PDF Only
$35.00 Free Updates Upto 90 Days
- CISA Dumps PDF
- 1195 Questions
- Updated On November 18, 2024
PDF + Test Engine
$60.00 Free Updates Upto 90 Days
- CISA Question Answers
- 1195 Questions
- Updated On November 18, 2024
Test Engine
$50.00 Free Updates Upto 90 Days
- CISA Practice Questions
- 1195 Questions
- Updated On November 18, 2024
How to pass Isaca CISA exam with the help of dumps?
DumpsPool provides you the finest quality resources you’ve been looking for to no avail. So, it's due time you stop stressing and get ready for the exam. Our Online Test Engine provides you with the guidance you need to pass the certification exam. We guarantee top-grade results because we know we’ve covered each topic in a precise and understandable manner. Our expert team prepared the latest Isaca CISA Dumps to satisfy your need for training. Plus, they are in two different formats: Dumps PDF and Online Test Engine.
How Do I Know Isaca CISA Dumps are Worth it?
Did we mention our latest CISA Dumps PDF is also available as Online Test Engine? And that’s just the point where things start to take root. Of all the amazing features you are offered here at DumpsPool, the money-back guarantee has to be the best one. Now that you know you don’t have to worry about the payments. Let us explore all other reasons you would want to buy from us. Other than affordable Real Exam Dumps, you are offered three-month free updates.
You can easily scroll through our large catalog of certification exams. And, pick any exam to start your training. That’s right, DumpsPool isn’t limited to just Isaca Exams. We trust our customers need the support of an authentic and reliable resource. So, we made sure there is never any outdated content in our study resources. Our expert team makes sure everything is up to the mark by keeping an eye on every single update. Our main concern and focus are that you understand the real exam format. So, you can pass the exam in an easier way!
IT Students Are Using our Certified Information Systems Auditor Dumps Worldwide!
It is a well-established fact that certification exams can’t be conquered without some help from experts. The point of using Certified Information Systems Auditor Practice Question Answers is exactly that. You are constantly surrounded by IT experts who’ve been through you are about to and know better. The 24/7 customer service of DumpsPool ensures you are in touch with these experts whenever needed. Our 100% success rate and validity around the world, make us the most trusted resource candidates use. The updated Dumps PDF helps you pass the exam on the first attempt. And, with the money-back guarantee, you feel safe buying from us. You can claim your return on not passing the exam.
How to Get CISA Real Exam Dumps?
Getting access to the real exam dumps is as easy as pressing a button, literally! There are various resources available online, but the majority of them sell scams or copied content. So, if you are going to attempt the CISA exam, you need to be sure you are buying the right kind of Dumps. All the Dumps PDF available on DumpsPool are as unique and the latest as they can be. Plus, our Practice Question Answers are tested and approved by professionals. Making it the top authentic resource available on the internet. Our expert has made sure the Online Test Engine is free from outdated & fake content, repeated questions, and false plus indefinite information, etc. We make every penny count, and you leave our platform fully satisfied!
ISACA CISA Exam Overview:
Aspect | Details |
---|---|
Exam Name | CISA (Certified Information Systems Auditor) |
Exam Cost | $575 (for ISACA members) |
Total Time | 4 hours |
Available Languages | English |
Passing Marks | Scaled score of 450 or higher out of 800 |
Prerequisites | A minimum of five years of professional information systems auditing, control, or security work experience |
ISACA Certified Information Systems Auditor (CISA) Exam Topics Breakdown
Domain | Percentage | Description |
---|---|---|
Domain 1 - Information System Auditing Process | 21% | Covers IS audit standards, guidelines, and best practices, and the audit process |
Domain 2 - Governance and Management of IT | 17% | Focuses on IT governance and management principles and practices, including IT strategy, policies, and organizational structure |
Domain 3 - Information Systems Acquisition, Development, and Implementation | 12% | Examines the process of acquiring, developing, testing, and implementing information systems and infrastructure |
Domain 4 - Information Systems Operations and Business Resilience | 23% | Covers IT operations, support, and service management, as well as business continuity and disaster recovery |
Domain 5 - Protection of Information Assets | 27% | Focuses on information asset security and control, including data privacy, confidentiality, integrity, and availability |
Frequently Asked Questions
Question # 1
Which of the following is the MAIN purpose of an information security management system?
A. To identify and eliminate the root causes of information security incidents
B. To enhance the impact of reports used to monitor information security incidents
C. To keep information security policies and procedures up-to-date
D. To reduce the frequency and impact of information security incidents
Question # 2
Which of the following occurs during the issues management process for a system development project?
A. Contingency planning
B. Configuration management
C. Help desk management
D. Impact assessment
Question # 3
In an environment that automatically reports all program changes, which of the following is the MOST efficient way to detect unauthorized changes to production programs?
A. Reviewing the last compile date of production programs
B. Manually comparing code in production programs to controlled copies
C. Periodically running and reviewing test data against production programs
D. Verifying user management approval of modifications
Question # 4
To develop meaningful recommendations 'or findings, which of the following is MOST important 'or an IS auditor to determine and understand?
A. Root cause
B. Responsible party
C. impact
D. Criteria
Question # 5
Which of the following is the MOST important reason to classify a disaster recovery plan (DRP) as confidential?
A. Ensure compliance with the data classification policy.
B. Protect the plan from unauthorized alteration.
C. Comply with business continuity best practice.
D. Reduce the risk of data leakage that could lead to an attack.
Question # 6
Which of the following is the MOST appropriate and effective fire suppression method for an unstaffed computer room?
A. Water sprinkler
B. Fire extinguishers
C. Carbon dioxide (CO2)
D. Dry pipe
Question # 7
Which of the following weaknesses would have the GREATEST impact on the effective operation of a perimeter firewall?
A. Use of stateful firewalls with default configuration
B. Ad hoc monitoring of firewall activity
C. Misconfiguration of the firewall rules
D. Potential back doors to the firewall software
Question # 8
An organization has outsourced the development of a core application. However, the organization plans to bring the support and future maintenance of the application back inhouse. Which of the following findings should be the IS auditor's GREATEST concern?
A. The cost of outsourcing is lower than in-house development.
B. The vendor development team is located overseas.
C. A training plan for business users has not been developed.
D. The data model is not clearly documented.
Question # 9
Which of the following is MOST important for an IS auditor to verify when evaluating an organization's firewall?
A. Logs are being collected in a separate protected host
B. Automated alerts are being sent when a risk is detected
C. Insider attacks are being controlled
D. Access to configuration files Is restricted.
Question # 10
Which of the following is the BEST source of information tor an IS auditor to use when determining whether an organization's information security policy is adequate?
A. Information security program plans
B. Penetration test results
C. Risk assessment results
D. Industry benchmarks
Question # 11
An IS auditor should ensure that an application's audit trail:
A. has adequate security.
B. logs ail database records.
C. Is accessible online
D. does not impact operational efficiency
Question # 12
An organization was recently notified by its regulatory body of significant discrepancies in its reporting data. A preliminary investigation revealed that the discrepancies were caused by problems with the organization's data quality Management has directed the data quality team to enhance their program. The audit committee has asked internal audit to be advisors to the process. To ensure that management concerns are addressed, which data set should internal audit recommend be reviewed FIRST?
A. Data with customer personal information
B. Data reported to the regulatory body
C. Data supporting financial statements
D. Data impacting business objectives
Question # 13
Which of the following Is the BEST way to ensure payment transaction data is restricted to the appropriate users?
A. Implementing two-factor authentication
B. Restricting access to transactions using network security software
C. implementing role-based access at the application level
D. Using a single menu tor sensitive application transactions
Question # 14
An IS audit learn is evaluating the documentation related to the most recent application user-access review performed by IT and business management It is determined that the user list was not system-generated. Which of the following should be the GREATEST concern?
A. Availability of the user list reviewed
B. Confidentiality of the user list reviewed
C. Source of the user list reviewed
D. Completeness of the user list reviewed
Question # 15
An organization recently implemented a cloud document storage solution and removed the ability for end users to save data to their local workstation hard drives. Which of the following findings should be the IS auditor's GREATEST concern?
A. Users are not required to sign updated acceptable use agreements.
B. Users have not been trained on the new system.
C. The business continuity plan (BCP) was not updated.
D. Mobile devices are not encrypted.
Question # 16
Which of the following is MOST important for an IS auditor to consider when performing the risk assessment poor to an audit engagement?
A. The design of controls
B. Industry standards and best practices
C. The results of the previous audit
D. The amount of time since the previous audit
Question # 17
In an online application which of the following would provide the MOST information about the transaction audit trail?
A. File layouts
B. Data architecture
C. System/process flowchart
D. Source code documentation
Question # 18
An IS auditor finds that an organization's data loss prevention (DLP) system is configured to use vendor default settings to identify violations. The auditor's MAIN concern should be that:
A. violation reports may not be reviewed in a timely manner.
B. a significant number of false positive violations may be reported.
C. violations may not be categorized according to the organization's risk profile.
D. violation reports may not be retained according to the organization's risk profile.
Question # 19
An organization is considering allowing users to connect personal devices to the corporate network. Which of the following should be done FIRST?
A. Conduct security awareness training.
B. Implement an acceptable use policy
C. Create inventory records of personal devices
D. Configure users on the mobile device management (MDM) solution
Question # 20
An employee loses a mobile device resulting in loss of sensitive corporate data. Which o( the following would have BEST prevented data leakage?
A. Data encryption on the mobile device
B. Complex password policy for mobile devices
C. The triggering of remote data wipe capabilities
D. Awareness training for mobile device users
Question # 21
Providing security certification for a new system should include which of the following prior to the system's implementation?
A. End-user authorization to use the system in production
B. External audit sign-off on financial controls
C. Testing of the system within the production environment
D. An evaluation of the configuration management practices
Question # 22
The PRIMARY focus of a post-implementation review is to verify that:
A. enterprise architecture (EA) has been complied with.
B. user requirements have been met.
C. acceptance testing has been properly executed.
D. user access controls have been adequately designed.
Question # 23
An organization allows its employees lo use personal mobile devices for work. Which of the following would BEST maintain information security without compromising employee privacy?
A. Installing security software on the devices
B. Partitioning the work environment from personal space on devices
C. Preventing users from adding applications
D. Restricting the use of devices for personal purposes during working hours
Question # 24
Which of the following MUST be completed as part of the annual audit planning process?
A. Business impact analysis (BIA)
B. Fieldwork
C. Risk assessment
D. Risk control matrix
Question # 25
Which of the following application input controls would MOST likoly detect data input errors in the customer account number field during the processing of an accounts receivable transaction?
A. Limit check
B. Parity check
C. Reasonableness check
D. Validity check
Question # 26
An internal audit department recently established a quality assurance (QA) program. Which of the following activities Is MOST important to include as part of the QA program requirements?
A. Long-term Internal audit resource planning
B. Ongoing monitoring of the audit activities
C. Analysis of user satisfaction reports from business lines
D. Feedback from Internal audit staff
Question # 27
A manager Identifies active privileged accounts belonging to staff who have left the organization. Which of the following is the threat actor In this scenario?
A. Terminated staff
B. Unauthorized access
C. Deleted log data
D. Hacktivists
Question # 28
Which of the following issues associated with a data center's closed circuit television (CCTV) surveillance cameras should be of MOST concern to an IS auditor?
A. CCTV recordings are not regularly reviewed.
B. CCTV cameras are not installed in break rooms
C. CCTV records are deleted after one year.
D. CCTV footage is not recorded 24 x 7.
Question # 29
During the implementation of a new system, an IS auditor must assess whether certain automated calculations comply with the regulatory requirements Which of the following is the BEST way to obtain this assurance?
A. Review sign-off documentation
B. Review the source code related to the calculation
C. Re-perform the calculation with audit software
D. Inspect user acceptance lest (UAT) results
Question # 30
The IS quality assurance (OA) group is responsible for:
A. ensuring that program changes adhere to established standards.
B. designing procedures to protect data against accidental disclosure.
C. ensuring that the output received from system processing is complete.
D. monitoring the execution of computer processing tasks.
Question # 31
Which of the following are BEST suited for continuous auditing?
A. Low-value transactions
B. Real-lime transactions
C. Irregular transactions
D. Manual transactions
Question # 32
Which of the following is MOST important to consider when scheduling follow-up audits?
A. The efforts required for independent verification with new auditors
B. The impact if corrective actions are not taken
C. The amount of time the auditee has agreed to spend with auditors
D. Controls and detection risks related to the observations
Question # 33
In order to be useful, a key performance indicator (KPI) MUST
A. be approved by management.
B. be measurable in percentages.
C. be changed frequently to reflect organizational strategy.
D. have a target value.
Question # 34
An organization plans to receive an automated data feed into its enterprise data warehouse from a third-party service provider. Which of the following would be the BEST way to prevent accepting bad data?
A. Obtain error codes indicating failed data feeds.
B. Purchase data cleansing tools from a reputable vendor.
C. Appoint data quality champions across the organization.
D. Implement business rules to reject invalid data.
Question # 35
Which of the following BEST Indicates that an incident management process Is effective?
A. Decreased time for incident resolution
B. Increased number of incidents reviewed by IT management
C. Decreased number of calls lo the help desk
D. Increased number of reported critical incidents
Question # 36
Which of the following would be of MOST concern for an IS auditor evaluating the design of an organization's incident management processes?
A. Service management standards are not followed.
B. Expected time to resolve incidents is not specified.
C. Metrics are not reported to senior management.
D. Prioritization criteria are not defined.
Question # 37
Upon completion of audit work, an IS auditor should:
A. provide a report to senior management prior to discussion with the auditee.
B. distribute a summary of general findings to the members of the auditing team.
C. provide a report to the auditee stating the initial findings.
D. review the working papers with the auditee.
Question # 38
Which of the following is the BEST source of information for an IS auditor to use as a baseline to assess the adequacy of an organization's privacy policy?
A. Historical privacy breaches and related root causes
B. Globally accepted privacy best practices
C. Local privacy standards and regulations
D. Benchmark studies of similar organizations
Question # 39
IT disaster recovery time objectives (RTOs) should be based on the:
A. maximum tolerable loss of data.
B. nature of the outage
C. maximum tolerable downtime (MTD).
D. business-defined criticality of the systems.
Question # 40
During the implementation of an upgraded enterprise resource planning (ERP) system, which of Ihe following is the MOST important consideration for a go-live decision?
A. Business case
B. Rollback strategy
C. Test cases
D. Post-implementation review objectives
Question # 41
Which of the following business continuity activities prioritizes the recovery of critical functions?
A. Business continuity plan (BCP) testing
B. Business impact analysis (BIA)
C. Disaster recovery plan (DRP) testing
D. Risk assessment
Question # 42
An IS auditor performs a follow-up audit and learns the approach taken by the auditee to fix the findings differs from the agreed-upon approach confirmed during the last audit. Which of the following should be the auditor's NEXT course of action?
A. Evaluate the appropriateness of the remedial action taken.
B. Conduct a risk analysis incorporating the change.
C. Report results of the follow-up to the audit committee.
D. Inform senior management of the change in approach.
Question # 43
Which of the following will MOST likely compromise the control provided By a digital signature created using RSA encryption?
A. Reversing the hash function using the digest
B. Altering the plaintext message
C. Deciphering the receiver's public key
D. Obtaining the sender's private key
Question # 44
An information systems security officer's PRIMARY responsibility for business process applications is to:
A. authorize secured emergency access
B. approve the organization's security policy
C. ensure access rules agree with policies
D. create role-based rules for each business process
Question # 45
In data warehouse (DW) management, what is the BEST way to prevent data quality issues caused by changes from a source system?
A. Configure data quality alerts to check variances between the data warehouse and the source system
B. Require approval for changes in the extract/Transfer/load (ETL) process between the two systems
C. Include the data warehouse in the impact analysis (or any changes m the source system
D. Restrict access to changes in the extract/transfer/load (ETL) process between the two systems
Question # 46
For an organization that has plans to implement web-based trading, it would be MOST important for an IS auditor to verify the organization's information security plan includes:
A. attributes for system passwords.
B. security training prior to implementation.
C. security requirements for the new application.
D. the firewall configuration for the web server.
Question # 47
While auditing a small organization's data classification processes and procedures, an IS auditor noticed that data is often classified at the incorrect level. What is the MOST effective way for the organization to improve this situation?
A. Use automatic document classification based on content.
B. Have IT security staff conduct targeted training for data owners.
C. Publish the data classification policy on the corporate web portal.
D. Conduct awareness presentations and seminars for information classification policies.
Question # 48
An organization has assigned two now IS auditors to audit a now system implementation. One of the auditors has an IT-related degree, and one has a business degree. Which ol the following is MOST important to meet the IS audit standard for proficiency?
A. The standard is met as long as one member has a globally recognized audit certification.
B. Technical co-sourcing must be used to help the new staff.
C. Team member assignments must be based on individual competencies.
D. The standard is met as long as a supervisor reviews the new auditors' work.
Question # 49
When auditing the alignment of IT to the business strategy, it is MOST Important for the IS auditor to:
A. compare the organization's strategic plan against industry best practice.
B. interview senior managers for their opinion of the IT function.
C. ensure an IT steering committee is appointed to monitor new IT projects.
D. evaluate deliverables of new IT initiatives against planned business services.
Question # 50
A new regulation in one country of a global organization has recently prohibited crossborder transfer of personal data. An IS auditor has been asked to determine the organization's level of exposure In the affected country. Which of the following would be MOST helpful in making this assessment?
A. Developing an inventory of all business entities that exchange personal data with the affected jurisdiction
B. Identifying data security threats in the affected jurisdiction
C. Reviewing data classification procedures associated with the affected jurisdiction
D. Identifying business processes associated with personal data exchange with the affected jurisdiction
Question # 51
Which of the following should an IS auditor consider FIRST when evaluating firewall rules?
A. The organization's security policy
B. The number of remote nodes
C. The firewalls' default settings
D. The physical location of the firewalls
Question # 52
An IS auditor notes that IT and the business have different opinions on the availability of their application servers. Which of the following should the IS auditor review FIRST in order to understand the problem?
A. The exact definition of the service levels and their measurement
B. The alerting and measurement process on the application servers
C. The actual availability of the servers as part of a substantive test
D. The regular performance-reporting documentation
Question # 53
Which of the following is the MOST important activity in the data classification process?
A. Labeling the data appropriately
B. Identifying risk associated with the data
C. Determining accountability of data owners
D. Determining the adequacy of privacy controls
Question # 54
Which of the following metrics would BEST measure the agility of an organization's IT function?
A. Average number of learning and training hours per IT staff member
B. Frequency of security assessments against the most recent standards and guidelines
C. Average time to turn strategic IT objectives into an agreed upon and approved initiative
D. Percentage of staff with sufficient IT-related skills for the competency required of their roles
Question # 55
A project team has decided to switch to an agile approach to develop a replacement for an existing business application. Which of the following should an IS auditor do FIRST to ensure the effectiveness of the protect audit?
A. Compare the agile process with previous methodology.
B. Identify and assess existing agile process control
C. Understand the specific agile methodology that will be followed.
D. Interview business process owners to compile a list of business requirements
Question # 56
Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system. Which of the following is the IS auditor's BEST recommendation for a compensating control?
A. Require written authorization for all payment transactions
B. Restrict payment authorization to senior staff members.
C. Reconcile payment transactions with invoices.
D. Review payment transaction history
Question # 57
During an IT governance audit, an IS auditor notes that IT policies and procedures are not regularly reviewed and updated. The GREATEST concern to the IS auditor is that policies and procedures might not:
A. reflect current practices.
B. include new systems and corresponding process changes.
C. incorporate changes to relevant laws.
D. be subject to adequate quality assurance (QA).
Question # 58
An organization with many desktop PCs is considering moving to a thin client architecture. Which of the following is the MAJOR advantage?
A. The security of the desktop PC is enhanced.
B. Administrative security can be provided for the client.
C. Desktop application software will never have to be upgraded.
D. System administration can be better managed
Question # 59
Which of the following provides IS audit professionals with the BEST source of direction for performing audit functions?
A. Audit charier
B. IT steering committee
C. Information security policy
D. Audit best practices
Question # 60
Which of the following is the PRIMARY advantage of using visualization technology for corporate applications?
A. Improved disaster recovery
B. Better utilization of resources
C. Stronger data security
D. Increased application performance
Question # 61
Which of the following documents should specify roles and responsibilities within an IT audit organization?
A. Organizational chart
B. Audit charier
C. Engagement letter
D. Annual audit plan
Question # 62
Which of the following BEST enables the timely identification of risk exposure?
A. External audit review
B. Internal audit review
C. Control self-assessment (CSA)
D. Stress testing
Question # 63
A company has implemented an IT segregation of duties policy. In a role-based environment, which of the following roles may be assigned to an application developer?
A. IT operator
B. System administration
C. Emergency support
D. Database administration
Question # 64
Which of the following activities would allow an IS auditor to maintain independence while facilitating a control sell-assessment (CSA)?
A. Implementing the remediation plan
B. Partially completing the CSA
C. Developing the remediation plan
D. Developing the CSA questionnaire
Question # 65
The due date of an audit project is approaching, and the audit manager has determined that only 60% of the audit has been completed Which of the following should the audit manager do FIRST?
A. Determine where delays have occurred
B. Assign additional resources to supplement the audit
C. Escalate to the audit committee
D. Extend the audit deadline
Question # 66
Which of the following would provide the MOST important input during the planning phase for an audit on the implementation of a bring your own device (BYOD) program?
A. Findings from prior audits
B. Results of a risk assessment
C. An inventory of personal devices to be connected to the corporate network
D. Policies including BYOD acceptable user statements
Question # 67
The performance, risks, and capabilities of an IT infrastructure are BEST measured using a:
A. risk management review
B. control self-assessment (CSA).
C. service level agreement (SLA).
D. balanced scorecard.
Question # 68
The GREATEST benefit of using a polo typing approach in software development is that it helps to:
A. minimize scope changes to the system.
B. decrease the time allocated for user testing and review.
C. conceptualize and clarify requirements.
D. Improve efficiency of quality assurance (QA) testing
Question # 69
Which of the following would BEST manage the risk of changes in requirements after the analysis phase of a business application development project?
A. Expected deliverables meeting project deadlines
B. Sign-off from the IT team
C. Ongoing participation by relevant stakeholders
D. Quality assurance (OA) review
Question # 70
Which of the following is MOST helpful for measuring benefits realization for a new system?
A. Function point analysis
B. Balanced scorecard review
C. Post-implementation review
D. Business impact analysis (BIA)
Question # 71
The BEST way to determine whether programmers have permission to alter data in the production environment is by reviewing:
A. the access control system's log settings.
B. how the latest system changes were implemented.
C. the access control system's configuration.
D. the access rights that have been granted.
Question # 72
Which of the following is MOST important for an IS auditor to do during an exit meeting with an auditee?
A. Ensure that the facts presented in the report are correct
B. Communicate the recommendations lo senior management
C. Specify implementation dates for the recommendations.
D. Request input in determining corrective action.
Question # 73
An organization that has suffered a cyber attack is performing a forensic analysis of the affected users' computers. Which of the following should be of GREATEST concern for the IS auditor reviewing this process?
A. An imaging process was used to obtain a copy of the data from each computer.
B. The legal department has not been engaged.
C. The chain of custody has not been documented.
D. Audit was only involved during extraction of the Information
Question # 74
An organization that has suffered a cyber attack is performing a forensic analysis of the affected users' computers. Which of the following should be of GREATEST concern for the IS auditor reviewing this process?
A. An imaging process was used to obtain a copy of the data from each computer.
B. The legal department has not been engaged.
C. The chain of custody has not been documented.
D. Audit was only involved during extraction of the Information
Question # 75
Which of the following conditions would be of MOST concern to an IS auditor assessing the risk of a successful brute force attack against encrypted data at test?
A. Short key length
B. Random key generation
C. Use of symmetric encryption
D. Use of asymmetric encryption
Question # 76
Which of the following should be of MOST concern to an IS auditor reviewing the public key infrastructure (PKI) for enterprise email?
A. The certificate revocation list has not been updated.
B. The PKI policy has not been updated within the last year.
C. The private key certificate has not been updated.
D. The certificate practice statement has not been published
Question # 77
Which of the following is the BEST indicator of the effectiveness of signature-based intrusion detection systems (lDS)?
A. An increase in the number of identified false positives
B. An increase in the number of detected Incidents not previously identified
C. An increase in the number of unfamiliar sources of intruders
D. An increase in the number of internally reported critical incidents
Question # 78
During the planning stage of a compliance audit, an IS auditor discovers that a bank's inventory of compliance requirements does not include recent regulatory changes related to managing data risk. What should the auditor do FIRST?
A. Ask management why the regulatory changes have not been Included.
B. Discuss potential regulatory issues with the legal department
C. Report the missing regulatory updates to the chief information officer (CIO).
D. Exclude recent regulatory changes from the audit scope.
Question # 79
Which of the following types of firewalls provide the GREATEST degree of control against hacker intrusion?
A. Circuit gateway
B. Application level gateway
C. Packet filtering router
D. Screening router
Question # 80
Which of the following is the BEST way to ensure that business continuity plans (BCPs) will work effectively in the event of a major disaster?
A. Prepare detailed plans for each business function.
B. Involve staff at all levels in periodic paper walk-through exercises.
C. Regularly update business impact assessments.
D. Make senior managers responsible for their plan sections.
Question # 81
Which of the following is the MOST important determining factor when establishing appropriate timeframes for follow-up activities related to audit findings?
A. Availability of IS audit resources
B. Remediation dates included in management responses
C. Peak activity periods for the business
D. Complexity of business processes identified in the audit
Question # 82
Which of the following is the BEST indicator of the effectiveness of an organization's incident response program?
A. Number of successful penetration tests
B. Percentage of protected business applications
C. Financial impact per security event
D. Number of security vulnerability patches
Question # 83
An organization has recently implemented a Voice-over IP (VoIP) communication system. Which ot the following should be the IS auditor's PRIMARY concern?
A. A single point of failure for both voice and data communications
B. Inability to use virtual private networks (VPNs) for internal traffic
C. Lack of integration of voice and data communications
D. Voice quality degradation due to packet toss
Question # 84
Which of the following findings should be of GREATEST concern for an IS auditor when auditing the effectiveness of a phishing simulation test administered for staff members?
A. Staff members who failed the test did not receive follow-up education
B. Test results were not communicated to staff members.
C. Staff members were not notified about the test beforehand.
D. Security awareness training was not provided prior to the test.
Question # 85
Capacity management enables organizations to:
A. forecast technology trends
B. establish the capacity of network communication links
C. identify the extent to which components need to be upgraded
D. determine business transaction volumes.
Question # 86
To enable the alignment of IT staff development plans with IT strategy, which of the following should be done FIRST?
A. Review IT staff job descriptions for alignment
B. Develop quarterly training for each IT staff member.
C. Identify required IT skill sets that support key business processes
D. Include strategic objectives m IT staff performance objectives
Question # 87
An organization has developed mature risk management practices that are followed across all departments What is the MOST effective way for the audit team to leverage this risk management maturity?
A. Implementing risk responses on management's behalf
B. Integrating the risk register for audit planning purposes
C. Providing assurances to management regarding risk
D. Facilitating audit risk identification and evaluation workshops
Question # 88
An IS auditor is reviewing an organization's primary router access control list. Which of the following should result in a finding?
A. There are conflicting permit and deny rules for the IT group.
B. The network security group can change network address translation (NAT).
C. Individual permissions are overriding group permissions.
D. There is only one rule per group with access privileges.
Question # 89
Which of the following is the BEST reason for an organization to use clustering?
A. To decrease system response time
B. To Improve the recovery lime objective (RTO)
C. To facilitate faster backups
D. To improve system resiliency
Question # 90
Which of the following represents the HIGHEST level of maturity of an information security program?
A. A training program is in place to promote information security awareness.
B. A framework is in place to measure risks and track effectiveness.
C. Information security policies and procedures are established.
D. The program meets regulatory and compliance requirements.
Question # 91
A third-party consultant is managing the replacement of an accounting system. Which of the following should be the IS auditor's GREATEST concern?
A. Data migration is not part of the contracted activities.
B. The replacement is occurring near year-end reporting
C. The user department will manage access rights.
D. Testing was performed by the third-party consultant
Question # 92
An IS auditor finds a high-risk vulnerability in a public-facing web server used to process online customer payments. The IS auditor should FIRST
A. document the exception in an audit report.
B. review security incident reports.
C. identify compensating controls.
D. notify the audit committee.
Question # 93
Which of the following is the PRIMARY reason to follow a configuration management process to maintain application?
A. To optimize system resources
B. To follow system hardening standards
C. To optimize asset management workflows
D. To ensure proper change control
Question # 94
What is the MAIN reason to use incremental backups?
A. To improve key availability metrics
B. To reduce costs associates with backups
C. To increase backup resiliency and redundancy
D. To minimize the backup time and resources
Question # 95
The waterfall life cycle model of software development is BEST suited for which of the following situations?
A. The protect requirements are wall understood.
B. The project is subject to time pressures.
C. The project intends to apply an object-oriented design approach.
D. The project will involve the use of new technology.
Question # 96
During an audit of a multinational bank's disposal process, an IS auditor notes several findings. Which of the following should be the auditor's GREATEST concern?
A. Backup media are not reviewed before disposal.
B. Degaussing is used instead of physical shredding.
C. Backup media are disposed before the end of the retention period
D. Hardware is not destroyed by a certified vendor.
Question # 97
Which of the following is the GREATEST risk associated with storing customer data on a web server?
A. Data availability
B. Data confidentiality
C. Data integrity
D. Data redundancy
Question # 98
Which of the following provides the BEST providence that outsourced provider services are being properly managed?
A. The service level agreement (SLA) includes penalties for non-performance.
B. Adequate action is taken for noncompliance with the service level agreement (SLA).
C. The vendor provides historical data to demonstrate its performance.
D. Internal performance standards align with corporate strategy.
Question # 99
Which of the following findings should be of GREATEST concern to an IS auditor performing a review of IT operations?
A. The job scheduler application has not been designed to display pop-up error messages.
B. Access to the job scheduler application has not been restricted to a maximum of two staff members
C. Operations shift turnover logs are not utilized to coordinate and control the processing environment
D. Changes to the job scheduler application's parameters are not approved and reviewed by an operations supervisor
Question # 100
An IS auditor is reviewing the release management process for an in-house software development solution. In which environment Is the software version MOST likely to be the same as production?
A. Staging
B. Testing
C. Integration
D. Development
Question # 101
Which of the following is a detective control?
A. Programmed edit checks for data entry
B. Backup procedures
C. Use of pass cards to gain access to physical facilities
D. Verification of hash totals
Question # 102
An IS auditor is conducting a review of a data center. Which of the following observations could indicate an access control Issue?
A. Security cameras deployed outside main entrance
B. Antistatic mats deployed at the computer room entrance
C. Muddy footprints directly inside the emergency exit
D. Fencing around facility is two meters high
Question # 103
Which of the following would MOST effectively ensure the integrity of data transmitted over a network?
A. Message encryption
B. Certificate authority (CA)
C. Steganography
D. Message digest
Question # 104
When testing the adequacy of tape backup procedures, which step BEST verifies that regularly scheduled Backups are timely and run to completion?
A. Observing the execution of a daily backup run
B. Evaluating the backup policies and procedures
C. Interviewing key personnel evolved In the backup process
D. Reviewing a sample of system-generated backup logs
Question # 105
When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor's BEST recommendation is to place an intrusion detection system (IDS) between the firewall and:
A. the organization's web server.
B. the demilitarized zone (DMZ).
C. the organization's network.
D. the Internet
Question # 106
In an online application, which of the following would provide the MOST information about the transaction audit trail?
A. System/process flowchart
B. File layouts
C. Data architecture
D. Source code documentation
Question # 107
An IS auditor concludes that an organization has a quality security policy. Which of the following is MOST important to determine next? The policy must be:
A. well understand by all employees.
B. based on industry standards.
C. developed by process owners.
D. updated frequently.
Question # 108
Which of the following controls BEST ensures appropriate segregation of dudes within an accounts payable department?
A. Ensuring that audit trails exist for transactions
B. Restricting access to update programs to accounts payable staff only
C. Including the creator's user ID as a field in every transaction record created
D. Restricting program functionality according to user security profiles
Question # 109
Due to limited storage capacity, an organization has decided to reduce the actual retention period (or media containing completed low-value transactions. Which ol the following is MOST important lor the organization to ensure?
A. The policy includes a strong risk-based approach.
B. The retention period allows for review during the year-end audit.
C. The retention period complies with data owner responsibilities.
D. The total transaction amount has no impact on financial reporting
Question # 110
Which of the following is the PRIMARY role of the IS auditor m an organization's information classification process?
A. Securing information assets in accordance with the classification assigned
B. Validating that assets are protected according to assigned classification
C. Ensuring classification levels align with regulatory guidelines
D. Defining classification levels for information assets within the organization
Question # 111
An IS auditor is reviewing security controls related to collaboration tools for a business unit responsible for intellectual property and patents. Which of the following observations should be of MOST concern to the auditor?
A. Training was not provided to the department that handles intellectual property and patents
B. Logging and monitoring for content filtering is not enabled.
C. Employees can share files with users outside the company through collaboration tools.
D. The collaboration tool is hosted and can only be accessed via an Internet browser
Question # 112
A warehouse employee of a retail company has been able to conceal the theft of inventory items by entering adjustments of either damaged or lost stock items lo the inventory system. Which control would have BEST prevented this type of fraud in a retail environment?
A. Separate authorization for input of transactions
B. Statistical sampling of adjustment transactions
C. Unscheduled audits of lost stock lines
D. An edit check for the validity of the inventory transaction
Question # 113
An IS auditor has been asked to audit the proposed acquisition of new computer hardware. The auditor’s PRIMARY concern Is that:
A. the implementation plan meets user requirements.
B. a full, visible audit trail will be Included.
C. a dear business case has been established.
D. the new hardware meets established security standards
Question # 114
An accounting department uses a spreadsheet to calculate sensitive financial transactions. Which of the following is the MOST important control for maintaining the security of data in the spreadsheet?
A. There Is a reconciliation process between the spreadsheet and the finance system
B. A separate copy of the spreadsheet is routinely backed up
C. The spreadsheet is locked down to avoid inadvertent changes
D. Access to the spreadsheet is given only to those who require access
Question # 115
Which of the following should be an IS auditor's GREATEST concern when an international organization intends to roll out a global data privacy policy?
A. Requirements may become unreasonable.
B. The policy may conflict with existing application requirements.
C. Local regulations may contradict the policy.
D. Local management may not accept the policy.
Question # 116
Which of the following would lead an IS auditor to conclude that the evidence collected during a digital forensic investigation would not be admissible in court?
A. The person who collected the evidence is not qualified to represent the case.
B. The logs failed to identify the person handling the evidence.
C. The evidence was collected by the internal forensics team.
D. The evidence was not fully backed up using a cloud-based solution prior to the trial.
Question # 117
The IS auditor has recommended that management test a new system before using it in production mode. The BEST approach for management in developing a test plan is to use processing parameters that are:
A. randomly selected by a test generator.
B. provided by the vendor of the application.
C. randomly selected by the user.
D. simulated by production entities and customers.
Question # 118
An IS auditor is reviewing an industrial control system (ICS) that uses older unsupported technology in the scope of an upcoming audit. What should the auditor consider the MOST significant concern?
A. Attack vectors are evolving for industrial control systems.
B. There is a greater risk of system exploitation.
C. Disaster recovery plans (DRPs) are not in place.
D. Technical specifications are not documented.
Question # 119
Which of the following concerns is BEST addressed by securing production source libraries?
A. Programs are not approved before production source libraries are updated.
B. Production source and object libraries may not be synchronized.
C. Changes are applied to the wrong version of production source libraries.
D. Unauthorized changes can be moved into production.
Question # 120
Which of the following must be in place before an IS auditor initiates audit follow-up activities?
A. Available resources for the activities included in the action plan
B. A management response in the final report with a committed implementation date
C. A heal map with the gaps and recommendations displayed in terms of risk
D. Supporting evidence for the gaps and recommendations mentioned in the audit report
Question # 121
An IS auditor is evaluating the risk associated with moving from one database management system (DBMS) to another. Which of the following would be MOST helpful to ensure the integrity of the system throughout the change?
A. Preserving the same data classifications
B. Preserving the same data inputs
C. Preserving the same data structure
D. Preserving the same data interfaces
Question # 122
The PRIMARY role of a control self-assessment (CSA) facilitator is to:
A. conduct interviews to gain background information.
B. focus the team on internal controls.
C. report on the internal control weaknesses.
D. provide solutions for control weaknesses.
Question # 123
Which of the following activities provides an IS auditor with the MOST insight regarding potential single person dependencies that might exist within the organization?
A. Reviewing vacation patterns
B. Reviewing user activity logs
C. Interviewing senior IT management
D. Mapping IT processes to roles
Question # 124
When planning an audit to assess application controls of a cloud-based system, it is MOST important tor the IS auditor to understand the.
A. architecture and cloud environment of the system.
B. business process supported by the system.
C. policies and procedures of the business area being audited.
D. availability reports associated with the cloud-based system.
Question # 125
Which of the following is an example of a preventative control in an accounts payable system?
A. The system only allows payments to vendors who are included In the system's master vendor list.
B. Backups of the system and its data are performed on a nightly basis and tested periodically.
C. The system produces daily payment summary reports that staff use to compare against invoice totals.
D. Policies and procedures are clearly communicated to all members of the accounts payable department
Question # 126
Which of the following would be an appropriate rote of internal audit in helping to establish an organization's privacy program?
A. Analyzing risks posed by new regulations
B. Designing controls to protect personal data
C. Defining roles within the organization related to privacy
D. Developing procedures to monitor the use of personal data
Question # 127
After the merger of two organizations, which of the following is the MOST important task for an IS auditor to perform?
A. Verifying that access privileges have been reviewed
B. investigating access rights for expiration dates
C. Updating the continuity plan for critical resources
D. Updating the security policy
Question # 128
Which of the following would BEST help lo support an auditors conclusion about the effectiveness of an implemented data classification program?
A. Purchase of information management tools
B. Business use cases and scenarios
C. Access rights provisioned according to scheme
D. Detailed data classification scheme
Question # 129
An IS auditor is analyzing a sample of accesses recorded on the system log of an application. The auditor intends to launch an intensive investigation if one exception is found Which sampling method would be appropriate?
A. Discovery sampling
B. Judgmental sampling
C. Variable sampling
D. Stratified sampling
Question # 130
During an exit interview, senior management disagrees with some of me facts presented m the draft audit report and wants them removed from the report. Which of the following would be the auditor's BEST course of action?
A. Revise the assessment based on senior management's objections.
B. Escalate the issue to audit management.
C. Finalize the draft audit report without changes.
D. Gather evidence to analyze senior management's objections
Question # 131
A now regulation requires organizations to report significant security incidents to the regulator within 24 hours of identification. Which of the following is the IS auditors BEST recommendation to facilitate compliance with the regulation?
A. Establish key performance indicators (KPls) for timely identification of security incidents.
B. Engage an external security incident response expert for incident handling.
C. Enhance the alert functionality of the intrusion detection system (IDS).
D. Include the requirement in the incident management response plan.
Question # 132
Which of the following is the BEST audit procedure to determine whether a firewall is configured in compliance with the organization's security policy?
A. Reviewing the parameter settings
B. Reviewing the system log
C. Interviewing the firewall administrator
D. Reviewing the actual procedures
Question # 133
Which of the following is a social engineering attack method?
A. An employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone.
B. A hacker walks around an office building using scanning tools to search for a wireless network to gain access.
C. An intruder eavesdrops and collects sensitive information flowing through the network and sells it to third parties.
D. An unauthorized person attempts to gain access to secure premises by following an authorized person through a secure door.
Question # 134
An organization is planning an acquisition and has engaged an IS auditor lo evaluate the IT governance framework of the target company. Which of the following would be MOST helpful In determining the effectiveness of the framework?
A. Sell-assessment reports of IT capability and maturity
B. IT performance benchmarking reports with competitors
C. Recent third-party IS audit reports
D. Current and previous internal IS audit reports
Question # 135
What is the Most critical finding when reviewing an organization’s information security management?
A. No dedicated security officer
B. No official charier for the information security management system
C. No periodic assessments to identify threats and vulnerabilities
D. No employee awareness training and education program
Question # 136
Which of the following environments is BEST used for copying data and transformation into a compatible data warehouse formal?
A. Testing
B. Replication
C. Staging
D. Development
Question # 137
Due to a recent business divestiture, an organization has limited IT resources to deliver critical projects Reviewing the IT staffing plan against which of the following would BEST guide IT management when estimating resource requirements for future projects?
A. Human resources (HR) sourcing strategy
B. Records of actual time spent on projects
C. Peer organization staffing benchmarks
D. Budgeted forecast for the next financial year
Question # 138
Which of the following should an IS auditor consider the MOST significant risk associated with a new health records system that replaces a legacy system?
A. Staff were not involved in the procurement process, creating user resistance to the new system.
B. Data is not converted correctly, resulting in inaccurate patient records.
C. The deployment project experienced significant overruns, exceeding budget projections.
D. The new system has capacity issues, leading to slow response times for users.
Question # 139
Which of the following security risks can be reduced by a property configured network firewall?
A. SQL injection attacks
B. Denial of service (DoS) attacks
C. Phishing attacks
D. Insider attacks
Question # 140
Which of the following should an IS auditor review FIRST when planning a customer data privacy audit?
A. Legal and compliance requirements
B. Customer agreements
C. Data classification
D. Organizational policies and procedures
Question # 141
The PRIMARY reason for an IS auditor to use data analytics techniques is to reduce which type of audit risk?
A. Technology risk
B. Detection risk
C. Control risk
D. Inherent risk
Question # 142
During an audit of a financial application, it was determined that many terminated users' accounts were not disabled. Which of the following should be the IS auditor's NEXT step?
A. Perform substantive testing of terminated users' access rights.
B. Perform a review of terminated users' account activity
C. Communicate risks to the application owner.
D. Conclude that IT general controls ate ineffective.
Question # 143
An IS auditor learns the organization has experienced several server failures in its distributed environment. Which of the following is the BEST recommendation to limit the potential impact of server failures in the future?
A. Redundant pathways
B. Clustering
C. Failover power
D. Parallel testing
Question # 144
Which of the following BEST protects an organization's proprietary code during a jointdevelopment activity involving a third party?
A. Statement of work (SOW)
B. Nondisclosure agreement (NDA)
C. Service level agreement (SLA)
D. Privacy agreement
Question # 145
Which of the following is the BEST way for an organization to mitigate the risk associated with third-party application performance?
A. Ensure the third party allocates adequate resources to meet requirements.
B. Use analytics within the internal audit function
C. Conduct a capacity planning exercise
D. Utilize performance monitoring tools to verify service level agreements (SLAs)
Question # 146
A manager identifies active privileged accounts belonging to staff who have left the organization. Which of the following is the threat actor in this scenario?
A. Terminated staff
B. Unauthorized access
C. Deleted log data
D. Hacktivists
Question # 147
Which of the following BEST demonstrates that IT strategy Is aligned with organizational goals and objectives?
A. IT strategies are communicated to all Business stakeholders
B. Organizational strategies are communicated to the chief information officer (CIO).
C. Business stakeholders are Involved In approving the IT strategy.
D. The chief information officer (CIO) is involved In approving the organizational strategies
Question # 148
Which of the following is MOST important to verify when determining the completeness of the vulnerability scanning process?
A. The organization's systems inventory is kept up to date.
B. Vulnerability scanning results are reported to the CISO.
C. The organization is using a cloud-hosted scanning tool for Identification of vulnerabilities
D. Access to the vulnerability scanning tool is periodically reviewed
Question # 149
During a follow-up audit, it was found that a complex security vulnerability of low risk was not resolved within the agreed-upon timeframe. IT has stated that the system with the identified vulnerability is being replaced and is expected to be fully functional in two months Which of the following is the BEST course of action?
A. Require documentation that the finding will be addressed within the new system
B. Schedule a meeting to discuss the issue with senior management
C. Perform an ad hoc audit to determine if the vulnerability has been exploited
D. Recommend the finding be resolved prior to implementing the new system
Question # 150
Which of the following would provide an IS auditor with the GREATEST assurance that data disposal controls support business strategic objectives?
A. Media recycling policy
B. Media sanitization policy
C. Media labeling policy
D. Media shredding policy
Question # 151
Which of the following observations would an IS auditor consider the GREATEST risk when conducting an audit of a virtual server farm tor potential software vulnerabilities?
A. Guest operating systems are updated monthly
B. The hypervisor is updated quarterly.
C. A variety of guest operating systems operate on one virtual server
D. Antivirus software has been implemented on the guest operating system only.
Question # 152
Which of the following is the GREATEST security risk associated with data migration from a legacy human resources (HR) system to a cloud-based system?
A. Data from the source and target system may be intercepted.
B. Data from the source and target system may have different data formats.
C. Records past their retention period may not be migrated to the new system.
D. System performance may be impacted by the migration
Question # 153
A month after a company purchased and implemented system and performance monitoring software, reports were too large and therefore were not reviewed or acted upon The MOST effective plan of action would be to:
A. evaluate replacement systems and performance monitoring software.
B. restrict functionality of system monitoring software to security-related events.
C. re-install the system and performance monitoring software.
D. use analytical tools to produce exception reports from the system and performance monitoring software
Question # 154
In which phase of penetration testing would host detection and domain name system (DNS) interrogation be performed?
A. Discovery
B. Attacks
C. Planning
D. Reporting
Question # 155
Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization's information security policy?
A. IT steering committee minutes
B. Business objectives
C. Alignment with the IT tactical plan
D. Compliance with industry best practice
Question # 156
Following a security breach in which a hacker exploited a well-known vulnerability in the domain controller, an IS audit has been asked to conduct a control assessment. the auditor's BEST course of action would be to determine if:
A. the patches were updated.
B. The logs were monitored.
C. The network traffic was being monitored.
D. The domain controller was classified for high availability.
Question # 157
A new system is being developed by a vendor for a consumer service organization. The vendor will provide its proprietary software once system development is completed Which of the following is the MOST important requirement to include In the vendor contract to ensure continuity?
A. Continuous 24/7 support must be available.
B. The vendor must have a documented disaster recovery plan (DRP) in place.
C. Source code for the software must be placed in escrow.
D. The vendor must train the organization's staff to manage the new software
Question # 158
Stress testing should ideally be earned out under a:
A. test environment with production workloads.
B. production environment with production workloads.
C. production environment with test data.
D. test environment with test data.
Question # 159
Which of the following provides the MOST assurance over the completeness and accuracy ol loan application processing with respect to the implementation ol a new system?
A. Comparing code between old and new systems
B. Running historical transactions through the new system
C. Reviewing quality assurance (QA) procedures
D. Loading balance and transaction data to the new system
Question # 160
An organization's enterprise architecture (EA) department decides to change a legacy system's components while maintaining its original functionality. Which of the following is MOST important for an IS auditor to understand when reviewing this decision?
A. The data flows between the components to be used by the redesigned system
B. The proposed network topology to be used by the redesigned system
C. The current business capabilities delivered by the legacy system
D. The database entity relationships within the legacy system
Question # 161
Which of the following findings from an IT governance review should be of GREATEST concern?
A. The IT budget is not monitored
B. All IT services are provided by third parties.
C. IT value analysis has not been completed.
D. IT supports two different operating systems.
Question # 162
An IS auditor Is reviewing a recent security incident and is seeking information about me approval of a recent modification to a database system's security settings Where would the auditor MOST likely find this information?
A. System event correlation report
B. Database log
C. Change log
D. Security incident and event management (SIEM) report
Question # 163
The decision to accept an IT control risk related to data quality should be the responsibility of the:
A. information security team.
B. IS audit manager.
C. chief information officer (CIO).
D. business owner.
Question # 164
Coding standards provide which of the following?
A. Program documentation
B. Access control tables
C. Data flow diagrams
D. Field naming conventions
Question # 165
During the discussion of a draft audit report. IT management provided suitable evidence fiat a process has been implemented for a control that had been concluded by the IS auditor as Ineffective. Which of the following is the auditor's BEST action?
A. Explain to IT management that the new control will be evaluated during follow-up
B. Re-perform the audit before changing the conclusion.
C. Change the conclusion based on evidence provided by IT management.
D. Add comments about the action taken by IT management in the report.
Question # 166
Which of the following is the BEST recommendation to prevent fraudulent electronic funds transfers by accounts payable employees?
A. Periodic vendor reviews
B. Dual control
C. Independent reconciliation
D. Re-keying of monetary amounts
E. Engage an external security incident response expert for incident handling.
Question # 167
Which of the following is MOST useful for determining whether the goals of IT are aligned with the organization's goals?
A. Balanced scorecard
B. Enterprise dashboard
C. Enterprise architecture (EA)
D. Key performance indicators (KPIs)
Question # 168
An IS auditor found that a company executive is encouraging employee use of social networking sites for business purposes. Which of the following recommendations would BEST help to reduce the risk of data leakage?
A. Requiring policy acknowledgment and nondisclosure agreements (NDAs) signed by employees
B. Establishing strong access controls on confidential data
C. Providing education and guidelines to employees on use of social networking sites
D. Monitoring employees' social networking usage
Question # 169
Which of the following tests would provide the BEST assurance that a health care organization is handling patient data appropriately?
A. Compliance with action plans resulting from recent audits
B. Compliance with local laws and regulations
C. Compliance with industry standards and best practice
D. Compliance with the organization's policies and procedures
Question # 170
Which of the following is the BEST way to address segregation of duties issues in an organization with budget constraints?
A. Rotate job duties periodically.
B. Perform an independent audit.
C. Hire temporary staff.
D. Implement compensating controls.
Question # 171
Management has requested a post-implementation review of a newly implemented purchasing package to determine to what extent business requirements are being met. Which of the following is MOST likely to be assessed?
A. Purchasing guidelines and policies
B. Implementation methodology
C. Results of line processing
D. Test results
Question # 172
To confirm integrity for a hashed message, the receiver should use:
A. the same hashing algorithm as the sender's to create a binary image of the file.
B. a different hashing algorithm from the sender's to create a binary image of the file.
C. the same hashing algorithm as the sender's to create a numerical representation of the file.
D. a different hashing algorithm from the sender's to create a numerical representation of the file.
Question # 173
Which of the following should an IS auditor be MOST concerned with during a postimplementation review?
A. The system does not have a maintenance plan.
B. The system contains several minor defects.
C. The system deployment was delayed by three weeks.
D. The system was over budget by 15%.
Question # 174
An IS auditor is planning an audit of an organization's accounts payable processes. Which of the following controls is MOST important to assess in the audit?
A. Segregation of duties between issuing purchase orders and making payments.
B. Segregation of duties between receiving invoices and setting authorization limits
C. Management review and approval of authorization tiers
D. Management review and approval of purchase orders
Question # 175
Which of the following should an IS auditor recommend as a PRIMARY area of focus when an organization decides to outsource technical support for its external customers?
A. Align service level agreements (SLAs) with current needs.
B. Monitor customer satisfaction with the change.
C. Minimize costs related to the third-party agreement.
D. Ensure right to audit is included within the contract.
Question # 176
Which of the following provides the MOST reliable audit evidence on the validity of transactions in a financial application?
A. Walk-through reviews
B. Substantive testing
C. Compliance testing
D. Design documentation reviews
Question # 177
When auditing the security architecture of an online application, an IS auditor should FIRST review the:
A. firewall standards.
B. configuration of the firewall
C. firmware version of the firewall
D. location of the firewall within the network
Question # 178
Management is concerned about sensitive information being intentionally or unintentionally emailed as attachments outside the organization by employees. What is the MOST important task before implementing any associated email controls?
A. Require all employees to sign nondisclosure agreements (NDAs).
B. Develop an acceptable use policy for end-user computing (EUC).
C. Develop an information classification scheme.
D. Provide notification to employees about possible email monitoring.
Question # 179
Which of the following is MOST important for an IS auditor to examine when reviewing an organization's privacy policy?
A. Whether there is explicit permission from regulators to collect personal data
B. The organization's legitimate purpose for collecting personal data
C. Whether sharing of personal information with third-party service providers is prohibited
D. The encryption mechanism selected by the organization for protecting personal data
Question # 180
Which of the following is the BEST data integrity check?
A. Counting the transactions processed per day
B. Performing a sequence check
C. Tracing data back to the point of origin
D. Preparing and running test data
Question # 181
Which of the following is MOST important for an effective control self-assessment (CSA) program?
A. Determining the scope of the assessment
B. Performing detailed test procedures
C. Evaluating changes to the risk environment
D. Understanding the business process
Question # 182
Which of the following is the MOST effective way to maintain network integrity when using mobile devices?
A. Implement network access control.
B. Implement outbound firewall rules.
C. Perform network reviews.
D. Review access control lists.
Question # 183
An IS auditor discovers that validation controls m a web application have been moved from the server side into the browser to boost performance This would MOST likely increase the risk of a successful attack by.
A. phishing.
B. denial of service (DoS)
C. structured query language (SQL) injection
D. buffer overflow
Question # 184
Which of the following is an audit reviewer's PRIMARY role with regard to evidence?
A. Ensuring unauthorized individuals do not tamper with evidence after it has been captured
B. Ensuring evidence is sufficient to support audit conclusions
C. Ensuring appropriate statistical sampling methods were used
D. Ensuring evidence is labeled to show it was obtained from an approved source
Question # 185
An IT balanced scorecard is the MOST effective means of monitoring:
A. governance of enterprise IT.
B. control effectiveness.
C. return on investment (ROI).
D. change management effectiveness.
Question # 186
Which of the following is the BEST method to prevent wire transfer fraud by bank employees?
A. Independent reconciliation
B. Re-keying of wire dollar amounts
C. Two-factor authentication control
D. System-enforced dual control
Question # 187
During a review of a production schedule, an IS auditor observes that a staff member is not complying with mandatory operational procedures. The auditor's NEXT step should be to:
A. note the noncompliance in the audit working papers.
B. issue an audit memorandum identifying the noncompliance.
C. include the noncompliance in the audit report.
D. determine why the procedures were not followed.
Question # 188
Which of the following is an executive management concern that could be addressed by the implementation of a security metrics dashboard?
A. Effectiveness of the security program
B. Security incidents vs. industry benchmarks
C. Total number of hours budgeted to security
D. Total number of false positives
Question # 189
Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization's information security policy?
A. Alignment with the IT tactical plan
B. IT steering committee minutes
C. Compliance with industry best practice
D. Business objectives
Question # 190
Which audit approach is MOST helpful in optimizing the use of IS audit resources?
A. Agile auditing
B. Continuous auditing
C. Outsourced auditing
D. Risk-based auditing
Question # 191
The implementation of an IT governance framework requires that the board of directors of an organization:
A. Address technical IT issues.
B. Be informed of all IT initiatives.
C. Have an IT strategy committee.
D. Approve the IT strategy.
Question # 192
An IS auditor wants to determine who has oversight of staff performing a specific task and is referencing the organization's RACI chart. Which of the following roles within the chart would provide this information?
A. Consulted
B. Informed
C. Responsible
D. Accountable
Question # 193
Which of the following is the BEST detective control for a job scheduling process involving data transmission?
A. Metrics denoting the volume of monthly job failures are reported and reviewed by senior management.
B. Jobs are scheduled to be completed daily and data is transmitted using a Secure File Transfer Protocol (SFTP).
C. Jobs are scheduled and a log of this activity is retained for subsequent review.
D. Job failure alerts are automatically generated and routed to support personnel.
Question # 194
Which of the following should be an IS auditor's PRIMARY focus when developing a riskbased IS audit program?
A. Portfolio management
B. Business plans
C. Business processes
D. IT strategic plans
Question # 195
An organization plans to receive an automated data feed into its enterprise data warehouse from a third-party service provider. Which of the following would be the BEST way to prevent accepting bad data?
A. Obtain error codes indicating failed data feeds.
B. Appoint data quality champions across the organization.
C. Purchase data cleansing tools from a reputable vendor.
D. Implement business rules to reject invalid data.
Question # 196
An incorrect version of source code was amended by a development team. This MOST likely indicates a weakness in:
A. incident management.
B. quality assurance (QA).
C. change management.
D. project management.
Question # 197
During a new system implementation, an IS auditor has been assigned to review risk management at each milestone. The auditor finds that several risks to project benefits have not been addressed. Who should be accountable for managing these risks?
A. Enterprise risk manager
B. Project sponsor
C. Information security officer
D. Project manager
Question # 198
During the design phase of a software development project, the PRIMARY responsibility of an IS auditor is to evaluate the:
A. Future compatibility of the application.
B. Proposed functionality of the application.
C. Controls incorporated into the system specifications.
D. Development methodology employed.
Question # 199
Which of the following is the MOST effective control to mitigate unintentional misuse of authorized access?
A. Annual sign-off of acceptable use policy
B. Regular monitoring of user access logs
C. Security awareness training
D. Formalized disciplinary action
Question # 200
The PRIMARY benefit lo using a dry-pipe fire-suppression system rather than a wet-pipe system is that a dry-pipe system:
A. is more effective at suppressing flames.
B. allows more time to abort release of the suppressant.
C. has a decreased risk of leakage.
D. disperses dry chemical suppressants exclusively.
Question # 201
An IS auditor has been asked to assess the security of a recently migrated database system that contains personal and financial data for a bank's customers. Which of the following controls is MOST important for the auditor to confirm is in place?
A. The default configurations have been changed.
B. All tables in the database are normalized.
C. The service port used by the database server has been changed.
D. The default administration account is used after changing the account password.
Question # 202
Which of the following is the BEST compensating control when segregation of duties is lacking in a small IS department?
A. Background checks
B. User awareness training
C. Transaction log review
D. Mandatory holidays
Question # 203
An IS auditor has found that an organization is unable to add new servers on demand in a cost-efficient manner. Which of the following is the auditor's BEST recommendation?
A. Increase the capacity of existing systems.
B. Upgrade hardware to newer technology.
C. Hire temporary contract workers for the IT function.
D. Build a virtual environment.
Question # 204
An IS audit reveals that an organization is not proactively addressing known vulnerabilities. Which of the following should the IS auditor recommend the organization do FIRST?
A. Verify the disaster recovery plan (DRP) has been tested.
B. Ensure the intrusion prevention system (IPS) is effective.
C. Assess the security risks to the business.
D. Confirm the incident response team understands the issue.
Question # 205
Which of the following is the BEST justification for deferring remediation testing until the next audit?
A. The auditor who conducted the audit and agreed with the timeline has left the
organization.
B. Management's planned actions are sufficient given the relative importance of the observations.
C. Auditee management has accepted all observations reported by the auditor.
D. The audit environment has changed significantly.
Question # 206
Which of the following will be the MOST effective method to verify that a service vendor keeps control levels as required by the client?
A. Conduct periodic on-site assessments using agreed-upon criteria.
B. Periodically review the service level agreement (SLA) with the vendor.
C. Conduct an unannounced vulnerability assessment of vendor's IT systems.
D. Obtain evidence of the vendor's control self-assessment (CSA).
Question # 207
When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor's BEST recommendation is to place an intrusion detection system (IDS) between the firewall and:
A. the Internet.
B. the demilitarized zone (DMZ).
C. the organization's web server.
D. the organization's network.
Question # 208
An IS auditor finds that a key Internet-facing system is vulnerable to attack and that patches are not available. What should the auditor recommend be done FIRST?
A. Implement a new system that can be patched.
B. Implement additional firewalls to protect the system.
C. Decommission the server.
D. Evaluate the associated risk.
Question # 209
When reviewing an organization's information security policies, an IS auditor should verify that the policies have been defined PRIMARILY on the basis of:
A. a risk management process.
B. an information security framework.
C. past information security incidents.
D. industry best practices.
Question # 210
Prior to a follow-up engagement, an IS auditor learns that management has decided to accept a level of residual risk related to an audit finding without remediation. The IS auditor is concerned about management's decision. Which of the following should be the IS auditor's NEXT course of action?
A. Accept management's decision and continue the follow-up.
B. Report the issue to IS audit management.
C. Report the disagreement to the board.
D. Present the issue to executive management.
Question # 211
During the implementation of an upgraded enterprise resource planning (ERP) system, which of the following is the MOST important consideration for a go-live decision?
A. Rollback strategy
B. Test cases
C. Post-implementation review objectives
D. Business case
Question # 212
During an ongoing audit, management requests a briefing on the findings to date. Which of the following is the IS auditor's BEST course of action?
A. Review working papers with the auditee.
B. Request the auditee provide management responses.
C. Request management wait until a final report is ready for discussion.
D. Present observations for discussion only.
Question # 213
Which of the following is the MOST important benefit of involving IS audit when implementing governance of enterprise IT?
A. Identifying relevant roles for an enterprise IT governance framework
B. Making decisions regarding risk response and monitoring of residual risk
C. Verifying that legal, regulatory, and contractual requirements are being met
D. Providing independent and objective feedback to facilitate improvement of IT processes
Question # 214
An organization's security policy mandates that all new employees must receive appropriate security awareness training. Which of the following metrics would BEST assure compliance with this policy?
A. Percentage of new hires that have completed the training.
B. Number of new hires who have violated enterprise security policies.
C. Number of reported incidents by new hires.
D. Percentage of new hires who report incidents
Question # 215
An IS auditor is conducting a post-implementation review of an enterprise resource planning (ERP) system. End users indicated concerns with the accuracy of critical automatic calculations made by the system. The auditor's FIRST course of action should be to:
A. review recent changes to the system.
B. verify completeness of user acceptance testing (UAT).
C. verify results to determine validity of user concerns.
D. review initial business requirements.
Question # 216
A data breach has occurred due lo malware. Which of the following should be the FIRST course of action?
A. Notify the cyber insurance company.
B. Shut down the affected systems.
C. Quarantine the impacted systems.
D. Notify customers of the breach.
Question # 217
During an external review, an IS auditor observes an inconsistent approach in classifying system criticality within the organization. Which of the following should be recommended as the PRIMARY factor to determine system criticality?
A. Key performance indicators (KPIs)
B. Maximum allowable downtime (MAD)
C. Recovery point objective (RPO)
D. Mean time to restore (MTTR)
Question # 218
A system development project is experiencing delays due to ongoing staff shortages. Which of the following strategies would provide the GREATEST assurance of system quality at implementation?
A. Implement overtime pay and bonuses for all development staff.
B. Utilize new system development tools to improve productivity.
C. Recruit IS staff to expedite system development.
D. Deliver only the core functionality on the initial target date.
Question # 219
An organization allows employees to retain confidential data on personal mobile devices. Which of the following is the BEST recommendation to mitigate the risk of data leakage from lost or stolen devices?
A. Require employees to attend security awareness training.
B. Password protect critical data files.
C. Configure to auto-wipe after multiple failed access attempts.
D. Enable device auto-lock function.
Question # 220
What is BEST for an IS auditor to review when assessing the effectiveness of changes recently made to processes and tools related to an organization's business continuity plan (BCP)?
A. Full test results
B. Completed test plans
C. Updated inventory of systems
D. Change management processes
Question # 221
Which of the following is MOST important to include in forensic data collection and preservation procedures?
A. Assuring the physical security of devices
B. Preserving data integrity
C. Maintaining chain of custody
D. Determining tools to be used
Question # 222
What is the BEST control to address SQL injection vulnerabilities?
A. Unicode translation
B. Secure Sockets Layer (SSL) encryption
C. Input validation
D. Digital signatures
Question # 223
Which of the following should be GREATEST concern to an IS auditor reviewing data conversion and migration during the implementation of a new application system?
A. Data conversion was performed using manual processes.
B. Backups of the old system and data are not available online.
C. Unauthorized data modifications occurred during conversion.
D. The change management process was not formally documented
Question # 224
An IS auditor notes that several employees are spending an excessive amount of time using social media sites for personal reasons. Which of the following should the auditor recommend be performed FIRST?
A. Implement a process to actively monitor postings on social networking sites.
B. Adjust budget for network usage to include social media usage.
C. Use data loss prevention (DLP) tools on endpoints.
D. implement policies addressing acceptable usage of social media during working hours.
Question # 225
Which of the following is MOST important for an IS auditor to review when evaluating the accuracy of a spreadsheet that contains several macros?
A. Encryption of the spreadsheet
B. Version history
C. Formulas within macros
D. Reconciliation of key calculations
Question # 226
Secure code reviews as part of a continuous deployment program are which type of control?
A. Detective
B. Logical
C. Preventive
D. Corrective
Question # 227
Which of the following is MOST important to ensure when planning a black box penetration test?
A. The management of the client organization is aware of the testing.
B. The test results will be documented and communicated to management.
C. The environment and penetration test scope have been determined.
D. Diagrams of the organization's network architecture are available.
Question # 228
An IS auditor is reviewing an organization's information asset management process. Which of the following would be of GREATEST concern to the auditor?
A. The process does not require specifying the physical locations of assets.
B. Process ownership has not been established.
C. The process does not include asset review.
D. Identification of asset value is not included in the process.
Question # 229
Spreadsheets are used to calculate project cost estimates. Totals for each cost category are then keyed into the job-costing system. What is the BEST control to ensure that data is accurately entered into the system?
A. Reconciliation of total amounts by project
B. Validity checks, preventing entry of character data
C. Reasonableness checks for each cost type
D. Display back of project detail after entry
Question # 230
An IS auditor who was instrumental in designing an application is called upon to review the application. The auditor should:
A. refuse the assignment to avoid conflict of interest.
B. use the knowledge of the application to carry out the audit.
C. inform audit management of the earlier involvement.
D. modify the scope of the audit.
Question # 231
An organizations audit charier PRIMARILY:
A. describes the auditors' authority to conduct audits.
B. defines the auditors' code of conduct.
C. formally records the annual and quarterly audit plans.
D. documents the audit process and reporting standards.
Question # 232
Which of the following is the PRIMARY advantage of parallel processing for a new system implementation?
A. Assurance that the new system meets functional requirements
B. More time for users to complete training for the new system
C. Significant cost savings over other system implemental or approaches
D. Assurance that the new system meets performance requirements
Question # 233
An organization's enterprise architecture (EA) department decides to change a legacy system's components while maintaining its original functionality. Which of the following is MOST important for an IS auditor to understand when reviewing this decision?
A. The current business capabilities delivered by the legacy system
B. The proposed network topology to be used by the redesigned system
C. The data flows between the components to be used by the redesigned system
D. The database entity relationships within the legacy system
Question # 234
When an intrusion into an organization network is deleted, which of the following should be done FIRST?
A. Block all compromised network nodes.
B. Contact law enforcement.
C. Notify senior management.
D. Identity nodes that have been compromised.
Question # 235
Which of the following is the BEST control to prevent the transfer of files to external parties through instant messaging (IM) applications?
A. File level encryption
B. File Transfer Protocol (FTP)
C. Instant messaging policy
D. Application level firewalls
Question # 236
Which of the following would BEST facilitate the successful implementation of an IT-related framework?
A. Aligning the framework to industry best practices
B. Establishing committees to support and oversee framework activities
C. Involving appropriate business representation within the framework
D. Documenting IT-related policies and procedures
Question # 237
The PRIMARY advantage of object-oriented technology is enhanced:
A. efficiency due to the re-use of elements of logic.
B. management of sequential program execution for data access
C. grouping of objects into methods for data access.
D. management of a restricted variety of data types for a data object.
Question # 238
Which of the following is the MOST important prerequisite for the protection of physical information assets in a data center?
A. Segregation of duties between staff ordering and staff receiving information assets
B. Complete and accurate list of information assets that have been deployed
C. Availability and testing of onsite backup generators
D. Knowledge of the IT staff regarding data protection requirements
Question # 239
Which of the following BEST indicates the effectiveness of an organization's risk management program?
A. Inherent risk is eliminated.
B. Residual risk is minimized.
C. Control risk is minimized.
D. Overall risk is quantified.
Leave a comment
Your email address will not be published. Required fields are marked *