CISA Topic 1
Question #: 71
Topic #: 1
When auditing the security architecture of an online application, an IS auditor should FIRST review the:
A. location of the firewall within the network.
B. firewall standards.
C. firmware version of the firewall.
D. configuration of the firewall.
Selected Answer: A
Question #: 69
Topic #: 1
Which of the following would BEST facilitate the successful implementation of an IT-related framework?
A. Establishing committees to support and oversee framework activities
B. Documenting IT-related policies and procedures
C. Aligning the framework to industry best practices
D. Involving appropriate business representation within the framework
Selected Answer: D
Question #: 481
Topic #: 1
Which of the following should be an IS auditor’s GREATEST concern when reviewing a business continuity plan (BCP)?
A. Some critical business processes are not included in the BCP.
B. Business unit personnel are not aware of the BCP.
C. There is no evidence that the BCP has been tested.
D. An offsite storage location is not documented in the BCP.
Selected Answer: C
Question #: 203
Topic #: 1
Which of the following methods will BEST reduce the risk associated with the transition to a new system using technologies that are not compatible with the old system?
A. Pilot operation
B. Parallel changeover
C. Modular changeover
D. Phased operation
Selected Answer: A
Question #: 198
Topic #: 1
During an operational audit of a biometric system used to control physical access, which of the following should be of GREATEST concern to an IS auditor?
A. False positives
B. User acceptance of biometrics
C. False negatives
D. Lack of biometric training
Selected Answer: C
Question #: 197
Topic #: 1
An online retailer is receiving customer complaints about receiving different items from what they ordered on the organization’s website. The root cause has been traced to poor data quality. Despite efforts to clean erroneous data from the system, multiple data quality issues continue to occur. Which of the following recommendations would be the BEST way to reduce the likelihood of future occurrences?
A. Outsource data cleansing activities to reliable third parties.
B. Assign responsibility for improving data quality.
C. Implement business rules to validate employee data entry.
D. Invest in additional employee training for data entry.
Selected Answer: C
Question #: 193
Topic #: 1
During an incident management audit, an IS auditor finds that several similar incidents were logged during the audit period. Which of the following is the auditor’s MOST important course of action?
A. Document the finding and present it to management.
B. Determine if a root cause analysis was conducted.
C. Validate whether all incidents have been actioned.
D. Confirm the resolution time of the incidents.
Selected Answer: B
Question #: 189
Topic #: 1
What is the BEST way to control updates to the vendor master file in an accounts payable system?
A. Using prenumbered and authorized request forms
B. Having only one person updating the master file
C. Periodically reviewing the entire vendor master file
D. Comparing updates against authorization
Selected Answer: D
Question #: 799
Topic #: 1
Which of the following is MOST important with regard to an application development acceptance test?
A. User management approves the test design before the test is started.
B. All data files are tested for valid information before conversion.
C. The quality assurance (QA) team is in charge of the testing process.
D. The programming team is involved in the testing process.
Selected Answer: C
Question #: 792
Topic #: 1
In data warehouse (DW) management, what is the BEST way to prevent data quality issues caused by changes from a source system?
A. Restrict access to changes in the extract/transfer/load (ETL) process between the two systems
B. Include the data warehouse in the impact analysis for any changes in the source system
C. Configure data quality alerts to check variances between the data warehouse and the source system
D. Require approval for changes in the extract/transfer/load (ETL) process between the two systems
Selected Answer: B
Question #: 791
Topic #: 1
Which of the following is the BEST approach for determining the overall IT risk appetite of an organization when business units use different methods for managing IT risks?
A. Average the business units’ IT risk levels.
B. Identify the highest-rated IT risk level among the business units.
C. Establish a global IT risk scoring criteria.
D. Prioritize the organization’s IT risk scenarios.
Selected Answer: D
Question #: 131
Topic #: 1
Which of the following development practices would BEST mitigate the risk associated with theft of user credentials transmitted between mobile devices and the corporate network?
A. Enforce the validation of digital certificates used in the communication sessions.
B. Release mobile applications in debugging mode to allow for easy troubleshooting.
C. Embed cryptographic keys within the mobile application source code.
D. Allow persistent sessions between mobile applications and the corporate network.
Selected Answer: A
Question #: 1
Topic #: 1
Which of the following should be of GREATEST concern to an IS auditor reviewing an organization’s business continuity plan (BCP)?
A. The BCP has not been tested since it was first issued.
B. The BCP is not version-controlled.
C. The BCP’s contact information needs to be updated.
D. The BCP has not been approved by senior management.
Selected Answer: A
Question #: 117
Topic #: 1
Which of the following is the MOST efficient way to assess the controls in a service provider’s environment?
A. Review testing performed by the service provider’s internal audit department.
B. Require the service provider to conduct control self-assessments (CSAs).
C. Review the service provider’s master service agreement (MSA).
D. Obtain an independent auditor’s report from the service provider.
Selected Answer: D
Question #: 115
Topic #: 1
Which of the following business continuity activities prioritizes the recovery of critical functions?
A. Business impact analysis (BIA)
B. Risk assessment
C. Business continuity plan (BCP) testing
D. Disaster recovery plan (DRP) testing
Selected Answer: A
Question #: 105
Topic #: 1
Spreadsheets are used to calculate project cost estimates. Totals for each cost category are then keyed into the job-costing system. What is the BEST control to ensure that data is accurately entered into the system?
A. Display back of project detail after entry
B. Reconciliation of total amounts by project
C. Reasonableness checks for each cost type
D. Validity checks, preventing entry of character data
Selected Answer: C
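The two data-entry questions above (the online retailer's data quality problem and the job-costing spreadsheet totals) name three application input controls: validity checks, reasonableness checks and batch total reconciliation. The following is an added example, not part of the exam material, showing how the three behave on constructed job-costing entries. The cost categories, the reasonableness bands and the sample figures are all assumptions made for illustration.

```python
"""Added illustration of application input controls on keyed job-costing totals.

Three controls are applied, in order, to each project's keyed figures:
  1. validity check        - the keyed value must be a non-negative number
  2. reasonableness check  - the value must sit inside an expected band for its cost type
  3. batch total control   - the accepted values must reconcile to the spreadsheet total
The categories, bands and sample data below are constructed for this example.
"""
from decimal import Decimal, InvalidOperation

# Assumed reasonableness bands per cost category (currency units).
REASONABLE_RANGE = {
    "labour":    (Decimal("0"), Decimal("500000")),
    "materials": (Decimal("0"), Decimal("250000")),
    "travel":    (Decimal("0"), Decimal("20000")),
}


def validity_check(raw):
    """Reject character data and negative amounts; return a Decimal or None."""
    try:
        value = Decimal(raw.strip())
    except InvalidOperation:
        return None
    return value if value >= 0 else None


def reasonableness_check(cost_type, value):
    """True when the value falls inside the expected band for its cost type."""
    low, high = REASONABLE_RANGE[cost_type]
    return low <= value <= high


def reconcile_batch(accepted, spreadsheet_total):
    """Batch total control: the sum of accepted figures must equal the source total."""
    return sum(accepted.values(), Decimal("0")) == spreadsheet_total


def validate_project_entry(project, keyed_totals, spreadsheet_total):
    """Run all three controls; return (accepted_values, list_of_findings)."""
    accepted, findings = {}, []
    for cost_type, raw in keyed_totals.items():
        if cost_type not in REASONABLE_RANGE:
            findings.append(f"{project}/{cost_type}: unknown cost type")
            continue
        value = validity_check(raw)
        if value is None:
            findings.append(f"{project}/{cost_type}: invalid value {raw!r}")
            continue
        if not reasonableness_check(cost_type, value):
            findings.append(f"{project}/{cost_type}: {value} outside expected range")
            continue
        accepted[cost_type] = value
    if not reconcile_batch(accepted, spreadsheet_total):
        keyed_sum = sum(accepted.values(), Decimal("0"))
        findings.append(
            f"{project}: keyed total {keyed_sum} != spreadsheet total {spreadsheet_total}")
    return accepted, findings


if __name__ == "__main__":
    # Constructed sample: a clean entry, a transposition the range check
    # cannot see, and an entry with both a typo and an extra zero.
    samples = [
        ("P-100", {"labour": "120000", "materials": "80000", "travel": "4500"}, 204500),
        ("P-101", {"labour": "120000", "materials": "08000", "travel": "4500"}, 204500),
        ("P-102", {"labour": "12O000", "materials": "80000", "travel": "45000"}, 204500),
    ]
    for project, keyed, total in samples:
        _, findings = validate_project_entry(project, keyed, total)
        print(project, findings or "OK")
```

Project P-101 is the instructive case: "08000" for "80000" is numeric and inside the materials band, so neither the validity nor the reasonableness check objects, and only the reconciliation of the project total against the spreadsheet catches it.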
Question #: 760
Topic #: 1
An organization’s software developers need access to personally identifiable information (PII) stored in a particular data format. Which of the following is the BEST way to protect this sensitive information while allowing the developers to use it in development and test environments?
A. Data masking
B. Data encryption
C. Data tokenization
D. Data abstraction
Selected Answer: B
Question #: 48
Topic #: 1
Which audit approach is MOST helpful in optimizing the use of IS audit resources?
A. Agile auditing
B. Continuous auditing
C. Risk-based auditing
D. Outsourced auditing
Selected Answer: C
Question #: 749
Topic #: 1
Which of the following BEST enables the timely identification of risk exposure?
A. Control self-assessment (CSA)
B. Internal audit review
C. Stress testing
D. External audit review
Selected Answer: C
Question #: 697
Topic #: 1
Which of the following is the MOST efficient way to identify segregation of duties violations in a new system?
A. Observe the performance of business processes.
B. Develop a process to identify authorization conflicts.
C. Review a report of security rights in the system.
D. Examine recent system access rights violations.
Selected Answer: C
Question #: 683
Topic #: 1
The waterfall life cycle model of software development is BEST suited for which of the following situations?
A. The project will involve the use of new technology.
B. The project intends to apply an object-oriented design approach.
C. The project is subject to time pressures.
D. The project requirements are well understood.
Selected Answer: D
Question #: 650
Topic #: 1
A review of Internet security disclosed that users have individual user accounts with Internet service providers (ISPs) and use these accounts for downloading business data. The organization wants to ensure that only the corporate network is used. The organization should FIRST:
A. use a proxy server to filter out Internet sites that should not be accessed.
B. keep a manual log of Internet access.
C. include a statement in its security policy about Internet use.
D. monitor remote access activities.
Selected Answer: D
Question #: 636
Topic #: 1
Which of the following presents the GREATEST challenge to the alignment of business and IT?
A. Lack of information security involvement in business strategy development
B. An IT steering committee chaired by the chief information officer (CIO)
C. Insufficient IT budget to execute new business projects
D. Lack of chief information officer (CIO) involvement in board meetings
Selected Answer: D
Question #: 4
Topic #: 1
Which of the following is the MOST effective way for an organization to help ensure agreed-upon action plans from an IS audit will be implemented?
A. Ensure ownership is assigned.
B. Test corrective actions upon completion.
C. Ensure sufficient audit resources are allocated.
D. Communicate audit results organization-wide.
Selected Answer: A
Question #: 1294
Topic #: 1
The BEST way to provide assurance that a project is adhering to the project plan is to:
A. conduct compliance audits at major system milestones.
B. require design reviews at appropriate points in the life cycle.
C. have an IS auditor participate on the quality assurance (QA) team.
D. have an IS auditor participate on the steering committee.
Selected Answer: A
Question #: 1293
Topic #: 1
Which type of review is MOST important to conduct when an IS auditor is informed that a recent internal exploitation of a bug has been discovered in a business application?
A. Application security testing
B. Forensic audit
C. Server security audit
D. Penetration testing
Selected Answer: B
Question #: 1286
Topic #: 1
Which of the following is the MAIN responsibility of the IT steering committee?
A. Developing and implementing the secure system development framework
B. Implementing processes to integrate security with business objectives
C. Developing and assessing the IT security strategy
D. Reviewing and assisting with IT strategy integration efforts
Selected Answer: C
Question #: 1021
Topic #: 1
Which of the following is MOST helpful for understanding an organization’s key driver to modernize application platforms?
A. Network architecture diagrams
B. Inventory of end-of-life software
C. Vendor software invoices
D. System-wide incident reports
Selected Answer: D
Question #: 1016
Topic #: 1
Which of the following should be the role of internal audit in an organization’s move to the cloud?
A. Identifying and mitigating risk to an acceptable level
B. Identifying impacts to organizational budgets and resources
C. Implementing security controls for data prior to migration
D. Serving as a trusted partner and advisor
Selected Answer: A
Question #: 657
Topic #: 1
Following the implementation of a data loss prevention (DLP) tool, administrators have been overwhelmed with a high number of false positives. Which of the following is the BEST way to address this issue?
A. Enable monitoring-only mode to permit further tuning of the solution.
B. Educate staff about the risks of sharing sensitive information outside the organization.
C. Amend policy rules to match approved and unapproved business information pathways.
D. Ensure the latest signature files are present and configure regular updates.
Selected Answer: C
Question #: 635
Topic #: 1
Which of the following documents should specify roles and responsibilities within an IT audit organization?
A. Organizational chart
B. Annual audit plan
C. Audit charter
D. Engagement letter
Selected Answer: C
Question #: 1001
Topic #: 1
Which of the following observations noted by an IS auditor reviewing internal IT standards is MOST important to address?
A. The standards have no reference to an industry-recognized framework.
B. The standards are not detailed in policies and procedures.
C. The standards are not readily available to organization-wide users.
D. The standards have not been revised within the last year.
Selected Answer: B
Question #: 868
Topic #: 1
Which of the following should be of GREATEST concern to an IS auditor assessing the effectiveness of an organization’s release management processes?
A. Some releases are carried out with no supporting release documentation.
B. Some releases exceeded the agreed-upon outage window.
C. Release documentation does not follow a consistent format for all systems.
D. Release management policies have not been updated in the past two years.
Selected Answer: A
Question #: 97
Topic #: 1
During a follow-up audit, an IS auditor learns that some key management personnel have been replaced since the original audit, and current management has decided not to implement some previously accepted recommendations. What is the auditor’s BEST course of action?
A. Retest the control.
B. Notify the audit manager.
C. Close the audit finding.
D. Notify the chair of the audit committee.
Selected Answer: 나
Question #: 91
Topic #: 1
Which of the following is MOST important for an IS auditor to confirm when reviewing an organization’s plans to implement robotic process automation (RPA) to automate routine business tasks?
A. A benchmarking exercise of industry peers who use RPA has been completed.
B. The end-to-end process is understood and documented.
C. A request for proposal (RFP) has been issued to qualified vendors.
D. Roles and responsibilities are defined for the business processes in scope.
Selected Answer: B
Question #: 40
Topic #: 1
When implementing Internet Protocol security (IPsec) architecture, the servers involved in application delivery:
A. channel access only through the public-facing firewall.
B. channel access through authentication.
C. communicate via Transport Layer Security (TLS).
D. block authorized users from unauthorized activities.
Selected Answer: B
Question #: 480
Topic #: 1
Which of the following is the MOST effective approach in assessing the quality of modifications made to financial software?
A. An independent auditor will be engaged to undertake a pre-implementation review.
B. The quality of the implemented product will be assessed during acceptance testing.
C. The quality plan will be assessed during the design phase of development.
D. Independent quality assurance (QA) activities will be undertaken at various phases of the project.
Selected Answer: D
Question #: 36
Topic #: 1
Which of the following is the BEST indicator of the effectiveness of an organization’s incident response program?
A. Number of successful penetration tests
B. Percentage of protected business applications
C. Number of security vulnerability patches
D. Financial impact per security event
Selected Answer: D
Question #: 35
Topic #: 1
Which of the following data would be used when performing a business impact analysis (BIA)?
A. Projected impact of current business on future business
B. Expected costs for recovering the business
C. Cost of regulatory compliance
D. Cost-benefit analysis of running the current business
Selected Answer: B
Question #: 34
Topic #: 1
When planning an audit to assess application controls of a cloud-based system, it is MOST important for the IS auditor to understand the:
A. availability reports associated with the cloud-based system.
B. architecture and cloud environment of the system.
C. policies and procedures of the business area being audited.
D. business process supported by the system.
Selected Answer: B
Question #: 821
Topic #: 1
Which of the following has the GREATEST potential impact on the independence of an IS auditor?
A. Prior experience in IS audit
B. Prior relationship with vendors
C. Prior knowledge of technology
D. Prior job responsibilities
Selected Answer: B
Question #: 601
Topic #: 1
An IS auditor is informed that several spreadsheets are being used to generate key financial information. What should the auditor verify NEXT?
A. Whether adequate documentation and training is available for spreadsheet users
B. Whether the spreadsheets meet the minimum IT general controls requirements
C. Whether there is a complete inventory of end-user computing (EUC) spreadsheets
D. Whether the spreadsheets are being formally reviewed by the chief financial officer (CFO)
Selected Answer: C
Question #: 391
Topic #: 1
Which of the following is the BEST indicator of the effectiveness of signature-based intrusion detection systems (IDSs)?
A. An increase in the number of internally reported critical incidents
B. An increase in the number of unfamiliar sources of intruders
C. An increase in the number of identified false positives
D. An increase in the number of detected incidents not previously identified
Selected Answer: D
Question #: 372
Topic #: 1
Which of the following should be the PRIMARY basis for prioritizing follow-up audits?
A. Audit cycle defined in the audit plan
B. Recommendation from executive management
C. Residual risk from the findings of previous audits
D. Complexity of management’s action plans
Selected Answer: C
Question #: 371
Topic #: 1
Which of the following should be an IS auditor’s GREATEST concern when reviewing an organization’s security controls for policy compliance?
A. Security policies are not applicable across all business units.
B. End users are not required to acknowledge security policy training.
C. The security policy has not been reviewed within the past year.
D. Security policy documents are available on a public domain website.
Selected Answer: A
Question #: 369
Topic #: 1
Which of the following is MOST important for an IS auditor to verify when evaluating an organization’s firewall?
A. Logs are being collected in a separate protected host.
B. Access to configuration files is restricted.
C. Automated alerts are being sent when a risk is detected.
D. Insider attacks are being controlled.
Selected Answer: B
Question #: 368
Topic #: 1
Which of the following information security requirements BEST enables the tracking of organizational data in a bring your own device (BYOD) environment?
A. Employees must immediately report lost or stolen mobile devices containing organizational data.
B. Employees must use auto-lock features and complex passwords on personal devices.
C. Employees must sign acknowledgment of the organization’s mobile device acceptable use policy.
D. Employees must enroll their personal devices in the organization’s mobile device management program.
Selected Answer: A
Question #: 1330
Topic #: 1
An organization relies on an external vendor that uses a cloud-based Software as a Service (SaaS) model to back up its data. Which of the following is the GREATEST risk to the organization related to data backup and retrieval?
A. The organization may be locked into an unfavorable contract with the vendor.
B. The organization may not be allowed to inspect the vendor’s data center.
C. The vendor may be unable to restore critical data.
D. The vendor may be unable to restore data by recovery time objective (RTO) requirements.
Selected Answer: C
Question #: 927
Topic #: 1
The MOST appropriate person to chair the steering committee for an enterprise-wide system development should be the:
A. business analyst
B. project manager
C. IS director
D. executive level manager
Selected Answer: D
Question #: 1109
Topic #: 1
Transaction records from a business database were inadvertently deleted, and system operators decided to restore from a snapshot copy. Which of the following provides the BEST assurance that the transactions were recovered successfully?
A. Recount the transaction records to ensure no records are missing.
B. Compare transaction values against external statements to verify accuracy.
C. Rerun the process on a backup machine to verify the results are the same.
D. Review transaction recovery logs to ensure no errors were recorded.
Selected Answer: D
Question #: 1052
Topic #: 1
An application development team is also promoting changes to production for a critical financial application. Which of the following is the BEST control to reduce the associated risk?
A. Performing periodic audits
B. Implementing a change management code review
C. Performing regression tests
D. Exporting change logs to a secure server
Selected Answer: B
Question #: 407
Topic #: 1
Which of the following areas of responsibility would cause the GREATEST segregation of duties conflict if the individual who performs the related tasks also has approval authority?
A. Vendor selection and statements of work
B. Invoices and reconciliations
C. Purchase requisitions and purchase orders
D. Goods receipts and payments
Selected Answer: D
Question #: 1332
Topic #: 1
Which of the following should an IS auditor recommend be performed FIRST when evaluating potential enterprise resource planning (ERP) implementation vendors?
A. Review the vendors’ past implementations.
B. Investigate the vendors’ financial history.
C. Check the vendors’ client references.
D. Develop the vendor response scorecard.
Selected Answer: D
Question #: 1421
Topic #: 1
Which of the following processes is MOST important to define within a data classification policy?
A. Auditing access to data assets
B. Backing up data assets
C. Disposing of data assets
D. Recovering data assets
Selected Answer: A
Question #: 1376
Topic #: 1
An IS auditor is reviewing a client’s outsourced payroll system to assess whether the financial audit team can rely on the application. Which of the following findings would be the auditor’s GREATEST concern?
A. Payroll processing costs have not been included in the IT budget.
B. User access rights have not been periodically reviewed by the client.
C. The third-party contract does not comply with the vendor management policy.
D. The third-party contract has not been reviewed by the legal department.
Selected Answer: D
Question #: 1402
Topic #: 1
Which of the following controls is MOST crucial to ensure an organization will be able to recover its data from backup media in the event of a disaster?
A. Keeping a current inventory of backup media
B. Encrypting data on backup media
C. Periodically restoring backup media for key databases
D. Storing backup media at an offsite facility
Selected Answer: D
Question #: 1404
Topic #: 1
An IS auditor finds that periodic reviews of read-only users for a reporting system are not being performed. Which of the following should be the IS auditor’s NEXT course of action?
A. Obtain a verbal confirmation from IT for this exemption.
B. Review the list of end users and evaluate for authorization.
C. Report this control process weakness to senior management.
D. Verify management’s approval for this exemption.
Selected Answer: B
Question #: 1409
Topic #: 1
A contract for outsourcing IS functions should always include:
A. a provision for an independent audit of the contractor’s operations.
B. data transfer protocols.
C. the names and roles of staff to be employed in the operation.
D. full details of security procedures to be observed by the contractor.
Selected Answer: A
Question #: 1206
Topic #: 1
A financial institution suspects that a manager has been crediting customer accounts without authorization. Which of the following is the MOST effective method to validate this concern?
A. Variable sampling
B. Discovery sampling
C. Stop-or-go sampling
D. Haphazard sampling
Selected Answer: C
Question #: 268
Topic #: 1
What is the MOST difficult aspect of access control in a multiplatform, multiple-site client/server environment?
A. Restricting a local user to necessary resources on a local platform
B. Creating new user IDs valid only on a few hosts
C. Maintaining consistency throughout all platforms
D. Restricting a local user to necessary resources on the host server
Selected Answer: B
Question #: 262
Topic #: 1
Which of the following should be of GREATEST concern to an IS auditor reviewing data conversion and migration during the implementation of a new application system?
A. Data conversion was performed using manual processes.
B. Unauthorized data modifications occurred during conversion.
C. The change management process was not formally documented.
D. Backups of the old system and data are not available online.
Selected Answer: B
Question #: 1254
Topic #: 1
Which of the following presents the GREATEST risk of data leakage in the cloud environment?
A. Multi-tenancy within the same database
B. Lack of role-based access
C. Expiration of security certificate
D. Lack of data retention policy
Selected Answer: A
Question #: 234
Topic #: 1
When classifying information, it is MOST important to align the classification to:
A. business risk.
B. data retention requirements.
C. industry standards.
D. security policy.
Selected Answer: D
Question #: 1452
Topic #: 1
An IS auditor is reviewing the backup procedures in an organization that has high volumes of data with frequent changes to transactions. Which of the following is the BEST backup scheme to recommend given the need for a shorter restoration time in the event of a disruption?
A. Mirror backup
B. Differential backup
C. Full backup
D. Incremental backup
Selected Answer: B
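The question above turns on how many backup sets a restore has to apply under each scheme. The following is an added example, not part of the exam material, that simulates one week of constructed file changes under full, differential and incremental backups, counts the sets each restore needs and the data each scheme copies after the weekly full, and shows what happens when one set in an incremental chain is missing. The file names and change pattern are constructed for illustration.

```python
"""Added simulation of full, differential and incremental backup schemes.

Day 0 is the weekly full backup of every file; each later entry in CHANGES is the
set of files modified that day. A file's "version" is the last day it changed,
which lets a restored state be compared against the true state.
"""

# Constructed sample change history (day 0 = full backup baseline).
CHANGES = [
    {"a", "b", "c", "d", "e", "f"},   # day 0: everything exists, full backup taken
    {"a"},                            # day 1
    {"b", "c"},                       # day 2
    {"a"},                            # day 3
    {"d"},                            # day 4
    {"e", "f"},                       # day 5
    {"b"},                            # day 6
]


def current_state(changes, upto_day):
    """Ground truth: {file: version}, version being the last day the file changed."""
    state = {}
    for day in range(upto_day + 1):
        for name in changes[day]:
            state[name] = day
    return state


def backup_sets(scheme, changes):
    """One backup set per day, as {file: version}, under the given scheme."""
    sets = [current_state(changes, 0)]              # day 0: the full backup
    for day in range(1, len(changes)):
        state = current_state(changes, day)
        if scheme == "full":
            copied = state                                          # everything, nightly
        elif scheme == "differential":
            copied = {f: v for f, v in state.items() if v > 0}      # changed since the full
        elif scheme == "incremental":
            copied = {f: day for f in changes[day]}                 # changed since last backup
        else:
            raise ValueError(scheme)
        sets.append(copied)
    return sets


def sets_to_apply(scheme, sets, day):
    """The restore chain for a given day, in the order it must be applied."""
    if scheme == "full":
        return [sets[day]]
    if scheme == "differential":
        return [sets[0], sets[day]] if day > 0 else [sets[0]]
    return sets[: day + 1]                                          # full + every increment


def restore(chain):
    """Replay backup sets in order; later sets overwrite earlier versions."""
    state = {}
    for backup in chain:
        state.update(backup)
    return state


def compare(changes=CHANGES, day=6):
    """Restore-chain length, nightly copy volume and correctness for each scheme."""
    truth = current_state(changes, day)
    result = {}
    for scheme in ("full", "differential", "incremental"):
        sets = backup_sets(scheme, changes)
        chain = sets_to_apply(scheme, sets, day)
        result[scheme] = {
            "sets_to_restore": len(chain),
            "files_copied_after_full": sum(len(s) for s in sets[1:]),
            "restore_correct": restore(chain) == truth,
        }
    return result


def missing_incremental_breaks_restore(changes=CHANGES, day=6, missing=3):
    """Drop one set from an incremental chain: the restore completes but is stale."""
    sets = backup_sets("incremental", changes)
    chain = [s for i, s in enumerate(sets[: day + 1]) if i != missing]
    return restore(chain) != current_state(changes, day)


if __name__ == "__main__":
    for scheme, stats in compare().items():
        print(f"{scheme:12s} {stats}")
    print("incremental chain with day-3 set missing is stale:",
          missing_incremental_breaks_restore())
```

On the constructed week the full scheme restores from a single set but copies 36 file versions after the weekly full, the differential scheme restores from two sets (the full plus the latest differential) while copying 23, and the incremental scheme copies only 8 but needs all seven sets applied in order; losing the day-3 increment silently leaves file "a" at its day-1 version.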
Question #: 1490
Topic #: 1
Which of the following BEST supports the effectiveness of a compliance program?
A. Assessing and tracking all compliance audit findings
B. Implementing a governance, risk, and compliance (GRC) tool to track compliance to regulations
C. Monitoring which compliance regulations apply to the organization
D. Implementing an awareness plan regarding compliance regulation requirements
Selected Answer: A
Question #: 1492
Topic #: 1
Which of the following BEST enables an organization to identify potential security threats associated with a virtualization technique proposed by the vendor of a popular virtual machine (VM) system?
A. Architecture design
B. Functional specifications
C. Risk assessment
D. Hypervisor logs
Selected Answer: D
Question #: 1474
Topic #: 1
A review of an organization’s balance sheet for material transactions and an application review of the program that produced the balance sheet would use which of the following sampling methods?
A. Variable sampling
B. Judgmental sampling
C. Discovery sampling
D. Stop-or-go sampling
Selected Answer: A
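Two statistical sampling methods recur in the items above: discovery sampling (the suspected unauthorized credits to customer accounts) and variable sampling (material balance sheet transactions). The following is an added example, not part of the exam material, that computes the sample size discovery sampling requires to find at least one deviation at a chosen confidence, and the mean-per-unit projection with its precision that variable sampling produces. The confidence levels, rates and sample values are constructed for illustration.

```python
"""Added worked example of two audit sampling methods.

discovery_sample_size: smallest n such that, if the true deviation rate is at least
    critical_rate, the sample finds at least one deviation with probability >= confidence.
    Uses 1 - (1 - p)**n >= c, i.e. n >= ln(1 - c) / ln(1 - p) (with-replacement model,
    which is conservative for large populations).
mean_per_unit_estimate: variable sampling projection of a sample mean to the population
    with a precision half-width at the chosen z value.
"""
import math
from statistics import mean, stdev


def discovery_sample_size(confidence, critical_rate):
    """Items to examine so that one or more deviations appear with P >= confidence."""
    if not (0 < confidence < 1) or not (0 < critical_rate < 1):
        raise ValueError("confidence and critical_rate must lie in (0, 1)")
    return math.ceil(math.log(1 - confidence) / math.log(1 - critical_rate))


def detection_probability(n, true_rate):
    """Chance that a sample of n items contains at least one deviation."""
    return 1 - (1 - true_rate) ** n


def mean_per_unit_estimate(sample_values, population_size, z=1.96):
    """Project the sample mean to the population; return point estimate and precision."""
    n = len(sample_values)
    if n < 2:
        raise ValueError("need at least two sample items to estimate dispersion")
    sample_mean = mean(sample_values)
    standard_error = stdev(sample_values) / math.sqrt(n)
    point = population_size * sample_mean
    precision = population_size * z * standard_error
    return {
        "point_estimate": point,
        "precision": precision,
        "interval": (point - precision, point + precision),
    }


if __name__ == "__main__":
    # Constructed parameters: 95% confidence that a 1% rate of unauthorized
    # credits would surface at least once in the sample.
    n = discovery_sample_size(confidence=0.95, critical_rate=0.01)
    print("discovery sample size:", n, "P(detect):", round(detection_probability(n, 0.01), 4))
    # Constructed sample of five transaction values from a population of 1,000.
    print(mean_per_unit_estimate([120, 80, 100, 95, 105], population_size=1000))
```

With a 1% critical rate and 95% confidence the discovery sample is 299 items; if the auditor instead wants 99% confidence against a 0.5% rate it grows to 919, which is why discovery sampling fits a "does it occur at all" question rather than an estimate of how much.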
Question #: 1479
Topic #: 1
Which of the following BEST facilitates compliance with requirements mandating the security of confidential data?
A. Encryption of external data transmissions
B. Standardized escalation protocols for breaches
C. Classification of data
D. Signed acknowledgment of security policies
Selected Answer: C
Question #: 313
Topic #: 1
Due to a high volume of customer orders, an organization plans to implement a new application for customers to use for online ordering. Which type of testing is MOST important to ensure the security of the application prior to go-live?
A. Stress testing
B. User acceptance testing (UAT)
C. Vulnerability testing
D. Regression testing
Selected Answer: A
Question #: 100
Topic #: 1
While auditing a small organization’s data classification processes and procedures, an IS auditor noticed that data is often classified at the incorrect level. What is the MOST effective way for the organization to improve this situation?
A. Conduct awareness presentations and seminars for information classification policies.
B. Use automatic document classification based on content.
C. Have IT security staff conduct targeted training for data owners.
D. Publish the data classification policy on the corporate web portal.
Selected Answer: C
Question #: 80
Topic #: 1
Which of the following should be of GREATEST concern to an IS auditor reviewing a network printer disposal process?
A. Business units are allowed to dispose printers directly to authorized vendors.
B. Inoperable printers are stored in an unsecured area.
C. Disposal policies and procedures are not consistently implemented.
D. Evidence is not available to verify printer hard drives have been sanitized prior to disposal.
Selected Answer: D
Question #: 62
Topic #: 1
Backups will MOST effectively minimize a disruptive incident’s impact on a business if they are:
A. taken according to recovery point objectives (RPOs).
B. scheduled according to the service delivery objectives.
C. performed by automated backup software on a fixed schedule.
D. stored on write-once read-many media.
Selected Answer: A
Question #: 835
Topic #: 1
A bank’s transactional services are exclusively conducted online via Internet and mobile banking. Both its primary and disaster recovery sites are supported by the same Internet service provider (ISP). Which of the following is the BEST way for the bank to minimize risk in this situation?
A. Conduct incremental backups of transactional data every two hours.
B. Conduct real-time data synchronization between the primary and disaster recovery sites.
C. Revise the current contract to require 99.99% connection availability with the current ISP.
D. Establish a contractual agreement with a second ISP to cover connection to the disaster recovery site.
Selected Answer: D
Question #: 901
Topic #: 1
Which of the following BEST addresses the availability of an online store?
A. Online backups
B. A mirrored site at another location
C. Clustered architecture
D. RAID level 5 storage devices
Selected Answer: C
Question #: 764
Topic #: 1
Which of the following is the BEST method to safeguard data on an organization’s laptop computers?
A. Two-factor authentication
B. Full disk encryption
C. Disabled USB ports
D. Biometric access control
Selected Answer: B
Question #: 885
Topic #: 1
During data conversion, data cleansing is BEST performed prior to:
A. load
B. transformation
C. validation
D. extraction
Selected Answer: D
Question #: 144
Topic #: 1
The risk of communication failure in an e-commerce environment is BEST minimized through the use of:
A. alternative or diverse routing.
B. compression software to minimize transmission duration.
C. functional or message acknowledgments.
D. a packet filtering firewall to reroute messages
Selected Answer: A
Question #: 133
Topic #: 1
Which of the following cloud deployment models would BEST meet the needs of a startup software development organization with limited initial capital?
A. Community
B. Hybrid
C. Private
D. Public
Selected Answer: D
Question #: 859
Topic #: 1
When a data center is attempting to restore computing facilities at an alternative site following a disaster, which of the following should be restored FIRST?
A. Operating system
B. Data backups
C. Decision support system
D. Applications
Selected Answer: A
Question #: 830
Topic #: 1
When designing a data analytics process, which of the following should be the stakeholder’s role in automating data extraction and validation?
A. Allocating the resources necessary to purchase the appropriate software packages
B. Indicating which data elements are necessary to make informed decisions
C. Designing the workflow necessary for the data analytics tool to evaluate the appropriate data
D. Performing the business case analysis for the data analytics initiative
Selected Answer: B
Question #: 122
Topic #: 1
External experts were used on a recent IT audit engagement. While assessing the external experts’ work, the internal audit team found some gaps in the evidence that may have impacted their conclusions. What is the internal audit team’s BEST course of action?
A. Engage another expert to conduct the same testing.
B. Report a scope limitation in their conclusions.
C. Recommend the external experts conduct additional testing.
D. Escalate to senior management.
Selected Answer: C
Question #: 141
Topic #: 1
What is the BEST method for securing credit card numbers stored temporarily on a file server prior to transmission to the downstream system for payment processing?
A. Masking the full credit card number
B. Encryption with strong cryptography
C. Truncating the credit card number
D. One-way hash with strong cryptography
Selected Answer: B
Question #: 691
Topic #: 1
Which of the following is the BEST control to minimize the risk of unauthorized access to lost company-owned mobile devices?
A. Device encryption
B. Device tracking software
C. Password/PIN protection
D. Periodic backup
Selected Answer: C
Question #: 1351
Topic #: 1
As part of the risk management process, threats and vulnerabilities should be mapped to:
A. existing controls.
B. information assets.
C. business objectives.
D. key performance indicators (KPIs).
Selected Answer: B
Question #: 250
Topic #: 1
Code changes are compiled and placed in a change folder by the developer. An implementation team migrates changes to production from the change folder.
Which of the following BEST indicates separation of duties is in place during the migration process?
A. A second individual performs code review before the change is released to production.
B. The implementation team does not have access to change the source code.
C. The implementation team does not have experience writing code.
D. The developer approves changes prior to moving them to the change folder.
Selected Answer: B
Question #: 164
Topic #: 1
An IS auditor is observing transaction processing and notes that a high-priority update job ran out of sequence. What is the MOST significant risk from this observation?
A. Daily schedules lack change control.
B. Previous jobs may have failed.
C. The job may not have run to completion.
D. The job completes with invalid data.
Selected Answer: D
Question #: 7
Topic #: 1
To confirm integrity for a hashed message, the receiver should use:
A. the same hashing algorithm as the sender’s to create a binary image of the file.
B. a different hashing algorithm from the sender’s to create a numerical representation of the file.
C. a different hashing algorithm from the sender’s to create a binary image of the file.
D. the same hashing algorithm as the sender’s to create a numerical representation of the file.
Selected Answer: D
Question #: 572
Topic #: 1
An IS audit manager was temporarily tasked with supervising a project manager assigned to the organization’s payroll application upgrade. Upon returning to the audit department, the audit manager has been asked to perform an audit to validate the implementation of the payroll application. The audit manager is the only one in the audit department with IT project management experience. What is the BEST course of action?
A. Transfer the assignment to a different audit manager despite lack of IT project management experience
B. Have a senior IS auditor manage the project with the IS audit manager performing final review
C. Outsource the audit to independent and qualified resources
D. Manage the audit since there is no one else with the appropriate experience
Selected Answer: C
Question #: 524
Topic #: 1
Which of the following is the BEST reason for an organization to use clustering?
A. To decrease system response time
B. To improve the recovery time objective (RTO)
C. To improve system resiliency
D. To facilitate faster backups
Selected Answer: C
Question #: 485
Topic #: 1
Which of the following is the BEST way for an IS auditor to validate that employees have been made aware of the organization’s information security policy?
A. Interview employees to determine their level of understanding of the policy.
B. Compare the employee roster against a list of those who attended security training.
C. Review HR records for employee violations of the information security policy.
D. Review the training process to determine how policies are explained to employees.
Selected Answer: A
Question #: 1388
Topic #: 1
An IS auditor should be MOST concerned with the placement of environmental detectors for heat, water, and smoke in which of the following locations?
A. Inside ventilation ducts
B. Around cooling units
C. Above the ceiling
D. Under the floor
Selected Answer: B
Question #: 1346
Topic #: 1
An organization uses system interfaces to disburse money to various banks. Which of the following features in the system interfaces is MOST important to provide assurance that the money is going to the right bank account?
A. Audit logging
B. Nonrepudiation
C. Encryption
D. Digital signature
Selected Answer: D
Question #: 569
Topic #: 1
An IS auditor discovers a box of hard drives in a secured location that are overdue for physical destruction. The vendor responsible for this task was never made aware of these hard drives. Which of the following is the BEST course of action to address this issue?
A. Evaluate the corporate asset handling policy for potential gaps.
B. Examine the workflow to identify gaps in asset handling responsibilities.
C. Recommend the drives be sent to the vendor for destruction.
D. Escalate the finding to the asset owner for remediation.
Selected Answer: D
Question #: 566
Topic #: 1
An IS department is evaluated monthly on its cost-revenue ratio, user satisfaction rate, and computer downtime. This is BEST characterized as an application of:
A. control self-assessment (CSA).
B. balanced scorecard.
C. value chain analysis.
D. risk control framework.
Selected Answer: B
Question #: 565
Topic #: 1
An IS auditor finds that one employee has unauthorized access to confidential data. The IS auditor’s BEST recommendation should be to:
A. recommend corrective actions to be taken by the security administrator.
B. reclassify the data to a lower level of confidentiality.
C. implement a strong password schema for users.
D. require the business owner to conduct regular access reviews.
Selected Answer: A
Question #: 564
Topic #: 1
An IS audit team is evaluating the documentation related to the most recent application user-access review performed by IT and business management. It is determined the user list was not system-generated. Which of the following should be the GREATEST concern?
A. Source of the user list reviewed
B. Availability of the user list reviewed
C. Confidentiality of the user list reviewed
D. Completeness of the user list reviewed
Selected Answer: A
Question #: 563
Topic #: 1
An audit has identified that business units have purchased cloud-based applications without IT’s support. What is the GREATEST risk associated with this situation?
A. The application purchases did not follow procurement policy.
B. The applications may not reasonably protect data.
C. The applications could be modified without advanced notice.
D. The applications are not included in business continuity plans (BCPs).
Selected Answer: B
Question #: 562
Topic #: 1
Which of the following is the GREATEST security risk associated with data migration from a legacy human resources (HR) system to a cloud-based system?
A. System performance may be impacted by the migration.
B. Records past their retention period may not be migrated to the new system.
C. Data from the source and target system may have different data formats.
D. Data from the source and target system may be intercepted.
Selected Answer: D
Question #: 561
Topic #: 1
Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization’s information security policy?
A. Business objectives
B. Alignment with the IT tactical plan
C. Compliance with industry best practice
D. IT steering committee minutes
Selected Answer: A
Question #: 560
Topic #: 1
Which of the following is the BEST control to prevent the transfer of files to external parties through instant messaging (IM) applications?
A. File level encryption
B. Application level firewalls
C. Instant messaging policy
D. File Transfer Protocol (FTP)
Selected Answer: C
Question #: 556
Topic #: 1
Which of the following is the PRIMARY objective of baselining the IT control environment?
A. Define process and control ownership.
B. Ensure IT security strategy and policies are effective.
C. Align IT strategy with business strategy.
D. Detect control deviations.
Selected Answer: D
Question #: 558
Topic #: 1
Which of the following is the MOST effective control for protecting the confidentiality and integrity of data stored unencrypted on virtual machines?
A. Monitor access to stored images and snapshots of virtual machines
B. Restrict access to images and snapshots of virtual machines
C. Review logical access controls on virtual machines regularly
D. Limit creation of virtual machine images and snapshots
Selected Answer: B
Question #: 553
Topic #: 1
Which of the following yields the HIGHEST level of system availability?
A. Backups
B. Real-time replication
C. Cloud storage
D. Hot swaps
Selected Answer: B
Question #: 552
Topic #: 1
Which of the following would be of MOST concern during an audit of an end-user computing (EUC) system containing sensitive information?
A. Audit logging is not available.
B. System data is not protected.
C. The system’s anti-virus software is outdated.
D. Service level agreements (SLAs) are undefined.
Selected Answer: B
Question #: 548
Topic #: 1
Which of the following is the GREATEST risk associated with the lack of an effective data privacy program?
A. Failure to comply with data-related regulations
B. Failure to prevent fraudulent transactions
C. Inability to manage access to private or sensitive data
D. Inability to obtain customer confidence
Selected Answer: A
Question #: 546
Topic #: 1
Which of the following measures BEST mitigates the risk of exfiltration during a cyberattack?
A. Perimeter firewall
B. Hashing of sensitive data
C. Network access controls (NAC)
D. Data loss prevention (DLP) system
Selected Answer: D
Question #: 543
Topic #: 1
Which of the following would be the MOST significant factor when choosing among several backup system alternatives with different restoration speeds?
A. Mean time between failures (MTBFs)
B. Recovery point objective (RPO)
C. Recovery time objective (RTO)
D. Maximum tolerable outages (MTOs)
Selected Answer: C
Question #: 541
Topic #: 1
Which of the following should be the PRIMARY basis for procedures to dispose of data securely?
A. Type of media used for data storage
B. Environmental regulations
C. Classification of data
D. Data retention policy
Selected Answer: C
Question #: 540
Topic #: 1
Which of the following would lead an IS auditor to conclude that the evidence collected during a digital forensic investigation would not be admissible in court?
A. The logs failed to identify the person handling the evidence.
B. The person who collected the evidence is not qualified to represent the case.
C. The evidence was not fully backed up using a cloud-based solution prior to the trial.
D. The evidence was collected by the internal forensics team.
Selected Answer: B
Question #: 539
Topic #: 1
Which of the following is the MOST reliable way for an IS auditor to evaluate the operational effectiveness of an organization’s data loss prevention (DLP) controls?
A. Conduct interviews to identify possible data protection vulnerabilities.
B. Verify that confidential files cannot be transmitted to a personal USB device.
C. Verify that current DLP software is installed on all computer systems.
D. Review data classification levels based on industry best practice.
Selected Answer: B
Question #: 538
Topic #: 1
Which of the following is a corrective control?
A. Verifying duplicate calculations in data processing
B. Separating equipment development, testing, and production
C. Executing emergency response plans
D. Reviewing user access rights for segregation of duties
Selected Answer: C
Question #: 537
Topic #: 1
Which of the following is the MOST important aspect of an information security policy approved by the board of directors?
A. The policy must provide guidance for information classification.
B. The policy must be modified periodically for relevance.
C. The policy must be communicated to all stakeholders.
D. The policy must address the privacy of stakeholder information.
Selected Answer: C
Question #: 536
Topic #: 1
Which of the following is MOST important when duties in a small organization cannot be appropriately segregated?
A. Variance reporting
B. Exception reporting
C. Audit trail
D. Independent reviews
Selected Answer: D
Question #: 532
Topic #: 1
Which of the following is MOST important for an IS auditor to verify during a disaster recovery audit?
A. The disaster recovery plan (DRP) is updated on a regular basis.
B. Roles and responsibilities are documented.
C. Regular backups are made and stored offsite.
D. Tabletop disaster recovery tests are conducted.
Selected Answer: A
Question #: 527
Topic #: 1
Which of the following is the BEST way for an IS auditor to determine how well an information security program has been implemented throughout the organization?
A. Evaluate the percentage of employees who have taken security awareness training.
B. Review security awareness training content for completeness.
C. Perform security risk assessments for the organization’s business units.
D. Evaluate the integration of security best practices into business workflow.
Selected Answer: C
Question #: 523
Topic #: 1
Which of the following should be done FIRST when planning a penetration test?
A. Define the testing scope.
B. Determine reporting requirements for vulnerabilities.
C. Obtain management consent for the testing.
D. Execute nondisclosure agreements (NDAs).
Selected Answer: A
Question #: 520
Topic #: 1
Which of the following provides the MOST assurance over the completeness and accuracy of loan application processing with respect to the implementation of a new system?
A. Running historical transactions through the new system
B. Loading balance and transaction data to the new system
C. Comparing code between old and new systems
D. Reviewing quality assurance (QA) procedures
Selected Answer: A
Question #: 521
Topic #: 1
Which of the following is the PRIMARY concern when negotiating a contract for a hot site?
A. Complete testing of the recovery plan
B. Availability of the site in the event of multiple disaster declarations
C. Reciprocal agreements with other organizations
D. Coordination with the site staff in the event of multiple disaster declarations
Selected Answer: B
Question #: 518
Topic #: 1
Which of the following approaches would utilize data analytics to facilitate the testing of a new account creation process?
A. Review the business requirements document for date of birth field requirements.
B. Review new account applications submitted in the past month for invalid dates of birth.
C. Attempt to submit new account applications with invalid dates of birth.
D. Evaluate configuration settings for the date of birth field requirements.
Selected Answer: B
Question #: 517
Topic #: 1
Which of the following BEST guards against the risk of attack by hackers?
A. Message validation
B. Tunneling
C. Encryption
D. Firewalls
Selected Answer: D
Question #: 514
Topic #: 1
Which of the following is the MAJOR advantage of automating internal controls?
A. To enable the review of large value transactions
B. To help identify transactions with no segregation of duties
C. To efficiently test large volumes of data
D. To assist in performing analytical reviews
Selected Answer: C
Question #: 1480
Topic #: 1
Which of the following MOST effectively reduces the probability of a brute force attack being successful?
A. Establishing an account lockout policy
B. Establishing account activity timeouts
C. Increasing password change frequency
D. Requiring minimum password length
Selected Answer: D
Question #: 508
Topic #: 1
Which of the following is the PRIMARY protocol for protecting outbound content from tampering and eavesdropping?
A. Internet Key Exchange (IKE)
B. Secure Shell (SSH)
C. Point-to-Point Protocol (PPP)
D. Transport Layer Security (TLS)
Selected Answer: D
Question #: 510
Topic #: 1
Which of the following is the BEST source of information for assessing the effectiveness of IT process monitoring?
A. Performance data
B. Participative management techniques
C. Quality assurance (QA) reviews
D. Real-time audit software
Selected Answer: A
Question #: 506
Topic #: 1
Which of the following is MOST important to include in forensic data collection and preservation procedures?
A. Maintaining chain of custody
B. Preserving data integrity
C. Assuring the physical security of devices
D. Determining tools to be used
Selected Answer: A
Question #: 505
Topic #: 1
Which of the following is MOST important for an IS auditor to review when evaluating the accuracy of a spreadsheet that contains several macros?
A. Version history
B. Formulas within macros
C. Reconciliation of key calculations
D. Encryption of the spreadsheet
Selected Answer: C
Question #: 502
Topic #: 1
Which of the following would BEST demonstrate that an effective disaster recovery plan (DRP) is in place?
A. Full operational test
B. Periodic risk assessment
C. Annual walk-through testing
D. Frequent testing of backups
Selected Answer: A
Question #: 501
Topic #: 1
Which of the following is the BEST indication of the completeness of interface control documents used for the development of a new application?
A. Failed interface data transfers prevent subsequent processes.
B. All documents have been reviewed by end users.
C. Both successful and failed interface data transfers are recorded.
D. All inputs and outputs for potential actions are included.
Selected Answer: D
Question #: 500
Topic #: 1
Which of the following attack techniques will succeed because of an inherent security weakness in an Internet firewall?
A. Flooding the site with an excessive number of packets
B. Intercepting packets and viewing passwords
C. Phishing
D. Using a dictionary attack of encrypted passwords
Selected Answer: A
Question #: 494
Topic #: 1
Which of the following is the BEST way to ensure that business continuity plans (BCPs) will work effectively in the event of a major disaster?
A. Regularly update business impact assessments.
B. Prepare detailed plans for each business function.
C. Make senior managers responsible for their plan sections.
D. Involve staff at all levels in periodic paper walk-through exercises.
Selected Answer: A
Question #: 491
Topic #: 1
When evaluating the design of controls related to network monitoring, which of the following is MOST important for an IS auditor to review?
A. Network topology diagrams
B. Reports of network traffic analysis
C. The ISP service level agreement
D. Incident monitoring logs
Selected Answer: A
Question #: 484
Topic #: 1
Which of the following provides the MOST comprehensive description of IT’s role in an organization?
A. IT job descriptions
B. IT project portfolio
C. IT organizational chart
D. IT charter
Selected Answer: D
Question #: 479
Topic #: 1
Which of the following BEST determines if a batch update job was successfully executed?
A. Obtaining process owner confirmation that the job was completed
B. Testing a sample of transactions to confirm updates were applied
C. Verifying the timestamp from the job log
D. Reviewing a copy of the script for the job
Selected Answer: B
Question #: 478
Topic #: 1
Which of the following is MOST important to ensure when planning a black box penetration test?
A. The management of the client organization is aware of the testing.
B. The test results will be documented and communicated to management.
C. Diagrams of the organization’s network architecture are available.
D. The environment and penetration test scope have been determined.
Selected Answer: A
Question #: 476
Topic #: 1
Which of the following is the MOST effective way to maintain network integrity when using mobile devices?
A. Implement outbound firewall rules.
B. Implement network access control.
C. Perform network reviews.
D. Review access control lists.
Selected Answer: B
Question #: 475
Topic #: 1
Which of the following is the BEST indication that an information security program is aligned with organizational objectives?
A. Senior management conducts regular reviews of information security policies.
B. The information security steering committee sets organizational security priorities.
C. Risk is managed to within organizational tolerances.
D. Information security processes are in place throughout the system development life cycle (SDLC).
Selected Answer: C
Question #: 474
Topic #: 1
Which of the following IT service management activities is MOST likely to help with identifying the root cause of repeated instances of network latency?
A. Change management
B. Incident management
C. Problem management
D. Configuration management
Selected Answer: C
Question #: 472
Topic #: 1
Which of the following should be of GREATEST concern to an IS auditor reviewing a system software development project based on agile practices?
A. Lack of change management documentation
B. Lack of user acceptance testing (UAT) sign-off
C. Lack of weekly production releases
D. Lack of secure coding practices
Selected Answer: D
Question #: 470
Topic #: 1
Which of the following is the GREATEST risk associated with conducting penetration testing on a business-critical application production environment?
A. Results may differ from those obtained in the test environment.
B. Data integrity may become compromised.
C. System owners may not be informed in advance.
D. This type of testing may not adhere to audit standards.
Selected Answer: B
Question #: 469
Topic #: 1
Which of the following findings should be of GREATEST concern for an IS auditor when auditing the effectiveness of a phishing simulation test administered for staff members?
A. Security awareness training was not provided prior to the test.
B. Staff members were not notified about the test beforehand.
C. Staff members who failed the test did not receive follow-up education.
D. Test results were not communicated to staff members.
Selected Answer: C
Question #: 467
Topic #: 1
Which of the following is the PRIMARY benefit of performing a maturity model assessment?
A. It identifies and fixes attribute weaknesses.
B. It facilitates the execution of an improvement plan.
C. It acts as a measuring tool and progress indicator.
D. It ensures organizational consistency and improvement.
Selected Answer: C
Question #: 463
Topic #: 1
Which of the following is MOST important when planning a network audit?
A. Isolation of rogue access points
B. Identification of existing nodes
C. Analysis of traffic content
D. Determination of IP range in use
Selected Answer: B
Question #: 464
Topic #: 1
Which of the following is the MOST important benefit of involving IS audit when implementing governance of enterprise IT?
A. Identifying relevant roles for an enterprise IT governance framework
B. Providing independent and objective feedback to facilitate improvement of IT processes
C. Making decisions regarding risk response and monitoring of residual risk
D. Verifying that legal, regulatory, and contractual requirements are being met
Selected Answer: B
Question #: 458
Topic #: 1
Which of the following findings should be of MOST concern to an IS auditor reviewing an organization’s business continuity plan (BCP)?
A. The plan has not been updated in several years.
B. The plan has not been signed by executive management.
C. No tabletop exercises have been conducted for the plan.
D. End users have not been trained on the latest version of the plan.
Selected Answer: A
Question #: 454
Topic #: 1
Which of the following is the GREATEST risk associated with data conversion and migration during implementation of a new application?
A. Lack of data transformation rules
B. Absence of segregation of duties
C. Obsolescence and data backup compatibility
D. Inadequate audit trails and logging
Selected Answer: C
Question #: 449
Topic #: 1
Which of the following would be the MOST useful metric for management to consider when reviewing a project portfolio?
A. Cost of projects divided by total IT cost
B. Net present value (NPV) of the portfolio
C. Total cost of each project
D. Expected return divided by total project cost
Selected Answer: B
Question #: 443
Topic #: 1
Which of the following is the BEST indicator of the effectiveness of an organization’s portfolio management program?
A. Percentage of investments achieving their forecasted value
B. Maturity levels of the value management processes
C. Experience of the portfolio management personnel
D. Stakeholder’s perception of IT’s value
Selected Answer: A
Question #: 442
Topic #: 1
Which of the following is the BEST control to help prevent sensitive data leaving an organization via email?
A. Scanning outgoing emails
B. Blocking outbound emails sent without encryption
C. Conducting periodic phishing tests
D. Providing encryption solutions for employees
Selected Answer: D
Question #: 1457
Topic #: 1
Which of the following presents the GREATEST threat to an organization’s entire virtual infrastructure?
A. Change management processes are inefficient.
B. Changes are pushed to production during business hours.
C. Local authentication is used for guest systems.
D. The virtual machine image has not been standardized.
Selected Answer: D
Question #: 440
Topic #: 1
Which of the following is the BEST recommendation to prevent fraudulent electronic funds transfers by accounts payable employees?
A. Periodic vendor reviews
B. Independent reconciliation
C. Re-keying of monetary amounts
D. Dual control
Selected Answer: D