Question1: An IS auditor is evaluating the log management system for an organization with devices and systems in multiple geographic locations. Which of the following is MOST important for the auditor to verify?
Question2: Which of the following is the MOST effective approach in assessing the quality of modifications made to financial software?
Question3: Which of the following is MOST important for an organization to consider when planning to outsource data storage to a third-party provider?
Question4: During which IT project phase is it MOST appropriate to conduct a benefits realization analysis?
Question5: As part of the architecture of virtualized environments, in a bare metal or native virtualization the hypervisor runs without:
Question6: Which of the following is the BEST approach for determining the overall IT risk appetite of an organization when business units use different methods for managing IT risks?
Question7: Which of the following is a concern associated with virtualization?
Question8: Which of the following is the MOST important responsibility of user departments associated with program changes?
Question9: Which of the following is the GREATEST advantage of vulnerability scanning over penetration testing?
Question10: When implementing Internet Protocol security (IPsec) architecture, the servers involved in application delivery:
Question11: Which of the following is the BEST way to ensure a vendor complies with system security requirements?
Question12: Which of the following is MOST important when creating a forensic image of a hard drive?
Question13: Which of the following is the PRIMARY risk when business units procure IT assets without IT involvement?
Question14: A security administrator is called in the middle of the night by the on-call programmer. A number of programs have failed, and the programmer has asked for access to the live system. What is the BEST course of action?
Question15: Which of the following is the BEST indication of the completeness of interface control documents used for the development of a new application?
Question16: Which of the following is the MOST effective audit approach to verify whether the projected benefits described in an IT project's business case are realistic?
Question17: Which of the following roles is PRIMARILY responsible for mitigating the risk of benefits not being realized in an IT project?
Question18: An internal audit team is deciding whether to use an audit management application hosted by a third party in a different country. What should be the MOST important consideration related to the uploading of payroll audit documentation in the hosted application?
Question19: Following a discussion on the results of a recent audit engagement, the process owner of the audited area has provided an action plan addressing the gaps and recommendations. The auditor disagrees with some of the responses where the process owner is accepting a level of residual risk that is not within the organization's risk appetite. What is the auditor's BEST course of action?
Question20: A bank has a combination of corporate customer accounts (higher monetary value) and small business accounts (lower monetary value) as part of online banking. Which of the following is the BEST sampling approach for an IS auditor to use for these accounts?
Question21: Which of the following is the GREATEST advantage of agile development over waterfall development?
Question22: When planning a follow-up, the IS auditor is informed by operational management that recent organizational changes have addressed the previously identified risk and implementing the action plan is no longer necessary. What should the auditor do NEXT?
Question23: Which of the following should be identified FIRST during the risk assessment process?
Question24: Which of the following security risks can be reduced by a properly configured network firewall?
Question25: Which of the following would MOST effectively ensure the integrity of data transmitted over a network?
Question26: Which of the following is MOST important for an IS auditor to review when an audit identifies that the business continuity plan (BCP) does not address scenarios involving extended system outages?
Question27: Which of the following BEST ensures the confidentiality of sensitive data during transmission?
Question28: Management has agreed to move the organization's data center due to recent flood map changes in its current location. Which risk response has been adopted?
Question29: Which of the following will BEST ensure that a proper cutoff has been established to reinstate transactions and records to their condition just prior to a computer system failure?
Question30: Which of the following would provide an organization with the GREATEST assurance that a service provider's controls for destroying personally identifiable information (PH) are operating effectively?
Question31: An IS auditor is reviewing processes for importing market price data from external data providers.
Which of the following findings should the auditor consider MOST critical?
Question32: When reviewing an IT strategic plan, the GREATEST concern would be that:
Question33: Which of the following is the BEST indicator of the effectiveness of an organization's portfolio management program?
Question34: Which of the following should be the role of internal audit in an organization's move to the cloud?
Question35: An IS auditor observes that a business-critical application does not currently have any level of fault tolerance Which of the following is the GREATEST concern with this situation?
Question36: Which of the following would be of GREATEST concern to an IS auditor evaluating an organization's change management process?
Question37: An organization has an acceptable use policy in place, but users do not formally acknowledge the policy. Which of the following is the MOST significant risk from this finding?
Question38: Which of the following is an analytical review procedure for a payroll system?
Question39: An IS auditor notes that several employees are spending an excessive amount of time using social media sites for personal reasons. Which of the following should the auditor recommend be performed FIRST?
Question40: Which of the following is MOST important to include in a business case for an IT-enabled investment?
Question41: Which of the following is MOST important for an IS auditor to confirm upon learning that an organization utilizes storage virtualization for key systems in their environment?
Question42: Following a breach, what is the BEST source to determine the maximum amount of time before customers must be notified that their personal information may have been compromised?
Question43: An advantage of object-oriented system development is that it:
Question44: An employee approaches an IS auditor and expresses concern about a critical security issue in a newly installed application. Which of the following should the auditor do FIRST?
Question45: Which of the following is an effective way to ensure the integrity of file transfers in a peer-to-peer (P2P) computing environment?
Question46: IT management has not implemented action plans for a previous audit report finding and has decided to accept the associated risk. Which of the following is the auditor's BEST course of action?
Question47: Which of the following should be of GREATEST concern to an IS auditor who is assessing an organization's configuration and release management process?
Question48: Which of the following is MOST likely to increase if an organization increases its risk appetite?
Question49: Which of the following is a challenge in developing a service level agreement (SLA) for network services?
Question50: Which of the following methods BEST enforces data leakage prevention in a multi-tenant cloud environment?
Question51: Which of the following is the BEST way to mitigate the risk associated with unintentional modifications of complex calculations in end-user computing (EUC)?
Question52: Which of the following is the BEST use of a balanced scorecard when evaluating IT performance?
Question53: Which of the following is BEST used for detailed testing of a business application's data and configuration files?
Question54: Which of the following is a preventive control that can protect against internal fraud in an organization?
Question55: What should be an IS auditor's MOST important consideration when assessing whether an organization's IT project portfolio is appropriately prioritized?
Question56: An IS auditor finds that a new network connection allows communication between the Internet and the internal enterprise resource planning (ERP) system. Which of the following is the PRIMARY business impact to include when presenting this observation to management?
Question57: Which of the following is the BEST way to verify the effectiveness of a data restoration process?
Question58: Which of the following would be an IS auditor's GREATEST concern when reviewing the organization's business continuity plan (BCP)?
Question59: Which of the following is MOST important to ensuring the IT governance function can fulfill its responsibilities?
Question60: During an IT operations audit multiple unencrypted backup tapes containing sensitive credit card information cannot be found Which of the following presents the GREATEST risk to the organization?
Question61: An IT steering committee assists the board of directors in fulfilling IT governance duties by:
Question62: An organization has recently implemented a Voice-over IP (VoIP) communication system. Which of the following should be the IS auditor's PRIMARY concern?
Question63: An IS auditor is reviewing an organization's plan to migrate a legacy database platform to a cloud-based database service. Which of the following steps is MOST important during the migration to preserve data integrity?
Question64: An IS auditor is evaluating the progress of a web-based customer service application development project. Which of the following would be MOST helpful for this evaluation?
Question65: During a vendor management database audit, an IS auditor identifies multiple instances of duplicate vendor records. In order to prevent recurrence of the same issue, which of the following is the IS auditor's BEST recommendation to management?
Question66: Audit observations should be FIRST communicated with the auditee:
Question67: Which of the following is the PRIMARY reason for using a digital signature?
Question68: The PRIMARY objective of IT service level management is to.
Question69: An IS auditor concludes that an organization has a quality security policy. Which of the following is MOST important to determine next? The policy must be:
Question70: An IS audit reveals an organization has decided not to implement a new regulation by the required deadline because the cost of rapid implementation is higher than the penalty for noncompliance. Which of the following is the auditor's BEST course of action?
Question71: What is the PRIMARY reason to adopt a risk-based IS audit strategy?
Question72: An emergency power-off switch should:
Question73: After the merger of two organizations, which of the following is the MOST important task for an IS auditor to perform?
Question74: Data from a system of sensors located outside of a network is received by the open ports on a server. Which of the following is the BEST way to ensure the integrity of the data being collected from the sensor system?
Question75: Which of the following should an IS auditor ensure is classified at the HIGHEST level of sensitivity?
Question76: Which of the following observations noted during a review of the organization s social media practices should be of MOST concern to the IS auditor?
Question77: Which of the following should an IS auditor consider the MOST significant risk associated with a new health records system that replaces a legacy system?
Question78: Which of the following BEST enables an organization to verify whether an encrypted message sent by a client has been altered?
Question79: An IS auditor finds an emergency change request where an IT manager approved the change, modified the code on the production platform, and resolved the ticket. Which of the following should be the auditor's GREATEST concern?
Question80: An organization has developed mature risk management practices that are followed across all departments. What is the MOST effective way for the audit team to leverage this risk management maturity?
Question81: A bank's transactional services are exclusively conducted online via Internet and mobile banking.
Both its primary and disaster recovery sites are supported by the same Internet service provider (ISP). Which of the following is the BEST way for the bank to minimize risk in this situation?
Question82: Which of the following is the MOST appropriate control to ensure integrity of online orders?
Question83: An IS auditor finds that communication closets requiring electronic swipe card access are missing access logs. Which of the following should be done NEXT?
Question84: Which of the following analytical methods would be MOST useful when trying to identify groups with similar behavior or characteristics in a large population?
Question85: An organization has shifted from a bottom-up approach to a top-down approach in the development of IT policies. This should result in:
Question86: To help determine whether a controls-reliant approach to auditing financial systems in a company should be used, which sequence of IS audit work is MOST appropriate?
Question87: Which of the following is the PRIMARY reason to perform a risk assessment?
Question88: Which of the following should be of MOST concern to an IS auditor reviewing data backup procedures prior to a system migration?
Question89: During the implementation of an upgraded enterprise resource planning (ERP) system, which of the following is the MOST important consideration for a go-live decision?
Question90: Which of the following areas is MOST likely to be overlooked when implementing a new data classification process?
Question91: While reviewing an organization's business continuity plan (BCP), an IS auditor observes that a recently developed application is not included. The IS auditor should:
Question92: Which of the following BEST enables the timely identification of risk exposure?
Question93: What is a PRIMARY benefit of using Transport Layer Security (TLS) in an e-commerce application?
Question94: An IS auditor finds that irregularities have occurred and that auditee management has chosen to ignore them. If reporting to external authorities is required, which of the following is the BEST action for the IS auditor to take?
Question95: Which of the following is the GREATEST risk if two users have concurrent access to the same database record?
Question96: Which of the following should be the GREATEST concern for an IS auditor reviewing data management of a data warehouse?
Question97: Which of the following is the BEST way for an organization to mitigate the risk associated with third-party application performance?
Question98: Which of the following changes intended to improve and streamline an organization's incident management process would be a potential concern to an IS auditor?
Question99: Which of the following is the PRIMARY purpose of conducting an IS audit follow-up?
Question100: A help desk has been contacted regarding a lost business mobile device. The FIRST course of action should be to:
Question101: An IS auditor is reviewing results from the testing of an organization's disaster recovery plan (DRP). Which of the following findings should be of GREATEST concern?
Question102: What should an IS auditor verify FIRST when evaluating the implementation of a data classification scheme?
Question103: Which of the following techniques provides the BEST assurance of server availability over time?
Question104: The use of control totals reduces the risk of
Question105: Due to advancements in technology and electronic records, an IS auditor has completed an engagement by email only. Which of the following did the IS auditor potentially compromise?
Question106: What should an IS auditor do FIRST when management responses to an in-person internal control questionnaire indicate a key internal control is no longer effective?
Question107: Which of the following would be of MOST concern for an IS auditor evaluating the design of an organization's incident management processes?
Question108: The PRIMARY reason for an IS auditor to use data analytics techniques is to reduce which type of audit risk?
Question109: Which of the following is the MOST important prerequisite for the protection of physical information assets in a data center?
Question110: Which of the following provides the MOST useful information for performing a business impact analysis (BIA)?
Question111: Which of the following should an IS auditor use when verifying a three-way match has occurred in an enterprise resource planning (ERP) system?
Question112: Which of the following tasks would cause the GREATEST segregation of duties (SoD) concern if performed by the person who reconciles the organization's device inventory?
Question113: Which of the following is the MOST critical factor for the successful implementation of an IT governance framework?
Question114: Which of the following is acceptable to be left out of a final audit report?
Question115: An IS auditor is reviewing an organization's primary router access control list. Which of the following should result in a finding?
Question116: During an annual payroll audit, an IS auditor identifies issues that were also in the previous year's audit. Which of the following is the GREATEST concern?
Question117: Which of the following application input controls would MOST likely detect data input errors in the customer account number field during the processing of an accounts receivable transaction?
Question118: Which of the following governance functions is responsible for ensuring IT projects have sufficient resources and are prioritized appropriately?
Question119: Which of the following should be an IS auditor's GREATEST consideration when scheduling follow-up activities for agreed-upon management responses to remediate audit observations?
Question120: What are the three competing demands to be addressed by project management?
Question121: Which of the following should be the PRIMARY basis for procedures to dispose of data securely?
Question122: Which of the following is MOST important to review when auditing an identity provider's use of access tokens to control the interaction between an application programming interface (API) and a server?
Question123: When classifying information, it is MOST important to align the classification to:
Question124: Which of the following is the MOST important factor when an organization is developing information security policies and procedures?
Question125: Which of the following is the PRIMARY reason an IS auditor would recommend offsite backups although critical data is already on a redundant array of inexpensive disks (RAID)?
Question126: Which of the following controls associated with software development would be classified as a preventive control to address scope creep?
Question127: Which of the following is the MOST important consideration for patching mission critical business application servers against known vulnerabilities?
Question128: Which of the following is the BEST method to delete sensitive information from storage media that will be reused?
Question129: Which of the following MOST effectively minimizes downtime during system conversions?
Question130: Which of the following is the MOST appropriate role for an IS auditor assigned as a team member for a software development project?
Question131: Which of the following is the MOST appropriate and effective fire suppression method for an unstaffed computer room?
Question132: Audits are intended be conducted in accordance with which of the following ideals?
Question133: Which of the following would be of MOST concern when determining if information assets are adequately safeguarded during transport and disposal?
Question134: In a high-volume, real-time system, the MOST effective technique by which to continuously monitor and analyze transaction processing is:
Question135: What is the BEST way to reduce the risk of inaccurate or misleading data proliferating through business intelligence systems?
Question136: Which of the following should be the FIRST consideration when deciding whether data should be moved to a cloud provider for storage?
Question137: Which of the following features of a library control software package would protect against unauthorized updating of source code?
Question138: Which of the following is MOST likely to increase non-sampling risk?
Question139: Using swipe cards to limit employee access to restricted areas requires implementing which additional control?
Question140: The PRIMARY focus of a post-implementation review is to verify that:
Question141: When planning an audit to assess application controls of a cloud-based system, it is MOST important for the IS auditor to understand the:
Question142: During an external review, an IS auditor observes an inconsistent approach in classifying system criticality within the organization. Which of the following should be recommended as the PRIMARY factor to determine system criticality?
Question143: Which of the following would BEST demonstrate that an effective disaster recovery plan (DRP) is in place?
Question144: Which of the following should be of GREATEST concern to an IS auditor when using data analytics?
Question145: Which of the following is MOST important to ensure when planning a black box penetration test?
Question146: An IS auditor observes that each department follows a different approach for creating and securing spreadsheet macros. Which of the following is the auditor's BEST recommendation for management in this situation?
Question147: An IS audit team is evaluating documentation of the most recent application user access review.
It is determined that the user list was not system generated. Which of the following should be of MOST concern?
Question148: When performing an audit of a third-party provider, it is MOST important to ensure:
Question149: Which type of review is MOST important to conduct when an IS auditor is informed that a recent internal exploitation of a bug has been discovered in a business application?
Question150: An organization has implemented a distributed security administration system to replace the previous centralized one. Which of the following presents the GREATEST potential concern?
Question151: Which of the following is MOST important to determine when conducting a post-implementation review?
Question152: An organization is running servers with critical business applications that are in an area subject to frequent but brief power outages. Knowledge of which of the following would allow the organization's management to monitor the ongoing adequacy of the uninterruptible power supply (UPS)?
Question153: Which of the following is the GREATEST impact as a result of the ongoing deterioration of a detective control?
Question154: Which of the following BEST ensures that effective change management is in place in an IS environment?
Question155: Which of the following is MOST important to consider when developing a business continuity plan (BCP)?
Question156: Which of the following should be an IS auditor's PRIMARY consideration when evaluating the development and design of a privacy program?
Question157: When an intrusion into an organization's network is detected, which of the following should be done FIRST?
Question158: An IS auditor detects that event logging has been disabled on a critical server. Which of the following is the GREATEST concern?
Question159: Which of the following should be of MOST concern to an IS auditor reviewing a system interface that exchanges data across borders?
Question160: In a review of the organization standards and guidelines for IT management, which of the following should be included in an IS development methodology?
Question161: Which of the following should be given GREATEST consideration when implementing the use of an open-source product?
Question162: An organization's IT risk assessment should include the identification of:
Question163: Which of the following should be the MOST important consideration when conducting a review of IT portfolio management?
Question164: A company has implemented an IT segregation of duties policy. In a role-based environment, which of the following roles may be assigned to an application developer?
Question165: Which of the following presents the GREATEST threat to an organization's entire virtual infrastructure?
Question166: After the release of an application system, an IS auditor wants to verify that the system is providing value to the organization. The auditor's BEST course of action would be to:
Question167: Which of the following is MOST important to ensure when developing an effective security awareness program?
Question168: During an audit of a data center with updated technology, the auditee indicates that environmental controls are the same as those used in the previous environment. The IS auditor should FIRST:
Question169: An IS auditor is reviewing a sample of production incidents and notes that a root cause analysis is not being performed. Which of the following is the GREATEST risk associated with this finding?
Question170: An organization has recently become aware of a pervasive chip-level security vulnerability that affects all of its processors. Which of the following is the BEST way to prevent this vulnerability from being exploited?
Question171: A configuration management audit identified that predefined automated procedures are used when deploying and configuring application infrastructure in a cloud-based environment. Which of the following is MOST important for the IS auditor to review?
Question172: Which of the following is MOST important to verify when implementing an organization's information security program?
Question173: Which of the following is MOST useful for matching records of incoming and outgoing personnel to identify tailgating in physical security logs?
Question174: What should be the PRIMARY objective of performing a risk assessment when planning for an IS audit engagement?
Question175: Which of the following should be done FIRST to develop an effective business continuity plan (BCP)?
Question176: An IS auditor learns that a web application within the audit scope has a vulnerability that could lead to the exposure of sensitive data. Which of the following should the auditor do FIRST?
Question177: Which of the following should be the FIRST step in managing the impact of a recently discovered zero-day attack?
Question178: Which of the following is the BEST control to help detect input errors in the customer account number field during accounts receivable transaction processing?
Question179: Which of the following is the BEST control to minimize the risk of unauthorized access to lost company-owned mobile devices?
Question180: Which of the following BEST enables an IS auditor to objectively determine the performance of an IT business process?
Question181: Which of the following BEST helps to ensure data integrity across system interfaces?
Question182: An organization uses public key infrastructure (PKI) to provide email security. Which of the following would be the MOST efficient method to determine whether email messages have been modified in transit?
Question183: Which of the following would be the MOST useful metric for management to consider when reviewing a project portfolio?
Question184: Which of the following is an IS auditor's BEST approach when low-risk anomalies have been identified?
Question185: Which of the following would BEST protect the confidentiality of sensitive data in transit between multiple offices?
Question186: An organization plans to centrally decommission end-of-life databases and migrate the data to the latest model of hardware. Which of the following BEST ensures data integrity is preserved during the migration?
Question187: Which of the following security measures will reduce the risk of propagation when a cyberattack occurs?
Question188: When protecting the confidentiality of information assets, the MOST effective control practice is the:
Question189: Which of the following fire suppression systems needs to be combined with an automatic switch to shut down the electricity supply in the event of activation?
Question190: Which of the following is the MOST important feature of access control software?
Question191: What is the BEST method to determine if IT resource spending is aligned with planned project spending?
Question192: An organization that has suffered a cyber attack is performing a forensic analysis of the affected users' computers. Which of the following should be of GREATEST concern for the IS auditor reviewing this process?
Question193: Which of the following provides the BEST evidence of the validity and integrity of logs in an organization's security information and event management (SIEM) system?
Question194: What is the BEST method for securing credit card numbers stored temporarily on a file server prior to transmission to the downstream system for payment processing?
Question195: Compared to developing a system in-house, acquiring a software package means that the need for testing by end users is:
Question196: When conducting a requirements analysis for a project, the BEST approach would be to:
Question197: Which of the following is MOST important for an IS auditor to verify when an organization is preparing to implement a data loss prevention (DLP) system?
Question198: For the implementation of a program change in a production environment, the MOST important approval required is from:
Question199: Internal audit is evaluating an organization's IT portfolio management. Which of the following would be the BEST recommendation for prioritizing the funding of IT projects?
Question200: What is the definition of a standard as compared to a guideline?
Question201: Which of the following is the BEST justification for deferring remediation testing until the next audit?
Question202: When auditing the security architecture of an online application, an IS auditor should FIRST review the:
Question203: Which of the following should be of GREATEST concern to an IS auditor planning to employ data analytics in an upcoming audit?
Question204: An IS auditor performing a review of a newly purchased software program notes that an escrow agreement has been executed for acquiring the source code.
What is MOST important for the IS auditor to verify?
Question205: An organization outsourced its IS functions. To meet its responsibility for disaster recovery, the organization should:
Question206: A transaction processing system interfaces with the general ledger. Data analytics has identified that some transactions are being recorded twice in the general ledger. While management states a system fix has been implemented, what should the IS auditor recommend to validate the interface is working in the future?
Question207: Which of the following should be the GREATEST concern to an IS auditor reviewing the information security framework of an organization?
Question208: Which of the following is the MOST appropriate testing approach when auditing a daily data flow between two systems via an automated interface to confirm that it is complete and accurate?
Question209: An IS auditor is reviewing the maturity of a large organization's IT governance. Which of the following BEST demonstrates that IT governance has been effectively implemented?
Question210: A credit card company has decided to outsource the printing of customer statements It Is MOST important for the company to verify whether:
Question211: Which of the following BEST enables an organization to manage unexpected or on-request jobs?
Question212: Which of the following Is the MOST effective way for an IS auditor to evaluate whether an organization is well positioned to defend against an advanced persistent threat (APT)?
Question213: An IS auditor is conducting a post-implementation review of an enterprise resource planning (ERP) system. End users indicated concerns with the accuracy of critical automatic calculations made by the system. The auditor's FIRST course of action should be to:
Question214: Which of the following is the BEST way to help ensure new IT implementations align with enterprise architecture (EA) principles and requirements?
Question215: An IS auditor is providing input to an RFP to acquire a financial application system. Which of the following is MOST important for the auditor to recommend?
Question216: Which of the following would be a concern of the auditor that should be explained in the audit report along with their findings?
Question217: An IS auditor is testing the accuracy of transactions in a system to ensure financial statements are reasonably accurate. Which of the following is the BEST testing methodology to use in this situation?
Question218: An IS auditor has discovered that a software system still in regular use is years out of date and no longer supported The auditee has stated that it will take six months until the software is running on the current version. Which of the following is the BEST way to reduce the immediate risk associated with using an unsupported version of the software?
Question219: After discussing findings with an auditee, an IS auditor is required to obtain approval of the report from the CEO before issuing it to the audit committee. This requirement PRIMARILY affects the IS auditor's:
Question220: An IS audit manager was temporarily tasked with supervising a project manager assigned to the organization's payroll application upgrade Upon returning to the audit department, the audit manager has been asked to perform an audit to validate the implementation of the payroll application The audit manager Is the only one in the audit department with IT project management experience. What is the BEST course of action?
Question221: An organization is migrating its HR application to an Infrastructure as a Service (IaaS) model in a private cloud. Who is PRIMARILY responsible for the security configurations of the deployed application's operating system?
Question222: While auditing a small organization's data classification processes and procedures, an IS auditor noticed that data is often classified at the incorrect level. What is the MOST effective way for the organization to improve this situation?
Question223: During the walk-through procedures for an upcoming audit, an IS auditor notes that the key application in scope is part of a Software as a Service (SaaS) agreement. What should the auditor do NEXT?
Question224: An IS auditor finds that an online retailer is experiencing unacceptable system response times due to high demand. Which of the following would BEST help to improve system performance?
Question225: During an operational audit on the procurement department, the audit team encounters a key system that uses an artificial intelligence (AI) algorithm. The audit team does not have the necessary knowledge to proceed with the audit. Which of the following is the BEST way to handle this situation?
Question226: Which of the following is the MOST effective control for protecting the confidentiality and integrity of data stored unencrypted on virtual machines?
Question227: Which of the following audit procedures would provide the BEST assurance that an application program is functioning as designed?
Question228: An IS auditor discovers that validation controls in a web application have been moved from the server side into the browser to boost performance. This would MOST likely increase the risk of a successful attack by:
Question229: Which of the following is the BEST indicator of the effectiveness of an organization's incident response program?
Question230: Which of the following should be an IS auditor's GREATEST concern when a data owner assigns an incorrect classification level to data?
Question231: An IS auditor assessing the controls within a newly implemented call center would FIRST:
Question232: An IS auditor has been tasked to review the processes that prevent fraud within a business expense claim system. Which of the following stakeholders is MOST important to involve in this review?
Question233: Which of the following management decisions presents the GREATEST risk associated with data leakage?
Question234: An organization s audit charter PRIMARILY:
Question235: An IS auditor notes that the previous year's disaster recovery test was not completed within the scheduled time frame due to insufficient hardware allocated by a third-party vendor. Which of the following provides the BEST evidence that adequate resources are now allocated to successfully recover the systems?
Question236: Which of the following presents the GREATEST concern for an organization that plans to interconnect client databases across national borders?
Question237: An IS auditor is reviewing an artificial intelligence (AI) and expert system application. The system has produced several critical errors with severe impact. Which of the following should the IS auditor do NEXT to understand the cause of the errors?
Question238: Which of the following should be of GREATEST concern to an IS auditor reviewing a report of an unsuccessful disaster recovery test?
Question239: Which of the following should be of GREATEST concern to an IS auditor assessing an organization's patch management program?
Question240: The concept of due care is best defined as which of the following?
Question241: An IS auditor notes the transaction processing times in an order processing system have significantly increased after a major release. Which of the following should the IS auditor review FIRST?
Question242: Which of the following is the BEST way to ensure an organization's data classification policies are preserved during the process of data transformation?
Question243: When evaluating the design of controls related to network monitoring, which of the following is MOST important for an IS auditor to review?
Question244: Which of the following access rights presents the GREATEST risk when granted to a new member of the system development staff?
Question245: Which of the following is the BEST indicator to measure service quality of change and incident management processes outsourced to an external provider?
Question246: An organization has both an IT strategy committee and an IT steering committee. When reviewing the minutes of the IT steering committee, an IS auditor would expect to find that the committee:
Question247: Which of the following BEST indicates a need to review an organization's information security policy?
Question248: Which of the following is MOST critical for the effective implementation of IT governance?
Question249: During an ongoing audit, management requests a briefing on the findings to date. Which of the following is the IS auditor's BEST course of action?
Question250: The MOST important measure of the effectiveness of an organization's security program is the:
Question251: Which of the following would be an IS auditor's GREATEST concern when reviewing the early stages of a software development project?
Question252: An IS auditor suspects a company-owned computer may have been involved in illegal trading activities. What is the BEST way for the auditor to proceed?
Question253: Which type of framework is BEST suited to illustrate the traceability of information and communications technologies and their alignment with business objectives?
Question254: In an environment that automatically reports all program changes, which of the following is the MOST efficient way to detect unauthorized changes to production programs?
Question255: Which of the following metrics is the BEST indicator of the performance of a web application?
Question256: Following a merger, a review of an international organization determines the IT steering committee's decisions do not extend to regional offices as required in the consolidated IT operating model. Which of the following is the IS auditor's BEST recommendation?
Question257: Which of the following should an IS auditor do FIRST upon finding that a business impact analysis (BIA) was not conducted during a business continuity audit?
Question258: An IS auditor is evaluating an organization's IT strategy and plans. Which of the following would be of GREATEST concern?
Question259: An IS auditor wants to determine who has oversight of staff performing a specific task and is referencing the organization's RACI chart. Which of the following roles within the chart would provide this information?
Question260: The two types of tests are referred to as _________ and _______ using __________ sampling methods.
Question261: An IS auditor discovers that an IT organization serving several business units assigns equal priority to all initiatives, creating a risk of delays in securing project funding. Which of the following would be MOST helpful in matching demand for projects and services with available resources in a way that supports business objectives?
Question262: During an exit meeting, an IS auditor highlights that backup cycles are being missed due to operator error and that these exceptions are not being managed.
Which of the following is the BEST way to help management understand the associated risk?
Question263: Which of the following should be of GREATEST concern to an IS auditor reviewing an organization's newly established enterprise architecture (EA)?
Question264: In an area susceptible to unexpected increases in electrical power, which of the following would MOST effectively protect the system?
Question265: An organization considers implementing a system that uses a technology that is not in line with the organization's IT strategy. Which of the following is the BEST justification for deviating from the IT strategy?
Question266: Which of the following should be the GREATEST concern for an IS auditor performing a post- implementation review for a major system upgrade?
Question267: How does a continuous integration/continuous development (CI/CD) process help to reduce software failure risk?
Question268: Which of the following is the MOST reliable way for an IS auditor to evaluate the operational effectiveness of an organization's data loss prevention (DLP) controls?
Question269: Following a recent internal data breach, an IS auditor was asked to evaluate information security practices within the organization. Which of the following findings would be MOST important to report to senior management?
Question270: A national bank recently migrated a large number of business-critical applications to the cloud.
Which of the following is MOST important to ensuring the resiliency of the applications?
Question271: A new regulation requires organizations to report significant security incidents to the regulator within 24 hours of identification. Which of the following is the IS auditor s BEST recommendation to facilitate compliance with the regulation?
Question272: Which of the following BEST enables an organization to control which software can be installed on a user's computer?
Question273: Which of the following audit procedures would be MOST conclusive in evaluating the effectiveness of on e-commerce application system's edit routine?
Question274: Which of the following provides a new IS auditor with the MOST useful information to evaluate overall IT performance?
Question275: During an organization's implementation of a data loss prevention (DLP) solution, which of the following activities should be completed FIRST?
Question276: Which of the following would provide the BEST evidence of the effectiveness of mandated annual security awareness training?
Question277: Which of the following is the MOST important determining factor when establishing appropriate timeframes for follow-up activities related to audit findings?
Question278: What is the BEST way to evaluate a control environment where the organization and a third party have shared responsibility?
Question279: Which of the following should be done FIRST when auditing an IT portfolio management process at a large organization?
Question280: Which of the following is the MOST important advantage of participating in beta testing of software products?
Question281: Which of the following processes is MOST important to define within a data classification policy?
Question282: Which of the following is the MOST effective way to identify exfiltration of sensitive data by a malicious insider?
Question283: Which type of data analytics can be used to identify invalid data, extreme values, or linear correlations between data elements?
Question284: An audit has identified that business units have purchased cloud-based applications without IT's support. What is the GREATEST risk associated with this situation?
Question285: Which of the following is MOST important for an organization to complete prior to developing its disaster recovery plan (DRP)?
Question286: Which of the following is a PRIMARY benefit of using risk assessments to determine areas to be included in an audit plan?
Question287: An employee loses a mobile device resulting in loss of sensitive corporate data. Which of the following would have BEST prevented data leakage?
Question288: Data anonymization helps to prevent which types of attacks in a big data environment?
Question289: Management has decided to accept a risk in response to a draft audit recommendation. Which of the following should be the IS auditor's NEXT course of action?
Question290: Which of the following BEST indicates that an incident management process is effective?
Question291: Which of the following findings would be of GREATEST concern when auditing an organization's end-user computing (EUC)?
Question292: Which of the following is the BEST recommendation to mitigate the risk associated with remote access through the hypervisor interface?
Question293: A finance department has a multi-year project to upgrade the enterprise resource planning (ERP) system hosting the general ledger, and in year one, the system version upgrade will be applied.
Which of the following should be the PRIMARY focus of the IS auditor reviewing the first year of the project?
Question294: An IS auditor should look for which of the following to ensure the risk associated with scope creep has been mitigated during software development?
Question295: Which of the following is the BEST use of a maturity model in a small organization?
Question296: An IS auditor noted a recent production incident in which a teller transaction system incorrectly charged fees to customers due to a defect from a recent release. Which of the following should be the auditor's NEXT step?
Question297: Which of the following applications has the MOST inherent risk and should be prioritized during audit planning?
Question298: Management states that a recommendation made during a prior audit has been implemented, but the IS auditor doubts the effectiveness of the actions taken. Which of the following is the auditor's MOST appropriate course of action?
Question299: During a security access review, an IS auditor identifies a segregation of duties issue involving financial reporting for which there are no mitigating controls. Which of the following stakeholders should be notified of this finding FIRST?
Question300: Which of the following indicators would BEST demonstrate the efficiency of a help desk operation?
Question301: Which of the following security testing techniques is MOST effective in discovering unknown malicious attacks?
Question302: When is it MOST important for an IS auditor to apply the concept of materiality in an audit?
Question303: Which of the following is MOST important for an IS auditor to confirm when conducting a review of an active-active application cluster configuration?
Question304: In the development of a new financial application, the IS auditor's FIRST involvement should be in the:
Question305: Which of the following should be an IS auditor's GREATEST concern when reviewing an organization's security controls for policy compliance?
Question306: An organization requires any travel and entertainment expenses over $10,000 to be approved by senior management. Which of the following is the MOST effective way to mitigate the risk that employees will split invoices to avoid the approval process?
Question307: Which of the following findings should be of GREATEST concern during an audit of IT governance and management?
Question308: When protecting mobile devices, which of the following is the PRIMARY risk mitigated by authentication controls?
Question309: Which of the following would be an auditor's GREATEST concern when reviewing data inputs from spreadsheets into the core finance system?
Question310: Which of the following would aid an IS auditor reviewing the integrity of program changes migrated into production?
Question311: Which of the following provides the BEST evidence that all elements of a business continuity plan (BCP) are operating effectively?
Question312: Which of the following would be MOST useful to an IS auditor when making recommendations to enable continual improvement of IT processes over time?
Question313: An organization's security policy mandates that all new employees must receive appropriate security awareness training. Which of the following metrics would BEST assure compliance with this policy?
Question314: An IS auditor finds that capacity management for a key system is being performed by IT with no input from the business The auditor's PRIMARY concern would be:
Question315: Which of the following is the BEST way for senior audit leadership to be engaged during the planning phase of an audit in order to improve audit quality?
Question316: What is the purpose of the audit committee?
Question317: Transaction records from a business database were inadvertently deleted, and system operators decided to restore from a snapshot copy. Which of the following provides the BEST assurance that the transactions were recovered successfully?
Question318: The PRIMARY purpose of running a new system in parallel is to:
Question319: Which of the following should be of GREATEST concern to an IS auditor reviewing data conversion and migration during the implementation of a new application system?
Question320: An IS auditor is evaluating the IT business planning process. Which of the following should be of GREATEST concern to the auditor?
Question321: A bank wants to outsource a system to a cloud provider residing in another country. Which of the following would be the MOST appropriate IS audit recommendation?
Question322: Which of the following is MOST important to have in place to build consensus among key stakeholders on the cost-effectiveness of IT?
Question323: Which of the following would present the GREATEST concern during a review of internal audit quality assurance (QA) and continuous improvement processes?
Question324: A manager identifies active privileged accounts belonging to staff who have left the organization.
Which of the following is the threat actor in this scenario?
Question325: Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?
Question326: Which of the following should be the FIRST step when developing a data loss prevention (DLP) solution for a large organization?
Question327: Critical processes are not defined in an organization's business continuity plan (BCP). Which of the following would have MOST likely identified the gap?
Question328: Which of the following is the MOST useful information for an IS auditor to review when formulating an audit plan for the organization's outsourced service provider?
Question329: In an IT organization where many responsibilities are shared, which of the following is the BEST control for detecting unauthorized data changes?
Question330: A large organization has a centralized infrastructure team and decentralized application support teams reporting into their respective business units. Which of the following is the GREATEST potential issue with his organizational structure?
Question331: A small business unit is implementing a control self-assessment (CSA) program and leveraging the internal audit function to test its internal controls annually. Which of the following is the MOST significant benefit of this approach?
Question332: The IS quality assurance (QA) group is responsible for:
Question333: A bank uses a system that requires monetary amounts found on check images to be input twice by two separate individuals. The system then identifies any mismatches between the first and second input. Which type of control has the bank implemented?
Question334: Which of the following should be the FIRST step when conducting an IT risk assessment?
Question335: Which of the following is the BEST way to evaluate customer satisfaction and system reliability when considering a prospective IT vendor during the request for proposal (RFP) process?
Question336: An incident response team has been notified of a virus outbreak in a network subnet. Which of the following should be the NEXT step?
Question337: An audit of environmental controls at a data center could include a review of the
Question338: When assessing the quality of personnel data, an IS auditor finds that the data values reconcile to values outside of the database and logical access is appropriately restricted. Which of the following should also be reviewed to provide a comprehensive assessment of the data quality?
Question339: Which of the following BEST enables an organization to balance value delivery and risk management?
Question340: An IS auditor has been tasked with auditing the inventory control process for a large organization that processes millions of data transactions. Which of the following is the BEST testing strategy to adopt?
Question341: In a small IT web development company where developers must have write access to production, the BEST recommendation of an IS auditor would be to:
Question342: During a review of system access, an IS auditor notes that an employee who has recently changed roles within the organization still has previous access rights. The auditor's NEXT step should be to:
Question343: Which of the following is MOST important to verify when determining the completeness of the vulnerability scanning process?
Question344: A bank performed minor changes to the interest calculation computer program. Which of the following techniques would provide the STRONGEST evidence to determine whether the interest calculations are correct?
Question345: Prior to the migration of acquired software into production, it is MOST important that the IS auditor review the:
Question346: Which of the following is the BEST evidence that an organization's IT strategy is aligned to its business objectives?
Question347: Which of the following is MOST important when implementing a data classification program?
Question348: Which of the following is the MOST effective control over visitor access to highly secured areas?
Question349: While reviewing the effectiveness of an incident response program, an IS auditor notices a high number of reported incidents involving malware originating from removable media found by employees. Which of the following is the MOST appropriate recommendation to management?
Question350: Which of the following data would be used when performing a business impact analysis (BIA)?
Question351: Which of the following cloud capabilities BEST enables an organization to meet unexpectedly high service demand?
Question352: Which type of testing BEST determines whether a new system meets business requirements and is ready to be placed into production?
Question353: Which of the following observations should be of GREATEST concern to an IS auditor performing an audit of change and release management controls for a new complex system developed by a small in-house IT team?
Question354: Which of the following would provide the BEST evidence of an IT strategy committee's effectiveness?
Question355: Which of the following findings should be of MOST concern to an IS audit or reviewing an organization's business continuity plan (BCP)?
Question356: Which of the following conditions should be of GREATEST concern to an IS auditor reviewing change management?
Question357: Which of the following is MOST helpful to a data owner when classifying the organization's data?
Question358: Which of the following IT processes should be correlated to incidents as the BEST way to support continuous improvement in service management?
Question359: Which of the following provides the MOST useful information regarding an organization's risk appetite and tolerance?
Question360: Which of the following is the PRIMARY objective of implementing privacy-related controls within an organization?
Question361: Which of the following is the PRIMARY advantage of using an automated security log monitoring tool instead of conducting a manual review to monitor the use of privileged access?
Question362: An organization's strategy to source certain IT functions from a software as a service (SaaS) provider should be approved by the:
Question363: Which of the following should be an IS auditor's GREATEST concern when reviewing a reciprocal disaster recovery agreement between two organizations?
Question364: A review of IT interface controls finds an organization does not have a process to identify and correct records that do not get transferred to the receiving system.
Which of the following is the IS auditor's BEST recommendation?
Question365: Which of the following is MOST important when duties in a small organization cannot be appropriately segregated?
Question366: An application development team is also promoting changes to production for a critical financial application. Which of the following is the BEST control to reduce the associated risk?
Question367: Which of the following BEST enables system resiliency for an e-commerce organization that requires a low recovery time objective (RTO) and a low recovery point objective (RPO)?
Question368: Which of the following is the PRIMARY objective of implementing IT governance?
Question369: Which of the following provides the BEST evidence that IT portfolio management is aligned with organizational strategies?
Question370: Which task should an IS auditor complete FIRST during the preliminary planning phase of a database security review?
Question371: Which of the following is the GREATEST concern when consolidating several applications from two outdated servers onto one new server?
Question372: Which of the following findings should be of GREATEST concern to an IS auditor performing a review of IT operations?
Question373: Which of the following is an example of inherent risk?
Question374: An organization is modernizing its technology policy framework to demonstrate compliance with external industry standards. Which of the following would be MOST useful to an IS auditor for validating the outcome?
Question375: Which of the following is the MOST appropriate control to have in place after data migration?
Question376: An IS auditor is assigned to review the IS departments quality procedures Upon contacting the IS manager, the auditor finds that there is an informal unwritten set of standards Which of the following should be the auditor's NEXT action?
Question377: Which of the following should an IS auditor expect to see in a network vulnerability assessment?
Question378: During audit fieldwork, an IS auditor learns that employees are allowed to connect their personal devices to company-owned computers. How can the auditor BEST validate that appropriate security controls are in place to prevent data loss?
Question379: A source code repository should be designed to:
Question380: Which of the following should be an IS auditor's GREATEST concern when assessing an IT service configuration database?
Question381: Which of the following is the GREATEST risk associated with granting local administrative privileges to users for their laptops?
Question382: Which of the following should be the PRIMARY objective of conducting an audit follow-up of management action plans?
Question383: A bank's web-hosting provider has just completed an internal IT security audit and provides only a summary of the findings to the bank's auditor. Which of the following should be the bank's GREATEST concern?
Question384: Who is responsible for authorizing data access for users?
Question385: An IS auditor conducts a review of a third-party vendor's reporting of key performance indicators (KPIs). Which of the following findings should be of MOST concern to the auditor?
Question386: Which of the following indicates that an internal audit organization is structured to support the independence and clarity of the reporting process?
Question387: Which of the following BEST enables a benefits realization process for a system development project?
Question388: Which of the following BEST enables an IS auditor to prioritize financial reporting spreadsheets for an end-user computing (EUC) audit?
Question389: Which of the following is the MOST important privacy consideration for an organization that uses a cloud service provider to process customer data?
Question390: Which of the following should be of GREATEST concern to an IS auditor reviewing an organization's business continuity plan (BCP)?
Question391: An organization has installed blade server technology in its data center. To determine whether higher cooling demands are maintained, which of the following should the IS auditor review?
Question392: The PRIMARY benefit of automating application testing is to:
Question393: Which of the following is the BEST way to reduce the chance of false positive alerts in an intrusion prevention system (IPS) from interrupting network communications?
Question394: Which of the following user actions poses the GREATEST risk for inadvertently introducing malware into a local network?
Question395: Which of the following should be done FIRST when planning to conduct internal and external penetration testing for a client?
Question396: Which of the following is MOST important for an IS auditor to look for in a project feasibility study?
Question397: A white box testing method is applicable with which of the following testing processes?
Question398: Which of the following would be of MOST concern during an audit of an end-user computing (EUC) system containing sensitive information?
Question399: What would be an IS auditor's GREATEST concern when conducting an internal audit of a project to implement a customer relationship management (CRM) system?
Question400: Which of the following biometric access controls has the HIGHEST rate of false negatives?
Question401: The PRIMARY reason to assign data ownership for protection of data is to establish:
Question402: When determining whether a project in the design phase will meet organizational objectives what is BEST to compare against the business case?
Question403: When building or upgrading enterprise cryptographic infrastructure, which of the following is the MOST critical requirement for growing business requirements?
Question404: Which of the following is the PRIMARY reason for an IS auditor to conduct post-implementation reviews?
Question405: The performance, risks, and capabilities of an IT infrastructure are BEST measured using a:
Question406: Which of the following BEST enables an organization to improve the effectiveness of its incident response team?
Question407: An IS auditor identifies that an accounts payable clerk has direct access to a payment file after it has been generated. The MOST significant risk to the organization is that payments may be:
Question408: During an audit, the IS auditor finds that in many cases excessive rights were not removed from a system. Which of the following is the auditor's BEST recommendation?
Question409: When evaluating information security governance within an organization which of the following findings should be of MOST concern to an IS auditor?
Question410: An IS auditor is assessing the adequacy of management's remediation action plan. Which of the following should be the MOST important consideration?
Question411: Which of the following BEST enables the effectiveness of an agile project for the rapid development of a new software application?
Question412: An organization is developing data classification standards and has asked internal audit for advice on aligning the standards with best practices. Internal audit would MOST likely recommend the standards should be:
Question413: An organization recently decided to send the backup of its customer relationship management (CRM) system to its cloud provider for recovery. Which of the following should be of GREATEST concern to an IS auditor reviewing this process?
Question414: An organization has replaced all of the storage devices at its primary data center with new, higher capacity units. The replaced devices have been installed at the disaster recovery site to replace older units. An IS auditor's PRIMARY concern would be whether:
Question415: An organization uses multiple offsite data center facilities. Which of the following is MOST important to consider when choosing related backup devices and media?
Question416: Which of the following reports would provide the GREATEST assurance to an IS auditor about the controls of a third party that processes critical data for the organization?
Question417: An IS audit manager finds that data manipulation logic developed by the audit analytics team leads to incorrect conclusions. This inaccurate logic is MOST likely an indication of which of the following?
Question418: An IS auditor has scanned an organization's wireless network. Which of the following data sources would BEST enable the auditor to identify rogue wireless access points?
Question419: During an IT governance audit, an IS auditor notes that IT policies and procedures are not regularly reviewed and updated. The GREATEST concern to the IS auditor is that policies and procedures might not:
Question420: Which of the following should be an IS auditor's GREATEST concern when reviewing an organization's capacity management planning?
Question421: Which of the following is the BEST way for an IS auditor to verify whether help desk tickets are being managed by IT support in accordance with business expectations?
Question422: IT governance should be driven by:
Question423: Which of the following is MOST important to effectively manage risk associated with application programming interfaces (APIs) and third-party virtual environments?
Question424: Which of the following is the MOST effective control to mitigate unintentional misuse of authorized access?
Question425: An external IS auditor has been engaged to determine the organization's cybersecurity posture.
Which of the following is MOST useful for this purpose?
Question426: The BEST indicator of an optimized quality management system (QMS) is that it:
Question427: Which of the following BEST supports the effectiveness of a compliance program?
Question428: When planning an audit, it is acceptable for an IS auditor to rely on a third-party provider's external audit report on service level management when the:
Question429: An IS auditor has been tasked with analyzing an organization's capital expenditures against its repair and maintenance costs. Which of the following is the BEST reason to use a data analytics tool for this purpose?
Question430: An organization has established hiring policies and procedures designed specifically to ensure network administrators are well qualified Which type of control is in place?
Question431: Which of the following is false concerning a control self-assessment?
Question432: Which of the following is MOST important for an IS auditor to identify in a project business case?
Question433: When removing a financial application system from production, which of the following is MOST important?
Question434: An organization performs virtual machine (VM) replication instead of daily backups of its critical servers. Which of the following is MOST important to validate when evaluating the adequacy of recovery procedures?
Question435: Failing to prevent or detect a material error would represent which type of risk?
Question436: Code changes are compiled and placed in a change folder by the developer. An implementation team migrates changes to production from the change folder.
Which of the following BEST indicates separation of duties is in place during the migration process?
Question437: Which of the following provides the MOST useful information to an IS auditor when selecting projects for inclusion in an IT audit plan?
Question438: Which of the following is a PRIMARY benefit of a maturity model?
Question439: Which of the following would provide the MOST important input during the planning phase for an audit on the implementation of a bring your own device (BYOD) program?
Question440: Which of the following is the BEST way to address potential data privacy concerns associated with inadvertent disclosure of machine identifier information contained within security logs?
Question441: The use of which of the following would BEST enhance a process improvement program?
Question442: What is the MOST difficult aspect of access control in a multiplatform, multiple-site client/server environment?
Question443: Which of the following is a detective control?
Question444: Which of the following would BEST prevent an arbitrary application of a patch?
Question445: Which of the following is MOST important to ensure that electronic evidence collected during a forensic investigation will be admissible in future legal proceedings?
Question446: Which of the following should be the PRIMARY objective of an IS audit exit interview?
Question447: Which of the following documents should specify roles and responsibilities within an IT audit organization?
Question448: The record-locking option of a database management system (DBMS) serves to:
Question449: An IS auditor is reviewing a data conversion project Which of the following is the auditor's BEST recommendation prior to go-live?
Question450: One advantage of monetary unit sampling is the fact that:
Question451: During a follow-up audit, an IS auditor learns that management has deferred the implementation of a previously agreed-upon recommendation. What is the responsibility of the auditor?
Question452: A senior auditor is reviewing work papers prepared by a junior auditor indicating that a finding was removed after the auditee said they corrected the problem.
Which of the following is the senior auditor's MOST appropriate course of action?
Question453: Stress testing should ideally be carried out under a:
Question454: Which of the following is a core functionality of a configuration and release management system?
Question455: Which of the following BEST minimizes performance degradation of servers used to authenticate users of an e-commerce website?
Question456: Which of the following is the BEST way for an IS auditor to determine whether an organization's disaster recovery plan (DRP) is current?
Question457: Which of the following is the FIRST step when determining the feasibility of using data analytics in an audit?
Question458: During a follow-up, an IS auditor learns the auditee has not implemented agreed-upon monitoring controls over a critical legacy system due to a business decision to migrate to a new system in six months. Which of the following is the auditor's BEST course of action?
Question459: During an audit, an IT finding is agreed upon by all IT teams involved, but no team wants to be responsible for remediation or considers the finding within its area of responsibility. Which of the following is the IS auditor's BEST course of action?
Question460: A chief information officer (CIO) has asked an IS auditor to implement several security controls for an organization's IT processes and systems. The auditor should:
Question461: To address issues related to privileged users identified in an IS audit, management implemented a security information and event management (SIEM) system. Which type of control is in place?
Question462: Which of the following would minimize the risk of losing transactions as a result of a disaster?
Question463: An organization is establishing a steering committee for the implementation of a new enterprise resource planning (ERP) system that uses Agile project management methodology. What is the MOST important criterion for the makeup of this committee?
Question464: Which of the following is the GREATEST advantage of maintaining an internal IS audit function within an organization?
Question465: Which of the following ensures components of an IT system are identified and baselined, and that changes to them are implemented in a controlled manner?
Question466: An organization needs to comply with data privacy regulations forbidding the display of personally identifiable information (PII) on customer bills or receipts.
However, it is a business requirement to display at least one attribute so that customers can verify the bills or receipts are intended for them. What is the BEST recommendation?
Question467: Which of the following is a concern when an organization's disaster recovery strategy utilizes a hot site?
Question468: Which of the following would be MOST important to include in an IS audit report?
Question469: An IS auditor has discovered that a cloud-based application was not included in an application inventory that was used to confirm the scope of an audit. The business process owner explained that the application will be audited by a third party in the next year. The auditor's NEXT step should be to:
Question470: Which of the following findings should be of GREATEST concern for an IS auditor when auditing the effectiveness of a phishing simulation test administered for staff members?
Question471: Following the implementation of a data loss prevention (DLP) tool, administrators have been overwhelmed with a high number of false positives. Which of the following is the BEST way to address this issue?
Question472: Which of the following is the PRIMARY role of the IS auditor In an organization's information classification process?
Question473: Which of the following should be of GREATEST concern to an IS auditor reviewing controls around a system interface for two applications with high volumes of transferred data?
Question474: Which of the following would BEST integrate multiple data warehouses while reducing the workload required for moving data between the warehouses?
Question475: Which of the following is the GREATEST security concern specific to virtualized environments?
Question476: Which of the following should an IS auditor regard as the PRIMARY role of IT governance when considering an outsourcing arrangement for IT services?
Question477: An organization recently implemented a cloud document storage solution and removed the ability for end users to save data to their local workstation hard drives.
Which of the following findings should be the IS auditor's GREATEST concern?
Question478: An IS auditor has been asked to perform a post-implementation assessment of a new corporate human resources (HR) system. Which of the following control areas would be MOST important to review for the protection of employee information?
Question479: An organization is planning to hire a third party to develop software. What is the MOST appropriate way for the organization to ensure access to code if the software development company goes out of business?
Question480: During audit planning, the IS audit manager is considering whether to budget for audits of entities regarded by the business as having low risk. Which of the following is the BEST course of action in this situation?
Question481: Capacity management enables organizations to:
Question482: During the evaluation of controls for a major application development project, the MOST effective use of an IS auditor's time would be to review and evaluate:
Question483: Evaluating application development projects against a defined maturity model enables an IS auditor to determine whether:
Question484: The MOST critical security weakness of a packet level firewall is that it can be circumvented by:
Question485: A financial institution suspects that a manager has been crediting customer accounts without authorization. Which of the following is the MOST effective method to validate this concern?
Question486: If a recent release of a program has to be backed out of production, the corresponding changes within the delta version of the code should be:
Question487: A client reviewing a preliminary version of the audit report asks whether a finding in the report could be eliminated or have its risk rating lowered upon retest and audit validation. What would be the auditor's MOST appropriate response?
Question488: Due to limited storage capacity, an organization has decided to reduce the actual retention period for media containing completed low-value transactions. Which of the following is MOST important for the organization to ensure?
Question489: Which of the following is the MOST effective control to mitigate against the risk of inappropriate activity by employees?
Question490: A network review is being undertaken to evaluate security risks. Which of the following would be of MOST concern if identified during the review?
Question491: An IS auditor notes that a mortgage origination team receives customer loan applications via a shared repository. Which of the following findings presents the GREATEST privacy risk for this process?
Question492: Which of the following should an IS auditor do FIRST when determining whether unauthorized changes have been made to production code?
Question493: Which of the following is the BEST security control to validate the integrity of data communicated between production databases and a big data analytics system?
Question494: To ensure confidentiality through the use of asymmetric encryption, a message is encrypted with which of the following?
Question495: Which of the following is the MOST important consideration when designing a risk-based incident response management program?
Question496: Which of the following is the MOST appropriate procedure for an organization to use when classifying data?
Question497: Which of the following is the MOST important prerequisite for implementing a data loss prevention (DLP) tool?
Question498: What is the PRIMARY reason for an organization to classify the data stored on its internal networks?
Question499: When developing customer-facing IT applications, in which stage of the system development life cycle (SLC) MOST beneficial to consider data privacy principles?
Question500: An employee approaches an IS auditor and expresses concern about a critical security issue in a newly installed application. Which of the following would be the MOST appropriate action for the auditor to take?
Question501: Which of the following controls BEST mitigates the risk associated with password compromise?
Question502: As part of business continuity planning, which of the following is MOST important to assess when conducting a business impact analysis (BIA)?
Question503: An IS auditor observes that a bank's web page address is prefixed "https://". The auditor would be correct to conclude that:
Question504: A staff accountant regularly uploads spreadsheets with inventory levels to the organization's financial reporting system. The transfers are executed through a customized interface created by an in-house developer. Which of the following is MOST important for the IS auditor to confirm during a review of the interface?
Question505: Which of the following is the PRIMARY purpose for external assessments of internal audit's quality assurance (QA) systems and frameworks?
Question506: An organization has developed processes to recover critical files in the event of a ransomware attack. Which type of control do these processes represent?
Question507: An organization that processes credit card information employs a remote workforce. Which of the following is the MOST effective way to mitigate risk associated with data exfiltration?
Question508: The PRIMARY purpose of a configuration management system is to:
Question509: An IS auditor observes that exceptions have been approved for an organization's information security policy. Which of the following is MOST important for the auditor to confirm?
Question510: Which of the following would BEST enhance the capability of a web server to accommodate a significant increase in web traffic?
Question511: An IS auditor can BEST evaluate the business impact of system failures by:
Question512: A legacy application is running on an operating system that is no longer supported by the vendor.
If the organization continues to use the current application, which of the following should be the IS auditor's GREATEST concern?
Question513: An external attacker spoofing an internal Internet Protocol (IP) address can BEST be detected by which of the following?
Question514: Which of the following would be of GREATEST concern to an IS auditor assessing the organizational risk associated with fraud?
Question515: Which of the following is the GREATEST advantage of outsourcing the development of an e- banking solution when in-house technical expertise is not available?
Question516: Which of the following will BEST ensure that archived electronic information of permanent importance remains accessible over time?
Question517: An IS auditor is reviewing a bank's service level agreement (SLA) with a third-party provider that hosts the bank's secondary data center. Which of the following findings should be of GREATEST concern to the auditor?
Question518: Which of the following should be of GREATEST concern to an IS auditor assessing the effectiveness of an organization's information security governance?
Question519: Which of the following should be an IS auditor's PRIMARY focus when evaluating the response process for cyber crimes?
Question520: Which of the following provides the BEST assurance that an organization's internal IT projects will consistently deliver the expected return on investment (ROI)?
Question521: When auditing the closing stages of a system development project, which of the following should be the MOST important consideration?
Question522: Which of the following is the BEST indicator that a third-party vendor adheres to the controls required by the organization?
Question523: An information systems security officer's PRIMARY responsibility for business process applications is to:
Question524: Which of the following BEST demonstrates to senior management and the board that an audit function is compliant with standards and the code of ethics?
Question525: Which of the following would be of GREATEST concern to an IS auditor when a multi-function printer device is sent offsite for maintenance?
Question526: Which of the following observations would an IS auditor consider the GREATEST risk when conducting an audit of a virtual server farm for potential software vulnerabilities?
Question527: Which of the following is MOST beneficial to executive management in achieving IT and business alignment?
Question528: Which of the following is an audit reviewer's PRIMARY role with regard to evidence?
Question529: Which of the following should an IS auditor recommend as a PRIMARY area of focus when an organization decides to outsource technical support for its external customers?
Question530: Which of the following is MOST important when defining the IS audit scope?
Question531: In a post-implementation review of a recently purchased system, it is MOST important for the IS auditor to determine whether the:
Question532: An IS audit reveals that an organization is not proactively addressing known vulnerabilities. Which of the following should the IS auditor recommend the organization do FIRST?
Question533: Which of the following is the PRIMARY reason that asset classification is vital to an information security program?
Question534: What is the BEST way for an IS auditor to assess the adequacy of an expert consultant who was selected to be involved in an audit engagement?
Question535: Which of the following is the MAIN responsibility of the IT steering committee?
Question536: An IS auditor reviewing the physical access section of a security plan for a data center should expect to find that:
Question537: Which of the following should be done FIRST when a computer is compromised?
Question538: An IS auditor has found that an organization is unable to add new servers on demand in a cost-efficient manner Which of the following is the auditor s BEST recommendation?
Question539: When is the MOST appropriate time to establish metrics for assessing the effectiveness of an outsourced IT project?
Question540: Which of the following should an IS auditor review FIRST when planning a customer data privacy audit?
Question541: In reviewing the IT strategic plan, the IS auditor should consider whether it identifies the:
Question542: An employee performs computer operations and, when the situation demands, program modifications. Which of the following should the IS auditor recommend?
Question543: During a review of an organizations network threat response process, the IS auditor noticed that the majority of alerts were closed without resolution.
Management responded that those alerts were unworkable due to lack of actionable intelligence, and therefore the support team is allowed to close them. What is the BEST way for the auditor to address this situation?'
Question544: During a follow-up audit, an IS auditor finds that senior management has implemented a different remediation action plan than what was previously agreed upon. Which of the following is the auditor's BEST course of action?
Question545: During a disaster recovery audit, an IS auditor finds that a business impact analysis (BIA) has not been performed. The auditor should FIRST
Question546: In which of the following sampling methods is the entire sample considered to be irregular if a single error is found?
Question547: Halfway through an enterprise-wide project to implement business solutions, an IS auditor is called in to do a project risk evaluation. The results from this audit are to be communicated directly to the project steering committee. What should the auditor do FIRST?
Question548: Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system. Which of the following is the IS auditor s BEST recommendation for a compensating control?
Question549: In which of the following system development life cycle (SDLC) phases would an IS auditor expect to find that controls have been incorporated into system specifications?
Question550: A system administrator recently informed the IS auditor about the occurrence of several unsuccessful intrusion attempts from outside the organization. Which of the following is MOST effective in detecting such an intrusion?
Question551: The BEST way to evaluate the effectiveness of a newly developed application is to:
Question552: An IS auditor notes that not all security tests were completed for an online sales system recently promoted to production. Which of the following is the auditor's BEST course of action?
Question553: In which phase of the internal audit process is contact established with the individuals responsible for the business processes in scope for review?
Question554: An IS auditor reviewing the IS strategic planning process should FIRST review the:
Question555: Which of the following BEST enables an organization to identify potential security threats associated with a virtualization technique proposed by the vendor of a popular virtual machine (VM) system?
Question556: Which of the following BEST addresses the availability of an online store?
Question557: During a follow-up audit, an IS auditor learns that some key management personnel have been replaced since the original audit, and current management has decided not to implement some previously accepted recommendations. What is the auditor's BEST course of action?
Question558: An IS auditor is auditing the operating effectiveness of weekly user access reviews. Of the five weekly reviews sampled, one has not been signed or dated. What is the MAIN reason to note this observation as a finding?
Question559: Which of the following control measures is the MOST effective against unauthorized access of confidential information on stolen or lost laptops?
Question560: An IS auditor is observing transaction processing and notes that a high-priority update job ran out of sequence. What is the MOST significant risk from this observation?
Question561: Which of the following should be of GREATEST concern to an IS auditor assessing the effectiveness of an organization's release management processes?
Question562: Which of the following is the MOST important outcome of the data classification process?
Question563: An organization is permanently transitioning from onsite to fully remote business operations.
When should the existing business impact analysis (BIA) be reviewed?
Question564: Cross-site scripting (XSS) attacks are BEST prevented through:
Question565: During an internal audit of automated controls, an IS auditor identifies that the integrity of data transfer between systems has not been tested since successful implementation two years ago.
Which of the following should the auditor do NEXT?
Question566: Which of the following is the PRIMARY purpose of performing a parallel run of a new system?
Question567: An IS auditor finds that one employee has unauthorized access to confidential data. The IS auditor's BEST recommendation should be to:
Question568: In the case of a disaster where the data center is no longer available which of the following tasks should be done FIRST?
Question569: Which of the following best describes the early stages of an IS audit?
Question570: For an organization that has plans to implement web-based trading, it would be MOST important for an IS auditor to verify the organization's information security plan includes:
Question571: Which of the following is MOST important to ensure when reviewing a global organization's controls to protect data held on its IT infrastructure across all of its locations?
Question572: The decision to accept an IT control risk related to data quality should be the responsibility of the:
Question573: When responding to an ongoing denial of service (DoS) attack, an organization's FIRST course of action should be to
Question574: In data warehouse (DW) management, what is the BEST way to prevent data quality issues caused by changes from a source system?
Question575: Which of the following is MOST important to review when evaluating the performance of a critical web application?
Question576: A new regulation in one country of a global organization has recently prohibited cross-border transfer of personal data. An IS auditor has been asked to determine the organization's level of exposure in the affected country. Which of the following would be MOST helpful in making this assessment?
Question577: Which of the following incident response team activities contributes the MOST to preventing future incidents?
Question578: Which of the following organizational functions is MOST appropriate to monitor the budget associated with an IT project?
Question579: Which of the following is the BEST way to determine whether a test of a disaster recovery plan (DRP) was successful?
Question580: Which of the following should be an IS auditor's PRIMARY consideration when determining which issues to include in an audit report?
Question581: When designing metrics for information security, the MOST important consideration is that the metrics:
Question582: Which of the following is the MOST effective method of destroying sensitive data stored on electronic media?
Question583: Which of the following should an IS auditor verify FIRST when evaluating data quality and life cycle management?
Question584: An organization implemented a cybersecurity policy last year. Which of the following is the GREATEST indicator that the policy may need to be revised?
Question585: Which of the following should be an IS auditor's PRIMARY focus when developing a risk-based IS audit program?
Question586: IS audit management reviewed the audit work done for a system implementation and determined that the weaknesses responsible for a major issue were not in the audit scope. Which type of audit risk was MOST likely overlooked when planning the audit?
Question587: End users with read access to a central database can extract data to their desktops for analysis and reporting to management. What should be the GREATEST concern with this situation?
Question588: Which of the following provides the BEST assurance that a new process for purging transactions does not have a detrimental impact on the integrity of the database?
Question589: Which of the following audit findings should be given the HIGHEST priority?
Question590: During the discussion of a draft audit report, IT management provided suitable evidence that a process has been implemented for a control that had been concluded by the IS auditor as ineffective. Which of the following is the auditor's BEST action?
Question591: A vendor requires privileged access to a key business application. Which of the following is the BEST recommendation to reduce the risk of data leakage?
Question592: An internal audit department recently established a quality assurance (QA) program. Which of the following activities is MOST important to include as part of the QA program requirements?
Question593: An IS auditor is reviewing a recent security incident and is seeking information about the approval of a recent modification to a database system's security settings Where would the auditor MOST likely find this information?
Question594: An IS auditor follows up on a recent security incident and finds the incident response was not adequate. Which of the following findings should be considered MOST critical?
Question595: Which of the following is the BEST way to mitigate the risk associated with malicious changes to binary code during the software development life cycle (SDLC)?
Question596: When a data center is attempting to restore computing facilities at an alternative site following a disaster, which of the following should be restored FIRST?
Question597: Which of the following is the GREATEST benefit of an effective data classification process?
Question598: Which of the following is the GREATEST concern associated with control self-assessments (CSAs)?
Question599: A company converted its payroll system from an external service to an internal package. Payroll processing in April was run in parallel. To validate the completeness of data after the conversion, which of the following comparisons from the old to the new system would be MOST effective?
Question600: Which of the following is the MOST likely reason an organization would use Platform as a Service (PaaS)?
Question601: An organization's enterprise architecture (EA) department decides to change a legacy system's components while maintaining its original functionality Which of the following is MOST important for an IS auditor to understand when reviewing this decision?
Question602: An IS auditor may be justified in using a SMALLER sample size under which of the following circumstances?
Question603: Which of the following network topologies will provide the GREATEST fault tolerance?
Question604: An IS auditor is reviewing the release management process for an in-house software development solution. In which environment Is the software version MOST likely to be the same as production?
Question605: What should be an IS auditor's PRIMARY focus when reviewing a patch management procedure in an environment where availability is a top priority?
Question606: Which of the following would be a result of utilizing a top-down maturity model process?
Question607: During the implementation of an enterprise resource planning (ERP) system, an IS auditor is reviewing the results of user acceptance testing (UAT). The auditor's PRIMARY focus should be to determine if:
Question608: An IS auditor is reviewing a client's outsourced payroll system to assess whether the financial audit team can rely on the application. Which of the following findings would be the auditor's GREATEST concern?
Question609: Which of the following is the BEST indication of effective governance over IT infrastructure?
Question610: Which of the following should be the PRIMARY role of an internal audit function in the management of identified business risks?
Question611: To create a digital signature in a message using asymmetric encryption, it is necessary to:
Question612: An IS auditor should be MOST concerned with the placement of environmental detectors for heat, water, and smoke in which of the following locations?
Question613: Which of the following is MOST important for an IS auditor to confirm when assessing the security of a new cloud-based IT application that is linked with the organization's existing technology?
Question614: Which of the following is the GREATEST risk when relying on reports generated by end-user computing (EUC)?
Question615: Which of the following is critical to the successful establishment of an enterprise IT architecture?
Question616: An organization has implemented a policy to require minimum security control baselines when configuring servers or systems. What control type has been implemented?
Question617: An IS auditor assesses an organization's backup management practices for optimization potential. Which of the following features of a regular backup tape reorganization job BEST enables the organization to realize cost savings?
Question618: Following an internal audit of a database, management has committed to enhance password management controls. Which of the following provides the BEST evidence that management has remediated the audit finding?
Question619: Which of the following provides the MOST comprehensive information about inherent risk within an organization?
Question620: Which of the following is the BEST method to validate that a cloud service provider has implemented information security controls?
Question621: An organization's business continuity plan (BCP) should be:
Question622: What is the purpose of the audit charter?
Question623: Which of the following indicates an effective change control environment?
Question624: The use of which of the following is an inherent risk in the application container infrastructure?
Question625: Which of the following is the MOST important element of quality control with respect to an audit engagement?
Question626: Which of the following should an IS auditor do FIRST when assessing the level of compliance for an organization in the banking industry?
Question627: Which of the following should be the FIRST step to successfully implement a corporate data classification program?
Question628: Which of the following is the BEST way to prevent social engineering incidents?
Question629: When reviewing a business impact analysis (BIA), it is MOST important for an IS auditor to ensure input was obtained from which group of stakeholders?
Question630: The objectives of business process reengineering (BPR) should PRIMARILY include:
Question631: Shortly after a system was deployed into production, it was identified that some key scenarios were not tested during user acceptance testing (UAT). Which of the following is the GREATEST concern with this situation?
Question632: Which of the following should an organization do to anticipate the effects of a disaster?
Question633: Which of the following should be defined in an audit charter?
Question634: Which of the following is the ULTIMATE objective of performing a phishing simulation test?
Question635: When auditing IT organizational structure, which of the following findings presents the GREATEST risk to an organization?
Question636: Which of the following is the BEST way to address segregation of duties issues in an organization with budget constraints?
Question637: Which of the following is the BEST methodology to use for estimating the complexity of developing a large business application?
Question638: Which of the following is the BEST indication that an IT service desk function needs to improve its incident management processes?
Question639: Which of the following is the PRIMARY benefit of performing a maturity model assessment?
Question640: Which of the following demonstrates the use of data analytics for a loan origination process?
Question641: Which of the following is the GREATEST benefit related to disaster recovery for an organization that has converted its infrastructure to a virtualized environment?
Question642: An IS auditor has been asked to audit the proposed acquisition of new computer hardware. The auditor's PRIMARY concern is that:
Question643: In the review of a feasibility study for an IS acquisition, the MOST important step is to:
Question644: Which of the following is an IS auditor's BEST recommendation to protect an organization from attacks when its file server needs to be accessible to external users?
Question645: In which phase of penetration testing would host detection and domain name system (DNS) interrogation be performed?
Question646: What would be the PRIMARY reason for an IS auditor to recommend using key risk indicators (KRIs)?
Question647: Which of the following is the BEST audit procedure to determine whether a firewall is configured in compliance with the organization's security policy?
Question648: When reviewing a project to replace multiple manual data entry systems with an artificial intelligence (Al) system, the IS auditor should be MOST concerned with the impact Al will have on
Question649: The application systems quality assurance (QA) function should:
Question650: Which of the following BEST protects private health information from data loss for clients that utilize remote health-monitoring devices?
Question651: Which of the following would be MOST useful to an organization planning to adopt a public cloud computing model?
Question652: Which of the following should be of GREATEST concern to an IS auditor reviewing a system software development project based on agile practices?
Question653: Which of the following is the MOST effective way to evaluate the physical security of a data center?
Question654: Which of the following should be the GREATEST concern for an IS auditor reviewing the implementation of a security information and event management (SIEM) system?
Question655: An IS audit manager is reviewing workpapers for a recently completed audit of the corporate disaster recovery test. Which of the following should the IS audit manager specifically review to substantiate the conclusions?
Question656: Which of the following issues identified during a formal review of an organization's information security policies presents the GREATEST potential risk to the organization?
Question657: Which of the following should be the FIRST step in a data migration project?
Question658: Which of the following is the MOST important consideration when relying on the work of the prior auditor?
Question659: Which of the following is a social engineering attack method?
Question660: During the implementation of a new system, an IS auditor must assess whether certain automated calculations comply with the regulatory requirements. Which of the following is the BEST way to obtain this assurance?
Question661: Which of the following is the BEST way for an organization that is using a Software as a Service (SaaS) application to reduce its risk associated with the collection and protection of personal information?
Question662: Which of the following is MOST important for an IS auditor to verify when evaluating an organization's data conversion and infrastructure migration plan?
Question663: An IS auditor is reviewing an organization's overall incident response capability following recovery from a cybersecurity incident. Which of the following findings should be of MOST concern to the auditor?
Question664: Which of the following should an IS auditor be MOST concerned with during a post- implementation review?
Question665: An IS auditor is performing an integrated audit covering payment processing activities using point-of-sale (POS) systems. Which of the following findings related to personal identification numbers (PINs) should be of GREATEST concern?
Question666: In order for a firewall to effectively protect a network against external attacks, what fundamental practice must be followed?
Question667: An IT governance body wants to determine whether IT service delivery is based on consistently effective processes. Which of the following is the BEST approach?
Question668: A review of an organization's IT portfolio revealed several applications that are not in use. The BEST way to prevent this situation from recurring would be to implement.
Question669: Which of the following presents the GREATEST challenge to the alignment of business and IT?
Question670: An IS auditor is reviewing documentation from a change that was applied to an application. Which of the following findings would be the GREATEST concern?
Question671: What is the BEST way to control updates to the vendor master file in an accounts payable system?
Question672: Which of the following is the GREATEST risk associated with storing customer data on a web server?
Question673: Which of the following is the BEST way to identify whether the IT help desk is meeting service level agreements (SLAs)?
Question674: Which of the following findings should be of MOST concern to an IS auditor assessing agile software development practices?
Question675: During preparation for an IS audit of an organization's IT security processes, which of the following documents would BEST enable the IS auditor to understand the ownership of specific operational tasks?
Question676: Which of the following is MOST important for an IS auditor to verify when evaluating an organization's firewall?
Question677: During a follow-up audit, an IS auditor finds that some critical recommendations have not been addressed as management has decided to accept the risk. Which of the following is the IS auditor's BEST course of action?
Question678: Which of the following cloud deployment models would BEST meet the needs of a startup software development organization with limited initial capital?
Question679: A database administrator (DBA) should be prevented from:
Question680: When auditing the alignment of IT to the business strategy, it is MOST Important for the IS auditor to:
Question681: Management has requested a post-implementation review of a newly implemented purchasing package to determine to what extent business requirements are being met. Which of the following is MOST likely to be assessed?
Question682: Which of the following is the BEST way to mitigate the risk associated with technology obsolescence?
Question683: What is the GREATEST concern for an IS auditor reviewing contracts for licensed software that executes a critical business process?
Question684: Which of the following should be done FIRST to protect evidence on a computer suspected to be involved in online fraud?
Question685: When reviewing an organization's IT governance processes, which of the following provides the BEST indication that information security expectations are being met at all levels?
Question686: Which of the following should an IS auditor expect to see as a role of an IT strategy committee during the review of an organization's IT governance framework?
Question687: Which of the following is the BEST way to reduce the risk of vulnerabilities introduced by rapid deployment of applications?
Question688: An organization wants to classify database tables according to its data classification scheme.
From an IS auditor's perspective, the tables should be classified based on the:
Question689: Which of the following procedures for testing a disaster recovery plan (DRP) is MOST effective?
Question690: A business has requested an audit to determine whether information stored in an application is adequately protected. Which of the following is the MOST important action before the audit work begins?
Question691: An IS auditor has been asked to review an organization's IT resource management practices.
Which of the following findings should be of GREATEST concern?
Question692: Which of the following should be of MOST concern to an IS auditor reviewing the public key infrastructure (PKI) for enterprise email?
Question693: Which of the following should be reviewed FIRST when assessing the effectiveness of an organization's network security procedures and controls?
Question694: Which of the following would BEST detect that a distributed denial of service (DDoS) attack is occurring?
Question695: During an audit of identity and access management, an IS auditor finds that the engagement audit plan does not include the testing of controls that regulate access by third parties. Which of the following would be the auditor's BEST course of action?
Question696: Which of the following should be the FIRST step when planning an IS audit of a third-party service provider that monitors network activities?
Question697: Which of the following methods would BEST ensure that IT strategy is in line with business strategy?
Question698: An IT strategic plan that BEST leverages IT in achieving organizational goals will include:
Question699: Which of the following yields the HIGHEST level of system availability?
Question700: During a physical security audit, an IS auditor was provided a proximity badge that granted access to three specific floors in a corporate office building. Which of the following issues should be of MOST concern?
Question701: The PRIMARY benefit of information asset classification is that it:
Question702: Which of the following is the PRIMARY reason an IS auditor should discuss observations with management before delivering a final report?
Question703: What should be the PRIMARY basis for selecting which IS audits to perform in the coming year?
Question704: A computer forensic audit is MOST relevant in which of the following situations?
Question705: Which of the following BEST indicates that an organization's risk management practices contribute to the effectiveness of internal IS audits?
Question706: Which of the following should be an IS auditor's GREATEST concern when evaluating an organization's ability to recover from system failures?
Question707: An IS auditor is conducting an IT governance audit and notices many initiatives are managed informally by isolated project managers. Which of the following recommendations would have the GREATEST impact on improving the maturity of the IT team?
Question708: When an IS auditor evaluates key performance indicators (KPIs) for IT initiatives, it is MOST important that the KPIs indicate:
Question709: Effective separation of duties in an online environment can BEST be achieved by utilizing:
Question710: A small organization is experiencing rapid growth and plans to create a new information security policy. Which of the following is MOST relevant to creating the policy?
Question711: When reviewing a data classification scheme, it is MOST important for an IS auditor to determine if
Question712: During an emergency change management audit, an IS auditor notes that one of the changes sampled was a standard change, which follows a different process. What should the auditor do NEXT?
Question713: Many departments of an organization have not implemented audit recommendations by their agreed upon target dates. Who should address this situation?
Question714: Which of the following is the BEST sampling method to use when relatively few errors are expected to be found in a population?
Question715: During the course of fieldwork, an internal IS auditor observes a critical vulnerability within a newly deployed application. What is the auditor's BEST course of action?
Question716: Which of the following helps to ensure the integrity of data for a system interface?
Question717: In an annual audit cycle, the audit of an organization's IT department resulted in many findings.
Which of the following would be the MOST important consideration when planning the next audit?
Question718: Which of the following provides the BEST assurance that vendor-supported software remains up to date?
Question719: Which of the following is the BEST way to sanitize a hard disk for reuse to ensure the organization's information cannot be accessed?
Question720: Which of the following is the BEST preventive control to protect the confidentiality of data on a corporate smartphone in the event it is lost?
Question721: Which of the following is the MOST appropriate indicator of change management effectiveness?
Question722: When implementing a new IT maturity model, which of the following should occur FIRST?
Question723: Which of the following can BEST reduce the impact of a long-term power failure?
Question724: Which of the following is the BEST reason to implement a data retention policy?
Question725: Which of the following BEST ensures the quality and integrity of test procedures used in audit analytics?
Question726: Which of the following should an IS auditor be MOST concerned with when a system uses RFID?
Question727: One benefit of return on investment (ROI) analysis in IT decision making is that it provides the:
Question728: Which of the following is the PRIMARY advantage of parallel processing for a new system implementation?
Question729: Which of the following is the MOST important action to ensure timely detection and triage for potential security incidents within an organization?
Question730: Which of the following observations should be of GREATEST concern to an IS auditor when auditing web application security control as part of an IT general controls audit?
Question731: An IS auditor is following up on prior period items and finds management did not address an audit finding. Which of the following should be the IS auditor's NEXT course of action?
Question732: When auditing an organization's procurement process, which of the following observations should be of MOST concern to an IS auditor?
Question733: Which of the following is an example of a corrective control?
Question734: Which of the following is the GREATEST risk associated with data conversion and migration during implementation of a new application?
Question735: Which of the following BEST demonstrates that IT strategy is aligned with organizational goals and objectives?
Question736: Which of the following is a deterrent security control that reduces the likelihood of an insider threat event?
Question737: Which of the following would be the BEST criteria for monitoring an IT vendor's service levels?
Question738: Which of the following would be the MOST useful metric for senior management to consider when reviewing the current project portfolio?
Question739: An online retailer is receiving customer complaints about receiving different items from what they ordered on the organization's website. The root cause has been traced to poor data quality.
Despite efforts to clean erroneous data from the system, multiple data quality issues continue to occur. Which of the following recommendations would be the BEST way to reduce the likelihood of future occurrences?
Question740: Which of the following describes the relationship between compliance testing and substantive testing?
Question741: An IS auditor is evaluating the risk associated with moving from one database management system (DBMS) to another. Which of the following would be MOST helpful to ensure the integrity of the system throughout the change?
Question742: Which of the following is the BEST source of information for examining the classification of new data?
Question743: Which of the following would BEST determine whether a post-implementation review (PIR) performed by the project management office (PMO) was effective?
Question744: An IS auditor is determining the scope for an upcoming audit. Which of the following BEST enables the auditor to ensure appropriate controls are considered?
Question745: Which of the following is the MOST important reason for IS auditors to perform post- implementation reviews for critical IT projects?
Question746: Which of the following should an IS auditor consider FIRST when evaluating firewall rules?