Revision 1

Test title:
Revision 1

Description:
Revision 1

Creation date: 2023/11/01

Category: Other

Number of questions: 162

Syllabus:

An organization recently implemented a cloud document storage solution and removed the ability for end users to save data to their local workstation hard drives. Which of the following findings should be the IS auditor's GREATEST concern?. A. Mobile devices are not encrypted. B. Users are not required to sign updated acceptable use agreements. C. The business continuity plan (BCP) was not updated. D. Users have not been trained on the new system.

During the discussion of a draft audit report, IT management provided suitable evidence that a process has been implemented for a control that had been concluded by the IS auditor as ineffective. Which of the following is the auditor's BEST action?. A. Explain to IT management that the new control will be evaluated during follow-up. B. Add comments about the action taken by IT management in the report. C. Change the conclusion based on evidence provided by IT management. D. Re-perform the audit before changing the conclusion.

Which of the following is MOST important for an IS auditor to verify when evaluating an organization's firewall?. A. Logs are being collected in a separate protected host. B. Access to configuration files is restricted. C. Automated alerts are being sent when a risk is detected. D. Insider attacks are being controlled.

An IS auditor is informed that several spreadsheets are being used to generate key financial information. What should the auditor verify NEXT?. A. Whether adequate documentation and training is available for spreadsheet users. B. Whether the spreadsheets meet the minimum IT general controls requirements. C. Whether there is a complete inventory of end-user computing (EUC) spreadsheets. D. Whether the spreadsheets are being formally reviewed by the chief financial officer (CFO).

An advantage of object-oriented system development is that it: A. is easier to code than procedural languages. B. partitions systems into a client/server architecture. C. decreases the need for system documentation. D. is suited to data with complex relationships.

As part of business continuity planning, which of the following is MOST important to assess when conducting a business impact analysis (BIA)?. A. Risk appetite. B. Completeness of critical asset inventory. C. Critical applications in the cloud. D. Recovery scenarios.

Which of the following is MOST important for an IS auditor to review when assessing the integrity of encryption controls for data at rest?. A. Protection of encryption keys. B. Encryption of test data. C. Frequency of encryption key changes. D. Length of encryption keys.

An IS auditor finds that a system receives identical information from two different upstream sources, even though redundancy is not required. Which of the following would BEST enable the organization to avoid this type of inefficiency?. A. Enterprise architecture (EA). B. Normalized relational databases. C. Centralized data warehouse. D. Cyber architecture review.

Which of the following is the BEST control to help prevent sensitive data leaving an organization via email?. A. Scanning outgoing emails. B. Blocking outbound emails sent without encryption. C. Conducting periodic phishing tests. D. Providing encryption solutions for employees.

The practice of periodic secure code reviews is which type of control?. A. Compensating. B. Detective. C. Preventive. D. Corrective.

During the planning phase of a data loss prevention (DLP) audit, management expresses a concern about mobile computing. Which of the following should the IS auditor identify as the associated risk?. A. Lack of governance and oversight for IT infrastructure and applications. B. Increased need for user awareness training. C. The use of the cloud negatively impacting IT availability. D. Increased vulnerability due to anytime, anywhere accessibility.

Which of the following is the MOST important factor when an organization is developing information security policies and procedures?. A. Consultation with security staff. B. Alignment with an information security framework. C. Inclusion of mission and objectives. D. Compliance with relevant regulations.

An organization’s business continuity plan (BCP) should be: A. updated based on changes to personnel and environments. B. tested whenever new applications are implemented. C. updated before an independent audit review. D. tested after an intrusion attempt into the organization’s hot site.

When developing metrics to measure the contribution of IT to the achievement of business goals, the MOST important consideration is that the metrics: A. measure the effectiveness of IT controls in the achievement of IT strategy. B. provide quantitative measurement of IT initiatives in relation with business targets. C. are expressed in terms of how IT risk impacts the achievement of business goals. D. are used by similar industries to measure the effect of IT on business strategy.

An employee approaches an IS auditor and expresses concern about a critical security issue in a newly installed application. Which of the following would be the MOST appropriate action for the auditor to take?. A. Discuss the concern with audit management. B. Recommend reverting to the previous application. C. Immediately conduct a review of the application. D. Discuss the concern with additional end users.

Which of the following should be the PRIMARY basis for procedures to dispose of data securely?. A. Type of media used for data storage. B. Environmental regulations. C. Classification of data. D. Data retention policy.

Which of the following is the MOST likely reason an organization would use Platform as a Service (PaaS)?. A. To operate third-party hosted applications. B. To install and manage operating systems. C. To establish a network and security architecture. D. To develop and integrate its applications.

An organization maintains an inventory of the IT applications used by its staff. Which of the following would pose the GREATEST concern with regard to the quality of the inventory data?. A. Inventory data is available on and downloadable from the corporate intranet. B. The inventory does not contain a formal risk ranking for all the IT applications. C. The application owner and contact information fields are not required to be completed. D. The organization has not established a formal recertification process for the inventory data.

An IS auditor is reviewing a data conversion project. Which of the following is the auditor's BEST recommendation prior to go-live?. A. Automate the test scripts. B. Conduct a mock conversion test. C. Review test procedures and scenarios. D. Establish a configuration baseline.

An IS auditor is evaluating controls for monitoring the regulatory compliance of a third party that provides IT services to the organization. Which of the following should be the auditor's GREATEST concern?. A. A gap analysis against regulatory requirements has not been conducted. B. The third-party disclosed a policy-related issue of noncompliance. C. The organization has not reviewed the third party's policies and procedures. D. The organization has not communicated regulatory requirements to the third party.

To enable the alignment of IT staff development plans with IT strategy, which of the following should be done FIRST?. A. Include strategic objectives in IT staff performance objectives. B. Review IT staff job descriptions for alignment. C. Identify required IT skill sets that support key business processes. D. Develop quarterly training for each IT staff member.

Which of the following has the GREATEST potential impact on the independence of an IS auditor?. A. Prior experience in IS audit. B. Prior relationship with vendors. C. Prior knowledge of technology. D. Prior job responsibilities.

When implementing Internet Protocol security (IPsec) architecture, the servers involved in application delivery: A. channel access only through the public-facing firewall. B. channel access through authentication. C. communicate via Transport Layer Security (TLS). D. block authorized users from unauthorized activities.

During an exit meeting, an IS auditor highlights that backup cycles are being missed due to operator error and that these exceptions are not being managed. Which of the following is the BEST way to help management understand the associated risk?. A. Explain the impact to resource requirements. B. Explain the impact to disaster recovery. C. Explain the impact to backup scheduling. D. Explain the impact to incident management.

Which of the following is the BEST control to mitigate attacks that redirect Internet traffic to an unauthorized website?. A. Utilize a network-based firewall. B. Conduct regular user security awareness training. C. Enforce a strong password policy meeting complexity requirements. D. Perform domain name system (DNS) server security hardening.

Spreadsheets are used to calculate project cost estimates. Totals for each cost category are then keyed into the job-costing system. What is the BEST control to ensure that data is accurately entered into the system?. A. Display back of project detail after entry. B. Reconciliation of total amounts by project. C. Reasonableness checks for each cost type. D. Validity checks, preventing entry of character.

Which of the following should be of GREATEST concern to an IS auditor conducting an audit of an organization that recently experienced a ransomware attack?. A. Antivirus software was unable to prevent the attack even though it was properly updated. B. Backups were only performed within the local network. C. The most recent security patches were not tested prior to implementation. D. Employees were not trained on cybersecurity policies and procedures.

Which of the following is the MOST important issue for an IS auditor to consider with regard to Voice-over IP (VoIP) communications?. A. Nonrepudiation. B. Identity management. C. Continuity of service. D. Homogeneity of the network.

An IS auditor has been asked to audit the proposed acquisition of new computer hardware. The auditor's PRIMARY concern is that: A. a clear business case has been established. B. the new hardware meets established security standards. C. a full, visible audit trail will be included. D. the implementation plan meets user requirements.

Which of the following is MOST important to ensure that electronic evidence collected during a forensic investigation will be admissible in future legal proceedings?. A. Restricting evidence access to professionally certified forensic investigators. B. Engaging an independent third party to perform the forensic investigation. C. Performing investigative procedures on the original hard drives rather than images of the hard drives. D. Documenting evidence handling by personnel throughout the forensic investigation.

Which of the following would an IS auditor consider the GREATEST risk associated with a mobile workforce environment?. A. Loss or damage to the organization's assets. B. Lack of compliance with organizational policies. C. Decrease in employee productivity and accountability. D. Inability to access data remotely.

Which of the following should be of GREATEST concern to an IS auditor assessing the effectiveness of an organization's release management processes?. A. Some releases are carried out with no supporting release documentation. B. Some releases exceeded the agreed-upon outage window. C. Release documentation does not follow a consistent format for all systems. D. Release management policies have not been updated in the past two years.

An IS auditor finds that firewalls are outdated and not supported by vendors. Which of the following should be the auditor's NEXT course of action?. A. Report the security posture of the organization. B. Determine the risk of not replacing the firewall. C. Report the mitigating controls. D. Determine the value of the firewall.

Which of the following is the BEST source of information for an IS auditor to use when determining whether an organization's information security policy is adequate?. A. Risk assessment results. B. Penetration test results. C. Industry benchmarks. D. Information security program plans.

An IS auditor observes that exceptions have been approved for an organization's information security policy. Which of the following is MOST important for the auditor to confirm?. A. Exceptions do not change residual risk. B. Exceptions are approved for predefined periods. C. Exceptions require changes to the policy. D. Exceptions are approved by the board of directors.

Which of the following methods would BEST ensure that IT strategy is in line with business strategy?. A. Break-even point analysis. B. Business impact analysis (BIA). C. Critical path analysis. D. IT value analysis.

Which of the following should be the FIRST step to successfully implement a corporate data classification program?. A. Check for the required regulatory requirements. B. Select a data loss prevention (DLP) protocol. C. Confirm that adequate resources are available for the project. D. Approve a data classification policy.

During which phase of a system development project should key performance indicators (KPIs) be established?. A. Planning phase. B. Initiation phase. C. Execution phase. D. Closure phase.

Which of the following is the MOST important benefit of involving IS audit when implementing governance of enterprise IT?. A. Identifying relevant roles for an enterprise IT governance framework. B. Providing independent and objective feedback to facilitate improvement of IT processes. C. Making decisions regarding risk response and monitoring of residual risk. D. Verifying that legal, regulatory, and contractual requirements are being met.

An organization is permanently transitioning from onsite to fully remote business operations. When should the existing business impact analysis (BIA) be reviewed?. A. At least one year after the transition. B. As soon as the new operating model is in place. C. During the next scheduled review. D. As soon as the decision about the transition is announced.

Management receives information indicating a high level of risk associated with potential flooding near the organization's data center within the next few years. As a result, a decision has been made to move data center operations to another facility on higher ground. Which approach has been adopted?. A. Risk reduction. B. Risk acceptance. C. Risk transfer. D. Risk avoidance.

Which of the following BEST enables an organization to control which software can be installed on a user’s computer?. A. Access list. B. Capabilities list. C. Baseline list. D. Blocked list.

During audit fieldwork, an IS auditor learns that employees are allowed to connect their personal devices to company-owned computers. How can the auditor BEST validate that appropriate security controls are in place to prevent data loss?. A. Verify the data loss prevention (DLP) tool is properly configured by the organization. B. Review compliance with data loss and applicable mobile device user acceptance policies. C. Verify employees have received appropriate mobile device security awareness training. D. Conduct a walk-through to view results of an employee plugging in a device to transfer confidential data.

Which of the following should be of GREATEST concern to an IS auditor assessing the effectiveness of an organization’s vulnerability scanning program?. A. Scans are performed less frequently than required by the organization’s vulnerability scanning schedule. B. Steps taken to address identified vulnerabilities are not formally documented. C. Results are not approved by senior management. D. Results are not reported to individuals with authority to ensure resolution.

Which of the following activities provides an IS auditor with the MOST insight regarding potential single person dependencies that might exist within the organization?. A. Reviewing vacation patterns. B. Interviewing senior IT management. C. Mapping IT processes to roles. D. Reviewing user activity logs.

In a 24/7 processing environment, a database contains several privileged application accounts with passwords set to "never expire." Which of the following recommendations would BEST address the risk with minimal disruption to the business?. A. Schedule downtime to implement password changes. B. Introduce database access monitoring into the environment. C. Modify the access management policy to make allowances for application accounts. D. Modify applications to no longer require direct access to the database.

A client/server configuration will: A. optimize system performance by having a server on a front-end and clients on a host. B. enhance system performance through the separation of front-end and back-end processes. C. keep track of all the clients using the IS facilities of a service organization. D. limit the clients and servers' relationship by limiting the IS facilities to a single hardware system.

Which of the following risk scenarios is BEST addressed by implementing policies and procedures related to full disk encryption?. A. Data leakage as a result of employees leaving to work for competitors. B. Physical theft of media on which information is stored. C. Unauthorized logical access to information through an application interface. D. Noncompliance fines related to storage of regulated information.

The MOST critical security weakness of a packet level firewall is that it can be circumvented by: A. deciphering the signature information of the packets. B. using a dictionary attack of encrypted passwords. C. intercepting packets and viewing passwords sent in clear text. D. changing the source address on incoming packets.

Which of the following would be of GREATEST concern to an IS auditor reviewing backup and recovery controls?. A. Backup procedures are not documented. B. Weekly and monthly backups are stored onsite. C. Backups are stored in an external hard drive. D. Restores from backups are not periodically tested.

Which of the following should be the FIRST step when planning an IS audit of a third-party service provider that monitors network activities?. A. Determine if the organization has a secure connection to the provider. B. Review the roles and responsibilities of the third-party provider. C. Evaluate the organization's third-party monitoring process. D. Review the third party's monitoring logs and incident handling.

During an internal audit of automated controls, an IS auditor identifies that the integrity of data transfer between systems has not been tested since successful implementation two years ago. Which of the following should the auditor do NEXT?. A. Review previous system interface testing records. B. Document the finding in the audit report. C. Review relevant system changes. D. Review IT testing policies and procedures.

An IS auditor notes that the previous year's disaster recovery test was not completed within the scheduled time frame due to insufficient hardware allocated by a third-party vendor. Which of the following provides the BEST evidence that adequate resources are now allocated to successfully recover the systems?. A. Hardware change management policy. B. An up-to-date RACI chart. C. Vendor memo indicating problem correction. D. Service level agreement (SLA).

An organization has developed mature risk management practices that are followed across all departments. What is the MOST effective way for the audit team to leverage this risk management maturity?. A. Implementing risk responses on management's behalf. B. Providing assurances to management regarding risk. C. Facilitating audit risk identification and evaluation workshops. D. Integrating the risk register for audit planning purposes.

When evaluating information security governance within an organization, which of the following findings should be of MOST concern to an IS auditor?. A. An information security governance audit was not conducted within the past year. B. Information security policies are updated annually. C. The data center manager has final sign-off on security projects. D. The information security department has difficulty filling vacancies.

During an operational audit of a biometric system used to control physical access, which of the following should be of GREATEST concern to an IS auditor?. A. False positives. B. User acceptance of biometrics. C. False negatives. D. Lack of biometric training.

Which of the following is the BEST preventative control to ensure that database integrity is maintained?. A. Mandatory annual user access reviews. B. Biometric authentication. C. Role-based access. D. Mandatory password changes.

An IS auditor is conducting a post-implementation review of an enterprise resource planning (ERP) system. End users indicated concerns with the accuracy of critical automatic calculations made by the system. The auditor's FIRST course of action should be to: A. verify completeness of user acceptance testing (UAT). B. verify results to determine validity of user concerns. C. review initial business requirements. D. review recent changes to the system.

Which of the following should an IS auditor review to understand project progress in terms of time, budget and deliverables for early detection of possible overruns and for projecting estimates at completion (EACs)?. A. Function point analysis. B. Earned value analysis. C. Cost budget. D. Program Evaluation and Review Technique.

Which of the following uses a prototype that can be updated continually to meet changing user or business requirements?. A. PERT. B. Rapid application development (RAD). C. Function point analysis (FPA). D. GANTT.

What is a reliable technique for estimating the scope and cost of a software-development project?. A. Function point analysis (FPA). B. Feature point analysis (FPA). C. GANTT. D. PERT.

Which of the following is a program evaluation review technique that considers different scenarios for planning and control projects?. A. Function Point Analysis (FPA). B. GANTT. C. Rapid Application Development (RAD). D. PERT.

Which of the following risks could result from inadequate software baselining?. A. Scope creep. B. Sign-off delays. C. Software integrity violations. D. Inadequate controls.

In a relational database with referential integrity, the use of which of the following keys would prevent deletion of a row from a customer table as long as the customer number of that row is stored with live orders on the orders table?. A. Foreign key. B. Primary key. C. Secondary key. D. Public key.

When performing a database review, an IS auditor notices that some tables in the database are not normalized. The IS auditor should next: A. recommend that the database be normalized. B. review the conceptual data model. C. review the stored procedures. D. review the justification.

An IS auditor finds that client requests were processed multiple times when received from different independent departmental databases, which are synchronized weekly. What would be the BEST recommendation?. A. Increase the frequency for data replication between the different department systems to ensure timely updates. B. Centralize all request processing in one department to avoid parallel processing of the same request. C. Change the application architecture so that common data is held in just one shared database for all departments. D. Implement reconciliation controls to detect duplicates before orders are processed in the systems.

Which of the following database controls would ensure that the integrity of transactions is maintained in an online transaction processing system's database?. A. Authentication controls. B. Data normalization controls. C. Read/write access log controls. D. Commitment and rollback controls.

An IS auditor finds that, at certain times of the day, the data warehouse query performance decreases significantly. Which of the following controls would it be relevant for the IS auditor to review?. A. Permanent table-space allocation. B. Commitment and rollback controls. C. User spool and database limit controls. D. Read/write access log controls.

The database administrator (DBA) suggests that DB efficiency can be improved by denormalizing some tables. This would result in: A. loss of confidentiality. B. increased redundancy. C. unauthorized accesses. D. application malfunctions.

Which of the following is an advantage of an integrated test facility (ITF)?. A. It uses actual master files or dummies and the IS auditor does not have to review the source of the transaction. B. Periodic testing does not require separate test processes. C. It validates application systems and tests the ongoing operation of the system. D. The need to prepare test data is eliminated.

Which of the following would contribute MOST to an effective business continuity plan (BCP)?. A. Document is circulated to all interested parties. B. Planning involves all user departments. C. Approval by senior management. D. Audit by an external IS auditor.

To develop a successful business continuity plan, end user involvement is critical during which of the following phases?. A. Business recovery strategy. B. Detailed plan development. C. Business impact analysis (BIA). D. Testing and maintenance.

The PRIMARY objective of business continuity and disaster recovery plans should be to: A. safeguard critical IS assets. B. provide for continuity of operations. C. minimize the loss to an organization. D. protect human life.

Under the concept of "defense in depth", subsystems should be designed to: A. fail insecure. B. fail secure. C. react to attack. D. react to failure.

Which of the following testing procedures is used by the auditor during an accounting audit to check for errors in the balance sheet and other financial documentation?. A. Compliance testing. B. Sanity testing. C. Recovery testing. D. Substantive testing.

Which of the following is a sophisticated computer-based switch that can be thought of as essentially a small in-house phone company for the organization?. A. Private Branch Exchange. B. Virtual Local Area Network. C. Voice over IP. D. Dial-up connection.

A Private Branch Exchange (PBX) environment involves many security risks, one of which is the people both internal and external to an organization. Which of the following risks are NOT associated with a Private Branch Exchange? 1. Theft of service 2. Disclosure of information 3. Data modification 4. Denial of service 5. Traffic analysis. A. 3 and 4. B. 4 and 5. C. 1-4. D. They are ALL risks associated with PBX.

Which of the following would be MOST useful when analyzing computer performance?. A. Tuning of system software to optimize resource usage. B. Operations report of user dissatisfaction with response time. C. Statistical metrics measuring capacity utilization. D. Report of off-peak utilization and response time.

Which of the following is the GREATEST risk if two users have concurrent access to the same database record?. A. Entity integrity. B. Availability integrity. C. Referential integrity. D. Data integrity.

Which of the following issues associated with a data center's closed circuit television (CCTV) surveillance cameras should be of MOST concern to an IS auditor?. A. CCTV recordings are not regularly reviewed. B. CCTV records are deleted after one year. C. CCTV footage is not recorded 24 x 7. D. CCTV cameras are not installed in break rooms.

The use of control totals satisfies which of the following control objectives?. A. Transaction integrity. B. Processing integrity. C. Distribution control. D. System recoverability.

IT governance should be driven by: A. Business unit initiatives. B. Balanced scorecards. C. Policies and standards. D. Organizational strategies.

Which of the following is the MOST effective control over visitor access to highly secured areas?. A. Visitors are required to be escorted by authorized personnel. B. Visitors are required to use biometric authentication. C. Visitors are monitored online by security cameras. D. Visitors are required to enter through dead-man doors.

Which of the following is the MOST important responsibility of user departments associated with program changes?. A. Providing unit test data. B. Analyzing change requests. C. Updating documentation to reflect latest changes. D. Approving changes before implementation.

To confirm integrity for a hashed message, the receiver should use: A. the same hashing algorithm as the sender's to create a binary image of the file. B. a different hashing algorithm from the sender's to create a numerical representation of the file. C. a different hashing algorithm from the sender's to create a binary image of the file. D. the same hashing algorithm as the sender's to create a numerical representation of the file.

Which of the following should be the FIRST step in managing the impact of a recently discovered zero-day attack?. A. Estimating potential damage. B. Identifying vulnerable assets. C. Evaluating the likelihood of attack. D. Assessing the impact of vulnerabilities.

Which of the following is the BEST way to ensure that an application is performing according to its specifications?. A. Pilot testing. B. System testing. C. Integration testing. D. Unit testing.

Which of the following would be MOST effective to protect information assets in a data center from theft by a vendor?. A. Conceal data devices and information labels. B. Issue an access card to the vendor. C. Monitor and restrict vendor activities. D. Restrict use of portable and wireless devices.

An employee loses a mobile device resulting in loss of sensitive corporate data. Which of the following would have BEST prevented data leakage?. A. Data encryption on the mobile device. B. The triggering of remote data wipe capabilities. C. Awareness training for mobile device users. D. Complex password policy for mobile devices.

An IS auditor concludes that logging and monitoring mechanisms within an organization are ineffective because central servers are not included within the central log repository. Which of the following audit procedures would have MOST likely identified this exception?. A. Comparing all servers included in the current central log repository with the listing used for the prior-year audit. B. Inspecting a sample of alerts generated from the central log repository. C. Comparing a list of all servers from the directory server against a list of all servers present in the central log repository. D. Inspecting a sample of alert settings configured in the central log repository.

During the evaluation of controls over a major application development project, the MOST effective use of an IS auditor's time would be to review and evaluate: A. cost-benefit analysis. B. acceptance testing. C. application test cases. D. project plans.

Upon completion of audit work, an IS auditor should: A. provide a report to the auditee stating the initial findings. B. provide a report to senior management prior to discussion with the auditee. C. distribute a summary of general findings to the members of the auditing team. D. review the working papers with the auditee.

During an IT general controls audit of a high-risk area where both internal and external audit teams are reviewing the same areas simultaneously, which of the following is the BEST approach to optimize resources? A. Leverage the work performed by external audit for the internal audit testing. B. Ensure both the internal and external auditors perform the work simultaneously. C. Roll forward the general controls audit to the subsequent audit year. D. Request that the external audit team leverage the internal audit work.

The GREATEST benefit of using a prototyping approach in software development is that it helps to: A. improve efficiency of quality assurance (QA) testing. B. conceptualize and clarify requirements. C. decrease the time allocated for user testing and review. D. minimize scope changes to the system.

After an employee termination, a network account was removed, but the application account remained active. To keep this issue from recurring, which of the following is the BEST recommendation? A. Integrate application accounts with network single sign-on. B. Perform periodic access reviews. C. Retrain system administration staff. D. Leverage shared accounts for the application.

During an IT governance audit, an IS auditor notes that IT policies and procedures are not regularly reviewed and updated. The GREATEST concern to the IS auditor is that policies and procedures might not: A. reflect current practices. B. be subject to adequate quality assurance (QA). C. include new systems and corresponding process changes. D. incorporate changes to relevant laws.

An emergency power-off switch should: A. not be in the computer room. B. not be identified. C. be protected. D. be illuminated.

Which of the following is the PRIMARY role of the IS auditor in an organization's information classification process? A. Securing information assets in accordance with the classification assigned. B. Validating that assets are protected according to assigned classification. C. Ensuring classification levels align with regulatory guidelines. D. Defining classification levels for information assets within the organization.

Which of the following is the MOST important reason for IS auditors to perform post-implementation reviews for critical IT projects? A. To determine whether vendors should be paid for project deliverables. B. To provide the audit committee with an assessment of project team performance. C. To provide guidance on the financial return on investment (ROI) of projects. D. To determine whether the organization's objectives were met as expected.

Which of the following BEST indicates that an incident management process is effective? A. Decreased number of calls to the help desk. B. Increased number of incidents reviewed by IT management. C. Decreased time for incident resolution. D. Increased number of reported critical incidents.

Which of the following would MOST effectively ensure the integrity of data transmitted over a network? A. Message encryption. B. Steganography. C. Certificate authority (CA). D. Message digest.

Which of the following would be MOST useful to an IS auditor assessing the effectiveness of IT resource planning? A. Budget execution status. B. A capacity analysis of IT operations. C. A succession plan for key IT personnel. D. A list of new applications to be implemented.

An IS auditor is evaluating controls for monitoring the regulatory compliance of a third party that provides IT services to the organization. Which of the following should be the auditor's GREATEST concern? A. A gap analysis against regulatory requirements has not been conducted. B. The third party disclosed a policy-related issue of noncompliance. C. The organization has not reviewed the third party's policies and procedures. D. The organization has not communicated regulatory requirements to the third party.

When an intrusion into an organization's network is detected, which of the following should be done FIRST? A. Contact law enforcement. B. Identify nodes that have been compromised. C. Block all compromised network nodes. D. Notify senior management.

An IS auditor is reviewing processes for importing market price data from external data providers. Which of the following findings should the auditor consider MOST critical? A. The quality of the data is not monitored. B. The transfer protocol does not require authentication. C. Imported data is not disposed of frequently. D. The transfer protocol is not encrypted.

In a controlled application development environment, the MOST important segregation of duties should be between the person who implements changes into the production environment and the: A. application programmer. B. quality assurance (QA) personnel. C. computer operator. D. systems programmer.

A small startup organization does not have the resources to implement segregation of duties. Which of the following is the MOST effective compensating control? A. Rotation of log monitoring and analysis responsibilities. B. Additional management reviews and reconciliations. C. Mandatory vacations. D. Third-party assessments.

When planning an audit to assess application controls of a cloud-based system, it is MOST important for the IS auditor to understand the: A. availability reports associated with the cloud-based system. B. architecture and cloud environment of the system. C. policies and procedures of the business area being audited. D. business process supported by the system.

Which of the following data would be used when performing a business impact analysis (BIA)? A. Projected impact of current business on future business. B. Expected costs for recovering the business. C. Cost of regulatory compliance. D. Cost-benefit analysis of running the current business.

Which of the following is the BEST indicator of the effectiveness of an organization's incident response program? A. Number of successful penetration tests. B. Percentage of protected business applications. C. Number of security vulnerability patches. D. Financial impact per security event.

Which of the following security measures will reduce the risk of propagation when a cyberattack occurs? A. Data loss prevention (DLP) system. B. Perimeter firewall. C. Network segmentation. D. Web application firewall.

When implementing Internet Protocol security (IPsec) architecture, the servers involved in application delivery: A. channel access only through the public-facing firewall. B. channel access through authentication. C. communicate via Transport Layer Security (TLS). D. block authorized users from unauthorized activities.

During audit fieldwork, an IS auditor learns that employees are allowed to connect their personal devices to company-owned computers. How can the auditor BEST validate that appropriate security controls are in place to prevent data loss? A. Verify the data loss prevention (DLP) tool is properly configured by the organization. B. Review compliance with data loss and applicable mobile device user acceptance policies. C. Verify employees have received appropriate mobile device security awareness training. D. Conduct a walk-through to view results of an employee plugging in a device to transfer confidential data.

Management has requested a post-implementation review of a newly implemented purchasing package to determine to what extent business requirements are being met. Which of the following is MOST likely to be assessed? A. Implementation methodology. B. Test results. C. Purchasing guidelines and policies. D. Results of live processing.

Which of the following is an advantage of using agile software development methodology over the waterfall methodology? A. Quicker end user acceptance. B. Clearly defined business expectations. C. Quicker deliverables. D. Less funding required overall.

In an online application, which of the following would provide the MOST information about the transaction audit trail? A. File layouts. B. Data architecture. C. System/process flowchart. D. Source code documentation.

On a public-key cryptosystem when there is no previous knowledge between parties, which of the following will BEST help to prevent one person from using a fictitious key to impersonate someone else? A. Send a certificate that can be verified by a certification authority with the public key. B. Encrypt the message containing the sender's public key, using the recipient's public key. C. Send the public key to the recipient prior to establishing the connection. D. Encrypt the message containing the sender's public key, using a private-key cryptosystem.

The IS quality assurance (QA) group is responsible for: A. monitoring the execution of computer processing tasks. B. designing procedures to protect data against accidental disclosure. C. ensuring that program changes adhere to established standards. D. ensuring that the output received from system processing is complete.

Which of the following approaches will ensure recovery time objectives (RTOs) are met for an organization's disaster recovery plan (DRP)? A. Performing a full interruption test. B. Performing a parallel test. C. Performing a tabletop test. D. Performing a cyber-resilience test.

Which audit approach is MOST helpful in optimizing the use of IS audit resources? A. Agile auditing. B. Continuous auditing. C. Risk-based auditing. D. Outsourced auditing.

Which of the following would provide the MOST important input during the planning phase for an audit on the implementation of a bring your own device (BYOD) program? A. Results of a risk assessment. B. Policies including BYOD acceptable use statements. C. Findings from prior audits. D. An inventory of personal devices to be connected to the corporate network.

An IS auditor learns the organization has experienced several server failures in its distributed environment. Which of the following is the BEST recommendation to limit the potential impact of server failures in the future? A. Failover power. B. Clustering. C. Parallel testing. D. Redundant pathways.

During an ongoing audit, management requests a briefing on the findings to date. Which of the following is the IS auditor's BEST course of action? A. Request management wait until a final report is ready for discussion. B. Request the auditee provide management responses. C. Review working papers with the auditee. D. Present observations for discussion only.

Which of the following BEST demonstrates that IT strategy is aligned with organizational goals and objectives? A. IT strategies are communicated to all business stakeholders. B. Organizational strategies are communicated to the chief information officer (CIO). C. The chief information officer (CIO) is involved in approving the organizational strategies. D. Business stakeholders are involved in approving the IT strategy.

An accounting department uses a spreadsheet to calculate sensitive financial transactions. Which of the following is the MOST important control for maintaining the security of data in the spreadsheet? A. A separate copy of the spreadsheet is routinely backed up. B. Access to the spreadsheet is given only to those who require access. C. There is a reconciliation process between the spreadsheet and the finance system. D. The spreadsheet is locked down to avoid inadvertent changes.

Which of the following is the MOST important responsibility of user departments associated with program changes? A. Analyzing change requests. B. Providing unit test data. C. Updating documentation to reflect latest changes. D. Approving changes before implementation.

Which of the following would be of GREATEST concern when reviewing an organization's security information and event management (SIEM) solution? A. SIEM reporting is ad hoc. B. SIEM reporting is customized. C. SIEM configuration is reviewed annually. D. The SIEM is decentralized.

A manager identifies active privileged accounts belonging to staff who have left the organization. Which of the following is the threat actor in this scenario? A. Hacktivists. B. Deleted log data. C. Terminated staff. D. Unauthorized access.

An IS auditor is evaluating the access controls for a shared customer relationship management (CRM) system. Which of the following would be the GREATEST concern? A. Audit logging is not enabled. B. Single sign-on is not enabled. C. Complex passwords are not required. D. Security baseline is not consistently applied.

Which of the following findings from an IT governance review should be of GREATEST concern? A. IT value analysis has not been completed. B. All IT services are provided by third parties. C. IT supports two different operating systems. D. The IT budget is not monitored.

What would be an IS auditor's BEST course of action when an auditee is unable to close all audit recommendations by the time of the follow-up audit? A. Ensure the open issues are retained in the audit results. B. Recommend compensating controls for open issues. C. Evaluate the residual risk due to open issues. D. Terminate the follow-up because open issues are not resolved.

Which of the following is the BEST performance indicator for the effectiveness of an incident management program? A. Incident alert meantime. B. Number of incidents reported. C. Average time between incidents. D. Incident resolution meantime.

Backups will MOST effectively minimize a disruptive incident's impact on a business if they are: A. taken according to recovery point objectives (RPOs). B. scheduled according to the service delivery objectives. C. performed by automated backup software on a fixed schedule. D. stored on write-once read-many media.

An IS audit reveals that an organization is not proactively addressing known vulnerabilities. Which of the following should the IS auditor recommend the organization do FIRST? A. Ensure the intrusion prevention system (IPS) is effective. B. Verify the disaster recovery plan (DRP) has been tested. C. Assess the security risks to the business. D. Confirm the incident response team understands the issue.

An IS auditor has completed the fieldwork phase of a network security review and is preparing the initial draft of the audit report. Which of the following findings should be ranked as the HIGHEST risk? A. Network penetration tests are not performed. B. The network firewall policy has not been approved by the information security officer. C. Network firewall rules have not been documented. D. The network device inventory is incomplete.

Which of the following is the PRIMARY advantage of parallel processing for a new system implementation? A. Assurance that the new system meets functional requirements. B. Significant cost savings over other system implementation approaches. C. More time for users to complete training for the new system. D. Assurance that the new system meets performance requirements.

During an internal audit of automated controls, an IS auditor identifies that the integrity of data transfer between systems has not been tested since successful implementation two years ago. Which of the following should the auditor do NEXT? A. Review previous system interface testing records. B. Document the finding in the audit report. C. Review relevant system changes. D. Review IT testing policies and procedures.

The MAIN benefit of using an integrated test facility (ITF) as an online auditing technique is that it enables: A. the integration of financial and audit tests. B. auditors to test without impacting production data. C. a cost-effective approach to application controls audit. D. auditors to investigate fraudulent transactions.

Which of the following should be the MOST important consideration when conducting a review of IT portfolio management? A. Adherence to best practice and industry approved methodologies. B. Frequency of meetings where the business discusses the IT portfolio. C. Assignment of responsibility for each project to an IT team member. D. Controls to minimize risk and maximize value for the IT portfolio.

Which of the following would BEST facilitate the successful implementation of an IT-related framework? A. Establishing committees to support and oversee framework activities. B. Documenting IT-related policies and procedures. C. Aligning the framework to industry best practices. D. Involving appropriate business representation within the framework.

What is the MAIN reason to use incremental backups? A. To increase backup resiliency and redundancy. B. To reduce costs associated with backups. C. To improve key availability metrics. D. To minimize the backup time and resources.

When auditing the security architecture of an online application, an IS auditor should FIRST review the: A. location of the firewall within the network. B. firewall standards. C. firmware version of the firewall. D. configuration of the firewall.

An organization is planning an acquisition and has engaged an IS auditor to evaluate the IT governance framework of the target company. Which of the following would be MOST helpful in determining the effectiveness of the framework? A. Recent third-party IS audit reports. B. Current and previous internal IS audit reports. C. IT performance benchmarking reports with competitors. D. Self-assessment reports of IT capability and maturity.

Which of the following is the PRIMARY basis on which audit objectives are established? A. Audit risk. B. Consideration of risks. C. Assessment of prior audits. D. Business strategy.

An IS auditor is following up on prior period items and finds management did not address an audit finding. Which of the following should be the IS auditor's NEXT course of action? A. Note the exception in a new report as the item was not addressed by management. B. Interview management to determine why the finding was not addressed. C. Recommend alternative solutions to address the repeat finding. D. Conduct a risk assessment of the repeat finding.

The PRIMARY focus of a post-implementation review is to verify that: A. enterprise architecture (EA) has been complied with. B. user requirements have been met. C. acceptance testing has been properly executed. D. user access controls have been adequately designed.

Which of the following BEST protects an organization's proprietary code during a joint-development activity involving a third party? A. Privacy agreement. B. Statement of work (SOW). C. Nondisclosure agreement (NDA). D. Service level agreement (SLA).

During which process is regression testing MOST commonly used? A. Unit testing. B. System modification. C. Stress testing. D. Program development.

Which of the following should be of GREATEST concern to an IS auditor reviewing a network printer disposal process? A. Business units are allowed to dispose of printers directly to authorized vendors. B. Inoperable printers are stored in an unsecured area. C. Disposal policies and procedures are not consistently implemented. D. Evidence is not available to verify printer hard drives have been sanitized prior to disposal.

Which of the following metrics is the BEST indicator of the performance of a web application? A. Server thread count. B. Server uptime. C. HTTP server error rate. D. Average response time.

An IS auditor suspects an organization's computer may have been used to commit a crime. Which of the following is the auditor's BEST course of action? A. Contact the incident response team to conduct an investigation. B. Advise management of the crime after the investigation. C. Examine the computer to search for evidence supporting the suspicions. D. Notify local law enforcement of the potential crime before further investigation.

An IS auditor follows up on a recent security incident and finds the incident response was not adequate. Which of the following findings should be considered MOST critical? A. The attack could not be traced back to the originating person. B. The attack was not automatically blocked by the intrusion detection system (IDS). C. Appropriate response documentation was not maintained. D. The security weakness facilitating the attack was not identified.

Which of the following is the MOST important prerequisite for the protection of physical information assets in a data center? A. Knowledge of the IT staff regarding data protection requirements. B. Complete and accurate list of information assets that have been deployed. C. Segregation of duties between staff ordering and staff receiving information assets. D. Availability and testing of onsite backup generators.

During an audit of a reciprocal disaster recovery agreement between two companies, the IS auditor would be MOST concerned with the: A. allocation of resources during an emergency. B. maintenance of hardware and software compatibility. C. differences in IS policies and procedures. D. frequency of system testing.

Which of the following BEST indicates the effectiveness of an organization's risk management program? A. Residual risk is minimized. B. Inherent risk is eliminated. C. Control risk is minimized. D. Overall risk is quantified.

Providing security certification for a new system should include which of the following prior to the system's implementation? A. End-user authorization to use the system in production. B. Testing of the system within the production environment. C. An evaluation of the configuration management practices. D. External audit sign-off on financial controls.

Which of the following should be the FIRST step when developing a data loss prevention (DLP) solution for a large organization? A. Create the DLP policies and templates. B. Conduct a threat analysis against sensitive data usage. C. Conduct a data inventory and classification exercise. D. Identify approved data workflows across the enterprise.

Which of the following activities would allow an IS auditor to maintain independence while facilitating a control self-assessment (CSA)? A. Implementing the remediation plan. B. Developing the remediation plan. C. Developing the CSA questionnaire. D. Partially completing the CSA.

Which of the following is MOST important for an IS auditor to confirm when reviewing an organization's plans to implement robotic process automation (RPA) to automate routine business tasks? A. A benchmarking exercise of industry peers who use RPA has been completed. B. The end-to-end process is understood and documented. C. A request for proposal (RFP) has been issued to qualified vendors. D. Roles and responsibilities are defined for the business processes in scope.
