CISA Practice Questions

ISACA.CISA.v2021-03-04.
q363
Exam Code: CISA
Exam Name: Certified Information Systems Auditor
Certification Provider: ISACA
Free Question Number: 363
Version: v2021-03-04
# of views: 114
# of Questions views: 3635
https://www.freecram.com/torrent/ISACA.CISA.v2021-03-04.q363.html
NEW QUESTION: 1
Which of the following reports can MOST effectively be used to analyze a systems
performance problem?
A. Database usage log
B. Synchronization report
C. Console log
D. Utilization report
Answer: C (LEAVE A REPLY)
NEW QUESTION: 2
Which of the following it BEST enabled by following a configuration management process
for new applications?
A. Maintaining adequate control over changes to production
B. Deploying approved emergence changes to production
C. Ensuring proper testing of code before deployment
D. Managing successful implementation of acquired software
Answer: A (LEAVE A REPLY)
NEW QUESTION: 3
Which of the following is the BEST way to help ensure the security of privacy-related data
stored by an organization?
A. Publish the data classification scheme.
B. Classify privacy-related data as confidential
C. Encrypt personally identifiable information.
D. Inform data owners of the purpose of collecting information.
Answer: B (LEAVE A REPLY)
NEW QUESTION: 4
Which of the following would be an auditor's GREATEST concern when reviewing data
inputs from spreadsheets into the core finance system?
A. Undocumented code formats data and transmits directly to the database
B. The department data protection policy has not been reviewed or updated for two years
C. There is not a complete inventory of spreadsheets, and file naming is inconsistent
D. Spreadsheets are accessible by all members of the finance department
Answer: D (LEAVE A REPLY)
NEW QUESTION: 5
Which of the following should be an IS auditor's GREATEST consideration when
scheduling follow-up activities for agreed-upon management responses to remediate audit
observations?
A. Availability of responsible IT personnel
B. Business interruption due to remediation
C. IT budgeting constraints
D. Risk rating of original findings
Answer: (SHOW ANSWER)
NEW QUESTION: 6
A recent audit identified duplicate software licenses and technologies Which of the
following would be MOST helpful to prevent this type of duplication in the future?
A. Centralizing IT procurement and approval practices
B. Conducting periodic inventory reviews
C. Establishing a project management office
D. Updating IT procurement policies and procedures
NEW QUESTION: 7
In an IS auditor's review of an organization s configuration management practices for
software, which of the following is MOST important?
A. Organizational policies related to release management
B. Service level agreements (SLAs) between the IT function and users
C. Post-implementation review reports from development efforts
D. Software rental contracts or lease agreements
NEW QUESTION: 8
Which of the following communication modes should be of GREATEST concern to an IS
auditor evaluating end user networking?
A. System-to-system
B. Client-to-server
C. Peer-to-peer
D. Host-to-host
NEW QUESTION: 9
At which stage of the software development life cycle should an organization identity
privacy considerations?
A. Design
B. Testing
C. Development
D. Requirements
NEW QUESTION: 10
A technology service organization has recently acquired a new subsidiary. What should be
the IS auditor's NEXT course of action when considering the impact on the development of
the IT audit plan?
A. Perform a risk assessment.
B. Include the new systems in the audit plan.
C. Proceed with the current audit plan.
D. Review the revised business impact analysis (BIA).
NEW QUESTION: 11
An IS auditor is reviewing an organization's method to transport sensitive data between
offices. Which of the following would cause the auditor MOST concern?
A. The method relies exclusively on the use of public key infrastructure.
B. The method relies exclusively on the use of symmetric encryption algorithms.
C. The method relies exclusively on the use of digital signatures.
D. The method relies exclusively on the use of asymmetric encryption algorithms.
NEW QUESTION: 12
Which of the following should an IS auditor recommend to facilitate the management of
baseline requirements for hardening of firewalls?
A. Capacity management
B. Release management
C. Patch management
D. Configuration management
NEW QUESTION: 13
Audit software designed to detect invalid data, extreme values, or linear correlations
between data elements can be classified as which type of data analytics tool?
A. Predictive
B. Descriptive
C. Diagnostic
D. Prescriptive
NEW QUESTION: 14
A start-up company acquiring for its order-taking system is unable to predict the volume of
transactions.
Which of the following is MOST important for the company to consider?
A. Compatibility
B. Scalability
C. Configuration
D. Optimization
NEW QUESTION: 15
An auditor is creating an audit program in which the objective is to establish the adequacy
of personal data privacy controls in a payroll process. Which of the following would be
MOST important to include?
A. User access provisioning
B. Audit logging of administrative user activity
C. Segregation of duties controls
D. Approval of data changes
NEW QUESTION: 16
A recent audit concluded that an organization's information security system was weak and
that monitoring would likely fail to detect penetration. Which of the following would be the
MOST appropriate recommendation?
A. Identify and periodically remove sensitive data that is no longer needed
B. Look continually for new criminal behaviour and attacks on sensitive data
C. Encrypt sensitive data while strengthening the system
D. Establish a clear policy related to security and the handling of sensitive data
Valid CISA Dumps shared by Prepawayexam.com for Helping Passing CISA Exam!
Prepawayexam.com now offer the newest CISA exam dumps, the
Prepawayexam.com CISA exam questions have been updated and answers have
been corrected get the newest Prepawayexam.com CISA dumps with Test Engine
here: https://www.prepawayexam.com/ISACA/braindumps.CISA.ete.file.html (855 Q&As
Dumps, 40%OFF Special Discount: freecram)
NEW QUESTION: 17
To help ensure the organization s information assets are adequately protected, which of
the following considerations is MOST important when developing an information
classification and handling policy?
A. The policy is owned by the head of information security, who has the authority to
enforce the policy.
B. The policy has been mapped against industry frameworks for classifying information
assets.
C. The policy specifies requirements to safeguard information assets based on their
importance to the organization
D. The policy is subject to periodic reviews to ensure its provisions are up to date
NEW QUESTION: 18
A post-implementation review of a system implementation has identified that the defined
objectives were changed several times without the approval of the project board. What
would the IS auditor do NEXT?
A. Determine whether the revised objectives are appropriate
B. Notify the project sponsor and request that the project be reopened.
C. Notify the project management office and raise a finding
D. Ask management to obtain retrospective approvals
NEW QUESTION: 19
An organization has agreed to perform remediation related to high-risk audit findings. The
remediation process involves a complex reorganization of user roles as well as the
Implementation of several compensating controls that may not be completed within the
next audit cycle Which of the following is the BEST way for an IS auditor to follow up on
their activities?
A. Schedule a review of the controls after the projected remediation date
B. Continue to audit the failed controls according to the audit schedule
C. Provide management with a remediation timeline and verity adherence
D. Review the progress of remediation on a regular basis
NEW QUESTION: 20
An audit group is conducting a risk assessment as part of a risk-based audit strategy. To
help ensure the risk assessment results are relevant to the organization, it is MOST
important to:
A. include operational departments and processes.
B. determine both the inherent risk and detection risk.
C. understand the organization's controls.
D. understand the organization's objectives and risk appetite.
NEW QUESTION: 21
An IS auditor learns that after each scheduled batch process runs, management performs
a reconciliation between upstream and downstream data. Which of the following is MOST
important for the auditor to investigate?
A. Job failure resolution controls
B. Access to the job scheduler
C. Results of user acceptance testing
D. Change management over job scheduling
NEW QUESTION: 22
An enterprise receiving email should have procedures to control:
A. insufficient connectivity,
B. insufficient end-points.
C. outdated protocols,
D. unsolicited executable code.
NEW QUESTION: 23
Of the following procedures for testing a disaster recovery plan (DRP), which should be
used MOST frequently?
A. Review of documented backup and recovery procedures
B. Preplanned shutdown of the computing facility during an off-peak period
C. Unannounced shutdown of the primary computing facility
D. Testing at a secondary site using offsite data backups
NEW QUESTION: 24
An organization was recently notified by its regulatory body of significant discrepancies in
its reporting data.
A preliminary investigation revealed that the discrepancies were caused problems with the
organization's data quality. Management has directed the data quality team to enhance
their program. The audit committee has asked internal audit to be visors to the process.
After the data quality team identifies the system data at fault which of the following should
internal audit recommend as the NEXT step m the process?
A. Identity the source data owners
B. Develop an improvement plan.
C. Create business rules that validate data quality
D. Identify the root cause of data quality problems
NEW QUESTION: 25
Which of the following should be restricted from a network administrator's privileges in an
adequately segregated H" environment?
A. Changing existing configurations for applications
B. Ensuring transmission protocols are functioning correctly
C. Opening and closing network ports
D. Monitoring network traffic and detecting anomalies
NEW QUESTION: 26
An IS auditor reviewing a new application for compliance with information privacy
principles should be MOST concerned with:
A. collection limitation.
B. nonrepudiation.
C. awareness.
D. availability.
NEW QUESTION: 27
Which of the following is MOST likely to improve the portability of an application connected
to a database?
A. Analyzing stored procedures and triggers
B. Using a structured query language (SQL)
C. Optimizing the database physical schema
D. Verifying database import and export procedures
NEW QUESTION: 28
An IS auditor reviewing a recently implemented virtual environment notices discrepancies
among similar machine setups. Which of the following should the auditor recommend to
minimize configuration risks?
A. Implement network best practice recommendations.
B. Implement templates to manage rapid deployment of virtual machines.
C. Perform architectural vulnerability analysis to compare current system attributes to a
D. Perform hypervisor software updates with available patches to minimize security
weaknesses.
NEW QUESTION: 29
When introducing a maturity model to the IT management process, it is BEST to align the
maturity level to a point that reflects which of the following?
A. Ideal business production level
B. Maximum risk tolerance level
C. Industry standard practice level
D. Minimum cost expenditure level
NEW QUESTION: 30
Which of the following would BEST enable an IS auditor to perform an audit that requires
testing the full population of data?
A. Experience in database administration
B. Proficiency in the use of data analytics tools
C. Proficiency in programming and coding
D. Expertise in statistical sampling of data
NEW QUESTION: 31
Which of the following would BEST deter the theft of corporate information from a laptop?
A. Encrypt all data on the hard drive.
B. Protect files with passwords.
C. Encrypt the file allocation table (FAT).
D. Install biometric access controls.
NEW QUESTION: 32
During an audit of information security procedures of a large retailer s online store, an IS
auditor notes that operating system (OS) patches are automatically deployed upon -.
Which of the following should be of GREATEST concern to the auditor?
A. Patches are not reflected in the configuration management database
B. Patches are in conflict with current licensing agreements
C. Patches are pushed from the vendor increasing Internet traffic
D. Patches are not tested before installation on critical servers.
NEW QUESTION: 33
Which the following is MOST critical for the effective implementation of IT governance?
A. Strong risk management practices
B. Supportive corporate culture
C. Documented policies
D. Internal auditor commitment
NEW QUESTION: 34
An IS auditor is assigned to review the IS department's quality procedures. Upon
contacting the IS manager, the auditor finds that there is an informal unwritten set of
standards. Which of the following should be the auditor's NEXT action?
A. Document and test compliance with the informal standards.
B. Make recommendations to IS management as to appropriate quality standards.
C. Finalize the audit and report the finding.
D. Postpone the audit until IS management implements written standards.
NEW QUESTION: 35
Which of the following is the MOST effective control for a utility program?
A. Installing the program on a separate server
B. Allowing only authorized personnel to use the program
C. Renaming the versions in the programmers libraries
D. Storing the program in a production library
NEW QUESTION: 36
Which of the following is the BEST recommendation for the establishment of an
information security policy?
A. The development and approval should be overseen by business area management.
B. The policy should be developed by the security administrator.
C. The policy and guidelines should bs developed by the human resources department.
D. The policy should be developed by IS management
NEW QUESTION: 37
Which of the following is the BEST guidance from an IS auditor to an organization planning
an initiative to improve the effectiveness of its IT processes?
A. The organization should use a capability maturity model to identify current maturity
levels for each IT process.
B. IT staff should be surveyed to identify current IT process weaknesses and suggest
improvements.
C. The organization should refer to poor audit reports to identify the specific IT processes
to be improved
D. IT management should include process improvement requirements in staff performance
objectives
NEW QUESTION: 38
Which of the following is the GREATEST risk associated with instant messaging?
A. Data logging is more difficult.
B. Data governance may become ineffective.
C. Data classification procedures may not be followed.
D. Data exfiltration is more likely to occur.
NEW QUESTION: 39
Which of the following is the PRIMARY reason for an IS auditor to map out the narrative of
a business process?
A. To ensure alignment with organizational objectives
B. To identify the resources required to perform the audit
C. To verify the business process is as described in the engagement letter
D. To gain insight into potential risks
NEW QUESTION: 40
A review of Internet security disclosed that users have individual user accounts with
Internet service providers (ISPs) and use these accounts for downloading business data.
The organization wants to ensure that only the corporate network is used. The organization
should FIRST:
A. monitor remote access activities.
B. include a statement in its security policy about Internet use.
C. keep a manual log of Internet access.
D. use a proxy server to filter out Internet sites that should not be accessed.
NEW QUESTION: 41
Which of the following will BEST protect the confidentiality of data stored on the hard drive
of a laptop computer?
A. Physical locks and alarms
B. A boot password
C. Encryption of the data
D. Biometric access control
NEW QUESTION: 42
Based on the Guidance of internal audit, an IT steering committee is considering the use of
a balanced scorecard to evaluate its project management process. Which of the following
is the GREATEST advantage to using this approach?
A. Information is provided m a consistent and timely manner.
B. Projects will be prioritized based on value
C. Performance is measured from different perspectives
D. Project scheduled and budget management will improve
NEW QUESTION: 43
Which of the following factors will BEST promote effective information security
management?
A. Security awareness training
B. Identification and risk assessment of sensitive resources
C. Senior management commitment
D. Security policy framework
NEW QUESTION: 44
While reviewing similar issues in an organization s help desk system, an IS auditor finds
that they were analyzed independently and resolved differently This situation MOST likely
indicates a deficiency in:
A. change management
B. IT service level management
C. problem management
D. configuration management
NEW QUESTION: 45
Before concluding that internal controls can be relied upon, the IS auditor should:
A. discuss the internal control weaknesses with the auditee
B. document application controls.
C. conduct tests of compliance
D. document the system of internal control.
NEW QUESTION: 46
Which of the following is the MOST important difference between end-user computing
(EUC) applications and traditional applications?
A. Traditional applications require periodic patching whereas EUC applications do not.
B. Traditional application input controls are typically more robust than EUC application
input controls.
C. Traditional applications require roll-back procedures whereas EUC applications do not.
D. Traditional application documentation is typically less comprehensive than EUC
application documentation.
NEW QUESTION: 47
Which of the following BEST ensures that only authorized software is moved into a
production environment?
A. Restricting read/write access to production code to computer programmers only
B. A librarian compiling source code into production after independent testing
C. Assigning programming managers to transfer tested programs to production
D. Requiring programming staff to move tested code into production
NEW QUESTION: 48
Which of the following is the MOST effective way to identify anomalous transactions when
performing a payroll fraud audit?
A. Observation of payment processing
B. Substantive testing of payroll files
C. Data analytics on payroll data
D. Sample-based review of pay stubs
NEW QUESTION: 49
Which of the following is the BEST way to evaluate the effectiveness of access controls to
an internal network?
A. Review access rights.
B. Review router configuration tables
C. Test compliance with operating procedures
D. Perform a system penetration rest
NEW QUESTION: 50
Which of the following controls MOST effectively reduces the risk associated with use of
instant messaging (IM) in the workplace?
A. Blocking peer-to-peer (P2P) clients
B. Session border controllers
C. Network address translation
D. Traffic encryption
NEW QUESTION: 51
The demilitarized zone (DMZ) is the part of a network where servers that are placed are:
A. External to the organization
B. Interacting with the public internet
C. Running internal department applications
D. Running-mission critical, non-web application
NEW QUESTION: 52
When an intrusion into an organizations network is detected, which of the foflomng should
be performed FIRST?
A. Identify nodes that have been compromised
B. Develop a response to the incident
C. Protect information in the compromised systems
D. Block all compromised network nodes
NEW QUESTION: 53
An IT governance body wants to determine whether IT service delivery is based on
consistently efficient and effective processes. Which of the following would be the BEST
approach?
A. Analyze current and future capacity.
B. Implement a balanced scorecard
C. Conduct a gap analysis.
D. Evaluate key performance indicators (KPis).
NEW QUESTION: 54
Which of the following would be considered the BEST compensating control to use when
an emergency process, rather than the established control procedures, is used for
database changes?
A. Using the administrator's own account to make out-of-hours changes
B. Logging user's ID and change details for later review by the administrator
C. Logging detailed before-and-after images for later review by the administrator
D. Using an emergency user account with the access to make changes to the database
NEW QUESTION: 55
To protect information assets, which of the following should be done FIRST?
A. Back up data.
B. Classify data.
C. Restrict access to data.
D. Encrypt data.
NEW QUESTION: 56
The grants management system is used to calculate grant payments. Once per day, a
batch interface extracts grant amounts and payee details from this system for import into
the once system so payments can be made overnight Which of the following controls
provides the GREATEST assurance of the accuracy and completeness of the imported
payment
A. Performing monthly bank reconciliations in a timely manner
B. Reviewing transaction logs for anomalies
C. Restricting access to the grants and finance systems
D. Reconciling data from both systems
NEW QUESTION: 57
Which of the following would BEST enable effective IT resource management?
A. Automating business processes
B. Outsourcing IT processes and activities
C. Assessing the risk associated with IT resources
D. Establishing business priorities
NEW QUESTION: 58
A PRIMARY benefit derived by an organization employing control self-assessment (CSA)
techniques s that CSA:
A. Allow management to relinquish responsibilities of control
B. Allows IS auditors 10 independently assess risk
C. Can be used as a replacement for traditional audits
D. Can identify high-risk areas for detailed review
NEW QUESTION: 59
Which of the following is the FIRST consideration when developing a data retention policy?
A. Designing an infrastructure storage strategy
B. Identifying the legal and contractual retention period for data
C. Determining the security access privileges to the data
D. Determining the backup cycle based on retention period
NEW QUESTION: 60
When planning for the implementation of a new system, an organization will opt for a
parallel run PRIMARILY to:
A. facilitate the training of new personnel
B. validate system processing.
C. ensure that the system meets required user response time.
D. verify that system interfaces were implemented.
NEW QUESTION: 61
Which of the following is the MOST likely cause of a successful firewall penetration?
A. Use of a Trojan to bypass the firewall
B. Loophole m firewall vendor's code
C. Virus infection
D. Firewall misconfiguration by the administrator
NEW QUESTION: 62
Which of the following is the PRIMARY objective of the IS audit function?
A. Perform reviews based on standards developed by professional organizations
B. Report to management on the functioning of internal controls.
C. Certify the accuracy of financial data
D. Facilitate extraction of computer-based data for substantive testing.
NEW QUESTION: 63
An IS auditor is planning to audit an organization's infrastructure for access, patching, and
change management. Which of the following is the BEST way to prioritize the systems?
A. System hierarchy within the infrastructure
B. Criticality of the system
C. Complexity of the environment
D. System retirement plan
NEW QUESTION: 64
An IS auditor is evaluating the risks and controls associated with a virtualized environment.
Which of the following observations should be of GREATEST concern?
A. The hypervisor's security settings are not reviewed on a regular basis.
B. The hypervisor's partitioning resources have not been modified from its default settings.
C. Offline and dormant virtual machine Images are not patched on the same cycle as
online ones.
D. The change management process has not been updated to include virtualized
environments.
NEW QUESTION: 65
An IS auditor reviewing security incident processes realizes incidents are resolved and
dosed, but root causes are not investigated Which of the following should be the MAJOR
concern with this situation?
A. Lessons earned have not been property documented.
B. Abuses by employees have not been reported
C. Vulnerabilities have not been properly addressed
D. Security incident policies are out of date
NEW QUESTION: 66
The MOST important reason for documenting all aspects of a digital forensic investigation
is that documentation:
A. provides traceability for independent investigation by third parties.
B. ensures compliance with corporate incident response policies.
C. ensures the process will be repeatable in future investigations.
D. meets IT audit documentation standards.
NEW QUESTION: 67
To confirm integrity for a hashed message, the receiver should use
A. a different hashing algorithm from me sender s to create a binary image of the file
B. the same hashing algorithm as the sender's to create a binary image of the file.
C. the same hashing algorithm as the tender s to create a numerical representation of the
file.
D. a different hashing algorithm from the sender s to create a numerical representation of
the file
NEW QUESTION: 68
Which of the following should be the MOST important consideration when establishing
data classification standards?
A. The standards comply with relevant regulations.
B. An education campaign is established upon rollout.
C. Management supports the newly developed standards
D. Reporting metrics are established.
NEW QUESTION: 69
The GREATEST risk of database renormalization is:
A. Loss of database integrity
B. Decreased performance
C. Incorrect metadata
D. Loss of data confidentiality
NEW QUESTION: 70
Outsourcing the development of business systems is MOST likely to result in the loss of:
A. control over strategic direction.
B. accountability for end products
C. in-house competencies.
D. responsibility for IT security
NEW QUESTION: 71
Which of the following is the BEST detective control for a job scheduling process involving
data transmission?
A. Job failure alerts are automatically generated and routed to support personnel
B. Jobs are scheduled to be completed daily end data is transmitted using a secure Fife
Transfer Protocol (FTP)
C. Metrics denoting the volume of monthly job failures are reported and reviewed by senior
management
D. Jobs are scheduled and a log of this activity n retained for subsequent review
NEW QUESTION: 72
Which of the following is the MOST important activity to undertake to avoid rework later in
a project?
A. Phase review
B. Control review
C. Acceptance testing
D. Risk assessment
NEW QUESTION: 73
An organization with high security requirements is evaluating the effectiveness of biometric
systems. Which of the following performance indicators is MOST important?
A. False-rejection rate (FRR)
B. Equal-error rate (EER)
C. False-acceptance rate (FAR)
D. False-identification rate (FIR)
NEW QUESTION: 74
Management decided to accept the residual risk of an audit finding and not take the
recommended actions. The internal. Audit team believes the acceptance is inappropriate
and has discussed the situation with executive management. After this discussion, there is
still disagreement regarding the decision. Which of the following is the BEST course of
action by internal audit.
A. Schedule another meeting with executive management to convince them of taking
action as recommended.
B. Report this matter to the audit committee without notifying executive management.
C. Report the issue to the audit committee in a joint with execute management for
resolution.
D. Document in the audit report that management has accepted the residual risk and take
no further action.
NEW QUESTION: 75
A new regulatory standard for data privacy requires an organization to protect personally
identifiable information (Pll). Which of the following is MOST important to include in the
audit engagement plan to assess compliance with the new standard?
A. Review of data protection procedures
B. Review of data loss risk scenarios
C. Identification of IT systems that host Pll
D. Identification of unencrypted Pll
NEW QUESTION: 76
Which of the following is the MAIN purpose of implementing an incident response process?
A. Comply with policies and procedures.
B. Provide substantial audit-trail evidence.
C. Assign roles and responsibilities
D. Manage impact due to breaches.
NEW QUESTION: 77
A manufacturing company is implementing application software for its sales and
distribution system. Which of the following is the MOST important reason for the company
to choose a centralized online database?
A. Enhanced integrity controls
B. Elimination of multiple points of failure
C. Enhanced data redundancy
D. Elimination of the need for data normalization
NEW QUESTION: 78
Which of the following is the BEST method to assess the adequacy of security awareness
in an organization?
A. Observing employee security behaviors
B. Interviewing employees about security responsibility
C. Confirming a security awareness program exists
D. Administering security survey questionnaires
NEW QUESTION: 79
To test the integrity of the data in the accounts receivable master file, an IS auditor
particularly interested in reviewing customers with balances over $400.000. the selection
technique the IS auditor would use to obtain such a sample is called:
A. Stratification
B. Discovery sampling
C. Systematic selection
D. Random selection
NEW QUESTION: 80
Which of the following is an advantage of using electronic data interchange (EDI)?
A. Contracts with the vendors are simplified.
B. Multiple inputs of the same document are allowed at different locations.
C. Transcription of information is reduced.
D. Data validation is provided by the service provider.
NEW QUESTION: 81
mission-critical applications with a low recovery time objective (RTO). which of the
following is the BEST backup strategy?
A. Frequent back-ups to tape
B. Archiving to conventional disk
C. Use of virtual tape libraries
D. Mirroring
NEW QUESTION: 82
Which of the following is the PRIMARY advantage of using virtualization technology for
corporate applications?
A. Improved disaster recovery
B. Stronger data security
C. Increased application performance
D. Better utilization of resources
NEW QUESTION: 83
Which of the following would be the MOST effective control to mitigate unintentional
misuse of authorized access?
A. Security awareness training
B. Annual sign-off of acceptable use policy
C. Regular monitoring of user access logs
D. Formalized disciplinary action
NEW QUESTION: 84
The quality assurance (QA) function should be prevented from
A. Establishing analysis techniques
B. Developing naming conventions
C. Amending review procedures
D. Changing programs for business functions
NEW QUESTION: 85
An IS auditor is analysing a sample of assesses recorded on the system log of an
application. The auditor intends to launch an intensive investigation if one exception is
found. Which sampling method would be appropriate?
A. Variable sampling
B. Judgemental sampling
C. Discovery sampling
D. Stratified sampling
NEW QUESTION: 86
When developing metrics to measure the contribution of IT to the achievement of business
goals, the MOST
A. measure the effectiveness of IT controls in the achievement of IT strategy.
B. are used by similar industries to measure the effect of IT on business strategy.
C. provide quantitative measurement of IT initiatives in relation with business targets,
D. are expressed in terms of how IT risk impacts the achievement of business goals.
NEW QUESTION: 87
During a vulnerability assessment, an IS auditor finds a high-risk vulnerability in a public-
facing web server used to process online customer orders via credit card. The IS auditor
could FIRST:
A. notify management.
B. redesign the customer order process.
C. suspend credit card processing.
D. document the finding in the report
NEW QUESTION: 88
In an online application, which of the following would provide the information about the
transaction audit trail?
A. File layouts
B. Source code documentation
C. System/process flowchart
D. Data architecture
NEW QUESTION: 89
The MOST efficient way to confirm that an ERP system being implemented satisfies
business expectations is to utilize which of the following types of testing?
A. Sociability
B. Pilot
C. Parallel
D. Alpha
NEW QUESTION: 90
During an audit of an organization s incident management process, an IS auditor teams
that the security operations team includes detailed reports of recent attacks in its
communications to employees. Which of the following is the GREATEST concern with this
situation?
A. There is not a documented procedure to communicate the reports
B. Employees may fail to understand the seventy of the threats.
C. The reports may be too complex for a nontechnical audience.
D. Employees may misuse the information in the reports.
NEW QUESTION: 91
Internal audit reports should be PRIMARILY written for and communicated to:
A. auditees, as they will eventually have to implement the recommendations
B. senior management as they should be informed about the identified risks.
C. external auditors, as they provide an opinion on the financial statements.
D. audit management as they are responsible for the quality of the audit.
NEW QUESTION: 92
The business owner's approval of software changes being moved into production is
PRIMARILY necessary to:
A. prevent unauthorized access to data.
B. ensure that an application functionality requirement is satisfied.
C. confirm there is a process to control system changes.
D. inform management of deployments of new functionality.
NEW QUESTION: 93
Which of the following provides for the GREATEST cost reduction in a large data center?
A. Staff rotation
B. Job-scheduling software
C. Server consolidation
D. Power conditioning
NEW QUESTION: 94
Which of the following is the MOST efficient solution for a multi-location healthcare
organization that wants to be able to access patient data wherever patients present
themselves for care?
A. Infrastructure as a Service (laaSJ provider
B. Dynamic localization
C. Network segmentation
D. Software as a Service (SaaS) provider
NEW QUESTION: 95
After the release of an application system, an IS auditor wants to verify that the system is
providing value to the organization. The auditor's BEST course of action would be to:
A. Review the results of compliance testing
B. Confirm that risk has declined since the application system release
C. Quantify improvements in client satisfaction
D. Perform a gap analysis against the benefits defined in the business case
NEW QUESTION: 96
What is the BEST population to select from when testing that programs are migrated to
production with proper approval?
A. Completed change request forms
B. Change advisory board meeting minutes
C. List of production programs
D. List of changes provided by application programming managers
NEW QUESTION: 97
What is the PRIMARY advantage of prototyping as part of systems development?
A. Eliminates the need for internal controls
B. Increases accuracy in reporting
C. Reduces the need for compliance testing
D. Maximizes user satisfaction
NEW QUESTION: 98
When evaluating the recent implementation of an intrusion detection system (IDS), an IS
auditor should be MOST concerned with inappropriate:
A. tuning
B. patching
C. training
D. encryption
NEW QUESTION: 99
During an audit, it is discovered that several suppliers with standing orders have been
deleted from the supplier master file Which of the following controls would have BEST
evented such an occurrence?
A. Referential integrity developed
B. Logical relationship check
C. Table look-ups
D. Existence check
NEW QUESTION: 100

Which of the following is the GREATEST benefit of implementing an IT governance
strategy within an organization?
A. Management is aware of IT-related risks.
B. Reporting and metrics become higher priority.
C. Employees understand roles and responsibilities
D. IT projects are delivered on time and under budget
NEW QUESTION: 101

Which of the following should be an IS auditor's FIRST action when assessing the risk
associated with unstructured data?
A. Implement strong encryption for unstructured data.
B. Identify repositories of unstructured data.
C. Identify appropriate tools for data classification.
D. Implement user access controls to unstructured data.
NEW QUESTION: 102

Which of the following should be reviewed as part of a data integrity test?
A. Confidentiality
B. Completeness
C. Redundancy
D. Data backup
NEW QUESTION: 103

Which of the following is the BEST point in time to conduct a post-implementation review
(PIR)?
A. Immediately after deployment
B. After a full processing cycle
C. To coincide with annual PIR cycle
D. Six weeks after deployment
NEW QUESTION: 104

Which of the following is the BEST reason to utilize blockchain technology to record
accounting transactions?
A. Integrity of records
B. Distribution of records
C. Confidentiality of records
D. Availability of records
NEW QUESTION: 105

An IS auditor notes that help desk personnel are required to make critical decisions during
major service disruptions. Which of the following is the auditor's BEST recommendation to
address this situation?
A. Implement an incident response plan
B. Establish shared responsibility among business peers.
C. Provide historical incident response information for the help desk
D. Introduce classification of disruptions by risk category.
NEW QUESTION: 106

Which of the following is MOST likely to be spoofed in an email transmission?
A. The path the message traveled through the Internet
B. The identity of the sending host
C. The identity of the sender
D. The identity of the receiving host
NEW QUESTION: 107

An IS auditor has discovered that unauthorized customer management software was
installed on a workstation.
The auditor determines the software has been uploading customer ita to an external party.
Which of the following is the IS auditor's BEST course of action?
A. Review other workstations to determine the extent of the incident
B. Notify the incident response team.
C. Present the issue at the next audit progress meeting
D. Determine the number of customer records that were uploaded
NEW QUESTION: 108

Which of the following audit procedures would assist an IS auditor in determining the
effectiveness of a business continuity plan (BCP)?
A. Performing an assessment of BCP test documentation
B. Performing a maturity assessment of BCP methodology against industry standards
C. Participating in BCP meetings held with user department managers
D. Observing tests of the BCP performed at the alternate processing site
NEW QUESTION: 109

When connecting to an organization's intranet from the Internet, security against
unauthorized access is BEST achieved by using:
A. encryption
B. virtual private networks (VPNs).
C. screening routers,
D. proxy servers.
NEW QUESTION: 110

An IS auditor is performing a post-implementation review of a system deployed two years
ago. Which of the following findings should be of MOST concern to the auditor?
A. Workarounds due to remaining defects had to be used longer than anticipated.
B. Benefits as stated in the business case have not been realized.
C. The system has undergone several change requests to further extend functionality.
D. Maintenance costs were not included in the project lifecycle costs.
NEW QUESTION: 111

What is an IS auditor's BEST course of action if informed by a business unit's
representatives that they are too busy to cooperate with a scheduled audit?
A. Begin the audit regardless and insist on cooperation from the business unit.
B. Reschedule the audit for a time more convenient to the business unit.
C. Notify the audit committee immediately and request they direct the audit begin on
schedule.
D. Notify the chief audit executive who can negotiate with the head of the business unit.
NEW QUESTION: 112

Which of the following are BEST suited for continuous auditing?
A. Manual transactions
B. Low-value transactions
C. Irregular transactions
D. Real-time transactions
NEW QUESTION: 113

Which of the following would provide management with the MOST reasonable assurance
that a new data warehouse will meet the needs of the organization?
A. Appointing data stewards to provide effective data governance
B. Facilitating effective communication between management and developers
C. Integrating data requirements into the system development life cycle (SDLC)
D. Classifying data quality issues by the severity of their impact to the organization
NEW QUESTION: 114

Which of the following is the GREATEST risk associated with in-house program
development and customization?
A. The lack of a quality assurance function
B. The lack of a test environment
C. The lack of secure coding expertise
D. The lack of documentation for programs developed
NEW QUESTION: 115
An IS auditor is evaluating the access controls at a multinational company with a shared
network infrastructure. Which of the following is MOST important?
A. Remote network administration
B. Simplicity of end-to-end communication paths
C. Common security policies
D. Logging of network information at user level
NEW QUESTION: 116

An organization has outsourced its data processing function to a service provider. Which of
the following would BEST determine whether the service provider continues to meet the
organization s objectives?
A. Adequacy of the service provider's insurance
B. Review of performance against service level agreements (SLAs)
C. Assessment of the personnel training processes of the provider
D. Periodic audits of controls by an independent auditor
NEW QUESTION: 117

Which of the following would be MOST important for an IS auditor to review during an audit
of an automated continuous monitoring process being used by the finance department.
A. Management sign-off of test documentation
B. Resiliency of the monitoring service
C. Configuration of the monitoring tool
D. Dual control and approvals embedded in processes
NEW QUESTION: 118

Which of the following is the MOST effective way to assess whether an outsourcer's
controls are following the service level agreement (SLA)?
A. Review the outsourcer's monthly service reports.
B. Perform an onsite review of the outsourcer.
C. Perform a review of penalty clauses for non-performance.
D. Review an internal audit report from the outsourcer's auditor.
NEW QUESTION: 119

Which of the following is an effective way to ensure the integrity of file transfers in a peer-
to-peer (P2P) computing environment?
A. Encrypt the packets shared between peers within the environment.
B. Connect the client computers in the environment to a jump server.
C. Associate a message authentication code with each file transferred.
D. Ensure the files transferred through an intrusion detection system (IDS).
NEW QUESTION: 120

Which of the following should be the PRIMARY consideration when developing an IT
strategy?
A. Alignment with overall business objectives
B. IT key performance indicators based on business objectives
C. Short and long-term plans for the enterprise IT architecture
D. Alignment with the IT investment portfolio
NEW QUESTION: 121

Which of the following is the MOST important determining factor when establishing
appropriate timeframes for follow-up activities related to audit findings?
A. Availability of IS audit resources
B. Remediation dates included m management responses
C. Peak activity periods for the business
D. Complexity of business processes identified in the audit
NEW QUESTION: 122

Which of the following is MOST important to ensure when planning a black box penetration
test?
A. The management of the client organization is aware of the testing.
B. The test results will be documented and communicated to management.
C. Diagrams of the organization s network architecture are available.
D. The environment and penetration test scope have been determined.
NEW QUESTION: 123
.. Implementing which of the following would BEST address issues relating to the aging of
IT systems?
A. IT project management
B. Release management
C. Application portfolio management
D. Configuration management
NEW QUESTION: 124

A previously agreed-upon recommendation was not implemented because the auditee no
longer agrees with the original finding. The IS auditor's FIRST course of action should be
to:
A. require implementation of the original recommendation.
B. exclude the finding in the follow-up audit report.
C. escalate the disagreement to the audit committee.
D. assess the reason for the disagreement.
NEW QUESTION: 125

An organization with high availability resource requirements is selecting a provider for
cloud computing.
Which of the following would cause the GREATEST concern to an IS auditor? The
provider:
A. deploys patches automatically without testing.
B. does not store backup media offsite.
C. hosts systems for the organization's competitor.
D. is not internationally certified for high availability.
NEW QUESTION: 126

Which of the following is the BEST way to help ensure new IT implementations align with
enterprise architecture principles and requirements?
A. Document the security view as part of the enterprise architecture.
B. Conduct enterprise architecture reviews as part of the change advisory board.
C. Perform mandatory post-implementation reviews of IT implementations.
D. Consider stakeholder concerns when defining the enterprise architecture.
NEW QUESTION: 127

Privileged account access is require to start an ad hoc batch job. Which of the following
would MOST effectively detect unauthorized job execution?
A. Introducing job execution request procedures
B. Executing the job through two-factor authentication
C. Requiring manual approval by an authorized users
D. Reconciling user activity logs against authorization
NEW QUESTION: 128

Which of the following is a detective control?
A. A router rule restricting a service
B. Programmed edit checks
C. Procedures for authorizing transactions
D. Echo checks m telecommunications
NEW QUESTION: 129

Loading of illegal software packages onto a network by an employee is MOST effectively
detected by:
A. regular scanning of hard drives
B. diskless workstations
C. maintaining current antivirus software
D. logging of activity on network drives
NEW QUESTION: 130

Which of the following would be considered a corrective control when designing the
security of a data center?
A. Security guards
B. Fire extinguisher
C. Closed-circuit television (CCTV)
D. Perimeter fence
NEW QUESTION: 131

An IS audit manager finds that data manipulation logic developed by the audit analytics
team leads to incorrect conclusions This inaccurate logic is MOST likely an indication of
lich of the following?
A. Poor change controls over data sets collected from the business
B. Incompatibility between data volume and analytics processing capacity
C. Poor security controls that grant inappropriate access to analysis produced
D. The team's poor understanding of the business process being analyzed
NEW QUESTION: 132

The MAIN objective of incident management is to:
A. permit the incident to go on and follow the trail back to the beginning.
B. have an external computer security incident response team assess damage.
C. keep the business going while the response is occurring.
D. test for readiness to respond when facing an incident.
NEW QUESTION: 133

The BEST reason for implementing a virtual private network (VPN) is that it:
A. allows for public use of private networks.
B. allows for private use of public networks.
C. enables use of existing hardware platforms.
D. eases the implementation of data encryption.
NEW QUESTION: 134

During a post-incident review of a security breach, what type of analysis should an IS
auditor expect to be performed by the organization's information security team?
A. Qualitative risk analysis
B. Gap analysis
C. Business impact analysis (BIA)
D. Root cause analysis
NEW QUESTION: 135

An IS audit report highlighting inadequate network internal controls is challenged because
no serious incident has ever occurred. Which of the following actions performed during the
audit would have BEST supported the findings?
A. Threat risk assessment
B. Compliance testing
C. Vulnerability assessment
D. Penetration testing
NEW QUESTION: 136

Stress testing should ideally be carried out under a:
A. production environment with production workloads.
B. test environment with production workloads.
C. production environment with test data.
D. test environment with test data.
NEW QUESTION: 137

An internal audit has revealed a large number of incidents for which root cause analysis
has not been performed. Which of the following is MOST important for the IS auditor to
verify to determine whether there is an audit issue?
A. Frequency of the incidents
B. Cost of resolving the incidents
C. Time required to resolve the incidents
D. Severity level of the incidents
NEW QUESTION: 138

Due to cost restraints, a company defers the replacement of hardware supporting core
applications. Which of the following represents the GREATEST risk?
A. Maintenance costs may rise
B. future upgrades may not be possible.
C. Systems availability may suffer.
D. Eventual replacement may be more expensive.
NEW QUESTION: 139

The information security function in a large organization is MOST effective when:
A. partnered with the IS development team to determine access rights
B. decentralized as close to the user as possible
C. established at a corporate-wide level.
D. the function reports directly to the IS operations manager.
NEW QUESTION: 140
Which of the following is the MOST important consideration when planning a penetration
test for a financial management system?
A. The tester does not have any conflicts of interest
B. The scanning will be cost efficient
C. The scope of the test was approved.
D. Vulnerability testing will also be performed.
NEW QUESTION: 141

An IS auditor is conducting a review of an organization s information systems and
discovers data that is no longer needed by business applications. Which of the following
would b IS auditor's BEST recommendation?
A. Ask the data custodian to remove it after confirmation from the business user
B. Assess the data according to the retention policy.
C. Keep the data and protect it using a data classification policy
D. Back up the data to removable media and store in a secure area.
NEW QUESTION: 142

An organization allows employees to use personally owned mobile devices to access
customer's personal information. An IS auditor's GREATEST concern should be whether
A. Devices have adequate storage and backup capabilities
B. Devices have the capability to segregate business and personal data.
C. Mobile device security policies have been implemented
D. Mobile devices are compatible with company infrastructure
NEW QUESTION: 143

An IS auditor identifies key controls that have been overridden by management. The next
step the IS auditor should take is to
A. Perform procedures to quantify the irregularities
B. Withdraw from the engagement
C. Recommend compensating controls
D. Report the absence of key controls to regulators
NEW QUESTION: 144

An operations manager has recently moved to internal audit Which of the following would
be of GREATEST concern when assigning audit projects to this individual?
A. A control within the audit scope was downgraded to low risk by the operations manager
six months ago.
B. A system within the audit scope is supported by an emerging technology for which the
operations manager lacks experience.
C. The owner of a process within the audit scope worked for the operations manager six
months ago.
D. A control within the audit scope was implemented by the operations manager six
months ago.
NEW QUESTION: 145

Which of the following should MOST concern an IS auditor reviewing an intrusion detection
system (IDS)?
A. Number of false negatives
B. Number of false positives
C. Legitimate traffic blocked by the system
D. Reliability of IDS logs
NEW QUESTION: 146

Which of the following would provide the BEST evidence for use in a forensic investigation
of an employee's hard drive?
A. Memory dump to an external hard drive
B. Bit-stream copy of the hard drive
C. A file level copy of the hard drive
D. Prior backups
NEW QUESTION: 147

Which of the following would be the MOST appropriate reason for an organization to
purchase fault-tolerant hardware?
A. Minimizing business loss
B. Improving system performance
C. Reducing hardware maintenance costs
D. Compensating for the lack of contingency planning
NEW QUESTION: 148

Documentation of workaround processes to keep a business function operational during
recovery of IT systems is a core part of a:
A. business continuity plan.
B. threat and risk assessment
C. business impact analysis.
D. disaster recovery plan
NEW QUESTION: 149

Which of the following should be performed immediately after a computer security incident
has been detected and analyzed by an incident response team?
A. Eradicate the component that caused the incident
B. Assess the impact of the incident on critical systems.
C. Categorize the incident
D. Contain the incident before it spreads.
NEW QUESTION: 150

What is an IS auditor's BEST recommendation for management if a network vulnerability
assessment confirms that critical patches have not been applied since the last
assessment?
A. Configure servers to automatically apply available patches
B. Remove unpatched devices from the network
C. Apply available patches and continue periodic monitoring
D. Implement a process to test and apply appropriate patches
NEW QUESTION: 151

Due to the small size of the payroll department, an organization is unable to segregate the
employee setup and payroll processing functions. Which of the following would be the
BEST compensating control for the lack of segregation of duties?
A. A review is conducted to verity that terminated employees, are removed from the
employee master file.
B. A payroll variance report is reviewed tor anomalies every pay period
C. The system is configured to require secondary approval for changes to the employee
master file
D. An independent payroll disbursement review is conducted
NEW QUESTION: 152

Which of the following is the BEST approach to help ensure evidence from a computer
forensics investigation is legally admissible?
A. The incident response team reviews and analyzes the evidence, and the evidence file is
then securely deleted to avoid further damage.
B. The computer suspected of storing the evidence Is isolated, and the Incident response
Mm is contacted for investigation.
C. The relevant data is extract from system, firewall and IDS logs then consolidated as
evidence.
D. The media involved is preserved using imaging, and further analysis is performed on
the image instead of The original.
NEW QUESTION: 153

An IS auditor notes that several of a client's servers are vulnerable to attack due to open
unused ports and protocols. The auditor recommends management implement minimum
security requirements. Which type of control has been recommended?
A. Preventive
B. Directive
C. Corrective
D. Compensating
NEW QUESTION: 154

During an audit of a reciprocal disaster recovery agreement between two companies, the
IS auditor would be MOST concerned with the:
A. allocation of resources during an emergency
B. differences in IS policies and procedures
C. maintenance of hardware and software compatibility
D. frequency of system testing
NEW QUESTION: 155

Which of the following control? MOST efficiently ensures that orders transmitted from a
sales office to a production warehouse are received accurately and completely?
A. Transaction totals and record counts should be sent and reconciled before transaction
processing.
B. Continuity of numerical sequences for all sales orders should be checked.
C. Data should be sent back to the originating site and compared to what was sent to
production.
D. Parity checking should be incorporated into all data transmissions.
NEW QUESTION: 156

Which of the following should an IS auditor expect to find in an organization s information
security policies?
A. Asset provisioning lifecycle
B. Authentication requirements
C. Security configuration settings
D. Secure coding procedures
NEW QUESTION: 157

An organization has recently acquired and implemented intelligent-agent software for
granting loans to customers. During the post implementation review, which of the following
would be the KEY procedure for the IS auditor to perform?
A. Review system documentation to ensure completeness.
B. Ensure that a detection system designed to verify transaction accuracy is included.
C. Review input and output control reports to verify the accuracy of the system decisions.
D. Review signed approvals to ensure responsibilities for decisions of the system are
welldefined.
NEW QUESTION: 158

Which of the following observations noted during a review of the organization s social
media practices should be of MOST concern to the IS auditor?
A. The organization does not have a documented social media policy.
B. The organization does not require approval for social media posts.
C. More than one employee is authorized to publish on social media on behalf of the
organization
D. Not all employees using social media have attended the security awareness program.
NEW QUESTION: 159

Which of the following is the BEST way to reduce the risk of vulnerabilities during the rapid
deployment of container-based applications to a hybrid cloud?
A. Conduct a post-deployment security audit to identify vulnerabilities.
B. Review development and operations (DevOps) policies and procedures.
C. Conduct security auditing during the development life cycle.
D. Review a sample of historical production changes to identify abnormalities.
NEW QUESTION: 160

An IS auditor is reviewing an organization's implementation of a bring your own device
(BYOD) program.
Which of the following would be the BEST recommendation to help ensure sensitive data
is protected if a device is in the possession of an unauthorized individual?
A. Enable remote wiping of critical data.
B. Enable the location service feature on devices.
C. Authenticate device users when accessing the corporate network.
D. Encrypt data on devices including storage media.
NEW QUESTION: 161

An IS auditor auditing the effectiveness of utilizing a hot site will MOST likely:
A. evaluate physical access control
B. review reciprocal agreements
C. analyze system restoration procedures
D. review logical access controls
NEW QUESTION: 162

During the procurement process which of the following would be the BEST indication that
prospective vendors will meet the organization's needs?
A. service catalog is documented.
B. An account transition manager has been identified.
C. Expected service levels are defined
D. The vendor's subcontractors have been identified
NEW QUESTION: 163

An organization's audit charter should:
A. detail the audit objectives.
B. define the auditors' right to access information.
C. include the IS audit plan.
D. set the enterprise strategic direction.
NEW QUESTION: 164

The BEST data backup strategy for mobile users is to:
A. synchronize data directories automatically over the network.
B. mirror all data to a portable storage device.
C. have them regularly go to branch offices to perform backups.
D. have them regularly back up data directories onto CD and courier the backups to the
head office.
NEW QUESTION: 165

When auditing the effectiveness of a biometric system, which of the following indicators
would be MOST important to review?
A. False acceptance rate
B. False negatives
C. System response time
D. Failure to enroll rate
NEW QUESTION: 166

A security administrator should have read-only access for which of the following?
A. Router configuration
B. Services/daemons configuration
C. Password policy
D. Security logs
NEW QUESTION: 167

During the evaluation of a firm's newly established whistleblower system, an auditor notes
several findings.
Which of the following should be the
auditor's GREATEST concern?
A. The whistleblower system does not track the time and date of submission.
B. The whistleblower's privacy is not protected.
C. The whistleblower system is only available during business hours.
D. New employees have not been informed of the whistleblower policy.
NEW QUESTION: 168

Which of the following is the BEST way for an IT forensics investigator to detect evidence
of steganography?
A. Identify and analyze emergent properties within a file system's metadata.
B. Recover deleted files from a suspected hard drive utilizing forensics software.
C. Scan computer operating systems using administrative tools.
D. Compare file hashes between original and modified image files.
NEW QUESTION: 169

At a project steering committee meeting, it is stated that adding controls to business
processes undergoing re-engineering is an unnecessary cost. The IS auditor's BEST
response is that the actual control overhead for a business process is:
A. usually difficult to ascertain but is justifiable, because controls are essential to doing
business.
B. usually less than the potential cost of failure caused by lack of controls.
C. usually considerable, but the benefits of good controls always exceed the cost,
D. the responsibility of the project manager, and the cost should have been included in the
budget.
NEW QUESTION: 170

Which of the following requires a consensus by key stakeholders on IT strategic goals and
objectives?
A. Benchmarking
B. Balanced scorecards
C. Maturity models
D. Peer reviews
NEW QUESTION: 171

What should be the PRIMARY basis for scheduling a follow-up audit?
A. The significance of reported findings
B. The availability of audit resources
C. The time elapsed after audit report submission
D. The completion of all corrective actions
NEW QUESTION: 172
After an external IS audit, which of the following should be IT management's MAIN
consideration when determining the prioritization of follow-up activities?
A. The availability of the external auditors
B. The amount of time since the initial audit was completed
C. The materiality of the reported findings
D. The scheduling of major changes in the control environment
NEW QUESTION: 173

Which of the following would represent an acceptable test of an organization s business
continuity plan?
A. Paper test involving functional areas
B. Benchmarking the plan against similar organizations
C. Walk-through of the plan with technology suppliers
D. Full test of computer operations at an emergency site
NEW QUESTION: 174

Which of the following is a directive control?
A. Implementing an information security policy
B. Configuring data encryption software
C. Establishing an information security operations team
D. Updating data loss prevention software
NEW QUESTION: 175

Which of the following types of controls would BEST facilitate a root cause analysis for an
information security incident?
A. Detective
B. Corrective
C. Preventive
D. Directive
NEW QUESTION: 176

Which of the following is the BEST source for describing the objectives of an organization s
information systems?
A. Business process owners
B. IT management
C. End users
D. Information security management
NEW QUESTION: 177

An organization is replacing a mission-critical system. Which of the following is the BEST
implementation strategy to mitigate and reduce the risk of system failure?
A. Stage
B. Big-bang
C. Phase
D. Parallel
NEW QUESTION: 178

The PRIMARY purpose of an internal audit department's quality assurance improvement
program is to evaluate which of the following?
A. The effectiveness of the internal audit function
B. The adequacy and qualifications of internal audit personnel
C. The efficiency of internal audit processes
D. The accuracy of prior-year internal audit results
NEW QUESTION: 179

An IS auditor plans to review all access attempts to a video-monitored and proximity card-
controlled communications room. Which of the following would be MOST useful to the
auditor?
A. Alarm system with CCTV
B. Security incident log
C. Manual sign-in and sign-out log
D. System electronic log
NEW QUESTION: 180

An IS auditor is planning on utilizing attribute sampling to determine the error rate for
health care claims processed. Which of the following factors will cause the sample size to
decrease?
A. Acceptable risk level decrease
B. Expected error rate increase
C. Tolerable error rate increase
D. Population size increase
NEW QUESTION: 181
An IS auditor conducting audit follow-up activities learns that some previously agreed-upon
corrective actions have not been taken and that the associated risk has been accepted by
senior management. If the auditor disagrees with management s decision what is the
BEST way to address the situation?
A. Take no action since management s decision has been made
B. Recommend new corrective actions to mitigate the accepted risk.
C. Report the issue to the chief audit executive for resolution
D. Repeat the audit with audit scope only covering areas with accepted risks.
NEW QUESTION: 182

Which of the following controls is MOST appropriate against brute force attacks at login?
A. Locking the account after three invalid passwords
B. Storing password files using one-way encryption
C. Storing passwords under a one-way hash function
D. Increasing the minimum password length to 10 characters
NEW QUESTION: 183

During a review of an application system, an IS auditor identifies automated controls
designed to prevent the entry of duplicate transactions. What is the BEST way to verify that
the controls work as designed?
A. Enter duplicate transactions in a copy of the live system.
B. Review quality assurance (QA) test results.
C. Use generalized audit software for seeking data corresponding to duplicate
transactions.
D. Implement periodic reconciliations.
NEW QUESTION: 184

Which of the following would be of GREATEST concern to an IS auditor when auditing a
small organization's purchasing department?
A. Purchases can be approved after expenses have already been incurred.
B. Purchasing procedures and processes have not been updated during the past two
years.
C. The organization lacks a purchasing officer with experience in purchasing activities.
D. Some members of the department can request and approve payments for purchase
requests.
NEW QUESTION: 185

Following a security breach, in which a hacker exploited a well-known vulnerability in the
domain controller, an IS auditor has been asked to conduct a control assessment. The
auditor's BEST course of action would be to determine it:
A. The network traffic was being monitored
B. The logs were monitored
C. The patches were updated
D. The domain controller was classified for high availability
NEW QUESTION: 186

Which of the following should be performed FIRST when preparing to deploy a major
upgrade to a critical online application?
A. Update the business impact analysis (BIA)
B. Review data backup procedures
C. Update the disaster recovery process
D. Test the rollback process
NEW QUESTION: 187

While executing follow-up activities, an IS auditor is concerned that management has
implemented corrective actions that are different from those originally discussed and
agreed the audit function. In order to resolve the situation, the IS auditor/, BEST course of
action would be to:
A. determine whether the alternative controls sufficiently mitigate the risk and record the
results
B. reject the alternative controls and re-prioritize the original issue as high risk.
C. postpone follow-up activities and escalate the alternative controls to senior audit
management
D. schedule another audit due to the implementation of alternative controls.
NEW QUESTION: 188
When reviewing a disaster recovery plan (DRP) an IS auditor should examine the:
A. Offsite data file storage
B. Access to the computer site by the backup staff
C. Fire-fighting equipment
D. Uninterruptible power supply (UPS)
NEW QUESTION: 189

A company has located its computer center on a moderate earthquake fault. Which of the
following is the MOST important consideration in establishing a contingency plan and an
alternate processing site?
A. The alternative site does not reside on the same fault no matter how far the distance
apart.
B. The contingency plan provides for backup tapes to be taken to the alternative site.
C. The contingency plan for high priority applications does not involve a shared cold site.
D. The alternative site is a hot site with equipment ready to resume processing
immediately.
NEW QUESTION: 190

When reviewing user access to an application containing sensitive company data, which of
the following should be the GREATEST concern with regard to segregation of duties?
A. The help desk performs application backups.
B. The network administrator performs security administrator functions.
C. The database administrator performs system analyst functions.
D. The application programmer performs quality assurance functions.
NEW QUESTION: 191

An IS auditor is reviewing the results of a business process improvement project. Which of
the following should be performed FIRST?
A. Ensure that lessons learned during the change process are documented.
B. Develop compensating controls.
C. Evaluate control gaps between the old and the new processes.
D. Document the impact of control weaknesses in the process.
NEW QUESTION: 192

An IS auditor finds that firewalls are outdated and not supported by vendors. Which of the
following should be the auditor s NEXT course of action?
A. Report the security posture of the organization.
B. Determine the risk of not replacing the firewall
C. Determine the value of the firewall.
D. Report the mitigating control
NEW QUESTION: 193

Which of the following is the MOST important consideration when developing an online
business architecture and recovery strategy?
A. Vendors financial stability
B. Immediate problem resolution
C. Vendors network security
D. Single points of failure
NEW QUESTION: 194

Which of the following roles combined with the role of a database administrator (DBA) will
create a segregation of duties conflict?
A. Systems analyst
B. Security administrator
C. Quality assurance
D. Application end user
NEW QUESTION: 195

Which of the following is MOST helpful in preventing a systems failure from occurring when
an application is replaced using the abrupt changeover technique?
A. Comprehensive documentation
B. Change management
C. Comprehensive testing
D. Threat and risk assessment
NEW QUESTION: 196

internal IS auditor recommends that incoming accounts payable payment files be
encrypted. Which type of control is the auditor recommending?
A. Directive
B. Preventive
C. Corrective
D. Detective
NEW QUESTION: 197

An IS auditor observed that most users do not comply with physical access controls. The
business manager has explained that the control design is inefficient. What is the auditor's
BEST course of action?
A. Recommend changing the access control process to increase efficiency.
B. Work with management to design and implement a better control.
C. Redesign and retest the physical access control.
D. Identify the impact of control failure and report the finding with a risk rating.
NEW QUESTION: 198

An IS auditor is observing transaction processing and notes that a high-priority update job
ran out of sequence.
What is the MOST significant risk from this observation'
A. Daily schedules may not be accurate
B. The job may not have run to completion.
C. The job completes with invalid data.
D. Previous jobs may have failed.
NEW QUESTION: 199

A new regulation in one country of a global organization has recently prohibited cross-
border transfer of personal data. An IS auditor has been asked to determine the
organization's level of exposure in the affected country. Which of the following would be
MOST helpful in making this assessment?
A. Identifying data security threats in the affected jurisdiction
B. Identifying business processes associated with personal data exchange with the
affected jurisdiction
C. Developing an inventory of all business entities that exchange personal data with the
affected jurisdiction
D. Reviewing data classification procedures associated with the affected jurisdiction
NEW QUESTION: 200

Which of the following is the BEST IS audit strategy?
A. Limit audits to new application system developments
B. Cycle general control and application audits over a two-year period
C. Perform audits based on Impact and probability of error and failure.
D. Conduct general control audits annually and application audits in alternating years
NEW QUESTION: 201

An IS auditor performing an application development review attends development team
meetings. The IS auditor's independence will be compromised if the IS auditor:
A. re-performs test procedures used by the development team.
B. assists in developing an integrated test facility on the system.
C. designs and executes the user's acceptance test plan.
D. reviews the result of systems tests that were performed by the development team.
NEW QUESTION: 202

What is the purpose of a hypervisor?
A. Cloning virtual machines
B. Deploying settings to multiple machines simultaneously
C. Monitoring the performance of virtual machines
D. Running the virtual machine environment
NEW QUESTION: 203

Which of the following is the MOST important reason to classify a disaster recovery plan
(DRP) as confidential?
A. Ensure compliance with the data classification policy.
B. Reduce the risk of data leakage that could lead to an attack.
C. Comply with business continuity best practice.
D. Protect the plan from unauthorized alteration.
NEW QUESTION: 204

An IS auditor is mapping controls to risk for an accounts payable system What is the BEST
control to detect errors in the system?
A. Management approval of payments
B. Alignment of the process to business objectives
C. Quality control review of new payments
D. Input validation
NEW QUESTION: 205

Which of the following is the MOST effective means of helping management and the IT
strategy committee to monitor IT performance?
A. Measurement of service levers against metrics
B. Infrastructure monitoring reports
C. Gap analysis
D. End-user satisfaction surveys
NEW QUESTION: 206

Which of the following should be of GREATEST concern to an IS auditor conducting an
audit of incident response procedures?
A. End users have not completed security awareness training.
B. Senior management is not involved in the incident response process.
C. Critical incident response events are not recorded in a centralized repository.
D. There is no procedure in place to learn from previous security incidents.
NEW QUESTION: 207

An IT service desk has recorded several incidents related to server downtime following the
failure of a network time protocol (NTP) server. Which of the following is the BEST
methodology to help identify the root cause?
A. Cause-and-effect diagram
B. Data flow diagram
C. Server architecture diagram
D. Crow-functional diagram
NEW QUESTION: 208

In attribute sampling, what is the relationship between expected error rate and sample
size?
A. The sample size is not affected by expected error rate.
B. The greater the expected error rate, the smaller the sample size.
C. The greater the sample size, the tower The expected error rate.
D. The greater the expected error rate. The greater the sample size.
NEW QUESTION: 209

Which of the following would provide the MOST assurance that an application will work in a
live environment?
A. Processing of test data to prove that data can passed between individual programs
B. Walking through the programs to view the results of processing copies of production
data
C. Walking through the programs to view the results of error processing
D. Processing of valid and erroneous data In an acceptance test environment
NEW QUESTION: 210

Which of the following should be of GREATEST concern to an IS auditor reviewing an
organization's initiative to adopt an enterprise governance framework?
A. The organization has not identified the business drivers for adopting the framework.
B. The organization's security department has not been involved with the initiative.
C. The organization has not provided employees with formal training on the framework.
D. The organization has tried to adopt the entire framework at once.
NEW QUESTION: 211

Which of the following would be the MOST effective method to address software license
violations on employee workstations?
A. Restricting administrative rights on employee workstations
B. Required automated installation of software.
C. Implementing real-time monitoring software on employee workstations
D. Scanning of workstation daily for unauthorized software use
NEW QUESTION: 212
An IS auditor discovered that a firewall has more services than needed The IS auditor's
FIRST recommendation should be to:
A. ensure logging is turned on.
B. deploy a network penetration team.
C. review configurations
D. Eliminate services except for HTTPS.
NEW QUESTION: 213

Which of the following is the BEST indication of an effective incident management
process?
A. Percentage of incidents where root cause has been identified
B. Number of calls to the help des
C. Number of incidents reviewed by IT management
D. Percentage of incidents closed without escalation
NEW QUESTION: 214

Which of the following is the BEST way to transmit documents classified as confidential
over the Internet?
A. Sending documents as multiple packets over different network routes
B. Converting documents to proprietary format before transmission
C. Hashing the document contents and destroying the hash value
D. Using a virtual private network (VPN)
NEW QUESTION: 215

Which of the following is MOST important for an IS auditor to consider when determining
an appropriate sample size in situations where selecting the entire population is not
feasible?
A. Data integrity
B. Tolerable error
C. Responsiveness of the auditee
D. Accessibility of the data
NEW QUESTION: 216

Which of the following control checks would utilize data analytics?
A. Evaluating configuration settings for the credit card application system
B. Reviewing credit card applications submitted in the past month for blank data fields
C. Attempting to submit credit card applications with blank data fields
D. Reviewing the business requirements document for the credit card application system
NEW QUESTION: 217

Which of the following is the BEST indication that an information security program is
effective?
A. The security team has performed a risk assessment to understand the organization's
risk appetite.
B. The security team is knowledgeable and uses the best available tools.
C. The number of reported and confirmed security incidents has increased after awareness
training.
D. The security awareness program was developed following industry best practices.
NEW QUESTION: 218

To create a digital signature in a message using asymmetric encryption, it is necessary to:
A. encrypt the authentication sequence using a public key.
B. transmit the actual digital signature in unencrypted clear text.
C. First use a symmetric algorithm for the authentication sequence.
D. encrypt the authentication sequence using a private key.
NEW QUESTION: 219

A large insurance company is about to replace a major financial application. Which of the
following is the IS auditor's PRIMARY focus when conducting the pre-implementation
review?
A. Procedure updates
B. System manuals
C. Migration of data
D. Unit testing
NEW QUESTION: 220

The risk that is created if a single sign-on is implemented for all systems is that a/an:
A. compromised password gives access to all systems.
B. user tan bypass current access security.
C. user has equivalent access on all systems.
D. authorized user can bypass the security layers.
NEW QUESTION: 221
Which of the following controls will MOST effectively detect inconsistent records resulting
from the lack of referential integrity in a database management system?
A. Performance monitoring tools
B. Incremental data backups
C. Periodic table link checks
D. Concurrent access controls
NEW QUESTION: 222

A vendor service level agreement (SLA) requires backup to be physically secured. An IS
audit of the backup system revealed a number of the backup media were missing. Which
of the following should be the auditor's NEXT step?
A. Recommend a review of the vendor's contract
B. Recommend identification of the data stored on the missing media
C. Include the missing backup media finding in the audit report
D. Notify executive management
NEW QUESTION: 223

Which of the following would be the MOST likely reason for an intrusion prevention system
(IPS) being unable to block an ongoing web attack?
A. Signatures are outdated
B. The network design contains flaws.
C. The firewall is not configured property.
D. Monitoring personnel are not proactive
NEW QUESTION: 224

The purpose of data migration testing is to validate data:
A. completeness.
B. availability.
C. retention.
D. confidentiality.
NEW QUESTION: 225

When auditing the IT governance of an organization planning to outsource a critical
financial application to a cloud vendor, the MOST important consideration for the auditor
should be:
A. alignment with business requirements.
B. the cost of the outsourced system.
C. the inclusion of a service termination clause.
D. alignment with industry standards.
NEW QUESTION: 226

Capacity management enables organizations to:
A. forecast technology trends.
B. establish the capacity of network communication links.
C. identify the extent to which components need to be upgraded.
D. determine business transaction volumes.
NEW QUESTION: 227

An IS auditor should ensure that an application's audit trail:
A. does not impact operational efficiency
B. is accessible online.
C. logs all database records.
D. has adequate security.
NEW QUESTION: 228

Which of the following is a distinguishing feature at the highest level of a maturity model?
D18912E1457D5D1DDCBD40AB3BF70D5D
A. Processes are monitored continuously.
B. Projects are controlled with management supervision.
C. A continuous improvement process is applied.
D. There are formal standards and procedures.
NEW QUESTION: 229

An IS auditor discovers that management has created a system interface to receive
financial data and store it in a data warehouse. Which of the following provides the BEST
assurance that data in the data warehouse is accurate?
A. Management, access reviews
B. Management reconciliations
C. Established risk management processes
D. A documented change management process
NEW QUESTION: 230

An IS auditor found that a company executive is encouraging employee use of social
networking sites for business purposes. Which of the following recommendations would
BEST help to reduce the risk of data leakage?
A. Monitoring employees social networking usage
B. Requiring policy acknowledgment and nondisclosure agreements signed by employees
C. Establishing strong access controls on confidential data
D. Providing education and guidelines to employees on use of social networking sites
NEW QUESTION: 231

Which of the following is the BEST sampling method to use when estimating the rate of
occurrence of a specific quality in a population?
A. Statistical sampling
B. Discovery sampling
C. Attribute sampling
D. Stop-or-go sampling
NEW QUESTION: 232

Which of the following access rights in the production environment should be granted to a
developer to maintain segregation of duties?
A. IT operations
B. Database administration
C. System administration
D. Emergency support
NEW QUESTION: 233

Which of the following is MOST important for an IS auditor to verify when reviewing a
critical business application that requires high availability?
A. Algorithms are reviewed to resolve process ineffictencies.
B. Users participate in offsite business continuity testing.
C. There is no single point of failure.
D. Service level agreements (SlAs) are monitored.
NEW QUESTION: 234

Which of the following will enable a customer to authenticate an online Internet vendor?
A. Vendor signs a reply using a hash function and the customer's public key.
B. Vendor decrypts incoming orders using its own private key.
C. Customer verifies the vendor is certificate with a certificate authority (CA).
D. Customer encrypts an order using the vendor s public key.
NEW QUESTION: 235

On a daily basis, an in-house development team moves duplicate copies of production
data containing personally identifiable information (Pll) to the test environment Which of the
following is the BEST way to mitigate the privacy risk involved?
A. Sanitize the data in the test environment
B. Encrypt the data file
C. Obtain customer opt-in acceptances.
D. Require data owners to sign off on production data
NEW QUESTION: 236

An IS auditor determines that a business continuity plan has not been reviewed and
approved by management.
Which of the following is the MOST significant risk associated with this situation?
A. The plan may not be aligned with industry best practice.
B. Continuity planning may be subject to resource constraints.
C. Critical business processes may not be addressed adequate.
D. The plan has not been reviewed by risk management
NEW QUESTION: 237

An IS auditor has been asked to advise on the design and implementation of IT
management best practices Which of the following actions would impair the auditor's
independence?
A. Implementing risk response on management's behalf
B. Designing an embedded audit module
C. Providing consulting advice for managing applications
D. Evaluating the risk management process
NEW QUESTION: 238

The drives of a tile server are backed up at a hot site. Which of the following is the BEST
way to duplicate the files stored on the server for forensic analysis?
A. Capture a bit-by-bit image of the file server's drives.
B. Replicate the server's volatile data to another drive.
D18912E1457D5D1DDCBD40AB3BF70D5D
C. Create a logical copy of the file server's drives.
D. Run forensic analysis software on the backup drive.
NEW QUESTION: 239

Which of the following poses the GREATEST risk to the enforceability of networking
policies in a virtualized environment?
A. Lack of visibility into the networks
B. Transmission of data on public networks
C. Lack of encryption for data at rest
D. Use of a public key infrastructure
NEW QUESTION: 240

Which of the following methodologies is MOST appropriate to use for developing software
with incomplete requirements?
A. Process-based
B. Waterfall
C. Critical chain
D. Agile
NEW QUESTION: 241

Both statistical and nonstatistical sampling techniques:
A. provide each item an equal opportunity of being selected.
B. permit the auditor to quantify and fix the level of risk
C. permit the auditor to quantity the probability of error,
D. require judgment when defining population characteristics
NEW QUESTION: 242

Which of the following is an IS auditor's recommendation for mitigating risk associated with
rapid expansion of hosts within a virtual environment?
A. Ensure quick access to updated images of a guest operating system for fast recovery
B. Limit access to the hypervisor operating system (OS) and administration console
C. Consider using a third-party service provider to share the virtual machine (VM) risk
D. Implement policies and processes to control virtual machine (VM) lifecycle management
NEW QUESTION: 243

Which of the following is an IS auditor's BEST course of action upon learning that
preventive controls have been replaced with detective and corrective controls'
A. Recommend the implementation of preventive controls in addition to the other controls.
B. Report the issue to management as the risk level has increased.
C. Evaluate whether new controls manage the risk at an acceptable level.
D. Verify the revised controls enhance the efficiency of related business processes.
NEW QUESTION: 244

Which of the following would be the MOST effective method to identify high risk areas in
the business to be included in the audit plan?
A. Review external audit reports of the business.
B. Validate current risk from poor internal audit findings.
C. Engage with management to understand the business.
D. Review industry reports to identify common risk areas
NEW QUESTION: 245

In a typical SDLC, which group is PRIMARILY responsible for confirming compliance with
requirements?
A. Steering committee
B. Risk management
C. Internal audit
D. Quality assurance
NEW QUESTION: 246

When developing a business continuity plan (BCP), which of the following steps should be
completed FIRST?
A. Carry out a risk assessment.
B. Review the business continuity insurance policy.
C. Ensure that offsite backups can be efficiently restored.
D. Identify alternatives to critical applications.
NEW QUESTION: 247

When initiating an IT project, which of the following should be completed FIRST:'
A. Requirements definition
B. Request for proposal
C. Feasibility study
D. Project plan
NEW QUESTION: 248

An IS auditor performs a follow-up audit and learns the approach taken by the auditee to
fix the findings differs from the agreed-upon approach confirmed during the last audit.
Which of the following should be the auditor's NEXT course of action?
A. Evaluate the appropriateness of the remedial action taken.
B. Report results of the follow-up to the audit committee.
C. Inform senior management of the change in approach.
D. Conduct a risk analysis incorporating the change.
NEW QUESTION: 249

During a review of an insurance company s claims system, the IS auditor learns that
claims for specific medical procedures are acceptable only from females This is an
example of a:
A. completeness check.
B. key verification.
C. logical relationship check
D. reasonableness check
NEW QUESTION: 250

Which of the following is the BEST time for an IS auditor to perform a post-implementation
review?
A. When the system has stabilized
B. After the completion of user testing
C. Before decommissioning the legacy system
D. Immediately after the new system goes into production
NEW QUESTION: 251

An IS auditor would MOST likely recommend that IT management use a balanced
scorecard to:
A. Assess IT functions and processes
B. Indicate whether the organization meets quality standards
C. Train and educate IT staff
D. Ensure that IT staff meet performance requirements
NEW QUESTION: 252

Which of the following MOST efficiently protects computer equipment against short-term
reductions in electrical power?
A. Surge protection devices
B. Alternative power supplies
C. Power line conditioners
D. Generators
NEW QUESTION: 253

Which of the following poses the GREATEST risk to data security and integrity in a cloud
environment?
A. Data regulations are not clearly defined for the cloud provider.
B. Data backups are maintained with the cloud provider.
C. Data is not classified prior to transmission to the cloud provider.
D. Data is transmitted using hypertext transfer protocol (HTTP).
NEW QUESTION: 254

Following an acquisition, it was decided that legacy applications subject to compliance
requirements will continue to be used until they can be phased out. The IS auditor needs to
determine where there are control redundancies and where gaps may exist. Which of the
following activities would be MOST helpful in making this determination?
A. Control self-assessments
B. Control testing
C. Control mapping
D. Risk assessment
NEW QUESTION: 255

An IS auditor is conducting a review of a healthcare organization's IT policies for handling
medical records.
Which of the following is MOST important to verify?
A. Policy writing standards are consistent.
B. IT personnel receive ongoing policy training.
C. The polices comply with regulatory requirements.
D. A documented policy approval process is in place.
NEW QUESTION: 256

Which of the following should an IS auditor do FIRST when determining whether to employ
data analytics in an audit?
A. Determine if the data is accessible.
B. Review the data available in existing business reports
C. Review the results of prior audits in the same area.
D. Identify the business stakeholders.
NEW QUESTION: 257

When creating a new risk management program, it is CRITICAL to consider
A. risk mitigation techniques.
B. resource utilization
C. compliance measures.
D. the risk appetite.
NEW QUESTION: 258
An organization migrated most of its physical servers to virtual ones in its own data center.
Which of the following should be of GREATEST concern to an IS auditor reviewing the
virtual environment?
A. Hypervisors have not been updated with the most recent patches.
B. Virtual machine deployments are done without following an approved template.
C. The configuration management database (CMDB) does not include all virtual machines.
D. Hypervisor access control lists are outdated.
NEW QUESTION: 259

An IT steering committee assists the board of directors to fulfill IT governance duties by:
A. developing IT policies and procedures for project tracking.
B. implementing the IT strategy.
C. overseeing major projects and IT resource allocation.
D. focusing on the supply of IT services and products.
NEW QUESTION: 260

Which of the following validation techniques would BEST prevent duplicate electronic
vouchers?
A. Sequence check
B. Cyclic redundancy check
C. Edit check
D. Reasonless check
NEW QUESTION: 261

Which of the following is the MOST important reason for updating and retesting a business
continuity plan (BCP)7
A. Staff turnover
B. Emerging technology
C. Matching industry best practices
D. Significant business change
NEW QUESTION: 262

Following a breach, what is the BEST source to determine the maximum amount of time
before customers must be notified that their personal information may have been
compromised?
A. Information security policy
B. Industry regulations
C. Industry standards
D. Incident response plan
NEW QUESTION: 263

The prioritization of incident response actions should be PRIMARILY based on which of
the following?
A. Scope of disaster
B. Business impact
C. Escalation process
D. Availability of personnel
NEW QUESTION: 264

Which of the following should be of GREATEST concern to an IS auditor reviewing the
controls for a continuous software release process?
A. Developers are able to approve their own releases
B. Release documentation is not updated to reflect successful deployment
C. Testing documentation is not attached to production releases.
D. Test libraries have not been reviewed in over six months
NEW QUESTION: 265

Which of the following should be an IS auditor's FIRST activity when planning an audit?
A. Identify proper resources for audit activities.
B. Document specific questions in the audit program
C. Create a list of key controls to be reviewed.
D. Gain an understanding of the area to be audited.
NEW QUESTION: 266

Following an IT audit, management has decided to accept the risk highlighted in the audit
report. Which of the following would provide the MOST assurance to the IS auditor that
management is adequately balancing the needs of the business with the need to manage
risk?
A. A communication plan exists for informing parties impacted by the risk.
B. Potential impact and likelihood is adequately documented.
C. Established criteria exist for accepting and approving risk.
D. Identified risk is reported into the organization's risk committee.
NEW QUESTION: 267
Which of the following tools is MOST helpful in estimating budgets for tasks within a large
IT business application project?
A. Function point analysis (FPA)
B. Balanced scorecard
C. Ganttchart
D. Critical path methodology (CPM)
NEW QUESTION: 268

Which of the following is MOST important to helping incident response managers quickly
and accurately estimate the overall business impact of security incidents?
A. Develop a communication plan and identity key business stakeholders to be notified.
B. Engage senior business management in determining seventy levels for escalation.
C. Map IT infrastructure to the business processes and client services they support.
D. Ensure the security Incident management team Is staffed with qualified Individuals.
NEW QUESTION: 269

A stockbroker accepts orders over the Internet. Which of the following is the MOST
appropriate control to ensure confidentiality of the orders?
A. Data Encryption Standard (DES)
B. Virtual private network
C. Digital signature
D. Public key encryption
NEW QUESTION: 270

Which of the following is the MOST important benefit of involving IS audit when
implementing governance of enterprise IT?
A. Verifying that legal, regulatory and contractual requirements are being met
B. Providing independent and objective feedback to facilitate improvement of IT processes
C. Identifying relevant roles for an enterprise IT governance framework
D. Making decisions regarding risk response and monitoring of residual risk
NEW QUESTION: 271

Which of the following could be determined by an entity-relationship diagram?
A. How the system behaves as a consequence of external events
B. How data are transformed at they move through the system
C. Modes of behavior of data objects
D. Links between data objects
NEW QUESTION: 272

Which of the following would provide the important input during the planning phase for an
audit on the implementation of a bring your own device (BYOD) program?
A. Findings from prior audits
B. Policies including BYOD acceptable use statements
C. An inventory of personal devices to be connected to the corporate network
D. Results of a risk assessment
NEW QUESTION: 273

Which of the following is the MOST effective control to mitigate unintentional misuse of
authorised access?
A. Formalized disciplinary action
B. Annual sign-off of acceptable use policy
C. Regular monitoring of user access logs
D. Security awareness training
NEW QUESTION: 274

An IS auditor finds that periodic reviews of read-only users for a reporting system are not
being performed.
Which of the following should be the IS auditor's NEXT course of action?
A. Verify managements approval for this exemption.
B. Review the list of end-users and evaluate for authorization.
C. Report this control process weakness to senior management
D. Obtain a verbal confirmation from IT for this exemption.
NEW QUESTION: 275
An IS auditor finds ad hoc vulnerability scanning is in place with no clear alignment to the
organization's wider security threat and vulnerability management program. Which of the
following would BEST enable the organization to work toward improvement in this area?
A. Using a capability maturity model to identify a path to an optimized program
B. Outsourcing the threat and vulnerability management function to a third party
C. Implementing security logging to enhance threat and vulnerability management
D. Maintaining a catalog of vulnerability that may impact mission-critical systems
NEW QUESTION: 276

Which of the following should be of GREATEST concern to an organization's board when
reviewing the internal audit department's quality assurance and improvement program?
A. The program does not Include periodic external assessments.
B. Program metrics have not been updated in over two years.
C. The program does not incorporate recommendations from prior audits.
D. The program has not been approved by senior management.
NEW QUESTION: 277

Which of the following BEST helps to identify errors during data transfer?
A. Decrease the size of data transfer packets.
B. Test the integrity of the data transfer.
C. Review and verify the data transfer sequence numbers.
D. Enable a logging process for data transfer.
NEW QUESTION: 278

As part of business continuity planning. Which of the following is MOST important to
include in a business impact analyst (BIA)?
A. Assess threats to the organization
B. Assess risk of moving significant applications to the cloud
C. Assess recovery scenarios
D. Define a risk appetite.
NEW QUESTION: 279

When preparing to evaluate the effectiveness of an organizations IT strategy, an IS auditor
should FIRST review;
A. Information security procedures.
B. the IT governance framework.
C. the IT processes and procedures.
D. the most recent audit results.
NEW QUESTION: 280

Which of the following is the BEST reason for an organization to develop a business
continuity plan?
A. To avoid the costs resulting from the failure of key systems and processes
B. To establish business uns prioritization of systems projects, and strategies
C. To identify the users of information systems and processes
D. To develop a detailed desertion of information systems and processes
NEW QUESTION: 281

Which of the following is MOST likely to be included in a post-implementation review?
A. Test results
B. Results of live processing
C. Current sets of test data
D. Development methodology
NEW QUESTION: 282

Which of the following sampling techniques is commonly used in fraud detection when the
expected occurrence rate is small and the specific controls are critical?
A. Discovery sampling
B. Stop-or-go sampling
C. Monetary unit sampling
D. Random sampling
NEW QUESTION: 283

Which of the following sampling methods is the BEST approach for drawing conclusions
based on frequency of occurrence?
A. Difference estimation sampling
B. Stratified sampling
D. Monetary estimation sampling
NEW QUESTION: 284

While reviewing a hot site, the IS auditor discovers that one type of hardware platform is
not installed. The IS auditor should FIRST
A. determine the business impact of the absence of the hardware.
B. report the finding immediately to senior IS management
C. recommend the purchase and installation of hardware at the hot site
D. establish the lead time for delivery of a new machine
NEW QUESTION: 285

A risk analysis is MOST useful when applied during which phase of the system
development process?
A. Design
B. Pre-implementation
C. Feasibility
D. Testing
NEW QUESTION: 286

During a review of a production schedule, an IS auditor observes that a staff member is not
complying with mandatory operational procedures-The auditor's NEXT step should be to:
A. determine why the procedures were not followed.
B. issue an audit memorandum identifying the noncompliance.
C. include the noncompliance in the audit report.
D. note the noncompliance in the audit working capers.
NEW QUESTION: 287

An IS auditor observes that an organization s critical IT systems nave experienced several
failures throughout the year. Which of the following is the BEST recommendation?
A. Contract for a hot site
B. Perform a disaster recovery test
C. Perform a root cause analysis.
D. Implement redundant systems.
NEW QUESTION: 288

Which of the following is the MOST effective mechanism for ensuring that critical IT
operational problems are reported to executive management in a timely manner?
A. Regular meetings
B. Service level monitoring
C. Periodic status reports
D. Escalation procedures
NEW QUESTION: 289

Which of the following would MOST effectively minimize the risk of unauthorized online
banking customer transactions due to phishing?
A. A customer awareness program
B. Clear audit trails
C. An intrusion prevention system OPS)
D. A strong authentication mechanism
NEW QUESTION: 290

Which of ihe following BEST indicates a need to review an organization's information
security policy?
A. Increasing complexity of business transactions
B. High number of low-risk findings in the audit report
C. Completion of annual IT risk assessment
D. Increasing exceptions approved by management
NEW QUESTION: 291

Which of the following BEST demonstrates to an IS auditor that an organization has
implemented effective risk management processes?
A. Critical business assets have additional controls.
B. The risk register is reviewed periodically.
C. The inventory of IT assets includes asset classification.
D. A business impact analysis (BIA) has been completed.
NEW QUESTION: 292

An organization is developing data classification standards and has asked internal audit for
advice on aligning the standards with best practices. Internal audit would MOST likely
recommend the standards should be:
A. aligned with the organization's segregation of duties requirements
B. based on the business requirements for authentication of the information.
C. based on the results of an organization-wide risk assessment
D. based on the business requirements for confidentiality of the information.
NEW QUESTION: 293

When using a wireless device, which of the following BEST ensures confidential access to
email via web mail?
A. Simple object access protocol (SOAP)
B. Extensible markup language (XML)
C. Hypertext transfer protocol secure (HTTPS)
D. Wired equivalent privacy (WEP)
NEW QUESTION: 294

An existing system is being replaced with a new application package. User acceptance
testing (UAT) should ensure that:
A. the new system is better than the old system.
B. data from the old system has been converted correctly
C. the new system functions as expected.
D. there is a business need for the new system.
NEW QUESTION: 295

While planning a security audit, an IS auditor is made aware of a security review carried
out by external consultants. It is MOST implement for the auditor to:
A. Asses the objectively and competence of the consultant
B. Review similar reports issued by the consultants.
C. Accept the finding and conclusion of the consultants
D. Re-perform the security review
NEW QUESTION: 296

Which of the following provides an IS auditor the MOST assurance that an organization is
compliant with legal and regulatory requirements?
A. The IT manager is responsible for the organization s compliance with legal and
regulatory requirements.
B. Controls associated with legal and regulatory requirements have been identified and
tested
C. Senior management has provided attestation of legal and regulatory compliance
D. There is no history of complaints or fines from regulators regarding noncompliance
NEW QUESTION: 297

An IS auditor has been asked to audit the proposed acquisition of new computer hardware.
The auditor's PRIMARY concern is that:
A. the new hardware meets established security standards.
B. a clear business case has been established,
C. the implementation plan meets user requirements.
D. a full visible audit trail will be included
NEW QUESTION: 298

When planning an application audit, it is MOST important to evaluate risk factors by
interviewing:
A. process owners
B. IT management
C. application users
D. application owners
NEW QUESTION: 299

The risk that the IS auditor will not find an error that has occurred is identified by which of
the following terms?
A. Control
B. Prevention
C. Inherent
D. Detection
NEW QUESTION: 300

As part of a post-implementation review, the BEST way to assess the realization of
outcomes is by:
A. obtaining feedback from the user community.
B. performing a comprehensive risk analysis.
C. evaluating the actual performance of the system.
D. comparing the business case benefits to the achieved benefits.
NEW QUESTION: 301
What should an IS auditor do when informed that some recommendations cannot be
implemented due to financial constraints?
A. Suggest management identify cost-effective alternatives.
B. Insist the recommendations be implemented.
C. Document management's response in the working papers.
D. Agree to waive the recommendations.
NEW QUESTION: 302

Which of the following should be of GREATEST concern when conducting an audit of
software inventory management?
A. Missing licensing paper contracts
B. Development libraries not included in inventory records
C. Anti-virus software not regularly upgraded
D. Unlicensed software
NEW QUESTION: 303

Which of the following is an example of audit risk?
A. Sampling methods may not detect a material error
B. Management may disagree with audit conclusions
C. Newer auditors may require additional supervision and training
D. Audit work may be lost due to a malware attack
NEW QUESTION: 304

An IS auditor has performed an agreed-upon procedures engagement for the
organization's IT steering committee. Which of the following would be the MOST important
element to include in the report?
A. An opinion on the effectiveness of controls
B. Complementary user entity controls
C. Statement that the engagement followed standards
D. Managements representation on the effectiveness of controls
NEW QUESTION: 305

Which of the following is the BEST method for uncovering shadow IT within an
organization?
A. Review business processes.
B. Analyze help desk tickets.
C. Use a cloud access security broker (CASB).
D. Review secondary approval thresholds.
NEW QUESTION: 306

Which of the following would BEST detect that a distributed-denial-of-service attack
(DDoS) is occurring?
A. Automated monitoring of logs
B. Penetration testing
C. Customer service complaints
D. Server crashes
NEW QUESTION: 307

A typical network architecture used for e-commerce, a load balancer is normally found
between the:
A. users and the external gateways.
B. mail servers and the mail repositories
C. databases and the external gateways,
D. routers and the web servers.
NEW QUESTION: 308

Which of the following activities provides an IS auditor with the insight regarding potential
single person dependencies that might exist withing the organization?
A. Reviewing vacation patterns
B. Mapping IT processes to roles
C. Reviewing user activity logs
D. Interviewing senior IT management
NEW QUESTION: 309
An IS auditor is evaluating a virtual server environment and learns that the production
server, development server, and management console are housed in the same physical
host. What should be the auditor's PRIMARY concern?
A. The development server and management console share the same host
B. The development and production servers share the same host
C. The physical host is a single point of failure
D. The management console is a single point of failure.
NEW QUESTION: 310

The recovery time objective (RTO) is normally determined on the basis of the:
A. cost of recovery of all systems.
B. criticality of the systems affected.
C. risk of occurrence.
D. acceptable downtime of the alternate site,
NEW QUESTION: 311

An IS auditor discovers that validation controls in a web application have been moved from
the server side into the browser to boost performance. This would MOST likely increase
the risk of a successful attack by:
A. denial of service (DoS).
B. buffer overflow.
C. structured query language (SQL) injection.
D. phishing.
NEW QUESTION: 312

Which of the following will BEST help to ensure that an in-house application in the
production environment is current?
A. Change management
B. Production access control
C. Version control procedures
D. Quality assurance
NEW QUESTION: 313

An IS auditor notes that the anticipated benefits from an ongoing infrastructure projects
have changed due to recent organizational restructuring. Which of the following is the IS
auditor's BEST recommendation?
A. Review and update the business impact analysis (BIA)
B. Conduct a new feasibility study
C. Review business goals and objectives
D. Review and reapprove the business case
NEW QUESTION: 314

An organization uses two data centers. Which of the following would BEST address the
organization's need for high resiliency?
A. The data centers act as mirrored sites.
B. A hot site is used for the second site.
C. Each data center is recoverable via tape backups.
D. There is data replication across the data centers.
NEW QUESTION: 315

What is the FIRST step an auditor should take when beginning a follow-up audit?
A. Review workpapers from the previous audit
B. Meet with the auditee to discuss remediation progress
C. Review previous findings and action plans
D. Gather evidence of remediation to conduct tests of controls
NEW QUESTION: 316

Which of the following controls is MOST effective in detecting spam?
A. Denying transmission control protocol (TCP) connections in the mail server
B. Registering the recipient with keepers of spam lists
C. Using heuristic filters based on the content of the message
C Refusing Internet protocol (IP) connections at the router
NEW QUESTION: 317

Prior to the migration of acquired software into production, it is MOST important that the IS
auditor review the:
A. user acceptance lest report.
B. vendor testing report.
C. system documentation.
D. source code escrow agreement.
NEW QUESTION: 318

An IS auditor finds that a mortgage origination team receives customer mortgage
applications via a shared repository. Which of the following test procedures is the BEST
way to assess whether there are adequate privacy controls over this process?
A. Validate whether the encryption is compliant with the organization's requirements.
B. Validate whether complex passwords are required.
C. Validate that data is entered accurately and timely.
D. Validate whether documents are deleted according to data retention procedures.
NEW QUESTION: 319

During a post-implementation review, a step in determining whether a project met user
requirements is to review the:
A. effectiveness of user training.
B. change requests initiated after go-live.
C. completeness of user documentation.
D. integrity of key calculations.
NEW QUESTION: 320

Which of the following is a benefit of requiring management to issue a report to
stakeholders regarding the internal controls over IT?
A. Focus on IT governance
B. Transparency of IT costs
C. Improved cost management
D. Improved portfolio management
NEW QUESTION: 321

Which of the following BEST indicates the effectiveness of an organization's risk
management program?
A. Overall risk is quantified.
B. Residual risk is minimized.
C. Control risk is minimized.
D. Inherent risk is eliminated.
NEW QUESTION: 322

While reviewing the project plan for a new system prior to go-live, an IS auditor notes that
the project team has not documented a fallback plan. Which of the following would be the
BEST go-live approach in this situation?
A. Load balancing
B. Immediate cutover
C. Real-time replication
D. Parallel processing
NEW QUESTION: 323

The CIO of an organization is concerned that the information security policies may not be
comprehensive.
Which of the following should an IS auditor recommend be performed FIRST?
A. Compare the policies against an industry framework.
B. Establish a governance board to track compliance with the policies
C. Determine if there is j process to handle exceptions to the policies
D. Obtain a copy of their competitor's policies
NEW QUESTION: 324

An IS auditor notes that several users have not logged into an application for more than
one year. Which of the following would be the BEST audit recommendation?
A. Delete the affected users' IDs.
B. Periodically review user access.
C. Periodically review the information security policy.
D. Update the termination procedures
NEW QUESTION: 325

The PRIMARY objective of parallel testing an application is to confirm that:
A. the results of calculations in the new system are as accurate as the old system.
B. the costs of running the new system are the same as running the old system.
C. system response times in the new system are better than the old system.
D. new system processing times are similar to those of the old system.
NEW QUESTION: 326
Which of the following presents the GREATEST security risk in a virtualized computing
environment?
A. Backups for sensitive data formats are not stored at an offsite location.
B. Some business users have not received appropriate training on the virtual desktop
environment.
C. Physical access to the data center that hosts hardware for virtual machines is not
logged.
D. Passwords for the software that controls the operations of virtual machines are set to
default.
NEW QUESTION: 327

Which of the following is the MOST appropriate document for granting authority to an
external IS auditor in an audit engagement with a client organization?
A. Request for proposal for audit services
B. Approved statement of work
C. An internal memo to all concerned parties
D. Formally approved audit charter
NEW QUESTION: 328

An IS auditor is assessing an organization's implementation of a virtual network. Which of
the following observations should be considered the MOST significant risk?
A. Physical and virtual network configurations are not managed by the same team.
B. Virtual network devices are replicated and stored in offline mode.
C. Traffic over the virtual network is not visible to security protection devices.
D. Communication performance over the virtual network is not monitored.
NEW QUESTION: 329

During a review of information security procedures for disabling user accounts, an IS
auditor discovers that IT is only disabling network access for terminated employees IT
management maintains if terminated users cannot access the network, they will not be
able to access any applications Which of the following is the GREATEST risk associated
with application access?
A. Lack of segregation of duties
B. Loss of non-repudiation
C. Unauthorized access to data
D. Inability to access data
NEW QUESTION: 330
An organization has implemented an automated match between purchase orders, goods
receipts, and invoices.
Which of the following risks will this control BEST mitigate?
A. Delay of purchase orders
B. A legitimate transaction being paid multiple times
C. Customer discounts not being applied
D. Invalid payments being processed by the system
NEW QUESTION: 331

Which of the following should be reviewed FIRST when planning an IS audit?
A. The business environment
B. Annual business unit budget
C. IS audit standards
D. Recent financial information
NEW QUESTION: 332

When reviewing backup policies, an IS auditor MUST verify that backup intervals of critical
systems do not exceed which of the following?
A. Service level objective (SLO)
B. Maximum acceptable outage (MAO)
C. Recovery time objective (RTO)
D. Recovery point objective (RPO)
NEW QUESTION: 333

An advantage of installing a thin client architecture in a local area network (LAN) is that this
would:
A. facilitate the updating of software versions.
B. ensure application availability when the server is down.
C. reduce the risk of a single point of failure
D. stabilize network bandwidth requirements
NEW QUESTION: 334

Which of the following is the GREATEST cause for concern when an organization is
planning to migrate business-critical applications to the cloud using a Platform as a Service
(PaaS) model?
A. The organization will not manage operating system patches.
B. Compliance requirements are not being validated.
C. The cloud provider does not offer regional redundancy.
D. Application data will not be encrypted at rest.
NEW QUESTION: 335

What is the BEST indicator of successful implementation of an organization s information
security policy?
A. Reduced number of successful phishing incidents
B. Reduced number of noncompliance penalties incurred
C. Reduced number of false-positive security events
D. Reduced number of help desk calls
NEW QUESTION: 336

Which of the following would an IS auditor recommend as the MOST effective preventive
control to reduce the risk of data leakage'
A. Verify that application logs capture any changes made.
B. Validate that all data files contain digital watermarks
C. Ensure that paper documents arc disposed security.
D. Implement an intrusion detection system (IDS).
NEW QUESTION: 337

An organization using instant messaging to communicate with customers can prevent
legitimate customers from being impersonated by:
A. logging conversations.
B. authenticating users before conversations are initiated
C. using firewalls to limit network traffic to authorized ports.
D. using call monitoring
NEW QUESTION: 338
Which of the following BEST facilitates the ability to efficiently allocate time, effort, and
resources to address security incidents?
A. Incident classification
B. Incident definition
C. Incident monitoring
D. Incident escalation
NEW QUESTION: 339

Which of the following is the BEST type of backup to minimize the associated time and
media?
A. Differential
B. Incremental
C. Compressed full
D. Mirror
NEW QUESTION: 340

What would be an IS auditors GREATEST concern when using a test environment for an
application audit?
A. Test and production environments do not mirror each other
B. Retention period of test data has been exceeded
C. Test and production environments lack data encryptions
D. Developers have access to the best environment
NEW QUESTION: 341

Which of the following is the MOST important reason to periodically review data that has
already been classified?
A. Older data may need to be archived on removable media.
B. The associated risk may change over time.
C. Additional data may have been added to the inventory.
D. The classification nomenclature has changed.
NEW QUESTION: 342

During a help desk review, an IS auditor determines the call abandonment rate exceeds
agreed-upon service levels. What conclusion can be drawn from this finding?
A. There are insufficient telephone lines available to the help desk.
B. Users are finding solutions from alternative sources.
C. Help desk staff are unable to resolve a sufficient number of problems on the first call.
D. There is insufficient staff to handle the help desk call volume.
NEW QUESTION: 343

When conducting a requirements analysis for a project, the BEST approach would be to:
A. prototype the requirements,
B. consult key stakeholders
C. conduct a control self-assessment
D. test operational deliverable
NEW QUESTION: 344

The BEST way to assure an organization's board of directors that IT strategies support
business objectives is to:
A. confirm that IT strategies have been fully documented and disseminated.
B. provide regular assessments of emerging technologies.
C. identify and repent on the achievement of critical success factors (CSFs).
D. ensure that senior business managers review IT budgets.
NEW QUESTION: 345

An IS auditor s role in privacy and security is to:
A. verify compliance with applicable laws.
B. assist the governance steering committee with implementing a security policy.
C. assist in developing an IS security strategy.
D. implement risk management methodologies.
NEW QUESTION: 346

Which of the following is the PRIMARY reason for database optimization in an environment
with a high volume of transactions?
A. Improving performance
B. Improving availability
C. Preventing data leakage
D. Maintaining integrity
NEW QUESTION: 347

Which of the following is the MOST important consideration for building resilient systems?
A. Eliminating single points of failure
B. Defining recovery point objectives (RPOs)
C. Performing periodic backups
D. Creating disaster recovery plans
NEW QUESTION: 348

Which of the following is the PRIMARY advantage of single sign-on (SSO)?
A. Improves security
B. Ensures good password practices
C. Improves system performance
D. Reduces administrative work load
NEW QUESTION: 349

An IS auditor finds that a company is using a payroll provider hosted in a foreign country
Of the following the MOST important audit consideration is whether the provider s
operations;
A. are aligned with the company's culture
B. meet industry best practice and standards
C. comply with applicable laws and regulations
D. are shared with other companies using the provider
NEW QUESTION: 350

The PRIMARY reason an IS department should analyze past incidents and problems is to:
A. assess help desk performance
B. determine if all incidents and problems are reported
C. assign responsibility for problems.
D. identify the causes of recurring incidents and problems.
NEW QUESTION: 351
An IS auditor is following upon a finding that determined elevated administrator accounts
for servers were not being properly checked out and then back in after each use. Which of
the following is the MOST appropriate sampling technique to determine the scope of the
problem?
A. Random sampling
B. Statistical sampling
D. Stratified sampling
NEW QUESTION: 352

In a RAO model, which of the following roles must be assigned to only one individual?
A. Accountable
B. Consulted
C. informed
D. Responsible
NEW QUESTION: 353

To maintain the confidentiality of information moved between office and home on
removable media, which of the following is the MOST effective control?
A. Data encryption
B. Mandatory file passwords
C. Digitally signed media
D. Security awareness training
NEW QUESTION: 354

An IS auditor would be concerned if the quality assurance (QA) function were found to be
performing which of the following roles?
A. Submitting corrected code for issues identified through the testing process
B. Ensuring the development methods and standards are adhered to throughout the
process
C. Reviewing the code to ensure proper documentation and development practices were
followed
D. Evaluating whether the testing assumptions and developed code are aligned to the
design criteria
NEW QUESTION: 355
When an organization outsources a payroll system to a cloud service provider, the IS
auditor's PRIMARY concern should be the:
A. service provider s data center is on the ground floor.
B. service level agreement (SLA) is not reviewed annually.
C. service provider s platform is not compatible with legacy systems.
D. lack of independent assurance from a third party.
NEW QUESTION: 356

An organization plans to launch a social media presence as part of a new customer service
campaign. Which of the following is the MOST significant risk from the perspective of
potential litigation?
A. Approved employees can use personal devices to post on the company $ behalf
B. Access to corporate-sponsored social media accounts requires only single-factor
authentication.
C. There is a lack of dear procedures for responding to customers on social media outlets
D. The policy stating what employees can post on the organization s behalf is unclear.
NEW QUESTION: 357

Which of the following is the BCST way to determine the effectiveness of a recently
installed intrusion detection system (IDS)?
A. inspect IDS configuration
B. Review audit logs.
C. Conduct attack simulation.
D. Implement access control.
NEW QUESTION: 358

Which of the following is the BEST physical security solution for granting and restricting
access to individuals based on their unique access needs?
A. Bolting door locks
B. Electronic badge system
C. Closed-circuit television (CCTV)
D. Cipher locks
NEW QUESTION: 359

Which of the following is the PRIMARY benefit of using an integrated audit approach?
A. A holistic perspective of overall risk and a better understanding of controls
B. The avoidance of duplicated work and redundant recommendations
C. Enhanced allocation of resources and reduced audit costs
D. Higher acceptance of the findings from the audited business areas
NEW QUESTION: 360

Which of the following is MOST important for the IS auditor to verify when reviewing the
development process of a security policy?
A. Evidence of management approval
B. Identification of the control framework
C. Evidence of active involvement of key stakeholders
D. Output from the enterprise's risk management system
NEW QUESTION: 361

A configuration management audit identified that predefined automated procedures are
used when deploying and configuring application infrastructure in a cloud-based
environment. Which of the following is MOST important for the IS auditor to review?
A. Storage location of configuration management documentation
B. Processes for making changes to cloud environment specifications
C. Contracts of vendors responsible for maintaining provisioning tools
D. Number of administrators with access to cloud management consoles
NEW QUESTION: 362

An audit report notes that terminated employees have been retaining their access rights
after their departure.
Which of the following strategies would BEST ensure that obsolete access rights are
identified in a timely manner?
A. Require local supervisors to initiate connection.
B. Delete user IDs at a predetermined date after their creation.
C. Automatically delete user IDs after they are unused for a predetermined time.
D. Implement an automated interface with the organization's human resources system.
NEW QUESTION: 363

Which of the following provides the GREATEST assurance that any confidential
information on a disk is no longer accessible but the device is still usable by the other
internal users?
A. Password protecting the disk
B. Degaussing the disk
C. Reformatting the disk
D. Erasing the disk

CISA Practice Questions

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CISA Practice Questions

Uploaded by

Copyright:

Available Formats

ISACA.CISA.v2021-03-04.

NEW QUESTION: 100

NEW QUESTION: 101

NEW QUESTION: 102

NEW QUESTION: 103

NEW QUESTION: 104

NEW QUESTION: 105

NEW QUESTION: 106

NEW QUESTION: 107

NEW QUESTION: 108

NEW QUESTION: 109

NEW QUESTION: 110

NEW QUESTION: 111

NEW QUESTION: 112

NEW QUESTION: 113

NEW QUESTION: 114

NEW QUESTION: 116

NEW QUESTION: 117

NEW QUESTION: 118

NEW QUESTION: 119

NEW QUESTION: 120

NEW QUESTION: 121

NEW QUESTION: 122

NEW QUESTION: 124

NEW QUESTION: 125

NEW QUESTION: 126

NEW QUESTION: 127

NEW QUESTION: 128

NEW QUESTION: 129

NEW QUESTION: 130

NEW QUESTION: 131

NEW QUESTION: 132

NEW QUESTION: 133

NEW QUESTION: 134

NEW QUESTION: 135

NEW QUESTION: 136

NEW QUESTION: 137

NEW QUESTION: 138

NEW QUESTION: 139

NEW QUESTION: 141

NEW QUESTION: 142

NEW QUESTION: 143

NEW QUESTION: 144

NEW QUESTION: 145

NEW QUESTION: 146

NEW QUESTION: 147

NEW QUESTION: 148

NEW QUESTION: 149

NEW QUESTION: 150

NEW QUESTION: 151

NEW QUESTION: 152

NEW QUESTION: 153

NEW QUESTION: 154

NEW QUESTION: 155

NEW QUESTION: 156

NEW QUESTION: 157

NEW QUESTION: 158

NEW QUESTION: 159

NEW QUESTION: 160

NEW QUESTION: 161

NEW QUESTION: 162

NEW QUESTION: 163

NEW QUESTION: 164