Cisa V2495 - 220623 - 075451

IT Certification Guaranteed, The Easy Way!
Exam : CISA
Title : Certified Information Systems

Auditor
Vendor : ISACA
Version : V24.95
1
NO.1 Which of the following should occur EARLIEST in a business continuity management lifecycle?
A. Defining business continuity procedures
B. Carrying out a threat and risk assessment
C. Developing a training and awareness program
D. Identifying critical business processes
Answer: D
NO.2 Which of the following should an IS auditor review FIRST during the audit of an organization's
business continuity plan (BCP)?
A. List of critical business processes
B. System recovery lime objectives (RTOs)
C. Frequency of business database replication
D. System recovery manuals and documentation
Answer: A
NO.3 Which of the following findings would be of GREATEST concern when auditing an
organization's end-user computing (EUC)?
A. Inability to monitor EUC audit logs and activities
B. Inconsistency of patching processes being followed
C. Reduced oversight by the IT department
D. Errors flowed through to financial statements
Answer: A
NO.4 Which of the following is the BEST method to prevent wire transfer fraud by bank employees?
A. Re-keying of wire dollar amounts
B. Two-factor authentication control
C. Independent reconciliation
D. System-enforced dual control
Answer: D
NO.5 Which of the following is the MOST effective control to ensure electronic records beyond their
retention periods are deleted from IT systems?
A. Build in system logic to trigger data deletion at predefined times.
B. Perform a sample check of current data against the retention schedule.
C. Review the record retention register regularly to initiate data deletion.
D. Execute all data deletions at a predefined month during the year.
Answer: A
NO.6 Which of the following an IS auditor assurance that the interface between a point of sale (POS)
system and the general ledger is transferring sales data completely and accurately?
A. Monthly bank statements are reconciled without exception.
B. The data transferred over the POS interface is encrypted.
C. Nightly batch processing has been replaced with real-time processing
2
D. Electronic copies of customer sales receipts are maintained.

Answer: A
NO.7 Which of the following should be the PRIMARY objective of a migration audit?
A. Data integrity
B. Business continuity
C. System performance
D. Control adequacy
Answer: A
NO.8 An IS auditor is reviewing the key payroll interface that collects wage rates from various
business applications to process payroll. Which of the following is MOST likely to cause errors in
payroll processing?
A. User acceptance testing (UAT) has not been properly documented for all changes.
B. Data conversion procedures did not include all business applications and interfaces.
C. The payroll processing application does not follow a regularly scheduled patching cycle.
D. Changes to the interface configuration settings were not adequately tested and approved.
Answer: D
NO.9 Which of the following is the MOST important step in the development of an effective IT
governance action plan?
A. Setting up an IT governance framework for the process
B. Conducting a business impact analysis (BIA)
C. Measuring IT governance key performance indicators (KPIs)
D. Preparing a statement of sensitivity
Answer: A
NO.10 Which of the following metrics is MOST useful to an IS auditor when evaluating whether IT
investments are meeting business objectives?
A. Realized return on investment (ROI) versus projected ROI
B. Actual return on investment (ROI) versus industry average ROI.
C. Actual versus projected customer satisfaction
D. Budgeted spend versus actual spend
Answer: A
NO.11 A vulnerability in which of the following virtual systems would be of GREATEST concern to the
IS auditor?
A. The virtual application server
B. The virtual machine management server
C. The virtual antivirus server
D. The virtual file server
Answer: B
3
NO.12 The use of cookies constitutes the MOST significant security threat when they are used for:
A. obtaining a public key from a certification authority (CA)
B. authenticating using username and password
C. downloading files from the host server
D. forwarding email and Internet protocol (IP) addresses
Answer: B
NO.13 Which of the following a recent internal data breach, an IS auditor was asked to evaluate
information security practices within the organization. Which of the following findings would be
MOST important to report to senior management?
A. Desktop passwords do not require special characters
B. Employees are not required to sign a non-compete agreement.
C. Users lack technical knowledge related to security and data protection
D. Security education and awareness workshops have not been completed
Answer: B
NO.14 Of the following, who should approve a release to a critical application that would make the
application inaccessible for 24 hours?
A. Business process owner
B. Data custodian
C. Project manager
D. Chief information security officer (CISO)
Answer: A
NO.15 The information security function in a large organization is MOST effective when:
A. partnered with the IS development team to determine access rights
B. decentralized as close to the user as possible
C. established at a corporate-wide level.
D. the function reports directly to the IS operations manager.
Answer: B
NO.16 During which phase of the incident management life cycle should metrics such as "mean time
to incident discovery" and "cost of recovery" be reported?
A. Containment, analysis, tracking, and recovery
B. Post-incident assessment
C. Planning and preparation
D. Detection, triage, and investigation
Answer: B
NO.17 Which of the following is the MAIN advantage of using one-time passwords?
A. Passwords are hardware/software generated.
B. An intercepted password would be of no use
C. The user does not need to remember passwords
4
D. They are suitable for e-commerce authentication

Answer: C
NO.18 Which of the following Is a challenge in developing a service level agreement (SLA) for
network services?
A. Ensuring that network components are not modified by the client
B. Reducing the number of entry points into the network
C. Finding performance metrics that can be measured property
D. Establishing a well-designed framework for network services
Answer: C
NO.19 A bank is relocating its servers to a vendor that provides data center hosting services to
multiple clients. Which of the following controls would restrict other clients from physical access to
the bank servers?
A. Locking server cages
B. Biometric access at all data center entrances
C. 24-hour security guards
D. Closed-circuit television camera
Answer: A
NO.20 A month after a company purchased and implemented system and performance monitoring
software reports were too large and therefore were not reviewed or acted upon The MOST effective
plan of action would be to
A. evaluate replacement systems and performance monitoring software
B. re-install the system and performance monitoring software
C. restrict functionality of system monitoring software to security-related events
D. use analytical tools to produce exception reports from the system and performance monitoring
software
Answer: D
NO.21 The PRIMARY reason to follow up on prior-year audit reports is to determine if

A. prior-year recommendations have become irrelevant
B. significant changes to the control environment have occurred
C. identified control weaknesses have been addressed
D. inherent risks have changed
Answer: C
NO.22 When measuring the effectiveness of a security awareness program, the MOST helpful key
performance indicator (KPI) is the number of:
A. employees who have signed the information security policy.
B. employees passing a phishing exercise.
C. employees attending security awareness training.
D. security incidents detected by tools.
5
Answer: B
NO.23 Which of the following responsibilities of an organization's quality assurance (QA) function
should raise concern for an IS auditor?
A. Ensuring the test work supports observations
B. Updating development methodology
C. Ensuring standards are adhered to within the development process
D. Implementing solutions to correct defects
Answer: D
NO.24 An organization offers an online information security awareness program to employees on an

annual basis.
Which of the following from an audit of the program should be the auditor's GREATEST concern?
A. New employees are given three months to complete the training
B. Employees have complained about the length of the program
C. The post-training test content is two years old.
D. Training completions is not mandatory for staff.
Answer: D
NO.25 What should be the PRIMARY basis for scheduling a follow-up audit?
A. The significance of reported findings
B. The completion of all corrective actions
C. The availability of audit resources
D. The time elapsed after audit report submission
Answer: A
NO.26 Which of the following observations should be of GREATEST concern to an IS auditor

reviewing a large organization's virtualization environment?
A. An unused printer has been left connected to the host system.
B. Guest tools have been installed without sufficient access control,
C. A rootkit was found on the host operating system
D. Host inspection capabilities have been disabled
Answer: B
NO.27 An organization is migrating its human resources (HR) application to an Infrastructure as a

Service (laaS) model in a private cloud. Who is PRIMARILY responsible for the security configurations
of the deployed application's operating system?
A. The organization
B. The operating system vendor
C. The cloud provider
D. The cloud provider's external auditor
Answer: C
6
NO.28 Which of the following development practices would BEST mitigate the risk associated with
theft erf user credentials transmitted between mobile devices and the corporate network?
A. Enforce the validation of digital certificates used in the communication sessions
B. Allow persistent sessions between mobile applications and the corporate network.
C. Release mobile applications in debugging mode to allow for easy troubleshooting.
D. Embed cryptographic keys within the mobile application source code.
Answer: B
NO.29 In an IT organization where many responsibilities are shared, which of the following would be
the BEST control for detecting unauthorized data changes?
A. Data changes are independently reviewed by another group.
B. Users are required to periodically rotate responsibilities.
C. Segregation of duties conflicts are periodically reviewed.
D. Data changes are logged in an outside application.
Answer: A
NO.30 Which of the following is the BEST way to address ongoing concerns with the quality and
accuracy of internal audits?
A. Require internal peer reviews of audit workspapers.
B. Improve training for IS audit personnel.
C. Engage an independent review of the audit function.
D. Implement performance management for IS auditor.
Answer: C
NO.31 An organization has outsourced its data leakage monitoring to an Internet service provider
(ISP). Which of the following is the BEST way for an IS auditor to determine the effectiveness of this
service?
A. Review the data leakage clause in the SLA.
B. verify the ISP has staff to deal with data leakage.
C. Simulate a data leakage incident.
D. Review the ISP's external audit report
Answer: C
NO.32 An organization seeks to control costs related to storage media throughout the information
life cycle while still meeting business and regulatory requirements. Which of the following is the BEST
way to achieve this objective?
A. Perform periodic tape backups.
B. Stream backups to the cloud.
C. Implement a data retention policy.
D. Utilize solid state memory.
Answer: C
NO.33 Which of the following is the GREATEST benefit of utilizing data analytics?
7
A. Improved communication with management due to more confidence with data results
B. Better risk assessments due to the identification of anomalies and trends
C. Higher-quality audit evidence due to more representative audit sampling
D. Expedient audit planning due to early identification of problem areas and incomplete data
Answer: B
NO.34 Which of the following observations noted during a review of the organization s social media
practices should be of MOST concern to the IS auditor?
A. The organization does not require approval for social media posts.
B. Not all employees using social media have attended the security awareness program.
C. The organization does not have a documented social media policy.
D. More than one employee is authorized to publish on social media on behalf of the organization
Answer: C
NO.35 Which of the following should be of GREATEST concern to an IS auditor reviewing a system
software development project based on agile practices?
A. Lack of user acceptance testing (UAT) sign off.
B. Lack of change management documentation
C. Lack of secure coding practices
D. Lack of weekly production releases
Answer: C
NO.36 Which of the following can help ensure that IT deliverables are linked to business goals and
that appropriate performance criteria are in place?
A. Business process reengineering (BPR)
B. Service level management
C. Quality assurance (QA) practices
D. Benchmarking
Answer: B
NO.37 Which of the following is the GREATEST concern associated with migrating computing
resources to a cloud virtualized environment?
A. An increase in inherent vulnerability
B. An increase in residual risk
C. An increase in the potential for data leakage
D. An increase in the number of e-discovery requests
Answer: C
NO.38 Which of the following is the MOST important factor when an organization is developing
information security policies and procedures?
A. Compliance with relevant regulations
B. Consultation with security staff
C. Alignment with an information security framework
8
D. Inclusion of mission and objectives

Answer: A
NO.39 In the case of a disaster where the data center is no longer available which of the following
tasks should be done FIRST?
A. Perform data recovery
B. Activate the call tree
C. Analyze risk
D. Arrange for a secondary site
Answer: A
NO.40 Which of the following features of a library control software package would protect against
unauthorized updating of source code?
A. Required approvals at each life cycle step
B. Date and time stamping of source and object code
C. Release-to-release comparison of source code
D. Access controls for source libraries
Answer: D
NO.41 An internal audit department reports directly to the chief financial officer (CFO) of an
organization This MOST likely leads to
A. audit findings becoming more business-oriented
B. biased audit findings and recommendations.
C. concern over the independence of the auditor
D. audit recommendations receiving greater attention.
Answer: C
NO.42 What is BEST for an IS auditor to review when assessing the effectiveness of changes recently
made to processes and tools related to an organization's business continuity plan (BCP)?
A. Updated Inventory of systems
B. Full test results
C. Completed test plans
D. Change management processes
Answer: B
NO.43 Which of the following is MOST likely to be included in computer operating procedures in a
large data center?
A. Guidance on setting security parameters
B. Procedures for resequencing source code
C. Procedures for utility configuration
D. Instructions for job scheduling
Answer: D
9
NO.44 Which of the following controls will MOST effectively detect inconsistent records resulting
from the lack of referential integrity in a database management system?
A. Concurrent access controls
B. Incremental data backups
C. Performance monitoring tools
D. Periodic table link checks
Answer: D
NO.45 Which of the following is MOST important for the successful establishment of a security
vunerability management program?
A. A comprehensive asset inventory
B. A tested incident response plan
C. An approved patching policy
D. A robust tabletop exercise plan
Answer: C
NO.46 Which of the following is the BEST source of information for an IS auditor when planning an
audit of a business application's controls?
A. Process flow diagrams
B. User documentation
C. Access control lists
D. Change control procedures
Answer: A
NO.47 Which of the following implementation strategies for new applications presents the
GREATEST risk during data conversion and migration from an old system to a new system?
A. Pilot implementation
B. Phased implementation
C. Direct cutover
D. Parallel simulation
Answer: C
NO.48 An organization's IT security policy requires annual security awareness training for all
employees. Which of the following would provide the BEST evidence of the training's effectiveness?
A. Results of a social engineering test
B. Interviews with employees
C. Decreased calls to the incident response team
D. Surveys completed by randomly selected employees
Answer: A
NO.49 In the risk assessment process, which of the following should be identified FIRST?
A. Impact
B. Threats
10
C. Assets
D. Vulnerabilities
Answer: C
NO.50 Which of the following is the PRIMARY role of key performance indicators (KPIs) in supporting
business process effectiveness?
A. To evaluate the cost-benefit of tools implemented to monitor control performance
B. To analyze workflows in order to optimize business processes and eliminate tasks that do not
provide value
C. To enable conclusions about the performance of the processes and target variances for follow-up
analysis
D. To assess the functionality of a software deliverable based on business processes
Answer: C
NO.51 A company is using a software developer for a project. At which of the following points
should the software quality assurance (QA) plan be developed?
A. Prior to acceptance testing
B. During the feasibility phase
C. As part of software definition
D. As part of the design phase
Answer: D
NO.52 An IS auditor finds that needed security patches cannot be applied to some of an
organization's network devices due to compatibility issues. The organization has not budgeted
sufficiently for security upgrades.
Which of the following should the auditor recommend be done FIRST?
A. Perform a risk analysis of the relevant security issues.
B. Prioritize funding for next year's budget.
C. Discuss adding compensating controls with the vendor.
D. Implement stronger security patch management processes.
Answer: A
NO.53 An online retailer is receiving customer complaints about receiving different items from what
they ordered on the organization's website. The root cause has been traced to poor data quality.
Despite efforts to clean erroneous data from the system, multiple data quality issues continue to
occur. Which of the following recommendations would be the BEST way to reduce the likelihood of
future occurrences?
A. Implement business rules to validate employee data entry.
B. Assign responsibility for improving data quality.
C. Outsource data cleansing activities to reliable third parties.
D. Invest in additional employee training for data entry.
Answer: A
NO.54 In a database management system (DBMS) normalization is used to:
11
A. standardize data names

B. reduce data redundancy
C. eliminate processing deadlocks
D. reduce access time
Answer: B
NO.55 An IS auditor reviewing a purchase accounting system notices several duplicate payments
made for the services rendered. Which of the following is the auditor's BEST recommendation for
preventing duplicate payments?
A. Implement a configuration control to enable sequential numbering of invoices.
B. Request vendors to attach service acknowledgment notices to purchase orders.
C. Implement a system control that determines if there are corresponding invoices for purchase
orders.
D. Perform additional supervisory reviews prior to the invoice payments.
Answer: C
NO.56 Which of the following is the MAIN risk associated with adding a new system functionality
during the development phase without following a project change management process?
A. The new functionality may not meet requirements
B. The added functionality has not been documented
C. The project may go over budget.
D. The project may fail to meet the established deadline
Answer: B
NO.57 Which of the following should be of concern to an IS auditor performing a software audit on
virtual machines?
A. Software licensing does not support virtual machines
B. Applications have not been approved by the chief financial officer (CFO) .
C. Multiple users can access critical applications
D. Software has been installed on virtual machines by privileged users.
Answer: A
NO.58 A post-implementation review of a development project concludes that several business

requirements were not reflected in the software requirement specifications. Which of the following
should an IS auditor recommend to reduce this problem in the future?
A. Appoint a business unit representative.
B. Write test cases from the user requirements.
C. Trace the changes to requirements back to all affected products.
D. Set up a configuration control board.
Answer: A
NO.59 Invoking a business continuity plan (BCP) is demonstrating which type of control?
A. Preventive
12
B. Detective
C. Corrective
D. Directive
Answer: C
NO.60 Data analytics tools and techniques are MOST helpful to an IS auditor during which of the
following audit activities?
A. Audit follow-up
B. Walk-through testing
C. Substantive testing
D. Audit and resource planning
Answer: C
NO.61 The use of which of the following would BEST enhance a process improvement program?
A. Capability maturity models
B. Model-based design notations
C. Project management methodologies
D. Balanced scorecard
Answer: A
NO.62 Which of the following should be of MOST concern to an IS auditor during the review of a
quality management system?
A. The quality management system includes training records for IT personnel.
B. Indicators are not fully represented in the quality management system.
C. There are no records to document actions for minor business processes.
D. Important quality checklists are maintained outside the quality management system.
Answer: B
NO.63 An organization processing high volumes of financial transactions has implemented log file
analysis on a central log server to continuously monitor compliance with its fraud policy. Which of the
following poses the GREATEST risk to this control?
A. IT operations staff have the right to restart the log server.
B. Data entry staff have privileged access to the log server.
C. IT operations staff are able to stop the payment processing system.
D. Software developers have read access to the log server.
Answer: B
NO.64 An existing system is being replaced with a new application package User acceptance testing
(UAT) should ensure that
A. there is a business need for the new system
B. the new system functions as expected.
C. the new system is better than the old system.
D. data from the old system has been converted correctly
13
Answer: A
NO.65 Which of the following is the PRIMARY risk when business units procure IT assets without IT
involvement?
A. Data security requirements are not considered.
B. The business units want IT to be responsible for maintenance costs
C. Corporate procurement standards are not followed
D. System inventory becomes inaccurate.
Answer: D
NO.66 During a routine check, a system administrator identifies unusual activity indicating an
intruder within a firewall. Which of the following controls has MOST likely been compromised?
A. Data integrity
B. Identification
C. Authentication
D. Data validation
Answer: C
NO.67 Which of the following is necessary for effective risk management in IT governance?
A. Risk management strategy is approved by the audit committee
B. Risk evaluation is embedded in management processes.
C. Local managers are solely responsible for risk evaluation
D. IT risk management is separate from corporate risk management
Answer: B
NO.68 Which of the following fire suppression systems needs to be combined with an automatic
switch to shut down the electricity supply in the event of activation?
A. Halon
B. FM-200
C. Carbon dioxide
D. Dry pipe
Answer: D
NO.69 Which of the following provides the MOST comprehensive understanding of an organizations
information security posture?
A. Risk management metrics
B. External audit findings
C. Results of vulnerability assessments
D. The organizationEtms security incident trends
Answer: A
NO.70 An organization wants to change its project methodology to address increasing costs and
process changes Which of the following is the BEST methodology to use?
14
A. Joint application development

B. Object-oriented application development
C. Waterfall application development
D. Agile application development
Answer: A
NO.71 Which of the following security risks can be reduced by a property configured network
firewall?
A. SQL injection attacks
B. Insider attacks
C. Phishing attacks
D. Denial of service (DoS) attacks
Answer: D
NO.72 Which type of control is being implemented when a biometric access device is installed at the
entrance to a facility?
A. Preventive
B. Deterrent
C. Corrective
D. Detective
Answer: C
NO.73 A CIO has asked an IS auditor to implement several security controls for an organization s IT
processes and systems. The auditor should:
A. obtain approval from executive management for the implementation
B. communicate the conflict of interest to audit management
C. perform the assignment and future audits with due professional care.
D. refuse due to independence issues.
Answer: B
NO.74 An organization has suffered a number of incidents in which USB flash drives with sensitive
data have been lost. Which of the following would be MOST effective in preventing loss of sensitive
data?
A. Issuing encrypted USB flash drives to staff
B. Implementing a check-in/check-out process for USB flash drives
C. Increasing the frequency of security awareness training
D. Modifying the disciplinary policy to be more stringent
Answer: A
NO.75 Which of the following would be an appropriate role of internal audit in helping to establish
an organization's privacy program?
A. Analyzing risks posed by new regulations
B. Developing procedures to monitor the use of personal data
15
C. Defining roles within the organization related to privacy

D. Designing controls to protect personal data
Answer: D
NO.76 An IS auditor evaluating a three-tier client/server architecture observes an issue with

graphical user interface (GUI) tasks. Which layer should the auditor recommend the client address?
A. Presentation layer
B. Application layer
C. Storage layer
D. Transport layer
Answer: A
NO.77 An IS auditor reviewing the system development life cycle (SDLC) finds there is no
requirement for business cases. Which of the following should be of GREATEST concern to the
organization?
A. Vendor selection criteria are not sufficiently evaluated
B. Project costs exceed established budgets
C. Business resources have not been optimally assigned o
D. Business impacts of projects are not adequately analyzed
Answer: A
NO.78 An organization is shifting to a remote workforce. In preparation, the IT department is

performing stress and capacity testing of remote access infrastructure and systems. What type of
control is being implemented?
A. Directive
B. Preventive
C. Compensating
D. Detective
Answer: B
NO.79 During a review, an IS auditor notes that an organization's marketing department has
purchased a cloud-based software application without following the procurement process. What
should the auditor do FIRST?
A. Perform a risk analysis.
B. Escalate to senior management.
C. Review the procurement process.
D. Review the business impact analysis (BIA).
Answer: A
NO.80 An organization's enterprise architecture (EA) department decides to change a legacy

system's components while maintaining its original functionality Which of the following is MOST
important for an IS auditor to understand when reviewing this decision?
A. The current business capabilities delivered by the legacy system.
16
B. The proposed network topology to be used by the redesigned system

C. The data flows between the components to be used by the redesigned system
D. The database entity relationships within the legacy system
Answer: D
NO.81 An organization is deciding whether to outsource its customer relationship management

systems to a provider located in another country. Which of the following should be the PRIMARY
influence in the outsourcing decision?
A. Time zone differences
B. The service provider's disaster recovery plan
C. Cross-border privacy laws
D. Current geopolitical conditions
Answer: C
NO.82 In an organization that has a staff-rotation policy, the MOST appropriate access control model
is:
A. discretionary.
B. lattice-based.
C. mandatory.
D. role-based.
Answer: D
NO.83 An IS auditor learns a server administration team regularly applies workarounds to address
repeated failures of critical data processing services. Which of the following would BEST enable the
organization to resolve this issue?
A. Service level management
B. Problem management
C. Change management
D. Incident management
Answer: B
NO.84 When deciding whether a third party can be used in resolving a suspected security breach,
which of the following should be the MOST important consideration for IT management?
A. Third-party cost
B. Incident priority rating
C. Data sensitivity
D. Audit approval
Answer: C
NO.85 Which of the following is MOST likely to enable a hacker to successfully penetrate a system?
A. Unpatched software
B. Decentralized dialup access
C. Lack of DoS protection
17
D. Lack of virus protection

Answer: A
NO.86 A financial institution has a system interface that is used by its branches to obtain applicable
currency exchange rates when processing transactions Which of the following should be the
PRIMARY control objective for maintaining the security of the system interface?
A. Preventing unauthorized access to the data via malicious activity
B. Preventing unauthorized access to the data via interception
C. Ensuring the integrity of the data being transferred
D. Ensuring the availability of the data being transferred
Answer: C
NO.87 An IS auditor performing an audit of backup procedures observes that backup tapes are
picked up weekly and stored offsite at a third-party hosting facility. Which of the following
recommendations would be the BEST way to protect the integrity of the data on the backup tapes?
A. Ensure that the transport company obtains signatures for all shipments
B. Ensure that data is encrypted before leaving the facility.
C. Confirm that data transfers are logged and recorded.
D. Confirm that data is transported in locked tamper-evident containers.
Answer: B
NO.88 An IS auditor notes that IT and the business have different opinions on the availability of their
application servers Which of the following should the IS auditor review FIRST in order to understand
the problem?
A. The regular performance-reporting documentation
B. The alerting and measurement process on the application servers
C. The actual availability of the servers as part of a substantive test
D. The exact definition of the service levels and their measurement
Answer: D
NO.89 During a post-implementation review, an IS auditor learns that while benefits were realized
according to the business case, complications during implementation added to the cost of the
solution. Which of the following is the auditor's BEST course of action?
A. Verify that lessons learned were documented for future projects.
B. Ensure costs related to the complications were subtracted from realized benefits.
C. Determine if project deliverables were provided on time
D. Design controls that will prevent future added costs.
Answer: A
NO.90 An organization has implemented periodic reviews of logs showing privileged user activity
production servers.
Which type of control has been established?
A. Protective
18
B. Detective
C. Preventive
D. Corrective
Answer: B
NO.91 In an environment that automatically reports all program changes. which of the following is
the MOST efficient way to detect unauthorized changes to production programs?
A. Manually comparing code in production programs to controlled copies
B. Verifying user management approval of modifications
C. Reviewing the last compile dale of production programs
D. Periodically running and reviewing test data against production programs
Answer: B
NO.92 An IS auditor previously worked in an organization s IT department and was involved with the
design of the business continuity plan (BCP). The IS auditor has now been asked to review this same
BCP. The auditor should FIRST.
A. document the conflict in the audit report.
B. decline the audit assignment.
C. communicate the conflict of interest to the audit manager prior to starting the assignment.
D. communicate the conflict of interest to the audit committee prior to starting the assignment
Answer: D
NO.93 Which of the following types of firewalls provide the GREATEST degree of control against
hacker intrusion?
A. Screening router
B. Circuit gateway
C. Application level gateway
D. Packet filtering router
Answer: C
NO.94 A data center's physical access log system captures each visitor's identification document
numbers along with the visitor's photo. Which of the following sampling methods would be MOST
useful to an IS auditor conducting compliance testing for the effectiveness of the system?
A. Haphazard sampling
B. Attribute sampling
C. Variable sampling
D. Quota sampling
Answer: B
NO.95 Which of the following would provide the BEST evidence for use in a forensic investigation of
an employee's hard drive?
A. Prior backups
B. Bit-stream copy of the hard drive
19
C. A file level copy of the hard drive

D. Memory dump to an external hard drive
Answer: B
NO.96 Which of the following is the MAIN risk associated with adding a new system functionality
during the development phase without following a project change management process?
A. The project may go over budget
B. The project may fail to meet the established deadline
C. The added functionality has been documented
D. The new functionality may not meet requirements
Answer: C
NO.97 An organization recently implemented a data loss prevention (DLP) solution to control data in
transit. Which of the following would be the GREATEST risk related to the DLP implementation?
A. Scanning end-points during peak hours
B. Inadequate data classification
C. Improperly configured DLP modules
D. DLP false positive alerts
Answer: B
NO.98 Which of the following encryption methods offers the BEST wireless security?
A. Secure Sockets Layer (SSL)
B. Wi-Fi Protected Access 2 (WPA2)
C. Wired equivalent privacy (WEP)
D. Data encryption standard (DES)
Answer: D
NO.99 During a privileged access review, an IS auditor observes many help desk employees have
privileges within systems not required for their job functions. Implementing which of the following
would have prevented this situation?
A. Multi-factor authentication
B. Separation of duties
C. Least privilege access
D. Privileged access reviews
Answer: C
NO.100 What is the MOST important business concern when an organization is about to migrate a
mission-critical application to a virtual environment?
A. Adequacy of the fallback procedures
B. Adequacy of the virtual architecture
C. The organization's experience with virtual applications
D. Confidentiality of network traffic
Answer: B
20
NO.101 Which of the following will MOST likely compromise the control provided by a digital
signature created using RSA encryption?
A. Obtaining the sender's private key
B. Reversing the hash function using the digest
C. Altering the plaintext message
D. Deciphering the receiver's public key
Answer: D
NO.102 An IS auditor is reviewing a banking mobile application that allows end users to perform
financial transactions. Which of the following poses a security risk to the organization?
A. Outdated mobile network settings
B. Application programming interface (API) logic faults
C. Lack of strong device passwords
D. Unpatched security vulnerabilities in the mobile operating system
Answer: D
NO.103 Which of the following key performance indicators (KPIs) provide stakeholders with the
MOST useful information about whether information security risk is being managed?
A. Time from security log capture to log analysis
B. The number of security controls implemented
C. Time from identifying security threats to implementing solutions
D. The number of entries in the security risk register
Answer: C
NO.104 An IS auditor is reviewing environmental controls and finds extremely high levels of
humidity in the data center. Which of the following is the PRIMARY risk to computer equipment from
this condition?
A. Corrosion
B. Static electricity
C. Brownout
D. Fire
Answer: A
NO.105 Which of the following is MOST important to ensure during computer forensics
investigations?
A. The contents of digital evidence are preserved in their original form.
B. The analysis is performed against the original digital evidence.
C. Personnel undertaking the investigation process are certified to collect digital evidence.
D. Effective backup schemes are in place to preserve digital evidence.
Answer: A
NO.106 Which of the following should be of GREATEST concern to an IS auditor reviewing project
21
documentation for a client relationship management (CRM) system migration project?

A. Employees are concerned that data representation in the new system is completely different from
the old system.
B. Five weeks prior to the target date, there are still numerous defects in the printing functionality.
C. A single implementation phase is planned and the legacy system will be immediately
decommissioned.
D. The technical migration is planned for a holiday weekend and end users may not be available.
Answer: C
NO.107 Which of the following would an IS auditor consider to be the MOST significant risk
associated with a project to reengineer a business process?
A. The project manager is inexperienced in information system.
B. Existing baseline processes may not be reported to management.
C. The negative of change may not be documented.
D. Existing controls mat be weakened or removed.
Answer: C
NO.108 Which of the following should be a concern to an IS auditor reviewing a digital forensic
process for a security incident?
A. The media with the original evidence was not write-blocked.
B. The forensic expert used open-source forensic tools.
C. The affected computer was not immediately shut down after the incident.
D. Analysis was performed using an image of the original media.
Answer: A
NO.109 An IS auditor finds that periodic reviews of read-only users for a reporting system are not
being performed.
Which of the following should be the IS auditor's NEXT course of action?
A. Report this control process weakness to senior management
B. Obtain a verbal confirmation from IT for this exemption.
C. Review the list of end-users and evaluate for authorization.
D. Verify managements approval for this exemption.
Answer: C
NO.110 Data anonymizabon helps to prevent which types of attacks in a big data environment?
A. Denial of service (DoS)
B. Man-in-the-middle
C. Correlation
D. Spoofing
Answer: C
NO.111 Which of the following should be included in a business impact analysis (BIA)
A. identification of IT resources that support key business processes
22
B. Recovery strategy for significant business interruptions

C. Support documentation for the recovery alternative
D. Roles and responsibilities for the business continuity process
Answer: A
NO.112 During a database security audit, an IS auditor is reviewing the process used to upload
source data Which of the following is the MOST significant risk area for the auditor to focus on?
A. Data resilience
B. Data normalization
C. Data integrity
D. Data sensitivity
Answer: C
NO.113 During a security audit, an IS auditor is tasked with reviewing log entries obtained from an
enterprise intrusion prevention system (IPS). Which type of risk would be associated with the
potential for the auditor to miss a sequence of logged events that could indicate an error in the IPS
configuration?
A. Sampling risk
B. Inherent risk
C. Detection risk
D. Control risk
Answer: C
NO.114 Which of the following would be MOST useful to an IS auditor confirming thai an IS
department meets its service level agreements (SLAs)?
A. Capacity planning tools
B. IS strategic plan
C. System utilization reports
D. System downtime reports
Answer: B
NO.115 Due to a high volume of customer orders, an organization plans to implement a new
application for customers to use for online ordering Which type of testing is MOST important to
ensure the security of the application prior to go-live?
A. Stress testing
B. Vulnerability testing
C. Regression testing
D. User acceptance testing (UAT)
Answer: B
NO.116 An IS auditor Is reviewing an organization's business continuity plan (BCP) following a

change in organizational structure with significant impact to business processes Which of the
following findings should be me auditor's GREATEST concern?
23
A. Copies of the BCP have not been distributed to new business unit end users since the
reorganization
B. A test plan for the BCP has not been completed during the last two years.
C. Key business process end users did not participate in the business impact analysis (BIA)
D. The most recent business impact analysts (BIA) was performed two years before the
reorganization
Answer: A
NO.117 A bank recently experienced fraud where unauthorized payments were inserted into the
payments transaction process. An IS auditor has reviewed the application systems and databases
along the processing chain but has not identified the entry point of the fraudulent transactions.
Where should the auditor look NEXT?
A. Operating system patch levels
B. Interfaces between systems
C. Change management repository
D. System backup and archiving
Answer: B
NO.118 Which of the following physical controls will MOST effectively prevent breaches of
computer room security?
A. Photo IDs
B. CCTV monitoring
C. Retina scanner
D. RFID badge
Answer: C
NO.119 Which of the following is the BEST detective control for a job scheduling process involving
data transmission?
A. Jobs are scheduled to be completed daily end data is transmitted using a secure Fife Transfer
Protocol (SFTP)
B. Job failure alerts are automatically generated and routed to support personnel
C. Metrics denoting the volume of monthly job failures are reported and reviewed by senior
management
D. Jobs are scheduled and a log of this activity n retained for subsequent review
Answer: A
NO.120 An IS auditor finds a number of system accounts that do not have documented approvals
Which of the following should be performed FIRST by the auditor?
A. Have the accounts removed immediately
B. Obtain sign-off on the accounts from the application owner
C. Document a finding and report an ineffective account provisioning control
D. Determine the purpose and risk of the accounts
Answer: D
24
NO.121 Which of the following is the PRIMARY reason for an organization's procurement processes
to include an independent party who is not directly involved with business operations and related
decision-making'?
A. To ensure continuity of processes and procedures
B. To optimize use of business team resources
C. To avoid conflicts of interest
D. To ensure favorable price negotiations
Answer: C
NO.122 Which of the following would be of GREATEST concern to an IS auditor reviewing an

organization's security incident handling procedures?
A. Annual tabletop exercises are performed instead of functional incident response exercises.
B. Roles for computer emergency response learn (CERT) members have not been formally
documented.
C. Workstation antivirus software alerts are not regularly reviewed.
D. Guidelines for prioritizing incidents have not been identified.
Answer: D
NO.123 An IS auditor is reviewing the installation of a new server. The IS auditor's PRIMARY
objective is to ensure that
A. security parameters are set in accordance with the organizations policies
B. security parameters are set in accordance with the manufacturer's standards
C. a detailed business case was formally approved prior to the purchase.
D. the procurement project invited tenders from at least three different suppliers.
Answer: A
NO.124 When is the BEST time to commence continuity planning for a new application system?
A. immediately after implementation
B. During the design phase
C. Following successful user testing
D. Just prior to the handover to the system maintenance group
Answer: B
NO.125 An organization decides to establish a formal incident response capability with clear roles
and responsibilities facilitating centralized reporting of security incidents. Which type of control is
being implemented?
A. Corrective control
B. Compensating control
C. Preventive control
D. Detective control
Answer: A
25
NO.126 Which of the following is MOST critical for the effective implementation of IT governance?
A. Documented policies
B. Internal auditor commitment
C. Strong risk management practices
D. Supportive corporate culture
Answer: D
NO.127 Which of the following should be included in emergency change control procedures?
A. Use an emergency ID to move production programs into development.
B. Request that the help desk make the changes.
C. Update production source libraries to reflect changes.
D. Obtain user management approval before implementing the changes.
Answer: D
NO.128 An IS auditor is assigned to review the development of a specific application. Which of the
following would be the MOST significant step following the feasibility study?
A. Attend project progress meetings to monitor timely implementation of the application.
B. Assist users in the design of proper acceptance-testing procedures.
C. Follow up with project sponsor for project's budgets and actual costs.
D. Review functional design to determine that appropriate controls are planned.
Answer: D
NO.129 An organization issues digital certificates to employees to enable connectivity to a web-

based application.
Which of the following public key infrastructure (PKI) components MUST be included in the
application architecture for determining the on-going validity of connections?
A. Secure hash algorithm (SHA)
B. Registration authority (RA)
C. Certificate authority (CA)
D. Certificate revocation list (CRL)
Answer: A
NO.130 Which of the following is the BEST indicator of the effectiveness of signature-based
intrusion detection systems (IDSs)?
A. An increase in the number of internally reported critical incidents
B. An increase in the number of detected incidents not previously identified
C. An increase in the number of identified false positives
D. An increase in the number of unfamiliar sources of intruders
Answer: A
NO.131 Which of the following should be done FIRST to effectively define the IT audit universe for
an entity with multiple business lines?
A. Identify aggregate residual IT risk for each business line.
26
B. Obtain a complete listing of the entity's IT processes

C. Obtain a complete listing of assets fundamental to the entity's businesses.
D. Identify key control objectives for each business line's core processes
Answer: C
NO.132 An IS auditor performing an audit of backup procedures observes that backup tapes are
picked up weekly and stored offsite at a deed party hosting faculty. Which of the following
recommendations would be the BEST way to maintain data integrity during transport?
A. Ensure the date is validated poor to transport
B. Ensure that logging and recording of data transport takes place
C. Ensure the transport company is licensed and assured.
D. Ensure the data is transported in locked tamper evident containers
Answer: D
NO.133 An organization has adopted a backup and recovery strategy that involves copying on-
premise virtual machine (VM) images to a cloud service provider Which of the following provides the
BEST assurance that VMs can be recovered in the event of a disaster?
A. Periodic on-site restoration of VM images obtained from the cloud provider
B. Inclusion of the right to audit in the cloud service provider contract
C. Procurement of adequate storage for the VM images from the cloud service provider
D. Existence of a disaster recovery plan (DRP) with specified roles for emergencies
Answer: A
NO.134 Which of the following is the PRIMARY advantage of using virtualization technology for
corporate applications?
A. Increased application performance
B. Improved disaster recovery
C. Stronger data security
D. Better utilization of resources
Answer: D
NO.135 During an audit of a disaster recovery plan (DRP) for a critical business area, an IS auditor
finds that not all critical systems are covered. What should the auditor do NEXT?
A. Verify whether the systems are part of the business impact analysis (BIA).
B. Evaluate the impact of not covering the systems.
C. Evaluate the prior year's audit results regarding critical system coverage.
D. Escalate the finding to senior management.
Answer: A
NO.136 An IT organization's incident response plan is which type of control?

A. Detective
B. Directive
C. Preventive
27
D. Corrective
Answer: D
NO.137 An IS auditor has been asked to assess the security of a recently migrated database system
that contains personal and financial data for a bank's customers. Which of the following controls is
MOST important for the auditor to confirm is in place?
A. The default configurations have been changed.
B. The default administration account is used after changing the account password.
C. The service port used by the database server has been changed.
D. All tables in the database are normalized.
Answer: A
NO.138 Which of the following is the MOST effective control for protecting the confidentiality and
integrity of data stored unencrypted on virtual machines?
A. Restrict access to images and snapshots of virtual machines
B. Limit creation of virtual machine images and snapshots
C. Monitor access To stored images and snapshots of virtual machines
D. Review logical access controls on virtual machines regularly
Answer: C
NO.139 Which of the following should be an IS auditor's GREATEST consideration when scheduling
follow-up activities for agreed-upon management responses to remediate audit observations?
A. Business interruption due to remediation
B. IT budgeting constraints
C. Risk rating of original findings
D. Availability of responsible IT personnel
Answer: C
NO.140 Which of the following features can be provided only by asymmetric encryption?
A. Data confidentiality
B. Information privacy
C. Nonrepudiation
D. 128-bit key length
Answer: A
NO.141 Which of the following poses the GREATEST risk to a company that allows employees to use
personally owned devices to access customer files on the company's network?
A. The help desk might not be able to support all different types of personal devices.
B. The company's network might slow down, affecting response time.
C. Customer data may be compromised if the device is lost or stolen.
D. Employee productivity may suffer due to personal distractions
Answer: C
28
NO.142 When reviewing an organization's information security policies, an IS auditor should verify
that the policies have been defined PRIMARILY on the basis of
A. an information security framework
B. industry best practices
C. past information security incidents
D. a risk management process
Answer: A
NO.143 A company converted its payroll system from an external service to an internal package
Payroll processing in April was run in parallel. To validate the completeness of data after the
conversion, which of the following comparisons from the old to the new system would be MOST
effective?
A. Turnaround time for payroll processing
B. Employee counts and year-to-date payroll totals
C. Cut-off dates and overwrites for a sample of employees
D. Master file employee data to payroll journals
Answer: B
NO.144 An IS auditor finds that an organization's data toss prevention (DLP) system is configured to
use vendor default settings to identify violations. The auditor's MAIN concern should be that:
A. violations may not be categorized according to the organization's risk profile.
B. a significant number of false positive violations may be reported.
C. violation reports may not be retained according to the organization's risk profile.
D. violation reports may not be reviewed in a timely manner.
Answer: A
NO.145 The operations team of an organization has reported an IS security attack. Which of the
following should be the FIRST step for the security incident response team?
A. Document lessons learned.
B. Perform a damage assessment.
C. Report results to management.
D. Prioritize resources for corrective action.
Answer: B
NO.146 Internal audit is conducting an audit of customer transaction risk Which of the following
would be the BEST reason to use data analytics?
A. Anomalies and risk trends in the data set have yet to be defined
B. Transactional data is contained in multiple discrete systems that have varying levels of reliability
C. The audit is being performed to comply with regulations requiring periodic random sample testing
D. The audit focus is on a small number of predefined high-risk transactions
Answer: B
NO.147 After an external IS audit, which of the following should be IT management's MAIN
29
consideration when determining the prioritization of follow-up activities?

A. The availability of the external auditors
B. The scheduling of major changes in the control environment
C. The materiality of the reported findings
D. The amount of time since the initial audit was completed
Answer: C
NO.148 Which of the following would be the MOST appropriate reason for an organization to
purchase fault-tolerant hardware?
A. Improving system performance
B. Reducing hardware maintenance costs
C. Minimizing business loss
D. Compensating for the lack of contingency planning
Answer: C
NO.149 An IT governance body wants to determine whether IT service delivery is based on

consistently effective processes. Which of the following is the BEST approach?
A. Implement a control self-assessment (CSA).
B. Develop a maturity model.
C. Conduct a gap analysis.
D. Evaluate key performance indicators (KPIs).
Answer: D
NO.150 The maturity level of an organization s problem management support function is optimized
when the function
A. has formally documented the escalation process.
B. proactively provides solutions
C. resolves requests in a timely manner
D. analyzes critical incidents to identify root cause.
Answer: B
NO.151 The PRIMARY advantage of object-oriented technology is enhanced:

A. management of sequential program execution for data access
B. management of a restricted variety of data types for a data object
C. grouping of objects into methods for data access
D. efficiency due to the re-use of elements of logic
Answer: C
NO.152 Which of the following techniques would provide the BEST assurance to an IS auditor that
all necessary data has been successfully migrated from a legacy system to a modern platform?
A. Review of logs from the migration process
B. Data analytics
C. Interviews with migration staff
30
D. Statistical sampling
Answer: A
NO.153 Which of the following observations would an IS auditor consider the GREATEST risk when
conducting an audit of a virtual server farm for potential software vulnerabilities?
A. A variety of guest operating systems operate on one virtual server.
B. The hypervisor is updated quarterly.
C. Antivirus software has been implemented on the guest operating system only.
D. Guest operating systems are updated monthly
Answer: C
NO.154 Which of the following is the BEST data integrity check?

A. Tracing data back to the point of origin
B. Preparing and running test data
C. Counting the transactions processed per day
D. Performing a sequence check
Answer: A
NO.155 Prior to the migration of acquired software into production, it is MOST important that the IS
auditor review the:
A. system documentation.
B. vendor testing report.
C. user acceptance lest report.
D. source code escrow agreement.
Answer: A

reviewing a hosted virtualized environment where each guest operating system (OS) is r
A. There are file shares between the host OS and the guest OS
B. Access to virtualization utilities and tools in the host is not restricted
C. The test environment of the applications is in a separate guest OS
D. All virtual machines are launching an application backup job at the same time
Answer: B
NO.157 An IS auditor reviewed the business case for a proposed investment to virtualize an
organization's server infrastructure. Which of the following is MOST likely to be included among the
benefits in the project proposal?
A. Fewer operating system licenses
B. Better efficiency of logical resources
C. Less memory and storage space
D. Reduced hardware footprint
Answer: D
31
NO.158 An IS auditof notes the transaction processing times in an order processing system have
significantly increased after a major release Which of the following should the IS auditor review
FIRST?
A. Training plans
B. Stress testing results
C. Capacity management plan
D. Database conversion results
Answer: B
NO.159 The performance, risks, and capabilities of an IT infrastructure are BEST measured using a:
A. service level agreement (SLA).
B. balanced Scorecard.
C. risk management review.
D. control self-assessment (CSA).
Answer: D
NO.160 An IS auditor has assessed a payroll service provider's security policy and finds significant
topics are missing.
Which of the following is the auditor's BEST course of action?
A. Recommend the service provider update their policy
B. Report the risk to internal management
C. Notify the service provider of the discrepancies.
D. Recommend replacement of the service provider
Answer: B
NO.161 The PRIMARY role of a control self-assessment (CSA) facilitator Is to:

A. provide solutions for control weaknesses.
B. report on the internal control weaknesses.
C. focus the team on internal controls.
D. conduct interviews to gam background information
Answer: C
NO.162 An IS auditor is reviewing an industrial control system (ICS) that uses older unsupported
technology in the scope of an upcoming audit. What should the auditor consider the MOST significant
concern?
A. There is a greater risk of system exploitation.
B. Technical specifications are not documented.
C. Disaster recovery plans (DRPs) are not in place.
D. Attack vectors are evolving for industrial control systems.
Answer: C
NO.163 An IS auditor concludes that an organization has a quality security policy. Which of the
following is MOST important to determine next? The policy must be:
32
A. based on industry standards.

B. well understood by all employees.
C. developed by process owners.
D. updated frequently.
Answer: B
NO.164 Which of the following is a benefit of increasing the use of data analytics in audits?
A. Less time spent on verifying completeness and accuracy of the total population
B. More time spent on analyzing the outers identified and the root cause
C. Less time spent on selecting adequate audit programs and scope
D. More time spent on select and reviewing samples for testing
Answer: A
NO.165 Which of the following is the PRIMARY protocol for protecting outbound content from
tampering and eavesdropping?
A. Transport Layer Security (TLS)
B. Secure Shell (SSH)
C. Point-to-Point Protocol (PPP)
D. Internet Key Exchange (IKE)
Answer: A
NO.166 Which audit approach is MOST helpful in optimizing the use of IS audit resources?
A. Outsourced auditing
B. Continuous auditing
C. Agile auditing
D. Risk-based auditing
Answer: D
NO.167 The BEST way to determine whether programmers have permission to alter data in the
production environment is by reviewing:
A. the access control system's configuration.
B. the access rights that have been granted
C. the access control system's log settings.
D. how the latest system changes were implemented
Answer: B
NO.168 Which of the following is the BEST IS audit strategy?

A. Limit audits to new application system developments
B. Conduct general control audits annually and application audits in alternating years
C. Perform audits based on Impact and probability of error and failure.
D. Cycle general control and application audits over a two-year period
Answer: C
33
NO.169 Regression testing should be used during a system development project to ensure that:
A. system testing will address high-probability errors.
B. the test plan is based on an analysis of the impact of past testing
C. the results of testing are statistically vsalid
D. errors have not been introduced to the system during modification
Answer: D
NO.170 As part of a follow-up of a previous year's audit, an IS auditor has increased the expected
error rate for a sample. The impact will be:
A. required sample size increases.
B. sampling risk decreases.
C. degree of assurance increases.
D. standard deviation decreases.
Answer: C
NO.171 Which of the following provides an IS auditor with the BEST evidence that a system has
been assessed for known exploits?
A. Patch cycle report
B. Vulnerability scanning report
C. Black box testing report
D. White box testing report
Answer: B
NO.172 When evaluating the ability of a disaster recovery plan (DRP) to enable the recovery of IT
processing capabilities, it is MOST important for the IS auditor to verify the plan is:
A. communicated to department heads,
B. regularly reviewed.
C. stored at an offsite location.
D. periodically tested.
Answer: D
NO.173 Which of the following should be the PRIMARY consideration for IT management when
selecting a new information security tool that monitors suspicious file access patterns?
A. Integration with existing architecture
B. Ease of support and troubleshooting
C. Data correlation and visualization capabilities
D. Ability to contribute to key performance indicator data
Answer: A
NO.174 An organization recently implemented a cloud document storage solution and removed the
ability for end users to save data to their local workstation hard drives Which of the following
findings should be the IS auditor's GREATEST concern?
A. Mobile devices are not encrypted.
34
B. Users have not been trained on the new system.

C. Users are not required to sign updated acceptable
D. The business continuity plan (BCP) was not updated.
Answer: D
NO.175 Which type of control is in place when an organization requires new employees to complete
training on applicable privacy and data protection regulations?
A. Preventive control
B. Directive control
C. Detective control
D. Corrective control
Answer: B
NO.176 Which of the following MOST effectively mitigates the risk of disclosure of sensitive data
stored on company-owned smartphones?
A. Secure containers
B. Data leakage prevention (DLP) tools
C. Mobile device management (MDM)
D. Physical device tagging
Answer: B
NO.177 Which of the following would be a result of utilizing a top-down maturity model process?
A. Identification of older, more established processes to ensure timely review
B. Identification of processes with the most improvement opportunities
C. A means of comparing the effectiveness of other processes within the enterprise
D. A means of benchmarking the effectiveness of similar processes with peers
Answer: B
NO.178 Which of the following is an objective of data transfer controls?

A. To ensure there are sufficient dedicated resources in place to facilitate data transfer
B. To ensure receiving data fields have been configured according to the structure of the transmitted
data
C. To ensure the data is backed up on a regular basis
D. To ensure access control lists are accurately and completely maintained
Answer: B
NO.179 The MOST important function of a business continuity plan (BCP) is to.
A. provide procedures for evaluating tests of the BCP
B. provide a schedule of events that has to occur if there is a disaster
C. ensure that the critical business functions can be recovered
D. ensure that all business functions are restored
Answer: C
35
NO.180 An organization plans to receive an automated data feed into its enterprise data warehouse
from a third-party service provider. Which of the following would be the BEST way to prevent
accepting bad data?
A. Appoint data quality champions across the organization
B. Obtain error codes indicating failed data feeds
C. Purchase data cleansing tools from a reputable vendor
D. Implement business rules to reject invalid data
Answer: D
NO.181 Which of the following would be the MOST useful metric for management to consider when
reviewing a project portfolio?
A. Cost of projects divided by total IT cost
B. Expected return divided by total project cost
C. Netpresent value (NPV) of the portfolio
D. Total cost of each project
Answer: C
NO.182 Using swipe cards to limit employee access to restricted areas requires implementing which
additional control?
A. Periodic review of access profiles by management
B. Physical sign-in of all employees for access to restricted areas
C. Initial escort of all new hires by a current employee
D. Employee-access criteria determined on the basis of IS experience
Answer: B
NO.183 Which of the following is the BEST compensating control when segregation of duties is
lacking in a small IS department?
A. Mandatory holidays
B. Background checks
C. Transaction log review
D. User awareness training
Answer: C
NO.184 A security company and service provider have merged and the CEO has requested one
comprehensive set of security policies be developed for the newly formed company. The IS auditor s
BEST recommendation would be to:
A. implement the service provider's policies
B. implement the security company s policies,
C. adopt an industry standard security policy
D. conduct a policy gap assessment
Answer: D
NO.185 When reviewing an organization's data protection practices, an IS auditor should be MOST
36
concerned with a lack of:

A. a security team.
B. data classification.
C. training manuals.
D. data encryption.
Answer: B
NO.186 Which of the following is the BEST way for an IS auditor to maintain visibility of a new
system implementation project when faced with resource limitations
A. Review the target control environment
B. Assess user acceptance test (UAT) results.
C. Attend steering committee meetings.
D. Evaluate the project plan and milestones
Answer: D
NO.187 An organization plans to eliminate pilot releases and instead deliver all functionality in a
single release. Which of the following is the GREATEST risk with this approach?
A. Likelihood of scope creep over time
B. Increased oversight required to track projects
C. Inability to track project costs
D. Releasing critical deficiencies into production
Answer: D
NO.188 After the merger of two organizations, which of the following is the MOST important task
for an IS auditor lo perform?
A. Updating the security policy
B. Verifying that access privileges have been reviewed
C. Investigating access rights for expiration dates
D. Updating the continuity plan for critical resources
Answer: B
NO.189 Which of the following is MOST important to consider when scheduling follow-up audits?
A. The efforts required for independent verification with new auditors
B. The amount of time the auditee has agreed to spend with auditors
C. The impact if corrective actions are not taken
D. Controls and detection risks related to the observations
Answer: C
NO.190 Which cloud deployment model is MOST likely to be limited in scalability?

A. Hybrid
B. Private
C. Public
D. Community
37
Answer: B
NO.191 An IS auditor reviewing a checkpoint/restart procedure should be MOST concerned if it is

applied after:
A. an incremental data backup is performed.
B. a temporary hardware failure.
C. power loss to the data center.
D. an incorrect version of the program is executed.
Answer: D
NO.192 Which of the following should be the FIRST step when planning an IS audit of a third-party
service provider that monitors network activities?
A. Evaluate the organization's third-party monitoring process.
B. Determine if the organization has a secure connection to the provider.
C. Review the roles and responsibilities of the third-party provider.
D. Review the third party's monitoring logs and incident handling.
Answer: C
NO.193 Which of the following would be of GREATEST concern to an IS auditor evaluating

governance over open source development components?
A. The software is not analyzed for compliance with organizational requirements
B. The open source development components do not meet industry best practices
C. Existing open source policies have not been approved in over a year
D. The development project has gone over budget and time
Answer: A
NO.194 Which of the following controls would BEST ensure that payroll system rate changes are
valid?
A. Only a payroll department manager can input the new rate.
B. Rate changes require visual verification before acceptance.
C. Rate changes must be entered twice to ensure that they are entered correctly.
D. Rate changes are reported to and independently verified by a manager.
Answer: D
NO.195 Which of the following is the BEST methodology to use for estimating the complexity of
developing a large business application?
A. Work breakdown structure
B. Critical path analysis
C. Software cost estimation
D. Function point analysis
Answer: D
NO.196 A database audit reveals an issue with the way data ownership for client data is defined.
38
Which of the following roles should be accountable for this finding?

A. Business management
B. Database administrator
C. Information security management
D. Privacy manager
Answer: A
NO.197 An audit of environmental controls at a data center could include a review of the
A. logs recording visitors to the data center
B. local alarms on emergency exits
C. list of employees authorized to enter the data center
D. ceiling space to ensure that there are no wet pipes
Answer: C
NO.198 During an audit of a data classification policy, an IS auditor finds that many documents are
inappropriately classified as confidential. Which of the following is the GREATEST concern?
A. Information may be underprotected.
B. Data integrity issues may occur.
C. Industry security best practices are violated.
D. Information may generally be overprotected.
Answer: D
NO.199 While reviewing an organization s business continuity plan (BCP) an IS auditor observes that
a recently developed application is not included. The IS auditor should:
A. ignore the observation as the application is not mission critical.
B. recommend that the application b# incorporated in the BCP.
C. ensure that the criticality of the application is determined
D. include m the audit findings that the BCP is incomplete
Answer: C
NO.200 An emergency power-off switch should:

A. not be identified.
B. be illuminated.
C. be protected
D. not be in the computer room
Answer: B
NO.201 During business process reengineering (BPR) of a bank's teller activities, an IS auditor should
evaluate:
A. the impact of changed business processes.
B. the cost of new controls.
C. BPR project plans
D. continuous improvement and monitoring plans.
39
Answer: A
NO.202 Audit management has just completed the annual audit plan for the upcoming year, which
consists entirely of high-risk processor. However it is determined that there are insufficient resources
to execute the plan. What should be done NEXT?
A. Remove audit from the annual plan to better match the number of resources available.
B. Review the audit plan and defer some audits to the subsequent year
C. Present the annual plan to the audit committee and ask for more resources
D. Reduce the scope of the audit to better match the number of resources available
Answer: C
NO.203 Which of the following is MOST important for an effective control self-assessment (CSA)
program?
A. Understanding the business process
B. Performing detailed test procedures
C. Evaluating changes to the risk environment
D. Determining the scope of the assessment
Answer: A
NO.204 Which of the following human resources management practices BEST leads to the detection
of fraudulent activity?
A. Background checks
B. Time reporting
C. Employee code of ethics
D. Mandatory time off
Answer: D
NO.205 A manufacturing company is implementing application software for its sales and distribution
system. Which of the following is the MOST important reason for the company to choose a
centralized online database?
A. Elimination of multiple points of failure
B. Elimination of the need for data normalization
C. Enhanced data redundancy
D. Enhanced integrity controls
Answer: D
NO.206 Which of the following is the MOST important prerequisite for Implementing a data loss
prevention (DLP) tool?
A. Developing a DLP policy and requiring signed acknowledgement by users.
B. Requiring users to save files in secured folders instead of company-wide shared drive
C. Identifying where existing data resides and establishing a data classification matrix.
D. Reviewing data transfer logs to determine historical patterns of data flow
Answer: A
40
NO.207 Which of the following is the BEST way to achieve high availability and fault tolerance for an
e-business system?
A. Secure offsite backup storage
B. Storage area network
C. Robust systems architecture
D. Network diversity
Answer: C
NO.208 What is the BEST population to select from when testing that programs are migrated to
production with proper approval?
A. List of changes provided by application programming managers
B. Change advisory board meeting minutes
C. Completed change request forms
D. List of production programs
Answer: D
NO.209 Which of the following is MOST important when creating a forensic image of a hard drive?
A. Requiring an independent third-party be present while imaging
B. Choosing an industry-leading forensics software tool
C. Securing a backup copy of the hard drive
D. Generating a content hash of the hard drive
Answer: D
NO.210 What is the PRIMARY purpose of performing a parallel run of a new system?
A. To provide a failover plan in case of system Issues.
B. To validate the operation of the new system against its predecessor.
C. To verify the new system can process the production load
D. To verify the new system provides required business functionality
Answer: D
NO.211 An IS auditor has completed an audit of an organization's accounts payable system. Which
of the following should be rated as the HIGHEST risk in the audit report and requires immediate
remediation?
A. Lack of segregation of duty controls for removal of vendor records
B. Lack of segregation of duty controls for reconciliation of payment transactions
C. Lack of segregation of duty controls for reversing payment transactions
D. Lack of segregation of duty controls for updating the vendor master file
Answer: D
NO.212 Which of the following provides the MOST useful information to an IS auditor reviewing the
relationships between critical business processes and IT systems?
A. IT Portfolio Management
41
B. Enterprise architecture (EA)

C. Configuration management database (CMDB)
D. IT Service Management
Answer: B
NO.213 An organization allows its employees to use personal mobile devices for work. Which of the
following would BEST maintain information security without compromising employee privacy?
A. Installing security software on the devices
B. Restricting the use of devices for personal purposes during working hours
C. Partitioning the work environment from personal space on devices
D. Preventing users from adding applications
Answer: C
NO.214 Which of the following is MOST important to include in a contract to outsource data
processing that involves customer personally identifiable information (Pit)?
A. The vendor must comply with the organization is legal and regulatory requirement.
B. The vendor must provide an independent report of its data processing facilities.
C. The vendor must compensate the organization if nonperformance occurs.
D. The vendor must sign a nondisclosure agreement with the organization.
Answer: A
NO.215 What would be an IS auditors GREATEST concern when using a test environment for an
application audit?
A. Test and production environments do not mirror each other
B. Developers have access to the best environment
C. Test and production environments lack data encryptions
D. Retention period of test data has been exceeded
Answer: A
NO.216 Which of the following should be done FIRST to develop an effective business continuity
plan (BCP)?
A. Secure an alternate processing site
B. Perform a business impact analysis (BIA).
C. Create a disaster recovery plan (DRP).
D. Create a business unit communications plan.
Answer: D
NO.217 During a follow-up audit, an IS auditor finds that some critical recommendations have not
been addressed as management has decided to accept the risk. Which of the following is the IS
auditor's BEST course of action?
A. Require the auditee to address the recommendations in full.
B. Adjust the annual risk assessment accordingly.
C. Evaluate senior management's acceptance of the risk.
42
D. Update the audit program based on management's acceptance of risk.

Answer: C
NO.218 Which of the following would be of GREATEST concern to an IS auditor reviewing backup
and recovery controls?
A. Backups are stored in an external hard drive
B. Restores from backups are not periodically tested
C. Backup procedures are not documented
D. Weekly and monthly backups are stored onsite
Answer: B
NO.219 Which of the following would be the BEST indicator of the effectiveness of an organization's
portfolio management program?
A. Percentage of investments achieving their forecasted value
B. Maturity levels of the value management processes
C. Experience of the portfolio management personnel
D. Stakeholders' perception of IT's value
Answer: A
NO.220 Which of the following represents a potential single point of failure in the virtualized
environment that could result in a compromise with greater scope and impact?
A. Underlying hardware on the guest operating system
B. Dual operating system
C. The host operating system
D. Applications installed on the guest operating system
Answer: C
NO.221 Which of the following is the GREATEST advantage of application penetration testing over
vulnerability scanning?
A. Penetration testing can be conducted in a relatively short time period.
B. Penetration testing creates relatively smaller risks to application availability and integrity
C. Penetration testing provides a more accurate picture of gaps in application controls
D. Penetration testing does not require a special skill set to be executed.
Answer: C
NO.222 planning an end-user computing (EUC) audit, it is MO ST important for the IS auditor to
A. evaluate the organization's EUC policy
B. evaluate EUC threats and vulnerabilities
C. obtains an inventory EUC applications
D. determine EUC materiality and complexity thresholds
Answer: D
NO.223 An IS auditor finds that terminated users have access to financial applications. Which of the
43
following is the auditor's MOST important course of action when assessing the impact?
A. Inquire of management whether the terminated users left the organization on good terms.
B. Inspect the logs to determine whether the users accessed the applications after termination.
C. Review requests In the ticketing tool for removal of identified access.
D. Inspect the terminated employees' corporate email accounts.
Answer: B
NO.224 An IS auditor finds that the process for removing access for terminated employee is not
documented. What is the MOST significant risk from this observation?
A. Access rights may not be removed in a timely manner
B. Unauthorized access cannot be identified
C. Procedures may not align with the practices
D. HR records may not match system access
Answer: A
NO.225 An e-commerce enterprise's disaster recovery (DR) site has 30% less processing capability
than the primary site. Based on this information, which of the following presents the GREATEST risk?
A. Network firewalls and database firewalls at the DR site do not provide high availability.
B. No disaster recovery plan (DRP) testing has been performed during the last six months.
C. The DR site is in a shared location that hosts multiple other enterprises.
D. The DR site has not undergone testing to confirm its effectiveness.
Answer: D
NO.226 When auditing the alignment of IT to the business strategy, it is MOST important (or the IS
auditor to:
A. evaluate deliverables of new IT initiatives against planned business services.
B. ensure an IT steering committee is appointed to monitor new IT projects.
C. compare the organization's strategic plan against industry best practice.
D. interview senior managers for their opinion of the IT function.
Answer: A
NO.227 Which of the following is the BEST indication of the completeness of interface control
documents used for the development of a new application?
A. All documents have been reviewed by end users.
B. All inputs and outputs for potential actions are included.
C. Both successful and failed interface data transfers are recorded.
D. Failed interface data transfers prevent subsequent processes.
Answer: C
NO.228 During a post-implementation review, a step in determining whether a project met user
requirements is to review the:
A. completeness of user documentation.
B. integrity of key calculations.
44
C. effectiveness of user training.

D. change requests initiated after go-live.
Answer: D
NO.229 An IS auditor is analysing a sample of assesses recorded on the system log of an application.
The auditor intends to launch an intensive investigation if one exception is found. Which sampling
method would be appropriate?
A. Stratified sampling
B. Variable sampling
C. Judgemental sampling
D. Discovery sampling
Answer: D
NO.230 During the implementation of an upgraded enterprise resource planning (ERP) system,
which of the following is the MOST important consideration for a go-live decision?
A. Post-implementation review objectives
B. Test cases
C. Rollback strategy
D. Business case
Answer: C
NO.231 On a public-key cryptosystem when there is no previous knowledge between parties, which
of the following will BEST help to prevent one person from using a fictitious key to impersonate
someone else?
A. Send the public key to the recipient prior to establishing the connection
B. Encrypt the message containing the sender's public key using a private-key
C. cryptosystem 1 Encrypt the message containing the sender's public key. using the recipient's
public key
D. Send a certificate that can be verified by a certification authority with the public key
Answer: D
NO.232 Which of the following projects would be MOST important to review in an audit of an
organizations financial statements?
A. Automation of operational risk management processes
B. Resource optimization of the enterprise resource planning (ERP) system
C. Security enhancements to the customer relationship database
D. Outsourcing of the payroll system to an external service provider
Answer: D
NO.233 An IS auditor is following up on prior period items and finds management did not address an
audit finding.
Which of the following should be the IS auditor's NEXT course of action?
A. Interview management to determine why the finding was not addressed
45
B. Recommend alternative solutions to address the repeat finding

C. Conduct a risk assessment of the repeat finding
D. Note the exception in a new report as the item was not addressed by management
Answer: A
NO.234 Upon completion of audit work, an IS auditor should:

A. provide a report to senior management prior to discussion with the auditee.
B. distribute a summary of general findings to the members of the auditing team.
C. provide a report to the auditee stating the initial findings.
D. review the working papers with the auditee.
Answer: B
NO.235 Which of the following is a preventive control related to change management?

A. Implementation of managed change approval processes
B. Log review of managed changes
C. Debugging of implemented changes
D. Audit of implemented changes for the period under review
Answer: A
NO.236 An incorrect version of source code was amended by a development team, This MOST likely
indicates a weakness in:
A. Incident management.
B. project management.
C. change management.
D. quality assurance (QA)
Answer: C
NO.237 An organization is using a single account shared by personnel for its social networking
marketing page. Which of the following is the BEST method to maintain accountability over the
account?
A. Reviewing access rights on a periodic basis
B. Integrating the account with single sign-on
C. Regular monitoring of proxy server logs
D. Implementing an account password check-out process
Answer: A
NO.238 The PRIMARY benefit of using secure shell (SSH) to access a server on a network is that it:
A. provides confidentiality of transmitted data
B. prevents man-in-the-middle attacks
C. provides better session reliability
D. facilitates communication across platforms.
Answer: A
46
NO.239 An organization is considering allowing users to conned personal devices to the corporate
network. Which of the following should be done FIRST?
A. Configure users on the mobile device management (MOM) solution.
B. Conduct security awareness training.
C. Implement an acceptable use policy.
D. Create inventory records of personal devices.
Answer: C
NO.240 Batch processes running in multiple countries are merged to one batch job to be executed
in a single data center. Which of the following is the GREATEST concern with this approach?
A. The knowledge base maintained by current staff may be lost.
B. Change management may become highly complex after job integration
C. The job execution approval process at the regional level may be compromised.
D. Restart of the batch job after disruption may impair the integrity of databases.
Answer: B
NO.241 Which of the following is the FIRST step in initiating a data classification program?
A. Risk appetite assessment
B. Inventory of data assets
C. Assignment of data ownership
D. Assignment of sensitivity levels
Answer: B
NO.242 Which of the following is the GREATEST threat to Voice-over Internet Protocol (VoIP) related
to privacy?
A. Call recording
B. Incorrect routing
C. Eavesdropping
D. Denial of service (DoS)
Answer: C
NO.243 During recent post-implementation reviews, an IS auditor has noted that several deployed
applications are not being used by the business. The MOST likely cause would be the lack of:
A. IT portfolio management.
B. IT resource management.
C. system support documentation.
D. change management.
Answer: C
NO.244 Which of the following would provide the BEST evidence of the effectiveness of mandated
annual security awareness training?
A. Number of security incidents
B. Trending of social engineering test results
47
C. Surveys completed by randomly selected employees

D. Results of a third-party penetration test
Answer: D
NO.245 Which of the following is the BEST way to enforce the principle of least privilege on a server
containing data with different security classifications?
A. Applying access controls determined by the data owner
B. Limiting access to the data files based on frequency of use
C. Using scripted access control lists to prevent unauthorized access to the server
D. Obtaining formal agreement by users to comply with the data classification policy
Answer: A
NO.246 During data migration, which of the following BEST prevents integrity issues when multiple
processes within the migration program are attempting to write to the same table in the databases?
A. Authentication controls
B. Concurrency controls
C. Normalization controls
D. Database limit controls
Answer: B
NO.247 Which of the following are examples of detective controls?

A. Use of access control software and deploying encryption software
B. Source code review and echo checks in telecommunications
C. Check points in production jobs and rerun procedures
D. Continuity of operations planning and backup procedures
Answer: B
NO.248 Which of the following are BEST suited for continuous auditing?
A. Manual transactions
B. Irregular transactions
C. Low-value transactions
D. Real-time transactions
Answer: D
NO.249 Which of the following is a directive control?

A. Establishing an information security operations team
B. Updating data loss prevention software
C. Implementing an information security policy
D. Configuring data encryption software
Answer: C
NO.250 Which of the following is the BEST way to loster continuous improvement of IS audit
processes and practices?
48
A. Frequently review IS audit policies, procedures, and instruction manuals

B. Implement rigorous management review and sign-off of IS audit deliverables.
C. Invite external auditors and regulators to perform regular assessments of the IS audit function.
D. Establish and embed quality assurance (QA) within the IS audit function.
Answer: D
NO.251 An IS department is evaluated monthly on its cost-revenue ratio user satisfaction rate, and
computer downtime This is BEST zed as an application of.
A. risk framework
B. balanced scorecard
C. value chain analysis
D. control self-assessment (CSA)
Answer: B
NO.252 An organization maintains an inventory of the IT applications used by its staff Which of the
following would pose the GREATEST concern with regard to the quality of the inventory data?
A. Inventory data is available on and downloadable from the corporate intranet
B. The application owner and contact information fields are not required to be completed
C. The inventory does not contain a formal risk ranking for all the IT applications
D. The organization has not established a formal recertification process for the inventory data
Answer: A
NO.253 An application used at a financial services organization transmits confidential customer data
to downstream applications using a batch process. Which of the following controls would protect this
information?
A. Header record with timestamp
B. Record count
C. Control file
D. Secure File Transfer Protocol (SFTP)
Answer: D
NO.254 An IS auditor is reviewing the perimeter security design of a network Which of the following
provides the GREATEST assurance that both incoming and outgoing Internet traffic is controlled?
A. Stateful firewall
B. Security information and event management (SIEM) system
C. Intrusion detection system (IDS)
D. Load balancer
Answer: B
NO.255 Which of the following is the BEST way for an IS auditor to reduce sampling risk when
performing audit sampling to verify the adequacy of an organization's internal controls?
A. Lower the sample standard deviation
B. Decrease the sampling size
49
C. Outsource the sampling process.

D. Use a statistical sampling method
Answer: A
NO.256 Which of the following controls will BEST ensure that the board of directors receives
sufficient information about IT?
A. The CIO reports on performance and corrective actions in a timely manner.
B. Board members are knowledgeable about IT and the CIO is consulted on IT issues.
C. The CIO regularly sends IT trend reports to the board.
D. Regular meetings occur between the board the CIO and a technology committee
Answer: B
NO.257 Which of the following is the BEST source for describing the objectives of an organization s
information systems?
A. IT management
B. Business process owners
C. Information security management
D. End users
Answer: B
NO.258 Which of the following is the BEST solution to minimize risk from security flaws introduced
by developers using open source libraries?
A. Dynamic application security testing tools
B. Security business impact analysis (BIA)
C. Checks of dependencies between code libraries
D. Technical documentation review policies
Answer: A
NO.259 An internal audit department recently established a quality assurance (QA) program as part
of its overall audit program. Which of the following activities is MOST important to include as part of
the QA program requirements?
A. Analyzing user satisfaction reports from business lines
B. Benchmarking the QA framework to international standards
C. Reporting OA program results to the audit committee
D. Conducting long-term planning for internal audit staffing
Answer: A
NO.260 Which of the following is the GREATEST concern when using a cold backup site?
A. Compatibility problems with existing equipment might exist.
B. Peripheral equipment might not be sufficient to handle critical applications.
C. It is difficult to test critical applications at the backup site
D. Physical security requirements at the backup site might not be met.
Answer: C
50
NO.261 Which of the following should an IS auditor review FIRST when evaluating a business
process for auditing?
A. Competence of the personnel performing the process
B. Design and implementation of controls
C. Evidence that IS-related controls are operating effectively
D. Assignment of responsibility for process management
Answer: B
NO.262 A new privacy regulation requires a customer's privacy information to be deleted within 72
hours, if requested.
Which of the following would be an IS auditor's GREATEST concern regarding compliance to this
regulation?
A. Outdated online privacy policies
B. Incomplete backup and retention policies
C. End user access to applications with customer information
D. Lack of knowledge of where customers' information is saved
Answer: D
NO.263 Due to budget restraints, an organization is postponing the replacement of an in-house

developed mission critical application. Which of the following represents the GREATEST risk?
A. Inability to virtualize the server
B. Eventual replacement may be more expensive
C. Inability to align to changing business needs
D. Maintenance costs may rise
Answer: C
NO.264 Which of the following BEST enables an IS auditor to combine and compare access control
lists from various applications and devices?
A. Snapshots
B. Audit hooks
C. Data analytics
D. Integrated test facility (ITF)
Answer: C
NO.265 An information systems security officer's PRIMARY responsibility for business process
applications is to:
A. ensure access rules agree with policies
B. create role-based rules for each business process
C. authorize secured emergency access,
D. approve the organization's security policy.
Answer: B
NO.266 Which of the following IS functions can be performed by the same group or individual while
51
still providing the proper segregation of duties?

A. Application programming and systems analysis
B. Computer operations and application Multiple versions of the same operating system
programming
C. Security administration and application programming
D. Database administration and computer operations
Answer: A
NO.267 When a firewall is subjected to a probing attack, the MOST appropriate first response is for
the firewall to:
A. alert the administrator.
B. break the Internet connection.
C. drop the packet
D. reject the packet.
Answer: C
NO.268 Which of the following will BEST help to ensure that an in-house application in the
production environment is current?
A. Version control procedures
B. Change management
C. Production access control
D. Quality assurance
Answer: A
NO.269 Which of the following would a digital signature MOST likely prevent?
A. Corruption
B. Unauthorized change
C. Repudiation
D. Disclosure
Answer: C
Explanation
Digital signature enforces non-repudiation. Thereby it prevents repudiation.
NO.270 Which of the following is an IS auditor s GREATEST concern when an organization does not
regularly update software on individual workstations in the internal environment?
A. The organization may be more susceptible to cyber-attacks.
B. The organization may not be in compliance with licensing agreement.
C. System functionality may not meet business requirements.
D. The system may have version control issues.
Answer: A
NO.271 Which of the following is the BEST approach to identify whether a vulnerability is actively
being exploited?
52
A. Conduct a penetration test

B. Perform log analysis.
C. Review service desk reports.
D. Implement key performance indicators (KPIs).
Answer: B
NO.272 An IS auditor is conducting a pre-implementation review to determine a new system's

production readiness.
The auditor's PRIMARY concern should be whether:
A. benefits realization has been evidenced
B. there are unresolved high-risk items
C. the project adhered to the budget and target date.
D. users were involved in the quality assurance (QA) testing.
Answer: B
NO.273 Which of the following is MOST important for an IS auditor to review when evaluating the
accuracy of a spreadsheet that contains several macros?
A. Formulas within macros
B. Reconciliation of key calculations
C. Version history
D. Encryption of the spreadsheet
Answer: B
NO.274 Which of the following factors constitutes a strength in regard to the use of a disaster
recovery planning reciprocal agreement?
A. Reciprocal agreements may not be formally established in a contract.
B. The two companies might share a need for a specialized piece of equipment
C. Changes to the hardware or software environment by one company could make the agreement
ineffective or obsolete.
D. A disaster could occur that would affect both companies.
Answer: B
NO.275 Which of the following practices BEST ensures that archived electronic information of
permanent importance is accessible over time?
A. Acquire applications that emulate old software.
B. Periodically test the integrity of the information.
C. Regularly migrate data to current technology.
D. Periodically backup the archived data.
Answer: C
NO.276 Tunneling provides additional security for connecting one host to another through the
Internet by:
A. providing end-to-end encryption.
53
B. facilitating the exchange of public key infrastructure (PKI) certificates

C. preventing password cracking and replay attacks
D. enabling the use of stronger encryption keys
Answer: C
NO.277 Following the discovery of inaccuracies in a data warehouse, an organization has

implemented data profiling, cleansing, and handling filters to enhance the quality of data obtained
from c
A. Detective control
B. Compensating control
C. Directive control
Answer: D
NO.278 Which of the following is the BEST way to confirm that a digital signature is valid?
A. Confirm that the sender's public key certificate is from a trusted certificate authority (CA).
B. Compare the hash value of the digital signature manually
C. Verify the digital signature by obtaining the senders public key
D. Request a valid private key from the sender and compare it with the public key
Answer: A
NO.279 Which of the following is the MOST effective way to minimize the risk of a SQL injection
attack?
A. Reconfiguring content filtering settings
B. Performing activity monitoring
C. Using secure coding practices
D. Implementing an intrusion detection tool
Answer: C
NO.280 An IS auditor identifies key controls that have been overridden by management. The next
step the IS auditor should take is to
A. Perform procedures to quantify the irregularities
B. Withdraw from the engagement
C. Recommend compensating controls
D. Report the absence of key controls to regulators
Answer: A
NO.281 In a virtualized environment, which of the following techniques effectively mitigates the risk
of network attacks?
A. Encryption
B. Containerization
C. Configuration assessment
D. Segmentation
54
Answer: D
NO.282 Which of the following IT service management activities is MOST likely to help with
identifying the root cause of repeated instances of Network latency?
A. Problem management
B. Configuration management
C. Incident management
D. Change management
Answer: A
NO.283 Which of the following is the MAIN purpose of an information security management
system?
A. To reduce the frequency and impact of information security incidents
B. To identify and eliminate the root causes of information security incidents
C. To keep information security policies and procedures up-to-date
D. To enhance the impact of reports used to monitor information security incidents
Answer: A
NO.284 Which of the following is the MOST important operational aspect for an IS auditor to
consider when assessing an assembly line with quality control sensors accessible via wireless techno
A. Known vulnerabilities
B. Resource utilization
C. Device security
D. Device updates
Answer: C
NO.285 Which of the following is MOST important for an IS auditor to consider during a review of
the IT governance of an organization?
A. Funding allocation
B. Defined service levels
C. Risk management methodology
D. Decision making responsibilities
Answer: D
NO.286 During an IT governance audit, an IS auditor notes that IT policies and procedures are not
regularly reviewed and updated. The GREATEST concern to the IS auditor is that p......
A. incorporate changes to relevant laws.
B. reflect current practices
C. include new systems and corresponding process changes
D. be subject to adequate quality assurance (QA).
Answer: A
NO.287 Which of the following controls BEST ensures appropriate segregation of duties within an
55
accounts payable department?

A. Restricting program functionality according to user security profiles
B. Restricting access to update programs to accounts payable staff only
C. Including the creators user ID as a field in every transaction record created
D. Ensuring that audit trails exist for transactions
Answer: A
NO.288 Which of the following is an example of a corrective control?

A. Generating automated batch job failure notifications
B. Employing only qualified personnel to execute tasks
C. Restoring system information from data backups
D. Utilizing processes that enforce segregation of duties
Answer: C
NO.289 As part of a recent business-critical initiative, an organization is re- purposing its customer
data. However, its customers are unaware that their data is being used for another purpose. What is
the BEST recommendation to address the associated data privacy risk to the organization?
A. Obtain customer consent for secondary use of the data.
B. Adjust the existing data retention requirements.
C. Ensure the data processing activity remains onshore.
D. Maintain an audit trail of the data analysis activity
Answer: A
NO.290 Which of the following validation techniques would BEST prevent duplicate electronic
vouchers?
A. Sequence check
B. Edit check
C. Cyclic redundancy check
D. Reasonless check
Answer: A
NO.291 When evaluating the management practices at a third-party organization providing

outsourced services, the IS auditor considers relying on an independent auditors report. The IS
auditor would first
A. determine if recommendations have been implemented
B. review the objectives of the audit
C. examine the independent auditor's workpapers.
D. discuss the report with the independent auditor
Answer: B
NO.292 Which of the following is the GREATEST concern when an organization allows personal
devices to connect to its network?
A. It is difficult To enforce the security policy on personal devices
56
B. It is difficult to maintain employee privacy.

C. IT infrastructure costs will increase.
D. Help desk employees will require additional training to support devices.
Answer: A
NO.293 An IS auditor is executing a risk-based IS audit strategy to ensure that key areas are audited
Which of the following should be of GREATEST concern to the auditor?
A. The risk assessment methodology relies on subjective audit judgments at certain points of the
process
B. The risk assessment methodology does not permit the collection of financial audit data
C. The risk assessment database does not include a complete audit universe
D. The risk assessment approach has not been approved by the risk manager
Answer: A
NO.294 An IS auditor is reviewing a recent security incident and is seeking information about the
approval of a recent modification to a database system's security settings Where would the auditor
MOST likely find this information?
A. System event correlation report
B. Change log
C. Database log
D. Security incident and event management (SIEM) report
Answer: B
NO.295 Which of the following is the PRIMARY reason that asset classification is vital to an
information security program?
A. To ensure risk mitigation efforts are adetuee
B. To ensure sufficient resources are allocated for information security
C. To ensure asset protection efforts are in line with industry standards
D. To ensure the appropriate level of protection to assets
Answer: D
NO.296 Which of the following findings should be of GREATEST concern to an IS auditor conducting
a forensic analysis following incidents of suspicious activities on a server?
A. Audit logs are not enabled on the server.
B. The server is outside the domain.
C. The server's operating system is outdated.
D. Most suspicious activities were created by system IDs.
Answer: A
NO.297 Which of the following should the IS auditor do FIRST to ensure data transfer integrity for
Internet of Things (loT) devices?
A. Verify access control lists to the database where collected data is stored.
B. Determine how devices are connected to the local network.
57
C. Confirm that acceptable limits of data bandwidth are defined for each device.
D. Ensure that message queue telemetry transport (MQTT) is used.
Answer: B
NO.298 An IS auditor observes that a business-critical application does not currently have any level
of fault tolerance Which of the following is the GREATEST concern with this situation?
A. Single point of failure
B. Limited tolerance for damage
C. Degradation of services
D. Decreased mean time between failures (MTBF)
Answer: A
NO.299 Which of the following BEST enables an IS auditor to detect incorrect exchange rates applied
to outward remittance transactions at a financial institution?
A. Developing computer-assisted audit techniques (CAATs) during transaction audits
B. Performing sampling tests on transactions processed at the end of each day
C. Running continuous auditing scripts at the end of each day
D. Using supervised machine learning techniques to develop a regression model to predict incorrect
input
Answer: A
NO.300 To create a digital signature in a message using asymmetric encryption, it is necessary to:
A. First use a symmetric algorithm for the authentication sequence.
B. encrypt the authentication sequence using a public key.
C. transmit the actual digital signature in unencrypted clear text.
D. encrypt the authentication sequence using a private key.
Answer: D
NO.301 An IS auditor performing a review of a newly purchased software program notes that an
escrow agreement has been executed for acquiring the source code. What is MOST important for the
IS auditor to verify?
A. Product acceptance testing has been completed.
B. The source code is being held by an independent third party.
C. The vendor is financially viable.
D. The source code is being updated for each change.
Answer: D
NO.302 Which of the following is the BEST preventive control to ensure the integrity of server
operating systems?
A. Monitoring server performance
B. Protecting the server in a secure data center
C. Logging all activity on the server
D. Hardening the server configurations
58
Answer: D
NO.303 Which of the following BEST helps to identify errors during data transfer?
A. Decrease the size of data transfer packets.
B. Test the integrity of the data transfer.
C. Review and verify the data transfer sequence numbers.
D. Enable a logging process for data transfer.
Answer: C
NO.304 When reviewing past results of a recurring annual audit, an IS auditor notes that findings
may not have been reported and independence may not have been maintained Which of the
following is the auditor's BEST course of action?
A. Inform audit management
B. Re-perform past audits to ensure independence
C. Inform senior management
D. Reevaluate internal controls
Answer: A
NO.305 Which of the following provides the MOST assurance over the completeness and accuracy
of loan application processing with respect to the implementation of a new system?
A. Comparing code between old and new systems
B. Loading balance and transaction data to the new system
C. Running historical transactions through the new system
D. Reviewing quality assurance (QA) procedures
Answer: C
NO.306 At what point in software development should the user acceptance test plan be prepared?
A. Feasibility study
B. Transfer into production
C. Requirements definition
D. Implementation planning
Answer: C
NO.307 Which of the following is the MAIN purpose of data classification?

A. Defining parameter requirements for security labels
B. Ensuring integrity of sensitive information
C. Applying the appropriate protective measures
D. Ensuring the segregation of duties
Answer: C
NO.308 An organization has decided to implement a third-party system in its existing IT

environment Which of the following is MOST important for the IS auditor to confirm?
A. The organization has created a clone of the third party's IT infrastructure to host the IT system
59
B. The organization has maintained a clone of the existing infrastructure as backup.

C. The organization has analyzed the IT infrastructure to determine the feasibility of hosting the IT
system.
D. The organization has purchased a newly released IT infrastructure environment relevant to the IT
system
Answer: C
NO.309 In planning a major system development project, function point analysis would assist in:
A. determining the business functions undertaken by a system or program.
B. estimating the size of a system development task
C. estimating the elapsed time of the project
D. analyzing the functions undertaken by system users as an aid to job redesign
Answer: D
NO.310 Which of the following audit procedures would be MOST conclusive in evaluating the
effectiveness of an e-commerce application system's edit routine?
A. Review of program documentation
B. Use of test transactions
C. Interviews with knowledgeable users
D. Review of source code
Answer: B
NO.311 To ensure the integrity of a recovered database, which of the following would be MOST
useful?
A. Database defragmentation tools
B. Application transaction logs
C. A copy of the data dictionary
D. Before-and-after transaction images
Answer: D
NO.312 When reviewing a project to replace multiple manual data entry systems with an artificial
intelligence (Al) system, the IS auditor should be MOST concerned with the impact At will have on:
A. task capacity output
B. employee retention
C. future task updates
D. enterprise architecture (EA).
Answer: D
NO.313 While reviewing similar issues in an organization s help desk system, an IS auditor finds that
they were analyzed independently and resolved differently This situation MOST likely indicates a
deficiency in:
A. problem management
B. IT service level management
60
C. change management
D. configuration management
Answer: D
NO.314 Which of the following controls is BEST implemented through system configuration?
A. Application user access is reviewed every 180 days for appropriateness
B. Computer operations personnel initiate batch processing jobs daily
C. Financial data in key reports is traced to source systems for completeness and accuracy.
D. Network user accounts for temporary workers expire after 90 days.
Answer: D
NO.315 A banking organization has outsourced its customer data processing facilities to an external
service provider.
Which of the following roles is accountable for ensuring the security of customer data?
A. The service provider's data privacy officer
B. The bank's vendor risk manager
C. The service provider's data processor
D. The bank's senior management
Answer: D
NO.316 Which of the following should an IS auditor expect to find when reviewing IT security policy?
A. Virus protection Implementation strategies
B. An inventory of information assets
C. A risk-based classification of systems
D. Assigned responsibility for safeguarding company assets
Answer: C
NO.317 An IS auditor is verifying the adequacy of an organization's internal and is concerned about
potential circumvention of regulations. Which of the following is the BEST sampling method to use?
A. Attribute sampling
B. Variable Sampling
C. Random Sampling
D. Cluster sampling
Answer: A
NO.318 During which IT project phase is it MOST appropriate to conduct a benefits realization
analysis?
A. User acceptance testing (UAT) phase
B. Design review phase
C. Post-implementation review phase
D. Final implementation phase
Answer: B
61
NO.319 When evaluating a protect immediately prior to implementation, which of the following
would provide the BEST evidence that the system has the required functionality?
A. User acceptance testing (UAT) results
B. Quality assurance (QA) results
C. Integration testing results
D. Sign-off from senior management
Answer: B
NO.320 In which phase of penetration testing would host detection and domain name system (DNS)
interrogation be performed?
A. Attacks
B. Planning
C. Discovery
D. Reporting
Answer: C
NO.321 Which type of testing is MOST important to perform during a project audit to help ensure
business objectives are met?
A. Functional testing
B. System testing
C. Regression testing
D. Pilot testing
Answer: A
NO.322 What is the PRIMARY benefit of prototyping as a method of system development?

A. Reduces the need for testing.
B. Minimizes the time the IS auditor has to review the system.
C. Increases the likelihood of user satisfaction.
D. Eliminates the need for documentation.
Answer: C
NO.323 Which of the following should be of GREATEST concern to an IS auditor reviewing the
controls for a continuous software release process?
A. Release documentation is not updated to reflect successful deployment
B. Testing documentation is not attached to production releases.
C. Developers are able to approve their own releases
D. Test libraries have not been reviewed in over six months
Answer: C
NO.324 What is the BEST way (or an IS auditor to assess the adequacy of an expert consultant who
was selected to be involved in an audit engagement?
A. Review the independence and objectivity of the expert.
B. Verify that the engagement letter outlines the expert's responsibilities.
62
C. Obtain an understanding of the expert's relevant experience.

D. Review the industry reputation of the expert consultant's firm.
Answer: C
NO.325 servDuring an internal audit review of a human resources (HR) recruitment system
implementation the IS auditor notes that several defects were unresolved at the time the system
went live Which of the following is the auditor's MOST important task prior to formulating an audit
opinion?
A. Review the initial implementation plan for timelines.
B. Confirm the project plan was approved.
C. Review the user acceptance test (UAT) results for defects
D. Confirm the seventy of the identified defects.
Answer: D
NO.326 The GREATEST benefit of using a prototyping approach in software development is that it
helps to:
A. minimize scope changes to the system
B. conceptualize and clarify requirements
C. decrease the time allocated for user testing and review
D. improve efficiency of quality assurance (QA) testing.
Answer: B
NO.327 An IS auditor is reviewing the implementation of an international quality management

standard Which of the following provides the BEST evidence that quality management objectives
have been achieved?
A. Reduction in risk profile
B. Quality assurance (QA) documentation
C. Measurable processes
D. Enhanced compliance with laws and regulations
Answer: C
NO.328 Which of the following is the PRIMARY objective of implementing privacy-related controls
within an organization"?
A. To comply with legal and regulatory requirements
B. To provide options to individuals regarding use of their data
C. To prevent confidential data loss
D. To identify data at rest and data in transit for encryption
Answer: B
NO.329 Which of the following should be an IS auditor's GREATEST concern when a security audit
reveals the organization's vulnerability assessment approach is limited to running a vulnerability
scanner on its network?
A. A scanner does not exploit the vulnerability in the systems.
63
B. External risks in the organization's environment may go undetected.

C. Some of the vulnerabilities discovered may be false positives.
D. System performance may be degraded by the scanner.
Answer: B
NO.330 Which of the following would an IS auditor PRIMARILY review to understand key drivers of a
project?
A. Earned value analysis (EVA)
B. Project risk matrix
C. IT strategy and objectives
D. Business case
Answer: B
NO.331 Which of the following BEST enables alignment of IT with business objectives?
A. Completing an IT risk assessment
B. Leveraging an IT governance framework
C. Developing key performance indicators (KPIs)
D. Benchmarking against peer organizations
Answer: B
NO.332 An IS auditor reviewing a job scheduling tool notices performance and reliability problem.
Which of the following is MOST likely affecting the tool?
A. The number of support staff responsible for job scheduling has been reduced.
B. Maintaining patches and the latest enhancement upgrades are missing./
C. The scheduling tool was not classified as business-critical by the IT department.
D. Administrator passwords do not organizational security and complicity requirements.
Answer: B
NO.333 Which of the following communication modes should be of GREATEST concern to an IS

auditor evaluating end user networking?
A. Peer-to-peer
B. Client-to-server
C. Host-to-host
D. System-to-system
Answer: A
NO.334 Which of the following is the BEST way for an IS auditor to validate that employees have
been made aware of the organization's information security policy?
A. Interview employees to determine their level of understanding of the policy
B. Compare the employee roster against a list of those who attended security training
C. Review HR records for employee violations of the information security policy.
D. Review the training process to determine how policies are explained to employees
Answer: C
64
NO.335 Which of the following is a detective control that can be used to uncover unauthorized
access to information systems?
A. Requiring long and complex passwords for system access
B. Implementing a security information and event management (SIEM) system
C. Requiring internal audit to perform periodic reviews of system access logs
D. Protecting access to the data center with multif actor authentication
Answer: B
NO.336 An IS auditor determines that a business continuity plan has not been reviewed and
approved by management.
Which of the following is the MOST significant risk associated with this situation?
A. Continuity planning may be subject to resource constraints.
B. The plan may not be aligned with industry best practice.
C. Critical business processes may not be addressed adequate.
D. The plan has not been reviewed by risk management
Answer: C
NO.337 Data analytics Tools are BEST suited for which of the following purposes?
A. Identifying business process errors
B. Quantifying business impact analysis (BIA) results
C. Examining low-frequency business transactions
D. Analyzing the effectiveness of risk assessment processes
Answer: C
NO.338 When reviewing an organization's IT governance processes, which of the following provides
the BEST indication that information security expectations are being met at all levels?
A. Utilization of an internationally recognized security standard
B. Implementation of a comprehensive security awareness program
C. Achievement of established security metrics
D. Approval of the security program by senior management
Answer: B
NO.339 Which of the following is MOST likely to be detected by an IS auditor applying data analytic
techniques?
A. Potentially fraudulent invoice payments originating within the accounts payable department
B. Completion of inappropriate cross-border transmission of personally identifiable information (Pll)
C. Unauthorized salary or benefit changes to the payroll system generated by authorized users
D. Issues resulting from an unsecured application automatically uploading transactions to the general
ledger
Answer: A
NO.340 Which of the following sampling techniques is BEST to use when verifying the operating
65
effectiveness of internal controls during an audit of transactions?

B. Statistical sampling
C. Judgmental sampling
D. Stop-or-go sampling
Answer: B
NO.341 Which of the following governance functions is responsible for ensuring IT projects have
sufficient resources and are prioritized appropriately?
A. Executive management
B. IT management
C. IT steering committee
D. Board of directors
Answer: C
NO.342 During a review of operations, it is noted that during a batch update, an error was detected
and the database initiated a roll-back. An IT operator stopped the roll-back and re-initiated the
update. What should the operator have done PRIOR to re-initiating the update?
A. Determined the cause of the error
B. Obtained approval before re-initiating the update
C. Allowed the roll-back to complete
D. Scheduled the roll-back for a later time
Answer: C
NO.343 Which of the following would BEST provide executive management with current information
on IT related costs and IT performance indicators?
A. Risk register
B. IT service management plan
C. Continuous audit reports
D. IT dashboard
Answer: D
NO.344 Which of the following is the BEST guidance from an IS auditor to an organization planning
an initiative to improve the effectiveness of its IT processes?
A. IT management should include process improvement requirements in staff performance
objectives
B. IT staff should be surveyed to identify current IT process weaknesses and suggest improvements.
C. The organization should refer to poor audit reports to identify the specific IT processes to be
improved
D. The organization should use a capability maturity model to identify current maturity levels for
each IT process.
Answer: D
66
NO.345 Which of the following provides the MOST comprehensive description of Its role in an
organization?
A. IT job description
B. IT organizational chart
C. IT charter
D. IT project portfolio
Answer: D
NO.346 An airlines online booking system uses an automated script that checks whether fares are
within the defined threshold of what is reasonable before the fares are displayed on the website.
Which type of control is in place?
A. Preventer control
B. Corrective control
D. Compensating control
Answer: A
NO.347 The MOST important reason why an IT risk assessment should be updated on a regular basis
is to:
A. comply with risk management policies
B. comply with data classification changes.
C. react to changes in the IT environment.
D. utilize IT resources in a cost-effective manner.
Answer: C
NO.348 A checksum is classified as which type of control?

B. Administrative control
C. Corrective control
D. Preventive control
Answer: D
NO.349 An employee has accidentally posted confidential data to the company's social media page.
Which of the following is the BEST control to prevent this from recurring?
A. Perform periodic audits of social media updates.
B. Implement a moderator approval process.
C. Require all updates to be made by the marketing director.
D. Establish two-factor access control for social media accounts.
Answer: B
NO.350 After an employee termination, a network account was removed, but the application
account remained active.
To keep this issue from recurring, which of the following is the BEST recommendation?
67
A. Leverage shared accounts for the application.

B. Perform periodic access reviews.
C. Retrain system administration staff.
D. Integrate application accounts with network single sign-on.
Answer: D
NO.351 What is the BEST justification for allocating more funds to implement a control for an IT
asset than the actual cost of the IT asset?
A. To protect the associated intangible business value
B. To comply with information security best practices
C. To avoid future audit findings
D. To maintain the residual value of the asset
Answer: A
NO.352 A large insurance company is about to replace a major financial application. Which of the
following is the IS auditor's PRIMARY focus when conducting the pre-implementation review?
A. Procedure updates
B. Migration of data
C. System manuals
D. Unit testing
Answer: B
NO.353 The BEST way to validate whether a malicious act has actually occurred in an application is
to review.
A. change management logs.
B. segregation of duties
C. activity logs
D. access controls
Answer: C
NO.354 An IS auditor is evaluating the risk associated with moving from one database management
system (DBMS) to another. Which of the following would be MOST helpful to ensure the integrity of
the system throughout the change?
A. Preserving the same data inputs
B. Preserving the same data interfaces
C. Preserving the same data classifications
D. Preserving the same data structure
Answer: C
NO.355 During the post-implementation review of an application that was implemented six months
ago which of the following would be MOST helpful in determining whether the application meets
business requirements?
A. Project closure report and lessons-learned documents from the project management office (PMO)
68
B. User acceptance testing (UAT) results and sign-off from users on meeting business requirements
C. Comparison between expected benefits from the business case and actual benefits after
implementation
D. Difference between approved budget and actual project expenditures determined post
implementation
Answer: C
NO.356 Post-implementation testing is an example of which of the following control types?

A. Directive
B. Deterrent
C. Preventive
D. Detective
Answer: D
NO.357 An organization considers implementing a system that uses a technology that is not in line
with the organization's IT strategy. Which of the following is the BEST justification for deviating from
the IT strategy?
A. The system makes use of state-of-the-art technology
B. The organization has staff familiar with the technology
C. The system has a reduced cost of ownership
D. The business benefits are achieved even with extra costs
Answer: D
NO.358 Which of the following falls within the scope of an information security governance
committee?
A. Selecting the organization's external security auditors
B. Approving access to critical financial systems
C. Reviewing content for information security awareness programs
D. Prioritizing information security technology initiatives
Answer: C
NO.359 An IS auditor finds that corporate mobile devices used by employees have varying levels of
password settings.
Which of the following would be the BEST recommendation?
A. Update the acceptable use policy for mobile devices.
B. Encrypt data between corporate gateway and devices.
C. Notify employees to set passwords to a specified length
D. Apply security policy to the mobile devices.
Answer: D
NO.360 Which of the following backup schemes is the BEST option when storage media is limited?
A. Virtual backup
B. Real-time backup
69
C. Full backup
D. backup Differential
Answer: D
NO.361 An IS auditor is reviewing an enterprise database platform. The review involves statistical
methods. Benford analysis, and duplicate checks. Which of the following computer-assisted audit
technique (CAAT) tools would be MOST useful for this review''
A. Continuous and intermittent simulation (CIS)
B. Generalized audit software (GAS)
C. Audit hooks
D. Integrated test facility (ITF)
Answer: B
NO.362 Which of the following is MOST important for an IS auditor to test when reviewing market
data received from external providers?
A. Data encryption configurations
B. Data transformation configurations
C. Data quality controls
D. Data loading controls
Answer: C
NO.363 Which of the following should an IS auditor validate FIRST when reviewing the security of an
organization's IT infrastructure as it relates to Internet of Things (loT) devices?
A. Identification and inventory of loT devices
B. Access control and network segmentation for loT devices
C. Strong password protection for loT devices
D. Physical security of loT devices
Answer: A
NO.364 Which of the following is MOST important to consider when assessing the scope of privacy
concerns for an IT project?
A. Applicable laws and regulations
B. End user access rights
C. Data ownership
D. Business requirements and data flows
Answer: A
NO.365 Which of the following concerns is BEST addressed by securing production source libraries?
A. Changes are applied to the wrong version of production source libraries.
B. Unauthorized changes can be moved into production.
C. Production source and object libraries may not be synchronized.
D. Programs are not approved before production source libraries are updated.
Answer: B
70
NO.366 When performing a post-implementation review, the adequacy of the data conversion
effort would BEST be evaluated by performing a thorough review of the:
A. functional conversion rules
B. go-live conversion results.
C. conversion user acceptance testing (UAT) results.
D. detailed conversion approach templates
Answer: B
NO.367 An IS auditor is evaluating a virtual server environment and teams that the production
server, development server and management console are housed in the same physical host. What
A. The physical host is a single point of failure.
B. The management console is a single point of failure
C. The development server and management console share the same host.
D. The development and production servers share the same host.
Answer: A
NO.368 A project team evaluated vendor responses to a request for proposal (RFP). An IS auditor
reviewing the evaluation process would expect the team to have considered each vendor's:
A. security policy.
B. acceptance test plan
C. financial stability
D. development methodology.
Answer: A
NO.369 Which of the following is MOST critical to include when developing a data loss prevention
(DIP) policy?
A. Identification of enforcement actions
B. Identification of the relevant network channels requiring protection
C. Identification of the users, groups, and roles to whom the policy will apply
D. Identification of the content to protect
Answer: D
NO.370 Which of the following is the BEST way to mitigate the risk associated with a document
storage application that has a syncing feature that could allow malware to spread to other machines
in the network?
A. User behavior modeling and analysis should be performed to discover anomalies in user behavior.
B. Content inspection technologies should be used to scan files for sensitive data.
C. All files should be scanned when they are uploaded to and downloaded from the application.
D. An audit should be conducted to detect shadow data and shadow IT in the network.
Answer: C
NO.371 When evaluating database management practices, which of the following controls would
71
MOST effectively support data integrity?

A. User access controls
B. System edit checks
C. System-generated duplicate transaction reports
D. System processing output balanced to control totals
Answer: B
NO.372 An IS auditor is planning on utilizing attribute sampling to determine the error rate for
health care claims processed. Which of the following factors will cause the sample size to decrease?
A. Tolerable error rate increase
B. Acceptable risk level decrease
C. Expected error rate increase
D. Population size increase
Answer: C
NO.373 An IS auditor is reviewing the change management process in a large IT service organization.
Which of the following observations would be the GREATEST concern?
A. Emergency software releases are not fully documented after implementation
B. User acceptance testing (UAT) can be waived in case of emergency software releases
C. Code is migrated manually into production during emergency software releases
D. A senior developer has permanent access to promote code for emergency software releases
Answer: D
NO.374 Which of the following is MOST important for an IS auditor to verify when evaluating an
organization's firewall?
A. Logs are being collected in a separate protected host.
B. Access to configuration files is restricted.
C. Insider attacks are being controlled.
D. Automated alerts are being sent when a risk is detected.
Answer: A
NO.375 Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts
payable system.
Which of the following is the IS auditor s BEST recommendation for a compensating control?
A. Restrict payment authorization to senior staff members
B. Review payment transaction history.
C. Require written authorization for all payment transactions.
D. Reconcile payment transactions with invoices.
Answer: C
NO.376 An IS auditor is reviewing security policies and finds no mention of the return of corporate-
owned smartphones upon termination of employment. The GREATEST risk arising from this situation
is that unreturned devices:
72
A. cause the asset inventory to be inaccurate.

B. have access to corporate resources
C. result in loss of customer contact details
D. generate excessive telecommunication costs.
Answer: C
NO.377 The CIO of an organization is concerned that the information security policies may not be
comprehensive.
Which of the following should an IS auditor recommend be performed FIRST?
A. Determine if there is j process to handle exceptions to the policies
B. Establish a governance board to track compliance with the policies
C. Obtain a copy of their competitor's policies
D. Compare the policies against an industry framework.
Answer: D
NO.378 Which of the following would BEST enable an IS auditor to perform an audit that requires
testing the full population of data?
A. Expertise in statistical sampling of data
B. Proficiency in the use of data analytics tools
C. Experience in database administration
D. Proficiency in programming and coding
Answer: B
NO.379 Of the following, who are the MOST appropriate staff for ensuring the alignment of user
authorization tables with approved authorization forms?
A. IT managers
B. Database administrators (DBAs)
C. System owners
D. Security administrators
Answer: D
NO.380 Which of the following is the BEST justification for deferring remediation testing until the
next audit?
A. The auditor who conducted the audit
B. Management's planned actions are sufficient given the relative importance of the observations
C. The audit environment has changed significantly
D. Auditee management has accepted all observations reported by the auditor.
Answer: D
NO.381 An IS auditor has obtained a large complex data set for analysis. Which of the following
activities will MOST improve the output from the use of data analytics tools?
A. Data classification
B. Data preparation
73
C. Data masking
D. Data anonymization
Answer: B
NO.382 Which of the following MOST efficiently protects computer equipment against short-term
reductions in electrical power?
A. Surge protection devices
B. Alternative power supplies
C. Power line conditioners
D. Generators
Answer: C
NO.383 During a systems development project, participation in which of the following activities
would compromise the IS auditor's independence?
A. Participating in weekly project management team presentations
B. Making design decisions related to automated controls
C. Recommending which reports are required to be converted
D. Reviewing process for each program specification
Answer: B
NO.384 Which of the following should be defined in an audit charter?

A. Audit methodology
B. Audit schedule
C. Audit results
D. Audit authority
Answer: A
NO.385 Which of the following is the PRIMARY reason an IS auditor should use an IT-related
framework as a basis for scoping and structuring an audit?
A. It provides a foundation to recommend certification of the organization's compliance with the
framework.
B. It simplifies audit planning and reduces resource requirements to complete an audit.
C. It demonstrates to management whether legal and regulatory requirements have been met.
D. It helps ensure comprehensiveness of the review and provides guidance on best practices.
Answer: D
NO.386 Which of the following is MOST important to have in place to build consensus among key
stakeholders on the cost-effectiveness of IT?
A. A uniform IT chargeback process
B. Standardized enterprise architecture (EA)
C. IT project governance and management
D. IT performance monitoring and reporting
Answer: D
74
NO.387 Which of the following analytical methods would be MOST useful when trying to identify
groups with similar behavior or characteristics in a large population?
A. Random sampling
B. Classification
C. Deviation detection
D. Cluster sampling
Answer: D
NO.388 Which of the following issues identified during a postmortem analysis of the IT security
incident response process should be of GREATEST concern?
A. The incident response team did not initiate actions to limit the impact of the incident
B. Incident response team members' contact details were not up to date.
C. The root cause of the incident was not properly identified and documented
D. The incident was caused by an attacker that exploited a zero-day vulnerability.
Answer: A
NO.389 Which of the following approaches would utilize data analytics to facilitate the testing of a
new account creation process?
A. Review new account applications submitted in the past month for invalid dates of birth
B. Evaluate configuration settings for the date of birth field requirements.
C. Review the business requirements document for date of birth field requirements.
D. Attempt to submit new account applications with invalid dates of birth
Answer: D
NO.390 Which of the following testing methods is MOST appropriate for assessing whether system
integrity has been maintained after changes have been made?
A. Regression testing
B. acceptance testing
C. Unit testing
D. Integration testing
Answer: A
NO.391 Segregation of duties would be compromised if:

A. application programmers moved programs into production.
B. application programmers accessed test data.
C. database administrators (DBAs) modified the structure of user tables.
D. operations staff modified batch schedules.
Answer: B
NO.392 Which of the following is the MOST important consideration for building resilient systems?
A. Eliminating single points of failure
B. Performing periodic backups
75
C. Creating disaster recovery plans (DRPs)

D. Defining recovery point objectives (RPOs)
Answer: C
NO.393 An organization is within a jurisdiction where new regulations have recently been
announced to restrict cross-border data transfer of personally identifiable information (PIl). Which of
the following IT decisions will MOST likely need to be assessed in the context of this?
A. Hiring IT consultants from overseas
B. Purchasing cyber insurance from an overseas insurance company
C. Applying encryption to databases hosting PII data
D. Hosting the payroll system at an external cloud service provider
Answer: D
NO.394 Which of the following should MOST concern an IS auditor reviewing an intrusion detection
system (IDS)?
A. Number of false negatives
B. Legitimate traffic blocked by the system
C. Number of false positives
D. Reliability of IDS logs
Answer: C
NO.395 Within the context of an IT-related governance framework, which type of organization
would be considered MOST mature?
A. An organization in which processes are repeatable and results periodically reviewed
B. An organization m a state of dynamic growth with continuously updated policies and procedures
C. An organization with established sets of documented standard processes
D. An organization with processes systematically managed by continuous improvement
Answer: D
NO.396 An IS auditor is using data analytics in an audit and has obtained the data to be used for
testing. Which of the following is the MOST important task before testing begins?
A. Verify data analytics test scripts
B. Select the analytical sampling model
C. Document the method used to obtain the data
D. Verify the completeness and accuracy of the data
Answer: C
NO.397 Which of the following is MOST important to ensure when reviewing a global organization's
controls to protect data held on its IT infrastructure across all of its locations?
A. Relevant data protection legislation and regulations for each location are adhered to.
B. Technical capabilities exist in each location to manage the data and recovery operations
C. The capacity of underlying communications infrastructure in the host locations is sufficient.
D. The threat of natural disasters in each location hosting infrastructure has been accounted for.
76
Answer: A
NO.398 Which of the following MUST be completed before selecting and deploying a biometric
system that uses facial recognition software?
A. Privacy impact analysts
B. Vulnerability assessment
C. Image interference review
D. False acceptance testing
Answer: D
NO.399 Which of the following should an IS auditor expect to see in a network vulnerability
assessment?
A. Misconfiguration and missing updates
B. Malicious software and spyware
C. Zero-day vulnerabilities
D. Security design flaws
Answer: A
NO.400 The BEST indicator of an optimized quality management system (QMS) is that it
A. is endorsed by senior management
B. is integrated and enforced in all IT activities
C. defines and monitors all IT QMS activities
D. aligns with an industry recognized framework
Answer: B
NO.401 Which sampling method should an IS auditor employ when the likelihood of exceptions
existing in the population is low?
A. Discovery sampling
B. Random sampling
C. Interval sampling
D. Unit sampling
Answer: A
NO.402 Which of the following is a determine security control that reduces the likelihood of an
insider threat event?
A. Removing malicious code
B. Creating contingency plans
C. Distributing disciplinary policies
D. Executing data recovery procedures
Answer: A
NO.403 During a review of the IT strategic plan, an IS auditor finds several IT initiatives focused on
delivering new systems and technology are not aligned with the organization's strategy. Which of the
77
following would be the IS auditor's BEST recommendation?

A. Modify IT initiatives that do not map to business strategies.
B. Reassess IT initiatives that do not map to business strategies.
C. Utilize a balanced scorecard to align IT initiatives to business strategies.
D. Reassess the return on investment (ROI) for the IT initiatives.
Answer: C
NO.404 Which of the following would BEST demonstrate that an effective disaster recovery plan
(DRP) is in place?
A. Periodic risk assessment
B. Full operational test
C. Frequent testing of backups
D. Annual walk-through testing
Answer: B
NO.405 Which of the following clauses is MOST important to include in a contract to help maintain
data privacy in the event a Platform as a Service (PaaS) provider becomes financially insolvent?
A. Intellectual property protection
B. Software escrow
C. Data classification
D. Secure data destruction
Answer: D
NO.406 To help ensure the accuracy and completeness of end-user computing output it is MOST
important to include strong:
A. documentation controls.
B. change management controls.
C. access management controls
D. reconciliation controls
Answer: D
NO.407 Secure code reviews as part of a conbnuous deployment program are which type of control
?
A. Logical
B. Detective
C. Preventive
D. Corrective
Answer: C
NO.408 Which of the following is MOST important for an IS auditor to confirm when conducting a
review of an active-active application cluster configuration?
A. The IT operations team maintains a version history of the cluster software.
B. Results from recent user satisfaction surveys meet operational targets.
78
C. The cluster switches between active-active and active-passive configurations.

D. The cluster configuration includes adequate network bandwidth.
Answer: D
NO.409 When reviewing a contract for a disaster recovery hot site, which of the following would be
the MOST significant omission?
A. Equipment provided
B. Testing procedures
C. Audit rights
D. Exposure coverage
Answer: C
NO.410 Which of the following should be an IS auditor's PRIMARY consideration when evaluating
the development and design of a privacy program?
A. Information security and incident management practices
B. Industry practice and regulatory compliance guidance
C. Data governance and data classification procedures
D. Policies and procedures consistent with privacy guidelines
Answer: D
NO.411 An IS auditor reviewing a high-risk business application has identified the need to
strengthen controls for reporting malfunctions to management Which of the following would BEST
facilitate timely reporting?
A. Change prioritization
B. Security event logging
C. Performance monitoring
D. Incident management procedures
Answer: C
NO.412 Which of the following would be MOST time and cost efficient when performing a control
self-assessment (CSA) for an organization with a large number of widely dispersed employees?
A. Facilitated workshops
B. Survey questionnaire
C. Face-to-face interviews
D. Top-down and bottom-up analysis
Answer: B
NO.413 When auditing the alignment of IT to the business strategy, it is MOST important (or the IS
auditor to:
A. evaluate deliverables of new IT initiatives against planned business services.
B. ensure an IT steering committee is appointed to monitor new IT projects.
C. interview senior managers (or their opinion of the IT function.
D. compare the organization's strategic plan against industry best practice.
79
Answer: A
NO.414 An IS auditor's PRIMARY objective when examining problem reports should be to help
ensure:
A. problems are resolved in a cost-effective manner.
B. every problem is classified appropriately.
C. problems are only escalated to senior management when necessary.
D. every problem is assigned to an individual for resolving.
Answer: B
NO.415 Which of the following is the PRIMARY purpose of conducting follow-up audits for material
observations?
A. To assess evidence for management reporting
B. To validate the correctness of reported findings
C. To validate remediation efforts
D. To assess the risk of the audit environment
Answer: C
NO.416 When implementing a new IT maturity model which of the following should occur FIRST?
A. Define the target IT maturity level
B. Develop performance metrics
C. Determine the model elements to be evaluated
D. Benchmark with industry peers
Answer: A
NO.417 An organization that has suffered a cyber attack is performing a forensic analysis of the
affected users' computers Which of the following should be of GREATEST concern for the IS editor
reviewing this process?
A. Audit was only involved during extraction of the information.
B. The legal department has not been engaged.
C. The chain of custody has not been documented
D. An imaging process was used to obtain a copy of the data from each computer.
Answer: C
NO.418 Which of the following provides an IS auditor the MOST assurance that an organization is
compliant with legal and regulatory requirements?
A. Senior management has provided attestation of legal and regulatory compliance
B. Controls associated with legal and regulatory requirements have been identified and tested
C. There is no history of complaints or fines from regulators regarding noncompliance
D. The IT manager is responsible for the organization s compliance with legal and regulatory
requirements.
Answer: B
80
NO.419 What is the BEST control to address SQL injection vulnerabilities?

A. Input validation
B. Unicode translation
C. Secure Sockets Layer (SSL) encryption
D. Digital signatures
Answer: C
NO.420 Which of the following is the MAIN benefit of using data analytics when testing the
effectiveness of controls?
A. Analytics can be applied to any type of control
B. Analytics remove the need to focus on areas of higher risk
C. The demand for IS auditors is reduced over time
D. The full population can be tested.
Answer: D
NO.421 Which of the following reports would provide the GREATEST assurance to an IS auditor
about the controls of a third party that processes critical data for the organization?
A. Independent control assessment
B. Black box penetration test report
C. Vulnerability scan report
D. The third party's control self-assessment (CSA)
Answer: A
NO.422 Which of the following control checks would utilize data analytics?
A. Evaluating configuration settings for the credit card application system
B. Reviewing credit card applications submitted in the past month for blank data fields
C. Attempting to submit credit card applications with blank data fields
D. Reviewing the business requirements document for the credit card application system
Answer: B
NO.423 Which of the following would be the GREATEST risk associated with a new chat feature on a
retailer's website?
A. Productivity loss
B. Reputational damage
C. System downtime
D. Data loss
Answer: D
NO.424 The PRIMARY objective of IT service level management is to.

A. satisfy customer requirements.
B. manage computer operations activities.
C. improve IT cost control
D. increase awareness of IT services
81
Answer: A
NO.425 Which of the following technologies has the SMALLEST maximum range for data
transmission between devices?
A. Near-field communication (NFC)
B. Long-term evolution (LTE)
C. Bluetooth
D. Wi-Fi
Answer: A
NO.426 When of the following is to MOST important consideration when prioritizing IT system for
penetration testing?
A. Threat intelligence relevant to the systems
B. Network topology or architecture of the systems
C. Accessibility of the systems via the Internet
D. Upstream and downstream data flows of the systems
Answer: A
NO.427 An IS auditors independence with respect to the audit of an application system is MOST
likely to be impaired if the auditor
A. designed an embedded audit module for the application
B. knows that the application contains the auditors personal transactions
C. reports to an individual responsible ta the application
D. performed a development review of the application.
Answer: C
NO.428 Which of the following cloud deployment models would BEST meet the needs of a startup
software development organization with limited initial capital?
A. Community
B. Public
C. Hybrid
D. Private
Answer: B
NO.429 An organization is developing data classification standards and has asked internal audit for
advice on aligning the standards with best practices. Internal audit would MOST likely recommend
the standards should be:
A. based on the results of an organization -wide risk assessment.
B. based on the business requirements for authentication of the information.
C. aligned with the organization's segregation of duties requirements.
D. based on the business requirements for confidentiality of the information.
Answer: A
82
NO.430 Which of the following is the BEST recommendation to prevent fraudulent electronic funds
transfers by accounts payable employees?
A. Independent reconciliation
B. Periodic vendor reviews
C. Dual control
D. Re-keying of monetary amounts
Answer: C
NO.431 An organization s audit charter PRIMARILY:

A. formally records the annual and quarterly audit plans
B. documents the audit process and reporting standards
C. describes the auditors' authority to conduct audits
D. defines the auditors' code of conduct
Answer: C
NO.432 Which of the following is found in an audit charter?

A. Audit objectives and scope
B. Required training for audit staff
C. The process of developing the annual audit plan
D. The authority given to the audit function
Answer: A
NO.433 Which of the following should be the PRIMARY basis for prioritizing follow-up audits?
A. Complexity of management's action plans
B. Recommendation from executive management
C. Audit cycle defined in the audit plan
D. Residual risk from the findings of previous audits
Answer: D
NO.434 A new application will require multiple interfaces. Which of the following testing methods
can be used to detect interface errors early in the development life cycle1?
A. Bottom up
B. Acceptance
C. Top down
D. Sociability
Answer: D
NO.435 Which of the following would lead an IS auditor to conclude that the evidence collected
during a digital forensic investigation would not be admissible in court?
A. The evidence was not fully backed up using a cloud-based solution prior to the trial.
B. The evidence was collected by the Internal forensics team.
C. The logs failed to identify the person handling the evidence.
D. The person who collected the evidence is not qualified to represent the case.
83
Answer: C
NO.436 An organization wants to replace its suite of legacy applications with a new, in-house
developed solution.
Which of the following is the BEST way to address concerns associated with migration of all mission-
critical business functionality?
A. Strengthen governance by hiring certified and qualified project managers for the migration.
B. Expedite go-live by migrating in a single release to allow more time for testing in production.
C. Plan multiple releases to gradually migrate subsets of functionality to reduce production risk.
D. Increase testing efforts so that all possible combinations of data have been tested prior to go-live.
Answer: C
NO.437 During a review, an IS auditor discovers that corporate users are able to access cloud-based
applications and data (rom any Internet-connected web browser. Which of the following is the
auditor's BEST recommendation to help prevent unauthorized access?
A. Update security policies and procedures.
B. Implement multi-factor authentication.
C. Utilize strong anti-malware controls on all computing devices.
D. Implement an intrusion detection system (IDS).
Answer: B
NO.438 Which of the following BEST enables system resiliency for an e-commerce organization that
requires a low recovery time objective (RTO) ana a few recovery point objective (RPO)?
A. Remote backups
B. Redundant arrays
C. Nightly backups
D. Mirrored sites
Answer: D
NO.439 A financial institution is launching a mobile banking service utilizing multi-factor

authentication. This access control is an example of which of the following?
A. Corrective control
D. Preventive control
Answer: D
NO.440 An IS audit reveals an organization's IT department reports any deviations from its security
standards to an internal IT risk committee involving IT senior management. Which of the following
should be the IS auditor's GREATEST concern?
A. The list of IT risk committee members does not include the board member responsible for IT.
B. The IT risk committee has no reporting line to any governance committee outside IT.
C. The IT risk committee meeting minutes are not signed off by all participants.
84
D. The chief information officer (CIO) did not attend a number of IT risk committee meetings during
the past year.
Answer: B
NO.441 Code changes are compiled and placed in a change folder by the developer. An
implementation learn migrates changes to production from the change folder. Which of the following
BEST indicates separation of duties is in place during the migration process?
A. A second individual performs code review before the change is released to production.
B. The implementation team does not have access to change the source code.
C. The implementation team does not have experience writing code.
D. The developer approves changes prior to moving them to the change folder.
Answer: B
NO.442 Management has decided to include a compliance manager in the approval process for a
new business that may require changes to tie IT infrastructure. Which of the following is the
GREATEST benefit of this approach?
A. Process accountabilities to external stakeholders are improved
B. Security breach incidents can be identified in early stages
C. Fewer views are needed when updating the IT compliance process
D. Regulatory risk exposures can be identified before they materialize
Answer: D
NO.443 An organization has established hiring policies and procedures designed specifically to
ensure network administrators are well qualified. Which type of control is in place?
A. Detective
B. Directive
C. Corrective
D. Preventive
Answer: A
NO.444 Which of the following is MOST important to include within a business continuity plan (BCP)
so that backup and replication is configured in a way that ensures data availability?
A. Recovery time objective (RTO)
B. Resource management plan
C. Disaster recovery location site
D. Recovery point objective (RPO)
Answer: D
NO.445 The use of control totals reduces the risk of

A. posting to the wrong record
B. improper authorization
C. incomplete processing
D. improper backup.
85
Answer: C
NO.446 The IS quality assurance (OA) group is responsible for

A. ensuring that program changes adhere to established standards.
B. monitoring the execution of computer processing tasks
C. designing procedures to protect data against accidental disclosure.
D. ensuring that the output received from system processing is complete.
Answer: A
NO.447 After the release of an application system, an IS auditor wants to verify that the system is
providing value to the organization. The auditor's BEST course of action would be to:
A. Quantify improvements in client satisfaction
B. Perform a gap analysis against the benefits defined in the business case
C. Review the results of compliance testing
D. Confirm that risk has declined since the application system release
Answer: B
NO.448 When conducting a requirements analysis for a project the BEST approach would be to
A. consult key stakeholders
B. prototype the requirements
C. test operational deliverables
D. conduct a control self-assessment (CSA)
Answer: D
NO.449 An organization recently switched vendors to perform hardware service and maintenance.
The new contract specifies a longer response time than the organization's requirement's. Which of
the following is the GREATEST risk of this change?
A. Disaster recovery plans (DRPs) may have increased dependence on the new vendor.
B. There may be an increase of shadow IT occurrences.
C. Unexpected downtime may impact key business processes.
D. Business data may be lost in the event of system failure.
Answer: D
NO.450 The BEST way to prevent fraudulent payments is to implement segregation of duties
between the vendor setup and:
A. product registration
B. payroll processing
C. payment processing
D. procurement
Answer: C
NO.451 To develop a robust data security program, the FIRST course of action should be to:
A. perform an inventory of assets.
86
B. implement data loss prevention controls.

C. interview IT senior management.
D. implement monitoring, controls
Answer: A
NO.452 A third-party service provider is hosting a private cloud for an organization. Which of the
following findings during an audit of the provider poses the GREATEST risk to the organization?
A. 2% of backups had to be rescheduled due to backup media failures.
B. The organization's virtual machines share the same hypervisor with virtual machines of other
clients.
C. Two different hypervisor versions are used due to the compatibility restrictions of some virtual
machines.
D. 5% of detected incidents exceeded the defined service level agreement (SLA) for escalation.
Answer: B
NO.453 During a disaster recovery audit, an IS auditor finds that a business impact analysis (BIA) has
not been performed The auditor should FIRST.
A. evaluate the impact on current disaster recovery capability.
B. issue an intermediate report to management
C. conduct additional compliance testing
D. perform business impact analysis
Answer: B
NO.454 An organization has recently implemented a Voice-over IP (VoIP) communication system.

Which of the following should be the IS auditor's PRIMARY concern?
A. Lack of integration of voice and data communications
B. A single point of failure for both voice and data communications
C. Voice quality degradation due to packet loss
D. Inability to use virtual private networks (VPNs) for internal traffic
Answer: A
NO.455 Which of the following is the MAJOR advantage of automating internal controls?
A. To enable the review of large value transactions
B. To help identify transactions with no segregation of duties
C. To assist in performing analytical reviews
D. To efficiently test large volumes of data
Answer: D
NO.456 When developing customer-tearing IT applications, in which stage of the system

development the cycle (SDLC) is it MOST beneficial to consider data privacy principles?
A. Requirements definition
B. User acceptance testing (UAT)
C. Systems design and architecture
87
D. Software selection and acquisition

Answer: D
NO.457 Coding standards provide which of the following?

A. Field naming conventions
B. Access control tables
C. Data flow diagrams
D. Program documentation
Answer: A
NO.458 Which of the following provides the MOST useful information for performing a business
impact analysis (BIA)?
A. Documentation of application configurations
B. Inventory of relevant business processes
C. Results of business resumption planning efforts
D. Policies for business procurement
Answer: B
NO.459 For a company that outsources payroll processing, which of the following is the BEST way to
ensure that only authorized employees are paid?
A. Only payroll employees should be given the password for data entry and report retrieval.
B. Employees should receive pay statements showing gross pay, net pay. and deductions.
C. The company's bank reconciliations should be independently prepared and checked.
D. Electronic payroll reports should be independently reviewed.
Answer: D
NO.460 Which of the following should be of GREATEST concern to an IS auditor planning to employ
data analytics in an upcoming audit?
A. Data fields are used for multiple purposes
B. There is no documented data model.
C. Data is from the previous reporting period
D. Available data is incomplete
Answer: C
NO.461 Which of the following would MOST likely impair the independence of the IS auditor when
performing a post-implementation review of an application system?
A. The IS auditor implemented a specific control during the development of the application system.
B. The IS auditor designed an embedded audit module exclusively for auditing the application
system.
C. The IS auditor participated as a member of the application system pro)ecl team.
but did not have operational responsibilities.
D. The IS auditor provided consulting advice concerning application system best practices.
Answer: B
88
NO.462 To protect information assets, which of the following should be done FIRST?
A. Encrypt data.
B. Restrict access to data.
C. Back up data.
D. Classify data.
Answer: D
NO.463 An organization is in the process of deciding whether to allow a bring your own device
(BYOD) program. If approved, which of the following should be the FIRST control required before
implementation''
A. Device registration
B. An acceptable use policy
C. Device baseline configurations
D. An awareness program
Answer: B
NO.464 Which of the following would be MOST important to update once a decision has been made
to outsource a critical application to a cloud service provider?
A. IT budget
B. Business impact analysis (BIA)
C. IT resource plan
D. Project portfolio
Answer: B
NO.465 In a situation where the recovery point objective (RPO) is 0 for an online transaction
processing system, which of the following is MOST important for an IS auditor to verify?
A. The application has a clustered architecture to ensure high availability
B. Synchronous data mirroring is implemented between the data centers
C. IT is able to recover system functionality in the shortest possible time frame
D. Daily backups are created and backup media are verified
Answer: B
NO.466 Which of the following is the MOST effective sampling method for an IS auditor to use for
identifying fraud and circumvention of regulations?
A. Discovery sampling
B. Stop-or-go sampling
C. Statistical sampling
D. Variable sampling
Answer: A
NO.467 Which of the following is the MOST appropriate role for an IS auditor assigned as a team
member for a software development project?
89
A. Developing user acceptance testing (UAT) scripts

B. Implementing controls within the software
C. Monitoring assessed risk for the project
D. Performing a mid-term evaluation of the project management process
Answer: C
NO.468 An organization transmits large amount of data from one internal system to another. The IS
auditor is reviewing quality of the data at the originating point. Which of the following should the
auditor verify first?
A. The data has been encrypted
B. The data extraction process is completed
C. The data transformation is accurate
D. The source data is accurate
Answer: D
NO.469 Which of the following security testing techniques is MOST effective in discovering unknown
malicious attacks?
A. Penetration testing
B. Sandboxing
C. Vulnerability testing
D. Reverse engineering
Answer: A
NO.470 Which of the following is MOST important to ensure when planning a black box penetration
test?
A. The test results will be documented and communicated to management.
B. Diagrams of the organization s network architecture are available.
C. The environment and penetration test scope have been determined.
D. The management of the client organization is aware of the testing.
Answer: C
NO.471 Which of the following is the BEST control to mitigate the malware risk associated with an
instant messaging (IM) system1?
A. Allowing only corporate IM solutions
B. Encrypting IM traffic
C. Blocking external IM traffic
D. Blocking attachments in IM
Answer: A
NO.472 A user of a telephone banking system has forgotten his personal identification number
(PIN), after the user has been authenticated, the BEST method of issuing a new pin is to have:
A. A randomly generated pin communicated by banking personnel
B. Banking personnel assign the user a new PIN via email
90
C. The user enter a new PIN twice

D. Banking personnel verbally assign a new PIN
Answer: C
NO.473 Which of the following demonstrates the use of data analytics for a loan origination
process?
A. Evaluating whether loan records are included in the batch file and are validated by the servicing
system
B. Validating whether reconciliations between the two systems are performed and discrepancies are
investigated
C. Reviewing error handling controls to notify appropriate personnel in the event of a transmission
failure
D. Comparing a population of loans input in the origination system to loans booked on the servicing
system
Answer: B
NO.474 Which of the following areas of responsibility would cause the GREATEST segregation of
duties conflict if the individual who performs the related tasks also has approval authority?
A. Purchase requisitions and purchase orders
B. Vendor selection and statements of work
C. Invoices and reconciliations
D. Goods receipts and payments
Answer: D
NO.475 When an organization introduces virtualization into its architecture, which of the following
should be an IS auditor's PRIMARY area of focus to verify adequate protection?
A. Shared storage space
B. Host operating system configuration
C. Maintenance cycles
D. Multiple versions of the same operating system
Answer: B
NO.476 An organization has replaced all of the storage devices at its primary data center with new
higher capacity units The replaced devices have been installed at the disaster recovery site to replace
older units An IS auditor s PRIMARY concern would be whether.
A. the recovery site devices can handle the storage requirements
B. a hardware maintenance contract is in place for both old and new storage devices
C. the relocation plan has been communicated to all concerned parties
D. the procurement was in accordance with corporate policies and procedures
Answer: D
NO.477 Which of the following is MOST important to ensure that electronic evidence collected
during a forensic investigation will be admissible in future legal proceeding?
91
A. Documentation evidence handling by personnel throughout the forensic investigation

B. Engaging an independent third party to perform the forensic investigation
C. Restricting evidence access to professionally certified forensic investigation
D. Performing investigate procedures on the original hard drives rather than images of the hard
drives
Answer: C
NO.478 Due to a global pandemic, a health organization has instructed its employees to work from
home as much as possible. The employees communicate using instant messaging Which of the
following is the GREATEST risk in this situation?
A. Home office setups may not be compliant with workplace health and safety requirements.
B. Employee productivity may decrease when working from home.
C. The capacity of servers may not allow all users to connect simultaneously
D. Employees may exchange patient information through less secure methods.
Answer: D
NO.479 An IS auditor is assessing the results of an organization's post-implementation review of a

newly developed information system. Which of the following should be the auditor's MAIN focus?
A. Benefits realization analysis has been completed
B. The disaster recovery plan (DRP) has been updated
C. The procurement contract has been closed
D. Lessons learned have been identified
Answer: A
NO.480 What would be of GREATEST concern to an IS auditor observing shared key cards being
utilized to access an organization's data center?
A. The lack of a multi-factor authentication system
B. The lack of enforcement of organizational policy and procedures
C. The inability to identify who has entered the data center
D. The inability to track the number of misplaced cards
Answer: C
NO.481 Which of the following should be reviewed FIRST when assessing the effectiveness of an
organization's network security procedures and controls?
A. Vulnerability remediation
B. Inventory of authorized devices
C. Malware defenses
D. Data recovery capability
Answer: B
NO.482 A senior auditor is reviewing work papers prepared by a junior auditor indicating that a
finding was removed after the auditee said they corrected the problem. Which of the following is the
senior auditor's MOST appropriate course of action?
92
A. Have the finding reinstated

B. Ask the auditee to retest
C. Refer the issue to the audit director
D. Approve the work papers as written
Answer: B
NO.483 When planning an end-user computing (EUC) audit, it is MOST important for the IS auditor
to:
A. determine EUC materiality and complexity thresholds.
B. evaluate EUC threats and vulnerabilities.
C. obtain an inventory of EUC applications.
D. evaluate the organization's EUC policy.
Answer: D
NO.484 Spreadsheets are used to calculate project cost estimates Totals for each cost category are
then keyed into the job-costing system. What is the BIST control to ensure that data are accurately
entered into the system?
A. Validity checks preventing entry of character data
B. Reconciliation total amounts by project
C. Display back of project detail after entry
D. Reasonableness checks for each cost type
Answer: B
NO.485 MOST effective way to determine if IT is meeting business requirements is to establish:

A. a capability model.
B. industry benchmarks
C. key performance indicators (KPls).
D. organizational goals.
Answer: C
NO.486 An IS auditor observes that exceptions have been approved (or an organization's
information security policy.
Which of the following is MOST important for the auditor to confirm?
A. Exceptions are approved by the board of directors.
B. Exceptions are approved for predefined periods.
C. Exceptions require changes to the policy.
D. Exceptions do not change residual risk.
Answer: D
NO.487 Which of the following should be of GREATEST concern to an IS auditor testing interface
controls for an associated bank wire transfer process?
A. Data is not independently verified by a third party.
B. Data in the bank's wire transfer system does not reconcile with transferred data.
93
C. Customer-provided information does not appear to be accurate.

D. The wire transfer was not completed with the most recent secure protocol.
Answer: B
NO.488 Which of the following is the MOST important process to ensure planned IT system changes
are completed in an efficient manner?
A. Incident management
B. Demand management
C. Release management
D. Configuration management
Answer: C
NO.489 Which of the following should be of GREATEST concern to an IS auditor conducting an audit
of an organization that recently experienced a ransomware attack?
A. Backups were only performed within the local network.
B. Employees were not trained on cybersecurity policies and procedures.
C. The most recent security patches were not tested prior to implementation.
D. Antivirus software was unable to prevent the attack even though it was properly updated.
Answer: A
NO.490 Which of the following is MOST useful for determining whether the goals of IT are aligned
with the organization's goals?
A. Enterprise architecture (EA)
B. Key performance indicators (KPIs)
C. Enterprise dashboard
D. Balanced scorecard
Answer: B
NO.491 Which of the following is an example of a preventative control in an accounts payable

system?
A. The system produces daily payment summary reports that staff use to compare against invoice
totals.
B. Policies and procedures are clearly communicated to all members of the accounts payable
department.
C. The system only allows payments to vendors who are included in the system's master vendor list.
D. Backups of the system and its data are performed on a nightly basis and tested periodically.
Answer: C
NO.492 An organization is experiencing a large number of phishing attacks targeting employees and
executives following a press release announcing an acquisition Which of the following would provide
the BEST defense against these attacks?
A. Require signed acknowledgment of the organization's security policy
B. Conduct organization-wide awareness training
94
C. Install spam filters on the acquired systems

D. Deploy intrusion detection and prevention systems
Answer: A
NO.493 During a review of a production schedule, an IS auditor observes that a staff member is not
complying with mandatory operational procedures. The auditor's NEXT step should be to:
A. Issue an audit memorandum identifying the incompliance
B. Include the noncompliance in the audit report
C. Determine why the procedures were not followed
D. Note the noncompliance in the audit working papers
Answer: D
NO.494 The decision to accept an IT control risk related to data quality should be the responsibility
of the:
A. information security team.
B. chief information officer (CIO).
C. business owner.
D. IS audit manager.
Answer: C
NO.495 A recent audit identified duplicate software licenses and technologies. Which of the
following would be MOST helpful to prevent this type of duplication in the future?
A. Centralizing IT procurement and approval practices
B. Updating IT procurement policies and procedures
C. Conducting periodic inventory reviews
D. Establishing a project management office
Answer: A
NO.496 Which of the following would BEST enable an organization to address the security risks
associated with a recently implemented bring your own device (BYOD) strategy?
A. Mobile device testing program
B. Mobile device tracking program
C. Mobile device awareness program
D. Mobile device upgrade program
Answer: C
NO.497 When evaluating an IT organizational structure, which of the following is MOST important to
ensure has been documented?
A. Human resources (HR) policy on organizational changes
B. Provisions for cross-training
C. Succession and promotion plans
D. Job functions and duties
Answer: C
95
NO.498 What would be an IS auditor's BEST recommendation upon finding that a third-party IT
service provider hosts the organization's human resources (HR) system in a foreign country?
A. Perform background verification checks.
B. Implement change management review.
C. Conduct a privacy impact analysis.
D. Review third-party audit reports.
Answer: C
NO.499 Which of the following BEST determines if a batch update job was successfully executed?
A. Obtaining process owner confirmation that the job was completed
B. Verifying the timestamp from the job log
C. Reviewing a copy of the script for the job
D. Testing a sample of transactions to confirm updates were applied
Answer: C
NO.500 A multinational organization is integrating its existing payroll system with a human resource
information system. Which of the following should be of GREATEST concern to the IS auditor?
A. Application interfaces
B. Scope creep
C. System documentation
D. Currency conversion
Answer: C
NO.501 During a review of IT service desk practices, an IS auditor notes that help desk personnel are
spending more time fulfilling user requests (or password resets than resolving critical incidents.
Which of the following recommendations to IT management would BEST address this situation?
A. Implement a self-service solution and redirect users to access frequently requested services.
B. Incentivize service desk personnel to close incidents within agreed service levels.
C. Calculate the age of incident tickets and alert senior IT personnel when they exceed service level
agreements (SLAs).
D. Provide annual password management training to end users to reduce the number of instances
requiring password resets.
Answer: A
NO.502 An IS auditor is assessing an organization's data loss prevention (DLP) solution for protecting
intellectual property from insider theft. Which of the following would the auditor consider MOST
important for effective data protection?
A. Creation of DLP policies and procedures
B. Encryption of data copied to flash drives
C. Employee training on information handling
D. Identification and classification of sensitive data
Answer: D
96
NO.503 Which of the following provides the BEST method for maintaining the security of corporate
applications pushed to employee-owned mobile devices?
A. Disabling unnecessary network connectivity options
B. Implementing mobile device management (MDM)
C. Enabling remote data destruction capabilities
D. Requiring security awareness training for mobile users
Answer: C
NO.504 Which of the following is MOST effective in detecting an intrusion attempt?

A. Installing biometrics-based authentication
B. Using smart cards with one-time passwords
C. Analyzing system logs
D. Using packer finer software
Answer: C
NO.505 Capacity management enables organizations to:

A. establish the capacity of network communication links.
B. forecast technology trends.
C. determine business transaction volumes.
D. identify the extent to which components need to be upgraded.
Answer: C
NO.506 Which of the following is the GREATEST risk associated with the use of instant messaging
(IM)?
A. Data leakage
B. Loss of employee productivity
C. Internet Protocol (IP) address spoofing
D. Excess bandwidth consumption
Answer: A
NO.507 A company laptop has been stolen and all photos on the laptop have been published on
social media. Which of the following is the IS auditor's BEST course of action?
A. Determine if the laptop had the appropriate level of encryption
B. Verify the organization's incident reporting policy was followed
C. Ensure that the appropriate authorities have been notified
D. Review the photos to determine whether they were for business or personal purposes
Answer: B
NO.508 An IS auditor is evaluating a virtual server environment and learns that the production
server, development server, and management console are housed in the same physical host. What
should be the auditor's PRIMARY concern?
A. The physical host is a single point of failure
B. The management console is a single point of failure.
97
C. The development server and management console share the same host
D. The development and production servers share the same host
Answer: B
NO.509 Which of the following is the BEST way to mitigate the risk associated with technology
obsolescence?
A. Invest in current technology
B. Create a technology watch team that evaluates emerging trends.
C. Make provisions In the budgets for potential upgrades.
D. Create tactical and strategic IS plans
Answer: D
NO.510 During an audit of an access control system an IS auditor finds that RFID card readers are
not connected via the network to a central server Which of the following is the GREATEST risk
associated with this finding?
A. Incidents cannot be investigated without a centralized log file
B. Card reader firmware updates cannot be rolled out automatically.
C. Lost or stolen cards cannot be disabled immediately.
D. The system is not easily scalable to accommodate a new device
Answer: C
NO.511 Which of the following is the BEST point in time to conduct a post-implementation review
(PIR)?
A. After a full processing cycle
B. Immediately after deployment
C. To coincide with annual PIR cycle
D. Six weeks after deployment
Answer: B
NO.512 An IS auditor was involved in the design phase for a new system's security architecture. For
the planned post-implementation audit which of the following would be the MOST appropriate
course of action for the auditor?
A. Have another auditor review the security architecture.
B. Disclose the independence Issues in the audit report.
C. Change the audit scope to exclude security architecture.
D. Postpone the post-implementation audit to a later date.
Answer: A
NO.513 Following the sale of a business division, employees will be transferred to a new
organization, but they will retain access to IT equipment from the previous employer. An IS auditor
has recommended that both organizations agree to and document an acceptable use policy for the
equipment. What type of control has been recommended?
98
C. Preventive control
Answer: A
NO.514 Which of the following is the PRIMARY purpose of quality assurance (QA) within an IS audit
department?
A. To ensure conclusions are reliable and no false assurance is given
B. To regularly assess and improve audit methodology
C. To enforce audit policies and identify any deviations
D. To confirm audit practice is aligned with industry standards and benchmarks
Answer: B
NO.515 Which of the following is the role of audit leadership in ensuring the quality of audit and
engagement performance?
A. Ensuring audit customers remain highly satisfied with the quality of audit performance
B. Reviewing identified risks to ensure associated processes are included in the audit program
C. Reviewing key performance results to ensure process improvements are implemented
D. Ensuring the scope of peer quality assurance (QA) reviews is sufficient to address board concerns
Answer: C
NO.516 Which of the following is MOST helpful in preventing a systems failure from occurring when
an application is replaced using the abrupt changeover technique?
A. Comprehensive testing
B. Comprehensive documentation
C. Threat and risk assessment
D. Change management
Answer: D
NO.517 To help determine whether a controls-reliant approach to auditing financial systems r a

company should be used which sequence of IS audit work is MOST appropriate'
A. Review of application controls followed by a test of key business process controls
B. Review of major financial applications followed by a review of IT governance processes
C. Review of the general IS controls followed by a review of the application controls
D. Detailed examination of financial transactions followed by review of the general ledger
Answer: A
NO.518 An employee transfers from an organization's risk management department to become the
lead IS auditor.
While in the risk management department, the employee helped developed the key performance
indicators (KPIs) now used by the organization. Which of the following would pose the GREATEST
threat to the independence of this auditor?
A. Evaluating the effectiveness of IT risk management process
99
B. Developing KPIs to measure the internal audit team

C. Recommending controls to address the IT risks identified by KPIs
D. Training the IT audit team on IT risk management process
Answer: A
NO.519 An IS auditor is reviewing documentation of application systems change control and

identifies several patches that were not tested before being put into production. Which of the
following is the MOST significant risk from this situation?
A. Lack of system integrity
B. Outdated system documentation
C. Loss of application support
D. Developer access to production
Answer: A
NO.520 Which of the following should be of GREATEST concern to an IS auditor reviewing actions
taken during a forensic investigation?
A. The investigation report does not indicate a conclusion.
B. An image copy of the attacked system was not taken.
C. The proper authorities were not notified.
D. The handling procedures of the attacked system are not documented.
Answer: C
NO.521 Which of the following BEST ensures the quality and integrity of test procedures used in
audit analytics?
A. Developing and communicating test procedure best practices to audit teams
B. Centralizing procedures and implementing change control
C. Developing and implementing an audit data repository
D. Decentralizing procedures and implementing periodic peer review
Answer: B
NO.522 The use of symmetric key encryption controls to protect sensitive data transmitted over a
communications network requires that.
A. public keys be stored in encrypted form.
B. encryption keys at one end be changed on a regular basis
C. primary keys for encrypting the data be stored in encrypted form
D. encryption keys be changed only when a compromise is detected at both ends
Answer: C
NO.523 Disciplinary policies are BEST classified as.

A. compensating controls
B. preventive controls.
C. directive controls
D. corrective controls
100
Answer: C
NO.524 An employee approaches an IS auditor and expresses concern about a critical security issue
in a newly installed application. Which of the following would be the MOST appropriate action for the
auditor to take?
A. Discuss the concern with additional end users.
B. Immediately conduct a review of the application.
C. Discuss the concern with audit management.
D. Recommend reverting to the previous application.
Answer: A
NO.525 Which of the following is the BEST sampling method when performing an audit test to
determine the number of access requests without approval signatures?
B. Judgment sampling
C. Stratified sampling
D. Stop-or-go sampling
Answer: A
NO.526 An IS auditor has been asked to perform a post-Implementation assessment of a new

corporate human resources (HR) system. Which of the following control areas would be MOST
important to review for the protection of employee information?
A. Data retention practices
B. Authentication mechanisms
C. Logging capabilities
D. System architecture
Answer: C
NO.527 An auditor is creating an audit program in which the objective is to establish the adequacy
of personal data privacy controls in a payroll process. Which of the following would be MOST
important to include?
A. Approval of data changes
B. User access provisioning
C. Segregation of duties controls
D. Audit logging of administrative user activity
Answer: D
NO.528 Which of the following application input controls would MOST likely detect data input errors
in the customer account number field during the processing of an accounts receivable transaction?
A. Reasonableness check
B. Validity check
C. Parity check
D. Limit check
101
Answer: A
NO.529 An IS auditor discovers an option in a database that allows the administrator to directly
modify any table This option is necessary to overcome Dugs in the software, but is rarefy used
Changes to tables are automatically logged The IS auditors FIRST action should be to:
A. recommend that the option to directly modify the database be removed immediately
B. determine whether the audit trail is secured and reviewed
C. determine whether the log of changes lo the tables is backed up
D. recommend that the system require two persons to be involved in modifying the database
Answer: B
NO.530 Which of the following yields the HIGHEST level of system availability?
A. Cloud storage
B. Hot swaps
C. Backups
D. Real-time replication
Answer: D
NO.531 Which of the following evidence-gathering techniques will provide the GREATEST assurance
that procedures are understood and practiced?
A. Survey end users.
B. Review procedures for alignment to policies.
C. Interview process owners.
D. Observe processes.
Answer: D
NO.532 What is the purpose of a hypervisor?

A. Monitoring the performance of virtual machines
B. Cloning virtual machines
C. Deploying settings to multiple machines simultaneously
D. Running the virtual machine environment
Answer: D
NO.533 An effective implementation of security roles and responsibilities is BEST evidenced across
an enterprise when:
A. reviews and updates of policies are regularly performed
B. policies are signed off by users.
C. operational activities are aligned with policies.
D. policies are rolled out and disseminated
Answer: C
NO.534 The practice of periodic secure code reviews is which type of control?
A. Preventive
102
B. Compensating
C. Corrective
D. Detective
Answer: D
NO.535 An organization is disposing of a system containing sensitive data and has deleted all files
from the hard disk.
An IS auditor should be concerned because:
A. backup copies of files were not deleted as well.
B. deleting all files separately is not as efferent as formatting the hard disk,
C. deleting the files logically does not overwrite the files' physical data,
D. deleted data cannot easily be retrieved.
Answer: C
NO.536 Which of the following should be the FIRST step when drafting an incident response plan for
a new cyber-attack scenario?
A. Create a new incident response team.
B. Identify relevant stakeholders.
C. Schedule response testing.
D. Create a reporting template.
Answer: B
NO.537 internal IS auditor recommends that incoming accounts payable payment files be encrypted.
Which type of control is the auditor recommending?
A. Directive
B. Detective
C. Preventive
D. Corrective
Answer: C
NO.538 Which of the following BEST describes the relationship between vulnerability scanning and
penetration testing?
A. The scope of both is determined primarily by the likelihood of exploitation
B. For entities with regulatory drivers, the two tests must be the same.
C. Both utilize a risk-based analysis that considers threat scenarios
D. Both are labor-intensive in preparation, planning and execution
Answer: C
NO.539 Which of the following is the BEST sampling method to ensure only active users have access
to critical systems?
A. Substantive testing
B. Difference estimation
C. Unstratified mean per unit
103
D. Compliance testing
Answer: D
NO.540 Which of the following would BEST facilitate the detection of internal fraud perpetrated by
an individual?
A. Mandatory leave
B. Flexible time
C. Corporate fraud hotline
D. Segregation of duties
Answer: A
NO.541 An IS auditor is testing employee access to a large financial system and must select a sample
from the current employee list provided by the auditee. Which of the following is the MOST reliable
sample source to support this testing1?
A. Previous audit reports generated by a third party
B. A system-generated list of accounts with access levels
C. Human resources (HR) documents signed by employees' managers
D. A system access spreadsheet provided by the system administration.
Answer: B
NO.542 Which of the following BEST demonstrates the degree of alignment between IT and business
strategy?
A. Number of IT projects driven by business requirements
B. Percentage of users aware of information security policies
C. Number of IT policies that refer directly to business goals
D. Percentage of IT value drivers mapped to business value drivers
Answer: D
NO.543 Which of the following is an IS auditor's BEST recommendation to mitigate the risk of
eavesdropping associated with an application programming interface (API) integration
implementation?
A. Implement Transport Layer Security (TLS)
B. Implement Simple Object Access Protocol (SOAP)
C. Encrypt the extensible markup language (XML) file
D. Mask the API endpoints
Answer: A
NO.544 Which of the following is the MOST effective way to reduce risk to an organization from
widespread use of unauthorized web-based communication technologies?
A. Incorporate web-based communications into the enterprise security architecture.
B. Block access from user devices to unauthorized sites that allow web-based
C. Monitor unauthorized staff usage of web-based communication and notify the IT security
department of violations.
104
D. Publish an enterprise-wide policy outlining acceptable use of web-based communication

technologies
Answer: D
NO.545 The members of an emergency incident response team should be:

A. appointed by the CISO.
B. selected from multiple departments.
C. restricted to IT personnel.
D. assigned at the time of each incident.
Answer: B
NO.546 Following an IS audit, which of the following types of risk would be MOST critical to
communicate to key stakeholders?
A. Residual
B. Audit
C. Inherent
D. Control
Answer: A
NO.547 The BEST way to prevent fraudulent payments is to implement segregation of duties
between payment processing and:
A. payment approval.
B. requisition creation.
C. vendor setup.
D. check creation.
Answer: A
NO.548 An IS auditor will be testing accounts payable controls by performing data analytics on the
entire population of transactions. Which of the following is MOST important for the auditor to
confirm when sourcing the population data?
A. There is no privacy information in the data.
B. The data is taken directly from the system.
C. The data can be obtained in a timely manner.
D. The data analysis tools have been recently updated.
Answer: B
NO.549 Which of the following should an IS auditor recommend to reduce the likelihood of
potential intruders using social engineering?
A. Prohibit the use of social networking platforms
B. Deploy a security awareness program
C. Perform simulated attacks
D. Implement an intrusion detection system (IDS)
Answer: B
105
NO.550 Both statistical and nonstatistical sampling techniques:

A. permit the auditor to quantify and fix the level of risk
B. permit the auditor to quantity the probability of error,
C. provide each item an equal opportunity of being selected.
D. require judgment when defining population characteristics
Answer: D
NO.551 Which of the following is the PRIMARY concern when negotiating a contract for a hot site?
A. Availability of the site in the event of multiple disaster declarations
B. Coordination with the site staff in the event of multiple disaster declarations
C. Reciprocal agreements with other organizations
D. Complete testing of the recovery plan
Answer: A
NO.552 Which of the following findings should be of GREATEST concern to an IS auditor reviewing
system deployment tools for a critical enterprise application system?
A. Change requests do not contain backout plans.
B. There are no documented instructions for using the tool.
C. Access to the tool is not approved by senior management.
D. Access to the tool is not restricted.
Answer: A
NO.553 Which of the following indicates that an internal audit organization is structured to support
the independence and clarity of the reporting process?
A. Auditors are responsible for assessing and operating a system of internal controls.
B. The internal audit manager reports functionally to a senior management official
C. The internal audit manager has a reporting line to the audit committee.
D. Auditors are responsible for performing operational duties or activities.
Answer: B
NO.554 Which of the following is the PRIMARY reason an IS auditor should discuss observations with
management before delivering a final report?
A. Identify business risks associated with the observations
B. Validate the audit observations.
C. Assist the management with control enhancements.
D. Record the proposed course of corrective action.
Answer: A
NO.555 A software development organization with offshore personnel has implemented a third-
party virtual workspace to allow the teams to collaborate. Which of the following should be of
GREATEST concern?
A. Team collaboration sessions are not monitored.
106
B. The team's work products are not properly classified as intellectual property.
C. The virtual workspace is configured to interface with other applications.
D. Exfiltration of data could occur through the virtual workspace.
Answer: D
NO.556 Which of the following is the BEST reason to utilize blockchain technology to record
accounting transactions?
A. Integrity of records
B. Confidentiality of records
C. Availability of records
D. Distribution of records
Answer: A
NO.557 During a review of an application system, an IS auditor identifies automated controls

designed to prevent the entry of duplicate transactions. What is the BEST way to verify that the
controls work as designed?
A. Implement periodic reconciliations.
B. Review quality assurance (QA) test results.
C. Use generalized audit software for seeking data corresponding to duplicate transactions.
D. Enter duplicate transactions in a copy of the live system.
Answer: D
NO.558 What is the MOST critical finding when reviewing an organization's information security
management?
A. No periodic assessments to identify threats and vulnerabilities
B. No dedicated security officer
C. No employee awareness training and education program
D. No official charter for the information security management system
Answer: C
NO.559 Which of the following is the PRIMARY purpose for external assessments of internal audit's
quality assurance (OA) systems and frameworks?
A. To confirm the internal audit department has adequate budget to perform its duties
B. To provide assurance that the internal audit function conforms with established professional
practices
C. To confirm the accuracy and reliability of prior internal audit results
D. To provide assurance that internal audit staff are qualified to perform their responsibilities
Answer: B
NO.560 Which of the following is MOST important when planning a network audit?
A. Isolation of rogue access points
B. Analysis of traffic content
C. Identification of existing nodes
107
D. Determination of IP range in use

Answer: C
NO.561 Which of the following would be an IS auditor's GREATEST concern when reviewing the early
stages of a software development project?
A. The lack of a detailed unit and system test plan
B. The lack of acceptance criteria behind user requirements
C. The lack of completion of all requirements at the end of each sprint
D. The lack of technical documentation to support the program code
Answer: B
NO.562 Which of the following should an IS auditor review FIRST when planning a customer data
privacy audit?
A. Legal and compliance requirements
B. Customer agreements
C. Organizational policies and procedures
D. Data classification
Answer: C
NO.563 Which of the following measures BEST mitigates the risk of exfiltration during a cyber
attack?
A. Perimeter firewall
B. Data loss prevention (DLP) system
C. Network access controls (NAC)
D. Hashing of sensitive data
Answer: C
NO.564 When preparing to evaluate the effectiveness of an organizations IT strategy, an IS auditor

should FIRST review:
A. the IT governance framework.
B. the IT processes and procedures.
C. Information security procedures.
D. the most recent audit results.
Answer: A
NO.565 Which of the following should be the PRIMARY audience for a third-party technical security
assessment report?
A. Operational IT management
B. Board of directors
C. Legal counsel
D. External regulators
Answer: B
108
NO.566 An organization is running servers with critical business application that are in an area
subject to frequent but brief power outages. Knowledge of which of the following would allow the
organization's management to monitor the ongoing adequacy of the uninterruptable power supply
(UPS)?
A. Number of servers supported by the ups
B. Duration and interval of the power outages
C. Business impact of server downtime
D. Mean time to recover servers after failure
Answer: C
NO.567 Which of the following should be of MOST concern lo an IS auditor reviewing the public key
infrastructure (PKI) for enterprise email?
A. The certificate revocation list has not been updated.
B. The private key certificate has not been updated.
C. The PKI policy has not been updated within the last year.
D. The certificate practice statement has not been published.
Answer: A
NO.568 An IS auditor finds the log management system is overwhelmed with false positive alerts.
The auditor's BEST recommendation would be to:
A. reduce the firewall rules.
B. establish criteria for reviewing alerts.
C. line tune the intrusion detection system (IDS).
D. recruit more monitoring personnel.
Answer: C
NO.569 An organization's security policy mandates that all new employees must receive appropriate
security awareness training. Which of the following metrics would BEST assure compliance with this
policy?
A. Percentage of new hires who report incidents
B. Number of reported incidents by new hires
C. Percentage of new hires that have completed the training .
D. Number of new hires who have violated enterprise security policies
Answer: D
NO.570 Which of the following is the MOST important aspect of an information security policy
approved by the board of directors?
A. The policy must be modified periodically for relevance.
B. The policy must be communicated to all stakeholders.
C. The policy must provide guidance for information classification.
D. The policy must address the privacy of stakeholder information.
Answer: B
109
NO.571 Which of the following control testing approaches is BEST used to evaluate a control's
ongoing effectiveness by comparing processing results to independently calculated data?
A. Embedded audit modules
B. Sample-based re-performance
C. Integrated test facility (ITF)
D. Statistical sampling
Answer: D
NO.572 Which of the following is the GREATEST concern with conducting penetration testing on an
internally developed application in the production environment?
A. The testing could create application availability issues.
B. The testing may identify only known operating system vulnerabilities.
C. The issues identified during the testing may require significant remediation efforts.
D. Internal security staff may not be qualified to conduct application penetration testing.
Answer: A
NO.573 Which of the following group is MOST likely responsible for the implementation of IT
projects?
A. IT steering committee
B. IT strategy committee
C. IT compliance committee
D. IT governance committee
Answer: A
NO.574 To ensure efficient and economic use of limited resources in supporting a local area network
(LAN) infrastructure, it is advisable to:
A. periodically rotate vendors to obtain the best price-to-performance ratio
B. standardize on a limited number of device models and software applications.
C. quickly upgrade to the latest hardware and software versions to take advantage of new features
D. recommend a variety of products so that user effectiveness and flexibility can be maximized.
Answer: B

reviewing a large organization's IT steering committee?
A. Resource and priority conflict resolution has been delegated to the project management office
B. The committee does not include any current system administrators.
C. Business executives are not represented on the committee.
D. The committee has not formally approved the enterprise's IT architecture.
Answer: C
NO.576 The PRIMARY objective of value delivery in reference to IT governance is to:

A. optimize investments
B. ensure compliance,
110
C. promote best practices.

D. increase efficiency.
Answer: A
NO.577 An audit of the quality management system (QMS) begins with an evaluation of the:
A. organization's QMS policy
B. sequence and interaction of QMS processes
C. QMS processes and their application
D. QMS document control procedures
Answer: A
NO.578 An IS auditor reviewing the use of encryption finds that the symmetric key is sent by an
email message between the parties. Which of the following audit responses is correct in this
situation?
A. No audit finding is recorded as it is normal to distribute a key of this nature in this manner
B. An audit finding is recorded as the key should be asymmetric and therefore changed
C. No audit finding is recorded as the key can only be used once
D. An audit finding is recorded as the key should be distributed in a secure manner
Answer: D
NO.579 Which of the following would be the MOST effective method to identify high risk areas in
the business to be included in the audit plan?
A. Review external audit reports of the business.
B. Review industry reports to identify common risk areas
C. Validate current risk from poor internal audit findings.
D. Engage with management to understand the business.
Answer: D
NO.580 The GREATEST risk of database denormalization is:

A. loss of database integrity.
B. decreased performance.
C. loss of data confidentiality.
D. incorrect metadata.
Answer: A
NO.581 An IS auditor reviewing a project to acquire an IT-based solution learns the risk associated
with project failure has been assessed as high. What is the auditor's BEST course of action?
A. Reassess project costs to ensure they are within the organization's risk tolerance.
B. Review the risk monitoring process during project execution.
C. Review benefits realization against the business case.
D. Inform management about potential losses due to project failure.
Answer: C
111
NO.582 Which of the following is MOST important for an IS auditor to assess during a post-
implementation review of a newly modified IT application developed in-house?
A. Resource management plan
B. Updates required for end user manuals
C. Sufficiency of implemented controls
D. Rollback plans for changes
Answer: D
NO.583 During an IT operations audit multiple unencrypted backup tapes containing sensitive credit
card information cannot be found Which of the following presents the GREATEST risk to the
organization?
A. Reputational damage due to potential identity theft
B. Business disruption if a data restore cannot be completed
C. The cost of recreating the missing backup tapes
D. Human resource cost of responding to the incident
Answer: A
NO.584 The PRIMARY focus of audit follow-up reports should be to:

A. assess if new risks have developed.
B. determine if audit recommendations have been implemented.
C. verify the completion date of the implementation.
D. determine if past findings are still relevant.
Answer: B
NO.585 Which of the following is a corrective control?

A. Reviewing user access rights for segregation of duties
B. Executing emergency response plans
C. Verifying duplicate calculations in data processing
D. Separating equipment development, testing, and production
Answer: C
NO.586 An IS auditor is reviewing an organization's information asset management process. Which

of the following would be of GREATEST concern to the auditor'?
A. Process ownership has not been established
B. Identification of asset value is not included in the process
C. The process does not include asset review.
D. The process does not require specifying the physical locations of assets
Answer: B
NO.587 Which of the following development practices would BEST mitigate the risk associated with
theft of user credentials transmitted between mobile devices and the corporate network?
A. Release mobile applications in debugging mode to allow for easy troubleshooting.
B. Enforce the validation of digital certificates used in the communication sessions.
112
C. Embed cryptographic keys within the mobile application source code.

D. Allow persistent sessions between mobile applications and the corporate network.
Answer: D
NO.588 Which of the following would an IS auditor recommend as the MOST effective preventive
control to reduce the risk of data leakage?
A. Ensure that paper documents arc disposed security.
B. Implement an intrusion detection system (IDS).
C. Verify that application logs capture any changes made.
D. Validate that all data files contain digital watermarks
Answer: D
NO.589 Which of the following is the MOST significant operational risk associated with the use of
virtualization?
A. Inadequate backup procedures
B. Performance issues of hosts
C. Insufficient network bandwidth
D. Single point of failure
Answer: B
NO.590 Which of the following is MOST important for an IS auditor to review when evaluating the
effectiveness of an organization's incident response process?
A. Past incident response actions
B. Results from management testing of incident response procedures
C. Incident response staff experience and qualifications
D. Incident response roles and responsibilities
Answer: B
NO.591 The PRIMARY benefit to using a dry-pipe fire-suppression system rather than a wet-pipe
system is that a dry-pipe system
A. is more effective at suppressing flames.
B. allows more time to abort release of the suppressant
C. has a decreased risk of leakage.
D. disperses dry chemical suppressants exclusively.
Answer: C
NO.592 Following an internal audit of a database, management has committed to enhance

password management controls. Which of the following provides the BEST evidence that
management has remediated the audit finding?
A. Screenshots from end users showing updated password settings
B. Observation of updated password settings with database administrators (DBAs)
C. Change tickets of recent password configuration updates
D. Interviews with management about remediation completion
113
Answer: A
NO.593 Which of the following is MOST important for an IS auditor to review when assessing the
integrity of encryption controls for data at rest?
A. Frequency of encryption key changes
B. Length of encryption keys
C. Protection of encryption keys
D. Encryption of test data
Answer: D
NO.594 Which of the following provides the BEST evidence of the effectiveness of an organization s
audit quality management procedures?
A. Quality of independent review scores
B. Number of resources dedicated to quality control procedures
C. Quality of auditor performance reviews
D. Number of audits completed within the annual audit plan
Answer: A
NO.595 Malicious program code was found in an application and corrected prior to release into
production. After the release, the same issue was reported. Which of the following is the IS auditor's
BEST recommendation?
A. Ensure change management reports are independently reviewed.
B. Ensure the business signs off on end-to-end user acceptance test (UAT) results.
C. Ensure programmers cannot access code after the completion of program edits.
D. Ensure corrected program code is compiled in a dedicated server.
Answer: D
NO.596 Which of the following BEST measures project progress?

A. Earned-value analysis (EVA)
B. Project plan
C. SWOT analysis
D. Gantt chart
Answer: A
NO.597 in a small IT web development company where developers must have write access to
production the BEST recommendation of an IS auditor would be to
A. hire another person to perform migration to production
B. remove production access from the developers
C. perform a user access review (or the development team
D. implement continuous monitoring controls
Answer: B
NO.598 Which of the following is MOST important for an IS auditor to consider when reviewing
114
documentation for an organization's forensics policy?

A. Assigned roles and responsibilities
B. Notification processes
C. Access controls
D. Evidence preservation
Answer: D
NO.599 Which of the following would BEST protect the confidentiality of sensitive data in transit
between multiple offices?
A. Public key infrastructure (PKI)
B. Hash algorithms
C. Kerberos
D. Digital signatures
Answer: B
NO.600 Which of the following provides for the GREATEST cost reduction in a large data center?
A. Power conditioning
B. Job-scheduling software
C. Server consolidation
D. Staff rotation
Answer: C
NO.601 An IS auditor notes that application super-user activity was not recorded in system logs.
What is the auditor's BEST course of action?
A. Investigate the reason for the lack of logging
B. Recommend a least privilege access model
C. Recommend activation of super user activity logging
D. Report the issue to the audit manager
Answer: C
NO.602 Which of the following should be done FIRST when planning a penetration test?
A. Execute nondisclosure agreements (NDAs).
B. Define the testing scope.
C. Determine reporting requirements for vulnerabilities
D. Obtain management consent for the testing
Answer: D
NO.603 Which of the following is the GREATEST risk associated with the lack of an effective data
privacy program?
A. Inability to obtain customer confidence
B. Inability to manage access to private or sensitive data
C. Failure to comply with data-related regulations
D. Failure to prevent fraudulent transactions
115
Answer: C
NO.604 An IT governance framework provides an organization with:

A. assurance that there are surplus IT investments
B. assurance that there will be IT cost reductions
C. a basis for directing and controlling IT.
D. organizational structures to enlarge the market share through IT
Answer: C
NO.605 A sales representative is reviewing the organization's feedback blog and gets redirected to a
site that sells illegal prescription drugs. The blog site is MOST likely susceptible to which of the
following types of attacks?
A. Directory harvesting
B. Phishing attack
C. Cross-site scripting
D. SQL injection
Answer: C
NO.606 Which of the following should be the FIRST step in a data migration project?
A. Creating data conversion scripts.
B. Reviewing decisions on how processes should be conducted in the new system
C. Completing data cleanup in the current database to eliminate inconsistencies
D. Understanding the new system's data structure
Answer: D
NO.607 A review of an organization's IT portfolio revealed several applications that are not in use.
The BEST way to prevent this situation from recurring would be to implement.
A. A formal request for proposal (RFP) process
B. Business case development procedures
C. An information asset acquisition policy
D. Asset life cycle management.
Answer: C
NO.608 An internal audit department recently established a quality assurance (QA) program. Which
of the following activities is MOST important to include as part of the OA program requirements?
A. Periodic external assessments of the program
B. Analysis of user satisfaction reports from business lines
C. Long-term internal audit resource planning for the program
D. Feedback from internal audit staff
Answer: A
NO.609 Which of the following control techniques BEST ensures the integrity of system interface
transmissions?
116
A. Validity check
B. Completeness check
C. Parity check
D. Reasonableness check
Answer: B
NO.610 Which of the following BEST facilitates the management of assets during the
implementation of an information system?
A. Decision support system
B. Quality management controls
C. Configuration management database (CMDB)
D. Asset procurement system
Answer: C
NO.611 Which of the following approaches provides the BEST assurance and user confidence when
an organization migrates data to a more complex enterprise resource planning (ERP) system?
A. Pilot testing
B. User acceptance testing
C. Phased changeover
D. Parallel processing
Answer: B
NO.612 Which type of attack poses the GREATEST risk to an organization's most sensitive data?
A. Insider attack
B. Eavesdropping attack
C. Spear phishing attack
D. Password attack
Answer: A
NO.613 An organization's IT security policy states that user ID's must uniquely identify individual's
and that user should not disclose their passwords. An IS auditor discovers that several generic user
ID's are being used.
Which of the following is the MOST appropriate course of action for the auditor?
A. Recommend a change in security policy.
B. Include the finding in the final audit report.
C. Investigate the noncompliance.
D. Recommend disciplinary action.
Answer: A
NO.614 The PRIMARY purpose of running a new system In parallel is to:

A. Determine which of the two system is more efficient and effective
B. Validate the operation of the new system against its predecessor.
C. Resolve any errors in the program and file interfaces.
117
D. Provide the basis for comprehensive unit and system testing.

Answer: B
NO.615 One advantage of monetary unit sampling is the fact that:

A. it increases the likelihood of selecting material items from the population,
B. large-value population items are segregated and audited separately
C. it can easily be applied manually when computer resources are not available
D. results are stated in terms of the frequency of items in error
Answer: A
NO.616 Which of the following is the MOST important consideration when incorporating data
analytics into an audit?
A. Ability of the auditor to perform complex analysis
B. Availability and cost of the tools
C. Complexity of the data and related audit process
D. Availability and quality of data
Answer: C
NO.617 A data Dreach has occurred due to malware. Which of the following should be the FIRST
course of action?
A. Notify the cyber insurance company.
B. Notify customers of the breach.
C. Shut down the affected systems.
D. Quarantine the impacted systems.
Answer: D
NO.618 Which of the following provides the MOST reliable audit evidence on the validity of
transactions in a financial application?
A. Design documentation reviews
B. Walk-through reviews
C. Substantive testing
D. Compliance testing
Answer: C
NO.619 To lest the integrity of the data in the accounts receivable master file, an IS auditor is
particularly interested in reviewing customers with balances over 400,000. The selection technique
the IS auditor would use to obtain such a sample is called:
A. variable sampling
B. stop-or-go sampling
C. random selection
D. stratification.
Answer: A
118
NO.620 An IS auditor is conducting a post-implementation review of an enterprise resource planning

(ERP) system End users indicated concerns with the accuracy of critical automatic calculations made
by the system. The auditor's FIRST course of action should be to:
A. review recent changes to the system
B. verify completeness of user acceptance testing
C. verify results to determine validity of user concerns
D. review initial business requirements
Answer: D
NO.621 An IS auditor is performing a follow-up audit for findings identified In an organization's user
provisioning process Which of the Mowing is the MOST appropriate population to sample from when
testing for remediation?
A. All users provisioned after the final audit report was issued
B. All users provisioned after management resolved the audit issue
C. All users who have followed user provisioning processes provided by management
D. All users provisioned after the finding was originally identified
Answer: C
NO.622 When removing a financial application system from production, which of the following is
MOST important?2E1457D5D1DDCBD40AB3BF70D5D
A. Media used by the retired system has been sanitized.
B. Data retained for regulatory purposes can be retrieved.
C. End-user requests for changes are recorded and tracked.
D. Software license agreements are retained.
Answer: B
NO.623 Which of the following is an example of a control that is both detective and preventive at
the same lime?
A. A payment order to a sanctioned country is detected in the system before the payment is actually
made.
B. Detective fraud controls performed on past transactions prevent legal action being taken against
the organization.
C. Detection of unauthorized activity in a database prevents further manipulation by the database
administrator (DBA).
D. A misconfiguration of an operating system is detected and future recurrence can successfully be
prevented.
Answer: C
NO.624 Which of the following is the GREATEST advantage of vulnerability scanning over
penetration testing'?
A. The testing process can be automated to cover large groups of assets
B. Network bandwidth is utilized more efficiently.
C. Custom-developed applications can be tested more accurately
119
D. The testing produces a lower number of false positive results

Answer: B
NO.625 Which of the following is a preventive control that can be used to mitigate insider threats?
A. Penetration testing
B. Backup procedures
C. Role-based access
D. User activity monitoring
Answer: C
NO.626 While conducting a system architecture review, an IS auditor learns of multiple complaints
from field agents about the latency of a mobile thin client designed to provide information during site
inspections Which of the following is the BEST way to address this situation?
A. Upgrade the processors in the field agents' mobile devices
B. Deploy a middleware application to improve messaging between application components.
C. Switch to a thick-client architecture that does not require a persistent fetwork connectio.
D. Upgrade the thin-client software to provide more informative error messages during application
loading
Answer: B
NO.627 Which of the following situations would impair the independence of an IS auditor involved
in a software development project?
A. Determining the nature of implemented controls
B. Programming embedded audit modules
C. Being an expert advisor to the project sponsor
D. Defining end-user requirements
Answer: D
NO.628 An IS auditor reviewing the database controls for a new e-commerce system discovers a
security weakness in the database configuration. Which of the following should be the IS auditor's
NEXT course of action?
A. Assist in drafting corrective actions
B. Attempt to exploit the weakness
C. Identify existing mitigating controls
D. Disclose the findings to senior management
Answer: B
NO.629 Which of the following is the PRIMARY reason to adopt a capability model?
A. To increase the organization's level of security
B. To guide improvement of organizational processes
C. To decrease the organization's level of risk
D. To ensure compliance with laws and regulation
Answer: B
120
NO.630 An IS auditor is planning an audit of an organization's accounts payable processes. Which of

the following controls is Most important to assess in the audit?
A. Segregation of duties between receiving invoices and setting authorization limits
B. Management review and approval of purchase orders
C. Segregation of duties between issuing purchase orders and making payments
D. Management review and approval of authorization tiers
Answer: C
NO.631 Which of the following is the MOST important issue for an IS auditor to consider with regard
to Voice-over IP (VoIP) communications?
A. Nonrepudiation
B. Continuity of service
C. Homogeneity of the network
D. Identity management
Answer: C
NO.632 Several unattended laptops containing sensitive customer data were stolen from personnel
offices Which of the following would be an IS auditor's BEST recommendation to protect data in case
of recurrence?
A. Enhance physical security
B. Encrypt the disk drive
C. Require two-factor authentication
D. Require the use of cable locks
Answer: B
NO.633 An organization uses multiple offsite data center facilities Which of the following is MOST
important to consider when choosing related backup devices and media?
A. Standardization
B. Backup media capacity
C. Restoration speed
D. Associated costs
Answer: A
NO.634 Which of the following BEST guards against the risk of attack by hackers?
A. Tunneling
B. Message validation
C. Encryption
D. Firewalls
Answer: A
NO.635 When evaluating the recent implementation of an intrusion detection system (IDS), an IS
auditor should be MOST concerned with inappropriate:
121
A. training
B. encryption
C. tuning
D. patching
Answer: C
NO.636 Which of the following is the MOST effective means of helping management and the IT
strategy committee to monitor IT performance?
A. Gap analysis
B. Measurement of service levels against metrics
C. End-user satisfaction surveys
D. Infrastructure monitoring reports
Answer: B
NO.637 Which of the following is the PRIMARY reason for using a digital signature?
A. Provide confidentiality to the transmission
B. Authenticate the sender of a message
C. Verify the integrity of the data and the identity of the recipient
D. Provide availability to the transmission
Answer: C
NO.638 Which of the following is MOST important for an IS auditor to examine when reviewing an
organization's privacy policy?
A. The encryption mechanism selected by the organization for protecting personal data
B. Whether there is explicit permission from regulators to collect personal data
C. The organization's legitimate purpose for collecting personal data
D. Whether sharing of personal information with third-party service providers is prohibited
Answer: C
NO.639 An organization's software developers need access to personally identifiable information

(Pll) stored in a particular data format. Which of the following is the BEST way to protect this
sensitive information while allowing the developers to use it in development and test environments?
A. Data encryption
B. Data tokenization
C. Data abstraction
D. Data masking
Answer: D
NO.640 Which of the following is the BEST compensating control for a lack of proper segregation of
duties in an IT department?
A. Audit trail reviews
B. System activity logging
C. Authorization forms
122
D. Control self-assessment (CSA)

Answer: A
NO.641 An IS auditor noted that a change to a critical calculation was placed into the production
environment without being tested. Which of the following is the BEST way to obtain assurance that
the calculation functions correctly?
A. Check regular execution of the calculation batch job.
B. Obtain post-change approval from management.
C. Perform substantive testing using computer-assisted audit techniques (CAATs).
D. Interview the lead system developer.
Answer: A
NO.642 An IS auditor notes that help desk personnel are required to make critical decisions during
major service disruptions. Which of the following is the auditor's BEST recommendation to address
this situation?
A. Introduce classification of disruptions by risk category.
B. Provide historical incident response information for the help desk
C. Implement an incident response plan
D. Establish shared responsibility among business peers.
Answer: C
NO.643 To BEST evaluate the effectiveness of a disaster recovery plan, the IS auditor should review
the:
A. test plan and results of past tests.
B. plans and procedures in the business continuity plan
C. capacity of backup facilities.
D. hardware and software inventory.
Answer: A
NO.644 An IS auditor is a member of an application development team that is selecting software.

Which of the following would impair the auditor's independence?
A. Approving the vendor selection methodology
B. verifying the weighting of each selection criteria
C. Reviewing the request for proposal (RFP)
D. Witnessing the vendor selection process
Answer: A
NO.645 The application systems quality assurance (QA) function should:

A. assist programmers in designing and developing applications.
B. design and develop quality applications by employing system development methodology.
C. ensure adherence of programs to standards.
D. compare programs to approved system changes.
Answer: C
123
NO.646 The BEST way to preserve data integrity through all phases of application containerization is
to ensure which of the following?
A. Developers are educated about how their roles relate to application security best practices.
B. The development team performs regular patching of application containers.
C. Segregation of duties is developed and maintained in the application container environment.
D. Information security roles are defined and communicated in the information security policy.
Answer: C
NO.647 During an audit of a financial application, it was determined thai many terminated users'
accounts were not disabled. Which of the following should be the IS auditors NEXT step?
A. Conclude that IT general controls are ineffective.
B. Perform a review of terminated users' account activity.
C. Communicate risks to the application owner.
D. Perform substantive testing of terminated users' access rights.
Answer: B
NO.648 Which of the following BEST demonstrates that IT strategy is aligned with organizational
goals and objectives?
A. Business stakeholders are involved in approving the IT strategy.
B. IT strategies are communicated to all business stakeholders
C. Organizational strategies are communicated to the chief information officer (CIO)
D. The chief information officer (CIO) is involved in approving the organizational strategies
Answer: A
NO.649 Which of the following is the MOST effective way to verify an organization's ability to
continue its essential business operations after a disruption event?
A. Analysis of recovery point objectives (RPOs)
B. Analysis of call trees
C. Analysis of end-to-end recovery flow
D. Analysis of business impact
Answer: A
NO.650 An IS auditor assessing the controls within a newly implemented call center would FIRST
A. test the technical infrastructure at the call center.
B. review the manual and automated controls in the call center.
C. gather information from the customers regarding response times and quality of service.
D. evaluate the operational risk associated with the call center.
Answer: D
NO.651 Which of the following poses the GREATEST security risk when implementing acquired
application systems?
A. Default logon IDs
124
B. Social engineering
C. Lack of audit logs
D. Password length
Answer: A
NO.652 Which of the following processes BEST addresses the risk associated with the deployment of
a new production system?
A. Release management
B. Configuration management
C. Change management
D. Incident management
Answer: C
NO.653 A small financial institution is preparing to implement a check image processing system to
support planned mobile banking product offerings Which of the following is MOST critical to the
successful implementation of the system?
A. Integration testing
B. Control design
C. End user training
D. Feasibility studies
Answer: A
NO.654 The BEST method an organization can employ to align its business continuity plan (BCP) and
disaster recovery plan (DRP) with core business needs is to:
A. include BCP and disaster recovery plan responsibilities as a part of new employee training,
B. execute periodic walk-throughs of the plans.
C. update the business impact analysis (BIA) for significant business changes.
D. outsource the maintenance of the BCP and disaster recovery plan to a third party.
Answer: C
NO.655 What is the PRIMARY reason for conducting a risk assessment when developing an annual IS
audit plan?
A. Decide which audit procedures and techniques to use
B. Determine the existence of controls in audit areas
C. Identify and prioritize audit areas
D. Provide assurance material items will be covered
Answer: C
NO.656 Which of the following should be an IS auditor's BEST recommendation to prevent

installation of unlicensed software on employees' company-provided devices?
A. Enforce audit logging of software installation activities.
B. Remove unlicensed software from end-user devices.
C. Implement software blacklisting.
125
D. Restrict software installation authority to administrative users only.

Answer: D
NO.657 During an audit of an organization's financial statements, an IS auditor finds that the IT
general controls are deficient. What should the IS auditor recommend?
A. Increase the substantive testing of the financial balances.
B. Place greater reliance on the framework of control.
C. Place greater reliance on the application controls.
D. Increase the compliance testing of the application controls.
Answer: D
NO.658 Which of the following would BEST help prioritize various projects in an organization's IT
portfolio?
A. Business cases
B. Industry trends
C. Enterprise architecture (EA)
D. Total cost of ownership (TCO)
Answer: A
NO.659 A 5 year audit plan provides for general audits every year and application audits on
alternating years. To achieve higher efficiency, the IS audit manager would MOST likely:
A. Alternate between control self-assessment (CSA) and general audits every year.
B. Have control self-assessments (CSAs) and formal audits of application on alternating years
C. Implement risk assessment criteria to determine audit priorities
D. Proceed with the plan and integrate all new applications
Answer: C
NO.660 Which of the following security risks can be reduced by a properly configured network
firewall?
A. Phishing attacks
B. Insider attacks
C. Denial of service (DoS) attacks
D. SQL injection attacks
Answer: C
NO.661 Which of the following is the BEST way to detect system security breaches?
A. Conducting frequent vulnerability scans
B. Conducting continuous monitoring with an automated system security tool
C. Ensuring maximum interoperability among systems throughout the organization
D. Performing intrusion tests on a regular basis
Answer: B
NO.662 Which of the following is the BEST indication that an information security program is aligned
126
with organizational objectives?

A. The information security steering committee sets organizational security priorities.
B. Senior management conducts regular reviews of information security policies.
C. Information security processes are in place throughout the system development life cycle (SDLC).
D. Risk is managed to within organizational tolerances.
Answer: B
NO.663 Which of the following is the BEST way to mitigate risk to an organization's network
associated with devices permitted under a bring your own device (BYOD) policy?
A. Enable port security on all network switches
B. Ensure the policy requires antivirus software on devices
C. Require personal devices to be reviewed by IT staff
D. Implement a network access control system
Answer: B
NO.664 An IS auditor performs a follow-up audit and learns the approach taken by the auditee to fix
the findings differs from the agreed-upon approach confirmed during the last audit. Which of the
following should be the auditor's NEXT course of action?
A. Evaluate the appropriateness of the remedial action taken.
B. Conduct a risk analysis incorporating the change.
C. Inform senior management of the change in approach.
D. Report results of the follow-up to the audit committee.
Answer: A
NO.665 An organization needs to comply with data privacy regulations forbidding the display of
personally identifiable information (Pll) on customer bills or receipts However it is a business
requirement to display at least one attribute so that customers can verify the bills or receipts are
intended for them What is the BEST recommendation?
A. Data encryption
B. Data tokenization
C. Data masking
D. Data sanitization
Answer: A
NO.666 Compared to developing a system in-house, acquiring a software package means that the
need for testing by end users is:
A. eliminated.
B. increased.
C. reduced.
D. unchanged.
Answer: B
NO.667 Which of the following is the BEST way to ensure that business continuity plans (BCPs) will
127
work effectively in the event of a major disaster?

A. Regularly update business impact assessments
B. Prepare detailed plans for each business function.
C. Involve staff at all levels in periodic paper walk-through exercises
D. Make senior managers responsible for their plan sections.
Answer: C
NO.668 When using a wireless device, which of the following BEST ensures confidential access to
email via web mail?
A. Wired equivalent privacy (WEP)
B. Hypertext transfer protocol secure (HTTPS)
C. Simple object access protocol (SOAP)
D. Extensible markup language (XML)
Answer: A
NO.669 Which of the following would BEST help to ensure the availability of data stored with a cloud
provider?
A. Confirming the cloud provider has a disaster recovery site
B. Defining the reporting process and format
C. Requiring the provider to conduct daily backups
D. Defining service level agreements (SLAs) in the contract
Answer: D
NO.670 Which of the following presents the GREATEST concern when implementing data flow
across borders?
A. Equipment incompatibilities
B. National privacy laws
C. Political unrest
D. Software piracy laws
Answer: B
NO.671 An IS auditor learns the organization has experienced several server failures in its
distributed environment.
Which of the following is the BEST recommendation to limit the potential Impact of server failures in
the future?
A. Failover power
B. Clustering
C. Parallel testing
D. Redundant pathways
Answer: C
NO.672 When an IS auditor evaluates key performance indicators (KPls) (or IT initiatives, it is MOST
important that the KPIs indicate.
128
A. IT solutions are within budget

B. IT objectives are measured
C. IT resources are fully utilized
D. IT deliverables are process driven.
Answer: B
NO.673 Demonstrated support from which of the following roles in an organization has the MOST
influence over information security governance?
A. Board of directors
B. Chief information officer (CID)
C. Information security steering committee
D. Chief information security officer (CISO)
Answer: A
NO.674 Which of the following BEST minimizes performance degradation of servers used to
authenticate users of an e-commerce website?
A. Configure each authentication server and ensure that the disks of each server form part of a
duplex.
B. Configure each authentication server and ensure that each disk of its RAID is attached to the
primary controller.
C. Configure a single server as a primary authentication server and a second server as a secondary
authentication server.
D. Configure each authentication server as belonging to a cluster of authentication servers.
Answer: D
NO.675 An organization has recently converted its infrastructure to a virtualized environment. The
GREATEST benefit related to disaster recovery is that virtualized servers:
A. eliminate the manpower necessary to restore the server.
B. decrease the recovery time objective (RTO).
C. reduce the time it takes to successfully create backups.
D. can be recreated on similar hardware faster than restoring from backups.
Answer: A
NO.676 An IS auditor is reviewing a network diagram. Which of the following would be the BEST
location for placement of a firewall?
A. Between virtual local area networks (VLANs)
B. At borders of network segments with different security levels
C. Between each host and the local network switch/hub
D. Inside the demilitarized zone (DMZ)
Answer: D
NO.677 When aligning IT projects with organizational objectives, it is MOST important to ensure
that the:
129
A. percentage of growth in project intake is reviewed.

B. overall success rate of projects is high.
C. business cases have been clearly defined for all projects.
D. project portfolio database is updated when new systems are acquired.
Answer: C
NO.678 Which of the following is a PRIMARY role of an IS auditor in a control self-assessment (CSA)
workshop?
A. Assisting participants in evaluating risks and relevant controls
B. Gathering background information prior to the CSA workshop
C. Reporting results of the workshop and recommendations to management
D. Analyzing gaps between control design and control framework
Answer: A
NO.679 An IS auditor is reviewing security controls related to collaboration to unit responsible for
intellectual property and patents. Which of the following observations should be of MOST concern to
the auditor?
A. Logging and monitoring for content filtering is not enabled.
B. Employees can share files with users outside the company through collaboration tools
C. The collaboration tool is hosted and can only be accessed via an Internet browser.
D. Training was not provided to the department that handles intellectual property and patents
Answer: D
NO.680 Following a breach, what is the BEST source 10 determine the maximum amount of time
before customers must be notified that their personal information may have been compromised?
A. Industry regulations
B. Incident response plan
C. Information security policy
D. Industry standards
Answer: B
NO.681 Which of the following attacks would MOST likely result in the interception and modification
of traffic for mobile phones connecting to potentially insecure public Wi-Fi networks?
A. Man-in-the-middle
B. Phishing
C. Vishing
D. Brute force
Answer: A
NO.682 Which of the following is MOST helpful for an IS auditor to review when determining the
appropriateness of controls relevant to a specific audit area?
A. Control implementation methods
B. Control self-assessment (CSA)
130
C. Enterprise architecture (EA) design

D. Business impact analysis (BIA)
Answer: C
NO.683 A review of IT interface controls finds an organization does not have a process to identify
and correct records that do not get transferred to the receiving system. Which of the following
is.........
A. Implement software to perform automatic reconciliations of data between systems
B. Automate the transfer of data between systems as much as feasible.
C. Enable automatic encryption, decryption and electronic signing of data files
D. Have coders perform manual reconciliation of data between systems
Answer: B
NO.684 An IS auditor plans to review all access attempts to a video-monitored and proximity card-
controlled communications room. Which of the following would be MOST useful to the auditor?
A. Alarm system with CCTV
B. Security incident log
C. Manual sign-in and sign-out log
D. System electronic log
Answer: B
NO.685 Which of the following would be MOST helpful in ensuring security procedures are followed
by employees in a multinational organization?
A. Comprehensive end-user training
B. Security architecture review
C. Regular clean desk reviews
D. Regular policy updates by management
Answer: A
NO.686 The PRIMARY reason for an IS auditor to use data analytics techniques is to reduce which
type of audit risk?
A. Technology risk
B. Inherent risk
C. Control risk
D. Detection risk
Answer: B
NO.687 End users have been demanding the ability to use their own devices for work, but want to
keep personal information out of corporate control. Which of the following would be MOST effective
at reducing the risk of security incidents while satisfying end user requirements?
A. Enable remote wipe capabilities for the devices.
B. Encrypt corporate data on the devices.
C. Implement an acceptable use policy.
131
D. Require complex passwords.

Answer: C
NO.688 When reviewing a data classification scheme, it is MOST important for an IS auditor to
determine if
A. the information owner is required to approve access to the asset
B. the security criteria are clearly documented for each classification
C. each information asset is assigned to a different classification
D. senior IT managers are identified as information owners
Answer: B
NO.689 Which of the following is an IS auditor's BEST guidance regarding the use of IT frameworks?
A. To ensure consistency throughout the organization, management should adopt a single
comprehensive framework.
B. Frameworks provide standards that enable management to benchmark against peer organizations
.
C. Frameworks encourage efficiency, provide a way to measure effectiveness, and allow for
improvements
D. Industry-specific frameworks, when available, are preferred over the more generic comprehensive
frameworks.
Answer: C
NO.690 During an incident management audit, an IS auditor finds that several similar incidents were
logged during the audit period Which of the following is the auditor's MOST important course of
action?
A. Determine if a root cause analysis was conducted
B. Document the finding and present it to management.
C. Confirm the resolution time of the incidents.
D. Validate whether all incidents have been actioned.
Answer: A
NO.691 Which of the following is the client organization's responsibility in a Software as a Service
(SaaS) environment?
A. Ensuring the data is available when needed
B. Ensuring that users are properly authorized
C. Detecting unauthorized access
D. Preventing insertion of malicious code
Answer: B
NO.692 Which of the following is MOST important to review when evaluating the performance of a
critical web application?
A. Business-defined application response times
B. Strategy for application performance monitoring in the cloud
132
C. Feedback from customer satisfaction surveys

D. Roles and responsibilities for reporting
Answer: C
NO.693 Which of the following should be the FIRST step to help ensure the necessary regulatory
requirements are addressed in an organization's cross-border data protection policy?
A. Perform a business impact analysis (BIA).
B. Conduct stakeholder interviews.
C. Perform a gap analysis.
D. Conduct a risk assessment.
Answer: C
NO.694 Which of the following is the BEST source of information for an IS auditor to use as a
baseline to assess the adequacy of an organization's privacy policy?
A. Local privacy standards and regulations
B. Benchmark studies of similar organizations
C. Historical privacy breaches and related root causes
D. Globally accepted privacy best practices
Answer: A
NO.695 An organization is developing a web portal using some external components. Which of the
following should be of MOST concern to an IS auditor?
A. Some of the developers are located in another country.
B. The organization has not reviewed the components for known exploits.
C. Open-source components were integrated during development.
D. Staff require additional training in order to perform cede review.
Answer: B
NO.696 When developing metrics to measure the contribution of IT to the achievement of business
goals, the MOST important consideration is that the metrics:
A. are used by similar industries to measure the effect of IT on business strategy.
B. measure the effectiveness of IT controls in the achievement of IT strategy.
C. provide quantitative measurement of IT initiatives in relation with business targets,
D. are expressed in terms of how IT risk impacts the achievement of business goals.
Answer: D
NO.697 Which of the following should be an IS auditor's PRIMARY focus when developing a risk-
based IS audit program?
A. Business plans
B. IT strategic plans
C. Portfolio management
D. Business processes
Answer: D
133
NO.698 Which of the following should be an IS auditor's PRIMARY focus when developing a risk-
banned IS audit program?
A. Business processes
B. IT strategic plans
C. Portfolio management
D. Business plans
Answer: A
NO.699 Which of the following conditions would be of MOST concern to an IS auditor assessing the
risk of a successful brute force attack against encrypted data at rest?
A. Use of asymmetric encryption
B. Random key generation
C. Use of symmetric encryption
D. Short key length
Answer: D
NO.700 When determining whether a project in the design phase will meet organizational
objectives, what is BEST to compare against the business case?
A. Requirements analysis
B. Project budget provisions
C. Implementation
D. plan Project plan
Answer: A
NO.701 Which of the following would an IS auditor consider the GREATEST risk associated with a
mobile workforce environment?
A. Lack of compliance with organizational policies
B. Decrease in employee productivity and accountability
C. Loss or damage to the organization's assets
D. Inability to access data remotely
Answer: D
NO.702 Which of the following should an IS auditor do FIRST when assessing the level of compliance
for an organization in the banking industry?
A. Review internal documentation to evaluate adherence to external requirements.
B. Determine whether the organization has established benchmarks against industry peers for
compliance.
C. Confirm there are procedures in place to ensure organizational agreements address legal
requirements.
D. Identify industry-specific requirements that apply to the organization.
Answer: D
134
NO.703 While conducting a review of project plans related to a new software development, an IS
auditor finds the project initiation document (PID) is incomplete. What is the BEST way for the
auditor to proceed?
A. Meet with the project sponsor to discuss the incomplete document.
B. Prepare a finding for the audit report.
C. Inform audit management of possible risks associated with the deficiency.
D. Escalate to the project steering committee.
Answer: A
NO.704 Which of the following is the GREATEST risk associated with data conversion and migration
during implementation of a new application?
A. Lack of data transformation rules
B. Inadequate audit trails and logging
C. Absence of segregation of duties
D. Obsolescence and data backup compatibility
Answer: D
NO.705 An IS audit manager finds that data manipulation logic developed by the audit analytics
team leads to incorrect conclusions This inaccurate logic is MOST likely an indication of lich of the
following?
A. Poor change controls over data sets collected from the business
B. The team's poor understanding of the business process being analyzed
C. Poor security controls that grant inappropriate access to analysis produced
D. Incompatibility between data volume and analytics processing capacity
Answer: B
NO.706 When deploying an application that was created using the programming language and tools
supported by the cloud provider, the MOST appropriate cloud computing model for an organization
to adopt is:
A. Platform as a Service (PaaS).
B. Software as a Service (SaaS).
C. Infrastructure as a Service (laaS).
D. Identity as a Service (IDaaS).
Answer: A
NO.707 Which of the following is the MOST likely cause of a successful firewall penetration?
A. Use of a Trojan to bypass the firewall
B. Loophole m firewall vendor's code
C. Virus infection
D. Firewall misconfiguration by the administrator
Answer: D
NO.708 When determining which IS audits to conduct during the upcoming year, internal audit has
135
received a request from management for multiple audits of the contract division due to fraud
findings during the prior year Which of the following is the BEST basis for selecting the audits to be
performed?
A. Select audits based on management's suggestion
B. Select audits based on the skill sets of the IS auditors.
C. Select audits based on collusion risk
D. Select audits based on an organizational risk assessment.
Answer: D
NO.709 Which of the following is the BEST indicator for measuring performance of the IT help desk
function?
A. Number of reopened tickets
B. Percentage of problems raised from incidents
C. Number of incidents reported
D. Mean time to categorize tickets
Answer: A
NO.710 Which of the following would BEST indicate the effectiveness of a security awareness
training program?
A. Increased number of employees completing training
B. Reduced unintentional violations
C. Results of third-parry social engineering tests
D. Employee satisfaction with trailing
Answer: B
NO.711 Which of the following is the BEST incident of an effective problem management process?
A. The time to close an incident is reduced.
B. Incident are logged in a centralized system.
C. Incidents are assigned to engineers immediately.
D. The number of repeat incidents is reduced.
Answer: D
NO.712 Which of the following is the BEST way for an IS auditor to ensure the completeness of data
collected for advanced analytics during an audit?
A. Perform additional quality control steps after selecting the samples
B. Review the query or parameters used to download the data before selecting samples
C. Obtain access to the quality assurance (QA) system to independently download the information
D. Request the data owner to verify and approve the information
Answer: B
NO.713 An IS auditor intends to accept a management position in the data processing department
within the same organization. However, the auditor is currently working on an audit of a major
application and has not yet finished the report. Which of the following would be the BEST step tor
136
the IS auditor to take?

A. Start in the position immediately.
B. Start in the position and inform the application owner of the job change.
C. Complete the audit without disclosure and then start in the position.
D. Disclose this issue to the appropriate parties.
Answer: D
NO.714 An organization has agreed to perform remediation related to high-risk audit findings. The
remediation process involves a complex reorganization of user roles as well as the Implementation of
several compensating controls that may not be completed within the next audit cycle Which of the
following is the BEST way for an IS auditor to follow up on their activities?
A. Provide management with a remediation timeline and verity adherence
B. Schedule a review of the controls after the projected remediation date
C. Review the progress of remediation on a regular basis
D. Continue to audit the failed controls according to the audit schedule
Answer: A
NO.715 Which of the following would be the MOST significant factor when choosing among several
backup system alternatives with different restoration speeds?
A. Recovery point objective (RPO)
B. Mean time between failures (MTBFs)
C. Maximum tolerable outages (MTOs)
D. Recovery time objective (RTO)
Answer: D
NO.716 IT disaster recovery lime objectives (RTOs) should be based on [he:

A. maximum tolerable loss of data.
B. business-defined critically of the systems.
C. maximum tolerable downtime (MTD).
D. nature of the outage.
Answer: B
NO.717 During the design phase of a software development project, the PRIMARY responsibility of
an IS auditor is to evaluate the:
A. future compatibility of the design.
B. controls incorporated into the system specifications.
C. proposed functionality of the application.
D. development methodology employed.
Answer: B
NO.718 The FIRST course of action an investigator should take when a computer is being attacked is
to:
A. copy the contents of the hard drive.
137
B. disconnect it from the network.

C. terminate all active processes
D. disconnect the power source.
Answer: C
NO.719 Following a significant merger and acquisition, which of the following should the chief audit
executive (CAE) do FIRST to evaluate the performance of the combined internal audit function?
A. Conduct performance benchmarking.
B. Identify key performance indicators (KPIs).
C. Set process maturity levels.
D. Review internal audit department procedures.
Answer: D
NO.720 An organization recently decided to send the backup of its customer relationship
management (CRM) system to its cloud provider for recovery. Which of the following should be of
GREATEST concern to an IS auditor reviewing this process?
A. Validation of backup data has not been performed.
B. The cloud provider is located in a different country.
C. Testing of restore data has not been performed.
D. Backups are sent and stored in unencrypted format.
Answer: B
NO.721 Which control type would provide the MOST useful input to a root cause analysis?
A. Compensating
B. Detective
C. Directive
D. Corrective
Answer: B
NO.722 The PRIMARY reason an IS department should analyze past incidents and problems is to:
A. determine if all incidents and problems are reported
B. assess help desk performance
C. assign responsibility for problems.
D. identify the causes of recurring incidents and problems.
Answer: D
NO.723 The PRIMARY benefit of information asset classification is that it:

A. facilitates budgeting accuracy.
B. enables risk management decisions.
C. prevents loss of assets.
D. helps to align organizational objectives.
Answer: B
138
NO.724 A warehouse employee of a retail company has been able to conceal the theft of inventory
items by entering adjustments of either damaged or lost stock items to the inventory system Which
control would have BEST prevented this type of fraud in a retail environment?
A. Statistical sampling of adjustment transactions
B. Unscheduled audits of lost stock lines
C. An edit check for the validity of the inventory transaction
D. Separate authorization for input of transactions
Answer: D
NO.725 An organization performs both full and incremental database backups Which of the
following will BEST enable full restoration in the event of the destruction of the data center?
A. Transmit incremental backups to an offsite location daily.
B. Rotate all backups to an offsite location daily
C. Maintain full and incremental backups in a secure server room
D. Move full backups to an offsite location weekly
Answer: B
NO.726 Which of the following is the GREATEST risk associated with lack of IT involvement in the
organization's strategic planning initiatives?
A. Business strategies may not consider emerging technologies
B. IT strategic goals may not be considered by the business.
C. IT strategies may not align with business strategies
D. Business strategies may not align with IT capabilities.
Answer: D
NO.727 Which of the following weaknesses would have the GREATEST impact on the effective
operation of a perimeter firewall?
A. Potential back doors to the firewall software
B. Use of stateful firewalls with default configuration
C. Ad hoc monitoring of firewall activity
D. Misconfiguration of the firewall rules
Answer: D
NO.728 Which of the following is the PRIMARY purpose of using data analytics when auditing an
enterprise resource planning (ERP) system for a large organization?
A. To determine recovery point objectives (RPOs)
B. To identify business processing errors
C. To select sampling methods
D. To identify threats to the ERP
Answer: B
NO.729 An IS auditor finds that firewalls are outdated and not supported by vendors. Which of the
following should be the auditor s NEXT course of action?
139
A. Report the security posture of the organization.

B. Report the mitigating control
C. Determine the value of the firewall.
D. Determine the risk of not replacing the firewall
Answer: D
NO.730 During a business process re-engineering (BPR) program, IT can assist with:
A. segregation of duties
B. streamlining of tasks
C. total cost of ownership,
D. focusing on value-added tasks.
Answer: B
NO.731 Which of the following documents would be MOST useful in detecting a weakness in
segregation of duties?
A. Data flow diagram
B. Entity-relationship diagram
C. Process flowchart
D. Systems flowchart
Answer: C
NO.732 Which of the following is the MOST important benefit of involving IS audit when
implementing governance of enterprise IT?
A. Identifying relevant roles for an enterprise IT governance framework
B. Verifying that legal, regulatory and contractual requirements are being met
C. Providing independent and objective feedback to facilitate improvement of IT processes
D. Making decisions regarding risk response and monitoring of residual risk
Answer: C
NO.733 An IS auditor should ensure that an application's audit trail:

A. does not impact operational efficiency
B. is accessible online.
C. has adequate security,
D. logs all database records.
Answer: C
NO.734 An IS auditor is performing a follow-up audit for findings identified in an organization's user
provisioning process. Which of the following is the MOST appropriate population to sample from
when testing for remediation?
A. All users who have followed user provisioning processes provided by management
B. All users provisioned after the finding was originally identified
C. All users provisioned after management resolved the audit issue
D. All users provisioned after the final audit report was issued
140
Answer: C
NO.735 Which of the following establishes the role of the internal audit function?
A. Audit objectives
B. Audit project
C. plan Audit charter
D. Audit governance
Answer: C
NO.736 An IS auditor is planning to audit an organization's infrastructure for access, patching, and
change management. Which of the following is the BEST way to prioritize the systems?
A. Complexity of the environment
B. Criticality of the system
C. System hierarchy within the infrastructure
D. System retirement plan
Answer: B
NO.737 An organization with high availability resource requirements is selecting a provider for cloud
computing.
Which of the following would cause the GREATEST concern to an IS auditor? The provider:
A. hosts systems for the organization's competitor.
B. does not store backup media offsite.
C. is not internationally certified for high availability.
D. deploys patches automatically without testing.
Answer: D
NO.738 Which of the following is MOST important for an IS auditor to do during an exit meeting
with an auditee?
A. Ensure that the facts presented in the report are correct.
B. Specify implementation dates for the recommendations.
C. Request input in determining corrective action.
D. Communicate the recommendations to senior management
Answer: D
NO.739 Which of the following is MOST influential when defining disaster recovery strategies?
A. Annual loss expectancy
B. Maximum tolerable downtime
C. Data classification scheme
D. Existing server redundancies
Answer: A
NO.740 Which of the following is the MOST significant risk associated with peer-to-peer networking
technology?
141
A. Reduction in staff productivity

B. Loss of information during transmission
C. Lack of reliable internet network connections
D. Lack of central monitoring
Answer: D
NO.741 An IS audit manager has been asked to perform a quality review on an audit that the same
manager also supervised. Which of the following is (he manager's BEST response to this situation?
A. Discuss with the audit team to understand how conclusions were reached.
B. Determine whether audit evidence supports audit conclusions.
C. Escalate the situation to senior audit leadership.
D. Notify the audit committee of the situation.
Answer: D
NO.742 Which of the following is the PRIMARY reason for an IS auditor to select a statistical
sampling method?
A. Statistical sampling methods enable the auditor to objectively quantify the probability of error.
B. Statistical sampling methods are the most effective way to avoid sampling risk.
C. Statistical sampling methods must be used to mitigate audit risk.
D. Statistical sampling methods help the auditor to determine the tolerable error rate.
Answer: B
NO.743 Which of the following is the BEST development methodology to help manage project
requirements in a rapidly changing environment?
A. Prototyping
B. Iterative development process
C. Object-oriented system development
D. Waterfall development process
Answer: B
NO.744 The objective of a vulnerability identification step in a risk assessment process is to.
A. determine the impact of compromise
B. develop a list of weaknesses
C. identify the compensating controls
D. determine the likelihood of a threat
Answer: B
NO.745 Which of the following is the MOST important difference between end-user computing
(EUC) applications and traditional applications?
A. Traditional application documentation is typically less comprehensive than EUC application
documentation.
B. Traditional applications require roll-back procedures whereas EUC applications do not.
C. Traditional applications require periodic patching whereas EUC applications do not.
142
D. Traditional application input controls are typically more robust than EUC application input
controls.
Answer: D
NO.746 An IS auditor is reviewing database log settings and notices that only INSERT and DELETE
operations are being monitored in the database. What is the MOST significant risk?
A. Metadata may not be logged.
B. Purged records may not be logged.
C. Newly added records may not be logged.
D. Changes to existing records may not be logged.
Answer: D
NO.747 Stress testing should ideally be carried out under a:

A. production environment with test data.
B. test environment with test data.
C. production environment with production workloads.
D. test environment with production workloads.
Answer: B
NO.748 Which of the following should be the PRIMARY role of an internal audit function in the
management of identified business risks?
A. Validating enterprise risk management (ERM)
B. Establishing a risk management framework
C. Operating the risk management framework
D. Establishing a risk appetite
Answer: A
NO.749 An IS auditor wants to understand the collective effect of the preventive, detective, and
corrective controls for a specific business process. Which of the following should the auditor focus on
FIRST?
A. The formal documentation of the process and how adherence is measured
B. Whether the existence of preventive controls causes corrective controls to become unnecessary
C. Whether segregation of duties is in place when two controls are applied simultaneously
D. The various points in the process where controls are exercised
Answer: D
NO.750 In a high-volume, real-time system, the MOST effective technique by which to continuously
monitor and analyze transaction processing is:
A. transaction tagging
B. parallel simulation.
C. integrated test facility (ITF)
D. embedded audit modules.
Answer: C
143
NO.751 Which of the following BEST enables an organization to quantify acceptable data loss in the
event of a disaster?
A. Availability of backup software
B. Recovery point objective (RPO)
C. Recovery time objective (RTO)
D. Mean time to recover (MTTR)
Answer: B
NO.752 An IS auditor attempts to sample for variables in a population of items with wide differences
in values but determines that an unreasonably large number of sample items must be selected to
produce the desired confidence level. In this situation, which of the following is the BEST audit
decision?
A. Allow more time and test the required sample
B. Select a judgmental sample
C. Select a stratified sample
D. Lower the desired confidence level
Answer: C
NO.753 During an operational audit of a biometric system used to control physical access, which of
the following should be of GREATEST concern to an IS auditor?
A. False positives
B. Lack of biometric training
C. False negatives
D. User acceptance of biometrics
Answer: A
NO.754 An IS audit manager was temporarily tasked with supervising a project manager assigned to
the organization's payroll application upgrade Upon returning to the audit department, the audit
manager has been asked to perform an audit to validate the implementation of the payroll
application The audit manager Is the only one in the audit department with IT project management
experience. What is the BEST course of action?
A. Manage the audit since there is no one else with the appropriate experience
B. Outsource the audit to independent and qualified resources
C. Have a senior IS auditor manage the project with the IS audit manager performing final review
D. Transfer the assignment to a different audit manager despite lack of IT project management
experience
Answer: B
NO.755 An IS auditor is reviewing the business requirements 'or the deployment of a new website
Which of the following cryptographic systems would provide the BEST evidence of secure
communications on the internet?
A. Secure Shell (SSH)
B. Wi-Fi Protected Access 2 (WPA2)
144
C. IP Security (IPSEC)
D. Transport Layer Security (TLS)
Answer: D
NO.756 An organization has outsourced its data processing function to a service provider. Which of
the following would BEST determine whether the service provider continues to meet the
organization's objectives?
A. Adequacy of the service provider's insurance
B. Periodic audits of controls by an independent auditor
C. Assessment of the personnel training processes of the provider
D. Review of performance against service level agreements (SLAs)
Answer: D
NO.757 chain management processes Customer orders are not being fulfilled in a timely manner,
and the inventory in the warehouse does not match the quantity of goods in the sales orders. Which
of the following is the auditor's BEST recommendation?
A. Require the sales representative to verify inventory levels prior to finalizing sales orders.
B. Require the warehouse manager to send updated inventory levels on a periodic basis.
C. Revise the order fulfillment procedures in collaboration with the e-commerce team.
D. Implement an automated control to verify inventory levels prior to finalizing sales orders.
Answer: D
NO.758 An IS auditor has found that an organization is unable to add new servers on demand in a
cost-efficient manner Which of the following is the auditor s BEST recommendation?
A. Upgrade hardware to newer technology.
B. Increase the capacity of existing systems.
C. Build a virtual environment
D. Hire temporary contract workers for the IT function.
Answer: C
NO.759 An organization plans to launch a social media presence as part of a new customer service
campaign. Which of the following is the MOST significant risk from the perspective of potential
litigation?
A. Approved employees can use personal devices to post on the company $ behalf
B. There is a lack of dear procedures for responding to customers on social media outlets
C. Access to corporate-sponsored social media accounts requires only single-factor authentication.
D. The policy stating what employees can post on the organization s behalf is unclear.
Answer: D
NO.760 An organization is disposing of a system containing sensitive data and has deleted ail files
from the hard disk.
An IS auditor should be concerned because:
A. backup copies of files were not deleted as well.
145
B. deleting all files separately is not as efficient as formatting the hard disk.
C. deleting the files logically does not overwrite the files' physical data.
D. deleted data cannot easily be retrieved.
Answer: C
NO.761 Which of the following network management toots should an IS auditor use to review the
type of packets flowing along a monitored link'?
A. Response time reports
B. Network monitors
C. Protocol analyzers
D. Online monitors
Answer: B
NO.762 Which of the following procedures for testing a disaster recovery plan (DRP) is MOST
effective7
A. Reviewing documented backup and recovery procedures
B. Performing an unannounced shutdown of the computing facility after hours
C. Testing at a secondary site using offsite data backups
D. Performing a quarterly tabletop exercise
Answer: C
NO.763 Which of the following is MOST important lo have in place for he continuous improvement
of process maturity within a large IT support function?
A. Performance metrics dashboard
B. Control self-assessments (CSAs)
C. Regular internal audits
D. Project management
Answer: A
NO.764 Which of the following is the MOST reliable way for an IS auditor to evaluate the operational
effectiveness of an organization's data loss prevention (DLP) controls?
A. Review data classification levels based on industry best practice.
B. Verify that confidential files cannot be transmitted to a personal USB device.
C. Conduct interviews to identify possible data protection vulnerabilities.
D. Verify that current DLP software is installed on all computer systems.
Answer: D
NO.765 Which of the following is the PRIMARY reason for an IS auditor to use computer-assisted
audit techniques (CAATs)?
A. To efficiently test an entire population
B. To perform direct testing of production data
C. To conduct automated sampling for testing
D. To enable quicker access to information
146
Answer: A
NO.766 Which of the following is the MOST effective control against injection attacks on a web
application?
A. Setting up the application and database on different servers
B. Validation of data provided by application users
C. Modern application firewalls
D. Strong identity controls for application users
Answer: D
NO.767 What is the MAIN purpose of an organization's internal IS audit function?

A. Review the organization's polices and procedures against industry best practice and standards.
B. Identify and initiate necessary changes in the control environment to help ensure sustainable
improvement.
C. Provide assurance to management about the effectiveness of the organization's risk management
and internal controls.
D. Independently attest the organization's compliance with applicable legal and regulatory
requirements.
Answer: D
NO.768 An organization's business function wants to capture customer data and must comply with
global data protection regulations. Which of the following should be considered FIRST?
A. The location of data storage
B. The encryption method for the data
C. The attributes of collected data
D. The legal basis for collecting the data
Answer: D
NO.769 An IS auditor finds that one employee has unauthorized access to confidential data. The IS
auditor's BEST recommendation should be to:
A. recommend corrective actions to be taken by the security administrator.
B. reclassify the data to a lower level of confidentiality.
C. implement a strong password schema for users,
D. require the business owner to conduct regular access reviews.
Answer: D
NO.770 Which of the following BEST enables and IS auditor to review system logs for unusual
activity by users?
A. Integrated test facility (ITF)
B. Data analytics
C. Audit hooks
D. Snapshots
Answer: C
147
NO.771 The recovery time objective (RTO) is normally determined on the basis of the:
A. acceptable downtime of the alternate site,
B. risk of occurrence.
C. criticality of the systems affected.
D. cost of recovery of all systems.
Answer: C
NO.772 Which of the following should be an IS auditor's GREATEST concern when reviewing an
outsourcing arrangement with a third-party cloud service provider to host personally identifiable
data?
A. The data is not adequately segregated on the host platform.
B. Fees are charged based on the volume of data stored by the host.
C. The outsourcing contract does not contain a right-to-audit clause.
D. The organization's servers are not compatible with the third party's infrastructure
Answer: A
NO.773 Which of the following is an IS auditor's BEST recommendation to help an organization

increase the efficiency of computing resources?
A. Overclocking the central processing unit (CPU)
B. Virtualization
C. Real-time backups
D. Hardware upgrades
Answer: B
NO.774 An organization has begun using social media to communicate with current and potential
clients. Which of the following should be of PRIMARY concern to the auditor?
A. Reduced productivity of staff using social media
B. Using a third-party provider to host and manage content
C. Lack of guidance on appropriate social media usage and monitoring
D. Negative posts by customers affecting the organization's image
Answer: B
NO.775 In an environment where most IT services have been outsourced, continuity planning is
BEST controlled by:
A. IT management,
B. continuity planning specialists.
C. business management.
D. outsourced service provider management
Answer: B
NO.776 Which of the following BEST indicates that an organization has effective governance in
place?
148
A. The organization regularly updates governance-related policies and procedures

B. The organizations board of directors executes on the management strategy
C. The organization is compliant with local government regulations
D. The organization's board of directors reviews metrics for strategic initiatives
Answer: C
NO.777 While planning a review of IT governance, the IS auditor is MOST likely to.
A. examine audit committee minutes for IS-related matters and their control.
B. review compliance with policies and procedures issued by the board of directors.
C. assess whether business process owner responsibilities are consistent across the organization.
D. obtain information about the framework of control adopted by management
Answer: D
NO.778 Which of the following strategies BEST optimizes data storage without compromising data
retention practices?
A. Moving emails to a virtual email vault after 30 days
B. Limiting the size of file attachments being sent via email
C. Automatically deleting emails older than one year
D. Allowing employees to store large emails on flash drives
Answer: B
NO.779 The implementation of an IT governance framework requires that the board of directors of
an organization:
A. address technical IT issues.
B. be informed of all IT initiatives.
C. approve the IT strategy.
D. have an IT strategy committee.
Answer: B
NO.780 A legacy application is running on an operating system that is no longer supported by

vendor, if the organization continues to use the current application, which of the application should
be the IS auditor's GREATEST concern?
A. Inability to use the operating system due to potential licence issues
B. Increased cost of maintaining the system
C. Inability to update the legacy application database
D. Potential exploitation of zero-day vulnerabilities in the system
Answer: D
NO.781 Which of the following is the PRIMARY objective of baselining the IT control environment?
A. Align IT strategy with business strategy.
B. Detect control deviations.
C. Define process and control ownership.
D. Ensure IT security strategy and policies are effective.
149
Answer: B
NO.782 An organization's information security department has recently created a centralized

governance model to ensure that network-related findings are remediated within the service level
agreement (SLA). What should the IS auditor use to assess the maturity and capability of this
governance model?
A. Key performance indicators (KPIs)
B. Key data elements
C. Key risk indicators (KRIs)
D. Key process controls
Answer: A
NO.783 An IS audit team s evaluating the documentation related to the most recent application
user-access review performed by IT and business management. It is determined that the user list was
not system-generated. Which of the following: should be the GREATEST concern?
A. Source of the user list reviewed
B. Availability of the user list reviewed
C. Completeness of the user list reviewed
D. Confidentiality of the user list reviewed
Answer: A
NO.784 Which of the following findings should hr of GREATEST concern for an IS auditor when
auditing the effectiveness of a phishing simulation test administered for staff members?
A. Test results were not communicated to staff members
B. Staff members who failed the test did not receive follow-up education
C. Security awareness training was not provided poor to the test
D. Staff members were not notified about the test beforehand
E. B
Answer: E
NO.785 A bank has implemented a new accounting system. Which of the following is the BEST lime
for an IS auditor to perform a post-implementation review?
A. After user acceptance testing (UAT) is completed
B. One full year after go-live
C. As close to go-live as possible
D. After the first reporting cycle
Answer: C
NO.786 Which of the following is the BEST way to mitigate the impact of ransomware attacks?
A. Backing up data frequently
B. Requiring password changes for administrative accounts
C. Invoking the disaster recovery plan (DRP)
D. Paying the ransom
150
Answer: A
NO.787 A financial institution suspects that a manager has been crediting customer accounts
without authorization.
Which of the following is the MOST effective method to validate this concern?
A. Variable sampling
B. Attribute sampling
C. Stop or go sampling
D. Discovery sampling
Answer: B
NO.788 When responding to an ongoing denial of service (DoS) attack, an organization's FIRST
course of action should be to
A. investigate damage
B. analyze the attack path
C. minimize impact
D. restore service
Answer: B
NO.789 Which of the following would provide an IS auditor with the MOST assurance when auditing
the implementation of a new application system?
A. Substantive testing
B. Statistical sampling
C. Sign-off by system owner
D. Attribute sampling
Answer: A
NO.790 The risk of communication failure in an e-commerce environment is BEST minimized

through the use of
A. a packet filtering firewall to reroute messages.
B. alternative or diverse routing
C. functional or message acknowledgments
D. compression software to minimize transmission duration.
Answer: C
NO.791 Which of the following should be the PRIMARY concern of an IS auditor during a review of
an external IT service level agreement (SLA) for computer operations?
A. Changes in services are not tracked
B. Vendor has exclusive control of IT resources
C. Lack of software escrow provisions
D. No employee succession plan
Answer: A
151
NO.792 An IS auditor has completed an audit on the organization's IT strategic planning process
Which of the following findings should be given the HIGHEST priority?
A. Assumptions in the IT strategic plan have not been communicated to business stakeholders
B. The IT strategic plan was formulated based on the current IT capabilities.
C. The IT strategic plan was completed prior to the formulation of the business strategic plan
D. The IT strategic plan does not include resource requirements for implementation.
Answer: C
NO.793 Which of the following should be of GREATEST concern to an IS auditor conducting a

security review of a point-of-sale (POS) system?
A. POS systems are not integrated with accounting applications for data transfer
B. Management of POS systems is outsourced to a vendor based in another country.
C. An optical scanner is not used to read bar codes for generating sales invoices
D. Credit card verification value (CW) information is stored on local POS systems
Answer: D
NO.794 Which of the following should be defined in an audit chatter?

A. Audit schedule
B. Audit methodology
C. Audit results
D. Audit authority
Answer: D
NO.795 During an audit, the client learns that the IS auditor has recently completed a similar
security review at a competitor. The client inquires about the competitor's audit results. What is the
BEST way for the auditor to address this inquiry?
A. Explain that it would be inappropriate to discuss the results of another audit client
B. Escalate the question to the audit manager for further action.
C. Discuss the results of the audit, omitting specifics related to names and products.
D. Obtain permission from the competitor to use the audit results as examples for future clients.
Answer: A
NO.796 Which of the following is MOST important for an organization to complete prior to
developing its disaster recovery plan (DRP)?
A. Risk assessment
B. Business impact analysis (BIA)
C. Comprehensive IT inventory
D. Support staff skills gap analysis
Answer: B
NO.797 Which of the following focus areas is a responsibility of IT management rather than IT
governance?
A. IT controls implementation
152
B. Risk optimization
C. IT resource optimization
D. Benefits realization
Answer: A
NO.798 What information within change records would provide an IS auditor with the MOST
assurance that configuration management is operating effectively?
A. Affected configuration items and associated impacts
B. Implementation checklist for release management
C. Post-implementation review documentation
D. Configuration management plan and operating procedures
Answer: A
NO.799 Which of the following must be in place before an IS auditor initiates audit follow-up
activities?
A. A heat map with the gaps and recommendations displayed in terms of risk
B. Available resources for the activities included in the action plan
C. Supporting evidence for the gaps and recommendations mentioned in the audit report
D. A management response in the final report with a committed implementation date
Answer: D
NO.800 Which of the following is the BEST way to minimize the impact of a ransomware attack?
A. Perform more frequent system backups.
B. Maintain a regular schedule for patch updates.
C. Provide user awareness training on ransomware attacks.
D. Grant system access based on least privilege.
Answer: A
NO.801 Which of the following is the GREATEST security risk associated with data migration from a
legacy human resources (HR) system to a cloud-based system''
A. Data from the source and target system may be intercepted
B. Records past their retention period may not be migrated to the new system
C. System performance may be impacted by the migration
D. Data from the source and target system may have different data formats
Answer: A
NO.802 An IS audit manager is preparing the starling plan for an audit engagement of a cloud service
provider What should be the manager's PRIMARY concern when made aware that a new auditor in
the department previous worked for this provider?
A. Integrity
B. Professional conduct
C. Independence
D. Competency
153
Answer: A
NO.803 When developing a business continuity plan (BCP), which of the following should be
performed FIRST?
A. Classify operations.
B. Conduct a business impact analysis (BIA)
C. Develop business continuity training.
D. Establish a disaster recovery plan (DRP)
Answer: B
NO.804 Which of the following is a corrective control that reduces the impact of a threat event?
A. Business process analysis
B. Security policy
C. Business continuity plan (BCP)
D. Segregation of duties (SoD)
Answer: C
NO.805 Which of the following is the BEST control to help prevent sensitive data leaving an
organization via email?
A. Providing encryption solutions for employees
B. Conducting periodic phishing tests
C. Blocking outbound emails sent without encryption
D. Scanning outgoing emails
Answer: C
NO.806 After delivering an audit report, the audit manager discovers that evidence was overlooked
during the audit This evidence indicates that a procedural control may have failed and could
contradict a conclusion of the audit. Which of the following risks is MOST affected by the oversight?
A. Operational
B. Audit
C. Inherent
D. Financial
Answer: C
NO.807 Which of the following BEST facilitates the management of assets dunng the
implementation of an information system?
A. Configuration management database (CMDB)
B. Quality management controls
C. Decision support system
D. Asset procurement system
Answer: A
NO.808 An external IS auditor has been engaged to determine the organization's cybersecurity
154
posture. Which of the following is MOST useful for this purpose?

A. Control self-assessment (CSA)
B. Compliance reports
C. Industry benchmark
D. Capability maturity assessment.
Answer: B
NO.809 Which of the following BEST facilitates detection of zero-day exploits?

A. Intrusion detection systems (IDS)
B. Anti-malware software
C. Intrusion prevention systems (IPS)
D. User behavior analytics
Answer: D
NO.810 In a 24/7 processing environment, a database contains several privileged application

accounts with passwords set to "never expire.' Which of the following recommendations would BEST
address the risk with minimal disruption to the business?
A. Modify applications to no longer require direct access to the database.
B. Modify the access management policy to make allowances for application accounts
C. Schedule downtime to implement password changes
D. Introduce database access monitoring into the environment
Answer: B
NO.811 An organization developed a comprehensive three-year IT strategic plan Halfway into the
plan a major legislative change impacting the organization is enacted. Which of the following should
be management's NEXT course of action?
A. Develop specific procedural documentation related to the changed legislation
B. Perform a risk assessment of the legislative changes
C. Assess the legislation to determine whether changes are required to the strategic
D. IT plan Develop a new IT strategic plan that encompasses the new legislation
Answer: C
NO.812 Which of the following would BEST manage the risk of changes in requirements after the
analysis phase of a business application development project?
A. Quality assurance (QA) review
B. Expected deliverables meeting project deadlines
C. Sign-off from the IT team
D. Ongoing participation by relevant stakeholders
Answer: D
NO.813 When engaging services from external auditors, which of the following should be
established FIRST?
A. Termination conditions agreements
155
B. Nondisclosure agreements
C. Service level agreements
D. Operational level agreements
Answer: B
NO.814 An organization is acquiring a new customer relationship management (CRM) system In

which of the following would the IS auditor find the MOST relevant information on projected cost
savings?
A. Request for proposal (RFP)
B. Business case
C. Feasibility study document
D. Results of prototype testing
Answer: B
NO.815 A maturity model can be used to aid the implementation of IT governance by identifying:
A. improvement opportunities.
B. accountabilities.
C. performance drivers.
D. critical success factors.
Answer: A
NO.816 Which of the following is the MOST important reason to use statistical sampling?
A. The results can reduce error rates.
B. It reduces time required for testing.
C. The results are more defensible *
D. It ensures that all relevant cases are covered.
Answer: D
NO.817 An IS auditor begins an assignment and identifies audit components for which the auditor is
not qualified to assess. Which of the following is the BEST course of anion?
A. Exclude the related tests from the audit plan and continue the assignment.
B. Notify audit management for a decision on how to proceed
C. Complete the audit and give full disclosure in the final audit report
D. Complete the work assignment to the best of the auditor's Ability
Answer: B
NO.818 The activation of a pandemic response plan has resulted in a remote workforce situation.
Which of the following technologies poses the GREATEST risk to data confidentiality?
A. Remotely managed network switches
B. Rapid increase in the number of virtual private network (VPN) users
C. On-premise employee workstations left unattended
D. BYOD devices without adequate endpoint protection
Answer: D
156
NO.819 Which of the following would BEST detect that a distributed-denial-of-service attack (DDoS)
is occurring?
A. Server crashes
B. Penetration testing
C. Automated monitoring of logs
D. Customer service complaints
Answer: C
NO.820 Which of the following information security requirements BEST enables the tracking of
organizational data in a bring your own device {BYOD) environment?
A. Employees must enroll their personal devices in the organization's mobile device management
program.
B. Employees must use auto-lock features and complex passwords on personal devices.
C. Employees must sign acknowledgment of the organization's mobile device acceptable use policy
D. Employees must immediately report lost or stolen mobile devices containing organizational data.
Answer: A
NO.821 Which of the following is the PRIMARY benefit of using a capability maturity model?
A. It provides detailed changes management strategies for performance improvement.
B. It helps the organization estimate how long it will lake to reach the highest level of maturity in
each area
C. It provides a way to compare against similar organizations' maturity levels
D. It helps the organization develop a roadmap toward its desired level of n each area
Answer: D
NO.822 Which of the following should be the PRIMARY basis for procedures to dispose of data
securely?
A. Type of media used for data storage
B. Data retention policy
C. Classification of data
D. Environmental regulations
Answer: B
NO.823 Which of the following is a benefit of the DevOps development methodology?

A. It leads to a well-defined system development life cycle (SDLC)
B. It enforces segregation of duties between code developers and release migrators.
C. It enables increased frequency of software releases to production.
D. It restricts software releases to a fixed release schedule
Answer: A
NO.824 A manager identifies active privileged accounts belonging to staff who have left the
organization. Which of the following is the threat actor In this scenario?
157
A. Hacktivists
B. Terminated staff
C. Deleted log data
D. Unauthorized access
Answer: B
NO.825 A USB device containing sensitive production data was lost by an employee and its contents
were subsequently found published online Which of the following controls is the BEST
recommendation to prevent a similar recurrence?
A. Training users on USB device security
B. Monitoring data being downloaded on USB devices
C. Electronically tracking portable devices
D. Using a strong encryption algorithm
Answer: A
NO.826 What is the PRIMARY benefit of an audit approach which requires reported findings to be
issued together with related action plans, owners, and target dates?
A. it facilitates easier audit follow-up
B. it enforces action plan consensus between auditors and auditees
C. it establishes accountability for the action plans
D. it helps to ensure factual accuracy of findings
Answer: C
NO.827 An IS auditor finds that a document related to a client has been leaked. Which of the
following should be the auditor's NEXT step?
A. Report data leakage finding to regulatory authorities
B. Determine the classification of data leaked
C. Report data leakage finding to senior management
D. Notify appropriate law enforcement.
Answer: B
NO.828 IS management has recently disabled certain referential integrity controls in the database
management system (DBMS) software to provide users increased query performance Which of the
following controls win MOST effectively compensate for the lack of referential integrity?
A. Periodic table link checks
B. Concurrent access controls
C. Performance monitoring tools
D. More frequent data backups
Answer: A
NO.829 Which of the following is the BEST way to ensure payment transaction data is restricted to
the appropriate users?
A. Implementing two-factor authentication
158
B. Using a single menu for sensitive application transactions

C. Implementing role-based access at the application level
D. Restricting access to transactions using network security software
Answer: C
NO.830 Which of the following is MOST important for an IS auditor to verify during a disaster
recovery audit?
A. Regular backups are made and stored offsite
B. Tabletop disaster recovery tests are conducted
C. The disaster recovery plan (DRP) is updated on a regular basis.
D. Roles and responsibilities are documented.
Answer: C
NO.831 During an audit, which of the following would be MOST helpful in establishing a baseline for
measuring data quality?
A. Built-in data error prevention application controls
B. Industry standard business definitions
C. Input from customers
D. Validation of rules by the business
Answer: D
NO.832 When conducting a post-implementation review of a new software application, an IS

auditor should be MOST concerned with an increasing number of
A. updates required for the end-user operations manual
B. change requests approved to add new services
C. operational errors impacting service delivery
D. help desk calls requesting future enhancements
Answer: A
NO.833 In assessing the priority given to systems covered in an organization's business continuity
plan (BCP), an IS auditor should FIRST:
A. Review the backup and restore process
B. Verify the criteria for disaster recovery site selection
C. Validate the recovery time objectives and recovery point objectives
D. Review results of previous business continuity plan (BCP) tests
Answer: C
NO.834 The PRIMARY purpose for an IS auditor to review previous audit reports during the planning
phase of a current audit is to:
A. identify applicable regulatory requirements for the current audit.
B. become informed about the auditees business processes.
C. ensure that previously identified risks are addressed in the audit program.
D. adjust audit scope to reduce testing in areas related to previous findings.
159
Answer: C
NO.835 Which of the following access rights presents the GREATEST risk when granted to a new
member of the system development staff?
A. Write access to development data libraries
B. Execute access to development program libraries
C. Write access to production program libraries
D. Execute access to production program libraries
Answer: A
NO.836 Which of the following findings should be of GREATEST concern to an IS auditor reviewing
the effectiveness of an organization's problem management practices?
A. Problem records are prioritized based on the impact of incidents
B. Some incidents are closed without problem resolution.
C. Root causes are not adequately identified
D. Problems are frequently escalated to management for resolution
Answer: C
NO.837 An organization plans to implement a virtualization strategy enabling multiple operating

systems on a single host. Which of the following should be the GREATEST concern with this strategy?
A. Licensing costs of the host
B. Adequate storage space
C. Application performance
D. Network bandwidth
Answer: A
NO.838 An organization allows employees to retain confidential data on personal mobile devices
Which of the following is the BEST recommendation to mitigate the risk of data leakage from lost or
stolen devices?
A. Password protect critical data files.
B. Require employees to attend security awareness training.
C. Enable device auto-lock function.
D. Configure to auto-wipe after multiple failed access attempts.
Answer: A
NO.839 Which of the following is an example of a preventive control?

A. Purchase orders in the system being checked by a supervisor prior to execution to identify errors
during entry
B. An online retailer's daily review of transactions processed to identify trends and changes in
customer demand
C. Regular assessments of the sales department to identify the most profitable sales strategies used
by sales staff
D. Continuous operation of a screening system to identify fraudulent patterns in recent transactions
160
Answer: A
NO.840 What is the MOST difficult aspect of access control in a multiplatform, multiple-site
client/server environment?
A. Restricting a local user to necessary resources on a local platform
B. Maintaining consistency throughout all platforms
C. Restricting a local user to necessary resources on the host server
D. Creating new user IDs valid only on a few hosts
Answer: B
NO.841 An algorithm in an email program analyzes traffic to quarantine emails identified as spam
The algorithm in the program is BEST characterized as which type of control?
A. Directive
B. Preventive
C. Corrective
D. Detective
Answer: B
NO.842 For an organization that has plans to implement web-based trading, it would be MOST
important for an IS auditor to verify the organization's information security plan includes:
A. security training prior to implementation.
B. security requirements for the new application.
C. the firewall configuration for the web server.
D. attributes for system passwords.
Answer: B
NO.843 Which of the following is a PRIMARY role of an IT steering committee?

A. Acting an liaison between the organization's assurance and senior management teams
B. Determining the acceptability of residual risk arising from the IT risk strategy
C. Providing insight and advice on the progress of major IT projects
D. Communicating organizational business objectives to the IT department
Answer: A
NO.844 An organization experienced a domain name system (DNS) attack caused by default user
accounts not being removed from one of the servers. Which of the following would have been the
BEST way to mitigate the risk of this DNS attack1?
A. Configure the servers from an approved standard configuration
B. Require all employees to attend training for secure configuration management
C. Have a third party configure the virtual servers
D. Configure the intrusion prevention system (IPS) to identify DNS attacks
Answer: A
NO.845 The purpose of data migration testing is to validate data:
161
A. retention.
B. completeness.
C. availability.
D. confidentiality.
Answer: B
NO.846 A client/server configuration will:

A. keep track of all the clients using the IS facilities of a service organization.
B. limit the clients and servers relationship by limiting the IS facilities to a single hardware system.
C. enhance system performance through the separation of front-end and back-end processes.
D. optimize system performance by having a server on a front-end and clients on a host.
Answer: C
NO.847 Which of the following is MOST likely to result from compliance testing?
A. Comparison of data with physical counts
B. Confirmation of data with outside sources
C. Identification of errors due to processing mistakes
D. Discovery of controls that have not been applied
Answer: A
NO.848 To address issues related to privileged users identified in an IS audit, management

implemented a security information and event management (SIEM) system. Which type of control is
in place?
A. Directive
B. Corrective
C. Preventive
D. Detective
Answer: D
NO.849 Which of the following is the MOST likely reason an organization would use Platform as a
Service (PaaS)?
A. To develop and integrate its applications
B. To install and manage operating systems
C. To establish a network and security architecture
D. To operate third-party hosted applications
Answer: A
NO.850 An IS auditor conducting a follow-up audit learns that previously funded recommendations
have not been implemented due to recent budget restrictions. Which of the following should the
A. Report the matter to the chief financial officer (CFO) and recommend funding be reinstated
B. Report to the audit committee that the recommendations are still open
C. Close the audit recommendations in the tracking register
D. Start an audit of the project funding allocation process
162
Answer: B
NO.851 Which of the following is an IS auditor's BEST course of action upon learning that preventive
controls have been replaced with detective and corrective controls'
A. Report the issue to management as the risk level has increased.
B. Evaluate whether new controls manage the risk at an acceptable level.
C. Verify the revised controls enhance the efficiency of related business processes.
D. Recommend the implementation of preventive controls in addition to the other controls.
Answer: B
NO.852 Which of the following would BEST prevent the potential leakage of sensitive corporate data
from personal mobile devices accessing corporate applications?
A. Creating a separate secure partition on the devices
B. Monitoring employee connections to the corporate network
C. Requiring employees to sign acknowledgment of an acceptable use policy
D. Limiting access and capabilities when connecting to the Internet
Answer: C
NO.853 An accounts receivable data entry routine prevents the entry of the same customer with
different account numbers. Which of the following is the BEST way to test if this programmed control
is effective?
A. Implement a computer-assisted audit technique (CAAT).
B. Compare source code against authorized software.
C. Review a sorted customer list for duplicates.
D. Attempt to create a duplicate customer.
Answer: D
NO.854 Which of the following should an IS auditor be MOST concerned with when reviewing the IT
asset disposal process?
A. Data migration to the new asset
B. Data stored on the asset
C. Monetary value of the asset
D. Certificate of destruction
Answer: B
NO.855 Which of the following Is the MOST effective way for an IS auditor to evaluate whether an
organization is well positioned to defend against an advanced persistent threat (APT)?
A. Verify that the organization has adequate levels of cyber insurance
B. Verify that the organization is using correlated data for security monitoring
C. Review the validity of external Internet Protocol (IP) addresses accessing the network
D. Assess the skill set within the security function
Answer: B
163
NO.856 An internal audit department recently established a quality assurance (QA) program as part
of its overall audit program. Which of the following activities is MOST important to rlude as part of
the QA program requirements?
A. Implementing corrective action plans
B. Creating a long-term plan for internal audit staffing
C. Analyzing user satisfaction reports from business lines
D. Reviewing audit standards periodically
Answer: A
NO.857 When reviewing backup policies, an IS auditor MUST verify that backup intervals of critical
systems do not exceed which of the following?
A. Service level objective (SLO)
B. Recovery time objective (RTO)
C. Maximum acceptable outage (MAO)
D. Recovery point objective (RPO)
Answer: D
NO.858 An IS auditor s role in privacy and security is to:

A. implement risk management methodologies.
B. verify compliance with applicable laws.
C. assist in developing an IS security strategy.
D. assist the governance steering committee with implementing a security policy.
Answer: B
NO.859 An IS auditor is asked to provide feedback on the systems options analysis for a new project
The BEST course of action for the IS auditor would be to:
A. retain comments as findings for the audit report.
B. comment on the criteria used to assess the alternatives.
C. identify the best alternative.
D. request at least one other alternative.
Answer: B
NO.860 Which of the following should be the FIRST step in an organization's forensics process to
preserve evidence?
A. Create the forensics analysis reporting template
B. Determine which forensic tools to use
C. Perform analytics on digital evidence obtained using forensic methods
D. Duplicate digital evidence and validate it using a hash function
Answer: D
NO.861 An IS audit reveals that many of an organization's Internet of Things (loT) devices have not
been patched.
Which of the following should the auditor do FIRST when determining why these devices have not
164
received the required patches?

A. Determine the physical location of the deployed devices
B. Review the organization's patching policy and process documentation
C. Ensure the devices are listed in the asset inventory database
D. Review the organization's most recent risk assessment on loT devices
Answer: B
NO.862 A new regulation in one country of a global organization has recently prohibited cross-
border transfer of personal data. An IS auditor has been asked to determine the organization's level
of exposure in the affected country. Which of the following would be MOST helpful in making this
assessment?
A. Reviewing data classification procedures associated with the affected jurisdiction
B. Developing an inventory of all business entities that exchange personal data with the affected
jurisdiction
C. Identifying business processes associated with personal data exchange with the affected
jurisdiction
D. Identifying data security threats in the affected jurisdiction
Answer: C
NO.863 A system development project is experiencing delays due to ongoing staff shortages Which
of the following strategies would provide the GREATEST assurance of system quality at
implementation?
A. Recruit IS staff to expedite system development
B. Deliver only the core functionality on the initial target date
C. Implement overtime pay and bonuses for all development staff
D. Utilize new system development tools to improve productivity
Answer: B
NO.864 As part of business continuity planning, which of the following is MOST important to assess
when conducting a business impact analysis (BIA)?
A. Recovery scenarios
B. Completeness of critical asset inventory
C. Risk appetite
D. Critical applications in the cloud
Answer: B
NO.865 An IS auditor is examining a front-end subledger and a main ledger. Which of the following
would be the GREATEST concern if there are flaws in the mapping of accounts between the two
systems?
A. Unauthorized alteration of account attributes
B. Double-posting of a single journal entry
C. Inaccuracy of financial reporting
D. Inability to support new business transactions
165
Answer: C
NO.866 Which of the following would be an IS auditor's GREATEST concern when reviewing an
organization's security controls for policy compliance?
A. End users are not required to acknowledge security policy training.
B. Security policy documents are available on a public domain website.
C. The security policy has no! been reviewed within the past year
D. Security policies are not uniformly applicable across the organization
Answer: C
NO.867 An audit has identified that business units have purchased cloud-based applications without
ITs support. What is [he GREATEST risk associated with this situation?
A. The applications could be modified without advanced notice.
B. The application purchases did not follow procurement policy.
C. The applications are not included in business continuity plans (BCPs).
D. The applications may not reasonably protect data.
Answer: C
NO.868 Which of the following is the MOST reliable network connection medium in an environment
where there is strong electromagnetic interface?
A. Fiber optic cable
B. Coaxial cable
C. Shielded twisted-pair cable
D. Wireless link
Answer: A
NO.869 Which of the following is MOST appropriate for measuring a batch processing application's
system performance over time?
A. System utilization
B. Idle time
C. Throughput
D. Uptime
Answer: C
NO.870 Which of the following is the GREATEST benefit of implementing an incident management
process?
A. Reduction in security threats
B. Opportunity for frequent reassessment of incidents
C. Reduction in the business impact of incidents
D. Reduction of cost by the efficient use of resources
Answer: C
NO.871 Which of the following is the MOST effective way to identify anomalous transactions when
166
performing a payroll fraud audit?

A. Substantive testing of payroll files
B. Data analytics on payroll data
C. Observation of payment processing
D. Sample-based review of pay stubs
Answer: B
NO.872 Which of the following is the BEST way to reduce sampling risk?
A. Plan the audit in accordance with generally accepted auditing principles
B. Ensure each item has an equal chance to be selected
C. Assign experienced auditors to the sampling process.
D. Align the sampling approach with the one used by external auditors
Answer: B
NO.873 An IS auditor performing an application development review attends development team

meetings. The IS auditor's independence will be compromised if the IS auditor:
A. designs and executes the user's acceptance test plan.
B. assists in developing an integrated test facility on the system.
C. reviews the result of systems tests that were performed by the development team.
D. re-performs test procedures used by the development team.
Answer: A
NO.874 An organization is planning to re-purpose workstations mat were used to handle

confidential information.
Which of the following would be the IS auditor's BEST recommendation to dispose of this
information?
A. Overwrite the disks with random data
B. Erase the disks by degaussing.
C. Delete the disk partitions.
D. Reformat the disks.
Answer: A
NO.875 An IS auditor finds the timeliness and depth of information regarding the organization's IT
projects varies based on which project manager is assigned. Which of the following
recommendations would be A MOST helpful in achieving predictable and repeatable project
management processes?
A. Alignment of project performance to pay incentives
B. Adoption of business case and earned value templates
C. Use of Gantt charts and work breakdown structures
D. Measurement against defined and documented procedures
Answer: B
NO.876 During an exit interview senior management disagrees with some of the facts presented in
167
the draft audit report and wants them removed from the report Which of the following would be the
auditor's BEST course of action?
A. Gather evidence to analyze senior management's objections
B. Finalize the draft audit report without changes
C. Revise the assessment based on senior management's objections.
D. Escalate the issue to audit management
Answer: A
NO.877 Which of the following is the MOST important consideration for an IS auditor when
assessing the adequacy of an organizations information security policy?
A. Business objectives
B. Alignment with the IT tactical plan
C. Compliance with industry best practice
D. IT steering committee minutes
Answer: A
NO.878 Which of the following is the MOST important determining factor when establishing
appropriate timeframes for follow-up activities related to audit findings?
A. Complexity of business processes identified in the audit
B. Remediation dates included m management responses
C. Availability of IS audit resources
D. Peak activity periods for the business
Answer: B
NO.879 Which of the following is MOST important for an IS auditor to verify when reviewing a
critical business application that requires high availability?
A. Algorithms are reviewed to resolve process ineffictencies.
B. Users participate in offsite business continuity testing.
C. There is no single point of failure.
D. Service level agreements (SlAs) are monitored.
Answer: C
NO.880 To develop meaningful recommendations for findings, which of the following is MOST
important for an IS auditor to determine and understand?
A. Root cause
B. Criteria
C. Responsible party
D. Impact
Answer: A
NO.881 A company uses a standard form to document and approve all changes in production
programs. To ensure that the forms are properly authorized, which of the following is the MOST
effective sampling method?
168
A. Random
B. Stratified
C. Attribute
D. Variable
Answer: C
NO.882 Reconciliations have identified data discrepancies between an enterprise data warehouse
and a revenue system for key financial reports. What is the GREATEST risk to the organization in this
situation?
A. Financial reports may be delayed.
B. Undetected fraud may occur.
C. The key financial reports may no longer be produced.
D. Decisions may be made based on incorrect information
Answer: D
NO.883 Which of the following is a concern associated with virtualization?

A. Performance issues with the host could impact the guest operating systems.
B. One host have multiple versioning of the same operating system.
C. The physical footprint of servers could decrease within the data center.
D. Processing capacity may be shared across multiple operating systems.
Answer: A
169

Cisa V2495 - 220623 - 075451

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Cisa V2495 - 220623 - 075451

Uploaded by

Copyright:

Available Formats

IT Certification Guaranteed, The Easy Way!

Title : Certified Information Systems

D. Electronic copies of customer sales receipts are maintained.

D. They are suitable for e-commerce authentication

NO.21 The PRIMARY reason to follow up on prior-year audit reports is to determine if

NO.24 An organization offers an online information security awareness program to employees on an

NO.26 Which of the following observations should be of GREATEST concern to an IS auditor

NO.27 An organization is migrating its human resources (HR) application to an Infrastructure as a

D. Inclusion of mission and objectives

NO.54 In a database management system (DBMS) normalization is used to:

A. standardize data names

NO.58 A post-implementation review of a development project concludes that several business

A. Joint application development

C. Defining roles within the organization related to privacy

NO.76 An IS auditor evaluating a three-tier client/server architecture observes an issue with

NO.78 An organization is shifting to a remote workforce. In preparation, the IT department is

NO.80 An organization's enterprise architecture (EA) department decides to change a legacy

B. The proposed network topology to be used by the redesigned system

NO.81 An organization is deciding whether to outsource its customer relationship management

D. Lack of virus protection

C. A file level copy of the hard drive

documentation for a client relationship management (CRM) system migration project?

B. Recovery strategy for significant business interruptions

NO.116 An IS auditor Is reviewing an organization's business continuity plan (BCP) following a

NO.122 Which of the following would be of GREATEST concern to an IS auditor reviewing an

NO.129 An organization issues digital certificates to employees to enable connectivity to a web-

B. Obtain a complete listing of the entity's IT processes

NO.136 An IT organization's incident response plan is which type of control?

consideration when determining the prioritization of follow-up activities?

NO.149 An IT governance body wants to determine whether IT service delivery is based on

NO.151 The PRIMARY advantage of object-oriented technology is enhanced:

NO.154 Which of the following is the BEST data integrity check?

NO.156 Which of the following observations should be of GREATEST concern to an IS auditor

NO.161 The PRIMARY role of a control self-assessment (CSA) facilitator Is to:

A. based on industry standards.

NO.168 Which of the following is the BEST IS audit strategy?

B. Users have not been trained on the new system.

NO.178 Which of the following is an objective of data transfer controls?

concerned with a lack of:

NO.190 Which cloud deployment model is MOST likely to be limited in scalability?

NO.191 An IS auditor reviewing a checkpoint/restart procedure should be MOST concerned if it is

NO.193 Which of the following would be of GREATEST concern to an IS auditor evaluating

Which of the following roles should be accountable for this finding?

NO.200 An emergency power-off switch should:

B. Enterprise architecture (EA)

D. Update the audit program based on management's acceptance of risk.

C. effectiveness of user training.

B. Recommend alternative solutions to address the repeat finding

NO.234 Upon completion of audit work, an IS auditor should:

NO.235 Which of the following is a preventive control related to change management?

C. Surveys completed by randomly selected employees

NO.247 Which of the following are examples of detective controls?

NO.249 Which of the following is a directive control?

A. Frequently review IS audit policies, procedures, and instruction manuals

C. Outsource the sampling process.

NO.263 Due to budget restraints, an organization is postponing the replacement of an in-house

still providing the proper segregation of duties?

A. Conduct a penetration test

NO.272 An IS auditor is conducting a pre-implementation review to determine a new system's

B. facilitating the exchange of public key infrastructure (PKI) certificates

NO.277 Following the discovery of inaccuracies in a data warehouse, an organization has

accounts payable department?