditor's NEXT step?
Question131: During a review of an organizations network threat response process, the IS auditor noticed that the majority of alerts were closed without resolution.
Management responded that those alerts were unworkable due to lack of actionable intelligence, and therefore the support team is allowed to close them. What is the BEST way for the auditor to address this situation?'
Question132: Which of the following is MOST important to verify when implementing an organization's information security program?
Question133: Due to advancements in technology and electronic records, an IS auditor has completed an engagement by email only. Which of the following did the IS auditor potentially compromise?
Question134: An IS auditor has discovered that a cloud-based application was not included in an application inventory that was used to confirm the scope of an audit. The business process owner explained that the application will be audited by a third party in the next year. The auditor's NEXT step should be to:
Question135: An IS auditor is reviewing a recent security incident and is seeking information about the approval of a recent modification to a database system's security settings Where would the auditor MOST likely find this information?
Question136: An IS auditor has learned that access privileges are not periodically reviewed or updated. Which of the following would provide the BEST evidence to determine whether transactions have been executed by authorized employees?
Question137: Which of the following BEST enables an organization to control which software can be installed on a user's computer?
Question138: Which of the following should be the FIRST step when developing a data loss prevention (DLP) solution for a large organization?
Question139: Which is not a purpose of risk analysis?
Question140: Which of the following should be the GREATEST concern for an IS auditor performing a post- implementation review for a major system upgrade?
Question141: When auditing the closing stages of a system development project, which of the following should be the MOST important consideration?
Question142: Which of the following is MOST likely to increase if an organization increases its risk appetite?
Question143: Which of the following BEST protects an organization's proprietary code during a joint- development activity involving a third party?
Question144: Which of the following is the MOST efficient way to identify segregation of duties violations in a new system?
Question145: An IS auditor has found that an organization is unable to add new servers on demand in a cost-efficient manner Which of the following is the auditor s BEST recommendation?
Question146: How does a switched network reduce the risk of network sniffing?
Question147: Which of the following is the BEST methodology to use for estimating the complexity of developing a large business application?
Question148: An IS auditor reviewing the physical access section of a security plan for a data center should expect to find that:
Question149: IT disaster recovery time objectives (RTOs) should be based on the:
Question150: An organization's information security department has recently created a centralized governance model to ensure that network-related findings are remediated within the service level agreement (SLA). What should the IS auditor use to assess the maturity and capability of this governance model?
Question151: Which of the following BEST enables an organization to improve the effectiveness of its incident response team?
Question152: An organization is enhancing the security of a client-facing web application following a proposal to acquire personal information for a business purpose. Which of the following is MOST important to review before implementing this initiative?
Question153: An organization relies on an external vendor that uses a cloud-based Software as a Service (SaaS) model to back up its data. Which of the following is the GREATEST risk to the organization related to data backup and retrieval?
Question154: Which of the following should be of GREATEST concern to an IS auditor assessing the effectiveness of an organization's vulnerability scanning program''
Question155: Which of the following backup schemes is the BEST option when storage media is limited?
Question156: Which of the following is the MOST important responsibility of data owners when implementing a data classification process?
Question157: An IS auditor is observing transaction processing and notes that a high-priority update job ran out of sequence. What is the MOST significant risk from this observation?
Question158: During an access review, an IS auditor observes a workstation message indicating the operating system has an expired software license. What should be done FIRST?
Question159: Which of the following is the GREATEST risk associated with hypervisors in virtual environments?
Question160: Which of the following is critical to the successful establishment of an enterprise IT architecture?
Question161: Which of the following would be MOST useful to an organization planning to adopt a public cloud computing model?
Question162: Which of the following is a social engineering attack method?
Question163: In a small IT web development company where developers must have write access to production, the BEST recommendation of an IS auditor would be to:
Question164: Which of the following BEST enables an IS auditor to understand the shared control requirements between multiple cloud service providers and the customer organization?
Question165: Which of the following BEST enables a benefits realization process for a system development project?
Question166: Which of the following methods would BEST ensure that IT strategy is in line with business strategy?
Question167: An organization wants an independent measure of an outsourced system's availability. This measure is directly related to contractual payment obligations. Which of the following procedures would an IS auditor MOST likely recommend?
Question168: An organization shares some of its customers' personally identifiable information (PII) with third- party suppliers for business purposes. What is MOST important for the IS auditor to evaluate to ensure that risk associated with leakage of privacy-related data during transmission is effectively managed?
Question169: Which of the following provides the MOST comprehensive description of IT's role in an organization?
Question170: An organization uses public key infrastructure (PKI) to provide email security. Which of the following would be the MOST efficient method to determine whether email messages have been modified in transit?
Question171: Which of the following is the BEST report for an IS auditor to reference when tasked with reviewing the security of code written for a newly developed website?
Question172: An IS auditor noted that a change to a critical calculation was placed into the production environment without being tested. Which of the following is the BEST way to obtain assurance that the calculation functions correctly?
Question173: An organization has outsourced the maintenance of its customer database to an external vendor, and the vendor has requested live data to test the performance of the database. Which of the following is MOST important for the IS auditor to recommend?
Question174: Which of the following would an IS auditor consider the GREATEST risk associated with a mobile workforce environment?
Question175: An IS auditor is performing an integrated audit covering payment processing activities using point-of-sale (POS) systems. Which of the following findings related to personal identification numbers (PINs) should be of GREATEST concern?
Question176: An IS auditor is reviewing documentation of application systems change control and identifies several patches that were not tested before being put into production. Which of the following is the MOST significant risk from this situation?
Question177: Which of the following is the GREATEST benefit to an organization as a result of effective IS audit risk assessments?
Question178: Which of the following is the BEST indication that there are potential problems within an organization's IT service desk function?
Question179: An organization with many desktop PCs is considering moving to a thin client architecture. Which of the following is the MAJOR advantage?
Question180: Which of the following is the BEST way to identify whether the IT help desk is meeting service level agreements (SLAs)?
Question181: Of the following, who are the MOST appropriate staff for ensuring the alignment of user authorization tables with approved authorization forms?
Question182: During an audit of an organization's financial statements, an IS auditor finds that the IT general controls are deficient. What should the IS auditor recommend?
Question183: An employee transfers from an organization's risk management department to become the lead IS auditor. While in the risk management department, the employee helped develop the key performance indicators (KPIs) now used by the organization. Which of the following would pose the GREATEST threat to the independence of this auditor?
Question184: Which of the following is an IS auditor's BEST course of action when senior management disagrees with audit findings during the closeout meeting?
Question185: What is the principal issue surrounding the use of CAAT tools?
Question186: An IS auditor discovers an option in a database that allows the administrator to directly modify any table. This option is necessary to overcome bugs in the software, but is rarely used. Changes to tables are automatically logged. The IS auditor's FIRST action should be to:
Question187: Who would provide an IS auditor with the MOST helpful input during an interview to determine whether business requirements for an application were met?
Question188: What is a PRIMARY benefit of using Transport Layer Security (TLS) in an e-commerce application?
Question189: Which of the following is a concern when an organization's disaster recovery strategy utilizes a hot site?
Question190: Which of the following should be done FIRST to ensure that a data loss prevention (DLP) process is appropriately implemented?
Question191: During a review, an IS auditor discovers that corporate users are able to access cloud-based applications and data from any Internet-connected web browser.
Which of the following is the auditor's BEST recommendation to help prevent unauthorized access?
Question192: An IS auditor is performing a follow-up audit for findings identified in an organization's user provisioning process. Which of the following is the MOST appropriate population to sample from when testing for remediation?
Question193: Management states that a recommendation made during a prior audit has been implemented, but the IS auditor doubts the effectiveness of the actions taken. Which of the following is the auditor's MOST appropriate course of action?
Question194: Which of the following is MOST important when planning a network audit?
Question195: Which of the following is the MOST important environmental equipment that should be located above the false ceiling of a data center?
Question196: During a review of an organization's technology policies, which of the following observations should be of MOST concern to the IS auditor?
Question197: What is the purpose of ISACA's professional ethics statement?
Question198: The BEST indicator of an optimized quality management system (QMS) is that it:
Question199: When reviewing a business case for a proposed implementation of a third-party system, which of the following should be an IS auditor's GREATEST concern?
Question200: Which of the following would be MOST useful to an IS auditor confirming that an IS department meets its service level agreements (SLAs)
Question201: Which of the following provides the MOST assurance of the integrity of a firewall log?
Question202: An emergency power-off switch should:
Question203: The PRIMARY benefit to using a dry-pipe fire-suppression system rather than a wet-pipe system is that a dry-pipe system
Question204: Which of the following is the BEST evidence that an organization's IT strategy is aligned to its business objectives?
Question205: An IS auditor finds that an organization's data loss prevention (DLP) system is configured to use vendor default settings to identify violations. The auditor's MAIN concern should be that:
Question206: An IS auditor is following up on prior period items and finds management did not address an audit finding. Which of the following should be the IS auditor's NEXT course of action?
Question207: Which of the following should an IS auditor recommend be performed FIRST when evaluating potential enterprise resource planning (ERP) implementation vendors?
Question208: An IS auditor detects that event logging has been disabled on a critical server. Which of the following is the GREATEST concern?
Question209: When reviewing a business impact analysis (BIA), it is MOST important for an IS auditor to ensure input was obtained from which group of stakeholders?
Question210: Which of the following approaches would BEST enable an e-commerce website to handle unpredictable amounts of traffic?
Question211: An IS audit manager finds that data manipulation logic developed by the audit analytics team leads to incorrect conclusions. This inaccurate logic is MOST likely an indication of which of the following?
Question212: While executing follow-up activities, an IS auditor is concerned that management has implemented corrective actions that are different from those originally discussed and agreed with the audit function. In order to resolve the situation, the IS auditor's BEST course of action would be to:
Question213: Which of the following is the GREATEST benefit of adopting an international IT governance framework rather than establishing a new framework based on the actual situation of a specific organization?
Question214: Which of the following is an IS auditor's BEST approach when low-risk anomalies have been identified?
Question215: Which of the following should be done FIRST when planning to conduct internal and external penetration testing for a client?
Question216: Which of the following would be MOST useful when analyzing computer performance?
Question217: An organization has implemented a distributed security administration system to replace the previous centralized one. Which of the following presents the GREATEST potential concern?
Question218: Which of the following is the BEST way to reduce the attack surface for a server farm?
Question219: An IS auditor has been asked to investigate critical business applications that have been producing suspicious results. Which of the following should be done FIRST?
Question220: Which of the following types of testing would BEST mitigate the risk of a newly implemented system adversely impacting existing systems?
Question221: Which of the following is MOST important to verify when determining the completeness of the vulnerability scanning process?
Question222: An IS auditor is evaluating the security of an organization's data backup process which includes the transmission of daily incremental backups to a public cloud provider Which of the following findings poses the GREATEST risk to the organization?
Question223: A small financial institution is preparing to implement a check image processing system to support planned mobile banking product offerings Which of the following is MOST critical to the successful implementation of the system?
Question224: An IS auditor is conducting a review of a data center. Which of the following observations could indicate an access control Issue?
Question225: During an incident management audit, an IS auditor finds that several similar incidents were logged during the audit period Which of the following is the auditor's MOST important course of action?
Question226: A web proxy server for corporate connections to external resources reduces organizational risk by:
Question227: Which of the following BEST describes the role of a document owner when implementing a data classification policy in an organization?
Question228: Which of the following is the BEST way to verify the effectiveness of a data restoration process?
Question229: When reviewing an IT strategic plan, the GREATEST concern would be that:
Question230: An organization outsources its IT function to a third-party provider that supplies all hardware and support personnel. Which of the following poses the GREATEST risk that the provider's IT resources may not be available to meet the organization's objectives?
Question231: Which of the following is the BEST reason for an organization to use clustering?
Question232: The PRIMARY benefit of information asset classification is that it:
Question233: An organization has introduced a capability maturity model to the system development life cycle (SDLC) to measure improvements. Which of the following is the BEST indication of successful process improvement?
Question234: Which of the following features of a library control software package would protect against unauthorized updating of source code?
Question235: Which of the following would MOST effectively ensure the integrity of data transmitted over a network?
Question236: Which of the following would be MOST important to include in an IS audit report?
Question237: Compared to developing a system in-house, acquiring a software package means that the need for testing by end users is:
Question238: Which of the following would be of GREATEST concern to an IS auditor when evaluating governance processes for a user-developed tool?
Question239: Which of the following would BEST detect that a distributed denial of service (DDoS) attack is occurring?
Question240: Which of the following is MOST important for an effective control self-assessment (CSA) program?
Question241: For the implementation of a program change in a production environment, the MOST important approval required is from:
Question242: What should an IS auditor review FIRST to verify that an organization's IT strategy is effectively implemented?
Question243: Which of the following is the PRIMARY responsibility of an internal IS auditor regarding IT controls?
Question244: An IS auditor would MOST likely recommend that IT management use a balanced scorecard to:
Question245: Which of the following should be an IS auditor's PRIMARY focus when evaluating the response process for cyber crimes?
Question246: Which of the following BEST ensures that effective change management is in place in an IS environment?
Question247: An IS auditor should be MOST concerned with the placement of environmental detectors for heat, water, and smoke in which of the following locations?
Question248: An IS auditor has identified deficiencies within the organization's software development life cycle policies. Which of the following should be done NEXT?
Question249: Which of the following should be the FIRST step in a data migration project?
Question250: Which of the following is the MOST significant issue that could result when two separate release management schedules are maintained by different areas within IT?
Question251: Which of the following is MOST helpful to a data owner when classifying the organization's data?
Question252: Which of the following is MOST important when creating a forensic image of a hard drive?
Question253: An organization has recently implemented a Voice-over IP (VoIP) communication system. Which of the following should be the IS auditor's PRIMARY concern?
Question254: What should an IS auditor do FIRST upon discovering that a service provider did not notify its customers of a security breach?
Question255: The practice of periodic secure code reviews is which type of control?
Question256: Which of the following is a PRIMARY benefit of using risk assessments to determine areas to be included in an audit plan?
Question257: Which of the following provides the BEST evidence of effective IT portfolio management?
Question258: Which of the following should be an IS auditor's GREATEST concern when reviewing an organization's capacity management planning?
Question259: During planning for a cloud service audit, audit management becomes aware that the assigned IS auditor is unfamiliar with the technologies in use and their associated risks to the business. To ensure audit quality, which of the following actions should audit management consider FIRST?
Question260: An IS auditor who was instrumental in designing an application is called upon to review the application. The auditor should:
Question261: Which of the following is the MOST likely reason an organization would use Platform as a Service (PaaS)?
Question262: During a database management evaluation, an IS auditor discovers that some accounts with database administrator (DBA) privileges have been assigned a default password with an unlimited number of failed login attempts. Which of the following is the auditor's BEST course of action?
Question263: Which of the following metrics would be MOST useful to an IS auditor when assessing the resilience of an application programming interface (API)?
Question264: Which of the following should be the FIRST step to successfully implement a corporate data classification program?
Question265: Which of the following yields the HIGHEST level of system availability?
Question266: What are the proper names of the four methods of risk response?
Question267: Which of the following is the BEST method to delete sensitive information from storage media that will be reused?
Question268: Which of the following is the PRIMARY risk when business units procure IT assets without IT involvement?
Question269: When assessing a proposed project for the two-way replication of a customer database with a remote call center, the IS auditor should ensure that:
Question270: The MOST critical security weakness of a packet level firewall is that it can be circumvented by:
Question271: Which of the following is the MOST effective control to mitigate unintentional misuse of authorized access?
Question272: The MOST important function of a business continuity plan (BCP) is to.
Question273: When conducting a requirements analysis for a project, the BEST approach would be to:
Question274: An IS auditor is reviewing an industrial control system (ICS) that uses older unsupported technology in the scope of an upcoming audit. What should the auditor consider the MOST significant concern?
Question275: Which of the following findings should be of GREATEST concern to an IS auditor reviewing an organization s newly implemented online security awareness program'?
Question276: Which of the following statements appearing in an organization's acceptable use policy BEST demonstrates alignment with data classification standards related to the protection of information assets?
Question277: An organization plans to deploy a data loss prevention (DLP) solution. Which of the following is the BEST control to implement along with the DLP solution?
Question278: An IS auditor found that operations personnel failed to run a script contributing to year-end financial statements. Which of the following is the BEST recommendation?
Question279: Which of the following key performance indicators (KPIs) provides stakeholders with the MOST useful information about whether information security risk is being managed?
Question280: On a public-key cryptosystem when there is no previous knowledge between parties, which of the following will BEST help to prevent one person from using a fictitious key to impersonate someone else?
Question281: One advantage of monetary unit sampling is the fact that:
Question282: Which of the following is the BEST way to determine if IT is delivering value to the business?
Question283: During an exit interview senior management disagrees with some of the facts presented in the draft audit report and wants them removed from the report Which of the following would be the auditor's BEST course of action?
Question284: Which of the following is the MOST important determining factor when establishing appropriate timeframes for follow-up activities related to audit findings?
Question285: An IS auditor is evaluating an organization's IT strategy and plans. Which of the following would be of GREATEST concern?
Question286: During a review of IT service desk practices, an IS auditor notes that help desk personnel are spending more time fulfilling user requests for password resets than resolving critical incidents.
Which of the following recommendations to IT management would BEST address this situation?
Question287: Which of the following audit procedures would provide the BEST assurance that an application program is functioning as designed?
Question288: A computer forensic audit is MOST relevant in which of the following situations?
Question289: An IS auditor is planning an audit of an organization's risk management practices. Which of the following would provide the MOST useful information about risk appetite?
Question290: Which of the following is the MOST reliable way for an IS auditor to evaluate the operational effectiveness of an organization's data loss prevention (DLP) controls?
Question291: During the post-implementation review of an application that was implemented six months ago which of the following would be MOST helpful in determining whether the application meets business requirements?
Question292: Which of the following techniques is MOST appropriate for verifying application program controls?
Question293: An IS auditor has completed the fieldwork phase of a network security review and is preparing the initial draft of the audit report. Which of the following findings should be ranked as the HIGHEST risk?
Question294: An IS auditor finds that capacity management for a key system is being performed by IT with no input from the business The auditor's PRIMARY concern would be:
Question295: In a typical system development life cycle (SDLC), which group is PRIMARILY responsible for confirming compliance with requirements?
Question296: During an IT governance audit, an IS auditor notes that IT policies and procedures are not regularly reviewed and updated. The GREATEST concern to the IS auditor is that policies and procedures might not:
Question297: An organization's security policy mandates that all new employees must receive appropriate security awareness training. Which of the following metrics would BEST assure compliance with this policy?
Question298: Which of the following would BEST manage the risk of changes in requirements after the analysis phase of a business application development project?
Question299: After an employee termination, a network account was removed, but the application account remained active. To keep this issue from recurring, which of the following is the BEST recommendation?
Question300: When evaluating evidence as part of an IS audit, which of the following sources should be considered MOST reliable?
Question301: When auditing the alignment of IT to the business strategy, it is MOST Important for the IS auditor to:
Question302: The FIRST step in auditing a data communication system is to determine:
Question303: Which feature associated with an Infrastructure as a Service (IaaS) cloud service provider allows for the provisioning of new servers as demand changes?
Question304: An IS auditor discovers a box of hard drives in a secured location that are overdue for physical destruction. The vendor responsible for this task was never made aware of these hard drives.
Which of the following is the BEST course of action to address this issue?
Question305: An external IS auditor has been engaged to determine the organization's cybersecurity posture.
Which of the following is MOST useful for this purpose?
Question306: The MOST important reason why an IT risk assessment should be updated on a regular basis is to:
Question307: An IS auditor previously worked in an organization's IT department and was involved with the design of the business continuity plan (BCP). The IS auditor has now been asked to review this same BCP. What should the auditor do FIRST?
Question308: Which of the following BEST demonstrates alignment of the IT department with the corporate mission?
Question309: Which of the following should be given GREATEST consideration when implementing the use of an open-source product?
Question310: An IS auditor is reviewing an organization's overall incident response capability following recovery from a cybersecurity incident. Which of the following findings should be of MOST concern to the auditor?
Question311: Which of the following would be MOST time and cost efficient when performing a control self-assessment (CSA) for an organization with a large number of widely dispersed employees?
Question312: A bank's web-hosting provider has just completed an internal IT security audit and provides only a summary of the findings to the bank's auditor. Which of the following should be the bank's GREATEST concern?
Question313: An audit of environmental controls at a data center could include a review of the
Question314: An organization's strategy to source certain IT functions from a software as a service (SaaS) provider should be approved by the:
Question315: Which of the following is an IS auditor's GREATEST concern when an organization does not regularly update software on individual workstations in the internal environment?
Question316: Which of the following would BEST determine whether a post-implementation review (PIR) performed by the project management office (PMO) was effective?
Question317: Which of the following is the PRIMARY protocol for protecting outbound content from tampering and eavesdropping?
Question318: The PRIMARY objective of a control self-assessment (CSA) is to:
Question319: Which of the following would lead an IS auditor to conclude that the evidence collected during a digital forensic investigation would not be admissible in court?
Question320: Which of the following is the PRIMARY advantage of parallel processing for a new system implementation?
Question321: An organization allows employees to use personally owned mobile devices to access customers' personal information. Which of the following is MOST important for an IS auditor to verify?
Question322: An internal audit team is deciding whether to use an audit management application hosted by a third party in a different country. What should be the MOST important consideration related to the uploading of payroll audit documentation in the hosted application?
Question323: An organization is disposing of a system containing sensitive data and has deleted all files from the hard disk. An IS auditor should be concerned because:
Question324: As part of a recent business-critical initiative, an organization is re-purposing its customer data.
However, its customers are unaware that their data is being used for another purpose What is the BEST recommendation to address the associated data privacy risk to the organization?
Question325: Which of the following is the BEST way to address potential data privacy concerns associated with inadvertent disclosure of machine identifier information contained within security logs?
Question326: The MOST appropriate person to chair the steering committee for an enterprise-wide system development should be the:
Question327: Which of the following is the ULTIMATE objective of performing a phishing simulation test?
Question328: Which of the following should be done FIRST to protect evidence on a computer suspected to be involved in online fraud?
Question329: To address issues related to privileged users identified in an IS audit, management implemented a security information and event management (SIEM) system. Which type of control is in place?
Question330: In a RACI model, which of the following roles must be assigned to only one individual?
Question331: Which of the following BEST enables an IS auditor to prioritize financial reporting spreadsheets for an end-user computing (EUC) audit?
Question332: Which of the following management decisions presents the GREATEST risk associated with data leakage?
Question333: Which of the following should an IS auditor review FIRST when planning a customer data privacy audit?
Question334: Which of the following is the BEST compensating control against segregation of duties conflicts in new code development?
Question335: A review of IT interface controls finds an organization does not have a process to identify and correct records that do not get transferred to the receiving system.
Which of the following is the IS auditor's BEST recommendation?
Question336: Which of the following should be the GREATEST concern for an IS auditor reviewing the implementation of a security information and event management (SIEM) system?
Question337: An IS auditor is reviewing enterprise governance and finds there is no defined organizational structure for technology risk governance. Which of the following is the GREATEST concern with this lack of structure?
Question338: Which of the following is the BEST way for an IS auditor to determine whether an organization's disaster recovery plan (DRP) is current?
Question339: Which of the following is the GREATEST risk when using application programming interfaces (APIS) in a third-party hosted virtual environment?
Question340: An IS auditor finds that a key Internet-facing system is vulnerable to attack and that patches are not available. What should the auditor recommend be done FIRST?
Question341: A network review is being undertaken to evaluate security risks. Which of the following would be of MOST concern if identified during the review?
Question342: Which of the following is the BEST use of a maturity model in a small organization?
Question343: Which of the following is the BEST way for an IS auditor to validate that employees have been made aware of the organization's information security policy?
Question344: Which of the following would BEST guide an IS auditor when determining an appropriate time to schedule the follow-up of agreed corrective actions for reported audit issues?
Question345: Which of the following BEST facilitates compliance with requirements mandating the security of confidential data?
Question346: Which of the following is the BEST way to mitigate the risk associated with malicious changes to binary code during the software development life cycle (SDLC)?
Question347: Which of the following is the BEST way to mitigate risk to an organization's network associated with devices permitted under a bring your own device (BYOD) policy?
Question348: Which of the following is the BEST audit procedure to determine whether a firewall is configured in compliance with the organization's security policy?
Question349: Which of the following is the MOST effective control for protecting the confidentiality and integrity of data stored unencrypted on virtual machines?
Question350: Which of the following BEST enables an organization to verify whether an encrypted message sent by a client has been altered?
Question351: Which of the following should be of GREATEST concern to an IS auditor assessing the effectiveness of an organization's release management processes?
Question352: Which of the following should be the FIRST step when planning an IS audit of a third-party service provider that monitors network activities?
Question353: Which of the following is the BEST way to prevent social engineering incidents?
Question354: Which of the following controls is BEST implemented through system configuration?
Question355: An organization has engaged a third party to implement an application to perform business- critical calculations. Which of the following is the MOST important process to help ensure the application provides accurate calculations?
Question356: Which of the following cloud deployment models would BEST meet the needs of a startup software development organization with limited initial capital?
Question357: During the discussion of a draft audit report, IT management provided suitable evidence that a process has been implemented for a control that had been concluded by the IS auditor as ineffective. Which of the following is the auditor's BEST action?
Question358: Which of the following is a core functionality of a configuration and release management system?
Question359: Which of the following observations should be of GREATEST concern to an IS auditor performing an audit of an organization's social media practices?
Question360: Which of the following should be used to evaluate an IT development project before an investment is committed?
Question361: A sample for testing must include the 80 largest client balances and a random sample of the rest.
What should the IS auditor recommend?
Question362: Which of the following is MOST important for an IS auditor to confirm during the implementation phase of a new system?
Question363: Which of the following is the PRIMARY reason that asset classification is vital to an information security program?
Question364: Which of the following is the PRIMARY reason for an IS auditor to conduct post-implementation reviews?
Question365: Which of the following is the BEST control to minimize the risk of unauthorized access to lost company-owned mobile devices?
Question366: To reduce operational costs, IT management plans to reduce the number of servers currently used to run business applications. Which of the following is MOST helpful to review when identifying which servers are no longer required?
Question367: Which of the following should be the PRIMARY objective of an organization's incident management program?
Question368: A warehouse employee of a retail company has been able to conceal the theft of inventory items by entering adjustments of either damaged or lost stock items to the inventory system. Which control would have BEST prevented this type of fraud in a retail environment?
Question369: Which of the following findings related to an organization's information security policy should be of GREATEST concern to an IS auditor?
Question370: The PRIMARY focus of a post-implementation review is to verify that:
Question371: During audit fieldwork, an IS auditor learns that employees are allowed to connect their personal devices to company-owned computers. How can the auditor BEST validate that appropriate security controls are in place to prevent data loss?
Question372: Which of the following is the BEST way for an IS auditor to assess the design of an automated application control?
Question373: An IS auditor is analyzing a sample of accesses recorded on the system log of an application.
The auditor intends to launch an intensive investigation if one exception is found. Which sampling method would be appropriate?
Question374: Using swipe cards to limit employee access to restricted areas requires implementing which additional control?
Question375: Which of the following is the MOST important issue for an IS auditor to consider with regard to Voice-over IP (VoIP) communications?
Question376: Which of the following is the BEST way to determine whether a test of a disaster recovery plan (DRP) was successful?
Question377: Which of the following provides the MOST reliable method of preventing unauthorized logon?
Question378: An IS auditor is performing a review of an application and finds something that might be illegal.
The IS auditor should
Question379: A new regulation in one country of a global organization has recently prohibited cross-border transfer of personal data. An IS auditor has been asked to determine the organization's level of exposure in the affected country. Which of the following would be MOST helpful in making this assessment?
Question380: In order to be useful, a key performance indicator (KPI) MUST:
Question381: An IS auditor notes that several employees are spending an excessive amount of time using social media sites for personal reasons. Which of the following should the auditor recommend be performed FIRST?
Question382: An IS auditor has been asked to perform a post-implementation assessment of a new corporate human resources (HR) system. Which of the following control areas would be MOST important to review for the protection of employee information?
Question383: Which of the following controls provides the MOST protection against ransomware attacks?
Question384: Which of the following will BEST help detect software licensing issues in a networked environment where all software is purchased and loaded by IT?
Question385: Which of the following would be of GREATEST concern to an IS auditor reviewing access controls for an organization's data?
Question386: Which of the following is MOST important when evaluating the design effectiveness of multi-factor authentication?
Question387: Which of the following BEST demonstrates to senior management and the board that an audit function is compliant with standards and the code of ethics?
Question388: Which of the following would provide the BEST evidence of an IT strategy committee's effectiveness?
Question389: An organization sends daily backup media by courier to an offsite location. Which of the following provides the BEST evidence that the media is transported reliably?
Question390: Following a security breach in which a hacker exploited a well-known vulnerability in the domain controller, an IS auditor has been asked to conduct a control assessment. The auditor's BEST course of action would be to determine if:
Question391: Which of the following is the MOST significant risk associated with the use of virtualization?
Question392: Which of the following BEST contributes to the quality of an audit of a business-critical application?
Question393: Which of the following is MOST important to include when developing a business continuity plan (BCP)?
Question394: Which of the following areas of responsibility would cause the GREATEST segregation of duties conflict if the individual who performs the related tasks also has approval authority?
Question395: An IS auditor is executing a risk-based IS audit strategy to ensure that key areas are audited.
Which of the following should be of GREATEST concern to the auditor?
Question396: Which of the following is an executive management concern that could be addressed by the implementation of a security metrics dashboard?
Question397: An organization has implemented a quarterly job schedule to update database tables so prices are adjusted in line with a price index These changes do not go through the regular change management process Which of the following is the MOST important control to have in place?
Question398: What would be an IS auditor's BEST course of action when an auditee is unable to close all audit recommendations by the time of the follow-up audit?
Question399: An IS auditor observes that each department follows a different approach for creating and securing spreadsheet macros. Which of the following is the auditor's BEST recommendation for management in this situation?
Question400: The decision to accept an IT control risk related to data quality should be the responsibility of the:
Question401: Which type of threat can utilize a large group of automated social media accounts to steal data, send spam, or launch distributed denial of service (DDoS) attacks?
Question402: During a follow-up audit, an IS auditor learns that some key management personnel have been replaced since the original audit, and current management has decided not to implement some previously accepted recommendations. What is the auditor's BEST course of action?
Question403: An IS auditor discovers that validation controls in a web application have been moved from the server side into the browser to boost performance. This would MOST likely increase the risk of a successful attack by:
Question404: In which of the following sampling methods is the entire sample considered to be irregular if a single error is found?
Question405: An organization's enterprise architecture (EA) department decides to change a legacy system's components while maintaining its original functionality Which of the following is MOST important for an IS auditor to understand when reviewing this decision?
Question406: An IS auditor is reviewing a bank's service level agreement (SLA) with a third-party provider that hosts the bank's secondary data center. Which of the following findings should be of GREATEST concern to the auditor?
Question407: The FIRST step in an incident response plan is to:
Question408: Which of the following issues associated with a data center's closed circuit television (CCTV) surveillance cameras should be of MOST concern to an IS auditor?
Question409: Which of the following is MOST important when implementing a data classification program?
Question410: An organization plans to replace its nightly batch processing backup to magnetic tape with real- time replication to a second data center. Which of the following is the GREATEST risk associated with this change?
Question411: Which of the following risks is BEST mitigated by implementing an automated three-way match?
Question412: Which of the following is the MOST cost-effective way to determine the effectiveness of a business continuity plan (BCP)?
Question413: When evaluating an information security risk assessment, what is MOST important to review to gain an understanding of how risk is reduced?
Question414: A senior auditor is reviewing work papers prepared by a junior auditor indicating that a finding was removed after the auditee said they corrected the problem.
Which of the following is the senior auditor's MOST appropriate course of action?
Question415: Which of the following is the MOST appropriate and effective fire suppression method for an unstaffed computer room?
Question416: Which of the following controls associated with software development would be classified as a preventive control to address scope creep?
Question417: An IS auditor finds that irregularities have occurred and that auditee management has chosen to ignore them. If reporting to external authorities is required, which of the following is the BEST action for the IS auditor to take?
Question418: Which of the following provides the BEST audit evidence that a firewall is configured in compliance with the organization's security policy?
Question419: During an IS audit, it is discovered that data classification rules are often ignored by programmers developing in-house software. Which of the following recommendations would BEST mitigate the risk in this situation?
Question420: Which of the following should be considered when examining fire suppression systems as part of a data center environmental controls review?
Question421: Which of the following observations noted by an IS auditor reviewing internal IT standards is MOST important to address?
Question422: Which of the following is the MOST important consideration when relying on the work of the prior auditor?
Question423: Which of the following is the BEST way to ensure an organization's data classification policies are preserved during the process of data transformation?
Question424: An IS auditor assessing an organization's information systems needs to understand management's approach regarding controls. Which documentation should the auditor review FIRST?
Question425: Aligning IT strategy with business strategy PRIMARILY helps an organization to:
Question426: When planning an audit, it is acceptable for an IS auditor to rely on a third-party provider's external audit report on service level management when the:
Question427: An IS auditor finds a high-risk vulnerability in a public-facing web server used to process online customer payments. The IS auditor should FIRST
Question428: An auditee disagrees with a recommendation for corrective action that appears in the draft engagement report. Which of the following is the IS auditor's BEST course of action when preparing the final report?
Question429: Which type of framework is BEST suited to illustrate the traceability of information and communications technologies and their alignment with business objectives?
Question430: During a review of a production schedule, an IS auditor observes that a staff member is not complying with mandatory operational procedures. The auditor's NEXT step should be to:
Question431: Which type of review is MOST important to conduct when an IS auditor is informed that a recent internal exploitation of a bug has been discovered in a business application?
Question432: What is the MAIN reason to use incremental backups?
Question433: An IS auditor is evaluating the access controls for a shared customer relationship management (CRM) system. Which of the following would be the GREATEST concern?
Question434: Which of the following is the BEST source of information for an IS auditor to use when determining whether an organization's information security policy is adequate?
Question435: Which of the following should be the MOST important consideration when conducting a review of IT portfolio management?
Question436: Which of the following is the BEST control to mitigate attacks that redirect Internet traffic to an unauthorized website?
Question437: Which of the following is the MOST important advantage of participating in beta testing of software products?
Question438: An organization is planning to hire a third party to develop software. What is the MOST appropriate way for the organization to ensure access to code if the software development company goes out of business?
Question439: Which of the following organizational functions is MOST appropriate to monitor the budget associated with an IT project?
Question440: An organization has outsourced the development of a core application. However, the organization plans to bring the support and future maintenance of the application back in-house. Which of the following findings should be the IS auditor's GREATEST concern?
Question441: Which of the following is the PRIMARY purpose for external assessments of internal audit's quality assurance (QA) systems and frameworks?
Question442: Which of the following is MOST likely to be detected by an IS auditor applying data analytic techniques?
Question443: Which of the following is the BEST reason to implement a data retention policy?
Question444: An organization is permanently transitioning from onsite to fully remote business operations.
When should the existing business impact analysis (BIA) be reviewed?
Question445: An organization has decided to outsource a critical application due to a lack of specialized resources. Which risk response has been adopted?
Question446: When determining whether a project in the design phase will meet organizational objectives what is BEST to compare against the business case?
Question447: An IS auditor is performing a project review and finds that scope reductions have been made without proper authorization. The IS auditor should be MOST concerned that:
Question448: When assessing whether an organization's IT performance measures are comparable to other organizations in the same industry which of the following would be MOST helpful to review?
Question449: Which of the following is MOST useful for matching records of incoming and outgoing personnel to identify tailgating in physical security logs?
Question450: After the release of an application system, an IS auditor wants to verify that the system is providing value to the organization. The auditor's BEST course of action would be to:
Question451: An organization considers implementing a system that uses a technology that is not in line with the organization's IT strategy. Which of the following is the BEST justification for deviating from the IT strategy?
Question452: During a security access review, an IS auditor identifies a segregation of duties issue involving financial reporting for which there are no mitigating controls. Which of the following stakeholders should be notified of this finding FIRST?
Question453: A help desk has been contacted regarding a lost business mobile device. The FIRST course of action should be to:
Question454: A finance department has a multi-year project to upgrade the enterprise resource planning (ERP) system hosting the general ledger, and in year one, the system version upgrade will be applied.
Which of the following should be the PRIMARY focus of the IS auditor reviewing the first year of the project?
Question455: An IS auditor finds that a recently deployed application has a number of developers with inappropriate update access left over from the testing environment. Which of the following would have BEST prevented the update access from being migrated?
Question456: Which of the following is the BEST way to ensure payment transaction data is restricted to the appropriate users?
Question457: Which of the following BEST enables an organization to balance value delivery and risk management?
Question458: Which of the following is MOST important to include within a business continuity plan (BCP) so that backup and replication is configured in a way that ensures data availability?
Question459: A firewall between internal network segments improves security and reduces risk by:
Question460: Which of the following is the BEST detective control for a job scheduling process involving data transmission?
Question461: Which of the following network topologies will provide the GREATEST fault tolerance?
Question462: One benefit of return on investment (ROI) analysis in IT decision making is that it provides the:
Question463: An organization was recently notified by its regulatory body of significant discrepancies in its reporting data. A preliminary investigation revealed that the discrepancies were caused by problems with the organization's data quality. Management has directed the data quality team to enhance their program. The audit committee has asked internal audit to be advisors to the process. To ensure that management concerns are addressed, which data set should internal audit recommend be reviewed FIRST?
Question464: Which of the following would be the MOST significant factor when choosing among several backup system alternatives with different restoration speeds?
Question465: Which of the following is the BEST method to maintain an audit trail of changes made to the source code of a program?
Question466: Which of the following is the MOST effective control over visitor access to highly secured areas?
Question467: Which of the following BEST minimizes performance degradation of servers used to authenticate users of an e-commerce website?
Question468: What would be the PRIMARY reason for an IS auditor to recommend using key risk indicators (KRIs)?
Question469: While evaluating the data classification process of an organization, an IS auditor's PRIMARY focus should be on whether:
Question470: Which of the following business continuity activities prioritizes the recovery of critical functions?
Question471: An IS auditor has been tasked with auditing the inventory control process for a large organization that processes millions of data transactions. Which of the following is the BEST testing strategy to adopt?
Question472: Which of the following would provide multi-factor authentication for physical access to a data center?
Question473: Which of the following should be an IS auditor's GREATEST consideration when scheduling follow-up activities for agreed-upon management responses to remediate audit observations?
Question474: Which of the following ensures components of an IT system are identified and baselined, and that changes to them are implemented in a controlled manner?
Question475: A month after a company purchased and implemented system and performance monitoring software reports were too large and therefore were not reviewed or acted upon The MOST effective plan of action would be to
Question476: When reviewing a data classification scheme, it is MOST important for an IS auditor to determine if
Question477: Which of the following activities provides an IS auditor with the MOST insight regarding potential single person dependencies that might exist within the organization?
Question478: Which of the following observations should be of GREATEST concern to an IS auditor performing an audit of change and release management controls for a new complex system developed by a small in-house IT team?
Question479: Which of the following is the MOST important area of focus for an IS auditor when developing a risk-based audit strategy?
Question480: A CFO has requested an audit of IT capacity management due to a series of finance system slowdowns during month-end reporting. What would be MOST important to consider before including this audit in the program?
Question481: An IS auditor performing an audit of backup procedures observes that backup tapes are picked up weekly and stored offsite at a third-party hosting facility. Which of the following recommendations would be the BEST way to protect the integrity of the data on the backup tapes?
Question482: What is the PRIMARY benefit of an audit approach which requires reported findings to be issued together with related action plans, owners, and target dates?
Question483: An IS audit reveals that an organization is not proactively addressing known vulnerabilities. Which of the following should the IS auditor recommend the organization do FIRST?
Question484: The IS quality assurance (QA) group is responsible for:
Question485: Which of the following is the BEST way to sanitize a hard disk for reuse to ensure the organization's information cannot be accessed?
Question486: Invoking a business continuity plan (BCP) is demonstrating which type of control?
Question487: An organization allows its employees to use personal mobile devices for work. Which of the following would BEST maintain information security without compromising employee privacy?
Question488: Due to limited storage capacity, an organization has decided to reduce the actual retention period for media containing completed low-value transactions. Which of the following is MOST important for the organization to ensure?
Question489: Which of the following is the PRIMARY reason to perform user acceptance testing (UAT) prior to production release for a new system?
Question490: Which of the following are used in a firewall to protect the entity's internal resources?
Question491: An IS auditor performing an application development review attends development team meetings.
The IS auditor's independence will be compromised if the IS auditor:
Question492: During an audit of an access control system an IS auditor finds that RFID card readers are not connected via the network to a central server Which of the following is the GREATEST risk associated with this finding?
Question493: As part of business continuity planning, which of the following is MOST important to assess when conducting a business impact analysis (BIA)?
Question494: Which of the following is MOST important when defining the IS audit scope?
Question495: Which of the following would protect the confidentiality of information sent in email messages?
Question496: An IS auditor observes that a bank's web page address is prefixed "https://". The auditor would be correct to conclude that:
Question497: Which of the following is MOST important to include in a feasibility study when developing a business case for an IT investment?
Question498: Which of the following is the BEST recommendation to mitigate the risk associated with remote access through the hypervisor interface?
Question499: During an audit of payment services of a branch based in a foreign country, a large global bank's audit team identifies an opportunity to use data analytics techniques to identify abnormal payments. Which of the following is the team's MOST important course of action?
Question500: Which of the following is MOST critical to the success of an information security program?
Question501: When protecting mobile devices, which of the following is the PRIMARY risk mitigated by authentication controls?
Question502: Which of the following is a detective control?
Question503: Which of the following is the PRIMARY benefit of performing a maturity model assessment?
Question504: Documentation of workaround processes to keep a business function operational during recovery of IT systems is a core part of a:
Question505: Which of the following is MOST important for an IS auditor to examine when reviewing an organization's privacy policy?
Question506: An IS auditor finds that the cost of developing an application is now projected to significantly exceed the budget. Which of the following is the GREATEST risk to communicate to senior management?
Question507: Which of the following is the PRIMARY reason an IS auditor would recommend offsite backups although critical data is already on a redundant array of inexpensive disks (RAID)?
Question508: What is the definition of a standard as compared to a guideline?
Question509: Which of the following provides the BEST evidence that a third-party service provider's information security controls are effective?
Question510: An IS auditor suspects an organization's computer may have been used to commit a crime.
Which of the following is the auditor's BEST course of action?
Question511: An IS auditor notes that not all security tests were completed for an online sales system recently promoted to production. Which of the following is the auditor's BEST course of action?
Question512: Many departments of an organization have not implemented audit recommendations by their agreed upon target dates. Who should address this situation?
Question513: The use of which of the following is an inherent risk in the application container infrastructure?
Question514: Which of the following should be the FIRST step in managing the impact of a recently discovered zero-day attack?
Question515: Which of the following MUST be completed as part of the annual audit planning process?
Question516: The BEST way to evaluate the effectiveness of a newly developed application is to:
Question517: During the review of a data conversion process for a retail application, an IS auditor noticed changes were made to a price listing. Whose approval is MOST appropriate for these changes?
Question518: An IS auditor learns of a new regulation which imposes penalties based on the number of individuals whose personally identifiable information (PII) is exposed by a security breach. What would be the BEST recommendation to help the organization limit the liability associated with a breach to its customer information database?
Question519: Which of the following is MOST important for an IS auditor to verify when an organization is preparing to implement a data loss prevention (DLP) system?
Question520: Which of the following should be the PRIMARY role of an internal audit function in the management of identified business risks?
Question521: An application development team is also promoting changes to production for a critical financial application. Which of the following is the BEST control to reduce the associated risk?
Question522: When assessing the quality of personnel data, an IS auditor finds that the data values reconcile to values outside of the database and logical access is appropriately restricted. Which of the following should also be reviewed to provide a comprehensive assessment of the data quality?
Question523: Which of the following would be MOST effective to protect information assets in a data center from theft by a vendor?
Question524: Which of the following is MOST important for an IS auditor to verify during an audit closing meeting?
Question525: When testing the adequacy of tape backup procedures, which step BEST verifies that regularly scheduled backups are timely and run to completion?
Question526: An organization is considering using production data for testing a new application's functionality.
Which of the following data protection techniques would BEST ensure that personal data cannot be inadvertently recovered in test environments while also reducing the need for strict confidentiality of the data?
Question527: Which of the following would present the GREATEST concern during a review of internal audit quality assurance (QA) and continuous improvement processes?
Question528: Which of the following is MOST helpful for understanding an organization's key driver to modernize application platforms?
Question529: Which of the following would be the BEST process for continuous auditing in a large financial institution?
Question530: The PRIMARY benefit of a risk-based audit methodology is to:
Question531: Which of the following incident response team activities contributes the MOST to preventing future incidents?
Question532: An IS auditors reviewing the perimeter security design of a network. Which of the following provides the GREATEST assurance that both incoming and outgoing internet traffic is controlled?
Question533: Which of the following is MOST critical for the effective implementation of IT governance?
Question534: An IS auditor is evaluating the risk associated with moving from one database management system (DBMS) to another. Which of the following would be MOST helpful to ensure the integrity of the system throughout the change?
Question535: An IS auditor follows up on a recent security incident and finds the incident response was not adequate. Which of the following findings should be considered MOST critical?
Question536: Which of the following is the MAIN purpose of an information security management system?
Question537: Which of the following is the PRIMARY objective of enterprise architecture (EA)?
Question538: Which of the following should be the PRIMARY basis for prioritizing follow-up audits?
Question539: Which of the following weaknesses would have the GREATEST impact on the effective operation of a perimeter firewall?
Question540: Which of the following is the BEST approach for determining the overall IT risk appetite of an organization when business units use different methods for managing IT risks?
Question541: Which of the following is MOST important to include in a data retention policy to reduce legal liabilities associated with information life cycle management?
Question542: Which of the following BEST facilitates strategic program management?
Question543: An IS auditor is assigned to perform a post-implementation review of an application system.
Which of the following would impair the auditor's independence?
Question544: An IS audit review identifies inconsistencies in privacy requirements across third-party service provider contracts. Which of the following is the BEST recommendation to address this situation?
Question545: Which of the following would be of GREATEST concern to an IS auditor assessing the organizational risk associated with fraud?
Question546: Which of the following should be of GREATEST concern to an IS auditor reviewing controls around a system interface for two applications with high volumes of transferred data?
Question547: An IS auditor reviewing a job scheduling tool notices performance and reliability problems. Which of the following is MOST likely affecting the tool?
Question548: Which of the following would BEST indicate the effectiveness of a security awareness training program?
Question549: Which of the following is a concern associated with virtualization?
Question550: Which of the following is the MOST important responsibility of user departments associated with program changes?
Question551: Which of the following is an example of personally identifiable information (PII)?
Question552: Which of the following should be of GREATEST concern to an IS auditor reviewing the business continuity plan (BCP) of an organization with multiple vendors?
Question553: Which of the following is the MOST effective approach in assessing the quality of modifications made to financial software?
Question554: Which of the following is MOST important for an organization to complete prior to developing its disaster recovery plan (DRP)?
Question555: Which of the following responses to risk associated with segregation of duties would incur the LOWEST initial cost?
Question556: Which of the following BEST ensures the quality and integrity of test procedures used in audit analytics?
Question557: The members of an emergency incident response team should be:
Question558: Which of the following BEST indicates that an organization's risk management practices contribute to the effectiveness of internal IS audits?
Question559: Which of the following attack techniques will succeed because of an inherent security weakness in an Internet firewall?
Question560: An organization's IT risk assessment should include the identification of:
Question561: Which of the following should be the FIRST consideration when deciding whether data should be moved to a cloud provider for storage?
Question562: During a project audit, an IS auditor notes that project reporting does not accurately reflect current progress. Which of the following is the GREATEST resulting impact?
Question563: Which of the following should be responsible for verifying changes to an application are authorized?
Question564: Which of the following is the BEST way for an IS auditor to determine how well an information security program has been implemented throughout the organization?
Question565: Which of the following should be done FIRST when a major security incident has been confirmed?
Question566: Which of the following is not a type of quantitative sampling model?
Question567: Which of the following is the PRIMARY purpose of conducting an IS audit follow-up?
Question568: An IS audit manager is reviewing workpapers for a recently completed audit of the corporate disaster recovery test. Which of the following should the IS audit manager specifically review to substantiate the conclusions?
Question569: Following a recent internal data breach, an IS auditor was asked to evaluate information security practices within the organization. Which of the following findings would be MOST important to report to senior management?
Question570: Which of the following is the BEST recommendation to prevent fraudulent electronic funds transfers by accounts payable employees?
Question571: Which of the following is the BEST way to address segregation of duties issues in an organization with budget constraints?
Question572: Which of the following fire suppression systems needs to be combined with an automatic switch to shut down the electricity supply in the event of activation?
Question573: Which of the following is the PRIMARY purpose of conducting follow-up audits for material observations?
Question574: Which of the following is the GREATEST risk related to the use of virtualized environments?
Question575: What is the definition of a work breakdown structure?
Question576: Which control classification attempts to repair the impact of a threat?
Question577: Which of the following BEST enables an organization to identify potential security threats associated with a virtualization technique proposed by the vendor of a popular virtual machine (VM) system?
Question578: Which of the following should be of GREATEST concern to an IS auditor conducting an audit of an organization that recently experienced a ransomware attack?
Question579: When reviewing past results of a recurring annual audit, an IS auditor notes that findings may not have been reported and independence may not have been maintained. Which of the following IS the auditor's BEST course of action?
Question580: The two types of tests are referred to as _________ and _______ using __________ sampling methods.
Question581: Which of the following should be an IS auditor's GREATEST concern when an international organization intends to roll out a global data privacy policy?
Question582: Which of the following BEST enables an IS auditor to combine and compare access control lists from various applications and devices?
Question583: An employee loses a mobile device resulting in loss of sensitive corporate data. Which of the following would have BEST prevented data leakage?
Question584: During an investigation, it was determined that an employee leaked company system administrative credentials on a public social media site. What is the IS auditor's FIRST recommendation?
Question585: Which of the following would provide management with the MOST reasonable assurance that a new data warehouse will meet the needs of the organization?
Question586: Which of the following MOST effectively minimizes downtime during system conversions?
Question587: Which of the following is the BEST source of information to determine the required level of data protection on a file server?
Question588: Who should issue the organizational policies?
Question589: Which of the following is the BEST indication that a software development project is on track to meet its completion deadline?
Question590: Which of the following is MOST important for an IS auditor to review when evaluating the accuracy of a spreadsheet that contains several macros?
Question591: Which of the following will enable a customer to authenticate an online Internet vendor?
Question592: Which of the following would BEST integrate multiple data warehouses while reducing the workload required for moving data between the warehouses?
Question593: Which of the following is the MOST important consideration for an organization when strategizing to comply with privacy regulations?
Question594: Which of the following provides IS audit professionals with the BEST source of direction for performing audit functions?
Question595: During a review of system access, an IS auditor notes that an employee who has recently changed roles within the organization still has previous access rights. The auditor's NEXT step should be to:
Question596: When planning an audit to assess application controls of a cloud-based system, it is MOST important for the IS auditor to understand the:
Question597: An internal audit department reports directly to the chief financial officer (CFO) of an organization.
This MOST likely leads to:
Question598: An IT steering committee assists the board of directors in fulfilling IT governance duties by:
Question599: An IS auditor has been asked to audit the proposed acquisition of new computer hardware. The auditor's PRIMARY concern is that:
Question600: An organization allows employees to retain confidential data on personal mobile devices Which of the following is the BEST recommendation to mitigate the risk of data leakage from lost or stolen devices?
Question601: The BEST way to provide assurance that a project is adhering to the project plan is to:
Question602: Which of the following provides a new IS auditor with the MOST useful information to evaluate overall IT performance?
Question603: Which of the following data would be used when performing a business impact analysis (BIA)?
Question604: The record-locking option of a database management system (DBMS) serves to:
Question605: An IS auditor discovers that due to resource constraints, a database administrator (DBA) is responsible for developing and executing changes into the production environment. Which of the following should the auditor do FIRST?
Question606: An organization has recently become aware of a pervasive chip-level security vulnerability that affects all of its processors. Which of the following is the BEST way to prevent this vulnerability from being exploited?
Question607: An IS auditor observes a system performance monitoring too that states that a server critical to the organization averages high CPU utilization across a cluster of four virtual servers throughout the audit period. To determine if further investigation is required an IS auditor should review:
Question608: Which of the following is MOST important to consider when defining disaster recovery strategies?
Question609: Which of the following is a PRIMARY benefit of a maturity model?
Question610: Due to a recent business divestiture, an organization has limited IT resources to deliver critical projects. Reviewing the IT staffing plan against which of the following would BEST guide IT management when estimating resource requirements for future projects?
Question611: A confidential file was sent to a legal entity, and hashing was used on the file. Which type of control has been applied?
Question612: Which of the following is the BEST way to mitigate the risk of services no longer being available from a bankrupt Software as a Service (SaaS) provider?
Question613: What is the BEST way to reduce the risk of inaccurate or misleading data proliferating through business intelligence systems?
Question614: Which of the following governance functions is responsible for ensuring IT projects have sufficient resources and are prioritized appropriately?
Question615: Which of the following should be an IS auditor's PRIMARY consideration when determining which issues to include in an audit report?
Question616: During a project meeting for the Implementation of an Enterprise resource planning (ERP). a new requirement Is requested by the finance department. Which of the following would BEST Indicate to an IS auditor that the resulting risk to the project has been assessed?
Question617: Which of the following is MOST important for an IS auditor to confirm when conducting a review of an active-active application cluster configuration?
Question618: During an operational audit on the procurement department, the audit team encounters a key system that uses an artificial intelligence (AI) algorithm. The audit team does not have the necessary knowledge to proceed with the audit. Which of the following is the BEST way to handle this situation?
Question619: Which of the following is the GREATEST risk associated with data conversion and migration during implementation of a new application?
Question620: Which of the following is the BEST indication that an IT service desk function needs to improve its incident management processes?
Question621: Which of the following will MOST likely compromise the control provided by a digital signature created using RSA encryption?
Question622: Which of the following would be of GREATEST concern if noted during an audit of compliance with licensing agreements?
Question623: Which of the following BEST enables system resiliency for an e-commerce organization that requires a low recovery time objective (RTO) and a low recovery point objective (RPO)?
Question624: After delivering an audit report, the audit manager discovers that evidence was overlooked during the audit. This evidence indicates that procedural control may have failed and could contradict a conclusion of the audit. Which of the following risks is MOST affected by this oversight?