
CISA Certified Information Systems Auditor Questions and Answers

Questions 4

Retention periods and conditions for the destruction of personal data should be determined by the:

Options:

A.

risk manager.

B.

database administrator (DBA).

C.

privacy manager.

D.

business owner.

Questions 5

An IS auditor is planning a review of an organization's cybersecurity incident response maturity. Which of the following methodologies would provide the MOST reliable conclusions?

Options:

A.

Judgmental sampling

B.

Data analytics testing

C.

Variable sampling

D.

Compliance testing

Questions 6

Which of the following constitutes an effective detective control in a distributed processing environment?

Options:

A.

A log of privileged account use is reviewed.

B.

A disaster recovery plan (DRP) is in place for the entire system.

C.

User IDs are suspended after three incorrect passwords have been entered.

D.

Users are required to request additional access via an electronic mail system.

Questions 7

Following a merger, a review of an international organization determines the IT steering committee's decisions do not extend to regional offices as required in the consolidated IT operating model. Which of the following is the IS auditor's BEST recommendation?

Options:

A.

Create regional centers of excellence.

B.

Engage an IT governance consultant.

C.

Create regional IT steering committees.

D.

Update the IT steering committee's formal charter.

Questions 8

Which of the following is the BEST indicator that a third-party vendor adheres to the controls required by the organization?

Options:

A.

Review of monthly performance reports submitted by the vendor

B.

Certifications maintained by the vendor

C.

Regular independent assessment of the vendor

D.

Substantive log file review of the vendor's system

Questions 9

When designing metrics for information security, the MOST important consideration is that the metrics:

Options:

A.

conform to industry standards.

B.

apply to all business units.

C.

provide actionable data.

D.

are easy to understand.

Questions 10

Which of the following findings from a database security audit presents the GREATEST risk of critical security exposures?

Options:

A.

Legacy data has not been purged.

B.

Admin account passwords are not set to expire.

C.

Default settings have not been changed.

D.

Database activity logging is not complete.

Questions 11

Which of the following is an organization's BEST defense against malware?

Options:

A.

Documented security procedures

B.

Intrusion prevention system (IPS)

C.

Security awareness training

D.

Intrusion detection system (IDS)

Questions 12

When planning an internal penetration test, which of the following is the MOST important step prior to finalizing the scope of testing?

Options:

A.

Ensuring the scope of penetration testing is restricted to the test environment

B.

Obtaining management's consent to the testing scope in writing

C.

Notifying the IT security department regarding the testing scope

D.

Agreeing on systems to be excluded from the testing scope with the IT department

Questions 13

Which of the following BEST describes a digital signature?

Options:

A.

It is under control of the receiver.

B.

It is capable of authorization.

C.

It dynamically validates modifications of data.

D.

It is unique to the sender using it.

Questions 14

Which of the following approaches will ensure recovery time objectives (RTOs) are met for an organization's disaster recovery plan (DRP)?

Options:

A.

Performing a cyber resilience test

B.

Performing a full interruption test

C.

Performing a tabletop test

D.

Performing a parallel test

Questions 15

Which of the following would present the GREATEST concern during a review of internal audit quality assurance (QA) and continuous improvement processes?

Options:

A.

The audit program does not involve periodic engagement with external assessors.

B.

Quarterly reports are not distributed to the audit committee.

C.

Results of corrective actions are not tracked consistently.

D.

Substantive testing is not performed during the assessment phase of some audits.

Questions 16

An organization's IT department and internal IS audit function all report to the chief information officer (CIO). Which of the following is the GREATEST concern associated with this reporting structure?

Options:

A.

Potential for inaccurate audit findings

B.

Compromise of IS audit independence

C.

IS audit resources being shared with other IT functions

D.

IS audit being isolated from other audit functions

Questions 17

An IS auditor is reviewing enterprise governance and finds there is no defined organizational structure for technology risk governance. Which of the following is the GREATEST concern with this lack of structure?

Options:

A.

Software developers may adopt inappropriate technology.

B.

Project managers may accept technology risks exceeding the organization's risk appetite.

C.

Key decision-making entities for technology risk have not been identified.

D.

There is no clear approval entity for organizational security standards.

Questions 18

Which type of risk would MOST influence the selection of a sampling methodology?

Options:

A.

Inherent

B.

Residual

C.

Control

D.

Detection

Questions 19

Which of the following is the MAIN responsibility of the IT steering committee?

Options:

A.

Reviewing and assisting with IT strategy integration efforts

B.

Developing and assessing the IT security strategy

C.

Implementing processes to integrate security with business objectives

D.

Developing and implementing the secure system development framework

Questions 20

Which of the following would BEST guide an IS auditor when determining an appropriate time to schedule the follow-up of agreed corrective actions for reported audit issues?

Options:

A.

Progress updates indicate that the implementation of agreed actions is on track.

B.

Sufficient time has elapsed since implementation to provide evidence of control operation.

C.

Business management has completed the implementation of agreed actions on schedule.

D.

Regulators have announced a timeline for an inspection visit.

Questions 21

During a follow-up engagement, an IS auditor confirms evidence of a problem that was not an issue in the original audit. Which of the following is the auditor's BEST course of action?

Options:

A.

Include the evidence as part of a future audit.

B.

Report only on the areas within the scope of the follow-up.

C.

Report the risk to management in the follow-up report.

D.

Expand the follow-up scope to include examining the evidence.

Questions 22

Which of the following is MOST important to include in security awareness training?

Options:

A.

How to respond to various types of suspicious activity

B.

The importance of complex passwords

C.

Descriptions of the organization's security infrastructure

D.

Contact information for the organization's security team

Questions 23

To ensure confidentiality through the use of asymmetric encryption, a message is encrypted with which of the following?

Options:

A.

Recipient's public key

B.

Sender's private key

C.

Sender's public key

D.

Recipient's private key
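
Questions 13 and 23 both turn on which key does which job. The following is an added example, not part of the question bank: textbook RSA with small hard-coded primes (the primes, key sizes and messages are constructed for illustration and are far too small for real use, and there is no OAEP/PSS padding). It shows that a message encrypted with the recipient's public key can only be decrypted with the recipient's private key (confidentiality), and that a signature made with the sender's private key is verifiable with the sender's public key and fails on any change to the data (so it is unique to the sender).

```python
"""Added example (not from the question bank): textbook RSA with small,
constructed primes to show which key is used for which purpose.

Confidentiality  : encrypt with the RECIPIENT's public key, decrypt with the
                   recipient's private key (Question 23).
Digital signature: sign with the SENDER's private key, verify with the
                   sender's public key, so it is unique to the sender
                   (Question 13).

Toy only: no padding (OAEP/PSS) and primes far too small for real keys.
"""
import hashlib

# Constructed primes for illustration; real RSA keys use ~1024-bit primes.
P = 1_000_000_007
Q = 998_244_353
E = 65_537


def keygen(p=P, q=Q, e=E):
    """Return (public_key, private_key) as ((e, n), (d, n))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e mod phi (Python >= 3.8)
    return (e, n), (d, n)


def encrypt(message: int, recipient_public):
    """Anyone can encrypt to the recipient; only the recipient can decrypt."""
    e, n = recipient_public
    assert 0 <= message < n, "message must be smaller than the modulus"
    return pow(message, e, n)


def decrypt(ciphertext: int, recipient_private):
    d, n = recipient_private
    return pow(ciphertext, d, n)


def _digest(data: bytes, n: int) -> int:
    """Hash the data and reduce into the RSA group (toy stand-in for PSS)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, sender_private):
    """Only the holder of the sender's private key can produce this value."""
    d, n = sender_private
    return pow(_digest(data, n), d, n)


def verify(data: bytes, signature: int, sender_public) -> bool:
    """Anyone with the sender's public key can check the signature; any
    change to the data changes the digest and the check fails."""
    e, n = sender_public
    return pow(signature, e, n) == _digest(data, n)


def demo():
    """Returns (decrypted_ok, signature_ok, tampered_signature_ok)."""
    alice_pub, alice_priv = keygen()                              # sender
    bob_pub, bob_priv = keygen(p=999_999_937, q=999_999_929)      # recipient

    # Confidentiality: Alice encrypts to Bob with BOB's public key.
    secret = 424242
    recovered = decrypt(encrypt(secret, bob_pub), bob_priv)

    # Origin and integrity: Alice signs with HER private key.
    msg = b"transfer 100 to account 7"
    sig = sign(msg, alice_priv)
    ok = verify(msg, sig, alice_pub)
    tampered_ok = verify(b"transfer 900 to account 7", sig, alice_pub)
    return recovered == secret, ok, tampered_ok


if __name__ == "__main__":
    print(demo())
```

Note that encrypting with the sender's private key (option B of Question 23) gives no confidentiality at all, since the matching public key is public by definition; that operation is what a signature is.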

Questions 24

Which of the following is the BEST compensating control against segregation of duties conflicts in new code development?

Options:

A.

Adding the developers to the change approval board

B.

A small number of people have access to deploy code

C.

Post-implementation change review

D.

Creation of staging environments

Questions 25

What is the FIRST step when creating a data classification program?

Options:

A.

Categorize and prioritize data.

B.

Develop data process maps.

C.

Categorize information by owner.

D.

Develop a policy.

Questions 26

Which of the following BEST facilitates strategic program management?

Options:

A.

Implementing stage gates

B.

Establishing a quality assurance (QA) process

C.

Aligning projects with business portfolios

D.

Tracking key project milestones

Questions 27

Which of the following is the MOST important consideration for patching mission critical business application servers against known vulnerabilities?

Options:

A.

Patches are implemented in a test environment prior to rollout into production.

B.

Network vulnerability scans are conducted after patches are implemented.

C.

Vulnerability assessments are periodically conducted according to defined schedules.

D.

Roles and responsibilities for implementing patches are defined.

Questions 28

Which of the following physical controls provides the GREATEST assurance that only authorized individuals can access a data center?

Options:

A.

The data center is patrolled by a security guard.

B.

Access to the data center is monitored by video cameras.

C.

ID badges must be displayed before access is granted.

D.

Access to the data center is controlled by a mantrap.

Questions 29

In the case of a disaster where the data center is no longer available, which of the following tasks should be done FIRST?

Options:

A.

Perform data recovery.

B.

Arrange for a secondary site.

C.

Analyze risk.

D.

Activate the call tree.

Questions 30

During a new system implementation, an IS auditor has been assigned to review risk management at each milestone. The auditor finds that several risks to project benefits have not been addressed. Who should be accountable for managing these risks?

Options:

A.

Enterprise risk manager

B.

Project sponsor

C.

Information security officer

D.

Project manager

Questions 31

An IS auditor wants to determine who has oversight of staff performing a specific task and is referencing the organization's RACI chart. Which of the following roles within the chart would provide this information?

Options:

A.

Consulted

B.

Informed

C.

Responsible

D.

Accountable

Questions 32

What should an IS auditor recommend to management as the MOST important action before selecting a Software as a Service (SaaS) vendor?

Options:

A.

Determine service level requirements.

B.

Complete a risk assessment.

C.

Perform a business impact analysis (BIA)

D.

Conduct a vendor audit.

Questions 33

An IT strategic plan that BEST leverages IT in achieving organizational goals will include:

Options:

A.

a comparison of future needs against current capabilities.

B.

a risk-based ranking of projects.

C.

enterprise architecture (EA) impacts.

D.

IT budgets linked to the organization's budget.

Questions 34

A new regulation requires organizations to report significant security incidents to the regulator within 24 hours of identification. Which of the following is the IS auditor's BEST recommendation to facilitate compliance with the regulation?

Options:

A.

Include the requirement in the incident management response plan.

B.

Establish key performance indicators (KPIs) for timely identification of security incidents.

C.

Enhance the alert functionality of the intrusion detection system (IDS).

D.

Engage an external security incident response expert for incident handling.

Questions 35

An organization has outsourced its data processing function to a service provider. Which of the following would BEST determine whether the service provider continues to meet the organization's objectives?

Options:

A.

Assessment of the personnel training processes of the provider

B.

Adequacy of the service provider's insurance

C.

Review of performance against service level agreements (SLAs)

D.

Periodic audits of controls by an independent auditor

Questions 36

An IS auditor who was instrumental in designing an application is called upon to review the application. The auditor should:

Options:

A.

refuse the assignment to avoid conflict of interest.

B.

use the knowledge of the application to carry out the audit.

C.

inform audit management of the earlier involvement.

D.

modify the scope of the audit.

Questions 37

When implementing Internet Protocol security (IPsec) architecture, the servers involved in application delivery:

Options:

A.

communicate via Transport Layer Security (TLS).

B.

block authorized users from unauthorized activities.

C.

channel access only through the public-facing firewall.

D.

channel access through authentication.

Questions 38

An IS auditor is reviewing an organization that performs backups on local database servers every two weeks and does not have a formal policy to govern data backup and restoration procedures. Which of the following findings presents the GREATEST risk to the organization?

Options:

A.

Lack of offsite data backups

B.

Absence of a data backup policy

C.

Lack of periodic data restoration testing

D.

Insufficient data backup frequency

Questions 39

A proper audit trail of changes to server start-up procedures would include evidence of:

Options:

A.

subsystem structure.

B.

program execution.

C.

security control options.

D.

operator overrides.

Questions 40

The PRIMARY benefit of using a dry-pipe fire-suppression system rather than a wet-pipe system is that a dry-pipe system:

Options:

A.

is more effective at suppressing flames.

B.

allows more time to abort release of the suppressant.

C.

has a decreased risk of leakage.

D.

disperses dry chemical suppressants exclusively.

Questions 41

Which of the following should be the FIRST step when developing a data loss prevention (DLP) solution for a large organization?

Options:

A.

Conduct a data inventory and classification exercise.

B.

Identify approved data workflows across the enterprise.

C.

Conduct a threat analysis against sensitive data usage.

D.

Create the DLP policies and templates.

Questions 42

In a high-volume, real-time system, the MOST effective technique by which to continuously monitor and analyze transaction processing is:

Options:

A.

integrated test facility (ITF).

B.

parallel simulation.

C.

transaction tagging.

D.

embedded audit modules.

Questions 43

Which of the following is MOST important for the successful establishment of a security vulnerability management program?

Options:

A.

A robust tabletop exercise plan

B.

A comprehensive asset inventory

C.

A tested incident response plan

D.

An approved patching policy

Questions 44

An organization's senior management thinks current security controls may be excessive and requests an IS auditor's advice on how to assess the adequacy of current measures. What is the auditor's BEST recommendation to management?

Options:

A.

Perform correlation analysis between incidents and investments.

B.

Downgrade security controls on low-risk systems.

C.

Introduce automated security monitoring tools.

D.

Re-evaluate the organization's risk and control framework.

Questions 45

An IS auditor should be MOST concerned if which of the following fire suppression systems is utilized to protect an asset storage closet?

Options:

A.

Deluge system

B.

Wet pipe system

C.

Preaction system

D.

CO2 system

Questions 46

A secure server room has a badge reader system that records name, date, and time information whenever a staff member uses a badge to enter or exit. When reviewing the system logs, an IS auditor notices records for some employees entering, but not exiting, the room. Which of the following would be the MOST effective compensating control to recommend?

Options:

A.

Installing security cameras at the doors

B.

Changing to a biometric access control system

C.

Implementing a monitored mantrap at entrance and exit points

D.

Requiring two-factor authentication at entrance and exit points

Questions 47

An organization is concerned about duplicate vendor payments on a complex system with a high volume of transactions. Which of the following would be MOST helpful to an IS auditor to determine whether duplicate vendor payments exist?

Options:

A.

Computer-assisted technique

B.

Stratified sampling

C.

Statistical sampling

D.

Process walk-through
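
The point of Question 47 is that on a high-volume system only a computer-assisted audit technique (CAAT) can test the whole population; a duplicate that is not in a sample is never found. The following is an added example, not part of the question bank, of such a technique written in Python over a constructed accounts-payable extract (the ledger rows, vendor names and the seven-day window are assumptions for the demo). It flags exact repeats (same vendor, same invoice number after normalising keying variants, same amount) and near-duplicates (same vendor and amount paid within a few days under a different invoice number).

```python
"""Added example (not from the question bank): a small computer-assisted
audit technique (CAAT) that scans a full payment ledger for duplicate
vendor payments. The ledger below is constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import date

# Constructed sample ledger: (payment_id, vendor, invoice_no, amount, paid_on)
LEDGER = [
    ("P1001", "ACME Ltd", "INV-2041", 1250.00, date(2024, 3, 2)),
    ("P1002", "ACME Ltd", "inv 2041", 1250.00, date(2024, 3, 9)),   # same invoice re-keyed
    ("P1003", "Globex",   "G-77",     480.50,  date(2024, 3, 4)),
    ("P1004", "Globex",   "G-78",     480.50,  date(2024, 3, 5)),   # same vendor/amount, new invoice no.
    ("P1005", "Initech",  "IT-5",     99.99,   date(2024, 3, 6)),
    ("P1006", "Initech",  "IT-5",     99.99,   date(2024, 5, 20)),  # exact repeat, months later
    ("P1007", "Globex",   "G-90",     480.50,  date(2024, 6, 1)),   # same amount but far apart: not flagged
]


def normalise_invoice(inv: str) -> str:
    """Collapse keying variants: case, spaces, punctuation."""
    return re.sub(r"[^A-Z0-9]", "", inv.upper())


def exact_duplicates(ledger):
    """Groups of payments with the same vendor, normalised invoice number and amount."""
    groups = defaultdict(list)
    for pid, vendor, inv, amount, _ in ledger:
        groups[(vendor.upper(), normalise_invoice(inv), round(amount, 2))].append(pid)
    return [ids for ids in groups.values() if len(ids) > 1]


def near_duplicates(ledger, window_days=7):
    """Pairs with the same vendor and amount paid within window_days of each
    other under different invoice numbers (a supplier re-sending an invoice
    under a new number is a common cause)."""
    by_vendor_amount = defaultdict(list)
    for pid, vendor, inv, amount, paid in ledger:
        key = (vendor.upper(), round(amount, 2))
        by_vendor_amount[key].append((paid, pid, normalise_invoice(inv)))
    hits = []
    for items in by_vendor_amount.values():
        items.sort()                       # by payment date
        for i in range(len(items)):
            for j in range(i + 1, len(items)):
                days = (items[j][0] - items[i][0]).days
                if days > window_days:     # sorted, so later items are further apart
                    break
                if items[i][2] != items[j][2]:
                    hits.append((items[i][1], items[j][1], days))
    return hits


def run(ledger=LEDGER):
    """Returns both exception lists for the auditor to follow up."""
    return {"exact": exact_duplicates(ledger), "near": near_duplicates(ledger)}


if __name__ == "__main__":
    for kind, rows in run().items():
        print(kind, rows)
```

Every exception is a lead for the auditor to trace back to source documents, not a conclusion; the value of the CAAT is that it tests 100% of the population in one pass and its rules are explicit and repeatable.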

Questions 48

The following findings are the result of an IS auditor's post-implementation review of a newly implemented system. Which of the following findings is of GREATEST significance?

Options:

A.

A lessons-learned session was never conducted.

B.

The project's 10% budget overrun was not reported to senior management.

C.

Measurable benefits were not defined.

D.

Monthly dashboards did not always contain deliverables.

Questions 49

Which of the following is MOST critical to the success of an information security program?

Options:

A.

Alignment of information security with IT objectives

B.

Management’s commitment to information security

C.

Integration of business and information security

D.

User accountability for information security

Questions 50

An IS auditor is conducting a post-implementation review of an enterprise resource planning (ERP) system. End users indicated concerns with the accuracy of critical automatic calculations made by the system. The auditor's FIRST course of action should be to:

Options:

A.

review recent changes to the system.

B.

verify completeness of user acceptance testing (UAT).

C.

verify results to determine validity of user concerns.

D.

review initial business requirements.

Questions 51

Which of the following is MOST useful when planning to audit an organization's compliance with cybersecurity regulations in foreign countries?

Options:

A.

Prioritize the audit to focus on the country presenting the greatest amount of operational risk.

B.

Follow the cybersecurity regulations of the country with the most stringent requirements.

C.

Develop a template that standardizes the reporting of findings from each country's audit team.

D.

Map the different regulatory requirements to the organization's IT governance framework.

Questions 52

Which of the following should be of GREATEST concern to an IS auditor reviewing project documentation for a client relationship management (CRM) system migration project?

Options:

A.

The technical migration is planned for a holiday weekend and end users may not be available.

B.

Five weeks prior to the target date, there are still numerous defects in the printing functionality.

C.

A single implementation phase is planned and the legacy system will be immediately decommissioned.

D.

Employees are concerned that data representation in the new system is completely different from the old system.

Questions 53

A disaster recovery plan (DRP) should include steps for:

Options:

A.

assessing and quantifying risk.

B.

negotiating contracts with disaster planning consultants.

C.

identifying application control requirements.

D.

obtaining replacement supplies.

Questions 54

An organization allows employees to retain confidential data on personal mobile devices. Which of the following is the BEST recommendation to mitigate the risk of data leakage from lost or stolen devices?

Options:

A.

Require employees to attend security awareness training.

B.

Password protect critical data files.

C.

Configure to auto-wipe after multiple failed access attempts.

D.

Enable device auto-lock function.

Questions 55

Which of the following is the MOST important consideration for a contingency facility?

Options:

A.

The contingency facility has the same badge access controls as the primary site.

B.

Both the contingency facility and the primary site have the same number of business assets in their inventory.

C.

The contingency facility is located a sufficient distance away from the primary site.

D.

Both the contingency facility and the primary site are easily identifiable.

Questions 56

Which of the following is the BEST way for management to ensure the effectiveness of the cybersecurity incident response process?

Options:

A.

Periodic reporting of cybersecurity incidents to key stakeholders

B.

Periodic update of incident response process documentation

C.

Periodic cybersecurity training for staff involved in incident response

D.

Periodic tabletop exercises involving key stakeholders

Questions 57

Which of the following is the MOST significant impact to an organization that does not use an IT governance framework?

Options:

A.

Inadequate measurement of key risk indicators (KRIs)

B.

Inadequate alignment of IT plans and business objectives

C.

Inadequate business impact analysis (BIA) results and predictions

D.

Inadequate measurement of key performance indicators (KPIs)

Questions 58

Which of the following is MOST important for an effective control self-assessment (CSA) program?

Options:

A.

Determining the scope of the assessment

B.

Performing detailed test procedures

C.

Evaluating changes to the risk environment

D.

Understanding the business process

Questions 59

Which of the following tests would provide the BEST assurance that a health care organization is handling patient data appropriately?

Options:

A.

Compliance with action plans resulting from recent audits

B.

Compliance with local laws and regulations

C.

Compliance with industry standards and best practice

D.

Compliance with the organization's policies and procedures

Questions 60

Which of the following is the BEST control to prevent the transfer of files to external parties through instant messaging (IM) applications?

Options:

A.

File level encryption

B.

File Transfer Protocol (FTP)

C.

Instant messaging policy

D.

Application-level firewalls

Questions 61

Which of the following is the MOST effective way for an organization to protect against data loss?

Options:

A.

Limit employee internet access.

B.

Implement data classification procedures.

C.

Review firewall logs for anomalies.

D.

Conduct periodic security awareness training.

Questions 62

An IS auditor discovers that validation controls in a web application have been moved from the server side into the browser to boost performance. This would MOST likely increase the risk of a successful attack by:

Options:

A.

phishing.

B.

denial of service (DoS)

C.

structured query language (SQL) injection

D.

buffer overflow
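
Question 62 rests on one fact: anything the browser checks can be skipped, because an attacker sends requests straight to the endpoint with curl or an intercepting proxy, so input that only the browser validated reaches the database untouched. The following is an added example, not part of the question bank, showing the same account lookup twice against an in-memory SQLite table with constructed rows: once trusting the browser-side check and building the SQL by string formatting (vulnerable), and once re-validating on the server and binding the value as a query parameter (fixed). The table, the rows and the `account_id` parameter name are assumptions for the demo.

```python
"""Added example (not from the question bank): why browser-side validation
does not stop SQL injection. The accounts table and rows are constructed.
"""
import re
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [(1, "alice", 120), (2, "bob", 75), (3, "carol", 990)],   # constructed data
    )
    return conn


def lookup_vulnerable(conn, account_id: str):
    """Assumes the browser's JavaScript already checked that account_id is
    numeric, so the value is pasted straight into the statement."""
    sql = f"SELECT id, owner, balance FROM accounts WHERE id = {account_id}"
    return conn.execute(sql).fetchall()


ID_RE = re.compile(r"^\d{1,9}$")


def lookup_fixed(conn, account_id: str):
    """Server-side validation AND a parameterised query. Either alone would
    stop this payload; together they also cover the cases where the
    validation rule is later loosened."""
    if not ID_RE.fullmatch(account_id):
        raise ValueError("account_id must be numeric")
    sql = "SELECT id, owner, balance FROM accounts WHERE id = ?"
    return conn.execute(sql, (int(account_id),)).fetchall()


def demo():
    """Returns (rows for an honest request, rows leaked by the injected
    request, whether the fixed version rejected it, fixed honest result)."""
    conn = make_db()
    honest = "2"                 # what the browser sends after its own check
    payload = "2 OR 1=1"         # what an attacker sends directly to the endpoint
    leaked = lookup_vulnerable(conn, payload)        # the WHERE clause is now always true
    try:
        lookup_fixed(conn, payload)
        blocked = False
    except ValueError:
        blocked = True
    return (len(lookup_vulnerable(conn, honest)), len(leaked),
            blocked, lookup_fixed(conn, honest))


if __name__ == "__main__":
    print(demo())
```

Client-side validation is still worth keeping for usability, but it is not a security control; the server must treat every parameter as untrusted regardless of what the page's JavaScript did.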

Questions 63

An IS auditor discovers an option in a database that allows the administrator to directly modify any table. This option is necessary to overcome bugs in the software, but is rarely used. Changes to tables are automatically logged. The IS auditor's FIRST action should be to:

Options:

A.

recommend that the option to directly modify the database be removed immediately.

B.

recommend that the system require two persons to be involved in modifying the database.

C.

determine whether the log of changes to the tables is backed up.

D.

determine whether the audit trail is secured and reviewed.

Questions 64

An IS auditor suspects an organization's computer may have been used to commit a crime. Which of the following is the auditor's BEST course of action?

Options:

A.

Examine the computer to search for evidence supporting the suspicions.

B.

Advise management of the crime after the investigation.

C.

Contact the incident response team to conduct an investigation.

D.

Notify local law enforcement of the potential crime before further investigation.

Questions 65

Which of the following is the BEST recommendation to include in an organization's bring your own device (BYOD) policy to help prevent data leakage?

Options:

A.

Require employees to waive privacy rights related to data on BYOD devices.

B.

Require multi-factor authentication on BYOD devices.

C.

Specify employee responsibilities for reporting lost or stolen BYOD devices.

D.

Allow only registered BYOD devices to access the network.

Questions 66

Due to advancements in technology and electronic records, an IS auditor has completed an engagement by email only. Which of the following did the IS auditor potentially compromise?

Options:

A.

Proficiency

B.

Due professional care

C.

Sufficient evidence

D.

Reporting

Questions 67

Which of the following would be a result of utilizing a top-down maturity model process?

Options:

A.

A means of benchmarking the effectiveness of similar processes with peers

B.

A means of comparing the effectiveness of other processes within the enterprise

C.

Identification of older, more established processes to ensure timely review

D.

Identification of processes with the most improvement opportunities

Questions 68

When an intrusion into an organization's network is detected, which of the following should be done FIRST?

Options:

A.

Block all compromised network nodes.

B.

Contact law enforcement.

C.

Notify senior management.

D.

Identify nodes that have been compromised.

Questions 69

An IS auditor notes the transaction processing times in an order processing system have significantly increased after a major release. Which of the following should the IS auditor review FIRST?

Options:

A.

Capacity management plan

B.

Training plans

C.

Database conversion results

D.

Stress testing results

Questions 70

Which of the following is MOST important with regard to an application development acceptance test?

Options:

A.

The programming team is involved in the testing process.

B.

All data files are tested for valid information before conversion.

C.

User management approves the test design before the test is started.

D.

The quality assurance (QA) team is in charge of the testing process.

Questions 71

Which of the following is a social engineering attack method?

Options:

A.

An unauthorized person attempts to gain access to secure premises by following an authorized person through a secure door.

B.

An employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone.

C.

A hacker walks around an office building using scanning tools to search for a wireless network to gain access.

D.

An intruder eavesdrops and collects sensitive information flowing through the network and sells it to third parties.

Questions 72

Due to limited storage capacity, an organization has decided to reduce the actual retention period for media containing completed low-value transactions. Which of the following is MOST important for the organization to ensure?

Options:

A.

The policy includes a strong risk-based approach.

B.

The retention period allows for review during the year-end audit.

C.

The total transaction amount has no impact on financial reporting.

D.

The retention period complies with data owner responsibilities.

Questions 73

A system development project is experiencing delays due to ongoing staff shortages. Which of the following strategies would provide the GREATEST assurance of system quality at implementation?

Options:

A.

Implement overtime pay and bonuses for all development staff.

B.

Utilize new system development tools to improve productivity.

C.

Recruit IS staff to expedite system development.

D.

Deliver only the core functionality on the initial target date.

Questions 74

Which of the following strategies BEST optimizes data storage without compromising data retention practices?

Options:

A.

Limiting the size of file attachments being sent via email

B.

Automatically deleting emails older than one year

C.

Moving emails to a virtual email vault after 30 days

D.

Allowing employees to store large emails on flash drives

Questions 75

Documentation of workaround processes to keep a business function operational during recovery of IT systems is a core part of a:

Options:

A.

business impact analysis (BIA).

B.

threat and risk assessment.

C.

business continuity plan (BCP).

D.

disaster recovery plan (DRP).

Questions 76

The decision to accept an IT control risk related to data quality should be the responsibility of the:

Options:

A.

information security team.

B.

IS audit manager.

C.

chief information officer (CIO).

D.

business owner.

Questions 77

Which of the following should be an IS auditor's PRIMARY focus when developing a risk-based IS audit program?

Options:

A.

Portfolio management

B.

Business plans

C.

Business processes

D.

IT strategic plans

Questions 78

Coding standards provide which of the following?

Options:

A.

Program documentation

B.

Access control tables

C.

Data flow diagrams

D.

Field naming conventions

Questions 79

An IS auditor notes that several employees are spending an excessive amount of time using social media sites for personal reasons. Which of the following should the auditor recommend be performed FIRST?

Options:

A.

Implement a process to actively monitor postings on social networking sites.

B.

Adjust budget for network usage to include social media usage.

C.

Use data loss prevention (DLP) tools on endpoints.

D.

Implement policies addressing acceptable usage of social media during working hours.

Questions 80

Which of the following BEST guards against the risk of attack by hackers?

Options:

A.

Tunneling

B.

Encryption

C.

Message validation

D.

Firewalls

Questions 81

What should be the PRIMARY basis for selecting which IS audits to perform in the coming year?

Options:

A.

Senior management's request

B.

Prior year's audit findings

C.

Organizational risk assessment

D.

Previous audit coverage and scope

Questions 82

In a small IT web development company where developers must have write access to production, the BEST recommendation of an IS auditor would be to:

Options:

A.

hire another person to perform migration to production.

B.

implement continuous monitoring controls.

C.

remove production access from the developers.

D.

perform a user access review for the development team.

Questions 83

While executing follow-up activities, an IS auditor is concerned that management has implemented corrective actions that are different from those originally discussed and agreed with the audit function. In order to resolve the situation, the IS auditor's BEST course of action would be to:

Options:

A.

re-prioritize the original issue as high risk and escalate to senior management.

B.

schedule a follow-up audit in the next audit cycle.

C.

postpone follow-up activities and escalate the alternative controls to senior audit management.

D.

determine whether the alternative controls sufficiently mitigate the risk.

Questions 84

Which of the following is the BEST compensating control when segregation of duties is lacking in a small IS department?

Options:

A.

Background checks

B.

User awareness training

C.

Transaction log review

D.

Mandatory holidays

Questions 85

Which of the following is the BEST way to address segregation of duties issues in an organization with budget constraints?

Options:

A.

Rotate job duties periodically.

B.

Perform an independent audit.

C.

Hire temporary staff.

D.

Implement compensating controls.

Questions 86

Which of the following is an audit reviewer's PRIMARY role with regard to evidence?

Options:

A.

Ensuring unauthorized individuals do not tamper with evidence after it has been captured

B.

Ensuring evidence is sufficient to support audit conclusions

C.

Ensuring appropriate statistical sampling methods were used

D.

Ensuring evidence is labeled to show it was obtained from an approved source

Questions 87

Which of the following BEST ensures the quality and integrity of test procedures used in audit analytics?

Options:

A.

Developing and communicating test procedure best practices to audit teams

B.

Developing and implementing an audit data repository

C.

Decentralizing procedures and implementing periodic peer review

D.

Centralizing procedures and implementing change control

Questions 88

Which of the following is the BEST source of information for assessing the effectiveness of IT process monitoring?

Options:

A.

Real-time audit software

B.

Performance data

C.

Quality assurance (QA) reviews

D.

Participative management techniques

Questions 89

An organization's security policy mandates that all new employees must receive appropriate security awareness training. Which of the following metrics would BEST assure compliance with this policy?

Options:

A.

Percentage of new hires that have completed the training.

B.

Number of new hires who have violated enterprise security policies.

C.

Number of reported incidents by new hires.

D.

Percentage of new hires who report incidents.

Questions 90

Which of the following is the BEST method to safeguard data on an organization's laptop computers?

Options:

A.

Disabled USB ports

B.

Full disk encryption

C.

Biometric access control

D.

Two-factor authentication

Questions 91

An IS auditor finds the log management system is overwhelmed with false positive alerts. The auditor's BEST recommendation would be to:

Options:

A.

establish criteria for reviewing alerts.

B.

recruit more monitoring personnel.

C.

reduce the firewall rules.

D.

fine tune the intrusion detection system (IDS).

Questions 92

Which of the following is the BEST justification for deferring remediation testing until the next audit?

Options:

A.

The auditor who conducted the audit and agreed with the timeline has left the organization.

B.

Management's planned actions are sufficient given the relative importance of the observations.

C.

Auditee management has accepted all observations reported by the auditor.

D.

The audit environment has changed significantly.

Questions 93

Which of the following should be the MOST important consideration when conducting a review of IT portfolio management?

Options:

A.

Assignment of responsibility for each project to an IT team member

B.

Adherence to best practice and industry approved methodologies

C.

Controls to minimize risk and maximize value for the IT portfolio

D.

Frequency of meetings where the business discusses the IT portfolio

Questions 94

Which of the following is the GREATEST concern associated with a high number of IT policy exceptions approved by management?

Options:

A.

The exceptions are likely to continue indefinitely.

B.

The exceptions may result in noncompliance.

C.

The exceptions may elevate the level of operational risk.

D.

The exceptions may negatively impact process efficiency.

Questions 95

Which of the following demonstrates the use of data analytics for a loan origination process?

Options:

A.

Evaluating whether loan records are included in the batch file and are validated by the servicing system

B.

Comparing a population of loans input in the origination system to loans booked on the servicing system

C.

Validating whether reconciliations between the two systems are performed and discrepancies are investigated

D.

Reviewing error handling controls to notify appropriate personnel in the event of a transmission failure

Questions 96

Secure code reviews as part of a continuous deployment program are which type of control?

Options:

A.

Detective

B.

Logical

C.

Preventive

D.

Corrective

Questions 97

The PRIMARY advantage of object-oriented technology is enhanced:

Options:

A.

efficiency due to the re-use of elements of logic.

B.

management of sequential program execution for data access.

C.

grouping of objects into methods for data access.

D.

management of a restricted variety of data types for a data object.

Questions 98

Which of the following would BEST demonstrate that an effective disaster recovery plan (DRP) is in place?

Options:

A.

Frequent testing of backups

B.

Annual walk-through testing

C.

Periodic risk assessment

D.

Full operational test

Questions 99

Which of the following is the MOST effective way to maintain network integrity when using mobile devices?

Options:

A.

Implement network access control.

B.

Implement outbound firewall rules.

C.

Perform network reviews.

D.

Review access control lists.

Questions 100

Which of the following documents would be MOST useful in detecting a weakness in segregation of duties?

Options:

A.

System flowchart

B.

Data flow diagram

C.

Process flowchart

D.

Entity-relationship diagram

Questions 101

Which of the following is MOST important to include in forensic data collection and preservation procedures?

Options:

A.

Assuring the physical security of devices

B.

Preserving data integrity

C.

Maintaining chain of custody

D.

Determining tools to be used

Questions 102

The PRIMARY role of an IS auditor in the remediation of problems found during an audit engagement is to:

Options:

A.

help auditee management by providing the solution.

B.

explain the findings and provide general advice.

C.

present updated policies to management for approval.

D.

take ownership of the problems and oversee remediation efforts.

Questions 103

Which of the following is the PRIMARY objective of cyber resiliency?

Options:

A.

To resume normal operations after service disruptions

B.

To prevent potential attacks or disruptions in operations

C.

To efficiently and effectively recover from an incident with limited operational impact

D.

To limit the severity of security breaches and maintain continuous operations

Questions 104

Which of the following presents the GREATEST risk associated with end-user computing (EUC) applications over financial reporting?

Options:

A.

Inability to quickly modify and deploy a solution

B.

Lack of portability for users

C.

Loss of time due to manual processes

D.

Calculation errors in spreadsheets

Questions 105

Which of the following network topologies will provide the GREATEST fault tolerance?

Options:

A.

Bus configuration

B.

Mesh configuration

C.

Star configuration

D.

Ring configuration

Questions 106

Which of the following roles is PRIMARILY responsible for mitigating the risk of benefits not being realized in an IT project?

Options:

A.

Project sponsor

B.

Project manager

C.

Quality assurance (QA) manager

D.

Chief risk officer (CRO)

Questions 107

Data from a system of sensors located outside of a network is received by the open ports on a server. Which of the following is the BEST way to ensure the integrity of the data being collected from the sensor system?

Options:

A.

Implement network address translation on the sensor system.

B.

Route the traffic from the sensor system through a proxy server.

C.

Hash the data that is transmitted from the sensor system.

D.

Transmit the sensor data via a virtual private network (VPN) to the server.

Questions 108

Which of the following is a core functionality of a configuration and release management system?

Options:

A.

Managing privileged access to database servers and infrastructure

B.

Identifying vulnerabilities in configuration settings

C.

Deploying a configuration change to the sandbox environment

D.

Identifying other configuration items that will be impacted by a given change

Questions 109

An organization plans to centrally decommission end-of-life databases and migrate the data to the latest model of hardware. Which of the following BEST ensures data integrity is preserved during the migration?

Options:

A.

Reconciling sample data to most recent backups

B.

Obfuscating confidential data

C.

Encrypting the data

D.

Comparing checksums

Questions 110

Which of the following is the BEST way to ensure a vendor complies with system security requirements?

Options:

A.

Require security training for vendor staff.

B.

Review past incidents reported by the vendor.

C.

Review past audits on the vendor's security compliance.

D.

Require a compliance clause in the vendor contract.

Questions 111

Which of the following provides the BEST assurance that vendor-supported software remains up to date?

Options:

A.

Release and patch management

B.

Licensing agreement and escrow

C.

Software asset management

D.

Version management

Questions 112

Which of the following is the BEST recommendation by an IS auditor to prevent unauthorized access to Internet of Things (IoT) devices?

Options:

A.

IoT devices should only be accessible from the host network.

B.

IoT devices should log and alert on access attempts.

C.

IoT devices should require identification and authentication.

D.

IoT devices should monitor the use of device system accounts.

Questions 113

During the planning phase of a data loss prevention (DLP) audit, management expresses a concern about mobile computing. Which of the following should the IS auditor identify as the associated risk?

Options:

A.

Increased vulnerability due to anytime, anywhere accessibility

B.

Increased need for user awareness training

C.

The use of the cloud negatively impacting IT availability

D.

Lack of governance and oversight for IT infrastructure and applications

Questions 114

An IS audit manager is preparing the staffing plan for an audit engagement of a cloud service provider. What should be the manager's PRIMARY concern when being made aware that a new auditor in the department previously worked for this provider?

Options:

A.

Independence

B.

Professional conduct

C.

Subject matter expertise

D.

Resource availability

Questions 115

Which of the following is the BEST metric to measure the quality of software developed in an organization?

Options:

A.

Amount of successfully migrated software changes

B.

Reduction in the help desk budget

C.

Number of defects discovered in production

D.

Increase in quality assurance (QA) activities

Questions 116

A security review focused on data loss prevention (DLP) revealed the organization has no visibility to data stored in the cloud. What is the IS auditor's BEST recommendation to address this issue?

Options:

A.

Enhance the firewall at the network perimeter.

B.

Implement a file system scanner to discover data stored in the cloud.

C.

Employ a cloud access security broker (CASB).

D.

Utilize a DLP tool on desktops to monitor user activities.

Questions 117

Which of the following is the GREATEST benefit of adopting an Agile audit methodology?

Options:

A.

Better ability to address key risks

B.

Less frequent client interaction

C.

Annual cost savings

D.

Reduced documentation requirements

Questions 118

During which phase of the software development life cycle should an IS auditor be consulted to recommend security controls?

Options:

A.

Design and development

B.

Final acceptance testing

C.

Implementation of software

D.

Requirements definition

Questions 119

An IS auditor is reviewing a medical device that is attached to a patient’s body, which automatically takes and uploads measurements to a cloud server. Treatment may be updated based on the measurements. Which of the following should be the auditor's PRIMARY focus?

Options:

A.

Physical access controls on the device

B.

Security and quality certification of the device

C.

Device identification and authentication

D.

Confirmation that the device is regularly updated

Questions 120

An organization has decided to build a data warehouse using source data from several disparate systems to support strategic decision-making. Which of the following is the BEST way to ensure the accuracy and completeness of the data used to support business decisions?

Options:

A.

The source data is pre-selected so that it already supports senior management's desired business decision outcome.

B.

The source data is from the current year of operations so that irrelevant data from prior years is not included.

C.

The source data is modified in the data warehouse to remove confidential or sensitive information.

D.

The source data is standardized and cleansed before loading into the data warehouse.

Questions 121

A new regulation has been enacted that mandates specific information security practices for the protection of customer data. Which of the following is MOST useful for an IS auditor to review when auditing against the regulation?

Options:

A.

Compliance gap analysis

B.

Customer data protection roles and responsibilities

C.

Customer data flow diagram

D.

Benchmarking studies of adaptation to the new regulation

Questions 122

The PRIMARY reason to perform internal quality assurance (QA) for an internal audit function is to ensure:

Options:

A.

Internal audit activity conforms with audit standards and methodology.

B.

The audit function is adequately governed and meets performance metrics.

C.

Inherent risk in audits is minimized.

D.

Audit resources are used most effectively.

Questions 123

When designing a data analytics process, which of the following should be the stakeholder's role in automating data extraction and validation?

Options:

A.

Indicating which data elements are necessary to make informed decisions

B.

Allocating the resources necessary to purchase the appropriate software packages

C.

Performing the business case analysis for the data analytics initiative

D.

Designing the workflow necessary for the data analytics tool to evaluate the appropriate data

Questions 124

An IS auditor finds that the cost of developing an application is now projected to significantly exceed the budget. Which of the following is the GREATEST risk to communicate to senior management?

Options:

A.

Noncompliance with project methodology

B.

Inability to achieve expected benefits

C.

Increased staff turnover

D.

Project abandonment

Questions 125

Which of the following should an IS auditor be MOST concerned with when a system uses RFID?

Options:

A.

Scalability

B.

Maintainability

C.

Nonrepudiation

D.

Privacy

Questions 126

Which of the following is the MOST important consideration to facilitate prosecution of a perpetrator after a cybercrime?

Options:

A.

An active intrusion detection system (IDS)

B.

Professional collection of unaltered evidence

C.

Reporting to the internal legal department

D.

Immediate law enforcement involvement

Questions 127

Which of the following would MOST likely jeopardize the independence of a quality assurance (QA) team and could lead to conflict of interest?

Options:

A.

Cross checking testing assumptions with the solution design

B.

Inspecting code to ensure proper documentation

C.

Ensuring compliance with development methodologies

D.

Correcting coding errors during the testing process

Questions 128

Having knowledge in which of the following areas is MOST relevant for an IS auditor reviewing public key infrastructure (PKI)?

Options:

A.

Design and application of key controls in public audit

B.

Security strategy in public cloud Infrastructure as a Service (IaaS)

C.

Modern encoding methods for digital communications

D.

Technology and process life cycle for digital certificates and key pairs

Questions 129

Which of the following backup methods is MOST appropriate when storage space is limited?

Options:

A.

Incremental backups

B.

Mirror backups

C.

Full backups

D.

Annual backups

Questions 130

Which of the following BEST indicates to an IS auditor that an organization handles emergency changes appropriately and transparently?

Options:

A.

The application operations manual contains procedures to ensure emergency fixes do not compromise system integrity.

B.

Special logon IDs are used to grant programmers permanent access to the production environment.

C.

Change management controls are retroactively applied.

D.

Emergency changes are applied to production libraries immediately.

Questions 131

Which of the following should be of GREATEST concern to an IS auditor reviewing system interfaces used to transfer publicly available information?

Options:

A.

A system interface tracking program is not enabled.

B.

The data has not been encrypted.

C.

Data is intercepted while in transit between systems.

D.

The data from the originating system differs from the downloaded data.

Questions 132

During a closing meeting, the IT manager disagrees with a valid audit finding presented by the IS auditor and requests the finding be excluded from the final report. Which of the following is the auditor's BEST course of action?

Options:

A.

Request that the IT manager be removed from the remaining meetings and future audits.

B.

Modify the finding to include the IT manager's comments and inform the audit manager of the changes.

C.

Remove the finding from the report and continue presenting the remaining findings.

D.

Provide the evidence which supports the finding and keep the finding in the report.

Questions 133

Which of the following BEST indicates that an incident management process is effective?

Options:

A.

Decreased number of calls to the help desk

B.

Decreased time for incident resolution

C.

Increased number of incidents reviewed by IT management

D.

Increased number of reported critical incidents

Questions 134

How does a continuous integration/continuous development (CI/CD) process help to reduce software failure risk?

Options:

A.

Easy software version rollback

B.

Smaller incremental changes

C.

Fewer manual milestones

D.

Automated software testing

Questions 135

Which of the following is the MOST important privacy consideration for an organization that uses a cloud service provider to process customer data?

Options:

A.

Data privacy must be managed in accordance with the regulations applicable to the organization.

B.

Data privacy must be monitored in accordance with industry standards and best practices.

C.

No personal information may be transferred to the service provider without notifying the customer.

D.

Customer data transferred to the service provider must be reported to the regulatory authority.

Questions 136

A sample for testing must include the 80 largest client balances and a random sample of the rest. What should the IS auditor recommend?

Options:

A.

Query the database.

B.

Develop an integrated test facility (ITF).

C.

Use generalized audit software.

D.

Leverage a random number generator.

Questions 137

Which of the following should be the PRIMARY concern for the IT department head when implementing operational log management?

Options:

A.

Diversity of log formats generated by different IT resources

B.

Retention and storage issues due to log volume

C.

Resistance by operational users

D.

Impact on performance of IT resources

Questions 138

Which of the following will BEST ensure that archived electronic information of permanent importance remains accessible over time?

Options:

A.

Performing preventive maintenance on old hardware

B.

Acquiring applications that emulate old software

C.

Regularly migrating data to current technology

D.

Periodically backing up archived data

Questions 139

An IS auditor finds a user account where privileged access is not appropriate for the user’s role. Which of the following would provide the BEST evidence to determine whether the risk of this access has been exploited?

Options:

A.

Activity log for the account

B.

Interview with the user's manager

C.

Last logon date for the account

D.

Documented approval for the account

Questions 140

Which of the following is the MOST reliable way for an IS auditor to evaluate the operational effectiveness of an organization's data loss prevention (DLP) controls?

Options:

A.

Verify that confidential files cannot be transmitted to a personal USB device.

B.

Conduct interviews to identify possible data protection vulnerabilities.

C.

Review data classification levels based on industry best practice.

D.

Verify that current DLP software is installed on all computer systems.

Questions 141

Which of the following is a PRIMARY function of an intrusion detection system (IDS)?

Options:

A.

Predicting an attack before it occurs

B.

Alerting when a scheduled backup job fails

C.

Blocking malicious network traffic

D.

Warning when executable programs are modified

Questions 142

Which of the following should be of MOST concern to an IS auditor reviewing an organization’s business impact analysis (BIA)?

Options:

A.

A risk assessment was not conducted prior to completing the BIA.

B.

System criticality information was only provided by the IT manager.

C.

A questionnaire was used to gather information as opposed to in-person interviews.

D.

The BIA was not signed off by executive management.

Questions 143

The PRIMARY goal of capacity management is to:

Options:

A.

minimize data storage needs across the organization.

B.

provide necessary IT resources to meet business requirements.

C.

minimize system idle time to optimize cost.

D.

ensure that IT teams have sufficient personnel.

Questions 144

Which of the following BEST enables an organization to determine the effectiveness of its information security awareness program?

Options:

A.

Measuring user satisfaction with the quality of the training

B.

Evaluating the results of a social engineering exercise

C.

Reviewing security staff performance evaluations

D.

Performing an analysis of the number of help desk calls

Questions 145

Which of the following applications has the MOST inherent risk and should be prioritized during audit planning?

Options:

A.

A decommissioned legacy application

B.

An onsite application that is unsupported

C.

An outsourced accounting application

D.

An internally developed application

Questions 146

Which of the following findings would be of GREATEST concern to an IS auditor reviewing the security architecture of an organization that has just implemented a Zero Trust solution?

Options:

A.

An increase in security-related costs

B.

User complaints about the new mode of working

C.

An increase in user identification errors

D.

A noticeable drop in the performance of IT systems

Questions 147

Which of the following is the BEST approach to help organizations address risks associated with shadow IT?

Options:

A.

Implementing policies that prohibit the use of unauthorized systems and solutions

B.

Training employees on information security and conducting routine follow-ups

C.

Providing employees with access to necessary systems and unlimited software licenses

D.

Conducting regular security assessments to identify unauthorized systems and solutions

Questions 148

An IS auditor reviewing the system development life cycle (SDLC) finds there is no requirement for business cases. Which of the following should be of GREATEST concern to the organization?

Options:

A.

Vendor selection criteria are not sufficiently evaluated.

B.

Business resources have not been optimally assigned.

C.

Business impacts of projects are not adequately analyzed.

D.

Project costs exceed established budgets.

Questions 149

An organization is implementing a data loss prevention (DLP) system in response to a new regulatory requirement. Reviewing which of the following would be MOST helpful in evaluating the system's design?

Options:

A.

System manuals

B.

Enterprise architecture (EA)

C.

Historical record of data breaches

D.

Industry trends

Questions 150

Which of the following should be used to evaluate an IT development project before an investment is committed?

Options:

A.

Earned value analysis (EVA)

B.

Rapid application development

C.

Function point analysis

D.

Feasibility study

Questions 151

Which of the following is the MOST important task of an IS auditor during an application post-implementation review?

Options:

A.

Conduct a business impact analysis (BIA)

B.

Perform penetration testing

C.

Identify project delays

D.

Verify user access controls

Questions 152

Which of the following MOST effectively enables consistency across high-volume software changes?

Options:

A.

The use of continuous integration and deployment pipelines

B.

Management reviews of detailed exception reports for released code

C.

Publication of a refreshed policy on development and release management

D.

An ongoing awareness campaign for software deployment best practices

Questions 153

Which of the following should be of MOST concern to an IS auditor reviewing an organization's operational log management?

Options:

A.

Log file size has grown year over year.

B.

Critical events are being logged to immutable log files.

C.

Applications are logging events into multiple log files.

D.

Data formats have not been standardized across all logs.

Questions 154

Which of the following should be of GREATEST concern to an IS auditor conducting an audit of an organization that recently experienced a ransomware attack?

Options:

A.

Antivirus software was unable to prevent the attack even though it was properly updated

B.

The most recent security patches were not tested prior to implementation

C.

Backups were only performed within the local network

D.

Employees were not trained on cybersecurity policies and procedures

Questions 155

Which of the following should be an IS auditor's PRIMARY focus when evaluating the response process for cybercrimes?

Options:

A.

Communication with law enforcement

B.

Notification to regulators

C.

Root cause analysis

D.

Evidence collection

Questions 156

An IS auditor is preparing a plan for audits to be carried out over a specified period. Which of the following activities should the IS auditor perform FIRST?

Options:

A.

Allocate audit resources.

B.

Prioritize risks.

C.

Review prior audit reports.

D.

Determine the audit universe.

Questions 157

Which of the following is the BEST performance indicator for the effectiveness of an incident management program?

Options:

A.

Average time between incidents

B.

Incident alert meantime

C.

Number of incidents reported

D.

Incident resolution meantime

Questions 158

Which of the following management decisions presents the GREATEST risk associated with data leakage?

Options:

A.

There is no requirement for desktops to be encrypted

B.

Staff are allowed to work remotely

C.

Security awareness training is not provided to staff

D.

Security policies have not been updated in the past year

Questions 159

Which of the following provides the MOST useful information regarding an organization's risk appetite and tolerance?

Options:

A.

Gap analysis

B.

Audit reports

C.

Risk profile

D.

Risk register

Questions 160

While evaluating the data classification process of an organization, an IS auditor's PRIMARY focus should be on whether:

Options:

A.

data classifications are automated.

B.

a data dictionary is maintained.

C.

data retention requirements are clearly defined.

D.

data is correctly classified.

Questions 161

Which of the following is BEST used for detailed testing of a business application's data and configuration files?

Options:

A.

Version control software

B.

Audit hooks

C.

Utility software

D.

Audit analytics tool

Questions 162

Which of the following is the BEST point in time to conduct a post-implementation review?

Options:

A.

After a full processing cycle

B.

Immediately after deployment

C.

After the warranty period

D.

Prior to the annual performance review

Questions 163

Which of the following is the BEST security control to validate the integrity of data communicated between production databases and a big data analytics system?

Options:

A.

Hashing in-scope data sets

B.

Encrypting in-scope data sets

C.

Running and comparing the count function within the in-scope data sets

D.

Hosting a digital certificate for in-scope data sets

Questions 164

The FIRST step in an incident response plan is to:

Options:

A.

validate the incident.

B.

notify the head of the IT department.

C.

isolate systems impacted by the incident.

D.

initiate root cause analysis.

Questions 165

During a review of system access, an IS auditor notes that an employee who has recently changed roles within the organization still has previous access rights. The auditor's NEXT step should be to:

Options:

A.

recommend a control to automatically update access rights.

B.

determine the reason why access rights have not been revoked.

C.

direct management to revoke current access rights.

D.

determine if access rights are in violation of software licenses.

Questions 166

When reviewing past results of a recurring annual audit, an IS auditor notes that findings may not have been reported and independence may not have been maintained. Which of the following is the auditor's BEST course of action?

Options:

A.

Inform senior management.

B.

Reevaluate internal controls.

C.

Inform audit management.

D.

Re-perform past audits to ensure independence.

Questions 167

An IS auditor finds a segregation of duties issue in an enterprise resource planning (ERP) system. Which of the following is the BEST way to prevent the misconfiguration from recurring?

Options:

A.

Monitoring access rights on a regular basis

B.

Referencing a standard user-access matrix

C.

Granting user access using a role-based model

D.

Correcting the segregation of duties conflicts

Questions 168

An IS auditor notes that not all security tests were completed for an online sales system recently promoted to production. Which of the following is the auditor's BEST course of action?

Options:

A.

Determine exposure to the business

B.

Adjust future testing activities accordingly

C.

Increase monitoring for security incidents

D.

Hire a third party to perform security testing

Questions 169

In a post-implementation review of a recently purchased system, it is MOST important for the IS auditor to determine whether the:

Options:

A.

stakeholder expectations were identified.

B.

vendor product offered a viable solution.

C.

user requirements were met.

D.

test scenarios reflected operating activities.

Questions 170

In which of the following sampling methods is the entire sample considered to be irregular if a single error is found?

Options:

A.

Discovery sampling

B.

Variable sampling

C.

Stop-or-go sampling

D.

Judgmental sampling

Questions 171

Which of the following is the GREATEST advantage of outsourcing the development of an e-banking solution when in-house technical expertise is not available?

Options:

A.

Lower start-up costs

B.

Reduced risk of system downtime

C.

Direct oversight of risks

D.

Increased ability to adapt the system

Questions 172

Which type of attack targets security vulnerabilities in web applications to gain access to data sets?

Options:

A.

Denial of service (DoS)

B.

SQL injection

C.

Phishing attacks

D.

Rootkits

Questions 173

Which of the following BEST describes the role of a document owner when implementing a data classification policy in an organization?

Options:

A.

Classifies documents to correctly reflect the level of sensitivity of information they contain

B.

Defines the conditions under which documents containing sensitive information may be transmitted

C.

Classifies documents in accordance with industry standards and best practices

D.

Ensures documents are handled in accordance With the sensitivity of information they contain

Questions 174

Aligning IT strategy with business strategy PRIMARILY helps an organization to:

Options:

A.

optimize investments in IT.

B.

create risk awareness across business units.

C.

increase involvement of senior management in IT.

D.

monitor the effectiveness of IT.

Questions 175

Which of the following is MOST helpful to an IS auditor reviewing the alignment of planned IT budget with the organization's goals and strategic objectives?

Options:

A.

Enterprise architecture (EA)

B.

Business impact analysis (BIA)

C.

Risk assessment report

D.

Audit recommendations

Questions 176

In the development of a new financial application, the IS auditor's FIRST involvement should be in the:

Options:

A.

control design.

B.

feasibility study.

C.

application design.

D.

system test.

Questions 177

An IS auditor finds that while an organization's IT strategy is heavily focused on research and development, the majority of projects in the IT portfolio focus on operations and maintenance. Which of the following is the BEST recommendation?

Options:

A.

Align the IT strategy with business objectives.

B.

Review priorities in the IT portfolio.

C.

Change the IT strategy to focus on operational excellence.

D.

Align the IT portfolio with the IT strategy.

Questions 178

Which of the following provides a new IS auditor with the MOST useful information to evaluate overall IT performance?

Options:

A.

IT value analysis

B.

Prior audit reports

C.

IT balanced scorecard

D.

Vulnerability assessment report

Questions 179

Which of the following is the BEST method to maintain an audit trail of changes made to the source code of a program?

Options:

A.

Embed details within source code.

B.

Standardize file naming conventions.

C.

Utilize automated version control.

D.

Document details on a change register.

Questions 180

Which of the following would BEST prevent an arbitrary application of a patch?

Options:

A.

Database access control

B.

Established maintenance windows

C.

Network based access controls

D.

Change management

Questions 181

Which of the following procedures for testing a disaster recovery plan (DRP) is MOST effective?

Options:

A.

Testing at a secondary site using offsite data backups

B.

Performing a quarterly tabletop exercise

C.

Reviewing recovery time and recovery point objectives

D.

Reviewing documented backup and recovery procedures

Questions 182

A new system development project is running late against a critical implementation deadline. Which of the following is the MOST important activity?

Options:

A.

Document last-minute enhancements

B.

Perform a pre-implementation audit

C.

Perform user acceptance testing (UAT)

D.

Ensure that code has been reviewed

Questions 183

An IS auditor is concerned that unauthorized access to a highly sensitive data center might be gained by piggybacking or tailgating. Which of the following is the BEST recommendation?

Options:

A.

Biometrics

B.

Procedures for escorting visitors

C.

Airlock entrance

D.

Intruder alarms

Questions 184

Which of the following is the MOST effective way to identify exfiltration of sensitive data by a malicious insider?

Options:

A.

Implement data loss prevention (DLP) software

B.

Review perimeter firewall logs

C.

Provide ongoing information security awareness training

D.

Establish behavioral analytics monitoring

Questions 185

Which of the following is the PRIMARY role of key performance indicators (KPIs) in supporting business process effectiveness?

Options:

A.

To enable conclusions about the performance of the processes and target variances for follow-up analysis

B.

To analyze workflows in order to optimize business processes and eliminate tasks that do not provide value

C.

To assess the functionality of a software deliverable based on business processes

Questions 186

Which of the following is the BEST indication of effective IT investment management?

Options:

A.

IT investments are implemented and monitored following a system development life cycle (SDLC)

B.

IT investments are mapped to specific business objectives

C.

Key performance indicators (KPIs) are defined for each business requiring IT investment

D.

The IT investment budget is significantly below industry benchmarks

Questions 187

Which of the following should an IS auditor review when evaluating information systems governance for a large organization?

Options:

A.

Approval processes for new system implementations

B.

Procedures for adding a new user to the invoice processing system

C.

Approval processes for updating the corporate website

D.

Procedures for regression testing system changes

Questions 188

Which of the following is MOST important to define within a disaster recovery plan (DRP)?

Options:

A.

Business continuity plan (BCP)

B.

Test results for backup data restoration

C.

A comprehensive list of disaster recovery scenarios and priorities

D.

Roles and responsibilities for recovery team members

Questions 189

Which of the following is the BEST approach for determining the overall IT risk appetite of an organization when business units use different methods for managing IT risks?

Options:

A.

Average the business units’ IT risk levels

B.

Identify the highest-rated IT risk level among the business units

C.

Prioritize the organization's IT risk scenarios

D.

Establish a global IT risk scoring criteria

Questions 190

Which of the following is an IS auditor's BEST approach when preparing to evaluate whether the IT strategy supports the organization's vision and mission?

Options:

A.

Review strategic projects for return on investment (ROI)

B.

Solicit feedback from other departments to gauge the organization's maturity

C.

Meet with senior management to understand business goals

D.

Review the organization's key performance indicators (KPIs)

Questions 191

Which of the following indicates that an internal audit organization is structured to support the independence and clarity of the reporting process?

Options:

A.

Auditors are responsible for performing operational duties or activities.

B.

The internal audit manager reports functionally to a senior management official.

C.

The internal audit manager has a reporting line to the audit committee.

D.

Auditors are responsible for assessing and operating a system of internal controls.

Questions 192

Which of the following technologies has the SMALLEST maximum range for data transmission between devices?

Options:

A.

Wi-Fi

B.

Bluetooth

C.

Long-term evolution (LTE)

D.

Near-field communication (NFC)

Questions 193

As part of business continuity planning, which of the following is MOST important to assess when conducting a business impact analysis (BIA)?

Options:

A.

Risk appetite

B.

Critical applications in the cloud

C.

Completeness of critical asset inventory

D.

Recovery scenarios

Questions 194

Which of the following concerns is MOST effectively addressed by implementing an IT framework for alignment between IT and business objectives?

Options:

A.

Inaccurate business impact analysis (BIA)

B.

Inadequate IT change management practices

C.

Lack of a benchmark analysis

D.

Inadequate IT portfolio management

Questions 195

Which of the following is MOST important for an IS auditor to validate when auditing network device management?

Options:

A.

Devices cannot be accessed through service accounts.

B.

Backup policies include device configuration files.

C.

All devices have current security patches assessed.

D.

All devices are located within a protected network segment.

Questions 196

What is the PRIMARY purpose of performing a parallel run of a new system?

Options:

A.

To train the end users and supporting staff on the new system

B.

To verify the new system provides required business functionality

C.

To reduce the need for additional testing

D.

To validate the new system against its predecessor

Questions 197

When reviewing the functionality of an intrusion detection system (IDS), the IS auditor should be MOST concerned if:

Options:

A.

legitimate packets blocked by the system have increased

B.

actual attacks have not been identified

C.

detected events have increased

D.

false positives have been reported

Questions 198

An organization is migrating its HR application to an Infrastructure as a Service (IaaS) model in a private cloud. Who is PRIMARILY responsible for the security configurations of the deployed application's operating system?

Options:

A.

The cloud provider's external auditor

B.

The cloud provider

C.

The operating system vendor

D.

The organization

Questions 199

Which of the following areas is MOST likely to be overlooked when implementing a new data classification process?

Options:

A.

End-user computing (EUC) systems

B.

Email attachments

C.

Data sent to vendors

D.

New system applications

Questions 200

One advantage of monetary unit sampling is the fact that

Options:

A.

results are stated in terms of the frequency of items in error

B.

it can easily be applied manually when computer resources are not available

C.

large-value population items are segregated and audited separately

D.

it increases the likelihood of selecting material items from the population
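
Monetary unit sampling treats every currency unit in the population as a sampling unit, so an item's chance of selection grows with its value and any item worth more than the sampling interval is certain to be selected. The following added example (written for this page, not from any exam vendor) implements the systematic selection step in Python; the invoice population, values in cents and sample size are constructed for the demonstration.

```python
import random

# Constructed invoice population in cents (not from the original page).
POPULATION = [
    ("INV-001", 12_000),
    ("INV-002", 4_500),
    ("INV-003", 250_000),   # single item larger than the sampling interval
    ("INV-004", 800),
    ("INV-005", 33_000),
    ("INV-006", 1_200),
    ("INV-007", 95_000),
    ("INV-008", 3_500),
]


def sampling_interval(items, sample_size: int) -> int:
    """Total monetary units divided by the number of selections wanted."""
    return sum(value for _, value in items) // sample_size


def monetary_unit_sample(items, sample_size: int, start_point: int) -> list:
    """Systematic PPS selection: every `interval`-th monetary unit, beginning at
    `start_point`, selects the item whose cumulative range contains it. An item
    worth more than the interval is hit at least once whatever the start."""
    interval = sampling_interval(items, sample_size)
    if not 1 <= start_point <= interval:
        raise ValueError("start_point must lie within the first interval")
    selected = []
    upper = 0
    next_hit = start_point
    for item_id, value in items:
        lower, upper = upper, upper + value
        hit = False
        while lower < next_hit <= upper:   # a large item may absorb several hits
            hit = True
            next_hit += interval
        if hit:
            selected.append(item_id)       # listed once, however many hits
    return selected


def selection_probability(items, sample_size: int) -> dict:
    """Chance each item is selected: proportional to its value, capped at 1."""
    interval = sampling_interval(items, sample_size)
    return {item_id: min(1.0, value / interval) for item_id, value in items}


def always_selected(items, sample_size: int, trials: int = 200, seed: int = 7) -> set:
    """Empirical check over random start points of which items always appear."""
    rng = random.Random(seed)
    interval = sampling_interval(items, sample_size)
    result = None
    for _ in range(trials):
        chosen = set(monetary_unit_sample(items, sample_size, rng.randint(1, interval)))
        result = chosen if result is None else result & chosen
    return result


if __name__ == "__main__":
    print(monetary_unit_sample(POPULATION, 4, 1))
    print(selection_probability(POPULATION, 4))
    print(always_selected(POPULATION, 4))
```

With a population of 400,000 cents and four selections the interval is 100,000 cents; INV-003 (250,000) spans more than one interval and is selected from every start point, while INV-004 (800) has a 0.8% chance. Note that selection is by monetary unit, not by item count, which is why results are expressed in monetary terms rather than as a frequency of items in error.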

Questions 201

Which of the following is MOST important for an IS auditor to review when determining whether IT investments are providing value to the business?

Options:

A.

Return on investment (ROI)

B.

Business strategy

C.

Business cases

D.

Total cost of ownership (TCO)

Questions 202

Which of the following is the MAJOR advantage of automating internal controls?

Options:

A.

To enable the review of large value transactions

B.

To efficiently test large volumes of data

C.

To help identify transactions with no segregation of duties

D.

To assist in performing analytical reviews

Questions 203

Which of the following is the PRIMARY reason to perform a risk assessment?

Options:

A.

To determine the current risk profile

B.

To ensure alignment with the business impact analysis (BIA)

C.

To achieve compliance with regulatory requirements

D.

To help allocate budget for risk mitigation controls

Questions 204

Which of the following is the PRIMARY advantage of using virtualization technology for corporate applications?

Options:

A.

Stronger data security

B.

Better utilization of resources

C.

Increased application performance

D.

Improved disaster recovery

Questions 205

An IS auditor is reviewing a data conversion project. Which of the following is the auditor's BEST recommendation prior to go-live?

Options:

A.

Review test procedures and scenarios

B.

Conduct a mock conversion test

C.

Establish a configuration baseline

D.

Automate the test scripts

Questions 206

Which of the following is a PRIMARY responsibility of an IT steering committee?

Options:

A.

Prioritizing IT projects in accordance with business requirements

B.

Reviewing periodic IT risk assessments

C.

Validating and monitoring the skill sets of IT department staff

D.

Establishing IT budgets for the business

Questions 207

A database administrator (DBA) should be prevented from:

Options:

A.

having end user responsibilities

B.

accessing sensitive information

C.

having access to production files

D.

using an emergency user ID

Questions 208

Which of the following is the PRIMARY reason for an IS audit manager to review the work performed by a senior IS auditor prior to presentation of a report?

Options:

A.

To ensure the conclusions are adequately supported

B.

To ensure adequate sampling methods were used during fieldwork

C.

To ensure the work is properly documented and filed

D.

To ensure the work is conducted according to industry standards

Questions 209

Which of the following is the GREATEST advantage of vulnerability scanning over penetration testing?

Options:

A.

The testing produces a lower number of false positive results

B.

Network bandwidth is utilized more efficiently

C.

Custom-developed applications can be tested more accurately

D.

The testing process can be automated to cover large groups of assets

Questions 210

Which of the following would be the BEST criteria for monitoring an IT vendor's service levels?

Options:

A.

Service auditor's report

B.

Performance metrics

C.

Surprise visit to vendor

D.

Interview with vendor

Questions 211

Which of the following risk scenarios is BEST addressed by implementing policies and procedures related to full disk encryption?

Options:

A.

Data leakage as a result of employees leaving to work for competitors

B.

Noncompliance fines related to storage of regulated information

C.

Unauthorized logical access to information through an application interface

D.

Physical theft of media on which information is stored

Questions 212

Which of the following is MOST helpful to an IS auditor when assessing the effectiveness of controls?

Options:

A.

A control self-assessment (CSA)

B.

Results of control testing

C.

Interviews with management

D.

A control matrix

Questions 213

Which of the following is MOST important during software license audits?

Options:

A.

Judgmental sampling

B.

Substantive testing

C.

Compliance testing

D.

Stop-or-go sampling

Questions 214

Which of the following should be of GREATEST concern to an IS auditor reviewing data conversion and migration during the implementation of a new application system?

Options:

A.

The change management process was not formally documented

B.

Backups of the old system and data are not available online

C.

Unauthorized data modifications occurred during conversion.

D.

Data conversion was performed using manual processes

Questions 215

An IS auditor concludes that logging and monitoring mechanisms within an organization are ineffective because critical servers are not included within the central log repository. Which of the following audit procedures would have MOST likely identified this exception?

Options:

A.

Inspecting a sample of alerts generated from the central log repository

B.

Comparing a list of all servers from the directory server against a list of all servers present in the central log repository

C.

Inspecting a sample of alert settings configured in the central log repository

D.

Comparing all servers included in the current central log repository with the listing used for the prior-year audit
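
The reason a completeness test has to start from an independent population is that a server which never sends a single event leaves no trace in the repository to sample. The following added example (written for this page, not from any vendor) performs that reconciliation in Python: a directory export is compared against the hosts the central log repository has received events from, and hosts that are missing, unexpected or stale are reported. Hostnames, timestamps, the audit date and the seven-day tolerance are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed inventories for this example (not from the original page). In a
# real engagement the first list would be exported from the directory service
# (e.g. AD computer objects) and the second from the central log repository /
# SIEM as "host -> timestamp of the most recent event received".
DIRECTORY_SERVERS = [
    "DB01.corp.example.com",
    "web01.corp.example.com",
    "web02.corp.example.com",
    "hr-app.corp.example.com",
    "bastion.corp.example.com",
]

LOG_REPOSITORY_SOURCES = {
    "db01.corp.example.com": "2024-05-30T23:58:01",
    "web01.corp.example.com": "2024-05-31T00:02:10",
    "web02.corp.example.com.": "2024-05-31T00:01:55",     # trailing dot from a DNS export
    "bastion.corp.example.com": "2024-04-02T11:20:00",     # forwarder silent for weeks
    "legacy-ftp.corp.example.com": "2024-05-31T00:00:30",  # sends logs, not in directory
}

AS_OF = datetime.fromisoformat("2024-05-31T00:05:00")  # assumed audit date
STALE_AFTER = timedelta(days=7)                         # assumed tolerance


def normalise(host: str) -> str:
    """Make hostnames from different exports comparable."""
    return host.strip().lower().rstrip(".")


def reconcile(directory, repo_sources, as_of=AS_OF, stale_after=STALE_AFTER) -> dict:
    """Compare the authoritative server population with the log repository."""
    expected = {normalise(h) for h in directory}
    observed = {normalise(h): datetime.fromisoformat(ts) for h, ts in repo_sources.items()}

    # Servers that exist but have never sent an event: invisible to any
    # procedure that only samples alerts or alert settings in the repository.
    not_logging = sorted(expected - observed.keys())
    # Sources the repository knows but the directory does not: decommissioned
    # hosts still forwarding, or machines built outside the standard process.
    unexpected = sorted(observed.keys() - expected)
    # Onboarded once, but quiet for longer than the tolerance: broken agent,
    # changed firewall rule, or log forwarding disabled.
    stale = sorted(h for h in expected & observed.keys() if as_of - observed[h] > stale_after)

    covered = len(expected) - len(not_logging) - len(stale)
    return {
        "not_logging": not_logging,
        "unexpected": unexpected,
        "stale": stale,
        "coverage": covered / len(expected) if expected else 0.0,
    }


if __name__ == "__main__":
    for key, value in reconcile(DIRECTORY_SERVERS, LOG_REPOSITORY_SOURCES).items():
        print(f"{key}: {value}")
```

On the constructed data the check finds one server that has never logged (hr-app), one that has gone quiet (bastion) and one source the directory does not know about (legacy-ftp), for 60% coverage. Sampling alerts or alert settings, as in the other options, would never have surfaced hr-app, because there is nothing from it in the repository to sample.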

Questions 216

When assessing whether an organization's IT performance measures are comparable to other organizations in the same industry, which of the following would be MOST helpful to review?

Options:

A.

IT governance frameworks

B.

Benchmarking surveys

C.

Utilization reports

D.

Balanced scorecard

Questions 217

Which of the following is an IS auditor's BEST recommendation to protect an organization from attacks when its file server needs to be accessible to external users?

Options:

A.

Enforce a secure tunnel connection.

B.

Enhance internal firewalls.

C.

Set up a demilitarized zone (DMZ).

D.

Implement a secure protocol.

Questions 218

Which of the following is the MOST appropriate indicator of change management effectiveness?

Options:

A.

Time lag between changes to the configuration and the update of records

B.

Number of system software changes

C.

Time lag between changes and updates of documentation materials

D.

Number of incidents resulting from changes

Questions 219

What is the MOST effective way to detect installation of unauthorized software packages by employees?

Options:

A.

Regular scanning of hard drives

B.

Communicating the policy to employees

C.

Logging of activity on the network

D.

Maintaining current antivirus software

Questions 220

An IS auditor is performing a follow-up audit for findings identified in an organization's user provisioning process. Which of the following is the MOST appropriate population to sample from when testing for remediation?

Options:

A.

All users provisioned after the finding was originally identified

B.

All users provisioned after management resolved the audit issue

C.

All users provisioned after the final audit report was issued

D.

All users who have followed user provisioning processes provided by management

Questions 221

An IS auditor is reviewing a bank's service level agreement (SLA) with a third-party provider that hosts the bank's secondary data center. Which of the following findings should be of GREATEST concern to the auditor?

Options:

A.

The recovery time objective (RTO) has a longer duration than documented in the disaster recovery plan (DRP).

B.

The SLA has not been reviewed in more than a year.

C.

Backup data is hosted online only.

D.

The recovery point objective (RPO) has a shorter duration than documented in the disaster recovery plan (DRP).

Questions 222

Which of the following is the MOST effective method of destroying sensitive data stored on electronic media?

Options:

A.

Degaussing

B.

Random character overwrite

C.

Physical destruction

D.

Low-level formatting

Questions 223

Which of the following provides the BEST audit evidence that a firewall is configured in compliance with the organization's security policy?

Options:

A.

Analyzing how the configuration changes are performed

B.

Analyzing log files

C.

Reviewing the rule base

D.

Performing penetration testing

Questions 224

A financial group recently implemented new technologies and processes. Which type of IS audit would provide the GREATEST level of assurance that the department's objectives have been met?

Options:

A.

Performance audit

B.

Integrated audit

C.

Cyber audit

D.

Financial audit

Questions 225

An organization's IT risk assessment should include the identification of:

Options:

A.

vulnerabilities

B.

compensating controls

C.

business needs

D.

business process owners

Questions 226

During a follow-up audit, an IS auditor finds that senior management has implemented a different remediation action plan than what was previously agreed upon. Which of the following is the auditor's BEST course of action?

Options:

A.

Report the deviation by the control owner in the audit report.

B.

Evaluate the implemented control to ensure it mitigates the risk to an acceptable level.

C.

Cancel the follow-up audit and reschedule for the next audit period.

D.

Request justification from management for not implementing the recommended control.

Questions 227

A checksum is classified as which type of control?

Options:

A.

Detective control

B.

Preventive control

C.

Corrective control

D.

Administrative control
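
A checksum is detective because comparing a freshly computed digest against a stored baseline reveals that something changed after the fact; it does nothing to stop the change. The following added example (written for this page, not from any vendor) shows the control as a small file-integrity check in Python, and adds the caveat a practitioner would want: an unprotected baseline can simply be regenerated by whoever tampered with the files, so the baseline itself is sealed with a keyed digest. The file paths, contents and seal key are constructed assumptions.

```python
import hashlib
import hmac

# Constructed file contents standing in for a monitored host (not from the page).
BASELINE_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/usr/local/bin/backup.sh": b"#!/bin/sh\ntar czf /backup/data.tgz /data\n",
}

# Assumed: a key that is kept off the monitored host (hypothetical value).
SEAL_KEY = b"example-seal-key-held-by-the-audit-team"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Record a checksum for every file: the baseline to compare against later."""
    return {path: sha256_hex(content) for path, content in files.items()}


def verify(manifest: dict, files: dict) -> dict:
    """Detective control: report what differs from the baseline. Nothing here
    stops a change from happening; it only reveals that one did."""
    modified = sorted(p for p in manifest if p in files and sha256_hex(files[p]) != manifest[p])
    missing = sorted(p for p in manifest if p not in files)
    added = sorted(p for p in files if p not in manifest)
    return {"modified": modified, "missing": missing, "added": added}


def seal_manifest(manifest: dict, key: bytes) -> str:
    """Keyed digest over the canonical manifest. An attacker who can rewrite the
    files and the manifest still cannot produce a matching seal without the key."""
    canonical = "\n".join(f"{p} {d}" for p, d in sorted(manifest.items())).encode()
    return hmac.new(key, canonical, "sha256").hexdigest()


def manifest_intact(manifest: dict, key: bytes, seal: str) -> bool:
    return hmac.compare_digest(seal_manifest(manifest, key), seal)


def demo() -> tuple:
    """Build a baseline, simulate tampering, then verify and check the seal."""
    baseline = build_manifest(BASELINE_FILES)
    seal = seal_manifest(baseline, SEAL_KEY)

    # Simulated compromise: weaken sshd, add a cron persistence entry, delete a script.
    current = dict(BASELINE_FILES)
    current["/etc/ssh/sshd_config"] = b"PermitRootLogin yes\nPasswordAuthentication yes\n"
    current["/etc/cron.d/persist"] = b"* * * * * root /tmp/.x\n"
    del current["/usr/local/bin/backup.sh"]

    report = verify(baseline, current)
    # The attacker also regenerates the manifest to match the tampered files.
    forged = build_manifest(current)
    return report, manifest_intact(baseline, SEAL_KEY, seal), manifest_intact(forged, SEAL_KEY, seal)


if __name__ == "__main__":
    report, genuine_ok, forged_ok = demo()
    print(report)
    print("genuine manifest seal valid:", genuine_ok)
    print("forged manifest seal valid:", forged_ok)
```

The verification step flags the modified, missing and added files, but only when it is run, and only if the baseline it compares against is trustworthy; the sealed manifest covers the second condition. Preventing the modification in the first place would need a different control, such as file permissions or change management.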

Questions 228

Which of the following is the MOST important responsibility of user departments associated with program changes?

Options:

A.

Providing unit test data

B.

Analyzing change requests

C.

Updating documentation to reflect latest changes

D.

Approving changes before implementation

Questions 229

Which type of device sits on the perimeter of a corporate or home network, where it obtains a public IP address and then generates private IP addresses internally?

Options:

A.

Switch

B.

Intrusion prevention system (IPS)

C.

Gateway

D.

Router

Questions 230

Which of the following should an IS auditor recommend be done FIRST when an organization is made aware of a new regulation that is likely to impact IT security requirements?

Options:

A.

Update security policies based on the new regulation.

B.

Determine which systems and IT-related processes may be impacted.

C.

Evaluate how security awareness and training content may be impacted.

D.

Review the design and effectiveness of existing IT controls.

Questions 231

Which of the following poses the GREATEST risk to an organization when employees use public social networking sites?

Options:

A.

Cross-site scripting (XSS)

B.

Copyright violations

C.

Social engineering

D.

Adverse posts about the organization

Questions 232

Which of the following is the MOST appropriate control to ensure integrity of online orders?

Options:

A.

Data Encryption Standard (DES)

B.

Digital signature

C.

Public key encryption

D.

Multi-factor authentication

Questions 233

Upon completion of audit work, an IS auditor should:

Options:

A.

provide a report to senior management prior to discussion with the auditee.

B.

distribute a summary of general findings to the members of the auditing team.

C.

provide a report to the auditee stating the initial findings.

D.

review the working papers with the auditee.

Questions 234

An IS auditor is conducting a review of a data center. Which of the following observations could indicate an access control issue?

Options:

A.

Security cameras deployed outside main entrance

B.

Antistatic mats deployed at the computer room entrance

C.

Muddy footprints directly inside the emergency exit

D.

Fencing around facility is two meters high

Questions 235

Which of the following would be MOST useful to an IS auditor when making recommendations to enable continual improvement of IT processes over time?

Options:

A.

IT incident log

B.

Benchmarking studies

C.

Maturity model

D.

IT risk register

Questions 236

Which of the following should be an IS auditor's GREATEST concern when assessing an IT service configuration database?

Options:

A.

The database is read-accessible for all users.

B.

The database is write-accessible for all users.

C.

The database is not encrypted at rest.

D.

The database is executable for all users.

Questions 237

The PRIMARY objective of a follow-up audit is to:

Options:

A.

assess the appropriateness of recommendations.

B.

verify compliance with policies.

C.

evaluate whether the risk profile has changed.

D.

determine adequacy of actions taken on recommendations.

Questions 238

The BEST way for an IS auditor to validate that separation of duties has been implemented is to perform:

Options:

A.

A review of personnel files.

B.

An analysis of documented job descriptions.

C.

A review of the organizational chart.

D.

A walk-through of job functions.

Questions 239

Which of the following provides the GREATEST assurance that a middleware application compiling data from multiple sales transaction databases for forecasting is operating effectively?

Options:

A.

Continuous auditing

B.

Manual checks

C.

Exception reporting

D.

Automated reconciliations

Questions 240

Which type of attack poses the GREATEST risk to an organization's most sensitive data?

Options:

A.

Password attack

B.

Eavesdropping attack

C.

Insider attack

D.

Spear phishing attack

Questions 241

During an audit, an IT finding is agreed upon by all IT teams involved, but no team wants to be responsible for remediation or considers the finding within its area of responsibility. Which of the following is the IS auditor's BEST course of action?

Options:

A.

Escalate to IT management for resolution.

B.

Issue the finding without identifying an owner.

C.

Assign shared responsibility to all IT teams.

D.

Determine the most appropriate team and assign accordingly.

Questions 242

Which of the following would be of MOST concern when determining whether information assets are adequately safeguarded during transport and disposal?

Options:

A.

Lack of appropriate labelling

B.

Lack of recent awareness training

C.

Lack of password protection

D.

Lack of appropriate data classification

Questions 243

An organization has recently acquired and implemented intelligent-agent software for granting loans to customers. During the post-implementation review, which of the following is the MOST important procedure for the IS auditor to perform?

Options:

A.

Review system and error logs to verify transaction accuracy.

B.

Review input and output control reports to verify the accuracy of the system decisions.

C.

Review signed approvals to ensure responsibilities for decisions of the system are well defined.

D.

Review system documentation to ensure completeness.

Questions 244

Which of the following BEST indicates the effectiveness of an organization's risk management program?

Options:

A.

Inherent risk is eliminated.

B.

Residual risk is minimized.

C.

Control risk is minimized.

D.

Overall risk is quantified.

Questions 245

Which of the following should an IS auditor recommend as a PRIMARY area of focus when an organization decides to outsource technical support for its external customers?

Options:

A.

Align service level agreements (SLAs) with current needs.

B.

Monitor customer satisfaction with the change.

C.

Minimize costs related to the third-party agreement.

D.

Ensure right to audit is included within the contract.

Questions 246

Which of the following is the BEST recommendation to prevent fraudulent electronic funds transfers by accounts payable employees?

Options:

A.

Periodic vendor reviews

B.

Dual control

C.

Independent reconciliation

D.

Re-keying of monetary amounts

Questions 247

Which of the following is MOST important for an IS auditor to examine when reviewing an organization's privacy policy?

Options:

A.

Whether there is explicit permission from regulators to collect personal data

B.

The organization's legitimate purpose for collecting personal data

C.

Whether sharing of personal information with third-party service providers is prohibited

D.

The encryption mechanism selected by the organization for protecting personal data

Questions 248

During an exit interview, senior management disagrees with some of the facts presented in the draft audit report and wants them removed from the report. Which of the following would be the auditor's BEST course of action?

Options:

A.

Revise the assessment based on senior management's objections.

B.

Escalate the issue to audit management.

C.

Finalize the draft audit report without changes.

D.

Gather evidence to analyze senior management's objections

Questions 249

Due to limited storage capacity, an organization has decided to reduce the actual retention period for media containing completed low-value transactions. Which of the following is MOST important for the organization to ensure?

Options:

A.

The policy includes a strong risk-based approach.

B.

The retention period allows for review during the year-end audit.

C.

The retention period complies with data owner responsibilities.

D.

The total transaction amount has no impact on financial reporting

Questions 250

In a RACI model, which of the following roles must be assigned to only one individual?

Options:

A.

Responsible

B.

Informed

C.

Consulted

D.

Accountable

Questions 251

Which of the following BEST indicates that an incident management process is effective?

Options:

A.

Decreased time for incident resolution

B.

Increased number of incidents reviewed by IT management

C.

Decreased number of calls to the help desk

D.

Increased number of reported critical incidents

Questions 252

An IS auditor finds that an organization's data loss prevention (DLP) system is configured to use vendor default settings to identify violations. The auditor's MAIN concern should be that:

Options:

A.

violation reports may not be reviewed in a timely manner.

B.

a significant number of false positive violations may be reported.

C.

violations may not be categorized according to the organization's risk profile.

D.

violation reports may not be retained according to the organization's risk profile.

Questions 253

Which of the following environments is BEST used for copying data and transformation into a compatible data warehouse format?

Options:

A.

Testing

B.

Replication

C.

Staging

D.

Development

Questions 254

Which of the following is the GREATEST risk associated with storing customer data on a web server?

Options:

A.

Data availability

B.

Data confidentiality

C.

Data integrity

D.

Data redundancy

Questions 255

An organization plans to receive an automated data feed into its enterprise data warehouse from a third-party service provider. Which of the following would be the BEST way to prevent accepting bad data?

Options:

A.

Obtain error codes indicating failed data feeds.

B.

Purchase data cleansing tools from a reputable vendor.

C.

Appoint data quality champions across the organization.

D.

Implement business rules to reject invalid data.
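
Business rules applied at the point of ingestion are the only option in this list that actually stops bad records from entering the warehouse; error codes, cleansing tools and data champions all act after the fact. The following added example (written for this page, not from any vendor) shows such a rule set in Python over a constructed third-party feed: each record is either accepted or rejected with the specific rules it broke, so the rejects can be returned to the provider. The column names, rules, thresholds and load date are assumptions.

```python
import csv
import io
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed feed for this example (not from the original page). Each line
# after the first exercises one rule; the header names and rules are assumptions.
FEED = """record_id,customer_id,amount,currency,trade_date
1001,C-001,250.00,USD,2024-05-30
1002,C-002,-15.00,USD,2024-05-30
1003,,99.99,EUR,2024-05-30
1004,C-004,12.50,XYZ,2024-05-30
1005,C-005,abc,USD,2024-05-30
1006,C-006,40.00,GBP,2099-01-01
1001,C-007,10.00,USD,2024-05-30
"""

ALLOWED_CURRENCIES = {"USD", "EUR", "GBP"}
MAX_AMOUNT = Decimal("1000000.00")
AS_OF = date(2024, 5, 31)  # assumed load date


def validate_row(row: dict, seen_ids: set, as_of: date = AS_OF) -> list:
    """Apply the business rules to one record; return the list of violations."""
    errors = []
    rid = (row.get("record_id") or "").strip()
    if not rid:
        errors.append("missing record_id")
    elif rid in seen_ids:
        errors.append("duplicate record_id")
    if not (row.get("customer_id") or "").strip():
        errors.append("missing customer_id")
    try:
        amount = Decimal((row.get("amount") or "").strip())
        if amount <= 0 or amount > MAX_AMOUNT:
            errors.append("amount out of range")
    except InvalidOperation:
        errors.append("amount not numeric")
    if (row.get("currency") or "").strip() not in ALLOWED_CURRENCIES:
        errors.append("unknown currency")
    try:
        if date.fromisoformat((row.get("trade_date") or "").strip()) > as_of:
            errors.append("trade_date in the future")
    except ValueError:
        errors.append("trade_date malformed")
    return errors


def load_feed(text: str, as_of: date = AS_OF) -> tuple:
    """Split the feed into rows to load and rows to reject (with reasons).
    Rejected rows never reach the warehouse; they go back to the provider."""
    accepted, rejected = [], []
    seen = set()
    for row in csv.DictReader(io.StringIO(text)):
        errors = validate_row(row, seen, as_of)
        if errors:
            rejected.append((row["record_id"], errors))
        else:
            accepted.append(row)
            seen.add(row["record_id"])
    return accepted, rejected


if __name__ == "__main__":
    accepted, rejected = load_feed(FEED)
    print("accepted:", [r["record_id"] for r in accepted])
    for record_id, errors in rejected:
        print("rejected", record_id, "->", ", ".join(errors))
```

Only the first record passes every rule; the other six are each rejected with the rule they violated, including the repeated record_id, which a simple error code from the provider would not have caught.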

Questions 256

Which of the following is the MOST important reason to classify a disaster recovery plan (DRP) as confidential?

Options:

A.

Ensure compliance with the data classification policy.

B.

Protect the plan from unauthorized alteration.

C.

Comply with business continuity best practice.

D.

Reduce the risk of data leakage that could lead to an attack.

Questions 257

Which of the following must be in place before an IS auditor initiates audit follow-up activities?

Options:

A.

Available resources for the activities included in the action plan

B.

A management response in the final report with a committed implementation date

C.

A heat map with the gaps and recommendations displayed in terms of risk

D.

Supporting evidence for the gaps and recommendations mentioned in the audit report

Questions 258

Which of the following is the PRIMARY reason to follow a configuration management process to maintain applications?

Options:

A.

To optimize system resources

B.

To follow system hardening standards

C.

To optimize asset management workflows

D.

To ensure proper change control

Questions 259

Which of the following is the BEST indicator of the effectiveness of an organization's incident response program?

Options:

A.

Number of successful penetration tests

B.

Percentage of protected business applications

C.

Financial impact per security event

D.

Number of security vulnerability patches

Questions 260

An IS auditor is reviewing a recent security incident and is seeking information about the approval of a recent modification to a database system's security settings. Where would the auditor MOST likely find this information?

Options:

A.

System event correlation report

B.

Database log

C.

Change log

D.

Security information and event management (SIEM) report

Questions 261

An organization has assigned two new IS auditors to audit a new system implementation. One of the auditors has an IT-related degree, and one has a business degree. Which of the following is MOST important to meet the IS audit standard for proficiency?

Options:

A.

The standard is met as long as one member has a globally recognized audit certification.

B.

Technical co-sourcing must be used to help the new staff.

C.

Team member assignments must be based on individual competencies.

D.

The standard is met as long as a supervisor reviews the new auditors' work.

Questions 262

Which of the following is the BEST reason for an organization to use clustering?

Options:

A.

To decrease system response time

B.

To improve the recovery time objective (RTO)

C.

To facilitate faster backups

D.

To improve system resiliency

Questions 263

Which of the following is the MOST important determining factor when establishing appropriate timeframes for follow-up activities related to audit findings?

Options:

A.

Availability of IS audit resources

B.

Remediation dates included in management responses

C.

Peak activity periods for the business

D.

Complexity of business processes identified in the audit

Questions 264

While auditing a small organization's data classification processes and procedures, an IS auditor noticed that data is often classified at the incorrect level. What is the MOST effective way for the organization to improve this situation?

Options:

A.

Use automatic document classification based on content.

B.

Have IT security staff conduct targeted training for data owners.

C.

Publish the data classification policy on the corporate web portal.

D.

Conduct awareness presentations and seminars for information classification policies.

Questions 265

When planning an audit to assess application controls of a cloud-based system, it is MOST important for the IS auditor to understand the:

Options:

A.

architecture and cloud environment of the system.

B.

business process supported by the system.

C.

policies and procedures of the business area being audited.

D.

availability reports associated with the cloud-based system.

Questions 266

Which of the following is MOST important for an IS auditor to verify when evaluating an organization's firewall?

Options:

A.

Logs are being collected in a separate protected host

B.

Automated alerts are being sent when a risk is detected

C.

Insider attacks are being controlled

D.

Access to configuration files is restricted.

Questions 267

Which of the following would BEST manage the risk of changes in requirements after the analysis phase of a business application development project?

Options:

A.

Expected deliverables meeting project deadlines

B.

Sign-off from the IT team

C.

Ongoing participation by relevant stakeholders

D.

Quality assurance (QA) review

Questions 268

Which of the following BEST enables the timely identification of risk exposure?

Options:

A.

External audit review

B.

Internal audit review

C.

Control self-assessment (CSA)

D.

Stress testing

Questions 269

After the merger of two organizations, which of the following is the MOST important task for an IS auditor to perform?

Options:

A.

Verifying that access privileges have been reviewed

B.

Investigating access rights for expiration dates

C.

Updating the continuity plan for critical resources

D.

Updating the security policy

Questions 270

An IS auditor is reviewing the release management process for an in-house software development solution. In which environment Is the software version MOST likely to be the same as production?

Options:

A.

Staging

B.

Testing

C.

Integration

D.

Development

Questions 271

An employee loses a mobile device, resulting in loss of sensitive corporate data. Which of the following would have BEST prevented data leakage?

Options:

A.

Data encryption on the mobile device

B.

Complex password policy for mobile devices

C.

The triggering of remote data wipe capabilities

D.

Awareness training for mobile device users

Questions 272

Which of the following is the BEST indicator of the effectiveness of signature-based intrusion detection systems (IDS)?

Options:

A.

An increase in the number of identified false positives

B.

An increase in the number of detected incidents not previously identified

C.

An increase in the number of unfamiliar sources of intruders

D.

An increase in the number of internally reported critical incidents

Questions 273

An IS auditor is reviewing security controls related to collaboration tools for a business unit responsible for intellectual property and patents. Which of the following observations should be of MOST concern to the auditor?

Options:

A.

Training was not provided to the department that handles intellectual property and patents

B.

Logging and monitoring for content filtering is not enabled.

C.

Employees can share files with users outside the company through collaboration tools.

D.

The collaboration tool is hosted and can only be accessed via an Internet browser

Questions 274

An IS auditor has been asked to audit the proposed acquisition of new computer hardware. The auditor's PRIMARY concern is that:

Options:

A.

the implementation plan meets user requirements.

B.

a full, visible audit trail will be included.

C.

a clear business case has been established.

D.

the new hardware meets established security standards.

Questions 275

The waterfall life cycle model of software development is BEST suited for which of the following situations?

Options:

A.

The project requirements are well understood.

B.

The project is subject to time pressures.

C.

The project intends to apply an object-oriented design approach.

D.

The project will involve the use of new technology.

Questions 276

An IS auditor should ensure that an application's audit trail:

Options:

A.

has adequate security.

B.

logs all database records.

C.

is accessible online.

D.

does not impact operational efficiency.

Questions 277

Which type of security testing is MOST efficient for finding hidden errors in software and facilitating source code optimization?

Options:

A.

User acceptance testing (UAT)

B.

Black box testing

C.

White box testing

D.

Penetration testing

Questions 278

Which of the following should be the GREATEST concern for an IS auditor reviewing recent disaster recovery operations?

Options:

A.

The recovery point objective (RPO) was not defined.

B.

Test data was lost during a recovery operation.

C.

A warm site was used as a recovery strategy.

D.

A full backup was only performed once a week.

Questions 279

A third-party consultant is managing the replacement of an accounting system. Which of the following should be the IS auditor's GREATEST concern?

Options:

A.

Data migration is not part of the contracted activities.

B.

The replacement is occurring near year-end reporting

C.

The user department will manage access rights.

D.

Testing was performed by the third-party consultant

Questions 280

During the planning stage of a compliance audit, an IS auditor discovers that a bank's inventory of compliance requirements does not include recent regulatory changes related to managing data risk. What should the auditor do FIRST?

Options:

A.

Ask management why the regulatory changes have not been included.

B.

Discuss potential regulatory issues with the legal department.

C.

Report the missing regulatory updates to the chief information officer (CIO).

D.

Exclude recent regulatory changes from the audit scope.

Questions 281

For an organization that has plans to implement web-based trading, it would be MOST important for an IS auditor to verify the organization's information security plan includes:

Options:

A.

attributes for system passwords.

B.

security training prior to implementation.

C.

security requirements for the new application.

D.

the firewall configuration for the web server.

Questions 282

Which of the following is the MOST appropriate and effective fire suppression method for an unstaffed computer room?

Options:

A.

Water sprinkler

B.

Fire extinguishers

C.

Carbon dioxide (CO2)

D.

Dry pipe

Questions 283

Which of the following would BEST help to support an auditor's conclusion about the effectiveness of an implemented data classification program?

Options:

A.

Purchase of information management tools

B.

Business use cases and scenarios

C.

Access rights provisioned according to scheme

D.

Detailed data classification scheme

Questions 284

An accounting department uses a spreadsheet to calculate sensitive financial transactions. Which of the following is the MOST important control for maintaining the security of data in the spreadsheet?

Options:

A.

There is a reconciliation process between the spreadsheet and the finance system

B.

A separate copy of the spreadsheet is routinely backed up

C.

The spreadsheet is locked down to avoid inadvertent changes

D.

Access to the spreadsheet is given only to those who require access

Questions 285

During an IT governance audit, an IS auditor notes that IT policies and procedures are not regularly reviewed and updated. The GREATEST concern to the IS auditor is that policies and procedures might not:

Options:

A.

reflect current practices.

B.

include new systems and corresponding process changes.

C.

incorporate changes to relevant laws.

D.

be subject to adequate quality assurance (QA).

Questions 286

Which of the following is the GREATEST security risk associated with data migration from a legacy human resources (HR) system to a cloud-based system?

Options:

A.

Data from the source and target system may be intercepted.

B.

Data from the source and target system may have different data formats.

C.

Records past their retention period may not be migrated to the new system.

D.

System performance may be impacted by the migration

Questions 287

An IS auditor performs a follow-up audit and learns the approach taken by the auditee to fix the findings differs from the agreed-upon approach confirmed during the last audit. Which of the following should be the auditor's NEXT course of action?

Options:

A.

Evaluate the appropriateness of the remedial action taken.

B.

Conduct a risk analysis incorporating the change.

C.

Report results of the follow-up to the audit committee.

D.

Inform senior management of the change in approach.

Questions 288

Which of the following establishes the PRIMARY difference between a business continuity plan (BCP) and a disaster recovery plan (DRP)?

Options:

A.

The annual testing requirements

B.

The focus on system recovery

C.

The timeframe for plan activation

D.

The involvement of senior management

Questions 289

Which of the following is the MOST important benefit of involving IS audit when implementing governance of enterprise IT?

Options:

A.

Identifying relevant roles for an enterprise IT governance framework

B.

Making decisions regarding risk response and monitoring of residual risk

C.

Verifying that legal, regulatory, and contractual requirements are being met

D.

Providing independent and objective feedback to facilitate improvement of IT processes

Questions 290

When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor's BEST recommendation is to place an intrusion detection system (IDS) between the firewall and:

Options:

A.

the Internet.

B.

the demilitarized zone (DMZ).

C.

the organization's web server.

D.

the organization's network.

Questions 291

What is MOST important to verify during an external assessment of network vulnerability?

Options:

A.

Update of security information event management (SIEM) rules

B.

Regular review of the network security policy

C.

Completeness of network asset inventory

D.

Location of intrusion detection systems (IDS)

Questions 292

An IS auditor is following up on prior period items and finds management did not address an audit finding. Which of the following should be the IS auditor's NEXT course of action?

Options:

A.

Note the exception in a new report as the item was not addressed by management.

B.

Recommend alternative solutions to address the repeat finding.

C.

Conduct a risk assessment of the repeat finding.

D.

Interview management to determine why the finding was not addressed.

Questions 293

What is the BEST control to address SQL injection vulnerabilities?

Options:

A.

Unicode translation

B.

Secure Sockets Layer (SSL) encryption

C.

Input validation

D.

Digital signatures

Questions 294

A data breach has occurred due to malware. Which of the following should be the FIRST course of action?

Options:

A.

Notify the cyber insurance company.

B.

Shut down the affected systems.

C.

Quarantine the impacted systems.

D.

Notify customers of the breach.

Questions 295

During an ongoing audit, management requests a briefing on the findings to date. Which of the following is the IS auditor's BEST course of action?

Options:

A.

Review working papers with the auditee.

B.

Request the auditee provide management responses.

C.

Request management wait until a final report is ready for discussion.

D.

Present observations for discussion only.

Questions 296

When reviewing an organization's information security policies, an IS auditor should verify that the policies have been defined PRIMARILY on the basis of:

Options:

A.

a risk management process.

B.

an information security framework.

C.

past information security incidents.

D.

industry best practices.

Questions 297

During a follow-up audit, an IS auditor learns that some key management personnel have been replaced since the original audit, and current management has decided not to implement some previously accepted recommendations. What is the auditor's BEST course of action?

Options:

A.

Notify the chair of the audit committee.

B.

Notify the audit manager.

C.

Retest the control.

D.

Close the audit finding.

Questions 298

Which of the following will be the MOST effective method to verify that a service vendor keeps control levels as required by the client?

Options:

A.

Conduct periodic on-site assessments using agreed-upon criteria.

B.

Periodically review the service level agreement (SLA) with the vendor.

C.

Conduct an unannounced vulnerability assessment of vendor's IT systems.

D.

Obtain evidence of the vendor's control self-assessment (CSA).

Questions 299

An incorrect version of the source code was amended by a development team. This MOST likely indicates a weakness in:

Options:

A.

incident management.

B.

quality assurance (QA).

C.

change management.

D.

project management.

Questions 300

Which of the following components of a risk assessment is MOST helpful to management in determining the level of risk mitigation to apply?

Options:

A.

Risk identification

B.

Risk classification

C.

Control self-assessment (CSA)

D.

Impact assessment

Questions 301

One benefit of return on investment (ROI) analysis in IT decision making is that it provides the:

Options:

A.

basis for allocating indirect costs.

B.

cost of replacing equipment.

C.

estimated cost of ownership.

D.

basis for allocating financial resources.

Questions 302

Which of the following provides IS audit professionals with the BEST source of direction for performing audit functions?

Options:

A.

Audit charter

B.

IT steering committee

C.

Information security policy

D.

Audit best practices

Questions 303

Which of the following would provide the MOST important input during the planning phase for an audit on the implementation of a bring your own device (BYOD) program?

Options:

A.

Findings from prior audits

B.

Results of a risk assessment

C.

An inventory of personal devices to be connected to the corporate network

D.

Policies including BYOD acceptable user statements

Questions 304

An organization is planning an acquisition and has engaged an IS auditor to evaluate the IT governance framework of the target company. Which of the following would be MOST helpful in determining the effectiveness of the framework?

Options:

A.

Self-assessment reports of IT capability and maturity

B.

IT performance benchmarking reports with competitors

C.

Recent third-party IS audit reports

D.

Current and previous internal IS audit reports

Questions 305

In which phase of penetration testing would host detection and domain name system (DNS) interrogation be performed?

Options:

A.

Discovery

B.

Attacks

C.

Planning

D.

Reporting

Questions 306

Due to a recent business divestiture, an organization has limited IT resources to deliver critical projects. Reviewing the IT staffing plan against which of the following would BEST guide IT management when estimating resource requirements for future projects?

Options:

A.

Human resources (HR) sourcing strategy

B.

Records of actual time spent on projects

C.

Peer organization staffing benchmarks

D.

Budgeted forecast for the next financial year

Questions 307

Which of the following activities would allow an IS auditor to maintain independence while facilitating a control self-assessment (CSA)?

Options:

A.

Implementing the remediation plan

B.

Partially completing the CSA

C.

Developing the remediation plan

D.

Developing the CSA questionnaire

Questions 308

Which of the following is a detective control?

Options:

A.

Programmed edit checks for data entry

B.

Backup procedures

C.

Use of pass cards to gain access to physical facilities

D.

Verification of hash totals

Questions 309

To develop meaningful recommendations for findings, which of the following is MOST important for an IS auditor to determine and understand?

Options:

A.

Root cause

B.

Responsible party

C.

Impact

D.

Criteria

Questions 310

The due date of an audit project is approaching, and the audit manager has determined that only 60% of the audit has been completed. Which of the following should the audit manager do FIRST?

Options:

A.

Determine where delays have occurred

B.

Assign additional resources to supplement the audit

C.

Escalate to the audit committee

D.

Extend the audit deadline

Questions 311

Which of the following is the PRIMARY role of the IS auditor in an organization's information classification process?

Options:

A.

Securing information assets in accordance with the classification assigned

B.

Validating that assets are protected according to assigned classification

C.

Ensuring classification levels align with regulatory guidelines

D.

Defining classification levels for information assets within the organization

Questions 312

Which of the following would be an appropriate role of internal audit in helping to establish an organization's privacy program?

Options:

A.

Analyzing risks posed by new regulations

B.

Designing controls to protect personal data

C.

Defining roles within the organization related to privacy

D.

Developing procedures to monitor the use of personal data

Questions 313

Which of the following is MOST helpful for measuring benefits realization for a new system?

Options:

A.

Function point analysis

B.

Balanced scorecard review

C.

Post-implementation review

D.

Business impact analysis (BIA)

Questions 314

In an environment that automatically reports all program changes, which of the following is the MOST efficient way to detect unauthorized changes to production programs?

Options:

A.

Reviewing the last compile date of production programs

B.

Manually comparing code in production programs to controlled copies

C.

Periodically running and reviewing test data against production programs

D.

Verifying user management approval of modifications

Questions 315

In an online application, which of the following would provide the MOST information about the transaction audit trail?

Options:

A.

File layouts

B.

Data architecture

C.

System/process flowchart

D.

Source code documentation

Questions 316

When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor's BEST recommendation is to place an intrusion detection system (IDS) between the firewall and:

Options:

A.

the organization's web server.

B.

the demilitarized zone (DMZ).

C.

the organization's network.

D.

the Internet.

Questions 317

Which of the following metrics would BEST measure the agility of an organization's IT function?

Options:

A.

Average number of learning and training hours per IT staff member

B.

Frequency of security assessments against the most recent standards and guidelines

C.

Average time to turn strategic IT objectives into an agreed upon and approved initiative

D.

Percentage of staff with sufficient IT-related skills for the competency required of their roles

Questions 318

When auditing the alignment of IT to the business strategy, it is MOST important for the IS auditor to:

Options:

A.

compare the organization's strategic plan against industry best practice.

B.

interview senior managers for their opinion of the IT function.

C.

ensure an IT steering committee is appointed to monitor new IT projects.

D.

evaluate deliverables of new IT initiatives against planned business services.

Questions 319

Which of the following concerns is BEST addressed by securing production source libraries?

Options:

A.

Programs are not approved before production source libraries are updated.

B.

Production source and object libraries may not be synchronized.

C.

Changes are applied to the wrong version of production source libraries.

D.

Unauthorized changes can be moved into production.

Questions 320

An IS auditor is analyzing a sample of accesses recorded on the system log of an application. The auditor intends to launch an intensive investigation if one exception is found. Which sampling method would be appropriate?

Options:

A.

Discovery sampling

B.

Judgmental sampling

C.

Variable sampling

D.

Stratified sampling

Questions 321

Which of the following findings should be of GREATEST concern to an IS auditor performing a review of IT operations?

Options:

A.

The job scheduler application has not been designed to display pop-up error messages.

B.

Access to the job scheduler application has not been restricted to a maximum of two staff members

C.

Operations shift turnover logs are not utilized to coordinate and control the processing environment

D.

Changes to the job scheduler application's parameters are not approved and reviewed by an operations supervisor

Questions 322

Which of the following should an IS auditor consider the MOST significant risk associated with a new health records system that replaces a legacy system?

Options:

A.

Staff were not involved in the procurement process, creating user resistance to the new system.

B.

Data is not converted correctly, resulting in inaccurate patient records.

C.

The deployment project experienced significant overruns, exceeding budget projections.

D.

The new system has capacity issues, leading to slow response times for users.

Questions 323

Which of the following findings should be of GREATEST concern for an IS auditor when auditing the effectiveness of a phishing simulation test administered for staff members?

Options:

A.

Staff members who failed the test did not receive follow-up education.

B.

Test results were not communicated to staff members.

C.

Staff members were not notified about the test beforehand.

D.

Security awareness training was not provided prior to the test.

Questions 324

The IS quality assurance (QA) group is responsible for:

Options:

A.

ensuring that program changes adhere to established standards.

B.

designing procedures to protect data against accidental disclosure.

C.

ensuring that the output received from system processing is complete.

D.

monitoring the execution of computer processing tasks.

Questions 325

Which of the following is the MOST important activity in the data classification process?

Options:

A.

Labeling the data appropriately

B.

Identifying risk associated with the data

C.

Determining accountability of data owners

D.

Determining the adequacy of privacy controls

Questions 326

Which of the following provides the MOST assurance over the completeness and accuracy of loan application processing with respect to the implementation of a new system?

Options:

A.

Comparing code between old and new systems

B.

Running historical transactions through the new system

C.

Reviewing quality assurance (QA) procedures

D.

Loading balance and transaction data to the new system

Questions 327

An IS audit team is evaluating the documentation related to the most recent application user-access review performed by IT and business management. It is determined that the user list was not system-generated. Which of the following should be the GREATEST concern?

Options:

A.

Availability of the user list reviewed

B.

Confidentiality of the user list reviewed

C.

Source of the user list reviewed

D.

Completeness of the user list reviewed

Questions 328

What is the MAIN reason to use incremental backups?

Options:

A.

To improve key availability metrics

B.

To reduce costs associated with backups

C.

To increase backup resiliency and redundancy

D.

To minimize the backup time and resources

Questions 329

Which of the following controls BEST ensures appropriate segregation of duties within an accounts payable department?

Options:

A.

Ensuring that audit trails exist for transactions

B.

Restricting access to update programs to accounts payable staff only

C.

Including the creator's user ID as a field in every transaction record created

D.

Restricting program functionality according to user security profiles

Questions 330

The BEST way to determine whether programmers have permission to alter data in the production environment is by reviewing:

Options:

A.

the access control system's log settings.

B.

how the latest system changes were implemented.

C.

the access control system's configuration.

D.

the access rights that have been granted.

Questions 331

During the implementation of a new system, an IS auditor must assess whether certain automated calculations comply with the regulatory requirements. Which of the following is the BEST way to obtain this assurance?

Options:

A.

Review sign-off documentation

B.

Review the source code related to the calculation

C.

Re-perform the calculation with audit software

D.

Inspect user acceptance test (UAT) results

Questions 332

In order to be useful, a key performance indicator (KPI) MUST:

Options:

A.

be approved by management.

B.

be measurable in percentages.

C.

be changed frequently to reflect organizational strategy.

D.

have a target value.

Questions 333

The use of control totals satisfies which of the following control objectives?

Options:

A.

Transaction integrity

B.

Processing integrity

C.

Distribution control

D.

System recoverability

Questions 334

Which of the following should be the FIRST consideration when deciding whether data should be moved to a cloud provider for storage?

Options:

A.

Data storage costs

B.

Data classification

C.

Vendor cloud certification

D.

Service level agreements (SLAs)

Questions 335

An IS auditor reviewing the threat assessment for a data center would be MOST concerned if:

Options:

A.

some of the identified threats are unlikely to occur.

B.

all identified threats relate to external entities.

C.

the exercise was completed by local management.

D.

neighboring organizations' operations have been included.

Questions 336

A computer forensic audit is MOST relevant in which of the following situations?

Options:

A.

Inadequate controls in the IT environment

B.

Mismatches in transaction data

C.

Missing server patches

D.

Data loss due to hacking of servers

Questions 337

In an environment where data virtualization is used, which of the following provides the BEST disaster recovery solution?

Options:

A.

Onsite disk-based backup systems

B.

Tape-based backup systems

C.

Virtual tape library

D.

Redundant array of independent disks (RAID)

Questions 338

Which of the following is the PRIMARY basis on which audit objectives are established?

Options:

A.

Audit risk

B.

Consideration of risks

C.

Assessment of prior audits

D.

Business strategy

Questions 339

Which of the following is MOST critical to the success of an information security program?

Options:

A.

User accountability for information security

B.

Management's commitment to information security

C.

Integration of business and information security

D.

Alignment of information security with IT objectives

Questions 340

What would be the PRIMARY reason an IS auditor would recommend replacing universal PIN codes with an RFID access card system at a data center?

Options:

A.

To improve traceability

B.

To prevent piggybacking

C.

To implement multi-factor authentication

D.

To reduce maintenance costs

Questions 341

During the walk-through procedures for an upcoming audit, an IS auditor notes that the key application in scope is part of a Software as a Service (SaaS) agreement. What should the auditor do NEXT?

Options:

A.

Verify whether IT management monitors the effectiveness of the environment.

B.

Verify whether a right-to-audit clause exists.

C.

Verify whether a third-party security attestation exists.

D.

Verify whether service level agreements (SLAs) are defined and monitored.

Questions 342

Which of the following would be of GREATEST concern to an IS auditor reviewing an IT strategy document?

Options:

A.

Target architecture is defined at a technical level.

B.

The previous year's IT strategic goals were not achieved.

C.

Strategic IT goals are derived solely from the latest market trends.

D.

Financial estimates of new initiatives are disclosed within the document.

Questions 343

Which of the following is the MOST reliable way for an IS auditor to evaluate the operational effectiveness of an organization's data loss prevention (DLP) controls?

Options:

A.

Review data classification levels based on industry best practice.

B.

Verify that current DLP software is installed on all computer systems.

C.

Conduct interviews to identify possible data protection vulnerabilities.

D.

Verify that confidential files cannot be transmitted to a personal USB device.

Questions 344

Which of the following is the BEST way for an IS auditor to assess the design of an automated application control?

Options:

A.

Interview the application developer.

B.

Obtain management attestation and sign-off.

C.

Review the application implementation documents.

D.

Review system configuration parameters and output.

Questions 345

Which of the following is MOST likely to be a project deliverable of an agile software development methodology?

Options:

A.

Strictly managed software requirements baselines

B.

Extensive project documentation

C.

Automated software programming routines

D.

Rapidly created working prototypes

Questions 346

Which of the following should an IS auditor be MOST concerned with when a system uses RFID?

Options:

A.

Privacy

B.

Maintainability

C.

Scalability

D.

Nonrepudiation

Questions 347

Which of the following should be identified FIRST during the risk assessment process?

Options:

A.

Vulnerability to threats

B.

Existing controls

C.

Information assets

D.

Legal requirements

Questions 348

A core system fails a week after a scheduled update, causing an outage that impacts service. Which of the following is MOST important for incident management to focus on when addressing the issue?

Options:

A.

Analyzing the root cause of the outage to ensure the incident will not reoccur

B.

Restoring the system to operational state as quickly as possible

C.

Ensuring all resolution steps are fully documented prior to returning the system to service

D.

Rolling back the unsuccessful change to the previous state

Questions 349

The PRIMARY purpose of an incident response plan is to:

Options:

A.

reduce the impact of an adverse event on information assets.

B.

increase the effectiveness of preventive controls.

C.

reduce the maximum tolerable downtime (MTD) of impacted systems.

D.

increase awareness of impacts from adverse events to IT systems.

Questions 350

Several unattended laptops containing sensitive customer data were stolen from personnel offices. Which of the following would be an IS auditor's BEST recommendation to protect data in case of recurrence?

Options:

A.

Encrypt the disk drive.

B.

Require two-factor authentication

C.

Enhance physical security

D.

Require the use of cable locks

Questions 351

An IS auditor learns that an organization's business continuity plan (BCP) has not been updated in the last 18 months and that the organization recently closed a production plant. Which of the following is the auditor's BEST course of action?

Options:

A.

Determine whether the business impact analysis (BIA) is current with the organization's structure and context.

B.

Determine the types of technologies used at the plant and how they may affect the BCP.

C.

Perform testing to determine the impact to the recovery time objective (RTO).

D.

Assess the risk to operations from the closing of the plant.

Questions 352

Which of the following is MOST important to consider when assessing the scope of privacy concerns for an IT project?

Options:

A.

Data ownership

B.

Applicable laws and regulations

C.

Business requirements and data flows

D.

End-user access rights

Questions 353

Which of the following is the MOST significant risk when an application uses individual end-user accounts to access the underlying database?

Options:

A.

Multiple connections to the database are used and slow the process.

B.

User accounts may remain active after a termination.

C.

Users may be able to circumvent application controls.

D.

Application may not capture a complete audit trail.

Questions 354

Which of the following is the MOST important prerequisite for implementing a data loss prevention (DLP) tool?

Options:

A.

Requiring users to save files in secured folders instead of a company-wide shared drive

B.

Reviewing data transfer logs to determine historical patterns of data flow

C.

Developing a DLP policy and requiring signed acknowledgment by users

D.

Identifying where existing data resides and establishing a data classification matrix

Questions 355

A bank wants to outsource a system to a cloud provider residing in another country. Which of the following would be the MOST appropriate IS audit recommendation?

Options:

A.

Find an alternative provider in the bank's home country.

B.

Ensure the provider's internal control system meets bank requirements.

C.

Proceed as intended, as the provider has to observe all laws of the clients’ countries.

D.

Ensure the provider has disaster recovery capability.

Questions 356

An IS auditor is reviewing processes for importing market price data from external data providers. Which of the following findings should the auditor consider MOST critical?

Options:

A.

The quality of the data is not monitored.

B.

Imported data is not disposed of frequently.

C.

The transfer protocol is not encrypted.

D.

The transfer protocol does not require authentication.

Questions 357

An IS auditor notes that the previous year's disaster recovery test was not completed within the scheduled time frame due to insufficient hardware allocated by a third-party vendor. Which of the following provides the BEST evidence that adequate resources are now allocated to successfully recover the systems?

Options:

A.

Service level agreement (SLA)

B.

Hardware change management policy

C.

Vendor memo indicating problem correction

D.

An up-to-date RACI chart

Questions 358

What Is the BEST method to determine if IT resource spending is aligned with planned project spending?

Options:

A.

Earned value analysis (EVA)

B.

Return on investment (ROI) analysis

C.

Gantt chart

D.

Critical path analysis

Questions 359

What would be an IS auditor's BEST recommendation upon finding that a third-party IT service provider hosts the organization's human resources (HR) system in a foreign country?

Options:

A.

Perform background verification checks.

B.

Review third-party audit reports.

C.

Implement change management review.

D.

Conduct a privacy impact analysis.

Questions 360

Which of the following security measures will reduce the risk of propagation when a cyberattack occurs?

Options:

A.

Perimeter firewall

B.

Data loss prevention (DLP) system

C.

Web application firewall

D.

Network segmentation

Questions 361

An IS auditor reviewing the threat assessment for a data center would be MOST concerned if:

Options:

A.

some of the identified threats are unlikely to occur.

B.

all identified threats relate to external entities.

C.

the exercise was completed by local management.

D.

neighboring organizations' operations have been included.

Questions 362

During a security audit, an IS auditor is tasked with reviewing log entries obtained from an enterprise intrusion prevention system (IPS). Which type of risk would be associated with the potential for the auditor to miss a sequence of logged events that could indicate an error in the IPS configuration?

Options:

A.

Sampling risk

B.

Detection risk

C.

Control risk

D.

Inherent risk

Questions 363

A review of Internet security disclosed that users have individual user accounts with Internet service providers (ISPs) and use these accounts for downloading business data. The organization wants to ensure that only the corporate network is used. The organization should FIRST:

Options:

A.

use a proxy server to filter out Internet sites that should not be accessed.

B.

keep a manual log of Internet access.

C.

monitor remote access activities.

D.

include a statement in its security policy about Internet use.

Questions 364

Which of the following is the MOST efficient way to identify segregation of duties violations in a new system?

Options:

A.

Review a report of security rights in the system.

B.

Observe the performance of business processes.

C.

Develop a process to identify authorization conflicts.

D.

Examine recent system access rights violations.

Questions 365

Which of the following BEST helps to ensure data integrity across system interfaces?

Options:

A.

Environment segregation

B.

Reconciliation

C.

System backups

D.

Access controls

Questions 366

Which of the following audit procedures would be MOST conclusive in evaluating the effectiveness of an e-commerce application system's edit routine?

Options:

A.

Review of program documentation

B.

Use of test transactions

C.

Interviews with knowledgeable users

D.

Review of source code

Questions 367

Which of the following is MOST important to determine during the planning phase of a cloud-based messaging and collaboration platform acquisition?

Options:

A.

Role-based access control policies

B.

Types of data that can be uploaded to the platform

C.

Processes for on-boarding and off-boarding users to the platform

D.

Processes for reviewing administrator activity

Questions 368

An organization has virtualized its server environment without making any other changes to the network or security infrastructure. Which of the following is the MOST significant risk?

Options:

A.

Inability of the network intrusion detection system (IDS) to monitor virtual server-to-server communications

B.

Vulnerability in the virtualization platform affecting multiple hosts

C.

Data center environmental controls not aligning with new configuration

D.

System documentation not being updated to reflect changes in the environment

Questions 369

Which of the following controls BEST ensures appropriate segregation of duties within an accounts payable department?

Options:

A.

Restricting program functionality according to user security profiles

B.

Restricting access to update programs to accounts payable staff only

C.

Including the creator’s user ID as a field in every transaction record created

D.

Ensuring that audit trails exist for transactions

Questions 370

Which of the following would be MOST effective to protect information assets in a data center from theft by a vendor?

Options:

A.

Monitor and restrict vendor activities

B.

Issue an access card to the vendor.

C.

Conceal data devices and information labels

D.

Restrict use of portable and wireless devices.

Questions 371

Which of the following would be an appropriate role of internal audit in helping to establish an organization’s privacy program?

Options:

A.

Analyzing risks posed by new regulations

B.

Developing procedures to monitor the use of personal data

C.

Defining roles within the organization related to privacy

D.

Designing controls to protect personal data

Questions 372

Which of the following is MOST important for an IS auditor to confirm when reviewing an organization's plans to implement robotic process automation (RPA) to automate routine business tasks?

Options:

A.

The end-to-end process is understood and documented.

B.

Roles and responsibilities are defined for the business processes in scope.

C.

A benchmarking exercise of industry peers who use RPA has been completed.

D.

A request for proposal (RFP) has been issued to qualified vendors.

Questions 373

What is the PRIMARY benefit of an audit approach which requires reported findings to be issued together with related action plans, owners, and target dates?

Options:

A.

It facilitates easier audit follow-up.

B.

It enforces action plan consensus between auditors and auditees.

C.

It establishes accountability for the action plans.

D.

It helps to ensure factual accuracy of findings.

Questions 374

Which of the following should be the FIRST step when developing a data loss prevention (DLP) solution for a large organization?

Options:

A.

Identify approved data workflows across the enterprise.

B.

Conduct a threat analysis against sensitive data usage.

C.

Create the DLP policies and templates.

D.

Conduct a data inventory and classification exercise

Questions 375

An IS auditor finds that application servers had inconsistent security settings leading to potential vulnerabilities. Which of the following is the BEST recommendation by the IS auditor?

Options:

A.

Improve the change management process

B.

Establish security metrics.

C.

Perform a penetration test

D.

Perform a configuration review

Questions 376

A warehouse employee of a retail company has been able to conceal the theft of inventory items by entering adjustments of either damaged or lost stock items to the inventory system. Which control would have BEST prevented this type of fraud in a retail environment?

Options:

A.

Separate authorization for input of transactions

B.

Statistical sampling of adjustment transactions

C.

Unscheduled audits of lost stock lines

D.

An edit check for the validity of the inventory transaction

Questions 377

Which of the following will BEST ensure that a proper cutoff has been established to reinstate transactions and records to their condition just prior to a computer system failure?

Options:

A.

Rotating backup copies of transaction files offsite

B.

Using a database management system (DBMS) to dynamically back-out partially processed transactions

C.

Maintaining system console logs in electronic format

D.

Ensuring bisynchronous capabilities on all transmission lines

Questions 378

Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization's information security policy?

Options:

A.

IT steering committee minutes

B.

Business objectives

C.

Alignment with the IT tactical plan

D.

Compliance with industry best practice

Questions 379

Which of the following is the BEST way to mitigate the risk associated with unintentional modifications of complex calculations in end-user computing (EUC)?

Options:

A.

Have an independent party review the source calculations

B.

Execute copies of EUC programs out of a secure library

C.

Implement complex password controls

D.

Verify EUC results through manual calculations

Questions 380

An IS auditor finds that one employee has unauthorized access to confidential data. The IS auditor's BEST recommendation should be to:

Options:

A.

reclassify the data to a lower level of confidentiality

B.

require the business owner to conduct regular access reviews.

C.

implement a strong password schema for users.

D.

recommend corrective actions to be taken by the security administrator.

Questions 381

An IS auditor finds that capacity management for a key system is being performed by IT with no input from the business. The auditor's PRIMARY concern would be:

Options:

A.

failure to maximize the use of equipment

B.

unanticipated increase in the business's capacity needs.

C.

cost of excessive data center storage capacity

D.

impact to future business project funding.

Questions 382

Which of the following provides the BEST evidence that outsourced provider services are being properly managed?

Options:

A.

The service level agreement (SLA) includes penalties for non-performance.

B.

Adequate action is taken for noncompliance with the service level agreement (SLA).

C.

The vendor provides historical data to demonstrate its performance.

D.

Internal performance standards align with corporate strategy.

Questions 383

Which of the following would BEST ensure that a backup copy is available for restoration of mission critical data after a disaster?

Options:

A.

Use an electronic vault for incremental backups

B.

Deploy a fully automated backup maintenance system.

C.

Periodically test backups stored in a remote location

D.

Use both tape and disk backup systems

Questions 384

Which of the following is a corrective control?

Options:

A.

Separating equipment for development, testing, and production

B.

Verifying duplicate calculations in data processing

C.

Reviewing user access rights for segregation

D.

Executing emergency response plans

Questions 385

Which of the following BEST describes an audit risk?

Options:

A.

The company is being sued for false accusations.

B.

The financial report may contain undetected material errors.

C.

Employees have been misappropriating funds.

D.

Key employees have not taken vacation for 2 years.

Questions 386

When verifying the accuracy and completeness of migrated data for a new application system replacing a legacy system, it is MOST effective for an IS auditor to review:

Options:

A.

data analytics findings.

B.

audit trails

C.

acceptance testing results

D.

rollback plans

Questions 387

An IS auditor discovers that an IT organization serving several business units assigns equal priority to all initiatives, creating a risk of delays in securing project funding. Which of the following would be MOST helpful in matching demand for projects and services with available resources in a way that supports business objectives?

Options:

A.

Project management

B.

Risk assessment results

C.

IT governance framework

D.

Portfolio management

Questions 388

An audit identified that a computer system is not assigning sequential purchase order numbers to order requests. The IS auditor is conducting an audit follow-up to determine if management has resolved this finding. Which of the following is the MOST reliable follow-up procedure?

Options:

A.

Review the documentation of recent changes to implement sequential order numbering.

B.

Inquire with management if the system has been configured and tested to generate sequential order numbers.

C.

Inspect the system settings and transaction logs to determine if sequential order numbers are generated.

D.

Examine a sample of system generated purchase orders obtained from management

Questions 389

Which of the following is MOST important when planning a network audit?

Options:

A.

Determination of IP range in use

B.

Analysis of traffic content

C.

Isolation of rogue access points

D.

Identification of existing nodes

Questions 390

Which of the following is the MOST significant risk that IS auditors are required to consider for each engagement?

Options:

A.

Process and resource inefficiencies

B.

Irregularities and illegal acts

C.

Noncompliance with organizational policies

D.

Misalignment with business objectives

Questions 391

Which of the following should be performed FIRST before key performance indicators (KPIs) can be implemented?

Options:

A.

Analysis of industry benchmarks

B.

Identification of organizational goals

C.

Analysis of quantitative benefits

D.

Implementation of a balanced scorecard

Questions 392

An IS auditor plans to review all access attempts to a video-monitored and proximity card-controlled communications room. Which of the following would be MOST useful to the auditor?

Options:

A.

Alarm system with CCTV

B.

Access control log

C.

Security incident log

D.

Access card allocation records

Questions 393

The PRIMARY role of a control self-assessment (CSA) facilitator is to:

Options:

A.

conduct interviews to gain background information.

B.

focus the team on internal controls.

C.

report on the internal control weaknesses.

D.

provide solutions for control weaknesses.

Questions 394

Which of the following should be of GREATEST concern for an IS auditor reviewing an organization's disaster recovery plan (DRP)?

Options:

A.

The DRP has not been formally approved by senior management.

B.

The DRP has not been distributed to end users.

C.

The DRP has not been updated since an IT infrastructure upgrade.

D.

The DRP contains recovery procedures for critical servers only.

Questions 395

Which of the following would MOST effectively help to reduce the number of repeated incidents in an organization?

Options:

A.

Testing incident response plans with a wide range of scenarios

B.

Prioritizing incidents after impact assessment.

C.

Linking incidents to problem management activities

D.

Training incident management teams on current incident trends

Questions 396

Which task should an IS auditor complete FIRST during the preliminary planning phase of a database security review?

Options:

A.

Perform a business impact analysis (BIA).

B.

Determine which databases will be in scope.

C.

Identify the most critical database controls.

D.

Evaluate the types of databases being used

Questions 397

Which of the following is MOST important for an IS auditor to determine during the detailed design phase of a system development project?

Options:

A.

Program coding standards have been followed

B.

Acceptance test criteria have been developed

C.

Data conversion procedures have been established.

D.

The design has been approved by senior management.

Questions 398

In response to an audit finding regarding a payroll application, management implemented a new automated control. Which of the following would be MOST helpful to the IS auditor when evaluating the effectiveness of the new control?

Options:

A.

Approved test scripts and results prior to implementation

B.

Written procedures defining processes and controls

C.

Approved project scope document

D.

A review of tabletop exercise results

Questions 399

Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?

Options:

A.

Apply single sign-on for access control

B.

Implement segregation of duties.

C.

Enforce an internal data access policy.

D.

Enforce the use of digital signatures.

Questions 400

Which of the following would be MOST useful when analyzing computer performance?

Options:

A.

Statistical metrics measuring capacity utilization

B.

Operations report of user dissatisfaction with response time

C.

Tuning of system software to optimize resource usage

D.

Report of off-peak utilization and response time

Questions 401

Which of the following is the BEST reason to implement a data retention policy?

Options:

A.

To limit the liability associated with storing and protecting information

B.

To document business objectives for processing data within the organization

C.

To assign responsibility and ownership for data protection outside IT

D.

To establish a recovery point objective (RPO) for disaster recovery procedures

Questions 402

An organization has outsourced the development of a core application. However, the organization plans to bring the support and future maintenance of the application back in-house. Which of the following findings should be the IS auditor's GREATEST concern?

Options:

A.

The cost of outsourcing is lower than in-house development.

B.

The vendor development team is located overseas.

C.

A training plan for business users has not been developed.

D.

The data model is not clearly documented.

Questions 403

Which of the following is a challenge in developing a service level agreement (SLA) for network services?

Options:

A.

Establishing a well-designed framework for network services.

B.

Finding performance metrics that can be measured properly

C.

Ensuring that network components are not modified by the client

D.

Reducing the number of entry points into the network

Questions 404

Which of the following is necessary for effective risk management in IT governance?

Options:

A.

Local managers are solely responsible for risk evaluation.

B.

IT risk management is separate from corporate risk management.

C.

Risk management strategy is approved by the audit committee.

D.

Risk evaluation is embedded in management processes.

Questions 405

Which of the following would BEST enable an organization to address the security risks associated with a recently implemented bring your own device (BYOD) strategy?

Options:

A.

Mobile device tracking program

B.

Mobile device upgrade program

C.

Mobile device testing program

D.

Mobile device awareness program

Questions 406

When reviewing a data classification scheme, it is MOST important for an IS auditor to determine if:

Options:

A.

each information asset is assigned to a different classification.

B.

the security criteria are clearly documented for each classification

C.

senior IT managers are identified as information owners.

D.

the information owner is required to approve access to the asset

Questions 407

Which of the following would an IS auditor recommend as the MOST effective preventive control to reduce the risk of data leakage?

Options:

A.

Ensure that paper documents are disposed of securely.

B.

Implement an intrusion detection system (IDS).

C.

Verify that application logs capture any changes made.

D.

Validate that all data files contain digital watermarks

Questions 408

Which of the following is MOST important to ensure that electronic evidence collected during a forensic investigation will be admissible in future legal proceedings?

Options:

A.

Restricting evidence access to professionally certified forensic investigators

B.

Documenting evidence handling by personnel throughout the forensic investigation

C.

Performing investigative procedures on the original hard drives rather than images of the hard drives

D.

Engaging an independent third party to perform the forensic investigation

Questions 409

An IS auditor has found that a vendor has gone out of business and the escrow has an older version of the source code. What is the auditor's BEST recommendation for the organization?

Options:

A.

Analyze a new application that meets the current re

B.

Perform an analysis to determine the business risk

C.

Bring the escrow version up to date.

D.

Develop a maintenance plan to support the application using the existing code

Questions 410

Which of the following would BEST detect that a distributed denial of service (DDoS) attack is occurring?

Options:

A.

Customer service complaints

B.

Automated monitoring of logs

C.

Server crashes

D.

Penetration testing

Questions 411

During the planning phase of a data loss prevention (DLP) audit, management expresses a concern about mobile computing. Which of the following should the IS auditor identify as the associated risk?

Options:

A.

The use of the cloud negatively impacting IT availability

B.

Increased need for user awareness training

C.

Increased vulnerability due to anytime, anywhere accessibility

D.

Lack of governance and oversight for IT infrastructure and applications

Questions 412

An IS auditor is reviewing logical access controls for an organization's financial business application Which of the following findings should be of GREATEST concern to the auditor?

Options:

A.

Users are not required to change their passwords on a regular basis

B.

Management does not review application user activity logs

C.

User accounts are shared between users

D.

Password length is set to eight characters

Questions 413

Which of the following is the BEST way to enforce the principle of least privilege on a server containing data with different security classifications?

Options:

A.

Limiting access to the data files based on frequency of use

B.

Obtaining formal agreement by users to comply with the data classification policy

C.

Applying access controls determined by the data owner

D.

Using scripted access control lists to prevent unauthorized access to the server

Questions 414

Which of the following is the BEST way to ensure that business continuity plans (BCPs) will work effectively in the event of a major disaster?

Options:

A.

Prepare detailed plans for each business function.

B.

Involve staff at all levels in periodic paper walk-through exercises.

C.

Regularly update business impact assessments.

D.

Make senior managers responsible for their plan sections.

Questions 415

Management receives information indicating a high level of risk associated with potential flooding near the organization's data center within the next few years. As a result, a decision has been made to move data center operations to another facility on higher ground. Which approach has been adopted?

Options:

A.

Risk avoidance

B.

Risk transfer

C.

Risk acceptance

D.

Risk reduction

Questions 416

An IS auditor is reviewing the installation of a new server. The IS auditor's PRIMARY objective is to ensure that:

Options:

A.

security parameters are set in accordance with the manufacturer's standards.

B.

a detailed business case was formally approved prior to the purchase.

C.

security parameters are set in accordance with the organization's policies.

D.

the procurement project invited tenders from at least three different suppliers.

Questions 417

Which of the following is the PRIMARY advantage of using virtualization technology for corporate applications?

Options:

A.

Improved disaster recovery

B.

Better utilization of resources

C.

Stronger data security

D.

Increased application performance

Questions 418

An IS auditor follows up on a recent security incident and finds the incident response was not adequate. Which of the following findings should be considered MOST critical?

Options:

A.

The security weakness facilitating the attack was not identified.

B.

The attack was not automatically blocked by the intrusion detection system (IDS).

C.

The attack could not be traced back to the originating person.

D.

Appropriate response documentation was not maintained.

Questions 419

During an IT general controls audit of a high-risk area where both internal and external audit teams are reviewing the same approach to optimize resources?

Options:

A.

Leverage the work performed by external audit for the internal audit testing.

B.

Ensure both the internal and external auditors perform the work simultaneously.

C.

Request that the external audit team leverage the internal audit work.

D.

Roll forward the general controls audit to the subsequent audit year.

Questions 420

What should an IS auditor do FIRST when management responses to an in-person internal control questionnaire indicate a key internal control is no longer effective?

Options:

A.

Determine the resources required to make the control effective.

B.

Validate the overall effectiveness of the internal control.

C.

Verify the impact of the control no longer being effective.

D.

Ascertain the existence of other compensating controls.

Questions 421

Which of the following application input controls would MOST likely detect data input errors in the customer account number field during the processing of an accounts receivable transaction?

Options:

A.

Limit check

B.

Parity check

C.

Reasonableness check

D.

Validity check

Exam Code: CISA
Exam Name: Certified Information Systems Auditor
Last Update: Mar 31, 2025
Questions: 1404
