New Year Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: best70

CISA Certified Information Systems Auditor Questions and Answers

Questions 4

Which of the following BEST facilitates the legal process in the event of an incident?

Options:

A.

Right to perform e-discovery

B.

Advice from legal counsel

C.

Preserving the chain of custody

D.

Results of a root cause analysis

Buy Now
Questions 5

What should an IS auditor do FIRST when management responses

to an in-person internal control questionnaire indicate a key internal

control is no longer effective?

Options:

A.

Determine the resources required to make the control

effective.

B.

Validate the overall effectiveness of the internal control.

C.

Verify the impact of the control no longer being effective.

D.

Ascertain the existence of other compensating controls.

Buy Now
Questions 6

Which of the following issues associated with a data center's closed-circuit television (CCTV) surveillance cameras should be of MOST concern to an IS auditor?

Options:

A.

CCTV recordings are not regularly reviewed.

B.

CCTV cameras are not installed in break rooms

C.

CCTV records are deleted after one year.

D.

CCTV footage is not recorded 24 x 7.

Buy Now
Questions 7

Which of the following IT service management activities is MOST likely to help with identifying the root cause of repeated instances of network latency?

Options:

A.

Change management

B.

Problem management

C.

incident management

D.

Configuration management

Buy Now
Questions 8

Which of the following would be MOST useful when analyzing computer performance?

Options:

A.

Statistical metrics measuring capacity utilization

B.

Operations report of user dissatisfaction with response time

C.

Tuning of system software to optimize resource usage

D.

Report of off-peak utilization and response time

Buy Now
Questions 9

During a follow-up audit, an IS auditor finds that some critical recommendations have the IS auditor's BEST course of action?

Options:

A.

Require the auditee to address the recommendations in full.

B.

Adjust the annual risk assessment accordingly.

C.

Evaluate senior management's acceptance of the risk.

D.

Update the audit program based on management's acceptance of risk.

Buy Now
Questions 10

During the planning phase of a data loss prevention (DLP) audit, management expresses a concern about mobile computing. Which of the following should the IS auditor identity as the associated risk?

Options:

A.

The use of the cloud negatively impacting IT availably

B.

Increased need for user awareness training

C.

Increased vulnerability due to anytime, anywhere accessibility

D.

Lack of governance and oversight for IT infrastructure and applications

Buy Now
Questions 11

What should an IS auditor do FIRST upon discovering that a service provider did not notify its customers of a security breach?

Options:

A.

Notify law enforcement of the finding.

B.

Require the third party to notify customers.

C.

The audit report with a significant finding.

D.

Notify audit management of the finding.

Buy Now
Questions 12

An IS auditor finds that capacity management for a key system is being performed by IT with no input from the business The auditor's PRIMARY concern would be:

Options:

A.

failure to maximize the use of equipment

B.

unanticipated increase in business s capacity needs.

C.

cost of excessive data center storage capacity

D.

impact to future business project funding.

Buy Now
Questions 13

Which of the following is MOST important when planning a network audit?

Options:

A.

Determination of IP range in use

B.

Analysis of traffic content

C.

Isolation of rogue access points

D.

Identification of existing nodes

Buy Now
Questions 14

A credit card company has decided to outsource the printing of customer statements It Is MOST important for the company to verify whether:

Options:

A.

the provider has alternate service locations.

B.

the contract includes compensation for deficient service levels.

C.

the provider's information security controls are aligned with the company's.

D.

the provider adheres to the company's data retention policies.

Buy Now
Questions 15

Which of the following should be the IS auditor's PRIMARY focus, when evaluating an organization's offsite storage facility?

Options:

A.

Shared facilities

B.

Adequacy of physical and environmental controls

C.

Results of business continuity plan (BCP) test

D.

Retention policy and period

Buy Now
Questions 16

Which of the following is the MOST efficient way to identify segregation of duties violations in a new system?

Options:

A.

Review a report of security rights in the system.

B.

Observe the performance of business processes.

C.

Develop a process to identify authorization conflicts.

D.

Examine recent system access rights violations.

Buy Now
Questions 17

Which of the following should be the FRST step when developing a data toes prevention (DIP) solution for a large organization?

Options:

A.

Identify approved data workflows across the enterprise.

B.

Conduct a threat analysis against sensitive data usage.

C.

Create the DLP pcJc.es and templates

D.

Conduct a data inventory and classification exercise

Buy Now
Questions 18

An IS auditor follows up on a recent security incident and finds the incident response was not adequate. Which of the following findings should be considered MOST critical?

Options:

A.

The security weakness facilitating the attack was not identified.

B.

The attack was not automatically blocked by the intrusion detection system (IDS).

C.

The attack could not be traced back to the originating person.

D.

Appropriate response documentation was not maintained.

Buy Now
Questions 19

Which of the following would be an appropriate role of internal audit in helping to establish an organization’s privacy program?

Options:

A.

Analyzing risks posed by new regulations

B.

Developing procedures to monitor the use of personal data

C.

Defining roles within the organization related to privacy

D.

Designing controls to protect personal data

Buy Now
Questions 20

Which of the following would be the MOST useful metric for management to consider when reviewing a project portfolio?

Options:

A.

Cost of projects divided by total IT cost

B.

Expected return divided by total project cost

C.

Net present value (NPV) of the portfolio

D.

Total cost of each project

Buy Now
Questions 21

Which of the following security measures will reduce the risk of propagation when a cyberattack occurs?

Options:

A.

Perimeter firewall

B.

Data loss prevention (DLP) system

C.

Web application firewall

D.

Network segmentation

Buy Now
Questions 22

Which of the following would be of GREATEST concern when reviewing an organization's security information and event management (SIEM) solution?

Options:

A.

SIEM reporting is customized.

B.

SIEM configuration is reviewed annually

C.

The SIEM is decentralized.

D.

SIEM reporting is ad hoc.

Buy Now
Questions 23

An IS auditor discovers that an IT organization serving several business units assigns equal priority to all initiatives, creating a risk of delays in securing project funding Which of the following would be MOST helpful in matching demand for projects and services with available resources in a way that supports business objectives?

Options:

A.

Project management

B.

Risk assessment results

C.

IT governance framework

D.

Portfolio management

Buy Now
Questions 24

Which of the following will BEST ensure that a proper cutoff has been established to reinstate transactions and records to their condition just prior to a computer system failure?

Options:

A.

Rotating backup copies of transaction files offsite

B.

Using a database management system (DBMS) to dynamically back-out partially processed transactions

C.

Maintaining system console logs in electronic formal

D.

Ensuring bisynchronous capabilities on all transmission lines

Buy Now
Questions 25

An audit identified that a computer system is not assigning sequential purchase order numbers to order requests. The IS auditor is conducting an audit follow-up to determine if management has reserved this finding. Which of two following is the MOST reliable follow-up procedure?

Options:

A.

Review the documentation of recant changes to implement sequential order numbering.

B.

Inquire with management if the system has been configured and tested to generate sequential order numbers.

C.

Inspect the system settings and transaction logs to determine if sequential order numbers are generated.

D.

Examine a sample of system generated purchase orders obtained from management

Buy Now
Questions 26

Which of the following is the BEST way to ensure that business continuity plans (BCPs) will work effectively in the event of a major disaster?

Options:

A.

Prepare detailed plans for each business function.

B.

Involve staff at all levels in periodic paper walk-through exercises.

C.

Regularly update business impact assessments.

D.

Make senior managers responsible for their plan sections.

Buy Now
Questions 27

What Is the BEST method to determine if IT resource spending is aligned with planned project spending?

Options:

A.

Earned value analysis (EVA)

B.

Return on investment (ROI) analysis

C.

Gantt chart

D.

Critical path analysis

Buy Now
Questions 28

Which of the following controls BEST ensures appropriate segregation of duties within an accounts payable department?

Options:

A.

Restricting program functionality according to user security profiles

B.

Restricting access to update programs to accounts payable staff only

C.

Including the creator’s user ID as a field in every transaction record created

D.

Ensuring that audit trails exist for transactions

Buy Now
Questions 29

Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?

Options:

A.

Apply single sign-on for access control

B.

Implement segregation of duties.

C.

Enforce an internal data access policy.

D.

Enforce the use of digital signatures.

Buy Now
Questions 30

An IS auditor is reviewing logical access controls for an organization's financial business application Which of the following findings should be of GREATEST concern to the auditor?

Options:

A.

Users are not required to change their passwords on a regular basis

B.

Management does not review application user activity logs

C.

User accounts are shared between users

D.

Password length is set to eight characters

Buy Now
Questions 31

Which of the following would an IS auditor recommend as the MOST effective preventive control to reduce the risk of data leakage?

Options:

A.

Ensure that paper documents arc disposed security.

B.

Implement an intrusion detection system (IDS).

C.

Verify that application logs capture any changes made.

D.

Validate that all data files contain digital watermarks

Buy Now
Questions 32

Which of the following is MOST important to ensure that electronic evidence collected during a forensic investigation will be admissible in future legal proceedings?

Options:

A.

Restricting evidence access to professionally certified forensic investigators

B.

Documenting evidence handling by personnel throughout the forensic investigation

C.

Performing investigative procedures on the original hard drives rather than images of the hard drives

D.

Engaging an independent third party to perform the forensic investigation

Buy Now
Questions 33

An organization has outsourced the development of a core application. However, the organization plans to bring the support and future maintenance of the application back in-house. Which of the following findings should be the IS auditor's GREATEST concern?

Options:

A.

The cost of outsourcing is lower than in-house development.

B.

The vendor development team is located overseas.

C.

A training plan for business users has not been developed.

D.

The data model is not clearly documented.

Buy Now
Questions 34

Which of the following is a challenge in developing a service level agreement (SLA) for network services?

Options:

A.

Establishing a well-designed framework for network servirces.

B.

Finding performance metrics that can be measured properly

C.

Ensuring that network components are not modified by the client

D.

Reducing the number of entry points into the network

Buy Now
Questions 35

Which of the following is MOST important for an IS auditor to determine during the detailed design phase of a system development project?

Options:

A.

Program coding standards have been followed

B.

Acceptance test criteria have been developed

C.

Data conversion procedures have been established.

D.

The design has been approved by senior management.

Buy Now
Questions 36

An organization is disposing of a system containing sensitive data and has deleted all files from the hard disk. An IS auditor should be concerned because:

Options:

A.

deleted data cannot easily be retrieved.

B.

deleting the files logically does not overwrite the files' physical data.

C.

backup copies of files were not deleted as well.

D.

deleting all files separately is not as efficient as formatting the hard disk.

Buy Now
Questions 37

Which of the following is the BEST way to ensure that an application is performing according to its specifications?

Options:

A.

Unit testing

B.

Pilot testing

C.

System testing

D.

Integration testing

Buy Now
Questions 38

Which of the following would MOST effectively help to reduce the number of repealed incidents in an organization?

Options:

A.

Testing incident response plans with a wide range of scenarios

B.

Prioritizing incidents after impact assessment.

C.

Linking incidents to problem management activities

D.

Training incident management teams on current incident trends

Buy Now
Questions 39

Which of the following audit procedures would be MOST conclusive in evaluating the effectiveness of an e-commerce application system's edit routine?

Options:

A.

Review of program documentation

B.

Use of test transactions

C.

Interviews with knowledgeable users

D.

Review of source code

Buy Now
Questions 40

Which of the following BEST describes an audit risk?

Options:

A.

The company is being sued for false accusations.

B.

The financial report may contain undetected material errors.

C.

Employees have been misappropriating funds.

D.

Key employees have not taken vacation for 2 years.

Buy Now
Questions 41

Which of the following would be MOST effective to protect information assets in a data center from theft by a vendor?

Options:

A.

Monitor and restrict vendor activities

B.

Issues an access card to the vendor.

C.

Conceal data devices and information labels

D.

Restrict use of portable and wireless devices.

Buy Now
Questions 42

A company has implemented an IT segregation of duties policy. In a role-based environment, which of the following roles may be assigned to an application developer?

Options:

A.

IT operator

B.

System administration

C.

Emergency support

D.

Database administration

Buy Now
Questions 43

Which of the following would BEST enable an organization to address the security risks associated with a recently implemented bring your own device (BYOD) strategy?

Options:

A.

Mobile device tracking program

B.

Mobile device upgrade program

C.

Mobile device testing program

D.

Mobile device awareness program

Buy Now
Questions 44

Which of the following types of environmental equipment will MOST likely be deployed below the floor tiles of a data center?

Options:

A.

Temperature sensors

B.

Humidity sensors

C.

Water sensors

D.

Air pressure sensors

Buy Now
Questions 45

Which of the following presents the GREATEST challenge to the alignment of business and IT?

Options:

A.

Lack of chief information officer (CIO) involvement in board meetings

B.

Insufficient IT budget to execute new business projects

C.

Lack of information security involvement in business strategy development

D.

An IT steering committee chaired by the chief information officer (CIO)

Buy Now
Questions 46

Which of the following is the PRIMARY advantage of using visualization technology for corporate applications?

Options:

A.

Improved disaster recovery

B.

Better utilization of resources

C.

Stronger data security

D.

Increased application performance

Buy Now
Questions 47

Which of the following should be the FIRST step in the incident response process for a suspected breach?

Options:

A.

Inform potentially affected customers of the security breach

B.

Notify business management of the security breach.

C.

Research the validity of the alerted breach

D.

Engage a third party to independently evaluate the alerted breach.

Buy Now
Questions 48

The PRIMARY role of a control self-assessment (CSA) facilitator is to:

Options:

A.

conduct interviews to gain background information.

B.

focus the team on internal controls.

C.

report on the internal control weaknesses.

D.

provide solutions for control weaknesses.

Buy Now
Questions 49

Which of the following would provide an IS auditor with the GREATEST assurance that data disposal controls support business strategic objectives?

Options:

A.

Media recycling policy

B.

Media sanitization policy

C.

Media labeling policy

D.

Media shredding policy

Buy Now
Questions 50

An IS auditor finds that one employee has unauthorized access to confidential data. The IS auditor's BEST recommendation should be to:

Options:

A.

reclassify the data to a lower level of confidentiality

B.

require the business owner to conduct regular access reviews.

C.

implement a strong password schema for users.

D.

recommend corrective actions to be taken by the security administrator.

Buy Now
Questions 51

Which of the following is the MOST significant risk that IS auditors are required to consider for each engagement?

Options:

A.

Process and resource inefficiencies

B.

Irregularities and illegal acts

C.

Noncompliance with organizational policies

D.

Misalignment with business objectives

Buy Now
Questions 52

An organization is planning an acquisition and has engaged an IS auditor lo evaluate the IT governance framework of the target company. Which of the following would be MOST helpful In determining the effectiveness of the framework?

Options:

A.

Sell-assessment reports of IT capability and maturity

B.

IT performance benchmarking reports with competitors

C.

Recent third-party IS audit reports

D.

Current and previous internal IS audit reports

Buy Now
Questions 53

An organization allows its employees lo use personal mobile devices for work. Which of the following would BEST maintain information security without compromising employee privacy?

Options:

A.

Installing security software on the devices

B.

Partitioning the work environment from personal space on devices

C.

Preventing users from adding applications

D.

Restricting the use of devices for personal purposes during working hours

Buy Now
Questions 54

Which of the following is the BEST source of information tor an IS auditor to use when determining whether an organization's information security policy is adequate?

Options:

A.

Information security program plans

B.

Penetration test results

C.

Risk assessment results

D.

Industry benchmarks

Buy Now
Questions 55

Which of the following BEST enables the timely identification of risk exposure?

Options:

A.

External audit review

B.

Internal audit review

C.

Control self-assessment (CSA)

D.

Stress testing

Buy Now
Questions 56

Which of the following documents should specify roles and responsibilities within an IT audit organization?

Options:

A.

Organizational chart

B.

Audit charier

C.

Engagement letter

D.

Annual audit plan

Buy Now
Questions 57

Which of the following is an example of a preventative control in an accounts payable system?

Options:

A.

The system only allows payments to vendors who are included In the system's master vendor list.

B.

Backups of the system and its data are performed on a nightly basis and tested periodically.

C.

The system produces daily payment summary reports that staff use to compare against invoice totals.

D.

Policies and procedures are clearly communicated to all members of the accounts payable department

Buy Now
Questions 58

Which of the following is MOST important for an IS auditor to do during an exit meeting with an auditee?

Options:

A.

Ensure that the facts presented in the report are correct

B.

Communicate the recommendations lo senior management

C.

Specify implementation dates for the recommendations.

D.

Request input in determining corrective action.

Buy Now
Questions 59

Which of the following should be of MOST concern to an IS auditor reviewing the public key infrastructure (PKI) for enterprise email?

Options:

A.

The certificate revocation list has not been updated.

B.

The PKI policy has not been updated within the last year.

C.

The private key certificate has not been updated.

D.

The certificate practice statement has not been published

Buy Now
Questions 60

Which of the following weaknesses would have the GREATEST impact on the effective operation of a perimeter firewall?

Options:

A.

Use of stateful firewalls with default configuration

B.

Ad hoc monitoring of firewall activity

C.

Misconfiguration of the firewall rules

D.

Potential back doors to the firewall software

Buy Now
Questions 61

Which of the following would MOST effectively ensure the integrity of data transmitted over a network?

Options:

A.

Message encryption

B.

Certificate authority (CA)

C.

Steganography

D.

Message digest

Buy Now
Questions 62

Which of the following is the BEST indicator of the effectiveness of signature-based intrusion detection systems (lDS)?

Options:

A.

An increase in the number of identified false positives

B.

An increase in the number of detected Incidents not previously identified

C.

An increase in the number of unfamiliar sources of intruders

D.

An increase in the number of internally reported critical incidents

Buy Now
Questions 63

In an environment that automatically reports all program changes, which of the following is the MOST efficient way to detect unauthorized changes to production programs?

Options:

A.

Reviewing the last compile date of production programs

B.

Manually comparing code in production programs to controlled copies

C.

Periodically running and reviewing test data against production programs

D.

Verifying user management approval of modifications

Buy Now
Questions 64

Which of the following should an IS auditor consider FIRST when evaluating firewall rules?

Options:

A.

The organization's security policy

B.

The number of remote nodes

C.

The firewalls' default settings

D.

The physical location of the firewalls

Buy Now
Questions 65

Which of the following conditions would be of MOST concern to an IS auditor assessing the risk of a successful brute force attack against encrypted data at test?

Options:

A.

Short key length

B.

Random key generation

C.

Use of symmetric encryption

D.

Use of asymmetric encryption

Buy Now
Questions 66

When testing the adequacy of tape backup procedures, which step BEST verifies that regularly scheduled Backups are timely and run to completion?

Options:

A.

Observing the execution of a daily backup run

B.

Evaluating the backup policies and procedures

C.

Interviewing key personnel evolved In the backup process

D.

Reviewing a sample of system-generated backup logs

Buy Now
Questions 67

An organization has assigned two now IS auditors to audit a now system implementation. One of the auditors has an IT-related degree, and one has a business degree. Which ol the following is MOST important to meet the IS audit standard for proficiency?

Options:

A.

The standard is met as long as one member has a globally recognized audit certification.

B.

Technical co-sourcing must be used to help the new staff.

C.

Team member assignments must be based on individual competencies.

D.

The standard is met as long as a supervisor reviews the new auditors' work.

Buy Now
Questions 68

Which of the following is the MOST important determining factor when establishing appropriate timeframes for follow-up activities related to audit findings?

Options:

A.

Availability of IS audit resources

B.

Remediation dates included in management responses

C.

Peak activity periods for the business

D.

Complexity of business processes identified in the audit

Buy Now
Questions 69

During a follow-up audit, it was found that a complex security vulnerability of low risk was not resolved within the agreed-upon timeframe. IT has stated that the system with the identified vulnerability is being replaced and is expected to be fully functional in two months Which of the following is the BEST course of action?

Options:

A.

Require documentation that the finding will be addressed within the new system

B.

Schedule a meeting to discuss the issue with senior management

C.

Perform an ad hoc audit to determine if the vulnerability has been exploited

D.

Recommend the finding be resolved prior to implementing the new system

Buy Now
Questions 70

Due to a recent business divestiture, an organization has limited IT resources to deliver critical projects Reviewing the IT staffing plan against which of the following would BEST guide IT management when estimating resource requirements for future projects?

Options:

A.

Human resources (HR) sourcing strategy

B.

Records of actual time spent on projects

C.

Peer organization staffing benchmarks

D.

Budgeted forecast for the next financial year

Buy Now
Questions 71

During the planning stage of a compliance audit, an IS auditor discovers that a bank's inventory of compliance requirements does not include recent regulatory changes related to managing data risk. What should the auditor do FIRST?

Options:

A.

Ask management why the regulatory changes have not been Included.

B.

Discuss potential regulatory issues with the legal department

C.

Report the missing regulatory updates to the chief information officer (CIO).

D.

Exclude recent regulatory changes from the audit scope.

Buy Now
Questions 72

An IS auditor learns the organization has experienced several server failures in its distributed environment. Which of the following is the BEST recommendation to limit the potential impact of server failures in the future?

Options:

A.

Redundant pathways

B.

Clustering

C.

Failover power

D.

Parallel testing

Buy Now
Questions 73

A third-party consultant is managing the replacement of an accounting system. Which of the following should be the IS auditor's GREATEST concern?

Options:

A.

Data migration is not part of the contracted activities.

B.

The replacement is occurring near year-end reporting

C.

The user department will manage access rights.

D.

Testing was performed by the third-party consultant

Buy Now
Questions 74

In an online application which of the following would provide the MOST information about the transaction audit trail?

Options:

A.

File layouts

B.

Data architecture

C.

System/process flowchart

D.

Source code documentation

Buy Now
Questions 75

An IS auditor is evaluating the risk associated with moving from one database management system (DBMS) to another. Which of the following would be MOST helpful to ensure the integrity of the system throughout the change?

Options:

A.

Preserving the same data classifications

B.

Preserving the same data inputs

C.

Preserving the same data structure

D.

Preserving the same data interfaces

Buy Now
Questions 76

Which of the following is the GREATEST security risk associated with data migration from a legacy human resources (HR) system to a cloud-based system?

Options:

A.

Data from the source and target system may be intercepted.

B.

Data from the source and target system may have different data formats.

C.

Records past their retention period may not be migrated to the new system.

D.

System performance may be impacted by the migration

Buy Now
Questions 77

A new system is being developed by a vendor for a consumer service organization. The vendor will provide its proprietary software once system development is completed Which of the following is the MOST important requirement to include In the vendor contract to ensure continuity?

Options:

A.

Continuous 24/7 support must be available.

B.

The vendor must have a documented disaster recovery plan (DRP) in place.

C.

Source code for the software must be placed in escrow.

D.

The vendor must train the organization's staff to manage the new software

Buy Now
Questions 78

An organization has recently implemented a Voice-over IP (VoIP) communication system. Which ot the following should be the IS auditor's PRIMARY concern?

Options:

A.

A single point of failure for both voice and data communications

B.

Inability to use virtual private networks (VPNs) for internal traffic

C.

Lack of integration of voice and data communications

D.

Voice quality degradation due to packet toss

Buy Now
Questions 79

An IS audit learn is evaluating the documentation related to the most recent application user-access review performed by IT and business management It is determined that the user list was not system-generated. Which of the following should be the GREATEST concern?

Options:

A.

Availability of the user list reviewed

B.

Confidentiality of the user list reviewed

C.

Source of the user list reviewed

D.

Completeness of the user list reviewed

Buy Now
Questions 80

Providing security certification for a new system should include which of the following prior to the system's implementation?

Options:

A.

End-user authorization to use the system in production

B.

External audit sign-off on financial controls

C.

Testing of the system within the production environment

D.

An evaluation of the configuration management practices

Buy Now
Questions 81

During an audit of a multinational bank's disposal process, an IS auditor notes several findings. Which of the following should be the auditor's GREATEST concern?

Options:

A.

Backup media are not reviewed before disposal.

B.

Degaussing is used instead of physical shredding.

C.

Backup media are disposed before the end of the retention period

D.

Hardware is not destroyed by a certified vendor.

Buy Now
Questions 82

Which of the following is MOST helpful for measuring benefits realization for a new system?

Options:

A.

Function point analysis

B.

Balanced scorecard review

C.

Post-implementation review

D.

Business impact analysis (BIA)

Buy Now
Questions 83

The IS quality assurance (OA) group is responsible for:

Options:

A.

ensuring that program changes adhere to established standards.

B.

designing procedures to protect data against accidental disclosure.

C.

ensuring that the output received from system processing is complete.

D.

monitoring the execution of computer processing tasks.

Buy Now
Questions 84

A now regulation requires organizations to report significant security incidents to the regulator within 24 hours of identification. Which of the following is the IS auditor’s BEST recommendation to facilitate compliance with the regulation?

Options:

A.

Establish key performance indicators (KPls) for timely identification of security incidents.

B.

Engage an external security incident response expert for incident handling.

C.

Enhance the alert functionality of the intrusion detection system (IDS).

D.

Include the requirement in the incident management response plan.

Buy Now
Questions 85

For an organization that has plans to implement web-based trading, it would be MOST important for an IS auditor to verify the organization's information security plan includes:

Options:

A.

attributes for system passwords.

B.

security training prior to implementation.

C.

security requirements for the new application.

D.

the firewall configuration for the web server.

Buy Now
Questions 86

Which of the following BEST demonstrates that IT strategy Is aligned with organizational goals and objectives?

Options:

A.

IT strategies are communicated to all Business stakeholders

B.

Organizational strategies are communicated to the chief information officer (CIO).

C.

Business stakeholders are Involved In approving the IT strategy.

D.

The chief information officer (CIO) is involved In approving the organizational strategies

Buy Now
Questions 87

Which of the following would be of MOST concern for an IS auditor evaluating the design of an organization's incident management processes?

Options:

A.

Service management standards are not followed.

B.

Expected time to resolve incidents is not specified.

C.

Metrics are not reported to senior management.

D.

Prioritization criteria are not defined.

Buy Now
Questions 88

Which of the following would provide the MOST important input during the planning phase for an audit on the implementation of a bring your own device (BYOD) program?

Options:

A.

Findings from prior audits

B.

Results of a risk assessment

C.

An inventory of personal devices to be connected to the corporate network

D.

Policies including BYOD acceptable user statements

Buy Now
Questions 89

An IS auditor is reviewing the release management process for an in-house software development solution. In which environment Is the software version MOST likely to be the same as production?

Options:

A.

Staging

B.

Testing

C.

Integration

D.

Development

Buy Now
Questions 90

Which of the following BEST protects an organization's proprietary code during a joint-development activity involving a third party?

Options:

A.

Statement of work (SOW)

B.

Nondisclosure agreement (NDA)

C.

Service level agreement (SLA)

D.

Privacy agreement

Buy Now
Questions 91

An IS auditor finds a high-risk vulnerability in a public-facing web server used to process online customer payments. The IS auditor should FIRST

Options:

A.

document the exception in an audit report.

B.

review security incident reports.

C.

identify compensating controls.

D.

notify the audit committee.

Buy Now
Questions 92

Which of the following BEST Indicates that an incident management process is effective?

Options:

A.

Decreased time for incident resolution

B.

Increased number of incidents reviewed by IT management

C.

Decreased number of calls lo the help desk

D.

Increased number of reported critical incidents

Buy Now
Questions 93

Which of the following is the PRIMARY role of the IS auditor m an organization's information classification process?

Options:

A.

Securing information assets in accordance with the classification assigned

B.

Validating that assets are protected according to assigned classification

C.

Ensuring classification levels align with regulatory guidelines

D.

Defining classification levels for information assets within the organization

Buy Now
Questions 94

The IS auditor has recommended that management test a new system before using it in production mode. The BEST approach for management in developing a test plan is to use processing parameters that are:

Options:

A.

randomly selected by a test generator.

B.

provided by the vendor of the application.

C.

randomly selected by the user.

D.

simulated by production entities and customers.

Buy Now
Questions 95

Which of the following is the BEST audit procedure to determine whether a firewall is configured in compliance with the organization's security policy?

Options:

A.

Reviewing the parameter settings

B.

Reviewing the system log

C.

Interviewing the firewall administrator

D.

Reviewing the actual procedures

Buy Now
Questions 96

IT disaster recovery time objectives (RTOs) should be based on the:

Options:

A.

maximum tolerable loss of data.

B.

nature of the outage

C.

maximum tolerable downtime (MTD).

D.

business-defined criticality of the systems.

Buy Now
Questions 97

During the implementation of a new system, an IS auditor must assess whether certain automated calculations comply with the regulatory requirements Which of the following is the BEST way to obtain this assurance?

Options:

A.

Review sign-off documentation

B.

Review the source code related to the calculation

C.

Re-perform the calculation with audit software

D.

Inspect user acceptance lest (UAT) results

Buy Now
Questions 98

In data warehouse (DW) management, what is the BEST way to prevent data quality issues caused by changes from a source system?

Options:

A.

Configure data quality alerts to check variances between the data warehouse and the source system

B.

Require approval for changes in the extract/Transfer/load (ETL) process between the two systems

C.

Include the data warehouse in the impact analysis (or any changes m the source system

D.

Restrict access to changes in the extract/transfer/load (ETL) process between the two systems

Buy Now
Questions 99

An organization recently implemented a cloud document storage solution and removed the ability for end users to save data to their local workstation hard drives. Which of the following findings should be the IS auditor's GREATEST concern?

Options:

A.

Users are not required to sign updated acceptable use agreements.

B.

Users have not been trained on the new system.

C.

The business continuity plan (BCP) was not updated.

D.

Mobile devices are not encrypted.

Buy Now
Questions 100

In an online application, which of the following would provide the MOST information about the transaction audit trail?

Options:

A.

System/process flowchart

B.

File layouts

C.

Data architecture

D.

Source code documentation

Buy Now
Questions 101

An IS auditor is analyzing a sample of accesses recorded on the system log of an application. The auditor intends to launch an intensive investigation if one exception is found Which sampling method would be appropriate?

Options:

A.

Discovery sampling

B.

Judgmental sampling

C.

Variable sampling

D.

Stratified sampling

Buy Now
Questions 102

The GREATEST benefit of using a polo typing approach in software development is that it helps to:

Options:

A.

minimize scope changes to the system.

B.

decrease the time allocated for user testing and review.

C.

conceptualize and clarify requirements.

D.

Improve efficiency of quality assurance (QA) testing

Buy Now
Questions 103

Which of the following are BEST suited for continuous auditing?

Options:

A.

Low-value transactions

B.

Real-lime transactions

C.

Irregular transactions

D.

Manual transactions

Buy Now
Questions 104

Following a security breach in which a hacker exploited a well-known vulnerability in the domain controller, an IS audit has been asked to conduct a control assessment. the auditor's BEST course of action would be to determine if:

Options:

A.

the patches were updated.

B.

The logs were monitored.

C.

The network traffic was being monitored.

D.

The domain controller was classified for high availability.

Buy Now
Questions 105

The performance, risks, and capabilities of an IT infrastructure are BEST measured using a:

Options:

A.

risk management review

B.

control self-assessment (CSA).

C.

service level agreement (SLA).

D.

balanced scorecard.

Buy Now
Questions 106

Which of the following environments is BEST used for copying data and transformation into a compatible data warehouse format?

Options:

A.

Testing

B.

Replication

C.

Staging

D.

Development

Buy Now
Questions 107

An IS auditor notes that IT and the business have different opinions on the availability of their application servers. Which of the following should the IS auditor review FIRST in order to understand the problem?

Options:

A.

The exact definition of the service levels and their measurement

B.

The alerting and measurement process on the application servers

C.

The actual availability of the servers as part of a substantive test

D.

The regular performance-reporting documentation

Buy Now
Questions 108

Which of the following is the GREATEST risk associated with storing customer data on a web server?

Options:

A.

Data availability

B.

Data confidentiality

C.

Data integrity

D.

Data redundancy

Buy Now
Questions 109

Which of the following is the MOST important reason to classify a disaster recovery plan (DRP) as confidential?

Options:

A.

Ensure compliance with the data classification policy.

B.

Protect the plan from unauthorized alteration.

C.

Comply with business continuity best practice.

D.

Reduce the risk of data leakage that could lead to an attack.

Buy Now
Questions 110

An information systems security officer's PRIMARY responsibility for business process applications is to:

Options:

A.

authorize secured emergency access

B.

approve the organization's security policy

C.

ensure access rules agree with policies

D.

create role-based rules for each business process

Buy Now
Questions 111

Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system. Which of the following is the IS auditor's BEST recommendation for a compensating control?

Options:

A.

Require written authorization for all payment transactions

B.

Restrict payment authorization to senior staff members.

C.

Reconcile payment transactions with invoices.

D.

Review payment transaction history

Buy Now
Questions 112

Which of the following is the BEST reason for an organization to use clustering?

Options:

A.

To decrease system response time

B.

To Improve the recovery lime objective (RTO)

C.

To facilitate faster backups

D.

To improve system resiliency

Buy Now
Questions 113

During the design phase of a software development project, the PRIMARY responsibility of an IS auditor is to evaluate the:

Options:

A.

Future compatibility of the application.

B.

Proposed functionality of the application.

C.

Controls incorporated into the system specifications.

D.

Development methodology employed.

Buy Now
Questions 114

A system development project is experiencing delays due to ongoing staff shortages. Which of the following strategies would provide the GREATEST assurance of system quality at implementation?

Options:

A.

Implement overtime pay and bonuses for all development staff.

B.

Utilize new system development tools to improve productivity.

C.

Recruit IS staff to expedite system development.

D.

Deliver only the core functionality on the initial target date.

Buy Now
Questions 115

An IT balanced scorecard is the MOST effective means of monitoring:

Options:

A.

governance of enterprise IT.

B.

control effectiveness.

C.

return on investment (ROI).

D.

change management effectiveness.

Buy Now
Questions 116

Which of the following is the BEST method to safeguard data on an organization's laptop computers?

Options:

A.

Disabled USB ports

B.

Full disk encryption

C.

Biometric access control

D.

Two-factor authentication

Buy Now
Questions 117

An IS auditor suspects an organization's computer may have been used to commit a crime. Which of the following is the auditor's BEST course of action?

Options:

A.

Examine the computer to search for evidence supporting the suspicions.

B.

Advise management of the crime after the investigation.

C.

Contact the incident response team to conduct an investigation.

D.

Notify local law enforcement of the potential crime before further investigation.

Buy Now
Questions 118

Which of the following is MOST important to include in forensic data collection and preservation procedures?

Options:

A.

Assuring the physical security of devices

B.

Preserving data integrity

C.

Maintaining chain of custody

D.

Determining tools to be used

Buy Now
Questions 119

An organization's security policy mandates that all new employees must receive appropriate security awareness training. Which of the following metrics would BEST assure compliance with this policy?

Options:

A.

Percentage of new hires that have completed the training.

B.

Number of new hires who have violated enterprise security policies.

C.

Number of reported incidents by new hires.

D.

Percentage of new hires who report incidents

Buy Now
Questions 120

Secure code reviews as part of a continuous deployment program are which type of control?

Options:

A.

Detective

B.

Logical

C.

Preventive

D.

Corrective

Buy Now
Questions 121

Which of the following is the BEST data integrity check?

Options:

A.

Counting the transactions processed per day

B.

Performing a sequence check

C.

Tracing data back to the point of origin

D.

Preparing and running test data

Buy Now
Questions 122

During a new system implementation, an IS auditor has been assigned to review risk management at each milestone. The auditor finds that several risks to project benefits have not been addressed. Who should be accountable for managing these risks?

Options:

A.

Enterprise risk manager

B.

Project sponsor

C.

Information security officer

D.

Project manager

Buy Now
Questions 123

When implementing Internet Protocol security (IPsec) architecture, the servers involved in application delivery:

Options:

A.

communicate via Transport Layer Security (TLS),

B.

block authorized users from unauthorized activities.

C.

channel access only through the public-facing firewall.

D.

channel access through authentication.

Buy Now
Questions 124

While executing follow-up activities, an IS auditor is concerned that management has implemented corrective actions that are different from those originally discussed and agreed with the audit function. In order to resolve the situation, the IS auditor's BEST course of action would be to:

Options:

A.

re-prioritize the original issue as high risk and escalate to senior management.

B.

schedule a follow-up audit in the next audit cycle.

C.

postpone follow-up activities and escalate the alternative controls to senior audit management.

D.

determine whether the alternative controls sufficiently mitigate the risk.

Buy Now
Questions 125

An online retailer is receiving customer complaints about receiving different items from what they ordered on the organization's website. The root cause has been traced to poor data quality. Despite efforts to clean erroneous data from the system, multiple data quality issues continue to occur. Which of the following recommendations would be the BEST way to reduce the likelihood of future occurrences?

Options:

A.

Assign responsibility for improving data quality.

B.

Invest in additional employee training for data entry.

C.

Outsource data cleansing activities to reliable third parties.

D.

Implement business rules to validate employee data entry.

Buy Now
Questions 126

Which of the following should an IS auditor recommend as a PRIMARY area of focus when an organization decides to outsource technical support for its external customers?

Options:

A.

Align service level agreements (SLAs) with current needs.

B.

Monitor customer satisfaction with the change.

C.

Minimize costs related to the third-party agreement.

D.

Ensure right to audit is included within the contract.

Buy Now
Questions 127

During the evaluation of controls over a major application development project, the MOST effective use of an IS auditor's time would be to review and evaluate:

Options:

A.

application test cases.

B.

acceptance testing.

C.

cost-benefit analysis.

D.

project plans.

Buy Now
Questions 128

Which of the following is the BEST source of information for assessing the effectiveness of IT process monitoring?

Options:

A.

Real-time audit software

B.

Performance data

C.

Quality assurance (QA) reviews

D.

Participative management techniques

Buy Now
Questions 129

In a 24/7 processing environment, a database contains several privileged application accounts with passwords set to never expire. Which of the following recommendations would BEST address the risk with minimal disruption to the business?

Options:

A.

Modify applications to no longer require direct access to the database.

B.

Introduce database access monitoring into the environment

C.

Modify the access management policy to make allowances for application accounts.

D.

Schedule downtime to implement password changes.

Buy Now
Questions 130

Which of the following would BEST determine whether a post-implementation review (PIR) performed by the project management office (PMO) was effective?

Options:

A.

Lessons learned were implemented.

B.

Management approved the PIR report.

C.

The review was performed by an external provider.

D.

Project outcomes have been realized.

Buy Now
Questions 131

Which of the following would be a result of utilizing a top-down maturity model process?

Options:

A.

A means of benchmarking the effectiveness of similar processes with peers

B.

A means of comparing the effectiveness of other processes within the enterprise

C.

Identification of older, more established processes to ensure timely review

D.

Identification of processes with the most improvement opportunities

Buy Now
Questions 132

An organization has outsourced its data processing function to a service provider. Which of the following would BEST determine whether the service provider continues to meet the organization s objectives?

Options:

A.

Assessment of the personnel training processes of the provider

B.

Adequacy of the service provider's insurance

C.

Review of performance against service level agreements (SLAs)

D.

Periodic audits of controls by an independent auditor

Buy Now
Questions 133

Which of the following is the BEST way to determine whether a test of a disaster recovery plan (DRP) was successful?

Options:

A.

Analyze whether predetermined test objectives were met.

B.

Perform testing at the backup data center.

C.

Evaluate participation by key personnel.

D.

Test offsite backup files.

Buy Now
Questions 134

Which of the following is the PRIMARY advantage of parallel processing for a new system implementation?

Options:

A.

Assurance that the new system meets functional requirements

B.

More time for users to complete training for the new system

C.

Significant cost savings over other system implemental or approaches

D.

Assurance that the new system meets performance requirements

Buy Now
Questions 135

An IS auditor finds the log management system is overwhelmed with false positive alerts. The auditor's BEST recommendation would be to:

Options:

A.

establish criteria for reviewing alerts.

B.

recruit more monitoring personnel.

C.

reduce the firewall rules.

D.

fine tune the intrusion detection system (IDS).

Buy Now
Questions 136

Which of the following would BEST facilitate the successful implementation of an IT-related framework?

Options:

A.

Aligning the framework to industry best practices

B.

Establishing committees to support and oversee framework activities

C.

Involving appropriate business representation within the framework

D.

Documenting IT-related policies and procedures

Buy Now
Questions 137

Which of the following is the MOST important prerequisite for the protection of physical information assets in a data center?

Options:

A.

Segregation of duties between staff ordering and staff receiving information assets

B.

Complete and accurate list of information assets that have been deployed

C.

Availability and testing of onsite backup generators

D.

Knowledge of the IT staff regarding data protection requirements

Buy Now
Questions 138

Which of the following is the BEST justification for deferring remediation testing until the next audit?

Options:

A.

The auditor who conducted the audit and agreed with the timeline has left the organization.

B.

Management's planned actions are sufficient given the relative importance of the observations.

C.

Auditee management has accepted all observations reported by the auditor.

D.

The audit environment has changed significantly.

Buy Now
Questions 139

Which of the following is MOST useful for determining whether the goals of IT are aligned with the organization's goals?

Options:

A.

Balanced scorecard

B.

Enterprise dashboard

C.

Enterprise architecture (EA)

D.

Key performance indicators (KPIs)

Buy Now
Questions 140

When an intrusion into an organization network is deleted, which of the following should be done FIRST?

Options:

A.

Block all compromised network nodes.

B.

Contact law enforcement.

C.

Notify senior management.

D.

Identity nodes that have been compromised.

Buy Now
Questions 141

During an incident management audit, an IS auditor finds that several similar incidents were logged during the audit period. Which of the following is the auditor's MOST important course of action?

Options:

A.

Document the finding and present it to management.

B.

Determine if a root cause analysis was conducted.

C.

Confirm the resolution time of the incidents.

D.

Validate whether all incidents have been actioned.

Buy Now
Questions 142

Which of the following is the MOST important benefit of involving IS audit when implementing governance of enterprise IT?

Options:

A.

Identifying relevant roles for an enterprise IT governance framework

B.

Making decisions regarding risk response and monitoring of residual risk

C.

Verifying that legal, regulatory, and contractual requirements are being met

D.

Providing independent and objective feedback to facilitate improvement of IT processes

Buy Now
Questions 143

An organizations audit charier PRIMARILY:

Options:

A.

describes the auditors' authority to conduct audits.

B.

defines the auditors' code of conduct.

C.

formally records the annual and quarterly audit plans.

D.

documents the audit process and reporting standards.

Buy Now
Questions 144

When determining whether a project in the design phase will meet organizational objectives, what is BEST to compare against the business case?

Options:

A.

Implementation plan

B.

Project budget provisions

C.

Requirements analysis

D.

Project plan

Buy Now
Questions 145

An organization conducted an exercise to test the security awareness level of users by sending an email offering a cash reward 10 those who click on a link embedded in the body of the email. Which of the following metrics BEST indicates the effectiveness of awareness training?

Options:

A.

The number of users deleting the email without reporting because it is a phishing email

B.

The number of users clicking on the link to learn more about the sender of the email

C.

The number of users forwarding the email to their business unit managers

D.

The number of users reporting receipt of the email to the information security team

Buy Now
Questions 146

An IS auditor is reviewing an organization's information asset management process. Which of the following would be of GREATEST concern to the auditor?

Options:

A.

The process does not require specifying the physical locations of assets.

B.

Process ownership has not been established.

C.

The process does not include asset review.

D.

Identification of asset value is not included in the process.

Buy Now
Questions 147

During a follow-up audit, an IS auditor learns that some key management personnel have been replaced since the original audit, and current management has decided not to implement some previously accepted recommendations. What is the auditor's BEST course of action?

Options:

A.

Notify the chair of the audit committee.

B.

Notify the audit manager.

C.

Retest the control.

D.

Close the audit finding.

Buy Now
Questions 148

A data breach has occurred due lo malware. Which of the following should be the FIRST course of action?

Options:

A.

Notify the cyber insurance company.

B.

Shut down the affected systems.

C.

Quarantine the impacted systems.

D.

Notify customers of the breach.

Buy Now
Questions 149

Which of the following should be the PRIMARY basis for prioritizing follow-up audits?

Options:

A.

Audit cycle defined in the audit plan

B.

Complexity of management's action plans

C.

Recommendation from executive management

D.

Residual risk from the findings of previous audits

Buy Now
Questions 150

An IS auditor is following up on prior period items and finds management did not address an audit finding. Which of the following should be the IS auditor's NEXT course of action?

Options:

A.

Note the exception in a new report as the item was not addressed by management.

B.

Recommend alternative solutions to address the repeat finding.

C.

Conduct a risk assessment of the repeat finding.

D.

Interview management to determine why the finding was not addressed.

Buy Now
Questions 151

When auditing the security architecture of an online application, an IS auditor should FIRST review the:

Options:

A.

firewall standards.

B.

configuration of the firewall

C.

firmware version of the firewall

D.

location of the firewall within the network

Buy Now
Questions 152

What is BEST for an IS auditor to review when assessing the effectiveness of changes recently made to processes and tools related to an organization's business continuity plan (BCP)?

Options:

A.

Full test results

B.

Completed test plans

C.

Updated inventory of systems

D.

Change management processes

Buy Now
Questions 153

An IS auditor who was instrumental in designing an application is called upon to review the application. The auditor should:

Options:

A.

refuse the assignment to avoid conflict of interest.

B.

use the knowledge of the application to carry out the audit.

C.

inform audit management of the earlier involvement.

D.

modify the scope of the audit.

Buy Now
Questions 154

Which of the following tests would provide the BEST assurance that a health care organization is handling patient data appropriately?

Options:

A.

Compliance with action plans resulting from recent audits

B.

Compliance with local laws and regulations

C.

Compliance with industry standards and best practice

D.

Compliance with the organization's policies and procedures

Buy Now
Questions 155

Which of the following BEST ensures the quality and integrity of test procedures used in audit analytics?

Options:

A.

Developing and communicating test procedure best practices to audit teams

B.

Developing and implementing an audit data repository

C.

Decentralizing procedures and Implementing periodic peer review

D.

Centralizing procedures and implementing change control

Buy Now
Questions 156

Which of the following is the BEST way to mitigate the impact of ransomware attacks?

Options:

A.

Invoking the disaster recovery plan (DRP)

B.

Backing up data frequently

C.

Paying the ransom

D.

Requiring password changes for administrative accounts

Buy Now
Questions 157

An organization has recently acquired and implemented intelligent-agent software for granting loans to customers. During the post-implementation review, which of the following is the MOST important procedure for the IS auditor to perform?

Options:

A.

Review system and error logs to verify transaction accuracy.

B.

Review input and output control reports to verify the accuracy of the system decisions.

C.

Review signed approvals to ensure responsibilities for decisions of the system are well defined.

D.

Review system documentation to ensure completeness.

Buy Now
Questions 158

An IS audit reveals that an organization is not proactively addressing known vulnerabilities. Which of the following should the IS auditor recommend the organization do FIRST?

Options:

A.

Verify the disaster recovery plan (DRP) has been tested.

B.

Ensure the intrusion prevention system (IPS) is effective.

C.

Assess the security risks to the business.

D.

Confirm the incident response team understands the issue.

Buy Now
Questions 159

An IS auditor discovers that validation controls m a web application have been moved from the server side into the browser to boost performance This would MOST likely increase the risk of a successful attack by.

Options:

A.

phishing.

B.

denial of service (DoS)

C.

structured query language (SQL) injection

D.

buffer overflow

Buy Now
Questions 160

Which of the following attack techniques will succeed because of an inherent security weakness in an Internet firewall?

Options:

A.

Phishing

B.

Using a dictionary attack of encrypted passwords

C.

Intercepting packets and viewing passwords

D.

Flooding the site with an excessive number of packets

Buy Now
Questions 161

Which of the following is the BEST control to prevent the transfer of files to external parties through instant messaging (IM) applications?

Options:

A.

File level encryption

B.

File Transfer Protocol (FTP)

C.

Instant messaging policy

D.

Application-level firewalls

Buy Now
Questions 162

An IS auditor is planning an audit of an organization's accounts payable processes. Which of the following controls is MOST important to assess in the audit?

Options:

A.

Segregation of duties between issuing purchase orders and making payments.

B.

Segregation of duties between receiving invoices and setting authorization limits

C.

Management review and approval of authorization tiers

D.

Management review and approval of purchase orders

Buy Now
Questions 163

Prior to a follow-up engagement, an IS auditor learns that management has decided to accept a level of residual risk related to an audit finding without remediation. The IS auditor is concerned about management's decision. Which of the following should be the IS auditor's NEXT course of action?

Options:

A.

Accept management's decision and continue the follow-up.

B.

Report the issue to IS audit management.

C.

Report the disagreement to the board.

D.

Present the issue to executive management.

Buy Now
Questions 164

Which of the following should be an IS auditor's PRIMARY focus when developing a risk-based IS audit program?

Options:

A.

Portfolio management

B.

Business plans

C.

Business processes

D.

IT strategic plans

Buy Now
Questions 165

Which of the following should an IS auditor be MOST concerned with during a post-implementation review?

Options:

A.

The system does not have a maintenance plan.

B.

The system contains several minor defects.

C.

The system deployment was delayed by three weeks.

D.

The system was over budget by 15%.

Buy Now
Questions 166

Which of the following is MOST important for an IS auditor to review when evaluating the accuracy of a spreadsheet that contains several macros?

Options:

A.

Encryption of the spreadsheet

B.

Version history

C.

Formulas within macros

D.

Reconciliation of key calculations

Buy Now
Questions 167

Which of the following provides the MOST reliable audit evidence on the validity of transactions in a financial application?

Options:

A.

Walk-through reviews

B.

Substantive testing

C.

Compliance testing

D.

Design documentation reviews

Buy Now
Questions 168

Which of the following is a social engineering attack method?

Options:

A.

An unauthorized person attempts to gam access to secure premises by following an authonzed person through a secure door.

B.

An employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone.

C.

A hacker walks around an office building using scanning tools to search for a wireless network to gain access.

D.

An intruder eavesdrops and collects sensitive information flowing through the network and sells it to third parties.

Buy Now
Questions 169

During an ongoing audit, management requests a briefing on the findings to date. Which of the following is the IS auditor's BEST course of action?

Options:

A.

Review working papers with the auditee.

B.

Request the auditee provide management responses.

C.

Request management wait until a final report is ready for discussion.

D.

Present observations for discussion only.

Buy Now
Questions 170

Which of the following fire suppression systems needs to be combined with an automatic switch to shut down the electricity supply in the event of activation?

Options:

A.

Carbon dioxide

B.

FM-200

C.

Dry pipe

D.

Halon

Buy Now
Questions 171

An IS auditor discovers an option in a database that allows the administrator to directly modify any table. This option is necessary to overcome bugs in the software, but is rarely used. Changes to tables are automatically logged. The IS auditor's FIRST action should be to:

Options:

A.

recommend that the option to directly modify the database be removed immediately.

B.

recommend that the system require two persons to be involved in modifying the database.

C.

determine whether the log of changes to the tables is backed up.

D.

determine whether the audit trail is secured and reviewed.

Buy Now
Questions 172

An organization's senior management thinks current security controls may be excessive and requests an IS auditor's advice on how to assess the adequacy of current measures. What is the auditor's BEST recommendation to management?

Options:

A.

Perform correlation analysis between incidents and investments.

B.

Downgrade security controls on low-risk systems.

C.

Introduce automated security monitoring tools.

D.

Re-evaluate the organization's risk and control framework.

Buy Now
Questions 173

Which of the following presents the GREATEST risk of data leakage in the cloud environment?

Options:

A.

Lack of data retention policy

B.

Multi-tenancy within the same database

C.

Lack of role-based access

D.

Expiration of security certificate

Buy Now
Questions 174

Coding standards provide which of the following?

Options:

A.

Program documentation

B.

Access control tables

C.

Data flow diagrams

D.

Field naming conventions

Buy Now
Questions 175

A bank wants to outsource a system to a cloud provider residing in another country. Which of the following would be the MOST appropriate IS audit recommendation?

Options:

A.

Find an alternative provider in the bank's home country.

B.

Ensure the provider's internal control system meets bank requirements.

C.

Proceed as intended, as the provider has to observe all laws of the clients’ countries.

D.

Ensure the provider has disaster recovery capability.

Buy Now
Questions 176

Which of the following would present the GREATEST concern during a review of internal audit quality assurance (QA) and continuous improvement processes?

Options:

A.

The audit program does not involve periodic engagement with external assessors.

B.

Quarterly reports are not distributed to the audit committee.

C.

Results of corrective actions are not tracked consistently.

D.

Substantive testing is not performed during the assessment phase of some audits.

Buy Now
Questions 177

Which of the following helps to ensure the integrity of data for a system interface?

Options:

A.

System interface testing

B.

user acceptance testing (IJAT)

C.

Validation checks

D.

Audit logs

Buy Now
Questions 178

Which of the following is the MOST reliable way for an IS auditor to evaluate the operational effectiveness of an organization's data loss prevention (DLP) controls?

Options:

A.

Review data classification levels based on industry best practice

B.

Verify that current DLP software is installed on all computer systems.

C.

Conduct interviews to identify possible data protection vulnerabilities.

D.

Verify that confidential files cannot be transmitted to a personal USB device.

Buy Now
Questions 179

Which of the following BEST describes a digital signature?

Options:

A.

It is under control of the receiver.

B.

It is capable of authorization.

C.

It dynamically validates modifications of data.

D.

It is unique to the sender using it.

Buy Now
Questions 180

Which of the following would provide management with the MOST reasonable assurance that a new data warehouse will meet the needs of the

organization?

Options:

A.

Integrating data requirements into the system development life cycle (SDLC)

B.

Appointing data stewards to provide effective data governance

C.

Classifying data quality issues by the severity of their impact to the organization

D.

Facilitating effective communication between management and developers

Buy Now
Questions 181

Which type of attack poses the GREATEST risk to an organization's most sensitive data?

Options:

A.

Password attack

B.

Eavesdropping attack

C.

Insider attack

D.

Spear phishing attack

Buy Now
Questions 182

Which of the following should be the FIRST step in a data migration project?

Options:

A.

Reviewing decisions on how business processes should be conducted in the new system

B.

Completing data cleanup in the current database to eliminate inconsistencies

C.

Understanding the new system's data structure

D.

Creating data conversion scripts

Buy Now
Questions 183

A transaction processing system interfaces with the general ledger. Data analytics has identified that some transactions are being recorded twice in the general ledger. While management states a system fix has been implemented, what should the IS auditor recommend to validate the interface is working in the future?

Options:

A.

Perform periodic reconciliations.

B.

Ensure system owner sign-off for the system fix.

C.

Conduct functional testing.

D.

Improve user acceptance testing (UAT).

Buy Now
Questions 184

During a pre-deployment assessment, what is the BEST indication that a business case will lead to the achievement of business objectives?

Options:

A.

The business case reflects stakeholder requirements.

B.

The business case is based on a proven methodology.

C.

The business case passed a quality review by an independent party.

D.

The business case identifies specific plans for cost allocation.

Buy Now
Questions 185

An IS auditor should be MOST concerned if which of the following fire suppression systems is utilized to protect an asset storage closet?

Options:

A.

Deluge system

B.

Wet pipe system

C.

Preaction system

D.

CO2 system

Buy Now
Questions 186

Which of the following BEST facilitates strategic program management?

Options:

A.

Implementing stage gates

B.

Establishing a quality assurance (QA) process

C.

Aligning projects with business portfolios

D.

Tracking key project milestones

Buy Now
Questions 187

The BEST way to evaluate the effectiveness of a newly developed application is to:

Options:

A.

perform a post-implementation review-

B.

analyze load testing results.

C.

perform a secure code review.

D.

review acceptance testing results.

Buy Now
Questions 188

IT governance should be driven by:

Options:

A.

business unit initiatives.

B.

balanced scorecards.

C.

policies and standards.

D.

organizational strategies.

Buy Now
Questions 189

Which of the following is MOST important for the successful establishment of a security vulnerability management program?

Options:

A.

A robust tabletop exercise plan

B.

A comprehensive asset inventory

C.

A tested incident response plan

D.

An approved patching policy

Buy Now
Questions 190

A small business unit is implementing a control self-assessment (CSA) program and leveraging the internal

audit function to test its internal controls annually. Which of the following is the MOST significant benefit of

this approach?

Options:

A.

Compliance costs are reduced.

B.

Risks are detected earlier.

C.

Business owners can focus more on their core roles.

D.

Line management is more motivated to avoid control exceptions.

Buy Now
Questions 191

In an environment where data virtualization is used, which of the following provides the BEST disaster recovery solution?

Options:

A.

Onsite disk-based backup systems

B.

Tape-based backup systems

C.

Virtual tape library

D.

Redundant array of independent disks (RAID)

Buy Now
Questions 192

Which of the following is the BEST way to identify whether the IT help desk is meeting service level agreements (SLAS)?

Options:

A.

Review exception reports

B.

Review IT staffing schedules.

C.

Analyze help desk ticket logs

D.

Conduct IT management interviews

Buy Now
Questions 193

When physical destruction IS not practical, which of the following is the MOST effective means of disposing of sensitive data on a hard disk?

Options:

A.

Overwriting multiple times

B.

Encrypting the disk

C.

Reformatting

D.

Deleting files sequentially

Buy Now
Questions 194

Which of the following BEST enables an organization to improve the effectiveness of its incident response team?

Options:

A.

Conducting periodic testing and incorporating lessons learned

B.

Increasing the mean resolution time and publishing key performance indicator (KPI) metrics

C.

Disseminating incident response procedures and requiring signed acknowledgment by team members

D.

Ensuring all team members understand information systems technology

Buy Now
Questions 195

A bank performed minor changes to the interest calculation computer program. Which of the following techniques would provide the STRONGEST evidence to determine whether the interest calculations are correct?

Options:

A.

Source code review

B.

Parallel simulation using audit software

C.

Manual verification of a sample of the results

D.

Review of the quality assurance (QA) test results

Buy Now
Questions 196

An organization that operates an e-commerce website wants to provide continuous service to its customers and is planning to invest in a hot site due to service criticality. Which of the following is the MOST important consideration when making this decision?

Options:

A.

Maximum tolerable downtime (MTD)

B.

Recovery time objective (RTO)

C.

Recovery point objective (RPO)

D.

Mean time to repair (MTTR)

Buy Now
Questions 197

Which of the following metrics is the BEST indicator of the performance of a web application

Options:

A.

HTTP server error rate

B.

Server thread count

C.

Average response time

D.

Server uptime

Buy Now
Questions 198

The PRIMARY objective of a control self-assessment (CSA) is to:

Options:

A.

educate functional areas on risks and controls.

B.

ensure appropriate access controls are implemented.

C.

eliminate the audit risk by leveraging management's analysis.

D.

gain assurance for business functions that cannot be audited.

Buy Now
Questions 199

Which of the following should be identified FIRST during the risk assessment process?

Options:

A.

Vulnerability to threats

B.

Existing controls

C.

Information assets

D.

Legal requirements

Buy Now
Questions 200

To ensure confidentiality through the use of asymmetric encryption, a message is encrypted with which of the following?

Options:

A.

Recipient's public key

B.

Sender's private key

C.

Sender's public key

D.

Recipient's private key

Buy Now
Questions 201

Which of the following controls is MOST important for ensuring the integrity of system interfaces?

Options:

A.

Periodic audits

B.

File counts

C.

File checksums

D.

IT operator monitoring

Buy Now
Questions 202

During a review of system access, an IS auditor notes that an employee who has recently changed roles within the organization still has previous access rights. The auditor's NEXT step should be to:

Options:

A.

recommend a control to automatically update access rights.

B.

determine the reason why access rights have not been revoked.

C.

direct management to revoke current access rights.

D.

determine if access rights are in violation of software licenses.

Buy Now
Questions 203

The use of which of the following would BEST enhance a process improvement program?

Options:

A.

Model-based design notations

B.

Balanced scorecard

C.

Capability maturity models

D.

Project management methodologies

Buy Now
Questions 204

Which of the following is the PRIMARY basis on which audit objectives are established?

Options:

A.

Audit risk

B.

Consideration of risks

C.

Assessment of prior audits

D.

Business strategy

Buy Now
Questions 205

Which of the following is MOST critical to the success of an information security program?

Options:

A.

Management's commitment to information security

B.

User accountability for information security

C.

Alignment of information security with IT objectives

D.

Integration of business and information security

Buy Now
Questions 206

An IS auditor is evaluating an enterprise resource planning (ERP) migration from local systems to the cloud. Who should be responsible for the data

classification in this project?

Options:

A.

Information security officer

B.

Database administrator (DBA)

C.

Information owner

D.

Data architect

Buy Now
Questions 207

Which of the following is the MAIN responsibility of the IT steering committee?

Options:

A.

Reviewing and assisting with IT strategy integration efforts

B.

Developing and assessing the IT security strategy

C.

Implementing processes to integrate security with business objectives

D.

Developing and implementing the secure system development framework

Buy Now
Questions 208

An organization has recently become aware of a pervasive chip-level security vulnerability that affects all of its processors. Which of the following is the BEST way to prevent this vulnerability from being exploited?

Options:

A.

Implement security awareness training.

B.

Install vendor patches

C.

Review hardware vendor contracts.

D.

Review security log incidents.

Buy Now
Questions 209

A secure server room has a badge reader system that records name, date, and time information whenever a staff member uses a badge to enter or exit. When reviewing the system logs, an IS auditor notices records for some employees entering, but not exiting, the room. Which of the following would be the MOST effective compensating control to recommend?

Options:

A.

Installing security cameras at the doors

B.

Changing to a biometric access control system

C.

Implementing a monitored mantrap at entrance and exit points

D.

Requiring two-factor authentication at entrance and exit points

Buy Now
Questions 210

Which of the following is the PRIMARY objective of implementing privacy-related controls within an organization?

Options:

A.

To prevent confidential data loss

B.

To comply with legal and regulatory requirements

C.

To identify data at rest and data in transit for encryption

D.

To provide options to individuals regarding use of their data

Buy Now
Questions 211

Which of the following approaches would utilize data analytics to facilitate the testing of a new account creation process?

Options:

A.

Attempt to submit new account applications with invalid dates of birth.

B.

Review the business requirements document for date of birth field requirements.

C.

Review new account applications submitted in the past month for invalid dates of birth.

D.

Evaluate configuration settings for the date of birth field requirements

Buy Now
Questions 212

Which of the following is MOST critical to the success of an information security program?

Options:

A.

User accountability for information security

B.

Management's commitment to information security

C.

Integration of business and information security

D.

Alignment of information security with IT objectives

Buy Now
Questions 213

What is the PRIMARY reason for an organization to classify the data stored on its internal networks?

Options:

A.

To determine data retention policy

B.

To implement data protection requirements

C.

To comply with the organization's data policies

D.

To follow industry best practices

Buy Now
Questions 214

An IS auditor is assigned to perform a post-implementation review of an application system. Which of the following would impair the auditor's independence?

Options:

A.

The auditor implemented a specific control during the development of the system.

B.

The auditor provided advice concerning best practices.

C.

The auditor participated as a member of the project team without operational responsibilities

D.

The auditor designed an embedded audit module exclusively for audit

Buy Now
Questions 215

Which of the following should be the GREATEST concern to an IS auditor reviewing an organization's method to transport sensitive data between offices?

Options:

A.

The method relies exclusively on the use of public key infrastructure (PKI).

B.

The method relies exclusively on the use of digital signatures.

C.

The method relies exclusively on the use of asymmetric encryption algorithms.

D.

The method relies exclusively on the use of 128-bit encryption.

Buy Now
Questions 216

Which of the following is MOST useful when planning to audit an organization's compliance with cybersecurity regulations in foreign countries?

Options:

A.

Prioritize the audit to focus on the country presenting the greatest amount of operational risk.

B.

Follow the cybersecurity regulations of the country with the most stringent requirements.

C.

Develop a template that standardizes the reporting of findings from each country's audit team

D.

Map the different regulatory requirements to the organization's IT governance framework

Buy Now
Questions 217

A global organization's policy states that all workstations must be scanned for malware each day. Which of the following would provide an IS auditor with the BEST evidence of continuous compliance with this policy?

Options:

A.

Penetration testing results

B.

Management attestation

C.

Anti-malware tool audit logs

D.

Recent malware scan reports

Buy Now
Questions 218

Which type of review is MOST important to conduct when an IS auditor is informed that a recent internal exploitation of a bug has been discovered in a business application?

Options:

A.

Penetration testing

B.

Application security testing

C.

Forensic audit

D.

Server security audit

Buy Now
Questions 219

Stress testing should ideally be carried out under a:

Options:

A.

test environment with production workloads.

B.

test environment with test data.

C.

production environment with production workloads.

D.

production environment with test data.

Buy Now
Questions 220

Which of the following is MOST important to include in security awareness training?

Options:

A.

How to respond to various types of suspicious activity

B.

The importance of complex passwords

C.

Descriptions of the organization's security infrastructure

D.

Contact information for the organization's security team

Buy Now
Questions 221

Which of the following observations should be of GREATEST concern to an IS auditor performing an audit of change and release management controls for a new complex system developed by a small in-house IT team?

Options:

A.

Access to change testing strategy and results is not restricted to staff outside the IT team.

B.

Some user acceptance testing (IJAT) was completed by members of the IT team.

C.

IT administrators have access to the production and development environment

D.

Post-implementation testing is not conducted for all system releases.

Buy Now
Questions 222

Which of the following is BEST used for detailed testing of a business application's data and configuration files?

Options:

A.

Version control software

B.

Audit hooks

C.

Utility software

D.

Audit analytics tool

Buy Now
Questions 223

Which of the following findings would be of GREATEST concern to an IS auditor assessing an organization's patch management process?

Options:

A.

The organization's software inventory is not complete.

B.

Applications frequently need to be rebooted for patches to take effect.

C.

Software vendors are bundling patches.

D.

Testing patches takes significant time.

Buy Now
Questions 224

Which of the following is the MOST significant risk when an application uses individual end-user accounts to access the underlying database?

Options:

A.

Multiple connects to the database are used and slow the process_

B.

User accounts may remain active after a termination.

C.

Users may be able to circumvent application controls.

D.

Application may not capture a complete audit trail.

Buy Now
Questions 225

Which of the following provides the MOST protection against emerging threats?

Options:

A.

Demilitarized zone (DMZ)

B.

Heuristic intrusion detection system (IDS)

C.

Real-time updating of antivirus software

D.

Signature-based intrusion detection system (IDS)

Buy Now
Questions 226

Which of the following is the MOST important consideration for a contingency facility?

Options:

A.

The contingency facility has the same badge access controls as the primary site.

B.

Both the contingency facility and the primary site have the same number of business assets in their inventory.

C.

The contingency facility is located a sufficient distance away from the primary site.

D.

Both the contingency facility and the primary site are easily identifiable.

Buy Now
Questions 227

Following the sale of a business division, employees will be transferred to a new organization, but they will retain access to IT equipment from the previous employer. An IS auditor has recommended that both organizations agree to and document an acceptable use policy for the equipment. What type of control has been recommended?

Options:

A.

Detective control

B.

Preventive control

C.

Directive control

D.

Corrective control

Buy Now
Questions 228

Which of the following findings from a database security audit presents the GREATEST risk of critical security exposures?

Options:

A.

Legacy data has not been purged.

B.

Admin account passwords are not set to expire.

C.

Default settings have not been changed.

D.

Database activity logging is not complete.

Buy Now
Questions 229

In a large organization, IT deadlines on important projects have been missed because IT resources are not prioritized properly. Which of the following is the BEST recommendation to address this problem?

Options:

A.

Revisit the IT strategic plan.

B.

Implement project portfolio management.

C.

Implement an integrated resource management system.

D.

Implement a comprehensive project scorecard.

Buy Now
Questions 230

An IS auditor has been asked to advise on measures to improve IT governance within the organization. Which of the following IS the BEST recommendation?

Options:

A.

Benchmark organizational performance against industry peers

B.

Implement key performance indicators (KPIs).

C.

Require executive management to draft IT strategy

D.

Implement annual third-party audits.

Buy Now
Questions 231

An IS auditor is reviewing enterprise governance and finds there is no defined organizational structure for technology risk governance. Which of the following is the GREATEST concern with this lack of structure?

Options:

A.

Software developers may adopt inappropriate technology.

B.

Project managers may accept technology risks exceeding the organization's risk appetite.

C.

Key decision-making entities for technology risk have not been identified

D.

There is no clear approval entity for organizational security standards.

Buy Now
Questions 232

An IS auditor is reviewing the service agreement with a technology company that provides IT help desk services to the organization. Which of the following monthly performance

metrics is the BEST indicator of service quality?

Options:

A.

The total number of users requesting help desk services

B.

The average call waiting time on each request

C.

The percent of issues resolved by the first contact

D.

The average turnaround time spent on each reported issue

Buy Now
Questions 233

While evaluating the data classification process of an organization, an IS auditor's PRIMARY focus should be on whether:

Options:

A.

data classifications are automated.

B.

a data dictionary is maintained.

C.

data retention requirements are clearly defined.

D.

data is correctly classified.

Buy Now
Questions 234

A characteristic of a digital signature is that it

Options:

A.

is under control of the receiver

B.

is unique to the message

C.

is validated when data are changed

D.

has a reproducible hashing algorithm

Buy Now
Questions 235

Which of the following should be of GREATEST concern to an IS auditor assessing the effectiveness of an organization's vulnerability scanning program''

Options:

A.

Steps taken to address identified vulnerabilities are not formally documented

B.

Results are not reported to individuals with authority to ensure resolution

C.

Scans are performed less frequently than required by the organization's vulnerability scanning schedule

D.

Results are not approved by senior management

Buy Now
Questions 236

An IS auditor is concerned that unauthorized access to a highly sensitive data center might be gained by piggybacking or tailgating. Which of the following is the BEST recommendation? (Choose Correct answer and give explanation from CISA Certification - Information Systems Auditor official book)

Options:

A.

Biometrics

B.

Procedures for escorting visitors

C.

Airlock entrance

D.

Intruder alarms

Buy Now
Questions 237

Users are complaining that a newly released enterprise resource planning (ERP) system is functioning too slowly. Which of the following tests during the quality assurance (QA) phase would have identified this concern?

Options:

A.

Stress

B.

Regression

C.

Interface

D.

Integration

Buy Now
Questions 238

An IS auditor has discovered that a software system still in regular use is years out of date and no longer supported. The auditee has stated that it will take six months until the software is running on the current version. Which of the following is the BEST way to reduce the immediate risk associated with using an unsupported version of the software?

Options:

A.

Verify all patches have been applied to the software system's outdated version.

B.

Close all unused ports on the outdated software system.

C.

Monitor network traffic attempting to reach the outdated software system.

D.

Segregate the outdated software system from the main network.

Buy Now
Questions 239

An IS auditor is evaluating the progress of a web-based customer service application development project. Which of the following would be MOST helpful for this evaluation?

Options:

A.

Backlog consumption reports

B.

Critical path analysis reports

C.

Developer status reports

D.

Change management logs

Buy Now
Questions 240

What should an IS auditor do FIRST when a follow-up audit reveals some management action plans have not been initiated?

Options:

A.

Confirm whether the identified risks are still valid.

B.

Provide a report to the audit committee.

C.

Escalate the lack of plan completion to executive management.

D.

Request an additional action plan review to confirm the findings.

Buy Now
Questions 241

Which of the following should be of MOST concern to an IS auditor reviewing the information systems acquisition, development, and implementation process?

Options:

A.

Data owners are not trained on the use of data conversion tools.

B.

A post-implementation lessons-learned exercise was not conducted.

C.

There is no system documentation available for review.

D.

System deployment is routinely performed by contractors.

Buy Now
Questions 242

Which of the following should be considered when examining fire suppression systems as part of a data center environmental controls review?

Options:

A.

Installation manuals

B.

Onsite replacement availability

C.

Insurance coverage

D.

Maintenance procedures

Buy Now
Questions 243

Which type of device sits on the perimeter of a corporate of home network, where it obtains a public IP address and then generates private IP addresses internally?

Options:

A.

Switch

B.

Intrusion prevention system (IPS)

C.

Gateway

D.

Router

Buy Now
Questions 244

Audit frameworks cart assist the IS audit function by:

Options:

A.

defining the authority and responsibility of the IS audit function.

B.

providing details on how to execute the audit program.

C.

providing direction and information regarding the performance of audits.

D.

outlining the specific steps needed to complete audits

Buy Now
Questions 245

The charging method that effectively encourages the MOST efficient use of IS resources is:

Options:

A.

specific charges that can be tied back to specific usage.

B.

total utilization to achieve full operating capacity.

C.

residual income in excess of actual incurred costs.

D.

allocations based on the ability to absorb charges.

Buy Now
Questions 246

Which of the following should an IS auditor review when evaluating information systems governance for a large organization?

Options:

A.

Approval processes for new system implementations

B.

Procedures for adding a new user to the invoice processing system

C.

Approval processes for updating the corporate website

D.

Procedures for regression testing system changes

Buy Now
Questions 247

Which of the following is MOST important to define within a disaster recovery plan (DRP)?

Options:

A.

Business continuity plan (BCP)

B.

Test results for backup data restoration

C.

A comprehensive list of disaster recovery scenarios and priorities

D.

Roles and responsibilities for recovery team members

Buy Now
Questions 248

A disaster recovery plan (DRP) should include steps for:

Options:

A.

assessing and quantifying risk.

B.

negotiating contracts with disaster planning consultants.

C.

identifying application control requirements.

D.

obtaining replacement supplies.

Buy Now
Questions 249

An IS auditor notes that not all security tests were completed for an online sales system recently promoted to production. Which of the following is the auditor's BEST course of action?

Options:

A.

Determine exposure to the business

B.

Adjust future testing activities accordingly

C.

Increase monitoring for security incidents

D.

Hire a third party to perform security testing

Buy Now
Questions 250

Which of the following is the BEST performance indicator for the effectiveness of an incident management program?

Options:

A.

Average time between incidents

B.

Incident alert meantime

C.

Number of incidents reported

D.

Incident resolution meantime

Buy Now
Questions 251

The use of which of the following is an inherent risk in the application container infrastructure?

Options:

A.

Shared registries

B.

Host operating system

C.

Shared data

D.

Shared kernel

Buy Now
Questions 252

What would be an IS auditor's BEST course of action when an auditee is unable to close all audit recommendations by the time of the follow-up audit?

Options:

A.

Ensure the open issues are retained in the audit results.

B.

Terminate the follow-up because open issues are not resolved

C.

Recommend compensating controls for open issues.

D.

Evaluate the residual risk due to open issues.

Buy Now
Questions 253

An organization implemented a cybersecurity policy last year Which of the following is the GREATE ST indicator that the policy may need to be revised?

Options:

A.

A significant increase in authorized connections to third parties

B.

A significant increase in cybersecurity audit findings

C.

A significant increase in approved exceptions

D.

A significant increase in external attack attempts

Buy Now
Questions 254

Which of the following is the BEST way to verify the effectiveness of a data restoration process?

Options:

A.

Performing periodic reviews of physical access to backup media

B.

Performing periodic complete data restorations

C.

Validating off ne backups using software utilities

D.

Reviewing and updating data restoration policies annually

Buy Now
Questions 255

An IS auditor learns a server administration team regularly applies workarounds to address repeated failures of critical data processing services Which of the following would BEST enable the organization to resolve this issue?

Options:

A.

Problem management

B.

Incident management

C.

Service level management

D.

Change management

Buy Now
Questions 256

An IS auditor engaged in developing the annual internal audit plan learns that the chief information officer (CIO) has requested there be no IS audits in the upcoming year as more time is needed to address a large number of recommendations from the previous year. Which of the following should the auditor do FIRST

Options:

A.

Escalate to audit management to discuss the audit plan

B.

Notify the chief operating officer (COO) and discuss the audit plan risks

C.

Exclude IS audits from the upcoming year's plan

D.

Increase the number of IS audits in the clan

Buy Now
Questions 257

An organization is shifting to a remote workforce In preparation the IT department is performing stress and capacity testing of remote access infrastructure and systems What type of control is being implemented?

Options:

A.

Directive

B.

Detective

C.

Preventive

D.

Compensating

Buy Now
Questions 258

Which of the following technologies has the SMALLEST maximum range for data transmission between devices?

Options:

A.

Wi-Fi

B.

Bluetooth

C.

Long-term evolution (LTE)

D.

Near-field communication (NFC)

Buy Now
Questions 259

Which of the following should be the GREATEST concern to an IS auditor reviewing an organization's method to transport sensitive data between offices?

Options:

A.

The method relies exclusively on the use of asymmetric encryption algorithms.

B.

The method relies exclusively on the use of 128-bit encryption.

C.

The method relies exclusively on the use of digital signatures.

D.

The method relies exclusively on the use of public key infrastructure (PKI).

Buy Now
Questions 260

A financial group recently implemented new technologies and processes, Which type of IS audit would provide the GREATEST level of assurance that the department's objectives have been met?

Options:

A.

Performance audit

B.

Integrated audit

C.

Cyber audit

D.

Financial audit

Buy Now
Questions 261

Management has learned the implementation of a new IT system will not be completed on time and has requested an audit. Which of the following audit findings should be of GREATEST concern?

Options:

A.

The actual start times of some activities were later than originally scheduled.

B.

Tasks defined on the critical path do not have resources allocated.

C.

The project manager lacks formal certification.

D.

Milestones have not been defined for all project products.

Buy Now
Questions 262

Which of the following is the BEST way to help ensure new IT implementations align with enterprise architecture (EA) principles and requirements?

Options:

A.

Document the security view as part of the EA

B.

Consider stakeholder concerns when defining the EA

C.

Perform mandatory post-implementation reviews of IT implementations

D.

Conduct EA reviews as part of the change advisory board

Buy Now
Questions 263

Which of following is MOST important to determine when conducting a post-implementation review?

Options:

A.

Whether the solution architecture compiles with IT standards

B.

Whether success criteria have been achieved

C.

Whether the project has been delivered within the approved budget

D.

Whether lessons teamed have been documented

Buy Now
Questions 264

When auditing the closing stages of a system development protect which of the following should be the MOST important consideration?

Options:

A.

Control requirements

B.

Rollback procedures

C.

Functional requirements documentation

D.

User acceptance lest (UAT) results

Buy Now
Questions 265

Which of the following is the GREATEST benefit of adopting an international IT governance framework rather than establishing a new framework based on the actual situation of a specific organization1?

Options:

A.

Readily available resources such as domains and risk and control methodologies

B.

Comprehensive coverage of fundamental and critical risk and control areas for IT governance

C.

Fewer resources expended on trial-and-error attempts to fine-tune implementation methodologies

D.

Wide acceptance by different business and support units with IT governance objectives

Buy Now
Questions 266

An IS auditor is asked to review an organization's technology relationships, interfaces, and data. Which of the following enterprise architecture (EA) areas is MOST appropriate this review? (Choose Correct answer and give explanation from CISA Certification - Information Systems Auditor official book)

Options:

A.

Reference architecture

B.

Infrastructure architecture

C.

Information security architecture

D.

Application architecture

Buy Now
Questions 267

Afire alarm system has been installed in the computer room The MOST effective location for the fire alarm control panel would be inside the

Options:

A.

computer room closest to the uninterruptible power supply (UPS) module

B.

computer room closest to the server computers

C.

system administrators’ office

D.

booth used by the building security personnel

Buy Now
Questions 268

During a follow-up audit, an IS auditor finds that senior management has implemented a different remediation action plan than what was previously agreed upon. Which of the following is the auditor's BEST course of action?

Options:

A.

Report the deviation by the control owner in the audit report.

B.

Evaluate the implemented control to ensure it mitigates the risk to an acceptable level.

C.

Cancel the follow-up audit and reschedule for the next audit period.

D.

Request justification from management for not implementing the recommended control.

Buy Now
Questions 269

An IS auditor is evaluating the access controls for a shared customer relationship management (CRM) system. Which of the following would be the GREATEST concern?

Options:

A.

Single sign-on is not enabled

B.

Audit logging is not enabled

C.

Security baseline is not consistently applied

D.

Complex passwords are not required

Buy Now
Questions 270

If enabled within firewall rules, which of the following services would present the GREATEST risk?

Options:

A.

Simple mail transfer protocol (SMTP)

B.

Simple object access protocol (SOAP)

C.

Hypertext transfer protocol (HTTP)

D.

File transfer protocol (FTP)

Buy Now
Questions 271

In response to an audit finding regarding a payroll application, management implemented a new automated control. Which of the following would be MOST helpful to the IS auditor when evaluating the effectiveness of the new control?

Options:

A.

Approved test scripts and results prior to implementation

B.

Written procedures defining processes and controls

C.

Approved project scope document

D.

A review of tabletop exercise results

Buy Now
Questions 272

Which of the following is the BEST way to sanitize a hard disk for reuse to ensure the organization's information cannot be accessed?

Options:

A.

Re-partitioning

B.

Degaussing

C.

Formatting

D.

Data wiping

Buy Now
Questions 273

Which of the following is MOST important for an IS auditor to review when determining whether IT investments are providing value to tie business?

Options:

A.

Return on investment (ROI)

B.

Business strategy

C.

Business cases

D.

Total cost of ownership (TCO)

Buy Now
Questions 274

During a review, an IS auditor discovers that corporate users are able to access cloud-based applications and data any Internet-connected web browser. Which Of the following

is the auditor’s BEST recommendation to prevent unauthorized access?

Options:

A.

Implement an intrusion detection system (IDS),

B.

Update security policies and procedures.

C.

Implement multi-factor authentication.

D.

Utilize strong anti-malware controls on all computing devices.

Buy Now
Questions 275

An IS auditor is performing a follow-up audit for findings identified in an organization's user provisioning process Which of the following is the MOST appropriate population to sample from when testing for remediation?

Options:

A.

All users provisioned after the finding was originally identified

B.

All users provisioned after management resolved the audit issue

C.

All users provisioned after the final audit report was issued

D.

All users who have followed user provisioning processes provided by management

Buy Now
Questions 276

Which of the following is the BEST way to address potential data privacy concerns associated with inadvertent disclosure of machine identifier information contained within security logs?

Options:

A.

Unit the use of logs to only those purposes for which they were collected

B.

Restrict the transfer of log files from host machine to online storage

C.

Only collect logs from servers classified as business critical

D.

Limit log collection to only periods of increased security activity

Buy Now
Questions 277

Controls related to authorized modifications to production programs are BEST tested by:

Options:

A.

tracing modifications from the original request for change forward to the executable program.

B.

tracing modifications from the executable program back to the original request for change.

C.

testing only the authorizations to implement the new program.

D.

reviewing only the actual lines of source code changed in the program.

Buy Now
Questions 278

A CFO has requested an audit of IT capacity management due to a series of finance system slowdowns during month-end reporting. What would be MOST important to consider before including this audit in the program?

Options:

A.

Whether system delays result in more frequent use of manual processing

B.

Whether the system's performance poses a significant risk to the organization

C.

Whether stakeholders are committed to assisting with the audit

D.

Whether internal auditors have the required skills to perform the audit

Buy Now
Questions 279

An IS auditor conducts a review of a third-party vendor's reporting of key performance indicators (KPIs) Which of the following findings should be of MOST concern to the auditor?

Options:

A.

KPI data is not being analyzed

B.

KPIs are not clearly defined

C.

Some KPIs are not documented

D.

KPIs have never been updated

Buy Now
Questions 280

Which of the following would protect the confidentiality of information sent in email messages?

Options:

A.

Secure Hash Algorithm 1(SHA-1)

B.

Digital signatures

C.

Encryption

D.

Digital certificates

Buy Now
Questions 281

Which of the following management decisions presents the GREATEST risk associated with data leakage?

Options:

A.

There is no requirement for desktops to be encrypted

B.

Staff are allowed to work remotely

C.

Security awareness training is not provided to staff

D.

Security policies have not been updated in the past year

Buy Now
Questions 282

During which phase of the software development life cycle is it BEST to initiate the discussion of application controls?

Options:

A.

Business case development phase when stakeholders are identified

B.

Application design phase process functionalities are finalized

C.

User acceptance testing (UAT) phase when test scenarios are designed

D.

Application coding phase when algorithms are developed to solve business problems

Buy Now
Questions 283

Which of the following are used in a firewall to protect the entity's internal resources?

Options:

A.

Remote access servers

B.

Secure Sockets Layers (SSLs)

C.

Internet Protocol (IP) address restrictions

D.

Failover services

Buy Now
Questions 284

An IS auditor evaluating the change management process must select a sample from the change log. What is the BEST way to the auditor to confirm the change log is complete?

Options:

A.

Interview change management personnel about completeness.

B.

Take an item from the log and trace it back to the system.

C.

Obtain management attestation of completeness.

D.

Take the last change from the system and trace it back to the log.

Buy Now
Questions 285

When planning an audit, it is acceptable for an IS auditor to rely on a third-party provider’s external audit report on service level management when the

Options:

A.

scope and methodology meet audit requirements

B.

service provider is independently certified and accredited

C.

report confirms that service levels were not violated

D.

report was released within the last 12 months

Buy Now
Questions 286

Which of the following should be of GREATEST concern to an IS auditor performing a review of information security controls?

Options:

A.

The information security policy has not been approved by the chief audit executive (CAE).

B.

The information security policy does not include mobile device provisions

C.

The information security policy is not frequently reviewed

D.

The information security policy has not been approved by the policy owner

Buy Now
Questions 287

An IS auditor has been tasked to review the processes that prevent fraud within a business expense claim system. Which of the following stakeholders is MOST important to involve in this review?

Options:

A.

Information security manager

B.

Quality assurance (QA) manager

C.

Business department executive

D.

Business process owner

Buy Now
Questions 288

Which of the following is MOST effective for controlling visitor access to a data center?

Options:

A.

Visitors are escorted by an authorized employee

B.

Pre-approval of entry requests

C.

Visitors sign in at the front desk upon arrival

D.

Closed-circuit television (CCTV) is used to monitor the facilities

Buy Now
Questions 289

Which of the following findings should be of GREATEST concern to an IS auditor reviewing an organization s newly implemented online security awareness program'?

Options:

A.

Only new employees are required to attend the program

B.

Metrics have not been established to assess training results

C.

Employees do not receive immediate notification of results

D.

The timing for program updates has not been determined

Buy Now
Questions 290

A review of IT interface controls finds an organization does not have a process to identify and correct records that do not get transferred to the receiving system Which of the following is the IS auditors BEST recommendation?

Options:

A.

Enable automatic encryption decryption and electronic signing of data files

B.

implement software to perform automatic reconciliations of data between systems

C.

Have coders perform manual reconciliation of data between systems

D.

Automate the transfer of data between systems as much as feasible

Buy Now
Questions 291

Which of the following should be an IS auditor's GREATEST concern when reviewing an organization's security controls for policy compliance?

Options:

A.

Security policies are not applicable across all business units

B.

End users are not required to acknowledge security policy training

C.

The security policy has not been reviewed within the past year

D.

Security policy documents are available on a public domain website

Buy Now
Questions 292

Which of the following would be MOST impacted if an IS auditor were to assist with the implementation of recommended control enhancements?

Options:

A.

Independence

B.

Integrity

C.

Materiality

D.

Accountability

Buy Now
Questions 293

Transaction records from a business database were inadvertently deleted, and system operators decided to restore from a snapshot copy. Which of the following provides assurance that the BEST transactions were recovered successfully?

Options:

A.

Review transaction recovery logs to ensure no errors were recorded.

B.

Recount the transaction records to ensure no records are missing.

C.

Rerun the process on a backup machine to verify the results are the same.

D.

Compare transaction values against external statements to verify accuracy.

Buy Now
Questions 294

Which of the following areas is MOST likely to be overlooked when implementing a new data classification process?

Options:

A.

End-user computing (EUC) systems

B.

Email attachments

C.

Data sent to vendors

D.

New system applications

Buy Now
Questions 295

Which of the following presents the GREATEST risk associated with end-user computing (EUC) applica-tions over financial reporting?

Options:

A.

Inability to quickly modify and deploy a solution

B.

Lack of portability for users

C.

Loss of time due to manual processes

D.

Calculation errors in spreadsheets

Buy Now
Questions 296

An IS auditor observes that a business-critical application does not currently have any level of fault tolerance. Which of the following is the GREATEST concern with this situation?

Options:

A.

Decreased mean time between failures (MTBF)

B.

Degradation of services

C.

Limited tolerance for damage

D.

Single point of failure

Buy Now
Questions 297

Who should be the FIRST to evaluate an audit report prior to issuing it to the project steering committee?

Options:

A.

IS audit manager

B.

Audit committee

C.

Business owner

D.

Project sponsor

Buy Now
Questions 298

During an organization's implementation of a data loss prevention (DLP) solution, which of the following activities should be completed FIRST?

Options:

A.

Configuring reports

B.

Configuring rule sets

C.

Enabling detection points

D.

Establishing exceptions workflow

Buy Now
Questions 299

How is nonrepudiation supported within a public key infrastructure (PKI) environment?

Options:

A.

Through the use of elliptical curve cryptography on transmitted messages

B.

Through the use of a certificate issued by a certificate authority (CA)

C.

Through the use of private keys to decrypt data received by a user

D.

Through the use of enterprise key management systems

Buy Now
Questions 300

An organization offers an e-commerce platform that allows consumer-to-consumer transactions. The platform now uses blockchain technology to ensure the parties are unable to deny the transactions. Which of the following attributes BEST describes the risk element that this technology is addressing?

Options:

A.

Integrity

B.

Nonrepudiation

C.

Confidentiality

D.

Availability

Buy Now
Questions 301

An IS auditor finds that a new network connection allows communication between the Internet and the internal enterprise resource planning (ERP) system. Which of the following is the PRIMARY business impact to include when presenting this observation to management?

Options:

A.

An increase to the threat landscape

B.

A decrease in data quality in the ERP system

C.

A decrease in network performance

D.

An increase in potential fines from regulators

Buy Now
Questions 302

An IS auditor reviewing an information processing environment decides to conduct external penetration testing. Which of the following is MOST appropriate to include in the audit scope for the organization to distinguish between the auditor's penetration attacks and actual attacks?

Options:

A.

Restricted host IP addresses of simulated attacks

B.

Testing techniques of simulated attacks

C.

Source IP addresses of simulated attacks

D.

Timing of simulated attacks

Buy Now
Questions 303

An IS auditor is performing a follow-up audit for findings identified in an organization's user provisioning process. Which of the following is the MOST appropriate population to sample from

when testing for remediation?

Options:

A.

All users provisioned after the final audit report was issued

B.

All users who have followed user provisioning processes provided by management

C.

All users provisioned after management resolved the audit issue

D.

All users provisioned after the finding was originally identified

Buy Now
Questions 304

Which of the following controls helps to ensure that data extraction queries run by the database administrator (DBA) are monitored?

Options:

A.

Restricting access to DBA activities

B.

Performing periodic access reviews

C.

Storing logs of database access

D.

Reviewing activity logs of the DBA

Buy Now
Questions 305

Which of the following will provide the GREATEST assurance to IT management that a quality management system (QMS) is effective?

Options:

A.

A high percentage of stakeholders satisfied with the quality of IT

B.

Ahigh percentage of incidents being quickly resolved

C.

Ahigh percentage of IT processes reviewed by quality assurance (QA)

D.

Ahigh percentage of IT employees attending quality training

Buy Now
Questions 306

Which of the following BEST addresses the availability of an online store?

Options:

A.

RAID level 5 storage devices

B.

A mirrored site at another location

C.

Online backups

D.

Clustered architecture

Buy Now
Questions 307

An organization's sensitive data is stored in a cloud computing environment and is encrypted. Which of the following findings should be of GREATEST concern to an IS auditor?

Options:

A.

The encryption keys are not kept under dual control.

B.

The cloud vendor does not have multi-regional presence.

C.

Symmetric keys are used for encryption.

D.

Data encryption keys are accessible to the service provider.

Buy Now
Questions 308

An organization has implemented a new data classification scheme and asks the IS auditor to evaluate its effectiveness. Which of the following would be of

GREATEST concern to the auditor?

Options:

A.

End-user managers determine who should access what information.

B.

The organization has created a dozen different classification categories.

C.

The compliance manager decides how the information should be classified.

D.

The organization classifies most of its information as confidential.

Buy Now
Questions 309

Which of the following is the MOST effective way to detect as many abnormalities as possible during an IS audit?

Options:

A.

Conduct a walk-through of the process.

B.

Perform substantive testing on sampled records.

C.

Perform judgmental sampling of key processes.

D.

Use a data analytics tool to identify trends.

Buy Now
Questions 310

Which of the following findings would be of GREATEST concern to an IS auditor reviewing firewall security for an organization's corporate network?

Options:

A.

The production configuration does not conform to corporate policy.

B.

Responsibility for the firewall administration rests with two different divisions.

C.

Industry hardening guidance has not been considered.

D.

The firewall configuration file is extremely long and complex.

Buy Now
Questions 311

During an information security review, an IS auditor learns an organizational policy requires all employ-ees to attend information security training during the first week of each new year. What is

the auditor's BEST recommendation to ensure employees hired after January receive adequate guid-ance regarding security awareness?

Options:

A.

Ensure new employees read and sign acknowledgment of the acceptable use policy.

B.

Revise the policy to include security training during onboarding.

C.

Revise the policy to require security training every six months for all employees.

D.

Require management of new employees to provide an overview of security awareness.

Buy Now
Questions 312

An IS auditor has been asked to review the quality of data in a general ledger system. Which of the following would provide the auditor with the MOST meaningful results?

Options:

A.

Discussion of the largest account values with business owners

B.

Integrity checks against source documentation

C.

System vulnerability assessment

D.

Interviews with system owners and operators

Buy Now
Questions 313

Which of the following is the GREATEST risk if two users have concurrent access to the same database record?

Options:

A.

Data integrity

B.

Entity integrity

C.

Referential integrity

D.

Availability integrity

Buy Now
Questions 314

An IS auditor learns that a business owner violated the organization's security policy by creating a web page with access to production data. The auditor's NEXT step should be to:

Options:

A.

determine if sufficient access controls exist.

B.

assess the sensitivity of the production data.

C.

shut down the web page.

D.

escalate to senior management.

Buy Now
Questions 315

Which of the following is MOST important to define within a disaster recovery plan (DRP)?

Options:

A.

A comprehensive list of disaster recovery scenarios and priorities

B.

Business continuity plan (BCP)

C.

Test results for backup data restoration

D.

Roles and responsibilities for recovery team members

Buy Now
Questions 316

Which of the following is the MOST appropriate testing approach when auditing a daily data flow between two systems via an automated interface to confirm that it is complete and accurate?

Options:

A.

Confirm that the encryption standard applied to the interface is in line with best practice.

B.

Inspect interface configurations and an example output of the systems.

C.

Perform data reconciliation between the two systems for a sample of 25 days.

D.

Conduct code review for both systems and inspect design documentation.

Buy Now
Questions 317

Which of the following practices associated with capacity planning provides the GREATEST assurance that future incidents related to existing server performance will be prevented?

Options:

A.

Reviewing results from simulated high-demand stress test scenarios

B.

Performing a root cause analysis for past performance incidents

C.

Anticipating current service level agreements (SLAs) will remain unchanged

D.

Duplicating existing disk drive systems to improve redundancy and data storage

Buy Now
Questions 318

Who is PRIMARILY responsible for the design of IT controls to meet control objectives?

Options:

A.

Business management

B.

Internal auditor

C.

Risk management

D.

ITC manager

Buy Now
Questions 319

Which of the following is an effective way to ensure the integrity of file transfers in a peer-to-peer (P2P) computing environment?

Options:

A.

Associate a message authentication code with each file transferred.

B.

Ensure the files are transferred through an intrusion detection system (IDS).

C.

Encrypt the packets shared between peers within the environment.

D.

Connect the client computers in the environment to a jump server.

Buy Now
Questions 320

Data from a system of sensors located outside of a network is received by the open ports on a server. Which of the following is the BEST way to ensure the integrity of the data being collected from the sensor system?

Options:

A.

Route the traffic from the sensor system through a proxy server.

B.

Hash the data that is transmitted from the sensor system.

C.

Implement network address translation on the sensor system.

D.

Transmit the sensor data via a virtual private network (VPN) to the server.

Buy Now
Questions 321

Which of the following is the PRIMARY advantage of using an automated security log monitoring tool instead of conducting a manual review to monitor the use of privileged access?

Options:

A.

Reduced costs associated with automating the review

B.

Increased likelihood of detecting suspicious activity

C.

Ease of storing and maintaining log file

D.

Ease of log retrieval for audit purposes

Buy Now
Questions 322

Which of the following is the GREATEST risk related to the use of virtualized environments?

Options:

A.

The host may be a potential single point of failure within the system.

B.

There may be insufficient processing capacity to assign to guests.

C.

There may be increased potential for session hijacking.

D.

Ability to change operating systems may be limited.

Buy Now
Questions 323

Which of the following is the MOST appropriate responsibility of an IS auditor involved in a data center renovation project?

Options:

A.

Performing independent reviews of responsible parties engaged in the project

B.

Shortlisting vendors to perform renovations

C.

Ensuring the project progresses as scheduled and milestones are achieved

D.

Implementing data center operational controls

Buy Now
Questions 324

Which of the following findings related to segregation of duties should be of GREATEST concern to an IS auditor?

Options:

A.

The person who tests source code also approves changes.

B.

The person who administers servers is also part of the infrastructure management team.

C.

The person who creates new user accounts also modifies user access levels.

D.

The person who edits source code also has write access to production.

Buy Now
Questions 325

Which of the following would be MOST useful to an IS auditor when making recommendations to enable continual improvement of IT processes over time?

Options:

A.

IT incident log

B.

Benchmarking studies

C.

Maturity model

D.

IT risk register

Buy Now
Questions 326

Which of the following provides the BEST evidence that system requirements are met when evaluating a project before implementation?

Options:

A.

Integration testing results

B.

Sign-off from senior management

C.

User acceptance testing (UAT) results

D.

Regression testing results

Buy Now
Questions 327

An IS auditor is reviewing processes for importing market price data from external data providers. Which of the following findings should the auditor consider MOST critical?

Options:

A.

The transfer protocol does not require authentication.

B.

The quality of the data is not monitored.

C.

Imported data is not disposed of frequently.

D.

The transfer protocol is not encrypted.

Buy Now
Questions 328

Which of the following observations regarding change management should be considered the MOST serious risk by an IS auditor?

Options:

A.

There is no software used to track change management.

B.

The change is not approved by the business owners.

C.

The change is deployed two weeks after approval.

D.

The development of the change is not cost-effective.

Buy Now
Questions 329

A review of IT interface controls finds an organization does not have a process to identify and correct records that do not get transferred to the receiving system. Which of the following is the IS

auditor's BEST recommendation?

Options:

A.

Enable automatic encryption, decryption, and electronic signing of data files.

B.

Automate the transfer of data between systems as much as is feasible.

C.

Have coders perform manual reconciliation of data between systems.D

D.

Implement software to perform automatic reconciliations of data between systems.

Buy Now
Questions 330

An IS auditor finds ad hoc vulnerability scanning is in place with no clear alignment to the organization's wider security threat and vulnerability management program.

Which of the following would BEST enable the organization to work toward improvement in this area?

Options:

A.

Implementing security logging to enhance threat and vulnerability management

B.

Maintaining a catalog of vulnerabilities that may impact mission-critical systems

C.

Using a capability maturity model to identify a path to an optimized program

D.

Outsourcing the threat and vulnerability management function to a third party

Buy Now
Questions 331

An IS auditor discovers that a developer has used the same key to grant access to multiple applications making calls to an application programming interface (API). Which of the following is the BEST recommendation to address this situation?

Options:

A.

Replace the API key with time-limited tokens that grant least privilege access.

B.

Authorize the API key to allow read-only access by all applications.

C.

Implement a process to expire the API key after a previously agreed-upon period of time.

D.

Coordinate an API key rotation exercise with all impacted application owners.

Buy Now
Questions 332

In an annual audit cycle, the audit of an organization's IT department resulted in many findings. Which of the following would be the MOST important consideration when planning the next audit?

Options:

A.

Postponing the review until all of the findings have been rectified

B.

Limiting the review to the deficient areas

C.

Verifying that all recommendations have been implemented

D.

Following up on the status of all recommendations

Buy Now
Questions 333

An organization's information security policies should be developed PRIMARILY on the basis of:

Options:

A.

enterprise architecture (EA).

B.

industry best practices.

C.

a risk management process.

D.

past information security incidents.

Buy Now
Questions 334

The PRIMARY reason to assign data ownership for protection of data is to establish:

Options:

A.

reliability.

B.

traceability.

C.

authority,

D.

accountability.

Buy Now
Questions 335

Which of the following is the PRIMARY reason for using a digital signature?

Options:

A.

Provide availability to the transmission

B.

Authenticate the sender of a message

C.

Provide confidentiality to the transmission

D.

Verify the integrity of the data and the identity of the recipient

Buy Now
Questions 336

Which of the following will provide the GREATEST assurance to IT management that a quality management system (QMS) is effective?

Options:

A.

A high percentage of stakeholders satisfied with the quality of IT

B.

A high percentage of IT processes reviewed by quality assurance (QA)

C.

A high percentage of incidents being quickly resolved

D.

A high percentage of IT employees attending quality training

Buy Now
Questions 337

During the audit of an enterprise resource planning (ERP) system, an IS auditor found an applicationpatch was applied to the production environment. It is MOST

important for the IS auditor to verify approval from the:

Options:

A.

information security officer.

B.

system administrator.

C.

information asset owner.

D.

project manager.

Buy Now
Questions 338

External audits have identified recurring exceptions in the user termination process, despite similar internal audits having reported no exceptions in the past. Which of the following is the IS auditor's BEST course of action to improve the internal audit process in the future?

Options:

A.

Include the user termination process in all upcoming audits.

B.

Review user termination process changes.

C.

Review the internal audit sampling methodology.

D.

Review control self-assessment (CSA) results.

Buy Now
Questions 339

A telecommunications company has recently created a new fraud department with three employees and acquired a fraud detection system that uses artificial intelligence (AI) modules. Which of the following would be of GREATEST concern to an IS auditor reviewing the system?

Options:

A.

A very large number of true negatives

B.

A small number of false negatives

C.

A small number of true positives

D.

A large number of false positives

Buy Now
Questions 340

Which of the following would an IS auditor find to be the GREATEST risk associated with the server room in a remote office location?

Options:

A.

The server room is secured by a key lock instead of an electronic lock.

B.

The server room's location is known by people who work in the area.

C.

The server room does not have temperature controls.

D.

The server room does not have biometric controls.

Buy Now
Questions 341

Which of the following is the MOST important factor when an organization is developing information security policies and procedures?

Options:

A.

Alignment with an information security framework

B.

Compliance with relevant regulations

C.

Inclusion of mission and objectives

D.

Consultation with security staff

Buy Now
Questions 342

An organization has decided to purchase a web-based email service from a third-party vendor and eliminate its own email server infrastructure. What type of cloud computing environment would BEST meet the organization's objective?

Options:

A.

Platform as a Service (PaaS)

B.

Software as a Service (SaaS)

C.

Database as a Service (DBaaS)

D.

Infrastructure as a Service (laaS)

Buy Now
Questions 343

The business case for an information system investment should be available for review until the:

Options:

A.

information system investment is retired.

B.

information system has reached end of life.

C.

formal investment decision is approved.

D.

benefits have been fully realized.

Buy Now
Questions 344

Which of the following BEST reflects a mature strategic planning process?

Options:

A.

Action plans with IT requirements built into all projects

B.

An IT strategic plan with specifications of controls and safeguards

C.

An IT strategic plan that supports the corporate strategy

D.

IT projects from the strategic plan are approved by management

Buy Now
Questions 345

When auditing the adequacy of a cooling system for a data center, which of the following is MOST important for the IS auditor to review?

Options:

A.

Environmental performance metrics

B.

Geographical location of the data center

C.

Disaster recovery plan (DRP) testing results

D.

Facilities maintenance records

Buy Now
Questions 346

An organization is ready to implement a new IT solution consisting of multiple modules. The last module updates the processed data into the database. Which of the following findings should be of MOST concern to the IS auditor?

Options:

A.

Absence of a formal change approval process

B.

Lack of input validation

C.

Use of weak encryption

D.

Lack of a data dictionary

Buy Now
Questions 347

Which of the following should be an IS auditor's PRIMARY focus when auditing the implementation of a new IT operations performance monitoring system?

Options:

A.

Reviewing whether all changes have been implemented

B.

Validating whether baselines have been established

C.

Confirming whether multi-factor authentication (MFA) is deployed as part of the operational enhancements

D.

Determining whether there is a process for annual review of the maintenance manual

Buy Now
Questions 348

An IS auditor is reviewing a network diagram. Which of the following would be the BEST location for placement of a firewall?

Options:

A.

Between each host and the local network switch/hub

B.

Between virtual local area networks (VLANs)

C.

Inside the demilitarized zone (DMZ)

D.

At borders of network segments with different security levels

Buy Now
Questions 349

A senior IS auditor suspects that a PC may have been used to perpetrate fraud in a finance department. The auditor should FIRST report this suspicion to:

Options:

A.

the audit committee.

B.

audit management.

C.

auditee line management.

D.

the police.

Buy Now
Questions 350

An IS auditor would MOST likely recommend that IT management use a balanced scorecard to:

Options:

A.

indicate whether the organization meets quality standards.

B.

ensure that IT staff meet performance requirements.

C.

train and educate IT staff.

D.

assess IT functions and processes.

Buy Now
Questions 351

An IS auditor finds that a number of key patches have not been applied in a timely manner due to re-source constraints. Which of the following is the GREATEST risk to the organization in this

situation?

Options:

A.

Systems may not be supported by the vendor.

B.

Known security vulnerabilities may not be mitigated.

C.

Different systems may not be compatible.

D.

The systems may not meet user requirements.

Buy Now
Questions 352

Which of the following is an analytical review procedure for a payroll system?

Options:

A.

Performing reasonableness tests by multiplying the number of employees by the average wage rate

B.

Evaluating the performance of the payroll system using benchmarking software

C.

Performing penetration attempts on the payroll system

D.

Testing hours reported on time sheets

Buy Now
Questions 353

Which of the following is the GREATEST benefit of adopting an Agile audit methodology?

Options:

A.

Better ability to address key risks

B.

Less frequent client interaction

C.

Annual cost savings

D.

Reduced documentation requirements

Buy Now
Questions 354

Which of the following is an IS auditor's BEST recommendation for mitigating risk associated with inadvertent disclosure of sensitive information by employees?

Options:

A.

Intrusion prevention system (IPS) and firewalls

B.

Data loss prevention (DLP) technologies

C.

Cryptographic protection

D.

Email phishing simulation exercises

Buy Now
Questions 355

Which of the following is the BEST way to enforce the principle of least privilege on a server containing data with different security classifications?

Options:

A.

Limiting access to the data files based on frequency of use

B.

Obtaining formal agreement by users to comply with the data classification policy

C.

Applying access controls determined by the data owner

D.

Using scripted access control lists to prevent unauthorized access to the server

Buy Now
Questions 356

The PRIMARY benefit of information asset classification is that it:

Options:

A.

prevents loss of assets.

B.

helps to align organizational objectives.

C.

facilitates budgeting accuracy.

D.

enables risk management decisions.

Buy Now
Questions 357

During audit framework. an IS auditor teams that employees are allowed to connect their personal devices to company-owned computers. How can the auditor BEST validate that appropriate security controls are in place to prevent data loss?

Options:

A.

Conduct a walk-through to view results of an employee plugging in a device to transfer confidential data.

B.

Review compliance with data loss and applicable mobile device user acceptance policies.

C.

Verify the data loss prevention (DLP) tool is properly configured by the organization.

D.

Verify employees have received appropriate mobile device security awareness training.

Buy Now
Questions 358

A warehouse employee of a retail company has been able to conceal the theft of inventory items by entering adjustments of either damaged or lost stock items lo the inventory system. Which control would have BEST prevented this type of fraud in a retail environment?

Options:

A.

Separate authorization for input of transactions

B.

Statistical sampling of adjustment transactions

C.

Unscheduled audits of lost stock lines

D.

An edit check for the validity of the inventory transaction

Buy Now
Exam Code: CISA
Exam Name: Certified Information Systems Auditor
Last Update: Dec 22, 2024
Questions: 1195

PDF + Testing Engine

$249

Testing Engine

$225

PDF (Q&A)

$199